Problem with cmdService

Discussion in 'Malware Help (A Specialist Will Reply)' started by Chris_in_Richardson, May 29, 2006.

Thread Status:
Not open for further replies.
  1. Chris_in_Richardson

    Chris_in_Richardson Private E-2

    Thanks guys for this site. It has been very helpful.

    I have been following the READ & RUN ME FIRST steps down to STEP 6 Request Help. I have attached the BitDefender and Panda ActiveScan logs.

    It looks like the major problem might be cmdService.

    Once that is resolved, it appears I may have some unneeded registry entries, programs loaded, and services running that could be removed to improve overall sluggish system performance.

    Please let me know what I can do to request help for the above items.

    Thanks,

    Chris_in_Richardson (Singapore right now)
     


  3. Chris_in_Richardson

    Chris_in_Richardson Private E-2

    Re: Need Help with cmdService

    It does not appear that the scan logs will upload to this thread.

    I posted to the Welcome Board first.

    "Howdy from Singapore".

    Not sure how to get around this, sorry.....

    Chris_in_Richardson
     
  4. DavidGP

    DavidGP MajorGeeks Forum Administrator - Grand Pooh-Bah Staff Member

    Hi Chris, I have merged the thread/post with your logs into this one.

    You still seem to me to be missing the HijackThis log from the attached logs?
     
  5. Chris_in_Richardson

    Chris_in_Richardson Private E-2

    Thanks Halo!

    I did not run HJT yet.

    I will do that now and attach.

    chris
     
  6. Chris_in_Richardson

    Chris_in_Richardson Private E-2

    HJT Log attached.
     


  7. Chris_in_Richardson

    Chris_in_Richardson Private E-2

    Here is an updated HJT log. I used CCleaner to try to increase performance a little bit.

    Still not sure how bad the infection is though.

    Any help is appreciated. Thanks!!!
     


  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Is cmdService being found by Spybot?

    If so, attach a log from Spybot.

    Did you add the below lines to your hosts file, and are they necessary:
    O1 - Hosts: 172.16.0.40 main.mahinetworks.com main
    O1 - Hosts: 172.16.0.84 goliath.mahinetworks.com goliath


    Is the below Service something you added too? It seems to relate to the above hosts lines:
    O23 - Service: Mahi Send Echo - Unknown owner - C:\WINDOWS\system32\sendecho.exe" /start 2 (file missing)


    Now let's work on a couple problems that I can see!

    Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'. On the page that opens, scroll down to Service... then right click the entry, select 'Properties' and press 'Stop Service'. When it shows that it is stopped, next please set the 'Start-up Type' to 'Disabled'. Press 'OK' until you get back to Windows.

    Next, run HJT, but instead of scanning, click on the "None of the above, just start the program" button at the bottom of the choices. At the lower right, click on the 'Config' button, and then the 'Misc Tools' button ... select 'Delete an NT Service' ... copy/paste the following into the box that opens, and press "OK":

    Service

    If you receive any error messages just ignore them and continue.

    Now exit HJT but do not reboot when it tells you it needs to. We will do that further down after running HJT again to fix some other items.

    Make sure viewing of hidden files is enabled (per the tutorial).

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} - http://wdownload.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?
    O21 - SSODL: IEFilter - {D977A669-21B3-4611-A684-141D77F041D9} - C:\WINDOWS\system32\IEFilter.dll
    O23 - Service: Service - Unknown owner - C:\WINDOWS\system32\Service.exe

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\WINDOWS\system32\IEFilter.dll
    C:\WINDOWS\system32\Service.exe <--- only delete Service.exe if found. DO NOT DELETE services.exe

    If you get an error when deleting a file, right click on the file and check to see if the read-only attribute is checked. If it is, uncheck it and try again. Otherwise, open Task Manager and kill the process if it is running, then delete the file.

    Now if running Win XP go to c:\windows\Prefetch and delete all files in this folder.
    Now run CCleaner (installed while running the READ ME FIRST).

    Now reboot in normal mode and post a new HJT log.

    Make sure you tell me how things are working now.

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable System Restore per step 1 of the READ & RUN ME. This only applies if using WinXP or WinMe.
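    As an added example (not part of this thread or the HJT tool), the two checks chaslang makes by eye from the HJT log, non-default O1 hosts entries and O23 services whose executable is missing, done as a read-only PowerShell script. It assumes Windows PowerShell 3 or later at an elevated prompt; the function names are my own.

```powershell
# Added example, not from the thread: the O1 (hosts) and O23 (service, "file missing")
# checks from the post above, as a read-only script. Assumes Windows PowerShell 3+, elevated.

function Get-SuspiciousHostsEntries {
    # O1 equivalent: every active HOSTS line other than the loopback defaults.
    $hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    Get-Content -LiteralPath $hostsPath |
        Where-Object { $_ -match '^\s*[0-9a-fA-F:.]+\s+\S' } |
        Where-Object { $_ -notmatch '^\s*(127\.0\.0\.1|::1)\s+localhost\s*$' }
}

function Get-ServiceImagePath {
    # Reduce a Win32_Service PathName to the bare executable, dropping quotes and
    # arguments such as the ' /start 2' seen on the sendecho.exe O23 line.
    param([string]$PathName)
    if ($PathName -match '^\s*"([^"]+)"') { return $Matches[1] }
    return ($PathName -split '\s+(?=[/-])')[0].Trim()
}

function Get-ServicesWithMissingBinary {
    # O23 "(file missing)" equivalent: registered services whose executable is not on disk.
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.PathName } |
        ForEach-Object {
            $exe = Get-ServiceImagePath -PathName $_.PathName
            if (-not (Test-Path -LiteralPath $exe)) {
                [pscustomobject]@{
                    Name        = $_.Name
                    DisplayName = $_.DisplayName
                    StartMode   = $_.StartMode
                    MissingFile = $exe
                }
            }
        }
}

"--- Non-default HOSTS entries (review each; remove any you did not add) ---"
Get-SuspiciousHostsEntries
"--- Services whose executable is missing (candidates for removal) ---"
Get-ServicesWithMissingBinary | Format-Table -AutoSize
```

    A service whose PathName is written relative to the system root rather than as a full path will show up as a false positive here, so review the list rather than acting on it blindly.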
     
  9. Chris_in_Richardson

    Chris_in_Richardson Private E-2

    Help Cleaning Up

    Well, I think I got rid of cmdService, but then two new problems showed up when I ran Panda Active Scan:

    Potentially unwanted tool:Application/Winfixer2005 Not disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.1\UWFX5_0001_N56M0311NetInstaller.exe
    Adware:Adware/CommAd Not disinfected C:\WINDOWS\Q2hyaXMgV2FyaHVyc3Q\kZ1Vurg0pZIVuJpVwak.vbs

    So I started back at the beginning of the Read Me First steps and went through them again. It looks like Windows Defender fixed the two problems above because on this next pass of Panda ActiveScan they were gone, and Defender said it fixed two problems.

    So now I am wondering, what else is potentially wrong here. I don't think I am out of the woods yet, because the browser is still very slow.

    Logs attached from the most recent run through of the steps. Please help.

    Thanks,

    Chris (in Singapore this week)
     


  10. Chris_in_Richardson

    Chris_in_Richardson Private E-2

    I saw those hosts and the sendecho program already as well.

    I deleted them. They were used at my company before we got acquired by the current holders.

    I just uploaded new logs. Should I follow the instructions in the post above, Chaslang, or do you want to look at the new logs first?

    chris
     
  11. Chris_in_Richardson

    Chris_in_Richardson Private E-2

    Is cmdService being found by Spybot?

    - Yes it was. Not anymore though. I used a utility I found on the SpyBot boards to remove it. Not sure if that was good idea or not, but SpyBot is not detecting it anymore.

    If so, attach a log from Spybot.

    - I did not keep the logs from SpyBot.
     
  12. Chris_in_Richardson

    Chris_in_Richardson Private E-2

    Okay, I think I followed everything.

    The two files were there and I deleted them.
    There were 130 files in the Prefetch directory.
    CCleaner removed 132 files from the recycle bin.

    So that all seems to make sense.

    New HJT log file attached. What next? Do I have any more malware?

    Can I get rid of the VNC service? I tried to uninstall this app a while back but it appears not to have completely left.
     


  13. Chris_in_Richardson

    Chris_in_Richardson Private E-2

    "Make sure you tell me how things are working now."

    It seems like maybe something is still not working correctly with the browser. If I have two browser sessions open and terminate one window by selecting the X at top right, it closes both sessions.

    Also, simply allowing the mouse cursor to pass across some of the buttons on the Major Geeks boards selected them.

    Perhaps the browser is still being used by someone other than me here?

    Not sure.

    chris
     
  14. Chris_in_Richardson

    Chris_in_Richardson Private E-2

    So I did the system restore procedure and now am off to follow your guide on how not to get here again, by downloading and installing all the apps, including Firefox. I think I am sold on that now.

    Unless you see something else in the last HJT log, thank you very much!!!

    chris
     
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay, you're all clean from malware, but you did say you wanted to get rid of WinVNC:

    O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\UltraVNC\WinVNC.exe" -service (file missing)

    Here is how you do that:

    Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'. On the page that opens, scroll down to VNC Server ... then right click the entry, select 'Properties' and press 'Stop Service'. When it shows that it is stopped, next please set the 'Start-up Type' to 'Disabled'. Press 'OK' until you get back to Windows.

    Next, run HJT, but instead of scanning, click on the "None of the above, just start the program" button at the bottom of the choices. At the lower right, click on the 'Config' button, and then the 'Misc Tools' button ... select 'Delete an NT Service' ... copy/paste the following into the box that opens, and press "OK":

    winvnc

    If you receive any error messages just ignore them and continue.

    Now exit HJT and reboot when it tells you it needs to.

    After reboot just verify for yourself that the O23 line is gone.

    Also delete the C:\Program Files\UltraVNC folder if it exists.

    Other than that, we should be done!
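    As an added example (not from the thread or from HJT), the manual steps chaslang gives here and in the earlier post for the orphaned "Service" entry, services.msc stop, startup type Disabled, HJT "Delete an NT Service", leftover folder, reboot and verify, as one PowerShell function. It assumes an elevated Windows PowerShell prompt; the function name and parameters are my own, and -WhatIf lets you dry-run it first.

```powershell
# Added example, not from the thread: scripted equivalent of the service-removal steps
# (stop, disable, delete the NT service, remove the leftover folder, verify after reboot).
# Assumes an elevated Windows PowerShell prompt. $ServiceName is the short name from the
# O23 line, e.g. 'winvnc' (or 'Service' in the earlier post), not the display name.
function Remove-UnwantedService {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$ServiceName,
        [string]$LeftoverFolder   # optional, e.g. 'C:\Program Files\UltraVNC'
    )

    $svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
    if (-not $svc) {
        Write-Warning "No service named '$ServiceName' is registered; nothing to do."
        return
    }

    # Step 1: stop it if running (a service with a missing binary is usually already stopped).
    if ($svc.Status -ne 'Stopped' -and $PSCmdlet.ShouldProcess($ServiceName, 'Stop service')) {
        Stop-Service -Name $ServiceName -Force -ErrorAction Stop
        $svc.WaitForStatus('Stopped', [TimeSpan]::FromSeconds(30))
    }

    # Step 2: startup type Disabled, so it cannot come back on the next boot.
    if ($PSCmdlet.ShouldProcess($ServiceName, 'Set startup type Disabled')) {
        Set-Service -Name $ServiceName -StartupType Disabled
    }

    # Step 3: delete the service registration (what HJT's "Delete an NT Service" does).
    if ($PSCmdlet.ShouldProcess($ServiceName, 'Delete service registration')) {
        & sc.exe delete $ServiceName | Out-Null
    }

    # Step 4: remove the leftover program folder if one was given and it still exists.
    if ($LeftoverFolder -and (Test-Path -LiteralPath $LeftoverFolder) -and
        $PSCmdlet.ShouldProcess($LeftoverFolder, 'Remove folder')) {
        Remove-Item -LiteralPath $LeftoverFolder -Recurse -Force
    }

    # Step 5: verify. A deleted service can stay listed until the reboot the post calls for.
    if (Get-Service -Name $ServiceName -ErrorAction SilentlyContinue) {
        Write-Output "'$ServiceName' is marked for deletion; reboot, then re-check the O23 line."
    } else {
        Write-Output "'$ServiceName' has been removed."
    }
}

# Dry run first, then for real:
# Remove-UnwantedService -ServiceName 'winvnc' -LeftoverFolder 'C:\Program Files\UltraVNC' -WhatIf
# Remove-UnwantedService -ServiceName 'winvnc' -LeftoverFolder 'C:\Program Files\UltraVNC'
```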
     
  16. Chris_in_Richardson

    Chris_in_Richardson Private E-2

    Halo, thanks for the help on this one. Sorry so late on my thanks, but as you know, just now figuring that part out!!!!!
     
  17. Chris_in_Richardson

    Chris_in_Richardson Private E-2

    Lifesaver. Thank you.

    chris
     