TechSpot

Command Service Infection! Help!!! HJT Attached

By unseenforce
May 3, 2006
  1. Just after some help; my PC has been infected with Command Service, which Spybot S&D will not remove. Bizarrely, Spybot removed something called Look2me, which Ewido keeps finding, no matter how many times it deletes it!?
    Ad-Aware is finding nothing at all now. Tried scanning in safe mode etc. but 3 Command Service files keep returning. I'm at my wits' end now, spent 8 hours last night trying to sort this. HijackThis log attached, no idea what to fix!
     
  2. howard_hopkinso


    Hello and welcome to Techspot.

    Go HERE and follow the instructions in the order they are given.

    Post a fresh HJT log, only after doing the above.

    Regards Howard :wave: :wave:
     
  3. unseenforce


    Command Service Still There

    Tried all the above; it's still there. Attached a new HJT Log (ran in safe mode) but really not confident with what to fix; can you please help?
     
  4. howard_hopkinso


    Boot into safe mode. See how HERE. http://www.bleepingcomputer.com/forums/tutorial61.html

    Turn off system restore.(XP/ME only) See how HERE. http://www.bleepingcomputer.com/forums/tutorial56.html

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE. http://www.bleepingcomputer.com/forums/tutorial62.html

    Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

    Click on the processes tab and end process for (if there):

    cikuyghj.exe
    lsass.exe /i
    nat2.exe

    Close task manager.

    Run HJT with no other programmes open. Have HJT fix the following, by placing a tick in the little box next to each (if there):

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm

    F2 - REG:system.ini: UserInit=userinit.exe

    O2 - BHO: (no name) - {C013A1D3-0A18-4E84-B198-D40E4A918476} - \

    O4 - HKLM\..\Run: [System Process] C:\WINDOWS\lsass.exe /i

    O4 - HKLM\..\Run: [rTsRFHHMc] C:\WINDOWS\cikuyghj.exe

    O16 - DPF: {FAFF0003-0A01-121A-A1C9-08032B23E0CC} - http://uk.global-acces.com/7adpower/nat2.exe

    Click on the fix checked button.

    Close HJT.

    Locate and delete the following files (if there):

    C:\WINDOWS\lsass.exe /i
    C:\WINDOWS\cikuyghj.exe
    nat2.exe

    Reboot into normal mode and turn system restore back on.

    Regards Howard :)
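HijackThis only lists autostart entries; it does not judge them, which is why the poster did not know what to tick. The script below is an added example, not HijackThis's or TechSpot's code, that applies the reasoning behind Howard's fix list to an HJT log: it matches the files and CLSIDs he named verbatim, flags a well-known system binary name (lsass.exe and friends) launched from anywhere other than System32, and flags an O16 DPF entry that downloads a bare .exe. The sample log is constructed from the lines quoted in this thread plus one benign SoundMan entry; the "system binaries live only in System32" and "legitimate ActiveX ships as .cab/.ocx, not .exe" rules are assumptions, not something HJT itself enforces.

```python
"""Triage a HijackThis (HJT) log using the indicators named in this thread.

Added example; assumptions are marked below.
"""
import re
from typing import List, Tuple

# Constructed sample: the HJT lines quoted in the thread plus one benign
# SoundMan line (assumed legitimate) so the triage has something to pass.
SAMPLE_HJT_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: (no name) - {C013A1D3-0A18-4E84-B198-D40E4A918476} - \
O4 - HKLM\..\Run: [System Process] C:\WINDOWS\lsass.exe /i
O4 - HKLM\..\Run: [rTsRFHHMc] C:\WINDOWS\cikuyghj.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O16 - DPF: {FAFF0003-0A01-121A-A1C9-08032B23E0CC} - http://uk.global-acces.com/7adpower/nat2.exe
"""

# Indicators taken verbatim from Howard's fix list.
KNOWN_BAD_FILES = {"cikuyghj.exe", "nat2.exe"}
KNOWN_BAD_CLSIDS = {
    "{C013A1D3-0A18-4E84-B198-D40E4A918476}",  # O2 BHO with no name and no file
    "{FAFF0003-0A01-121A-A1C9-08032B23E0CC}",  # O16 DPF that pulls nat2.exe
}
# Assumption: on Windows XP these names belong only in %SystemRoot%\System32,
# so a copy in C:\WINDOWS (as in this thread) is an impostor.
SYSTEM_ONLY_BINARIES = {"lsass.exe", "csrss.exe", "services.exe",
                        "winlogon.exe", "smss.exe", "svchost.exe"}

HJT_LINE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.*)$")
CLSID = re.compile(r"\{[0-9A-Fa-f-]{36}\}")
# A drive-letter path ending in .exe; trailing arguments such as "/i" are ignored.
EXE_PATH = re.compile(r'(?P<path>[A-Za-z]:\\[^\s"]*?\\(?P<file>[^\\\s"]+\.exe))',
                      re.IGNORECASE)
URL = re.compile(r"https?://\S+")


def triage_line(line: str) -> List[str]:
    """Return the reasons one HJT line should be fixed (empty list = leave it)."""
    m = HJT_LINE.match(line.strip())
    if not m:
        return []
    code, body = m.group("code"), m.group("body")
    reasons: List[str] = []

    # 1. Literal indicators from the thread: file names and CLSIDs.
    for fname in sorted(KNOWN_BAD_FILES):
        if fname in body.lower():
            reasons.append(f"{fname} is named in the thread")
    for clsid in CLSID.findall(body):
        if clsid.upper() in KNOWN_BAD_CLSIDS:
            reasons.append(f"CLSID {clsid} is named in the thread")

    # 2. System binary name running from the wrong directory (assumption above).
    for pm in EXE_PATH.finditer(body):
        fname = pm.group("file").lower()
        directory = pm.group("path")[: -len(pm.group("file"))].rstrip("\\").lower()
        if fname in SYSTEM_ONLY_BINARIES and not directory.endswith("\\system32"):
            reasons.append(f"{fname} should only run from System32 but is in {directory}")

    # 3. O16 DPF = Download Program Files (ActiveX). Assumption: a real control
    #    ships as .cab/.ocx; a bare .exe URL is a drive-by installer.
    if code == "O16":
        url = URL.search(body)
        if url and url.group(0).lower().endswith(".exe"):
            reasons.append(f"ActiveX entry downloads an executable: {url.group(0)}")

    # 4. O2 BHO with no name and no file path: nothing legitimate registers like this.
    if code == "O2" and "(no name)" in body and body.rstrip().endswith("- \\"):
        reasons.append("BHO with no name and no file")
    return reasons


def triage_log(text: str) -> List[Tuple[str, List[str]]]:
    """Return (line, reasons) for every line that should be fixed, in log order."""
    hits = []
    for line in text.splitlines():
        reasons = triage_line(line)
        if reasons:
            hits.append((line.strip(), reasons))
    return hits


if __name__ == "__main__":
    for entry, why in triage_log(SAMPLE_HJT_LOG):
        print(entry)
        for r in why:
            print("   ->", r)
```

Run against the sample it ticks the O2, both malicious O4 and the O16 entries and leaves the SoundMan line alone. The R0 and F2 lines Howard also ticked are judgment calls (a blank local page and a bare `UserInit=userinit.exe` with no path) that no literal rule catches, which is the kind of entry a human reviewer still has to decide.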
     
  5. unseenforce


    Still No Joy With Command Service

    Tried the above, then ran Spybot on reboot and it still can't delete 2 registry keys:
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\cmdservice
    and;
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\cmdservice
    Any suggestions? Do I need to re-format and re-install Windows? Or is Command Service a minimal threat? Thanks for your help and time, it's really appreciated.
     
  6. howard_hopkinso


    Go and run the Look2Me-Destroyer.exe from HERE.

    Run it from safe mode.

    Post a fresh HJT log.

    Regards Howard :)
     
  7. unseenforce


    Here's the Log...

    Did as you suggested; Look2me Destroyer wouldn't run in safe mode, it started off OK, then when it said it would re-appear it never came back! Anyway, ran it in normal mode then scanned with HJT in safe mode, here are the results...
     
  8. howard_hopkinso


    Your HJT log is clean.

    Regards Howard :)
     
  9. unseenforce


    Thanks

    After doing some research on the Spybot forums, it appears that Command Service can show up in Spybot scans as a "false positive", so am I right in assuming my system is now OK?
    Anyway ta for your help, you've been a star!
     
  10. howard_hopkinso


    Yes, your system is clean.

    Thanks for your kind words.

    Regards Howard :)
     