Infection LavasoftTcpService.dll


  1. Posts : 5,656
    Windows 7 Ultimate x64 SP1
       #1


    Hello all, last night after logging in to Windows I received a warning from ZoneAlarm Extreme Security that 2 files have been infected with the next:

    C:\Windows\System32\LavasoftTcpService64.dll - not-a-virus:HEUR.AdWare.Win32.OptimizerMonitor.heur
    C:\Windows\SysWOW64\LavasoftTcpService.dll - not-a-virus:AdWare.Win32.OptimizerMonitor.j

    I don't use Lavasoft products on my PC, so when I opened IE11 to check what they were there was no connection. My Internet connection was fine though. Anyway, I checked both files and clicked treat in ZA window and it told me after some time that it wasn't able to treat them and needed to perform an Advanced Disinfection. After closing all open programs as instructed ZA took 5 or so minutes to finish what it was doing. Before it auto-restarted the PC I got a bunch of Bad Image warnings to my running processes.

    After the restart the PC booted and logged in to Windows just fine, I then rescanned the PC with ZA/SuperAntiSpyware/Spybot S&D and found nothing.

    I am not sure how I got the infection as I am careful about suspicious websites and only use freeware or licensed paid-for software/games etc. Everything is up-to-date and performing scans on a schedule. Also, I haven't installed anything the last few days. Only downloaded WinDirStat and 7StickyNotes from their official download locations (not installed yet).

    So my question would be should I use any other scanners to make sure I don't have any leftovers anywhere on my PC? From what I have read in this forum, Malwarebytes/TDSSKiller/RKill have been suggested before but I would like to wait for response from more experienced people.

    Thanks for your time.


  2. Posts : 25,847
    Windows 10 Pro. 64/ version 1709 Windows 7 Pro/64
       #2

    If it was my computer what I would use is Malwarebytes and Eset online scanner.

    https://www.malwarebytes.org/antimalware/


    Free Virus Scan | Online Virus Scanner from ESET

    I haven't used Z/A in years so I know very little about it.
    I haven't read anything good about SpyBot in 5 years.


  3. Posts : 246
    Windows 7 Home Premium 64 bit SP1
       #3

    I sometimes run MSERT in addition to NIS, Malwarebytes, & Spybot. It's free, but you have to download a new version every 10 days.

    Microsoft Safety Scanner - Free Virus Scan with the Microsoft Safety Scanner


  4. Posts : 5,656
    Windows 7 Ultimate x64 SP1
    Thread Starter
       #4

    Hey guys, an update to the situation.

    I went out for a walk and shut down my PC before doing so. When I came back, I downloaded MBAM and started running a scan. While it was running, ZA showed another warning that the 2 dll's were back.

    I haven't let ZA do anything just yet. And started to look deeper on what is going on. Meanwhile, MBAM finished the scan and found 3 entries for OpenCandy PUP, which I removed. Nothing with respect to the 2 dll files.

    Anyway, here is what I have found:

    - ZA list these dll's as medium threat.
    - 1 of the dll's changed location and now both are inside SysWOW64.
    - There is a service named LavasoftTCPService installed and running.
    - The dll's seem to be digitally signed by Lavasoft and even though I am not an expert in these things, seems legit. Can put a screenshot if anyone wants.
    - When I opened the service properties I saw that the executable is in Prog Files(x86)\Lavasoft\Web Companion\...
    - Then I went to Programs and Features and found Web Companion listed there. Installed on 4/8/2015.
    - I clean installed my OS that exact day so whatever it is, it has been there all along. Problem is I have never installed Lavasoft software in this install.

    I suspect that web companion came with a freeware program I installed, perhaps I forgot to uncheck a checkbox to install it automatically. Hopefully I have just been dumb and don't have a real infection.

    Now I wonder why I didn't get any warnings up until last night.

    I will wait for ESET Online to finish and try a manual uninstall. 47% in and so far ESET found:
    - Win32/Toolbar.Montiera.I
    - Win32/Toolbar.Conduit
    both in the category of potentially unwanted application.

    How do we get these PUPs and is there a pro-active way of keeping safe? So far I have only been able to scan and remove these later after they somehow manage to get in the PC.


  5. Posts : 1,102
    OEM Windows 7 Ult (x64) SP1
       #5

    How do we get these PUPs and is there a pro-active way of keeping safe? So far I have only been able to scan and remove these later after they somehow manage to get in the PC.
    Hi:

    I am not qualified to provide specific malware removal advice.
    So, I will leave that to the more expert forum members with proper training, such as jacee and cottonball.

    However, to address your specific question about PUPs and their "prevention".
    Manual, on-demand scanners, including the Free version of MBAM, can only remove PUPs already on the system.
    MBAM Premium is highly effective in preventing many PUPs.
    More information here, in these articles:
    What are the 'PUP' detections, are they threats, and should they be deleted?
    Malwarebytes Adopts Aggressive PUP Policy

    Having said that, most PUPs find their way on to the system through some sort of user action (or lack thereof). For example, failure to opt out of their installation during the setup wizard of other software is a common way to acquire PUPs. User diligence is very important, along with real-time anti-malware software.

    Thank you,


  6. Posts : 10,994
    Win 7 Pro 64-bit
       #6

    Sorry for jumping in but here's some additional info that might help.

    Lavasoft is a legitimate company and probably best known for a free product called Ad-Aware. If you haven't already done so check in Control Panel > Programs and Features for any references to Lavasoft and Ad-Aware. If either or both show up see if you can uninstall.

    Another free anti-malware tool I can recommend is called herdProtect. It uses 68 anti-malware search engines. If something questionable is found, whether it be known malware, PUPs, etc, the options to isolate, quarantine and/or remove are pretty easy to follow.

    herdProtect - Anti-Malware Multiscanning Platform in the Cloud

    One of the best ways to protect your computer is to make regular system images. If malware strikes you can return your computer to its clean condition in usually less than an hour. The machine will be exactly like it was on the day the image was created so the more recent the image the more up to date the restore will be. Here's a couple of tutorials for the native Windows 7 imaging tool and Macrium free.

    Backup Complete Computer - Create an Image Backup

    Imaging with free Macrium


  7. Posts : 1,102
    OEM Windows 7 Ult (x64) SP1
       #7

    ^^ Agree, those do appear to be legit Lavasoft files. But I will defer to more expert members on that. ^^
    ^^ And, yes, having good backups is an important strategy. ^^

    As for Herdprotect, I had heard mixed reports about it.
    The huge number of search engines can potentially lead to false-positives.
    An equally serious concern for me is that it is alleged to employ the work-product of other software developers without full legal permissions. That makes me squeamish, even though the tool is (at least for now) still free.
    But it's up to the user whether to try it, of course.

    There are other tools, such as adwcleaner and JRT, that also target adware, junkware, PUPs.
    However, these are not real-time protection applications, so they cannot *prevent* PUPs, as the OP requests. That's why I mentioned MBAM Premium (I am just a home user with no financial ties to the product or the company).

    JMHO

    Thanks,


  8. Posts : 5,656
    Windows 7 Ultimate x64 SP1
    Thread Starter
       #8

    Hey,

    @Moxie: Thanks for the info. I am usually very careful about the opt out installations, I guess I missed this one.

    @Marsmimar: I know Lavasoft is a legitimate company I used AdAware before, just not in this OS install. And thanks for the image advice. I use Acronis TI 2010 Home with pluspack and do daily images, but this thing was from the day I installed the OS.

    Anyway, ESET found 5 more entries which all are Komodia related. From what I gather Komodia is also a legitimate company but has had a problem recently with SSL validation in their products which left people using their services open to abuse?

    Here is a link if you are fluent in understanding this kind of tech talk
    Will the madness never end? Komodia SSL certificates are EVERYWHERE | Marc's Security Ramblings

    I have uninstalled the Web Companion from Programs and Features after ESET finished scan and fixed its findings. After restart, LavasoftTcpService64.dll and its service (Services - though not started) remained. I then went into registry, backed up just in case and deleted everything Lavasoft. It seems ok for now.

    Marking the thread as solved for now. Thank you all for advice and information.
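Added example, not part of any post in this thread: a read-only PowerShell check for the leftovers described in posts #4 and #8 (the service, the two flagged DLLs with their signature status, and the Programs and Features entry). The function name `Get-LavasoftLeftovers` and the wildcard patterns are assumptions built from the names quoted in the thread; run it from an elevated 64-bit PowerShell so that System32 is not redirected to SysWOW64.

```powershell
# Added example: lists Web Companion / Lavasoft remnants without changing anything.
# Uses only cmdlets available in the PowerShell 2.0 that ships with Windows 7.
function Get-LavasoftLeftovers {
    # 1. Services whose name or binary path mentions Lavasoft
    #    (the thread names the service "LavasoftTCPService").
    Get-WmiObject Win32_Service |
        Where-Object { $_.Name -like '*Lavasoft*' -or $_.PathName -like '*Lavasoft*' } |
        ForEach-Object {
            New-Object PSObject -Property @{
                Kind   = 'Service'
                Item   = $_.Name
                Detail = "$($_.State) / $($_.StartMode) / $($_.PathName)"
            }
        }

    # 2. The DLLs the scanner flagged, in both system directories,
    #    with Authenticode status and signer instead of a visual check.
    foreach ($dir in "$env:windir\System32", "$env:windir\SysWOW64") {
        Get-ChildItem -Path $dir -Filter 'LavasoftTcpService*.dll' -ErrorAction SilentlyContinue |
            ForEach-Object {
                $sig = Get-AuthenticodeSignature -FilePath $_.FullName
                $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { 'no signer' }
                New-Object PSObject -Property @{
                    Kind   = 'File'
                    Item   = $_.FullName
                    Detail = "$($sig.Status) / $signer"
                }
            }
    }

    # 3. Uninstall entries (native and 32-bit views) for Web Companion or Lavasoft.
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '*Web Companion*' -or $_.Publisher -like '*Lavasoft*' } |
        ForEach-Object {
            New-Object PSObject -Property @{
                Kind   = 'Uninstall entry'
                Item   = $_.DisplayName
                Detail = "installed $($_.InstallDate) / $($_.UninstallString)"
            }
        }
}

# An empty result means none of the three kinds of remnant was found.
Get-LavasoftLeftovers | Format-Table Kind, Item, Detail -AutoSize -Wrap
```

Running it before and after the uninstall shows whether the service and DLL survived, as they did in post #8.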


  9. Posts : 25,847
    Windows 10 Pro. 64/ version 1709 Windows 7 Pro/64
       #9

    I see that Malwarebytes and Eset found things. Here is another great program I have a lot of faith in. It's at Bleeping Computer.

    AdwCleaner Download




  10. Posts : 86
    Microsoft Windows 7 Professional Edition Service Pack 1 (build 7601), 64-bit
       #10

    Thank you. This information I think is helping me as I am having this issue right now. I wasn't told I was infected but a game that recently got updated won't update because of the LavasoftTcpService.dll file. I did recently allow Ad-Aware to install with another program so I think I will uninstall it. If it doesn't remove then I will either use AdwCleaner Download as mentioned earlier or, if that doesn't work, then Revo Uninstaller.


 
