windowsclick.com Trojan


wade moore
02-16-2009, 08:46 AM
I need some help.

It appears that despite having an anti-virus program, I've been infected by the windowsclick.com trojan.

I do web searches and find results for how to fix it, but if I click them the trojan kicks in. It appears to prevent me from getting to symantec.com, trendmicro.com, etc. as well.

Could someone find the instructions for removal and post them here?

DaddyTorgo
02-16-2009, 08:47 AM
roger

DaddyTorgo
02-16-2009, 08:48 AM
How to remove windowsclick.com redirect [UACd.sys trojan] (http://www.myantispyware.com/2009/01/24/how-to-remove-windowsclickcom-redirect-uacdsys-trojan/)

Redirect to the windowsclick.com site is a result of UACd.sys trojan activity. The trojan horse may represent a security risk for the infected computer and uses rootkit-specific techniques designed to hide the software's presence in the system.
Once infected, the UACd.sys trojan blocks user access to security websites, and search results in Google, Yahoo, MSN and others redirect you to windowsclick.com and other unrelated sites.

Use the following instructions to remove UACd.sys trojan.

Step 1: Disable UACd.sys trojan driver.

Right click the My computer icon. If you are using the non classic Start menu, then right click My computer icon on your Start button menu.
Click Properties.
Click Hardware Tab.
Click Device Manager.
In the top menu, click View and click Show Hidden Drivers.
Scroll down to non Plug and Play drivers.
Click + at left.
In the list of drivers right click UACd.sys.
Click Disable.
Click Yes to confirm.
Close all windows and reboot your computer.

Step 2: Delete UACd.sys trojan driver and malware files.

Download Avenger from here (http://swandog46.geekstogo.com/avenger.zip) and unzip to your desktop.
Run Avenger, then copy and paste the following text into the Input script box:
Drivers to delete:
UACd.sys
Files to delete:
C:\WINDOWS\system32\wJQs.exe
Then click on ‘Execute’.
You will be asked Are you sure you want to execute the current script?. Click Yes.
You will now be asked First step completed — The Avenger has been successfully set up to run on next boot. Reboot now?. Click Yes.
Your PC will now be rebooted.

Step 3: Remove UACd.sys trojan files and any associated malware.

Download Malwarebytes Anti-Malware (http://www.myantispyware.com/2008/08/28/malwarebytes-anti-malware-free-spyware-malware-trojan-remover/) (MBAM). The program is designed to quickly detect, destroy and prevent malware, spyware and trojans.
Once downloaded, close all programs and Windows on your computer (including this one).
Double-click on the icon named mbam-setup.exe to install the application.
When the installation begins, keep following the prompts in order to continue with the installation process. Do not make any changes to default settings and when the program has finished installing, make sure a checkmark is placed next to Update Malwarebytes’ Anti-Malware and Launch Malwarebytes’ Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select “Perform Quick Scan”, then click Scan.
MBAM will now start scanning your computer for malware. This process may take some time to finish, so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
MBAM will now delete all of the files and registry keys and add them to the quarantine.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.

The UACd.sys trojan creates the following files.

%System%\drivers\UAC[RANDOM CHARACTERS].sys
%System%\UAC[RANDOM CHARACTERS].dll
%System%\UAC[RANDOM CHARACTERS].log
%System%\UAC[RANDOM CHARACTERS].dat
%Temp%\tmp[RANDOM NUMBERS].tmp
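Steps 1 and 2 above can be checked from an elevated Windows PowerShell prompt before reaching for Avenger. The script below is an added example written for this thread, not code from the myantispyware page or from the forum. It looks only for the indicators the post lists (UAC*.sys under %System%\drivers, UAC*.dll/.log/.dat under %System%, tmp*.tmp under %Temp%, and a kernel driver whose name starts with UAC); the optional -Disable switch is an assumed command-line equivalent of the Device Manager "Disable" step and only changes the driver's start type with sc.exe. One caveat the post itself supports: the rootkit is designed to hide its presence, so "nothing found" from inside the infected OS is inconclusive, which is consistent with Wade reporting below that he saw no UAC files at all.

```powershell
# Added example (not from the removal post): check for the UACd.sys indicators it lists.
# Run from an elevated Windows PowerShell prompt. Get-WmiObject is used because that is
# what the XP/Vista-era shells have; on PowerShell 7 use Get-CimInstance instead.
param(
    [switch]$Disable   # assumed equivalent of Device Manager > UACd.sys > Disable
)

$system32 = Join-Path $env:SystemRoot 'System32'
$drivers  = Join-Path $system32 'drivers'

# File indicators quoted from the post. The %Temp% pattern is weak on its own:
# plenty of legitimate software writes tmp*.tmp files there.
$checks = @(
    @{ Path = $drivers;  Filter = 'UAC*.sys' },
    @{ Path = $system32; Filter = 'UAC*.dll' },
    @{ Path = $system32; Filter = 'UAC*.log' },
    @{ Path = $system32; Filter = 'UAC*.dat' },
    @{ Path = $env:TEMP; Filter = 'tmp*.tmp' }
)

$hits = @()
foreach ($c in $checks) {
    if (Test-Path $c.Path) {
        # -Force includes hidden/system files, but a kernel rootkit can still filter them
        # out of the directory listing, so an empty result here proves nothing.
        $hits += @(Get-ChildItem -Path $c.Path -Filter $c.Filter -Force -ErrorAction SilentlyContinue)
    }
}

# Driver indicator: Step 1 of the post looks for UACd.sys under "Non-Plug and Play Drivers".
# Win32_SystemDriver lists every kernel driver registered as a service, PnP or not.
$suspectDrivers = @(Get-WmiObject Win32_SystemDriver |
    Where-Object { $_.Name -like 'UAC*' -or $_.PathName -like '*\UAC*.sys' })

"== File indicators =="
if ($hits.Count -eq 0) { "none found (inconclusive while the rootkit is active)" }
$hits | ForEach-Object { "{0}  {1} bytes  modified {2}" -f $_.FullName, $_.Length, $_.LastWriteTime }

"== Driver indicators =="
if ($suspectDrivers.Count -eq 0) { "none found (inconclusive while the rootkit is active)" }
$suspectDrivers | ForEach-Object {
    "{0}  state={1}  start={2}  path={3}" -f $_.Name, $_.State, $_.StartMode, $_.PathName
    if ($Disable) {
        # Same end result as the Device Manager step: the driver is not loaded on the next boot.
        & sc.exe config $_.Name 'start=' 'disabled'
    }
}
```

Run it once without -Disable to see what is there, then again with -Disable and reboot before running Avenger or MBAM. If the driver indicator shows a UAC* service but the file checks come back empty, that gap is itself a sign the driver is hiding its files, and the safer next step is to scan from a boot CD that does not load the installed OS, as Alan suggests later in the thread.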

wade moore
02-16-2009, 08:57 AM
meh.

Maybe that's not it. I don't have any of the UAC stuff on my system.

DaddyTorgo
02-16-2009, 09:01 AM
hmmm

malwarebytes ought to take care of it anyways - whatever it is. or so i've found.

wade moore
02-16-2009, 09:14 AM
I'll try that next. I was able to get in touch with Trend Micro support and they sent me to some tool that runs in safe mode, so I'm running that now.

DaddyTorgo
02-16-2009, 09:22 AM
cool!

Alan T
02-16-2009, 09:45 AM
It appears that despite having an anti-virus program, I've been infected by the windowsclick.com trojan.

Wade,

I looked at my company's internal virus database and this redirect can be caused by a few different trojans. The instructions that DT provided could possibly remove one of the more common variants, but with this particular virus, I do not see a very high reliability rate for it being cleaned completely by any anti-virus software vendor. Because of the nature of the trojans most commonly involved for this type of infection, the safest recommended fix for it is actually a complete reformat and re-install on your computer.

Several variants of this trojan have very nasty keyloggers and backdoors open that pull any kind of financial information or login information (and passwords) that your computer may have. You may very well have gotten a tame version of this trojan that does none of these things, but it is highly recommended that you go through and change any passwords or PIN numbers that may be compromised.

As for the original comment that you caught this despite having anti-virus software installed, my company probably doesn't appreciate me saying this, but many of the newer worms/trojans/viruses are propagating new variants faster than most AV companies can push out new signatures to prevent them. This in no way means I am recommending that people not use anti-virus, because that is way too dangerous, but this type of worm is usually prevented by using something such as NoScript for Firefox and being very sure to never allow scripts to run on sites unless it is a known script/site that you are sure is fine.

Anyhow, give DT's recommendation a try, but on this particular trojan (depending on which one you have), I would not feel confident that it can be fully cleaned off due to how it infects the system.

DaddyTorgo
02-16-2009, 09:50 AM
wowsers Alan. That blows!

Alan T
02-16-2009, 09:56 AM
wowsers Alan. That blows!


Hmm, I re-read my post and it came across more doom and gloom than I meant it to.

I guess to clarify what I meant..

There are several trojan variants that can be noticed with a redirect to windowsclick.com. Some are really nasty and others are not too bad.

If you can identify which one you have, it can help provide more information if you are better off just doing a full wipe or not. The problem with most of the variants of this trojan is that they have all kinds of programming that prevents many legit antivirus software products from actually identifying the infection (much less clean it off).

So I guess what I meant to say is first off, unplug the system from the internet and stop using it if possible. Then try to identify what type of virus you have on it if possible. If it is an easy one, then just follow the proper removal procedure. If a nasty one, I would just suggest a wipe and rebuild.

DaddyTorgo
02-16-2009, 10:04 AM
there are a couple of websites out there where you can upload the infected files and it will specify better which variant it is, aren't there? I know I used one before...

wade moore
02-16-2009, 11:59 AM
Well, the Trend Micro thing did diddly.

If anyone has suggestions on how to know which one it is, I'm all ears. Going to try the malware app above.

wade moore
02-16-2009, 12:03 PM
:sigh:

I can't d/l the malware tool because of the stupid trojan/whatever.

Alan T
02-16-2009, 12:16 PM
Wade, the virus is likely resident in memory and is going to keep frustrating your ability to load tools to try to detect/identify/remove it.

I am by no means an expert with viruses, but my guess is that you are going to have to use some kind of safe boot disk to boot up your system so it loads off of the disc/cd and not off of the drive. Then in the safe mode, you can possibly do a scan of the file system. I don't have the best walk through instructions of how to do that though I fear, I just know that is a common step done when a virus infects a system and refuses to allow any tools be installed to remove it.

DaddyTorgo
02-16-2009, 12:55 PM
hey wade - could you get to another type of website or your email? I can try emailing it to you...

wade moore
02-16-2009, 01:39 PM
Wade, the virus is likely resident in memory and is going to keep frustrating your ability to load tools to try to detect/identify/remove it.

I am by no means an expert with viruses, but my guess is that you are going to have to use some kind of safe boot disk to boot up your system so it loads off of the disc/cd and not off of the drive. Then in the safe mode, you can possibly do a scan of the file system. I don't have the best walk through instructions of how to do that though I fear, I just know that is a common step done when a virus infects a system and refuses to allow any tools be installed to remove it.

Yeah, I'm muddling through with trendmicro support doing basically this. Didn't help that my cable went out for an hour or so.

I fear a reformat will be necessary, which becomes problematic because I don't know where my external HDD ran off to in my move this summer.

wade moore
02-16-2009, 01:40 PM
hey wade - could you get to another type of website or your email? I can try emailing it to you...

That's what I ended up doing - e-mailing from my work computer. But the malware app wouldn't run at all after d/ling, but for whatever reason Trend Micro's apps are running (they're just not fixing anything yet).

DaddyTorgo
02-16-2009, 01:42 PM
odd. i found with the malware app the thing to do was start up in safe mode unplugged to the interweb

Alan T
02-16-2009, 01:46 PM
odd. i found with the malware app the thing to do was start up in safe mode unplugged to the interweb

Depending on what variation of this trojan he has, safe mode might not be enough. If trendmicro has him booting from a boot disc (not even using the OS on the computer, but using the OS from the cdrom), then he should be ok to try to run whatever executables he needs. The only issue is that it can't be an installer, it has to be an actual executable since it won't be able to install the application to the boot disc. (Unless the boot disc is a special one from an anti-virus vendor that has the application already installed on it)

wade moore
02-16-2009, 01:57 PM
Trend Micro just has me using safe mode. And the malware app in safe mode with the internet unplugged still doesn't work.

DaddyTorgo
02-16-2009, 02:10 PM
boinked. that's one hell of a trojan! yikes

wade moore
02-16-2009, 02:28 PM
I hate the a-holes that do this bullcrap.

I thought I was taking reasonable precautions.

I REALLY don't want to have to format.

Alan T - any idea if my data files are suspect? Any reason I shouldn't be able to copy my docs, etc onto an external HD?

Alan T
02-16-2009, 02:32 PM
I hate the a-holes that do this bullcrap.

I thought I was taking reasonable precautions.

I REALLY don't want to have to format.

Alan T - any idea if my data files are suspect? Any reason I shouldn't be able to copy my docs, etc onto an external HD?


Without knowing exactly which trojan you have, it is hard to say for certain if they are infected or not. It should be easy enough to copy them all to some kind of external drive that you can then scan later however so you do not lose your data. I wouldn't copy them over to another system until you scan that drive however.

wade moore
02-16-2009, 02:46 PM
I guess I'm skeptical of the "scan" since it's finding nothing now ;).

But I guess I could run the malware app then.

Alan T
02-16-2009, 02:53 PM
I guess I'm skeptical of the "scan" since it's finding nothing now ;).

But I guess I could run the malware app then.

The way that I understand how this trojan works is it infects your system in a way where you can not install new anti-virus software and it prevents your currently installed AV from working properly.

Once you have a clean system, you should be able to scan the individual files to see if they are infected from an external drive.

I am not one who bashes other vendor antivirus products, so I'll say it this way.. sometimes various vendors have better or worse "hit rate" on different trojan variations. If you don't feel confident with your AV software scanning the external drive afterward, you could get one of the free AV products that are out there with a relatively high hit rate on scans recently to double check it to give you more confidence.

One thing to keep in mind however is some trojans as a part of their programming are instructed to detect new mounted drives and then spread themselves to the drive as well. So, I really wouldn't use any files from it until you are confident that it is clean.

wade moore
02-16-2009, 03:00 PM
Roger that.

So, if I hook it up, but don't open any files and immediately scan, I shouldn't have the concern of it spreading to the newly affected drive?

JonInMiddleGA
02-16-2009, 03:01 PM
Well if it's any consolation you reminded me (and motivated me) that I ought to update my avast definitions. So there's something good from all of this.

Alan T
02-16-2009, 03:04 PM
Roger that.

So, if I hook it up, but don't open any files and immediately scan, I shouldn't have the concern of it spreading to the newly affected drive?

As long as you don't have any auto-run applications or anything on your system that automatically opens anything on that drive that would be a reasonable expectation I would think. Word documents or Jpeg images or Media files that are infected can't just copy themselves over to new drives or systems on their own. Only by launching or running them do you infect new systems. So if something on that drive is infected, as long as your system doesn't autorun anything from it I would think you are ok.
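Alan's condition ("as long as your system doesn't autorun anything from it") is something you can verify rather than assume before plugging in the backup drive. The script below is an added example for this thread, not something Alan or anyone else in it posted. It reads, and with -Harden sets, two standard Windows registry settings: the NoDriveTypeAutoRun Explorer policy (0xFF turns AutoRun off for every drive type) and the IniFileMapping entry that makes Windows ignore autorun.inf files altogether. Neither setting is mentioned in the thread; both are long-documented Windows hardening values, and the script touches nothing else.

```powershell
# Added example (not from the thread): check, and optionally set, the two registry values
# that stop Windows from automatically running anything on a newly attached drive.
# Run from an elevated Windows PowerShell prompt before connecting the external disk.
param([switch]$Harden)

# NoDriveTypeAutoRun is a bitmask of drive types with AutoRun disabled; 0xFF covers them all.
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$desired   = 0xFF

# Mapping autorun.inf to a registry key that does not exist makes Windows ignore the
# file's contents entirely, independent of the AutoRun policy above.
$iniKey   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf'
$iniValue = '@SYS:DoesNotExist'

function Get-AutoRunPolicy {
    $v = Get-ItemProperty -Path $policyKey -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue
    if ($v) { [int]$v.NoDriveTypeAutoRun } else { $null }
}

$current = Get-AutoRunPolicy
if ($current -eq $null) {
    "NoDriveTypeAutoRun: not set (Windows default leaves AutoRun enabled for most drive types)"
} else {
    "NoDriveTypeAutoRun: 0x{0:X2} (0xFF = disabled for all drive types)" -f $current
}

$iniMapped = (Test-Path $iniKey) -and ((Get-Item $iniKey).GetValue('') -eq $iniValue)
"autorun.inf mapping: {0}" -f $(if ($iniMapped) { 'neutralised' } else { 'not neutralised' })

if ($Harden) {
    if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
    Set-ItemProperty -Path $policyKey -Name NoDriveTypeAutoRun -Value $desired -Type DWord

    if (-not (Test-Path $iniKey)) { New-Item -Path $iniKey -Force | Out-Null }
    Set-ItemProperty -Path $iniKey -Name '(default)' -Value $iniValue

    "AutoRun hardened; restart Explorer or reboot so the policy is picked up."
}
```

This only covers what Windows itself would launch from the drive; it does nothing about files you open by hand, which is exactly the case Alan describes. Run it on the infected machine before the copy, and on the clean machine before the external drive is ever attached there, so the drive is scanned before anything on it has a chance to execute.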

wade moore
02-16-2009, 03:07 PM
As long as you don't have any auto-run applications or anything on your system that automatically opens anything on that drive that would be a reasonable expectation I would think. Word documents or Jpeg images or Media files that are infected can't just copy themselves over to new drives or systems on their own. Only by launching or running them do you infect new systems. So if something on that drive is infected, as long as your system doesn't autorun anything from it I would think you are ok.

Ok, thanks.

I appreciate your help and realize that these are just with your best information.

My own fault for going asleep at the wheel on my backups.

I found my old HD and am kicking myself because of how easy it was to find.

Greyroofoo
02-16-2009, 03:19 PM
If your anti-virus won't run/install, change the name of the file/executable.

I think I had the same thing wade moore has and I got rid of it with a fully updated Malwarebytes Anti-Malware.

At least I hope it's gone.

wade moore
02-16-2009, 03:50 PM
My av runs, but malwarebytes doesn't. I'll try the renaming trick.

wade moore
02-16-2009, 03:50 PM
sweet! it's installing!

wade moore
02-16-2009, 03:52 PM
But once it installs, that trick doesn't work to actually run the program :(.

DaddyTorgo
02-16-2009, 04:33 PM
But once it installs, that trick doesn't work to actually run the program :(.

hmm - not in safe mode or anything?

Greyroofoo
02-16-2009, 04:44 PM
Did you rename the shortcut or the actual executable file?

Make sure you rename the actual file, don't use the shortcut at all.


Another trick to try is to select and run the executable by using the keyboard as opposed to the mouse.

wade moore
02-16-2009, 07:37 PM
I did the actual file.

I'm copying files to my external drive, so I'll have to try the keyboard thing in a bit.