SET.tmp files and Trojans part 1

Hi,

I hope I've gone through everything properly. I'm suspecting a keylogger, also found SET.tmp files and SAS removed some Trojan files.

Please have a look, hopefully nothing too difficult to remove. Thanks for all your hard work.

 

Here's the MGlogs.zip attachment.

 

No obvious signs that it's a keylogger. Just some bad drivers being loaded and a potential MBR infection.

From Add/Remove Programs (via Control Panel), please uninstall the below:

• Conduit Engine
• Java(TM) 6 Update 21 <-- outdated

Run C:\MGtools\analyse.exe by double-clicking it (Vista and Win7 right-click and select Run as Administrator)
Shut down your protection software now to avoid possible conflicts.
Note: This is actually Trend Micro HiJackThis - v2.0.4
Choose Do a system scan only and select the following lines but do not click fix until you exit all explorer windows and all browser sessions including the one you are reading in right now:

After clicking Fix, exit out of Trend Micro HiJackThis - v2.0.4

Now we need to make use of ComboFix by sUBs

• Make sure that ComboFix.exe that you downloaded while doing the READ & RUN ME is on your desktop but do not run it!
  • If it is not on your desktop, the below will not work.
• Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
• Open Notepad and copy/paste the text in the below code box into Notepad:

Code:

[COLOR="DarkRed"]KillAll::[/COLOR]
[COLOR="DarkRed"]ClearJavaCache::[/COLOR]
[COLOR="DarkRed"]DirLook::[/COLOR]
c:\program files\zeraha.org
[COLOR="DarkRed"]Driver::[/COLOR]
ujmwnzy2
uzmwnzy2
[COLOR="DarkRed"]File::[/COLOR]
c:\windows\system32\drivers\ujmwnzy2.sys
c:\windows\system32\drivers\uzmwnzy2.sys
c:\windows\system32\drivers\SETD86.tmp
c:\windows\system32\drivers\SET19B.tmp
[COLOR="DarkRed"]FileLook::[/COLOR]
C:\WINDOWS\AMove.exe
C:\WINDOWS\AntiV.EXE
C:\WINDOWS\AExec.exe
[COLOR="DarkRed"]Folder::[/COLOR]
C:\Documents and Settings\Doug\Local Settings\Application Data\{3248F0A6-6813-11D6-A77B-00B0D0150070}
C:\Documents and Settings\Doug\Local Settings\Application Data\AVG Security Toolbar
c:\program files\ConduitEngine
C:\Documents and Settings\Doug\Local Settings\Application Data\Conduit
[COLOR="DarkRed"]RegLock::[/COLOR]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}]
@Denied: (Full) (Everyone)
"scansk"=hex(0):af,3d,cb,0f,bd,c4,78,76,f9,c3,b5,9e,d9,39,3b,56,fa,b4,79,e8,6f,
   f0,75,fd,71,b6,27,2d,1d,84,84,a4,31,64,ee,62,98,f7,b9,27,00,00,00,00,00,00,\
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{a1dc2c53-2417-42f6-82f2-d49556880164}]
@Denied: (Full) (Everyone)
"Model"=dword:0000010b
"Therad"=dword:0000000f
[COLOR="DarkRed"]Registry::[/COLOR]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{30F9B915-B755-4826-820B-08FBA6BD249D}]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{30F9B915-B755-4826-820B-08FBA6BD249D}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{30F9B915-B755-4826-820B-08FBA6BD249D}"=-
[-HKEY_CLASSES_ROOT\clsid\{30f9b915-b755-4826-820b-08fba6bd249d}]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{30F9B915-B755-4826-820B-08FBA6BD249D}"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"avg@igeared"=-

• Save the above as CFScript.txt and make sure you save it to the same location (should be on your desktop) as ComboFix.exe
• At this point, you must exit all browsers now before continuing!
• You should have both the ComboFix.exe and CFScript.txt icons on your desktop.
• Now use your mouse to drag CFScript.txt on top of ComboFix.exe.
  
• This shall launch ComboFix.
  Note: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
• Allow ComboFix to update itself if prompted.
• When it finishes, a log will be produced at C:\ComboFix.txt
  Note: If after running ComboFix you discover none of your programs will open up because you receive the following error: Illegal operation attempted on a registry key that has been marked for deletion then you will need to reboot your computer which will normally fix this problem.
• Attach this log to your next message. (How to attach items to your post)

Now we need to run TDSSKiller by Kaspersky
Follow the instructions here and attach your log when you are finished. (How to attach items to your post)


Please download MBRCheck by GeeksToGo to your desktop.
See the download links under this icon

• Double click MBRCheck.exe to run (Vista and Win7 right click and select Run as Administrator)
• It will show a Black screen with some information that will contain either the below line if no problem is found:
  • Done! Press ENTER to exit...
• Or you will see more information like below if a problem is found:
  • Found non-standard or infected MBR.
  • Enter 'Y' and hit ENTER for more options, or 'N' to exit:
• Either way, just choose to exit the program at this point since we want to see only the scan results to begin with.
• MBRCheck will create a log named similar to MBRCheck_07.16.10_00.32.33.txt which is random based on date and time.
• Attach this log to your next message. (How to attach items to your post)

Now install the current version of Sun Java from: Sun Java Runtime Environment

Now run C:\MGtools\GetLogs.bat by double-clicking it (Vista and Win7 right-click and select Run as Administrator)
Then attach C:\MGlogs.zip to your next message. (How to attach items to your post)
Notes:

• This will automatically update all the logs inside MGlogs.zip
• Make sure you click Accept on the License Agreement from Trend Micro HiJackThis - v2.0.4 twice if prompted.

LET ME KNOW HOW THE PC IS RUNNING AFTER YOU HAVE COMPLETED THESE STEPS​

 

Hi

I noticed you mention my MBR - before I proceed I probably should have mentioned that my external drive is partitioned and I'm running TrueCrypt.

Under those circumstances, does everything you mentioned still hold true?

Thanks

 

Code:

Path: Volume F:\
Status: MBR Rootkit Detected!

Path: Volume H:\
Status: MBR Rootkit Detected!

Path: Volume J:\
Status: MBR Rootkit Detected!

Path: Volume K:\
Status: MBR Rootkit Detected!

The above is shown in your RootRepeal log.

The only thing I mentioned is that there are some bad drivers being loaded and a potential MBR infection. I will have a better understanding once you complete the scans requested.

 

I've been keeping this PC offline and not using it other than to follow your instructions, so can't comment much on how it is running, but it does seem faster.

Every once in a while before, the screen would flash for a split second, sometimes not even noticeable unless you were watching for it. That is why I was curious about a key-logger or something taking snapshots of my work at certain intervals. I don't notice it now.

Here are the latest set of logs, and by the way thank you so much for the quick replies!

 

Previously I would get some blue screens, seemed random, different reasons - I think one was page fault in non paged memory area, another with hibernation, sorry I can't remember more right now. I'll hibernate and restart a few times to see what happens.

 

YOU HAVE AN INFECTED MASTER BOOT RECORD (MBR)!​

_________________________________________________________________​

WARNING​

MBR infections are only worsening and sometimes (rarely) make the computer unbootable after attempting to correct it. We recommend that you back up your data before hand. Then continue with the below if you wish to attempt to remove this infection:
_________________________________________________________________​

Do you have your Windows XP CD? We need it to restore a clean MBR.
If you do not have your Windows XP CD, you can create one with the Recovery Console (which is really all we need), here: Download Windows XP Recovery Console

Then see if you can boot from this CD and get into the Recovery Console. See the second section in the below link where it says "How to use the Recovery Console"

http://support.microsoft.com/kb/307654

If you can get to the command prompt of the Recovery Console, type fixmbr and hit enter. After it finishes type exit to reboot and remove the CD to allow Windows to boot normally.

If you were able to run fixmbr, rerun MBRCheck and attach a new log. Also tell me how things are working.

 

I was worried but went for it. It fixed the MBR on C: Hopefully less crashes in the future. Seems to be running fine, won't know really until it's been used more extensively I guess.

Here's the MBRCheck log,

thanks once again

 

Yes you should notice less crashes now

Now we need to make use of ComboFix by sUBs

• Make sure that ComboFix.exe that you downloaded while doing the READ & RUN ME is on your desktop but do not run it!
  • If it is not on your desktop, the below will not work.
• Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
• Open Notepad and copy/paste the text in the below code box into Notepad:

Code:

[COLOR="DarkRed"]KillAll::[/COLOR]
[COLOR="DarkRed"]File::[/COLOR]
c:\windows\system32\drivers\SETD86.tmp
c:\windows\system32\drivers\SET19B.tmp
[COLOR="DarkRed"]Registry::[/COLOR]
[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{1E73965B-8B48-48be-9C8D-68B920ABC1C4}"=-
[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}]
[COLOR="DarkRed"]Rootkit::[/COLOR]
c:\windows\system32\drivers\ujmwnzy2.sys
c:\windows\system32\drivers\uzmwnzy2.sys

• Save the above as CFScript.txt and make sure you save it to the same location (should be on your desktop) as ComboFix.exe
• At this point, you must exit all browsers now before continuing!
• You should have both the ComboFix.exe and CFScript.txt icons on your desktop.
• Now use your mouse to drag CFScript.txt on top of ComboFix.exe.
  
• This shall launch ComboFix.
  Note: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
• Allow ComboFix to update itself if prompted.
• When it finishes, a log will be produced at C:\ComboFix.txt
  Note: If after running ComboFix you discover none of your programs will open up because you receive the following error: Illegal operation attempted on a registry key that has been marked for deletion then you will need to reboot your computer which will normally fix this problem.
• Attach this log to your next message. (How to attach items to your post)

Now run C:\MGtools\GetLogs.bat by double-clicking it (Vista and Win7 right-click and select Run as Administrator)
Then attach C:\MGlogs.zip to your next message. (How to attach items to your post)
Notes:

• This will automatically update all the logs inside MGlogs.zip
• Make sure you click Accept on the License Agreement from Trend Micro HiJackThis - v2.0.4 twice if prompted.

Then just let me know how the PC is running whenever you get a chance.

 

Thanks I've finished that and attached the files. Starting to feel much better about this, at 1 point before I asked for help I was considering just starting fresh.

That's the last thing I can do on here till about 9 PM EST. Thanks once again!

 

Please download SystemLook by jpshortstuff to your desktop.

• Double-click SystemLook.exe to run it.
• Copy the content of the following codebox into the main textfield:
  
  Code:

  :regfind
  *ujmwnzy2*
  *uzmwnzy2*
  *SETD86*
  *SET19B*
  *xwgvvnpf*
  :service
  *ujmwnzy2*
  *uzmwnzy2*
  *xwgvvnpf*
  :filefind
  *ujmwnzy2*
  *uzmwnzy2*
  *SETD86*
  *SET19B*
  *xwgvvnpf*
  

• Click the Look button to start the scan.
• When finished, a notepad window will open with the results of the scan. Please post this log in your next reply. (How to attach items to your post)
  Note: The log be found on your desktop entitled SystemLook.txt

Download Autoruns by SysInternals to your desktop.

• See the download links under this icon:
• Create a folder on your desktop called "autoruns"
• Extract the contents of the Autoruns.zip file into the autoruns folder you created.
• Now open this folder by double-clicking it.
• Now double-click autoruns.exe to run. (Vista and Win7 right-click and select Run as administrator)
  Note: Autoruns will automatically start scanning your system for autorun entries. This process is typically finished within 15 seconds.
• When you see Ready at the bottom-left corner of the Autoruns program, the scan is complete.
• Now click File > Save
• Change the Save as type: to Text (*.txt)
• Save AutoRuns.txt to your desktop or another location you can easily access it.
• Attach AutoRuns.txt to your next message. (How to attach items to your post)

 

You're really starting to amaze me sniffing out these nasties! You seem to have limitless tricks up your sleeve.

Here are the latest logs.

 

Please download GrantPerms by Farbar to your desktop.

• Open GrantPerms.zip and extract GrantPerms.exe to your desktop.
• Run GrantPerms.exe by double-clicking on it. (Vista and Win7 right-click and select Run as administrator)
• Copy the text in the below code box and paste it into the text-field available in GrantPerms.
  
  Code:

  C:\WINDOWS\system32\drivers\uzmwnzy2.sys
  C:\WINDOWS\system32\drivers\ujmwnzy2.sys
  

• Now click the Unlock button.
• Click the OK button when you see Unlock operation completed.
• Now click the List Permissions button.
  Note: Notepad will open afterwards.
• This Perms.txt log file is on your desktop.
• Attach Perms.txt to your next message. (How to attach items to your post)

Please download OTL by Old Timer to your desktop.

• See the download links under this icon:
• Double-click OTL.exe to run (Vista and Win7 right-click and select Run as administrator)
• When OTL opens, copy the text in the code box below and paste it into the text-field.
  
  Code:

  [COLOR="DarkRed"]:processes[/COLOR]
  killallprocesses
  [COLOR="DarkRed"]:otl[/COLOR]
  [COLOR="DarkRed"]:services [/COLOR]
  xwgvvnpf
  uzmwnzy2
  ujmwnzy2
  [COLOR="DarkRed"]:files[/COLOR]
  C:\WINDOWS\system32\drivers\uzmwnzy2.sys
  C:\WINDOWS\system32\drivers\ujmwnzy2.sys
  sc config ujmwnzy2 start= disabled /c
  sc config uzmwnzy2 start= disabled /c
  sc config xwgvvnpf start= disabled /c
  [COLOR="DarkRed"]:reg[/COLOR]
  [COLOR="DarkRed"]:commands[/COLOR]
  [purity]
  [emptyjava]
  [emptytemp]
  [emptyflash]
  [resethosts]
  

• Now click the button.
• OTL may ask to reboot the machine. Please do so if asked.
• Click the OK button.
• When complete, Notepad will open.
• Close Notepad.
• A log file will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
• Attach this log to your next message. (How to attach items to your post)

• Now open OTL again and click the button
  Note: This automatically updates the OTL.txt log on your desktop.
• Attach OTL.txt to your next message. (How to attach items to your post)

 

This one didn't work out so well. I may have stopped it while OTL was still working - I waited for about 10 min though.

By the way, I'm still noticing some of that screen flicker, other than that it <seems> ok.

Thanks

 

Please download Win32kDiag to the root of your C:\ drive. It must be saved here or the below will not work!

• Now press and hold the Windows key on your keyboard, then press the letter r on your keyboard.
• This opens the Run dialog box.
• Then copy the below bold text and paste it into the Open: text-field and press ENTER.
  C:\win32kdiag.exe -f -r
  
• When it's finished, there will be a log called Win32kDiag.txt on your desktop.
• Attach this log to your next message. (How to attach items to your post)

Please download OTL by Old Timer to your desktop.

• See the download links under this icon:
• Double-click OTL.exe to run (Vista and Win7 right click and select Run as administrator)
• When the window appears, underneath Output at the top-right, make sure Standard Output is selected.
• Select Scan All Users.
• Check the boxes beside LOP Check and Purity Check.
• Copy the text in the code box below and paste it into the text-field.
  
  Code:

  netsvcs
  %systemdrive%\*.exe
  /md5start
  afd.sys
  atapi.sys
  csrss.exe
  explorer.exe
  ipnat.sys
  ipsec.sys
  regedit.exe
  services.exe
  svchost.exe
  tcpip.sys
  userinit.exe
  winlogon.exe
  /md5stop
  %systemroot%\*. /mp /s
  %windir%\assembly\GAC\*.ini
  %windir%\assembly\GAC_MSIL\*.ini
  %windir%\assembly\gac_32\*.ini
  %windir%\assembly\gac_64\*.ini
  %windir%\assembly\temp\*.ini
  %windir%\assembly\tmp\u /s
  %allusersprofile%\application data\*.exe
  %systemdrive%\MGtools
  %systemdrive%
  %userprofile%\desktop
  hklm\software\microsoft\windows\currentversion\run|exe /rs
  hklm\software\microsoft\windows\currentversion\runonce|exe /rs
  

• Now click the button.
• When the scan is complete, Notepad will open with the results of the OTL scan.
• Close Notepad.
• There will be two log files on your desktop entitled OTL.txt and Extras.txt.
• Attach both OTL.txt and Extras.txt to your next message. (How to attach items to your post)

 

Here are the latest.

As you see I have Teamviewer, I've used it to help set up anti malware on a friends computer. By doing so am I opening myself up, or it it safe to use if I suspect they have a virus / malware?

Thanks

 

It's safe. You are the one in control of their PC. The worst they can do is move their mouse around while you're trying to work

These last 3 logs look good. OTL may have crapped out on you, but according to its logs, those files I wanted to delete/move are now gone. Let's do the below just to make sure and tell me how things are running.

Please download The Avenger by Swandog46 to your desktop.

• See the download links under this icon:
• Open avenger.zip and extract avenger.exe to your desktop
• Run avenger.exe by double-clicking on it.
• Click OK at the warning to continue to use The Avenger.
  Note: Do not change any of the check box options!
• Shut down your protection software now to avoid possible conflicts.
• Copy everything in the code box below, and paste it into the Input script here: text-field.
  
  Code:

  [COLOR="DarkRed"]Files to delete:[/COLOR]
  C:\WINDOWS\system32\drivers\uzmwnzy2.sys
  C:\WINDOWS\system32\drivers\ujmwnzy2.sys
  

• Now click the button.
• Click Yes to the prompt to confirm you want to execute.
• Click Yes to the Reboot now? question that will appear when The Avenger finishes running.
• Your PC should reboot, if not, reboot it yourself.
• A log file from The Avenger will be produced at C:\avenger.txt and it will pop-up for you to view when you login after reboot.
• Attach avenger.txt to your next message. (How to attach items to your post)

 

Thanks for the info on TeamViewer. Trust me I know about people trying to use their mouse at the same time. rolleyes

Looks like you got those files. Its running good, that intermittent screen flash is there, could be a bad driver or something I guess :confused It just did it again almost seems to studder, off, on, off, on again very quickly, or shifts slightly during the flash, not sure.

Thanks

 

OOps! forgot the attachment!

 

My guess is that it's something related to either AVG and/or ZoneAlarm. You may try to completely uninstall both and see if the same problems persists. It does not appear to be malware related at this point though. You can seek additional help at our Software forum if you'd like.

I would start looking at your Event Logs for errors like the below which are currently present.

Code:

[ Application Events ]
Error - 10/13/2011 10:41:13 PM | Computer Name = ACER-5363B4030C | Source = MsiInstaller | ID = 1013
Description = SA_Error1709: StandardAction(0xC00706AD): Product: AVG 2011 -- SA_Error25101:
 StandardAction(0xC007620D): We have detected that ZoneAlarm is already installed
 on your system, therefore the installation can not continue. We recommend that 
you uninstall this product first and then try to launch the installation again.
 
Error - 10/13/2011 10:41:15 PM | Computer Name = ACER-5363B4030C | Source = MsiInstaller | ID = 1013
Description = SA_Error1709: StandardAction(0xC00706AD): Product: AVG 2011 -- SA_Error25101:
 StandardAction(0xC007620D): We have detected that ZoneAlarm is already installed
 on your system, therefore the installation can not continue. We recommend that 
you uninstall this product first and then try to launch the installation again.
 
Error - 10/13/2011 10:41:19 PM | Computer Name = ACER-5363B4030C | Source = MsiInstaller | ID = 1013
Description = SA_Error1709: StandardAction(0xC00706AD): Product: AVG 2011 -- SA_Error25101:
 StandardAction(0xC007620D): We have detected that ZoneAlarm is already installed
 on your system, therefore the installation can not continue. We recommend that 
you uninstall this product first and then try to launch the installation again.
 
Error - 10/13/2011 10:41:22 PM | Computer Name = ACER-5363B4030C | Source = MsiInstaller | ID = 1013
Description = SA_Error1709: StandardAction(0xC00706AD): Product: AVG 2011 -- SA_Error25101:
 StandardAction(0xC007620D): We have detected that ZoneAlarm is already installed
 on your system, therefore the installation can not continue. We recommend that 
you uninstall this product first and then try to launch the installation again.
 
Error - 10/13/2011 10:41:25 PM | Computer Name = ACER-5363B4030C | Source = MsiInstaller | ID = 1013
Description = SA_Error1709: StandardAction(0xC00706AD): Product: AVG 2011 -- SA_Error25101:
 StandardAction(0xC007620D): We have detected that ZoneAlarm is already installed
 on your system, therefore the installation can not continue. We recommend that 
you uninstall this product first and then try to launch the installation again.
 
Error - 10/13/2011 10:41:29 PM | Computer Name = ACER-5363B4030C | Source = MsiInstaller | ID = 1013
Description = SA_Error1709: StandardAction(0xC00706AD): Product: AVG 2011 -- SA_Error25101:
 StandardAction(0xC007620D): We have detected that ZoneAlarm is already installed
 on your system, therefore the installation can not continue. We recommend that 
you uninstall this product first and then try to launch the installation again.
 
Error - 10/13/2011 10:41:32 PM | Computer Name = ACER-5363B4030C | Source = MsiInstaller | ID = 1013
Description = SA_Error1709: StandardAction(0xC00706AD): Product: AVG 2011 -- SA_Error25101:
 StandardAction(0xC007620D): We have detected that ZoneAlarm is already installed
 on your system, therefore the installation can not continue. We recommend that 
you uninstall this product first and then try to launch the installation again.
 
Error - 10/13/2011 10:41:34 PM | Computer Name = ACER-5363B4030C | Source = MsiInstaller | ID = 1013
Description = SA_Error1709: StandardAction(0xC00706AD): Product: AVG 2011 -- SA_Error25101:
 StandardAction(0xC007620D): We have detected that ZoneAlarm is already installed
 on your system, therefore the installation can not continue. We recommend that 
you uninstall this product first and then try to launch the installation again.
 
Error - 10/13/2011 10:41:38 PM | Computer Name = ACER-5363B4030C | Source = MsiInstaller | ID = 1013
Description = SA_Error1709: StandardAction(0xC00706AD): Product: AVG 2011 -- SA_Error25101:
 StandardAction(0xC007620D): We have detected that ZoneAlarm is already installed
 on your system, therefore the installation can not continue. We recommend that 
you uninstall this product first and then try to launch the installation again.
 
Error - 10/23/2011 3:32:54 PM | Computer Name = ACER-5363B4030C | Source = JavaQuickStarterService | ID = 1
Description = 
 
[ System Events ]
Error - 10/24/2011 9:58:19 PM | Computer Name = ACER-5363B4030C | Source = Service Control Manager | ID = 7001
Description = The Remote Access Connection Manager service depends on the Telephony
 service which failed to start because of the following error:   %%1058
 
Error - 10/24/2011 9:58:29 PM | Computer Name = ACER-5363B4030C | Source = Service Control Manager | ID = 7001
Description = The Remote Access Connection Manager service depends on the Telephony
 service which failed to start because of the following error:   %%1058
 
Error - 10/24/2011 9:58:29 PM | Computer Name = ACER-5363B4030C | Source = Service Control Manager | ID = 7001
Description = The Remote Access Connection Manager service depends on the Telephony
 service which failed to start because of the following error:   %%1058
 
Error - 10/24/2011 9:58:39 PM | Computer Name = ACER-5363B4030C | Source = Service Control Manager | ID = 7001
Description = The Remote Access Connection Manager service depends on the Telephony
 service which failed to start because of the following error:   %%1058
 
Error - 10/24/2011 9:58:50 PM | Computer Name = ACER-5363B4030C | Source = Service Control Manager | ID = 7001
Description = The Remote Access Connection Manager service depends on the Telephony
 service which failed to start because of the following error:   %%1058
 
Error - 10/24/2011 9:58:57 PM | Computer Name = ACER-5363B4030C | Source = Service Control Manager | ID = 7001
Description = The Remote Access Connection Manager service depends on the Telephony
 service which failed to start because of the following error:   %%1058
 
Error - 10/24/2011 9:58:57 PM | Computer Name = ACER-5363B4030C | Source = Service Control Manager | ID = 7001
Description = The Remote Access Connection Manager service depends on the Telephony
 service which failed to start because of the following error:   %%1058
 
Error - 10/24/2011 9:59:00 PM | Computer Name = ACER-5363B4030C | Source = Service Control Manager | ID = 7001
Description = The Remote Access Connection Manager service depends on the Telephony
 service which failed to start because of the following error:   %%1058
 
Error - 10/24/2011 9:59:00 PM | Computer Name = ACER-5363B4030C | Source = Service Control Manager | ID = 7001
Description = The Remote Access Connection Manager service depends on the Telephony
 service which failed to start because of the following error:   %%1058
 
Error - 10/24/2011 9:59:10 PM | Computer Name = ACER-5363B4030C | Source = Service Control Manager | ID = 7001
Description = The Remote Access Connection Manager service depends on the Telephony
 service which failed to start because of the following error:   %%1058

Perhaps these programs may be causing the issue too:

• Tweak UI
• TweakNow RegCleaner

If you are not having any other malware problems, it is time to do our final steps:

1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
   • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
   • "%userprofile%\Desktop\combofix" /uninstall
     • Notes: The space between the combofix" and the /uninstall, it must be there.
     • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
3. Go back to step 6 oof the READ ME and renable your Disk Emulation software with Defogger if you had disabled it.
4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
7. Go to add/remove programs and uninstall HijackThis if it present
8. Goto the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders
   related to MGtools and some other items from our cleaning procedures.
9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
   • Refer to the cleaning procedures pointed to by step 7 of the READ ME
     for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
   • Then reboot and Enable System Restore to create a new clean Restore Point.
10. After doing the above, you should work thru the below link:
    • How to Protect yourself from malware!

 

All done. Disabled and reenabled system restore. I'm planning on cleaning up lots of unnecessary programs and OEM tools that I've never used.

Never mind if it's beyond your scope here, I know you must be busy, but I'm curious how bad this thing was and what the potential damage the stuff that was on the pc could have done.

You saved me lots of headaches and got things cleaned up in no time - I'm really impressed! Thanks a Billions

 

This is hard to say as I don't think I was the only one helping you with removal -- according to some of your previous CFScripts. Some of the files were wanting to stick around despite certain fixes. I did not see any indication that ports were opened up so it is highly unlikely anything was actually taken from the PC (passwords, any information entered/stored on the PC). Just seemed like a more destructive type of infection without any real purpose of financial gain unlike most of the infections we see nowadays.

You're most welcome. Surf safely!

 

Don't knock yourself, you were the only help I had. I did try a few things, not with Combofix though. If you saw older CFScripts, they were from previous instructions right here on this board back in 2006 or 2007 I think. If you saw log files then it was me running it repeatedly because in I before posting I realized I hadn't followed Read and Run me first properly.

Thanks once again!

 

You're welcome. Surf safely!

 

Was something done here that may have changed any of the other user accounts on this PC? My secondary account, which was also an administrator is now showing "unknown account type" and cannot do administrator actions.

The reason this is a dilemma for me is that after cleaning it up I changed my password - but haven't used it for some time since. So I have access to the PC via an "unknown account type" (which should have administrator privileges).

Any suggestions here?

Thank you

 

No.

May just try going into User Accounts via Control Panel and seeing what permissions are set now.

 

That's where I get the 'unknown account type'. should i take this over to another forum?

thanks

 

No problem.

Yes try our Software forum.

From your logs: