Command.exe & Multidropper and maybe others: Please Help

Hi and Welcome,

We will endevour to help you rid your PC of this infestation but to proceed please follow our standard cleaning procedures which are necessary for us to provide you support. Also there are steps included for installing, running, and posting HijackThis logs as attachments.

- Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support

Make sure you check version numbers and get all updates.

After doing ALL of the above you still have a problem make sure you have booted to normal mode and run the steps in the below link to properly use HijackThis and attach a log:

Downloading, Installing, and Running HijackThis


When you return to make your next post, make sure you attach the following logs and that you have run these scans in the following order too (these scans are covered in steps 6 & 7 of the READ & RUN ME sticky)

• Bitdefender
• Panda Scan
• HijackThis

Please do take note of the instructions for installing and running HijackThis they are crucial steps to take.

 

Yes! But did you run Bitdefender and save a log. I thought you originally posted your Panda log. Perhaps you meant to say that Bitdefender was going to take 75 hours and not Panda.

Complete the instructions in step 7 of the READ ME and attach a new HJT log.

 

Your HJT log is clean. The only problems you show were in your Panda log.

Boot into safe mode and use Windows Explorer to delete the below:

C:\Program Files\Common Files\fzrm <--- the whole folder
C:\Program Files\Common Files\System\EService <--- the whole folder
C:\Program Files\Common Files\Microsoft Shared\MSInfo\cservice.exe
C:\Program Files\Mozilla Firefox\plugins\npclntax.dll
C:\WINDOWS\drddjh.exe
C:\WINDOWS\drsmartload849a.exe
C:\WINDOWS\Sk9OQVRIRU4gVElMQlJPT0s\m46ikplKlob0pH5gk5LjnXP.vbs
C:\WINDOWS\system32\cmd.dll

 

This is an issue that Spybot finds but cannot clean for some reason. We typical need to edit the registry to fix this. Sometimes we can give you a patch that will work other time we will actual have you go into the registry to take ownership of registry keys so the malware can be removed. Let's see what you have! Attach a log from Spybot and we will go from there.

 

In the top menu Click Mode and select Advanced Mode.

Then in the left column click the + next to Tools

Then click View Report

Then in the menu bar of the right pane click View previous report

Then in the window that comes up select the log from your last run of Spybot. Just keep selecting one of the .txt or .log files until you locate one that has the info about command service in it! You can either copy and paste it from your Spybot window or you can select export to save it to another filename. This normally defaults to SpybotSD.Report.txt

Either way (export to file or copy & paste) get me the log!

 

Then, let's create a new one! First, run a scan and fix with Spybot.

When it finishes the scan, right click in the log windows and select Save full report to file. The default file name is SpybotSD.Results.txt and by default it will save it in Spybot's own log folder. You can save it anywhere you like to make it easy to find so you can upload it.

 

You need to uninstall the below rogue tool!

ScanSpyware v3.8.0.1


The below fix for CmdService may or may not work but it is the simplier fix if it does. So let's try it first and see if it goes away.

Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

 

That means that your registry has been modified so that you do not have permission to change the registry keys!

Download and Install Registrar Lite

Run Registrar Lite navigate to the following keys and take ownership of them (explained further down):

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\cmdService
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cmdService
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\cmdService

To take ownership of teh key do the following:

• Copy & Paste one registry key from above into the address bar of Registrar Lite and hit the enter key. This will bring you to the regitry key.
• Click-on Security in the Menu
• Select Take Ownership
• Now right click on the registry key and select delete
• Repeat for all three registry keys
• Tell me the results. Any errors?

 

Okay there were more registry keys than Spybot revealed. Try the below.

Run Registrar Lite navigate to the following keys and take ownership of them (explained further down):


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cmdService]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\cmdService]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_CMDSERVICE]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\cmdService]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_CMDSERVICE]

To take ownership of teh key do the following:

• Copy & Paste one registry key from above into the address bar of Registrar Lite and hit the enter key. This will bring you to the registry key.
• Click-on Security in the Menu
• Select Take Ownership
• Now right click on the registry key and select delete
• Repeat for all three registry keys
• Tell me the results. Any errors??? If so, make sure you tell me the exact error message and exactly on which keys it occurs.
• Then if there was an error, boot into safe mode and retry all of the above.
• Again keep track of errors and give a report of the results.

After trying the above, come back and let us know the results.