Lavasoft Web Companion


A while ago, I noticed that my default search engine and new tab page in Firefox had been changed to Bing. I dismissed this as some stupid thing I had accidentally done, reset both to the defaults, and went back to whatever I was doing.

However, a more pressing problem soon presented itself: Unity (the game engine) kept crashing on start. One of the first links I chanced upon when googling the problem mentioned a program called Lavasoft Ad-Aware, and the gears instantly clicked. I must have accidentally installed some crapware while installing another program! That would also explain the Bing crap. I looked around, and found a program I definitely didn’t install called Lavasoft Web Companion. I uninstalled it, and all the Bing stuff went away - but Unity kept crashing on start.

It turns out that even after Web Companion is uninstalled, it leaves behind a nice little DLL in system32 named LavasoftTcpService64.dll. This, for some reason, was causing the Unity launcher to crash. I moved this DLL, and Unity launched successfully.

But the problems still didn’t end. For some reason, I could only launch Unity in offline mode; I couldn’t use my credentials to authenticate. I could deal with this, but a few days later, I also found that the game Heroes of the Storm would just hang at an “Authenticating” screen forever, until I hit the Cancel button. Perhaps it was just a coincidence, but just to be sure… I moved LavasoftTcpService64.dll back to its original place, and - yep, Heroes of the Storm worked flawlessly.

I was pretty pissed at this point. I could only assume that this stupid thing was trying to inject itself into all programs that used networking, for who-knows-what nefarious purposes. I tried a couple of scanners - Windows Defender and Malwarebytes - and neither of them caught it. So, I once again turned to Google for answers, and it delivered. Interestingly, the solution was on Lavasoft’s very own forums.

To summarize the instructions on that page, here’s how you really disable the DLL:

  1. Download Farbar Recovery Scan Tool.
  2. Paste the following into a file named fixlist.txt:

    CreateRestorePoint:
    CloseProcesses:
    IE trusted site: HKU\S-1-5-21-4195246399-3651317755-855275670-1001\...\webcompanion.com -> hxxp://webcompanion.com
    Winsock: Catalog9-x64 01 C:\Windows\system32\LavasoftTcpService64.dll [422400 2015-08-04] (Lavasoft Limited)
    Winsock: Catalog9-x64 02 C:\Windows\system32\LavasoftTcpService64.dll [422400 2015-08-04] (Lavasoft Limited)
    Winsock: Catalog9-x64 03 C:\Windows\system32\LavasoftTcpService64.dll [422400 2015-08-04] (Lavasoft Limited)
    Winsock: Catalog9-x64 04 C:\Windows\system32\LavasoftTcpService64.dll [422400 2015-08-04] (Lavasoft Limited)
    Winsock: Catalog9-x64 05 C:\Windows\system32\LavasoftTcpService64.dll [422400 2015-08-04] (Lavasoft Limited)
    CMD: netsh winsock reset catalog
    CMD: netsh int ip reset c:\resetlog.txt
    Reboot:
    
  3. Move FRST[64].exe and fixlist.txt into the same folder.
  4. Make sure you’re not doing anything important - FRST forcibly exits all programs after running.
  5. Run FRST and hit the “fix” button. It’ll exit everything and ask you to restart. Do so.

After restarting, the DLL file will remain, as the fixlist.txt only instructs FRST to stop it from hooking into the Windows networking system. It should be safe to remove the DLL file now.
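A check to run before deleting the DLL, as an added example that is not from the original post, Lavasoft or FRST: it parses `netsh winsock show catalog` output and reports whether any Winsock catalog entry still points at the file, since moving the DLL while entries still referenced it is what broke authentication earlier. The function names and sample text are constructed, and the field layout assumes English-locale netsh output.

```python
import subprocess

# Constructed samples of `netsh winsock show catalog` output (English locale,
# trimmed to a few fields). The layered entry mirrors the fixlist above.
LSP_ENTRY = r"""
Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Layered Chain Entry
Description:                        EXAMPLE layered provider (constructed)
Provider Path:                      C:\Windows\system32\LavasoftTcpService64.dll
Catalog Entry ID:                   1015
"""
BASE_ENTRY = r"""
Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Base Service Provider
Description:                        MSAFD Tcpip [TCP/IP]
Provider Path:                      %SystemRoot%\system32\mswsock.dll
Catalog Entry ID:                   1001
"""
SAMPLE_BEFORE, SAMPLE_AFTER = LSP_ENTRY + BASE_ENTRY, BASE_ENTRY

def parse_catalog(text):
    """Split netsh output into one dict of 'Field: value' pairs per entry."""
    entries, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.endswith("Provider Entry"):      # header that starts each entry
            cur = {}
            entries.append(cur)
        elif cur is not None and ":" in line:    # split on the first colon only
            key, _, value = line.partition(":")
            cur[key.strip()] = value.strip()
    return entries

def entries_using(entries, dll_name):
    """Entries whose Provider Path file name equals dll_name (case-insensitive)."""
    want = dll_name.lower()
    return [e for e in entries
            if e.get("Provider Path", "").lower().rsplit("\\", 1)[-1] == want]

def safe_to_delete(text, dll_name):
    """True only when no catalog entry references the DLL any more."""
    return not entries_using(parse_catalog(text), dll_name)

def live_catalog():
    """Windows only: capture the current catalog from netsh."""
    return subprocess.run(["netsh", "winsock", "show", "catalog"],
                          capture_output=True, text=True, check=True).stdout

if __name__ == "__main__":
    for label, text in (("before fix", SAMPLE_BEFORE), ("after fix", SAMPLE_AFTER)):
        print(label, "-> safe to delete:", safe_to_delete(text, "LavasoftTcpService64.dll"))
```

On the affected machine, pass `live_catalog()` instead of the samples after the reboot.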

At this point, I was good to go, but so many questions still remain. What was that DLL doing? Was it sending all my web traffic to Lavasoft servers? If it was, why was it crashing Unity? Why did it cause so many problems after removal?

Really, though, I’m just in disbelief that Web Companion was so blatantly mucking with my system. It’s one thing to hear the scare-term “adware”, and laugh off those stupid advertisers who have to include their products as selected-by-default-checkboxes. It’s another thing entirely to actually see it firsthand. I’d be interested to see a rundown on what Lavasoft Web Companion was actually doing.

12/8/2015: Fixed typos and minor grammar mistakes