TechSpot

Command service issues HELP!!!

By plan b
Dec 16, 2007
  1. I am having an issue with the command service adware. I have the Spybot program and it keeps telling me that the command service file is still there and it won't be deleted. And then when I try to remove it using the add/remove program it takes me to the website and it won't let me download the removal file because of my security settings. Can someone please help me?
     
  2. raybay

    raybay TS Evangelist Posts: 7,241   +9

    Cold boot to Safe Mode, then see if that works, then immediately reboot to Safe Mode and try once more... then run your other scans that will work in Safe Mode.
     
  3. plan b

    plan b TS Rookie Topic Starter

    What do you mean when you say safe mode??
     
  4. kitty500cat

    kitty500cat TS Evangelist Posts: 2,154   +6

    Welcome to TechSpot.

    Information on how to boot into safe mode here.
     
  5. raybay

    raybay TS Evangelist Posts: 7,241   +9

    Perhaps this Description of Safe Boot options will be helpful to you.

    • Safe Mode (SAFEBOOT_OPTION=Minimal): This option uses a minimal set of device drivers and services to start Windows.
    • Safe Mode with Networking (SAFEBOOT_OPTION=Network): This option uses a minimal set of device drivers and services to start Windows together with the drivers that you must have to load networking.
    • Safe Mode with Command Prompt (SAFEBOOT_OPTION=Minimal(AlternateShell)): This option is the same as Safe mode, except that Cmd.exe starts instead of Windows Explorer.
    • Enable VGA Mode: This option starts Windows in 640 x 480 mode by using the current video driver (not Vga.sys). This mode is useful if the display is configured for a setting that the monitor cannot display.
      Note: Safe mode and Safe mode with Networking load the Vga.sys driver instead.
    • Last Known Good Configuration: This option starts Windows by using the previous good configuration.
    • Directory Service Restore Mode: This mode is valid only for Windows-based domain controllers. This mode performs a directory service repair.
    • Debugging Mode: This option turns on debug mode in Windows. Debugging information can be sent across a serial cable to another computer that is running a debugger. This mode is configured to use COM2.
    • Enable Boot Logging: This option turns on logging when the computer is started with any of the Safe Boot options except Last Known Good Configuration. The Boot Logging text is recorded in the Ntbtlog.txt file in the %SystemRoot% folder.
    • Starts Windows Normally: This option starts Windows in its normal mode.
    • Reboot: This option restarts the computer.
    • Return to OS Choices Menu: On a computer that is configured to start more than one operating system, this option returns to the Boot menu.

    An environment variable is set when you use one of the Safe Boot options. The environment variable is SAFEBOOT_OPTION. This variable is set to either Network or to Minimal.

    The default Microsoft VGA driver is used for display at 640 x 480 resolution and in 16 colors. You must log on in all modes by a domain or by the local Security Accounts Manager, depending on which Safe Boot mode you select.


    To use the Safe Boot option, follow these steps:

    1. Restart your computer and start pressing the F8 key on your keyboard. On a computer that is configured for booting to multiple operating systems, you can press the F8 key when the Boot Menu appears.
    2. Select an option when the Windows Advanced Options menu appears, and then press ENTER.
    3. When the Boot menu appears again, and the words "Safe Mode" appear in blue at the bottom, select the installation that you want to start, and then press ENTER.
     
  6. plan b

    plan b TS Rookie Topic Starter

    OK, I tried that but it didn't work. Any more suggestions??
     
  7. momok

    momok TS Rookie Posts: 2,265

    Hi plan b and welcome to techspot. =)

    Since your system is infected with adware, I suggest you do the following before doing anything else.

    Important: Please read this thread HERE before deciding if you should CLEAN or FORMAT your system

    Should you decide that cleaning your system is the best option, please go to Viruses/Spyware/Malware, preliminary removal instructions and follow the steps given.
    Do follow all the instructions exactly.

    Thereafter, please post fresh HijackThis, AVG Antispyware and Combofix logs as attachments into this thread.
    Do not copy and paste your logs, otherwise they will be removed.

    Our experts here will tend to your queries thereafter.

    Also, please provide the results of the Antirootkit scan


    Regards,
    momok =)

    This thread is for the use of plan b only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our Security and The Web forum.
     
  8. raybay

    raybay TS Evangelist Posts: 7,241   +9

    What didn't work? What thread are you now in?
     
  9. plan b

    plan b TS Rookie Topic Starter

    I tried the safe mode, but it is still there.
     
  10. momok

    momok TS Rookie Posts: 2,265

    Have you followed the instructions I have given? The infection cannot be cleaned so easily just by booting into safe mode and running a scan. So if you haven't I'm afraid we are unable to help you any further until you complete them and post the required logs.
     
  11. plan b

    plan b TS Rookie Topic Starter

    ok here is the hijackthis log.

    here's the avgscan

    (Moderator edit: Posts merged. Please use the edit button, rather than replying to your previous post where there are no other replies in between. If bumping the thread, please wait at least 24 hours for a reply.)
     
  12. momok

    momok TS Rookie Posts: 2,265

    Hi,

    Where is your ComboFix log?
    Also, your AVG scan shows "No Action taken" for all entries. Re-run the scan and make sure the actions are all set to "Quarantine".

    You may wish to copy and paste these instructions on notepad for easier reference later.

    1. Boot into safe mode under your normal user name. See how HERE
    2. Next turn on "Show all files and folders, including hidden and system". See how HERE

    3. Go to start > run and type msconfig. Press the enter key.
      Search for the following entries. Uncheck them to stop them from starting up. Click Ok but do not restart your system yet.

      winlogon
      782a393c


    4. Go to start > run and type services.msc. Press the enter key.
      Search for the following services. Double click to select stop if they are running. Set the startup type to disabled. Click apply/ok for each service you disable.

      DomainService

    5. After that, run HijackThis and fix the following entries, if found (do this by placing a tick in the check boxes beside these entries and clicking "Fix checked"):

      O4 - HKLM\..\Run: [winlogon] C:\WINDOWS\csrss.exe
      O4 - HKLM\..\Run: [782a393c] rundll32.exe "C:\WINDOWS\system32\dcictbyi.dll",b
      O23 - Service: DomainService - - C:\WINDOWS\system32\lnohevae.exe

      Close HJT.

    6. Navigate in Windows Explorer and delete the following files and folders in bold.

      C:\WINDOWS\csrss.exe
      C:\WINDOWS\system32\dcictbyi.dll
      C:\WINDOWS\system32\lnohevae.exe

    7. Reboot into normal mode and rehide your protected OS files.
    Thereafter, please post fresh HJT, ComboFix and AVG Antispyware logs from normal mode as attachments into this thread. Do not copy and paste the logs.


    Regards,
    momok =)

    This thread is for the use of plan b only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
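
An added example, not part of the original post or of HijackThis itself: a small Python triage script that shows why the three entries listed in step 5 stand out in a HijackThis log. The heuristics (system process name outside system32, hex-looking Run value name, empty publisher field) and the two benign sample lines are assumptions made for this illustration.

```python
import re
from ntpath import basename, dirname  # Windows path rules on any OS

SYSTEM_DIR = r"c:\windows\system32"
# Core Windows processes whose only legitimate home is SYSTEM_DIR.
SYSTEM_NAMES = {"csrss.exe", "winlogon.exe", "lsass.exe", "services.exe", "smss.exe"}

O4_RE = re.compile(r"^O4 - \S+: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<vendor>.*?)\s*- (?P<path>[A-Za-z]:\\.+)$")
PATH_RE = re.compile(r'[A-Za-z]:\\[^"]+?\.(?:exe|dll)', re.I)

def triage(line):
    """Return the list of reasons a HijackThis O4/O23 line deserves a closer look."""
    reasons = []
    line = line.strip()
    if m := O4_RE.match(line):
        name, cmd = m["name"].lower(), m["cmd"]
        if name + ".exe" in SYSTEM_NAMES or name in SYSTEM_NAMES:
            reasons.append("autorun value named after a system process")
        if p := PATH_RE.search(cmd):
            path = p.group(0).lower()
            if basename(path) in SYSTEM_NAMES and dirname(path) != SYSTEM_DIR:
                reasons.append("system process name outside system32")
        if cmd.lower().startswith("rundll32") and re.fullmatch(r"[0-9a-f]{8}", name):
            reasons.append("rundll32 autorun with hex-looking value name")
    elif m := O23_RE.match(line):
        if not m["vendor"].strip():
            reasons.append("service with no publisher field")
    return reasons

SAMPLE = [
    # The three entries quoted in the post above.
    r"O4 - HKLM\..\Run: [winlogon] C:\WINDOWS\csrss.exe",
    r'O4 - HKLM\..\Run: [782a393c] rundll32.exe "C:\WINDOWS\system32\dcictbyi.dll",b',
    r"O23 - Service: DomainService - - C:\WINDOWS\system32\lnohevae.exe",
    # Constructed benign entries for contrast (not from the thread).
    r"O4 - HKLM\..\Run: [ExampleTray] C:\Program Files\Example\tray.exe",
    r"O23 - Service: Example Updater - Example Corp - C:\Program Files\Example\upd.exe",
]

def flagged(lines):
    """Map each suspicious line to its reasons; clean lines are omitted."""
    return {l: r for l in lines if (r := triage(l))}

if __name__ == "__main__":
    for entry, why in flagged(SAMPLE).items():
        print(entry, "->", "; ".join(why))
```

A hit from these checks is a reason to inspect the file, not proof of infection; legitimate software can also register unsigned services or rundll32 autoruns.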
     
  13. plan b

    plan b TS Rookie Topic Starter

    When I try to download ComboFix it tells me that another program is using this file: C:\WINDOWS\system32\cmd
     
  14. momok

    momok TS Rookie Posts: 2,265

    Have you completed the other steps that I asked you to then?
    Search your C:\Windows\system32\ folder for cmd.com and rename it to cmd.com.bak.
    Try running ComboFix again.
     
Topic Status:
Not open for further replies.
