Win32 Addlyrics / www.buildahome.info

My desktop is currently being assaulted by innumerable AVAST! Warning pop ups about a www.buildahome.info website being blocked. I do not recognize the web address and this pop up will occur on every webpage I visit, from Facebook to Google and even this website. During registration it popped up at least 18 times.

After a typical scan with AVAST! didn’t solve the issue I attempted a bootscan to see what that might dig up. At 49% it would start finding files infected with Win32 Addlyrics which I could neither repair, quarantine nor delete as it would error, claiming something about a file with the same name. The only options that worked were ignore and ignore all.

Thank you in advance to anyone that can help!

Not sure if this is needed, but didn’t want to miss anything!

if you have a screenshot of any avast warning pop up and/or scan result… then attach that also

malware removers are notified

i see you run some IObit programs… you may want to read this

http://www.malwarebytes.org/forums/index.php?showtopic=29681
http://www.malwarebytes.org/forums/index.php?showtopic=30989
http://www.malwarebytes.org/forums/index.php?showtopic=33217

Oh my. All IObit programs have now been removed.

Attached is a screen cap of the Avast! window with the popup in question and the most recent bootscan.

Hi and Welcome!!

My name is Jeff. I would be more than happy to take a look at your malware results logs and help you with solving any malware problems you might have. Logs can take a while to research, so please be patient and know that I am working hard to get you a clean and functional system back in your hands. I’d be grateful if you would note the following:

[*] The fixes are specific to your problem and should only be used for the issues on this machine.
[*] It’s often worth reading through these instructions and printing them for ease of reference.
[*] If you don’t know or understand something, please don’t hesitate to say or ask!! It’s better to be sure and safe than sorry.
[*] Please reply to this thread. Do not start a new topic.
[*] If you happen to have a flash drive/thumb drive please have that ready in the event that we need to use it.
[*] Please be sure to subscribe to the topic if you have not already done so.

IMPORTANT NOTE : Please do not delete, download or install anything unless instructed to do so.
DO NOT use any TOOLS such as Combofix or HijackThis fixes without supervision. Doing so could make your system inoperable and could require a full reinstall of your operating system and the loss of all your programs and data.

Having said that…
Let’s get going!!

Tweaking.com Registry Backup

[*]Download the tool found here to your Desktop so it is easy to find.
[*]Double click on the file you just downloaded to install it to your system.

[*]Once the tool is installed, double-click on the Tweaking.com Registry Backup icon
Note: The tool should automatically open to the Backup Registry tab.

http://i1224.photobucket.com/albums/ee380/jeffce74/TweakingcomRegBackup_zpsd4be1488.jpg

[*]Press Backup Now
[*]When the back up is complete, the tool will tell you that Successful / Files Backed Up
[*]You have now successfully backed up your Registry.

Run OTL.exe

[*]Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL


:Services

:OTL
PRC - [2013/04/25 16:54:10 | 000,335,168 | ---- | M] (IObit) -- C:\Program Files (x86)\IObit\IObit Malware Fighter\IMFsrv.exe
PRC - [2013/04/18 20:38:38 | 000,491,840 | ---- | M] (IObit) -- C:\Program Files (x86)\IObit\Advanced SystemCare 6\ASCTray.exe
PRC - [2013/04/18 16:58:08 | 000,574,272 | ---- | M] (IObit) -- C:\Program Files (x86)\IObit\Advanced SystemCare 6\ASCService.exe
PRC - [2013/04/08 19:02:16 | 000,720,192 | ---- | M] (IObit) -- C:\Program Files (x86)\IObit\Advanced SystemCare 6\Monitor.exe
MOD - [2013/01/15 18:48:26 | 000,348,992 | ---- | M] () -- C:\Program Files (x86)\IObit\Advanced SystemCare 6\madexcept_.bpl
MOD - [2013/01/15 18:48:26 | 000,051,008 | ---- | M] () -- C:\Program Files (x86)\IObit\Advanced SystemCare 6\maddisAsm_.bpl
MOD - [2013/01/15 18:48:24 | 000,183,616 | ---- | M] () -- C:\Program Files (x86)\IObit\Advanced SystemCare 6\madbasic_.bpl
SRV - [2013/04/25 16:54:10 | 000,335,168 | ---- | M] (IObit) [Auto | Running] -- C:\Program Files (x86)\IObit\IObit Malware Fighter\IMFsrv.exe -- (IMFservice)
SRV - [2013/04/18 16:58:08 | 000,574,272 | ---- | M] (IObit) [Auto | Running] -- C:\Program Files (x86)\IObit\Advanced SystemCare 6\ASCService.exe -- (AdvancedSystemCareService6)
IE:[b]64bit:[/b] - HKLM\..\SearchScopes\{EF615D82-A8BA-4810-B29A-79ED6F4FE596}: "URL" = http://www.ask.com/web?q={searchTerms}&l=dis&o=cahpd
IE - HKLM\..\SearchScopes\{EF615D82-A8BA-4810-B29A-79ED6F4FE596}: "URL" = http://www.ask.com/web?q={searchTerms}&l=dis&o=cahpd
IE - HKCU\..\SearchScopes\{EF615D82-A8BA-4810-B29A-79ED6F4FE596}: "URL" = http://www.ask.com/web?q={searchTerms}&l=dis&o=cahpd
O2 - BHO: (Advanced SystemCare Browser Protection) - {BA0C978D-D909-49B6-AFE2-8BDE245DC7E6} - C:\Program Files (x86)\IObit\Advanced SystemCare 6\BrowerProtect\ASCPlugin_Protection.dll (IObit)
O4 - HKCU..\Run: [Advanced SystemCare 6] C:\Program Files (x86)\IObit\Advanced SystemCare 6\ASCTray.exe (IObit)
O33 - MountPoints2\{3e94050c-894c-11df-a810-806e6f6e6963}\Shell - "" = AutoRun
O33 - MountPoints2\{3e94050c-894c-11df-a810-806e6f6e6963}\Shell\AutoRun\command - "" = E:\Autorun.exe -- [2013/01/31 13:20:39 | 000,055,616 | R--- | M] (Electronic Arts)
[2013/07/24 14:27:42 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\IObit Toolbar
[2013/02/25 17:14:48 | 000,000,000 | ---D | M] -- C:\Users\Lisatron\AppData\Roaming\IObit

:Files
C:\Users\Lisatron\AppData\Local\Google\Chrome\User Data\Default\Extensions\nfengeggddojhakldhlpjdlddgkkjkdd
ipconfig /flushdns /c

:Commands
[emptytemp]
[resethosts]
[start explorer]
[Reboot]

[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot when it is done
[*]Then run a new scan and post a new OTL log ( don’t check the boxes beside LOP Check or Purity this time )

Attach the new OTL.txt log and let me know how your system is running now. :slight_smile:

Done, and log attached but that pesky pop up is still making an appearance.

In what browser(s) are you experiencing the popups??

Google Chrome.

Ok…with Google Chrome, the fastest and easiest way to fix that is to completely uninstall Chrome and then download and install a new copy. I would suggest you do that and then see if you are still getting the popups. :slight_smile:

Knock on wood everything appears to be ok, no more pop up!

Was it just an issue with Google Chrome then?

check back later and jeffce will remove the Tools used when all is OK

Hi,

Good to hear that fixed it up. Seems like it could have been just a Chrome problem, but there were some other entries we have cleaned up as well.

Before you go, let’s get some updates as well as check for anything else hiding in there…

Java

Please go to Start > Control Panel > Programs and Features and uninstall all the Java programs you see. Now download the latest Java from the following link and install it:

http://java.com/en/download/index.jsp


See this page for instructions on how to clear java’s cache.

Go into the Control Panel and double-click the Java Icon. (looks like a coffee cup)
[*]Under Temporary Internet Files, click the Delete Files button.
[*]There are three options in the window to clear the cache - Leave ALL 3 Checked
Downloaded Applets
Downloaded Applications
Installed Applications and Applets
[*]Click OK on Delete Temporary Files Window
Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
[*]Click OK to leave the Java Control Panel.


Malwarebytes

Please open Malwarebytes, update it and then run a Quick Scan. Save the log that is created for your next reply.

ESET Online Scanner

Go here to run an online scanner from ESET. Windows Vista/Windows 7 users will need to right click on their Internet Explorer shortcut, and select Run as Administrator.
[*]Note: For browsers other than Internet Explorer, you will be prompted to download and install esetsmartinstaller_enu.exe. Click on the link and save the file to a convenient location. Double click on it to install and a new window will open. Follow the prompts.
[*]Turn off the real time scanner of any existing antivirus program while performing the online scan
[*]Tick the box next to YES, I accept the Terms of Use.
[*]Click Start
[*]When asked, allow the ActiveX control to install
[*]Click Start
[*]Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
[*]Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
[*]Click Scan
[*]Wait for the scan to finish
[*]When the scan is done, if it shows a screen that says “Threats found!”, then click “List of found threats”, and then click “Export to text file…”
[*]Save that text file on your desktop. Copy and paste the contents of that log as a reply to this topic.
[*]Close the ESET online scan, and let me know how things are now.

Here is the Malwarebytes log. I haven’t taken any action as I wasn’t sure what action to take with PUPs.

malwarebytes PUP are usually safe to remove as it is toolbars and crap that is detected
if you regret, you can always restore it from malwarebytes quarantine. :wink:

and your malwarebytes program was not updated when you did the scan
always click update button before you start a scan so you have latest database

and this is the crap you have

The Webcake ads (popups) is very annoying adware if you are not aware of what you installed. If the Webcake adware is installed it will display ads (coupon codes) on websites where they (Webcake) can supply discount codes for. The website where the underlined links are displayed are Facebook, Amazon, Ebay, Amazon and more. Please be aware what you install on your computer, if you installed this PUP (Potential unwanted program) by mistake you need to look closely what you install during the installation process of freeware software.
DealPly is a browser plugin which can be easily classified as adware, because of annoying deals, which lead to a worse browsing experience. Dealply is offering a better price finder for e-commerce. However, it produces annoying pop-up screens when you are buying products from Internet stores by advertising relevant deals. The program's website includes removal instructions, but many people have problems removing it from their computer. We advise to think carefully before using DealPly, in order to prevent possible harm to your computer or privacy.

Ah, I see. Very good to know!
In that case, here is the updated scan log.

Looking better…when you get the results from the ESET scan be sure to attach those as well. :slight_smile:

I am having some trouble getting the online scan to work.

I disabled Avast by right clicking on the icon, avast shields control and disabled until next restart. Is that correct?

When I ran the scan it ran for nearly 2 hours, said 0% and 0 files scanned.

Let’s try this scan instead… Once complete be sure to let me know how your system is running. :slight_smile:

Do an online scan with BitDefender QuickScan.
Please be patient as scanning may take some time. If you have a problem running the scan, you might want to disable any real time protection that you have.

[*]Click here to go to BitDefender QuickScan page.
[*]For Firefox users:
[*]Click on Free Scan Now. You will be prompted to install a plug-in. Please Allow. In case you get stuck, please refresh the page to try again.
[*]A Software Installation window will appear. Click Install Now and the plugin will be installed as an Add-on.
[*]Restart Firefox when done. Go back to the BitDefender QuickScan page again and click on Free Scan Now and proceed accordingly.
[*]For Internet Explorer users:
[*]Click on Free Scan Now. You will be prompted to install an ActiveX control. Please install.
[*]The page will refresh. Click on Free Scan Now again and proceed accordingly.
[*]When scan has completed, click on View report and a Notepad log shall open.
[*]If there are any infections found, you will get a warning and the link to the report will be displayed as the number of infections. Click on it.
[*]Post back the contents of this report. It can also be found at C:\Documents and Settings\<username>\Application Data\QuickScan, where <username> is the Windows log-in name.