I recently had the opportunity to fix a computer that was having issues with a virus/trojan/rootkit. I included all three in the list because I had no idea what I was looking at when I first heard of the issues. I was told that when the owner of the machine would perform a search in Google, every link that they clicked on would be redirected to a URL that included “windowsclick”.
While doing some research, I found a solution to the issue, but it was a complicated solution. I instructed the owner to install both anti-virus and anti-spyware tools and then run them to see what was found. Upon trying to run an anti-spyware tool, a new problem presented itself: the tools would load but wouldn’t run. Not wanting to give up, I asked the owner to drop off the computer so that I could have a look. After some research I managed to clean the computer, and here is how I did it.
WindowsClick Wreaking Havoc
As mentioned in the beginning of the post, a computer became infected with an issue that I will simply call “windowsclick” because that was in the URL of the links in Google’s search results. Every time a search was made in Google, the user would be redirected to spam sites.
On top of that, whenever an anti-spyware tool was executed to try and clean the computer, the tool would load, but wouldn’t run. The executable process would be displayed in the Task Manager, but nothing else would happen.
After doing some research online, I did manage to find some files that are associated with the problem. The owner had searched for the files, but found nothing. Spybot Search & Destroy did manage to run, and found the files, but tried to delete them on reboot. The attempts to delete the files didn’t work, and the deletions during restart produced many DOS windows each time Windows restarted.
In the end, however, I decided to use a tool that I have had success with in the past: ComboFix.
The ComboFix Fix
I went online and downloaded ComboFix. When I launched the tool I had the same problem as before: it would load but wouldn’t run.
To solve this issue, I renamed the “combofix.exe” file to something like “s23adf.exe” (without the quotes). Sure enough, the application launched and I was able to follow the steps.
After following the prompts, and installing the Microsoft Windows Recovery Console, ComboFix performed a scan of the system. It found the files that were related to the “windowsclick” problem. The files were:
- C:\Windows\System32\uacinit.dll
- C:\Windows\System32\drivers\UAC[some random characters].sys
- C:\Windows\System32\UAC[some random characters].dll
- C:\Windows\System32\UAC[some random characters].log
- C:\Windows\System32\UAC[some random characters].dat
I allowed ComboFix to restart the computer and delete the files. Actually, it quarantined them in a separate folder called “C:\Qoobox”, which I then deleted.
I launched a web browser and performed a search in Google. The “windowsclick” issue was gone, as the links in the search results took me to the correct pages. I was also able to launch the anti-spyware without any issues.
To ensure that no other viruses/trojans/spyware existed, I performed scans from multiple applications, with each one indicating no threats. The computer is now clean from any nasties, at least for now.
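The file names listed above can be turned into a repeatable check. The following Python is an added example, not code from the original post or from ComboFix: it scans a Windows folder (for instance on a disk attached to a second machine) for names that fit the list. Treating “[some random characters]” as any run of characters, the rule labels and the sample tree are assumptions; matches are candidates to review, not confirmed infections.

```python
import os
import re
import tempfile

# (subdirectory of the Windows folder, label, file-name pattern) from the post's
# list. "[some random characters]" is assumed to be one or more characters.
RULES = [
    ("system32", "uacinit.dll", re.compile(r"^uacinit\.dll$", re.I)),
    ("system32/drivers", "UAC*.sys", re.compile(r"^uac.+\.sys$", re.I)),
    ("system32", "UAC*.dll/.log/.dat", re.compile(r"^uac.+\.(dll|log|dat)$", re.I)),
]

def resolve_ci(root, relative):
    """Resolve relative under root ignoring case; None if any part is missing."""
    current = root
    for part in relative.split("/"):
        try:
            names = os.listdir(current)
        except OSError:
            return None
        match = next((n for n in names if n.lower() == part.lower()), None)
        if match is None:
            return None
        current = os.path.join(current, match)
    return current

def find_candidates(windows_dir):
    """Return sorted (path, label) pairs for files whose names fit RULES."""
    hits = {}
    for subdir, label, pattern in RULES:
        directory = resolve_ci(windows_dir, subdir)
        if directory is None or not os.path.isdir(directory):
            continue
        for name in os.listdir(directory):
            full = os.path.join(directory, name)
            if os.path.isfile(full) and pattern.match(name):
                hits.setdefault(full, label)  # first matching rule wins
    return sorted(hits.items())

def demo():
    """Scan a constructed tree; the 'example' suffixes are made up."""
    with tempfile.TemporaryDirectory() as tmp:
        drivers = os.path.join(tmp, "WINDOWS", "System32", "drivers")
        os.makedirs(drivers)
        sys32 = os.path.dirname(drivers)
        for folder, name in [(sys32, "uacinit.dll"), (sys32, "UACexample.dat"),
                             (drivers, "UACexample.sys"), (sys32, "kernel32.dll")]:
            open(os.path.join(folder, name), "w").close()
        found = find_candidates(os.path.join(tmp, "WINDOWS"))
        return [(os.path.basename(path), label) for path, label in found]
```

Call `find_candidates()` with the path to the Windows folder being examined; `demo()` only exercises the rules on a throwaway tree.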