CMDservice

Daveg
2006-08-06, 10:57
I have ntl Netguard, which tells me that it cannot remove CMDService from my PC. I have looked at other items which give advice on removing it, but everything I try will not remove it.

Looking forward to your help.

David

Logfile of HijackThis v1.99.1
Scan saved at 09:45:46, on 06/08/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ntl\ntl Netguard\fws.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ntl\ntl Netguard\RPS.exe
C:\WINDOWS\Mixer.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\ntl\broadband medic\bin\mpbtn.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Documents and Settings\David Godfray\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ntlworld.com/broadband
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\ntl\ntl Netguard\pkR.dll
O2 - BHO: Form Filler BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\ntl\ntl Netguard\FBHR.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
O4 - HKLM\..\Run: [ntl Netguard] "C:\Program Files\ntl\ntl Netguard\RPS.exe"
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: broadband medic.lnk = C:\Program Files\ntl\broadband medic\bin\matcli.exe
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-3-48.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1148207324562
O20 - AppInit_DLLs:
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: Radialpoint Service (FWS) - Radialpoint Inc. - C:\Program Files\ntl\ntl Netguard\fws.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe

pskelley
2006-08-07, 01:32
Hello David and welcome to the forum. I don't see much wrong with this log; please do this:

1) Move HJT from the Desktop for safety. I prefer C:\HJT\HijackThis.exe, if you need additional instructions use these: http://russelltexas.com/malware/createhjtfolder.htm

2) I know nothing of ntl Netguard; what exactly is it finding? Is it Netguard that is finding this CMDservice, or is it Spybot S&D? Please provide more information: what exactly are the symptoms you are experiencing?
Any error messages? If so, post them "word for word".

Thanks...pskelley
Safer Networking Forums

Daveg
2006-08-07, 23:55
"Anti-spyware failed to delete CMDService. To learn more, refer to our spyware centre", but there is no info.

A pop-up keeps coming up:
ntl netguard - anti-spyware

David

pskelley
2006-08-08, 00:14
Dave, NTL is the UK, right? I am in Florida. I need more information: run the program again and find out where it is locating CMDservice. I want badly to help you, but there is nothing in the log. The Netguard program must have a way to tell where and what it is locating. If you have to, call them on the phone or online or whatever. While you have them, ask them how the junk is getting by Netguard in the first place. Do you pay for this program?

Thanks

tashi
2006-08-12, 18:56
This topic is closed due to lack of feedback to helper.

If you need it re-opened please send me a pm and provide a link to the thread.

Applies only to the original topic starter.

pskelley
2006-08-26, 02:02
Post as much information about your problem as you think will help, include any error messages you are receiving word for word, along with a new HJT log. I also need the name of any program that is finding this malware and the exact name and pathway of the item being located.

Thanks

Daveg
2006-08-27, 12:11
Hello there,

I managed to contact ntl and they gave me a website to look at:

http://www.spywareremove.com/removeCmdService.html

I-Search Desktop Search Toolbar HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_CMDSERVICE Elevated
I-Search Desktop Search Toolbar HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_CMDSERVICE## Elevated
I-Search Desktop Search Toolbar HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_CMDSERVICE##NextInstance Elevated
I-Search Desktop Search Toolbar HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_CMDSERVICE\0000 Elevated
I-Search Desktop Search Toolbar HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_CMDSERVICE\0000## Elevated
I-Search Desktop Search Toolbar HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_CMDSERVICE\0000##Class Elevated
I-Search Desktop Search Toolbar HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_CMDSERVICE\0000##ClassGUID Elevated
I-Search Desktop Search Toolbar HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_CMDSERVICE\0000##ConfigFlags Elevated
I-Search Desktop Search Toolbar HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_CMDSERVICE\0000##DeviceDesc Elevated
I-Search Desktop Search Toolbar HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_CMDSERVICE\0000##Legacy Elevated
I-Search Desktop Search Toolbar HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_CMDSERVICE\0000##Service Elevated
Backdoor.Sdbot.AAD HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_RDRIV High
Backdoor.Sdbot.AAD HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_RDRIV## High
Backdoor.Sdbot.AAD HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_RDRIV##NextInstance High
I-Search Desktop Search Toolbar HKLM\SYSTEM\ControlSet003\Enum\Root\LEGACY_CMDSERVICE Elevated
I-Search Desktop Search Toolbar HKLM\SYSTEM\ControlSet003\Enum\Root\LEGACY_CMDSERVICE## Elevated
I-Search Desktop Search Toolbar HKLM\SYSTEM\ControlSet003\Enum\Root\LEGACY_CMDSERVICE##NextInstance Elevated
I-Search Desktop Search Toolbar HKLM\SYSTEM\ControlSet003\Enum\Root\LEGACY_CMDSERVICE\0000 Elevated
I-Search Desktop Search Toolbar HKLM\SYSTEM\ControlSet003\Enum\Root\LEGACY_CMDSERVICE\0000## Elevated
I-Search Desktop Search Toolbar HKLM\SYSTEM\ControlSet003\Enum\Root\LEGACY_CMDSERVICE\0000##Class Elevated
I-Search Desktop Search Toolbar HKLM\SYSTEM\ControlSet003\Enum\Root\LEGACY_CMDSERVICE\0000##ClassGUID Elevated
I-Search Desktop Search Toolbar HKLM\SYSTEM\ControlSet003\Enum\Root\LEGACY_CMDSERVICE\0000##ConfigFlags Elevated
I-Search Desktop Search Toolbar HKLM\SYSTEM\ControlSet003\Enum\Root\LEGACY_CMDSERVICE\0000##DeviceDesc Elevated
I-Search Desktop Search Toolbar HKLM\SYSTEM\ControlSet003\Enum\Root\LEGACY_CMDSERVICE\0000##Legacy Elevated
I-Search Desktop Search Toolbar HKLM\SYSTEM\ControlSet003\Enum\Root\LEGACY_CMDSERVICE\0000##Service Elevated
Backdoor.Sdbot.AAD HKLM\SYSTEM\ControlSet003\Enum\Root\LEGACY_RDRIV High
Backdoor.Sdbot.AAD HKLM\SYSTEM\ControlSet003\Enum\Root\LEGACY_RDRIV## High
Backdoor.Sdbot.AAD HKLM\SYSTEM\ControlSet003\Enum\Root\LEGACY_RDRIV##NextInstance High
I-Search Desktop Search Toolbar HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE Elevated
I-Search Desktop Search Toolbar HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE## Elevated
I-Search Desktop Search Toolbar HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE##NextInstance Elevated
I-Search Desktop Search Toolbar HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000 Elevated
I-Search Desktop Search Toolbar HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000## Elevated
I-Search Desktop Search Toolbar HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000##Class Elevated
I-Search Desktop Search Toolbar HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000##ClassGUID Elevated
I-Search Desktop Search Toolbar HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000##ConfigFlags Elevated
I-Search Desktop Search Toolbar HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000##DeviceDesc Elevated
I-Search Desktop Search Toolbar HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000##Legacy Elevated
I-Search Desktop Search Toolbar HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000##Service Elevated
Backdoor.Sdbot.AAD HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_RDRIV High
Backdoor.Sdbot.AAD HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_RDRIV## High
Backdoor.Sdbot.AAD HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_RDRIV##NextInstance High


After using Spyware Doctor, this detected it and removed it.

I had found it in the registry but was unable to delete it.

But now it is all done and there is no pop-up now.

thank you for your help

David
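
The report above lists CMDService only as LEGACY_CMDSERVICE keys under Enum\Root in each control set, and the key could not be deleted by hand: those LEGACY_* keys are written by the Plug and Play manager for every service driver and carry an ACL that leaves Administrators read-only, so the service itself has to go first. As an added example (not code from this thread, from ntl Netguard or from Spyware Doctor; the function name is my own), this read-only PowerShell lists every LEGACY_* entry per control set and flags the ones whose backing Services\<name> key is gone, the leftover pattern a scanner reports like the output above.

```powershell
# Added example: enumerate LEGACY_* device entries in every ControlSetNNN
# and report which ones no longer have a matching service definition.
# CurrentControlSet is a link to one of the ControlSetNNN keys, so it is
# not enumerated separately (the report above lists it as a duplicate).
# Run from an elevated PowerShell; nothing is modified.
function Get-LegacyServiceEntry {
    $controlSets = Get-ChildItem 'HKLM:\SYSTEM' |
        Where-Object { $_.PSChildName -match '^ControlSet\d{3}$' } |
        ForEach-Object { $_.PSChildName }

    foreach ($cs in $controlSets) {
        $rootPath = "HKLM:\SYSTEM\$cs\Enum\Root"
        if (-not (Test-Path $rootPath)) { continue }

        $legacyKeys = Get-ChildItem $rootPath |
            Where-Object { $_.PSChildName -like 'LEGACY_*' }

        foreach ($key in $legacyKeys) {
            # Instance 0000 holds the DeviceDesc and Service values the
            # scanner listed; fall back to stripping the LEGACY_ prefix.
            $instPath = "$rootPath\$($key.PSChildName)\0000"
            $inst = if (Test-Path $instPath) {
                Get-ItemProperty $instPath -ErrorAction SilentlyContinue
            } else { $null }
            $svcName = if ($inst -and $inst.Service) { $inst.Service }
                       else { $key.PSChildName.Substring(7) }

            $svcPath   = "HKLM:\SYSTEM\$cs\Services\$svcName"
            $svcExists = Test-Path $svcPath
            $imagePath = if ($svcExists) {
                (Get-ItemProperty $svcPath -ErrorAction SilentlyContinue).ImagePath
            } else { $null }

            [pscustomobject]@{
                ControlSet    = $cs
                LegacyKey     = $key.PSChildName
                Service       = $svcName
                DeviceDesc    = if ($inst) { $inst.DeviceDesc } else { $null }
                ServiceExists = $svcExists
                ImagePath     = $imagePath
            }
        }
    }
}

# Orphaned entries: a LEGACY_* key whose service definition is missing.
# A live entry with an ImagePath you do not recognise deserves a look too.
Get-LegacyServiceEntry |
    Where-Object { -not $_.ServiceExists } |
    Sort-Object ControlSet, LegacyKey |
    Format-Table -AutoSize
```

An orphaned LEGACY_* key is inert on its own; the finding worth acting on is a LEGACY_* entry whose service still exists and points at an unexpected binary.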

pskelley
2006-08-27, 13:47
Thanks David for that information and the feedback. I knew we needed to get information from NTL about what they were finding. I will save the tool in case anyone else has the same issue.

Here is some great information from Tony Klein, Texruss, ChrisRLG and Grinler to help you stay clean and safe online:
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

System Restore does not know the good files from the bad. In case bad stuff has gotten into your System Restore files, follow the instructions in this link to get clean System Restore files. Turn it off, reboot then turn it back on:
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039?Open&src=sec_doc_nam

Cheers...tashi:) may close this topic when time permits.

Thanks...pskelley
Safer Networking Forums
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.

tashi
2006-08-31, 06:19
As the problem appears to be resolved this topic has been archived.

If you need it re-opened please send me or your helper a private message (pm) and provide a link to the thread; this applies only to the original topic starter.

Glad we could help.