1. EdwardBe5

    EdwardBe5 Private E-2

    Hello,
    I downloaded Tetris as recommended elsewhere on Major Geeks, and although Winlock was not installed, I am now subject to adware from Winlock in the form of a periodic popup trying to sell me on buying Winlock.
    My anti-virus doesn't detect it and there seems to be no way to uninstall it.
    Any suggestions would be greatly appreciated.
    Thanks,
    Edward
     

    Attached Files:

  2. Oh My!

    Oh My! Malware Expert Staff Member

    Greetings and welcome to the Major Geeks Malware Forum.

    Please do this

    ===================================================

    Farbar Recovery Scan Tool (FRST)

    --------------------
    • Download FRST64 and save the file on your Desktop
    • If your computer language is other than English right click on the FRST64 icon and rename it to FRST64english
    • Right click on the icon and select Run as administrator
    • Note: If you receive any warning about the download it is a false positive and you can ignore it. Click on More info to get the Run anyway option
    • Click Yes to the disclaimer
    • Click Scan and allow the program to run
    • When completed, FRST.txt and Addition.txt reports will be saved on the Desktop
    • Please attach the reports to your reply
    ===================================================

    Things I would like to see in your next reply.
    • Attached reports
     
  3. EdwardBe5

    EdwardBe5 Private E-2

    Thanks.
     

    Attached Files:

  4. Oh My!

    Oh My! Malware Expert Staff Member

    Thank you for your patience while I reviewed things.

    I have reviewed the reports and find no evidence of Winlock or any malware on your system. Though Winlock may be mentioned during the downloading process it is not automatically downloaded or installed.
     
  5. EdwardBe5

    EdwardBe5 Private E-2

    Thanks, but my issue is that I am getting periodic popups advertising Winlock as in the screenshot in my original post, so something was installed as adware.
    I have attached the screenshot again to this reply: Screenshot 2024-07-15 120059.png
    It's only an annoyance. Nothing else happens. I just click on the X, and it goes away or it goes away of its own accord.
     
  6. Oh My!

    Oh My! Malware Expert Staff Member

    Is this while using Firefox? Have you tested Edge?

    Please do this.

    ===================================================

    Farbar Recovery Scan Tool Fix

    --------------------
    • Right click on the FRST64 icon and select Run as administrator
    • Highlight the below information then hit the Ctrl + C keys at the same time and the text will be copied
    • There is no need to paste the information anywhere; FRST64 will do it for you
    Code:
    Start::
    CreateRestorePoint:
    CloseProcesses:
    cmd: netsh winsock reset catalog
    cmd: netsh int ip reset resetlog.txt
    Reg: reg export HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Defaults\FirewallPolicy\FirewallRules C:\Firewall.reg
    C:\Firewall.reg
    cmd: netsh advfirewall reset
    cmd: netsh advfirewall set allprofiles state ON
    cmd: bitsadmin /reset /allusers
    cmd: ipconfig /flushdns
    Removeproxy:
    hosts:
    cmd: sfc /scannow
    cmd: DISM /Online /Cleanup-Image /CheckHealth
    Emptytemp:
    End::
    
    • Click Fix
    • When completed the tool will create a log on the desktop called Fixlog.txt. Please copy and paste the contents of the file in your reply.
    • Note: This step resets your Firewall settings and you may be asked later to grant permission for legitimate programs to pass through the Firewall. If you recognize the program agree to the request.
    • Note: The Emptytemp: command will remove cookies and may result in some websites (like banking) indicating they do not recognize your computer. It may be necessary to receive and apply a verification code.

    ===================================================

    Malwarebytes AdwCleaner

    -------------------
    • Please download AdwCleaner and save it to your Desktop
    • Close all open programs and browsers
    • Right click on the icon and select Run as administrator
    • Click Scan now
    • Uncheck any detected items you would like to keep, then click Next
    • If a Preinstalled software was found! screen appears review it if you'd like then click OK
    • Review the list of Preinstalled software and place a check mark in those you do not wish to keep
    • Click Quarantine, then Continue
    • When completed click View Log File
    • Copy and paste the contents in your reply
    • Close the AdwCleaner window
    ===================================================

    Farbar Recovery Scan Tool SearchAll

    --------------------
    • Launch FRST
    • Type the following in the Search: box
    Code:
    SearchAll: Winlock;Crystal
    
    • Click Search Files button
    • When completed click OK and a Search.txt document will open on your desktop
    • Attach the report to your reply
    ===================================================

    Running Firefox in Browser Safe Mode

    --------------------
    • Close any open Firefox windows
    • Hold down the Shift Key and launch Firefox
    • Click Open
    • Check for continued pop-ups
    ===================================================

    Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.
    • Pop ups while using Firefox? Have you tested another browser, like Edge?
    • Fixlog
    • AdwCleaner report
    • Search.txt
    • Firefox in Safe Mode?
     
  7. EdwardBe5

    EdwardBe5 Private E-2

    Malwarebytes Log:
    # -------------------------------
    # Malwarebytes AdwCleaner 8.4.2.0
    # -------------------------------
    # Build: 03-04-2024
    # Database: 2024-03-04.1 (Cloud)
    # Support: https://www.malwarebytes.com/support
    #
    # -------------------------------
    # Mode: Clean
    # -------------------------------
    # Start: 07-16-2024
    # Duration: 00:00:04
    # OS: Windows 11 (Build 22631.3880)
    # Cleaned: 16
    # Failed: 0


    ***** [ Services ] *****

    Deleted WCAssistantService

    ***** [ Folders ] *****

    Deleted C:\Program Files (x86)\Lavasoft\Web Companion
    Deleted C:\ProgramData\Application Data\Lavasoft\Web Companion
    Deleted C:\ProgramData\Lavasoft\Web Companion
    Deleted C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Lavasoft\WebCompanion
    Deleted C:\Users\edwar\AppData\Local\Lavasoft\WEBCOMPANION.EXE_URL_MRPQ523XMEO0CM2M0N5VJ25Z3NZKGEP4
    Deleted C:\Users\edwar\AppData\Roaming\Lavasoft\Web Companion

    ***** [ Files ] *****

    No malicious files cleaned.

    ***** [ DLL ] *****

    No malicious DLLs cleaned.

    ***** [ WMI ] *****

    No malicious WMI cleaned.

    ***** [ Shortcuts ] *****

    No malicious shortcuts cleaned.

    ***** [ Tasks ] *****

    No malicious tasks cleaned.

    ***** [ Registry ] *****

    Deleted HKCU\Software\Lavasoft\Web Companion
    Deleted HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\webcompanion.com
    Deleted HKCU\Software\Microsoft\Windows\CurrentVersion\Run|Web Companion
    Deleted HKLM\Software\Wow6432Node\Lavasoft\Web Companion
    Deleted HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{6d4e6810-65a6-4dde-821e-cf4b6dff7b4e}|DisplayIcon
    Deleted HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{6d4e6810-65a6-4dde-821e-cf4b6dff7b4e}|DisplayName
    Deleted HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{6d4e6810-65a6-4dde-821e-cf4b6dff7b4e}|UninstallString
    Deleted HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\webcompanion.com
    Deleted HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\webcompanion.com

    ***** [ Chromium (and derivatives) ] *****

    No malicious Chromium entries cleaned.

    ***** [ Chromium URLs ] *****

    No malicious Chromium URLs cleaned.

    ***** [ Firefox (and derivatives) ] *****

    No malicious Firefox entries cleaned.

    ***** [ Firefox URLs ] *****

    No malicious Firefox URLs cleaned.

    ***** [ Hosts File Entries ] *****

    No malicious hosts file entries cleaned.

    ***** [ Preinstalled Software ] *****

    No Preinstalled Software cleaned.


    *************************

    [+] Delete Tracing Keys
    [+] Reset Winsock

    *************************

    AdwCleaner[S00].txt - [3278 octets] - [16/07/2024 05:04:59]

    ########## EOF - C:\AdwCleaner\Logs\AdwCleaner[C00].txt ##########

    I haven't tried Edge.
    Firefox is continuously open 24/7.
    The popups occur whenever I start Tetris, but they occur so infrequently that I can't say they only occur when Tetris is running.
    I have to submit this in order to close Firefox and restart it in safe mode.
    Thanks again.
     

    Attached Files:
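Added example, not code from this thread and not Malwarebytes' own tooling: a small Python parser for the AdwCleaner clean log posted above. It splits the log into its header fields and `***** [ Section ] *****` blocks, cross-checks the header's `Cleaned:` count against the itemised `Deleted` lines, and tags the entries a reviewer wants to notice in a report like this one: the deleted service and the `CurrentVersion\Run` value (both persistence points for Web Companion) and the `ZoneMap\Domains` entries. The sample log is a constructed, trimmed copy of the posted one; the function and pattern names are the example's own.

```python
import re
from collections import OrderedDict

# Constructed sample input: the AdwCleaner clean log posted in this thread, trimmed to
# its header fields and the sections that matter here (other sections omitted).
SAMPLE_LOG = r"""
# -------------------------------
# Malwarebytes AdwCleaner 8.4.2.0
# -------------------------------
# Mode: Clean
# -------------------------------
# Start: 07-16-2024
# OS: Windows 11 (Build 22631.3880)
# Cleaned: 16
# Failed: 0

***** [ Services ] *****

Deleted WCAssistantService

***** [ Folders ] *****

Deleted C:\Program Files (x86)\Lavasoft\Web Companion
Deleted C:\ProgramData\Application Data\Lavasoft\Web Companion
Deleted C:\ProgramData\Lavasoft\Web Companion
Deleted C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Lavasoft\WebCompanion
Deleted C:\Users\edwar\AppData\Local\Lavasoft\WEBCOMPANION.EXE_URL_MRPQ523XMEO0CM2M0N5VJ25Z3NZKGEP4
Deleted C:\Users\edwar\AppData\Roaming\Lavasoft\Web Companion

***** [ Files ] *****

No malicious files cleaned.

***** [ Registry ] *****

Deleted HKCU\Software\Lavasoft\Web Companion
Deleted HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\webcompanion.com
Deleted HKCU\Software\Microsoft\Windows\CurrentVersion\Run|Web Companion
Deleted HKLM\Software\Wow6432Node\Lavasoft\Web Companion
Deleted HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{6d4e6810-65a6-4dde-821e-cf4b6dff7b4e}|DisplayIcon
Deleted HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{6d4e6810-65a6-4dde-821e-cf4b6dff7b4e}|DisplayName
Deleted HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{6d4e6810-65a6-4dde-821e-cf4b6dff7b4e}|UninstallString
Deleted HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\webcompanion.com
Deleted HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\webcompanion.com

*************************

[+] Delete Tracing Keys
[+] Reset Winsock
"""

HEADER_RE = re.compile(r"^# ([A-Za-z ]+): (.*)$")          # "# Cleaned: 16"
SECTION_RE = re.compile(r"^\*{5} \[ (.+?) \] \*{5}$")        # "***** [ Registry ] *****"
ITEM_RE = re.compile(r"^Deleted (.+)$")                      # one cleaned item
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\|", re.IGNORECASE)
ZONEMAP_RE = re.compile(r"\\Internet Settings\\ZoneMap\\Domains\\", re.IGNORECASE)


def parse_adwcleaner_log(text):
    """Return {'header': {field: value}, 'sections': OrderedDict(section -> [deleted items])}."""
    header, sections, current = {}, OrderedDict(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m and current is None:            # header fields only appear before the first section
            header[m.group(1).strip()] = m.group(2).strip()
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
            continue
        m = ITEM_RE.match(line)
        if m and current is not None:        # "No malicious ... cleaned." lines are ignored
            sections[current].append(m.group(1))
    return {"header": header, "sections": sections}


def summary_matches(parsed):
    """Cross-check the header's 'Cleaned:' count against the itemised deletions."""
    claimed = int(parsed["header"].get("Cleaned", "0"))
    return claimed == sum(len(v) for v in parsed["sections"].values())


def persistence_findings(parsed):
    """Tag deleted items that represent persistence or trust changes worth reporting."""
    findings = [("service", n) for n in parsed["sections"].get("Services", [])]
    for item in parsed["sections"].get("Registry", []):
        if RUN_KEY_RE.search(item):
            findings.append(("run-key", item))          # autostart at user logon
        elif ZONEMAP_RE.search(item):
            findings.append(("zonemap-domain", item))   # domain placed in an IE security zone
    return findings


if __name__ == "__main__":
    parsed = parse_adwcleaner_log(SAMPLE_LOG)
    for section, items in parsed["sections"].items():
        print(f"{section}: {len(items)} deleted")
    print("summary consistent:", summary_matches(parsed))
    for kind, item in persistence_findings(parsed):
        print(f"  [{kind}] {item}")
```

The consistency check is the part worth keeping: when a cleaner's summary line says one thing and its itemised list another, the log has been truncated or edited, which is the first thing to verify before drawing conclusions from a pasted report.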

  8. EdwardBe5

    EdwardBe5 Private E-2

    Now in SAFE mode. I will start Tetris and see if the popups resume.
    Nothing in 10 minutes. Restarting FF.
     
  9. EdwardBe5

    EdwardBe5 Private E-2

    It popped up just now. Approximately 15 minutes after starting Tetris.
     
  10. Oh My!

    Oh My! Malware Expert Staff Member

    Thank you for the information.

    Rather than attaching the Fixlog.txt report you posted the FRST.txt report. If you can locate Fixlog.txt could you attach that to your reply?
     
  11. EdwardBe5

    EdwardBe5 Private E-2

    Thanks again.

    Fix result of Farbar Recovery Scan Tool (x64) Version: 16.07.2024
    Ran by edwar (16-07-2024 04:45:00) Run:1
    Running from C:\Users\edwar\Desktop
    Loaded Profiles: edwar
    Boot Mode: Normal
    ==============================================

    fixlist content:
    *****************
    Start::
    CreateRestorePoint:
    CloseProcesses:
    cmd: netsh winsock reset catalog
    cmd: netsh int ip reset resetlog.txt
    Reg: reg export HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Defaults\FirewallPolicy\FirewallRules C:\Firewall.reg
    C:\Firewall.reg
    cmd: netsh advfirewall reset
    cmd: netsh advfirewall set allprofiles state ON
    cmd: bitsadmin /reset /allusers
    cmd: ipconfig /flushdns
    Removeproxy:
    hosts:
    cmd: sfc /scannow
    cmd: DISM /Online /Cleanup-Image /CheckHealth
    Emptytemp:
    End::
    *****************

    Restore point was successfully created.
    Processes closed successfully.

    ========= netsh winsock reset catalog =========


    Sucessfully reset the Winsock Catalog.
    You must restart the computer in order to complete the reset.



    ========= End of CMD: =========


    ========= netsh int ip reset resetlog.txt =========

    Resetting Compartment Forwarding, OK!
    Resetting Compartment, OK!
    Resetting Control Protocol, OK!
    Resetting Echo Sequence Request, OK!
    Resetting Global, OK!
    Resetting Interface, OK!
    Resetting Anycast Address, OK!
    Resetting Multicast Address, OK!
    Resetting Unicast Address, OK!
    Resetting Neighbor, OK!
    Resetting Path, OK!
    Resetting Potential, OK!
    Resetting Prefix Policy, OK!
    Resetting Proxy Neighbor, OK!
    Resetting Route, OK!
    Resetting Site Prefix, OK!
    Resetting Subinterface, OK!
    Resetting Wakeup Pattern, OK!
    Resetting Resolve Neighbor, OK!
    Resetting , OK!
    Resetting , OK!
    Resetting , OK!
    Resetting , OK!
    Resetting , failed.
    Access is denied.

    Resetting , OK!
    Resetting , OK!
    Resetting , OK!
    Resetting , OK!
    Resetting , OK!
    Resetting , OK!
    Resetting , OK!
    Resetting , OK!
    Restart the computer to complete this action.



    ========= End of CMD: =========


    ========= reg export HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Defaults\FirewallPolicy\FirewallRules C:\Firewall.reg =========

    The operation completed successfully.


    ========= End of Reg: =========

    C:\Firewall.reg => moved successfully

    ========= netsh advfirewall reset =========

    Ok.



    ========= End of CMD: =========


    ========= netsh advfirewall set allprofiles state ON =========

    Ok.



    ========= End of CMD: =========


    ========= bitsadmin /reset /allusers =========


    BITSADMIN version 3.0
    BITS administration utility.
    (C) Copyright Microsoft Corp.

    {F6617DC9-81BF-4BAB-8535-551F2F502065} canceled.
    1 out of 1 jobs canceled.


    ========= End of CMD: =========


    ========= ipconfig /flushdns =========


    Windows IP Configuration

    Successfully flushed the DNS Resolver Cache.


    ========= End of CMD: =========


    ========= RemoveProxy: =========

    "HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\DefaultConnectionSettings" => removed successfully
    "HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\SavedLegacySettings" => removed successfully
    "HKU\S-1-5-21-2304351541-1640560375-1197205358-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\DefaultConnectionSettings" => removed successfully
    "HKU\S-1-5-21-2304351541-1640560375-1197205358-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\SavedLegacySettings" => removed successfully


    ========= End of RemoveProxy: =========

    C:\Windows\System32\Drivers\etc\hosts => moved successfully
    Hosts restored successfully.

    ========= sfc /scannow =========


    Beginning system scan. This process will take some time.

    Beginning verification phase of system scan.

    Verification 0% complete.
    Verification 1% complete.
    Verification 1% complete.
    Verification 2% complete.
    Verification 3% complete.
    Verification 3% complete.
    Verification 4% complete.
    Verification 5% complete.
    Verification 5% complete.
    Verification 6% complete.
    Verification 7% complete.
    Verification 7% complete.
    Verification 8% complete.
    Verification 9% complete.
    Verification 9% complete.
    Verification 10% complete.
    Verification 11% complete.
    Verification 11% complete.
    Verification 12% complete.
    Verification 12% complete.
    Verification 13% complete.
    Verification 14% complete.
    Verification 14% complete.
    Verification 15% complete.
    Verification 16% complete.
    Verification 16% complete.
    Verification 17% complete.
    Verification 18% complete.
    Verification 18% complete.
    Verification 19% complete.
    Verification 20% complete.
    Verification 20% complete.
    Verification 21% complete.
    Verification 22% complete.
    Verification 22% complete.
    Verification 23% complete.
    Verification 24% complete.
    Verification 24% complete.
    Verification 25% complete.
    Verification 25% complete.
    Verification 26% complete.
    Verification 27% complete.
    Verification 27% complete.
    Verification 28% complete.
    Verification 29% complete.
    Verification 29% complete.
    Verification 30% complete.
    Verification 31% complete.
    Verification 31% complete.
    Verification 32% complete.
    Verification 33% complete.
    Verification 33% complete.
    Verification 34% complete.
    Verification 35% complete.
    Verification 35% complete.
    Verification 36% complete.
    Verification 36% complete.
    Verification 37% complete.
    Verification 38% complete.
    Verification 38% complete.
    Verification 39% complete.
    Verification 40% complete.
    Verification 40% complete.
    Verification 41% complete.
    Verification 42% complete.
    Verification 42% complete.
    Verification 43% complete.
    Verification 44% complete.
    Verification 44% complete.
    Verification 45% complete.
    Verification 46% complete.
    Verification 46% complete.
    Verification 47% complete.
    Verification 48% complete.
    Verification 48% complete.
    Verification 49% complete.
    Verification 49% complete.
    Verification 50% complete.
    Verification 51% complete.
    Verification 51% complete.
    Verification 52% complete.
    Verification 53% complete.
    Verification 53% complete.
    Verification 54% complete.
    Verification 55% complete.
    Verification 55% complete.
    Verification 56% complete.
    Verification 57% complete.
    Verification 57% complete.
    Verification 58% complete.
    Verification 59% complete.
    Verification 59% complete.
    Verification 60% complete.
    Verification 61% complete.
    Verification 61% complete.
    Verification 62% complete.
    Verification 62% complete.
    Verification 63% complete.
    Verification 64% complete.
    Verification 64% complete.
    Verification 65% complete.
    Verification 66% complete.
    Verification 66% complete.
    Verification 67% complete.
    Verification 68% complete.
    Verification 68% complete.
    Verification 69% complete.
    Verification 70% complete.
    Verification 70% complete.
    Verification 71% complete.
    Verification 72% complete.
    Verification 72% complete.
    Verification 73% complete.
    Verification 73% complete.
    Verification 74% complete.
    Verification 75% complete.
    Verification 75% complete.
    Verification 76% complete.
    Verification 77% complete.
    Verification 77% complete.
    Verification 78% complete.
    Verification 79% complete.
    Verification 79% complete.
    Verification 80% complete.
    Verification 81% complete.
    Verification 81% complete.
    Verification 82% complete.
    Verification 83% complete.
    Verification 83% complete.
    Verification 84% complete.
    Verification 85% complete.
    Verification 85% complete.
    Verification 86% complete.
    Verification 86% complete.
    Verification 87% complete.
    Verification 88% complete.
    Verification 88% complete.
    Verification 89% complete.
    Verification 90% complete.
    Verification 90% complete.
    Verification 91% complete.
    Verification 92% complete.
    Verification 92% complete.
    Verification 93% complete.
    Verification 94% complete.
    Verification 94% complete.
    Verification 95% complete.
    Verification 96% complete.
    Verification 96% complete.
    Verification 97% complete.
    Verification 97% complete.
    Verification 98% complete.
    Verification 99% complete.
    Verification 99% complete.
    Verification 100% complete.

    Windows Resource Protection found corrupt files and successfully repaired them.
    For online repairs, details are included in the CBS log file located at
    windir\Logs\CBS\CBS.log. For example C:\Windows\Logs\CBS\CBS.log. For offline
    repairs, details are included in the log file provided by the /OFFLOGFILE flag.


    ========= End of CMD: =========


    ========= DISM /Online /Cleanup-Image /CheckHealth =========


    Deployment Image Servicing and Management tool
    Version: 10.0.22621.2792

    Image Version: 10.0.22631.3880

    No component store corruption detected.
    The operation completed successfully.


    ========= End of CMD: =========


    =========== EmptyTemp: ==========

    FlushDNS => completed
    BITS transfer queue => 1310720 B
    DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 21119325 B
    Java, Discord, Steam htmlcache, WinHttpAutoProxySvc/winhttp *.cache => 0 B
    Windows/system/drivers => 26258768 B
    Edge => 0 B
    Firefox => 1189839497 B
    Opera => 0 B

    Temp, IE cache, history, cookies, recent:
    Default => 0 B
    ProgramData => 0 B
    Public => 0 B
    systemprofile => 0 B
    systemprofile32 => 0 B
    LocalService => 23646 B
    NetworkService => 34870 B
    defaultuser0 => 2815553 B
    defaultuser0.DESKTOP-CALC9J8 => 3118295 B
    edwar => 443600990 B

    RecycleBin => 17370 B
    EmptyTemp: => 1.6 GB temporary data Removed.

    ================================


    The system needed a reboot.

    ==== End of Fixlog 04:50:25 ====
     

    Attached Files:
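Added example, not part of the thread and not FRST's own code: a Python parser for the Fixlog format shown above. Each `========= command =========` ... `========= End of ... =========` block becomes a record holding the command's output, whether any output line reported a failure (as the `netsh int ip reset` step did with `Access is denied.`) and whether it asked for a reboot; result lines that sit between blocks (restore point, hosts file, moved files) are kept separately. The sample is a condensed copy of the posted log, constructed for the example; the function and pattern names are assumptions of the example.

```python
import re

# Constructed sample: a condensed copy of the FRST Fixlog posted in this thread
# (sfc progress lines and most blank lines dropped), used as test input only.
SAMPLE_FIXLOG = r"""
Fix result of Farbar Recovery Scan Tool (x64) Version: 16.07.2024
Boot Mode: Normal
==============================================
Restore point was successfully created.
Processes closed successfully.

========= netsh winsock reset catalog =========

Sucessfully reset the Winsock Catalog.
You must restart the computer in order to complete the reset.

========= End of CMD: =========

========= netsh int ip reset resetlog.txt =========

Resetting Interface, OK!
Resetting Route, OK!
Resetting , failed.
Access is denied.

Restart the computer to complete this action.

========= End of CMD: =========

========= reg export HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Defaults\FirewallPolicy\FirewallRules C:\Firewall.reg =========

The operation completed successfully.

========= End of Reg: =========

C:\Firewall.reg => moved successfully

========= netsh advfirewall reset =========

Ok.

========= End of CMD: =========

========= sfc /scannow =========

Verification 100% complete.

Windows Resource Protection found corrupt files and successfully repaired them.

========= End of CMD: =========

========= DISM /Online /Cleanup-Image /CheckHealth =========

No component store corruption detected.
The operation completed successfully.

========= End of CMD: =========

=========== EmptyTemp: ==========

Firefox => 1189839497 B
EmptyTemp: => 1.6 GB temporary data Removed.

================================

The system needed a reboot.

==== End of Fixlog 04:50:25 ====
"""

BANNER_RE = re.compile(r"^=+ (.+?) =+$")      # "========= <title> ========="
BARE_RULE_RE = re.compile(r"^=+$")            # a rule of '=' with no title
FAIL_RE = re.compile(r"\bfailed\b|access is denied", re.IGNORECASE)
REBOOT_RE = re.compile(r"restart the computer|needed a reboot", re.IGNORECASE)


def parse_fixlog(text):
    """Split a Fixlog into per-command blocks plus the loose result lines between them.

    Returns (blocks, loose). Each block is {'command', 'output', 'failed', 'reboot'}.
    """
    blocks, loose, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = BANNER_RE.match(line)
        if m:
            title = m.group(1)
            if title.startswith("End of"):    # "End of CMD:", "End of Reg:", "End of Fixlog ..."
                current = None
            else:                             # a new command section begins
                current = {"command": title, "output": [], "failed": False, "reboot": False}
                blocks.append(current)
            continue
        if BARE_RULE_RE.match(line):          # EmptyTemp: closes with a bare rule of '='
            current = None
            continue
        if current is None:
            loose.append(line)
            continue
        current["output"].append(line)
        current["failed"] = current["failed"] or bool(FAIL_RE.search(line))
        current["reboot"] = current["reboot"] or bool(REBOOT_RE.search(line))
    return blocks, loose


def failed_commands(blocks):
    return [b["command"] for b in blocks if b["failed"]]


def reboot_required(blocks, loose):
    return any(b["reboot"] for b in blocks) or any(REBOOT_RE.search(l) for l in loose)


if __name__ == "__main__":
    blocks, loose = parse_fixlog(SAMPLE_FIXLOG)
    for b in blocks:
        print(f"{'FAIL' if b['failed'] else 'ok  '} {b['command']}")
    print("reboot required:", reboot_required(blocks, loose))
```

Reading the fix this way makes the two things a helper checks first stand out without scrolling through the sfc progress lines: which steps reported a failure, and whether the machine still needs the reboot that the Winsock and IP resets asked for.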

  12. Oh My!

    Oh My! Malware Expert Staff Member

    Thank you.

    I have figured out what the issue is; I am trying to determine if there is any way around it.
     
  13. Oh My!

    Oh My! Malware Expert Staff Member

    Thank you for your patience.

    Tetris and WinLock are from the same company, Crystal Office. During the installation process of Tetris it is necessary to acknowledge information regarding WinLock in order to continue the download process. The WinLock program is not installed during the installation of Tetris but the pop-up you are seeing is included with the program. I have not found a way to circumvent the pop-up.

    If the pop-up is troublesome to you there are other Tetris downloads available at other web sites.

    Sorry for the trouble.

    Gary
     
  14. EdwardBe5

    EdwardBe5 Private E-2

    Thanks, it's not that big of a deal. I only have to click on the little X at the top of the popup. Since it's so hard to remove, we should be glad they don't write viruses, I guess.
     
  15. Oh My!

    Oh My! Malware Expert Staff Member

    TBH a virus would be easier to deal with. I even tried to modify the .exe file to remove the pop-up possibility but all it did was break the file so it wouldn't run at all.

    Thanks for your understanding.

    Anything else I can assist with before ending things?
     
  16. EdwardBe5

    EdwardBe5 Private E-2

    I tried using Universal Extractor the same way. I'll just live with it. Thanks for all the time you put into it, Gary. It might be useful to take it off this page, unless other people are not bothered by it:
    https://www.majorgeeks.com/files/details/tetris.html.
    Thanks again.
     
  17. Corporal Punishment

    Corporal Punishment Head of Software Shenanigans Staff Member

    Damn - you guys are persistent. :)

    It doesn't shock me that a security company uses their own EXE that's rough to get around -- but I do not condone such shenanigans.

    We don't consider a company promoting its own software in their freeware as adware. I guarantee a fair share of people will argue with me about that, but adware is an entirely different animal. Hell, off hand I can think of a dozen antivirus companies that do the same thing -- jeez, even my QuickBooks does that.

    We have it noted on the file that WinLock is prompted by the software on install - frankly I have never seen that popup. It looks like it only triggers if you have the program open for an extended period of time -- which isn't very intrusive. I agree I don't like a pop-up as much as an in-program one; I think it assumes the user knows WinLock is the same company. I will make a more correct post on the download page.


    I have learned that I now suck at tetris.
     
  18. EdwardBe5

    EdwardBe5 Private E-2

    "I have learned that I now suck at tetris."
    You have to mindlessly play it intermittently for hours...o_O
     
