etkiaheclc.exe ????

  1. #1
    Join Date
    Feb 2004
    Location
    Mandurah, Western Australia
    Posts
    10,157
    Can you please do the following.



    ===============

    Go to Add/Remove programs and uninstall the following, if present:

    Web Rebates

    The above could appear anywhere within the entry. Be careful not to remove any personal or system software.

    ===============

    Scan with HijackThis and then place a check next to all the following, if present:


    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

    O4 - HKLM\..\Run: [Windows SyncroAd] C:\Program Files\Windows SyncroAd\SyncroAd.exe
    O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
    O4 - HKLM\..\Run: [SurfAnonymous] C:\Program Files\SurfAnonymous\SurfAnonymous.exe -1
    O4 - HKLM\..\Run: [msbb] c:\temp\msbb.exe
    O4 - HKCU\..\Run: [JewelQuestSetup.exe] C:\DOWNLO~1\JEWELQ~1.EXE /r

    O11 - Options group: [INTERNATIONAL] International*


    Now, close all instances of Internet Explorer and any other windows you have open except HiJackThis, click "Fix checked".

    ===============

    Locate and delete the following item(s), if present. Make sure you are able to view system and hidden files/ folders:

    folders...

    C:\Program Files\Windows SyncroAd
    C:\Program Files\Web_Rebates
    C:\Program Files\SurfAnonymous

    files...

    c:\temp\msbb.exe
    C:\DOWNLO~1\JEWELQ~1.EXE

    -

    Note that some of these file(s)/folder(s) may or may not be present. If present, and cannot be deleted because they're 'in use', try deleting them in Safe Mode by doing the following:
    • Restart your computer
    • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
    • Instead of Windows loading as normal, a menu should appear.
    Select the first option to run Windows in Safe Mode and hit Enter.

    -

    Reboot.

    ===============

    Please go to Jotti's or to virustotal and have this file scanned. Post the results back here.

    etkiaheclc.exe

    Post back the entire, exact path to the file if it comes back bad.

    =======

    Once you have done the above, you can go back into msconfig and set it up as you wish again.
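    An added example (my own code, not from this thread or from HijackThis) that parses the O4 Run-key lines quoted in the post above into hive, value name, executable path and arguments, then attaches review flags; the flag heuristics (unquoted path with spaces, 8.3 short name, temp or download location) are my assumptions, not HijackThis logic.

```python
import re

# Constructed sample: the five O4 (Run key) lines quoted in the post above.
SAMPLE_O4 = r"""
O4 - HKLM\..\Run: [Windows SyncroAd] C:\Program Files\Windows SyncroAd\SyncroAd.exe
O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
O4 - HKLM\..\Run: [SurfAnonymous] C:\Program Files\SurfAnonymous\SurfAnonymous.exe -1
O4 - HKLM\..\Run: [msbb] c:\temp\msbb.exe
O4 - HKCU\..\Run: [JewelQuestSetup.exe] C:\DOWNLO~1\JEWELQ~1.EXE /r
"""

# HijackThis O4 layout: "O4 - <hive>\..\<key>: [<value name>] <command line>"
O4_RE = re.compile(r'^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$')
EXE_EXT = ('.exe', '.com', '.scr', '.bat', '.cmd', '.pif')

def split_command(cmd):
    """Return (path, args, quoted); unquoted paths may contain spaces, so grow
    the path token by token until it ends in an executable extension."""
    if cmd.startswith('"') and cmd.find('"', 1) != -1:
        end = cmd.find('"', 1)
        return cmd[1:end], cmd[end + 1:].strip(), True
    tokens = cmd.split(' ')
    for i in range(len(tokens)):
        candidate = ' '.join(tokens[:i + 1])
        if candidate.lower().endswith(EXE_EXT):
            return candidate, ' '.join(tokens[i + 1:]).strip(), False
    return cmd, '', False  # no recognised extension: treat the whole value as the path

def assess(path, quoted):
    """Heuristic review flags (my own assumptions, not HijackThis logic)."""
    flags = []
    if not quoted and ' ' in path:
        flags.append('unquoted path with spaces')
    if re.search(r'~\d', path):
        flags.append('8.3 short name hides real path')
    low = path.lower()
    if '\\temp\\' in low or '\\downlo' in low:
        flags.append('runs from temp/download location')
    return flags

def parse_o4(text):
    """Parse every O4 line into a dict the reviewer can sort and filter on."""
    entries = []
    for line in text.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            path, args, quoted = split_command(m['cmd'])
            entries.append({'hive': m['hive'], 'key': m['key'], 'name': m['name'],
                            'path': path, 'args': args, 'flags': assess(path, quoted)})
    return entries
```

    Running `parse_o4(SAMPLE_O4)` separates the real file paths (the ones to locate and delete) from launch arguments such as `-1` and `/r`, and flags the two entries that run from temp or download locations.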

  2. #2
    Join Date
    Sep 2001
    Location
    England
    Posts
    986
    Hi again Crunchie,

    Most of the things had already been deleted and were inactive items in the start up, but I double-checked and did the fixes in HijackThis too.

    Then it gets messy. I ran the scan at Jotti's, which was a problem because I cannot find the file in question on my system, as previously mentioned. So I copied the path shown in the msconfig start up, and here is the result from Jotti's:

    Service load: 0% 100%

    File: etkiaheclc.exe
    Status: INFECTED/MALWARE
    MD5: 75d1a72744a09ae06d956a8fecd92785
    Packers detected: PE_PATCH
    Bit9 reports: File not found


    Scan taken on 25 Jun 2007 10:57:25 (GMT)
    A-Squared Found nothing
    AntiVir Found nothing
    ArcaVir Found Heur.W32
    Avast Found nothing
    AVG Antivirus Found nothing
    BitDefender Found nothing
    ClamAV Found nothing
    Dr.Web Found nothing
    F-Prot Antivirus Found nothing
    F-Secure Anti-Virus Found nothing
    Fortinet Found nothing
    Kaspersky Anti-Virus Found nothing
    NOD32 Found nothing
    Norman Virus Control Found nothing
    Panda Antivirus Found nothing
    Rising Antivirus Found nothing
    VirusBuster Found nothing
    VBA32 Found nothing


    Scanner Malware name
    A-Squared X
    AntiVir X
    ArcaVir X
    Avast Win32:Crypt-EM
    AVG Antivirus X
    BitDefender X
    ClamAV X
    Dr.Web X
    F-Prot Antivirus X
    F-Secure Anti-Virus X
    Fortinet X
    Kaspersky Anti-Virus X
    NOD32 X
    Norman Virus Control X
    Panda Antivirus X
    Rising Antivirus X
    VirusBuster X
    VBA32 X


    I need now to find out what is generating the etkiaheclc.exe in start up, and also to find out what Heur.W32 is, and Win32:Crypt-EM. Any ideas where to start? AVG and Adaware were run at the start of this problem; the problem still exists.

    Virtual Patient

  3. #3
    Join Date
    Feb 2004
    Location
    Mandurah, Western Australia
    Posts
    10,157
    Quote Originally Posted by crunchie
    Post back the entire, exact path to the file if it comes back bad.
    Still need to see that please.

    ==

    1. Download this file from one of the following links :

    http://download.bleepingcomputer.com/sUBs/combofix.exe
    http://www.techsupportforum.com/sectools/combofix.exe

    2. Double-click combofix.exe & follow the prompts.
    3. When finished, it shall produce a log for you. Post that log in your next reply.

    Note:
    Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

  4. #4
    Join Date
    Sep 2001
    Location
    England
    Posts
    986
    OK, here is the log from ComboFix:

    ComboFix 07-06-18.2
    "Angela" - 2007-06-25 12:49:15 - Service Pack 2 NTFS


    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


    C:\WINDOWS\secure32.html
    C:\WINDOWS\system32\etkiaheclc.dat
    C:\WINDOWS\system32\etkiaheclc.exe
    C:\WINDOWS\system32\etkiaheclc_nav.dat
    C:\WINDOWS\system32\etkiaheclc_navps.dat
    C:\WINDOWS\system32\msxml3a.dll
    C:\WINDOWS\system32\nvs2.inf
    C:\WINDOWS\system32\paytime.exe


    ((((((((((((((((((((((((( Files Created from 2007-05-25 to 2007-06-25 )))))))))))))))))))))))))))))))


    2007-06-25 12:48 49,152 --a------ C:\WINDOWS\nircmd.exe
    2007-06-24 19:02 <DIR> d-------- C:\DOCUME~1\ANGELA~1.ANG\APPLIC~1\VideoEgg
    2007-06-24 14:38 <DIR> d-------- C:\HJT
    2007-05-25 16:21 <DIR> d-------- C:\Program Files\SopCast
    2007-05-25 12:43 307,200 --ah----- C:\DOCUME~1\Guest\NTUSER.DAT


    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

    2007-05-25 15:22:04 -------- d-----w C:\DOCUME~1\ANGELA~1.ANG\APPLIC~1\SopCast
    2007-05-25 11:58:37 -------- d-----w C:\DOCUME~1\ANGELA~1.ANG\APPLIC~1\MSN6
    2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
    2007-05-01 06:26:01 4,212 ---h--w C:\WINDOWS\system32\zllictbl.dat
    2007-04-28 14:10:54 -------- d-----w C:\Program Files\VTTV
    2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
    2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
    2007-04-16 21:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
    2007-04-16 21:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
    2007-04-16 21:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
    2007-04-16 21:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
    2007-04-16 21:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
    2007-04-16 21:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
    2007-04-16 21:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
    2007-04-16 21:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll


    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
    {02478D38-C3F9-4EFB-9B51-7695ECA05670}=C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll [2005-11-21 15:54]
    {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll [2003-11-03 14:17]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ATIPTA"="C:\ATI-CPanel\atiptaxx.exe" [2003-12-12 19:31]
    "AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2007-04-21 09:09]
    "Zone Labs Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-03-09 00:02]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-05-24 17:50]
    "SoundMan"="SOUNDMAN.EXE" [2005-05-17 11:48 C:\WINDOWS\soundman.exe]
    "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-11-25 07:55]
    "ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-03-09 00:02]
    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2005-05-04 17:21]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:56]
    "Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\ypager.exe" [2005-10-11 10:00]
    "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 17:24]

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
    "tscuninstall"=%systemroot%\system32\tscupgrd.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "Spooler"=2 (0x2)


    **************************************************************************

    catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-06-25 12:54:18
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    Completion time: 2007-06-25 12:55:03
    C:\ComboFix-quarantined-files.txt ... 2007-06-25 12:55

    --- E O F ---


    I did notice while it was running that it found the file in question ... but it has now vanished from the startup in msconfig ... does this mean it got fixed?

    I have no idea how to give you the exact path to the file as previously requested, as it was never found where msconfig said it was:

    c:\windows\system32\etkiaheclc.exe etkiaheclc

    ^ ^ ^ ^ that is where msconfig said it was.

    Virtual Patient
