TechSpot

Command Service & Smitfraud

By handsomehary
Sep 9, 2006
  1. I need help with these two problems. I have checked elsewhere and they tell me that HijackThis says there are no problems, but when I scan with Spybot and Ad-Aware it says my problems are still here. I think I have used every program out there to get rid of it, so I am looking for some real good advice. Here is my HJT file.
     
  2. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Hello and welcome to Techspot.

    Go HERE and follow the instructions exactly.

    Post fresh HJT and Ewido logs as attachments into this thread, only after doing the above. See HERE for instructions.

    Regards Howard :wave: :wave:

    This thread is for the use of handsomehary only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  3. handsomehary

    handsomehary TS Rookie Topic Starter

    HJT LOG files

    Here are my log files. Ewido doesn't show anything on a scan and neither does AVG, but Spybot and Ad-Aware both show Registry infections.
     
  4. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    I have merged your new thread into this one. Please don't open any more threads for this. Thanks.

    Run HJT with no other programmes open. Click the scan button. Have HJT fix the following, by placing a tick in the little box next to it (if there).

    O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - C:\Program Files\SpyCatcher 2006\SCActiveBlock.dll (file missing)

    Click on the fix checked button.

    Close HJT.

    Other than the above inactive entry, your HJT log is clean.

    If you have any further virus/spyware problems, please post in this thread.

    Regards Howard :)

     
  5. handsomehary

    handsomehary TS Rookie Topic Starter

    Still have the same problem.

    Spybot says I still have the Smitfraud-C.Toolbar888 and Command Service still in my Registry. And they cannot be deleted by normal means. Smitfraud has one entry in my registry and Command Service has three, one of which can be deleted but comes back after being deleted.
     
  6. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    All I can suggest is you run Spybot and Ad-Aware from safe mode. Delete whatever they find; this includes anything in quarantine.

    I can't see anything nasty in your HJT log.

    If the Smitfraudfix doesn't find anything, and you're not getting any popups, I don't see what else we can do.

    Regards Howard :)
     
  7. handsomehary

    handsomehary TS Rookie Topic Starter

    Smitfraud

    OK Well thanks for trying. I have run spybot from Safe and it cannot delete. Thanks for trying. BTW this is what Spybot says.
    Command Service: Settings (Registry key, nothing done)
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cmdService

    Command Service: Settings (Registry key, nothing done)
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\cmdService

    Smitfraud-C.Toolbar888: Class ID (Registry key, nothing done)
    HKEY_CLASSES_ROOT\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}
     
  8. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Try this.

    Please download delcmdservice (by Marckie), and save it to your Desktop.

    Unzip the content to your Desktop (a folder named delcmdservice)
    Double-click on the delcmdservice folder
    Double-click on delreg.bat to launch the tool
    When the tool has finished, please reboot your computer
    Once rebooted, please scan and let me know if it was successful.

    Regards Howard :)
     
  9. handsomehary

    handsomehary TS Rookie Topic Starter

    Scan Results of Spybot and delcmdservice

    That cured part of my problem. Now all I have is the Smitfraud.

    -- Search result list ---
    Smitfraud-C.Toolbar888: Class ID (Registry key, fixing failed)
    HKEY_CLASSES_ROOT\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}
     
  10. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Download the Ccleaner programme from HERE.

    Run the programme and make sure all the boxes are ticked under the Windows and Applications tabs. Click the run cleaner button with no browsers open. Do this several times. Click on issues, then the scan for issues button. Click the fix selected issues button, followed by the fix all selected issues button. Do this several times, until no more issues are found.

    Go to add/remove programmes in your control panel and uninstall anything to do with (if there).

    Toolbar888

    Close control panel.

    Go to C:\program files and delete the Toolbar888 folder (if there).

    Download and install the latest version of SS&D from HERE. Make sure you have the latest definition files. Click the immunize button in the lefthand pane, then click the green immunize cross in the righthand pane.

    Do a full scan and fix whatever it finds. Click the recovery button in the lefthand pane and click the purge button in the righthand pane.

    Close SS&D.

    Run SS&D again and see if it still finds the Smitfraud-C Toolbar888 entry.

    Regards Howard :)

     
  11. handsomehary

    handsomehary TS Rookie Topic Starter

    ActiveX problem

    CCleaner says it is an ActiveX problem. InProcServer32
    C:\WinNT\system32\mljhhif.dll and I can't find it and it won't let me delete it in the registry.
     
  12. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Download the Pocket Killbox programme from HERE. Extract it but don't run it yet.

    You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

    Turn off system restore (XP/ME only). See how here: http://www.bleepingcomputer.com/forums/tutorial56.html

    Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how here: http://www.bleepingcomputer.com/forums/tutorial61.html

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how here: http://www.bleepingcomputer.com/forums/tutorial62.html

    Run the killbox.exe file. When it loads, type the full path to the file you would like to delete in the field and check the delete file on reboot button. Press the Delete File button (looks like a red circle with a white X). It will prompt you to reboot; select no until you have finished inputting the files you want to delete, only then allow it to reboot and hopefully your files will now be deleted.

    This is the filepath you need to enter into Killbox.

    C:\WinNT\system32\mljhhif.dll

    Once your system has rebooted, turn system restore back on and rehide your protected OS files.

    Please let me know the outcome.

    Regards Howard :)

     
  13. handsomehary

    handsomehary TS Rookie Topic Starter

    mljhhif.dll File is gone

    File is gone but it still will not allow me to delete the registry. That WinAntiVirusPro keeps installing a Cookie.
     
  14. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Download the Autoruns programme.

    Post a fresh HJT log and the Autoruns log.

    Regards Howard :)
     
  15. handsomehary

    handsomehary TS Rookie Topic Starter

    HJT Autoruns

    Thanks for doing this. This thing is really stuck. Thanks for taking the time to help.
     
  16. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Have HJT fix these two entries.

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm

    Click the fix checked button and close HJT.

    Download and run this TOOL.

    See if that helps. If not, go HERE, download and run all four tools. Run each tool from safe mode.

    Let me know the outcome please.

    Regards Howard :)

     
  17. handsomehary

    handsomehary TS Rookie Topic Starter

    Same results

    WinAntiVirusPro Object Recognized!
    Type : Regkey
    Data :
    TAC Rating : 10
    Category : Malware
    Comment :
    Rootkey : HKEY_CLASSES_ROOT
    Object : clsid\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c}

    I tried everything in safe mode and Adaware says I still have it. Maybe I just have to live with the Winantivirus problem for the time being. I think we have tried everything or just about everything.
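Added example, not part of any post in this thread: the Spybot and Ad-Aware findings quoted above name registry keys under different spellings (CurrentControlSet is a link to a numbered ControlSetNNN, and HKEY_CLASSES_ROOT is a merged view of the Software\Classes keys), so this Python script normalizes them and groups reports that point at the same key. The function names are hypothetical, and the mappings assume HKLM\SYSTEM\Select\Current is 1 and that the CLSID is registered machine-wide.

```python
import re
from collections import defaultdict

# Findings copied from the posts above: Spybot S&D and Ad-Aware report formats.
SPYBOT = r"""Command Service: Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cmdService
Command Service: Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\cmdService
Smitfraud-C.Toolbar888: Class ID (Registry key, nothing done)
HKEY_CLASSES_ROOT\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}"""
ADAWARE = r"""Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c}"""

def normalize(key, current_set=1):
    # Registry paths are case-insensitive, so compare in lower case.
    k = key.strip().rstrip("\\").lower()
    # Assumption: the HKCR entry is a machine-wide registration, i.e. it
    # lives under HKLM\Software\Classes (HKCR is a merged view).
    k = re.sub(r"^hkey_classes_root\\", r"hkey_local_machine\\software\\classes\\", k)
    # Assumption: HKLM\SYSTEM\Select\Current is 1 on this machine, so
    # CurrentControlSet is a link to ControlSet001.
    return re.sub(r"^(hkey_local_machine\\system\\)currentcontrolset\\",
                  lambda m: m.group(1) + "controlset%03d\\" % current_set, k)

def parse_spybot(text):
    # A finding is a 'Name: Type (Registry key, status)' line followed by the key.
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    for head, path in zip(lines, lines[1:]):
        m = re.match(r"(.+?): .+\(Registry key, .+\)$", head)
        if m and path.upper().startswith("HKEY_"):
            yield ("Spybot", m.group(1), path)

def parse_adaware(text):
    # Ad-Aware splits the key into 'Rootkey' and 'Object' fields.
    fields = dict(re.findall(r"^[ \t]*(\w[\w ]*?)[ \t]*:[ \t]*(\S.*)$", text, re.M))
    if "Rootkey" in fields and "Object" in fields:
        yield ("Ad-Aware", "Regkey", fields["Rootkey"] + "\\" + fields["Object"])

def correlate(findings):
    # canonical key -> list of (tool, detection name, path as reported)
    groups = defaultdict(list)
    for tool, name, key in findings:
        groups[normalize(key)].append((tool, name, key))
    return dict(groups)

def unique_keys():
    return correlate(list(parse_spybot(SPYBOT)) + list(parse_adaware(ADAWARE)))

if __name__ == "__main__":
    for canon, hits in unique_keys().items():
        print(len(hits), "report(s):", canon, sorted({t for t, _, _ in hits}))
```

On the lines quoted in this thread, four reports collapse to two distinct keys: the cmdService service key and the one CLSID key that both Spybot and Ad-Aware flag.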
     
  18. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    It seems that Ad-Aware is having a few problems with false positives at the moment. More info is available HERE and HERE. I'm not saying this is definitely true in your case, but it might be.

    Regards Howard :)
     
  19. handsomehary

    handsomehary TS Rookie Topic Starter

    Problems

    I am not doubting that Ad-Aware might be having problems, but my problem is being detected by Ad-Aware, Spybot, and CCleaner so I think whatever my problem is I don't think it is because of False Positives. I guess I will just have to live with it for the time being.
    Thanks for the help, I do appreciate you taking the time to help me.

    Jim
     
  20. handsomehary

    handsomehary TS Rookie Topic Starter

    I don't know what happened or how it happened but my Smitfraud is gone. Thank you for your help!!
     
  21. plan b

    plan b TS Rookie

    I wanted to know if I could get that delcmdservice download?? Can someone help me out please??
     
  22. momok

    momok TS Rookie Posts: 2,265

    It wouldn't hurt to be more specific with your post. Also this post looks related to one of your other threads in the forum. Please use your other thread for help.

    Thread closed.
     
Topic Status:
Not open for further replies.
