I apologize if this is a repost. I just started using avast a few days ago. Whenever I open chrome I get a message saying that it has blocked 3 adware files and moved them to the chest. The names of the infections are JS:AddLyrics-BA, JS:AddLyrics-AR, JS:AddLyrics-AZ. All the research I have done comes up with results related to Win32/Addlyrics. I don’t know if my problem is related, but so far I have been unsuccessful at removing the threat. I have also run ADW Cleaner and Malwarebytes AntiMalware and the problem persists. It seems that avast neutralizes this threat when it appears, but I would like to eliminate the source of the problem if possible. Any help would be greatly appreciated.
Hey, and welcome to the avast forum.
Please attach the logs following this guide:
http://forum.avast.com/index.php?topic=53253.0
We need the logs from adwcleaner, malwarebytes, otl and aswmbr.
A malware expert will help you from there.
Thanks, here are the logs for adwcleaner, malwarebytes, otl. I will have the other log up shortly.
Let me know if this cures it
Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.
Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.
Run OTL
- Under the Custom Scans/Fixes box at the bottom, paste in the following
https://dl.dropbox.com/u/73555776/OTL_Fix.GIF
:Commands
[CREATERESTOREPOINT]
:OTL
FF - HKEY_CURRENT_USER\software\mozilla\Firefox\Extensions\\{0ce6ac61-48e9-426f-9268-6f1e8ece06da}: C:\Program Files\LyricsSeeker\131.xpi [2013/08/29 17:40:28 | 000,005,361 | ---- | M] ()
[2013/10/03 20:50:52 | 000,000,000 | ---D | M] (PlayBryte) -- C:\Users\Luke\AppData\Roaming\Mozilla\Firefox\Profiles\g7usui2j.default\extensions\playbryte_ext@playbryte.com
O4 - HKU\S-1-5-21-557252231-1302704529-2298709896-1000..\Run: [Apjem] C:\Users\Luke\AppData\Roaming\Asopux\apjem.exe File not found
:Files
C:\Users\Luke\AppData\Roaming\Asopux
:Commands
[resethosts]
[emptytemp]
[Reboot]
- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
- Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
THEN
Please download Junkware Removal Tool to your desktop.
- Right-mouse click JRT.exe and select “Run as Administrator”; the tool will open and start scanning your system
- Please be patient as this can take a while to complete depending on your system’s specifications
- On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
- Post the contents of JRT.txt into your next message.
Thanks for the help. About 5 minutes into the fix OTL stopped working; because the desktop was gone I had to turn off and reboot. Should I try to run the fix again?
I also attached the aswmbr log.
Could you temporarily uninstall MBAM and run the OTL fix again, please?
I ran the OTL fix and then the JRT; unfortunately the problem is still there. Here are the logs.
Could you run a fresh OTL scan, please? Does this appear in all browsers or just one?
Whenever I open a new chrome window I get a message from avast that it has blocked the same three pieces of adware and moved them to the chest. This does not happen with mozilla or Internet explorer. Here’s the new OTL log.
OK, let’s try this
Start Chrome in incognito mode https://support.google.com/chrome/answer/95464?hl=en-GB
Have the alerts stopped?
If so then open the extensions http://forums.anvisoft.com/viewtopic-51-2148-0.html
Disable the extensions one at a time until the alerts stop… Let me know which extension it is
I still got the same alert. I tried disabling all extensions just in case, but still got the same message when I opened chrome.
Btw, I also tried uninstalling then reinstalling chrome a couple days ago, but that didn’t do anything either.
How are you launching chrome? Is it via a shortcut?
Could you launch it from the run key (press windows and R together)?
Copy and paste this into the open box and press OK
C:\Users\Luke\AppData\Local\google\Chrome\Application\chrome.exe
Does addlyrics now appear?
It won’t let me launch chrome using that address; it comes up with an error message saying that the location is unavailable. I don’t know if this will be helpful, but I can get it to launch if I use this “C:\Program Files\Google\Chrome\Application\chrome.exe”. I got this address from going to the properties of my chrome shortcut and copying it from there. However, when I launch it that way it does still come up with the addlyrics alert.
OK, let’s uninstall chrome again, but this time after it has been removed using control panel, run the following OTL script to remove the rest. Then do a fresh install https://www.google.com/intl/en_uk/chrome/browser/
Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.
Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.
Run OTL
- Under the Custom Scans/Fixes box at the bottom, paste in the following
https://dl.dropbox.com/u/73555776/OTL_Fix.GIF
:Commands
[CREATERESTOREPOINT]
:Files
C:\Users\Luke\AppData\Local\Google
C:\Program Files\Google\Chrome
:Commands
[resethosts]
[emptytemp]
[Reboot]
- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
- Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
Unfortunately the addlyrics alert still popped up when I opened the reinstalled version of chrome. Here’s the OTL log.
Does this appear on the first home page or is it a second home page?
Could you now try a browser reset? https://support.google.com/chrome/answer/3296214?hl=en-GB
I tried the browser reset, no luck. Whenever I open chrome I get 3 notifications from avast saying that it has blocked the same three pieces of adware and moved them to the chest. This happens every time I open a new window with chrome, even if an existing one is still open. Sorry if I wasn’t clear in my description before.
This is weird
OK, let’s now check the registry start commands
Run OTL and paste in the following script and press run scan:
hklm\software\clients\startmenuinternet|command /rs
hklm\software\clients\startmenuinternet|command /64 /rs
Please attach the resultant log
Here’s the log.
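
Added example, not part of the original thread or any poster's instructions: a read-only PowerShell listing of the same StartMenuInternet launch commands that the last OTL scan queries, together with the arguments stored in Chrome shortcuts (the launch route asked about earlier in the thread). The WOW6432Node path, the shortcut folders searched and the helper name Get-TrailingArgs are assumptions made for this example.

```powershell
# Added example, not from the thread. Read-only: nothing is modified.
# Assumption: a browser launch command is normally just the (quoted) .exe path,
# so anything stored after the path is listed for manual review.

function Get-TrailingArgs([string]$Command) {
    # Split '"C:\dir\app.exe" extra' or 'C:\dir\app.exe extra' into path + rest.
    if ($Command -match '^\s*"([^"]+)"\s*(.*)$') { return $Matches[2] }
    if ($Command -match '^\s*(.+?\.exe)\s*(.*)$') { return $Matches[2] }
    return ''
}

# 1) Registered browser start commands, native and 32-bit registry views.
$roots = 'HKLM:\SOFTWARE\Clients\StartMenuInternet',
         'HKLM:\SOFTWARE\WOW6432Node\Clients\StartMenuInternet'
$regRows = foreach ($root in $roots) {
    if (-not (Test-Path $root)) { continue }
    Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -eq 'command' } |
        ForEach-Object {
            $cmd = [string]$_.GetValue('')   # default value of the key
            [pscustomobject]@{ Source = $_.Name; Command = $cmd
                               Extra  = Get-TrailingArgs $cmd }
        }
}

# 2) Shortcuts that point at chrome.exe (desktop, start menu, pinned items).
$shell = New-Object -ComObject WScript.Shell
$dirs  = [Environment]::GetFolderPath('Desktop'),
         [Environment]::GetFolderPath('CommonDesktopDirectory'),
         [Environment]::GetFolderPath('StartMenu'),
         [Environment]::GetFolderPath('CommonStartMenu'),
         "$env:APPDATA\Microsoft\Internet Explorer\Quick Launch"
$lnkRows = Get-ChildItem -Path $dirs -Filter *.lnk -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object {
        $lnk = $shell.CreateShortcut($_.FullName)
        if ($lnk.TargetPath -like '*chrome.exe') {
            [pscustomobject]@{ Source = $_.FullName; Command = $lnk.TargetPath
                               Extra  = $lnk.Arguments }
        }
    }

# Show everything; rows with a non-empty Extra are the ones to read closely.
@($regRows) + @($lnkRows) | Where-Object { $_ } |
    Sort-Object Source | Format-List Source, Command, Extra
```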