Sign in to follow this  
jeremyorme

Chrome, Firefox and Edge browsers jumping to ad pages

Recommended Posts

Hi,

 

My browsers are all jumping to dubious pages. I have tried resetting them and it fixes the problem for a few minutes then it comes back again. I have run the full scan from adaware pro and it found a bunch of things but removing them hasn't helped this problem.

 

Thanks

Jeremy

FRST.txt

Addition.txt

Share this post


Link to post
Share on other sites

Hi jeremnyorme,

 

Please, save AdwCleaner by Xplode on the desktop: https://toolslib.net/downloads/viewdownload/1-adwcleaner/

Turn off all programs, including browsers.
Double-click on AdwCleaner to start the program.

 

In the Options menu, please select (don't touch the default selections):

  • Reset Proxy Settings
  • Delete Prefetch Files

Click on the Scan button.
Wait until the search has finished.

Click on the Log file button.
A report will be displayed, copy its content and paste into your reply.
If the report isn't displayed, it's available as C:\AdwCleaner\AdwCleaner[s0].txt.

Share this post


Link to post
Share on other sites

Thanks CeciliaB!

 

Here is the log output:

 

# AdwCleaner v5.200 - Logfile created 20/06/2016 at 15:48:03
# Updated 14/06/2016 by ToolsLib
# Database : 2016-06-20.2 [server]
# Operating system : Windows 10 Home (X64)
# Username : Jeremy - JEREMY-LAPTOP
# Running from : C:\Users\Jeremy\Desktop\adwcleaner_5.200.exe
# Option : Scan
***** [ Services ] *****
Service Found : LavasoftTcpService
Service Found : WCAssistantService
Service Found : 76c57b794e6c8656618f09e27daee20d
Service Found : 7dbea00b08eb7d7f72afadf2fcf50533
***** [ Folders ] *****
Folder Found : C:\ProgramData\lavasoft\web companion
Folder Found : C:\ProgramData\779d90b7-2db7-0
Folder Found : C:\ProgramData\779d90b7-7635-1
Folder Found : C:\ProgramData\Application Data\lavasoft\web companion
Folder Found : C:\ProgramData\Application Data\779d90b7-2db7-0
Folder Found : C:\ProgramData\Application Data\779d90b7-7635-1
Folder Found : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Social2Sear
Folder Found : C:\Program Files (x86)\Max Driver Updater
Folder Found : C:\Program Files (x86)\lavasoft\web companion
Folder Found : C:\Program Files (x86)\232BBA00-1466249747-81E1-22A2-10BF482F6BC6
Folder Found : C:\Users\Jeremy\AppData\Local\Temp\MAXDriverUpdater
Folder Found : C:\Users\Jeremy\AppData\Roaming\Nosibay
Folder Found : C:\Users\Jeremy\AppData\Roaming\Store
Folder Found : C:\Users\Jeremy\AppData\Roaming\WTools
Folder Found : C:\Users\Jeremy\AppData\Roaming\SpringFiles
Folder Found : C:\Users\Jeremy\AppData\Roaming\lavasoft\web companion
Folder Found : C:\Users\Jeremy\AppData\Roaming\store
Folder Found : C:\Users\Jeremy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Bubble Dock
Folder Found : C:\Program Files\Caster
***** [ Files ] *****
File Found : C:\WINDOWS\SysWOW64\lavasofttcpservice.dll
File Found : C:\WINDOWS\SysWOW64\LavasoftTcpServiceOff.ini
File Found : C:\Users\Jeremy\AppData\Roaming\Bubble Dock.boostrap.log
File Found : C:\Users\Jeremy\AppData\Roaming\Bubble Dock.installation.log
File Found : C:\Users\Jeremy\AppData\Roaming\Selection Tools.installation.log
File Found : C:\Users\Jeremy\AppData\Roaming\WindApp.boostrap.log
File Found : C:\Users\Jeremy\AppData\Roaming\WindApp.installation.log
File Found : C:\WINDOWS\SysNative\LavasoftTcpService64.dll
File Found : C:\WINDOWS\SysNative\LavasoftTcpServiceOff.ini
***** [ DLL ] *****
***** [ WMI ] *****
***** [ Shortcuts ] *****
***** [ Scheduled tasks ] *****
Task Found : WindApp Update
Task Found : Selection Tools Update
Task Found : Selection Tools Update
***** [ Registry ] *****
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\webcompanion.com
Key Found : HKLM\SOFTWARE\Classes\AppID\3045035B-3C14-4698-8AC4-ADB18CC42C1E
Key Found : HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\webcompanion.com
Key Found : HKCU\Software\Classes\.bubbledock
Key Found : HKCU\Software\Classes\bubbledock
Key Found : HKU\S-1-5-21-665035586-3844912205-1700048427-1001\Software\Classes\.bubbledock
Key Found : HKU\S-1-5-21-665035586-3844912205-1700048427-1001\Software\Classes\bubbledock
Key Found : HKLM\SOFTWARE\Classes\AppID\3045035B-3C14-4698-8AC4-ADB18CC42C1E
Key Found : HKLM\SOFTWARE\Classes\CLSID\{0015CAC9-FC30-4CD0-BFAA-7412CC2C4DD9}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{26C7AFDB-3690-449E-B979-B0AF5CC56DD4}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{3A5A5381-DAAF-4C0D-B032-2C66B3EE4A8D}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{472EF1D2-4AAE-470D-AE85-6AF8177916FD}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{8F010D54-C023-457F-AF03-497EACB6D519}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{9A754403-27B1-4ED7-96D7-588F07888EBF}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{CB31FF8F-BF80-4D2B-ADBE-12C6F5347890}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{FCAA532B-E807-4027-940C-BA16B9D50105}
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{ED62BC6E-64F1-46BE-866F-4C8DC0DF7057}
Key Found : HKCU\Software\Nosibay
Key Found : HKCU\Software\Store
Key Found : HKCU\Software\WajIEnhance
Key Found : HKCU\Software\WTools
Key Found : HKCU\Software\SrpnFiles
Key Found : HKCU\Software\Wizzlabs
Key Found : HKCU\Software\MICROSOFT\IDSC
Key Found : HKCU\Software\AppDataLow\Software\adawarebp
Key Found : HKLM\SOFTWARE\SrpnFiles
Key Found : HKLM\SOFTWARE\Lavasoft\Web Companion
Key Found : HKLM\SOFTWARE\Social2Sear
Key Found : HKLM\SOFTWARE\AVSoftware
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Bubble Dock
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Selection Tools
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\windapp
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\WindApp
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\11598763487076930564
Key Found : [x64] HKLM\SOFTWARE\Social2Sear
Key Found : [x64] HKLM\SOFTWARE\AVSoftware
Key Found : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d35e5e88-e5b8-447f-b6f4-66bc7aa638d1}
Key Found : HKU\S-1-5-21-665035586-3844912205-1700048427-1001\Software\Nosibay
Key Found : HKU\S-1-5-21-665035586-3844912205-1700048427-1001\Software\Store
Key Found : HKU\S-1-5-21-665035586-3844912205-1700048427-1001\Software\WajIEnhance
Key Found : HKU\S-1-5-21-665035586-3844912205-1700048427-1001\Software\WTools
Key Found : HKU\S-1-5-21-665035586-3844912205-1700048427-1001\Software\SrpnFiles
Key Found : HKU\S-1-5-21-665035586-3844912205-1700048427-1001\Software\Wizzlabs
Key Found : HKU\S-1-5-21-665035586-3844912205-1700048427-1001\Software\MICROSOFT\IDSC
Key Found : HKU\S-1-5-21-665035586-3844912205-1700048427-1001\Software\AppDataLow\Software\adawarebp
Key Found : HKU\S-1-5-21-665035586-3844912205-1700048427-1001\Software\Microsoft\Windows\CurrentVersion\Uninstall\Bubble Dock
Key Found : HKU\S-1-5-21-665035586-3844912205-1700048427-1001\Software\Microsoft\Windows\CurrentVersion\Uninstall\Selection Tools
Key Found : HKU\S-1-5-21-665035586-3844912205-1700048427-1001\Software\Microsoft\Windows\CurrentVersion\Uninstall\windapp
Key Found : HKU\S-1-5-21-665035586-3844912205-1700048427-1001\Software\Microsoft\Windows\CurrentVersion\Uninstall\WindApp
Value Found : HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules [{1374E61D-8EEB-4E2D-BA96-1176C22CDBBF}]
Value Found : HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules [{0E008854-7C81-4DD1-8FF0-4384B0AF1190}]
Value Found : HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules [{C36091A4-6D37-48B5-8CDB-723E753D2BE8}]
Value Found : HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules [{038658C6-0064-49FD-B2E6-212E012CA257}]
Value Found : HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules [{EFABDB3E-91D1-4C19-B23B-87264222641B}]
Key Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}
Key Found : HKU\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}
Key Found : HKU\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes\{BA1BE292-1D15-488B-934D-008742212380}
Data Found : HKU\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes [DefaultScope] - {BA1BE292-1D15-488B-934D-008742212380}
Key Found : HKU\S-1-5-21-665035586-3844912205-1700048427-1001\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}
Key Found : HKU\S-1-5-18\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}
Key Found : HKU\S-1-5-18\Software\Microsoft\Internet Explorer\SearchScopes\{BA1BE292-1D15-488B-934D-008742212380}
Data Found : HKU\S-1-5-18\Software\Microsoft\Internet Explorer\SearchScopes [DefaultScope] - {BA1BE292-1D15-488B-934D-008742212380}
Value Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Run [selection Tools]
Value Found : HKU\S-1-5-21-665035586-3844912205-1700048427-1001\Software\Microsoft\Windows\CurrentVersion\Run [selection Tools]
Value Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Run [Web Companion]
Value Found : HKU\S-1-5-21-665035586-3844912205-1700048427-1001\Software\Microsoft\Windows\CurrentVersion\Run [Web Companion]
Value Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Run [Caster]
Value Found : HKU\S-1-5-21-665035586-3844912205-1700048427-1001\Software\Microsoft\Windows\CurrentVersion\Run [Caster]
***** [ Web browsers ] *****
*************************
C:\AdwCleaner\AdwCleaner[R0].txt - [1896 bytes] - [03/04/2015 17:28:35]
C:\AdwCleaner\AdwCleaner[s0].txt - [1283 bytes] - [03/04/2015 17:31:25]
C:\AdwCleaner\AdwCleaner[s1].txt - [8828 bytes] - [20/06/2016 15:48:03]
########## EOF - C:\AdwCleaner\AdwCleaner[s1].txt - [8901 bytes] ##########

Share this post


Link to post
Share on other sites

1. Please, turn off all programs, including browsers.
Double-click on AdwCleaner to start the program.

Click on the Scan button.
Wait until the search has finished.

 

Select the Services tab and remove the check mark in front of:

LavasoftTcpService

WCAssistantService

 

Select the Folders tab and remove the check mark in front of:

Everything that contains lavasoft

 

Select the Registry tab and remove the check mark in front of:

Key HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\webcompanion.com

Key HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\webcompanion.com

Key HKLM\SOFTWARE\Classes\CLSID\{0015CAC9-FC30-4CD0-BFAA-7412CC2C4DD9}
Key HKLM\SOFTWARE\Classes\CLSID\{26C7AFDB-3690-449E-B979-B0AF5CC56DD4}

 

Key HKLM\SOFTWARE\Classes\CLSID\{3A5A5381-DAAF-4C0D-B032-2C66B3EE4A8D}
Key HKLM\SOFTWARE\Classes\CLSID\{472EF1D2-4AAE-470D-AE85-6AF8177916FD}
Key HKLM\SOFTWARE\Classes\CLSID\{8F010D54-C023-457F-AF03-497EACB6D519}
Key HKLM\SOFTWARE\Classes\CLSID\{9A754403-27B1-4ED7-96D7-588F07888EBF}
Key HKLM\SOFTWARE\Classes\CLSID\{CB31FF8F-BF80-4D2B-ADBE-12C6F5347890}
Key HKLM\SOFTWARE\Classes\CLSID\{FCAA532B-E807-4027-940C-BA16B9D50105}
Key HKLM\SOFTWARE\Classes\TypeLib\{ED62BC6E-64F1-46BE-866F-4C8DC0DF7057}
Key HKCU\Software\AppDataLow\Software\adawarebp

Key HKLM\SOFTWARE\Lavasoft\Web Companion

Key HKLM\SOFTWARE\AVSoftware

Key HKU\S-1-5-21-665035586-3844912205-1700048427-1001\Software\AppDataLow\Software\adawarebp
Value HKCU\Software\Microsoft\Windows\CurrentVersion\Run [Web Companion]
Value HKU\S-1-5-21-665035586-3844912205-1700048427-1001\Software\Microsoft\Windows\CurrentVersion\Run [Web Companion]

Click on the Clean button.

Click on OK.
Click on OK on any message that pops up.
The computer will be restarted.

A report will be displayed, copy its content and paste into your reply.
If the report isn't displayed, it exist as C:\AdwCleaner\AdwCleaner[C1].txt

 

2. Please, start FRST.

Select Addition.txt and then let the program scan the computer.

Attach the two new logs.

 

 

3. Run an online scan with Eset (easiest with Internet Explorer): http://www.eset.com/onlinescan/
To shorten the scanning time disable your antivirus program while scanning.

Select Enable detection of potentially unwanted applications.
Click Advanced Settings.

Deselect Remove found threats (important since false positives can occur).

Select:
Scan Archives
Scan for potentially unsafe applications
Enable Anti-Stealth Technology

Click Start.

When the scan is finished, click on List of found threats and then Export to text file. Copy the content of the text file and paste its content in your reply.

Share this post


Link to post
Share on other sites

The AdwCleaner report:

 

# AdwCleaner v5.200 - Logfile created 20/06/2016 at 17:20:04
# Updated 14/06/2016 by ToolsLib
# Database : 2016-06-20.3 [server]
# Operating system : Windows 10 Home (X64)
# Username : Jeremy - JEREMY-LAPTOP
# Running from : C:\Users\Jeremy\Desktop\adwcleaner_5.200.exe
# Option : Clean
***** [ Services ] *****
[x] Service Not Deleted : LavasoftTcpService
[x] Service Not Deleted : WCAssistantService
[-] Service Deleted : 76c57b794e6c8656618f09e27daee20d
[-] Service Deleted : 7dbea00b08eb7d7f72afadf2fcf50533
***** [ Folders ] *****
[x] Folder Not Deleted : C:\ProgramData\lavasoft\web companion
[-] Folder Deleted : C:\ProgramData\779d90b7-2db7-0
[-] Folder Deleted : C:\ProgramData\779d90b7-7635-1
[x] Folder Not Deleted : C:\ProgramData\Application Data\lavasoft\web companion
[#] Folder Deleted : C:\ProgramData\Application Data\779d90b7-2db7-0
[#] Folder Deleted : C:\ProgramData\Application Data\779d90b7-7635-1
[-] Folder Deleted : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Social2Sear
[-] Folder Deleted : C:\Program Files (x86)\Max Driver Updater
[x] Folder Not Deleted : C:\Program Files (x86)\lavasoft\web companion
[-] Folder Deleted : C:\Program Files (x86)\232BBA00-1466249747-81E1-22A2-10BF482F6BC6
[-] Folder Deleted : C:\Users\Jeremy\AppData\Local\Temp\MAXDriverUpdater
[-] Folder Deleted : C:\Users\Jeremy\AppData\Roaming\Nosibay
[-] Folder Deleted : C:\Users\Jeremy\AppData\Roaming\Store
[-] Folder Deleted : C:\Users\Jeremy\AppData\Roaming\WTools
[-] Folder Deleted : C:\Users\Jeremy\AppData\Roaming\SpringFiles
[x] Folder Not Deleted : C:\Users\Jeremy\AppData\Roaming\lavasoft\web companion
[#] Folder Deleted : C:\Users\Jeremy\AppData\Roaming\store
[-] Folder Deleted : C:\Users\Jeremy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Bubble Dock
[-] Folder Deleted : C:\Program Files\Caster
***** [ Files ] *****
[-] File Deleted : C:\WINDOWS\SysWOW64\lavasofttcpservice.dll
[-] File Deleted : C:\WINDOWS\SysWOW64\LavasoftTcpServiceOff.ini
[-] File Deleted : C:\Users\Jeremy\AppData\Roaming\Bubble Dock.boostrap.log
[-] File Deleted : C:\Users\Jeremy\AppData\Roaming\Bubble Dock.installation.log
[-] File Deleted : C:\Users\Jeremy\AppData\Roaming\Selection Tools.installation.log
[-] File Deleted : C:\Users\Jeremy\AppData\Roaming\WindApp.boostrap.log
[-] File Deleted : C:\Users\Jeremy\AppData\Roaming\WindApp.installation.log
[-] File Deleted : C:\WINDOWS\SysNative\LavasoftTcpService64.dll
[-] File Deleted : C:\WINDOWS\SysNative\LavasoftTcpServiceOff.ini
***** [ DLLs ] *****
***** [ WMI ] *****
***** [ Shortcuts ] *****
***** [ Scheduled tasks ] *****
[-] Task Deleted : WindApp Update
[-] Task Deleted : Selection Tools Update
[-] Task Deleted : Selection Tools Update
***** [ Registry ] *****
[x] Key Not Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\webcompanion.com
[-] Key Deleted : HKLM\SOFTWARE\Classes\AppID\3045035B-3C14-4698-8AC4-ADB18CC42C1E
[x] Key Not Deleted : HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\webcompanion.com
[-] Key Deleted : HKCU\Software\Classes\.bubbledock
[-] Key Deleted : HKCU\Software\Classes\bubbledock
[x] Key Not Deleted : HKLM\SOFTWARE\Classes\CLSID\{0015CAC9-FC30-4CD0-BFAA-7412CC2C4DD9}
[x] Key Not Deleted : HKLM\SOFTWARE\Classes\CLSID\{26C7AFDB-3690-449E-B979-B0AF5CC56DD4}
[x] Key Not Deleted : HKLM\SOFTWARE\Classes\CLSID\{3A5A5381-DAAF-4C0D-B032-2C66B3EE4A8D}
[x] Key Not Deleted : HKLM\SOFTWARE\Classes\CLSID\{472EF1D2-4AAE-470D-AE85-6AF8177916FD}
[x] Key Not Deleted : HKLM\SOFTWARE\Classes\CLSID\{8F010D54-C023-457F-AF03-497EACB6D519}
[x] Key Not Deleted : HKLM\SOFTWARE\Classes\CLSID\{9A754403-27B1-4ED7-96D7-588F07888EBF}
[x] Key Not Deleted : HKLM\SOFTWARE\Classes\CLSID\{CB31FF8F-BF80-4D2B-ADBE-12C6F5347890}
[x] Key Not Deleted : HKLM\SOFTWARE\Classes\CLSID\{FCAA532B-E807-4027-940C-BA16B9D50105}
[x] Key Not Deleted : HKLM\SOFTWARE\Classes\TypeLib\{ED62BC6E-64F1-46BE-866F-4C8DC0DF7057}
[-] Key Deleted : HKCU\Software\Nosibay
[-] Key Deleted : HKCU\Software\Store
[-] Key Deleted : HKCU\Software\WajIEnhance
[-] Key Deleted : HKCU\Software\WTools
[-] Key Deleted : HKCU\Software\SrpnFiles
[-] Key Deleted : HKCU\Software\Wizzlabs
[-] Key Deleted : HKCU\Software\MICROSOFT\IDSC
[x] Key Not Deleted : HKCU\Software\AppDataLow\Software\adawarebp
[-] Key Deleted : HKLM\SOFTWARE\SrpnFiles
[x] Key Not Deleted : HKLM\SOFTWARE\Lavasoft\Web Companion
[-] Key Deleted : HKLM\SOFTWARE\Social2Sear
[x] Key Not Deleted : HKLM\SOFTWARE\AVSoftware
[-] Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Bubble Dock
[-] Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Selection Tools
[-] Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\windapp
[-] Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\11598763487076930564
[-] Key Deleted : [x64] HKLM\SOFTWARE\Social2Sear
[-] Key Deleted : [x64] HKLM\SOFTWARE\AVSoftware
[-] Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d35e5e88-e5b8-447f-b6f4-66bc7aa638d1}
[x] Key Not Deleted : HKU\S-1-5-21-665035586-3844912205-1700048427-1001\Software\AppDataLow\Software\adawarebp
[-] Value Deleted : HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules [{1374E61D-8EEB-4E2D-BA96-1176C22CDBBF}]
[-] Value Deleted : HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules [{0E008854-7C81-4DD1-8FF0-4384B0AF1190}]
[-] Value Deleted : HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules [{C36091A4-6D37-48B5-8CDB-723E753D2BE8}]
[-] Value Deleted : HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules [{038658C6-0064-49FD-B2E6-212E012CA257}]
[-] Value Deleted : HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules [{EFABDB3E-91D1-4C19-B23B-87264222641B}]
[-] Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}
[-] Key Deleted : HKU\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}
[-] Key Deleted : HKU\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes\{BA1BE292-1D15-488B-934D-008742212380}
[#] Data Restored : HKU\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes [DefaultScope]
[#] Data Restored : HKU\S-1-5-18\Software\Microsoft\Internet Explorer\SearchScopes [DefaultScope]
[-] Value Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Run [selection Tools]
[#] Value Deleted : HKU\S-1-5-21-665035586-3844912205-1700048427-1001\Software\Microsoft\Windows\CurrentVersion\Run [selection Tools]
[x] Value Not Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Run [Web Companion]
[x] Value Not Deleted : HKU\S-1-5-21-665035586-3844912205-1700048427-1001\Software\Microsoft\Windows\CurrentVersion\Run [Web Companion]
[-] Value Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Run [Caster]
[#] Value Deleted : HKU\S-1-5-21-665035586-3844912205-1700048427-1001\Software\Microsoft\Windows\CurrentVersion\Run [Caster]
***** [ Web browsers ] *****
*************************
:: "Tracing" keys deleted
:: "Prefetch" files deleted
:: Proxy settings cleared
:: Winsock settings cleared
*************************
C:\AdwCleaner\AdwCleaner[C1].txt - [7553 bytes] - [20/06/2016 17:20:04]
C:\AdwCleaner\AdwCleaner[R0].txt - [1896 bytes] - [03/04/2015 17:28:35]
C:\AdwCleaner\AdwCleaner[s0].txt - [1283 bytes] - [03/04/2015 17:31:25]
C:\AdwCleaner\AdwCleaner[s1].txt - [8992 bytes] - [20/06/2016 15:48:03]
C:\AdwCleaner\AdwCleaner[s2].txt - [9065 bytes] - [20/06/2016 17:08:35]
########## EOF - C:\AdwCleaner\AdwCleaner[C1].txt - [7918 bytes] ##########
List of found threats:
C:\AdwCleaner\FileQuarantine\C\Program Files\Caster\wizzcaster.exe.vir a variant of MSIL/Adware.CsdiMonetize.B application
C:\AdwCleaner\FileQuarantine\C\Program Files (x86)\232BBA00-1466249747-81E1-22A2-10BF482F6BC6\Uninstall.exe.vir Win32/Adware.ConvertAd.AEY application
C:\AdwCleaner\FileQuarantine\C\Users\Jeremy\AppData\Roaming\WTools\Selection Tools\Selection Tools Uninstall.exe.vir Win32/BubbleDock.C potentially unwanted application
C:\AdwCleaner\FileQuarantine\C\Users\Jeremy\AppData\Roaming\WTools\Selection Tools\Selection Tools Update.exe.vir Win32/BubbleDock.C potentially unwanted application
C:\AdwCleaner\Quarantine\C\ProgramData\apn\APN-Stub\W3IV6-G\APNIC.7z.vir Win32/Bundled.Toolbar.Ask.B potentially unsafe application
C:\AdwCleaner\Quarantine\C\ProgramData\apn\APN-Stub\W3IV6-G\APNIC.dll.vir Win32/Bundled.Toolbar.Ask.B potentially unsafe application

 

Addition.txt

FRST.txt

Share this post


Link to post
Share on other sites

1. Sorry, I missed to list a few filenames in my instruction and some Web Companion files were removed. Please, uninstall Web Companion by Lavasoft, restart the computer and install it again: http://www.webcompanion.com/

 

 

2. Please uninstall:

Java 8 Update 66 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F83218066F0}) (Version: 8.0.660.18 - Oracle Corporation)
Java SE Development Kit 7 Update 40 (64-bit) (HKLM\...\{64A3A4F4-B792-11D6-A78A-00B0D0170400}) (Version: 1.7.0.400 - Oracle)
Java™ SE Development Kit 6 Update 39 (HKLM-x32\...\{32A3A4F4-B792-11D6-A78A-00B0D0160390}) (Version: 1.6.0.390 - Oracle)

Those are old versions of Java with known vulnerabilities that can be exploited by a web page to infect the computer. Most persons don't to have Java installed at all, but if you need it, it's important to always have the latest version.

 

 

3. The following script will delete all files in the recycle bin and in the temporary folders. If you have anything there that you want to keep, please move it.

 

Please, start Notepad.
Copy all text that is in the box:

CreateRestorePoint:
CloseProcesses:
Task: {C1699D6E-E6F5-430A-A5FB-C36561F7FCA9} - System32\Tasks\{EEFAE0FD-6EC0-4B85-8196-86FD7FE74299} => pcalua.exe -a "C:\Users\Jeremy\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1M26CC7R\winsdk_web.exe" -d C:\Users\Jeremy\Desktop
ShortcutWithArgument: C:\Users\Jeremy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Internet Explorer.lnk -> C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation) -> "hxxp://safebrowsing.biz/?ssid=1466249197&a=1003478&src=sh&uuid=7aa70476-3a02-4fe3-a32d-e79aafac657e"
ShortcutWithArgument: C:\Users\Jeremy\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk -> C:\Program Files (x86)\Internet Explorer\iexplore.exe (Microsoft Corporation) -> "hxxp://safebrowsing.biz/?ssid=1466249197&a=1003478&src=sh&uuid=7aa70476-3a02-4fe3-a32d-e79aafac657e"
ShortcutWithArgument: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> "hxxp://safebrowsing.biz/?ssid=1466249197&a=1003478&src=sh&uuid=7aa70476-3a02-4fe3-a32d-e79aafac657e" --disable-quic
ShortcutWithArgument: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk -> C:\Program Files (x86)\Mozilla Firefox\firefox.exe (Mozilla Corporation) -> "hxxp://safebrowsing.biz/?ssid=1466249197&a=1003478&src=sh&uuid=7aa70476-3a02-4fe3-a32d-e79aafac657e"
ShortcutWithArgument: C:\Users\Public\Desktop\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> "hxxp://safebrowsing.biz/?ssid=1466249197&a=1003478&src=sh&uuid=7aa70476-3a02-4fe3-a32d-e79aafac657e" --disable-quic
ShortcutWithArgument: C:\Users\Public\Desktop\Mozilla Firefox.lnk -> C:\Program Files (x86)\Mozilla Firefox\firefox.exe (Mozilla Corporation) -> "hxxp://safebrowsing.biz/?ssid=1466249197&a=1003478&src=sh&uuid=7aa70476-3a02-4fe3-a32d-e79aafac657e"
AlternateDataStreams: C:\Users\Jeremy\Desktop\adwcleaner_5.200.exe:BDU [0]
AlternateDataStreams: C:\Users\Jeremy\Downloads\adwcleaner_5.200.exe:BDU [0]
AlternateDataStreams: C:\Users\Jeremy\Downloads\FRST64.exe:BDU [0]
IE trusted site: HKU\.DEFAULT\...\webcompanion.com -> hxxp://webcompanion.com
IE trusted site: HKU\S-1-5-21-665035586-3844912205-1700048427-1001\...\webcompanion.com -> hxxp://webcompanion.com
Hosts:
Folder: C:\Program Files\030e03feb5f74bf3348e770c6260cc20
CMD: ipconfig /flushdns
EmptyTemp:
and paste in Notepad. Check that no files have been split on two lines.
Save the file as fixlist.txt on the desktop.

Exit all programs.
Start FRST, please.
Click the Fix button.
Wait until the tool has finished.

It creates a log file, called Fixlog.txt, on the desktop.
Please, paste the content of that file in your reply.

Share this post


Link to post
Share on other sites

Fixlog.txt:

 

Fix result of Farbar Recovery Scan Tool (x64) Version: 20-06-2016 01
Ran by Jeremy (2016-06-23 08:04:29) Run:1
Running from C:\Users\Jeremy\Desktop
Loaded Profiles: Jeremy (Available Profiles: UpdatusUser & Jeremy & Classic .NET AppPool & ASP.NET V4.0 Integrated & DefaultAppPool)
Boot Mode: Normal
==============================================
fixlist content:
*****************
CreateRestorePoint:
CloseProcesses:
Task: {C1699D6E-E6F5-430A-A5FB-C36561F7FCA9} - System32\Tasks\{EEFAE0FD-6EC0-4B85-8196-86FD7FE74299} => pcalua.exe -a "C:\Users\Jeremy\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1M26CC7R\winsdk_web.exe" -d C:\Users\Jeremy\Desktop
ShortcutWithArgument: C:\Users\Jeremy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Internet Explorer.lnk -> C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation) -> "hxxp://safebrowsing.biz/?ssid=1466249197&a=1003478&src=sh&uuid=7aa70476-3a02-4fe3-a32d-e79aafac657e"
ShortcutWithArgument: C:\Users\Jeremy\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk -> C:\Program Files (x86)\Internet Explorer\iexplore.exe (Microsoft Corporation) -> "hxxp://safebrowsing.biz/?ssid=1466249197&a=1003478&src=sh&uuid=7aa70476-3a02-4fe3-a32d-e79aafac657e"
ShortcutWithArgument: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> "hxxp://safebrowsing.biz/?ssid=1466249197&a=1003478&src=sh&uuid=7aa70476-3a02-4fe3-a32d-e79aafac657e" --disable-quic
ShortcutWithArgument: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk -> C:\Program Files (x86)\Mozilla Firefox\firefox.exe (Mozilla Corporation) -> "hxxp://safebrowsing.biz/?ssid=1466249197&a=1003478&src=sh&uuid=7aa70476-3a02-4fe3-a32d-e79aafac657e"
ShortcutWithArgument: C:\Users\Public\Desktop\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> "hxxp://safebrowsing.biz/?ssid=1466249197&a=1003478&src=sh&uuid=7aa70476-3a02-4fe3-a32d-e79aafac657e" --disable-quic
ShortcutWithArgument: C:\Users\Public\Desktop\Mozilla Firefox.lnk -> C:\Program Files (x86)\Mozilla Firefox\firefox.exe (Mozilla Corporation) -> "hxxp://safebrowsing.biz/?ssid=1466249197&a=1003478&src=sh&uuid=7aa70476-3a02-4fe3-a32d-e79aafac657e"
AlternateDataStreams: C:\Users\Jeremy\Desktop\adwcleaner_5.200.exe:BDU [0]
AlternateDataStreams: C:\Users\Jeremy\Downloads\adwcleaner_5.200.exe:BDU [0]
AlternateDataStreams: C:\Users\Jeremy\Downloads\FRST64.exe:BDU [0]
IE trusted site: HKU\.DEFAULT\...\webcompanion.com -> hxxp://webcompanion.com
IE trusted site: HKU\S-1-5-21-665035586-3844912205-1700048427-1001\...\webcompanion.com -> hxxp://webcompanion.com
Hosts:
Folder: C:\Program Files\030e03feb5f74bf3348e770c6260cc20
CMD: ipconfig /flushdns
EmptyTemp:
*****************
Restore point was successfully created.
Processes closed successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{C1699D6E-E6F5-430A-A5FB-C36561F7FCA9}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{C1699D6E-E6F5-430A-A5FB-C36561F7FCA9}" => key removed successfully
C:\WINDOWS\System32\Tasks\{EEFAE0FD-6EC0-4B85-8196-86FD7FE74299} => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{EEFAE0FD-6EC0-4B85-8196-86FD7FE74299}" => key removed successfully
C:\Users\Jeremy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Internet Explorer.lnk => Shortcut argument removed successfully.
C:\Users\Jeremy\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk => Shortcut argument removed successfully.
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk => Shortcut argument removed successfully.
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk => Shortcut argument removed successfully.
C:\Users\Public\Desktop\Google Chrome.lnk => Shortcut argument removed successfully.
C:\Users\Public\Desktop\Mozilla Firefox.lnk => Shortcut argument removed successfully.
C:\Users\Jeremy\Desktop\adwcleaner_5.200.exe => ":BDU" ADS removed successfully.
C:\Users\Jeremy\Downloads\adwcleaner_5.200.exe => ":BDU" ADS removed successfully.
"C:\Users\Jeremy\Downloads\FRST64.exe" => ":BDU" ADS not found.
"HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\webcompanion.com" => key removed successfully
"HKU\S-1-5-21-665035586-3844912205-1700048427-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\webcompanion.com" => key removed successfully
C:\Windows\System32\Drivers\etc\hosts => moved successfully
Hosts restored successfully.
========================= Folder: C:\Program Files\030e03feb5f74bf3348e770c6260cc20 ========================
2016-06-18 16:38 - 2016-06-20 16:44 - 0026784 _____ () C:\Program Files\030e03feb5f74bf3348e770c6260cc20\06dcc0fab9a3e19ffeaf5bba285bc6fe
2016-06-13 15:17 - 2016-06-13 15:17 - 28838400 _____ () C:\Program Files\030e03feb5f74bf3348e770c6260cc20\16a40500ca93a270f44c6a16757098e6.exe
2016-06-13 15:13 - 2016-06-13 15:13 - 0935165 _____ () C:\Program Files\030e03feb5f74bf3348e770c6260cc20\33cccbee74c2e06a472ff8ccc8ca29c6.exe
2016-06-18 16:38 - 2016-06-18 16:38 - 0000019 _____ () C:\Program Files\030e03feb5f74bf3348e770c6260cc20\76c57b794e6c8656618f09e27daee20d.cfg
2016-06-13 15:13 - 2016-06-18 16:38 - 0002642 _____ () C:\Program Files\030e03feb5f74bf3348e770c6260cc20\76c57b794e6c8656618f09e27daee20d.inf
2016-06-13 15:13 - 2016-06-13 15:13 - 0079944 _____ () C:\Program Files\030e03feb5f74bf3348e770c6260cc20\76c57b794e6c8656618f09e27daee20d.sys
2016-06-13 15:13 - 2016-06-13 15:13 - 0004286 _____ () C:\Program Files\030e03feb5f74bf3348e770c6260cc20\a9c06be8aaaa2b370cc46ca767d1f5c6.ico
2016-06-13 15:24 - 2016-06-13 15:24 - 20770304 _____ () C:\Program Files\030e03feb5f74bf3348e770c6260cc20\b6b2a7e74dd6c3efe688948052faabef.exe
2016-06-13 15:13 - 2016-06-18 16:38 - 0076453 _____ () C:\Program Files\030e03feb5f74bf3348e770c6260cc20\ba86aa26a321dc11f6601770310eed59
2016-06-13 15:24 - 2016-06-20 08:11 - 0762537 _____ () C:\Program Files\030e03feb5f74bf3348e770c6260cc20\c085066c835f924d7a69d259ff73464c.exe
2016-06-13 15:24 - 2016-06-13 15:24 - 0693165 _____ () C:\Program Files\030e03feb5f74bf3348e770c6260cc20\fe2e6be8dcba3137608a20524860e07e.exe
2016-06-18 16:38 - 2016-06-18 16:38 - 0000000 ____D () C:\Program Files\030e03feb5f74bf3348e770c6260cc20\c1f607efaa89c48aec6491dadf8a75eb
2016-05-12 19:31 - 2016-05-12 19:31 - 0003262 _____ () C:\Program Files\030e03feb5f74bf3348e770c6260cc20\c1f607efaa89c48aec6491dadf8a75eb\17fd7fd4989bc84ed8e7055e6a297027.ico
2016-06-13 15:13 - 2016-06-13 15:13 - 0004286 _____ () C:\Program Files\030e03feb5f74bf3348e770c6260cc20\c1f607efaa89c48aec6491dadf8a75eb\a9c06be8aaaa2b370cc46ca767d1f5c6.ico
2016-05-12 19:31 - 2016-05-12 19:31 - 0003262 _____ () C:\Program Files\030e03feb5f74bf3348e770c6260cc20\c1f607efaa89c48aec6491dadf8a75eb\fc50f88ada67e8d36a38dcccadb10edd.ico
2016-06-18 16:38 - 2016-06-20 08:11 - 0000000 ____D () C:\Program Files\030e03feb5f74bf3348e770c6260cc20\c4575512726f0d10239e6f69e9d7904b
2016-06-20 08:11 - 2016-06-20 08:11 - 23373824 _____ () C:\Program Files\030e03feb5f74bf3348e770c6260cc20\c4575512726f0d10239e6f69e9d7904b\axphcw.dll
2016-06-20 08:11 - 2016-06-20 08:11 - 12332544 _____ () C:\Program Files\030e03feb5f74bf3348e770c6260cc20\c4575512726f0d10239e6f69e9d7904b\fouttc.dll
====== End of Folder: ======
========= ipconfig /flushdns =========
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
========= End of CMD: =========
=========== EmptyTemp: ==========
BITS transfer queue => 48171 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 11911835 B
Java, Flash, Steam htmlcache => 2632 B
Windows/system/drivers => 26005794 B
Edge => 59532403 B
Chrome => 1 B
Firefox => 27553283 B
Opera => 0 B
Temp, IE cache, history, cookies, recent:
Default => 6148 B
ProgramData => 0 B
Public => 0 B
systemprofile => 0 B
systemprofile32 => 0 B
LocalService => 57392 B
NetworkService => 334325 B
UpdatusUser => 0 B
Jeremy => 449640218 B
Classic .NET AppPool => 0 B
ASP.NET V4.0 Integrated => 0 B
DefaultAppPool => 0 B
RecycleBin => 30218400 B
EmptyTemp: => 577.3 MB temporary data Removed.
================================
The system needed a reboot.
==== End of Fixlog 08:08:05 ====

Share this post


Link to post
Share on other sites

Please, start Notepad.
Copy all text that is in the box:

CreateRestorePoint:
CloseProcesses:
C:\Program Files\030e03feb5f74bf3348e770c6260cc20
Reboot:
and paste in Notepad. Check that no files have been split on two lines.
Save the file as fixlist.txt on the desktop.

Exit all programs.
Start FRST, please.
Click the Fix button.
Wait until the tool has finished.

It creates a log file, called Fixlog.txt, on the desktop.
Please, paste the content of that file in your reply.

 

 

Do you notice any adware now?

Or is it time to uninstall FRST and AdwcCleaner?

Share this post


Link to post
Share on other sites

There is still some adware, although it's less frequent than before.

 

Here is Fixlog.txt:

 

Fix result of Farbar Recovery Scan Tool (x64) Version: 20-06-2016 01
Ran by Jeremy (2016-06-23 17:28:04) Run:2
Running from C:\Users\Jeremy\Desktop
Loaded Profiles: Jeremy (Available Profiles: UpdatusUser & Jeremy & Classic .NET AppPool & ASP.NET V4.0 Integrated & DefaultAppPool)
Boot Mode: Normal
==============================================
fixlist content:
*****************
CreateRestorePoint:
CloseProcesses:
C:\Program Files\030e03feb5f74bf3348e770c6260cc20
Reboot:
*****************
Restore point was successfully created.
Processes closed successfully.
C:\Program Files\030e03feb5f74bf3348e770c6260cc20 => moved successfully
The system needed a reboot.
==== End of Fixlog 17:28:07 ====

Share this post


Link to post
Share on other sites

Good!

 

1. Please, start AdwCleaner.

Click on the Scan button.

Wait until the search has finished.

Click on the Log file button.
A report will be displayed, copy its content and paste into your reply.
If the report isn't displayed, it's available as C:\AdwCleaner\AdwCleaner[sx].txt.

 

 

2. Please, start FRST.

Select Shortcut.txt and Addition.txt and then let the program scan the computer.

Attach the three new logs (FRST.txt, Addition.txt and Shortcut.txt).

Share this post


Link to post
Share on other sites

AdwCleaner log file:

 

# AdwCleaner v5.200 - Logfile created 24/06/2016 at 19:57:02
# Updated 14/06/2016 by ToolsLib
# Database : 2016-06-23.1 [server]
# Operating system : Windows 10 Home (X64)
# Username : Jeremy - JEREMY-LAPTOP
# Running from : C:\Users\Jeremy\Desktop\adwcleaner_5.200.exe
# Option : Scan
***** [ Services ] *****
Service Found : LavasoftTcpService
Service Found : WCAssistantService
***** [ Folders ] *****
Folder Found : C:\ProgramData\lavasoft\web companion
Folder Found : C:\ProgramData\Application Data\lavasoft\web companion
Folder Found : C:\Program Files (x86)\lavasoft\web companion
Folder Found : C:\Users\Jeremy\AppData\Roaming\lavasoft\web companion
***** [ Files ] *****
File Found : C:\WINDOWS\SysWOW64\lavasofttcpservice.dll
File Found : C:\WINDOWS\SysNative\LavasoftTcpService64.dll
File Found : C:\WINDOWS\SysNative\drivers\76c57b794e6c8656618f09e27daee20d.sys
***** [ DLL ] *****
***** [ WMI ] *****
***** [ Shortcuts ] *****
***** [ Scheduled tasks ] *****
***** [ Registry ] *****
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\webcompanion.com
Key Found : HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\webcompanion.com
Key Found : HKLM\SOFTWARE\Classes\CLSID\{0015CAC9-FC30-4CD0-BFAA-7412CC2C4DD9}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{26C7AFDB-3690-449E-B979-B0AF5CC56DD4}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{3A5A5381-DAAF-4C0D-B032-2C66B3EE4A8D}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{472EF1D2-4AAE-470D-AE85-6AF8177916FD}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{8F010D54-C023-457F-AF03-497EACB6D519}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{9A754403-27B1-4ED7-96D7-588F07888EBF}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{CB31FF8F-BF80-4D2B-ADBE-12C6F5347890}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{FCAA532B-E807-4027-940C-BA16B9D50105}
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{ED62BC6E-64F1-46BE-866F-4C8DC0DF7057}
Key Found : HKCU\Software\AppDataLow\Software\adawarebp
Key Found : HKLM\SOFTWARE\Lavasoft\Web Companion
Key Found : HKLM\SOFTWARE\AVSoftware
Key Found : HKU\S-1-5-21-665035586-3844912205-1700048427-1001\Software\AppDataLow\Software\adawarebp
Key Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}
Key Found : HKU\S-1-5-21-665035586-3844912205-1700048427-1001\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}
Value Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Run [Web Companion]
Value Found : HKU\S-1-5-21-665035586-3844912205-1700048427-1001\Software\Microsoft\Windows\CurrentVersion\Run [Web Companion]
***** [ Web browsers ] *****
*************************
C:\AdwCleaner\AdwCleaner[C1].txt - [8009 bytes] - [20/06/2016 17:20:04]
C:\AdwCleaner\AdwCleaner[R0].txt - [1896 bytes] - [03/04/2015 17:28:35]
C:\AdwCleaner\AdwCleaner[s0].txt - [1283 bytes] - [03/04/2015 17:31:25]
C:\AdwCleaner\AdwCleaner[s1].txt - [8992 bytes] - [20/06/2016 15:48:03]
C:\AdwCleaner\AdwCleaner[s2].txt - [9065 bytes] - [20/06/2016 17:08:35]
C:\AdwCleaner\AdwCleaner[s3].txt - [3192 bytes] - [24/06/2016 19:57:02]
########## EOF - C:\AdwCleaner\AdwCleaner[s3].txt - [3265 bytes] ##########

Addition.txt

FRST.txt

Shortcut.txt

Share this post


Link to post
Share on other sites

1. Please, start Notepad.
Copy all text that is in the box:

CreateRestorePoint:
CloseProcesses:
SearchScopes: HKU\.DEFAULT -> DefaultScope {BA1BE292-1D15-488B-934D-008742212380} URL =
2016-06-13 15:13 - 2016-06-13 15:13 - 00142495 _____ C:\WINDOWS\33cccbee74c2e06a472ff8ccc8ca29c6.exe
2016-06-13 15:13 - 2016-06-13 15:13 - 00079944 _____ C:\WINDOWS\system32\Drivers\76c57b794e6c8656618f09e27daee20d.sys
AlternateDataStreams: C:\Users\Jeremy\Downloads\esetonlinescanner_enu (1).exe:BDU [0]
AlternateDataStreams: C:\Users\Jeremy\Downloads\WcInstaller.exe:BDU [0]
IE trusted site: HKU\.DEFAULT\...\webcompanion.com -> hxxp://webcompanion.com
IE trusted site: HKU\S-1-5-21-665035586-3844912205-1700048427-1001\...\webcompanion.com -> hxxp://webcompanion.com
CMD: ipconfig /flushdns
Reboot:
and paste in Notepad. Check that no files have been split on two lines.
Save the file as fixlist.txt on the desktop.

Exit all programs.
Start FRST, please.
Click the Fix button.
Wait until the tool has finished.

It creates a log file, called Fixlog.txt, on the desktop.
Please, paste the content of that file in your reply.

 

 

2. Do you see this adware in all browsers?

Please, describe when and how it's visible.

Do you have other computers connected to the same router?

If yes: Is the same adware in them?

Share this post


Link to post
Share on other sites
Sorry for the delayed reply!


Here is the fix log:



Fix result of Farbar Recovery Scan Tool (x64) Version: 02-07-2016

Ran by Jeremy (2016-07-06 09:10:18) Run:3

Running from C:\Users\Jeremy\Desktop

Loaded Profiles: Jeremy (Available Profiles: UpdatusUser & Jeremy & Classic .NET AppPool & ASP.NET V4.0 Integrated & DefaultAppPool)

Boot Mode: Normal

==============================================


fixlist content:

*****************

CreateRestorePoint:

CloseProcesses:

SearchScopes: HKU\.DEFAULT -> DefaultScope {BA1BE292-1D15-488B-934D-008742212380} URL =

2016-06-13 15:13 - 2016-06-13 15:13 - 00142495 _____ C:\WINDOWS\33cccbee74c2e06a472ff8ccc8ca29c6.exe

2016-06-13 15:13 - 2016-06-13 15:13 - 00079944 _____ C:\WINDOWS\system32\Drivers\76c57b794e6c8656618f09e27daee20d.sys

AlternateDataStreams: C:\Users\Jeremy\Downloads\esetonlinescanner_enu (1).exe:BDU [0]

AlternateDataStreams: C:\Users\Jeremy\Downloads\WcInstaller.exe:BDU [0]

IE trusted site: HKU\.DEFAULT\...\webcompanion.com -> hxxp://webcompanion.com

IE trusted site: HKU\S-1-5-21-665035586-3844912205-1700048427-1001\...\webcompanion.com -> hxxp://webcompanion.com

CMD: ipconfig /flushdns

Reboot:

*****************


Restore point was successfully created.

Processes closed successfully.

HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value removed successfully

C:\WINDOWS\33cccbee74c2e06a472ff8ccc8ca29c6.exe => moved successfully

C:\WINDOWS\system32\Drivers\76c57b794e6c8656618f09e27daee20d.sys => moved successfully

C:\Users\Jeremy\Downloads\esetonlinescanner_enu (1).exe => ":BDU" ADS removed successfully.

C:\Users\Jeremy\Downloads\WcInstaller.exe => ":BDU" ADS removed successfully.

"HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\webcompanion.com" => key removed successfully

"HKU\S-1-5-21-665035586-3844912205-1700048427-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\webcompanion.com" => key removed successfully


========= ipconfig /flushdns =========



Windows IP Configuration


Successfully flushed the DNS Resolver Cache.


========= End of CMD: =========




The system needed a reboot.


==== End of Fixlog 09:10:21 ====

Share this post


Link to post
Share on other sites

Good! :)

 

Time for final clean-up.


1. Please, turn off all programs, including browsers.
Double-click on AdwCleaner to start the program.

Click on the Uninstall button.


2. Download OTC http://oldtimer.geekstogo.com/OTC.exe
Close all programs.
Start OTC program.
Click the CleanUp! button.
Select Yes when asked "Begin cleanup process".
If you are asked to reboot, select Yes.
If any logs remain on the computer you can remove them.


3. It is very important to keep Windows and all programs updated. An old version of, for example, Flash contains vulnerabilities that makes it easy to infect the computer from a web page. To help you with keeping everything updated you can use the program Secunia Personal Software Inspector (PSI). http://www.bleepingcomputer.com/tutorials/detect-vulnerable-programs-with-secunia-psi/ describes how to install and use the program.

Share this post


Link to post
Share on other sites

Sorry, I'll let Lavasoft know that there is a false positive in Ad-Aware.

 

Please, try to download from here: http://www.geekstogo.com/forum/files/file/403-otc-oldtimers-clean-it/

 

If that doesn't help, please disable Ad-Aware while downloading and running OTC.

Edited by CeciliaB

Share this post


Link to post
Share on other sites

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)If you're the topic starter, and need this topic reopened, please contact the staff member who was helping you with your issue.Everyone else please begin a New Topic.Thank you !

Share this post


Link to post
Share on other sites
Guest
This topic is now closed to further replies.
Sign in to follow this