TechSpot

Help: HJT log file

By niko
Aug 26, 2006
  1. I have a pop up window annoying me and probably something else. I have attached my HJT log file.

    Security Task Manager suspicious files (can not delete them):
    • xcrkn1.dll
    • pwqn2.exe

    Thanks for any help or comment ;-)

    Niko
     
  2. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Hello and welcome to Techspot.

    Download the Pocket Killbox programme from HERE. Extract it but don't run it yet.

    You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

    Turn off system restore (XP/ME only). See how here: http://www.bleepingcomputer.com/forums/tutorial56.html

    Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how here: http://www.bleepingcomputer.com/forums/tutorial61.html

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how here: http://www.bleepingcomputer.com/forums/tutorial62.html

    Click start/run and type services.msc into the run box and press the enter key.

    When the window appears, maximise it. Double click on the following services (if there) and select stop if they are running. Set the startup type to disabled. Click apply/ok for each service you disable.

    LogFlb

    Close the services window.

    Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

    Click on the processes tab and end process for (if there):

    clock$.exe
    pwqn2.exe

    Close task manager.

    Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to (if there):

    R3 - Default URLSearchHook is missing

    O2 - BHO: Class - {27A2C10C-2B21-2E4D-B240-7444E79F4691} - C:\WINDOWS\xcrkn1.dll (file missing)

    O4 - HKLM\..\Run: [pwqn2.exe] C:\WINDOWS\Temp\pwqn2.exe

    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\ARCHIV~1\MSNMES~1\msgrapp.dll" (file missing)

    O23 - Service: LogFlb - Unknown owner - \\?\C:\Archivos de programa\Archivos comunes\System\clock$.exe (file missing)

    Click on the fix checked button.

    Close HJT.

    Locate and delete the following bold files and/or directories (if there).

    C:\Archivos de programa\Archivos comunes\System\clock$.exe

    Run the killbox.exe file. When it loads, type the full path to the file you would like to delete in the field and check the delete file on reboot button. Press the Delete File button (looks like a red circle with a white X). It will prompt you to reboot; select no until you have finished inputting the files you want to delete, only then allow it to reboot and hopefully your files will now be deleted.

    This is the filepath you need to enter into Killbox.

    C:\WINDOWS\Temp\pwqn2.exe

    Once your system has rebooted, turn system restore back on.

    Post a fresh HJT log and let me know how your system is running.

    Regards Howard :wave: :wave:

    This thread is for the use of niko only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
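The HJT entries listed in the post above share a simple `code - body` layout, so they can be split into fields for triage. The following is an added example, not part of the original post and not HijackThis code; the regular expressions, the `Entry` fields and the two triage rules are assumptions made for illustration, and the sample text is built from the five entries quoted above.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the five entries quoted in the post above.
SAMPLE_LOG = r"""
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {27A2C10C-2B21-2E4D-B240-7444E79F4691} - C:\WINDOWS\xcrkn1.dll (file missing)
O4 - HKLM\..\Run: [pwqn2.exe] C:\WINDOWS\Temp\pwqn2.exe
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\ARCHIV~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: LogFlb - Unknown owner - \\?\C:\Archivos de programa\Archivos comunes\System\clock$.exe (file missing)
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")            # section code, then body
CLSID = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# Drive-letter path at the end of the body, optionally quoted and/or flagged missing.
PATH = re.compile(r'([A-Za-z]:\\[^"]*?)"?(?: \(file missing\))?$')

@dataclass
class Entry:
    code: str                 # e.g. "O2"
    clsid: Optional[str]      # class id, when the entry carries one
    path: Optional[str]       # file the entry points at, when present
    file_missing: bool        # HJT could not find that file on disk

def parse_log(text):
    """Turn HJT log text into Entry records, skipping non-entry lines."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue
        code, body = m.groups()
        clsid, path = CLSID.search(body), PATH.search(body)
        entries.append(Entry(code, clsid.group(0) if clsid else None,
                             path.group(1) if path else None,
                             body.endswith("(file missing)")))
    return entries

def triage(entries):
    """Hypothetical review rules: dangling targets and autostarts from Temp."""
    notes = []
    for e in entries:
        if e.file_missing:
            notes.append((e.code, "target not found on disk"))
        elif e.path and "\\temp\\" in e.path.lower():
            notes.append((e.code, "autostart from a Temp directory"))
    return notes

if __name__ == "__main__":
    for code, note in triage(parse_log(SAMPLE_LOG)):
        print(code, note)
```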
     
  3. niko

    niko TS Rookie Topic Starter

    Thanks

    Thanks a lot Howard :) It seems perfect now. Anyway I post the fresh HJT log so you can confirm it.

    Really appreciated your help ;-)

    Niko
     
  4. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Well done, your HJT log is now clean.

    If you have any further virus/spyware problems, please post in this thread.

    Regards Howard :)

     
  5. niko

    niko TS Rookie Topic Starter

    xcrkn1.dll is back :-(

    Hi Howard,

    After I open Internet Explorer this file (xcrkn1.dll) appears again :-(

    I have posted the HJT log. Any idea?

    Thanks

    Niko
     
  6. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

    Turn off system restore (XP/ME only). See how here: http://www.bleepingcomputer.com/forums/tutorial56.html

    Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how here: http://www.bleepingcomputer.com/forums/tutorial61.html

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how here: http://www.bleepingcomputer.com/forums/tutorial62.html


    Have HJT fix these two entries.

    R3 - Default URLSearchHook is missing

    O2 - BHO: Class - {27A2C10C-2B21-2E4D-B240-7444E79F4691} - C:\WINDOWS\xcrkn1.dll (file missing)

    Click the fix checked button.

    Close HJT.

    Run the killbox.exe file. When it loads, type the full path to the file you would like to delete in the field and check the delete file on reboot button. Press the Delete File button (looks like a red circle with a white X). It will prompt you to reboot; select no until you have finished inputting the files you want to delete, only then allow it to reboot and hopefully your files will now be deleted.

    This is the filepath you need to enter into killbox.

    C:\WINDOWS\xcrkn1.dll

    Once your system has rebooted, turn system restore back on.

    Search your system for xcrkn1.dll and let me know if and where you find it.

    Regards Howard :)
     
  7. niko

    niko TS Rookie Topic Starter

    Same happening

    In safe mode I fixed those two entries and then tried to delete the file with Killbox, but when it was about to restart, Killbox showed me this message: "PendingFileRenameOperations Registry Data has been Removed by External Process!"

    The thing is that I have searched my system for xcrkn1.dll but there isn't any file with that name (I can see hidden and system files).

    Everything looks ok until I open Internet Explorer. Then, those entries appear again. But still, I can not find the file xcrkn1.dll.

    I have attached the HJT log, but it should be the same as the previous version.

    Niko
     
  8. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Very strange eh?

    Download and run these four tools. Follow the instructions for using each tool.

    Tool1 Tool2 Tool3 Tool4

    Let me know the results please.

    Regards Howard :)

     
  9. niko

    niko TS Rookie Topic Starter

    No luck :-(

    I tried all of them but no luck :-(

    I have attached the first log in case you see anything strange.

    I have also attached a capture of the funny pop-up window that opens every 3 web pages :) I think it also converts some words into links in the web pages, but I have never clicked on them.

    Any help is welcome!

    Niko
     

  10. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Have HJT fix the following entries in normal mode.

    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos

    R3 - Default URLSearchHook is missing

    O2 - BHO: Class - {27A2C10C-2B21-2E4D-B240-7444E79F4691} - C:\WINDOWS\xcrkn1.dll (file missing)

    Click on the fix checked button, click yes if prompted and close HJT.

    Reboot your system.

    Download Brute Force Uninstaller http://www.merijn.org/files/bfu.zip and unzip it to its own folder (c:\BFU).

    Right click on this link http://metallica.geekstogo.com/EGDACCESS.bfu and choose 'Save As' (or 'Save Target As') in order to download EGDACCESS Remover. Save it in the folder you made earlier (c:\BFU).

    Start the Brute Force Uninstaller by double clicking BFU.exe

    In the scriptline to execute copy and paste c:\bfu\EGDACCESS.bfu
    Press execute and let it do its job.

    Wait for the complete script execution box to popup and press OK.
    Press exit to terminate the BFU program.

    Once that's done, post a fresh HJT log.



    Regards Howard :)
     
  11. niko

    niko TS Rookie Topic Starter

    Still there

    Here you have the fresh HJT log, but it is still there :(

    Btw, thanks for your time ;)

    Any other idea?

    Niko
     
  12. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Try this.

    Open a new text document and copy and paste the info below into it.

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"=""

    Close the text document and select yes when asked to save it.

    Right click on the text document and select rename.

    Click in the name box and clear whatever is there. Rename it to fix.reg and press the enter key. Click yes. Double click on the file and click yes.

    Reboot your computer and post a fresh HJT log.

    Regards Howard :)
     
  13. niko

    niko TS Rookie Topic Starter

    When I double click on fix.reg it says the file is not a registry command sequence. Is the text correct?

    Niko
     
  14. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    That fix was taken from HERE.

    Obviously it doesn't work.

    Apart from those two entries in your HJT log, how is your system running?

    The O2 - BHO: Class - {27A2C10C-2B21-2E4D-B240-7444E79F4691} - C:\WINDOWS\xcrkn1.dll (file missing)
    entry is inactive and shouldn't be causing any problems.

    Regards Howard :)
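Regedit only imports a file whose first line is a version header (`Windows Registry Editor Version 5.00`, or `REGEDIT4` for the older format). The fix.reg text posted earlier in the thread starts directly with the key line, which is consistent with the import error niko reports. The following is an added example, not part of the original posts: a small pre-import check for .reg text. The function names and the line patterns are assumptions, and it handles single-line values only (no multi-line `hex:` continuations).

```python
import re

HEADERS = ("Windows Registry Editor Version 5.00", "REGEDIT4")
# [HKEY_...\sub\key] or [-HKEY_...] for a key deletion.
KEY_LINE = re.compile(r"^\[-?HKEY_[A-Z_]+(?:\\[^\]]*)?\]$")
# "name"=data or @=data, where data is a string, dword, hex or "-" (delete).
QUOTED = r'"(?:[^"\\]|\\.)*"'
VALUE_LINE = re.compile(
    r"^(?:@|%s)=(?:-|%s|dword:[0-9A-Fa-f]{8}|hex(?:\([0-9A-Fa-f]+\))?:.*)$"
    % (QUOTED, QUOTED))

# Constructed sample: the text from the thread, exactly as posted (no header).
POSTED = r"""[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"=""
"""

def check_reg_text(text):
    """Return a list of problems that would stop or confuse a .reg import."""
    lines = [l.strip() for l in text.lstrip("\ufeff").splitlines()]
    problems = []
    if not lines or lines[0] not in HEADERS:
        problems.append("missing header line")
    in_key = False
    for line in lines:
        if not line or line in HEADERS or line.startswith(";"):
            continue                      # blank, header or comment
        if KEY_LINE.match(line):
            in_key = True
        elif VALUE_LINE.match(line):
            if not in_key:
                problems.append("value before any key: " + line)
        else:
            problems.append("unrecognised line: " + line)
    return problems

def add_header(text):
    """Prepend the version 5.00 header and the blank line that follows it."""
    return HEADERS[0] + "\r\n\r\n" + text

if __name__ == "__main__":
    print(check_reg_text(POSTED))              # header problem reported
    print(check_reg_text(add_header(POSTED)))  # no problems left
```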
     
  15. niko

    niko TS Rookie Topic Starter

    My system is running well. The thing is that when I am surfing the internet, this annoying pop-up window opens and some words in the web pages become links as well.

    According to Security Task Manager, xcrkn1.dll is the first on my list with a ratio of 100% of being dangerous. The program is quite explicit...

    Niko
     
  16. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    The problem is I can find very little info for xcrkn1.dll. If you do a Google search, you'll see what I mean.

    HJT says the entry is inactive, hence the file missing entry.

    Why it keeps coming back after it's been fixed I don't know.

    Maybe, Security task manager is giving you a false positive?

    Uninstall Security task manager and see what happens.

    Regards Howard :)
     
  17. niko

    niko TS Rookie Topic Starter

    Yes, you are right, I already did a Google search and that's why I asked in this forum.

    The thing is that this class (xcrkn1.dll) is loaded in Internet Explorer and then the pop-up windows open. I suppose, as any other virus, it changes its name, moves, etc.

    I will keep looking for a solution.

    Thanks a lot for your help and your time ;)

    Niko
     
  18. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Download and install Ewido http://www.ewido.net/en/download/
    Double-click the Ewido icon on your desktop to run it.
    On the top of the main screen click Shield. Click the word active to change it to inactive.
    On the top of the main screen click 'Update'. Then click on 'Start update'. The update will start and a progress bar will show the updates being installed.
    If you are having problems with the updater, you can get the manual update at http://download.ewido.net/ewido-signatures-full-current.exe
    When you have finished updating, exit Ewido.

    Make sure all windows are closed. Run Ewido.
    Click 'Scanner'. Then click 'Complete System Scan' to begin scanning.
    When the scan is complete click 'Recommended Action' and change it to 'Quarantine'.
    Then click 'Apply all actions'.
    Once finished, click the 'Save report' button. Then click 'Save Report As' and save it to your desktop.

    Reboot into normal mode and turn system restore back on.

    Post the Ewido report and a fresh HJT log as attachments.

    Regards Howard :)
     
  19. niko

    niko TS Rookie Topic Starter

    Log

    I have already scanned my system with Ad-aware, Spybot and now with Ewido.

    Attached the log.

    Niko
     
  20. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    You should delete this file.

    C:\WINDOWS\Downloaded Program Files\UERSY_0001_N68M0602NetInstaller.exe

    Regards Howard :)
     
  21. niko

    niko TS Rookie Topic Starter

    Deleted, but it is still there :-(

    Niko
     
  22. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Download The pocket Killbox programme from HERE.

    Extract it to your desktop.

    Run the killbox.exe file. When it loads, type the full path to the file you would like to delete in the field and check the delete file on reboot button. Press the Delete File button (looks like a red circle with a white X). It will prompt you to reboot; select no until you have finished inputting the files you want to delete, only then allow it to reboot and hopefully your files will now be deleted.

    This is the filepath you should input into killbox.

    C:\WINDOWS\Downloaded Program Files\UERSY_0001_N68M0602NetInstaller.exe

    Once your system has rebooted, hopefully the file will be deleted.

    Regards Howard :)
     
  23. niko

    niko TS Rookie Topic Starter

    Sorry, this file:

    C:\WINDOWS\Downloaded Program Files\UERSY_0001_N68M0602NetInstaller.exe

    has already been deleted. I meant xcrkn1.dll is still there.

    Niko
     
  24. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Can you actually find the xcrkn1.dll file on your system anywhere?

    Regards Howard :)
     
  25. niko

    niko TS Rookie Topic Starter

    No, I can not. But even if I fix it with HJT it appears again when I open Internet Explorer.

    I don't really know if there is any relation between this file and the virus/malware/spyware that is opening these pop-ups.

    Regards,

    Niko
     
Topic Status:
Not open for further replies.
