February 24th, 2009, 06:53 PM
windowsclick.com redirect (UACd.sys.trojan) removal
Windows XP Pro SP2
What you'll need
Windows XP Installation CD
So, my fellow employee in the IT security department had gotten himself infected. Again. This time, his workstation was running like a dog with 3 broken legs, McAffee VShield wasn't scanning anything at all; Spybot S&D wouldn't even start (the TeaTimer Resident starts just fine), and the MalwareBytes AntiMalware scanner's installation program wouldn't even run as well. Safe mode did nothing different.
McAffee's On-Demand scanner did find a few trojan files, and one NTOSKRNL hook file, but as soon as those were deleted, the hook file was right back where it was before.
Rootkit Revealer found 3 different hidden registry entries related to UACd (hidden from Windows API), but if course it had no way of removing those.
Looking on Google, this link (myantispyware.com) came up third, but the initial steps didn't work, due to the fact that the UACd driver didn't show up under "Hidden Drivers" in the Device Manager. Then, another site under myantispyware had a very nice tutorial on using the Windows XP installation CD's Recovery Console to simply list the services and drivers available, and to disable the UACd.sys driver, but for some odd reason, upon searching for the exact same thing in Google when actually cleaning out the machine, the site was no longer there. So, I'm posting about what to do if infected by this particular trojan.
Seemingly random browser redirects to windowsclick.com, especially from search engines such as Yahoo, Google, etc., and from security sites such as Symantec, McAffee, etc. Also, Security programs such as firewalls, antivirus... fail to execute.
What to do
Download MalwareByte's Anti-Malware (MBAM) scanner, and save the install program on your desktop (or somewhere you'll find it later). Don't bother trying to install it now, because, with this trojan, it won't even get the chance to run. Having the XP installation CD ready, reboot the machine, stick the CD into the CD drive. You may or may not have to go into the BIOS to tell it to let the CD try to boot before the harddrive. When it asks you to, press any key to reboot using the CD.
You'll next see the usual steps the CD goes through (installing generic drivers, starting windows, blah blah). Then, when the main menu comes up, press 'R' to boot into the Recovery Console.
You may have to wait a few seconds before it gives you a choice of which windows installation you want to use the Console on. If you only have one Windows XP installation on the harddrive, press 1, and hit enter. Otherwise, choose which installation you want to recover, and hit enter.
It will most likely ask you for an Administrator password (you DO remember the password, don't you?). Type in the password, and hit Enter. The obligatory C:>WINDOWS prompt should pop up.
First, you want to make sure the UACd.sys driver is even in the system. To do this, type in "listsvc" without the quotes. Hit Enter to scroll page by page until you see UACD.sys in the list. Then, press ESC to stop listing, and go back to the prompt.
Assuming you've seen the UACd.sys driver in the list, you'll type in "DISABLE UACd" at the prompt, and hit Enter. Some gook should come up, admonishing you to take note of the state of the driver, and that the state of the driver has been changed to "System_disabled" or something like that. Take the XP CD out, and reboot the computer.
No safe mode is needed here. Reboot as you would normally, and log in as you would normally. Your antivirus should start scanning (you DO have antivirus installed, right?), indicating a few infected files found in the system (how long has it been since you updated your antivirus definitions?) and you should be able to install MBAM with no problems. Update MBAM, and do a Full Scan. This *should* get rid of all traces of the UACd trojan, but just to be sure, look for, and delete these files if you find them:
%System% is a system variable, it usually means "C:\Windows\System32".
%temp% is also a system variable, you may have to search for this directory.
Last edited by NukEvil; February 24th, 2009 at 06:57 PM.
By CyberB0b in forum The Security Tutorials Forum
Last Post: August 15th, 2008, 11:07 AM
By cheyenne1212 in forum Microsoft Security Discussions
Last Post: July 24th, 2007, 03:30 PM
By alakhiyar in forum The Security Tutorials Forum
Last Post: December 17th, 2006, 10:31 AM
By Kamikaze Badger in forum The Security Tutorials Forum
Last Post: August 18th, 2004, 10:01 PM
By khakisrule in forum The Security Tutorials Forum
Last Post: July 10th, 2002, 02:34 PM