February 24th, 2009, 07:53 PM
windowsclick.com redirect (UACd.sys.trojan) removal
Windows XP Pro SP2
What you'll need
Windows XP Installation CD
So, my fellow employee in the IT security department had gotten himself infected. Again. This time, his workstation was running like a dog with 3 broken legs, McAfee VShield wasn't scanning anything at all, Spybot S&D wouldn't even start (the TeaTimer Resident starts just fine), and the MalwareBytes Anti-Malware scanner's installation program wouldn't run either. Safe mode did nothing different.
McAfee's On-Demand scanner did find a few trojan files, and one NTOSKRNL hook file, but as soon as those were deleted, the hook file was right back where it was before.
Rootkit Revealer found 3 different hidden registry entries related to UACd (hidden from the Windows API), but of course it had no way of removing those.
Looking on Google, this link (myantispyware.com) came up third, but the initial steps didn't work, due to the fact that the UACd driver didn't show up under "Hidden Drivers" in the Device Manager. Then, another site under myantispyware had a very nice tutorial on using the Windows XP installation CD's Recovery Console to simply list the services and drivers available, and to disable the UACd.sys driver, but for some odd reason, upon searching for the exact same thing in Google when actually cleaning out the machine, the site was no longer there. So, I'm posting about what to do if infected by this particular trojan.
Seemingly random browser redirects to windowsclick.com, especially from search engines such as Yahoo, Google, etc., and from security sites such as Symantec, McAfee, etc. Also, security programs such as firewalls, antivirus, etc. fail to execute.
What to do
Download the Malwarebytes' Anti-Malware (MBAM) scanner, and save the install program on your desktop (or somewhere you'll find it later). Don't bother trying to install it now, because, with this trojan, it won't even get the chance to run. Having the XP installation CD ready, reboot the machine, and stick the CD into the CD drive. You may or may not have to go into the BIOS to tell it to let the CD try to boot before the hard drive. When it asks you to, press any key to reboot using the CD.
You'll next see the usual steps the CD goes through (installing generic drivers, starting Windows, blah blah). Then, when the main menu comes up, press 'R' to boot into the Recovery Console.
You may have to wait a few seconds before it gives you a choice of which Windows installation you want to use the Console on. If you only have one Windows XP installation on the hard drive, press 1, and hit Enter. Otherwise, choose which installation you want to recover, and hit Enter.
It will most likely ask you for an Administrator password (you DO remember the password, don't you?). Type in the password, and hit Enter. The obligatory C:\WINDOWS> prompt should pop up.
First, you want to make sure the UACd.sys driver is even in the system. To do this, type in "listsvc" without the quotes. Hit Enter to scroll page by page until you see UACd.sys in the list. Then, press ESC to stop listing, and go back to the prompt.
Assuming you've seen the UACd.sys driver in the list, you'll type in "DISABLE UACd" at the prompt, and hit Enter. Some gook should come up, admonishing you to take note of the state of the driver, and that the state of the driver has been changed to "System_disabled" or something like that. Take the XP CD out, and reboot the computer.
No safe mode is needed here. Reboot as you would normally, and log in as you would normally. Your antivirus should start scanning (you DO have antivirus installed, right?), indicating a few infected files found in the system (how long has it been since you updated your antivirus definitions?) and you should be able to install MBAM with no problems. Update MBAM, and do a Full Scan. This *should* get rid of all traces of the UACd trojan, but just to be sure, look for, and delete these files if you find them:
%System% is a system variable; it usually means "C:\Windows\System32".
%temp% is also a system variable; you may have to search for this directory.
Last edited by NukEvil; February 24th, 2009 at 07:57 PM.
February 25th, 2009, 04:35 AM
Why would anyone think that they could just "delete" system files?
The best thing to do would be a full REINSTALL and start using the guest account and the policy editor instead of downloading and using multiple antivirus software.
February 25th, 2009, 05:17 PM
True. Problem is, most users have never heard of the policy editor available in XP. It's generally time-consuming if you don't have an image already loaded with the correct policy settings.
Granted, most users will never see, much less be able to operate, the Recovery console as well. But, this particular trojan, while being nearly impossible to delete in normal mode, is easily disabled in the Recovery console, thus turning a 2+ hour process (30+ minutes reinstalling the OS, 30 more minutes to 1 hour updating, service packs, AV definitions, etc.; then another hour, depending, on reloading all the programs/data) to just under 20 minutes (disabling it in recovery mode, rebooting and then scanning and deleting the files involved, then changing all passwords).
March 1st, 2009, 06:16 PM
I had this show up on my computer yesterday; it was easily solved by downloading ComboFix (saving it as fixcombo.exe) and executing it. The windowsclick redirect blocks specifically named EXEs from execution; change their name and they run without problem.
No reinstall, no recovery console, just run a program, reboot, program runs again, done.
March 8th, 2009, 10:56 PM
If your computer is really screwed up!
If your computer is screwed up to the point where you are not able to execute any of the programs suggested, even after renaming... this is what I did, except I skipped step 1 since I didn't have it:
Step 1: Disable UACd.sys trojan driver.
• Right click the My Computer icon. If you are using the non-classic Start menu, then right click the My Computer icon on your Start button menu.
• Click Properties.
• Click Hardware Tab.
• Click Device Manager.
• In the top menu, click View and click Show Hidden Drivers.
• Scroll down to Non-Plug and Play Drivers.
• Click + at left.
• In the list of drivers right click UACd.sys.
• Click Disable.
• Click YES for confirm.
• Close all windows and reboot your computer.
Step 2: Delete UACd.sys trojan driver and malware files.
• Download Avenger from here and unzip to your desktop.
• Run Avenger, then copy and paste the following text in the Input script box:
Drivers to delete:
Files to delete:
Then click on ‘Execute’. When you put the input in, I mean all 4 lines, not just a combination of them.
• You will be asked Are you sure you want to execute the current script?. Click Yes.
• You will now be asked First step completed — The Avenger has been successfully set up to run on next boot. Reboot now?. Click Yes.
• Your PC will now be rebooted.
Step 3: Remove UACd.sys trojan files and any associated malware.
• Download Malwarebytes Anti-Malware (MBAM). The program is designed to quickly detect, destroy and prevent malware, spyware and trojans.
• Once downloaded, close all programs and windows on your computer (including this one).
• Double-click on the icon named mbam-setup.exe to install the application.
• When the installation begins, keep following the prompts in order to continue with the installation process. Do not make any changes to default settings and when the program has finished installing, make sure a checkmark is placed next to Update Malwarebytes’ Anti-Malware and Launch Malwarebytes’ Anti-Malware, then click Finish.
• If an update is found, it will download and install the latest version.
• Once the program has loaded, select “Perform Quick Scan”, then click Scan.
• MBAM will now start scanning your computer for malware. This process may take some time to finish, so please be patient.
• When the scan is complete, click OK, then Show Results to view the results.
• Make sure that everything is checked, and click Remove Selected.
• MBAM will now delete all of the files and registry keys and add them to the quarantine.
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.
UACd.sys trojan creates the following files.
A final note.... to do this, you'll probably need a second computer to download the programs. Email the programs to yourself. If you are using gmail, it will not allow an executable through, even if it is zipped. So, rename the .exe extension to something like .bexe. Then, rename back to .exe when you successfully have these files on the infected computer.
Hope this helps. A real ***** masterminded this one. Wish I would have thought of it first, lol.
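Both NukEvil's and Big T's write-ups hinge on the same thing: UACd registers itself as a driver service and then hides its registry key and file from the normal Windows API, so the live system and the offline Recovery Console listing disagree. The script below is an added example (not from this thread or any of the tools named in it) that automates that cross-view comparison from a live PowerShell session: it walks every driver service the Service Control Manager reports and flags any whose service key or image file cannot be seen through the registry or file system API, plus any whose name matches a watch-list prefix (the `UACd` prefix is the page's own; the list itself is an assumption). A driver hidden from the SCM as well will not appear here at all, which is exactly why the offline `listsvc` check in the Recovery Console remains the authoritative view.

```powershell
# Added example, not part of the original thread. Assumes PowerShell 2.0 or
# later with local administrator rights on the machine being checked.
function Get-SuspiciousDrivers {
    param([string[]]$WatchPrefixes = @('UACd'))   # watch-list is an assumption

    $findings = @()
    foreach ($drv in Get-WmiObject -Class Win32_SystemDriver) {
        $reasons = @()

        # Cross-view check 1: the SCM knows the driver, but the registry API
        # cannot see its service key (what Rootkit Revealer reported for UACd).
        $regKey = Join-Path 'HKLM:\SYSTEM\CurrentControlSet\Services' $drv.Name
        if (-not (Test-Path $regKey)) { $reasons += 'service key hidden from registry API' }

        # Cross-view check 2: the image path the SCM reports is not visible on disk.
        # Normalise the NT-style prefixes XP uses before testing the path.
        $image = $drv.PathName
        if ($image) {
            $image = $image -replace '^\\\?\?\\', ''
            $image = $image -replace '^\\SystemRoot\\', ($env:SystemRoot + '\')
            $image = [Environment]::ExpandEnvironmentVariables($image)
            if (-not (Test-Path $image)) { $reasons += "image not visible: $image" }
        }

        # Name-based check against the watch-list prefixes.
        foreach ($p in $WatchPrefixes) {
            if ($drv.Name -like "$p*") { $reasons += "name matches watch-list prefix $p" }
        }

        if ($reasons.Count -gt 0) {
            $findings += New-Object PSObject -Property @{
                Name      = $drv.Name
                State     = $drv.State
                StartMode = $drv.StartMode
                Path      = $drv.PathName
                Reasons   = ($reasons -join '; ')
            }
        }
    }
    return $findings
}

# Print anything that failed a check; an empty table means no discrepancy was found.
Get-SuspiciousDrivers | Format-Table Name, State, StartMode, Reasons -AutoSize
```

Any hit with a hidden key or invisible image should be confirmed from the Recovery Console (`listsvc`, then `disable <name>`) as the thread describes, since the live view is the one the rootkit is tampering with.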
March 9th, 2009, 01:38 AM
Big T, you forgot to include the URL to this Avenger app.
March 9th, 2009, 09:23 AM
March 9th, 2009, 06:34 PM
FYI - I thought it would be worth mentioning that the UAC driver was not in my list of drivers in the device manager, but Combofix was able to find and clean it up for me.
Originally Posted by big t
March 17th, 2009, 01:21 AM
and it fixed the problem for me. Be patient and save as "combo-fix"
March 17th, 2009, 11:08 AM
Thanks for the links. Bookmarked.
The world is a dangerous place to live; not because of the people who are evil, but because of the people who don't do anything about it.