cmdservice removal - can anyone help?

Discussion in 'Malware Help (A Specialist Will Reply)' started by justo, Mar 3, 2006.

  1. justo

    justo Private E-2

    I'm getting repeated pop-ups. I have run Spybot and HijackThis and have posted the log below. Any help would be really appreciated.

    Logfile of HijackThis v1.99.1
    Scan saved at 09:27:09, on 03/03/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    C:\Documents and Settings\Justin Sharp\Desktop\HijackThis.exe


    Edit: Inline HJT log removed, first steps guide not followed.
     
    Last edited by a moderator: Mar 3, 2006
  2. DavidGP

    DavidGP MajorGeeks Forum Administrator - Grand Pooh-Bah Staff Member

    Please follow our standard cleaning procedures which are necessary for us to provide you support. Also there are steps included for installing, running, and posting HijackThis logs as attachments.

    - Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support

    Make sure you check version numbers and get all updates.

    - Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.


    If, after doing ALL of the above, you still have a problem, make sure you have booted to normal mode and run the steps in the below link to properly use HijackThis and attach a log:

    Downloading, Installing, and Running HijackThis


    When you return to make your next post, make sure you attach the following logs and that you have run these scans in the following order too (these scans are covered in steps 6 & 7 of the READ & RUN ME sticky)
    • Bitdefender
    • Panda Scan
    • HijackThis


    and a Malware specialist will be along as soon as possible to review your logs.
     
  3. justo

    justo Private E-2

    Ok - I followed the steps as best I can and have posted the HJT log below. Does it help?!


    Edit by chaslang: Inline log attached but Cleaning steps still not followed.
     

    Attached Files:

    Last edited by a moderator: Mar 3, 2006
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please read the directions and run all steps. No logs should be posted inline. They must be attachments. Also HJT must be installed properly.

    Also you have skipped quite a bit of the steps.
    - no MS Windows Defender
    - no Spybot with SDhelper
    - no Bitdefender online scan with log attached
    - no PandaActiveScan online scan with log attached
    - HJT installed exactly where we ask that it not be installed
    - log appears to be from safe mode or you are filtering lines. (Why don't Symantec and other stuff show in the process list?)

    Did you skip any other steps? Like Ad-Aware SE etc?

    Please complete ALL steps of the READ ME, install HJT properly, and attach the requested logs. This is all covered in the first set of directions Halo gave to you.

    You have multiple problems besides cmdservice (which I assume you saw in a Spybot log). You really need to perform the whole process so that we can make sure nothing else is hiding in the background. HijackThis logs really show very little of what exists in the malware world.

    .
     
    Last edited: Mar 3, 2006
  5. justo

    justo Private E-2

    Ok - I've started the whole process from scratch following your suggested steps. Pop-ups and programs auto-starting have now seemingly ceased! I'm still not sure if I've got everything, especially as several of the scanning programs would not function.

    MS Windows Defender would not install - could not register
    Bitdefender online scan detected 1 virus in 99 files but hung after completion.
    Panda Active scan failed to start and gave an error on page report.
    Counterspy ran successfully, log attached
    Adware seems to hang at Software\Microsoft\Windows\Current\Run:outlook
    HJT log attached

    I apologise for the lack of data for you to work on but hopefully you might be able to make something out of what I have provided.

    Any suggestions welcome.
     

    Attached Files:

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Download and install Registrar Lite

    Then run Registrar Lite.

    Copy and paste the below into the Address box of Registrar Lite and hit the Enter key.

    HKEY_LOCAL_MACHINE\SYSTEM

    Then click the Security pull down on the top menu and choose Take Ownership. Click OK in the next window to approve it. Now exit Registrar Lite and continue.

    Copy the contents of the below Quote Box to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file fixme.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.) Then double-click on the fixme.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to Add in to the registry, say yes.
    Now you have a few other problems we need to take care of. One of them is a Look 2 Me infection that requires special tools to remove. And there are a few other trojans. Let's fix the Look 2 Me problem with Spy Sweeper. Run the below and attach the requested log:

    Running Spy Sweeper

    Make sure you reboot after running Spy Sweeper.
    Now let's fix the other problems. Note that the O20 lines may already be gone if SpySweeper was able to completely fix them.

    Make sure viewing of hidden files is enabled (per the tutorial).

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O4 - HKLM\..\Run: [outlook] C:\Program Files\outlook\outlook.exe /auto
    O4 - HKLM\..\Run: [winlog] winlog.exe
    O4 - HKLM\..\RunServices: [winlog] winlog.exe
    O20 - Winlogon Notify: Run - C:\WINDOWS\system32\o6lulg3916.dll (file missing)
    O20 - Winlogon Notify: SMDEn - C:\WINDOWS\system32\jt0407dqe.dll

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\Program Files\outlook
    C:\WINDOWS\system32\winlog.exe
    If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if running, then delete the file.

    Now if running Win XP go to c:\windows\Prefetch and delete all files in this folder.
    Now run Ccleaner (installed while running the READ ME FIRST).

    Now reboot in normal mode and post a new HJT log.

    Make sure you tell me how things are working now.

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable System Restore per step 1 of the READ & RUN ME. This only applies if using WinXP or WinMe.
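
Added example (not part of the thread or any poster's instructions): a small Python parser that turns the O4 and O20 entries quoted in the post above into records, so the autostart target behind each line is explicit before it is fixed. The two notes it attaches are assumed triage heuristics, and `parse_entry` and `triage` are names made up for this sketch.

```python
import re

# Constructed sample: the five entries quoted in the post above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [outlook] C:\Program Files\outlook\outlook.exe /auto
O4 - HKLM\..\Run: [winlog] winlog.exe
O4 - HKLM\..\RunServices: [winlog] winlog.exe
O20 - Winlogon Notify: Run - C:\WINDOWS\system32\o6lulg3916.dll (file missing)
O20 - Winlogon Notify: SMDEn - C:\WINDOWS\system32\jt0407dqe.dll
"""

ENTRY = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")
O4 = re.compile(r"^HK\w+\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<target>.+)$")
O20 = re.compile(r"^Winlogon Notify: (?P<name>.+?) - (?P<target>.+?)(?P<missing> \(file missing\))?$")
FULL_PATH = re.compile(r'^"?[A-Za-z]:\\')


def parse_entry(line):
    """Return a dict for one HijackThis entry, or None for non-entry lines."""
    m = ENTRY.match(line.strip())
    if not m:
        return None
    rec = {"code": m["code"], "name": None, "target": None, "notes": []}
    detail = {"O4": O4, "O20": O20}.get(rec["code"])
    d = detail.match(m["body"]) if detail else None
    if d is None:
        return rec  # a section this sketch does not break down further
    rec["name"], rec["target"] = d["name"], d["target"]
    # Assumed triage heuristics (not rules stated in the thread):
    if not FULL_PATH.match(rec["target"]):
        rec["notes"].append("no full path")  # file is found via the search path
    if rec["code"] == "O20" and d["missing"]:
        rec["notes"].append("file missing")  # registry value outlived the DLL
    return rec


def triage(log_text):
    """Parse every entry line in a pasted log and skip everything else."""
    return [r for r in map(parse_entry, log_text.splitlines()) if r]


if __name__ == "__main__":
    for r in triage(SAMPLE_LOG):
        print(r["code"], r["name"], r["target"], r["notes"])
```

The "no full path" note lands on both `winlog` entries, whose bare `winlog.exe` target corresponds to the `C:\WINDOWS\system32\winlog.exe` file the post asks to delete.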
     
  7. justo

    justo Private E-2

    Here are the results of the Spy Sweeper scan, and I have attached an HJT log as well in case you needed it. I will now reboot and do the HJT fix etc.
     

    Attached Files:

  8. justo

    justo Private E-2

    After reboot I ran HJT and could only find 2 of the lines you asked me to fix these were:
    O4 - HKLM\..\Run: [winlog] winlog.exe
    O4 - HKLM\..\RunServices: [winlog] winlog.exe

    Then after reboot in safe mode using windows explorer I could not find:

    C:\Program Files\outlook
    C:\WINDOWS\system32\winlog.exe

    Have I done something wrong? I have followed your steps 100%
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I need to see a followup HJT log. I did not need one in the middle of the steps. Only at the end.

    No you did not do anything wrong. Spy Sweeper fixed a few things so they were not in your HJT log anymore. Also HJT removed some files while fixing lines too.
     
  10. justo

    justo Private E-2

    Ok - here is my HJT log:
     

    Attached Files:

  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You should now uninstall SpySweeper (unless you plan on buying it) then continue with the below.

    Run HJT and fix the below two lines:

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank

    After clicking Fix, exit HJT.

    Now we need to Reset Web Settings:
    1. If you have an Internet Explorer icon on your Desktop, go to step 2. If not, skip to step 3.
    2. Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3. If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.
    Now let me know how things are working!
     
  12. justo

    justo Private E-2

    Everything is looking good at the moment - keep fingers crossed.
    I really appreciate your help.
    Thanks

    Justin
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.

    If you are not having any other malware problems, it is time to go back to step 1 of the READ & RUN ME to Disable System Restore which will flush your Restore Points. Then reboot and enable System Restore to create a new clean Restore Point.

    After that, you should work thru the below link:

    How to Protect yourself from malware!
     
