Help: HJT log file

Status
Not open for further replies.

niko

I have a pop up window annoying me and probably something else. I have attached my HJT log file.

Security Task Manager suspicious files (cannot delete them):
  • xcrkn1.dll
  • pwqn2.exe

Thanks for any help or comment ;-)

Niko
 
Hello and welcome to Techspot.

Download the Pocket Killbox programme from HERE. Extract it but don't run it yet.

You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

Turn off system restore (XP/ME only). See how here: http://www.bleepingcomputer.com/forums/tutorial56.html

Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how here: http://www.bleepingcomputer.com/forums/tutorial61.html

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how here: http://www.bleepingcomputer.com/forums/tutorial62.html

Click start/run and type services.msc into the run box and press the enter key.

When the window appears, maximise it. Double click on the following services (if there) and select stop if they are running. Set the startup type to disabled. Click apply/ok for each service you disable.

LogFlb

Close the services window.

Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

Click on the processes tab and end process for the following (if there).

clock$.exe
pwqn2.exe

Close task manager.

Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to (if there).

R3 - Default URLSearchHook is missing

O2 - BHO: Class - {27A2C10C-2B21-2E4D-B240-7444E79F4691} - C:\WINDOWS\xcrkn1.dll (file missing)

O4 - HKLM\..\Run: [pwqn2.exe] C:\WINDOWS\Temp\pwqn2.exe

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\ARCHIV~1\MSNMES~1\msgrapp.dll" (file missing)

O23 - Service: LogFlb - Unknown owner - \\?\C:\Archivos de programa\Archivos comunes\System\clock$.exe (file missing)

Click on the fix checked button.

Close HJT.

Locate and delete the following bold files and/or directories (if there).

C:\Archivos de programa\Archivos comunes\System\clock$.exe

Run the killbox.exe file. When it loads, type the full path to the file you would like to delete in the field and check the delete file on reboot button. Press the Delete File button (looks like a red circle with a white X). It will prompt you to reboot; select no until you have finished inputting the files you want to delete, and only then allow it to reboot. Hopefully your files will now be deleted.

This is the filepath you need to enter into Killbox.

C:\WINDOWS\Temp\pwqn2.exe

Once your system has rebooted, turn system restore back on.

Post a fresh HJT log and let me know how your system is running.

Regards Howard :wave: :wave:

This thread is for the use of niko only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
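As an added example (not part of the thread and not HJT's own code), here is a small Python triage helper for HJT log lines of the kinds quoted in the instructions above. It splits each line into its section (R3, O2, O4, O18, O23), any CLSID, any file path and the "(file missing)" marker, and then notes the points a responder looks at: orphaned entries whose file is gone from disk, autoruns launched from a Temp directory, and services with an unknown owner. The sample input is the thread's own entries, embedded as a constructed list so the script runs offline.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input: the HJT entries quoted in the thread above.
SAMPLE_HJT_LINES = [
    "R3 - Default URLSearchHook is missing",
    "O2 - BHO: Class - {27A2C10C-2B21-2E4D-B240-7444E79F4691} - C:\\WINDOWS\\xcrkn1.dll (file missing)",
    "O4 - HKLM\\..\\Run: [pwqn2.exe] C:\\WINDOWS\\Temp\\pwqn2.exe",
    'O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\\ARCHIV~1\\MSNMES~1\\msgrapp.dll" (file missing)',
    "O23 - Service: LogFlb - Unknown owner - \\\\?\\C:\\Archivos de programa\\Archivos comunes\\System\\clock$.exe (file missing)",
]

# A GUID in braces, as HJT prints BHO and protocol handler class ids.
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# A drive-letter path, optionally behind the \\?\ prefix HJT shows for some services;
# capture stops at a closing quote or at the "(file missing)" marker.
PATH_RE = re.compile(r'(?:\\\\\?\\)?([A-Za-z]:\\[^"(]*)')


@dataclass
class HjtEntry:
    section: str          # R0, R3, O2, O4, O18, O23, ...
    raw: str
    name: Optional[str]   # autorun value name, service name or protocol name, where the section has one
    clsid: Optional[str]
    path: Optional[str]
    file_missing: bool


def parse_hjt_line(line: str) -> HjtEntry:
    """Break one HJT log line into the fields a responder compares against the rest of the log."""
    line = line.strip()
    section = line.split(" - ", 1)[0]
    file_missing = line.endswith("(file missing)")
    m = CLSID_RE.search(line)
    clsid = m.group(0) if m else None
    m = PATH_RE.search(line)
    path = m.group(1).strip() if m else None
    if section == "O4":
        m = re.search(r"\[([^\]]+)\]", line)          # [value name] of the Run entry
    elif section == "O23":
        m = re.match(r"O23 - Service: (.+?) - ", line)  # service name
    elif section == "O18":
        m = re.match(r"O18 - Protocol: (\S+) - ", line) # protocol scheme
    else:
        m = None
    name = m.group(1) if m else None
    return HjtEntry(section, line, name, clsid, path, file_missing)


def parse_hjt_log(lines) -> List[HjtEntry]:
    return [parse_hjt_line(l) for l in lines if " - " in l]


def findings(entry: HjtEntry) -> List[str]:
    """Defender-side notes for one entry; an empty list means nothing stood out."""
    notes = []
    if entry.file_missing:
        notes.append("orphaned entry: the referenced file is not on disk; if it returns after being fixed, "
                     "something is recreating it")
    if entry.section == "R3" and "missing" in entry.raw:
        notes.append("default URLSearchHook missing: IE's default search hook has been removed")
    if entry.section == "O4" and entry.path and "\\temp\\" in entry.path.lower():
        notes.append("autorun launched from a temp directory: legitimate software rarely does this")
    if entry.section == "O23" and "Unknown owner" in entry.raw:
        notes.append("service with unknown owner: no vendor information for the service binary")
    return notes


if __name__ == "__main__":
    for e in parse_hjt_log(SAMPLE_HJT_LINES):
        print(f"{e.section:<4} name={e.name!r} clsid={e.clsid} path={e.path!r} missing={e.file_missing}")
        for note in findings(e):
            print("     -", note)
```

Running the script prints one line per entry followed by its notes; in the thread, the O2 entry keeps coming back as "(file missing)", which the first note describes: the registry reference is being recreated while the DLL itself is never found on disk.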
 
Thanks

Thanks a lot Howard :) It seems perfect now. Anyway I post the fresh HJT log so you can confirm it.

Really appreciated your help ;-)

Niko
 
Well done, your HJT log is now clean.

If you have any further virus/spyware problems, please post in this thread.

Regards Howard :)

This thread is for the use of niko only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
xcrkn1.dll is back :-(

Hi Howard,

After I open Internet Explorer this file (xcrkn1.dll) appears again :-(

I have posted the HJT log. Any idea?

Thanks

Niko
 
You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

Turn off system restore (XP/ME only). See how here: http://www.bleepingcomputer.com/forums/tutorial56.html

Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how here: http://www.bleepingcomputer.com/forums/tutorial61.html

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how here: http://www.bleepingcomputer.com/forums/tutorial62.html

Have HJT fix these two entries.

R3 - Default URLSearchHook is missing

O2 - BHO: Class - {27A2C10C-2B21-2E4D-B240-7444E79F4691} - C:\WINDOWS\xcrkn1.dll (file missing)

Click the fix checked button.

Close HJT.

Run the killbox.exe file. When it loads, type the full path to the file you would like to delete in the field and check the delete file on reboot button. Press the Delete File button (looks like a red circle with a white X). It will prompt you to reboot; select no until you have finished inputting the files you want to delete, and only then allow it to reboot. Hopefully your files will now be deleted.

This is the filepath you need to enter into killbox.

C:\WINDOWS\xcrkn1.dll

Once your system has rebooted, turn system restore back on.

Search your system for xcrkn1.dll and let me know if and where you find it.

Regards Howard :)
 
Same happening

In safe mode I fix those two entries and then with Killbox I try to delete the file, but when it is going to restart, Killbox shows me this message: "PendingFileRenameOperations Registry Data has been Removed by External Process!"

The thing is that I have searched my system for xcrkn1.dll but there isn't any file with that name (I can see hidden and system files).

Everything looks ok until I open Internet Explorer. Then, those entries appear again. But still, I cannot find the file xcrkn1.dll.

I have attached the HJT log, but it should be the same as the previous version.

Niko
 
Very strange eh?

Download and run these four tools. Follow the instructions for using each tool.

Tool1 Tool2 Tool3 Tool4

Let me know the results please.

Regards Howard :)

This thread is for the use of niko only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
No luck :-(

I tried all of them but no luck :-(

I have attached the first log in case you see anything strange.

I also have attached the capture of the funny pop-up window that opens every 3 web pages :) I think it also converts some words in links in the web pages, but I have never clicked on them.

Any help is welcome!

Niko
 
Attachment: Picture0001.png (18.6 KB)
 
Have HJT fix the following entries in normal mode.

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos

R3 - Default URLSearchHook is missing

O2 - BHO: Class - {27A2C10C-2B21-2E4D-B240-7444E79F4691} - C:\WINDOWS\xcrkn1.dll (file missing)

Click on the fix checked button, click yes if prompted and close HJT.

Reboot your system.

Download Brute Force Uninstaller http://www.merijn.org/files/bfu.zip and unzip it to its own folder (c:\BFU).

Right click on this link http://metallica.geekstogo.com/EGDACCESS.bfu and choose 'Save As' (or 'Save Target As') in order to download EGDACCESS Remover. Save it in the folder you made earlier (c:\BFU).

Start the Brute Force Uninstaller by double clicking BFU.exe.

In the scriptline to execute copy and paste c:\bfu\EGDACCESS.bfu
Press execute and let it do its job.

Wait for the complete script execution box to popup and press OK.
Press exit to terminate the BFU program.

Once that's done, post a fresh HJT log.

Regards Howard :)
 
Still there

Here you have the fresh HJT log, but it is still there :(

Btw, thanks for your time ;)

Any other idea?

Niko
 
Try this.

Open a new text document and copy and paste the info below into it.

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"=""

Close the text document and select yes when asked to save it.

Right click on the text document and select rename.

Click in the name box and clear whatever is there. Rename it to fix.reg and press the enter key. Click yes. Double click on the file and click yes.

Reboot your computer and post a fresh HJT log.

Regards Howard :)
 
When I double click on fix.reg, it says the file is not a registry command sequence. Is the text correct?

Niko
 
That fix was taken from HERE.

Obviously it doesn't work.

Apart from those two entries in your HJT log, how is your system running?

The O2 - BHO: Class - {27A2C10C-2B21-2E4D-B240-7444E79F4691} - C:\WINDOWS\xcrkn1.dll (file missing) entry is inactive and shouldn't be causing any problems.

Regards Howard :)
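The two-line fix.reg in the earlier post and the "not a registry command sequence" error in the reply are connected: regedit only imports a file whose first line is the header "Windows Registry Editor Version 5.00" (or "REGEDIT4" in the older format), and the snippet as posted has no header. As an added example (not from the thread or from any tool it names), the Python below builds the same key and value with the header regedit requires and validates a .reg text before it is handed to regedit; the thread's snippet is embedded as constructed input to show the failing case.

```python
import re

# Header regedit expects on the first line. REGEDIT4 is the older (Windows 9x/NT4) form and is still accepted.
REG_HEADER = "Windows Registry Editor Version 5.00"
ACCEPTED_HEADERS = (REG_HEADER, "REGEDIT4")

# Constructed input: the fix.reg contents exactly as posted above, which lack the header line.
THREAD_SNIPPET = (
    "[HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\URLSearchHooks]\r\n"
    '"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"=""\r\n'
)

KEY_RE = re.compile(r"^\[(-?)(HK(?:EY_)?[A-Z_]+(?:\\[^\]]+)?)\]$")   # [HKEY_...\Path] or [-HKEY_...] for delete
VALUE_RE = re.compile(r'^(@|"[^"]+")=(".*"|-|dword:[0-9a-fA-F]{8}|hex(?:\([0-9a-fA-F]+\))?:.*)$')


def build_reg_script(keys: dict) -> str:
    """Render {key_path: {value_name: string_data}} as a .reg file with the header and blank line regedit expects."""
    lines = [REG_HEADER, ""]
    for key, values in keys.items():
        lines.append(f"[{key}]")
        for name, data in values.items():
            lines.append(f'"{name}"="{data}"')
        lines.append("")
    return "\r\n".join(lines)


def validate_reg_script(text: str) -> list:
    """Return a list of problems regedit would choke on; an empty list means the file should import."""
    errors = []
    lines = text.replace("\r\n", "\n").split("\n")
    has_header = bool(lines) and lines[0].strip() in ACCEPTED_HEADERS
    if not has_header:
        errors.append("missing header line: regedit reports the file is not a registry script")
    in_key = False
    for n, line in enumerate(lines[1:] if has_header else lines, start=2 if has_header else 1):
        s = line.strip()
        if not s or s.startswith(";"):
            continue
        if s.startswith("["):
            if not KEY_RE.match(s):
                errors.append(f"line {n}: malformed key line {s!r}")
            in_key = True
        elif VALUE_RE.match(s):
            if not in_key:
                errors.append(f"line {n}: value line appears before any [key] line")
        else:
            errors.append(f"line {n}: unrecognised line {s!r}")
    return errors


def corrected_thread_fix() -> str:
    """The thread's URLSearchHooks fix, rebuilt with the header in place."""
    return build_reg_script({
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\URLSearchHooks": {
            "{CFBFAE00-17A6-11D0-99CB-00C04FD64497}": "",
        },
    })


if __name__ == "__main__":
    print("as posted:", validate_reg_script(THREAD_SNIPPET))
    print("corrected:", validate_reg_script(corrected_thread_fix()))
    print(corrected_thread_fix())
```

The validator is deliberately strict about what it accepts (plain string, dword, hex and delete forms only), so a line it rejects is worth a second look before the file is double-clicked on a machine you are cleaning.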
 
My system is running well. The thing is that when I am surfing the internet, this annoying pop-up window opens and some words in the web pages become links as well.

According to Security Task Manager, xcrkn1.dll is the first on my list with a ratio of 100% of being dangerous. The program is quite explicit...

Niko
 
The problem is I can find very little info for xcrkn1.dll. If you do a Google search, you'll see what I mean.

HJT says the entry is inactive, hence the file missing entry.

Why it keeps coming back after it's been fixed I don't know.

Maybe Security Task Manager is giving you a false positive?

Uninstall Security Task Manager and see what happens.

Regards Howard :)
 
Yes, you are right. I already did a Google search, and that's why I asked in this forum.

The thing is that this class (xcrkn1.dll) is loaded in Internet Explorer and then the pop-up windows open. I suppose, as any other virus, it changes its name, moves, etc.

I will keep looking for a solution.

Thanks a lot for your help and your time ;)

Niko
 
Download and install Ewido http://www.ewido.net/en/download/
Double-click the Ewido icon on your desktop to run it.
On the top of the main screen click Shield. Click the word active to change it to inactive.
On the top of the main screen click 'Update'. Then click on 'Start update'. The update will start and a progress bar will show the updates being installed.
If you are having problems with the updater, you can get the manual update at http://download.ewido.net/ewido-signatures-full-current.exe
When you have finished updating, exit Ewido.

Make sure all windows are closed. Run Ewido.
Click 'Scanner'. Then click 'Complete System Scan' to begin scanning.
When the scan is complete click 'Recommended Action' and change it to 'Quarantine'.
Then click 'Apply all actions'.
Once finished, click the 'Save report' button. Then click 'Save Report As' and save it to your desktop.

Reboot into normal mode and turn system restore back on.

Post the Ewido report and a fresh HJT log as attachments.

Regards Howard :)
 
Log

I have already scanned my system with Ad-aware, Spybot and now with Ewido.

Attached the log.

Niko
 
Download the Pocket Killbox programme from HERE.

Extract it to your desktop.

Run the killbox.exe file. When it loads, type the full path to the file you would like to delete in the field and check the delete file on reboot button. Press the Delete File button (looks like a red circle with a white X). It will prompt you to reboot; select no until you have finished inputting the files you want to delete, and only then allow it to reboot. Hopefully your files will now be deleted.

This is the filepath you should input into killbox.

C:\WINDOWS\Downloaded Program Files\UERSY_0001_N68M0602NetInstaller.exe

Once your system has rebooted, hopefully the file will be deleted.

Regards Howard :)
 
Sorry, this file:

C:\WINDOWS\Downloaded Program Files\UERSY_0001_N68M0602NetInstaller.exe

has already been deleted. I meant xcrkn1.dll is still there.

Niko
 
No, I cannot. But even if I fix it with HJT it appears again when I open Internet Explorer.

I don't really know if there is any relation between this file and the virus/malware/spyware that is opening these pop-ups.

Regards,

Niko
 