
ntoskrnl-hook and stuff? [Moved]


  • This topic is locked
3 replies to this topic

#1 RikCab

Posted 07 August 2009 - 09:49 PM

Hi,

My first time ever getting something I shouldn't have gotten, lol! Hope you can help. I clicked on a link to a web page, that I shouldn't have and got a popup saying I needed to update my Adobe. It looked good and I clicked away, thinking all was ok! When I did that another popup came and said I may be infected and it wanted me to click on their link, which of course I didn't! Instead I tried closing the windows, even with Ctrl-Alt-Del, it wouldn't let me. Then upon returning to my desktop, McAfee said something was trying to access and if I wanted to allow. Again, I said NO! The only way out seemed to reboot, which took some time to shutdown. When the system came back on I got a window saying Google installer had a problem and had to close, never had that before. It did have a "more info" link, which I clicked and a new window opened up saying something about UACD.SYS & WJQS.EXE! I knew I had a problem. After running McAfee, it said something about NTOSKRNL-HOOK and Generic RootKit.d!RootKit. Needless to say it didn't clean it and that started my online search. I would continue to get that popup, about Google Installer needing to close. Also when I did a search and would click on a link I would get the "WindowsClick" and was redirected to another web page.

Ok, try to make it short now, :thumbsup: I know a little about computing and tried a lot, nothing seemed to help until I read here and ran ComboFix, it seemed to work! Had to note some files: "UAC******.dll", one "UAC******.dat", and another "Service_Uac.sys" ("*" equals random letters). I also ran Kaspersky Online Scan 7.0 and my McAfee again. Everything seems great; system is running normal and no more redirecting. Also, the two files listed in the Registry, "UACD.SYS" and "WJQS.EXE", are both gone. Also, one of the programs, not sure which, had placed those files I had to write down into a folder called C:\Qoobox\Quarantine.

I have the log file from ComboFix; I was hoping that someone could check it for me. Also, I was hoping to be able to just delete the whole directory "C:\Qoobox\", not sure if that is acceptable. I read here a lot about different things I needed to do, it was also very helpful and informative. The firewall setting, the privacy setting, disabling the restore point before doing all this stuff. You guys are really great! I started out in the old days with my Commodore Vic-20; things have come a long way!

I know I should have talked with you guys before doing everything on my own. But I don't save any passwords on my computer and didn't want to take a chance accessing my email until I believed I was clean. So I couldn't join without opening my email. Also, I'm hoping that this Malware wasn't able to fully install, because I rebooted the system without clicking and I kept getting that Google Installer popup. Well that's it, I'll post the log file as soon as I am directed to!

Again, thank you guys so very much for being here and taking the time to help us less understanding people. I look forward to hearing back from you, have a great night.

Rik

#2 Orange Blossom

  • Moderator
Posted 07 August 2009 - 10:41 PM

As no logs have been posted, I am shifting this topic from the specialized HiJack This forum to the Am I Infected forum.

==>PLEASE DO NOT NOW POST LOGS<== unless a log is specifically requested.

Please follow the instructions in ==>This Guide<==.

Once the proper logs are created, then make a NEW TOPIC and post it ==>HERE<==

If you cannot produce the DDS logs, then post back here and we will provide you with further instructions.

Please do not post the Combofix log, but do keep it if your HJT Helper asks for it later.

Orange Blossom :thumbsup:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Internet Security, NoScript Firefox ext.

#3 RikCab

  • Topic Starter
Posted 08 August 2009 - 03:31 PM

Thanks Blossom, will do! :thumbsup:

#4 Orange Blossom

  • Moderator
Posted 09 August 2009 - 01:07 AM

Hello RikCab,

Good job getting the logs posted here: http://www.bleepingcomputer.com/forums/t/248008/ntoskrnl-hook-uacdsys-wjqsexe-generic-rootkitdrootkit/

Now comes the hard part - waiting for the response which can take quite a while.

Now that you have a log posted, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a HJT Team member, nor should you ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

From this point on the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the HJT Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

Please be patient. It may take several days, perhaps less, to get a response but your log will be reviewed and answered as soon as possible. I advise checking your topic once a day for responses.

To avoid confusion, I am closing this topic. Good luck with your log.

The BC Staff