Solved Ads being displayed on click in many pages

Kaamil Jasani

New Member
Thread author
Feb 19, 2016
12
I have tried everything but I don't see anything suspicious left and it is getting extremely annoying.

Thanks!
 

Attachments

  • Addition.txt
    86.8 KB · Views: 6
  • FRST.txt
    95 KB · Views: 6

TwinHeadedEagle

Level 41
Verified
Mar 8, 2013
22,627
Hello,



They call me TwinHeadedEagle around here, and I'll be working with you.



Before we start please read and note the following:
  • At the top of your post, please click on the "Watch thread" button and make sure to check Watch this thread...and receive email notifications. This will send an email to you as soon as I reply to your topic, allowing me to solve your problem faster.
  • Please do not install any new software during the cleaning process other than the tools I provide for you. This can hinder the cleaning process. Please do not perform System Restore or any other restore.
  • Instructions I give to you are very simple and made for a complete beginner to follow. That's why you need to read through my instructions carefully and completely before executing them.
  • Please do not run any tools other than the ones I ask you to, when I ask you to. Some of these tools can be very dangerous if used improperly. Also, if you use a tool that I have not requested you use, it can cause false positives, thereby delaying the complete cleaning of your machine.
  • All tools we use here are completely clean and do not contain any malware. If your antivirus detects them as malicious, please disable your antivirus and then continue.
  • If during the process you run across anything that is not in my instructions, please stop and ask. If any tool is running for too long (a few hours), please stop and inform me.
  • I visit the forum several times a day, making sure to respond to everyone's topic as fast as possible. But bear in mind that I have a private life like everyone and I cannot be here 24/7. So please be patient with me. Also, some infections require less, and some more time to be removed completely, so bear this in mind and be patient.
  • Please stay with me until the end of all steps and procedures and I declare your system clean. Just because there is a lack of symptoms does not indicate a clean machine. If you solved your problem yourself, set aside two minutes to let me know.
  • Please attach all reports using the button below. Doing this, you make it easier for me to analyze and fix your problem.

  • Do not ask for help for your business PC. Companies are making revenue via computers, so it is a good thing to pay for the repair.




Rules and policies

We won't support any piracy.
That being told, if any evidence of illegal OS, software, cracks/keygens or any other will be revealed, any further assistance will be suspended. If you are aware that there is this kind of stuff on your machine, remove it before proceeding!
The same applies to any use of P2P software: uTorrent, BitTorrent, Vuze, Kazaa, Ares... We don't provide any help for P2P, except for their removal. All P2P software has to be uninstalled or at least fully disabled before proceeding!

Failure to follow these guidelines will result in closing your topic and withdrawing any assistance.




Please download Zemana AntiMalware and save it to your Desktop.
  • Install the program and once the installation is complete it will start automatically.
  • Without changing any options, press Scan to begin.
  • After the short scan is finished, if threats are detected press Next to remove them.
Note: If restart is required to finish the cleaning process, you should click Reboot. If reboot isn't required, please restart your computer manually.
  • Open Zemana AntiMalware again.
  • Click on the icon and double click the latest report.
  • Now click File > Save As and choose your Desktop before pressing Save.
  • The only thing left is to attach the saved report in your next message.
 

Kaamil Jasani

New Member
Thread author
Feb 19, 2016
12
This seems to have removed the problem from Chrome but I now have a new problem, not adware but related to Zemana anti malware. It found an issue with the shortcuts that I had found and had chosen not to fix in case it helped you. Zemana detected this too and said it would 'Repair' the issue. I clicked next. Instead of repairing the issue it simply deleted the shortcuts. When I tried pinning them to the start screen again, the shortcut with the icon for Firefox showed up as Chrome and Opera showed up as Avast safezone. Upon deleting these and pinning them again, the same thing happened, only this time the shortcut with the name 'Chrome' doesn't have any icon and doesn't do anything on clicking it. If I knew these problems would arise I would have fixed the shortcuts myself. And if I had to download software to fix it I could have done that myself, I was looking for a manual approach. I am not being ungrateful, I really appreciate the help but I think Zemana really isn't good software, I am going to be deleting it. I don't trust software messing with my shortcuts and running in the background without my permission.

I have attached the Zemana log.
 

Attachments

  • 2016.02.20-11.13.12-i0-t92-d21.txt
    8.1 KB · Views: 7

TwinHeadedEagle

Level 41
Verified
Mar 8, 2013
22,627
Zemana is great software and it was doing only its job by cleaning your computer. You have shortcut hijack malware and Zemana can fix it without problems. My advice is to disable Avast, run Zemana again and clean/repair/delete everything it finds.
 

Kaamil Jasani

New Member
Thread author
Feb 19, 2016
12
Wait, you're saying that my shortcuts messed up because Avast was on at the same time?
I tried what you said and it did nothing...
 

Attachments

  • 2016.02.21-23.24.16-i0-t92-d0.txt
    802 bytes · Views: 6

Kaamil Jasani

New Member
Thread author
Feb 19, 2016
12
Sorry seemed to have excluded a folder, rescanned without exclusion still same...
 

Attachments

  • 2016.02.21-23.28.19-i0-t92-d0.txt
    801 bytes · Views: 4

TwinHeadedEagle

Level 41
Verified
Mar 8, 2013
22,627
Scan with Farbar Recovery Scan Tool

Please re-run Farbar Recovery Scan Tool to give me a fresh look at your system.
  • Right-click on the FRST icon and select Run as Administrator to start the tool.
    (XP users click run after receipt of Windows Security Warning - Open File).
  • Make sure that Addition and Shortcut.txt options are checked.
  • Press Scan button and wait.
  • The tool will produce three logfiles on your desktop: FRST.txt, Shortcut.txt and Addition.txt.
Please attach them into your next reply.
 

Kaamil Jasani

New Member
Thread author
Feb 19, 2016
12
The shortcut problem is definitely not malware, it was a problem with Zemana, removing Zemana fixed the problem. I have scanned with FRST and attached logs. The shortcuts that have arguments are chrome app shortcuts that I do not use, and these are not the ones that were affected. If I need to clean these I will do so manually.
 

Attachments

  • FRST.txt
    92.2 KB · Views: 2
  • Shortcut.txt
    80.6 KB · Views: 1
  • Addition.txt
    85 KB · Views: 3

TwinHeadedEagle

Level 41
Verified
Mar 8, 2013
22,627
You seem to be one really stubborn padawan. Yes, let's all start to blame software because we download cracks, keygens, visit porn websites and do shitload of other unsafe activities. And then when software which creation took thousands of work hours try to help you by cleaning your computer you say that it actually creates a problem for you. If you don't want my help and think you can solve everything yourself, then why did you ask for help here?

I spend my free time trying to help you and it seems you do not appreciate it. I don't have to do this, it will take me 2 seconds to close this topic and move on.
 

Kaamil Jasani

New Member
Thread author
Feb 19, 2016
12
I am sorry, did not mean to sound ungrateful, like I have said before, I appreciate the help, I was just pointing out that the software caused me problems. I was just hoping for a manual solution. The software did clean out the adware I was having trouble with, but the shortcut issue got extremely annoying. Now that it is gone, everything seems to be working fine again.

Sorry again and thanks.
 

TwinHeadedEagle

Level 41
Verified
Mar 8, 2013
22,627
Your PC isn't clean yet.

Fix with AdwCleaner

Please download AdwCleaner by Xplode and save the file to your Desktop.
  • Right-click on the AdwCleaner icon and select Run as Administrator to start the tool.
  • Accept the Terms of use.
  • Wait until the database is updated.
  • Click Scan.
  • When finished, please click Cleaning.
  • Your PC should reboot now.
  • After reboot, logfile will be opened. Copy its content into your next reply.

Note: Reports will be saved in your system partition, usually at C:\Adwcleaner
 

Kaamil Jasani

New Member
Thread author
Feb 19, 2016
12
Contents of opened log file:

# AdwCleaner v5.036 - Logfile created 22/02/2016 at 18:40:51
# Updated 22/02/2016 by Xplode
# Database : 2016-02-22.1 [Server]
# Operating system : Windows 10 Pro (x64)
# Username : ExtraCrafTX - EXTRACRAFTXS
# Running from : D:\User\Downloads\AdwCleaner.exe
# Option : Cleaning
# Support : ToolsLib

***** [ Services ] *****

[-] Service Deleted : Spanplus
[-] Service Deleted : Service Mgr DiscoverTreasure
[-] Service Deleted : Update Mgr DiscoverTreasure

***** [ Folders ] *****

[-] Folder Deleted : C:\ProgramData\ApplicationHosting
[-] Folder Deleted : C:\Users\ExtraCrafTX\AppData\Local\Google\Chrome SxS\User Data\Default\Extensions\kdigjjbkpjljoknifbgaijaemafihhga
[-] Folder Deleted : C:\Users\ExtraCrafTX\AppData\Local\Google\Chrome SxS\User Data\Default\Extensions\mgmiemnjjchgkmgbeljfocdjjnpjnmcg
[-] Folder Deleted : C:\Users\ExtraCrafTX\AppData\Local\Google\Chrome SxS\User Data\Default\Extensions\libedajeiljdoodmokbppgapcfbignci
[-] Folder Deleted : C:\Users\ExtraCrafTX\AppData\Local\Google\Chrome\User Data\Default\Extensions\kdigjjbkpjljoknifbgaijaemafihhga
[-] Folder Deleted : C:\Users\ExtraCrafTX\AppData\Local\Google\Chrome\User Data\Default\Extensions\mgmiemnjjchgkmgbeljfocdjjnpjnmcg
[-] Folder Deleted : C:\Users\ExtraCrafTX\AppData\Local\Google\Chrome\User Data\Default\Extensions\libedajeiljdoodmokbppgapcfbignci
[-] Folder Deleted : C:\Users\ExtraCrafTX\AppData\Roaming\AnyProtectEx
[-] Folder Deleted : C:\Users\ExtraCrafTX\AppData\Roaming\Store
[-] Folder Deleted : C:\Users\ExtraCrafTX\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Bubble Dock
[-] Folder Deleted : C:\Users\ExtraCrafTX\AppData\Roaming\Opera Software\Opera Stable\Extensions\npoppdbinhocdoppkfigckiikbefodei

***** [ Files ] *****

[-] File Deleted : C:\END
[-] File Deleted : C:\Users\ExtraCrafTX\AppData\Roaming\Mozilla\Firefox\Profiles\6y7pkim9.default\user.js
[-] File Deleted : C:\Users\ExtraCrafTX\AppData\Roaming\Mozilla\Firefox\Profiles\8wq9a5sf.dev-edition-default\user.js
[-] File Deleted : C:\Users\ExtraCrafTX\AppData\Roaming\Opera Software\Opera Stable\Local Storage\chrome-extension_npoppdbinhocdoppkfigckiikbefodei_0.localstorage
[-] File Deleted : C:\WINDOWS\SysWOW64\findit.xml

***** [ DLLs ] *****


***** [ Shortcuts ] *****


***** [ Scheduled tasks ] *****

[-] Task Deleted : APSnotifierPP1
[-] Task Deleted : APSnotifierPP2
[-] Task Deleted : APSnotifierPP3
[-] Task Deleted : amiupdaterExd
[-] Task Deleted : amiupdaterExi

***** [ Registry ] *****

[-] Value Deleted : HKCU\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION [wb.exe]
[-] Value Deleted : HKLM\SOFTWARE\Classes\.htm\OpenWithProgids [CRSBRWSHTML]
[-] Value Deleted : HKLM\SOFTWARE\Classes\.html\OpenWithProgids [CRSBRWSHTML]
[-] Value Deleted : HKLM\SOFTWARE\Classes\.shtml\OpenWithProgIDs [CRSBRWSHTML]
[-] Value Deleted : HKLM\SOFTWARE\Classes\.webp\OpenWithProgIDs [CRSBRWSHTML]
[-] Value Deleted : HKLM\SOFTWARE\Classes\.xht\OpenWithProgIDs [CRSBRWSHTML]
[-] Key Deleted : HKLM\SOFTWARE\Clients\StartMenuInternet\Crossbrowse
[-] Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SEARCHSCOPES\IELNKSRCH
[-] Key Deleted : HKLM\SOFTWARE\Microsoft\Mediaplayer\Shiminclusionlist\crossbrowse.exe
[-] Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\crossbrowse.exe
[-] Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\Stpro.exe
[-] Value Deleted : HKLM\SOFTWARE\RegisteredApplications [Crossbrowse]
[-] Key Deleted : HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{ielnksrch}
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{F83D1872-D9FF-47F8-B5A0-49CC51E24EE8}
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{2A563926-CF4B-4363-A760-F71E46205B7E}
[-] Key Deleted : HKCU\Software\AnyProtect
[-] Key Deleted : HKCU\Software\Crossbrowse
[-] Key Deleted : HKCU\Software\CrossBrowser
[-] Key Deleted : HKCU\Software\Max Computer Cleaner
[-] Key Deleted : HKCU\Software\mtSpanplus
[-] Key Deleted : HKCU\Software\Nosibay
[-] Key Deleted : HKCU\Software\Store
[-] Key Deleted : HKCU\Software\tstamptoken
[-] Key Deleted : HKCU\Software\WTools
[-] Key Deleted : HKLM\SOFTWARE\coupoon
[-] Key Deleted : HKLM\SOFTWARE\Crossbrowse
[-] Key Deleted : HKLM\SOFTWARE\MaxComputerCleaner
[-] Key Deleted : HKLM\SOFTWARE\mtSpanplus
[-] Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C42C5197-0EE9-4940-893B-F4EF047DFF0F}
[-] Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VOPackage
[-] Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{4E8B1900-34DE-E742-E6A7-606519AC19B7}
[-] Key Deleted : [x64] HKLM\SOFTWARE\WebBar
[-] Data Restored : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows [AppInit_DLLs]
[-] Data Restored : [x64] HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows [AppInit_DLLs]
[-] Key Deleted : HKCU\Software\Classes\.bubbledock
[-] Key Deleted : HKCU\Software\Classes\bubbledock

***** [ Web browsers ] *****

[-] [C:\Users\ExtraCrafTX\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences] [Extension] Deleted : kdigjjbkpjljoknifbgaijaemafihhga
[-] [C:\Users\ExtraCrafTX\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences] [Extension] Deleted : libedajeiljdoodmokbppgapcfbignci
[-] [C:\Users\ExtraCrafTX\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences] [Extension] Deleted : mgmiemnjjchgkmgbeljfocdjjnpjnmcg
[-] [C:\Users\ExtraCrafTX\AppData\Local\Google\Chrome SxS\User Data\Default\Secure Preferences] [Extension] Deleted : kdigjjbkpjljoknifbgaijaemafihhga
[-] [C:\Users\ExtraCrafTX\AppData\Local\Google\Chrome SxS\User Data\Default\Secure Preferences] [Extension] Deleted : libedajeiljdoodmokbppgapcfbignci
[-] [C:\Users\ExtraCrafTX\AppData\Local\Google\Chrome SxS\User Data\Default\Secure Preferences] [Extension] Deleted : mgmiemnjjchgkmgbeljfocdjjnpjnmcg

*************************

:: "Tracing" keys removed
:: Winsock settings cleared

*************************

C:\AdwCleaner\AdwCleaner[C1].txt - [6104 bytes] - [22/02/2016 18:40:51]
C:\AdwCleaner\AdwCleaner[S1].txt - [5852 bytes] - [22/02/2016 18:37:16]

########## EOF - C:\AdwCleaner\AdwCleaner[C1].txt - [6250 bytes] ##########
 

TwinHeadedEagle

Level 41
Verified
Mar 8, 2013
22,627
Yes, there are more and more leftovers:

Scan with Malwarebytes' Anti-Malware

Please download Malwarebytes Anti-Malware and save it to your desktop.
  • Install the program and select update.
  • Once updated, click the Settings tab, in the left panel choose Detection & Protection and tick Scan for rootkits.
  • In the same tab, under PUP and PUM detections make sure it is set to Treat detections as malware.
  • Click the Scan tab, make sure Threat Scan is checked and click Start Scan.
  • If threats are detected, click the Apply Actions button. You will now be prompted to reboot. Click Yes.
  • Upon completion of the scan (or after the reboot), click the History tab.
  • Click Application Logs and double-click the Scan Log.
  • At the bottom click Export and choose Text file.
Save the file to your desktop and include its content in your next reply.
 

Kaamil Jasani

New Member
Thread author
Feb 19, 2016
12
Here are the contents of the generated Scan log.

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 22/02/2016
Scan Time: 22:24
Logfile: MBAM log.txt
Administrator: Yes

Version: 2.2.0.1024
Malware Database: v2016.02.22.06
Rootkit Database: v2016.02.17.01
License: Trial
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Disabled

OS: Windows 10
CPU: x64
File System: NTFS
User: ExtraCrafTX

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 478962
Time Elapsed: 11 min, 22 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 7
PUP.Optional.CrossBrowse, HKLM\SOFTWARE\CLASSES\Crossbrowse, Quarantined, [dae4d291a6f3b4822df14fd4c34131cf],
PUP.Optional.CrossBrowse, HKLM\SOFTWARE\CLASSES\CRSBRWSHTML, Quarantined, [f5c9184badecb581127441a2b94af30d],
PUP.Optional.SteamClient, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\SteamClient, Delete-on-Reboot, [635be97aa0f971c50bb99668d13111ef],
PUP.Optional.Yontoo, HKLM\SOFTWARE\WOW6432NODE\DiscoverTreasure, Quarantined, [fdc173f0099001352197c73b31d203fd],
PUP.Optional.CrossBrowse, HKLM\SOFTWARE\WOW6432NODE\CLASSES\Crossbrowse, Quarantined, [605e77ec4d4c9a9c6faf58cb6b99bb45],
PUP.Optional.CrossBrowse, HKLM\SOFTWARE\WOW6432NODE\CLASSES\CRSBRWSHTML, Quarantined, [0ab4c99ae2b7c96dc6c0b13209fa60a0],
PUP.Optional.Linkury, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\EVENTLOG\APPLICATION\Application Hosting, Quarantined, [89352e35cdccbe7834baf806b44e5ca4],

Registry Values: 8
PUP.Optional.CrossBrowse, HKLM\SOFTWARE\CLASSES\.XHTML\OPENWITHPROGIDS|CRSBRWSHTML, Quarantined, [09b521423861d363f8cf3e0c907410f0],
PUP.Optional.CrossBrowse, HKLM\SOFTWARE\CLASSES\WOW6432NODE\.XHTML\OPENWITHPROGIDS|CRSBRWSHTML, Quarantined, [46782e35b3e691a5f6d184c62dd7fb05],
PUP.Optional.CrossBrowse, HKLM\SOFTWARE\WOW6432NODE\CLASSES\.XHTML\OPENWITHPROGIDS|CRSBRWSHTML, Quarantined, [d0ee92d18e0bb680586fda7074908d73],
PUP.Optional.Linkury.ShrtCln, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\INTERNET EXPLORER\SEARCHURL|Default, http://feed.sonic-search.com/?p=mKO...urfFdVyAIlRxXCltC-SsVFqOFkQ,,&q={searchTerms}, Quarantined, [5a6443209cfd8babad2e06cc897acd33]
PUP.Optional.CrossBrowse, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\FIREWALLRULES|{05BAAF50-A651-4CBE-A1F4-584D3E239379}, v2.22|Action=Allow|Active=TRUE|Dir=In|Protocol=17|LPort=5353|App=C:\Program Files (x86)\Crossbrowse\Crossbrowse\Application\crossbrowse.exe|Name=Crossbrowse (mDNS-In)|Desc=Inbound rule for Crossbrowse to allow mDNS traffic.|EmbedCtxt=Crossbrowse|, Quarantined, [c4fa9ec5afeae353bb012243a75d02fe]
PUP.Optional.Linkury, HKU\S-1-5-21-2112364776-498287602-97896369-1001\ENVIRONMENT|SNF, C:\ProgramData\Spanpluss\snp.sc, Quarantined, [9628c89b8e0b58de3e26a2549a69926e]
PUP.Optional.Linkury, HKU\S-1-5-21-2112364776-498287602-97896369-1001\ENVIRONMENT|SNP, http://feed.snapdo.com?publisher=AP...ate=17/10/2015&barcodeid=50027003&channelid=3, Quarantined, [f1cd1e45a4f5cd69e382fbfb0bf82dd3]
PUP.Optional.Linkury.ShrtCln, HKU\S-1-5-21-2112364776-498287602-97896369-1001\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHURL|Default, http://feed.sonic-search.com/?p=mKO...urfFdVyAIlRxXCltC-SsVFqOFkQ,,&q={searchTerms}, Quarantined, [833be182cecb38fedff9805221e2c33d]

Registry Data: 4
PUP.Optional.Linkury.ShrtCln, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES|DefaultScope, {ielnksrch}, Good: ({0633EE93-D776-472f-A0FF-E1416B8B2E3A}), Bad: ({ielnksrch}),Replaced,[8638550e415894a2af29ae42d82ce917]
PUP.Optional.Linkury.ShrtCln, HKU\S-1-5-21-2112364776-498287602-97896369-1001\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN|Search Bar, http://feed.sonic-search.com/?p=mKO...urfFdVyAIlRxXCltC-SsVFqOFkQ,,&q={searchTerms}, Good: (www.google.com), Bad: (http://feed.sonic-search.com/?p=mKO...RxXCltC-SsVFqOFkQ,,&q={searchTerms}),Replaced,[b20c70f32a6fdd59f7dbfcf48d7731cf]
PUP.Optional.Linkury.ShrtCln, HKU\S-1-5-21-2112364776-498287602-97896369-1001\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN|SearchAssistant, http://feed.sonic-search.com/?p=mKO...urfFdVyAIlRxXCltC-SsVFqOFkQ,,&q={searchTerms}, Good: (www.google.com), Bad: (http://feed.sonic-search.com/?p=mKO...RxXCltC-SsVFqOFkQ,,&q={searchTerms}),Replaced,[0cb2273cd8c1da5cb41e6987c63e25db]
PUP.Optional.Linkury.ShrtCln, HKU\S-1-5-21-2112364776-498287602-97896369-1001\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCH|Default_Search_URL, http://feed.sonic-search.com/?p=mKO...urfFdVyAIlRxXCltC-SsVFqOFkQ,,&q={searchTerms}, Good: (www.google.com), Bad: (http://feed.sonic-search.com/?p=mKO...RxXCltC-SsVFqOFkQ,,&q={searchTerms}),Replaced,[4975a8bb5a3f7cbae8ecbd33ce36827e]

Folders: 0
(No malicious items detected)

Files: 7
PUP.Optional.SnapDo, C:\Users\ExtraCrafTX\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_search.snapdo.com_0.localstorage, Quarantined, [942aacb7abee4aec701218e4aa58768a],
PUP.Optional.SteamClient, C:\Windows\System32\Tasks\SteamClient, Quarantined, [2995164d24752b0b655db04e9171c63a],
PUP.Optional.Yontoo, C:\Users\ExtraCrafTX\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_pstatic.kingtopdeals.com_0.localstorage, Quarantined, [4c722a39900953e3db98bb444db53ec2],
PUP.Optional.SafeFinder, C:\Users\ExtraCrafTX\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_search.safefinder.com_0.localstorage, Quarantined, [b40a0c57e4b52412cae932ce6e95758b],
PUP.Optional.Yontoo, C:\Users\ExtraCrafTX\AppData\Local\Google\Chrome\User Data\Default\Local Storage\https_discovertreasure-a.akamaihd.net_0.localstorage, Quarantined, [d6e8c99a78212a0c5b5bf210946ffd03],
PUP.Optional.SideCubes, C:\Users\ExtraCrafTX\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_search.sidecubes.com_0.localstorage, Quarantined, [cbf36ff436630a2c0f77ad5dea1aa15f],
PUP.Optional.PriceMoon, C:\Users\ExtraCrafTX\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_pstatic.pricemoon.co_0.localstorage, Quarantined, [dee090d341583ef8a5ccd28a9e667f81],

Physical Sectors: 0
(No malicious items detected)


(end)
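
As an added example (not part of the thread and not Malwarebytes' own tooling): a small Python parser for scan logs in the layout posted above. It groups detections by family and action, lists items still waiting on a reboot, and compares each section's declared count with the entries actually present, so a log that was cut off while pasting is noticed. The sample log is constructed; its names, paths and bracketed ids are made up.

```python
import re
from collections import Counter

# Section names as they appear in the scan log layout above.
SECTIONS = ("Processes", "Modules", "Registry Keys", "Registry Values",
            "Registry Data", "Folders", "Files", "Physical Sectors")
HEADER_RE = re.compile(r"^(.+): (\d+)$")
# A detection line ends with a bracketed 32-hex identifier, optionally
# followed by a comma.
ENTRY_RE = re.compile(r"^(?P<body>.+?),\s*\[(?P<id>[0-9a-f]{32})\],?$")

# Constructed sample (made-up names, paths and ids). "Files" declares 3
# entries but lists only 1, as happens when a pasted log is truncated.
SAMPLE_LOG = r"""Scan Type: Threat Scan
Objects Scanned: 1000

Processes: 0
(No malicious items detected)

Registry Keys: 2
PUP.Optional.ExampleBar, HKLM\SOFTWARE\CLASSES\ExampleBar, Quarantined, [00000000000000000000000000000001],
PUP.Optional.ExampleTask, HKLM\SOFTWARE\EXAMPLE\TASKCACHE\TREE\ExampleTask, Delete-on-Reboot, [00000000000000000000000000000002],

Registry Values: 1
PUP.Optional.ExampleBar, HKLM\SOFTWARE\EXAMPLE\FIREWALLRULES|{RULE}, v2.22|Action=Allow|Desc=Inbound rule, with comma.|, Quarantined, [00000000000000000000000000000003]

Registry Data: 1
PUP.Optional.ExampleSearch, HKU\S-1-5-21-0-0-0-1001\SOFTWARE\EXAMPLE|Default_Search_URL, http://search.example/?a=b,,&q={searchTerms}, Good: (www.example.org), Bad: (http://search.example/?a=b,,&q={searchTerms}),Replaced,[00000000000000000000000000000004]

Files: 3
PUP.Optional.ExampleBar, C:\Users\user\AppData\Local\Example\a.localstorage, Quarantined, [00000000000000000000000000000005],

(end)
"""


def parse_scan_log(text):
    """Return (entries, declared): detection records and header counts."""
    entries, declared, section = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        header = HEADER_RE.match(line)
        # Only known section names count; "Objects Scanned: N" is metadata.
        if header and header.group(1) in SECTIONS:
            section = header.group(1)
            declared[section] = int(header.group(2))
            continue
        entry = ENTRY_RE.match(line)
        if not (entry and section):
            continue
        # The data field may itself contain commas, so take the action from
        # the right and the family/location from the left.
        head, _, action = entry.group("body").rpartition(",")
        family, _, rest = head.partition(", ")
        location, _, data = rest.partition(", ")
        entries.append({"section": section, "family": family,
                        "location": location, "data": data,
                        "action": action.strip(), "id": entry.group("id")})
    return entries, declared


def count_mismatches(entries, declared):
    """Sections whose header count differs from the entries found."""
    found = Counter(e["section"] for e in entries)
    return {s: (n, found[s]) for s, n in declared.items() if found[s] != n}


def pending_reboot(entries):
    """Detections that are only removed after the next restart."""
    return [e for e in entries if e["action"] == "Delete-on-Reboot"]


def summarize(entries):
    """Count detections per (family, action) pair."""
    return Counter((e["family"], e["action"]) for e in entries)


if __name__ == "__main__":
    found, declared_counts = parse_scan_log(SAMPLE_LOG)
    for (family, action), n in sorted(summarize(found).items()):
        print(f"{n:3d}  {action:<17} {family}")
    print("pending reboot:", [e["location"] for e in pending_reboot(found)])
    print("count mismatches:", count_mismatches(found, declared_counts))
```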
 

TwinHeadedEagle

Level 41
Verified
Mar 8, 2013
22,627
Okay. Final check:


Scan with Farbar Recovery Scan Tool

Please re-run Farbar Recovery Scan Tool to give me a fresh look at your system.
  • Right-click on the FRST icon and select Run as Administrator to start the tool.
    (XP users click run after receipt of Windows Security Warning - Open File).
  • Make sure that Addition and Shortcut.txt options are checked.
  • Press Scan button and wait.
  • The tool will produce three logfiles on your desktop: FRST.txt, Shortcut.txt and Addition.txt.
Please attach them into your next reply.
 

TwinHeadedEagle

Level 41
Verified
Mar 8, 2013
22,627
Okay, the latest Fix:


Fix with Farbar Recovery Scan Tool

This fix was created for this user for use on that particular machine.
Running it on another one may cause damage and render the system unstable.

Download attached fixlist.txt file and save it to the Desktop:

Both files, FRST and fixlist.txt have to be in the same location or the fix will not work!

  • Right-click on the FRST icon and select Run as Administrator to start the tool.
    (XP users click run after receipt of Windows Security Warning - Open File).
  • Press the Fix button just once and wait.
  • If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
  • When finished FRST will generate a log on the Desktop, called Fixlog.txt.

Please attach it to your reply.
 

Attachments

  • fixlist.txt
    13 KB · Views: 3

Kaamil Jasani

New Member
Thread author
Feb 19, 2016
12
Again, I am very appreciative of your help, but I would have loved to have some indication of what emptytemp: would do... I had no clue it would remove my most visited websites, make all my extensions behave like they've just been installed, resetting my quick access folders, clearing my downloads list... It is really quite annoying having to sign back into all the websites I clicked 'Remember' on...

Just to be sure, thanks for helping me with the malware but just for people who may need to do this in the future I think it would be good, to say the least, to have an idea of what that deletes.

Do you know of any way I can recover this data? Or is it gone forever?
 

TwinHeadedEagle

Level 41
Verified
Mar 8, 2013
22,627
I was trying to warn people about it, but in 99% of cases no one has problems with it. It clears cache and empties temp folder cause a lot of times malware droppers or remnants hide in there.

Since System Restore was disabled on your PC, I don't think we can recover it.
 
