MCI Monitoring window

Discussion in 'Malware Help (A Specialist Will Reply)' started by racevws, May 21, 2008.

  1. racevws

    racevws Private E-2

    I was turning off the computer and I got a pop-up that said
    MCI Monitoring window. I clicked End Now. After looking up what that could mean, I ran Combofix.

    I am running XP sp2, and neither NAV or Adaware or Spybot S&D found anything.

    Do I have anything to worry about? Last week I found an infostealer on this machine, that I deleted and haven't turned up anything in scans since then.


    Here is the log:
     

    Attached Files:

    Last edited by a moderator: May 21, 2008
  2. abri

    abri MajorGeek

    Hi racevws,
    Welcome to Major Geeks!


    I've changed your inline log to an attachment. Please use the Manage Attachments button when you post a log. What your Combofix log shows is that you have malware, and of the type that requires several scans and steps to be completely removed. Please follow the instructions in the READ & RUN ME FIRST and attach the requested logs when you finish so one of us can help you.

    Thanks!
    abri
     
  3. racevws

    racevws Private E-2

    Ok, I went through the whole procedure, and I have some logs that I will attach. The computer seems to be running just fine, I haven't seen the error message again during all the reboots and stuff I have been doing. I just need to know if I need to reset ALL my passwords and stuff (I did so just a couple days ago using a different computer).
     

    Attached Files:

  4. abri

    abri MajorGeek

    Hi racevws,
    I need your MGlogs.zip. When you ran the MGTools.exe it produced a set of logs called MGlogs.zip which are located among the files directly under C:
    Please attach that file here.
    Thanks.
    abri
     
  5. racevws

    racevws Private E-2

    I looked for the zip log and couldn't find it in the root directory, so I made a zip folder and copied the txt files into it. I will attach them. Thank you for your help, I appreciate it.
     

    Attached Files:

  6. abri

    abri MajorGeek

    Hi racevws,

    You have some broken stuff. That's good. It means we can delete it now.

    1) Please disable your guest account if this hasn't already been done.

    2) Go to start> control panel> administrative tools> services> scroll down to "Fskclovsmwi" and double click it. Click the blue drop down arrow to the far right of "startup type"> click disable> apply> ok. Exit administrative tools.

    3) Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (Note: if using Vista, don't double click, use right click and select Run As Administrator). Select "Do a system scan only". In the box that opens, find the following entries and put a checkmark next to them (if you need some of them to be in the trusted zone, leave them). After check-marking them, close all your open browser windows and click on FIX:

    O2 - BHO: (no name) - {DE3BC109-88BA-4E51-919B-1E68EF1541FE} - (no file)
    O2 - BHO: TChkBHO Class - {E7B1CC13-3822-4A71-8408-00928E16BE45} - blank (file missing)
    O2 - BHO: (no name) - {EB40EF13-1394-4ED7-A942-574BF6CE40D1} - (no file)
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} (Java Plug-in 1.6.0_02) -
    O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} (Java Plug-in 1.6.0_03) -
    O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} (Java Plug-in 1.6.0_05) -
    O20 - Winlogon Notify: winopn32 - winopn32.dll (file missing)
    O23 - Service: Fskclovsmwi - Unknown owner - (no file)

    After you click fix, just close hijackthis.

    4) Download and install Erunt. Use it to create a backup of your registry.

    5) Please copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the File Type is set to "all files" Once you have saved it, look for it on your desktop and when you find it, double-click it and allow it to merge with the registry.
    6) Now run CCleaner at the default setting with the Windows tab as the top one.

    7) Please run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip

    Let me know how things are running now.

    abri
     
  7. racevws

    racevws Private E-2

    I did everything from the last post, but could not find:
    O23 - Service: Fskclovsmwi - Unknown owner - (no file)

    in Hijackthis

    ran CCleaner and Getlogs.bat,
    attached is the log.

    So am I clean now? Do I need to worry about keyloggers or anything being on my machine now?

    Thanks,
    racevws
     

    Attached Files:

  8. abri

    abri MajorGeek

    Hi racevws,

    I would like for you to search the registry for that one service you disabled. To do this, please do the following:

    Download Registry Search (see the link titled RegSearch Download Link )
    • Extract the files from Regsearch.zip into a folder.
    • Doubleclick regsearch.exe to start the program.
    • Enter Fskclovsmwi in the top area of the form and then click "Ok".
    • Notepad will be opened with text in it (the file named RegSearch.txt will be saved in the program's folder as well). Attach this file to your next reply.

    abri
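
    The registry search abri asks for in the post above, done with PowerShell instead of the RegSearch tool. This is an added example, not part of the thread and not the RegSearch utility: it walks the given hives and reports every key name, value name or value whose data matches a pattern. The hive list, the output shape and the handling of binary data are this example's own choices.

```powershell
# Added example (not the RegSearch tool from the thread): recursively search registry
# hives for a pattern in key names, value names and value data. Hive list, output
# shape and the treatment of binary data are this example's own choices.
function Search-Registry {
    param(
        # Regular expression, matched case-insensitively; use [regex]::Escape() for a literal name
        [Parameter(Mandatory = $true)][string]$Pattern,
        [string[]]$Roots = @('HKLM:\SYSTEM', 'HKLM:\SOFTWARE', 'HKCU:\SOFTWARE')
    )
    foreach ($root in $Roots) {
        # Include the root key itself, then everything beneath it; keys we cannot open are skipped
        $keys = @(Get-Item -LiteralPath $root -ErrorAction SilentlyContinue) +
                @(Get-ChildItem -LiteralPath $root -Recurse -ErrorAction SilentlyContinue)
        foreach ($key in $keys) {
            $path = $key.Name                     # e.g. HKEY_LOCAL_MACHINE\SYSTEM\...\Services\X
            if ($key.PSChildName -match $Pattern) {
                [pscustomobject]@{ Where = 'KeyName'; Key = $path; ValueName = ''; Data = '' }
            }
            try { $valueNames = $key.GetValueNames() } catch { continue }
            foreach ($vn in $valueNames) {
                $data = $key.GetValue($vn, $null, 'DoNotExpandEnvironmentNames')
                if ($data -is [byte[]]) {
                    # REG_BINARY: show hex, but match against ANSI and UTF-16 decodings too,
                    # because names are usually embedded as strings, not as hex
                    $shown = ($data | ForEach-Object { $_.ToString('x2') }) -join ''
                    $searchable = [Text.Encoding]::ASCII.GetString($data) + ' ' +
                                  [Text.Encoding]::Unicode.GetString($data)
                } else {
                    $shown = "$data"              # REG_MULTI_SZ arrays join with spaces
                    $searchable = $shown
                }
                if ($vn -match $Pattern) {
                    [pscustomobject]@{ Where = 'ValueName'; Key = $path; ValueName = $vn; Data = $shown }
                } elseif ($searchable -match $Pattern) {
                    [pscustomobject]@{ Where = 'ValueData'; Key = $path; ValueName = $vn; Data = $shown }
                }
            }
        }
    }
}

# The search abri asks for: every trace of the disabled service, across the listed hives
Search-Registry -Pattern 'Fskclovsmwi' | Format-Table -AutoSize -Wrap
```

    Run it from an elevated prompt so HKLM\SYSTEM is fully readable. Hits under Services\ and Enum\Root\LEGACY_ in more than one ControlSet00N are expected: each control set carries its own copy of the service entry, which is why a cleanup script has to name them all.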
     
  9. racevws

    racevws Private E-2

    Ok, here is the log-

    Thank You,

    racevws
     

    Attached Files:

  10. abri

    abri MajorGeek

    Hi racevws,

    Let's try to get rid of that file:


    1)
    Next I would like to have you use ComboFix to remove some files.


    • Make sure that combofix.exe (cf.exe) that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):


    Code:
    KILLALL::
    
    DRIVER::
    Fskclovsmwi
    
    
    REGISTRY::
    
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_FSKCLOVSMWI\0000]
    "Service"=-
    "DeviceDesc"=-
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Fskclovsmwi]
    "DisplayName"=-
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Fskclovsmwi\Enum]
    "0"=-
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_FSKCLOVSMWI\0000]
    "Service"=-
    "DeviceDesc"=-
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Fskclovsmwi]
    "DisplayName"=-
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_FSKCLOVSMWI\0000]
    "Service"=-
    "DeviceDesc"=-
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Fskclovsmwi]
    "DisplayName"=-
    [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Fskclovsmwi]
    "DisplayName"=-
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Fskclovsmwi\Enum]
    "0"=-
    
    [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_FSKCLOVSMWI]
    [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_FSKCLOVSMWI\0000]
    [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Fskclovsmwi]
    [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Fskclovsmwi\Security]
    [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Fskclovsmwi\Enum]
    [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_FSKCLOVSMWI]
    [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_FSKCLOVSMWI\0000]
    [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Fskclovsmwi]
    [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Fskclovsmwi\Security]
    [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_FSKCLOVSMWI]
    [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_FSKCLOVSMWI\0000]
    [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Fskclovsmwi]
    [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Fskclovsmwi\Security]
    [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Fskclovsmwi\Enum]
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe (cf.exe)
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below


    Note: Do not mouseclick combofix's window while it is running. That may cause it to stall.

    2) Now run CCleaner at the default setting with the Windows tab as the top one.


    3) Please double click on RegSrch.vbs again as you did before to run it.

    • Enter Fskclovsmwi in the top area of the form and then click "Ok".
    • Notepad will be opened with text in it (the file named RegSearch.txt will be saved in the program's folder as well). Attach this file to your next reply.

    Let me know how this went.

    abri
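
    What the CFScript above does by hand, expressed as PowerShell. This is an added example, not part of the thread and not ComboFix code: the first function finds services and drivers whose ImagePath points at a file that no longer exists, the condition HijackThis reports as "O23 - Service: ... - Unknown owner - (no file)"; the second deletes the Services\<name> key and the Enum\Root\LEGACY_<NAME> device node in every ControlSet00N, which is the set of keys the script targets. The function names and the ImagePath parsing rules are this example's own assumptions.

```powershell
# Added example (not from the thread or from ComboFix): find services and drivers
# whose binary is missing, then remove their registry footprint across all ControlSets.
# Run from an elevated PowerShell prompt. Function names and parsing rules are this
# example's own assumptions.

# Turn a raw ImagePath into the file it names, handling the common shapes:
# %SystemRoot% variables, \SystemRoot\ and \??\ prefixes, relative driver paths,
# quoted paths, and trailing arguments (e.g. svchost.exe -k netsvcs).
function Resolve-ImagePath {
    param([string]$ImagePath, [string]$ServiceName)
    if ([string]::IsNullOrWhiteSpace($ImagePath)) {
        # A kernel driver with no ImagePath is loaded from system32\drivers\<name>.sys
        return "${env:SystemRoot}\System32\drivers\$ServiceName.sys"
    }
    $p = [Environment]::ExpandEnvironmentVariables($ImagePath.Trim())
    $p = $p -replace '^\\SystemRoot\\', "${env:SystemRoot}\"
    $p = $p -replace '^\\\?\?\\', ''
    $p = $p -replace '^system32\\', "${env:SystemRoot}\System32\"
    if ($p.StartsWith('"')) {
        $end = $p.IndexOf('"', 1)
        if ($end -gt 0) { return $p.Substring(1, $end - 1) }
        return $null
    }
    $m = [regex]::Match($p, '^(.+?\.(exe|sys|dll))(\s|$)', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return ($p -split '\s+')[0]
}

# Services/drivers whose resolved binary does not exist on disk. Keys without a
# Type value are parameter containers, not services, and are skipped.
function Get-OrphanedService {
    $root = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    foreach ($key in Get-ChildItem -LiteralPath $root -ErrorAction SilentlyContinue) {
        $type = $key.GetValue('Type')
        if ($null -eq $type) { continue }
        $imagePath = $key.GetValue('ImagePath', $null, 'DoNotExpandEnvironmentNames')
        $exe = Resolve-ImagePath -ImagePath $imagePath -ServiceName $key.PSChildName
        if ($exe -and (Test-Path -LiteralPath $exe -PathType Leaf)) { continue }
        [pscustomobject]@{
            Name      = $key.PSChildName
            Type      = ('0x{0:x}' -f $type)
            Start     = $key.GetValue('Start')
            ImagePath = $imagePath
            Resolved  = $exe
        }
    }
}

# Delete the keys the CFScript above lists for one service: Services\<name> and the
# Enum\Root\LEGACY_<NAME> device node, in every ControlSet00N (CurrentControlSet is a
# link to one of them, so it is covered too). Honours -WhatIf and -Confirm.
function Remove-ServiceFootprint {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param([Parameter(Mandatory = $true)][string]$Name)

    $controlSets = Get-ChildItem -LiteralPath 'HKLM:\SYSTEM' |
        Where-Object { $_.PSChildName -match '^ControlSet\d{3}$' }
    foreach ($cs in $controlSets) {
        $targets = @(
            "HKLM:\SYSTEM\$($cs.PSChildName)\Services\$Name"
            "HKLM:\SYSTEM\$($cs.PSChildName)\Enum\Root\LEGACY_$($Name.ToUpperInvariant())"
        )
        foreach ($t in $targets) {
            if (-not (Test-Path -LiteralPath $t)) { continue }
            if ($PSCmdlet.ShouldProcess($t, 'Remove registry key')) {
                try {
                    Remove-Item -LiteralPath $t -Recurse -Force -ErrorAction Stop
                }
                catch {
                    # LEGACY_* nodes often carry ACLs that deny even administrators;
                    # report instead of silently leaving the key behind.
                    Write-Warning "Could not delete ${t}: $($_.Exception.Message)"
                }
            }
        }
    }
}

# Report first; then preview and finally perform the cleanup for a confirmed orphan.
Get-OrphanedService | Format-Table -AutoSize
# Remove-ServiceFootprint -Name 'Fskclovsmwi' -WhatIf
# Remove-ServiceFootprint -Name 'Fskclovsmwi'
```

    Review the report before deleting anything: a missing binary is a strong sign of leftover malware, but an uninstaller that removed its files and forgot its service produces exactly the same entry, and removing the wrong key only breaks a program further. The -WhatIf pass prints every key that would go; if a LEGACY_ node then fails with access denied, the warning tells you which key survived so it can be handled with a tool that runs before the ACL applies, which is what the thread's follow-up registry search is checking for.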
     
  11. racevws

    racevws Private E-2

    Ok, I think that may have done it. I have attached the logs,

    Thanks,
    racevws
     

    Attached Files:

  12. abri

    abri MajorGeek

    Hi racevws,

    It seems to be gone, even though Combofix said it couldn't delete it. I would say you have less to worry about now than you had a week ago. It's a good idea to change your passwords every so often. Please go ahead with the final cleanup instructions:
    abri
     
