Huge Command-Service Problem [Archive] - Safer-Networking Forums

View Full Version : Huge Command-Service Problem

meekonfire

2008-05-29, 20:47

(Note: Sorry about the previous topics before that have been removed because I didn't provide a log..)

Hello, guys. I know you guys get alot of problems with the command service spyware. I ran a full sweep of Spybot when it asked to restart and got rid of mainly everything but Command Service. I have read up on previous topics other users have posted but I believe everyone has a different log from Hijackthis, so maybe you would have to look at mine before you give me a procedure on how to fix it. If you could help me I would very much appreciate it.

But there are a few other problems I have besides the annoying pop-ups..

1) My "Windows Security Alert" won't allow me to turn my Updates back on ..the notification is in my tray icon whenever I start up my computer.

2) I'm not able to visit some websites (e.g myspace, facebook, etc.) and won't bother loading.

I don't know if that has anything to do with the command service... All I know is that it was downloaded when I was trying to find a registration key for a program I was using a trial for.. but what do you guys think I should do?

Thanks a bunch.

The Kapersky Anti-Virus scan would not start up because of this virus I have.
But here's the HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 1:46:19 PM, on 5/29/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\csrss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\System32\bmwebcfg.exe
D:\Program Files\Bonjour\mDNSResponder.exe
D:\WINDOWS\RHlsYW4\command.exe
D:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
D:\WINDOWS\System32\nvsvc32.exe
D:\WINDOWS\System32\wdfmgr.exe
D:\Program Files\Viewpoint\Common\ViewpointService.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\wscntfy.exe
D:\WINDOWS\System32\alg.exe
D:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
D:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
D:\Program Files\AIM6\aim6.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Logitech\MouseWare\system\em_exec.exe
D:\Program Files\NETGEAR\WG111 Configuration Utility\WG111CFG.exe
D:\Program Files\AIM6\aolsoftware.exe
D:\WINDOWS\system32\rundll32.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\Documents and Settings\GameOverMan\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - D:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O3 - Toolbar: AIM Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - D:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [removecpl] RemoveCpl.exe
O4 - HKLM\..\Run: [VirtualCloneDrive] "D:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [Cingular Communication Manager] D:\Program Files\Cingular\Communication Manager\CingularCCM.exe -a
O4 - HKLM\..\Run: [BMe720b8e3] Rundll32.exe "D:\WINDOWS\system32\vbgoyxil.dll",s
O4 - HKLM\..\Run: [3cfd7534] rundll32.exe "D:\WINDOWS\system32\mmppfyhr.dll",b
O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "D:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKLM\..\RunOnce: [SpybotDeletingC3002] cmd /c del "D:\WINDOWS\system32\rqRJBTND.dll"
O4 - HKLM\..\RunOnce: [SpybotSnD] "D:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Aim6] "D:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp /HIDEBL
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "D:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Smart Wizard Wireless Settings.lnk = D:\Program Files\NETGEAR\WG111 Configuration Utility\WG111CFG.exe
O8 - Extra context menu item: &AOL Toolbar Search - d:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: AIM Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - D:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: d:\program files\bonjour\mdnsnsp.dll
O10 - Broken Internet access because of LSP provider 'bmnet.dll' missing
O23 - Service: Bytemobile Web Configurator (bmwebcfg) - Bytemobile, Inc. - D:\WINDOWS\System32\bmwebcfg.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - D:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Command Service (cmdService) - Unknown owner - D:\WINDOWS\RHlsYW4\command.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - D:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - D:\Program Files\Viewpoint\Common\ViewpointService.exe

Blade81

2008-05-30, 09:45

Hi

Uninstall Spybot for now to make sure TeaTimer won't interfere fixing. You may reinstall it after system is clean :)

1. Download combofix from any of these links and save it to Desktop:
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 3 (http://subs.geekstogo.com/ComboFix.exe)

**Note: It is important that it is saved directly to your desktop**

2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you (C:\ComboFix.txt). Post that log & a fresh hjt log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.

If you have problems with Combofix usage, see here (http://www.bleepingcomputer.com/combofix/how-to-use-combofix)

meekonfire

2008-05-31, 06:35

ComboFix 08-05-29.1 - GameOverMan 2008-05-30 1:35:34.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.173 [GMT -4:00]
Running from: D:\Documents and Settings\GameOverMan\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

D:\Documents and Settings\GameOverMan\My Documents\ASEMBL~1
D:\Documents and Settings\GameOverMan\My Documents\ASEMBL~1\w?auboot.exe
D:\Program Files\outerinfo
D:\Program Files\video activex object
D:\Program Files\video activex object\iesuninst.exe_old
D:\WINDOWS\BMe720b8e3.xml
D:\WINDOWS\pskt.ini
D:\WINDOWS\RHlsYW4\
D:\WINDOWS\RHlsYW4\\asappsrv.dll
D:\WINDOWS\RHlsYW4\\command.exe
D:\WINDOWS\RHlsYW4\\lJ5Psqb.vbs
D:\WINDOWS\RHlsYW4\command.exe
D:\WINDOWS\system32\cxtnrbdl.exe
D:\WINDOWS\system32\DNTBJRqr.ini
D:\WINDOWS\system32\DNTBJRqr.ini2
D:\WINDOWS\system32\dpalmfst.dll
D:\WINDOWS\system32\feaoojpq.exe
D:\WINDOWS\system32\ilymsffr.ini
D:\WINDOWS\system32\jkkJdCVM.dll
D:\WINDOWS\system32\klfipojl.dll
D:\WINDOWS\system32\kvloecgb.dll
D:\WINDOWS\system32\ljopiflk.ini
D:\WINDOWS\system32\mcrh.tmp
D:\WINDOWS\system32\mgassvkh.exe
D:\WINDOWS\system32\mmppfyhr.dll
D:\WINDOWS\system32\phammfti.dll
D:\WINDOWS\system32\radhspvx.dll
D:\WINDOWS\system32\regapi.exe
D:\WINDOWS\system32\rffsmyli.dll
D:\WINDOWS\system32\rhyfppmm.ini
D:\WINDOWS\system32\rqRJBTND.dll
D:\WINDOWS\system32\uencrnkr.dll
D:\WINDOWS\system32\vbgoyxil.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

Logfile of HijackThis v1.99.1
Scan saved at 11:34:32 AM, on 5/30/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\System32\bmwebcfg.exe
D:\Program Files\Bonjour\mDNSResponder.exe
D:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
D:\WINDOWS\System32\nvsvc32.exe
D:\Program Files\Viewpoint\Common\ViewpointService.exe
D:\WINDOWS\system32\wscntfy.exe
D:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
D:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
D:\Program Files\Messenger\msmsgs.exe
D:\Program Files\AIM6\aim6.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\NETGEAR\WG111 Configuration Utility\WG111CFG.exe
D:\Program Files\Logitech\MouseWare\system\em_exec.exe
D:\Program Files\AIM6\aolsoftware.exe
D:\WINDOWS\explorer.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\Documents and Settings\GameOverMan\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: (no name) - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O3 - Toolbar: AIM Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - D:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [removecpl] RemoveCpl.exe
O4 - HKLM\..\Run: [VirtualCloneDrive] "D:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [Cingular Communication Manager] D:\Program Files\Cingular\Communication Manager\CingularCCM.exe -a
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Aim6] "D:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp /HIDEBL
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "D:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Smart Wizard Wireless Settings.lnk = D:\Program Files\NETGEAR\WG111 Configuration Utility\WG111CFG.exe
O8 - Extra context menu item: &AOL Toolbar Search - d:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: AIM Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - D:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: d:\program files\bonjour\mdnsnsp.dll
O10 - Broken Internet access because of LSP provider 'bmnet.dll' missing
O23 - Service: Bytemobile Web Configurator (bmwebcfg) - Bytemobile, Inc. - D:\WINDOWS\System32\bmwebcfg.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - D:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - D:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - D:\Program Files\Viewpoint\Common\ViewpointService.exe

(everything seems to be working smoother now and my automatic updates is finally turned on and the web is faster as it was before :D )

Blade81

2008-05-31, 13:18

Hi

Looks like ComboFix log was only partial. Could you post a complete one, please? :)

Blade81

2008-06-06, 09:34

Due to inactivity, this thread will now be closed.

Note:If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than five days since your last response and you need the thread re-opened, please send me or your helper a private message (pm). A valid, working link to the closed topic is required.