AddLyrics adware

[lkc33]

Unfortunately the the addlyrics alert still popped up when I opened the reinstalled version of chrome.  Here's the OTL log.

[essexboy]

Does this appear on the first home page or is it a second home page ?

Could you now try a browser reset https://support.google.com/chrome/answer/3296214?hl=en-GB

[lkc33]

I tried the browser reset, no luck.  Whenever I open chrome I get 3 notifications from avast saying that it has blocked the same three pieces of adware and moved them to the chest.  This happens every time I open a new window with chrome, even if an existing one is still open. Sorry if I wasn't clear in my description before.   

[essexboy]

This is weird

OK lets now check the registry start commands

Run OTL and paste in the following script and press run scan

hklm\software\clients\startmenuinternet|command /rs
hklm\software\clients\startmenuinternet|command /64 /rs

Please attach the resultant log

[lkc33]

here's the log

[essexboy]

This is really intriguing as the registry keys are OK

Warning This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

Run OTL

• Under the Custom Scans/Fixes box at the bottom, paste in the following
  
  
  

Code: [Select]

:Commands
[CREATERESTOREPOINT]
:Files
C:\Users\Luke\AppData\Local\Google\Chrome\User Data\Default\Extensions\hemjgdpngmhbimofcicjfhibkdbigdmb

:Commands
[resethosts]
[emptytemp]
[Reboot]

• Then click the Run Fix button at the top
  
• Let the program run unhindered, reboot the PC when it is done
• Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

[lkc33]

Heres the log

[essexboy]

Has it gone now ?  If not could you post a screenshot of it please

[lkc33]

I get this same alert every time I open chrome.

[redwolfe_98]

let me add a comment.. i think it is possible that, if you the person is using chrome's "sync", the "lyrics" "scumware" could be being installed by that..

[essexboy]

OK it is running from a JS file.  Could you expand the file path in the alert and let me know what it is

[lkc33]

heres a screenshot of the virus chest, let me know if you need any other info.

[essexboy]

Sorry if you put your mouse over the alert file when you get the popup that will show the full path to the file that is infected.  Then I can remove it

[lkc33]

sorry, my mistake, heres what it shows for each of the three threats
C:\Users\Luke\AppData\Local\Temp\scoped_dir_4544_30527\CRX_INSTALL\bk.js
C:\Users\Luke\AppData\Local\Temp\scoped_dir_4544_30527\CRX_INSTALL\cs.js
C:\Users\Luke\AppData\Local\Temp\scoped_dir_4544_30527\CRX_INSTALL\manifest.json

[essexboy]

OK lets empty the entire folder

Warning This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

Run OTL

• Under the Custom Scans/Fixes box at the bottom, paste in the following
  
  
  

Code: [Select]

:Commands
[CREATERESTOREPOINT]

:Files
C:\Users\Luke\AppData\Local\Temp\scoped_dir_4544_30527

:Commands
[resethosts]
[emptytemp]
[Reboot]

• Then click the Run Fix button at the top
  
• Let the program run unhindered, reboot the PC when it is done
• Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.