Spybot unable to remove cmdService entry in Win2000 registry

Discussion in 'Malware Help (A Specialist Will Reply)' started by roadcaptain, Apr 29, 2006.

  1. roadcaptain

    roadcaptain Private E-2

    I have viewed a previous post (http://forum.majorgeeks.com/archive/index.php/t-84849.html)
    I have followed BJGarrick's instructions to remove the service:

    Click Start > Run > type in regedit

    Manually navigate to the following key:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cmdService

    Right click on cmdService and select "Permissions". In the list click on "Everyone" and at the bottom, check the box next to "Full Control". Click OK to exit.

    Now right click on "cmdService" and delete it. If you get any errors let me know!

    Now do the same for the key below:

    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\cmdService

    Right click on cmdService and select "Permissions". In the list click on "Everyone" and at the bottom, check the box next to "Full Control". Click OK to exit.

    Now right click on "cmdService" and delete it.


    After you complete this, reboot and see if Spybot still detects these entries.



    When I right click on cmdService to select "Permissions" there is no option for "Permissions"....this is particular to Win2000 I believe, I suspect permissions are a default setting in XP.
    The point being that I can proceed no further until I discover how to select permissions for everyone with full control.

    Any suggestions would be greatly appreciated, I have quite a few hours involved in trying to solve this and Major Geeks is the only resource I have found + I am new here.
     
  2. roadcaptain

    roadcaptain Private E-2

    Re: Spybot unable to cmdService entry in Win2000

    Header should read: Spybot unable to remove cmdService entry in Win2000 registry
     
  3. roadcaptain

    roadcaptain Private E-2

    Edit by chaslang: Inline log removed. Cleaning steps not run.
     
    Last edited by a moderator: Apr 30, 2006
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Majorgeeks!

    Please do not post any logs inline and also you must run cleaning procedures before HijackThis logs will be accepted.

    Start with downloading HOSTER and then follow the below steps.
    • Unzip Hoster to a convenient folder such as C:\Hoster
    • Run Hoster.exe, click Restore Original Hosts and then click OK.
    • Click the X to exit the program
    Now please follow our standard cleaning procedures which are necessary for us to provide you support. Also there are steps included for installing, running, and posting HijackThis logs as attachments.
    • Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support
    • Make sure you check version numbers and get all updates.
    • Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.
    • After doing ALL of the above you still have a problem make sure you have booted to normal mode and run the steps in the below link to properly use HijackThis and attach a log:
    • When you return to make your next post, make sure you attach the following logs and that you have run these scans in the following order too (these scans are covered in steps 6 & 7 of the READ & RUN ME sticky)
      • Bitdefender
      • Panda Scan
      • HijackThis
     
  5. roadcaptain

    roadcaptain Private E-2

    Thank you for steering me in the correct direction.
    I have completed the steps in read and run me 1st. CC Cleaner went well, Microsoft Windows Malicious Software Removal Tool went well also, Ad-Aware SE went well, Spybot went well but once again was unable to kill cmdService.
    Microsoft Windows Defender would not load (I do have the latest Java 5.0 Update 6).
    Tried to run Counter Spy but with the same results as with Windows Defender.
    CW Shredder ran well.
    Kill2Me ran well.
    Bit Defender and Panda ActiveScan would not run in safe mode with networking due to no dial-up connection but ran well in normal mode.
    It appears that I still have a problem with unwanted pages popping up just as before.
    Please be so kind as to provide me with some enlightenment about the situation I find myself in.

    Thank you
    Roadcaptain
     

    Attached Files:

  6. roadcaptain

    roadcaptain Private E-2

    I seem to have forgotten to include the HiJackThis log.
     

    Attached Files:

  7. roadcaptain

    roadcaptain Private E-2

    Upon further investigation....the problem only occurs when I log in as a User and not an Administrator. I assume this can be fixed by creating another user and removing the current one.
    Also the CD burner in E drive no longer recognizes CD-R disks (I haven't tried any others as yet).

    Thank you so much for the valuable information
    Roadcaptain
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You could try that and see what happens, but I would recommend doing the below since you have a bunch of problems that will affect all user accounts.

    CD burner issues are not topics for this forum. For that, you should post in the Hardware Forum.

    It does not look to me like you ran the Hoster program. If you had, all of those O1 - Hosts lines should be gone. Did you run it?

    Run the Hoster procedure again!

    Your Windows 2000 version is way out of date. You are running the original version and they are up to an SP4 revision level. This is a major security risk. You must get updated after we remove all malware.

    Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'. On the page that opens, scroll down to Dcom Helper ... then right click the entry, select 'Properties' and press 'Stop Service'. When it shows that it is stopped, next please set the 'Start-up Type' to 'Disabled'. Press 'OK' until you get back to Windows.

    Next, run HJT, but instead of scanning, click on the "None of the above, just start the program" button at the bottom of the choices. At the lower right, click on the 'Config' button, and then the 'Misc Tools' button ... select 'Delete an NT Service' ... copy/paste the following into the box that opens, and press "OK":

    DcmHlp

    If you receive any error messages just ignore them and continue.

    Now exit HJT but do not reboot when it tells you it needs to. We will do that further down after running HJT again to fix some other items.

    Make sure viewing of hidden files is enabled (per the tutorial).

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
    O1 - Hosts: 203.186.128.56 www.abbey.co.uk
    O1 - Hosts: 203.186.128.56 abbey.co.uk
    O1 - Hosts: 203.186.128.56 www.cahoot.co.uk
    O1 - Hosts: 203.186.128.56 cahoot.co.uk
    O1 - Hosts: 203.186.128.56 www.co-operativebank.com
    O1 - Hosts: 203.186.128.56 co-operativebank.com
    O1 - Hosts: 203.186.128.56 www.cajamar.com
    O1 - Hosts: 203.186.128.56 cajamar.com
    O1 - Hosts: 203.186.128.56 www.unicaja.com
    O1 - Hosts: 203.186.128.56 unicaja.com
    O1 - Hosts: 203.186.128.56 www.caixagalicia.com
    O1 - Hosts: 203.186.128.56 caixagalicia.com
    O1 - Hosts: 203.186.128.56 www.caixasabadell.es
    O1 - Hosts: 203.186.128.56 caixasabadell.es
    O1 - Hosts: 203.186.128.56 www.cajamadrid.com
    O1 - Hosts: 203.186.128.56 cajamadrid.com
    O1 - Hosts: 203.186.128.56 www.sparda-b.de
    O1 - Hosts: 203.186.128.56 sparda-b.de
    O1 - Hosts: 203.186.128.56 www.bankingonline.de
    O1 - Hosts: 203.186.128.56 www.raiffeisenbank-erding.de
    O1 - Hosts: 203.186.128.56 raiffeisenbank-erding.de
    O1 - Hosts: 203.186.128.56 www.bnhof.de
    O1 - Hosts: 203.186.128.56 bnhof.de
    O1 - Hosts: 203.186.128.56 www.dkb.de
    O1 - Hosts: 203.186.128.56 dkb.de
    O1 - Hosts: 203.186.128.56 www.sparkasse-regensburg.de
    O1 - Hosts: 203.186.128.56 sparkasse-regensburg.de
    O1 - Hosts: 203.186.128.56 www.berliner-bank.de
    O1 - Hosts: 203.186.128.56 berliner-bank.de
    O1 - Hosts: 203.186.128.56 www.berliner-sparkasse.de
    O1 - Hosts: 203.186.128.56 berliner-sparkasse.de
    O1 - Hosts: 203.186.128.56 www.capitalone.co.uk
    O1 - Hosts: 203.186.128.56 capitalone.co.uk
    O1 - Hosts: 203.186.128.56 www.unicredit.it
    O1 - Hosts: 203.186.128.56 unicredit.it
    O1 - Hosts: 203.186.128.56 www.sanpaolo.com
    O1 - Hosts: 203.186.128.56 sanpaolo.com
    O1 - Hosts: 203.186.128.56 bankofscotlandhalifax.co.uk
    O1 - Hosts: 203.186.128.56 interactif.creditlyonnais.fr
    O1 - Hosts: 203.186.128.56 creditlyonnais.fr
    O1 - Hosts: 203.186.128.56 www.creditlyonnais.fr
    O1 - Hosts: 203.186.128.56 www.secure.bnpparibas.net
    O1 - Hosts: 203.186.128.56 secure.bnpparibas.net
    O1 - Hosts: 203.186.128.56 bnpparibas.net
    O1 - Hosts: 203.186.128.56 www.bnpparibas.net
    O1 - Hosts: 203.186.128.56 www.anbusiness.com
    O1 - Hosts: 203.186.128.56 anbusiness.com
    O1 - Hosts: 203.186.128.56 www.caixatarragona.es
    O1 - Hosts: 203.186.128.56 caixatarragona.es
    O1 - Hosts: 203.186.128.56 www.caixaontinyent.es
    O1 - Hosts: 203.186.128.56 caixaontinyent.es
    O1 - Hosts: 203.186.128.56 www.arquia.es
    O1 - Hosts: 203.186.128.56 arquia.es
    O1 - Hosts: 203.186.128.56 fibank.es
    O1 - Hosts: 203.186.128.56 www.fibank.es
    O2 - BHO: (no name) - {0F8C97E3-ADD5-47F8-BE18-A54DCDB76693} - C:\Program Files\DirectX\megoqa.dll
    O2 - BHO: (no name) - {37D36E70-4652-43B0-A34B-9F5163DB8E1F} - \
    O4 - HKLM\..\Run: [Windows Services] spoolsvc.exe
    O4 - HKLM\..\RunServices: [Windows Services] spoolsvc.exe
    O4 - HKCU\..\Run: [Windows Services] spoolsvc.exe
    O4 - HKCU\..\RunServices: [Windows Services] spoolsvc.exe
    O23 - Service: Dcom Helper (DcmHlp) - Unknown owner - C:\WINDOWS\dcmhelp.exe (file missing)

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\WINDOWS\dcmhelp.exe
    c:\windows\system32\ld3687.tmp
    c:\eied_s7.cab
    c:\windows\system32\1024
    C:\cxx.exe
    C:\ddg.exe
    C:\kx.exe
    C:\WINDOWS\msdirectx.sys
    C:\WINDOWS\msgctrl.exe
    C:\WINDOWS\msinit.exe
    C:\WINDOWS\SmltbXkgYW5kIENhdA\mA5Qvr40sqc4KHh1xE.vbs
    C:\WINDOWS\SYSTEM32\edfimg_22205.exe
    C:\WINDOWS\SYSTEM32\eraseme_23877.exe
    C:\WINDOWS\SYSTEM32\Process.exe
    C:\WINDOWS\SYSTEM32\setup_12430.exe
    C:\WINDOWS\SYSTEM32\setup_17412.exe
    C:\WINDOWS\SYSTEM32\TFTP1016
    C:\WINDOWS\SYSTEM32\TFTP1020
    C:\WINDOWS\SYSTEM32\TFTP1076
    C:\WINDOWS\SYSTEM32\TFTP1124
    C:\WINDOWS\SYSTEM32\TFTP1580
    C:\WINDOWS\SYSTEM32\TFTP1632
    C:\WINDOWS\SYSTEM32\TFTP4132
    C:\WINDOWS\SYSTEM32\TFTP544
    C:\WINDOWS\SYSTEM32\TFTP572
    C:\WINDOWS\SYSTEM32\TFTP692
    C:\WINDOWS\SYSTEM32\TFTP748
    C:\WINDOWS\SYSTEM32\TFTP824
    C:\WINDOWS\SYSTEM32\TFTP848
    C:\WINDOWS\SYSTEM32\TFTP924
    C:\WINDOWS\System32\spoolsvc.exe <--- only delete spoolsvc.exe if found. DO NOT delete spoolsv.exe

    If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if running, then delete the file.

    Now if running Win XP go to c:\windows\Prefetch and delete all files in this folder.
    Now run Ccleaner (installed while running the READ ME FIRST).

    Now we need to Reset Web Settings:
    1. If you have an Internet Explorer icon on your Desktop, goto step 2. If not, skip to step 3.
    2. Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3. If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.
    Now reboot in normal mode and post a new HJT log.

    Make sure you tell me how things are working now.

    You may need to run the SpywareQuake Removal Procedure since you appear to have this infection.

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable system restore per step 1 of the READ & RUN ME. This only applies to if using WinXP or WinMe.
     
    Last edited: May 1, 2006
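A defender-side triage script for the kinds of HijackThis lines quoted in the post above (O1 hosts redirects of many domains to one address, an O4 autorun launching a lookalike of a real Windows binary, an O23 service whose file is missing). This is an added example, not code from the thread or from HijackThis; the sample log is constructed from entries seen in this thread, and the LEGIT_NAMES allowlist and the min_domains threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample of HijackThis-style lines, modelled on the ones
# quoted in this thread (not the poster's full log).
SAMPLE_LOG = """\
O1 - Hosts: 203.186.128.56 www.abbey.co.uk
O1 - Hosts: 203.186.128.56 abbey.co.uk
O1 - Hosts: 203.186.128.56 www.cahoot.co.uk
O1 - Hosts: 203.186.128.56 www.dkb.de
O1 - Hosts: 127.0.0.1 ads.example.test
O4 - HKLM\\..\\Run: [Windows Services] spoolsvc.exe
O4 - HKLM\\..\\Run: [Print Spooler] spoolsv.exe
O23 - Service: Dcom Helper (DcmHlp) - Unknown owner - C:\\WINDOWS\\dcmhelp.exe (file missing)
"""

# Assumed allowlist: genuine Windows binaries that malware imitates with one-letter changes.
LEGIT_NAMES = {"spoolsv.exe", "svchost.exe", "lsass.exe", "csrss.exe", "explorer.exe"}
LOCAL_IPS = {"127.0.0.1", "0.0.0.0", "::1"}
HOSTS_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")
RUN_RE = re.compile(r"^O4 - .*?:\s+\[(.*?)\]\s+(.+)$")
SVC_RE = re.compile(r"^O23 - Service: (.+?) - .* \(file missing\)$")

def edit_distance(a, b):
    """Plain Levenshtein distance; inputs are short, so the O(n*m) table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def triage(log_text, min_domains=3):
    """Return a list of (severity, message) findings for an HJT-style log."""
    findings = []
    by_ip = defaultdict(set)          # non-loopback hosts entries grouped by target IP
    for line in log_text.splitlines():
        m = HOSTS_RE.match(line)
        if m:
            ip, host = m.groups()
            if ip not in LOCAL_IPS:   # loopback/blackhole entries are normal ad-blocking
                by_ip[ip].add(host.lower())
            continue
        m = RUN_RE.match(line)
        if m:
            name, cmd = m.groups()
            exe = cmd.strip().split()[0].rsplit("\\", 1)[-1].lower()
            for legit in LEGIT_NAMES:
                if exe != legit and edit_distance(exe, legit) == 1:
                    findings.append(("high", f"autorun '{name}' launches {exe}, a lookalike of {legit}"))
            continue
        m = SVC_RE.match(line)
        if m:
            findings.append(("medium", f"service {m.group(1)} points at a missing file"))
    for ip, hosts in by_ip.items():
        if len(hosts) >= min_domains:  # many sites pinned to one address = likely hosts hijack
            findings.append(("high", f"hosts file sends {len(hosts)} domains to {ip}: " + ", ".join(sorted(hosts))))
    return findings

if __name__ == "__main__":
    for sev, msg in triage(SAMPLE_LOG):
        print(f"[{sev}] {msg}")
```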
  9. roadcaptain

    roadcaptain Private E-2

    Ok...I ran Hoster before starting the steps.
    When I got to where I was to boot into Safe Mode and use Windows Explorer to delete files......it would not boot in safe mode...(got stop error blue screen) tried 3 times.
    Booted in normal mode then shut down and booted into safe mode and it worked this time.
    Only found six of the files listed (hidden files are showing).
    Reset web settings, deleted cookies, files, offline content.

    Browsed for fifteen minutes and unwanted windows popped in again.

    Ran SpywareQuake removal procedure and when I got into safe mode Spyware Quake did not show in add/remove programs and I continued on.
    Did not find any of the files in windows\system32 which I was to rename.
    After RunThis.bat none of the remaining files I was to delete were found.
    And so here I am. Along with the .txt files I am to upload there will be two files listing the files I was unable to find, omitted files which should be on the list WERE FOUND AND DEALT WITH AS INSTRUCTED.



    "Onward thru the Fog!" Roadcaptain
     

    Attached Files:

  10. roadcaptain

    roadcaptain Private E-2

    Only these were dealt with.
     

    Attached Files:

  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your log is clean. If you are not having any other malware problems, it is time to go back to step 1 of the READ & RUN ME to Disable System Restore which will flush your Restore Points. Then reboot and enable System Restore to create a new clean Restore Point.

    After that, you should IMMEDIATELY start working thru the below link. However for you I recommend doing step 2 first, step 1 second, and then work thru the rest (but skip step 3 since you already have ZoneAlarm).


    How to Protect yourself from malware!
     
  12. roadcaptain

    roadcaptain Private E-2

    Ummm.....I am afraid I may not be totally clean. I still get pop-ups when browsing. Approx. 3 pages will load in rapid succession. I am glad to report that one of them I was seeing no longer appears!
    I shall refrain from completing the next step "How to protect yourself from Malware" until we have resolved the pop-up issue.

    Thank you for your patience
    Roadcaptain
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please run the below and make sure Windows Messenger is uninstalled!

    Disable/Remove Windows Messenger

    Then complete step 2 and then step 1 of the How to protect thread. After completing those two steps (and also removing Windows Messenger), attach a new HJT log and tell me how things are working.
     
  14. roadcaptain

    roadcaptain Private E-2

    I now have Virus protection and have updated Windows2000 to SP4.
    Was besieged throughout the entire process with pop ups..........would walk away for a few minutes and when I come back there are 15 or 20 pop ups.
    I have noticed one is Titled "About Blank".....this may be our culprit.
     

    Attached Files:

  15. roadcaptain

    roadcaptain Private E-2

    I just realized I have not done the "System Restore". My apologies.....I will wait for a response before proceeding further.
     
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Actually you do not have a System Restore since you are running Windows 2000. That is a boiler plate message that is posted after all malware has been removed. I should have edited out the System Restore part for your system.

    Your HJT log is clean other than the below two Alexa related items that come preinstalled with Windows. You can fix these with HJT:

    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

    But you show no malware in your HJT log. If you are getting popups, it could be due to the sites you are connected to serving them.

    However let's just do an additional scan and see if anything comes up. Run the below and then attach the Ewido log:

    Running Ewido Anti-Malware
     
  17. roadcaptain

    roadcaptain Private E-2

    I don't think the sites I am connecting to are serving up the pop ups as I get them when the only window open is Windows Update or Major Geeks.
    Nonetheless it seems as though Ewido was successful in locating a few more nasty "no-seeums".
    The log is attached.
     

    Attached Files:

  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Did you run the below program to remove Windows Messenger? I know you mentioned it, but make sure it worked.

    Disable/Remove Windows Messenger

    You really should do this because Windows Messenger can be the source of unwanted popups like you are describing.
     
  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Just for the heck of it, run the below procedure and attach the requested log:

    Look2Me VX2 Removal
     
  20. roadcaptain

    roadcaptain Private E-2

    I'm not sure if Remove Windows Messenger worked or not.....when I run it I get an error: could not locate INF file C:\windows\inf\msmsgs.inf

    after clicking ok on error, removal indicates Windows Messenger has been uninstalled.

    Ran look2me also...seemed to go fine.
     

    Attached Files:

  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! Then it is more than likely gone. Look2Me Destroyer did not find anything which is good.

    Have you completed ALL the other steps in the How to protect thread? If not, please finish all of them.

    If you get any popups afterwards, please indicate exactly what the popups are for (include URLs too if you can see them). Also indicate how many browser windows were opened, which browsers (IE, FireFox, etc) and what websites you were connected to at the time.
     
  22. roadcaptain

    roadcaptain Private E-2

    Good news! I have had my browser open for 1 1/2 hours and no pop-ups yet.
    I think I may be cured!
    I made sure all steps were completed in "How to Protect".
    But I chose to stay with IE.
     
  23. roadcaptain

    roadcaptain Private E-2

    Of the tools downloaded to kill the pop-ups which should I keep and which should I uninstall/delete?
     
  24. Major Attitude

    Major Attitude Co-Owner MajorGeeks.Com Staff Member

    Chaslang is gone today, possibly until tomorrow night. Why are you running a popup blocker at all I wonder aloud, an additional program is not really needed nowadays... The latest IE has popup blocking, as does Opera and Firefox. A 3rd party add-on like Maxthon will add additional popup blocking as well as more features like tabbed browsing.

    http://majorgeeks.com/Maxthon_Standard_d1167.html

    Let us know if all remains well, Chaslang should be back tomorrow.
     
  25. roadcaptain

    roadcaptain Private E-2

    So far all is well with the browser, resolved the CD Burner issue by uninstalling both the CD-ROM and the CD Burner, restarted twice then ran the CD Burner's installation disk which resolved the driver issues and all is well.

    Thanks Guys!
    RoadCaptain
     
  26. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Surf safely.
     
