
Thread: Command Service

  1. #1 Junior Member (Join Date: Jan 2006, Posts: 10)

    Command Service

    Hello,
    My PC was recently infected with a trojan/virus called drsmartload which was carried by something called ErrorSafe. SpyBot identified this, DSO Exploit and something called Command Service (I don't know what this is!). I seem to have successfully got rid of drsmartload and DSO Exploit but I'm unable to get rid of Command Service from the 3 registry keys that are identified. SpyBot identifies them, tells me it has been able to delete one of the keys (the 003 key) but says it is unable to delete the other 2 as they may be in use as part of the memory. When I reboot and SpyBot checks again, it identifies all 3 as being back! These are the results.

    Command Service
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\cmdServices
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\cmdServices
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cmdServices

    My system is XP with SP2. I use Avast AntiVirus, SpywareBlaster, AdAware SE, Registry Mechanic (free version) and I have just downloaded Ewido. The only application which identifies Command Service is SpyBot.
    Is it Malware\Spyware\Trojan\Virus? If so, could someone please advise me how to get rid of it?
    I'm not very techie and it has taken me a week to get this far, so any help in solving this one would be very much appreciated.
    Thanks in advance.

  2. #2 Junior Member (Join Date: Jan 2006, Posts: 10)

    My apologies, I have just been browsing around some of your other forums and did a search in the SpyBot forum for Command Service and found the answers to my question above. :o
    It seems like it is a false positive (I'm off to find out what that is).
    The last week certainly has been a learning curve for me about the workings of PCs.
    Keep up the good work people.

  3. #3 Junior Member (Join Date: Jan 2006, Posts: 10)

    Me again :o
    I'm not so sure it is a false positive having read this:

    "It is a false positive unless a 020 cmdservice command.exe is also present"
    and the ending of my alerts did not end in "mchInjDrv".
    I am confused, could someone please address my original question above.
    I have all the latest downloads for all my applications.
    Thanks.

  4. #4 Junior Member (Join Date: Jan 2006, Posts: 10)

    Hello again, please find my HijackThis report below. Thanks.

    Logfile of HijackThis v1.99.1
    Scan saved at 17:19:19, on 09/01/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\Program Files\ewido anti-malware\ewidoctrl.exe
    C:\Program Files\ewido anti-malware\ewidoguard.exe
    C:\WINDOWS\system32\pctspk.exe
    C:\WINDOWS\system32\ZONELABS\vsmon.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\WINDOWS\system32\wpabaln.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://bbc.co.uk/
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    O4 - HKLM\..\Run: [VTPreset] VTPreset.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [CnxDslTaskBar] C:\Program Files\Telefonica Kit ADSL USB\CnxDslTb.exe
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [Spyware Cleaner] "C:\Program Files\Spyware Cleaner\SpywareCleaner.Exe" /boot
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsof...?1136039374688
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1136039326288
    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/v...fo/webscan.cab
    O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/pro...anner37500.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{81337949-BA04-41E8-8B74-B9731395733F}: NameServer = 80.58.0.33,80.58.32.97
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
    O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
    O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
    O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe

  5. #5 Security Expert-Emeritus (Join Date: Oct 2005, Posts: 5,025)

    Hi Kabeja
    I suggest you uninstall this program via Add/Remove Programs, then delete its folder
    C:\Program Files\Spyware Cleaner

    There will be a correction soon to target cmdServices correctly. You can either wait or, if you're familiar with regedit, we can delete it manually?
    It's only a leftover, I believe.

  6. #6 Junior Member (Join Date: Jan 2006, Posts: 10)

    Hello,
    I have already identified and removed Spyware Cleaner from my system with SpyBot and removed the relevant files.
    Command Service still remains and I have tried to do it manually via regedit but with no luck; as I said earlier, SpyBot manages to get rid of the 03 string but on reboot it's all back! Having said that, it does not seem to be posing too much of a problem (unless it can be used by malicious code to enter the system?). Could you tell me what it is a leftover from?
    If you know a way of removing it manually using regedit, I would be willing to give it a go.
    Many thanks.

  7. #7 Security Expert-Emeritus (Join Date: Oct 2005, Posts: 5,025)

    Hi

    Command Service is an advertising company.

    It's not in your HijackThis log, so it is not active.

    What happens when you attempt to delete cmdservice manually using regedit? Error message?

  8. #8 Junior Member (Join Date: Jan 2006, Posts: 10)

    Hello,
    No, not an error message but a Warning window. It says:

    Some problems couldn't be fixed; the reason could be that the associated files are still in use (in memory).
    This could be fixed after a restart.
    May Spybot-S&D run on your next system startup?......Y/N

    Spybot fixes the 03 string but on reboot it cannot get rid of CommandService. Usually the 03 string is still not there at this point, but after using the PC for a while it is there when I run a Spybot check!

    When I try to fix it manually using regedit, it is actually in a sub folder of cmdServices called Enum, and when I try to delete it from this I get an "Error deleting values" message which says... Unable to delete all specified values.

    Hope this is of some use to you.
    Thanks.

  9. #9 Security Expert-Emeritus (Join Date: Oct 2005, Posts: 5,025)

    Hi

    Could you export and post the cmdservice key from CurrentControlSet:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cmdService

    Open regedit and navigate to the cmdservice key
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cmdService
    If you have trouble deleting a key, click once on the key name to highlight it and right-click > Permissions. Then make sure you are Administrator and give yourself Full Control of that key: place a check next to Allow Full Control (if it's not there already).
    You might need to click Advanced and place a check next to [x] Inherit from parent the permissions that apply to child objects. Click Apply, then OK until you're back at the suspect service key, right-click and delete the key.
    Close the registry editor when done.
    You might need to change permissions on the cmdservice\enum key.

    It's only necessary to have deleted the bad key under CurrentControlSet, but
    if these are present we might as well delete them also.
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\cmdService
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\cmdService
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\cmdService
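    The permissions-then-delete procedure in the post above, together with the "not active" check from post #7 and the "is the executable still present" rule quoted in post #3, written out as a PowerShell script. This is an added example, not code from the thread, Spybot or HijackThis, and it is written for a current Windows PowerShell rather than the XP machine in the thread. It assumes the key is called cmdService (the thread spells it both cmdService and cmdServices, so pass whatever regedit actually shows), the backup folder is an arbitrary choice, and it must be run from an elevated prompt.

```powershell
# Added example (not code from the thread, Spybot or HijackThis): triage a leftover
# service key and, on request, remove it from every control set. Run from an
# elevated PowerShell prompt. The key name is an assumption: the thread spells it
# both "cmdService" and "cmdServices", so pass whichever regedit actually shows.
param(
    [string] $ServiceName = 'cmdService',
    [string] $BackupDir   = "$env:USERPROFILE\Desktop\regbackup",   # assumed location
    [switch] $Remove      # without -Remove the script only reports
)

$ErrorActionPreference = 'Stop'
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

# 1. Is there a live service object at all? This is the "not active" check from post #7:
#    a service the Service Control Manager knows about shows up here even when no process runs.
$svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
if ($svc) { "Service '$ServiceName' is registered, status: $($svc.Status)" }
else      { "No service object named '$ServiceName' is registered" }

# 2. CurrentControlSet is only a link; HKLM\SYSTEM\Select says which ControlSet00N it is.
$sel = Get-ItemProperty -Path 'HKLM:\SYSTEM\Select'
'CurrentControlSet -> ControlSet{0:D3}, LastKnownGood -> ControlSet{1:D3}' -f $sel.Current, $sel.LastKnownGood

# 3. Walk the real ControlSet00N keys (CurrentControlSet would just repeat one of them).
$sets = Get-ChildItem -Path 'HKLM:\SYSTEM' | Where-Object { $_.PSChildName -match '^ControlSet\d{3}$' }
foreach ($cs in $sets) {
    $keyPath = "HKLM:\SYSTEM\$($cs.PSChildName)\Services\$ServiceName"
    if (-not (Test-Path -Path $keyPath)) { "$keyPath : absent"; continue }

    # What does the key point at? The false-positive rule quoted in post #3 turns on
    # whether the service's executable is still there, so resolve ImagePath and test it.
    # (Heuristic: driver-style paths such as \??\... or .sys files simply report $false.)
    $props = Get-ItemProperty -Path $keyPath
    $image = [string]$props.ImagePath
    $targetExists = $false
    if ($image) {
        # "C:\path with spaces\x.exe" /args -> take the quoted part; otherwise cut at .exe
        $exe = if ($image -match '^"([^"]+)"') { $Matches[1] } else { $image -replace '^(.*?\.exe).*$', '$1' }
        $targetExists = Test-Path -LiteralPath ([Environment]::ExpandEnvironmentVariables($exe))
    }
    "$keyPath : present, Start=$($props.Start), ImagePath=[$image], target exists=$targetExists"

    if (-not $Remove) { continue }

    # Back up first; this is the same data the expert asked to have exported and posted.
    $dump = Join-Path -Path $BackupDir -ChildPath ('{0}_{1}.reg' -f $cs.PSChildName, $ServiceName)
    & reg.exe export "HKLM\SYSTEM\$($cs.PSChildName)\Services\$ServiceName" $dump /y | Out-Null

    # Grant the current user Full Control on the key and every subkey (Enum included):
    # the scripted form of the Permissions > Full Control > inherit-to-children steps.
    $me   = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
        $me, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    foreach ($k in @(Get-Item -Path $keyPath) + @(Get-ChildItem -Path $keyPath -Recurse)) {
        $acl = Get-Acl -Path $k.PSPath
        $acl.SetAccessRule($rule)
        Set-Acl -Path $k.PSPath -AclObject $acl
    }

    Remove-Item -Path $keyPath -Recurse -Force
    "$keyPath : deleted (backup: $dump)"
}
```

    Run it once without -Remove to get the report (is a service object registered, which control set is current, which sets still carry the key, and whether ImagePath points at a file that exists), then again with -Remove to back up and delete. Two caveats a practitioner would want: the script only adds an access rule, so if the account does not even own the key, take ownership first through regedit's Permissions > Advanced > Owner, exactly as the expert describes; and because CurrentControlSet is a link to the ControlSet00N named in HKLM\SYSTEM\Select\Current, deleting the key there and under that ControlSet00N is one and the same operation, while Windows refreshes the LastKnownGood set from the current one after a successful boot, which is one way a key removed from only one set can turn up again in another. The Enum subkey is maintained by the Plug and Play manager and usually carries its own tighter ACL, which is why deleting its individual values fails while a recursive delete of the whole service key, with Full Control applied to every subkey first, succeeds.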

  10. #10 Junior Member (Join Date: Jan 2006, Posts: 10)

    Hello again,
    I followed your instructions and changed permissions. I then found the CurrentControlSet\cmdService key and this time it let me delete it. I then checked the 01\02\03 keys but they had gone already. I did not need to change permission on the cmdService\EDUM key.
    I then ran another Spybot check and the CommandService reappeared, but when I checked them this time all three keys were deleted by Spybot.
    I then rebooted the PC and ran another Spybot check and this time it came back as "no immediate threats found".
    It appears CommandService has gone. :o)
    Do I need to reset the permissions back to where they were previously?
    Many, many thanks for all your patience and help, keep up the good work.
    Gratefully yours,
    Kabeja.
