2 lingering Command Service entries to remove

Actually, when I run Spybot now, it still shows that I have 3 Command Service entries still present in the registry........looks like I still need help!
 
Should also add though that popups are NOT present and nothing on taskbar either........are these just stray things that need to be manually deleted from the registry?
 
Ok.. Please try delreg.bat again.. I know we ran it earlier but maybe something else was interfering at that time

Please download delcmdservice (by Marckie), and save it to your Desktop.
  • Unzip the content to your Desktop (a folder named delcmdservice)
  • Double-click on the delcmdservice folder
  • Double-click on delreg.bat to launch the tool
  • When the tool has finished, please reboot your computer.

Any better now?
 
Tried that and still nothing, those entries still exist in the registry....but they appear to be inactive or damaged or something. I searched the registry where they are and tried to manually delete them, but I couldn't, said I could not delete them....?

Below is the partial results from spybot as to where exactly those registry entries are. And in the folder below the cmdservice in the registry tree is a zip folder that can't even be accessed manually.


--- Search result list ---
Command Service: Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cmdService

Command Service: Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\cmdService

Command Service: Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\cmdService
 
Try to fix 'em with SpyBot ?

Let's try a normal regedit for removal.

Please copy the following text in the quotebox below to a blank Notepad file. Make sure the filetype is set to "All Files" and save it as Fixcmd.reg to your desktop.

REGEDIT4

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cmdService]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\cmdService]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\cmdService]

Now double-click on the Fixcmd.reg on your desktop and allow it to merge with registry by clicking YES on the prompt.

==

Now, if that didn't work, please try this.. Click Start -> Run and type in: sc delete cmdService

Hit ok.

==

Scan with SpyBot again.. Still there?
 
Still there after doing both things. First thing worked, ran spybot, still there, spybot won't remove.

Did second thing, ran spybot, still there, and spybot won't remove!
 
Well.. That is interesting.

We could try this. Download Regseeker here: http://www.snapfiles.com/get/regseeker.html

Unzip it, open the folder, double-click Regseeker.exe.

Click to 'Find in Registry'.

Check this box under a section named Keys: HKEY_LOCAL_MACHINE

Check all the boxes under a section named Search Options.

On the lower left-hand corner, check the box for Backup Before Deletion.

In the 'Search For' bar, type in: cmdService

There should be about three hits. Right-click each of them, and hit Delete Selected Items.

Close Regseeker, reboot and try running SpyBot again. Any better?
 
You're going to love this......ran that utility, seemed to work fine, and actually appeared to delete the entries. Restarted machine, ran Spybot, and they are still there, Spybot will not remove them either....
 
Wait.. Can you post a new SpyBot log? It might just be that Regseeker did remove them and now SpyBot shows their backups.
 
Sure, look at the stuff below...

Command Service: Settings (Registry key, fixing failed)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cmdService

Command Service: Settings (Registry key, fixing failed)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\cmdService

Command Service: Settings (Registry key, fixing failed)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\cmdService


--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---

 
I hope you don't mind my adding something here.

What does this mean please?
And in the folder below the cmdservice in the registry tree is a zip folder that can't even be accessed manually

A Zip folder in the registry? This is very odd. What is the name of the key you are talking about please?


May I ask you to try something else for this? Although I am not sure it is going to work.


Go to Start >run and type services.msc
Press enter
When the services console opens, scroll to the Task Scheduler entry and be sure it is running. If not double click on the entry and then start the service. If it is disabled, enable it and then start it. Close the services console.

Copy the contents of the quote box to notepad.
Name the file Delete cmdservice System priv.vbs
Save as Type: All files
Wait until the minute on the clock in systray turns over
Double click on Delete cmdservice System priv.vbs
Wait a minute or so and a black command window will open and run quickly
A file named results.txt will open
Post the contents of results.txt into your next reply here.
'Deletes the cmdservice Service Registry Entries

'Written by Mosaic1
'Use at your own risk

'Wait until the minute on the clock in systray turns over
'Double click on Delete cmdservice System priv.vbs
'Wait a minute or so and a black command window will open and run quickly
' A file named results.txt will open
'Post the contents of results.txt into your Forum post.



Dim Future, NewD ,Short,Location ,batty, present, fpath ,F , DT
Dim Current, Failed, Default, LKG , Place , R ,ImagePath ,slash

set fso = Wscript.CreateObject("Scripting.FilesystemObject")
Set Wshshell = Wscript.CreateObject("Wscript.shell")

On Error Resume next
ImagePath = Wshshell.RegRead("HKLM\SYSTEM\CurrentControlSet\Services\cmdService\ImagePath")


If fso.FileExists(ImagePath) then present = True
slash = InstrRev(ImagePath,"\")
fpath = Mid(ImagePath, 1,Slash -1)
F = fpath
If fso.FolderExists(fpAth) then fpath = true




Current = Wshshell.RegRead("HKLM\SYSTEM\Select\Current")
Current = "HKLM\System\CurrentControlSet" & "\Enum\Root\LEGACY_cmdservice"

Default = Wshshell.RegRead("HKLM\SYSTEM\Select\Default")
Default = "HKLM\SYSTEM\ControlSet00" & Default & "\Enum\Root\LEGACY_cmdservice"

On error Resume Next
Failed = Wshshell.RegRead("HKLM\SYSTEM\Select\Failed")
Failed = "HKLM\SYSTEM\ControlSet00" & Failed & "\Enum\Root\LEGACY_cmdservice"

Err.clear
LKG = Wshshell.RegRead("HKLM\SYSTEM\Select\LastKnownGood")
LKG = "HKLM\SYSTEM\ControlSet00" & LKG & "\Enum\Root\LEGACY_cmdservice"


Set batty = Fso.CreateTextFile("r.bat", false)

Set Location = fso.GetFile("r.bat")
Short = Location.ShortPath
Place = fso.GetParentFolderName(Short) & "\results.txt"
R = fso.GetParentFolderName(Short) & "\r.bat"

DT = Now

Batty.Writeline "Echo " & DT & " >>" & Place


Batty.Writeline "Echo >>" & Place


Batty.Writeline "Echo Working on HKLM\Select ,Current >>" & Place
Batty. Writeline "Echo Deleting" & Chr(32) & Current & " >>" & Place
Batty. Writeline "Reg delete" & Chr(32) & Current & Chr(32) & "/f >>" & Place & Chr(32) & "2<&1"

Current = Replace(Current,"Enum\Root\LEGACY_cmdservice" ,"Services\cmdservice")
Batty.Writeline "Echo >>" & Place

Batty. Writeline "Echo Deleting" & Chr(32) & Current & " >>" & Place
Batty. Writeline "Reg delete" & Chr(32) & Current & Chr(32) & "/f >>" & Place & Chr(32) & "2<&1"
Batty.Writeline "Echo ~~~~~~~~~~ >>" & Place



Batty.Writeline " Echo Working on HKLM\Select ,Default>>" & Place
Batty.Writeline "Echo Deleting" & Chr(32) & Default & ">>" & Place
Batty.WriteLine "Reg delete" & Chr(32) & Default & Chr(32) & "/f >>" & Place & Chr(32) & "2<&1"
Default = Replace(Default,"Enum\Root\LEGACY_cmdservice" ,"Services\cmdservice")
Batty.Writeline "Echo >>" & Place

Batty.Writeline "Echo Deleting" & Chr(32) & Default & ">>" & Place
Batty.WriteLine "Reg delete" & Chr(32) & Default & Chr(32) & "/f >>" & Place & Chr(32) & "2<&1"
Batty.Writeline "Echo ~~~~~~~~~~ >>" & Place




Batty.Writeline "Echo Working on HKLM\Select ,Failed >>" & Place
Batty.Writeline "Echo Deleting" & Chr(32) & Failed & ">>" & Place
Batty.Writeline "Reg delete" & Chr(32) & Failed & Chr(32) & "/f >>" & Place & Chr(32) & "2<&1"
Failed = Replace(Failed,"Enum\Root\LEGACY_cmdservice" ,"Services\cmdservice")
Batty.Writeline "Echo >>" & Place

Batty.Writeline "Echo Deleting" & Chr(32) & Failed & ">>" & Place
Batty.Writeline "Reg delete" & Chr(32) & Failed & Chr(32) & "/f >>" & Place & Chr(32) & "2<&1"
Batty.Writeline "Echo ~~~~~~~~~~ >>" & Place


Batty.Writeline "Echo Working on HKLM\Select ,LastKnownGood >>" & Place
Batty.Writeline "Echo Deleting " & Chr(32) & LKG & ">>" & Place
Batty.Writeline "Reg delete" & Chr(32) & LKG & Chr(32) & "/f >>" & Place & Chr(32) & "2<&1"
LKG = Replace(LKG,"Enum\Root\LEGACY_cmdservice" ,"Services\cmdservice")
Batty.Writeline "Echo >>" & Place
Batty.Writeline "Echo Deleting " & Chr(32) & LKG & ">>" & Place
Batty.Writeline "Reg delete" & Chr(32) & LKG & Chr(32) & "/f >>" & Place & Chr(32) & "2<&1"
Batty.Writeline "Echo ~~~~~~~~~~ >>" & Place


If present = True then Batty.WriteLine "echo ImagePath File found here: " & ImagePath & ">>" & Place

If present <> True then Batty.WriteLine "echo ImagePath File not found: " & ImagePath & ">>" & Place

Batty.Writeline

If fpath = True then Batty.WriteLine "echo ImagePath Folder found here: " & F & ">>" & Place

If fpath <> True then Batty.WriteLine "echo ImagePath Folder not found: " & F & ">>" & Place

Batty.Writeline "Echo >>" & Place


Batty.WriteLine "Start Notepad" & Chr(32) & Place
Batty.WriteLine "del " & R


Batty.Close

NewD = DateAdd("n" , 1, Now)
Future = FormatDateTime(NewD,3)



Wshshell.run "Cmd.exe /c" & "At" & Chr(32) & Chr(34) & Future & Chr(34) & Chr(32) & "/Interactive" & Chr(32) & Short ,vbhidden 'Set the task


Set fso = nothing
Set Wshshell = nothing
Set Location = nothing


MsgBox "Wait for the command box to run and close" & vbcrlf & "This will take a minute."


If you get a warning about a malicious script running please allow this to run. It is not malicious.


*** NOTE: This script only works on Windows XP. It is not for Win2k or 9x.


Then since it did come back after a reboot, please restart the computer and see if the entries are permanently gone again.
 
Your first question, what I mean is when I manually find the cmdService entries in the registry (regedit), in the folder that is beneath all 3 cmdService entries, there is a folder named "Zip" that I can not access....not sure what that's all about? (ie...HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cmdService\zip)

TaskScheduler was running when I did the services.msc

Restarted the machine after doing everything you said, and the 3 cmdService entries still exist as before...with that "Zip" folder beneath the "cmdservice" folder in the registry tree


Here's the contents of that txt file:

4/21/06 1:13:29 PM
ECHO is on.
Working on HKLM\Select ,Current
Deleting HKLM\System\CurrentControlSet\Enum\Root\LEGACY_cmdservice

Error: The system was unable to find the specified registry key or value
ECHO is on.
Deleting HKLM\System\CurrentControlSet\Services\cmdservice

Error: Access is denied.
~~~~~~~~~~
Working on HKLM\Select ,Default
Deleting HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_cmdservice

Error: The system was unable to find the specified registry key or value
ECHO is on.
Deleting HKLM\SYSTEM\ControlSet001\Services\cmdservice

Error: Access is denied.
~~~~~~~~~~
Working on HKLM\Select ,Failed
Deleting HKLM\SYSTEM\ControlSet000\Enum\Root\LEGACY_cmdservice

Error: The system was unable to find the specified registry key or value
ECHO is on.
Deleting HKLM\SYSTEM\ControlSet000\Services\cmdservice

Error: The system was unable to find the specified registry key or value
~~~~~~~~~~
Working on HKLM\Select ,LastKnownGood
Deleting HKLM\SYSTEM\ControlSet003\Enum\Root\LEGACY_cmdservice

Error: The system was unable to find the specified registry key or value
ECHO is on.
Deleting HKLM\SYSTEM\ControlSet003\Services\cmdservice

Error: Access is denied.
~~~~~~~~~~
ImagePath File not found:
ImagePath Folder not found:
ECHO is on.
 
Can you go into the registry and find that subkey named zip please? Right click on it and choose export.

Save as type Registry Hive Files if it will allow it. Then send the hiv file to me please at this address:

Katie_3232ATHotmail.com

Change the At to @ for the address to work.
 
That's because you don't have access to it. And therefore it is a permissions issue. You cannot remove the parent if the child is protected. It's the child and so is the reason you can't do much here.

What happens when you right click on zip and click permissions?


Can you highlight Administrators on the list and then look at the box labeled
Permissions for administrators?

See the boxes in that list?

Can you place a checkmark in Allow Full control? If so, do that and then click apply. Let me know. Then you should be able to delete the key if that worked.
 
This is just too bizarre.....when I right click on the "zip" and pick permissions, it says you do not have permission to view the current permission settings for zip but you can make permission changes.......so I click OK, and there are no permissions set for this folder, so I click "add" and then save, but it will not allow me to save it, says unable to save permissions, access denied....that's weird as I have full access rights on the network. So I log in as "administrator" on our network, and same thing, won't let me add any permissions to this folder...
 
Actually did some more messing around, changed some settings on the parent directory (cmdservice), and then was able to add myself as a user for the zip folder as a permission..........deleted the zip folder and then the parent cmdservice folder in all 3 instances in the registry.........just running spybot again to make sure it's gone, will post results when spybot has finished....
 
This has been happening more often. I feel that the subkey must be involved in these other instances as well. I have been in my own registry creating keys and subkeys with altered permissions. I had no users set at one point for the subkey and then added a user. I changed child permissions inheritance... and on and on.

Do you remember what you did to the parent key?

Adding a user and allowing full access?


I can do all kinds of things, but unless I know what this thing is really doing, it's all guesses. Thanks.
 
Yup, right click then permissions, highlighted my profile in the list, hit advanced, another box pops up, used permissions tab, highlight my profile again, hit edit, select full control, select OK, applied and saved and I was good to go....
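
The cause found in this thread, a child subkey ("zip") whose ACL blocks deletion of its parent service key in every control set, can be located with a read-only walk of the registry. The PowerShell below is an added example, not part of the original thread or any tool mentioned in it; the function name Find-LockedServiceSubkey is hypothetical, and it assumes a current Windows with PowerShell 3 or later rather than the XP machine discussed.

```powershell
# Read-only diagnostic: list keys under a service entry whose ACL cannot be read
# or that cannot be opened. Nothing is modified or deleted.
# The default service name is the one from this thread; the function name is hypothetical.
function Find-LockedServiceSubkey {
    param([string]$ServiceName = 'cmdService')

    # Check every ControlSetNNN; CurrentControlSet is only a link to one of them.
    $sets = Get-ChildItem -LiteralPath 'Registry::HKEY_LOCAL_MACHINE\SYSTEM' |
        Where-Object { $_.PSChildName -match '^ControlSet\d{3}$' }

    foreach ($set in $sets) {
        $root = "Registry::$($set.Name)\Services\$ServiceName"
        if (-not (Test-Path -LiteralPath $root)) { continue }

        # Walk the tree by hand so an unreadable child is reported instead of skipped.
        $queue = New-Object System.Collections.Queue
        $queue.Enqueue($root)
        while ($queue.Count -gt 0) {
            $path   = $queue.Dequeue()
            $status = 'ok'
            $owner  = $null
            try {
                # Fails with an access error when the caller may not read the ACL.
                $owner = (Get-Acl -LiteralPath $path -ErrorAction Stop).Owner
            } catch {
                $status = 'cannot read ACL: ' + $_.Exception.Message
            }
            try {
                $key = Get-Item -LiteralPath $path -ErrorAction Stop
                foreach ($name in $key.GetSubKeyNames()) {
                    $queue.Enqueue("$path\$name")
                }
            } catch {
                if ($status -eq 'ok') {
                    $status = 'cannot open key: ' + $_.Exception.Message
                }
            }
            [pscustomobject]@{ Key = $path; Owner = $owner; Status = $status }
        }
    }
}

# Show only the keys that would block a delete of the parent.
Find-LockedServiceSubkey | Where-Object Status -ne 'ok' | Format-List
```

Run it from an elevated prompt; any key listed is one whose permissions have to be repaired, as the poster did through the parent key, before the parent can be removed.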
 