What is AdWare.Win32.AdWrapper.db

Earlier today, Kaspersky found AdWare.Win32.AdWrapper.db in Installer[1].exe, oddly in the C:\Documents and Settings\Deven\AppData\Local\Microsoft\Windows\NetCache\Content.IE5\ECVD6FS\, which is odd since Win 8.1 does not have a Documents and Settings folder.

I had Kaspersky remove it. I ran Malwarebytes Anti-Malware to scan my entire hard drive, and it found nothing.

I am now running Microsoft Safety Scanner to triple-check. What else should I do? Thanks!

 

Last updated May 16, 2018

Hi,

Thanks for posting your query on Microsoft Community.

As per your query, I would like to inform you that AdWare.Win32.AdWrapper.db is a potentially unwanted program that can be detected when we run a malware/virus scan on the system. This threat may download and install other threats when run on the computer. AdWare.Win32.AdWrapper.db will attempt to install other adware, toolbars, and browser redirects, and hijack the home page of the affected browser.

This malware/virus can be removed by performing a full system scan using Windows Defender.

Windows Defender protects your PC by scanning it to remove rootkits and other advanced malware that can't always be detected by antimalware programs.

As you said, after running Microsoft Safety Scanner on the system, nothing was found. So, it might have been removed.

As a workaround, you may also perform a full system scan using Windows Defender.

Refer to the link below to perform a full system scan using Windows Defender:

http://windows.microsoft.com/en-US/windows/windows-defender-offline-faq

Hope it helps. Reply to us with the status of your issue. We will be happy to assist you.


I can't run Windows Defender alongside Kaspersky. You cannot run two AVs together.

That said, I am initiating another full scan with Kaspersky.


You might not need all of these, but start at the top and reboot after each one.



Remove it with these tools. Check for updates first and then scan with each one at a time until your machine is clean.
 

TDSSKiller Rootkit Removal Utility
http://www.bleepingcomputer.com/download/tdsskiller/


RogueKiller
http://www.bleepingcomputer.com/download/roguekiller/


RKill
http://www.bleepingcomputer.com/download/rkill/


SuperAntiSpyware
http://www.superantispyware.com/

 
AdwCleaner (Free)
http://www.bleepingcomputer.com/download/adwcleaner/
 

Malwarebytes (Get the free version)
https://www.malwarebytes.org/free/
 
When offered, uncheck: Enable free trial of Malwarebytes Anti-Malware Premium.
 
 

Junkware Removal Tool (Free)
http://www.bleepingcomputer.com/download/junkware-removal-tool/
 
 
 
HitmanPro (30 day free trial)
http://www.surfright.nl/en/hitmanpro
 

===== ===== ===== ===== ===== ===== ===== ===== ===== =====
☞ Avoid a post. Backup your data. ☜

Bruce Hagen
MVP: 2004 ~ 2010
2014 ~ Present
Imperial Beach, CA


TDSSKiller said I am clean. I forgot to reboot, and I ran RogueKiller.

PreScan found Proc.Injected in C:\Windows\SysWOW64\WWAHost.exe, but it appears Proc.Injected is a false positive (http://forum.adlice.com/index.php?topic=273.15).

MBAM said I am clean yesterday (full scan of hard drive).

RogueKiller V10.11.4.0 [Nov  2 2015] (Free) by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/software/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 8.1 (6.3.9600) 64 bits version
Started in : Normal mode
User : Deven [Administrator]
Started from : C:\Users\Deven\Desktop\RogueKiller.exe
Mode : Scan -- Date : 11/02/2015 21:49:18

¤¤¤ Processes : 1 ¤¤¤
[Proc.Injected] WWAHost.exe(4384) -- C:\Windows\SysWOW64\WWAHost.exe[-] -> Killed [TermProc]

¤¤¤ Registry : 2 ¤¤¤
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ALSysIO (\??\C:\Users\Deven\AppData\Local\Temp\ALSysIO64.sys) -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ALSysIO (\??\C:\Users\Deven\AppData\Local\Temp\ALSysIO64.sys) -> Found

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 1 ¤¤¤
[PUP][Folder] C:\Program Files (x86)\eSupport.com -> Found

¤¤¤ Hosts File : 0 [Too big!] ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Not loaded [0xc000036b]) ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0:  +++++
--- User ---
[MBR] fb9b252aed9f399781f7ee99c9170a87
[BSP] 1268b7e306b0d2f18181ecb97eb747e3 : Windows Vista/7/8|VT.Unknown MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 350 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 718848 | Size: 953517 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK
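
An added example, not part of the original thread or of RogueKiller: a small Python parser for the report format posted above, which groups findings by section and lists services whose image path sits in a user-writable directory (the pattern behind the two Suspicious.Path entries). The line shapes are inferred only from the report in this thread, and the `USER_WRITABLE` list is an assumption.

```python
import re

# Subset of the RogueKiller report posted above, embedded so the example runs offline.
SAMPLE_REPORT = r"""
¤¤¤ Processes : 1 ¤¤¤
[Proc.Injected] WWAHost.exe(4384) -- C:\Windows\SysWOW64\WWAHost.exe[-] -> Killed [TermProc]
¤¤¤ Registry : 2 ¤¤¤
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ALSysIO (\??\C:\Users\Deven\AppData\Local\Temp\ALSysIO64.sys) -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ALSysIO (\??\C:\Users\Deven\AppData\Local\Temp\ALSysIO64.sys) -> Found
¤¤¤ Tasks : 0 ¤¤¤
¤¤¤ Files : 1 ¤¤¤
[PUP][Folder] C:\Program Files (x86)\eSupport.com -> Found
"""

# Line shapes inferred from the report in this thread, not from Adlice documentation.
SECTION_RE = re.compile(r"^¤¤¤ (?P<name>[^:]+?) : (?P<count>\d+)")
FINDING_RE = re.compile(r"^(?P<tags>(?:\[[^\]]+\])+)\s+(?P<target>.+?) -> (?P<action>.+)$")
SERVICE_RE = re.compile(r"\\Services\\(?P<svc>[^\\ ]+) \((?:\\\?\?\\)?(?P<image>.+)\)$")
# Assumption: directories treated as user-writable for this check.
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\users\\public\\")

def parse_report(text):
    """Return one dict per finding line, tagged with the section it appeared in."""
    findings, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        header = SECTION_RE.match(line)
        if header:
            section = header.group("name")
            continue
        hit = FINDING_RE.match(line)
        if hit and section:
            findings.append({
                "section": section,
                "tags": re.findall(r"\[([^\]]+)\]", hit.group("tags")),
                "target": hit.group("target"),
                "action": hit.group("action"),
            })
    return findings

def services_in_user_writable_paths(findings):
    """Map service name -> image path; a service seen under several control sets is kept once."""
    hits = {}
    for f in findings:
        m = SERVICE_RE.search(f["target"])
        if m and any(p in m.group("image").lower() for p in USER_WRITABLE):
            hits.setdefault(m.group("svc"), m.group("image"))
    return hits
```

Run over the sample, the two Registry lines collapse to a single ALSysIO service, since they are the same key seen under CurrentControlSet and ControlSet001.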


TDSSKiller Rootkit Removal Utility - Clean
RogueKiller - found Proc.Inject in WWAHost.exe, but this appears to be a false positive. It said some AlsysIO registry keys were suspicious, but I believe these have to do with CoreTemp.
RKill - it found Spybot's old modifications to the HOSTS file, but it didn't find anything else.

MBAM - it said I am clean yesterday.

It appears everything is gone.


If everything is gone, good to hear.

Whatever you plan to do, since they are free I would suggest keeping Malwarebytes and SuperAntiSpyware and doing an occasional scan.

===== ===== ===== ===== ===== ===== ===== ===== ===== =====
☞ Avoid a post. Backup your data. ☜

Bruce Hagen
MVP: 2004 ~ 2010
2014 ~ Present
Imperial Beach, CA


+++++ PhysicalDrive0:  +++++
--- User ---
[MBR] fb9b252aed9f399781f7ee99c9170a87
[BSP] 1268b7e306b0d2f18181ecb97eb747e3 : Windows Vista/7/8|VT.Unknown MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 350 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 718848 | Size: 953517 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK

I was reviewing the Rogue Killer log. Do you know what this means? (Specifically, VT.Unknown MBR Code)


Not really. That is something to ask in a Rogue Killer (Adlice) forum. They know how to interpret those logs.

Here is an example:
http://forum.adlice.com/index.php?topic=429.0

===== ===== ===== ===== ===== ===== ===== ===== ===== =====
☞ Avoid a post. Backup your data. ☜

Bruce Hagen
MVP: 2004 ~ 2010
2014 ~ Present
Imperial Beach, CA
