Redirection to the windowsclick.com site is a result of UACd.sys trojan activity. The trojan horse may represent a security risk for the infected computer and uses rootkit-specific techniques designed to hide its presence in the system.
Once the computer is infected, the UACd.sys trojan blocks user access to security websites, and search results in Google, Yahoo, MSN and other search engines redirect you to windowsclick.com and other unrelated sites.
Use the following instructions to remove the UACd.sys trojan.
Step 1: Disable UACd.sys trojan driver.
- Right click the My computer icon. If you are using the non classic Start menu, then right click My computer icon on your Start button menu.
- Click Properties.
- Click Hardware Tab.
- Click Device Manager.
- In the top menu, click View and click Show Hidden Drivers.
- Scroll down to non Plug and Play drivers.
- Click + at left.
- In the list of drivers right click UACd.sys.
- Click Disable.
- Click Yes to confirm.
- Close all windows and reboot your computer.
Step 2: Delete UACd.sys trojan driver and malware files.
- Download Avenger from here and unzip to your desktop.
- Run Avenger, copy, then paste the following text in the Input script box:
Drivers to delete:
UACd.sys

Files to delete:
C:\WINDOWS\system32\wJQs.exe
Then click on ‘Execute’.
- You will be asked “Are you sure you want to execute the current script?”. Click Yes.
- You will now be asked “First step completed — The Avenger has been successfully set up to run on next boot. Reboot now?”. Click Yes.
- Your PC will now be rebooted.
Step 3: Remove UACd.sys trojan files and any associated malware.
- Download Malwarebytes Anti-Malware (MBAM). The program is designed to quickly detect, destroy and prevent malware, spyware and trojans.
- Once downloaded, close all programs and windows on your computer (including this one).
- Double-click on the icon named mbam-setup.exe to install the application.
- When the installation begins, keep following the prompts in order to continue with the installation process. Do not make any changes to default settings and when the program has finished installing, make sure a checkmark is placed next to Update Malwarebytes’ Anti-Malware and Launch Malwarebytes’ Anti-Malware, then click Finish.
- If an update is found, it will download and install the latest version.
- Once the program has loaded, select “Perform Quick Scan”, then click Scan.
- MBAM will now start scanning your computer for malware. This process may take some time to finish, so please be patient.
- When the scan is complete, click OK, then Show Results to view the results.
- Make sure that everything is checked, and click Remove Selected.
- MBAM will now delete all of the files and registry keys and add them to the quarantine.
- When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.
The UACd.sys trojan creates the following files:
%System%\uacinit.dll
%System%\drivers\UAC[RANDOM CHARACTERS].sys
%System%\UAC[RANDOM CHARACTERS].dll
%System%\UAC[RANDOM CHARACTERS].log
%System%\UAC[RANDOM CHARACTERS].dat
%Temp%\tmp[RANDOM NUMBERS].tmp
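The file-name patterns listed above can be matched against a directory listing. The following Python sketch is an added example, not part of the original instructions or of any tool named here. It assumes a `dir /s /b` style listing, ideally captured while the infected Windows is not running since the trojan hides its files, and its rule labels, function names and sample paths are constructed for illustration.

```python
import re
from pathlib import PureWindowsPath

# (label, trailing directory components, file-name regex, confidence).
# Assumptions: "[RANDOM CHARACTERS]" = letters/digits, "[RANDOM NUMBERS]" =
# digits, %System% ends in system32, %Temp% ends in a directory named Temp.
RULES = [
    ("uacinit.dll", ("system32",), r"uacinit\.dll", "high"),
    ("UAC driver", ("system32", "drivers"), r"uac[a-z0-9]+\.sys", "high"),
    ("UAC dll/log/dat", ("system32",), r"uac[a-z0-9]+\.(dll|log|dat)", "high"),
    # Names of this shape are also produced by ordinary software, so a hit
    # here is only a lead to review, not proof of infection.
    ("tmp file", ("temp",), r"tmp\d+\.tmp", "low"),
]

def classify(path):
    """Return (label, confidence) if path matches a listed pattern, else None."""
    parts = [p.lower() for p in PureWindowsPath(path.strip()).parts]
    if len(parts) < 2:
        return None
    name, dirs = parts[-1], parts[:-1]
    for label, tail, pattern, confidence in RULES:
        if tuple(dirs[-len(tail):]) == tail and re.fullmatch(pattern, name):
            return label, confidence
    return None

def scan_listing(text):
    """Classify every non-empty line of a listing; return (path, label, confidence)."""
    hits = []
    for line in text.splitlines():
        result = classify(line) if line.strip() else None
        if result:
            hits.append((line.strip(), *result))
    return hits

# Constructed sample listing (not real scan output).
SAMPLE = r"""
C:\WINDOWS\system32\uacinit.dll
C:\WINDOWS\system32\drivers\UACxkqwbnpt.sys
C:\WINDOWS\system32\UACxkqwbnpt.log
C:\WINDOWS\system32\drivers\usbhub.sys
C:\WINDOWS\system32\kernel32.dll
C:\Documents and Settings\user\Local Settings\Temp\tmp48213.tmp
C:\Program Files\Example\UACnotes.dll
"""

if __name__ == "__main__":
    for path, label, confidence in scan_listing(SAMPLE):
        print(f"{confidence:4}  {label:16}  {path}")
```

Matches are tied to the directories given in the list, so a `UAC*.dll` outside system32 is not reported.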
If you need help with the instructions, then post your questions in our Spyware Removal forum.
Try to remove the uacinit.dll file using the following script:
Files to delete:
%windir%\uacinit.dll
or ask help at our Spyware removal forum.
Hi Patrick,
I did that too, of course. Eventually the problems (redirection + infection) were solved by reinstalling Kaspersky and MBAM plus some reboots. The key here is to work with Kaspersky updated, MBAM updated, all of which I already knew, and Avenger, which I didn’t know at the time. Also, don’t hesitate to rename the exe, which I did even before reading this topic.
BTW, since this topic seems to grow a little more each time we visit it, we may create a new contest: how much time did you spend from the first symptoms to the time you finally managed to solve all the problems (not just the redirection problem but the persistent infection too)? As for me, and I have 8 y in IT (not for a living though, it’s a passion) I spent 6H yesterday…
Good luck all and many thanks Pat’ for having put me on the right tracks…
I have successfully removed uacd.sys and associated problems thanks to the information in this forum after 3 days of frustration.
Patrik you really deserve lots of people’s admiration.
Well I won’t leave you all without sharing the details of my own experience, simply because it is, from my own point of view, the extra stuff you may want to know in addition to the great tut from Patrick (for instance I managed to fix all my problems without the help of any other comp’ to download or browse). And I must add I hate having to deal with hijack/smitstuff etc. I don’t say they’re useless, I just say I prefer the less effort.
1/ You are infected, and when you try to google something,
[SUITE]”something/windowsClickStuff” redirects you. No matter, let it go, close the window which will begin to open, you will then be back on Google, type now for instance “Malware bytes anti malware” AND then use the CACHED Google page to access a page from where you should be able to download what is requested.
2/ Once downloaded, rename MBAM (I noticed it wouldn’t launch so I figured the s*cker was the cause of it and I rename setup exe with etup.exe).
[SUITE II]Try to launch it when installation is finished. It shouldn’t work (of course, the s*cker knows its dirty job!). No matter. Go to Program Files\Malware, you get the idea… There, rename the MBAM executable (not the one with “gui” in it). Then launch MBAM from there. Run a quick scan. Just that. Such a scan not only found some really nasty malwares on my comp (Vundo) but this scan immediately resolved the redirection problem after the required reboot to eliminate the dirty items which were spotted by MBAM.
===> So, if your aim is simply to get rid of the redirection problem it shouldn’t take more than 10 or 15 minutes
[SUITE III]to solve it if you follow the above instructions.
Now, the great stuff Patrick introduced me to. Avenger. Download it, run it, type the script (you shouldn’t need the second line, the first is the most important one but up to you). Click on \
[SUITE IV]Let Avenger do its job, launch the script, a reboot will be necessary, the main part of the s*cker should by now be gone (the UAC*.sys stuff).
Now, run another quick scan with MBAM. Perhaps it will show you a remaining registry trace AND UACINIT.DLL in %Windir% (i.e C:\Windows\System32 for us usual mortals :)) If it’s the case, then this may indicate, if I’m not wrong, that YOU MAY STILL BE INFECTED EVEN IF THE REDIRECTION PROBLEM IS GONE. Don’t panic…
[SUITE V]3/ Download Kaspersky AV evaluation, update it, change the settings to the highest level (don’t hesitate to check additional parameters in that capacity).
Now, run a quick scan (Memory+bootsectors+Startup objects), check the results AND check that the proactive defense is running. Wait for like 5 minutes
until a window should show up telling you Kaspersky found some “trojan.win32TDSS.xyz” (here it’s TDSS which is important to spot) and/or UACcbhgcfhcf.dll
or UACjezghferzf.dll (for instance, for the format is UAC(Anythingwithletters).DLL). Delete them with Kaspersky, don’t reboot, go back to MBAM, select
all the stuff it found (the registry entry and UACINIT.DLL + possible other stuff) and accept to reboot again.
[SUITE VI (we’re almost through!]4/ Now you should be as clean as the first day (at least almost), for security purposes and pleasure too, run (not at the same time of course!!)
MBAM until it tells you everything is ok (a quick scan is sufficient but for the paranoids a full scan may be as well executed), then do the same
with Kaspersky. Don’t forget: PAUSE either MBAM protection or scan or Kaspersky Protection or scan when running a scan!
5/ Additional notes: in MY case, MBAM and Kaspersky seemed to have been successfully corrupted by the s*cker we’re talking about.
For instance, Kaspersky bases were dated December 2008 despite my downloading of the latest version available and an update.
[SUITE VII & END]As for MBAM, I figured that it may have been corrupted in the end also, so I reinstalled it. Last, perhaps I definitively got
rid of this infamous malware just because at one moment I just had the files Kaspersky had spotted deleted AND THEN WITHOUT REBOOT
I was launching the deleting of what MBAM had found. At least that’s the only way I can figure to explain why all of a sudden after
the reboot all was OKAY. So don’t forget it, the redirection stuff, even annoying is one thing, another thing is the remains of the malware
which “may” be still active and compromising for your system even if the redirection problem is solved… So check and double check with MBAM
and Kaspersky until they tell you it’s okay. Then create a restore point (now the restoring functionality should work) and after that delete all
the others since they may simply be … infected!
Hope this helps,
Thanks all & especially Patrick, Avenger was the core of the cure (yes I’m a poet:)), forgive my English,
best regards from FRANCE
XB, thank you for the information 🙂
Great thing. It worked. Got this UAC / Trojan-TDSS removed from my system. Thx
Are there any other things which are linked to the UACD.sys trojan which I will need to delete once I’ve deleted the UACD.sys trojan? I would like to know asap as I need to make sure my PC is clean of any viruses and malware or any other things that are bad for my PC.
many thanks Ryan Bates
Ryan,
Wait for Patrick’s answer but here is mine: if you want to be sure your system is not compromised, run a FULL system scan in safe mode with MBAM & Kaspersky with highest/deepest scan settings (it may take a while, though). If they find nothing, then as far as I’m concerned you’re safe. If really you were hit by this s*cker and need to be 300 percent sure, then I don’t see any other solution than reformatting and reinstall. Antiviruses & the like will NEVER offer 100% certitude of not being compromised.
Anyway, don’t panic, if the scans I recommend you to run end in negative results, then it’s ok.
Ryan, XB is right 🙂
You can also check your PC using an online scanner – http://www.myantispyware.com/online-scanners
Thanks for the advice, I will take that on board.
There is one other question I have and it is: does the UACD.sys trojan stop my Norton anti virus from doing a full system scan even when I have told it to, and I have even tried in safe mode?
many thanks Ryan Bates
Thanks Patrick for your advice. I would just add, in case one of you would want to format and reinstall, you should be aware that the infection “may” have originated, in the first place, by the use of “ware” (crack, keygen, you name it) so upon reinstall, please check and double check with Kaspersky every piece of software, including the operating system, you are installing. That way, you should be safe, provided you create a “copy” of the new and clean system by using a soft like Norton Ghost or better, “easyrecovery” (you will need an external DD for storing the image but, well, this is the best solution I’ve found in years for reinstalling a full image in less than 1/2 hours)
Good luck all!
Ryan, please be more explicit: are you actually unable to run a full system scan in safe mode with Nort*n AV or do you simply WONDER if it’s possible that the trojan would be able to make it impossible to realize? If your concern is well expressed by the second part of the alternative, I would say that yes, the trojan (and many others of its kind) are capable of such things as disabling AVs and other security software or firewalls. But please try to use Kaspersky and MBAM to be sure you’re not compromised (and read again carefully all the comments to Patrick’s tutorial): download the Norton removal tool you will find on their website (they had to design one many years ago because most of their clients, including me at the time, found it difficult, to say the least, to uninstall Norton AV by the usual ways), so download this tool, download a Kaspersky AV evaluation version, then disconnect if you wish, or block access to the internet through your firewall, then run the removal tool, reboot, install Kaspersky AV, reboot, press F8 to access safe mode, and run a full system scan. Oh, and you may do the same with Malwarebytes Anti-Malware, please read our posts!!
best regards from FRANCE
Just thought it may be helpful to others to add some additional info about my experience with the windowsclick virus. The first noticeable indication of my pc being infected was Google search results being displayed in a larger font size. I spent a significant amount of time trying to rectify this and assume that it was part of the virus’ plan, as because I was distracted it gave it time to go to work. For some reason windowsclick did not appear to affect any links to sites saved in my ‘favourites’. This also caused a delay in me picking it up. When I clicked on my desktop email icon it sent me straight to my usual email address page (No windowsclick diversion box) but at the same time another web address was indicated. I therefore assume my email was compromised, so I’ve changed my password.
After downloading Avenger and successfully eliminating windowsclick, AVG scan detected a new virus –
Location –
C:/System Volume Information/_Restore
Virus found –
Win32Cryptor
I deleted the Avenger program, ran another AVG scan, and all was well.
However…I now have a problem with something called adwpopup.com Which kicks in intermittently just like windowsclick and directs me to sites such as ‘Online Pharmacy’.
Nic, please follow these steps. I will help at our Spyware removal forum.
Ok, so I’ve been watching this site for over a week since I’ve had this virus. Mine is actually C:\WINDOWS\system32\uacinit.dll
I couldn’t open malware bytes until I renamed it as someone had said. My taskmanager would work using ctrl+alt+dlt, I have to go to ‘run’. I’ve had lots of problems with this, but to make the story short, basically, I can remove the file, but I’m guessing since it’s attached to system32, when I reboot it, windows won’t work unless I ‘restore to last known good configuration’. And that basically starts the whole process all over again. So how can I get rid of the evil thing for good, without removing something that will prevent windows from working properly?
Melanie, please ask for help at our Spyware removal forum.
I found this forum and I have had a malware infestation on a machine at work. I can’t execute MBAM, HijackThis, Norton, or ComboFix. At first I could access the registry but now I can’t do that either. Google redirects to windowsclick.com and some stupid AV thing comes up. Does anyone know how I can get shell function back for the registry and anti-spyware s/w ?
Thanks in advance….
PaulD
PaulD, ask help at our forum.
I apologize if this has been answered in the past posts but I’m going cross eyed trying to figure out what to do…I’m at my wits end.
Patrick (or anyone else) please help….the other day WinPC defender somehow downloaded itself onto my computer. I finally got it uninstalled (I think) but now I have tons of problems.
I’m getting:
*redirected to windowsclick.com
*My lists of searches (on yahoo) has a different look
*I cannot restore to an earlier date (would that even help my problems),
*I’m not sure if this is legit or not but as I get logged on, the Windows Genuine Advantage Notifications comes up.
*I also get the following small error boxes after I’ve logged on… SetWindowPos Failed (and once you click that box to close) Error Code 1406 (pops up)
PLEASE PLEASE PLEASE help me if you can. I apologize if you’ve answered these already. I would prefer not to spend a ton of money on software to remove but if there is a FREE version of something that you think might help, I would be so grateful!
Allie, use instructions above or ask help at our Spyware Removal forum.
After a long communication with my security system pc tools (spyware doctor) people, I think they’ve finally cracked it. I’ve just downloaded their most recent updates for the software and it seems to have got rid of the problem after two weeks of trying!
It was annoying as hell – I just hope I don’t speak too soon. Good luck everyone.
well ALLIE, please read all our posts even if it seems a boring thing to do, it’s not so much time to spend after all, try our different solutions & if needed, in the end you will always find help with Patrik on the forum
The Avenger is not running, what should I do?