How to remove windowsclick.com redirect [UACd.sys trojan]
Redirects to the windowsclick.com site are a result of UACd.sys trojan activity. The trojan may pose a security risk to the infected computer and uses rootkit-specific techniques designed to hide its presence in the system.
Once the computer is infected, the UACd.sys trojan blocks user access to security websites, and search results in Google, Yahoo, MSN and other search engines redirect you to windowsclick.com and other unrelated sites.
Use the following instructions to remove the UACd.sys trojan.
Step 1: Disable UACd.sys trojan driver.
- Right click the My computer icon. If you are using the non classic Start menu, then right click My computer icon on your Start button menu.
- Click Properties.
- Click Hardware Tab.
- Click Device Manager.
- In the top menu, click View and click Show Hidden Drivers.
- Scroll down to non Plug and Play drivers.
- Click + at left.
- In the list of drivers right click UACd.sys.
- Click Disable.
- Click Yes to confirm.
- Close all windows and reboot your computer.
Step 2: Delete UACd.sys trojan driver and malware files.
- Download Avenger from here and unzip to your desktop.
- Run Avenger, then copy and paste the following text into the Input script box:
Drivers to delete:
UACd.sys

Files to delete:
C:\WINDOWS\system32\wJQs.exe
- Then click on ‘Execute’.
- You will be asked “Are you sure you want to execute the current script?” Click Yes.
- You will now be asked “First step completed — The Avenger has been successfully set up to run on next boot. Reboot now?” Click Yes.
- Your PC will now be rebooted.
Step 3: Remove UACd.sys trojan files and any associated malware.
- Download Malwarebytes Anti-Malware (MBAM). The program is designed to quickly detect, destroy and prevent malware, spyware and trojans.
- Once downloaded, close all programs and windows on your computer (including this one).
- Double-click on the icon named mbam-setup.exe to install the application.
- When the installation begins, keep following the prompts in order to continue with the installation process. Do not make any changes to default settings and when the program has finished installing, make sure a checkmark is placed next to Update Malwarebytes’ Anti-Malware and Launch Malwarebytes’ Anti-Malware, then click Finish.
- If an update is found, it will download and install the latest version.
- Once the program has loaded, select “Perform Quick Scan”, then click Scan.
- MBAM will now start scanning your computer for malware. This process may take some time to finish, so please be patient.
- When the scan is complete, click OK, then Show Results to view the results.
- Make sure that everything is checked, and click Remove Selected.
- MBAM will now delete all of the files and registry keys and add them to the quarantine.
- When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.
The UACd.sys trojan creates the following files:
%System%\uacinit.dll
%System%\drivers\UAC[RANDOM CHARACTERS].sys
%System%\UAC[RANDOM CHARACTERS].dll
%System%\UAC[RANDOM CHARACTERS].log
%System%\UAC[RANDOM CHARACTERS].dat
%Temp%\tmp[RANDOM NUMBERS].tmp
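To check a machine against the file names listed above, the following Python example (added here, not part of the original post and not code from Avenger or MBAM) matches a plain list of file paths against those names, so the listing can come from wherever the files are visible. It assumes that "[RANDOM CHARACTERS]" means letters or digits and that %System% is C:\WINDOWS\system32 as in the Avenger script; the temp directory and the sample listing are constructed.

```python
"""Check a list of Windows file paths against the file names this page lists."""
import ntpath
import re

# Rules for files under %System%: (sub-directory, name regex, indicator, confidence).
# Assumption: "[RANDOM CHARACTERS]" on the page means one or more letters or digits.
SYSTEM_RULES = [
    ("", r"uacinit\.dll", r"%System%\uacinit.dll", "high"),
    ("drivers", r"uac[a-z0-9]+\.sys",
     r"%System%\drivers\UAC[RANDOM CHARACTERS].sys", "high"),
    ("", r"uac[a-z0-9]+\.(dll|log|dat)",
     r"%System%\UAC[RANDOM CHARACTERS].dll/.log/.dat", "high"),
    # From the Avenger script in Step 2; several commenters report it was absent.
    ("", r"wjqs\.exe", r"C:\WINDOWS\system32\wJQs.exe", "high"),
]
# tmp<digits>.tmp is a generic temp-file name, so a match alone is weak evidence.
TEMP_RULE = (r"tmp[0-9]+\.tmp", r"%Temp%\tmp[RANDOM NUMBERS].tmp", "low")

DEFAULT_SYSTEM_DIR = r"C:\WINDOWS\system32"


def norm(path):
    """Lower-case and normalise separators: Windows paths are case-insensitive."""
    return ntpath.normcase(ntpath.normpath(path))


def classify(path, system_dir=DEFAULT_SYSTEM_DIR, temp_dirs=()):
    """Return (indicator, confidence) if path matches a listed file, else None."""
    folder, name = ntpath.split(norm(path))
    sysdir = norm(system_dir)
    for sub, pattern, indicator, confidence in SYSTEM_RULES:
        expected = ntpath.join(sysdir, sub) if sub else sysdir
        # The directory must match as well: a UAC*.dll elsewhere is not listed.
        if folder == expected and re.fullmatch(pattern, name):
            return indicator, confidence
    pattern, indicator, confidence = TEMP_RULE
    if folder in {norm(d) for d in temp_dirs} and re.fullmatch(pattern, name):
        return indicator, confidence
    return None


def scan(paths, system_dir=DEFAULT_SYSTEM_DIR, temp_dirs=()):
    """Return [(path, indicator, confidence)] for matches, high confidence first."""
    hits = []
    for p in paths:
        result = classify(p, system_dir, temp_dirs)
        if result:
            hits.append((p, result[0], result[1]))
    return sorted(hits, key=lambda h: h[2] != "high")


# Constructed sample input (not taken from a real machine).
SAMPLE_TEMP = r"C:\DOCUME~1\user\LOCALS~1\Temp"
SAMPLE_LISTING = [
    r"C:\WINDOWS\system32\kernel32.dll",
    r"C:\WINDOWS\system32\uacinit.dll",
    r"c:/windows/System32/DRIVERS/UACd.sys",
    r"C:\WINDOWS\system32\UACxkqmtbrw.dat",
    r"C:\WINDOWS\system32\UACxkqmtbrw.log",
    r"C:\Program Files\Tool\UACviewer.dll",
    SAMPLE_TEMP + r"\tmp48213.tmp",
]

if __name__ == "__main__":
    for path, indicator, confidence in scan(SAMPLE_LISTING, temp_dirs=[SAMPLE_TEMP]):
        print(f"[{confidence}] {path}  matches  {indicator}")
```

The %Temp% rule only fires for directories passed in `temp_dirs`, because the temp location differs per user account.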
If you need help with the instructions, then post your questions in our Spyware Removal forum.
January 24, 2009 on 7:24 am | In Trojan, Tutorials - HowTo | 397 Comments
Wow, I had this #$%^% intrusion a few days ago and tried removing it manually…what a pain it all caused. Even cleaning out the registry did not help but I did notice in one of the keys that there was a “pending rename” which contained “UAC(and a number)…”. No wonder it’s so hard to find, it renames itself to proliferate! The method shown above worked flawlessly and the instructions were a breeze to follow. Thanks for all your knowledge and help. I definitely will be back here if anything else crawls in my PC.
Comment by Mark — January 25, 2009 #
When my computer rebooted the Avenger log said
the file was not found, but it seems to have worked anyway.
There was no hardware tab in properties btw,
I have XP, should that tab be there?
Thanks a bunch!
Comment by Nate — January 27, 2009 #
I’m having the exact same problem as described above, but UACd.sys or anything that resembles it is not found in my plug and play drivers. What do I do?
Thanks
Comment by Derek — January 28, 2009 #
Derek, skip step 1.
Comment by Patrik — January 28, 2009 #
Used this to remove the trojan but when it rebooted it said there was a fatal crash and switched off again. Upon the second power up it started as per usual.
Is this normal? Will it affect my computer?
Comment by Joel — January 29, 2009 #
What program crashed?
Comment by Patrik — January 29, 2009 #
Patrik
On the restart boot after the Windows XP load the screen went blue and there was a message stating fatal crash – I didn’t write the rest down. I did turn off the machine and restart and it was OK.
Comment by Joel — January 29, 2009 #
I have just the first result on google search always redirected on windowsclick.com.
Checked the hidden drivers list and found no UACd.sys driver. No wJQs.exe file as well. That gives a pain in the neck.
Comment by Alex — January 30, 2009 #
OK I downloaded MBAM and it found a nice bunch of malware. Now all seems working well. Thank you.
Comment by Alex — January 30, 2009 #
Amazing! I’ve been trying for 2 wks to get this thing off my PC with no success….But this worked the 1st time!! Thank you!!!
Comment by Susan — February 1, 2009 #
Like Derek, Step one did not reveal any reference found in plug n play.
As PATRIK recommended, Step 2 was attempted & it worked.
This trojan did more than redirect, it also prevented several other programs from opening (like Spybot).
Windows One Live Care safety scanner did not detect it, nor did their Malicious Removal Tool; Symantec’s scanner did not detect it, nor did Panda’s or several others.
I appreciate AVENGER & PATRIK !
Comment by ED — February 2, 2009 #
I’ve been having a problem with this for ages and nothing else I tried worked. Avenger fixed it straight away. Thanks so much.
Comment by Joe — February 4, 2009 #
Thanks a lot!!!
Greetings from the Netherlands
Comment by Duch — February 9, 2009 #
Thanks a lot – It saved my life.
Greetings from France
Comment by Thierry — February 9, 2009 #
It worked well. I’m so happy with this web site, Malwarebytes’ Anti-Malware and Avenger. Special thanks to the author of this article. Actually I am the person (idiot) who installed that malware on my PC by myself. It came as a crack for a software. I executed that “.exe” and suddenly that file disappeared. The software was not cracked.
I got to know that both IE7 and Firefox were infected when I tried to click a link in a Google result page. It opened windowsclick.com in a new page. But during that time, Ad-Aware Anniversary Edition and BitDefender antivirus were running. Both of them were monitoring real-time activities. None of them detected it on the fly. But once I finished using Avenger as mentioned here, BitDefender detected it as a rootkit virus and deleted it. (It didn’t detect it until I removed “UACd.sys” using Avenger.)
Now I have uninstalled the AdAware Antispyware utility, which is useless. It didn’t detect it even when I scanned with it manually. Now I’m using Malwarebytes’ Anti-Malware, which detected 5 infected files regarding this malware. I KNOW MOST OF THE MALWARES GET INSTALLED DUE TO USER’S ACTIVITIES. ALTHOUGH I KNEW THAT, THIS TIME I GOT CAUGHT BY A FAKE SOFTWARE CRACK. THANKS A LOT FOR HELP!!!!!!!
Comment by Asiri — February 9, 2009 #
I still can’t believe it worked. kinda still expect it to show up again
But it seems this worked just fine!!
thanks a lot!!
Comment by peter — February 11, 2009 #
I could not find it either but went ahead and used Avenger and it worked. Found both rootkits and disabled them! 1st CLASS!!!! However, I still cannot use system restore function. I can select a date but when it goes to the next screen nothing happens on clicking next…anyone?
thanks again!
Jase
Comment by Jase — February 12, 2009 #
I have zero clue just where I picked up this little bugger, but it has only been since yesterday (or the day before?) that I began having issues. As soon as I started getting the redirects while trying to answer a tech question, I knew I was in trouble (I’ve been on since ’95, and the only viruses I’ve ever had were ones I turned loose on my system deliberately to \
Comment by serloren — February 12, 2009 #
Thank you! This was a nightmare, but this was a lifesaver!
Comment by Chris — February 12, 2009 #
Jase, please follow these steps. I will check your computer.
Comment by Patrik — February 12, 2009 #
I didn’t find the UACd.sys driver but moved on with step 2, where the thing with the Avenger worked (except the wJQs.exe!?) but everything seems to be fine again..
Thanks for the instruction
Comment by FischersFritz — February 13, 2009 #
If you search the registry for “UAC” you will eventually find a sub-listing of “disallowed” items, hence the reason I could not initially get MBAM.exe and SUPERAntiSpyware.exe to work. Deleting this registry entry (or renaming the file) gets you around this. I must admit, a tedious little exercise figuring out what to do, but I was quite happy to find the UAC registry entry and to personally nuke it myself!
Comment by pilm — February 13, 2009 #
I can’t do any of the steps. Anytime I try to go to a website to download a virus program, it says Internet Explorer cannot display page. Any help would be appreciated.
Comment by Jeff — February 13, 2009 #
So, I’m trying to do these steps due to this very annoying infection that AdAware completely has overlooked despite the most recent update … (I digress). Anyway, anytime I try and click the Avenger link, or the MBAM link, or ANY other link for a .exe from this website, it says
Comment by Adam — February 13, 2009 #
I had this virus infected and my browser was redirecting to windowsclick.com. I was not able to browse anything, could not even open spybot to remove spyware. I tried so many things. Then I googled this page from another computer. I did not find driver in Hardware->device manager tab. So, I skipped step-1 as told by Patrik in comments. Downloaded Avenger and ran. when the system restarted, it crashed with a blue screen! I switched off again (forced off) and rebooted. It booted and showed a log file, showing UAC*****.sys driver deleted. wJQs.exe cannot be found. I closed the log file, and the system is as same as earlier, except for the fact that system restore points are gone!!
Thanks for the tutorial.
Rudresha
Comment by VJ — February 14, 2009 #
Couldn’t find the driver in step 1, and something on my comp prevented me from downloading Avenger in step 2 (404 on the download page).
However, downloaded Avenger and MBAM on a clean comp, walked them over, and they worked like a charm. Thanks so much for this, I was seriously considering a clean wipe of my comp before I got this to work.
Comment by Zach — February 14, 2009 #
Jeff and Adam, use another computer for downloading Avenger.
Comment by Patrik — February 14, 2009 #
I didn’t find the UACd.sys driver, so I followed step 2. After running Avenger with the Input Script and a reboot, the system keeps on rebooting. So I can’t do anything. Please help!
Comment by Hans — February 14, 2009 #
I downloaded both programs on a clean computer, brought them to the infected one, and ran avenger. It seemed to work fine, and I got the restart prompt. I clicked yes, and it shut down(quite slowly). When it rebooted, I got a blue screen saying the computer shut down to protect files from a virus, or something to that effect. Now when I try to boot, I get the windows loading screen, then a black screen. It doesn’t go anywhere from that screen. Is this from the Trojan, or something else?
Comment by Cole — February 14, 2009 #
thank you so much for the instructions. it worked great. my computer is back to normal again.
Comment by Harry — February 14, 2009 #
Thanks a ton guys !!!! You truly are angels… This little bugger kept me up all night trying to fix my laptop… Both IE and Firefox were messed up.. I had to use Opera even to look for a fix.. Folder options had disappeared from Windows explorer.. Both Malwarebytes and Spybot had stopped responding..
I followed your instructions and my comp is back to normal… In fact I was getting message about missing .dll files upon reboot forever now.. I had already given up on that.. This even took care of that… Thanks again and wishing you all a very Happy Valentines Day…
Comment by Ashwin — February 14, 2009 #
Hans and Cole, try it.
* Restart your computer
* After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
* Instead of Windows loading as normal, a menu should appear
* Select the “Last Known Good Configuration..” option.
* Press Enter.
Comment by Patrik — February 14, 2009 #
Patrik RULES!!!! Thank you so much for your help.
Comment by Scott — February 14, 2009 #
Windows not booting – I went to step 2, followed the instructions and after a reboot my laptop windows would not load. I went into safe mode which would not load either, but funny enough windows loaded normally after the laptop rebooted. I followed step 3 and I had 39 infections. All is working fine now. Hope this Helps Hans – Thanks.
Comment by DIps — February 15, 2009 #
I’d just like to add my thanks, too. At one point I was even considering wiping the HDD and re-installing everything!
Comment by Terry — February 15, 2009 #
OK, well it is logging on most of the time now, either in safe or normal mode, but nothing happens when I double click the Mbam-setup.exe file. I ran BitDefender, and it found 40 infected files. I quarantined them, and then uninstalled BitDefender because it seemed to be causing some crashes. But I still can’t use the internet.
Thanks for the help by the way, this trojan is really quite annoying.
Comment by Cole — February 15, 2009 #
Thanks a lot for the help Patrik and Dlps. I really was desperate, but all works fine now.
Comment by Hans — February 15, 2009 #
From Step 2 this advice was absolutely perfect. Step 1 found nothing; took about 5 minutes to cure the problem. Had to use a different machine to download Avenger. Thanks
Comment by Mick — February 15, 2009 #
Thank you so so much. Zone Alarm found nothing, AdAware found nothing. Then I followed your instructions and boom! Fixed! Like several others, I too had to skip part 1. Downloaded Avenger and MBAM from another computer, wrote them to CD, and installed from the CD to the infected computer. After running the Avenger script, the first reboot crashed — as others have mentioned — but then everything worked fine. MBAM detected 12 or so infections (UAC) and after removing them everything seems fine.
Thank you so much again!
Comment by Carter — February 15, 2009 #
Thank you so much guys, you are lifesavers. I also tried the whole of last night to fix the problem, and I’m using BitDefender; it only detected one adware.net infection but it failed to delete it. After trying so many things I even downloaded Malwarebytes using Opera on my phone, and it failed to open up until I followed step 2 onward, using my phone to download Avenger, and it worked like a charm, and BitDefender started to figure out more infections thanks to Malwarebytes, which deleted them. Now my computer works fine. Now I don’t know whether I have to use both Malwarebytes and BitDefender on my system?
Comment by sipho — February 16, 2009 #
It’s OK.
Comment by Patrik — February 16, 2009 #
Thank you so much to the original poster for this fix. I was up until nearly 5 am trying to clear this last night. I got up and ran step 2 and 3 and it fixed it immediately.
Much appreciation!
Comment by Michaek — February 16, 2009 #
I’m in big trouble….this got me good….I had to take the download from a good computer and put it onto the bad one…once I did this it prompted to reboot..I did…when it rebooted I got the same message that others have..the blue screen, so I followed Patrik’s instructions and went to Last Known Good Configuration…when the computer rebooted it got to the screen that says Windows…and that’s it..so I manually rebooted the computer and now it continues to check the files on a blue screen and then tries to load and then goes back to checking the files on the blue screen…I can’t even get to my desktop or attempt to do step 3!!! What am I supposed to do now..help!
Comment by chris — February 16, 2009 #
OK…so I got everything taken care of in my last entry…but even once everything is done…when I get online, which is taking close to 10 minutes, then I still have almost no pictures/graphics. Most times it freezes and when it doesn’t freeze and I try to go to another site it just continues to run..not connecting and then freezes! I rebooted the computer but the problem is still there!
Comment by chris — February 16, 2009 #
Patrik, thanks so much for the help. Saved me the hassle of a C:\ format. I appreciate it!
Comment by Adam — February 16, 2009 #
thanks so much! worked like a charm
Comment by adam — February 16, 2009 #
Chris, please boot your computer in Safe mode and run Malwarebytes Anti-malware.
Comment by Patrik — February 17, 2009 #
Thank you so much, i recovered my computer, good utility,
Best Regards
Comment by Mer — February 17, 2009 #
Thank you very much. Fortunately had a second PC to get the required pgms that were unreachable on the infected PC. I had a small problem trying to run Malwarebytes (probably because McAfee was still running.) Turned off McAfee and had to run Malwarebytes and reboot twice before the third pass quit finding items. But after it indicated clear, Firefox runs like it should. What a relief! I wasn’t looking forward to regenerating all those application installs.
Comment by Chas — February 17, 2009 #
Well it worked the first time, blue screened after Avenger, but upon restart all seemed fine; two days later turned CPU on and windowsclick opened browsers and took over computer. I tried to use Avenger a second time as described above and the unit keeps going into blue screen. Once I was able to get into safe mode, I deleted Avenger and ran antimalware, found 18 items; I removed them and rebooted computer, still blue screen, cannot boot into Windows, HELP????
Comment by Richard Z — February 17, 2009 #
After several failed attempts at clearing this pain in the #@!, I found this page. I had to skip step 1 and download avenger from a different comp but once I did I was cured. Thanks!
Comment by Trish — February 17, 2009 #
Richard, please follow these steps.
Comment by Patrik — February 17, 2009 #
Patrik,
How high is the security risk after having had this virus (e.g., passwords compromised, backdoors opened, etc)? Should I consider a clean install of Windows?
Comment by Carter — February 18, 2009 #
After removing the windowsclick infection, it is a good idea to change all passwords. You can also check your PC further using free online scanners.
Comment by Patrik — February 18, 2009 #
Oh ok, so it is safe to say this is a much more serious security risk than a mere webpage redirect. I think I’m going to clean install the OS just to be sure (not that my computer is really used for anything sensitive, but I’d prefer just not to have to worry about this). If I backup data to a separate HD, is there any chance that HD can reinfect the main drive (assuming MBAM, ZA, and AA all missed something)? Or do Trojans like these only remain a threat even after being removed because of potential changes made to the OS (and data/passwords gathered while they were present)? I guess what I am asking is whether backing up my data to a separate HD, reinitializing the main HD and reinstalling windows and all that involves, will guarantee a clean computer?
Comment by Carter — February 18, 2009 #
Guys, thanks so much…
First I did the steps and when I rebooted my comp and it started to go on again, I got the BLUESCREEN OF DEATH.
Oh my god, I was going freaky. I tried a second time, same; 3rd time it started normally and I got the log of Avenger…
Thanks, I really appreciate it!
Comment by TimmieBoy — February 18, 2009 #
Patrik,
My office computer is infected with the windowsclick trojan and it will not allow me to get to the Avenger website to download it… I asked somebody I work with if the Avenger website opened for them and they said it did. Also it’s preventing me from running any sort of spyware removal program (i.e. spybot). Please save me so I don’t lose my job!
Comment by Jeff — February 18, 2009 #
Patrik,
Thank you for all your help. Reading through all of the comments and your responses allowed me get this pesky thing off my computer.
It is really a shame that people with programming talent waste it on virus and such. This has wasted 3 days of my time working through this problem.
Comment by Jodie — February 18, 2009 #
Thank you very much for this posting. This was very helpful.
Thank you once again!
Comment by Shankar — February 18, 2009 #
Yes
Comment by Patrik — February 19, 2009 #
Jeff, try to download Avenger to another PC and after that copy it to your computer.
Comment by Patrik — February 19, 2009 #
hi there,
forget my last post!
IT WORKED!!!!! THANK YOU VERY VERY MUCH!!!!!
YOU ARE A LIFESAVER!!!!!!
the problem I had running Avenger execute was that Spyware Doctor was running so it would block Avenger from working,
I had no blue screen problem or anything
THANK YOU VERY MUCH!!!!
Comment by rish — February 19, 2009 #
You sir are my hero, I had to email the zip files from an uninfected computer since the trojan redirected away from those sites but it seems to have worked. Just wanted to thank you
Comment by Anton — February 19, 2009 #
I had a problem just installing and starting up programs like MBAM (Malwarebytes) or AVENGER. Not sure what is plaguing my system at the moment.. but one thing for sure is that it’s blocking executable programs. A trick if you have a problem like mine.. Add extension .bat to all programs that you want to install (executables). Also you can look for UACINIT.DLL in %system%/system32.
Comment by Pat Gallant — February 19, 2009 #
When I do a google or yahoo search I get the windowsclick.com redirect. I tried the steps above but I don’t see the UACd.sys under the non plug and play list.
Any help?
Comment by Brad — February 20, 2009 #
Brad, please follow these steps.
Comment by Patrik — February 20, 2009 #
Thanks a lot !!!!! great tips on how to remove this f*%cker! Did cost me a few hours but I’m glad I don’t have to reinstall the whole pc !!
Thanks again!
Comment by Mark — February 20, 2009 #
I can’t thank you enough! This worked like a charm after everything else I tried only removed bits and pieces. Clear instructions, and easy to use and follow.
Comment by Gayle — February 20, 2009 #
I have this problem – but both steps are causing trouble.
With step one, like many people here, my computer simply won’t restart till I do a “last successful start” – question: Does that undo the Avenger delete anyway?
With step 2: and this is probably my bigger problem, the MBAM program simply will not work. I downloaded it on another computer and installed it on the infected one, and I have followed a number of links on this site to trojans that may stop the problem, but they all need you to use MBAM, which doesn’t work. I’ve tried three of them, and they all cause the same problem with Avenger mentioned at one.
My friend suggested using AVG, which I did, and it found a lot of problems and quarantined them, but it hasn’t fixed this windows click.
Any suggestions on getting MBAM to work? I am not all that technically minded with this stuff.
Comment by Heath — February 20, 2009 #
Heath, you should use Avenger to remove the UACd trojan before running MBAM.
Comment by Patrik — February 20, 2009 #
Patrik, from my own experience, and those of so many on this site, we thank you for making a better and healthier world by reducing nausea, ulcers, upset stomach, hair-yanking, screech-inducing, and the several and the other human reactions to this infestation. Thanks!
Comment by John — February 21, 2009 #
Hey again Patrik, thanks heaps for all your help on here, it’s much appreciated.
The trouble I have though is that I can’t run Avenger – it runs and all but the computer won’t start back up – so like you’ve suggested I hit F8 and run last known good start, which gets the computer working again, but it appears that Avenger hasn’t been successful, and I don’t get the Avenger log that others refer to here.
Comment by Heath — February 21, 2009 #
Heath, please follow these steps.
Comment by Patrik — February 21, 2009 #
I skipped step one as I could not locate the file. I followed step 2 and it worked ..it cleaned the file. This virus had taken over the Google, Yahoo toolbar and was opening webpages that I had not selected. Thanks
Comment by Christian — February 21, 2009 #
Patrik, you absolutely rock! I thought my life online was over, but I followed your suggestions, and all is well again. The only thing I might add to the instructions is that it might be a good idea for everyone to change all passwords after running the fixes, just to be on the safe side. Many, many thanks for posting your solution!
Comment by Edwin — February 21, 2009 #
Thanks for pointing me to the driver stuff. I got this alongside msantispyware2009 when I was breaking my own rule incautiously browsing as an admin. (Firefox really needs an automatic update service….) I broke msas2009 badly enough that I could resolve anti-malware site names but something was still apparently changing Google search results to do windowsclick.com redirects.
I found I didn’t have a UACd.sys driver in device manager.
Booting the box off UBCD4win (my first time with that … looks quite handy) I found:
- I didn’t have a wJQs.exe file in system32.
- I had plenty of UACxxxx files — .sys, .log, .dat and .tmp — just where you said.
- One of them was uacinit.dll which looks like a legit file. But the date gave it away.
I found that my Windows started OK with all of these just removed. MBAM came up clean after that.
Thanks very much.
T
Comment by umacf24 — February 21, 2009 #
Step 2 worked great! Do I need to do Step 3 as a preventative measure or is it a needed step to remove the Trojan?
Comment by Doom — February 21, 2009 #
Just wanted to say thanks. I found this and tried it and so far so good.
Comment by Ryan — February 21, 2009 #
Thank you so much – this has been giving me the shits all day – my anti-rootkit found it but could not seem to remove it. Much appreciated
Comment by Emily — February 22, 2009 #
Thank you so much patrik! This worked perfectly. Think I picked up this sneaky little bugger when I was on deviantart.com on Friday.
Comment by AaronT — February 22, 2009 #
Patrik,
You have outdone yourself my friend. I couldn’t figure out exactly what was going on; I tried SmitFraudfx, Superantispyware, and atf cleaner without much resolve.
I realized why the new hardware icon kept popping up: because of the trojan file masked as a driver. But the system files revealed nothing.
The Avenger link and the text you provided worked wonders. The trojan was then recognized by AVG and I do not have the problem anymore.
Can’t thank you enough Pat!
Comment by Ryan — February 22, 2009 #
Spent all day trying to fix my computer then I found these instructions and they worked! I can’t thank you enough!
Comment by Gayle B — February 22, 2009 #
I just tried this and it seems to have worked. I think the Malwarebytes program also removed some other form of malware that was causing internet explorer (and Viewpoint) errors?
THANK YOU SO MUCH!!
Comment by Holly — February 22, 2009 #
Just in running the Avenger script got rid of this pesky Windowsclick bug.
I will certainly keep this site for future reference.
Thank you!
Comment by Ed H — February 23, 2009 #
Thanks for your time in this matter, the “windowsclick” issue was driving me mad, but with your help and friends’ time and computer all is fine once more!
Comment by Andrew — February 23, 2009 #
Cheers mate, perfect! : )
Comment by Cam — February 23, 2009 #
Finally – instructions that work!
What an annoying virus.
Comment by NF — February 24, 2009 #
I’m not sure what I’ve done wrong here, but somehow I’ve made my problem worse. I think I got rid of the windowsclick issue, but now our internet connection just does not move. Even though the windowsclick thing was annoying, at least my computer was usable. I downloaded and ran Avenger, but could not install the malware program. I have other spyware programs, would they be doing the same thing? Are my two other spyware programs interfering somehow? My virus protection comes up with the following viruses that it says it cannot quarantine: Trojan.Brisv.A!inf, TrojanHorse, Trojan.Wimad, Packed.Generic.200, and Hacktool.Rootkit. Any other advice? I’m about to spend $300 for Geeksquad… Thanks!
Comment by Kimberly — February 24, 2009 #
I believe this worked
but along with the above symptoms like the redirections, my computer would randomly freeze (I could move the mouse, but nothing responded to it)
does anyone know if the freezing is a result of windowsclick, like did anyone get the same freezes and fix it with the above?
it’s annoying having to save documents every 10 seconds because I’m worried about another freeze
Comment by John L — February 24, 2009 #
Kimberly and John, please follow these steps.
Comment by Patrik — February 25, 2009 #
Please check this forum page… it says even if system is cleaned your machine cannot be regarded as secure after this type of infection. The only safe thing to do is reformat! (which will be fun with a 400gig hd and a load of software…)
Can anyone confirm that this solution makes your system as safe as previous to the infection?
If you’re having trouble starting exe’s – rename them; this little bugger looks for Spybot, Malwarebytes exe etc. and stops them working.
Also I had a fully updated version of Kaspersky 2009 on XP SP3, Lavasoft Ad-Aware & Spybot S&D running; none of them found or prevented the infection, which makes me feel like shoving my large desktop PC right up Kaspersky’s A£$@…
Has anyone else been infected whilst using ‘paid’ & updated virus protection software?
rgds
Comment by Jay — February 25, 2009 #
FORUM PAGE MENTIONED ABOVE:
malwareremoval.com/forum/viewtopic.php?f=11&t=39353
Comment by Jay — February 25, 2009 #
I did everything as followed, just not step one because there was nothing in my driver as explained. I ran MBAM once more after infections were removed and it is virus free. Thanks for the help in removing this bad trojan. One problem, my internet connection won’t work now. I am using another computer. Any help?
Comment by Yvonne — February 26, 2009 #
For Everyone unable to access the internet via a 2nd PC or experiencing blue screens I have been able to disable the UACd.sys driver another way, this then allows Malware Bytes to run.
Boot to your XP installation CD and choose Repair using Recovery Console.
The command LISTSVC should show a list of services, including the hidden UACd.sys.
The command DISABLE UACd.sys will disable it.
A reboot will then restart the PC without loading this driver. It is listed as a boot driver and this is probably the cause of blue screens after avenger deletes it.
Unfortunately this only works on XP
Comment by Ben — February 26, 2009 #
Also noted Avenger has a driver disable instead of driver delete functionality, may help with BSOD as well
Comment by Ben — February 26, 2009 #
Yvonne, please follow these steps.
Comment by Patrik — February 27, 2009 #
Hi,
YOU are GREAT. You saved many, many hours of work with your excellent ideas and tutorials. I am not really a newbie, but I had trouble for more than 1 week with “Windowsclick.com” and, more unlikely, DNS Changer at the same time. Thank you for the help.
obelisk219
Comment by obelisk219 — February 27, 2009 #
Thanks a bunch for this article. The Avenger worked as it is said in the article, except the log said it did not find the C:\WINDOWS\system32\wJQs.exe
windowsclick.com doesn’t hijack my browsing anymore.
thanks
Comment by Sree — February 27, 2009 #
Brilliant, as many others I was considering a full wipe and reinstall!! Had to skip step 1 as no UACD drivers visible. Downloaded all the required progs on a clean comp, ran on mine and worked first time. Thanks a lot.
Comment by Rich — February 28, 2009 #
Same with Rich! I didn’t see any drivers with Step 1, so skipped it, and everything ran very smoothly! I can’t even begin to tell you how grateful I am!
System restore is now fully functional! Mozilla has no more problem opening anymore (no longer crashing)! Internet explorer is no longer being redirected to windowsclick.com! Everything is running very smoothly, in fact, the best it’s been in a very long time.
Before I followed your advice Patrik, I noticed how you gave advice to others who were having problems, and I can tell you really care and are very knowledgable about this subject. Your comments were really what encouraged me to try and fix this problem.
Thank you soo much! Oh, and one quick question: now that I have fixed everything, do I still need the Avenger and MBAM programs?
Comment by Esther — March 1, 2009 #
Esther, remove Avenger, but you can leave Malwarebytes Anti-malware and scan your computer with the program on a regular basis.
Comment by Patrik — March 1, 2009 #
What a relief! Thanks for the posting. I followed steps 2 and 3 and it seems to have fixed the problem.
I did deviate a bit: (1) I used another computer to download the programs and transferred them over using a USB drive. (2) I did not check for updates for mbam. (3) I renamed mbam.exe before I ran it. Thanks again!
Comment by Charles — March 1, 2009 #
This sounds like what I’m dealing with but there’s no VACd.sys in non plug and play drivers. Neither do I get 7.7.7.0 on screen. Can’t download Avenger from anywhere I’ve found. It’s blocked. Already downloaded Malwarebytes from your site, but it won’t run. Do I need to go buy software on disc to solve this? What do you recommend?
Comment by Ken — March 1, 2009 #
I started at step 2. I thought it may have been my newly installed router but it was the windowsclick.com. My two laptops were able to get online but not my desktop. My browser kept rerouting to windowsclick.com whenever I tried to connect to a web site. I used my laptop to download the corrective programs and they WORKED! THANKS SO MUCH! This COULD have taken 4ever.
Comment by Tina — March 1, 2009 #
Thank you very much for posting this and saving my system. I am very very grateful.
Comment by Nishant — March 1, 2009 #
Ken, looks like your computer is infected with the wdmaud.sys trojan. Read the article How to remove Google searches redirect virus 7.7.7.0. If you can’t download Avenger, then you can remove c:\windows\system32\wdmaud.sys manually.
Comment by Patrik — March 1, 2009 #
Thanks for posting the solution! Like several others I didn’t have the UACd.sys driver mentioned in step 1. Step 2 ran as said. Step 3, ahem, found a few more infections (around 40, yikes) and promptly swatted them.
Comment by Richard — March 2, 2009 #
Thanks so much for this. This just saved me and my co-workers so much time. Just bookmarked this site for future use.
Comment by MBraedley — March 2, 2009 #
You know how I got to this page without the redirect?
Google Chrome! My Saver!!
x)
Comment by Timmieboy — March 2, 2009 #
I’m not getting a 7.7.7 redirect message. I’m getting waiting for: windowsclick.com or bitdefender.com or stopzilla.com or couponmountain.com, then spam websites with any Google search relating to anti-virus or malware. The thing let me download pandasecurity.com, but it didn’t work. It also let me download “BOClean” from Comodo.com, which also didn’t work after download. (Who do you trust?) My system32 file includes a file called wdmaud, but no wdmaud.sys file. What next?
Comment by Ken — March 2, 2009 #
Ken, have you tried the instructions (above)? If yes, then follow these steps.
Comment by Patrik — March 2, 2009 #
Patrik,
I’d love to download Hijackthis, but virus blocks access to any such download. I just get Explorer cannot display this screen message.
Comment by Ken — March 2, 2009 #
THANK YOU!!!
Comment by Sarah — March 3, 2009 #
Ken, can you use another computer for downloading antispyware software?
Comment by Patrik — March 3, 2009 #
Brilliant! With a lot of patience (only Avenger was able to run on the system, copied from another pc and started from a usb stick) I managed to get rid of this nasty thing.
THANKS A LOT!!!
Marc
Comment by Marc — March 3, 2009 #
Whatever you’re selling, I’m buying! I was on the phone with Microsoft support for two days trying to get rid of this. I found your site through Dogpile (couldn’t use Google) and truthfully, I was nervous about using it, wondering if it was a scam — particularly after Avenger wouldn’t open, and my Dell computer deleted it from an e-mail as dangerous. I opened it with a zipdrive and went through the process, skipping step 1 because no UACd drivers showed up. Again, I’m thrilled!
Comment by DavidKnows — March 3, 2009 #
um, what do I do if step 2 and 3 are not working (like most everyone else, step 1 won’t work for me because I cannot find the driver)
i.e. the link in step 2 will not pop up – shows a failing site. When I tried the link on another computer (w/o the windowsclick virus that is), it worked. Step 3 also did not allow the pop up. By the way, I have enabled pop-ups so I don’t know what’s wrong…
Comment by faye — March 3, 2009 #
On step 2 where you say to download avenger “here”, when I click on the link it doesn’t open anything up. Please help! Thank you!
Comment by tony — March 3, 2009 #
Hi,
On Step where you advise to click ‘here’ to download avenger..it is a dead link on my computer. any advice?
Comment by tony — March 3, 2009 #
Patrik, Fantastic ‘how to’ guide, many thanks for the instructions – followed them exactly & it worked perfectly – computer is now finally back to normal!
Phil
Comment by Phil — March 3, 2009 #
Tony, just checked the link to Avenger, it’s good for me. Use another computer for downloading antispyware programs.
Comment by Patrik — March 3, 2009 #
Hi Patrik-
For some reason when I used Internet Explorer (the most recent version) I was not able to open the link… however I used Netscape and it worked. THANK YOU VERY much Patrik. I was on the phone with Microsoft for 3 hours today… they still didn’t figure it out. I used this program and it took 3 minutes… thank you!
Comment by Tony — March 3, 2009 #
If anybody wants to get in contact with these trojan bastards, here is the whois for windowsclick.com:
Elliott Cameron
15180 Western Springs
Reno, NV 89521
+1 775-851-7682
Comment by chad — March 4, 2009 #
I spent 2 weeks trying to get rid of this damn trojan. If I’d started here first, it would’ve taken 3 minutes. What a lifesaver!
Comment by RD — March 5, 2009 #
Yeah! Norton wanted $99 to fix this, even though I pay for their AV software. I only had to do step 2, but had to download the avenger file to a thumb drive. Then Spyware Doctor found the threat, which Norton and Spyware did not find before, so I didn’t have to do step 3.
Thanks, I can quit obsessing over this nuisance!
Comment by TT — March 5, 2009 #
Hi,
Awesome guide, followed first 2 steps without a problem, installed mbam but it will not run. Any ideas?
Comment by Al — March 5, 2009 #
Al, please follow these steps.
Comment by Patrik — March 5, 2009 #
OMG!!! you all so awesome i love you guys so much. no more irritating windowclick annoyance for me. i couldn’t follow step 1 cause i couldn’t find it, but step 2 and 3 work a charm. WOOHOO IM HAPPY *does happy dance*
Comment by AJ — March 6, 2009 #
What AJ said! I’m dancing too, and done obsessing. It’s a wonderful thing you do, Patrik. Thanks soooooo much.
Comment by Ken — March 6, 2009 #
great guide, thanks +
Comment by ts — March 7, 2009 #
I was having the same problems on my daughter’s machine and it took me a while to figure out what the problem actually was, but once I did, your advice worked perfectly.
The redirects were annoying, but even worse was not being able to run any software to find out what the heck was going on! That was driving me NUTS!!
Thanks for this. It saved me a complete re-format, which I was getting very close to doing!
Comment by Steve — March 7, 2009 #
I have been to several sites claiming they have a ‘fix’ for this Trojan, but all were useless. I couldn’t open the programs they wanted me to use, as it was blocked by the virus, therefore spent hours researching and trying, researching and trying….
Using the method above, upon the first reboot it sent the computer into a loop of rebooting and trying to fix the C:\… but I restored to previous settings, it scanned, loaded… and the damn trojan was deleted! Am running Malware now (which wouldn’t load before) and finding all sorts of nasty things.
Thank you thank you thank you.
Comment by Cass — March 7, 2009 #
I have the windowsclick problem in Internet Explorer and Firefox.. I ended up uninstalling Firefox and using Safari [which was already installed]. I had Malwarebytes already installed too, just now it doesn’t open and I don’t know what I’m supposed to rename anyway.. I downloaded avenger and everything went fine until the reboot, my computer was off for a second, and then it started up again but got stuck on the \
Comment by Roya — March 8, 2009 #
My post got cut off for some reason. Here’s the rest:
Windows XP Media Center Edition screen with the loading bar for a couple of minutes, and then the screen would go back again, start up and get stuck on the XP screen again in a circle for 20 minutes.. the same thing happened the next 2 times I tried after resetting the power with the surge protector. The third time I pressed F8 continuously and selected the last known good configuration and it worked but nothing has changed and avenger is still on the desktop with no logs or anything.. I don’t know what to do
Comment by Roya — March 8, 2009 #
It won’t load the site to get avenger off of. I can load the malware but it won’t open up when I try to open it. Please help
Comment by Adam — March 8, 2009 #
Roya, please follow these steps.
Comment by Patrik — March 8, 2009 #
Adam, try renaming avenger.exe to myapp.exe and run it again.
Comment by Patrik — March 8, 2009 #
Followed instructions from this site in downloading Malwarebytes and changing the name of the setup file and the exe file. Worked great!
channelprosmb.com/blog/entry/1468/Web-Browser-is-being-re-directed-to-windowsclick.com/
Comment by jj — March 8, 2009 #
You guys are awesome…. worked just like described. Thanks a million.
Comment by Rob — March 9, 2009 #
I downloaded the avenger program, and I pasted the script in the text box. It didn’t let me delete the drivers. I am still having trouble.
Comment by Justin — March 9, 2009 #
Thanks for your advice. This was very annoying and couldn’t remove from my computer. Great site
Comment by jamie — March 9, 2009 #
In the past week I have encountered three computers that had the UACd.SYS loading. All three also had Antivirus 360 loading. AV360 is easy to stomp & using Avenger & Malwarebytes, I got rid of the UACd. I also cleaned the registry info showing “disallowed” sites. I made sure that all the UAC*.* files in the system32 folder were gone. Now that the machine behaves itself & all seems to run fine, I find another problem. The UACxxxx.dll that was deleted is showing up in Norton 2009 as “Packed.Generic.200” every time I reboot. The file isn’t there anymore. I have re-run Avenger & it cannot find it. All views are enabled in explorer & I cannot find it. I can boot to Wininternals & still can’t find it. Is Norton just crazy or is it still there somewhere? I have reformatted two of the machines to get rid of it but I really need to figure out how to fully resolve the issue.
I have been cleaning viruses for over 20 years.
This bug is kicking my butt!
Any Ideas?
Comment by Ed — March 9, 2009 #
Ed, please follow these steps.
Comment by Patrik — March 9, 2009 #
thanks so much for this! extremely helpful
Comment by Stephanie — March 10, 2009 #
Worked great! Thanks
Comment by Tony P — March 10, 2009 #
Dear Patrik,
thank you so much for your help. All the processes worked really well. Your website is extremely helpful, indeed.
Comment by Peter — March 10, 2009 #
Where would I rename it at? I am confused on where I would put the myapp.exe at. It won’t let me even access the swandog website for avenger.
Comment by Adam — March 10, 2009 #
Patrik,
You are my hero and I owe you a huge favor. I ran thru the steps and my PC is my own again.
THANK YOU!!!
Comment by DempsDawg — March 11, 2009 #
Patrik, this was a lifesaver. Everything worked great – the instructions were so helpful and using my computer is fun again. Thank you so much for working on the side of good and not evil
Comment by Vanessa — March 11, 2009 #
Patrik, when I tried to run Avenger I got an Error code – Could not register clean up . Aborting excution! Is there something I can do to resolve this? Thanks
Comment by Jas — March 13, 2009 #
Jas, please follow these steps.
Comment by Patrik — March 13, 2009 #
Please note in my entry above 10 minutes ago, I did not type the extra backslashes shown, it looks like each time I entered incorrect 4 digit security code the system generated extra characters. Here is what I typed: SUCCESS! REMOVED windowsclick.com (for search engines) I had this virus, and MBAM did identify all the files above, but showing hidden drivers did Not show UACd.sys, or C:\WINDOWS\system32\wJQs.exe (I had set all files inc system and hidden files to be shown). Thanks to Comment by Derek — January 28, 2009 # and PATRICKS’s reply I continued. And also Thanks to ED and FishersFritz.
You have shown how to remove windowsclick.com (for search engines)
Comment by Gary Hall — March 14, 2009 #
this worked like a charm. i can’t thank you enough.
Comment by Mike — March 14, 2009 #
These instructions worked perfectly! I have been trying to get rid of this virus for a few days and finally got rid of it! Thanks a lot!
Comment by Javier — March 15, 2009 #
Thanks sooo much for the simple instructions and your knowledge!!! I had a few issues noted in the comments above: I didn’t need step 1. My computer even appears to be running faster now. It’s great! Now, how do I donate to your site?
Comment by Brian W. — March 15, 2009 #
THERE ARE THREE DIFFERENT BINARY VERSIONS OF MBAM V1.34 FLOATING AROUND THE NET!!!
BEST TECHIE:
http://www.besttechie.net/tools/mbam-setup.exe
BLEEPING COMPUTER:
http://download.bleepingcomputer.com/malwarebytes/mbam-setup.exe
DOWNLOAD.COM:
http://download.cnet.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html?part=dl-10804572&subj=dl&tag=button
WHO CAN WE TRUST???
MBAM’S WEBSITE LINKS TO DOWNLOAD.COM. THE TWO YOU GIVE LINK TO VERY QUESTIONABLE SITES, AND EACH GIVES A DIFFERENT BINARY. WILL THE REAL MBAM V1.34 PLEASE STAND UP!
Comment by Cor'e — March 16, 2009 #
All links are ok.
First and second sites are affiliates of Malwarebytes.
Comment by Patrik — March 16, 2009 #
Hello,
I did a search for the wjqs.exe file, and the search found it in the system32 folder. So, I ran the script in Avenger and after restart, the Avenger log said that it hadn’t deleted the .exe file because it didn’t exist.
I ran mbam and it found and deleted a few instances of trojan.bho and trojan.agent.
I searched for the wjqs.exe file again, and the search found it in my Local Settings\Temp folder.
Should I change the script to that path to have it delete the file?
Thanks,
Mike
Comment by Mike B — March 20, 2009 #
Alright then… here’s my story (Although I didn’t finish reading through the comments above).
I got this virus a few days ago.. well, a week at the most. All it would do (as far as I could see) was redirect the first google result to windowsclick.com, then some random adware site (mostly a fake pornography streaming site). But it was getting very annoying, so I decided I’d follow the steps on here. Step one; Nothing showed up. Step two; Worked.. but then something weird happened, after my PC rebooted, windows was unusually SLOW, VERY VERY, EXTREMELY SLOW. The apps that would open upon windows starting, would take several minutes to appear on my taskbar. Firefox took 20 minutes to open. Websites would take about 5 minutes to load, (Firefox would freeze for long periods of time though) and everything was just very slow. I tried rebooting a few times, things seemed the same. Then I tried installing MBAM, got some errors. Rebooted into safe mode, installed MBAM successfully and scanned. Got 3 malware warnings, successfully deleted. Went back into normal mode, still VERY slow. I’ve been looking around for a while at how to fix this, I see no possible solution. I’m backing up my documents and such, as I will be attempting to reinstall windows… I hope I’ve got all my drivers.
Wish me luck!
By the way, google no longer redirects to windowsclick.com, so I guess it did fix it in a way
Comment by Daniel C — March 21, 2009 #
For the last two days, you are my best company…
No words are enough to show my appreciation of your help.
Your plain guidance and patience helped me to heal my com from this thing.
Send you a sunshine and many many kisses from Greece!
Comment by Natalia — March 21, 2009 #
Mike, you can manually remove the file, also you can ask help at our forum.
Comment by Patrik — March 21, 2009 #
Daniel, good luck
Comment by Patrik — March 21, 2009 #
Patrik,
Thanks so much for your wonderful help for me and others!
Mike
Comment by Mike B — March 21, 2009 #
this was a life saver!!! thanks for your awesome help!!!!
Comment by Cherie — March 21, 2009 #
Like others in this thread, I couldn’t get the MBAM program to install. When I first downloaded and then copied mbam from a good pc on to the infected pc desktop, the install file would not even run. I tried a few things and then simply changed the name of the install file by adding a character on to the end of the name, and then ran it again, and it installed the MBAM program on the pc, putting a shortcut on the desktop. Then when I tried to use the shortcut to run MBAM, it would not run the program. Instead of using the shortcut, I went to the \
Comment by Steve — March 24, 2009 #
continued… Instead of using the shortcut on the desktop, I went to the C:\Program Files\Malwarebytes folder, and changed the name of the program file from “mbam” to something else (I used my name). When I tried to run it, it then worked just like STEP 3 said, and ELIMINATED THE VIRUS. The trick I found is to change the names of these files, because the virus must recognize the standard names.
Thanks, Patrick, for the help.
Comment by Steve — March 24, 2009 #
THANK YOU VERY MUCH!!! These directions and links to the programs were awesome. I was getting so annoyed and upset with the windowclick stuff. U are my hero. THANK YOU !!
Comment by Clint Sully — March 24, 2009 #
Is there any other way to remove this uac infection or to diagnose it.. using command line… since not able to go on internet and not able to use avenger.exe..
It will be Gr8 if you can give some kind of solution for this…. any technical way to use command line to detect uacd.sys infection.
regards
Raj
Comment by Rahul — March 25, 2009 #
Without running any tool or any antivirus software, how can I get a list of files that are there in the computer? Some entry in registry or somehow file name on command line.
Thanks.. looking forward to your kind suggestion.
ASAP.
Regards
Raj
Comment by Rahul — March 25, 2009 #
Raj, you can use Recovery console for disabling UACd.sys driver. Read more about Recovery console here.
Comment by Patrik — March 25, 2009 #
Thank you so much!!! Your easy to follow instructions did it! I did an extensive research online trying to determine how to get rid of this annoying re-direct and your step-2 is what did it! Now even Malwarebytes is back to normal scanning… Thanks for your help!!
Regards,
Alex
Comment by al — March 25, 2009 #
You lot are bloody brilliant. I was beginning to lose faith in computer techs in general. Just an aside: people who use these redirects deserve none of anyone’s business, money or time; take note of where you are sent as they are buying into these schemes and are partially to blame.
Thank you again
Comment by Ex-Bootneck — March 25, 2009 #
Thank you so much for your instructions, had to go straight to step 2 then got the ‘blue screen’ with the error message on the first reboot but after the second one was able to use the malware program which I had downloaded earlier. Have now gone straight from Google to here! I am a complete novice on computers and do not have a clue beyond the usual desktop applications so thanks so much for helping me fix this without enlisting outside help!! Fingers crossed I have done it.
Comment by caz — March 26, 2009 #
Wow – I’m shocked, and lost neither life or limb using the marvelous AVENGER trojan removal tool. Whoever posted these instructions – thank you – I couldn’t figure out what was going on, my PC so slow, the redirects from google etc. Goodness knows what info could have been compromised or stolen or electronic banking done before I figured out what was going on!
Again, my thanks and gratitude.
Comment by Robbie — March 26, 2009 #
HELP HELP
Got infected with this trojan… I was trying to find out how to get rid of it.
But my PC, DELL, XP won’t even fully start.
Trying to boot in safe mode (F8) only have a normal start.
Comment by Ray — March 27, 2009 #
Now booted finally.
Nothing with step1,
Did not find wJQs.exe.
I found UACfreoclbd.sys
Should I remove this one… very suspect since it is a very recent .sys and I haven’t installed anything then.
Comment by Ray — March 27, 2009 #
I searched for UAC*.* files with normal search… could not find them.
Then I downloaded Malwarebytes… and could not install or load it… in a another web site I found the trick. Just rename the installer & also the mbam.exe itself otherwise you won’t get started at all.
Do your scan and now it sees the UAC* files, and a bunch of other nasty stuff by the way.
…. and the miracle happened. GONE !!!
hours lost. GREAT POST !!!
Comment by Ray — March 27, 2009 #
Ray, skip the first step and go to step 2.
Comment by Patrik — March 28, 2009 #
Thanks a million,
removing the uacd.sys with Avenger was the key! I regained control over my PC after days of struggling! Thanks again.
Greetings from the netherlands
Comment by JB27 — March 28, 2009 #
Installed Avira which picked up the files and quarantined them but still had the problem. Then used Avenger as stated in step 2. On restart, Avira automatically stopped and allowed me to delete each file I already had in quarantine. Went to search and all was fine. Rescanned with Avira which found a couple more and quarantined. Thanks.
Comment by drew — March 31, 2009 #
DUDE!!!
You are a genius!!!!
Greetings from Montreal!
Comment by Marko — March 31, 2009 #
Thanks Very Much Patrick!
The avenger trick stops this one in its tracks as allows Malwarebytes and my Kaspersky to remove it!
I shall mention that this UACd.sys trojan caused the following problem so as to help fellow sufferers, (maybe google will pick it up):
When trying to access a USB Stick I constantly got the following error
The maximum number of secrets that may be stored in a single system has been exceeded
I was searching for fixes to this problem specifically, until I noticed weird UAC reg entries and a Uacinit.dll file in a file called AVENGER (this was previously undeletable) on the C:\ drive prior to even reading the above and before downloading the Avenger program!!! Weird (hopefully not a ploy) but true.
This trojan (for me) came with the lovely WinPC Defender malware program which somehow got onto my system.
NASTY! but you have saved me reinstalling xp and many many more hours stressing.
THANK YOU
Comment by Matt — April 1, 2009 #
Oh and here’s a relevant post on virus list…
http://www.viruslist.com/en/weblog?weblogid=208187548
This is the kaspersky definition of the trojan I had:
Trojan-Downloader.Win32.Fraudload
All sorted…Thanks again.
Comment by Matt — April 1, 2009 #
Used your information to get rid of windowsclick problem and it worked GREAT and was VERY EASY !!!
Thanks for your help
Comment by Todd — April 3, 2009 #
Okay, so I didn’t have either of the files in step 1.
I downloaded avenger, and when I type C:\WINDOWS\system32\wJQs.exe or uacd.sys in Avenger, I receive a message stating:
Error: Invalid Script. A valid script must begin with a command directive. Aborting Mission!
*sigh* I’m so sick of this silly trojan! Please help me… Thank-You So much!
Comment by Rebecca — April 3, 2009 #
THANK-YOU!!!
I tried following the steps you’ve posted and it wasn’t working for me… I almost completely restored my computer. But, something was telling me that I wasn’t doing something right because so many people have had success… Okay, I’m rambling, sorry. Long story short, I didn’t realise that you have to type Folders to delete: or post another command in front of what you want to delete. So, I copied and pasted the data you have here and now my computer is working WONDERFULLY and I don’t have to deal with the annoyances of windowsclick.com or the headache of having to reinstall everything after a computer restore. THANK-YOU, THANK-YOU, THANK-YOU!
God Bless!
♥ Rebecca
Comment by Rebecca — April 3, 2009 #
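The mistake described in the two comments above (pasting a bare path or driver name, which Avenger rejects because a script must begin with a command directive) can be caught before the tool is run. The check below is an added example, not part of the original comments and not Avenger's own code; it recognises only the three directives quoted on this page, treats file and folder entries as needing a full path, and all function and variable names are hypothetical.

```python
"""Pre-flight check for an Avenger input script (added example, not Avenger code).

Assumptions: only the three directives quoted on this page are recognised
(Avenger accepts more), and file/folder entries must be full paths, as the
page's own entry is. All names below are hypothetical.
"""
import re

# Directive text exactly as it appears on this page -> kind of entry expected.
KNOWN_DIRECTIVES = {
    "Drivers to delete:": "driver",
    "Files to delete:": "path",
    "Folders to delete:": "path",
}

FULL_PATH = re.compile(r"^[A-Za-z]:\\[^\\]")  # e.g. C:\WINDOWS\...
DIRECTIVE_TEXT = re.compile(r"(drivers|files|folders) to delete:", re.I)

# Constructed sample: the script from the removal steps, one item per line.
SAMPLE_SCRIPT = (
    "Drivers to delete:\n"
    "UACd.sys\n"
    "\n"
    "Files to delete:\n"
    "C:\\WINDOWS\\system32\\wJQs.exe\n"
)


def lint_avenger_script(text):
    """Return (entries, problems) for a pasted script.

    entries  -- (directive, value) pairs that parsed cleanly
    problems -- human-readable findings; an empty list means the script
                starts with a directive and every entry fits its directive
    """
    entries, problems = [], []
    current = None   # directive currently in effect
    has_entry = {}   # directive -> True once at least one entry follows it

    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        if line in KNOWN_DIRECTIVES:
            current = line
            has_entry.setdefault(line, False)
            continue
        if current is None:
            # The case from the comment: a path or name with nothing above it.
            problems.append(f"line {lineno}: '{line}' comes before any command directive")
            continue
        if DIRECTIVE_TEXT.search(line):
            # Copy/paste that lost a line break, e.g. "UACd.sysFiles to delete:".
            problems.append(f"line {lineno}: directive text inside an entry "
                            "(lines run together or wrong case)")
            continue
        if line.endswith(":"):
            problems.append(f"line {lineno}: '{line}' is not a directive this check knows")
            continue
        kind = KNOWN_DIRECTIVES[current]
        if kind == "path" and not FULL_PATH.match(line):
            problems.append(f"line {lineno}: '{line}' is not a full path")
            continue
        if kind == "driver" and ("\\" in line or "/" in line):
            problems.append(f"line {lineno}: driver entry '{line}' looks like a path")
            continue
        entries.append((current, line))
        has_entry[current] = True

    for directive, used in has_entry.items():
        if not used:
            problems.append(f"'{directive}' has no entries under it")
    return entries, problems


if __name__ == "__main__":
    parsed, findings = lint_avenger_script(SAMPLE_SCRIPT)
    for directive, value in parsed:
        print(f"{directive} {value}")
    for finding in findings or ["no problems found"]:
        print(finding)
```
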
Whew, I came very close to reformatting. I tried several other cleaners and wasted cash on the highly recommended ‘Spyware Doctor’, but to no avail.
I didn’t have the file in step one. So from step 2, I downloaded avenger and Malwarebytes onto a memory stick on a different machine and renamed them. I copied the files to my desktop installed, run them and hey presto! Got the buggers!
You have been a great help. Thank You!
Comment by Kofi — April 4, 2009 #
YAY!!!!! thankx ALOT, i was struggling trying to remove this shit from my computer… i dont know how i got this fucking virus but im glad its gone. Again, thanks a ton. For those people who are reading these messages and thinking that this will just further mess up your computer, forget that, download and install the software above, run the script and say bye bye to those pesky redirect viruses. anyways godbless the interweb and fuck the programmers who write these damn viruses..
Comment by Mario — April 5, 2009 #
Thanks for your great advice. Your site is brilliant. Followed the instructions and it worked perfectly. (Mbam hadn’t installed properly when using advice from other sites.) Suggestions on this site helped me – I downloaded the setup file to a new folder called abc and renamed it abce.exe. The virus has now been completely removed. Do you recommend malwarebytes full version as an all-purpose virus checker?
Comment by eamon — April 6, 2009 #
Malwarebytes full version is a very good antispyware program, but you should also use a good antivirus.
Comment by Patrik — April 6, 2009 #
I would like to thank you for this information. I followed your Avenger recommended steps and it worked like a charm.
I suspect the source of infection came from a website linked in a Yahoo! News story. Wouldn’t be the first time a hyperlinked site on there has downloaded something on a computer.
Comment by Scott — April 7, 2009 #
Thanks guys, info here is really useful
my antivirus wasn’t working properly till I followed your advice
Thanks again
Comment by Rob — April 7, 2009 #
OMG thank u guys sooo much. I HATE viruses lol. Peace and love
Comment by Albert — April 9, 2009 #
Patrik,
I bow to you, sir. I cannot thank you enough. I am so grateful. As had so many others, I had tried everything I knew for two weeks with no success, but I followed your instructions shown above, and like several other users experienced, the driver- UACd.sys trojan driver- did not show in the first step, but the rest of it worked beautifully. Thankfully, it was on a friend’s pc, not mine, and all of his malware protection was very out of date. Thanks, again. The world needs more people like you. I have a question. I only learned of Malwarebytes while researching/trying to get rid of this virus. I have been using Trend and have realized it is very weak. I notice software and free scanner programs mentioned on your site. Would you mind telling me which systems you recommend- specifically, as your site lists several of many of the same type products. And are rootkit finders/killers, and all the new-to-me products I only became aware of researching the removal of windowsclick necessary? Or am I safe enough just running malwarebytes and whatever? As you can tell, I am not very advanced and am begging for your guidance. I want to be protected, but it seems like we can take our defenses to an unnecessary/overkill level. Please let me know your thoughts. Thanks again, very much.
Comment by Rick — April 10, 2009 #
Rick, read the topic.
Comment by Patrik — April 11, 2009 #
Before coming here, I ran Symantec antivirus and Ad-Aware in safe mode, and deleted all history, cookies, etc. on both Firefox and IE. It seemed to fix the problem for Firefox, the redirect stopped being an issue. But IE still didn’t work. I ran Hijackthis but it found nothing (at least not that I could tell). Then I came here, and skipped step one since it wasn’t visible. Avenger and MBAM found and deleted the UAC trojan.
After working on this for 4 hours today, it’s nice to feel relief once again (I don’t know how some of you who posted here went for weeks with this trojan). Thanks Patrick.
Comment by Jarom — April 11, 2009 #
I was sooo close to giving up on this one and reformatting!!
Even tho UACd.sys wasn’t visible in device manager, the fix worked!!!
THANKS!!!
Comment by Enio — April 14, 2009 #
Thanks a lot guys, this one was a real pain in the *%ss.. It even affected my Avira Profesional Rootkit. Your solution worked like a charm.
Again many many thanks!
Comment by JanRoelof — April 15, 2009 #
Client got this trojan. He was panicking all over the place !
Glad I didn’t immediately format the PC. Now the problem was over in like half an hour
Good tut ! Nice job, Patrick !! ^_^
Greetings from the Netherlands
Comment by PG — April 17, 2009 #
Thanks a lot for the guide!! It worked flawlessly. After following the instructions of the useless technical service of ESET-Nod32 and wasting over a day scanning my PC, in just fifteen minutes I got rid of the annoying “windowsclick” trojan.
Thanks again!!!!!!!!
Comment by Alberto — April 17, 2009 #
Thank you Patrik,
This annoyance has made its way to Australia. I tried step 1, but it didn’t show up in the Non Plug and Play drivers. So I tried Step 2 and the virus disappeared immediately. Incredible! All hail Avenger.
Comment by Bern — April 23, 2009 #
You did more than save my computer, you saved my business. It took 5 solid days, numerous malware programs, reg editors etc etc, nothing worked, no antivirus programs, Nothing!! Avenger worked a treat. Thank you so much for your help. THANK YOU !!!!!!!
Comment by Paul — April 27, 2009 #
Thanks a lot, your website saved my computer and my sanity, and probably me from murdering someone.
Thank you VERY MUCH.. the instructions on this website take care of this Virus/Ad/Google rapist perfectly..
I actually had to find this page and email all the links to myself so I could download them onto the infected PC..
Thanks Again, you’ve done a great service for humanity
Comment by anonymous — May 5, 2009 #
I’d had this windowsclick for a few months…it was driving me mad, computer kept freezing when i logged on. Not knowing much about computers and being at my wits end i tried your suggestion. It has worked a treat, i had to skip step one as well. but it worked beautifully. MASSIVE THANK YOU
Comment by anonymous — May 7, 2009 #
Okay, I am baffled – can anyone explain why I have this trojan (yes, I honestly have it) but the file UACd.sys which is supposed to exist under NON PLUG & PLAY DRIVERS does not? Even a search comes up with zero results. Has it renamed itself?
Comment by Biff — May 7, 2009 #
Biff, skip 1 step.
Comment by Patrik — May 7, 2009 #
Worked perfectly – Thanks
Comment by Kevin — May 8, 2009 #
Thanks to Patrik and so many others – I was finally able to remove the windowsclick trojan after several tries and retries. Like so many others, step 1 didn’t find the driver, and my advice to others is to read through all the comments before you dive in – you may save yourself some time.
I do have one question – I now have AVG, Spybot S&D, and MBAM all loaded on my PC – will this cause system conflicts? I paid for AVG and was in the process of working back and forth through several e-mails with their technical staff – then Googled “windowsclick” at work and found this site and decided to proceed with the advice here. Also, I had not been able to run Spybot in recent months, even after deleting and reinstalling – but after running the processes here successfully, was able to launch Spybot again!
Thanks!
Comment by Dan — May 8, 2009 #
Thank you so much!!! Without your help, I could have been in trouble since it was my work computer that was infected.
Comment by Benito — May 8, 2009 #
Thank you so much for going to the trouble of putting together such a detailed and EFFECTIVE solution to this trojan!!! It saved me a ton of headaches!
Comment by Wes — May 8, 2009 #
Dan, if you are using the full version of MBAM (with autoprotection), then it is better to keep only one antispyware program (SpyBot or MBAM).
Comment by Patrik — May 8, 2009 #
Thanks Patrik. I only downloaded the free MBAM, so don’t think I’m using the full version. Would the full MBAM version offer everything currently included through AVG?
Again, thanks for all your help!
Comment by Dan — May 9, 2009 #
MalwareBytes Anti-malware full version features scheduled scanning, scheduled updating and real time protection to ensure protection from installation or re-installation of potential threats as you surf the Internet.
AVG – antivirus program, MBAM – antispyware program.
You can use AVG + MBAM, or AVG + SpyBot.
Comment by Patrik — May 9, 2009 #
Patrik,
I went through step number 1 and did not find the driver in the plug and play. I downloaded and ran Avenger in step number 2. I have Malwarebytes installed on my machine but it will not start. Both Malwarebytes and Spybot will not run. Is there something else I need to do before this will work?
thanks in advance,
Huy
Comment by Huy — May 10, 2009 #
Probably you have a new variant of UACd.sys trojan infection. Please follow these steps.
Comment by Patrik — May 10, 2009 #
Hmmm, followed the instructions and all seems good, just the 63 malware items found on my kids’ laptop!
Thank you.
Comment by Patrick — May 12, 2009 #
I LOVE YOU!!! THANK YOU THIS WAS CAUSING ME RIDICULOUS PROBLEMS!!!THANK YOU!
Comment by Phil — May 13, 2009 #
thankyou Patrik.
guys like u are the angels in the cyberspace, superheroes who save ppl like us from such demons.
Comment by Riq — May 14, 2009 #
thanks for all the input. I finally got it. The name change did the trick.
Comment by Pat T — May 17, 2009 #
Absolutely the best and clearest instructions. Worked like a charm and am having no problems since.
Even tho you are asked to download these things they are so worth it and are completely spam free!
Comment by Mike — May 17, 2009 #
Thanks so much for posting this, the instructions were great. I had to skip step one but after running through 2 and 3 no more problems.
Many thanks!!!!
Comment by Hayden — May 18, 2009 #
Thanks for this page. I am fixing a friend’s Windows XP, and found your info very helpful.
I migrated to Apple Mac a couple of years ago myself, and have never looked back. Fixing my friend’s Windows XP just reminds me of yet another reason I love OS X. To anyone thinking of migrating to the Macintosh platform, I highly recommend it. Cheers, Tim.
Comment by Tim — May 18, 2009 #
Thank you so much for sharing your knowledge.
FTR – when downloading MBAM, running it after saving it to my desktop did not work. However I deleted that downloaded file and simply chose the “run” option when downloading again and it worked out perfectly. Everything looks to be back to normal – thanks again!
Comment by Marc — May 18, 2009 #
Hello all, I noticed this windowsclick problem just two days ago, and already my pc has shot itself. I am using a separate pc just to post in this forum because I can not run Internet Explorer – it just opens, then freezes my pc, and I have to turn it off manually. I also noticed a viewmgr.exe startup message appearing, stating that viewmgr.exe has encountered a problem and needs to close. How can I get rid of this malware when I can not access Internet Explorer to download any antimalware program such as Avenger???
Comment by SIMON — May 19, 2009 #
Download Avenger to another computer, then copy it to the infected PC using a CD or flash disk.
Comment by Patrik — May 19, 2009 #
just like to say thanks for all the help you have given to us all, this is a great site and if i have anymore problems this will be the first site i will visit
Comment by brian — May 19, 2009 #
Thanks so much – solved my problem. I had to go to safe mode to install MBAM, but it seemed to work. I also had the initial crash before I could even log in, but a 2nd reboot worked.
I will have to now go and see how I can donate money to this site – you saved me time and money!
Comment by Colleen — May 19, 2009 #
MBAM picked this up, but I couldn’t see that hidden driver mentioned in step 1. Instead, I’ve followed the advice here:
forum.avast.com/index.php?action=printpage;topic=44103.0
and things are definitely improving:
- can run MBAM directly without having to rename it,
- browser redirects have gone.
However, the registry key keeps coming back, so still need to deal with that.
Comment by Matt — May 20, 2009 #
This looks very promising so far:
forum.avast.com/index.php?action=printpage;topic=44103.0
still seeing a UAC registry key, though.
Comment by Matt — May 20, 2009 #
Thank you very much indeed for the help!
I tried Malwarebytes but it wouldn’t run, even when I renamed it slightly. Avenger sorted it out for me instantly. I only managed to locate the info on here as I also have a Yahoo search toolbar (which still ran ok) that was added as part of my AVG 8.5. Google was totally disabled/hijacked by windowsclick.com
Thank you once again.
Comment by nic — May 23, 2009 #
This seems to be working thus far…
Here is a list of programs that it either inhibits or stops altogether. A good way to tell if you have this =)
- PowerIso *it will say that the Virtual drive manager is not properly installed and that you should reinstall it. Upon reinstall it will continue to give you this message.
- Spybot S&D
- Malware Antimalware – you can rename the exe and get it running. But without doing these steps it may not find anything.
- Multimedia Fusion developer edition
- Internet Explorer (redirects)
- EPSON programs
- quick scan etc
- System Restore – BIG PAIN IN THE butt!!
- Disk clean up (sometimes)
- Bittorrent (for me at least)
- AVG free edition
- Steam
- portal
- half-life 2
- Empire Total War
- etc.
(because these are all run through steam)
- Windows Media Player *Your media sharing will have been turned off.
- Age of Empires III *for me at least
- Equation Wizard *for me at least
- VLC media player *huge delay in either program startup or video playback
Everything else on my computer worked fine while I had this virus/trojan. Just thought I’d put out a list…
Comment by Perry — May 23, 2009 #
Wow, I don’t know what did it (I’ve been trying to fix it for so long) but you guys did it! Avenger worked like a charm. Thank You.
Thank You, Thank You.
Comment by Roberto — May 23, 2009 #
Thanks a lot! My ZoneAlarm antispyware/antivirus didn’t catch this stuff and couldn’t get rid of it. This was really helpful and worked like a charm. Only issue: something was keeping me from running the Malwarebytes program–I had to rename the setup file, then rename the executable once setup ran. I am (hopefully) clear of the windowsclick.com malware now…
Comment by Brian S — May 24, 2009 #
I didn’t find the driver in step 1 either but ran avenger which said it deleted it.
Avenger also said that it couldn’t find wJQs.exe but I later found out this was because Trend Micro had already quarantined it, so if ur getting the same result from Avenger that could be why.
Great step by step though
Comment by Jesse — May 25, 2009 #
I downloaded Avenger, and when I type C:\WINDOWS\system32\wJQs.exe or uacd.sys in Avenger, I receive a message stating:
Error: Invalid Script. A valid script must begin with a command directive. Aborting Mission!
And I did a Windows search and it isn’t finding it. What am I doing wrong?
Thanks
Comment by manny — May 25, 2009 #
manny, please check the script you inserted, or ask for help at our Spyware removal forum.
Comment by Patrik — May 25, 2009 #
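The error quoted in the exchange above appears when the pasted text has no directive line in front of the targets. The following is an added example (not part of the original page and not Avenger's own code) that checks a script before it is pasted into Avenger. It assumes only the two directives shown on this page, each on its own line with one target per line below it; `lint_avenger_script` and the sample scripts are hypothetical and constructed for illustration.

```python
import re

# Assumption: only the two directives that appear on this page are recognised.
DIRECTIVES = ("Drivers to delete:", "Files to delete:")


def _find_directive(line):
    """Return (directive, start, end) if a known directive occurs in line."""
    for directive in DIRECTIVES:
        match = re.search(re.escape(directive), line, re.IGNORECASE)
        if match:
            return directive, match.start(), match.end()
    return None


def lint_avenger_script(text):
    """Return (sections, problems) for a pasted script.

    sections maps each directive to the targets listed under it;
    problems is a list of findings and is empty for a clean script.
    """
    sections, problems, current = {}, [], None
    for number, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        found = _find_directive(line)
        if found is None:
            # Plain target line: it needs a directive somewhere above it.
            if current is None:
                problems.append(f"line {number}: target before any directive: {line}")
            else:
                sections[current].append(line)
            continue
        directive, start, end = found
        before, after = line[:start].strip(), line[end:].strip()
        if before or after:
            # Typical copy-and-paste damage: directive glued to a target.
            problems.append(f"line {number}: '{directive}' must be on its own line")
        if before:
            if current is None:
                problems.append(f"line {number}: target before any directive: {before}")
            else:
                sections[current].append(before)
        current = directive
        sections.setdefault(directive, [])
        if after:
            sections[directive].append(after)
    if not sections:
        problems.append("script does not begin with a command directive")
    problems.extend(f"'{d}' has no targets" for d, t in sections.items() if not t)
    return sections, problems


# Constructed samples: a well-formed script, targets typed without any
# directive, and a script whose line breaks were lost when it was copied.
GOOD_SCRIPT = "\n".join([
    "Drivers to delete:", "UACd.sys",
    "Files to delete:", r"C:\WINDOWS\system32\wJQs.exe",
])
BARE_TARGETS = "\n".join([r"C:\WINDOWS\system32\wJQs.exe", "uacd.sys"])
GLUED_SCRIPT = "\n".join([
    "Drivers to delete:", "UACd.sysFiles to delete:",
    r"C:\WINDOWS\system32\wJQs.exe",
])

if __name__ == "__main__":
    for name, script in [("good", GOOD_SCRIPT), ("bare", BARE_TARGETS),
                         ("glued", GLUED_SCRIPT)]:
        sections, problems = lint_avenger_script(script)
        print(name, sections, problems)
```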
THANK YOU SO MUCH!!! I FINALLY GOT THE BUGGER! I just purchased Kaspersky not too long ago and it kept saying UACD.BLA BLA BLA BUGGER 24/7 was detected, however when I clicked take action it did nothing, and this kept appearing every time I logged on.
I left Step 1 because under non-plug and play there was no UACD… so I got Avenger, however when I clicked reboot, my system froze upon restarting (likely another virus I gotta find now) but I hit the mains, logged in again, and the message from Kaspersky was still there, yet I knew why. I went back into Avenger, copied the text again however it said it’s already awaiting action upon reboot, do you wanna reboot now so I said yes and the celebrations start there.
I honestly can’t thank you enough – the trojan was such a pain.
By the way, COULD YOU PLEASE TELL ME WHERE I AM LIKELY TO HAVE PICKED THIS UP, LIKE WAS IT FROM A DOWNLOAD, POP-UP etc…
U R A G O D!!!!!
Comment by stephen — May 25, 2009 #
Avenger executes from my desktop but it doesn’t seem to run on reboot. I don’t see anything and can’t find an avenger.txt log.
Comment by Kate — May 26, 2009 #
Kate, ask for help at our Spyware removal forum.
Comment by Patrik — May 27, 2009 #
Thanks for the help BUT
According to a recent MBAM quick scan I now still have a uacinit.dll located in c:\windows\system32\ (which is invisible) and this f*cker is unremovable. At the same time Kaspersky still shows that my comp is infected by trojan.win32.TDSS.adzz so to make it short, no more redirections but still f*cked by this s*it. Sorry but having spent hours today to get rid of this because I can’t reformat without saving the whole system first, I’m exhausted. Any help??
Thanks from FRANCE
Comment by XB — May 27, 2009 #
Try to remove the uacinit.dll file using the following script:
Files to delete:
%windir%\uacinit.dll
or ask for help at our Spyware removal forum.
Comment by Patrik — May 27, 2009 #
Hi Patrick,
I did that too, of course. Eventually the problems (redirection + infection) were solved by reinstalling kaspersky and MBAM plus some reboots. The key here is to work with kaspersky updated, MBAM updated, all I already known and avenger which I didn’t know at the time. Also, don’t hesitate to rename the exe, which I did even before reading this topic.
BTW, since this topic seems to grow a little more each time we visit it, we may create a new contest: how much time did you spend from the first symptoms to the time you finally managed to solve all the problems (not just the redirection problem but the persistent infection too)? As for me, and I have 8 y in IT (not for a living though, it’s a passion) I spent 6H yesterday…
Good luck all and many thanks Pat’ for having put me on the right tracks…
Comment by XB — May 27, 2009 #
I have successfully removed uacd.sys and associated problems thanks to the information in this forum after 3 days of frustration.
Patrik you really deserve lots of people’s admiration.
Comment by beeonline — May 27, 2009 #
Well I won’t leave you all without sharing the details of my own experience, simply because it is, from my own point of view, the extra stuff you may want to know in addition to the great tut from Patrick (for instance I managed to fix all my problems without the help of any other comp’ to download or browse). And I must add I hate having to deal with hijack/smitstuff etc. I don’t say they’re useless, I just say I prefer the less effort.
1/ You are infected, and when you try to google something,
Comment by XB — May 27, 2009 #
[CONTINUED] “something/windowsClickStuff” redirects you. No matter, let it go, close the window which will begin to open, you will be then back to google, type now for instance “Malware bytes anti malware” AND then use the CACHED google page to access a page from where you should be able to download what is requested.
2/ Once downloaded, rename MBAM (I noticed it wouldn’t launch so I figured the s*cker was the cause of it and I renamed setup exe to etup.exe).
Comment by XB — May 27, 2009 #
[CONTINUED II] Try to launch it when installation is finished. It shouldn’t work (of course, the s*cker knows its dirty job!). No matter. Go to Program Files\Malware, you get the idea… There, rename the MBAM executable (not the one with “gui” in it). Then launch MBAM from there. Run a quick scan. Just that. Such scan not only found some really nasty malwares on my comp (Vundo) but this scan immediately resolved the redirection problem after the required reboot to eliminate the dirty items which were spotted by MBAM.
===> So, if your aim is simply to get rid of the redirection problem it shouldn’t take more than 10 or 15 minutes
Comment by XB — May 27, 2009 #
[CONTINUED III] to solve it if you follow the above instructions.
Now, the great stuff Patrick introduced me to. Avenger. Download it, run it, type the script (you shouldn’t need the second line, the first is the most important one but up to you). Click on \
Comment by XB — May 27, 2009 #
[CONTINUED IV] Let Avenger do its job, launch the script, a reboot will be necessary, the main part of the s*cker should by now be gone (the UAC*.sys stuff).
) If it’s the case, then this may indicate, if I’m not wrong, that YOU MAY STILL BE INFECTED EVEN IF THE REDIRECTION PROBLEM IS GONE. Don’t panic…
Now, run another quick scan with MBAM. Perhaps it will show you a remaining registry trace AND UACINIT.DLL in %Windir% (i.e C:\Windows\System32 for us usual mortals
Comment by XB — May 27, 2009 #
[CONTINUED V] 3/ Download Kaspersky AV evaluation, update it, change the settings to the highest level (don’t hesitate to check additional parameters in that capacity).
Now, run a quick scan (Memory+bootsectors+Startup objects), check the results AND check that the proactive defense is running. Wait for like 5 minutes
until a window should show up telling you Kaspersky found some “trojan.win32TDSS.xyz” (here it’s TDSS which is important to spot) and/or UACcbhgcfhcf.dll
or UACjezghferzf.dll (for instance, for the format is UAC(Anythingwithletters).DLL). Delete them with Kaspersky, don’t reboot, go back to MBAM, select
all the stuff it found (the registry entry and UACINIT.DLL + possible other stuff) and accept to reboot again.
Comment by XB — May 27, 2009 #
[CONTINUED VI (we're almost through!)] 4/ Now you should be as clean as the first day (at least almost), for security purposes and pleasure too, run (not at the same time of course!!)
MBAM until it tells you everything is ok (a quick scan is sufficient but for the paranoids a full scan may be as well executed), then do the same
with Kaspersky. Don’t forget: PAUSE either MBAM protection or scan or Kaspersky Protection or scan when running a scan!
5/ Additional notes: in MY case, MBAM and Kaspersky seemed to have been successfully corrupted by the s*cker we’re talking about.
For instance, Kaspersky bases were dated December 2008 despite my downloading of the latest version available and an update.
Comment by XB — May 27, 2009 #
[CONTINUED VII & END] As for MBAM, I figured that it may have been corrupted in the end also, so I reinstalled it. Last, perhaps I definitively got
rid of this infamous malware just because at one moment I just had the files Kaspersky had spotted deleted AND THEN WITHOUT REBOOT
I was launching the deleting of what MBAM had found. At least that’s the only way I can figure to explain why all of a sudden after
the reboot all was OKAY. So don’t forget it, the redirection stuff, even annoying is one thing, another thing is the remains of the malware
which “may” be still active and compromising for your system even if the redirection problem is solved… So check and double check with MBAM
and Kaspersky until they tell you it’s okay. Then create a restore point (now the restoring functionality should work) and after that delete all
the others since they may simply be … infected!
Hope this helps,
Thanks all & especially Patrick, Avenger was the core of the cure (yes I’m a poet:)), forgive my English,
best regards from FRANCE
Comment by XB — May 27, 2009 #
XB, thank you for the information
Comment by Patrik — May 28, 2009 #
Great thing. It worked. Got this UAC / Trojan-TDSS removed from my system. Thx
Comment by Kai — May 28, 2009 #
Are there any other things which are linked to the UACD.sys trojan which I will need to delete once I’ve deleted the UACD.sys trojan? I would like to know asap as I need to make sure my pc is clean of any viruses and malware or any other things that are bad for my pc
many thanks Ryan Bates
Comment by Ryan bates — May 28, 2009 #
Ryan,
Wait for Patrick’s answer but here is mine: if you want to be sure your system is not compromised, run a FULL system scan in safe mode with MBAM & Kaspersky with highest/deepest scan settings (it may take a while, though). If they find nothing, then as far as I’m concerned you’re safe. If really you were hit by this s*cker and need to be 300 percent sure, then I don’t see any other solution than reformatting and reinstall. Antiviruses & the like will NEVER offer 100% certitude of not being compromised.
Anyway, don’t panic, if the scans I recommend you to run end in negative results, then it’s ok.
Comment by XB — May 29, 2009 #
Ryan, XB is right
You can also check your PC using an online scanner – http://www.myantispyware.com/online-scanners
Comment by Patrik — May 29, 2009 #
thanks for the advice i will take that on board,
there is one other question I have and it is, does the UACD.sys trojan stop my Norton anti virus from doing a full system scan even when I have told it to and I have even tried in safe mode?
many thanks Ryan Bates
Comment by Ryan bates — May 29, 2009 #
Thanks Patrick for your advice. I would just add, in case one of you would want to format and reinstall, you should be aware that the infection “may” have originated, in the first place, by the use of “ware” (crack, keygen, you name it) so upon reinstall, please check and double check with kaspersky every piece of software, including the operating system, you are installing. That way, you should be safe, provided you create a “copy” of the new and clean system by using a soft like norton ghost or better, “easyrecovery” (you will need an external hard disk for storing the image but, well, this is the best solution I’ve found in years for reinstalling a full image in less than 1/2 hours)
Good luck all!
Comment by XB — May 29, 2009 #
Ryan, please be more explicit: are you actually unable to run a full system scan in safe mode with Nort*n AV or do you simply WONDER if it’s possible that the trojan would be able to make it impossible to realize? If your concern is well expressed by the second part of the alternative, I would say that yes, the trojan (and many others of its kind) are capable of such things as disabling avs and other security softwares or firewalls. But please try to use Kaspersky and MBAM to be sure you’re not compromised (and read again carefully all the comments to Patrick’s tutorial): download the norton removal tool you will find on their website (they had to design one many years ago because most of their clients including me at the time found it difficult to say the least to uninstall Norton AV by the usual ways), so download this tool, download a Kaspersky AV evaluation version, then disconnect if you wish, or block access to internet through your firewall, then run the removal tool, reboot, install kaspersky AV, reboot, press F8 to access safe mode, and run a full system scan; Oh and you may do the same with MalwareBytes Anti-Malware, please read our posts!!
best regards from FRANCE
Comment by XB — May 30, 2009 #
Just thought it may be helpful to others to add some additional info about my experience with the windowsclick virus. The first noticeable indication of my pc being infected was Google search results being displayed in a larger font size. I spent a significant amount of time trying to rectify this and assume that it was part of the virus’ plan, as because I was distracted it gave it time to go to work. For some reason windowsclick did not appear to affect any links to sites saved in my ‘favourites‘. This also caused a delay in me picking it up. When I clicked on my desktop email icon it sent me straight to my usual email address page (No windowsclick diversion box) but at the same time another web address was indicated. I therefore assume my email was compromised, so I’ve changed my password.
After downloading Avenger and successfully eliminating windowsclick, AVG scan detected a new virus -
Location -
C:/System Volume Information/_Restore
Virus found -
Win32Cryptor
I deleted the Avenger program, ran another AVG scan, and all was well.
However…I now have a problem with something called adwpopup.com Which kicks in intermittently just like windowsclick and directs me to sites such as ‘Online Pharmacy’.
Comment by nic — May 30, 2009 #
Nic, please follow these steps. I will help at our Spyware removal forum.
Comment by Patrik — May 30, 2009 #
Ok, so I’ve been watching this site for over a week since I’ve had this virus. Mine is actually C:\WINDOWS\system32\uacinit.dll
I couldn’t open malware bytes until I renamed it as someone had said. My taskmanager would work using ctrl+alt+dlt, I have to go to ‘run’. I’ve had lots of problems with this, but to make the story short, basically, I can remove the file, but I’m guessing since it’s attached to system32, when I reboot it, windows won’t work unless I ‘restore to last known good configuration’. And that basically starts the whole process all over again. So how can I get rid of the evil thing for good, without removing something that will prevent windows from working properly?
Comment by Melanie — June 1, 2009 #
Melanie, please ask for help at our Spyware removal forum.
Comment by Patrik — June 1, 2009 #
I found this forum and I have had a malware infestation on a machine at work. I can’t execute MBAM, HijackThis, Norton, or ComboFix. At first I could access the registry but now I can’t do that either. Google redirects to windowsclick.com and some stupid AV thing comes up. Does anyone know how I can get shell function back for the registry and anti-spyware s/w ?
Thanks in advance….
PaulD
Comment by PaulD — June 1, 2009 #
PaulD, ask for help at our forum.
Comment by Patrik — June 2, 2009 #
I apologize if this has been answered in the past posts but I’m going cross eyed trying to figure out what to do…I’m at my wits end.
Patrick (or anyone else) please help….the other day WinPC defender somehow downloaded itself onto my computer. I finally got it uninstalled (I think) but now I have tons of problems.
I’m getting:
*redirected to windowsclick.com
*My lists of searches (on yahoo) has a different look
*I cannot restore to an earlier date (would that even help my problems),
*I’m not sure if this is legit or not but as I get logged on, the Windows Genuine Advantage Notifications comes up.
*I also get the following small error boxes after I’ve logged on… SetWindowPos Failed (and once you click that box to close) Error Code 1406 (pops up)
PLEASE PLEASE PLEASE help me if you can. I apologize if you’ve answered these already. I would prefer not to spend a ton of money on software to remove but if there is a FREE version of something that you think might help, I would be so grateful!
Comment by Allie — June 2, 2009 #
Allie, use the instructions above or ask for help at our Spyware Removal forum.
Comment by Patrik — June 3, 2009 #
After a long communication with my security system pc tools (spyware doctor) people, I think they’ve finally cracked it. I’ve just downloaded their most recent updates for the software and it seems to have got rid of the problem after two weeks of trying!
It was annoying as hell – I just hope I don’t speak too soon. Good luck everyone.
Comment by Boris — June 3, 2009 #
well ALLIE, please read all our posts even if it seems a boring thing to do, it’s not so much time to spend after all, try our different solutions & if needed, in the end you will always find help with Patrik on the forum
Comment by XB — June 4, 2009 #
the avenger is not running what should i do?
Comment by lavonna — June 5, 2009 #
lavonna, try:
1. rename Avenger.exe to myapp.exe (or use any random name)
2. run Avenger in Safe mode
Comment by Patrik — June 5, 2009 #
You guys are geniuses! Thank you so much! I’ve just spent the past 18 hours trying to remove these suckers and finally I did. Avenger didn’t do much but the Malwarebytes Antivirus download picked up 46 infected files, including trojans and adware that an 8 hour full Windows scan did not even notice. Thank you again! I can go to sleep now!
Comment by Rux — June 6, 2009 #
I am having trouble with the windowsclick.com redirector as well, but when I go to device manager and look at hidden devices I don’t see the driver to disable.
Any suggestions?
Thanks
Comment by Dan — June 9, 2009 #
Dan, skip the first step or ask for help at our forum.
Comment by Patrik — June 9, 2009 #
This one is a real pain. Not only does it create a hidden HKLM\Software\UAC registry key that you can delete, it also creates hidden HKLM\System\ControlSet001\Services\UACd.sys and the same in \ControlSet002\ (found with sysinternals rootkit detector) which have permissions set so >Reg Delete won’t work. So you think you’re clear, and you are not. Ended up using a bootable CD with a Linux Registry editor to remove these and Kaspersky could then track down the offending dlls.
Comment by Peter — June 10, 2009 #
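The leftovers reported in this thread (the UACd.sys driver, uacinit.dll, the UAC-plus-random-letters DLLs XB describes, and the registry keys Peter lists) can be matched against the text output of a scanner or rootkit detector to see whether anything remains after the redirects stop. This is an added example, not part of the original page; the log lines are constructed, and `triage` and `residue_found` are hypothetical helper names.

```python
import re

# Patterns built only from artifact names reported in the comments on this page.
SERVICE_KEY = re.compile(
    r"HKLM\\System\\(ControlSet\d{3})\\Services\\UACd\.sys", re.IGNORECASE)
SOFTWARE_KEY = re.compile(r"HKLM\\Software\\UAC(?![\w.])", re.IGNORECASE)
# "UAC" followed by letters and a .dll/.sys extension, starting at a word
# boundary so that names merely containing "uac" (quack.dll) are ignored.
UAC_FILE = re.compile(r"(?<!\w)UAC[A-Za-z]+\.(?:dll|sys)\b", re.IGNORECASE)


def triage(lines):
    """Group thread-reported artifacts found in scanner output lines."""
    control_sets, files, software_key = set(), set(), False
    for line in lines:
        service = SERVICE_KEY.search(line)
        if service:
            # Peter found the service key in more than one control set;
            # record each one so none is overlooked during cleanup.
            control_sets.add(service.group(1))
            continue
        if SOFTWARE_KEY.search(line):
            software_key = True
            continue
        files.update(name.lower() for name in UAC_FILE.findall(line))
    return {
        "service_control_sets": sorted(control_sets),
        "software_key": software_key,
        "files": sorted(files),
    }


def residue_found(report):
    """True if any artifact is still listed, even when redirects have stopped."""
    return bool(report["service_control_sets"] or report["software_key"]
                or report["files"])


# Constructed sample output; the line format is an assumption, and a name
# match is only a lead to confirm with the scanner itself.
SAMPLE_LOG = [
    r"Hidden key: HKLM\System\ControlSet001\Services\UACd.sys",
    r"Hidden key: HKLM\System\ControlSet002\Services\UACd.sys",
    r"Hidden key: HKLM\Software\UAC",
    r"Hidden file: C:\WINDOWS\system32\uacinit.dll",
    r"Hidden file: UACcbhgcfhcf.dll",
    r"Hidden driver: UACd.sys",
    r"File: C:\WINDOWS\system32\quack.dll",
    r"Key: HKLM\Software\UACME Tools",
]

if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for key, value in report.items():
        print(f"{key}: {value}")
    print("residue found:", residue_found(report))
```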
Thank you so much this was easy and quick.
Comment by celia — June 10, 2009 #
Thank you very much for helping with this problem. I too was getting redirected to windowsclick.com and all my search results had weird appearances. I downloaded Avenger and it worked like magic. I tried thinking back to when the problem occured and it began to happen right after i updated to Internet Explorer 8. Don’t know if it had anything to do with my problem, but it began happening right after. Once again, thank you!!! I feel relieved that everything is back to normal.
Comment by Gabby — June 10, 2009 #
You Guys are just fantastic. I was really getting racked off with this windowsclick thing. My PC is back to normal and it’s thanks to you. I’m just glad there are people like you working to wipe out the prats that put this stuff out there. They make all our lives hell. Thanks again.
Comment by Mark H — June 16, 2009 #
I do not see the file UACD.sys when I perform your instructions…what do I do!?!?!?!
Comment by Erick — June 16, 2009 #
Erick, you can ask for help at our Spyware removal forum.
Comment by Patrik — June 17, 2009 #
OMG!!!! U r a lifesaver! my comp runs soooo great now!!! thank you thank you thank you!!!!….
Comment by billiejo — June 20, 2009 #
Oh wow It works!!! lol I’ve been tryin to get rid of this thing for over a week now. Thank you very very much! =D
Comment by Reem — June 22, 2009 #
hi guys,
I’m having a bit of a problem, I installed the Avenger software and set it all up by inputting:
Drivers to delete:
UACd.sys
Files to delete:
C:\WINDOWS\system32\wJQs.exe
into the box, but when i click execute, an error appears saying:
Error:could not register clean up.
Aborting execution (error 0: the operation completed successfully.)
i have no idea what this means and would like some help on how to fix it if possible.
thanks, Josh.
Comment by Josh — July 1, 2009 #
Josh, if you are using Windows Vista, then run Avenger as Administrator. You can also ask for help at our Spyware removal forum.
Comment by Patrik — July 1, 2009 #
no, I’m running it on XP, but will ask anyway. thanks.
Comment by Josh — July 2, 2009 #
thank you thank you thank you!!!!!!!!!!!
Comment by Anna — July 4, 2009 #
I had to skip step 1.
I was able to install MBAM, but I can’t run it.
I have tried to rename it, tried it in a different account, and my computer won’t get safe mode to work. Is there anything else I can try? Thanks.
Comment by Drew — July 7, 2009 #
Drew, ask for help at our Spyware removal forum.
Comment by Patrik — July 7, 2009 #
Actually, I reinstalled and this time renamed the folder before it was created and it worked. MBAM found the UAC and deleted it.
Thank you for the guide.
Comment by Drew — July 7, 2009 #
Would you have a solution for why sometimes my computer freezes but i can still move the cursor? I’ve already done the other steps. Also, im not sure if this is relative but sometimes my wireless internet does something weird and stops working but the wired not still works :S
Comment by JJJason — July 8, 2009 #
last post i meant net* and it has only started happening since i downloaded the antimalware software
Comment by JJJason — July 8, 2009 #
JJJason, make a new topic at our Spyware removal forum. I will check your PC. Probably your PC is still infected.
Comment by Patrik — July 8, 2009 #
Not sure how I picked this one up, was also stopping me from playing games on my computer, they were crashing at title screens.
However as soon as I ran the Avenger script everything is working perfectly, thanks
Comment by Dean — July 12, 2009 #
How can we get this trojan ? I’m trying to guess where I got it, but can’t remember D:
Comment by Thiago DeMolay — July 14, 2009 #
Probably you have downloaded and installed a fake movie player or fake adobe flash player or …
Comment by Patrik — July 15, 2009 #
Great! It worked perfectly! Thanks!
Question, I suspect the Trojan came through a USB key, because I got the same infection on another computer right after plugging the key.
How can I clean the key safely?
Thanks
Gilles
Comment by Gilles — July 15, 2009 #
Hey Patrik, I was just wondering, is it possible for routers/modems to be infected by viruses. And if so, how do you get rid of them? I read in a magazine that it was possible… :O
Comment by JJJASON — July 18, 2009 #
Yes, it’s possible. To get rid of them, you need to reset the modem settings to defaults using the RESET button on the back. After that, configure the modem again (ask your service provider how to).
Comment by Patrik — July 18, 2009 #
Thank you i searched more than 6 hours for a solution for this problem and it was so easy to follow your instruction.
thank you man (K)
Comment by Big_Rick — July 18, 2009 #
Thank you, Thank you, Thank you. It worked. I was going crazy with windowsclick redirecting me everytime I tried to open up a website through google. You guys are the best. Once again thanks!
Comment by TJ — July 18, 2009 #
If you had a Paypal link for donations I would send you $10, all I can afford as a student.
Your solution worked with a few bumps along the way.
I spent “only” about 2 hours with other fixes til I found yours.
Thanks!
Comment by Ace — July 20, 2009 #
Glad to help you
Comment by Patrik — July 21, 2009 #
Patrik, can you please help me:
Ok so.. I couldn’t do step 1, because I couldn’t find the files that were stated.
Step two worked well, after reboot however i got a message “Exception processing message c00000013 Paramerers 75b6bf7c 4 75 blah blah”
And i just clicked cancel.
My UACd still showed though (You see i have a Google Installer error, which is apparently a UACd.)
Im stuck on the (MBAM) i downloaded it, but it wont open. I tried downloading the other one, didn’t work. I did close all windows, even restarted and the first thing i did was double click on the setup icon. But still it wont open, it just has that timer near mouse pointer and then nothing.
Any help please?
Regards,
Mo
Comment by Mo — July 21, 2009 #
Mo, ask for help at our Spyware removal forum.
Comment by Patrik — July 21, 2009 #
Thank you so much!!!!!! This is amazing!!!!
Comment by Jenni — July 22, 2009 #
I followed the steps, and when I scanned, I keep getting the same results, and it tells me to restart. Then I restart and scan again, and the same results show up again.
How do I permanently get rid of it?
Thanks in advance
Comment by lp — July 22, 2009 #
If I download Avenger will it delete songs in itunes and delete word documents and pictures?
Comment by Deep — July 22, 2009 #
“it tells me to restart” – what’s “it”? MBAM or Avenger? Make a new topic at our Spyware removal forum.
Comment by Patrik — July 22, 2009 #
Deep, NO. Avenger will remove only malware files and drivers.
Comment by Patrik — July 22, 2009 #
Thanks so much for this information.
It is really helpful and I’m really grateful.
Comment by Ryan Houston — July 23, 2009 #
THANK YOU!! This worked great! If you were here I would hug you!
Comment by Margaret — July 23, 2009 #
I have struggled with this too. Ran Avenger and now re-running MalwareBytes, so we’ll see.
I was having the trouble with the trojan blocking the running (executing) of Malwarebytes and other anti-crap software. I renamed the folders from the default during installation and went back & renamed the executable (m_bam.exe versus default of mbam.exe in the renamed MalwareBytes folder) and it ran without issue.
Comment by Big Dutchman — July 24, 2009 #
I have the virus but I can’t find it in the Device Manager. Does UACd.sys have another name?
Comment by Joe Li — July 29, 2009 #
Joe, skip first step.
Comment by Patrik — July 29, 2009 #
ok.
Comment by Joe Li — July 29, 2009 #
Hi, I have followed all the above instructions, and after running the Malwarebytes scan it said to restart so it could remove the virus. Upon restart all was good, BUT THEN next morning I switch on comp and the same virus is back! It says Trojen.Agent – C:\WINDOWS\system32\uacinit.dll
What can I do?
Thanks
Comment by Krupa — July 29, 2009 #
Thanks a lot Patrik. My computer is now working all because of you. You’re the best!!
Comment by Joe Li — July 29, 2009 #
Krupa, ask for help at our Spyware removal forum.
Comment by Patrik — July 29, 2009 #
Thanks. Three days of sheer confusion; this is the coldest trojan horse I’ve ever rode. Suggestions worked, I was going nuts. Malwarebytes, first program worth paying for.
Comment by cosmoe e — July 30, 2009 #
Had to do second step because I don’t have the UACd.sys driver listed. Didn’t work.
Comment by Casey — July 31, 2009 #
I tried Malwarebytes and I got the blue screen of death about 45 minutes into the scan. Avenger didn’t do anything. I use Trend Micro antivirus and it can’t find it. There’s nothing named UAC… anywhere in the registry or device drivers. But I get problems when I try to open programs (they usually eventually open). Boxes pop up with the following three .dll’s:
UACenjcvorlfpwrbqipf.dll
UACmrfxxtjphbsufoebr.dll
UACvtiobmqhdxerjkevd.dll
I really have no idea what to do at this point. Any help is greatly appreciated.
Comment by Casey — July 31, 2009 #
Casey, try to repeat step 2. Also you can ask for help at our Spyware removal forum.
Comment by Patrik — July 31, 2009 #
My computer is randomly playing ads and audio clips from the internet. How do I stop this?
Also, I have installed Malware and tried to run it. I have renamed the mbam.exe file to other names as suggested above, but it still will not run.
Help please!
Comment by Joel — August 2, 2009 #
Joel, if the above instructions do not help you, then ask for help at our Spyware removal forum.
Comment by Patrik — August 2, 2009 #
Thank you so much. Very good instructions and you helped people all the way. Works so well. I had a lot of malware so again thank you.
Comment by Al — August 4, 2009 #
Worked perfectly! Saved my work computer. Thanks for the info!
Comment by John — August 4, 2009 #
This Windowsclick virus had me angry for a couple days. I thought I would have to reformat (and don’t have a disk). Found this site/help quickly and... poof... gone like the wind! Thank you sooo much for the removal software. I feel safe again. LOL
*after downloading, program wouldn’t open. I restarted the machine and everything went smooth. Thanks again!
Comment by Matt — August 5, 2009 #
Wow, I was having huge issues with this and I’m pretty neat with PCs; could not load Malwarebytes or antispyware to kill the malware, kept redirecting me to websites I did not want. Loaded Avenger and followed the command even though at the first stage I never had that exact file in my non plug and play list, and it worked. I can now install malaware and antispyware to kill any threat.
Awesome job guys, 100% genuine deal here, I’m happy.
Comment by Robsta — August 6, 2009 #
Step 1 didn’t work for me so I went on to the following steps and it seems that it worked. The only thing is that I couldn’t run MBAM after I download it. So I rebooted my machine and I did it in safe mode.
Thanks so much for your help.
Comment by Mario — August 7, 2009 #
Per the instruction in step 2, after I type the script to be run, before I click “execute” should I have any of the boxes checked? The “Scan for rootkits” box was checked by default. Should I leave it checked? What about the other box “Automatically disable any rootkits found”, should this be checked as well? I’m wondering if this might be why some people had problems and others didn’t after running step 2.
Comment by Jeff — August 7, 2009 #
I can’t find the UACd in Device Manager.
I already see hidden files.
Help me…
Comment by satyo — August 9, 2009 #
Whoever made Avenger freakin ROCKS! Thanks guys!
I am saved, for now…
Comment by PDAWG — August 9, 2009 #
Hi Patrick. Please Help..
I followed Step2, no help. I downloaded and Installed MBAM but I can’t run it. It stays there in Windows Task Manager but it never comes up on the screen. Can you help please?
Comment by Zulf — August 10, 2009 #
Hi Patrick, I was able to run it as this “C:\Program Files\Malwarebytes’ Anti-Malware\fix-mbam.exe” /killall
It removed around 21 items. I think I’m all set, you are the man. Thanks and take care.
Comment by Zulf — August 10, 2009 #
Well I did another MBAM scan and it says just like the last time that a file named “UACINIT.DLL” will be removed once I reboot the PC however after first reboot it remove it.
I don’t even see it in the system32 folder; I do have the ‘hide protected system files’ option unchecked.
Is it just an error from MBAM or should I be concerned?
Thank You Patrick.
Comment by Zulf — August 10, 2009 #
Well, UACd wasn’t found in my drivers, but Avenger says it deleted it. However, the wJQs file wasn’t found by Avenger. I had some difficulties getting Malwarebytes to work, but finally did. Everything seems to be working properly now.
Comment by Matt — August 10, 2009 #
I got rid of the UACd.sys trojan on August 10 with ComboFix (I renamed it Combo-Fix before I downloaded it – note the hyphen). It’s straightforward, but there’s no cancel button, so make sure you have all of your antivirus programs disabled before starting ComboFix. It took about 10-15 minutes to run the program, and it takes minimal input while it’s working. My computer was rebooted once by ComboFix. Malwarebytes’ Anti-Malware found 4 more UACd related files afterward. Now my computer is acting normally. Thanks for all of your help.
bleepingcomputer.com/combofix/how-to-use-combofix
Comment by Ken — August 10, 2009 #
Patrik, please advise on which boxes should be checked (if any) when running Avenger, in step 2.
Thanks, Jeff
Comment by Jeff — August 11, 2009 #
Hey Patrik,
I have recently used a combo of Malwarebytes and SUPERAntiSpyware to remove a lot of UAC*** files, including uacinit.dll (I think). I was thinking of running these steps just as a safety precaution. Is this a bad idea????
Comment by Knox — August 11, 2009 #
Reading through these postings I think I have a similar problem but it seems to be very persistent.
Following step 1 I found no UAC_ file to remove
Following step 2 Installed Avenger says it deleted the driver successfully but no file existed.
Attempting step 3 I have downloaded MBAM several times with various attempts at changing the installed and exe name and location. It appears to install successfully but then will not run. No error appears.
I have run AVG which has found several problems, but correcting them did nothing. I have run Adaware with the same result.
Upon start up AVG resident shield found a handful of UAC_________ dll files, but could not remove them.
What do I do next?
Comment by Rob — August 12, 2009 #
Jeff, don’t make any changes. You should insert the script and click Execute.
Comment by Patrik — August 12, 2009 #
satyo, skip first step.
Comment by Patrik — August 12, 2009 #
Zulf, you need to run Avenger with the above script to remove the hidden UACd.sys driver.
Comment by Patrik — August 12, 2009 #
Knox, run MalwareBytes and perform a full scan. If the program finds uacinit.dll, then you should follow the above steps (start from step 2).
Comment by Patrik — August 12, 2009 #
Rob, try step 2 again.
Comment by Patrik — August 12, 2009 #
Patrik, you said “don`t make any changes”, but I’m still unsure which (if any) boxes should be checked. Can you please state the proper configuration?
Should the “Scan for rootkits” box be checked: Yes or No?
Should the “Automatically disable any rootkits found” box be checked: yes or No?
Comment by Jeff — August 12, 2009 #
“Scan for rootkits”: Yes
“Automatically disable any rootkits found”: No
Comment by Patrik — August 12, 2009 #
I had this, windowsclick.com redirect [UACd.sys trojan], and the Windows Antivirus Pro to deal with at the same time. Not sure if they came together or not. After about a week of combating to no avail, I found this website. I would like to offer you my first born! No, seriously though, thank you so very much. I couldn’t have done it without your help. Kisses
Comment by Kimi — August 13, 2009 #
I have tried step one, nothing there. As for step two, I’ve run Avenger, went through the restart, and I’m not sure what happens next – I was never given a confirmation of the program actually “doing” anything. As for step three, I cannot get my machine to run the Anti Malware program. Either nothing happens when I click on it, or it opens, and I get a “program has stopped responding” error. Please help me out if possible.
Comment by Bryan M — August 13, 2009 #
Bryan, try repeating step 2 again, then run MBAM.
Comment by Patrik — August 14, 2009 #
I had a problem just installing and starting up the program itself, like MBAM (Malwarebytes) or AVENGER. Not sure what is plaguing my system at the moment, but one thing for sure is that it’s blocking executable programs. A trick if you have a problem like mine: add the extension .bat to all programs that you want to install (executable). Also you can look for UACINIT.DLL in %system%/system32.
Comment by Pat Gallant — February 19, 2009 #
Thanks for your comment. My uacinit.dll was hidden in the registry, and it did not let me execute anything.
For anyone for whom the other steps don’t work and who can’t run Malwarebytes or Spybot, etc.: run regedit and search for uacinit.dll
Thanks a lot, everyone
Comment by ZASCA! — August 14, 2009 #
Eliminate these files and similar ones too:
%System%\UACvhpmkrfj.dll
%System%\UACsbqqqrer.dat
%System%\UACvpucimny.dll
%System%\UACrtvmepob.dll
%System%\UAClxwbpfsx.dll
%System%\UAChyawqckt.dll
%System%\uacinit.dll
%System%\UACsvnllvia.log
%System%\drivers\UACabdvbfhe.sys
and registry entries:
key: HKLM\System\CurrentControlSet\Services\UACd
value: imagepath = \
Comment by ZASCA! — August 15, 2009 #
I ran Avenger per the instructions in step 2. I deleted the UACd.sys file but did not find the wJQs.exe file and no rootkits were found. So I reran and still no wJQs.exe and no rootkits to delete. I still can’t run MBAM. I also noticed I have the b.exe file. Should I type that into Avenger to be deleted?
Comment by Jeff — August 16, 2009 #
Yeah, I have a problem running mbam… nothing happens when I try to open it. I’ve read about this before, where the solution was to rename the .exe but in my case this did not help.
Comment by dkwan — August 16, 2009 #
Jeff, please make a new topic at our Spyware removal forum.
Comment by Patrik — August 17, 2009 #
Thanks a lot!!!
Greetings from France
Comment by Shad — August 23, 2009 #
I followed step 2 and 3. Problem solved. Thanks!!!
Comment by Fred — August 23, 2009 #
I too ran the Avenger pack and I stopped being redirected to random sites, but I still can’t run or open Malwarebytes or Spybot Search and Destroy
Comment by Steve — August 25, 2009 #
Steve, ask for help at our Spyware removal forum.
Comment by Patrik — August 25, 2009 #
I have followed the steps above but whenever I try to run MBAM or any other program that scans the computer it closes the program and when I try to open it again it says “Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item.” I have gone through and deleted
%System%\UACvhpmkrfj.dll
%System%\UACsbqqqrer.dat
%System%\UACvpucimny.dll
%System%\UACrtvmepob.dll
%System%\UAClxwbpfsx.dll
%System%\UAChyawqckt.dll
%System%\uacinit.dll
%System%\UACsvnllvia.log
%System%\drivers\UACabdvbfhe.sys
and stuff. Also, sometimes when I reboot I get a system shutdown window that pops up telling me that something happened and the computer is shutting down in 1 min. When the timer runs out I get a black screen and the computer doesn’t shut down. Please help!
Comment by Spencer — August 27, 2009 #
I followed step 2 and Avenger removed ‘UACd.sys’ but not ‘C:\WINDOWS\system32\wJQs.exe ‘. Did something go wrong?
I then tried to install MBAM, but once I double clicked it and attempted to run it, it wouldn’t open/run/work. Help?
I also tried going to the forums. I downloaded HijackThis but once I attempted to run it, nothing happened. Help again please?
Comment by Daniel — August 27, 2009 #
Spencer, your computer is probably infected with the braviax trojan. Ask for help at our Spyware removal forum.
Comment by Patrik — August 28, 2009 #
UACd.sys is not showing in device manager!!
Comment by curt — August 28, 2009 #
curt, skip first step.
Comment by Patrik — August 29, 2009 #
I did all this, but Avira AntiVir still tells me that there are some UACD hidden files on my computer, which it can’t destroy:
HKEY_LOCAL_MACHINE\System\ControlSet001\Services\UACd.sys\modules
HKEY_LOCAL_MACHINE\System\ControlSet001\Services\UACd.sys\start
HKEY_LOCAL_MACHINE\System\ControlSet001\Services\UACd.sys\type
HKEY_LOCAL_MACHINE\System\ControlSet001\Services\UACd.sys\group
HKEY_LOCAL_MACHINE\System\ControlSet001\Services\UACd.sys\imagepath
What to do about it?
Thanks!
Comment by Marie — August 30, 2009 #
I need so much help. I got UACd.sys and I read the 3 step thing to get rid of it, and it’s not listed under plug and play drivers, so I tried to skip step 1 like it said in the help blog but I can’t even figure it out. I think I downloaded Avenger but I don’t know what unzip means! How do you do that? Also, what or where is the Input script Box?
Comment by Shanda Manning — August 30, 2009 #
Marie, try to repeat step 2.
Comment by Patrik — August 31, 2009 #
None of this is working. There aren’t any files named UACd.sys, and I downloaded MBAM and when I click on it, it doesn’t even load. What do I do?!
Comment by Whitney — September 1, 2009 #
Whitney, ask for help at our Spyware removal forum.
Comment by Patrik — September 2, 2009 #
Shanda, unzipping requires something like WinRAR or the basic unzipping tool loaded on most Windows OS computers. If Internet Explorer is not working, try using Firefox. Typically a trojan or virus will infect the primary internet browser but not a secondary one; just make sure to say do not make Firefox the primary browser when installing. Use a Microsoft trusted link to WinRAR before you download to prevent any other infection. Hope this helps, and if you have any other questions let me know. I’m fighting the trojan manually, trying to find other ways of fighting it. Also, it may pose as a registry file, but it won’t appear there.
Comment by Sam — September 2, 2009 #
I had this windows click problem about a month ago. I had to skip step 1 but followed steps 2 & 3, and everything worked great till recently. My computer loads slow again, it freezes and won’t always display a web page. Because I kept Malwarebytes from last time, I did a scan; it said backdoor & rootkit, but Malwarebytes won’t remove them this time. So I did step 2 again, but now it won’t complete a scan: it starts a quick scan, but when it gets to performing the extra heuristics scan it freezes. I have tried AVG, which I used to use before Malwarebytes, but that won’t move them either.
Comment by marissa — September 5, 2009 #
marissa, if Avenger does not remove the UACd.sys driver (the main component of the UACd trojan), then your PC is probably infected with a new version of the trojan. Ask for help at our Spyware removal forum.
Comment by Patrik — September 5, 2009 #
I have asked for help at the Spyware removal forum but I have no replies. Please help.
Comment by marissa — September 6, 2009 #
Patrik, when I think back, I was watching a video online before and it looked like the security system came up saying I was infected. Everything was flashing before my eyes; it wanted me to buy something which I can’t remember now. Does this help with what might be wrong with my computer?
Comment by marissa — September 6, 2009 #
I don’t know if this helps, but I got it off the AVG scan history: c:\windows\temp\kqdsmpfxbv.eve trojan horse 2.rca and c:\windows\temp\kqdsmpfxbe.exe(204) trojan horse agent.rca
Comment by marissa — September 6, 2009 #
I went to Device Manager, clicked on View, Show Hidden Drivers and looked through Non-Play and Play Drivers and I cannot find the “UACd.sys”. What’s wrong? My computer still says I am infected.
):
Comment by Natalie — September 6, 2009 #
marissa, I have asked you at the forum.
Comment by Patrik — September 7, 2009 #
Natalie, skip first step.
Comment by Patrik — September 7, 2009 #
The steps above didn’t work for me. I followed all steps. I also know for a fact that it’s a UACd.sys trojan.
Comment by Dylan — September 9, 2009 #
Dylan, try step 2 again. If it does not help you, then ask for help in our Spyware removal forum.
Comment by Patrik — September 10, 2009 #
Hello everyone, I am a broke college student with no money to spend on computer repairs or any sort of internet security. I have been raging war on these viruses but they keep stopping me at every angle I go at.
I tried step one, and could not find the virus
i tried step two, and the virus brings up the \
Comment by Ian — September 11, 2009 #
(CONTINUED…
page cannot be displayed.
I then try to load Avenger via jump drive and every time I insert the jump drive my computer completely cuts off. I DON’T KNOW WHAT ELSE TO DO, SOMEONE PLEASE HELP ME, I MUST HAVE MY COMPUTER WORKING TONIGHT!
Comment by Ian — September 11, 2009 #
Try using a CD to move files. Also try to download Avenger through a proxy server (search Google for a free one).
Comment by Patrik — September 11, 2009 #
Hi Patrick, I followed steps 1 and 2 and Malwarebytes found 4 items which it deleted on reboot. But whenever I open Windows my “Windows security center” pops up saying no antivirus found and then another window pops up saying download protection. However, I already have Kaspersky antivirus installed. How can I check to see if windowsclick is completely gone? Thanks!
Comment by psr — September 11, 2009 #
psr, make a new topic in our Spyware removal forum. I will check your PC.
Comment by Patrik — September 12, 2009 #
Can’t install the MBAM in safe mode & my computer won’t let me go to normal mode. When I choose normal mode it goes to the blue screen & reboots.
Comment by Laurie — January 9, 2010 #
I skipped step 1 because I couldn’t find the driver. I downloaded Avenger, followed the steps, my computer restarted, with this:
Beginning to process script file:
Rootkit scan active.
Hidden driver “H8SRTd.sys” found!
ImagePath: \systemroot\system32\drivers\H8SRTujebfkmbyy.sys
Start Type: 1 (System)
Rootkit scan completed.
Error: registry key “\Registry\Machine\System\CurrentControlSet\Services\UACd.sys” not found!
Deletion of driver “UACd.sys” failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
–> the object does not exist
Error: file “C:\WINDOWS\system32\wJQs.exe” not found!
Deletion of file “C:\WINDOWS\system32\wJQs.exe” failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
–> the object does not exist
Completed script processing.
*******************
Finished! Terminate.
It says that there was an error and the files do not exist. So is the trojan removed or not?
Comment by Ying — January 9, 2010 #
Laurie, ask for help in our Spyware removal forum.
Comment by Patrik — January 9, 2010 #
Ying, read the article: How to remove H8SRT trojan.
Comment by Patrik — January 9, 2010 #
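The Avenger log in Ying's comment above can be read mechanically. As an added example (not part of the original thread and not Avenger's own code), this Python sketch parses that log and separates hidden drivers reported by the rootkit scan from script targets that were simply not present; the function and field names are hypothetical, and only the line formats visible in the posted log are handled.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Log text as posted in the comment above (typographic "–>" included).
SAMPLE_LOG = r"""Beginning to process script file:
Rootkit scan active.
Hidden driver "H8SRTd.sys" found!
ImagePath: \systemroot\system32\drivers\H8SRTujebfkmbyy.sys
Start Type: 1 (System)
Rootkit scan completed.
Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\UACd.sys" not found!
Deletion of driver "UACd.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
–> the object does not exist
Error: file "C:\WINDOWS\system32\wJQs.exe" not found!
Deletion of file "C:\WINDOWS\system32\wJQs.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
–> the object does not exist
Completed script processing.
"""

# Accept straight or curly quotes, since web pages often re-typeset them.
QUOTED = r'["\u201c]([^"\u201d]+)["\u201d]'
HIDDEN_RE = re.compile(r"^Hidden driver " + QUOTED + r" found!")
FAILED_RE = re.compile(r"^Deletion of (driver|file) " + QUOTED + r" failed!")
IMAGEPATH_RE = re.compile(r"^ImagePath:\s*(.+)$")
START_RE = re.compile(r"^Start Type:\s*(\d+)")
STATUS_RE = re.compile(r"^Status:\s*(0x[0-9a-fA-F]+)\s*\((\w+)\)")

@dataclass
class HiddenDriver:
    name: str
    image_path: Optional[str] = None
    start_type: Optional[int] = None

@dataclass
class FailedDeletion:
    kind: str                       # "driver" or "file"
    target: str
    status_code: Optional[str] = None
    status_name: Optional[str] = None

def parse_avenger_log(text):
    """Collect rootkit-scan hits and failed deletions; detail lines attach to the latest record."""
    hidden, failed, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if m := HIDDEN_RE.match(line):
            current = HiddenDriver(m.group(1))
            hidden.append(current)
        elif m := FAILED_RE.match(line):
            current = FailedDeletion(m.group(1), m.group(2))
            failed.append(current)
        elif isinstance(current, HiddenDriver) and (m := IMAGEPATH_RE.match(line)):
            current.image_path = m.group(1)
        elif isinstance(current, HiddenDriver) and (m := START_RE.match(line)):
            current.start_type = int(m.group(1))
        elif isinstance(current, FailedDeletion) and (m := STATUS_RE.match(line)):
            current.status_code, current.status_name = m.group(1).lower(), m.group(2)
    return hidden, failed

def triage(text, script_drivers):
    """Separate 'target was never there' from 'hidden driver the script did not name'."""
    hidden, failed = parse_avenger_log(text)
    named = {d.lower() for d in script_drivers}
    absent = "STATUS_OBJECT_NAME_NOT_FOUND"
    return {
        "unaddressed_hidden_drivers": [h.name for h in hidden if h.name.lower() not in named],
        "targets_not_present": [f.target for f in failed if f.status_name == absent],
        "other_failures": [f.target for f in failed if f.status_name != absent],
    }
```

Calling `triage(SAMPLE_LOG, ["UACd.sys"])` lists H8SRTd.sys as a hidden driver the script never named, while both script targets fall under "not present", which is consistent with the reply pointing to the H8SRT article.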
I did the first step, didn’t work, so ran Avenger and it said it found some of the files but not others. Just downloaded MBAM but then I got a message from Windows saying it will not run properly. This problem started yesterday when I accidentally downloaded Malware Defense, and to try and fix that I got PC Doctor, but it seems like the problem with Malware Defense has been fixed but I still have this uad.sys thing. Please help me.
Comment by Grace — January 10, 2010 #
I got the same message that Ying above posted, so I think I have the H8SRT trojan too.
Comment by Grace — January 10, 2010 #
I followed the steps on how to remove the H8SRT trojan and I think now everything’s all set, except for the fact that my computer is now a million times slower. I don’t know what is causing this; it takes forever for everything to load once I reboot the system. Yesterday, my computer before all these trojans was relatively fast. What do I do?
Comment by Grace — January 10, 2010 #
One last thing, sorry. When I ran Avenger earlier before removing the H8SRT, it said it couldn’t find the UACd.sys driver, but the reason I knew my computer was infected by that is because I kept getting a warning from Windows telling me that I had it. I haven’t gotten any in the past few hours, so I’m hoping that means that it’s gone? I don’t know.
Comment by Grace — January 10, 2010 #
Grace, ask for help in our Spyware removal forum.
Comment by Patrik — January 11, 2010 #
For those who have trouble installing Malwarebytes’, there is a pretty simple solution. This trojan blocks specifically named .exes, so if you change the name of the install file and then that of the application itself, it will run fine.
Comment by Luke — January 14, 2010 #
Thank you very much…
Comment by Onkol Consulting — February 2, 2010 #
All these posts cannot be real. No one mentions getting the request for money to remove everything, so I don’t believe a word of any of this.
Comment by jeff — August 8, 2010 #