Trying to Clean Up a friend's computer [Solved]


This topic is locked

#16 Yisroel (GeekU Senior, 1,092 posts)

Hi moondog830,

All is going in a great direction. We've cleaned up all the stuff, let's do some additional scans to make sure we're good and then we could declare it all clean!

1 - Scan with Malwarebytes

  • Download Malwarebytes to your Desktop
  • Double-click the file to open it. Install the program.
  • Follow the instructions given on screen.
  • Once installed, launch Malwarebytes from your Desktop.
  • Click Settings>Protection
  • Make sure that "scan for rootkits" option under Scan Options is On
  • Go back to Dashboard and click the big, blue Scan Now button.
  • Wait for Malwarebytes to finish the scan
  • If the program detects anything, it will list it in the Scan Results window. Click Quarantine Selected. The program might want to reboot the system. Allow it if it wants to.
  • Once the deletion is done (or after reboot) go to Reports, select the latest Scan Log.
  • Click View Report, then click Export then click Copy to Clipboard.
  • Paste (CTRL+V) the log into your next reply.

2 - Scan with ESET Online Scanner

Download ESET Online Scanner and save it to your desktop.

  • Temporarily disable your antivirus protection: Right-click on the avast! icon in the system tray, select avast! shields control and choose the option to disable avast permanently.
  • Right-click on esetonlinescanner_enu.exe and select Run as Administrator.
  • When the tool opens, click Get Started.
  • Read and accept the license agreement.
  • At the Welcome to ESET Online Scanner window, click Get Started.
  • Select whether you would like to send anonymous data to ESET.
  • Note: if you see the "Welcome Back to ESET Online Scanner" screen, click Computer Scan > Full Scan.
  • Click on the Full Scan option.
  • Select Enable ESET to detect and remove potentially unwanted applications, then click Start scan.
  • ESET will now begin scanning your computer. This may take some time.
  • When the scan is finished and if threats have been detected, select Save scan log. Save it to your desktop as eset.txt. Click on Continue.
  • ESET Online Scanner may ask if you'd like to turn on the Periodic Scan feature. Click on Continue.
  • On the next screen, you can leave feedback about the program if you wish. Check the box for Delete application data on closing. If you left feedback, click Submit and continue. If not, Close without feedback.
  • Re-enable the Avast antivirus by right-clicking on the avast! icon in the system tray and, in the avast! shields control, choosing to enable.
  • Open the scan log on your desktop (eset.txt) and copy and paste its contents into your next reply.


#17 moondog830 (Member, Topic Starter, 693 posts)

Malwarebytes
www.malwarebytes.com
 
-Log Details-
Scan Date: 9/15/19
Scan Time: 10:03 AM
Log File: 9a158906-d7c1-11e9-a7d8-2c59e5a50239.json
 
-Software Information-
Version: 3.8.3.2965
Components Version: 1.0.625
Update Package Version: 1.0.12485
License: Trial
 
-System Information-
OS: Windows 8.1
CPU: x64
File System: NTFS
User: Newman-HP-2000\Harvey
 
-Scan Summary-
Scan Type: Threat Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 230786
Threats Detected: 14
Threats Quarantined: 14
Time Elapsed: 14 min, 59 sec
 
-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Detect
PUM: Detect
 
-Scan Details-
Process: 0
(No malicious items detected)
 
Module: 0
(No malicious items detected)
 
Registry Key: 4
PUP.Optional.Jawego, HKLM\SOFTWARE\QXV0by1QQy1DbGVhbmVyMjAxOQ==, Quarantined, [629], [534889],1.0.12485
PUP.Optional.GoodGame, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\Goodgame Empire0, Quarantined, [3893], [597957],1.0.12485
PUP.Optional.GoodGame, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\Goodgame Empire1, Quarantined, [3893], [597957],1.0.12485
PUP.Optional.GoodGame, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\Goodgame Empire2, Quarantined, [3893], [597957],1.0.12485
 
Registry Value: 0
(No malicious items detected)
 
Registry Data: 0
(No malicious items detected)
 
Data Stream: 0
(No malicious items detected)
 
Folder: 0
(No malicious items detected)
 
File: 10
Generic.Malware/Suspicious, C:\USERS\HARVEY\DOWNLOADS\HPSET_2017.11.14.02.EXE, Quarantined, [0], [392686],1.0.12485
PUP.Optional.WinZipMalwareProtector, C:\USERS\HARVEY\DOWNLOADS\WZMP_24 (1).EXE, Quarantined, [12885], [627246],1.0.12485
PUP.Optional.DriverReviver, C:\USERS\HARVEY\DOWNLOADS\DRIVERREVIVERSETUP_PPC4 (2).EXE, Quarantined, [4223], [462815],1.0.12485
Generic.Malware/Suspicious, C:\USERS\HARVEY\APPDATA\LOCAL\YAHOO\YSET\WEBEXT_DL.EXE, Quarantined, [0], [392686],1.0.12485
PUP.Optional.MindSpark, C:\USERS\HARVEY\DESKTOP\TRACE, Quarantined, [649], [301125],1.0.12485
PUP.Optional.WinZipMalwareProtector, C:\USERS\HARVEY\DOWNLOADS\WZMP_24.EXE, Quarantined, [12885], [627246],1.0.12485
PUP.Optional.DriverReviver, C:\USERS\HARVEY\DOWNLOADS\DRIVERREVIVERSETUP_PPC4 (3).EXE, Quarantined, [4223], [462815],1.0.12485
Generic.Malware/Suspicious, C:\USERS\HARVEY\DOWNLOADS\HPSET_2018.06.28.01.EXE, Quarantined, [0], [392686],1.0.12485
PUP.Optional.DriverReviver, C:\USERS\HARVEY\DOWNLOADS\DRIVERREVIVERSETUP_PPC4 (1).EXE, Quarantined, [4223], [462815],1.0.12485
PUP.Optional.DriverReviver, C:\USERS\HARVEY\DOWNLOADS\DRIVERREVIVERSETUP_PPC4.EXE, Quarantined, [4223], [462815],1.0.12485
 
Physical Sector: 0
(No malicious items detected)
 
WMI: 0
(No malicious items detected)
 
 
(end)
 
9/15/2019 19:41:35 PM
Files scanned: 224895
Infected files: 29
Cleaned threats: 27
Total scan time 01:55:46
Scan status: Finished
C:\AdwCleaner\Quarantine\v1\20190911.204017\25\WinZip Driver Updater\trz2051.tmp#A4472C1BCB3DE19F a variant of Win64/DriverReviver.A potentially unwanted application cleaned by deleting
 
C:\AdwCleaner\Quarantine\v1\20190911.204017\38\AUTO-PC-CLEANER2019 FOR NEWMAN-HP-2000\offers\a_p_t.exe#290F1B6600FB1A53 a variant of MSIL/GT32SupportGeeks.O potentially unwanted application cleaned by deleting
 
C:\AdwCleaner\Quarantine\v1\20190911.204017\54\RelevantKnowledge\rlservice.exe#08C012A6341A81BC a variant of Win32/Adware.RK application cleaned by deleting
 
C:\FRST\Quarantine\C\Program Files (x86)\DigitalTrailEHF\ie.exe a variant of Win32/Adware.OpenSUpdater.DQ application cleaned by deleting
 
C:\Program Files\AVAST Software\Avast\setup\aswOfferTool.exe Win32/Bundled.Toolbar.Google.D potentially unsafe application error while deleting (Access denied)
 
C:\Program Files\AVAST Software\Avast\setup\offertool_x64_ais-954.vpx Win32/Bundled.Toolbar.Google.D potentially unsafe application error while deleting (Access denied)
 
C:\Program Files (x86)\Internet Explorer\00003467.tmp a variant of Win32/RiskWare.PEMalform.I application cleaned by deleting
 
C:\Program Files (x86)\Internet Explorer\00021963.tmp a variant of Win32/RiskWare.PEMalform.I application cleaned by deleting
 
C:\Program Files (x86)\Internet Explorer\00025953.tmp a variant of Win32/RiskWare.PEMalform.I application cleaned by deleting
 
C:\Users\Harvey\AppData\Local\Facebook\Games\00000805.tmp a variant of Win32/RiskWare.PEMalform.I application cleaned by deleting
 
C:\Users\Harvey\AppData\Local\Facebook\Games\00001313.tmp a variant of Win32/RiskWare.PEMalform.I application cleaned by deleting
 
C:\Users\Harvey\AppData\Local\Facebook\Games\00004801.tmp a variant of Win32/RiskWare.PEMalform.I application cleaned by deleting
 
C:\Users\Harvey\AppData\Local\Facebook\Games\00005824.tmp a variant of Win32/RiskWare.PEMalform.I application cleaned by deleting
 
C:\Users\Harvey\AppData\Local\Facebook\Games\00007022.tmp a variant of Win32/RiskWare.PEMalform.I application cleaned by deleting
 
C:\Users\Harvey\AppData\Local\Facebook\Games\00008516.tmp a variant of Win32/RiskWare.PEMalform.I application cleaned by deleting
 
C:\Users\Harvey\AppData\Local\Facebook\Games\00010943.tmp a variant of Win32/RiskWare.PEMalform.I application cleaned by deleting
 
C:\Users\Harvey\AppData\Local\Facebook\Games\00015911.tmp a variant of Win32/RiskWare.PEMalform.I application cleaned by deleting
 
C:\Users\Harvey\AppData\Local\Facebook\Games\00017444.tmp a variant of Win32/RiskWare.PEMalform.I application cleaned by deleting
 
C:\Users\Harvey\AppData\Local\Facebook\Games\00018643.tmp a variant of Win32/RiskWare.PEMalform.I application cleaned by deleting
 
C:\Users\Harvey\AppData\Local\Facebook\Games\00018701.tmp a variant of Win32/RiskWare.PEMalform.I application cleaned by deleting
 
C:\Users\Harvey\AppData\Local\Facebook\Games\00018721.tmp a variant of Win32/RiskWare.PEMalform.I application cleaned by deleting
 
C:\Users\Harvey\AppData\Local\Facebook\Games\00018853.tmp a variant of Win32/RiskWare.PEMalform.I application cleaned by deleting
 
C:\Users\Harvey\AppData\Local\Facebook\Games\00020228.tmp a variant of Win32/RiskWare.PEMalform.I application cleaned by deleting
 
C:\Users\Harvey\AppData\Local\Facebook\Games\00020670.tmp a variant of Win32/RiskWare.PEMalform.I application cleaned by deleting
 
C:\Users\Harvey\AppData\Local\Facebook\Games\00026114.tmp a variant of Win32/RiskWare.PEMalform.I application cleaned by deleting
 
C:\Users\Harvey\AppData\Local\Facebook\Games\00027537.tmp a variant of Win32/RiskWare.PEMalform.I application cleaned by deleting
 
C:\Users\Harvey\AppData\Local\Facebook\Games\00028251.tmp a variant of Win32/RiskWare.PEMalform.I application cleaned by deleting
 
C:\Users\Harvey\AppData\Local\Yahoo\yset\YSearchUtil.dll a variant of Win32/YahooSearch.C potentially unwanted application cleaned by deleting
 
C:\Users\Harvey\Downloads\hpset_2017.09.01.01.exe a variant of Win32/YahooSearch.C potentially unwanted application cleaned by deleting
 

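The two logs in the post above are the kind of thing a helper reads by eye: did the Malwarebytes header counts (Threats Detected vs. Threats Quarantined) match the detection lines, and did ESET actually remove everything it flagged, or did some items fail (the two Avast offer-tool files report "error while deleting (Access denied)")? The following Python script is an added example, not code from the thread, from Malwarebytes or from ESET; it parses both log formats and returns those checks. The embedded sample text is a constructed excerpt in the same layout as the post, with a deliberately mismatched ESET count so the follow-up flag fires.

```python
"""Summarise a Malwarebytes 3.x scan export and an ESET Online Scanner log.
Added example: the regexes are written against the line layouts seen in the
thread, and the sample text below is a constructed excerpt, not the full logs."""
import re
from collections import Counter

# Constructed excerpt in the Malwarebytes export format (detection lines are
# copied from the post; the summary counts are reduced to match the excerpt).
MBAM_SAMPLE = r"""-Scan Summary-
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 230786
Threats Detected: 3
Threats Quarantined: 3

-Scan Details-
Registry Key: 1
PUP.Optional.GoodGame, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\Goodgame Empire0, Quarantined, [3893], [597957],1.0.12485

File: 2
Generic.Malware/Suspicious, C:\USERS\HARVEY\DOWNLOADS\HPSET_2017.11.14.02.EXE, Quarantined, [0], [392686],1.0.12485
PUP.Optional.DriverReviver, C:\USERS\HARVEY\DOWNLOADS\DRIVERREVIVERSETUP_PPC4.EXE, Quarantined, [4223], [462815],1.0.12485
"""

# Constructed excerpt in the ESET Online Scanner log format; "Infected files"
# is set one higher than "Cleaned threats" to mirror the access-denied case.
ESET_SAMPLE = r"""Files scanned: 224895
Infected files: 4
Cleaned threats: 3
C:\Program Files\AVAST Software\Avast\setup\aswOfferTool.exe Win32/Bundled.Toolbar.Google.D potentially unsafe application error while deleting (Access denied)

C:\Program Files (x86)\Internet Explorer\00003467.tmp a variant of Win32/RiskWare.PEMalform.I application cleaned by deleting

C:\AdwCleaner\Quarantine\v1\20190911.204017\25\WinZip Driver Updater\trz2051.tmp#A4472C1BCB3DE19F a variant of Win64/DriverReviver.A potentially unwanted application cleaned by deleting

C:\Users\Harvey\AppData\Local\Yahoo\yset\YSearchUtil.dll a variant of Win32/YahooSearch.C potentially unwanted application cleaned by deleting
"""

# Malwarebytes detection line: name, object, action, two bracketed ids, db version.
MBAM_DETECTION = re.compile(
    r"^(?P<name>[^,]+), (?P<obj>.+), (?P<action>[^,\[]+), \[\d+\], \[\d+\],\S+$")
# "Key: number" summary lines such as "Threats Detected: 14".
SUMMARY_FIELD = re.compile(r"^(?P<key>[A-Za-z ]+): (?P<value>\d+)$")

# ESET line: path (optional #hash), optional "a variant of", threat, kind, outcome.
ESET_LINE = re.compile(
    r"^(?P<path>.+?)(?:#[0-9A-F]{16})?\s+(?:a variant of\s+)?"
    r"(?P<threat>[A-Za-z0-9]+/[A-Za-z0-9.]+)\s+(?P<kind>.+?)\s+"
    r"(?P<outcome>cleaned by deleting|error while deleting \([^)]*\))$")


def parse_mbam(text):
    """Return (numeric summary fields, parsed detection lines)."""
    summary, detections = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        m = SUMMARY_FIELD.match(line)
        if m:
            summary[m.group("key")] = int(m.group("value"))
            continue
        m = MBAM_DETECTION.match(line)
        if m:
            detections.append(m.groupdict())
    return summary, detections


def mbam_verdict(text):
    """Tally detection names and check the header counts against the lines."""
    summary, detections = parse_mbam(text)
    names = Counter(d["name"] for d in detections)
    unhandled = [d["obj"] for d in detections if d["action"] != "Quarantined"]
    consistent = (summary.get("Threats Detected")
                  == summary.get("Threats Quarantined") == len(detections))
    return {"names": names, "unhandled": unhandled, "consistent": consistent}


def eset_verdict(text):
    """Compare ESET's header counts with per-file outcomes and list failures."""
    infected = cleaned = None
    failures, threats = [], Counter()
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Infected files:"):
            infected = int(line.split(":")[1])
        elif line.startswith("Cleaned threats:"):
            cleaned = int(line.split(":")[1])
        else:
            m = ESET_LINE.match(line)
            if m:
                threats[m.group("threat")] += 1
                if m.group("outcome").startswith("error"):
                    failures.append((m.group("path"), m.group("outcome")))
    return {"infected": infected, "cleaned": cleaned, "threats": threats,
            "failures": failures,
            "needs_follow_up": infected != cleaned or bool(failures)}


if __name__ == "__main__":
    print("Malwarebytes:", mbam_verdict(MBAM_SAMPLE))
    print("ESET:", eset_verdict(ESET_SAMPLE))
```

The ESET check is the one worth automating: a "cleaned by deleting" line for a file that was already sitting in an AdwCleaner or FRST quarantine folder is harmless, whereas an "error while deleting" line on a live path is exactly what a helper wants surfaced before declaring the machine clean.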

#18 Yisroel (GeekU Senior, 1,092 posts)

Congratulations! You now appear to be clean :thumbsup:

Now let's do some housekeeping... I will remove my tools and give some safety recommendations, which you should share with the computer owner...

Tools Removal and Creation of a clean restore point

Download KpRm by kernel-panik and save it to your desktop.

  • Right-click kprm_(version).exe and select Run as Administrator.
  • When the tool opens, ensure all boxes are checked and select Run.
  • Once complete, click OK.
  • A log will open in Notepad titled kprm-(date).txt.
  • Please copy and paste its contents in your next reply.
  • If present, delete any other .bat, .log, .reg, .txt, and any other files created or downloaded during this process, and left on the desktop.
  • I recommend keeping Malwarebytes Anti-Malware installed; it is a great addition to a normal antivirus program. Make sure to update it and run it from time to time. If it finds things such as PUPs (Potentially Unwanted Programs) you can delete those with no worries. However, if it finds something like a Trojan, come see us.

Tips, Information, and Optional Installations

Keeping Programs Updated

Keeping software up-to-date is important as well. Programs such as UCheck, Heimdal Free, or PatchMyPC can help keep the software on your computer up-to-date.

To keep your operating system up-to-date, make sure that Windows Update is enabled on your computer.

Unchecky

Unchecky is a small service that runs in the background to help keep those "extra toolbars" and tag-along search engines from automatically installing. By automatically directing you to a custom install with all the options unchecked, only what you manually choose and confirm gets installed.

  • Download Unchecky to your desktop
  • Right click on the Unchecky_setup and choose to Run as Administrator.
  • Once open click the Install button.
  • Then click on Finish

Unchecky is now installed and will help you keep unwanted check boxes unchecked.


In your next post

KpRm Log



#19 moondog830 (Member, Topic Starter, 693 posts)

will get this done tonight ... took my wife out to dinner last night for a change 



#20 Yisroel (GeekU Senior, 1,092 posts)

will get this done tonight ... took my wife out to dinner last night for a change

Family always comes before friends!  :yes: 

Thanks for letting us know.



#21 moondog830 (Member, Topic Starter, 693 posts)

# Run at 9/18/2019 7:46:54 PM
# KpRm (Kernel-panik) version 1.9
# Run by Harvey from C:\Users\Harvey\Desktop
# Computer Name: NEWMAN-HP-2000
# OS: Windows 8.1 X64 (9600) 
 
- Create Registry Backup -
 
  [OK] Registry Backup: C:\KPRM\backup\2019-09-18-19-46
 
- Search Tools -
 
 
  ## AdwCleaner
     [OK] C:\Users\Harvey\Desktop\adwcleaner_7.4.1.exe deleted (1)
     [OK] C:\AdwCleaner deleted (1)
 
  ## ESET Online Scanner
     [OK] C:\Users\Harvey\Desktop\esetonlinescanner_enu.exe deleted (1)
 
  ## FRST
     [OK] C:\Users\Harvey\Desktop\Addition.txt deleted (1)
     [OK] C:\Users\Harvey\Desktop\Fixlog.txt deleted (1)
     [OK] C:\Users\Harvey\Desktop\FRST-OlderVersion deleted (1)
     [OK] C:\Users\Harvey\Desktop\FRST.txt deleted (1)
     [OK] C:\Users\Harvey\Desktop\FRST64.exe deleted (1)
     [OK] C:\FRST deleted (1)
 
- Restore Default System Settings -
 
  [OK] Flush DNS
  [OK] Reset WinSock
  [OK] Hide Hidden file.
  [OK] Show Extensions for known file types
  [OK] Hide protected operating system files
 
- Restore UAC Default Value -
 
  [OK] Set ConsentPromptBehaviorAdmin with default (5) value
  [OK] Set ConsentPromptBehaviorUser with default (3) value
  [OK] Set EnableInstallerDetection with default (0) value
  [OK] Set EnableLUA with default (1) value
  [OK] Set EnableSecureUIAPaths with default (1) value
  [OK] Set EnableUIADesktopToggle with default (0) value
  [OK] Set EnableVirtualization with default (1) value
  [OK] Set FilterAdministratorToken with default (0) value
  [OK] Set PromptOnSecureDesktop with default (1) value
  [OK] Set ValidateAdminCodeSignatures with default (0) value
 
- Clear All System Restore Points -
 
    ~ [OK] RP named Windows Update created at 08/19/2019 20:13:53 deleted
    ~ [OK] RP named Windows Update created at 09/01/2019 15:56:47 deleted
    ~ [OK] RP named Removed DriverUpdate created at 09/08/2019 13:40:37 deleted
    ~ [OK] RP named Restore Point Created by FRST created at 09/08/2019 17:37:55 deleted
    ~ [OK] RP named Windows Update created at 09/15/2019 17:30:29 deleted
 
  [OK] All system restore points have been successfully deleted
 
- Create New System Restore Point -
 
  [OK] Enable System Restore
  [OK] System Restore Point created
 
- Display All System Restore Point -
 
    ~ [I] RP named KpRm created at 09/18/2019 23:53:29 found
 
 
will get Unchecky for my friend ... most older people tend to click on things they shouldn't
 
AGAIN ... thank you so much for your help

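The "Restore UAC Default Value" section of the KpRm log above lists ten registry values and the defaults KpRm put back. A cleanup helper wants the reverse check as well: read those values and flag any that an installer or the user has changed (EnableLUA set to 0 switches UAC off entirely). The script below is an added example and not part of KpRm; the value names and defaults are the ones printed in the log, and the key path is the standard location of these values under HKLM. On Windows it reads the live registry; anywhere else it audits a constructed sample dict.

```python
"""Audit the UAC policy values listed in the KpRm log against the defaults
KpRm printed.  Added example, not part of KpRm.  read_uac_values() needs
Windows (winreg); audit_uac() works on any dict of name -> value."""
import sys

# Names and defaults exactly as listed in KpRm's "Restore UAC Default Value" section.
UAC_DEFAULTS = {
    "ConsentPromptBehaviorAdmin": 5,
    "ConsentPromptBehaviorUser": 3,
    "EnableInstallerDetection": 0,
    "EnableLUA": 1,
    "EnableSecureUIAPaths": 1,
    "EnableUIADesktopToggle": 0,
    "EnableVirtualization": 1,
    "FilterAdministratorToken": 0,
    "PromptOnSecureDesktop": 1,
    "ValidateAdminCodeSignatures": 0,
}
# Standard location of these values (under HKEY_LOCAL_MACHINE).
UAC_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"


def read_uac_values():
    """Read the listed values from HKLM on Windows; a value that is not set is None."""
    import winreg  # Windows-only module, imported lazily
    values = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, UAC_KEY) as key:
        for name in UAC_DEFAULTS:
            try:
                values[name] = winreg.QueryValueEx(key, name)[0]
            except FileNotFoundError:
                values[name] = None
    return values


def audit_uac(values):
    """Report values that differ from the KpRm defaults and values that are not set.
    A missing value is listed separately rather than as a deviation, because
    Windows then applies its own built-in default for that setting."""
    deviations, missing = {}, []
    for name, default in UAC_DEFAULTS.items():
        current = values.get(name)
        if current is None:
            missing.append(name)
        elif current != default:
            deviations[name] = (current, default)
    return {
        "deviations": deviations,
        "missing": missing,
        # UAC is only off when EnableLUA is explicitly 0.
        "uac_enabled": values.get("EnableLUA") != 0,
    }


if __name__ == "__main__":
    if sys.platform == "win32":
        current = read_uac_values()
    else:
        # Constructed sample: UAC switched off and the secure-desktop prompt
        # disabled, the two changes a helper most wants to see flagged.
        current = dict(UAC_DEFAULTS, EnableLUA=0, PromptOnSecureDesktop=0)
    report = audit_uac(current)
    for name, (cur, default) in report["deviations"].items():
        print(f"{name}: {cur} (default {default})")
    print("UAC enabled:", report["uac_enabled"], "| not set:", report["missing"])
```

Reading the key only needs a standard user account; changing the values (what KpRm does) needs elevation, which is why the tool is run as Administrator in the instructions.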


#23 Yisroel (GeekU Senior, 1,092 posts)

AGAIN ... thank you so much for your help

You're very welcome! Happy to help  :)



#24 iMacg3 (GeekU Moderator, 1,043 posts)

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.


