Chrome, Firefox and Edge browsers jumping to ad pages

Comments

17 comments

  • Support

    Hi jeremnyorme,

     

    Please, save AdwCleaner by Xplode on the desktop: https://toolslib.net/downloads/viewdownload/1-adwcleaner/

    Turn off all programs, including browsers.
    Double-click on AdwCleaner to start the program.

     

    In the Options menu, please select (don't touch the default selections):


    • Reset Proxy Settings

    • Delete Prefetch Files


    Click on the Scan button.
    Wait until the search has finished.

    Click on the Log file button.
    A report will be displayed, copy its content and paste into your reply.
    If the report isn't displayed, it's available as C:\AdwCleaner\AdwCleaner[s0].txt.

  • Customer

    Thanks CeciliaB!

     

    Here is the log output:

     

    # AdwCleaner v5.200 - Logfile created 20/06/2016 at 15:48:03

    # Updated 14/06/2016 by ToolsLib

    # Database : 2016-06-20.2 [server]

    # Operating system : Windows 10 Home (X64)

    # Username : Jeremy - JEREMY-LAPTOP

    # Running from : C:\Users\Jeremy\Desktop\adwcleaner_5.200.exe

    # Option : Scan



    ***** [ Services ] *****


    Service Found : LavasoftTcpService

    Service Found : WCAssistantService

    Service Found : 76c57b794e6c8656618f09e27daee20d

    Service Found : 7dbea00b08eb7d7f72afadf2fcf50533


    ***** [ Folders ] *****


    Folder Found : C:\ProgramData\lavasoft\web companion

    Folder Found : C:\ProgramData\779d90b7-2db7-0

    Folder Found : C:\ProgramData\779d90b7-7635-1

    Folder Found : C:\ProgramData\Application Data\lavasoft\web companion

    Folder Found : C:\ProgramData\Application Data\779d90b7-2db7-0

    Folder Found : C:\ProgramData\Application Data\779d90b7-7635-1

    Folder Found : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Social2Sear

    Folder Found : C:\Program Files (x86)\Max Driver Updater

    Folder Found : C:\Program Files (x86)\lavasoft\web companion

    Folder Found : C:\Program Files (x86)\232BBA00-1466249747-81E1-22A2-10BF482F6BC6

    Folder Found : C:\Users\Jeremy\AppData\Local\Temp\MAXDriverUpdater

    Folder Found : C:\Users\Jeremy\AppData\Roaming\Nosibay

    Folder Found : C:\Users\Jeremy\AppData\Roaming\Store

    Folder Found : C:\Users\Jeremy\AppData\Roaming\WTools

    Folder Found : C:\Users\Jeremy\AppData\Roaming\SpringFiles

    Folder Found : C:\Users\Jeremy\AppData\Roaming\lavasoft\web companion

    Folder Found : C:\Users\Jeremy\AppData\Roaming\store

    Folder Found : C:\Users\Jeremy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Bubble Dock

    Folder Found : C:\Program Files\Caster


    ***** [ Files ] *****


    File Found : C:\WINDOWS\SysWOW64\lavasofttcpservice.dll

    File Found : C:\WINDOWS\SysWOW64\LavasoftTcpServiceOff.ini

    File Found : C:\Users\Jeremy\AppData\Roaming\Bubble Dock.boostrap.log

    File Found : C:\Users\Jeremy\AppData\Roaming\Bubble Dock.installation.log

    File Found : C:\Users\Jeremy\AppData\Roaming\Selection Tools.installation.log

    File Found : C:\Users\Jeremy\AppData\Roaming\WindApp.boostrap.log

    File Found : C:\Users\Jeremy\AppData\Roaming\WindApp.installation.log

    File Found : C:\WINDOWS\SysNative\LavasoftTcpService64.dll

    File Found : C:\WINDOWS\SysNative\LavasoftTcpServiceOff.ini


    ***** [ DLL ] *****



    ***** [ WMI ] *****



    ***** [ Shortcuts ] *****



    ***** [ Scheduled tasks ] *****


    Task Found : WindApp Update

    Task Found : Selection Tools Update

    Task Found : Selection Tools Update


    ***** [ Registry ] *****


    Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\webcompanion.com

    Key Found : HKLM\SOFTWARE\Classes\AppID\3045035B-3C14-4698-8AC4-ADB18CC42C1E

    Key Found : HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\webcompanion.com

    Key Found : HKCU\Software\Classes\.bubbledock

    Key Found : HKCU\Software\Classes\bubbledock

    Key Found : HKU\S-1-5-21-665035586-3844912205-1700048427-1001\Software\Classes\.bubbledock

    Key Found : HKU\S-1-5-21-665035586-3844912205-1700048427-1001\Software\Classes\bubbledock

    Key Found : HKLM\SOFTWARE\Classes\AppID\3045035B-3C14-4698-8AC4-ADB18CC42C1E

    Key Found : HKLM\SOFTWARE\Classes\CLSID\{0015CAC9-FC30-4CD0-BFAA-7412CC2C4DD9}

    Key Found : HKLM\SOFTWARE\Classes\CLSID\{26C7AFDB-3690-449E-B979-B0AF5CC56DD4}

    Key Found : HKLM\SOFTWARE\Classes\CLSID\{3A5A5381-DAAF-4C0D-B032-2C66B3EE4A8D}

    Key Found : HKLM\SOFTWARE\Classes\CLSID\{472EF1D2-4AAE-470D-AE85-6AF8177916FD}

    Key Found : HKLM\SOFTWARE\Classes\CLSID\{8F010D54-C023-457F-AF03-497EACB6D519}

    Key Found : HKLM\SOFTWARE\Classes\CLSID\{9A754403-27B1-4ED7-96D7-588F07888EBF}

    Key Found : HKLM\SOFTWARE\Classes\CLSID\{CB31FF8F-BF80-4D2B-ADBE-12C6F5347890}

    Key Found : HKLM\SOFTWARE\Classes\CLSID\{FCAA532B-E807-4027-940C-BA16B9D50105}

    Key Found : HKLM\SOFTWARE\Classes\TypeLib\{ED62BC6E-64F1-46BE-866F-4C8DC0DF7057}

    Key Found : HKCU\Software\Nosibay

    Key Found : HKCU\Software\Store

    Key Found : HKCU\Software\WajIEnhance

    Key Found : HKCU\Software\WTools

    Key Found : HKCU\Software\SrpnFiles

    Key Found : HKCU\Software\Wizzlabs

    Key Found : HKCU\Software\MICROSOFT\IDSC

    Key Found : HKCU\Software\AppDataLow\Software\adawarebp

    Key Found : HKLM\SOFTWARE\SrpnFiles

    Key Found : HKLM\SOFTWARE\Lavasoft\Web Companion

    Key Found : HKLM\SOFTWARE\Social2Sear

    Key Found : HKLM\SOFTWARE\AVSoftware

    Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Bubble Dock

    Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Selection Tools

    Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\windapp

    Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\WindApp

    Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\11598763487076930564

    Key Found : [x64] HKLM\SOFTWARE\Social2Sear

    Key Found : [x64] HKLM\SOFTWARE\AVSoftware

    Key Found : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d35e5e88-e5b8-447f-b6f4-66bc7aa638d1}

    Key Found : HKU\S-1-5-21-665035586-3844912205-1700048427-1001\Software\Nosibay

    Key Found : HKU\S-1-5-21-665035586-3844912205-1700048427-1001\Software\Store

    Key Found : HKU\S-1-5-21-665035586-3844912205-1700048427-1001\Software\WajIEnhance

    Key Found : HKU\S-1-5-21-665035586-3844912205-1700048427-1001\Software\WTools

    Key Found : HKU\S-1-5-21-665035586-3844912205-1700048427-1001\Software\SrpnFiles

    Key Found : HKU\S-1-5-21-665035586-3844912205-1700048427-1001\Software\Wizzlabs

    Key Found : HKU\S-1-5-21-665035586-3844912205-1700048427-1001\Software\MICROSOFT\IDSC

    Key Found : HKU\S-1-5-21-665035586-3844912205-1700048427-1001\Software\AppDataLow\Software\adawarebp

    Key Found : HKU\S-1-5-21-665035586-3844912205-1700048427-1001\Software\Microsoft\Windows\CurrentVersion\Uninstall\Bubble Dock

    Key Found : HKU\S-1-5-21-665035586-3844912205-1700048427-1001\Software\Microsoft\Windows\CurrentVersion\Uninstall\Selection Tools

    Key Found : HKU\S-1-5-21-665035586-3844912205-1700048427-1001\Software\Microsoft\Windows\CurrentVersion\Uninstall\windapp

    Key Found : HKU\S-1-5-21-665035586-3844912205-1700048427-1001\Software\Microsoft\Windows\CurrentVersion\Uninstall\WindApp

    Value Found : HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules [{1374E61D-8EEB-4E2D-BA96-1176C22CDBBF}]

    Value Found : HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules [{0E008854-7C81-4DD1-8FF0-4384B0AF1190}]

    Value Found : HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules [{C36091A4-6D37-48B5-8CDB-723E753D2BE8}]

    Value Found : HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules [{038658C6-0064-49FD-B2E6-212E012CA257}]

    Value Found : HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules [{EFABDB3E-91D1-4C19-B23B-87264222641B}]

    Key Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}

    Key Found : HKU\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}

    Key Found : HKU\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes\{BA1BE292-1D15-488B-934D-008742212380}

    Data Found : HKU\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes [DefaultScope] - {BA1BE292-1D15-488B-934D-008742212380}

    Key Found : HKU\S-1-5-21-665035586-3844912205-1700048427-1001\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}

    Key Found : HKU\S-1-5-18\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}

    Key Found : HKU\S-1-5-18\Software\Microsoft\Internet Explorer\SearchScopes\{BA1BE292-1D15-488B-934D-008742212380}

    Data Found : HKU\S-1-5-18\Software\Microsoft\Internet Explorer\SearchScopes [DefaultScope] - {BA1BE292-1D15-488B-934D-008742212380}

    Value Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Run [selection Tools]

    Value Found : HKU\S-1-5-21-665035586-3844912205-1700048427-1001\Software\Microsoft\Windows\CurrentVersion\Run [selection Tools]

    Value Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Run [Web Companion]

    Value Found : HKU\S-1-5-21-665035586-3844912205-1700048427-1001\Software\Microsoft\Windows\CurrentVersion\Run [Web Companion]

    Value Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Run [Caster]

    Value Found : HKU\S-1-5-21-665035586-3844912205-1700048427-1001\Software\Microsoft\Windows\CurrentVersion\Run [Caster]


    ***** [ Web browsers ] *****



    *************************


    C:\AdwCleaner\AdwCleaner[R0].txt - [1896 bytes] - [03/04/2015 17:28:35]

    C:\AdwCleaner\AdwCleaner[s0].txt - [1283 bytes] - [03/04/2015 17:31:25]

    C:\AdwCleaner\AdwCleaner[s1].txt - [8828 bytes] - [20/06/2016 15:48:03]


    ########## EOF - C:\AdwCleaner\AdwCleaner[s1].txt - [8901 bytes] ##########

  • Support

    1. Please, turn off all programs, including browsers.
    Double-click on AdwCleaner to start the program.

    Click on the Scan button.
    Wait until the search has finished.

     

    Select the Services tab and remove the check mark in front of:

    LavasoftTcpService

    WCAssistantService

     

    Select the Folders tab and remove the check mark in front of:

    Everything that contains lavasoft

     

    Select the Registry tab and remove the check mark in front of:

    Key HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\webcompanion.com

    Key HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\webcompanion.com


    Key HKLM\SOFTWARE\Classes\CLSID\{0015CAC9-FC30-4CD0-BFAA-7412CC2C4DD9}

    Key HKLM\SOFTWARE\Classes\CLSID\{26C7AFDB-3690-449E-B979-B0AF5CC56DD4}


     

    Key HKLM\SOFTWARE\Classes\CLSID\{3A5A5381-DAAF-4C0D-B032-2C66B3EE4A8D}

    Key HKLM\SOFTWARE\Classes\CLSID\{472EF1D2-4AAE-470D-AE85-6AF8177916FD}

    Key HKLM\SOFTWARE\Classes\CLSID\{8F010D54-C023-457F-AF03-497EACB6D519}

    Key HKLM\SOFTWARE\Classes\CLSID\{9A754403-27B1-4ED7-96D7-588F07888EBF}

    Key HKLM\SOFTWARE\Classes\CLSID\{CB31FF8F-BF80-4D2B-ADBE-12C6F5347890}

    Key HKLM\SOFTWARE\Classes\CLSID\{FCAA532B-E807-4027-940C-BA16B9D50105}

    Key HKLM\SOFTWARE\Classes\TypeLib\{ED62BC6E-64F1-46BE-866F-4C8DC0DF7057}

    Key HKCU\Software\AppDataLow\Software\adawarebp

    Key HKLM\SOFTWARE\Lavasoft\Web Companion

    Key HKLM\SOFTWARE\AVSoftware

    Key HKU\S-1-5-21-665035586-3844912205-1700048427-1001\Software\AppDataLow\Software\adawarebp

    Value HKCU\Software\Microsoft\Windows\CurrentVersion\Run [Web Companion]

    Value HKU\S-1-5-21-665035586-3844912205-1700048427-1001\Software\Microsoft\Windows\CurrentVersion\Run [Web Companion]

    Click on the Clean button.

    Click on OK.
    Click on OK on any message that pops up.
    The computer will be restarted.

    A report will be displayed, copy its content and paste into your reply.
    If the report isn't displayed, it exists as C:\AdwCleaner\AdwCleaner[C1].txt

     

    2. Please, start FRST.

    Select Addition.txt and then let the program scan the computer.

    Attach the two new logs.

     

     

    3. Run an online scan with Eset (easiest with Internet Explorer): http://www.eset.com/onlinescan/
    To shorten the scanning time disable your antivirus program while scanning.

    Select Enable detection of potentially unwanted applications.
    Click Advanced Settings.

    Deselect Remove found threats (important since false positives can occur).

    Select:
    Scan Archives
    Scan for potentially unsafe applications
    Enable Anti-Stealth Technology

    Click Start.

    When the scan is finished, click on List of found threats and then Export to text file. Copy the content of the text file and paste its content in your reply.

  • Support

    1. Sorry, I forgot to list a few filenames in my instructions, and some Web Companion files were removed. Please, uninstall Web Companion by Lavasoft, restart the computer and install it again: http://www.webcompanion.com/

     

     

    2. Please uninstall:

    Java 8 Update 66 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F83218066F0}) (Version: 8.0.660.18 - Oracle Corporation)
    Java SE Development Kit 7 Update 40 (64-bit) (HKLM\...\{64A3A4F4-B792-11D6-A78A-00B0D0170400}) (Version: 1.7.0.400 - Oracle)
    Java SE Development Kit 6 Update 39 (HKLM-x32\...\{32A3A4F4-B792-11D6-A78A-00B0D0160390}) (Version: 1.6.0.390 - Oracle)

    Those are old versions of Java with known vulnerabilities that can be exploited by a web page to infect the computer. Most persons don't need to have Java installed at all, but if you need it, it's important to always have the latest version.

     

     

    3. The following script will delete all files in the recycle bin and in the temporary folders. If you have anything there that you want to keep, please move it.

     

    Please, start Notepad.
    Copy all text that is in the box:

    CreateRestorePoint:
    CloseProcesses:
    Task: {C1699D6E-E6F5-430A-A5FB-C36561F7FCA9} - System32\Tasks\{EEFAE0FD-6EC0-4B85-8196-86FD7FE74299} => pcalua.exe -a "C:\Users\Jeremy\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1M26CC7R\winsdk_web.exe" -d C:\Users\Jeremy\Desktop
    ShortcutWithArgument: C:\Users\Jeremy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Internet Explorer.lnk -> C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation) -> "hxxp://safebrowsing.biz/?ssid=1466249197&a=1003478&src=sh&uuid=7aa70476-3a02-4fe3-a32d-e79aafac657e"
    ShortcutWithArgument: C:\Users\Jeremy\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk -> C:\Program Files (x86)\Internet Explorer\iexplore.exe (Microsoft Corporation) -> "hxxp://safebrowsing.biz/?ssid=1466249197&a=1003478&src=sh&uuid=7aa70476-3a02-4fe3-a32d-e79aafac657e"
    ShortcutWithArgument: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> "hxxp://safebrowsing.biz/?ssid=1466249197&a=1003478&src=sh&uuid=7aa70476-3a02-4fe3-a32d-e79aafac657e" --disable-quic
    ShortcutWithArgument: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk -> C:\Program Files (x86)\Mozilla Firefox\firefox.exe (Mozilla Corporation) -> "hxxp://safebrowsing.biz/?ssid=1466249197&a=1003478&src=sh&uuid=7aa70476-3a02-4fe3-a32d-e79aafac657e"
    ShortcutWithArgument: C:\Users\Public\Desktop\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> "hxxp://safebrowsing.biz/?ssid=1466249197&a=1003478&src=sh&uuid=7aa70476-3a02-4fe3-a32d-e79aafac657e" --disable-quic
    ShortcutWithArgument: C:\Users\Public\Desktop\Mozilla Firefox.lnk -> C:\Program Files (x86)\Mozilla Firefox\firefox.exe (Mozilla Corporation) -> "hxxp://safebrowsing.biz/?ssid=1466249197&a=1003478&src=sh&uuid=7aa70476-3a02-4fe3-a32d-e79aafac657e"
    AlternateDataStreams: C:\Users\Jeremy\Desktop\adwcleaner_5.200.exe:BDU [0]
    AlternateDataStreams: C:\Users\Jeremy\Downloads\adwcleaner_5.200.exe:BDU [0]
    AlternateDataStreams: C:\Users\Jeremy\Downloads\FRST64.exe:BDU [0]
    IE trusted site: HKU\.DEFAULT\...\webcompanion.com -> hxxp://webcompanion.com
    IE trusted site: HKU\S-1-5-21-665035586-3844912205-1700048427-1001\...\webcompanion.com -> hxxp://webcompanion.com
    Hosts:
    Folder: C:\Program Files\030e03feb5f74bf3348e770c6260cc20
    CMD: ipconfig /flushdns
    EmptyTemp:
    and paste in Notepad. Check that no files have been split on two lines.
    Save the file as fixlist.txt on the desktop.

    Exit all programs.
    Start FRST, please.
    Click the Fix button.
    Wait until the tool has finished.

    It creates a log file, called Fixlog.txt, on the desktop.
    Please, paste the content of that file in your reply.
  • Customer

    The AdwCleaner report:

     

    # AdwCleaner v5.200 - Logfile created 20/06/2016 at 17:20:04

    # Updated 14/06/2016 by ToolsLib

    # Database : 2016-06-20.3 [server]

    # Operating system : Windows 10 Home (X64)

    # Username : Jeremy - JEREMY-LAPTOP

    # Running from : C:\Users\Jeremy\Desktop\adwcleaner_5.200.exe

    # Option : Clean



    ***** [ Services ] *****


    [x] Service Not Deleted : LavasoftTcpService

    [x] Service Not Deleted : WCAssistantService

    [-] Service Deleted : 76c57b794e6c8656618f09e27daee20d

    [-] Service Deleted : 7dbea00b08eb7d7f72afadf2fcf50533


    ***** [ Folders ] *****


    [x] Folder Not Deleted : C:\ProgramData\lavasoft\web companion

    [-] Folder Deleted : C:\ProgramData\779d90b7-2db7-0

    [-] Folder Deleted : C:\ProgramData\779d90b7-7635-1

    [x] Folder Not Deleted : C:\ProgramData\Application Data\lavasoft\web companion

    [#] Folder Deleted : C:\ProgramData\Application Data\779d90b7-2db7-0

    [#] Folder Deleted : C:\ProgramData\Application Data\779d90b7-7635-1

    [-] Folder Deleted : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Social2Sear

    [-] Folder Deleted : C:\Program Files (x86)\Max Driver Updater

    [x] Folder Not Deleted : C:\Program Files (x86)\lavasoft\web companion

    [-] Folder Deleted : C:\Program Files (x86)\232BBA00-1466249747-81E1-22A2-10BF482F6BC6

    [-] Folder Deleted : C:\Users\Jeremy\AppData\Local\Temp\MAXDriverUpdater

    [-] Folder Deleted : C:\Users\Jeremy\AppData\Roaming\Nosibay

    [-] Folder Deleted : C:\Users\Jeremy\AppData\Roaming\Store

    [-] Folder Deleted : C:\Users\Jeremy\AppData\Roaming\WTools

    [-] Folder Deleted : C:\Users\Jeremy\AppData\Roaming\SpringFiles

    [x] Folder Not Deleted : C:\Users\Jeremy\AppData\Roaming\lavasoft\web companion

    [#] Folder Deleted : C:\Users\Jeremy\AppData\Roaming\store

    [-] Folder Deleted : C:\Users\Jeremy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Bubble Dock

    [-] Folder Deleted : C:\Program Files\Caster


    ***** [ Files ] *****


    [-] File Deleted : C:\WINDOWS\SysWOW64\lavasofttcpservice.dll

    [-] File Deleted : C:\WINDOWS\SysWOW64\LavasoftTcpServiceOff.ini

    [-] File Deleted : C:\Users\Jeremy\AppData\Roaming\Bubble Dock.boostrap.log

    [-] File Deleted : C:\Users\Jeremy\AppData\Roaming\Bubble Dock.installation.log

    [-] File Deleted : C:\Users\Jeremy\AppData\Roaming\Selection Tools.installation.log

    [-] File Deleted : C:\Users\Jeremy\AppData\Roaming\WindApp.boostrap.log

    [-] File Deleted : C:\Users\Jeremy\AppData\Roaming\WindApp.installation.log

    [-] File Deleted : C:\WINDOWS\SysNative\LavasoftTcpService64.dll

    [-] File Deleted : C:\WINDOWS\SysNative\LavasoftTcpServiceOff.ini


    ***** [ DLLs ] *****



    ***** [ WMI ] *****



    ***** [ Shortcuts ] *****



    ***** [ Scheduled tasks ] *****


    [-] Task Deleted : WindApp Update

    [-] Task Deleted : Selection Tools Update

    [-] Task Deleted : Selection Tools Update


    ***** [ Registry ] *****


    [x] Key Not Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\webcompanion.com

    [-] Key Deleted : HKLM\SOFTWARE\Classes\AppID\3045035B-3C14-4698-8AC4-ADB18CC42C1E

    [x] Key Not Deleted : HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\webcompanion.com

    [-] Key Deleted : HKCU\Software\Classes\.bubbledock

    [-] Key Deleted : HKCU\Software\Classes\bubbledock

    [x] Key Not Deleted : HKLM\SOFTWARE\Classes\CLSID\{0015CAC9-FC30-4CD0-BFAA-7412CC2C4DD9}

    [x] Key Not Deleted : HKLM\SOFTWARE\Classes\CLSID\{26C7AFDB-3690-449E-B979-B0AF5CC56DD4}

    [x] Key Not Deleted : HKLM\SOFTWARE\Classes\CLSID\{3A5A5381-DAAF-4C0D-B032-2C66B3EE4A8D}

    [x] Key Not Deleted : HKLM\SOFTWARE\Classes\CLSID\{472EF1D2-4AAE-470D-AE85-6AF8177916FD}

    [x] Key Not Deleted : HKLM\SOFTWARE\Classes\CLSID\{8F010D54-C023-457F-AF03-497EACB6D519}

    [x] Key Not Deleted : HKLM\SOFTWARE\Classes\CLSID\{9A754403-27B1-4ED7-96D7-588F07888EBF}

    [x] Key Not Deleted : HKLM\SOFTWARE\Classes\CLSID\{CB31FF8F-BF80-4D2B-ADBE-12C6F5347890}

    [x] Key Not Deleted : HKLM\SOFTWARE\Classes\CLSID\{FCAA532B-E807-4027-940C-BA16B9D50105}

    [x] Key Not Deleted : HKLM\SOFTWARE\Classes\TypeLib\{ED62BC6E-64F1-46BE-866F-4C8DC0DF7057}

    [-] Key Deleted : HKCU\Software\Nosibay

    [-] Key Deleted : HKCU\Software\Store

    [-] Key Deleted : HKCU\Software\WajIEnhance

    [-] Key Deleted : HKCU\Software\WTools

    [-] Key Deleted : HKCU\Software\SrpnFiles

    [-] Key Deleted : HKCU\Software\Wizzlabs

    [-] Key Deleted : HKCU\Software\MICROSOFT\IDSC

    [x] Key Not Deleted : HKCU\Software\AppDataLow\Software\adawarebp

    [-] Key Deleted : HKLM\SOFTWARE\SrpnFiles

    [x] Key Not Deleted : HKLM\SOFTWARE\Lavasoft\Web Companion

    [-] Key Deleted : HKLM\SOFTWARE\Social2Sear

    [x] Key Not Deleted : HKLM\SOFTWARE\AVSoftware

    [-] Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Bubble Dock

    [-] Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Selection Tools

    [-] Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\windapp

    [-] Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\11598763487076930564

    [-] Key Deleted : [x64] HKLM\SOFTWARE\Social2Sear

    [-] Key Deleted : [x64] HKLM\SOFTWARE\AVSoftware

    [-] Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d35e5e88-e5b8-447f-b6f4-66bc7aa638d1}

    [x] Key Not Deleted : HKU\S-1-5-21-665035586-3844912205-1700048427-1001\Software\AppDataLow\Software\adawarebp

    [-] Value Deleted : HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules [{1374E61D-8EEB-4E2D-BA96-1176C22CDBBF}]

    [-] Value Deleted : HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules [{0E008854-7C81-4DD1-8FF0-4384B0AF1190}]

    [-] Value Deleted : HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules [{C36091A4-6D37-48B5-8CDB-723E753D2BE8}]

    [-] Value Deleted : HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules [{038658C6-0064-49FD-B2E6-212E012CA257}]

    [-] Value Deleted : HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules [{EFABDB3E-91D1-4C19-B23B-87264222641B}]

    [-] Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}

    [-] Key Deleted : HKU\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}

    [-] Key Deleted : HKU\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes\{BA1BE292-1D15-488B-934D-008742212380}

    [#] Data Restored : HKU\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes [DefaultScope]

    [#] Data Restored : HKU\S-1-5-18\Software\Microsoft\Internet Explorer\SearchScopes [DefaultScope]

    [-] Value Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Run [selection Tools]

    [#] Value Deleted : HKU\S-1-5-21-665035586-3844912205-1700048427-1001\Software\Microsoft\Windows\CurrentVersion\Run [selection Tools]

    [x] Value Not Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Run [Web Companion]

    [x] Value Not Deleted : HKU\S-1-5-21-665035586-3844912205-1700048427-1001\Software\Microsoft\Windows\CurrentVersion\Run [Web Companion]

    [-] Value Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Run [Caster]

    [#] Value Deleted : HKU\S-1-5-21-665035586-3844912205-1700048427-1001\Software\Microsoft\Windows\CurrentVersion\Run [Caster]


    ***** [ Web browsers ] *****



    *************************


    :: "Tracing" keys deleted

    :: "Prefetch" files deleted

    :: Proxy settings cleared

    :: Winsock settings cleared


    *************************


    C:\AdwCleaner\AdwCleaner[C1].txt - [7553 bytes] - [20/06/2016 17:20:04]

    C:\AdwCleaner\AdwCleaner[R0].txt - [1896 bytes] - [03/04/2015 17:28:35]

    C:\AdwCleaner\AdwCleaner[s0].txt - [1283 bytes] - [03/04/2015 17:31:25]

    C:\AdwCleaner\AdwCleaner[s1].txt - [8992 bytes] - [20/06/2016 15:48:03]

    C:\AdwCleaner\AdwCleaner[s2].txt - [9065 bytes] - [20/06/2016 17:08:35]


    ########## EOF - C:\AdwCleaner\AdwCleaner[C1].txt - [7918 bytes] ##########



    List of found threats:



    C:\AdwCleaner\FileQuarantine\C\Program Files\Caster\wizzcaster.exe.vir a variant of MSIL/Adware.CsdiMonetize.B application

    C:\AdwCleaner\FileQuarantine\C\Program Files (x86)\232BBA00-1466249747-81E1-22A2-10BF482F6BC6\Uninstall.exe.vir Win32/Adware.ConvertAd.AEY application

    C:\AdwCleaner\FileQuarantine\C\Users\Jeremy\AppData\Roaming\WTools\Selection Tools\Selection Tools Uninstall.exe.vir Win32/BubbleDock.C potentially unwanted application

    C:\AdwCleaner\FileQuarantine\C\Users\Jeremy\AppData\Roaming\WTools\Selection Tools\Selection Tools Update.exe.vir Win32/BubbleDock.C potentially unwanted application

    C:\AdwCleaner\Quarantine\C\ProgramData\apn\APN-Stub\W3IV6-G\APNIC.7z.vir Win32/Bundled.Toolbar.Ask.B potentially unsafe application

    C:\AdwCleaner\Quarantine\C\ProgramData\apn\APN-Stub\W3IV6-G\APNIC.dll.vir Win32/Bundled.Toolbar.Ask.B potentially unsafe application



     

    Addition.txt

    FRST.txt

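An added example (not part of the original thread, and not AdwCleaner's own code): a Python check that parses a Clean report in the format shown above and flags entries that were deleted even though they match names the helper meant to keep, which is the situation described when some Web Companion files were removed. The keep patterns and all function names are assumptions chosen for illustration; the sample lines are an excerpt of the report in this thread.

```python
import re
from collections import Counter, namedtuple

# Excerpt of lines from the Clean report posted in the thread.
SAMPLE_LOG = r"""
# Option : Clean

***** [ Services ] *****

[x] Service Not Deleted : LavasoftTcpService
[x] Service Not Deleted : WCAssistantService
[-] Service Deleted : 76c57b794e6c8656618f09e27daee20d

***** [ Folders ] *****

[x] Folder Not Deleted : C:\ProgramData\lavasoft\web companion
[-] Folder Deleted : C:\Program Files\Caster

***** [ Files ] *****

[-] File Deleted : C:\WINDOWS\SysWOW64\lavasofttcpservice.dll
[-] File Deleted : C:\WINDOWS\SysWOW64\LavasoftTcpServiceOff.ini
[-] File Deleted : C:\Users\Jeremy\AppData\Roaming\WindApp.installation.log

***** [ Registry ] *****

[x] Key Not Deleted : HKLM\SOFTWARE\Lavasoft\Web Companion
[-] Key Deleted : HKCU\Software\Nosibay
[#] Data Restored : HKU\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes [DefaultScope]
[x] Value Not Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Run [Web Companion]

*************************
"""

# Assumption: case-insensitive substrings for items the analyst wanted to keep
# (derived from the "remove the check mark" list in the thread).
KEEP_PATTERNS = ("lavasoft", "web companion", "webcompanion", "wcassistant")

SECTION_RE = re.compile(r"^\*{5} \[ (?P<name>.+?) \] \*{5}$")
ENTRY_RE = re.compile(
    r"^\[(?P<flag>[x#-])\] (?P<kind>\w+) "
    r"(?P<action>Not Deleted|Deleted|Restored) : (?P<item>.+)$"
)

Entry = namedtuple("Entry", "section flag kind action item")


def parse_clean_log(text):
    """Return one Entry per result line, tagged with the section it appeared in."""
    section = None
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group("name")
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append(Entry(section, m["flag"], m["kind"], m["action"], m["item"]))
    return entries


def audit(entries, keep_patterns):
    """Split out the two cases that need follow-up.

    collateral: items changed (deleted or restored) although they match a keep pattern.
    failed:     items left in place that were NOT meant to be kept (removal failed).
    """
    def protected(item):
        low = item.lower()
        return any(p in low for p in keep_patterns)

    collateral = [e for e in entries if e.action != "Not Deleted" and protected(e.item)]
    failed = [e for e in entries if e.action == "Not Deleted" and not protected(e.item)]
    return collateral, failed


def summarize(entries):
    """Count entries per action, e.g. {'Deleted': 6, ...}."""
    return dict(Counter(e.action for e in entries))


if __name__ == "__main__":
    parsed = parse_clean_log(SAMPLE_LOG)
    collateral, failed = audit(parsed, KEEP_PATTERNS)
    print(summarize(parsed))
    for e in collateral:
        print(f"removed but meant to be kept: [{e.section}] {e.item}")
    for e in failed:
        print(f"still present, removal failed: [{e.section}] {e.item}")
```

Running it against the full `AdwCleaner[C1].txt` instead of the excerpt only requires reading that file and passing its text to `parse_clean_log`.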
  • Customer

    Fixlog.txt:

     

    Fix result of Farbar Recovery Scan Tool (x64) Version: 20-06-2016 01

    Ran by Jeremy (2016-06-23 08:04:29) Run:1

    Running from C:\Users\Jeremy\Desktop

    Loaded Profiles: Jeremy (Available Profiles: UpdatusUser & Jeremy & Classic .NET AppPool & ASP.NET V4.0 Integrated & DefaultAppPool)

    Boot Mode: Normal

    ==============================================


    fixlist content:

    *****************

    CreateRestorePoint:

    CloseProcesses:

    Task: {C1699D6E-E6F5-430A-A5FB-C36561F7FCA9} - System32\Tasks\{EEFAE0FD-6EC0-4B85-8196-86FD7FE74299} => pcalua.exe -a "C:\Users\Jeremy\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1M26CC7R\winsdk_web.exe" -d C:\Users\Jeremy\Desktop

    ShortcutWithArgument: C:\Users\Jeremy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Internet Explorer.lnk -> C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation) -> "hxxp://safebrowsing.biz/?ssid=1466249197&a=1003478&src=sh&uuid=7aa70476-3a02-4fe3-a32d-e79aafac657e"

    ShortcutWithArgument: C:\Users\Jeremy\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk -> C:\Program Files (x86)\Internet Explorer\iexplore.exe (Microsoft Corporation) -> "hxxp://safebrowsing.biz/?ssid=1466249197&a=1003478&src=sh&uuid=7aa70476-3a02-4fe3-a32d-e79aafac657e"

    ShortcutWithArgument: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> "hxxp://safebrowsing.biz/?ssid=1466249197&a=1003478&src=sh&uuid=7aa70476-3a02-4fe3-a32d-e79aafac657e" --disable-quic

    ShortcutWithArgument: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk -> C:\Program Files (x86)\Mozilla Firefox\firefox.exe (Mozilla Corporation) -> "hxxp://safebrowsing.biz/?ssid=1466249197&a=1003478&src=sh&uuid=7aa70476-3a02-4fe3-a32d-e79aafac657e"

    ShortcutWithArgument: C:\Users\Public\Desktop\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> "hxxp://safebrowsing.biz/?ssid=1466249197&a=1003478&src=sh&uuid=7aa70476-3a02-4fe3-a32d-e79aafac657e" --disable-quic

    ShortcutWithArgument: C:\Users\Public\Desktop\Mozilla Firefox.lnk -> C:\Program Files (x86)\Mozilla Firefox\firefox.exe (Mozilla Corporation) -> "hxxp://safebrowsing.biz/?ssid=1466249197&a=1003478&src=sh&uuid=7aa70476-3a02-4fe3-a32d-e79aafac657e"

    AlternateDataStreams: C:\Users\Jeremy\Desktop\adwcleaner_5.200.exe:BDU [0]

    AlternateDataStreams: C:\Users\Jeremy\Downloads\adwcleaner_5.200.exe:BDU [0]

    AlternateDataStreams: C:\Users\Jeremy\Downloads\FRST64.exe:BDU [0]

    IE trusted site: HKU\.DEFAULT\...\webcompanion.com -> hxxp://webcompanion.com

    IE trusted site: HKU\S-1-5-21-665035586-3844912205-1700048427-1001\...\webcompanion.com -> hxxp://webcompanion.com

    Hosts:

    Folder: C:\Program Files\030e03feb5f74bf3348e770c6260cc20

    CMD: ipconfig /flushdns

    EmptyTemp:

    *****************


    Restore point was successfully created.

    Processes closed successfully.

    "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{C1699D6E-E6F5-430A-A5FB-C36561F7FCA9}" => key removed successfully

    "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{C1699D6E-E6F5-430A-A5FB-C36561F7FCA9}" => key removed successfully

    C:\WINDOWS\System32\Tasks\{EEFAE0FD-6EC0-4B85-8196-86FD7FE74299} => moved successfully

    "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{EEFAE0FD-6EC0-4B85-8196-86FD7FE74299}" => key removed successfully

    C:\Users\Jeremy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Internet Explorer.lnk => Shortcut argument removed successfully.

    C:\Users\Jeremy\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk => Shortcut argument removed successfully.

    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk => Shortcut argument removed successfully.

    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk => Shortcut argument removed successfully.

    C:\Users\Public\Desktop\Google Chrome.lnk => Shortcut argument removed successfully.

    C:\Users\Public\Desktop\Mozilla Firefox.lnk => Shortcut argument removed successfully.

    C:\Users\Jeremy\Desktop\adwcleaner_5.200.exe => ":BDU" ADS removed successfully.

    C:\Users\Jeremy\Downloads\adwcleaner_5.200.exe => ":BDU" ADS removed successfully.

    "C:\Users\Jeremy\Downloads\FRST64.exe" => ":BDU" ADS not found.

    "HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\webcompanion.com" => key removed successfully

    "HKU\S-1-5-21-665035586-3844912205-1700048427-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\webcompanion.com" => key removed successfully

    C:\Windows\System32\Drivers\etc\hosts => moved successfully

    Hosts restored successfully.


    ========================= Folder: C:\Program Files\030e03feb5f74bf3348e770c6260cc20 ========================


    2016-06-18 16:38 - 2016-06-20 16:44 - 0026784 _____ () C:\Program Files\030e03feb5f74bf3348e770c6260cc20\06dcc0fab9a3e19ffeaf5bba285bc6fe

    2016-06-13 15:17 - 2016-06-13 15:17 - 28838400 _____ () C:\Program Files\030e03feb5f74bf3348e770c6260cc20\16a40500ca93a270f44c6a16757098e6.exe

    2016-06-13 15:13 - 2016-06-13 15:13 - 0935165 _____ () C:\Program Files\030e03feb5f74bf3348e770c6260cc20\33cccbee74c2e06a472ff8ccc8ca29c6.exe

    2016-06-18 16:38 - 2016-06-18 16:38 - 0000019 _____ () C:\Program Files\030e03feb5f74bf3348e770c6260cc20\76c57b794e6c8656618f09e27daee20d.cfg

    2016-06-13 15:13 - 2016-06-18 16:38 - 0002642 _____ () C:\Program Files\030e03feb5f74bf3348e770c6260cc20\76c57b794e6c8656618f09e27daee20d.inf

    2016-06-13 15:13 - 2016-06-13 15:13 - 0079944 _____ () C:\Program Files\030e03feb5f74bf3348e770c6260cc20\76c57b794e6c8656618f09e27daee20d.sys

    2016-06-13 15:13 - 2016-06-13 15:13 - 0004286 _____ () C:\Program Files\030e03feb5f74bf3348e770c6260cc20\a9c06be8aaaa2b370cc46ca767d1f5c6.ico

    2016-06-13 15:24 - 2016-06-13 15:24 - 20770304 _____ () C:\Program Files\030e03feb5f74bf3348e770c6260cc20\b6b2a7e74dd6c3efe688948052faabef.exe

    2016-06-13 15:13 - 2016-06-18 16:38 - 0076453 _____ () C:\Program Files\030e03feb5f74bf3348e770c6260cc20\ba86aa26a321dc11f6601770310eed59

    2016-06-13 15:24 - 2016-06-20 08:11 - 0762537 _____ () C:\Program Files\030e03feb5f74bf3348e770c6260cc20\c085066c835f924d7a69d259ff73464c.exe

    2016-06-13 15:24 - 2016-06-13 15:24 - 0693165 _____ () C:\Program Files\030e03feb5f74bf3348e770c6260cc20\fe2e6be8dcba3137608a20524860e07e.exe

    2016-06-18 16:38 - 2016-06-18 16:38 - 0000000 ____D () C:\Program Files\030e03feb5f74bf3348e770c6260cc20\c1f607efaa89c48aec6491dadf8a75eb

    2016-05-12 19:31 - 2016-05-12 19:31 - 0003262 _____ () C:\Program Files\030e03feb5f74bf3348e770c6260cc20\c1f607efaa89c48aec6491dadf8a75eb\17fd7fd4989bc84ed8e7055e6a297027.ico

    2016-06-13 15:13 - 2016-06-13 15:13 - 0004286 _____ () C:\Program Files\030e03feb5f74bf3348e770c6260cc20\c1f607efaa89c48aec6491dadf8a75eb\a9c06be8aaaa2b370cc46ca767d1f5c6.ico

    2016-05-12 19:31 - 2016-05-12 19:31 - 0003262 _____ () C:\Program Files\030e03feb5f74bf3348e770c6260cc20\c1f607efaa89c48aec6491dadf8a75eb\fc50f88ada67e8d36a38dcccadb10edd.ico

    2016-06-18 16:38 - 2016-06-20 08:11 - 0000000 ____D () C:\Program Files\030e03feb5f74bf3348e770c6260cc20\c4575512726f0d10239e6f69e9d7904b

    2016-06-20 08:11 - 2016-06-20 08:11 - 23373824 _____ () C:\Program Files\030e03feb5f74bf3348e770c6260cc20\c4575512726f0d10239e6f69e9d7904b\axphcw.dll

    2016-06-20 08:11 - 2016-06-20 08:11 - 12332544 _____ () C:\Program Files\030e03feb5f74bf3348e770c6260cc20\c4575512726f0d10239e6f69e9d7904b\fouttc.dll


    ====== End of Folder: ======



    ========= ipconfig /flushdns =========



    Windows IP Configuration


    Successfully flushed the DNS Resolver Cache.


    ========= End of CMD: =========



    =========== EmptyTemp: ==========


    BITS transfer queue => 48171 B

    DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 11911835 B

    Java, Flash, Steam htmlcache => 2632 B

    Windows/system/drivers => 26005794 B

    Edge => 59532403 B

    Chrome => 1 B

    Firefox => 27553283 B

    Opera => 0 B


    Temp, IE cache, history, cookies, recent:

    Default => 6148 B

    ProgramData => 0 B

    Public => 0 B

    systemprofile => 0 B

    systemprofile32 => 0 B

    LocalService => 57392 B

    NetworkService => 334325 B

    UpdatusUser => 0 B

    Jeremy => 449640218 B

    Classic .NET AppPool => 0 B

    ASP.NET V4.0 Integrated => 0 B

    DefaultAppPool => 0 B


    RecycleBin => 30218400 B

    EmptyTemp: => 577.3 MB temporary data Removed.


    ================================



    The system needed a reboot.


    ==== End of Fixlog 08:08:05 ====

    0
  • Support

    Please, start Notepad.
    Copy all text that is in the box:

    CreateRestorePoint:
    CloseProcesses:
    C:\Program Files\030e03feb5f74bf3348e770c6260cc20
    Reboot:

    and paste in Notepad. Check that no files have been split on two lines.
    Save the file as fixlist.txt on the desktop.

    Exit all programs.
    Start FRST, please.
    Click the Fix button.
    Wait until the tool has finished.

    It creates a log file, called Fixlog.txt, on the desktop.
    Please, paste the content of that file in your reply.

     

     

    Do you notice any adware now?

    Or is it time to uninstall FRST and AdwCleaner?

    0
  • Customer

    There is still some adware, although it's less frequent than before.

     

    Here is Fixlog.txt:

     

    Fix result of Farbar Recovery Scan Tool (x64) Version: 20-06-2016 01

    Ran by Jeremy (2016-06-23 17:28:04) Run:2

    Running from C:\Users\Jeremy\Desktop

    Loaded Profiles: Jeremy (Available Profiles: UpdatusUser & Jeremy & Classic .NET AppPool & ASP.NET V4.0 Integrated & DefaultAppPool)

    Boot Mode: Normal

    ==============================================


    fixlist content:

    *****************

    CreateRestorePoint:

    CloseProcesses:

    C:\Program Files\030e03feb5f74bf3348e770c6260cc20

    Reboot:

    *****************


    Restore point was successfully created.

    Processes closed successfully.

    C:\Program Files\030e03feb5f74bf3348e770c6260cc20 => moved successfully



    The system needed a reboot.


    ==== End of Fixlog 17:28:07 ====

    0
  • Support

    Good!

     

    1. Please, start AdwCleaner.

    Click on the Scan button.

    Wait until the search has finished.

    Click on the Log file button.
    A report will be displayed, copy its content and paste into your reply.
    If the report isn't displayed, it's available as C:\AdwCleaner\AdwCleaner[sx].txt.

     

     

    2. Please, start FRST.

    Select Shortcut.txt and Addition.txt and then let the program scan the computer.

    Attach the three new logs (FRST.txt, Addition.txt and Shortcut.txt).

    0
  • Customer

    AdwCleaner log file:

     

    # AdwCleaner v5.200 - Logfile created 24/06/2016 at 19:57:02

    # Updated 14/06/2016 by ToolsLib

    # Database : 2016-06-23.1 [server]

    # Operating system : Windows 10 Home (X64)

    # Username : Jeremy - JEREMY-LAPTOP

    # Running from : C:\Users\Jeremy\Desktop\adwcleaner_5.200.exe

    # Option : Scan



    ***** [ Services ] *****


    Service Found : LavasoftTcpService

    Service Found : WCAssistantService


    ***** [ Folders ] *****


    Folder Found : C:\ProgramData\lavasoft\web companion

    Folder Found : C:\ProgramData\Application Data\lavasoft\web companion

    Folder Found : C:\Program Files (x86)\lavasoft\web companion

    Folder Found : C:\Users\Jeremy\AppData\Roaming\lavasoft\web companion


    ***** [ Files ] *****


    File Found : C:\WINDOWS\SysWOW64\lavasofttcpservice.dll

    File Found : C:\WINDOWS\SysNative\LavasoftTcpService64.dll

    File Found : C:\WINDOWS\SysNative\drivers\76c57b794e6c8656618f09e27daee20d.sys


    ***** [ DLL ] *****



    ***** [ WMI ] *****



    ***** [ Shortcuts ] *****



    ***** [ Scheduled tasks ] *****



    ***** [ Registry ] *****


    Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\webcompanion.com

    Key Found : HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\webcompanion.com

    Key Found : HKLM\SOFTWARE\Classes\CLSID\{0015CAC9-FC30-4CD0-BFAA-7412CC2C4DD9}

    Key Found : HKLM\SOFTWARE\Classes\CLSID\{26C7AFDB-3690-449E-B979-B0AF5CC56DD4}

    Key Found : HKLM\SOFTWARE\Classes\CLSID\{3A5A5381-DAAF-4C0D-B032-2C66B3EE4A8D}

    Key Found : HKLM\SOFTWARE\Classes\CLSID\{472EF1D2-4AAE-470D-AE85-6AF8177916FD}

    Key Found : HKLM\SOFTWARE\Classes\CLSID\{8F010D54-C023-457F-AF03-497EACB6D519}

    Key Found : HKLM\SOFTWARE\Classes\CLSID\{9A754403-27B1-4ED7-96D7-588F07888EBF}

    Key Found : HKLM\SOFTWARE\Classes\CLSID\{CB31FF8F-BF80-4D2B-ADBE-12C6F5347890}

    Key Found : HKLM\SOFTWARE\Classes\CLSID\{FCAA532B-E807-4027-940C-BA16B9D50105}

    Key Found : HKLM\SOFTWARE\Classes\TypeLib\{ED62BC6E-64F1-46BE-866F-4C8DC0DF7057}

    Key Found : HKCU\Software\AppDataLow\Software\adawarebp

    Key Found : HKLM\SOFTWARE\Lavasoft\Web Companion

    Key Found : HKLM\SOFTWARE\AVSoftware

    Key Found : HKU\S-1-5-21-665035586-3844912205-1700048427-1001\Software\AppDataLow\Software\adawarebp

    Key Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}

    Key Found : HKU\S-1-5-21-665035586-3844912205-1700048427-1001\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}

    Value Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Run [Web Companion]

    Value Found : HKU\S-1-5-21-665035586-3844912205-1700048427-1001\Software\Microsoft\Windows\CurrentVersion\Run [Web Companion]


    ***** [ Web browsers ] *****



    *************************


    C:\AdwCleaner\AdwCleaner[C1].txt - [8009 bytes] - [20/06/2016 17:20:04]

    C:\AdwCleaner\AdwCleaner[R0].txt - [1896 bytes] - [03/04/2015 17:28:35]

    C:\AdwCleaner\AdwCleaner[s0].txt - [1283 bytes] - [03/04/2015 17:31:25]

    C:\AdwCleaner\AdwCleaner[s1].txt - [8992 bytes] - [20/06/2016 15:48:03]

    C:\AdwCleaner\AdwCleaner[s2].txt - [9065 bytes] - [20/06/2016 17:08:35]

    C:\AdwCleaner\AdwCleaner[s3].txt - [3192 bytes] - [24/06/2016 19:57:02]


    ########## EOF - C:\AdwCleaner\AdwCleaner[s3].txt - [3265 bytes] ##########



    Addition.txt

    FRST.txt

    Shortcut.txt

    0
  • Support

    1. Please, start Notepad.
    Copy all text that is in the box:

    CreateRestorePoint:
    CloseProcesses:
    SearchScopes: HKU\.DEFAULT -> DefaultScope {BA1BE292-1D15-488B-934D-008742212380} URL =
    2016-06-13 15:13 - 2016-06-13 15:13 - 00142495 _____ C:\WINDOWS\33cccbee74c2e06a472ff8ccc8ca29c6.exe
    2016-06-13 15:13 - 2016-06-13 15:13 - 00079944 _____ C:\WINDOWS\system32\Drivers\76c57b794e6c8656618f09e27daee20d.sys
    AlternateDataStreams: C:\Users\Jeremy\Downloads\esetonlinescanner_enu (1).exe:BDU [0]
    AlternateDataStreams: C:\Users\Jeremy\Downloads\WcInstaller.exe:BDU [0]
    IE trusted site: HKU\.DEFAULT\...\webcompanion.com -> hxxp://webcompanion.com
    IE trusted site: HKU\S-1-5-21-665035586-3844912205-1700048427-1001\...\webcompanion.com -> hxxp://webcompanion.com
    CMD: ipconfig /flushdns
    Reboot:

    and paste in Notepad. Check that no files have been split on two lines.
    Save the file as fixlist.txt on the desktop.

    Exit all programs.
    Start FRST, please.
    Click the Fix button.
    Wait until the tool has finished.

    It creates a log file, called Fixlog.txt, on the desktop.
    Please, paste the content of that file in your reply.

     

     

    2. Do you see this adware in all browsers?

    Please, describe when and how it's visible.

    Do you have other computers connected to the same router?

    If yes: Is the same adware in them?

    0
  • Customer

    Sorry for the delayed reply!




    Here is the fix log:






    Fix result of Farbar Recovery Scan Tool (x64) Version: 02-07-2016


    Ran by Jeremy (2016-07-06 09:10:18) Run:3


    Running from C:\Users\Jeremy\Desktop


    Loaded Profiles: Jeremy (Available Profiles: UpdatusUser & Jeremy & Classic .NET AppPool & ASP.NET V4.0 Integrated & DefaultAppPool)


    Boot Mode: Normal


    ==============================================




    fixlist content:


    *****************


    CreateRestorePoint:


    CloseProcesses:


    SearchScopes: HKU\.DEFAULT -> DefaultScope {BA1BE292-1D15-488B-934D-008742212380} URL =


    2016-06-13 15:13 - 2016-06-13 15:13 - 00142495 _____ C:\WINDOWS\33cccbee74c2e06a472ff8ccc8ca29c6.exe


    2016-06-13 15:13 - 2016-06-13 15:13 - 00079944 _____ C:\WINDOWS\system32\Drivers\76c57b794e6c8656618f09e27daee20d.sys


    AlternateDataStreams: C:\Users\Jeremy\Downloads\esetonlinescanner_enu (1).exe:BDU [0]


    AlternateDataStreams: C:\Users\Jeremy\Downloads\WcInstaller.exe:BDU [0]


    IE trusted site: HKU\.DEFAULT\...\webcompanion.com -> hxxp://webcompanion.com


    IE trusted site: HKU\S-1-5-21-665035586-3844912205-1700048427-1001\...\webcompanion.com -> hxxp://webcompanion.com


    CMD: ipconfig /flushdns


    Reboot:


    *****************




    Restore point was successfully created.


    Processes closed successfully.


    HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value removed successfully


    C:\WINDOWS\33cccbee74c2e06a472ff8ccc8ca29c6.exe => moved successfully


    C:\WINDOWS\system32\Drivers\76c57b794e6c8656618f09e27daee20d.sys => moved successfully


    C:\Users\Jeremy\Downloads\esetonlinescanner_enu (1).exe => ":BDU" ADS removed successfully.


    C:\Users\Jeremy\Downloads\WcInstaller.exe => ":BDU" ADS removed successfully.


    "HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\webcompanion.com" => key removed successfully


    "HKU\S-1-5-21-665035586-3844912205-1700048427-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\webcompanion.com" => key removed successfully




    ========= ipconfig /flushdns =========






    Windows IP Configuration




    Successfully flushed the DNS Resolver Cache.




    ========= End of CMD: =========








    The system needed a reboot.




    ==== End of Fixlog 09:10:21 ====


    0
  • Customer

    I don't see the adware in the browsers anymore

     

    Thanks for your help!

    0
  • Support

    Good!

     

    Time for final clean-up.


    1. Please, turn off all programs, including browsers.
    Double-click on AdwCleaner to start the program.

    Click on the Uninstall button.


    2. Download OTC http://oldtimer.geekstogo.com/OTC.exe
    Close all programs.
    Start OTC program.
    Click the CleanUp! button.
    Select Yes when asked "Begin cleanup process".
    If you are asked to reboot, select Yes.
    If any logs remain on the computer you can remove them.


    3. It is very important to keep Windows and all programs updated. An old version of, for example, Flash contains vulnerabilities that make it easy to infect the computer from a web page. To help you with keeping everything updated you can use the program Secunia Personal Software Inspector (PSI). http://www.bleepingcomputer.com/tutorials/detect-vulnerable-programs-with-secunia-psi/ describes how to install and use the program.

    0
  • Customer

    The OTC program is blocked by AdAware.

    0
  • Support

    Sorry, I'll let Lavasoft know that there is a false positive in Ad-Aware.

     

    Please, try to download from here: http://www.geekstogo.com/forum/files/file/403-otc-oldtimers-clean-it/

     

    If that doesn't help, please disable Ad-Aware while downloading and running OTC.

    0
  • Support

    Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :) If you're the topic starter, and need this topic reopened, please contact the staff member who was helping you with your issue. Everyone else please begin a New Topic. Thank you!

    0
