Spybot unable to fix cmdService entry.

Discussion in 'Malware Help (A Specialist Will Reply)' started by Private Pickle, Feb 7, 2006.

  1. Private Pickle

    Private Pickle Private E-2

    Hello and thank you in advance for the significant help I have received from following the procedures and suggestions within the sticky posts. I have gone through the procedures within the “Read & Run Me First” sticky and “Special Removal Procedures” and have fixed several problems. I went through my HJT log using the online analysis sites and I can't find any entries that I am unable to account for. To make sure, I ran through the procedure in the Read & Run Me First sticky a second time, and now the only thing that is showing up is the “cmdService” entry in Spybot S&D that it is unable to fix (even when I allow it to run on a restart).

    The symptoms that I am having with the computer are that I am unable to kill some of the processes in Task Manager that I know I have been able to kill before; I get “Access Denied”. Firefox, which was seriously hijacked at the beginning of my problems, still does not seem to display some Flash content that was working before this issue, specifically on my comcast.net home page.

    I searched the forum for “cmdService” and found some posts, but the help provided sounded user specific and I didn't feel confident in trying to make it fit my situation. Any help that can be provided would be appreciated.

    Thank you
     

    Attached Files:

    Last edited: Feb 12, 2006
  2. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    I need the logs from the two online scans listed in the READ ME. Also you can go ahead and follow the below to remove the service.

    Click Start > Run > type in regedit

    Manually navigate to the following key:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cmdService

    Right click on cmdService and select "Permissions". In the list click on "Everyone" and at the bottom, check the box next to "Full Control". Click OK to exit.

    Now right click on "cmdService" and delete it. If you get any errors let me know!

    Now do the same for the key below:

    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\cmdService

    Right click on cmdService and select "Permissions". In the list click on "Everyone" and at the bottom, check the box next to "Full Control". Click OK to exit.

    Now right click on "cmdService" and delete it.

    After you complete this, reboot and see if Spybot still detects these entries.
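The instructions above delete the service key from two control sets by hand. As an added example (not part of this thread or of any tool it mentions), the PowerShell script below audits every ControlSetNNN hive under HKLM\SYSTEM for a named service key and its LEGACY_ enumeration entry, the two places a registry search for cmdService shows up, and only removes them when run with -Remove. It assumes Windows PowerShell 5.1 or later in an elevated session; the service name defaults to the one from this thread but is a parameter.

```powershell
# Added example, not from the thread. Audits every ControlSetNNN hive under
# HKLM\SYSTEM for a service key and its matching LEGACY_<NAME> enumeration
# entry. Assumes Windows PowerShell 5.1 or later in an elevated (Administrator)
# session. Report only unless -Remove is given; -WhatIf previews removals.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$ServiceName = 'cmdService',   # service name from the thread; any name works
    [switch]$Remove
)

$system = 'HKLM:\SYSTEM'

# CurrentControlSet is an alias for one of the ControlSetNNN keys; Select\Current says which.
$currentId = (Get-ItemProperty -LiteralPath "$system\Select").Current
Write-Host ("CurrentControlSet is an alias for ControlSet{0:D3}" -f $currentId)

# Walk the real ControlSetNNN keys so a copy in a non-current set is not missed
# (regedit shows each set separately, so one can easily be overlooked).
$controlSets = Get-ChildItem -LiteralPath $system |
    Where-Object { $_.PSChildName -match '^ControlSet\d{3}$' } |
    Select-Object -ExpandProperty PSChildName

$hits = foreach ($cs in $controlSets) {
    $candidates = @(
        "$system\$cs\Services\$ServiceName",
        "$system\$cs\Enum\Root\LEGACY_$($ServiceName.ToUpperInvariant())"
    )
    foreach ($path in $candidates) {
        if (Test-Path -LiteralPath $path) {
            # ImagePath and Start exist only on the Services key; they are $null for LEGACY_ keys.
            $props = Get-ItemProperty -LiteralPath $path -ErrorAction SilentlyContinue
            [pscustomobject]@{
                ControlSet = $cs
                Path       = $path
                ImagePath  = $props.ImagePath   # binary the service would launch
                Start      = $props.Start       # 2 = automatic, 3 = manual, 4 = disabled
            }
        }
    }
}

if (-not $hits) {
    Write-Host "No '$ServiceName' keys found under any ControlSet."
    return
}

$hits | Format-Table -AutoSize

if ($Remove) {
    foreach ($hit in $hits) {
        if ($PSCmdlet.ShouldProcess($hit.Path, 'Remove registry key')) {
            try {
                Remove-Item -LiteralPath $hit.Path -Recurse -Force -ErrorAction Stop
                Write-Host "Removed $($hit.Path)"
            } catch {
                # Same wall the thread works around by hand: the key's ACL denies even
                # Administrators. Grant Full Control via Permissions in regedit and rerun.
                Write-Warning "Could not remove $($hit.Path): $($_.Exception.Message)"
            }
        }
    }
}
```

Run it once without -Remove to see the ImagePath each copy points at before deleting anything; the LEGACY_ keys under Enum\Root are normally owned by SYSTEM, so those are the ones most likely to need the permissions change first.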
     
  3. Private Pickle

    Private Pickle Private E-2

    Thank you for the quick reply, sorry it took me so long to respond.

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cmdService
    I was able to find the entry above and was able to delete it but the second entry (below) didn't show up in the registry.
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\cmdService

    I ran a search for “cmdServices” using “Find” and the following entries were the only ones that showed up.

    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_CMDSERVICE

    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_CMDSERVICE

    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\cmdService

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE

    I attached the BitDefender log in my first post (bdrpt.txt). I forgot that Internet Explorer partially froze up during the Panda ActiveScan, so even though it reported that it found no viruses, adware, etc., it wouldn't let me save a log to file. I will attach the first Panda scan for reference, but I know it reported it found nothing when I did it the second time.

    If you think I screwed up in the process somewhere, let me know and I will do it again and start a new thread.

    Thank you
     

    Attached Files:

  4. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Please download RegSrch.zip

    Unzip the archive to your desktop and double click on the VBS file.
    (If your antivirus alerts, allow the script to run.)

    Now enter cmdService and post back with the results in this thread (call it regsrch.txt).
     
  5. Private Pickle

    Private Pickle Private E-2

    OK, results are attached. I also went through the procedure in the Read and Run Me sticky again, and this time the only issues that were reported were during a boot time scan using Avast. It found something in the System Restore, and BitDefender found some things in torrents I had downloaded, so I deleted all of my downloads.

    All of the other scans reported no threats. I did a clean install of firefox to get it to work correctly and I am now able to kill processes in task manager that I normally am able to.

    Thank you again for your help.
     

    Attached Files:

  6. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Please download ADS Spy, save to your desktop but do not run it yet as we will run it later in this fix.

    Next, copy the contents of the below Quote Box to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file cmdfix.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.) Then double-click on the cmdfix.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to Add in to the registry, say yes.
    Now scan with HijackThis and check the boxes for the following entries:
    ( Make sure ALL browser windows are closed when you click FIX )

    O4 - HKCU\..\Run: [CU1] C:\Program Files\Common Files\VCClient\VCClient.exe
    O4 - HKCU\..\Run: [CU2] C:\Program Files\Common Files\VCClient\VCMain.exe

    O16 - DPF: {3A7FE611-1994-4EF1-A09F-99456752289D} - http://install.wildtangent.com/ActiveLauncher/ActiveLauncher.cab
    O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/4h/player.virtools.com/downloads/player/Install3.0/Installer.exe

    Again, make sure ALL browser windows are closed when you click FIX.

    Now, locate your download of ADS Spy. Extract the contents and double click "ADSSpy.exe" to run the utility. Once the utility has loaded, make sure the first 2 boxes are checked. Now click "Scan the system for alternate data streams" and remove any that contain any of the files below:

    whCC-CLICK.exe
    whiehlpr.dll
    webhdll.dll
    whSurvey.exe
    whInstaller.exe
    whAgent.exe


    Now, Please boot into Safe Mode, be sure you have the Viewing of Hidden Files & Folders Enabled per the tutorial. Now, navigate to and DELETE the following if they should remain:

    C:\Program Files\Common Files\VCClient (delete this whole folder if it exists!)

    C:\WINDOWS\wallpap.exe

    C:\WINDOWS\NDNuninstall7_22.exe

    C:\WINDOWS\drsmartload2.dat

    C:\WINDOWS\system32\whCC-CLICK.exe

    C:\WINDOWS\system32\pskill.exe

    C:\WINDOWS\system32\ad.html

    Next, run CCleaner to clean up cookies and temp files.

    Finally, I would like you to flush your System Restore points. Please follow the instructions in the below:


    • Disable and Re-enable System Restore

    • Turn OFF System Restore to flush any bad Restore Points.

    • Then, follow the instructions at the bottom of the linked page to Re-enable the Restore Utility which will create a fresh restore point.
    After you complete the above reboot once more and then scan with HijackThis and attach the new log.

    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now.
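The ADS Spy step above looks for NTFS alternate data streams carrying the listed filenames. As an added example (not part of this thread, and not ADS Spy's own code), the PowerShell script below does the same enumeration with the built-in -Stream support: it lists every alternate stream on files under the Windows directories, marks the browser's Zone.Identifier stream as benign, flags stream names that match the list from this post, and removes flagged streams only when run with -Remove. It assumes PowerShell 3.0 or later on an NTFS volume; the roots scanned are a parameter.

```powershell
# Added example, not from the thread. Enumerates NTFS alternate data streams (ADS)
# on files under the given roots and flags stream names from the thread's list.
# Assumes PowerShell 3.0 or later (Get-Item -Stream) on an NTFS volume.
# Report only unless -Remove is given; -WhatIf previews removals.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string[]]$Roots = @($env:WINDIR, "$env:WINDIR\system32"),
    [switch]$Remove
)

# Stream names from the ADS Spy step in this thread.
$suspects = @('whCC-CLICK.exe', 'whiehlpr.dll', 'webhdll.dll',
              'whSurvey.exe', 'whInstaller.exe', 'whAgent.exe')

$streams = foreach ($root in $Roots) {
    Get-ChildItem -LiteralPath $root -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            # '-Stream *' also returns the main ':$DATA' stream; keep only the alternates.
            Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' }
        }
}

if (-not $streams) {
    Write-Host "No alternate data streams found under $($Roots -join ', ')."
    return
}

# Zone.Identifier is the "downloaded from the Internet" marker and is benign.
# Anything else deserves a look; a name from the suspect list is flagged outright.
$report = foreach ($s in $streams) {
    if ($s.Stream -eq 'Zone.Identifier')  { $verdict = 'benign (download marker)' }
    elseif ($suspects -contains $s.Stream) { $verdict = 'MATCHES thread list' }
    else                                   { $verdict = 'review' }
    [pscustomobject]@{
        File    = $s.FileName
        Stream  = $s.Stream
        Length  = $s.Length
        Verdict = $verdict
    }
}

$report | Sort-Object Verdict, File | Format-Table -AutoSize

if ($Remove) {
    foreach ($r in ($report | Where-Object { $_.Verdict -eq 'MATCHES thread list' })) {
        if ($PSCmdlet.ShouldProcess("$($r.File):$($r.Stream)", 'Remove alternate data stream')) {
            # Removes only the named stream; the host file itself is left in place.
            Remove-Item -LiteralPath $r.File -Stream $r.Stream -Force
        }
    }
}
```

The 'review' rows are the useful output for a case like this one: an ADS whose name is not on the list but sits on a file in system32 is still worth inspecting, and the Length column separates an empty marker stream from one large enough to hold an executable.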
     
  7. Private Pickle

    Private Pickle Private E-2

    I completed all of the steps that you listed and everything went smoothly. The only thing is that when I ran ADSSpy there was nothing that contained the items listed, but I will take that as a good sign.

    Attached new HJT log. Everything seems to be working as it used to, except that there are still processes in Task Manager that, when I try to kill them (I stop all unnecessary processes before running Battlefield 2), I get the standard warning about killing a process and am asked if I still want to proceed. I then click yes and then I get “The operation could not be completed. Access Denied”. Before this it would either kill the process when clicking yes or I would get the warning that it was a critical process and could not be killed. I know that some of the processes I try to kill are not critical.

    Other than that, everything is working great again.

    Thank you again
     
  8. Private Pickle

    Private Pickle Private E-2

    Sorry HJT log didn't make it in the last post.
     
  9. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    There are certain processes you can't kill because they are being used by Windows.
     
  10. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Is Spybot still detecting the cmdService entries?
     
  11. Private Pickle

    Private Pickle Private E-2

    Another try on the HJT log.
     

    Attached Files:

  12. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Your HJT log looks good, are you having any further problems?
     
  13. Private Pickle

    Private Pickle Private E-2

    No further problems and spybot only found cookies in a scan I ran today.

    I really appreciate your help
     
  14. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

