# Remove PUP application from DVD Drive (F:) CDROM

1. Perform a Clean Boot in Windows 10

Only that part of the tutorial - other sections describe other methods

After you restart - run Rkill again

Then run HitmanPro

If it's already running, Perform a Clean Boot in Windows 10 after it finishes

Note: I think you have to tell Hitman that you don't have a license to get to the 30 day trial
Let me know if that doesn't get it up and running
I don't want you to think that you have to buy Hitman for this process
2. simrick said:
@Slartybart -
I have noticed these same 2 items on systems I have scanned this week. I think they may be nothing.

* NetTcpPortSharing => %systemroot%\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe [Incorrect ImagePath]

* PrintNotify => C:\WINDOWS\system32\spool\drivers\W32X86\3\PrintConfig.dll [Incorrect ServiceDLL]

I know the missing services thing is a bug that keeps reappearing.
The temp file, well, that looks to be a problem; not sure what it is.

* C:\Users\MyrnaZ\AppData\Local\Temp\{7E6122F0-DB5E-430A-A6AE-6F73E75D1A32}\{BCCE466F-5194-418B-B7A4-55A77A6E62F6}.exe (PID: 16284) [T-HEUR]
Thanks,

I think we've covered all of the bases - not sure if everything has been done - yet.

I think the best course is to keep moving forward. I'll look through the thread for logs and do a recap of things suggested and logs found.

Here's what I'm thinking

Clean Boot to disable all non MS services and disable all Startups
Rkill just to be safe (I don't think it found anything to kill, but I'd have to look at the log again)
<!> Rkill only found one object to kill, so yes it should be run.
Run HitmanPro

TDSSkiller - I have to check - did I suggest that in this thread or was that in another thread
<!> I might change my mind on TDSSKiller and suggest BitDefender Rescue.
<!> I don't think both are necessary, wouldn't hurt. What do you think, TDSSkiller, Bitdefender, or both ... or some other tool?

Since Mbam started us down the Poweliks Trojan path, I think it's at least warranted to query the registry
reg query "HKCU\software\classes\clsid\{ab8902b4-09ca-4bb6-b78d-a8f59079a8d5}" /s

The key wasn't found on my machine, so it's probably a safe bet to delete it if found on Myrna's machine
<!> To make an informed decision, I'd have to see the results of the query - any thoughts?
<!> Google results for the key

I started writing instructions in my text editor, but Bitdefender kept putting the file in quarantine - that's when I said
"Hey why not get an offline Bitdefender Rescue CD involved on Myrna's machine"

More scans can't hurt, but I don't want to wear Myrna out with tech overload.
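The two checks discussed in this post (the Poweliks CLSID query and the two FRST-flagged services) can be done in one read-only pass. The script below is an added example and is not part of the thread or of any of the tools mentioned; it assumes the CLSID, service names and paths quoted above, runs from an elevated PowerShell prompt on Windows 10, and deletes nothing. The non-printable-name flag is a general precaution added here, not something the thread reports seeing.

```powershell
# Added example (not from the thread): read-only check of the items discussed above.
# Run from an elevated PowerShell prompt. Nothing is removed; review the output first.

# CLSID queried in the post; both the user hive and the machine hive are checked.
$Clsid = '{ab8902b4-09ca-4bb6-b78d-a8f59079a8d5}'

function Dump-RegistryKey {
    # Equivalent of "reg query <key> /s": the key itself plus every subkey and value.
    # Value names with characters outside printable ASCII are flagged, because such
    # names are easy to miss when inspecting the key by hand in regedit.
    param([Parameter(Mandatory)][string]$Path)

    $keys = @(Get-Item -LiteralPath $Path) + @(Get-ChildItem -LiteralPath $Path -Recurse)
    foreach ($key in $keys) {
        Write-Output $key.Name
        foreach ($name in $key.GetValueNames()) {
            $label = if ($name -eq '') { '(Default)' } else { $name }
            $flag  = if ($name -match '[^\x20-\x7E]') { '  <-- non-printable characters in name' } else { '' }
            Write-Output ("    {0} = {1}{2}" -f $label, $key.GetValue($name), $flag)
        }
    }
}

foreach ($hive in 'HKCU:\Software\Classes\CLSID', 'HKLM:\SOFTWARE\Classes\CLSID') {
    $target = Join-Path $hive $Clsid
    if (Test-Path -LiteralPath $target) {
        Write-Warning "Present: $target"
        Dump-RegistryKey -Path $target
    } else {
        Write-Output "Not present: $target"
    }
}

function Get-ServiceBinaryReport {
    # For one service, read ImagePath (and ServiceDll under Parameters, if present),
    # resolve each to a file on disk, and report existence and Authenticode status.
    # Compare the Raw column with the two FRST lines quoted above.
    param([Parameter(Mandatory)][string]$ServiceName)

    $svcKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"
    if (-not (Test-Path -LiteralPath $svcKey)) {
        return [pscustomobject]@{ Service = $ServiceName; Setting = 'n/a'; Raw = '(service key missing)';
                                  File = $null; Exists = $false; Signature = $null; Signer = $null }
    }

    $settings = @()
    $image = (Get-ItemProperty -LiteralPath $svcKey -ErrorAction SilentlyContinue).ImagePath
    if ($image) { $settings += @{ Name = 'ImagePath'; Value = $image } }
    $dll = (Get-ItemProperty -LiteralPath "$svcKey\Parameters" -ErrorAction SilentlyContinue).ServiceDll
    if ($dll) { $settings += @{ Name = 'ServiceDll'; Value = $dll } }

    foreach ($s in $settings) {
        $raw = [string]$s.Value
        # Expand %systemroot% etc., then keep only the .exe/.dll path, dropping
        # surrounding quotes and any trailing arguments such as "-k print".
        $expanded = [Environment]::ExpandEnvironmentVariables($raw)
        $file = if ($expanded -match '^"?([^"]+?\.(?:exe|dll))"?') { $Matches[1] } else { $expanded }
        $exists = Test-Path -LiteralPath $file -PathType Leaf
        $sig = if ($exists) { Get-AuthenticodeSignature -FilePath $file } else { $null }
        [pscustomobject]@{
            Service   = $ServiceName
            Setting   = $s.Name
            Raw       = $raw
            File      = $file
            Exists    = $exists
            Signature = if ($sig) { $sig.Status.ToString() } else { $null }
            Signer    = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        }
    }
}

# The two services FRST flagged in the quoted log lines.
'NetTcpPortSharing', 'PrintNotify' | ForEach-Object { Get-ServiceBinaryReport -ServiceName $_ } | Format-List
```

A service whose binary exists and carries a valid Microsoft signature is usually an FRST path-format quirk rather than a hijack; a missing file, an unsigned binary or a path outside the Windows directory is what would justify going further.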
3. Code:
HitmanPro 3.7.14.265
www.hitmanpro.com

Computer name . . . . : MYRNAZ-HP
Windows . . . . . . . : 10.0.0.10586.X86/2
User name . . . . . . : MYRNAZ-HP\MyrnaZ
UAC . . . . . . . . . : Enabled
License . . . . . . . : Free

Scan date . . . . . . : 2016-08-18 16:53:32
Scan mode . . . . . . : Normal
Scan duration . . . . : 19m 24s
Disk access mode  . . : Direct disk access (SRB)
Cloud . . . . . . . . : Internet
Reboot  . . . . . . . : No

Threats . . . . . . . : 0
Traces  . . . . . . . : 167

Objects scanned . . . : 1,730,318
Files scanned . . . . : 104,052
Remnants scanned  . . : 582,956 files / 1,043,310 keys

Potential Unwanted Programs _________________________________________________

C:\Program Files\Reimage\ (ReimageRepair)
C:\Program Files\Reimage\Reimage Protector\ (ReimageRepair)
C:\Program Files\Reimage\Reimage Protector\ReiGuard.exe (ReimageRepair)
Size . . . . . . . : 6,476,144 bytes
Age  . . . . . . . : 3.2 days (2016-08-15 12:38:00)
Entropy  . . . . . : 6.5
SHA-256  . . . . . : BAB6C5192B19C2A989D503543DCBA7F43F847FA6BA6F99099F2ED81B0E41266D
Product  . . . . . : Reimage Real Time Protection
Publisher  . . . . : Reimage®
Description  . . . : Reimage Real Time Protection
Version  . . . . . : 2.0.1.1
RSA Key Size . . . : 2048
LanguageID . . . . : 1033
Authenticode . . . : Valid
Fuzzy  . . . . . . : -12.0
Forensic Cluster
-151.3s C:\Users\MyrnaZ\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EA618097E393409AFA316F0F87E2C202_5FC06980614234371AC1CAF7D2C583C5
-149.4s C:\Windows\Prefetch\SETHC.EXE-6A2DC453.pf
-146.7s C:\Windows\Prefetch\ATBROKER.EXE-2E15A492.pf
-146.4s C:\Users\MyrnaZ\AppData\Local\Temp\nsoE6A2.tmp\
-146.1s C:\Windows\Reimage.ini
-143.8s C:\Windows\Prefetch\SQLITE3.EXE-8A938E27.pf
-143.7s C:\Windows\Prefetch\NSE963.TMP-E0C072FE.pf
-136.7s C:\Windows\Prefetch\REIMAGEREPAIR.EXE-799D0DD2.pf
-107.0s C:\Windows\Prefetch\NS7D97.TMP-2C66561A.pf
-94.5s C:\Windows\Prefetch\NSAF48.TMP-A8EF311A.pf
-81.6s C:\Windows\Prefetch\NSDF51.TMP-0AF7FFFB.pf
-79.6s C:\Windows\Prefetch\NSE7CE.TMP-61983207.pf
-69.4s C:\Windows\Prefetch\REGSVR32.EXE-8461DBEE.pf
-69.2s C:\Users\MyrnaZ\AppData\Local\Temp\nsoE6A2.tmp\stack.dll
-69.1s C:\Users\MyrnaZ\AppData\Local\Temp\nsoE6A2.tmp\xml.dll
-69.0s C:\Users\MyrnaZ\AppData\Local\Temp\repair_version.xml
-68.9s C:\Users\MyrnaZ\AppData\Local\Microsoft\Windows\INetCache\IE\9EOOJB6P\repair_version[1].xml
-68.7s C:\Users\MyrnaZ\AppData\Local\Temp\ack.txt
-67.9s C:\Users\MyrnaZ\AppData\Local\Microsoft\Windows\INetCache\IE\XPKN9IF6\events4mem[1].htm
-67.4s C:\Users\MyrnaZ\AppData\Local\Microsoft\Windows\INetCache\IE\C8EP8F3S\events4mem[1].htm
-65.7s C:\Windows\Prefetch\NS1B82.TMP-5C6B334C.pf
-64.6s C:\Users\MyrnaZ\AppData\Local\Temp\ReimagePackage.exe
-64.6s C:\Users\MyrnaZ\AppData\Local\Microsoft\Windows\INetCache\IE\H5VL8Q1Q\ReimagePackage1842[1].exe
-60.3s C:\Windows\Prefetch\NS313D.TMP-D9873CCA.pf
-58.3s C:\Windows\Prefetch\NS3A47.TMP-53982896.pf
-56.6s C:\Windows\Prefetch\NS42B5.TMP-00DA5334.pf
-44.2s C:\Windows\Prefetch\NS7290.TMP-93162ABD.pf
-42.2s C:\Windows\Prefetch\NS7A51.TMP-9F9B8469.pf
-40.2s C:\Windows\Prefetch\NS81F3.TMP-498C5D9D.pf
-39.2s C:\Users\MyrnaZ\AppData\Local\Temp\nsoE6A2.tmp\registry.dll
-38.9s C:\Users\MyrnaZ\AppData\Local\Microsoft\Windows\INetCache\IE\XPKN9IF6\installer[1].xml
-37.6s C:\Users\MyrnaZ\AppData\Local\Temp\repair setup log.txt
-35.9s C:\Windows\Prefetch\NS929E.TMP-8BC4021F.pf
-30.9s C:\Windows\Prefetch\NSA636.TMP-C2343D22.pf
-29.9s C:\Program Files\Reimage\
-28.4s C:\Windows\Prefetch\REIMAGEPACKAGE.EXE-B144F924.pf
-24.3s C:\Windows\Prefetch\LZMA.EXE-7095A461.pf
-24.3s C:\Windows\Prefetch\NSB72F.TMP-E9C1D5D7.pf
-21.6s C:\Windows\Prefetch\NSCAB8.TMP-12D920E0.pf
-16.4s C:\Users\MyrnaZ\AppData\Local\Temp\nseE281.tmp\
-16.1s C:\Users\MyrnaZ\AppData\Local\Temp\nseE281.tmp\stack.dll
-16.0s C:\Users\MyrnaZ\AppData\Local\Temp\protector_version.xml
-15.9s C:\Users\MyrnaZ\AppData\Local\Microsoft\Windows\INetCache\IE\C8EP8F3S\protector_version[1].xml
-15.9s C:\Users\MyrnaZ\AppData\Local\Temp\nseE281.tmp\xml.dll
-15.5s C:\Users\MyrnaZ\AppData\Local\Microsoft\Windows\INetCache\IE\H5VL8Q1Q\scan_agent_events[1].htm
-14.0s C:\Windows\Prefetch\NSE61C.TMP-B190D88E.pf
-13.2s C:\Users\MyrnaZ\AppData\Local\Microsoft\Windows\INetCache\IE\9EOOJB6P\ProtectorPackage2011[1].exe
-7.9s C:\Windows\Prefetch\NSDC4D.TMP-473F9E9D.pf
-6.1s C:\Windows\Prefetch\PROTECTORUPDATER.EXE-6B34391D.pf
-6.0s C:\Users\MyrnaZ\AppData\Local\Temp\nsfB09.tmp\
-4.6s C:\Windows\Prefetch\NSC13.TMP-492F97CA.pf
-2.5s C:\Windows\Prefetch\NS1490.TMP-84B89B85.pf
-1.2s C:\Program Files\Reimage\Reimage Protector\
0.0s C:\Program Files\Reimage\Reimage Protector\ReiGuard.exe
0.3s C:\Windows\Prefetch\UNIPROTECTORPACKAGE.EXE-4C4EE480.pf
10.6s C:\Windows\Prefetch\NS23F3.TMP-3B2ECE65.pf
12.9s C:\Windows\Prefetch\REIGUARD.EXE-D89BDA1F.pf
16.1s C:\Windows\Prefetch\REISYSTEM.EXE-3896CB89.pf
16.3s C:\Users\MyrnaZ\AppData\Local\Temp\nsfB09.tmp\stack.dll
17.0s C:\Users\MyrnaZ\AppData\Local\Microsoft\Windows\INetCache\IE\XPKN9IF6\scan_agent_events[1].htm
17.2s C:\Users\MyrnaZ\AppData\Local\Microsoft\Windows\INetCache\IE\C8EP8F3S\cfl1842[1].rei
18.7s C:\Users\MyrnaZ\AppData\Local\Microsoft\Windows\INetCache\IE\9EOOJB6P\install_end[1].htm
19.2s C:\Users\MyrnaZ\AppData\Local\Microsoft\Windows\INetCache\IE\H5VL8Q1Q\events4mem[1].htm
19.3s C:\Windows\Temp\reimage.log
19.9s C:\Users\MyrnaZ\AppData\Local\Microsoft\Windows\INetCache\IE\9EOOJB6P\events4mem[1].htm
22.2s C:\Users\MyrnaZ\AppData\Local\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.1.ver0x00000000000000c7.db
26.6s C:\Users\MyrnaZ\AppData\Local\Microsoft\Windows\INetCache\IE\XPKN9IF6\132[1]
28.1s C:\Users\MyrnaZ\AppData\Local\Microsoft\Windows\INetCache\IE\C8EP8F3S\splash_screen[1]
28.8s C:\Users\MyrnaZ\AppData\Local\Microsoft\Windows\INetCache\IE\9EOOJB6P\layout[1].htm
28.9s C:\Users\MyrnaZ\AppData\Local\Microsoft\Windows\INetCache\IE\XPKN9IF6\splash_screen[1]
29.2s C:\Users\MyrnaZ\AppData\Local\Microsoft\Windows\INetCache\IE\H5VL8Q1Q\en[1].css
29.2s C:\Users\MyrnaZ\AppData\Local\Microsoft\Windows\INetCache\IE\C8EP8F3S\gui[1].css
29.2s C:\Users\MyrnaZ\AppData\Local\Microsoft\Windows\INetCache\IE\H5VL8Q1Q\general[1].js
29.3s C:\Users\MyrnaZ\AppData\Local\Microsoft\Windows\INetCache\IE\XPKN9IF6\ok_hover[1]
29.3s C:\Users\MyrnaZ\AppData\Local\Microsoft\Windows\INetCache\IE\C8EP8F3S\animation[1].js
29.3s C:\Users\MyrnaZ\AppData\Local\Microsoft\Windows\INetCache\IE\C8EP8F3S\start_repair_green_btn[1]
29.4s C:\Users\MyrnaZ\AppData\Local\Microsoft\Windows\INetCache\IE\C8EP8F3S\xml[1].js
29.4s C:\Users\MyrnaZ\AppData\Local\Microsoft\Windows\INetCache\IE\H5VL8Q1Q\start_repair_green_btn_hot[1]
29.4s C:\Users\MyrnaZ\AppData\Local\Microsoft\Windows\INetCache\IE\9EOOJB6P\182x39_start_repair_1[1]
29.5s C:\Users\MyrnaZ\AppData\Local\Microsoft\Windows\INetCache\IE\XPKN9IF6\gui[1].js
29.5s C:\Users\MyrnaZ\AppData\Local\Microsoft\Windows\INetCache\IE\XPKN9IF6\guiEx[1].js
29.6s C:\Users\MyrnaZ\AppData\Local\Microsoft\Windows\INetCache\IE\H5VL8Q1Q\logging[1].js
29.7s C:\Users\MyrnaZ\AppData\Local\Microsoft\Windows\INetCache\IE\9EOOJB6P\fixtree[1].js
29.8s C:\Users\MyrnaZ\AppData\Local\Microsoft\Windows\INetCache\IE\H5VL8Q1Q\wz_jsgraphics[1].htm
29.8s C:\Users\MyrnaZ\AppData\Local\Microsoft\Windows\INetCache\IE\H5VL8Q1Q\graph[1].js
29.9s C:\Users\MyrnaZ\AppData\Local\Microsoft\Windows\INetCache\IE\9EOOJB6P\AC_OETags[1].htm
29.9s C:\Users\MyrnaZ\AppData\Local\Microsoft\Windows\INetCache\IE\9EOOJB6P\md5[1].htm
30.0s C:\Users\MyrnaZ\AppData\Local\Microsoft\Windows\INetCache\IE\XPKN9IF6\close2[1]
30.1s C:\Users\MyrnaZ\AppData\Local\Microsoft\Windows\INetCache\IE\C8EP8F3S\user_m[1]
30.1s C:\Users\MyrnaZ\AppData\Local\Microsoft\Windows\INetCache\IE\XPKN9IF6\info_icon3[1]
30.1s C:\Users\MyrnaZ\AppData\Local\Microsoft\Windows\INetCache\IE\C8EP8F3S\button_Yes[1]
30.1s C:\Users\MyrnaZ\AppData\Local\Microsoft\Windows\INetCache\IE\H5VL8Q1Q\button_No[1]
30.1s C:\Users\MyrnaZ\AppData\Local\Microsoft\Windows\INetCache\IE\9EOOJB6P\button_Reboot_modified[1]
30.1s C:\Users\MyrnaZ\AppData\Local\Microsoft\Windows\INetCache\IE\XPKN9IF6\button_OK[1]
30.1s C:\Users\MyrnaZ\AppData\Local\Microsoft\Windows\INetCache\IE\C8EP8F3S\button_restart[1]
30.1s C:\Users\MyrnaZ\AppData\Local\Microsoft\Windows\INetCache\IE\H5VL8Q1Q\button_Ignore[1]
30.1s C:\Users\MyrnaZ\AppData\Local\Microsoft\Windows\INetCache\IE\9EOOJB6P\button_TryAgain[1]
30.1s C:\Users\MyrnaZ\AppData\Local\Microsoft\Windows\INetCache\IE\XPKN9IF6\button_Exit[1]
30.1s C:\Users\MyrnaZ\AppData\Local\Microsoft\Windows\INetCache\IE\C8EP8F3S\upper_button_t[1]
30.1s C:\Users\MyrnaZ\AppData\Local\Microsoft\Windows\INetCache\IE\H5VL8Q1Q\button_renew[1]
30.1s C:\Users\MyrnaZ\AppData\Local\Microsoft\Windows\INetCache\IE\9EOOJB6P\corner_bee_scan[1]
30.1s C:\Users\MyrnaZ\AppData\Local\Microsoft\Windows\INetCache\IE\XPKN9IF6\corner_bee1[1]
30.2s C:\Users\MyrnaZ\AppData\Local\Microsoft\Windows\INetCache\IE\C8EP8F3S\progress_round_43sec[1]
30.2s C:\Users\MyrnaZ\AppData\Local\Microsoft\Windows\INetCache\IE\9EOOJB6P\progress_round-full[1]
30.2s C:\Users\MyrnaZ\AppData\Local\Microsoft\Windows\INetCache\IE\H5VL8Q1Q\q_mark2[1]
30.2s C:\Users\MyrnaZ\AppData\Local\Microsoft\Windows\INetCache\IE\9EOOJB6P\gauge_back3[1]
30.2s C:\Users\MyrnaZ\AppData\Local\Microsoft\Windows\INetCache\IE\XPKN9IF6\gauge_needle2[1]
30.2s C:\Users\MyrnaZ\AppData\Local\Microsoft\Windows\INetCache\IE\C8EP8F3S\thermo_liquid_top[1]
30.2s C:\Users\MyrnaZ\AppData\Local\Microsoft\Windows\INetCache\IE\H5VL8Q1Q\thermo_lines[1]
30.2s C:\Users\MyrnaZ\AppData\Local\Microsoft\Windows\INetCache\IE\9EOOJB6P\big_x[1]
30.2s C:\Users\MyrnaZ\AppData\Local\Microsoft\Windows\INetCache\IE\XPKN9IF6\big_v[1]
30.6s C:\Users\MyrnaZ\AppData\Local\Microsoft\Windows\INetCache\IE\C8EP8F3S\balloon_01[1]
30.6s C:\Users\MyrnaZ\AppData\Local\Microsoft\Windows\INetCache\IE\H5VL8Q1Q\balloon_02[1]
30.6s C:\Users\MyrnaZ\AppData\Local\Microsoft\Windows\INetCache\IE\9EOOJB6P\balloon_03[1]
30.6s C:\Users\MyrnaZ\AppData\Local\Microsoft\Windows\INetCache\IE\XPKN9IF6\balloon_04[1]
30.6s C:\Users\MyrnaZ\AppData\Local\Microsoft\Windows\INetCache\IE\C8EP8F3S\balloon_05[1]
30.6s C:\Users\MyrnaZ\AppData\Local\Microsoft\Windows\INetCache\IE\H5VL8Q1Q\balloon_06[1]
30.6s C:\Users\MyrnaZ\AppData\Local\Microsoft\Windows\INetCache\IE\9EOOJB6P\balloon_07[1]
30.6s C:\Users\MyrnaZ\AppData\Local\Microsoft\Windows\INetCache\IE\XPKN9IF6\balloon_08[1]
30.6s C:\Users\MyrnaZ\AppData\Local\Microsoft\Windows\INetCache\IE\C8EP8F3S\balloon_09[1]
30.6s C:\Users\MyrnaZ\AppData\Local\Microsoft\Windows\INetCache\IE\H5VL8Q1Q\balloon_10[1]
30.6s C:\Users\MyrnaZ\AppData\Local\Microsoft\Windows\INetCache\IE\9EOOJB6P\popup_BG[1]
30.6s C:\Users\MyrnaZ\AppData\Local\Microsoft\Windows\INetCache\IE\XPKN9IF6\call-center-left[1]
30.6s C:\Users\MyrnaZ\AppData\Local\Microsoft\Windows\INetCache\IE\C8EP8F3S\call-center-middle[1]
30.6s C:\Users\MyrnaZ\AppData\Local\Microsoft\Windows\INetCache\IE\H5VL8Q1Q\call-center-right[1]
30.7s C:\Users\MyrnaZ\AppData\Local\Microsoft\Windows\INetCache\IE\9EOOJB6P\ok[1]
30.7s C:\Users\MyrnaZ\AppData\Local\Microsoft\Windows\INetCache\IE\XPKN9IF6\stop_btn2[1]
30.7s C:\Users\MyrnaZ\AppData\Local\Microsoft\Windows\INetCache\IE\C8EP8F3S\red_led[1]
30.7s C:\Users\MyrnaZ\AppData\Local\Microsoft\Windows\INetCache\IE\H5VL8Q1Q\progressbar_green_left2[1]
30.7s C:\Users\MyrnaZ\AppData\Local\Microsoft\Windows\INetCache\IE\9EOOJB6P\progressbar_gray[1]
30.7s C:\Users\MyrnaZ\AppData\Local\Microsoft\Windows\INetCache\IE\XPKN9IF6\progressbar_green3[1]
30.7s C:\Users\MyrnaZ\AppData\Local\Microsoft\Windows\INetCache\IE\C8EP8F3S\progressbar_green_right_middle[1]
30.7s C:\Users\MyrnaZ\AppData\Local\Microsoft\Windows\INetCache\IE\H5VL8Q1Q\progressbar_gray_right2[1]
30.8s C:\Windows\Prefetch\REIMAGE.EXE-4681D307.pf
30.9s C:\Users\MyrnaZ\AppData\Local\Microsoft\Windows\INetCache\IE\9EOOJB6P\empty_sign[1]
31.0s C:\Users\MyrnaZ\AppData\Local\Microsoft\Windows\INetCache\IE\XPKN9IF6\thermo_liquid_middle[1]
31.0s C:\Users\MyrnaZ\AppData\Local\Microsoft\Windows\INetCache\IE\C8EP8F3S\thermo_back[1]
31.0s C:\Users\MyrnaZ\AppData\Local\Microsoft\Windows\INetCache\IE\H5VL8Q1Q\threat_bar_new[1]
31.0s C:\Users\MyrnaZ\AppData\Local\Microsoft\Windows\INetCache\IE\9EOOJB6P\threat_bar_indicator[1]
31.0s C:\Users\MyrnaZ\AppData\Local\Microsoft\Windows\INetCache\IE\XPKN9IF6\arrow_down[1]
31.0s C:\Users\MyrnaZ\AppData\Local\Microsoft\Windows\INetCache\IE\C8EP8F3S\reset_explorer[1]
31.0s C:\Users\MyrnaZ\AppData\Local\Microsoft\Windows\INetCache\IE\H5VL8Q1Q\GUI_skin_annual_register[1]
31.2s C:\Users\MyrnaZ\AppData\Local\Microsoft\Windows\INetCache\IE\9EOOJB6P\events4mem[2].htm
32.5s C:\Users\MyrnaZ\AppData\Local\Microsoft\Windows\INetCache\IE\C8EP8F3S\events4mem[2].htm
32.7s C:\Users\MyrnaZ\AppData\Local\Microsoft\Windows\INetCache\IE\H5VL8Q1Q\orange_led[1]
33.9s C:\Users\MyrnaZ\AppData\Local\Microsoft\Windows\INetCache\IE\9EOOJB6P\green_led[1]
34.1s C:\Users\MyrnaZ\AppData\Local\Temp\reimage.log
38.2s C:\Users\MyrnaZ\AppData\Local\Microsoft\Windows\INetCache\IE\XPKN9IF6\rei1842[1].ini
38.4s C:\Users\MyrnaZ\AppData\Local\Microsoft\Windows\INetCache\IE\C8EP8F3S\ApplicationList[1].ini
59.5s C:\Users\MyrnaZ\AppData\Local\Microsoft\Windows\INetCache\IE\9EOOJB6P\gui_start_pixel[1].htm
62.3s C:\Users\MyrnaZ\AppData\Local\Microsoft\Windows\INetCache\IE\XPKN9IF6\folder_icon_fff[1]
63.4s C:\Windows\Prefetch\IPCONFIG.EXE-912F3D5B.pf
66.3s C:\Users\MyrnaZ\AppData\Local\Microsoft\Windows\INetCache\IE\C8EP8F3S\v_sign_anim[1]
77.2s C:\Users\MyrnaZ\AppData\Local\Microsoft\Windows\INetCache\IE\H5VL8Q1Q\small-bar_greyBG[1]
77.3s C:\Users\MyrnaZ\AppData\Local\Microsoft\Windows\INetCache\IE\9EOOJB6P\small-bar_whiteBG[1]
102.7s C:\Users\MyrnaZ\AppData\Local\Microsoft\Windows\INetCache\IE\XPKN9IF6\small-bar_indicator[1]
108.6s C:\Users\MyrnaZ\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\42B9A473B4DAF01285A36B4D3C7B1662_178C086B699FD6C56B804AF3EF759CB5
108.9s C:\Users\MyrnaZ\AppData\Local\Microsoft\Windows\INetCache\IE\C8EP8F3S\reimageavmem[1].htm
109.6s C:\Users\MyrnaZ\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\828298824EA5549947C17DDABF6871F5_334ED69A36BF882B447815998BE46E97
109.8s C:\Users\MyrnaZ\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\0CCA7F4B3366C6FAA13012C139D5D8C6_22CF49082707ABA47B0D221989F9C715
113.0s C:\Users\MyrnaZ\AppData\Local\Microsoft\Windows\INetCache\IE\H5VL8Q1Q\reimageavmem[1].htm
116.7s C:\Users\MyrnaZ\AppData\Local\Microsoft\Windows\INetCache\IE\9EOOJB6P\reimageavmem[1].htm
118.2s C:\Users\MyrnaZ\AppData\Local\Microsoft\Windows\INetCache\IE\XPKN9IF6\reimageavmem[1].htm
120.4s C:\Users\MyrnaZ\AppData\Local\Microsoft\Windows\INetCache\IE\C8EP8F3S\reimageavmem[2].htm
124.3s C:\Users\MyrnaZ\AppData\Local\Microsoft\Windows\INetCache\IE\H5VL8Q1Q\reimageavmem[2].htm
125.1s C:\Users\MyrnaZ\AppData\Local\Microsoft\Windows\INetCache\IE\9EOOJB6P\reimageavmem[2].htm
126.8s C:\Users\MyrnaZ\AppData\Local\Microsoft\Windows\INetCache\IE\XPKN9IF6\reimageavmem[2].htm
129.9s C:\Users\MyrnaZ\AppData\Local\Microsoft\Windows\INetCache\IE\C8EP8F3S\reimageavmem[3].htm
131.5s C:\Users\MyrnaZ\AppData\Local\Microsoft\Windows\INetCache\IE\H5VL8Q1Q\reimageavmem[3].htm
135.9s C:\Users\MyrnaZ\AppData\Local\Microsoft\Windows\INetCache\IE\9EOOJB6P\reimageavmem[3].htm
138.3s C:\Users\MyrnaZ\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C3948BE6E525B8A8CEE9FAC91C9E392_84C532476A9C33613C668534EC557102
138.9s C:\Users\MyrnaZ\AppData\Local\Microsoft\Windows\INetCache\IE\XPKN9IF6\reimageavmem[3].htm
141.1s C:\Users\MyrnaZ\AppData\Local\Microsoft\Windows\INetCache\IE\C8EP8F3S\reimageavmem[4].htm
141.4s C:\Users\MyrnaZ\AppData\Local\Microsoft\Windows\INetCache\IE\H5VL8Q1Q\reimageavmem[4].htm
141.6s C:\Users\MyrnaZ\AppData\Local\Microsoft\Windows\INetCache\IE\9EOOJB6P\reimageavmem[4].htm
145.8s C:\Users\MyrnaZ\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C3948BE6E525B8A8CEE9FAC91C9E392_81F72B4CE54BBA14B10B56CA4A0F4392
146.3s C:\Users\MyrnaZ\AppData\Local\Microsoft\Windows\INetCache\IE\XPKN9IF6\reimageavmem[4].htm
148.7s C:\Users\MyrnaZ\AppData\Local\Microsoft\Windows\INetCache\IE\C8EP8F3S\reimageavmem[5].htm
152.5s C:\Users\MyrnaZ\AppData\Local\Microsoft\Windows\INetCache\IE\H5VL8Q1Q\reimageavmem[5].htm
154.8s C:\Users\MyrnaZ\AppData\Local\Microsoft\Windows\INetCache\IE\9EOOJB6P\reimageavmem[5].htm
156.9s C:\Users\MyrnaZ\AppData\Local\Microsoft\Windows\INetCache\IE\XPKN9IF6\reimageavmem[5].htm
160.7s C:\Users\MyrnaZ\AppData\Local\Microsoft\Windows\INetCache\IE\C8EP8F3S\reimageavmem[6].htm
164.4s C:\Users\MyrnaZ\AppData\Local\Microsoft\Windows\INetCache\IE\H5VL8Q1Q\sand_anim[2]
164.4s C:\Users\MyrnaZ\AppData\Local\Microsoft\Windows\INetCache\IE\H5VL8Q1Q\x_sign_anim[1]
170.1s C:\Users\MyrnaZ\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\36AC0BE60E1243344AE145F746D881FE
174.9s C:\Users\MyrnaZ\AppData\Local\Microsoft\Windows\INetCache\IE\9EOOJB6P\reimageavmem[6].htm
180.4s C:\Users\MyrnaZ\AppData\Local\Microsoft\Windows\INetCache\IE\XPKN9IF6\reimageavmem[6].htm
182.8s C:\Users\MyrnaZ\AppData\Local\Microsoft\Windows\INetCache\IE\H5VL8Q1Q\reimageavmem[6].htm
183.3s C:\Users\MyrnaZ\AppData\Local\Microsoft\Windows\INetCache\IE\9EOOJB6P\reimageavmem[7].htm
185.3s C:\Users\MyrnaZ\AppData\Local\Microsoft\Windows\INetCache\IE\XPKN9IF6\reimageavmem[7].htm
187.1s C:\Users\MyrnaZ\AppData\Local\Microsoft\Windows\INetCache\IE\C8EP8F3S\reimageavmem[7].htm
190.3s C:\Users\MyrnaZ\AppData\Local\Microsoft\Windows\INetCache\IE\H5VL8Q1Q\reimageavmem[7].htm
190.7s C:\Users\MyrnaZ\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F8AAE6A916F668584D043F6543292194_F45F43EB73D03DDA599355E10897F726
190.9s C:\Users\MyrnaZ\AppData\Local\Microsoft\Windows\INetCache\IE\9EOOJB6P\reimageavmem[8].htm
195.8s C:\Users\MyrnaZ\AppData\Local\Microsoft\Windows\INetCache\IE\XPKN9IF6\reimageavmem[8].htm
197.9s C:\Users\MyrnaZ\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\0972B7C417F696E06E186AEB26286F01_3EAEAB67121169D5C037E4B1278DEA7C
198.0s C:\Users\MyrnaZ\AppData\Local\Microsoft\Windows\INetCache\IE\C8EP8F3S\reimageavmem[8].htm
200.7s C:\Users\MyrnaZ\AppData\Local\Microsoft\Windows\INetCache\IE\H5VL8Q1Q\reimageavmem[8].htm
204.8s C:\Users\MyrnaZ\AppData\Local\Microsoft\Windows\INetCache\IE\9EOOJB6P\reimageavmem[9].htm
211.2s C:\Users\MyrnaZ\AppData\Local\Microsoft\Windows\INetCache\IE\XPKN9IF6\reimageavmem[9].htm

C:\Windows\Reimage.ini (ReimageRepair)
HKLM\SOFTWARE\Classes\AppID\REI_AxControl.DLL\ (ReimageRepair)
HKLM\SOFTWARE\Classes\AppID\{28FF42B8-A0DA-4BE5-9B81-E26DD59B350A}\ (ReimageRepair)
HKLM\SOFTWARE\Classes\CLSID\{801B440B-1EE3-49B0-B05D-2AB076D4E8CB}\ (ReimageRepair)
HKLM\SOFTWARE\Classes\Interface\{BD51A48E-EB5F-4454-8774-EF962DF64546}\ (ReimageRepair)
HKLM\SOFTWARE\Classes\REI_AxControl.ReiEngine.1\ (ReimageRepair)
HKLM\SOFTWARE\Classes\REI_AxControl.ReiEngine\ (ReimageRepair)
HKLM\SOFTWARE\Classes\TypeLib\{FA6468D2-FAA4-4951-A53B-2A5CF9CC0A36}\ (ReimageRepair)
HKLM\SOFTWARE\Reimage\ (ReimageRepair)
HKU\S-1-5-21-2048041476-2006749296-819459500-1005\Software\Local AppWizard-Generated Applications\Reimage - Windows Problem Relief.\ (ReimageRepair)
HKU\S-1-5-21-2048041476-2006749296-819459500-1005\Software\Reimage\ (ReimageRepair)

C:\Users\MyrnaZ\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!002\MicrosoftEdge\Cookies\YX85F5T7.txt
4. If I can not run the ESET to its completion what do I do about the 8 threats it detects before finishing?
5. Slartybart said:
Thanks,

I think we've covered all of the bases - not sure if everything has been done - yet.

I think the best course is to keep moving forward. I'll look through the thread for logs and do a recap of things suggested and logs found.
Sounds good.

Slartybart said:
Here's what I'm thinking

Clean Boot to disable all non MS services and disable all Startups
Rkill just to be safe (I don't think it found anything to kill, but I'd have to look at the log again)
<!> Rkill only found one object to kill, so yes it should be run.
Run HitmanPro

TDSSkiller - I have to check - did I suggest that in this thread or was that in another thread
<!> I might change my mind on TDSSKiller and suggest BitDefender Rescue.
<!> I don't think both are necessary, wouldn't hurt. What do you think, TDSSkiller, Bitdefender, or both ... or some other tool?
I've never used BitDefender Rescue. But, I think we are still waiting for the results of TDSSKiller?

Based on what I've read about this threat, the reg key is activated by a call to the particular CLSID, so, I doubt we'll find a rootkit (but, never know). I am thinking we will want to get to Ccleaner eventually, and get screenshots of Startup tabs to determine if anything needs to be disabled/removed that way, and run the cleaner on the registry to get rid of ReImage leftovers as well?

Slartybart said:
Since Mbam started us down the Poweliks Trojan path, I think it's at least warranted to query the registry
reg query "HKCU\software\classes\clsid\{ab8902b4-09ca-4bb6-b78d-a8f59079a8d5}" /s
Agreed.
Slartybart said:
The key wasn't found on my machine, so it's probably a safe bet to delete it if found on Myrna's machine
<!> To make an informed decision, I'd have to see the results of the query - any thoughts?
<!> Google results for the key

Nor mine.

Slartybart said:
I started writing instructions in my text editor, but Bitdefender kept putting the file in quarantine - that's when I said
"Hey why not get an offline Bitdefender Rescue CD involved on Myrna's machine"

More scans can't hurt, but I don't want to wear Myrna out with tech overload.
Better more scans, than leftover infection!
6. myrnsterMash said:
If I can not run the ESET to its completion what do I do about the 8 threats it detects before finishing?
If, when you first ran the ESET scan, you selected to have it auto-clean threats, then those 8 will be in your quarantine. To access them you can try running the scan again, selecting only memory and the Users sub-folder under C drive. They should show up again (at least that's what their instructions said in the past - hopefully they haven't changed that with their updated scan function).
7. Looks to me like HMPro found a bunch of Reimage leftovers, a bunch of cookies and one Ask toolbar. I don't see anything else. @Slartybart can confirm. :)
8. Slartybart said:
More scans can't hurt, but I don't want to wear Myrna out with tech overload.
You have to be joking, if I am not learning something.....well, it is the difference between knowledgeable and embellishers ("yeah, my brother works for the government in IT and he told me all about this....blah blah blah"), then your computer, pc, laptop, whatever starts melting into green goo while you hear the Wicked Witch's cackle screeching "I'm melting."

9. myrnsterMash said:
You have to be joking, if I am not learning something.....well, it is the difference between knowledgeable and embellishers ("yeah, my brother works for the government in IT and he told me all about this....blah blah blah"), then your computer, pc, laptop, whatever starts melting into green goo while you hear the Wicked Witch's cackle screeching "I'm melting."

A real trooper!
When all is said and done, and you have the all-clear, we'll get you set up with Macrium imaging, so if anything ever happens again, you simply restore an image and you're back in business in a matter of minutes/hours, instead of days. Just need an external hard drive for that.
10. simrick said:
If, when you first ran the ESET scan, you selected to have it auto-clean threats.
I was only given options about PUPS and whether to auto delete them, (I did NOT check off the auto delete, because I wanted the info before deleting), but I can not find any log, because it would stop running after it detected the 8 threats. Trust me, I looooooooked, and searched. This info has to exist somewhere, right, but where? Did I make another wrong decision? I like to know and record exactly what I am removing before initiation.
