-
June 25th, 2007, 08:05 AM
#16
ok, here is the log from combofix
ComboFix 07-06-18.2
"Angela" - 2007-06-25 12:49:15 - Service Pack 2 NTFS
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
C:\WINDOWS\secure32.html
C:\WINDOWS\system32\etkiaheclc.dat
C:\WINDOWS\system32\etkiaheclc.exe
C:\WINDOWS\system32\etkiaheclc_nav.dat
C:\WINDOWS\system32\etkiaheclc_navps.dat
C:\WINDOWS\system32\msxml3a.dll
C:\WINDOWS\system32\nvs2.inf
C:\WINDOWS\system32\paytime.exe
((((((((((((((((((((((((( Files Created from 2007-05-25 to 2007-06-25 )))))))))))))))))))))))))))))))
2007-06-25 12:48 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-24 19:02 <DIR> d-------- C:\DOCUME~1\ANGELA~1.ANG\APPLIC~1\VideoEgg
2007-06-24 14:38 <DIR> d-------- C:\HJT
2007-05-25 16:21 <DIR> d-------- C:\Program Files\SopCast
2007-05-25 12:43 307,200 --ah----- C:\DOCUME~1\Guest\NTUSER.DAT
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-05-25 15:22:04 -------- d-----w C:\DOCUME~1\ANGELA~1.ANG\APPLIC~1\SopCast
2007-05-25 11:58:37 -------- d-----w C:\DOCUME~1\ANGELA~1.ANG\APPLIC~1\MSN6
2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-05-01 06:26:01 4,212 ---h--w C:\WINDOWS\system32\zllictbl.dat
2007-04-28 14:10:54 -------- d-----w C:\Program Files\VTTV
2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-16 21:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-16 21:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-16 21:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-16 21:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-16 21:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-16 21:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-16 21:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-16 21:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{02478D38-C3F9-4EFB-9B51-7695ECA05670}=C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll [2005-11-21 15:54]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll [2003-11-03 14:17]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\ATI-CPanel\atiptaxx.exe" [2003-12-12 19:31]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2007-04-21 09:09]
"Zone Labs Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-03-09 00:02]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-05-24 17:50]
"SoundMan"="SOUNDMAN.EXE" [2005-05-17 11:48 C:\WINDOWS\soundman.exe]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-11-25 07:55]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-03-09 00:02]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2005-05-04 17:21]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:56]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\ypager.exe" [2005-10-11 10:00]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 17:24]
[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"tscuninstall"=%systemroot%\system32\tscupgrd.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Spooler"=2 (0x2)
**************************************************************************
catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-25 12:54:18
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Completion time: 2007-06-25 12:55:03
C:\ComboFix-quarantined-files.txt ... 2007-06-25 12:55
--- E O F ---
I did notice while it was running that it found the file in question ... but it has now vanished from the startup in msconfig ... does this mean it got fixed?
I have no idea how to give you the exact path to the file as previously requested, as it was never found where msconfig said it was.
c:\windows\system32\etkiaheclc.exe etkiaheclc
^ ^ ^ ^ that is where msconfig said it was.
Virtual Patient
-
June 25th, 2007, 08:11 AM
#17
Looks like combofix got it. Can you do the following too, please? I want to check something else:
Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.
Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.
Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm
-
June 25th, 2007, 08:30 AM
#18
SmitfraudFix log ---------->
SmitFraudFix v2.195
Scan done at 13:27:02.31, 25/06/2007
Run from C:\Documents and Settings\Angela.ANGELA-Q3H6SF49\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode
»»»»»»»»»»»»»»»»»»»»»»»» Process
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\ATI-CPanel\atiptaxx.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\MACROE~1\MACEXP.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\cmd.exe
»»»»»»»»»»»»»»»»»»»»»»»» hosts
»»»»»»»»»»»»»»»»»»»»»»»» C:\
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles
»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Angela.ANGELA-Q3H6SF49
»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Angela.ANGELA-Q3H6SF49\Application Data
»»»»»»»»»»»»»»»»»»»»»»»» Start Menu
»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\ANGELA~1.ANG\FAVORI~1
»»»»»»»»»»»»»»»»»»»»»»»» Desktop
»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files
»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys
»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""
»»»»»»»»»»»»»»»»»»»»»»»» Rustock
»»»»»»»»»»»»»»»»»»»»»»»» DNS
Description: Realtek RTL8169/8110 Family Gigabit Ethernet NIC - Packet Scheduler Miniport
DNS Server Search Order: 62.31.176.39
DNS Server Search Order: 194.117.134.19
DNS Server Search Order: 195.188.53.175
Description: Realtek RTL8169/8110 Family Gigabit Ethernet NIC - Packet Scheduler Miniport
DNS Server Search Order: 62.31.176.39
DNS Server Search Order: 194.117.134.19
DNS Server Search Order: 195.188.53.175
HKLM\SYSTEM\CCS\Services\Tcpip\..\{22CEEB0B-7223-4006-8E68-4830FD6121BC}: DhcpNameServer=62.31.176.39 194.117.134.19 195.188.53.175
HKLM\SYSTEM\CCS\Services\Tcpip\..\{29A0F093-5D43-49B7-901E-BDAC529C9DD6}: DhcpNameServer=62.31.176.39 194.117.134.19 195.188.53.175
HKLM\SYSTEM\CS1\Services\Tcpip\..\{22CEEB0B-7223-4006-8E68-4830FD6121BC}: DhcpNameServer=62.31.176.39 194.117.134.19 195.188.53.175
HKLM\SYSTEM\CS1\Services\Tcpip\..\{29A0F093-5D43-49B7-901E-BDAC529C9DD6}: DhcpNameServer=62.31.176.39 194.117.134.19 195.188.53.175
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=62.31.176.39 194.117.134.19 195.188.53.175
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=62.31.176.39 194.117.134.19 195.188.53.175
»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection
»»»»»»»»»»»»»»»»»»»»»»»» End
Am I nearly clean?
Virtual Patient
-
June 25th, 2007, 08:33 AM
#19
Looks like you are clean, VP. Everything OK on your end?
-
June 25th, 2007, 08:35 AM
#20
Thank you very much, Crunchie; everything is looking good at this end ... no more strange pop-ups.
Isn't it odd that when I use the computer I get ads for viruses and free mobile phones, but when my young daughter used it she got naked ladies?
I really appreciate the time you have taken to help me, thank you.
Virtual Patient
-
June 25th, 2007, 08:40 AM
#21
You are welcome. Hopefully the naked ladies have moved on.
-
June 25th, 2007, 08:43 AM
#22
Naked ladies have gone too.
-
June 25th, 2007, 08:45 AM
#23
Now that your PC is clean you need to follow these easy steps to keeping it this way:
Download CCleaner and install, then run it. It will clear out your temp folders.
- Uncheck "Cookies" under "Internet Explorer".
- Click on Run Cleaner in the lower right-hand corner. This can take quite a while to run.
- Close when finished.
Secure your Internet Explorer by going here and following the instructions there.
Better yet, use an alternative browser! Download FireFox and give it a run. It is far more secure than Internet Explorer. Or, you can get Opera which in my opinion, is better still.
Use a firewall to help prevent your PC's control being usurped by undesirables. There is a link to a good, free firewall in my signature.
Install and keep updated, AVG anti-spyware, Ad-Aware SE and Spybot S&D.
Run them all on a regular basis, following the makers' recommendations.
Install an anti-virus. There are some good, free AVs available today. Make sure that it is updated regularly and have it scan your system often.
Check for Windows Updates. Microsoft regularly posts updates for your system's safe running. Make sure to take advantage of this. Reboot when installed and return to make sure there are no others.
Empty the Recycle Bin.
For XP users.
After something like this it is a good idea to Flush the Restore Points and start fresh.
To flush the XP system Restore Points:
Go to Start>Run and type msconfig. Press enter.
When msconfig opens, click the Launch System Restore Button.
On the next page, click the System Restore Settings link on the left.
Check the box labelled 'Turn off System restore'.
Reboot. Go back in and Turn System Restore Back on. A new Restore Point will be created.
Note that all previous restore points will be lost.