Hi LJ
Hopefully you found the solution. It's worth posting your log at one of the
support forums Bill suggests to make sure it's only this you have to deal with,
but here's a bit of info if it's detecting 'cmdService' which may help.
http://www.f-secure.com/sw-desc/cmdservices.shtml
The site behind this is 'csx.adservs.com' but I've seen it install from this
IP address 194.187.45.55. This site also has Qoologic and Trojan Clicker
variants stored. They are forcing the installs without consent, as the initial
download from 194.187.45.55 is a Trojan Downloader called 'Win32.Small.buy'
which then contacts 'Command.adservs.com' to download and run the Command
Installation file.
In Hijack This it will show like this:
O23 - Service: Command Service (cmdService) - Unknown owner -
C:\WINDOWS\RUpyturFioIFJZ2VycwAA\command.exe
**Note that is a randomly named folder; the second time I ran the installer it
was called:
C:\WINDOWS\QW5keU1hbmNoZXN0YQ\command.exe
Then
C:\WINDOWS\YRDyb42z\command.exe
The folder and files are hidden, so if you were going to remove this manually
you would have to enable hidden files & folders and also enable Operating
System Files so you can find the folder. (Let us know if you need help with
that.)
It's not possible to stop command.exe using Task Manager as it will give an
access denied message, so first get rid of the service, then boot into safe
mode and delete the folder.
If you have the above entry showing in the Hijack Log, make a note of what
the folder is called, then place a check next to it and close all other open
windows except Hijack This, then press Fix Checked.
Go to Start, then Run, and type
cmd
Press OK, then copy and paste this onto the cmd screen
sc delete cmdService
Press Enter, then type exit and press Enter again.
Reboot and enable hidden files and folders and Operating System Files, then
look for the folder which was shown in the O23 entry of Hijack This and it
will delete without problems. Then run Spybot again while in safe mode.
On my system I had these files inside the randomly named folder:
kqc4yoY1vAhCtrhXsk.vbs
MD5 387edbb90a5275d1b464eb31f3162c40
asappsrv.dll
MD5 0f8deb5a57d8310b2d7ef90b84480f13
command.exe
MD5 3e2c234dde711c6754f2df994fb3cc94
And also the installer was stored in the temp folder:
C:\Documents and Settings\Your UserName\Local Settings\Temp\
cmdinst.exe - Command Desktop Setup
MD5 6aeb8d5c9353739feca9c7759c937bfc
You could run CCleaner if you have it to remove the temp files. If not, then
go to Start and Run, type cleanmgr and press OK, place checks next to
temporary files and recycle bin, then press OK to remove them.
If you have any other problems, run Ewido Security Suite on your system as
it's free and has daily updates, so it does great against new infections (it
shows it's a 14 day trial but it performs fine after that expires; you will
just need to update the scanner manually as the auto updates are part of the
trial).
http://www.ewido.net/en/download/
When installing, under "Additional Options" uncheck "Install background
guard" and "Install scan via context menu". Click on update in the left menu,
then click the Start update button.
After the update finishes, click on 'scanner' from the main menu, then click
'Complete System Scan'. When ewido finds something, it will pop up a
notification. Select "Remove" and check the boxes "Perform action with all
infections" and "Create encrypted backup", then click on OK. When the scan
finishes, click on "Save Report" and save it to your desktop or c:/drive
in case you need it again.
Hope that helps, but let us know if you have any problems.
All The Best
Andy
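
Added example, not part of Andy's post: a short Python check that reads a Hijack This log, rejoins O23 service entries that were wrapped onto a second line as in the entry quoted above, and reports the folder name to note down before fixing the entry. The function names and the sample log are constructed for illustration; the heuristic (service name cmdService, or an "Unknown owner" service running command.exe from a folder directly under C:\WINDOWS) is taken from the description in the post.

```python
import re

# O23 line layout as quoted in the post:
# O23 - Service: <display name> (<service name>) - <owner> - <path>
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?) \((?P<name>[^()]+)\) - "
    r"(?P<owner>.+?) - (?P<path>[A-Za-z]:\\.+)$"
)
# command.exe in a folder directly under C:\WINDOWS (the folder name varies per install).
RANDOM_DIR_RE = re.compile(r"^C:\\WINDOWS\\(?P<folder>[^\\]+)\\command\.exe$", re.I)


def join_wrapped(lines):
    """Rejoin O23 entries whose path was wrapped onto the following line."""
    out = []
    for line in (l.strip() for l in lines):
        if out and out[-1].startswith("O23 - ") and out[-1].endswith(" -") \
                and re.match(r"^[A-Za-z]:\\", line):
            out[-1] += " " + line
        elif line:
            out.append(line)
    return out


def find_cmdservice(log_text):
    """Return (service name, folder under C:\\WINDOWS or None, path) per suspect entry."""
    hits = []
    for line in join_wrapped(log_text.splitlines()):
        m = O23_RE.match(line)
        if not m:
            continue
        loc = RANDOM_DIR_RE.match(m["path"].strip())
        named = m["name"].lower() == "cmdservice"
        unknown = m["owner"].lower() == "unknown owner"
        if named or (unknown and loc):
            hits.append((m["name"], loc["folder"] if loc else None, m["path"]))
    return hits


# Constructed sample log: one wrapped entry in the post's format, one benign service.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Example] C:\Program Files\Example\example.exe
O23 - Service: Command Service (cmdService) - Unknown owner -
C:\WINDOWS\YRDyb42z\command.exe
O23 - Service: Example Updater (ExUpd) - Example Corp - C:\Program Files\Example\upd.exe
"""

if __name__ == "__main__":
    for name, folder, path in find_cmdservice(SAMPLE_LOG):
        print(f"suspect service {name}: folder {folder!r}, binary {path}")
```

A hit only tells you which O23 entry and folder to look at; the file names and MD5 values listed in the post are what confirm the contents of that folder.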