Just can't get rid of these two

Discussion in 'Malware Help (A Specialist Will Reply)' started by BravoNiner, Jan 5, 2006.

  1. BravoNiner

    BravoNiner Private E-2

    Hi, I'm new to this forum and I'm having some trouble with a friend's computer. It seems she has not had a virus scanner or anything of the sort and has acquired some nasty viruses / spyware. I have been able to remove most of them but two have been giving me a very hard time.

    I have followed the Read and Run Me First and have run all of the applicable programs. However, Spybot seems to be catching two programs that I can't remove and seem to be causing quite a problem. I have tried running Spybot in Safe Mode as well as running Spybot when Windows boots - neither have worked. The problems are both in the registry:

    Command Service: Settings (Registry key, fixing failed)
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cmdService

    Command Service: Settings (Registry key, fixing failed)
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\cmdService

    So, I have attached the Hijackthis results here. Any help would be greatly appreciated.
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to MG's!

    Please complete the rest of the READ & RUN ME. You have not done step 6 and attached those logs. You have more problems remaining than just the cmdservice issues from Spybot. I see 5 or 6 trojans.

    After completing step 6 please do the below.

    First look in Add/Remove programs and uninstall Casino Client if found. (Tell me if you find it.)

    Did you know you still have one of the Symantec Antivirus services running?
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

    Download the Registry Search Tool

    Unzip to your Desktop and double click on regsrch.vbs
    (if you have script protection, please allow this to run)

    In the dialog that opens enter the following:

    cmdService

    Press 'OK'

    The search will run for a while then alert you when it is finished. Press 'OK' and attach the contents of the WordPad window and post in this thread.
     
  3. BravoNiner

    BravoNiner Private E-2

    Alright, I apologize for not following the directions exactly. I had run PC-cillin and assumed that was enough of a virus scanner. So, I went through and ran everything exactly as specified. I have attached the ActiveScan results (even the second time through, there were detections) as well as the HijackThis results.

    The Casino Client is not listed in the Add / Remove. However, I am almost positive that, when I ran Microsoft Antispyware for the first time, it did detect that program and I had it quarantined.

    For the Symantec, I did not realize that it was still on the system until you mentioned it. I had tried to install Symantec earlier but the system crashed during the install. Upon reboot, the system went back to the installation process and allowed me to remove it. However, it must not have been completely removed. How would I remove it at this point?

    Finally, I ran Regsearch and the results for cmdService are as follows:

    REGEDIT4
    ; RegSrch.vbs © Bill James

    ; Registry search results for string "cmdService" 1/6/2006 10:16:40 AM

    ; NOTE: This file will be deleted when you close WordPad.
    ; You must manually save this file to a new location if you want to refer to it again later.
    ; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)


    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_CMDSERVICE]

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_CMDSERVICE\0000]

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_CMDSERVICE\0000]
    "Service"="cmdService"

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\cmdService]

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\cmdService\Enum]

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\cmdService\Enum]
    "0"="Root\\LEGACY_CMDSERVICE\\0000"

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_CMDSERVICE]

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_CMDSERVICE\0000]

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_CMDSERVICE\0000]
    "Service"="cmdService"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000]
    "Service"="cmdService"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cmdService]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cmdService\Enum]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cmdService\Enum]
    "0"="Root\\LEGACY_CMDSERVICE\\0000"

    [HKEY_USERS\S-1-5-21-2552768741-3284396983-387365776-1003\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit]
    "LastKey"="My Computer\\HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\cmdService\\Enum"


    What should I do at this point?
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    All of the steps in the READ ME are there for a reason. It does not say skip some of them anywhere. You only completed half of step 6. You did the PandaScan but no BitDefender. Did you notice all the items Panda found? This is why we stress that these scans must be run and logs must be attached. BitDefender will also clean whereas Panda does not clean/disinfect. That is why we list BitDefender first. Since it will clean, many things may be fixed before running Panda. And then Panda is a double check. Please run BitDefender and attach the log. Then you should run a new PandaScan as a follow up. I'm sorry to make you do this again but had you followed the steps the first time this would not be necessary. As you can see there were a bunch of baddies detected that must get fixed.

    Also add the below patch to your registry to remove the cmdService problem.

    Copy the contents of the below Quote Box to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file fixme.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.) Then double-click on the fixme.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to Add in to the registry, say yes.
    Now check to make sure Spybot is clean.
     
    Last edited: Jan 6, 2006
  5. BravoNiner

    BravoNiner Private E-2

    Sorry, I guess I didn't make my last post clear (I should have mentioned BitDefender). As I stated, I did run everything, including BitDefender. What I was saying was I did not run through everything correctly the first time, so I went back and redid it. I did not post the results from BitDefender because, the first time, it was able to delete everything, and the second time, it came up with nothing. I have posted the results of the first test in case you need that information.

    Unfortunately, I ran your registry patch and it did not fix the problem. The same errors occur when I run Spybot.

    Any other ideas?
     
  6. BravoNiner

    BravoNiner Private E-2

    Hmmm, the file didn't seem to post so I attached it here.
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Run CCleaner and remove cookies for the Everybody's user account, while I look at your logs.
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R3 - URLSearchHook: (no name) - {D634FC8C-1B4E-45EC-61BF-16F3BA4666C4} - C:\WINDOWS\System32\lhhdky.dll
    O2 - BHO: (no name) - {5E091B04-7D69-6578-4BF8-CD6DC0F05EA4} - C:\WINDOWS\Hjnjoywp.dll
    O2 - BHO: (no name) - {7A1693A1-AFAF-4F1E-9B05-EEC38A85FBF3} - C:\WINDOWS\system32\y02mov.dll
    O2 - BHO: (no name) - {D634FC8C-1B4E-45EC-61BF-16F3BA4666C4} - C:\WINDOWS\System32\lhhdky.dll
    O3 - Toolbar: Search - {F44678FA-678E-1352-29A5-A28278251691} - C:\WINDOWS\Hjnjoywp.dll
    O4 - HKLM\..\RunOnce: [45mue6.exe] C:\WINDOWS\System32\45mue6.exe /k
    O4 - HKCU\..\Run: [Yrfg] C:\WINDOWS\System32\??crosoft.NET\nslookup.exe
    O4 - HKCU\..\Run: [services32] C:\Program Files\Common Files\Windows\mc-110-12-0000122.exe
    O4 - HKCU\..\Run: [rkwu] C:\PROGRA~1\COMMON~1\rkwu\rkwum.exe
    O4 - HKCU\..\Run: [CMMan] "C:\Program Files\CMMan\CMMan.exe"
    O4 - HKCU\..\Run: [Notn] "C:\Program Files\apsi\wtta.exe" -vt yazr
    O4 - HKCU\..\RunOnce: [45mue6.exe] C:\WINDOWS\System32\45mue6.exe /k
    O18 - Filter: text/html - (no CLSID) - (no file)

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\Documents and Settings\LocalService\Cookies\system@ad.yieldmanager[1].txt
    C:\Documents and Settings\LocalService\Cookies\system@adopt.hbmediapro[2].txt
    C:\Documents and Settings\LocalService\Cookies\system@belnk[1].txt
    C:\Documents and Settings\LocalService\Cookies\system@c.enhance[1].txt
    C:\Documents and Settings\LocalService\Cookies\system@com[2].txt
    C:\Documents and Settings\LocalService\Cookies\system@dist.belnk[2].txt
    C:\Documents and Settings\LocalService\Cookies\system@i.screensavers[2].txt
    C:\Documents and Settings\LocalService\Cookies\system@stats1.reliablestats[2].txt
    C:\Documents and Settings\LocalService\Cookies\system@winfixer[1].txt
    C:\Documents and Settings\Owner\Cookies\owner@2o7[1].txt
    C:\Documents and Settings\Owner\Cookies\owner@tribalfusion[1].txt
    C:\Documents and Settings\Owner\My Documents\SmileyCentralBetaSetup1.1.2.2.exe
    C:\Program Files\Common Files\Windows\mc-110-12-0000122.exe
    C:\Program Files\Common Files\rkwu <--- the whole folder
    C:\Program Files\CMMan <--- the whole folder
    C:\Program Files\apsi\wtta.exe
    C:\WINDOWS\Hjnjoywp.dll
    C:\WINDOWS\8qck2.sys
    C:\WINDOWS\acukeixx.dll
    C:\WINDOWS\ajvxbzme.dll
    C:\WINDOWS\akkmqoqp.dll
    C:\WINDOWS\bkzsnlui.dll
    C:\WINDOWS\csnpigok.dll
    C:\WINDOWS\dlmblpid.dll
    C:\WINDOWS\ejdcmfjn.dll
    C:\WINDOWS\eubgyems.dll
    C:\WINDOWS\fupcbhhv.dll
    C:\WINDOWS\hntuiqec.dll
    C:\WINDOWS\hxvlqffd.dll
    C:\WINDOWS\inf\biini.inf
    C:\WINDOWS\jfjhlhzf.dll
    C:\WINDOWS\kfkzgscj.dll
    C:\WINDOWS\kwv2.dat
    C:\WINDOWS\kzkaalbl.dll
    C:\WINDOWS\mpdneisq.dll
    C:\WINDOWS\msbb_gdf.dat
    C:\WINDOWS\osrwugqz.dll
    C:\WINDOWS\scafhjcl.dll
    C:\WINDOWS\tmlpcert2005
    C:\WINDOWS\uxcickjm.dll
    C:\WINDOWS\yafnvlcx.dll
    C:\WINDOWS\zhtjqnwz.dll
    C:\WINDOWS\System32\lhhdky.dll
    C:\WINDOWS\system32\y02mov.dll
    C:\WINDOWS\System32\45mue6.exe
    C:\WINDOWS\System32\??crosoft.NET\nslookup.exe
    C:\WINDOWS\system32\8qck2.sys
    C:\WINDOWS\system32\asferror.exe
    C:\WINDOWS\system32\batt9491.exe
    C:\WINDOWS\system32\cards281.exe
    C:\WINDOWS\system32\ctts.exe
    C:\WINDOWS\system32\Explorer.exe <--- Only delete this one! DO NOT delete c:\windows\explorer.exe
    C:\WINDOWS\system32\PCFlashBangUninstall.exe
    C:\WINDOWS\system32\rk.bin
    C:\WINDOWS\system32\WinNB57.dll
    C:\WINDOWS\system32\{FBD2EBD0-E6DF-456E-B300-A4D10A90C683}.dll

    If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if running, then delete the file.

    Now if running Win XP goto c:\windows\Prefetch and delete all files in this folder.
    Now run CCleaner (installed while running the READ ME FIRST).

    Now we need to Reset Web Settings:
    1) If you have an Internet Explorer icon on your Desktop, goto step 2. If not, skip to step 3.
    2) Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3) If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    Now while still in safe mode run the registry patch (from the previous message) again.

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.

    Then get a new PandaActiveScan log and attach it.
     
    Last edited: Jan 6, 2006
  9. BravoNiner

    BravoNiner Private E-2

    Alright, well I ran through all of those. Unfortunately, I'm still getting the same result from Spybot. I even ran through all scans again (Antispyware, Spybot, AdAware, etc.) and ran the registry patch again but cmdService still sticks around.

    Attached are the results from Activescan (Note: I already deleted C:\WINDOWS\msbb_kyf_update.dat) and Hijackthis.
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Are you familiar with using the Windows Registry Editor?

    And delete the below too:
    C:\Documents and Settings\Owner\Start Menu\Programs\Startup\MyWebSearch Email Plugin.lnk
     
  11. BravoNiner

    BravoNiner Private E-2

    I have used the Registry Editor a couple of times and I have a couple reference books (Windows XP In a Nutshell and Windows XP Annoyances) with some information on the registry. So, I am comfortable using it but have not used it extensively.

    What would you suggest?
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You need to change the Permissions settings on some of the registry keys so that you have the permission to delete them. They probably were not fixed by the previous patch because you were not allowed to fix them based on permissions. The keys we want to change permissions on are:

    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_CMDSERVICE
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\cmdService
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_CMDSERVICE
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cmdService

    What you must do is navigate to each one (one at a time) and do the below. Make sure the full key as displayed above shows at the bottom of the registry editor window before you do anything. That means you have the key selected.

    Right click on the registry key in question and select "Permissions". In the list click one at a time on each user name in the upper list and at the bottom, check the box next to "Full Control". Make sure each user name is allowed full control. Then click OK to exit this permissions window.

    Now go to each of the above registry keys again, making sure it appears at the bottom of the window exactly like I have written, and then right click on it and select Delete.

    Tell me if this works.
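
    An added example, not code from the thread or from MajorGeeks: a PowerShell script that audits the five keys chaslang lists above for the permission problem he describes (Deny entries, or no Full Control for Administrators) and, only when run with -Remove, applies his manual steps in order: drop the Deny entries, grant Full Control, delete the key. The script, its -Remove switch and the assumption of an elevated prompt are mine.

```powershell
# Added example, not from the thread: audit the cmdService keys from post 12 for
# the ACL problem described there and, with -Remove, grant Full Control and delete
# them the way the post does by hand. Run from an elevated PowerShell prompt.
param([switch]$Remove)

# Keys named in the thread. CurrentControlSet is a link to one of the numbered
# control sets, so the same key may be reported twice; that is expected.
$keys = @(
    'HKLM:\SYSTEM\ControlSet001\Enum\Root\LEGACY_CMDSERVICE',
    'HKLM:\SYSTEM\ControlSet001\Services\cmdService',
    'HKLM:\SYSTEM\ControlSet003\Enum\Root\LEGACY_CMDSERVICE',
    'HKLM:\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE',
    'HKLM:\SYSTEM\CurrentControlSet\Services\cmdService'
)

$fullControl = [System.Security.AccessControl.RegistryRights]::FullControl
$admins = New-Object System.Security.Principal.NTAccount('BUILTIN\Administrators')

foreach ($key in $keys) {
    if (-not (Test-Path -LiteralPath $key)) { Write-Host "absent  : $key"; continue }
    $acl = Get-Acl -LiteralPath $key

    # What makes Spybot and the .reg patch fail: explicit Deny entries, or no
    # entry giving Administrators Full Control (inheritance from SYSTEM stripped).
    $denies = @($acl.Access | Where-Object { $_.AccessControlType -eq 'Deny' })
    $adminFull = @($acl.Access | Where-Object {
        $_.IdentityReference.Value -eq 'BUILTIN\Administrators' -and
        (($_.RegistryRights -band $fullControl) -eq $fullControl)
    })
    $locked = ($denies.Count -gt 0) -or ($adminFull.Count -eq 0)
    $status = if ($locked) { 'LOCKED ' } else { 'ok     ' }
    Write-Host ("{0} : {1} (deny={2}, adminFull={3})" -f $status, $key, $denies.Count, $adminFull.Count)
    if (-not $Remove) { continue }

    # Mirror the manual steps: drop Deny entries, grant Full Control, then delete.
    # Rewriting the DACL needs WRITE_DAC, which the key's owner (normally
    # Administrators) always has even when the DACL itself denies it.
    foreach ($d in $denies) { [void]$acl.RemoveAccessRule($d) }
    $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
        $admins, $fullControl, 'ContainerInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $key -AclObject $acl
    Remove-Item -LiteralPath $key -Recurse -Force
    Write-Host "removed : $key"
}
```

    Run it once without -Remove first: a key reported as LOCKED is the one that Spybot and the .reg patch could not touch, and the same audit can be pointed at any other service key a scanner keeps "failing" to fix.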
     
  13. BravoNiner

    BravoNiner Private E-2

    Chaslang,

    Thanks for all your help. I was able to remove those as described - it turns out that one of the registry entries there did not have full privileges. Once I removed all of those, it cleared up.

    I have one other issue now but it's not related to Malware, so I will post it elsewhere.

    Thanks again.
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member
