Solved: Am using AdwCleaner but after I do I lose my Web connection

December 3, 2013 at 12:40:27
Specs: Windows 7
I have a ton of spyware/malware on this laptop I am trying to get cleaned up. Every time I run AdwCleaner to get rid of all the toolbars/spyware, once my computer restarts I can't connect to the web via my Wi-Fi connection. I am thinking that it may be deleting an integral registry entry used for the internet connection or something along those lines, but I can't seem to find any info anywhere. Any thoughts or suggestions would be greatly appreciated. Thanks!!
Marshall


✔ Best Answer
December 4, 2013 at 01:02:56
"seems I have a problem removing a virus called Zero Access"

Yep, that is what I suspected.

Your computer has/had some serious infections with rootkit/backdoor capabilities.
Backdoors provide outsiders full access to your computer, enabling them to record keystrokes, steal passwords, spread malware, and even use it for other illegal activities.
If your computer has been used for important or sensitive data such as online banking, shopping or any other financial transactions, I strongly recommend you do the following:
Disconnect from the Internet and any network immediately.
Inform your financial institutions that you may be a victim of identity theft and to put a watch on all your accounts or change them.
Change all your online passwords from a clean computer.
Take any other steps that you may think are necessary to prevent financial distress due to identity theft.
How to report ID theft, fraud, drive-by installs, hijacking and malware?
http://www.dslreports.com/faq/10451

I can still clean this machine, but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.



#1
December 3, 2013 at 16:51:00
Please Copy and Paste the instructions into a text file, print or write down the steps & info. You will need them, as they are hard to remember, for when you are offline. Cross off each step as you do it.

Note: Is your important stuff backed up, including your emails & address book? Anything can happen during the clean up.

As we dismantle the infections bit by bit, that may allow the repeat use of programs, which may in turn pick up more.
Removal of infected parts of the system may cause other parts to stop working, such as your Internet connection or Services. These we then have to repair.

If any program won't run ( due to the infection ) let me know.

Copy and Paste the contents of the log/logs after running each program.

1: Download & run Unhide
http://www.bleepingcomputer.com/for...
http://download.bleepingcomputer.co...
To run Unhide, simply download it to your desktop and then double-click on the Unhide icon. The program will open a black box and start making the files on your fixed disks visible again. Please note, that this program will not unhide removable drives like flash cards and usb drives as the FakeHDD rogues do not target these types of drives. Once it has finished, the program will display a Windows alert stating that your files have been restored. You should then reboot your computer for all of the settings to go into effect.
Copy & Paste the contents of the log. Let me know if it doesn't produce a log please.

2: Reboot

3: Run RogueKiller
http://www.softpedia.com/get/Securi...
http://www.softpedia.com/progScreen...
http://majorgeeks.com/RogueKiller_d...
http://www.geekstogo.com/forum/file...
http://tigzy.geekstogo.com/roguekil...
http://www.sur-la-toile.com/RogueKi...
User guide
http://www.adlice.com/softwares/rog...
Official tutorial
http://tigzyrk.blogspot.fr/2012/11/...
If RogueKiller won't run, open IE & turn off SmartScreen Filter.
http://windows.microsoft.com/en-AU/...
Download & SAVE to your Desktop.
Quit all programs that you may have started.
Shutdown your antivirus to avoid any conflicts.
Please disconnect any USB or external drives from the computer before you run this scan!
For Vista or Windows 7/8, right-click and select "Run as Administrator" to start.
For Windows XP, double-click to start.
Wait until Prescan has finished ...
Then Click on "Scan" button
Wait until the Status box shows "Scan Finished"
click on "delete"
Wait until the Status box shows "Deleting Finished"
Click on "Report" and Copy & Paste the content of the Notepad into your next reply.
The log should be found in RKreport[1].txt on your Desktop
Exit/Close RogueKiller.
When completed make sure to re-enable your antivirus.



#2
December 3, 2013 at 18:36:26
Thanks a bunch for all this info first off!!! On a side note, this is gonna be probably a week-long project, or at least a couple of days, because I am fixing my Mother-in-law's laptop and am only over at her house half the week.
I do have all my data backed up with system restore through Windows Backup. Do you suggest doing a back-up data disc as well?
I will post replies once I have started this project tonight.


#3
December 3, 2013 at 18:50:45
"On a side note this is gonna be probably a week long project"
No problem.

"Do you suggest doing a back-up data disc as well?"
I have all my important stuff ( including address book ) backed up at least twice, 2nd hard drive, thumb drives etc.



#4
December 3, 2013 at 19:42:53
Ok. I am beginning to run Un-Hide right now...on one other side note...do you not recommend AdwCleaner?


#5
December 3, 2013 at 19:46:48
Success so far! Ran Un-Hide and everything seems to be working great. Next I am onto Rogue Killer...here is the Log Report from Un-Hide.
Unhide by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2013 BleepingComputer.com
More Information about Unhide.exe can be found at this link:
http://www.bleepingcomputer.com/for...

Program started at: 12/03/2013 10:57:24 PM
Windows Version: Windows 7

Please be patient while your files are made visible again.

Processing the C:\ drive
Finished processing the C:\ drive. 225267 files processed.

Processing the D:\ drive
Finished processing the D:\ drive. 226 files processed.

Processing the Q:\ drive
Finished processing the Q:\ drive. 0 files processed.

The C:\Users\Owner\AppData\Local\Temp\smtmp\ folder does not exist!!
Unhide cannot restore your missing shortcuts!!
Please see this topic in order to learn how to restore default
Start Menu shortcuts: http://www.bleepingcomputer.com/for...

Searching for Windows Registry changes made by FakeHDD rogues.
- Checking HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
* NoRun policy was found and deleted!
* NoDesktop policy was found and deleted!
* NoActiveDesktopChanges policy was found and deleted!
- Checking HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
* NoRun policy was found and deleted!
* NoDesktop policy was found and deleted!
* NoActiveDesktopChanges policy was found and deleted!
- Checking HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System
* DisableTaskMgr policy was found and deleted!
- Checking HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop
- Checking HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
* Start_ShowSearch was set to 0! It was set back to 1!
* Start_ShowSetProgramAccessAndDefaults was set to 0! It was set back to 1!

Program finished at: 12/03/2013 11:03:24 PM
Execution time: 0 hours(s), 6 minute(s), and 0 seconds(s)

Btw, it ran on my drive D: and that's a backup drive...should I have done that?


#6
December 3, 2013 at 21:34:30
Ok I finished running RogueKiller and got the report...seems I have a problem removing a virus called Zero Access. Here is the report.

RogueKiller V8.7.9 [Nov 25 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.adlice.com/forum/
Website : http://www.adlice.com/softwares/rog...
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Owner [Admin rights]
Mode : Remove -- Date : 12/03/2013 23:28:02
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 11 ¤¤¤
[HJ POL][PUM] HKCU\[...]\System : DisableRegistryTools (0) -> DELETED
[HJ POL][PUM] HKCU\[...]\System : DisableCMD (0) -> DELETED
[HJ POL][PUM] HKLM\[...]\System : DisableTaskMgr (0) -> DELETED
[HJ POL][PUM] HKLM\[...]\System : DisableRegistryTools (0) -> DELETED
[HJ POL][PUM] HKLM\[...]\System : DisableCMD (0) -> DELETED
[HJ POL][PUM] HKLM\[...]\Wow6432Node\[...]\System : DisableTaskMgr (0) -> [0x2] The system cannot find the file specified.
[HJ POL][PUM] HKLM\[...]\Wow6432Node\[...]\System : DisableRegistryTools (0) -> [0x2] The system cannot find the file specified.
[HJ POL][PUM] HKLM\[...]\Wow6432Node\[...]\System : DisableCMD (0) -> [0x2] The system cannot find the file specified.
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)
[HJ INPROC][ZeroAccess] HKCR\[...]\InprocServer32 : (C:\Users\Owner\AppData\Local\{3000c3af-c448-761c-8408-60d58acd68b8}\n. [x]) -> REPLACED (C:\Windows\system32\shell32.dll)

¤¤¤ Scheduled tasks : 0 ¤¤¤

¤¤¤ Startup Entries : 0 ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤
[ZeroAccess][Folder] U : C:\Users\Owner\AppData\Local\{3000c3af-c448-761c-8408-60d58acd68b8}\U [-] --> DELETED
[ZeroAccess][Folder] L : C:\Users\Owner\AppData\Local\{3000c3af-c448-761c-8408-60d58acd68b8}\L [-] --> DELETED

¤¤¤ Driver : [NOT LOADED 0x0] ¤¤¤

¤¤¤ External Hives: ¤¤¤

¤¤¤ Infection : ZeroAccess ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 @ IDE) SAMSUNG HM250HI SATA Disk Device +++++
--- User ---
[MBR] 16e2d66bec32eb89fe8c129beefc9791
[BSP] a3822365e81e0f01494ed47717fee0b3 : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 199 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 409600 | Size: 220533 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 452061184 | Size: 17638 Mo
3 - [XXXXXX] FAT32-LBA (0x0c) [VISIBLE] Offset (sectors): 488183808 | Size: 103 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[0]_D_12032013_232802.txt >>
RKreport[0]_S_12032013_232645.txt

Thanks a lot for the help so far!!!! Let me know if you have any advice on that Zero Access Removal.


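The Unhide log in #5 and the RogueKiller log in #6 show two kinds of registry damage: lockout policies (NoRun, NoDesktop, DisableTaskMgr and friends) and a COM InprocServer32 entry redirected into a GUID-named folder under AppData\Local. The script below is an added example, not code from this thread or from either tool: a read-only PowerShell audit that looks for both patterns on a machine and reports them without deleting anything. The function names and the GUID-folder path pattern are my own assumptions, drawn from the shape of the logged entries; it assumes Windows PowerShell 3.0 or later run as Administrator.

```powershell
# Added example (not from the thread or from Unhide/RogueKiller).
# Read-only audit: nothing is deleted, findings are returned as objects.

# 1. Policy keys that FakeHDD-style rogues use to lock the user out
#    (the same keys and value names the Unhide log reports on).
$policyKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
)
$lockoutValues = 'NoRun', 'NoDesktop', 'NoActiveDesktopChanges',
                 'DisableTaskMgr', 'DisableRegistryTools', 'DisableCMD'

function Get-LockoutPolicy {
    foreach ($key in $policyKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($name in $lockoutValues) {
            $v = $props.$name
            # Any non-zero value means the restriction is active.
            if ($null -ne $v -and $v -ne 0) {
                [pscustomobject]@{ Type = 'PolicyLockout'; Key = $key; Name = $name; Value = $v }
            }
        }
    }
}

# 2. COM servers whose default InprocServer32 path points into a
#    GUID-named folder directly under AppData\Local, the pattern the
#    RogueKiller log shows for the ZeroAccess hijack ({...}\n).
#    The regex is an assumption based on that logged path, not a tool signature.
function Get-SuspiciousInproc {
    $pattern = '\\AppData\\Local\\\{[0-9a-f-]{36}\}\\'
    Get-ChildItem 'Registry::HKEY_CLASSES_ROOT\CLSID' -ErrorAction SilentlyContinue |
      ForEach-Object {
        $ip = "$($_.PSPath)\InprocServer32"
        if (Test-Path $ip) {
            $default = (Get-ItemProperty -Path $ip -ErrorAction SilentlyContinue).'(default)'
            if ($default -match $pattern) {
                [pscustomobject]@{ Type = 'ComHijack'; Key = $ip; Name = '(default)'; Value = $default }
            }
        }
      }
}

$findings = @(Get-LockoutPolicy) + @(Get-SuspiciousInproc)
if ($findings.Count -eq 0) { 'No lockout policies or suspicious InprocServer32 paths found.' }
else { $findings | Format-Table -AutoSize }
```

A clean Windows 7 machine should report nothing; a hit on the ComHijack line is worth comparing against the RogueKiller entry above before any removal, since the legitimate value for that CLSID was shell32.dll.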


#8
December 4, 2013 at 04:00:15
"Btw, It ran on my drive D: and thats a backup drive...should I have done that?"
Yep, that's Ok.


#9
December 5, 2013 at 12:30:55
Okay, say we don't do the cleaning and I was to back up all important files onto an external hard drive, then completely format the drive and re-install Windows. Would it be clean then? Or is there some way the virus is embedded in Word documents, pictures etc., aka the important info that she needs backed up?


#10
December 5, 2013 at 14:36:09
"Okay, say we don't do the cleaning and I was to backup all important files onto an external hard drive"
Run your AV & RogueKiller on that drive, once you have finished the backup.

Should be OK, but you never know; if ZeroAccess rears its head again when put back on the original drive, you know it is in one of those files.



#11
December 5, 2013 at 14:39:01
"Then completely format the drive and re-install windows"

A format is not enough.

Make sure when you reinstall, you delete ALL partitions & format to NTFS.

W7 - Click on > Drive options (advanced) Then highlight each partition & hit > Delete.
http://www.blackviper.com/os-instal...
http://www.blackviper.com/os-instal...

Here are some examples of why you delete all partitions.
http://forums.spybot.info/showthrea...
http://forums.whatthetech.com/index...
http://blog.eset.com/2011/10/18/tdl...



#12
December 5, 2013 at 17:36:53
Thanks a lot for the help JohnW. I'm just trying to keep my options open depending on what she decides to do (this is her laptop right now but I will be buying one in the coming months). I will let you know when she decides what she wants to do! BTW, you have been a great help to me and I know you are a great help to the community here. I am now a computing.net fan like crazy! And I will be using it every time I have a question or have a chance to answer one, thanks to your help and advice! Happy Holidays!!!!


#13
December 5, 2013 at 18:16:46
"Thanks a lot for the help JohnW"
YW.

I'm here.
http://www.timeanddate.com/worldclo...

