AddLyrics adware

[lkc33]

i apologize if this is a repost. I just started using avast a few days ago.  Whenever I open chrome I get a message saying that it has blocked 3 adware files and moved them to the chest.  The names of the infections are JS:AddLyrics-BA, JS:AddLyrics-AR, JS:AddLyrics-AZ.  All the research I have done comes up with results related to Win32/Addlyrics, I don't know if my problem is related, but so far I have been unsuccessful at removing the threat.  I have also run ADW Cleaner and Malwarebytes AntiMalware and the problem persists. It seems that avast neutralizes this threat when in appears but I would like to eliminate the source of the problem if possible.  Any help would be greatly appreciated. 

[mikaelrask]

hey and welcome to the avast forum.

please attach the logs this guide.

http://forum.avast.com/index.php?topic=53253.0

we need the logs from adwclener, malwarebytes, otl and aswmbr

a malware expert will hep you from there.

[lkc33]

thanks here are the logs for adwcleaner, malwarebytes, otl.  I will have the other log up shortly.

[essexboy]

Let me know if this cures it

Warning This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

Run OTL

• Under the Custom Scans/Fixes box at the bottom, paste in the following
  
  
  

Code: [Select]

:Commands
[CREATERESTOREPOINT]

:OTL
FF - HKEY_CURRENT_USER\software\mozilla\Firefox\Extensions\\{0ce6ac61-48e9-426f-9268-6f1e8ece06da}: C:\Program Files\LyricsSeeker\131.xpi [2013/08/29 17:40:28 | 000,005,361 | ---- | M] ()
[2013/10/03 20:50:52 | 000,000,000 | ---D | M] (PlayBryte) -- C:\Users\Luke\AppData\Roaming\Mozilla\Firefox\Profiles\g7usui2j.default\extensions\playbryte_ext@playbryte.com
O4 - HKU\S-1-5-21-557252231-1302704529-2298709896-1000..\Run: [Apjem] C:\Users\Luke\AppData\Roaming\Asopux\apjem.exe File not found
 
:Files
C:\Users\Luke\AppData\Roaming\Asopux

:Commands
[resethosts]
[emptytemp]
[Reboot]

• Then click the Run Fix button at the top
  
• Let the program run unhindered, reboot the PC when it is done
• Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

THEN

Please download Junkware Removal Tool to your desktop.

• Right-mouse click JRT.exe and select "Run as Administrator" the tool will open and start scanning your system
• please be patient as this can take a while to complete depending on your system's specifications
• On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
• post the contents of JRT.txt into your next message.

[lkc33]

thanks for the help, about 5 minutes into the fix OTL stopped working, because the desktop was gone I had to turn off and reboot, should I try to run the fix again?

I also attached the aswmbr log

[essexboy]

Could you temporarily uninstall MBAM and run the OTL fix again please

[lkc33]

I ran the OTL fix and then the JRT, unfortunately the problem is still there.  Here are the logs.

[essexboy]

Could you run a fresh OTL scan please.  Does this appear in all browsers or just one

[lkc33]

Whenever I open a new chrome window I get a message from avast that it has blocked the same three pieces of adware and moved them to the chest.  This does not happen with mozilla or Internet explorer.  Heres the new OTL log.

[essexboy]

OK lets try this

Start Chrome in incognito mode https://support.google.com/chrome/answer/95464?hl=en-GB

Have the alerts stopped ?

If so then open the extensions   http://forums.anvisoft.com/viewtopic-51-2148-0.html

Disable the extensions one at a time until the alerts stop.. Let me know which extension it is

[lkc33]

I still got the same alert, I tried disabling all extensions just in case, but still got the same message when I opened chrome. 

[lkc33]

btw I also tried uninstalling then reinstalling chrome a couple days ago but that didn't do anything either.

[essexboy]

How are you launching chrome ?  Is it via a shortcut

Could you launch it from the run key (Press windows and R together)

Copy and paste this into the open box and press OK

C:\Users\Luke\AppData\Local\google\Chrome\Application\chrome.exe

Does addlyrics now appear

[lkc33]

It wont let me launch chrome using that address, it comes up with an error message saying that the location is unavailable.  I dont know if this will be helpful but I can get it to launch if I use this "C:\Program Files\Google\Chrome\Application\chrome.exe", I got this address from going to the properties of my chrome shortcut and copying it from there.  However when I launch it that way it does still come up with the addlyrics alert. 

[essexboy]

OK lets uninstall chrome again, but this time after it has been removed using control panel, run the following OTL script to remove the rest.  Then do a fresh install https://www.google.com/intl/en_uk/chrome/browser/

Warning This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

Run OTL

• Under the Custom Scans/Fixes box at the bottom, paste in the following
  
  
  

Code: [Select]

:Commands
[CREATERESTOREPOINT]

:Files
C:\Users\Luke\AppData\Local\Google
C:\Program Files\Google\Chrome

:Commands
[resethosts]
[emptytemp]
[Reboot]

• Then click the Run Fix button at the top
  
• Let the program run unhindered, reboot the PC when it is done
• Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.