
Thread: windowsclick.com redirect (UACd.sys.trojan) removal


  1. #1
    Banned
    Join Date
    Jan 2008
    Posts
    605
    Why would anyone think that they could just "delete" system files?

    The best thing to do would be a full REINSTALL and start using the guest account and the policy editor instead of downloading and using multiple antivirus software.

  2. #2
    True. Problem is, most users have never heard of the policy editor available in XP. It's generally time-consuming if you don't have an image already loaded with the correct policy settings.

    Granted, most users will never see, much less be able to operate, the Recovery console as well. But, this particular trojan, while being nearly impossible to delete in normal mode, is easily disabled in the Recovery console, thus turning a 2+ hour process (30+ minutes reinstalling the OS, 30 more minutes to 1 hour updating, service packs, AV definitions, etc.; then another hour, depending, on reloading all the programs/data) to just under 20 minutes (disabling it in recovery mode, rebooting and then scanning and deleting the files involved, then changing all passwords).

  3. #3
    Junior Member
    Join Date
    Mar 2009
    Posts
    1
    I had this show up on my computer yesterday; it was easily solved by downloading combofix (saving it as fixcombo.exe) and executing it. windowsclick redirect blocks specifically named EXEs from execution; change their name and they run without problem.

    No reinstall, no recovery console, just run a program, reboot, program runs again, done.

  4. #4
    Junior Member
    Join Date
    Mar 2009
    Posts
    1

    if your computer is really screwed up!

    If your computer is screwed up to the point where you are not able to execute any of the programs suggested, even after renaming.... this is what I did, except I skipped step 1 since I didn't have it:

    Step 1: Disable UACd.sys trojan driver.
    • Right click the My computer icon. If you are using the non classic Start menu, then right click My computer icon on your Start button menu.
    • Click Properties.
    • Click Hardware Tab.
    • Click Device Manager.
    • In the top menu, click View and click Show Hidden Drivers.
    • Scroll down to non Plug and Play drivers.
    • Click + at left.
    • In the list of drivers right click UACd.sys.
    • Click Disable.
    • Click YES for confirm.
    • Close all windows and reboot your computer.

    Step 2: Delete UACd.sys trojan driver and malware files.
    • Download Avenger from here and unzip to your desktop.
    • Run Avenger, copy, then paste the following text in the Input script box:

    Drivers to delete:
    UACd.sys

    Files to delete:
    C:\WINDOWS\system32\wJQs.exe

    Then click on ‘Execute’. When you put the input in, I mean all 4 lines, not just a combination of them.

    • You will be asked Are you sure you want to execute the current script?. Click Yes.
    • You will now be asked First step completed — The Avenger has been successfully set up to run on next boot. Reboot now?. Click Yes.
    • Your PC will now be rebooted.


    Step 3: Remove UACd.sys trojan files and any associated malware.
    • Download Malwarebytes Anti-Malware (MBAM). The program is designed to quickly detect, destroy and prevent malware, spyware and trojans.
    • Once downloaded, close all programs and Windows on your computer (including this one).
    • Double-click on the icon named mbam-setup.exe to install the application.
    • When the installation begins, keep following the prompts in order to continue with the installation process. Do not make any changes to default settings and when the program has finished installing, make sure a checkmark is placed next to Update Malwarebytes’ Anti-Malware and Launch Malwarebytes’ Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select “Perform Quick Scan”, then click Scan.
    • MBAM will now start scanning your computer for malware. This process may take some time to finish, so please be patient.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • MBAM will now delete all of the files and registry keys and add them to the quarantine.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.
    UACd.sys trojan creates the following files.
    %System%\uacinit.dll
    %System%\drivers\UAC[RANDOM CHARACTERS].sys
    %System%\UAC[RANDOM CHARACTERS].dll
    %System%\UAC[RANDOM CHARACTERS].log
    %System%\UAC[RANDOM CHARACTERS].dat
    %Temp%\tmp[RANDOM NUMBERS].tmp



    A final note.... to do this, you'll probably need a second computer to download the programs. Email the programs to yourself. If you are using gmail, it will not allow an executable through, even if it is zipped. So, rename the .exe extension to something like .bexe. Then, rename back to .exe when you successfully have these files on the infected computer.

    Hope this helps. A real ***** masterminded this one. Wish I would have thought of it first, lol.
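    The steps above amount to two checks: are the UAC* files the post lists present under %System%, and is a UAC* kernel driver still registered to load (Device Manager's "Disable" in Step 1 sets the service's Start value to 4). The following is an added example, not code from the thread, that runs those checks offline over a constructed file listing and a constructed dictionary standing in for HKLM\SYSTEM\CurrentControlSet\Services; the C:\WINDOWS\system32 layout is an assumed XP default.

```python
import re
from pathlib import PureWindowsPath

# Added example, not from the thread: flags the file names the post above lists
# for UACd.sys and checks the Services registry view of the driver. Directory
# layout is an assumed XP default; sample data below is constructed.
SYSTEM_DIR = PureWindowsPath(r"C:\WINDOWS\system32")
UAC_NAME = re.compile(r"^uac[a-z0-9]+\.(sys|dll|log|dat)$", re.IGNORECASE)
SERVICE_KERNEL_DRIVER = 1   # registry Type value for a kernel-mode driver
SERVICE_DISABLED = 4        # Start value that Device Manager's "Disable" sets

def classify_file(path_str):
    """Return a reason string if the path matches a UACd drop location, else None."""
    p = PureWindowsPath(path_str)            # equality here is case-insensitive
    if p.parent == SYSTEM_DIR and p.name.lower() == "uacinit.dll":
        return "uacinit.dll in %System%"
    if p.parent == SYSTEM_DIR / "drivers" and UAC_NAME.match(p.name) and p.suffix.lower() == ".sys":
        return "UAC<random>.sys in %System%\\drivers"
    if p.parent == SYSTEM_DIR and UAC_NAME.match(p.name) and p.suffix.lower() != ".sys":
        return "UAC<random>.dll/.log/.dat in %System%"
    return None

def classify_driver(service_name, record):
    # Report a UAC* kernel driver service and whether it is still set to load.
    image = PureWindowsPath(record.get("ImagePath", "")).name
    if record.get("Type") == SERVICE_KERNEL_DRIVER and UAC_NAME.match(image):
        state = "disabled" if record.get("Start") == SERVICE_DISABLED else "ACTIVE"
        return f"{service_name} -> {image} ({state})"
    return None

def hunt(paths, services):
    # Returns {'files': [(path, reason)], 'drivers': [report]} for the inventory.
    files = [(p, r) for p in paths if (r := classify_file(p))]
    drivers = [h for s, rec in services.items() if (h := classify_driver(s, rec))]
    return {"files": files, "drivers": drivers}

# Constructed inventory shaped like the listing in the post; not real IoCs.
SAMPLE_PATHS = [
    r"C:\WINDOWS\system32\uacinit.dll",
    r"C:\WINDOWS\system32\drivers\UACd.sys",
    r"C:\WINDOWS\system32\UACq1w2.log",
    r"C:\WINDOWS\system32\drivers\UACabc.dll",   # wrong dir for a .dll: not flagged
    r"C:\WINDOWS\system32\kernel32.dll",
]
SAMPLE_SERVICES = {
    "UACd.sys": {"Type": 1, "Start": 1, "ImagePath": r"\systemroot\system32\drivers\UACd.sys"},
    "Beep": {"Type": 1, "Start": 1, "ImagePath": r"\SystemRoot\System32\Drivers\Beep.sys"},
}

if __name__ == "__main__":
    for kind, hits in hunt(SAMPLE_PATHS, SAMPLE_SERVICES).items():
        print(kind, hits)
```

    On a real host the two inputs would come from a directory walk of %System% and from the Services key; a driver reported as ACTIVE is what Step 1 is meant to turn into "disabled" before the files are removed.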

  5. #5
    Junior Member
    Join Date
    Mar 2009
    Posts
    1
    Quote Originally Posted by big t View Post
    If your computer is screwed up to the point where you are not able to execute any of the programs suggested, even after renaming.... this is what I did, except I skipped step 1 since I didn't have it:

    Step 1: Disable UACd.sys trojan driver.
    FYI - I thought it would be worth mentioning that the UAC driver was not in my list of drivers in the device manager, but Combofix was able to find and clean it up for me.
