Solved Infection LavasoftTcpService.dll

GokAy
Hello all, last night after logging in to Windows I received a warning from ZoneAlarm Extreme Security that 2 files had been infected with the following:

C:\Windows\System32\LavasoftTcpService64.dll - not-a-virus:HEUR.AdWare.Win32.OptimizerMonitor.heur
C:\Windows\SysWOW64\LavasoftTcpService.dll - not-a-virus:AdWare.Win32.OptimizerMonitor.j

I don't use Lavasoft products on my PC, so when I opened IE11 to check what they were there was no connection. My Internet connection was fine though. Anyway, I checked both files and clicked treat in the ZA window, and after some time it told me that it wasn't able to treat them and needed to perform an Advanced Disinfection. After closing all open programs as instructed, ZA took 5 or so minutes to finish what it was doing. Before it auto-restarted the PC I got a bunch of Bad Image warnings for my running processes.

After the restart the PC booted and logged in to Windows just fine, I then rescanned the PC with ZA/SuperAntiSpyware/Spybot S&D and found nothing.

I am not sure how I got the infection, as I am careful about suspicious websites and only use freeware or licensed paid-for software/games etc. Everything is up to date and scans are performed on a schedule. Also, I haven't installed anything in the last few days. I only downloaded WinDirStat and 7StickyNotes from their official download locations (not installed yet).

So my question would be: should I use any other scanners to make sure I don't have any leftovers anywhere on my PC? From what I have read in this forum, Malwarebytes/TDSSKiller/RKill have been suggested before, but I would like to wait for a response from more experienced people.

Thanks for your time.
 

My Computer
Computer type: PC/Desktop
Computer Manufacturer/Model Number: Custom Build
OS: Windows 7 Ultimate x64 SP1
CPU: AMD Phenom 2 1090T
Motherboard: Gigabyte GA-890FXA-UD5
Memory: 2x8GB Kingston HyperX Fury Black 1600Mhz Unganged
Graphics Card(s): MSI GTX 970 Gaming 4G
Sound Card: Realtek On-Board HD 7.1 Audio / Logitech G35
Monitor(s) Displays: 3xAcer GD245HQ
Screen Resolution: 1920x1080
Hard Drives:
  Samsung 850 Pro 512GB SSD - OS /
  WD Caviar Black SATA 3 - 1 TBx2 - Dynamic RAID 0 /
  WD Caviar Green SATA 2 - 640GBx2 - Dynamic RAID 0 /
  WD Caviar Green SATA 2 - 640GB - Internal Backup /
  Seagate Barracuda SATA 3 - 3TB - External Backup/ Sync
PSU: HighPower 1000W
Case: Cooler Master HAF 932
Cooling: Noctua NH-D14
Keyboard: Logitech G19
Mouse: Logitech G500
Internet Speed: 100/4 Mbit Cable (100GB quota)
Antivirus: ZoneAlarm Extreme Security / MBAM Pro / MBAE Free / SAS Free
Browser: IE 11 - Firefox - Chrome
Other Info: Logitech F710/ G27/ G940/ Z5500 // TrackIR 5 // Nvidia 3D Surround Vision

My Computer
Computer type: PC/Desktop
Computer Manufacturer/Model Number: Home made Desktop
OS: Windows 10 Pro. 64/ version 1709 Windows 7 Pro/64
CPU: Intel i7-6800K @ 4.3
Motherboard: ASUS X-99 Deluxe II
Memory: Corsair Platinum 16 gig @2400
Graphics Card(s): EVGA GTX 1070 OC
Monitor(s) Displays: Asus 27" LED LCD/VE278Q
Screen Resolution: 1920-1080 or 1280-720 HDMI
Hard Drives: INTEL SSD 730-240 Gb Sata 3.0/
PSU: EVGA Platinum 1200W
Case: Phanteks Luxe Tempered Glass 8 fans/ one radiator
Cooling: XSPC/ Water Cooled CPU
Keyboard: Das 4 Professional
Mouse: Logitech M705/MX Anywhere 2-S
Internet Speed: 100 mbits
Antivirus: Microsoft Security Essentials/ Malwarebytes Premium 3.0/ SAS
Browser: I.E. 11 default/Firefox/ ISP Time Warner Cable/Spectrum
Other Info: LG BluRay Burner/ Sound system-Klipsch-THX/ Icy Dock ssd Hot Swap bays.

My Computer
Computer type: PC/Desktop
Computer Manufacturer/Model Number: ASUS
OS: Windows 7 Home Premium 64 bit SP1
CPU: i5-2320 @3.00 GHz
Memory: 6GB
Graphics Card(s): NVIDIA GeForce 7300 LE
Monitor(s) Displays: Acer S200HQL 19.5 LED
Screen Resolution: 1280 x 800 (1900 x 900 max)
Hard Drives:
  Drive 1: 1 TB SATA internal: C drive
  Drive 2: 250 GB SATA internal: User Data Backup
  Drive 3: 500 GB SATA USB: Full System Backup 1, Father
  Drive 4: 500 GB SATA USB: Full System Backup 2, Son
  Drive 5: 40 GB IDE USB: Kindle, ASUS Tabl
Keyboard: ASUS KB34211
Mouse: Logitech m325 cordless
Internet Speed: 27Mb down, 3 Mb up cable modem w/Netgear R6400 WiFi
Antivirus: NIS, Spybot S&D, CCleaner, Malwarebytes, MSERT, MRT
Browser: FF v44.0.2;IE11 v11.0.9600.18015,uv11.0.23;Chrome v44.0.2403
Other Info: FF has AdBlockPlus and Ghostery plugins,

Hey guys, an update to the situation.

I went out for a walk and shut down my PC before doing so. When I came back, I downloaded MBAM and started running a scan. While it was running, ZA showed another warning that the 2 DLLs were back. :sarc:

I haven't let ZA do anything just yet, and started to look deeper into what is going on. Meanwhile, MBAM finished the scan and found 3 entries for OpenCandy PUP, which I removed. Nothing with respect to the 2 DLL files.

Anyway, here is what I have found:

- ZA lists these DLLs as medium threat.
- 1 of the DLLs changed location and now both are inside SysWOW64.
- There is a service named LavasoftTCPService installed and running.
- The DLLs seem to be digitally signed by Lavasoft and, even though I am not an expert in these things, it seems legit. I can put up a screenshot if anyone wants.
- When I opened the service properties I saw that the executable is in Prog Files(x86)\Lavasoft\Web Companion\...
- Then I went to Programs and Features and found Web Companion listed there. Installed on 4/8/2015.
- I clean installed my OS that exact day, so whatever it is, it has been there all along. Problem is, I have never installed Lavasoft software in this install.

I suspect that Web Companion came with a freeware program I installed; perhaps I forgot to uncheck a checkbox that installs it automatically. Hopefully I have just been dumb :p and don't have a real infection.

Now I wonder why I didn't get any warnings up until last night.

I will wait for ESET Online to finish and try a manual uninstall. 47% in and so far ESET has found:
- Win32/Toolbar.Montiera.I
- Win32/Toolbar.Conduit
both in the category of potentially unwanted application.

How do we get these PUPs, and is there a proactive way of keeping safe? So far I have only been able to scan and remove them later, after they somehow manage to get into the PC.
 

> How do we get these PUPs, and is there a proactive way of keeping safe? So far I have only been able to scan and remove them later, after they somehow manage to get into the PC.

Hi:

I am not qualified to provide specific malware removal advice.
So, I will leave that to the more expert forum members with proper training, such as jacee and cottonball.

However, to address your specific question about PUPs and their "prevention":
Manual, on-demand scanners, including the free version of MBAM, can only remove PUPs already on the system.
MBAM Premium is highly effective in preventing many PUPs.
More information here, in these articles:
What are the 'PUP' detections, are they threats, and should they be deleted?
Malwarebytes Adopts Aggressive PUP Policy

Having said that, most PUPs find their way on to the system through some sort of user action (or lack thereof). For example, failure to opt out of their installation during the setup wizard of other software is a common way to acquire PUPs. User diligence is very important, along with real-time anti-malware software.

Thank you,
 

My Computer
Computer type: PC/Desktop
Computer Manufacturer/Model Number: Dell Studio XPS 8500
OS: OEM Windows 7 Ult (x64) SP1
CPU: Intel Core-i7 3770 @ 3.4 GHz
Motherboard: "Dell" branded
Memory: 16 GB DDR3 SDRAM @ 1333 MHz
Graphics Card(s): NVidia GeForce GT620 1 GB
Sound Card: THX TruStudio PC
Monitor(s) Displays: Dell U2410 Full HD
Hard Drives: 2.0 TB SATA2 @ 7200 RPM
PSU: 350W
Keyboard: MS 4000 Ergon - Wired
Mouse: Logitech Anywhere MX
Internet Speed: Cable HSI w/Turbo (router)
Antivirus: KIS-MBAM Premium-MBAE Premium
Browser: Fx (current version); IE
Other Info: And a Win7/64 Pro laptop; And a Win10/64 Pro desktop.

Sorry for jumping in but here's some additional info that might help.

Lavasoft is a legitimate company and is probably best known for a free product called Ad-Aware. If you haven't already done so, check in Control Panel > Programs and Features for any references to Lavasoft and Ad-Aware. If either or both show up, see if you can uninstall them.

Another free anti-malware tool I can recommend is called herdProtect. It uses 68 anti-malware search engines. If something questionable is found, whether it be known malware, PUPs, etc, the options to isolate, quarantine and/or remove are pretty easy to follow.

herdProtect - Anti-Malware Multiscanning Platform in the Cloud

One of the best ways to protect your computer is to make regular system images. If malware strikes you can return your computer to its clean condition in usually less than an hour. The machine will be exactly like it was on the day the image was created, so the more recent the image, the more up to date the restore will be. Here are a couple of tutorials for the native Windows 7 imaging tool and Macrium free.

http://www.sevenforums.com/tutorials/663-backup-complete-computer-create-image-backup.html

http://www.sevenforums.com/tutorials/73828-imaging-free-macrium.html
 

My Computer
Computer type: Laptop
Computer Manufacturer/Model Number: Sony Vaio VPCEB47GM Laptop
OS: Win 7 Pro 64-bit
CPU: Intel i5 2.4 Ghz
Memory: 8GB DDR3
Graphics Card(s): Intel HD 3000
Sound Card: IDT High Definition
Monitor(s) Displays: 15.6 WGXA Anti-Glare LED
Screen Resolution: 1280x800
Hard Drives: 640Gb 7200rpm
Antivirus: MSE
Browser: Opera (primary) with IE9 backup

^^ Agree, those do appear to be legit Lavasoft files. But I will defer to more expert members on that. ^^
^^ And, yes, having good backups is an important strategy. ^^

As for Herdprotect, I had heard mixed reports about it.
The huge number of search engines can potentially lead to false-positives.
An equally serious concern for me is that it is alleged to employ the work-product of other software developers without full legal permissions. That makes me squeamish, even though the tool is (at least for now) still free.
But it's up to the user whether to try it, of course.

There are other tools, such as AdwCleaner and JRT, that also target adware, junkware, and PUPs.
However, these are not real-time protection applications, so they cannot *prevent* PUPs, as the OP requests. That's why I mentioned MBAM Premium (I am just a home user with no financial ties to the product or the company).

JMHO

Thanks,
 

Hey,

@Moxie: Thanks for the info. I am usually very careful about the opt out installations, I guess I missed this one.

@Marsmimar: I know Lavasoft is a legitimate company ;) I used AdAware before, just not in this OS install. And thanks for the image advice. I use Acronis TI 2010 Home with pluspack and do daily images, but this thing was from the day I installed the OS.

Anyway, ESET found 5 more entries, which are all Komodia-related. From what I gather, Komodia is also a legitimate company but has had a problem recently with SSL validation in their products, which left people using their services open to abuse?

Here is a link if you are fluent in understanding this kind of tech talk:
Will the madness never end? Komodia SSL certificates are EVERYWHERE | Marc's Security Ramblings

I uninstalled Web Companion from Programs and Features after ESET finished its scan and fixed its findings. After the restart, LavasoftTcpService64.dll and its service (in Services, though not started) remained. I then went into the registry, backed it up just in case, and deleted everything Lavasoft. It seems OK for now.

Marking the thread as solved for now. Thank you all for advice and information.
 

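An added, read-only triage script (not posted by anyone in this thread) that automates the manual checks GokAy describes earlier (Authenticode signature of the flagged DLLs, the service binary path, the Programs and Features entry) and adds a trusted-root-certificate check prompted by the Komodia SSL discussion above. It assumes Windows PowerShell run as Administrator; the paths and vendor strings are the ones named in the thread, and the certificate check is a general interception-CA check, not something the thread itself performed. It reports only and removes nothing.

```powershell
# Added example, not from the thread. Read-only triage of the LavasoftTcpService
# findings. Assumes Windows PowerShell run as Administrator (for full service
# and HKLM registry visibility). File paths and names are the ones the thread
# reports; nothing here is deleted or changed.

$dlls = @(
    'C:\Windows\System32\LavasoftTcpService64.dll',
    'C:\Windows\SysWOW64\LavasoftTcpService.dll',
    'C:\Windows\SysWOW64\LavasoftTcpService64.dll'   # the OP later found both DLLs under SysWOW64
)
# Vendor/product strings taken from the thread; used as a case-insensitive regex.
$needle = 'Lavasoft|Web Companion|Komodia'

Write-Host '== 1. Authenticode signature of the flagged DLLs =='
foreach ($p in $dlls) {
    if (Test-Path $p) {
        $sig = Get-AuthenticodeSignature -FilePath $p
        # Status 'Valid' with a Lavasoft subject is what the OP saw as "seems legit".
        # A valid signature establishes who published the file, not whether it is wanted.
        '{0}: {1} signer={2}' -f $p, $sig.Status, $sig.SignerCertificate.Subject
    } else {
        "$p: not present"
    }
}

Write-Host '== 2. Services whose name or binary path mentions the vendor =='
# Get-WmiObject rather than Get-CimInstance so this also runs on Windows 7's PowerShell 2.0.
Get-WmiObject Win32_Service |
    Where-Object { $_.Name -match $needle -or $_.PathName -match $needle } |
    Select-Object Name, State, StartMode, PathName | Format-List

Write-Host '== 3. Programs and Features entries (native and Wow6432Node views) =='
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -match $needle -or $_.Publisher -match $needle } |
    Select-Object DisplayName, Publisher, InstallDate, UninstallString | Format-List

Write-Host '== 4. Trusted root certificates mentioning the vendor =='
# Assumption-based check: SSL-interception products of the Komodia kind add their own
# root CA so they can inspect HTTPS traffic. Anything matching here deserves a look.
Get-ChildItem -Path Cert:\LocalMachine\Root, Cert:\CurrentUser\Root |
    Where-Object { $_.Subject -match $needle -or $_.Issuer -match $needle } |
    Select-Object Subject, Thumbprint, NotAfter | Format-List
```

Run it before and after an uninstall to confirm that the service, the uninstall entry and any leftover root certificate are actually gone rather than merely stopped.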
I see that Malwarebytes and ESET found things. Here is another great program I have a lot of faith in. It's at Bleeping Computer.

AdwCleaner Download
 

Thank you. I think this information is helping me, as I am having this issue right now. I wasn't told I was infected, but a game that was recently updated won't update because of the LavasoftTcpService.dll file. I did recently allow Ad-Aware to install with another program, so I think I will uninstall it. If that doesn't remove it, I will either use AdwCleaner as mentioned earlier or, if that doesn't work, Revo Uninstaller.
 

My Computer
Computer type: PC/Desktop
Computer Manufacturer/Model Number: HP-Pavilion-a6000-Desktop-PC
OS: Microsoft Windows 7 Professional Edition Service Pack 1 (build 7601), 64-bit
CPU: Intel(R) Core(TM)2 Quad Q9550 @2.83GHz (Xeon) Socket 775 LGA
Motherboard: ASUSTeK Computer INC. Benicia (P35/G33/G31)
Memory: 4095 MB (4 x 1024 MBytes DDR2 Dual Symmetric)
Graphics Card(s): Sapphire HD 7770 GHz Edition (shows Radeon R7 200)
Sound Card: Realtek High Definition Audio Driver Version 6.0.1.6662
Monitor(s) Displays: HP w19b 18.6" 5:3 (SN: CNC703PN1G)
Screen Resolution: 1440 x 900
Hard Drives: 1080 GB total
  C: (320Gb): WDC WD3200AAKS-75L9A0 ATA
  D: (Optical Drive): ATAPI DVD A DH16A6S ATA Device
  E: (1Tb): WDC WD10EARS-00S8B1 ATA
  F: (Backup 2 Tb): Clikfree Backup Drive USB
PSU: GX750
Case: Black/Blue APEVIA X-Hermes
Cooling: 2 top, 1 back, 1 front fan all 180 mm & side 200mm
Keyboard: Logitech G110
Mouse: Logitech G500s
Internet Speed: High speed cable
Antivirus: Avast! Internet Security 2014.9.0.2021
Browser: Firefox 44 (x86 en-US)
Other Info: BIOS American Megatrends, Date: 09/10/09 10:25:18 Ver: 5.43