The redirect to the windowsclick.com site is a result of UACd.sys trojan activity. The trojan may represent a security risk for the infected computer and uses rootkit-specific techniques designed to hide its presence in the system.
Once the computer is infected, the UACd.sys trojan blocks access to security websites, and search results in Google, Yahoo, MSN and other search engines redirect you to windowsclick.com and other unrelated sites.
Use the following instructions to remove UACd.sys trojan.
Step 1: Disable UACd.sys trojan driver.
- Right click the My Computer icon. If you are using the non-classic Start menu, right click the My Computer icon in your Start button menu.
- Click Properties.
- Click Hardware Tab.
- Click Device Manager.
- In the top menu, click View and click Show Hidden Drivers.
- Scroll down to non Plug and Play drivers.
- Click + at left.
- In the list of drivers right click UACd.sys.
- Click Disable.
- Click Yes to confirm.
- Close all windows and reboot your computer.
Step 2: Delete UACd.sys trojan driver and malware files.
- Download Avenger from here and unzip to your desktop.
- Run Avenger, then copy and paste the following text into the Input script box:
Drivers to delete:
UACd.sys

Files to delete:
C:\WINDOWS\system32\wJQs.exe
- Then click on ‘Execute’.
- You will be asked “Are you sure you want to execute the current script?”. Click Yes.
- You will now be asked “First step completed — The Avenger has been successfully set up to run on next boot. Reboot now?”. Click Yes.
- Your PC will now be rebooted.
Step 3: Remove UACd.sys trojan files and any associated malware.
- Download Malwarebytes Anti-Malware (MBAM). The program is designed to quickly detect, destroy and prevent malware, spyware and trojans.
- Once downloaded, close all programs and Windows on your computer (including this one).
- Double-click on the icon named mbam-setup.exe to install the application.
- When the installation begins, keep following the prompts in order to continue with the installation process. Do not make any changes to default settings and when the program has finished installing, make sure a checkmark is placed next to Update Malwarebytes’ Anti-Malware and Launch Malwarebytes’ Anti-Malware, then click Finish.
- If an update is found, it will download and install the latest version.
- Once the program has loaded, select “Perform Quick Scan”, then click Scan.
- MBAM will now start scanning your computer for malware. This process may take some time to finish, so please be patient.
- When the scan is complete, click OK, then Show Results to view the results.
- Make sure that everything is checked, and click Remove Selected.
- MBAM will now delete all of the files and registry keys and add them to the quarantine.
- When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.
UACd.sys trojan creates the following files.
%System%\uacinit.dll
%System%\drivers\UAC[RANDOM CHARACTERS].sys
%System%\UAC[RANDOM CHARACTERS].dll
%System%\UAC[RANDOM CHARACTERS].log
%System%\UAC[RANDOM CHARACTERS].dat
%Temp%\tmp[RANDOM NUMBERS].tmp
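A check for the file names listed above, meant to be run over a file listing taken from outside the infected Windows session, since the trojan hides its files from a normal search. This is an added example, not part of the original instructions; reading [RANDOM CHARACTERS] as letters, [RANDOM NUMBERS] as digits, %System% as any system32 folder and %Temp% as any folder named Temp are assumptions, and the sample listing is constructed.

```python
import re

# Paths copied from the list above; the confidence labels are this example's judgment.
INDICATORS = [
    (r"%System%\uacinit.dll", "strong"),
    (r"%System%\drivers\UAC[RANDOM CHARACTERS].sys", "strong"),
    (r"%System%\UAC[RANDOM CHARACTERS].dll", "strong"),
    (r"%System%\UAC[RANDOM CHARACTERS].log", "strong"),
    (r"%System%\UAC[RANDOM CHARACTERS].dat", "strong"),
    (r"%Temp%\tmp[RANDOM NUMBERS].tmp", "weak"),  # generic temp name, also seen on clean systems
]
# Assumptions: random characters are letters, random numbers are digits,
# %System% is any "system32" folder and %Temp% is any folder named "Temp".
PLACEHOLDERS = {"[RANDOM CHARACTERS]": "[A-Za-z]+", "[RANDOM NUMBERS]": "[0-9]+"}
ROOTS = {"%System%": r"(?:.*\\)?system32", "%Temp%": r"(?:.*\\)?temp"}

def compile_indicator(spec):
    """Turn one indicator line from the page into an anchored, case-insensitive regex."""
    root, tail = spec.split("\\", 1)
    pattern = re.escape(tail)
    for token, char_class in PLACEHOLDERS.items():
        pattern = pattern.replace(re.escape(token), char_class)
    return re.compile(ROOTS[root] + r"\\" + pattern + "$", re.IGNORECASE)

COMPILED = [(compile_indicator(spec), spec, conf) for spec, conf in INDICATORS]

def scan_listing(paths):
    """Return (path, matched indicator, confidence) for every listed path that matches."""
    hits = []
    for raw in paths:
        path = raw.strip().replace("/", "\\")
        for regex, spec, conf in COMPILED:
            if regex.match(path):
                hits.append((path, spec, conf))
                break  # report the first matching indicator only
    return hits

# Constructed sample listing, not taken from a real machine.
SAMPLE_LISTING = r"""
C:\WINDOWS\system32\drivers\UACd.sys
C:\WINDOWS\system32\drivers\usbuhci.sys
C:\WINDOWS\system32\uacinit.dll
C:\WINDOWS\system32\UACqwertyui.log
C:\WINDOWS\system32\uxtheme.dll
C:\Documents and Settings\user\Local Settings\Temp\tmp4821.tmp
C:\Documents and Settings\user\Desktop\UACnotes.dat
""".strip().splitlines()

if __name__ == "__main__":
    for path, spec, conf in scan_listing(SAMPLE_LISTING):
        print(f"[{conf}] {path}  (matches {spec})")
```

A "weak" hit on its own is not evidence of infection; treat it as supporting detail only when "strong" hits are also present.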
If you need help with the instructions, then post your questions in our Spyware Removal forum.
Jas, please follow these steps.
Please note in my entry above 10 minutes ago, I did not type the extra backslashes shown, it looks like each time I entered incorrect 4 digit security code the system generated extra characters. Here is what I typed: SUCCESS! REMOVED windowsclick.com (for search engines) I had this virus, and MBAM did identify all the files above, but showing hidden drivers did Not show UACd.sys, or C:\WINDOWS\system32\wJQs.exe (I had set all files inc system and hidden files to be shown). Thanks to Comment by Derek — January 28, 2009 # and PATRICKS’s reply I continued. And also Thanks to ED and FishersFritz.
You have shown how to remove windowsclick.com (for search engines)
this worked like a charm. i can’t thank you enough.
These instructions worked perfectly! I have been trying to get rid of this virus for a few days and finally got rid of it! Thanks a lot!
Thanks sooo much for the simple instructions and your knowledge!!! I had a few issues noted in the comments above: I didn’t need step 1. My computer even appears to be running faster now. It’s great! Now, how do I donate to your site?
THERE ARE THREE DIFFERENT BINARY VERSIONS OF MBAM V1.34 FLOATING AROUND THE NET!!!
BEST TECHIE:
http://www.besttechie.net/tools/mbam-setup.exe
BLEEPING COMPUTER:
http://download.bleepingcomputer.com/malwarebytes/mbam-setup.exe
DOWNLOAD.COM:
http://download.cnet.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html?part=dl-10804572&subj=dl&tag=button
WHO CAN WE TRUST???
MBAM’S WEBSITE LINKS TO DOWNLOAD.COM. THE TWO YOU GIVE ARE LINK TO VERY QUESTIONABLE SITES, AND EACH GIVE A DIFFERENT BINARY, WILL THE REAL MBAM V1.34 PLEASE STAND UP!
All links are ok.
First and second sites are affiliates of Malwarebytes.
Hello,
I did a search for the wjqs.exe file, and the search found it in the system32 folder. So, I ran the script in Avenger and after restart, the Avenger log said that it hadn’t deleted the .exe file because it didn’t exist.
I ran mbam and it found and deleted a few instances of trojan.bho and trojan.agent.
I searched for the wjqs.exe file again, and the search found it in my Local Settings\Temp folder.
Should I change the script to that path to have it delete the file?
Thanks,
Mike
Alright then… here’s my story (Although I didn’t finish reading through the comments above).
I got this virus a few days ago.. well, a week at the most. All it would do (as far as I could see) was redirect the first google result to windowsclick.com, then some random adware site (mostly a fake pornography streaming site). But it was getting very annoying, so I decided I’d follow the steps on here. Step one; Nothing showed up. Step two; Worked.. but then something weird happened, after my PC rebooted, windows was unusually SLOW, VERY VERY, EXTREMELY SLOW. The apps that would open upon windows starting, would take several minutes to appear on my taskbar. Firefox took 20 minutes to open. Websites would take about 5 minutes to load, (Firefox would freeze for long periods of time though) and everything was just very slow. I tried rebooting a few times, things seemed the same. Then I tried installing MBAM, got some errors. Rebooted into safe mode, installed MBAM successfully and scanned. Got 3 malware warnings, successfully deleted. Went back into normal mode, still VERY slow. I’ve been looking around for a while at how to fix this, I see no possible solution. I’m backing up my documents and such, as I will be attempting to reinstall windows… I hope I’ve got all my drivers.
By the way, google no longer redirects to windowsclick.com, so I guess it did fix it in a way :P. Wish me luck!
For the last two days, you are my best company…
No words are enough to show my appreciation of your help.
Your plain guidance and patience helped me to heal my com from this thing.
Send you a sunshine and many many kisses from Greece!
Mike, you can manually remove the file, also you can ask help at our forum.
Daniel, good luck 🙂
Patrik,
Thanks so much for your wonderful help for me and others!
Mike
this was a life saver!!! thanks for your awesome help!!!!
Like others in this thread, I couldn’t get the MBAM program to install. When I first downloaded and then copied mbam from a good pc on to the infected pc desktop, the install file would not even run. I tried a few things and then simply changed the name of the install file by adding a character on to the end of the name, and then ran it again, and it installed the MBAM program on the pc, putting a shortcut on the desktop. Then when I tried to use the shortcut to run MBAM, it would not run the program. Instead of using the shortcut, I went to the \
continued… Instead of using the shortcut on the desktop, I went to the C:\Program Files\Malwarebytes folder, and changed the name of the program file from “mbam” to something else (I used my name). When I tried to run it, it then worked just like STEP 3 said, and ELIMINATED THE VIRUS. The trick I found is to change the names of these files, because the virus must recognize the standard names.
Thanks, Patrick, for the help.
THANK YOU VERY MUCH!!! These directions and links to the programs were awesome. I was getting so annoyed and upset with the windowclick stuff. U are my hero. THANK YOU !!
Is there any other way to remove this UAC infection or to diagnose it.. using command line… since not able to go on internet and not able to use avenger.exe..
it will be Gr8 if you can give some kind of solution for this…. any technical way to use command line to detect uacd.sys infection.
regards
Raj
Without running any tool or any antivirus software, how can I get a list of files that are there in the computer? Some entry in registry or somehow file name on command line.
Thanks.. looking forward to your kind suggestion.
ASAP.
Regards
Raj
Raj, you can use Recovery console for disabling UACd.sys driver. Read more about Recovery console here.
Thank you so much!!! Your easy to follow instructions did it! I did an extensive research online trying to determine how to get rid of this annoying re-direct and your step-2 is what did it! Now even Malwarebytes is back to normal scanning… Thanks for your help!!
Regards,
Alex
You lot are bloody brilliant. I was beginning to lose faith in computer techs in general. Just an aside: people who use these redirects deserve none of anyone’s business, money or time; take note of where you are sent as they are buying into these schemes and are partially to blame.
Thank you again
Thank you so much for your instructions, had to go straight to step 2 then got the ‘blue screen’ with the error message on the first reboot but after the second one was able to use the malware program which I had downloaded earlier. Have now gone straight from Google to here! I am a complete novice on computers and do not have a clue beyond the usual desktop applications so thanks so much for helping me fix this without enlisting outside help!! Fingers crossed I have done it.
Wow – I’m shocked, and lost neither life or limb using the marvelous AVENGER trojan removal tool. Whoever posted these instructions – thank you – I couldn’t figure out what was going on, my PC so slow, the redirects from google etc. Goodness knows what info could have been compromised or stolen or electronic banking done before I figured out what was going on!
Again, my thanks and gratitude.
HELP HELP
Got infected this trojan… I was trying to find out how to get rid of it.
But my PC, DELL, XP won’t even fully start.
Trying to boot in safe mode (F8) only have a normal start.
now booted finally.
Nothing with step1,
Did not find wJQs.exe.
I found UACfreoclbd.sys
Should I remove this one… very suspect since it is a very recent .sys and I haven’t installed anything then.
I searched for UAC*.* files with normal search… could not find them.
Then I downloaded Malwarebytes… and could not install or load it… in a another web site I found the trick. Just rename the installer & also the mbam.exe itself otherwise you won’t get started at all.
Do your scan and now it sees the UAC* files, and a bunch of other nasty stuff by the way.
…. and the miracle happened. GONE !!!
hours lost. GREAT POST !!!
Ray, skip the first step and go to step 2.
Thanks a million,
removing the uacd.sys with Avenger was the key! I regained control over my PC after days of struggling! thanks again.
Greetings from the netherlands
Installed Avira which picked up the files and quarantined them but still had the problem. Then used Avenger as stated in step 2. On restart, Avira automatically stopped and allowed me to delete each file I already had in quarantine. Went to search and all was fine. Rescanned with Avira which found a couple more and quarantined. Thanks.