How to remove windowsclick infection





Version: 39.2
Revision: 46 Build 154


Introduction:
This malware had infected my machine and I didn’t notice it. But when I was surfing the Google website with Firefox, the links redirected me to a nasty website that served fake anti-virus.

Right, let’s get to work and get this out of your system before it is too late!

1.] Download the following software with “Firefox” and save it to your C:\ drive.

Important: please look at the ComboFix procedure if everything else fails.
After the repair, please follow this guide again for a complete scan and removal.

Notes: if you’re using Firefox as your main browser, you’ll need to right-click each link and open it in a new tab. If you don’t, the malware will redirect you to a different link.
————————-
Avira Free Edition: http://www.avira.com/en/pages/index.php
Mirror: http://filehippo.com/download_antivir/

ComboFix: http://www.combofix.org/
Mirror: http://subs.geekstogo.com/ComboFix.exe
Mirror: http://www.forospyware.com/sUBs/ComboFix.exe
Mirror: http://download.bleepingcomputer.com/sUBs/ComboFix.exe

SpywareTerminator: http://spywareterminator.com

CCleaner: http://filehippo.com/download_ccleaner/
————————–

Part One: remove Trojan.Agent.RL and RKIT/TDss.eyj.xxx
————————–
2.] Install SpywareTerminator and Avira.
3.] Update their database.

Notes: if you encounter an error with SpywareTerminator Shield, please ignore it and use the scanner…

4.] Do a “Quick Scan” (Fast Spyware Scan) with SpywareTerminator.
5.] Remove all infected files and this file: CmdLineExt03.dll
6.] Exit SpywareTerminator and click on Avira Anti-Virus. The application is located on your Windows taskbar (red umbrella icon).
7.] Double click on the application and select: Local Protection >> Scanner >> Rootkit Search
8.] Select all available drives and run the scan…

Notes: if the application asks you for permission, just select “Quarantine” and continue.

Similar infected files…
————————–

c:\windows\system32\uacrvkuvdgg.dll
c:\windows\system32\drivers\uaccseutoro.sys
————————–

9.] When Avira has finished removing this “backdoor-rootkit” infection, just click No and cancel the reboot operation…

10.] Right click on Avira and disable “AntiVir Guard”.

Advice: press Ctrl + Alt + Del to bring up the process menu. After that, select the second tab and look for this process: Avguard.exe. But don’t worry about the errors… it’s only for the ComboFix procedure…

Notes: leave your internet connection enabled for ComboFix.exe
————————–

Part Two: remove UACcseutoro.sys and acovcnt.exe
————————–
11.] Make a folder in your C:/ drive.
12.] Drag your ComboFix into that folder and rename it as: FixCombo.exe.

Notes: if it doesn’t work, please use this method for execution!
————————–
Right click on the actual link and click: “Save Link As”. After that, you’ll need to rename the file to one of these names. However, if that doesn’t work, just make a name up…

Renamed files: tool.exe | Fixfile.exe | toolb.exe | FixCombi.exe | FixCombo.exe

13.] Execute the application.
14.] ComboFix will warn you if you haven’t disabled Avira. But click Ok if you have already disabled Avira’s Shield.
15.] The scanner will trigger another box which contains a list of infected files. The list will look like this…
Notes: I’ve put two different lists. This is because the malware can change its name with random characters. But they can be detected by ComboFix without any problems…

c:\windows\system32\acovcnt.exe
c:\windows\system32\drivers\UACcseutoro.sys
c:\windows\system32\UACalwoglkx.dll
c:\windows\system32\UACbdkqyjia.log
c:\windows\system32\UACktlsummn.log
c:\windows\system32\UACndsuqqrv.log
c:\windows\system32\UACplaqlmxs.dat
c:\windows\system32\UACrvkuvdgg.dll
c:\windows\system32\UACtfiwcpqk.dll
c:\windows\system32\UACwkmlpjat.dll
——————————————————————-
c:\windows\system32\drivers\UACtnfmndkx.sys
c:\windows\system32\tmp67.tmp
c:\windows\system32\UACblevabwi.log
c:\windows\system32\UACefnatakr.dll
c:\windows\system32\UACfsaprdmv.dll
c:\windows\system32\UACkjfmxcxi.dll
c:\windows\system32\UAClwnqcbve.dat
c:\windows\system32\UACnfwquyvx.log
c:\windows\system32\UACrjghjnnw.log
c:\windows\system32\UACsdntxukq.dll
c:\windows\temp\uac52f0.tmp

17.] After the scan, it will ask you to reboot your computer.
All you need to do is click the “Ok” button or hit the “Enter” key (on your keyboard).

18.] At the next reboot, just don’t touch anything and let it remove these pests!
The files which will be removed are shown by ComboFix…

19.] When everything is cleared and dusted, you’ll need to wait for a while.
This is because the application is generating a ‘Log.txt’ file about the ComboFix removal process.

20.] Install CCleaner and clear your Internet Explorer + Firefox temporary files and internet system cache.

Part Three: remove ComboFix.exe from your computer
————————–
21.] Click Start >> Run >> Type: Combofix /u
22.] Click Ok or press “Enter” on your keyboard
23.] Disable your System Restore and re-enable it…

Click Start >> Control Panel >> System >> System Restore

24.] Exit “System Properties” and go to “Microsoft.com” for new updates to block these threats from killing your computer…

Alternative method to remove “windowsclick” if your PC is seriously infected…
————————–
1.] Insert your Windows XP disk into your CD-ROM drive.
2.] Wait for it to load and press: ‘R’ to boot into the recovery console.
3.] When the console is ready, press 1 if you only have one “Windows XP” installation on the hard drive. After that, just hit “Enter” (without the quotes).
4.] Type in the “Administrator’s” password and hit “Enter” (without the quotes).
5.] Now, you’ll need to type this command: listsvc and press “Enter” on your keyboard.
6.] Look for a service called: UACD.sys / UACd.sys
7.] Press “ESC” to stop listing and go back to ‘cmd’ prompt.
8.] Now, all you need to do is type this: “disable UACd.sys” (without quotes).
9.] Exit recovery console – don’t forget to take your XP CD out and reboot the computer.
10.] Go back to stage “ONE” and remove this idiot virus!

Copyrighted By Lair360
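
The file lists in Part Two share a naming pattern, shown here as an added example that is not part of the original guide: Python that picks such names out of a list of paths, for instance lines copied from a scanner log. The pattern (“UAC” plus eight letters with a .sys, .dll, .dat or .log extension under system32) is an assumption inferred from the names listed above, and the look-alike paths in the sample are constructed.

```python
import re
from collections import defaultdict
from ntpath import basename, dirname

# Assumption inferred from the names listed in this guide: "UAC" followed by
# eight letters and one of four extensions, placed in system32 or
# system32\drivers. Scanners report mixed case, so match case-insensitively.
UAC_NAME = re.compile(r"^uac[a-z]{8}\.(sys|dll|dat|log)$", re.IGNORECASE)
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\system32\drivers"}
ROLE = {"sys": "driver", "dll": "module", "dat": "data", "log": "log"}

def classify(path):
    """Return the component role if the path fits the pattern, else None."""
    path = path.strip()
    if dirname(path).lower() not in SYSTEM_DIRS:
        return None
    m = UAC_NAME.match(basename(path))
    return ROLE[m.group(1).lower()] if m else None

def triage(lines):
    """Group matching paths (lower-cased) by role; other lines are ignored."""
    found = defaultdict(list)
    for line in lines:
        role = classify(line)
        if role:
            found[role].append(line.strip().lower())
    return dict(found)

# Constructed sample: four paths copied from the lists above, then three
# look-alikes (made up) that must not match.
SAMPLE = r"""
c:\windows\system32\drivers\UACcseutoro.sys
c:\windows\system32\uacrvkuvdgg.dll
c:\windows\system32\UACplaqlmxs.dat
c:\windows\system32\UACbdkqyjia.log
c:\windows\system32\uacinit.dll
c:\windows\system32\kernel32.dll
c:\program files\tool\UACabcdefgh.dll
""".splitlines()

if __name__ == "__main__":
    for role, paths in triage(SAMPLE).items():
        print(role, paths)
```

Names such as acovcnt.exe, tmp67.tmp and uac52f0.tmp from the same lists do not fit this pattern and need a separate check.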




How to disable “UAC control” on Windows Vista operating system.





Version: 16.3
Revision: 98 Build 14


Introduction: Windows Vista has a built-in function that automatically reduces potential security breaches in the system. It does that by automatically enabling a feature called User Account Control (or UAC for short). UAC forces users who are part of the local administrators group to operate as though they were regular users with no administrative privileges. However, the repeated appearance of the message can be distracting.

Instruction *1
—————–

1.] Launch ‘MSCONFIG’ from the Run menu.

Start >> Run >> msconfig

code: msconfig

2.] Click on the Tools tab and scroll down, you will eventually find: “Disable UAP”

3.] Click on it and press the ‘Launch’ button.

Notes: when you press Launch, a CMD window will open. When the command is done, you can close the window.

4.] Close ‘MSCONFIG’ and reboot your computer.

Notes: you can re-enable UAC by selecting the “Enable UAP” line and then clicking on the Launch button.

—————–

Instruction *2
—————–

1.] Open Registry Editor.

Start >> Run >> regedit

2.] In Registry Editor, navigate to the following registry key.

HKEY_LOCAL_MACHINE >> Software >> Microsoft >> Windows >> CurrentVersion >> Policies >> System

3.] Locate the following value [DWORD]: EnableLUA

4.] Set the value to ‘0’

Note: Please backup your registry before you make any changes…

5.] Close the Registry Editor and reboot your computer.

Tips: In order to re-enable UAC function, just change the value to 1.
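
As an added example (not part of the original guide): because this instruction turns UAC off by setting EnableLUA to 0, the same value can be read back to find machines where UAC has been disabled. The Python below parses text in the layout printed by `reg query` for that key; the host names, sample outputs and function names are constructed, and ConsentPromptBehaviorAdmin is a value of that key which the guide does not mention.

```python
import re

KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System"
DWORD_LINE = re.compile(r"^\s+(\S+)\s+REG_DWORD\s+(0x[0-9a-fA-F]+)\s*$")

def parse_dwords(reg_output):
    """Return {value name (lower-case): int} for REG_DWORD values under KEY."""
    values, in_key = {}, False
    for line in reg_output.splitlines():
        if line and not line[0].isspace():        # unindented line = key header
            in_key = line.strip().lower() == KEY.lower()
            continue
        m = DWORD_LINE.match(line)
        if in_key and m:
            values[m.group(1).lower()] = int(m.group(2), 16)
    return values

def uac_state(reg_output):
    """Map EnableLUA to 'enabled' (1), 'disabled' (0), 'unexpected' or 'unknown'."""
    lua = parse_dwords(reg_output).get("enablelua")
    if lua is None:
        return "unknown"                          # value absent from the output
    return {0: "disabled", 1: "enabled"}.get(lua, "unexpected")

def hosts_with_uac_off(outputs):
    """Sorted host names whose captured output shows EnableLUA = 0."""
    return sorted(h for h, out in outputs.items() if uac_state(out) == "disabled")

def _out(key, *values):
    """Build constructed reg-query-style text: key header, then indented values."""
    rows = "".join(f"    {n}    REG_DWORD    {v}\n" for n, v in values)
    return "\n" + key + "\n" + rows

# Constructed sample: host names and captured outputs are made up.
SAMPLE = {
    "PC-01": _out(KEY, ("EnableLUA", "0x1")),
    "PC-02": _out(KEY.upper(), ("ConsentPromptBehaviorAdmin", "0x2"),
                  ("EnableLUA", "0x0")),
    "PC-03": _out(KEY, ("ConsentPromptBehaviorAdmin", "0x2")),
    # EnableLUA under a different (constructed) key must not count
    "PC-04": _out(r"HKEY_LOCAL_MACHINE\Software\Example", ("EnableLUA", "0x0")),
}

if __name__ == "__main__":
    for host, out in SAMPLE.items():
        print(host, uac_state(out))
```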

—————–

Instruction *3
—————–

This can be done with the “Local Group Policy” control or an “Active Directory-based GPO,” which is much more suited for large networks where one would like to disable UAC for many computers at once.

1.] Open the Group Policy Editor from your Vista computer.

Start > Run > gpedit.msc

Notes: If you’re using “AD-based GPO,” please use the command below instead. However, this is only for Vista computers.

Start > Run > gpmc.msc

2.] In the Group Policy Editor window, browse…

+ Computer Configuration
+ Windows Settings
+ Security Settings
+ Local Policies
+ Security Options


3.] In the right panel, scroll down and look for the “User Account Control policies.”

4.] Exit Group policy and reboot your computers.

—————–

Instruction *4
—————–

This method is very sneaky. But, you’ll find it without a problem!

1.] Open Control Panel.

2.] Under “User Account and Family settings,” click on the “Add or remove user account,” which is underneath “Setup parental controls.”

3.] Click on one of the user accounts.

4.] Under the user account click on the “Go to the main User Account page” link.

5.] Under “Make changes to your user account” click on the “Change security settings” link.

6.] In the “Turn on User Account Control (UAC) to make your computer more secure,” click to un-select the “Use User Account Control (UAC) to help protect your computer.”

7.] Click on the Ok icon to complete the process.

8.] You will be asked to reboot your computer. But click No if you want to reboot your computer at a later time.

Notes: To re-enable the UAC control, please follow the guide again and select the checkbox; “Turn on User Account Control (UAC) to make your computer more secure.”

—————–

Instruction *5
—————–

For users who are dumb enough to try instruction 1, 2, 3 or 4 but still fail to disable UAC control: you can use the software below. But please respect the owner who created the UAC control software!

http://www.tweak-uac.com/

http://www.softpedia.com/get/Security/Security-Related/TweakUAC.shtml

—————–