Thread: Why spybot will not remove cmdService on my machine.

  1. #1
    Junior Member
    Join Date
    Apr 2006
    Posts
    12

    Why Spybot will not remove cmdService on my machine.

    I found, after extensively looking around the internet, that cmdService edits its registry permissions to protect itself from automatic or manual deletion, because full control over the key was removed by the Command Service.

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cmdService
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\cmdService
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\cmdService

    To remove these keys using Regedit, what I needed to do was change the permissions on these keys, enabling Administrator full control over them.

    By right-clicking on the key:
    [select Permissions], then click on Administrator or the account you're using, Full Control, Apply, OK.


    Or alternatively, this can be done using Safer Networking's RegAlyzer.

    By right-clicking on the key:
    [select "grant full permissions to everyone in this folder"]


    Then, for both Regedit and RegAlyzer:
    delete the keys using the editor, or run Spybot again.


    Is there any way that Spybot could automatically detect spyware registry keys preventing removal in this way?


    As only Spybot and Trend anti-spyware detected them, neither of which could remove them.

    [Microsoft Defender and Ad-Aware didn't even detect them as at 20/04/06 am]
    Last edited by Tommie; 2006-04-21 at 01:45. Reason: After more testing....
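
    As an added example (not Tommie's procedure, nor Spybot's or Safer Networking's own code), the same permissions check and fix as a PowerShell script: it audits the service key's ACL for Deny entries and for a missing Administrators Full Control grant, and with -Restore takes ownership and re-grants it, which is what the Regedit steps above do by hand. It assumes an elevated PowerShell session on a current Windows; the service name cmdService is the one from the post.

```powershell
param(
    [string]$ServiceName = 'cmdService',   # key name from the post; any service key works
    [switch]$Restore                        # without -Restore the script only reports
)
$ErrorActionPreference = 'Stop'
$subKey = "SYSTEM\CurrentControlSet\Services\$ServiceName"
$admins = [System.Security.Principal.NTAccount]'BUILTIN\Administrators'
$full   = [System.Security.AccessControl.RegistryRights]::FullControl

# Open the key with only the rights needed to read (and, with -Restore, rewrite) its
# security descriptor, so a DACL that blocks normal access does not block the audit.
$rights = [System.Security.AccessControl.RegistryRights]::ReadPermissions
if ($Restore) {
    $rights = $rights -bor [System.Security.AccessControl.RegistryRights]::ChangePermissions `
                      -bor [System.Security.AccessControl.RegistryRights]::TakeOwnership
}
$key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($subKey,
        [Microsoft.Win32.RegistryKeyPermissionCheck]::Default, $rights)
if (-not $key) { Write-Output "HKLM\$subKey not present."; return }

$acl   = $key.GetAccessControl()
$rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])
$denies    = @($rules | Where-Object { $_.AccessControlType -eq 'Deny' })
$adminFull = @($rules | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.IdentityReference.Value -eq 'BUILTIN\Administrators' -and
    ($_.RegistryRights -band $full) -eq $full })

Write-Output "HKLM\$subKey  Owner: $($acl.GetOwner([System.Security.Principal.NTAccount]))"
Write-Output "  Deny entries: $($denies.Count)  Administrators FullControl: $($adminFull.Count -gt 0)"
$denies | ForEach-Object { Write-Output "  DENY $($_.IdentityReference) $($_.RegistryRights)" }

if ($Restore -and ($denies.Count -gt 0 -or $adminFull.Count -eq 0)) {
    # Take ownership (needs an elevated admin, i.e. SeTakeOwnershipPrivilege), then drop
    # the Deny entries and grant Administrators full control: the Regedit fix from the post.
    $ownerAcl = $key.GetAccessControl([System.Security.AccessControl.AccessControlSections]::Owner)
    $ownerAcl.SetOwner($admins)
    $key.SetAccessControl($ownerAcl)
    foreach ($d in $denies) { $null = $acl.RemoveAccessRule($d) }
    $acl.SetAccessRule((New-Object System.Security.AccessControl.RegistryAccessRule(
        $admins, $full, 'ContainerInherit', 'None', 'Allow')))
    $key.SetAccessControl($acl)
    Write-Output "  Permissions restored; the key can now be deleted in Regedit or by the scanner."
}
$key.Close()
```

    Run it once without -Restore on each of the ControlSet keys listed in the post to see which ones carry Deny entries before changing anything.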

  2. #2
    Junior Member
    Join Date
    Apr 2006
    Posts
    12

    Report back:

    I'm running Windows 2003 Server; I was wondering if there were any differences in fixing this on any other systems, particularly in Regedit. Can someone please report back if their experiences differ from mine.
    Last edited by Tommie; 2006-04-21 at 01:34.

  3. #3
    Member of Team Spybot
    Join Date
    Oct 2005
    Location
    USA
    Posts
    30,961

    Hello.

    Would you like to post an HJT log in the malware forum?

    Preliminary Steps BEFORE you post a log, and who will advise you.

    Start a topic here:
    Malware Forum

    Cheers.
    Microsoft MVP Reconnect 2018-
    Windows Insider MVP 2016-2018
    Microsoft Consumer Security MVP 2006-2016

  4. #4
    Junior Member
    Join Date
    Apr 2006
    Posts
    12

    I would do, but I figured out how to remove the spyware midway through writing this post originally... hence why it was moved from the malware forum {and still has a link from there}.

    So there's not much point in posting a log which displays no spyware on my machine. But here's for ***** and giggles:

    Logfile of HijackThis v1.99.1
    Scan saved at 16:11:05, on 21/04/2006
    Platform: Windows 2003 SP1 (WinNT 5.02.3790)
    MSIE: Internet Explorer v6.00 SP1 (6.00.3790.1830)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\CPQNiMgt\CPQNIMGT.EXE
    C:\WINDOWS\system32\CpqRcmc.exe
    C:\WINDOWS\system32\cpqmgmt\CqMgServ\CqMgServ.EXE
    C:\WINDOWS\system32\cpqmgmt\cqmgstor\cqmgstor.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\inetsrv\inetinfo.exe
    C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
    C:\compaq\survey\Surveyor.EXE
    E:\Program Files\UWIN\usr\etc\ums.exe
    E:\Program Files\UWIN\usr\etc\init.exe
    E:\Program Files\VMware\VMware Server\vmware-authd.exe
    E:\Program Files\VMware\VMware Server\vmserverdWin32.exe
    C:\WINDOWS\system32\vmnat.exe
    C:\Program Files\NetDrive\wdService.exe
    C:\WINDOWS\system32\cpqmgmt\CqMgHost\CQMGHOST.EXE
    C:\WINDOWS\system32\sysdown.exe
    C:\WINDOWS\system32\vmnetdhcp.exe
    C:\WINDOWS\System32\svchost.exe
    E:\Program Files\UWIN\usr\etc\inetd.exe
    E:\Program Files\UWIN\usr\lib\cs\tcp\at\at.svc
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Sophos\AutoUpdate\ALMon.exe
    C:\Program Files\Trend Micro\Tmas\Tmas.exe
    C:\WINDOWS\system32\wbem\wmiapsrv.exe
    C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/hardAdmin.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk/news
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - Global Startup: AutoUpdate Monitor.lnk = C:\Program Files\Sophos\AutoUpdate\ALMon.exe
    O4 - Global Startup: Trend Micro Anti-Spyware.lnk = C:\Program Files\Trend Micro\Tmas\Tmas.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {38F5F92F-BD40-40DF-A569-6C1FCB638190} (InSPECS3_0 Control) - http://www.powerleap.com/cab_files/InSPECS3_0.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1141861246216
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1143199033522
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O20 - Winlogon Notify: dimsntfy - C:\WINDOWS\SYSTEM32\dimsntfy.dll
    O23 - Service: Compaq NIC Agents (CPQNicMgmt) - Compaq Information Technologies Group, L.P. - C:\WINDOWS\System32\CPQNiMgt\CPQNIMGT.EXE
    O23 - Service: Compaq Remote Monitor Service (CpqRcmc) - Compaq - C:\WINDOWS\system32\CpqRcmc.exe
    O23 - Service: Compaq Foundation Agents (CqMgHost) - Compaq Computer Corp. - C:\WINDOWS\system32\cpqmgmt\CqMgHost\CQMGHOST.EXE
    O23 - Service: Compaq Server Agents (CqMgServ) - Compaq Computer Corp. - C:\WINDOWS\system32\cpqmgmt\CqMgServ\CqMgServ.EXE
    O23 - Service: Compaq Storage Agents (CqMgStor) - Compaq Computer Corp. - C:\WINDOWS\system32\cpqmgmt\cqmgstor\cqmgstor.exe
    O23 - Service: Sophos Anti-Virus status reporter (SAVAdminService) - Sophos plc - C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
    O23 - Service: Sophos Anti-Virus (SAVService) - Sophos plc - C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
    O23 - Service: Sophos AutoUpdate Service - Sophos plc - C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
    O23 - Service: Surveyor - Compaq Computer Corp. - C:\compaq\survey\Surveyor.EXE
    O23 - Service: Compaq System Shutdown Service (sysdown) - Compaq Computer Corporation - C:\WINDOWS\system32\sysdown.exe
    O23 - Service: Uwin Master (UWIN_MS) - Unknown owner - E:\Program Files\UWIN\usr\etc\ums.exe
    O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - E:\Program Files\VMware\VMware Server\vmware-authd.exe
    O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
    O23 - Service: VMware Registration Service (vmserverdWin32) - VMware, Inc. - E:\Program Files\VMware\VMware Server\vmserverdWin32.exe
    O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe
    O23 - Service: WebDrive Service (WebDriveService) - Unknown owner - C:\Program Files\NetDrive\wdService.exe

    Moved to malware forum, no HJT logs elsewhere.

  5. #5
    Member of Team Spybot
    Join Date
    Oct 2005
    Location
    USA
    Posts
    30,961

    Hi
    I will ask Lonny to address the questions you posted above.

  6. #6
    Security Expert-Emeritus
    Join Date
    Oct 2005
    Posts
    5,025

    Looks fine. The reason we wanted to see a log is because Look2Me is usually involved; I think it is what modifies permissions. cmdService has never changed perms that I have seen.

    Any other questions or problems ?

  7. #7
    Junior Member
    Join Date
    Apr 2006
    Posts
    12

    Quite interesting, I'm not sure Look2Me was bundled with it....

    It was just annoying that it took a while to figure out how to remove it.

  8. #8
    Security Expert-Emeritus
    Join Date
    Oct 2005
    Posts
    5,025

    I'm glad we could help.

    If you should need to post another log for the same PC, let me or Tashi know.
