#1 (permalink) |
|
TSF Enthusiast
|
cmdService
Fellow Analysts,
I am out of practice. A co-worker of mine seems to have got this nasty cmdService that will not go away. I dare say that the HJT log looks pretty clean to me but Spybot cannot remove this entry (whether at startup or in Safe Mode). Would someone give me a hand in fixing this up? I presume that you will need more logs/info, but I will wait to see what you want.

Thanks much,

Logfile of HijackThis v1.99.1
Scan saved at 12:18:43 PM, on 12/22/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\Program Files\NavNT\defwatch.exe
C:\PROGRA~1\PANASO~1\PANASO~1\REMOTE~1\KcNTSRV.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\PANASO~1\TRAPMO~1\Trapmnnt.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\hkcmd.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Panasonic\Panasonic DP-CL21\Status Display\sdwakeup.exe
C:\WINNT\explorer.exe
C:\Hijack This\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: MSN Search Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\system32\hkcmd.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [sdwakeup.exe] C:\Program Files\Panasonic\Panasonic DP-CL21\Status Display\sdwakeup.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearch.exe
O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll/search.htm
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/k...an_unicode.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = csm.corp.int
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = csm.corp.int
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = csm.corp.int
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: DP-CL21 Remote Server - Panasonic Communications Co., Ltd. - C:\PROGRA~1\PANASO~1\PANASO~1\REMOTE~1\KcNTSRV.exe
O23 - Service: Iap - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: Panasonic Trap Monitor Service - Panasonic - C:\PROGRA~1\PANASO~1\TRAPMO~1\Trapmnnt.exe
__________________
TSF German-speaking analyst -- for those who speak German, I can help you! Send a message and PM me! Detah also speaks German. Donations are Welcome! |
#2 (permalink) |
|
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
Join Date: May 2005
Posts: 24,333
OS: N/A
|
Hi Peebs,
Unless mistaken, SpyBot is complaining about some reg entries that look like these:

Hkey_local_machine\System\controlset001\Services\cmdService >> 001 can be another number
Hkey_local_machine\System\CurrentControlSet\Services\cmdService

You'll need to go to Start > Run - regedit <Enter>
Navigate to & delete those keys in red.

If any of the above registry keys are giving you problems deleting, right click on them and click on Permissions. Then click on the Advanced button. Make sure the first box (Inherit from parent...) is checked. Click OK and OK. Then try deleting the entry again.

Once you're done, close the Registry Editor.

If those keys aren't present, it may be false positives. For more info, please read here.

Either way... let me know how that went
__________________
Question - what have you done for the community today? |
|
|
|
|
#3 (permalink) | |
|
TSF Enthusiast
|
sUBs,
You're not mistaken...the problem is that there are like 16 instances of that and none of them will let me delete them. They all give me this error message (substituting the different names): Quote:
What next sUBs?? Paul
#4 (permalink) |
|
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
Join Date: May 2005
Posts: 24,333
OS: N/A
|
You have to download Reglite
Launch Reglite & navigate to those keys
Right click, select Properties & 'Take Ownership' of the key
Then try deleting them again
|
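A read-only check of the keys the two replies above deal with, as an added example that is not part of the original posts: it lists each control set's copy of the cmdService key with its owner, whether inheritance from the parent is switched off, and any deny entries. It assumes a Windows system with PowerShell 3.0 or later and an elevated session; the variable and column names are illustrative.

```powershell
# Added example (not from the thread): read-only audit of the cmdService keys.
# Assumption: elevated PowerShell 3.0+ session on the affected machine.
$serviceName = 'cmdService'   # key name from the thread

# Every ControlSetNNN key plus CurrentControlSet, matching the reply's two paths.
$controlSets = Get-ChildItem -Path 'HKLM:\SYSTEM' |
    Where-Object { $_.PSChildName -match '^(ControlSet\d{3}|CurrentControlSet)$' }

$report = foreach ($cs in $controlSets) {
    $keyPath = Join-Path -Path $cs.PSPath -ChildPath "Services\$serviceName"
    if (-not (Test-Path -LiteralPath $keyPath)) { continue }

    try {
        $acl = Get-Acl -LiteralPath $keyPath -ErrorAction Stop
    }
    catch {
        # The security descriptor cannot be read with the current token.
        [pscustomobject]@{
            Key            = $keyPath
            Owner          = '<unreadable>'
            InheritanceOff = $null
            DenyEntries    = $_.Exception.Message
        }
        continue
    }

    # Deny entries can block deletion even for members of Administrators.
    $deny = $acl.Access |
        Where-Object { $_.AccessControlType -eq 'Deny' } |
        ForEach-Object { "$($_.IdentityReference): $($_.RegistryRights)" }

    [pscustomobject]@{
        Key            = $keyPath
        Owner          = $acl.Owner                    # what 'Take Ownership' changes
        InheritanceOff = $acl.AreAccessRulesProtected  # True = 'Inherit from parent' unchecked
        DenyEntries    = $deny -join '; '
    }
}

$report | Format-List
```

A key reported with `InheritanceOff` set to True corresponds to the unchecked "Inherit from parent..." box in the first reply, and an owner other than the administrator account is the case the "Take Ownership" step in the second reply addresses.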
#5 (permalink) |
|
TSF Enthusiast
|
Mentor,
You're a genius. I am again very grateful for the help. Go sUBs...go sUBs... See you in the back forums...I'm on break now!