Request for help with Hijack log

Anonymous
10 replies
 • Hello champs,

  I am cleaning up an acquaintance's PC and would like expert advice on this Hijack log.

  Who can help me?

  Thanks in advance

  Zabbie

  Logfile of HijackThis v1.98.0
  Scan saved at 18:45:46, on 6-7-2004
  Platform: Windows XP (WinNT 5.01.2600)
  MSIE: Internet Explorer v6.00 (6.00.2600.0000)

  Running processes:
  C:\WINDOWS\System32\smss.exe
  C:\WINDOWS\system32\winlogon.exe
  C:\WINDOWS\system32\services.exe
  C:\WINDOWS\system32\lsass.exe
  C:\WINDOWS\system32\svchost.exe
  C:\WINDOWS\System32\svchost.exe
  C:\WINDOWS\system32\spoolsv.exe
  C:\WINDOWS\Explorer.EXE
  C:\Program Files\Microsoft Works\WksSb.exe
  C:\WINDOWS\SOUNDMAN.EXE
  C:\ati-cpanel\atiptaxx.exe
  C:\WINDOWS\hmqd.exe
  C:\Program Files\McAfee.com\Agent\mcagent.exe
  C:\Program Files\McAfee\McAfee VirusScan\VSStat.exe
  C:\WINDOWS\System32\ctfmon.exe
  C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
  C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
  C:\WINDOWS\System32\pnphostu.exe
  C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
  C:\WINDOWS\System32\drivers\CDAC11BA.EXE
  C:\WINDOWS\system32\slserv.exe
  C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
  C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
  C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
  C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
  C:\WINDOWS\System32\wuauclt.exe
  C:\Program Files\Internet Explorer\IEXPLORE.EXE
  C:\WINDOWS\AppPatch\xmleula.exe
  C:\_HijackThis\HijackThis.exe

  R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
  R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
  R3 - URLSearchHook: (no name) - _{707E6F76-9FFB-4920-A976-EA101271BC25} - (no file)
  R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
  R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - (no file)
  O2 - BHO: (no name) - SOFTWARE - (no file)
  O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem219.dll (file missing)
  O2 - BHO: (no name) - {00041A26-7033-432C-94C7-6371DE343822} - (no file)
  O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
  O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
  O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\Program Files\McAfee\McAfee VirusScan\VSCShellExtension.dll
  O4 - HKLM\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
  O4 - HKLM\..\Run: [Microsoft Works Portfolio] c:\Program Files\Microsoft Works\WksSb.exe /AllUsers
  O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
  O4 - HKLM\..\Run: [ATIPTA] C:\ati-cpanel\atiptaxx.exe
  O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
  O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\System32\bridge.dll",Load
  O4 - HKLM\..\Run: [Jxfg] C:\WINDOWS\hmqd.exe
  O4 - HKLM\..\Run: [xmleula] C:\WINDOWS\AppPatch\xmleula.exe
  O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
  O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
  O4 - HKLM\..\Run: [VirusScanMSC] "C:\Program Files\McAfee\McAfee VirusScan\VSStat.exe" /EMBEDDING
  O4 - HKLM\..\Run: [pnphostu] C:\WINDOWS\System32\pnphostu.exe
  O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
  O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /STARTMONITOR
  O4 - Global Startup: Herinneringen van Microsoft Works Agenda.lnk = ?
  O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
  O16 - DPF: {1EB17D1C-141D-4D9D-91CB-24D99215851D} - http://akamai.downloadv3.com/binaries/IA/netia32_EN_XP.cab
 • I'll take a look
 • I'll have a look for you.

  Edit: too late, pcguy is already taking a look for you.
 • Run HijackThis again with all windows closed and have it fix the following items:

  R3 - URLSearchHook: (no name) - _{707E6F76-9FFB-4920-A976-EA101271BC25} - (no file)
  R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
  R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - (no file)
  O2 - BHO: (no name) - SOFTWARE - (no file)
  O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem219.dll (file missing)
  O2 - BHO: (no name) - {00041A26-7033-432C-94C7-6371DE343822} - (no file)
  O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\System32\bridge.dll",Load
  O16 - DPF: {1EB17D1C-141D-4D9D-91CB-24D99215851D} - http://akamai.downloadv3.com/binaries/IA/netia32_EN_XP.cab

  Reboot and post a new log.

  Edit: (thanks André, oh yeah, PestPatrol, which I ended up at via startuplist.php, told me to have these keys fixed)
  Fix this one too:
  O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe

  Then, in regedit (type "regedit" in Run), delete these items if present:
  HKEY_CLASSES_ROOT\clsid\{707e6f76-9ffb-4920-a976-ea101271bc25}
  HKEY_CLASSES_ROOT\interface\{707e6f76-9ffb-4920-a976-ea101271bc25}
  HKEY_CLASSES_ROOT\typelib\{707e6f76-9ffb-4920-a976-ea101271bc25}
  HKEY_LOCAL_MACHINE\software\classes\clsid\{707e6f76-9ffb-4920-a976-ea101271bc25}
  HKEY_LOCAL_MACHINE\software\classes\typelib\{707e6f76-9ffb-4920-a976-ea101271bc25}

  Then delete c:\windows\jeired.dll (the file jeired.dll) if present.


  And I can't find any info on the following:
  O4 - HKLM\..\Run: [xmleula] C:\WINDOWS\AppPatch\xmleula.exe
  O4 - HKLM\..\Run: [pnphostu] C:\WINDOWS\System32\pnphostu.exe
 • C:\WINDOWS\hmqd.exe
  C:\WINDOWS\System32\pnphostu.exe
  C:\WINDOWS\system32\slserv.exe
  C:\WINDOWS\AppPatch\xmleula.exe

  R3 - URLSearchHook: (no name) - _{707E6F76-9FFB-4920-A976-EA101271BC25} - (no file)
  R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
  R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - (no file)
  O2 - BHO: (no name) - SOFTWARE - (no file)
  O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem219.dll (file missing)
  O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
  O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\System32\bridge.dll",Load
  O4 - HKLM\..\Run: [Jxfg] C:\WINDOWS\hmqd.exe
  O4 - HKLM\..\Run: [xmleula] C:\WINDOWS\AppPatch\xmleula.exe
  O4 - HKLM\..\Run: [pnphostu] C:\WINDOWS\System32\pnphostu.exe
  O16 - DPF: {1EB17D1C-141D-4D9D-91CB-24D99215851D} - http://akamai.downloadv3.com/binaries/IA/netia32_EN_XP.cab

  Just to be complete.
 • I also applied some Windows updates.
  Here is the new log.
  I'll wait and see.

  TIA,

  zabadak

  Logfile of HijackThis v1.98.0
  Scan saved at 19:55:41, on 7-7-2004
  Platform: Windows XP SP1 (WinNT 5.01.2600)
  MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

  Running processes:
  C:\WINDOWS\System32\smss.exe
  C:\WINDOWS\system32\winlogon.exe
  C:\WINDOWS\system32\services.exe
  C:\WINDOWS\system32\lsass.exe
  C:\WINDOWS\system32\svchost.exe
  C:\WINDOWS\System32\svchost.exe
  C:\WINDOWS\system32\spoolsv.exe
  C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
  C:\WINDOWS\System32\drivers\CDAC11BA.EXE
  C:\WINDOWS\system32\slserv.exe
  C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
  C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
  C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
  C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
  C:\WINDOWS\Explorer.EXE
  C:\Program Files\Microsoft Works\WksSb.exe
  C:\WINDOWS\SOUNDMAN.EXE
  C:\ati-cpanel\atiptaxx.exe
  C:\WINDOWS\hmqd.exe
  C:\Program Files\McAfee.com\Agent\mcagent.exe
  C:\Program Files\McAfee\McAfee VirusScan\VSStat.exe
  C:\WINDOWS\AppPatch\xmleula.exe
  C:\WINDOWS\System32\ctfmon.exe
  C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
  C:\Program Files\Messenger\msmsgs.exe
  C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
  C:\WINDOWS\System32\bdheptk.exe
  C:\_Toon\HijackThis\HijackThis.exe

  R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wxs.nl/
  R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
  R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
  O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
  O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
  O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\Program Files\McAfee\McAfee VirusScan\VSCShellExtension.dll
  O4 - HKLM\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
  O4 - HKLM\..\Run: [Microsoft Works Portfolio] c:\Program Files\Microsoft Works\WksSb.exe /AllUsers
  O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
  O4 - HKLM\..\Run: [ATIPTA] C:\ati-cpanel\atiptaxx.exe
  O4 - HKLM\..\Run: [Jxfg] C:\WINDOWS\hmqd.exe
  O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
  O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe
  O4 - HKLM\..\Run: [VirusScanMSC] "C:\Program Files\McAfee\McAfee VirusScan\VSStat.exe" /EMBEDDING
  O4 - HKLM\..\Run: [xmleula] C:\WINDOWS\AppPatch\xmleula.exe
  O4 - HKLM\..\Run: [bdheptk] C:\WINDOWS\System32\bdheptk.exe
  O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
  O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /STARTMONITOR
  O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
  O4 - Global Startup: Herinneringen van Microsoft Works Agenda.lnk = ?
  O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
 • I'll take a look for you (and not too quickly this time)
 • End the following processes in Task Manager:

  hmqd.exe
  xmleula.exe
  bdheptk.exe

  Run HijackThis again and have it fix the following items:
  O4 - HKLM\..\Run: [Jxfg] C:\WINDOWS\hmqd.exe
  O4 - HKLM\..\Run: [xmleula] C:\WINDOWS\AppPatch\xmleula.exe
  O4 - HKLM\..\Run: [bdheptk] C:\WINDOWS\System32\bdheptk.exe

  Reboot and post a new log.
 • This is a new scan.
  I had to delete those files under DOS; I think that worked. Removing them under Task Manager/Processes doesn't work because it immediately became active again.

  Hopefully everything is clean now…

  TIA

  Zabadak

  Logfile of HijackThis v1.98.0
  Scan saved at 17:50:02, on 13-7-2004
  Platform: Windows XP SP1 (WinNT 5.01.2600)
  MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

  Running processes:
  C:\WINDOWS\System32\smss.exe
  C:\WINDOWS\system32\winlogon.exe
  C:\WINDOWS\system32\services.exe
  C:\WINDOWS\system32\lsass.exe
  C:\WINDOWS\system32\svchost.exe
  C:\WINDOWS\System32\svchost.exe
  C:\WINDOWS\system32\spoolsv.exe
  C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
  C:\WINDOWS\System32\drivers\CDAC11BA.EXE
  C:\WINDOWS\system32\slserv.exe
  C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
  C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
  C:\WINDOWS\Explorer.EXE
  C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
  C:\Program Files\Microsoft Works\WksSb.exe
  C:\WINDOWS\SOUNDMAN.EXE
  C:\ati-cpanel\atiptaxx.exe
  C:\Program Files\McAfee.com\Agent\mcagent.exe
  C:\Program Files\McAfee\McAfee VirusScan\VSStat.exe
  C:\WINDOWS\System32\ctfmon.exe
  C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
  C:\Program Files\Messenger\msmsgs.exe
  C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
  C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
  C:\WINDOWS\System32\tricdxxa.exe
  C:\_Hijack\HijackThis\HijackThis.exe

  R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
  R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
  O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
  O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
  O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\Program Files\McAfee\McAfee VirusScan\VSCShellExtension.dll
  O4 - HKLM\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
  O4 - HKLM\..\Run: [Microsoft Works Portfolio] c:\Program Files\Microsoft Works\WksSb.exe /AllUsers
  O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
  O4 - HKLM\..\Run: [ATIPTA] C:\ati-cpanel\atiptaxx.exe
  O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
  O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe
  O4 - HKLM\..\Run: [VirusScanMSC] "C:\Program Files\McAfee\McAfee VirusScan\VSStat.exe" /EMBEDDING
  O4 - HKLM\..\Run: [tricdxxa] C:\WINDOWS\System32\tricdxxa.exe
  O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
  O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /STARTMONITOR
  O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
  O4 - Global Startup: Herinneringen van Microsoft Works Agenda.lnk = ?
  O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
 • I suddenly see a new one in there.

  Start Task Manager and end the following process:
  tricdxxa.exe


  Close all windows, start HijackThis and remove:

  O4 - HKLM\..\Run: [tricdxxa] C:\WINDOWS\System32\tricdxxa.exe

  Again, delete in safe mode:

  C:\WINDOWS\System32\tricdxxa.exe <= this file


  Then post a new Hijack log
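
Across the scans in this thread a randomly named autorun keeps coming back under a new name (hmqd.exe, bdheptk.exe, then tricdxxa.exe). The following is an added example, not part of the original thread or of HijackThis: it compares the O4 Run entries of two consecutive logs and reports entries that appear only in the later one, together with whether the binary is also listed under running processes. The function names are hypothetical and the sample logs are short excerpts of the 7-7-2004 and 13-7-2004 scans above.

```python
import re

# HijackThis O4 registry autorun line: O4 - HKLM\..\Run: [Name] command
O4_RUN = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(Run\w*): \[([^\]]*)\] (.+)$")

def run_entries(log):
    """Map (hive, key, value name) -> command for each O4 registry autorun."""
    found = {}
    for line in log.splitlines():
        m = O4_RUN.match(line.strip())
        if m:
            found[m.group(1, 2, 3)] = m.group(4)
    return found

def running(log):
    """Lower-cased paths from the 'Running processes:' section."""
    paths, inside = set(), False
    for line in (l.strip() for l in log.splitlines()):
        if line == "Running processes:":
            inside = True
        elif inside and not line:
            break  # a blank line ends the process list
        elif inside:
            paths.add(line.lower())
    return paths

def new_autoruns(before, after):
    """Autoruns present only in the later scan: (name, command, is_running)."""
    old, procs = run_entries(before), running(after)
    return [(key[2], cmd, any(p in cmd.lower() for p in procs))
            for key, cmd in run_entries(after).items() if key not in old]

# Excerpts of the logs posted in this thread (shortened for the example).
SCAN_7_JULY = r"""
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Jxfg] C:\WINDOWS\hmqd.exe
O4 - HKLM\..\Run: [xmleula] C:\WINDOWS\AppPatch\xmleula.exe
O4 - HKLM\..\Run: [bdheptk] C:\WINDOWS\System32\bdheptk.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
"""
SCAN_13_JULY = r"""
Running processes:
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\tricdxxa.exe

O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [tricdxxa] C:\WINDOWS\System32\tricdxxa.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
"""

if __name__ == "__main__":
    for name, cmd, active in new_autoruns(SCAN_7_JULY, SCAN_13_JULY):
        print(f"new autorun [{name}] {cmd} running={active}")
```
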

This is an archived page. Replies are no longer possible.