Unable to fix "Command Service"



malectro
2005-12-03, 03:44
Hi,
I ran spybot and it found 3 problems called "Command Service." It was able to fix one, but the other two were untouchable. It then told me to restart my computer so that spybot could run on startup. After doing this, it again failed to remove the problems.
I'm not experiencing any serious problems with my computer, but is this something that I should be worried about?

dadkins
2005-12-03, 05:45
I have these as well, haven't tried to Fix them yet...


EDIT: TrojanHunter, spysweeper, a2 all add this registry entry, probably more security apps also.
mchInjDrv (Mad code hook injection driver)
Malware can use it, but if you use any of the above security apps, then it's a false positive.

The_Ulcer
2005-12-03, 06:33
Hi,
I ran spybot and it found 3 problems called "Command Service." It was able to fix one, but the other two were untouchable. It then told me to restart my computer so that spybot could run on startup. After doing this, it again failed to remove the problems.
I'm not experiencing any serious problems with my computer, but is this something that I should be worried about?

I've had this same problem crop up today. Never seen it before, but Spybot keeps showing it to me, even after letting it "fix" the problems (two, in my case). I've used another sweeper as well, which came out negative, and my routine Norton AV sweep also came up negative.

I'm using Spybot 1.3, and I just updated earlier today; I'm wondering if there was something blinky in the latest detection file, leading to the false positive?:confused:

The_Ulcer
2005-12-03, 06:36
I have these as well, haven't tried to Fix them yet...


EDIT: TrojanHunter, spysweeper, a2 all add this registry entry, probably more security apps also.
mchInjDrv (Mad code hook injection driver)
Malware can use it, but if you use any of the above security apps, then it's a false positive.

Spysweeper, eh? That just might explain it. But...I've been using Spysweeper in combination with Spybot for at least a year: why a false positive only now?

malectro
2005-12-03, 08:12
False positive? I guess I won't worry about it unless something else comes up.
Thanks for the info.

mmagnotte
2005-12-18, 20:56
I likewise have found 3 instances of the Command Service trojan. They are located in the registry. 2 of the entries are buried so deep and are in memory that even if I boot in safe mode they cannot be removed. Does anyone have any ideas on how to eliminate this problem? The software itself seems to disable any popup blocker or is inducing its own popup generator. (I think the latter is what's really happening since all the popups are related to registry cleaner and other optimizing type software - from publishers whose authenticity or at least ethics is highly questionable)

Any advice on how to go about and resolve this problem?

md usa spybot fan
2005-12-18, 21:30
mmagnotte:

Have you downloaded and run a scan with the latest detection updates (2005-12-16)? There was a false positive for Command Service: Settings starting with the 2005-12-05 updates. See this thread:
Command Service: mchInjDrv in HKLM:CurrentControlSet
http://forums.spybot.info/showthread.php?t=774

According to thomcats (http://forums.spybot.info/member.php?u=1742) in the following post the false positive(s) appear to have been resolved with the 2005-12-16 updates:
http://forums.spybot.info/showpost.php?p=4558&postcount=11
If you have the 2005-12-16 updates (Spybot > Help > About) and are still getting detections for the "Command Service" malware, please run another scan/fix. Then right click on the results list, select "Copy results to clipboard" and paste the clipboard into a new post so that we can see the actual detections that you are getting.

bitman
2005-12-18, 22:16
Just to clarify this a bit, I believe the instances of: "Command Service: mchInjDrv in HKLM:CurrentControlSet" can be a false positive when certain anti-malware applications that also contain these entries are installed. Due to the fact that these couldn't be safely differentiated from the versions included with some malware, Team Spybot made the decision to remove the detection of the mchInjDrv (Mad code hook Injection Driver) from the product.

What this means is that the mchInjDrv component itself won't be detected, but as I understand it, this is simply a support module anyway and has no real mal-intent by itself. The Command Service Product detection(s) still exist in the 12-16-05 update, so the malware components themselves are still detected and removed by Spybot S&D.

Please proceed as requested by md usa spybot fan in his post above to confirm your situation.

<<< Edit >>> fixed detections date, I'm only a month behind.

jester917
2005-12-19, 19:43
I've tried everything to remove Command Service: ran in safe mode (could not remove), ran HijackThis and cwshredder.exe and couldn't find the files. Only Spybot seems to be able to detect this. Yes, I do have the latest updates (12/16/05). I have also tried going into the registry to delete the directories but it would not let me. This is really frustrating. Here is the log:
--- Search result list ---
Command Service: Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cmdService

Command Service: Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\cmdService

I've gone into ControlSet001 and the other control set, yet I cannot remove it for the life of me. Please comment and help!
j

ardent enthusiast
2005-12-19, 20:26
My roommate's computer is having the same problem. Command service keeps showing up as spyware, but Spybot can never remove it.

Additionally, all sorts of "CoolWWWSearch" type stuff keeps showing up. His home page keeps getting taken over and being changed to "About:blank". Changing it back only works for the one time you have that browser open. Close it, and the homepage resets to "about:blank".

He's also receiving popups and security garbage from "Spyfighter." In fact, when I try to uninstall the "homepage" (it has a link for it in the top right), I'm taken to a page trying to sell me "Spyfighter".

Finally, I've run Spybot three times while typing this. Despite only being on this page, Spybot keeps finding the "Coolwwwsearch" over and over. I'm told it's successfully removing the items, but the very next scan "Coolwwwsearch" items show up again.

rene
2005-12-20, 10:38
Hello,

When I added the detection I could delete it in Safe Mode. Do you have administrative rights? Let Spybot scan on startup in Safe Mode and try to fix the command service.
Also have a look in the windows\system32 directory. There has to be a randomized directory in which command.exe is located. Please also delete it in Safe Mode.

@ardent enthusiast. And your roommate has the latest version of Spybot S&D 1.4?


As a first solution, please upgrade your copy of Spybot-S&D to make sure you're not referring to a problem that was solved recently.
Spybot-S&D 1.4 is available. If you are using 1.3 or older, please download and install this new version.
You will find links to several download locations on our web site:
http://www.safer-networking.org/en/mirrors/index.html
Please do also update the new version as it might not contain all current detection rules.

If this doesn't solve the problem, please send us your *complete* Spybot bug report: open Spybot-S&D, let it scan, try to fix the problems (!) and then go to "Tools/View Report". Tick all 10 checkboxes you can find there (leave "Do not report disabled or known legitimate items" unchecked) and click on "View Report". Now choose "Export" and save the file to your desktop. Then attach it to your email and send it again to detections(at) spybot.info.

rene

henry67884
2005-12-20, 18:15
My roommate's computer is having the same problem. Command service keeps showing up as spyware, but Spybot can never remove it.

Additionally, all sorts of "CoolWWWSearch" type stuff keeps showing up. His home page keeps getting taken over and being changed to "About:blank". Changing it back only works for the one time you have that browser open. Close it, and the homepage resets to "about:blank".

He's also receiving popups and security garbage from "Spyfighter." In fact, when I try to uninstall the "homepage" (it has a link for it in the top right), I'm taken to a page trying to sell me "Spyfighter".

Finally, I've run Spybot three times while typing this. Despite only being on this page, Spybot keeps finding the "Coolwwwsearch" over and over. I'm told it's successfully removing the items, but the very next scan "Coolwwwsearch" items show up again.

I have the same problem too. Did you ever find a way to fix it?

ardent enthusiast
2005-12-21, 01:11
Hello,

When I added the detection I could delete it in Safe Mode. Do you have administrative rights? Let Spybot scan on startup in Safe Mode and try to fix the command service.
Also have a look in the windows\system32 directory. There has to be a randomized directory in which command.exe is located. Please also delete it in Safe Mode.

@ardent enthusiast. And your roommate has the latest version of Spybot S&D 1.4?

rene

I have him up and running now. SpyBot definitely helped, and it was S&D 1.4. Unfortunately for my poor roommate, he had never really scanned his computer for viruses. I downloaded McAfee for him and we found quite a few infected files.

We're just about all clean now. SpyBot doesn't find anything at all, McAfee says we're clean, but SpyFighter continues to pop up. It's interesting to say the least. His Windows security center starts to flash saying something along the lines of "there may be viruses on your computer" and to click it. When it's clicked it tries to take you to spyfighter.com.

Additionally, when he's away from the computer for a while, he'll come back to a "Warning: Windows Firewall detected suspicious network activity on your computer. Malicious software codes try to steal your privacy information, such as credit card numbers, electronic mail accounts, financial data or passwords. Do you want to learn how to protect your computer?"

Again, it takes him to the spyfighter.com thing. The browser it brings up "looks" legit. It looks like a standard help file. I'm a little puzzled on how to remove that from the computer.

tashi
2005-12-22, 18:19
Hello ardent enthusiast.

Re: Spyfighter: rogue_anti-spyware (http://www.spywarewarrior.com/rogue_anti-spyware.htm#notes)

His Windows security center starts to flash saying something along the lines of "there may be viruses on your computer" and to click it. When it's clicked it tries to take you to spyfighter.com.
Sounds like a hijack but best way to find out is for you to do the following:

Please go here and follow instructions.
Before you post a log (http://forums.spybot.info/showthread.php?t=288)

Start a topic here:
Malware Forum (http://forums.spybot.info/forumdisplay.php?f=22)

Someone will then take a look at the system and advise you as soon as a helper is available to do so. :)

Pliang
2006-07-05, 06:15
Hey folkz, first time posting...I'm a game artist in training and I have the cmd service issue as well...I'm using 1.4 version from the download.com site...I'm currently in a hurry so are there newer updates?
Thnx

LonnyRJones
2006-07-05, 07:41
Pliang

There is usually more malware involved. Post logs in our malware section, please.

On a side note, SSD can fix Command Service fine, provided Ad-aware hasn't been run first. What it leaves behind is just an empty key with modified permissions, but it sure alarms most people.
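
Added example, not part of any post in this thread: a read-only PowerShell check for the leftover state described in the post above (an empty `cmdService` key with modified permissions), using the two registry paths from the Spybot log posted earlier. It assumes an elevated prompt; nothing is deleted or changed.

```powershell
# Added example (not from the thread): read-only inspection of the service keys
# named in the Spybot log above. Run from an elevated PowerShell prompt.
$controlSets = 'CurrentControlSet', 'ControlSet001'  # the two sets in the posted log
$serviceName = 'cmdService'                           # key name from the posted log

foreach ($set in $controlSets) {
    $path = "HKLM:\SYSTEM\$set\Services\$serviceName"
    try {
        $key = Get-Item -LiteralPath $path -ErrorAction Stop
    } catch [System.Management.Automation.ItemNotFoundException] {
        "$path : not present"
        continue
    } catch {
        # Modified permissions can deny even read access to an administrator.
        "$path : present but unreadable ($($_.Exception.Message))"
        continue
    }

    $imagePath = $key.GetValue('ImagePath')   # $null when no service binary is configured
    if ($key.ValueCount -eq 0 -and $key.SubKeyCount -eq 0) {
        "$path : empty key (no values, no subkeys), a leftover rather than a live service"
    } else {
        "$path : $($key.ValueCount) value(s), $($key.SubKeyCount) subkey(s), ImagePath = $imagePath"
    }

    try {
        # The ACL shows who owns the key and which rules block deletion.
        $acl = Get-Acl -Path $path -ErrorAction Stop
        "  owner: $($acl.Owner)"
        foreach ($rule in $acl.Access) {
            "  {0,-5} {1} -> {2}" -f $rule.AccessControlType, $rule.IdentityReference, $rule.RegistryRights
        }
    } catch {
        "  ACL unreadable: $($_.Exception.Message)"
    }
}
```

A key that still has an `ImagePath` value points at a service binary and is a reason to post logs in the malware forum as the helpers ask, not to treat the detection as a harmless leftover.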

Pliang
2006-07-05, 18:26
Logs as in the scan results and removal results?

tashi
2006-07-05, 18:45
Hello :)

Follow the instructions in this sticky topic:
BEFORE you post and who will advise you. Preliminary Steps (http://forums.spybot.info/showthread.php?t=288)

Start your own topic here:
Malware Forum (http://forums.spybot.info/forumdisplay.php?f=22)

KannedFarU
2006-09-04, 16:23
Alright, I had command service on my computer forever, and I didn't really bother to kill it cause it wasn't doing much, but me being a neat freak eventually decided that it was high time I killed it. This worked for me and if it doesn't work for you then don't complain to me. Also, here's a huge precaution, if you don't trust this information then don't touch it, I have no responsibility on your PC, I'll give you my word though, I don't use virus removal software because I do it manually, and have been doing it manually for many years. Anyways..
Removed:

It turns out that the command service makes many many randomized entities in your registry. This is why nothing seems to be able to pick up on it and kill it, except for some of the more advanced spyware removers. Anyways, I used this method after doing some tinkering around so I don't know if that tinkering requires to be done before hand all I know is that my spyware detection software doesn't see it anymore, only immediately after I did the above steps. If you think you need to perform a pre-step to my above steps then:
Removed

If this worked extremely well for you then do yourself a favor and delete all of the retarded anti spyware/virus software. Because virus hunting manually frees up RAM for more important things like oblivion or half-life 2. I just use detection software so I don't have to spend 2 hours everyday looking over my system32 folder and what not. Also, if you're having trouble removing things that are in your system32 folder, don't be afraid to use your LEGAL COPY of windows xp cd and boot your computer on the cd, then use the recovery console to gain ultimate cosmic power over your system32 folder. But very much like playing god you better know what you're doing or you might find your computer not able to load windows. lol

tashi
2006-09-04, 17:31
If this worked extremely well for you then do yourself a favor and delete all of the retarded anti spyware/virus software.
You think?
So how did I get infected in the first place? By Tony Klein (http://forums.spybot.info/showthread.php?t=279)



But very much like playing god you better know what you're doing or you might find your computer not able to load windows. lol

We have this sticky topic BEFORE you post and who will advise you. Preliminary Steps (http://forums.spybot.info/showthread.php?t=288) which I linked to above and which states:


Only authorized helpers may assist in the removal of malware.
Helpers, Warriors, Experts and Team Spybot.
For good reason.

Indeed we do our best to assist in the safe removal of malware and avoid anyone having to re-install Windows.

Regards.

KannedFarU
2006-09-05, 03:49
You better find a better way to inform people of the rules, because you guys are one of millions, and I've already enrolled myself into at least 20 different forums and am sick of reading everyone's little rules. The idea of me having to click on some stupid topic and read through a whole paragraph is a waste of time. If people are asking for help from complete strangers I'm sure they have already meditated on the fact that their chances of getting a helping answer is 50/50. So I don't understand why me, someone who knows a lot about computers, can't help someone who's having a problem with malware and your own people haven't done anything to solve their problem.

tashi
2006-09-05, 04:25
Have a nice day. :)

lerlovesjc26
2007-06-20, 00:42
I've tried everything to remove Command Service: ran in safe mode (could not remove), ran HijackThis and cwshredder.exe and couldn't find the files. Only Spybot seems to be able to detect this. Yes, I do have the latest updates (12/16/05). I have also tried going into the registry to delete the directories but it would not let me. This is really frustrating. Here is the log:
--- Search result list ---
Command Service: Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cmdService

Command Service: Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\cmdService

I've gone into ControlSet001 and the other control set, yet I cannot remove it for the life of me. Please comment and help!
j

How do you "go into the controlsets"? I need to get rid of Command Service too!

tashi
2007-06-20, 07:12
Hello lerlovesjc26.

If you can find the file/s, please zip and send to: detections(AT)spybot.info (Replace AT with @)

Also produce a complete Spybot bug report:

Open Spybot-S&D and start a scan ("check for problems"). After the scan, right-click in the results field and choose either "Save full report to file..." or "Copy full report to clipboard".
Include that in the email.

Then follow the procedure in this link: "BEFORE you POST"(READ this Procedure before Requesting Assistance) (http://forums.spybot.info/showthread.php?t=288) and start your own thread in the Malware Removal Forum. (http://forums.spybot.info/forumdisplay.php?f=22)

Cheers.