etkiaheclc.exe ????

**crunchie** · June 25th, 2007, 07:46 AM

Originally Posted by crunchie

Post back the entire, exact path to the file if it comes back bad.

Still need to see that please.

==

1. Download this file from one of the following links :

http://download.bleepingcomputer.com/sUBs/combofix.exe
http://www.techsupportforum.com/sectools/combofix.exe

2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

**Virtual Patient** · June 25th, 2007, 08:05 AM

ok, here is the log from combofix

ComboFix 07-06-18.2
"Angela" - 2007-06-25 12:49:15 - Service Pack 2 NTFS

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\WINDOWS\secure32.html
C:\WINDOWS\system32\etkiaheclc.dat
C:\WINDOWS\system32\etkiaheclc.exe
C:\WINDOWS\system32\etkiaheclc_nav.dat
C:\WINDOWS\system32\etkiaheclc_navps.dat
C:\WINDOWS\system32\msxml3a.dll
C:\WINDOWS\system32\nvs2.inf
C:\WINDOWS\system32\paytime.exe

((((((((((((((((((((((((( Files Created from 2007-05-25 to 2007-06-25 )))))))))))))))))))))))))))))))

2007-06-25 12:48 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-24 19:02 <DIR> d-------- C:\DOCUME~1\ANGELA~1.ANG\APPLIC~1\VideoEgg
2007-06-24 14:38 <DIR> d-------- C:\HJT
2007-05-25 16:21 <DIR> d-------- C:\Program Files\SopCast
2007-05-25 12:43 307,200 --ah----- C:\DOCUME~1\Guest\NTUSER.DAT

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-05-25 15:22:04 -------- d-----w C:\DOCUME~1\ANGELA~1.ANG\APPLIC~1\SopCast
2007-05-25 11:58:37 -------- d-----w C:\DOCUME~1\ANGELA~1.ANG\APPLIC~1\MSN6
2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-05-01 06:26:01 4,212 ---h--w C:\WINDOWS\system32\zllictbl.dat
2007-04-28 14:10:54 -------- d-----w C:\Program Files\VTTV
2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-16 21:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-16 21:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-16 21:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-16 21:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-16 21:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-16 21:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-16 21:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-16 21:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{02478D38-C3F9-4EFB-9B51-7695ECA05670}=C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll [2005-11-21 15:54]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll [2003-11-03 14:17]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\ATI-CPanel\atiptaxx.exe" [2003-12-12 19:31]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2007-04-21 09:09]
"Zone Labs Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-03-09 00:02]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-05-24 17:50]
"SoundMan"="SOUNDMAN.EXE" [2005-05-17 11:48 C:\WINDOWS\soundman.exe]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-11-25 07:55]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-03-09 00:02]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2005-05-04 17:21]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:56]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\ypager.exe" [2005-10-11 10:00]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 17:24]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"tscuninstall"=%systemroot%\system32\tscupgrd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Spooler"=2 (0x2)

**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-25 12:54:18
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-06-25 12:55:03
C:\ComboFix-quarantined-files.txt ... 2007-06-25 12:55

--- E O F ---

I did notice while it was running that it found the file in question ... but it has now vanished from the startup in msconfig ... does this mean it got fixed?

I have no idea how to give you the exact path to the file as previously requested as it was never found where msconfig said it was

c:\windows\system32\etkiaheclc.exe etkiaheclc

^ ^ ^ ^ that is where msconfig said it was.

Virtual Paitent

Thread: etkiaheclc.exe ????

Thread Tools

Search Thread

Display

Hybrid View

Thread Information

Users Browsing this Thread

Posting Permissions