Start::
SystemRestore: On
CreateRestorePoint:
CloseProcesses:
Task: {6B284707-60B8-4551-8E7D-EF2722EE4894} - System32\Tasks\sys_service_v7 => C:\ProgramData\net_trace_socket_v8\Distributed-Navigato.exe (No File)
Task: C:\WINDOWS\Tasks\JRTCrypt_core.job => C:\ProgramData\net_trace_socket_v8\Distributed-Navigato.exe
2026-05-26 22:19 - 2026-05-26 23:03 - 000000306 _____ C:\WINDOWS\Tasks\JRTCrypt_core.job
2026-05-26 22:19 - 2026-05-26 22:19 - 000003166 _____ C:\WINDOWS\system32\Tasks\sys_service_v7
2026-05-26 22:19 - 2026-05-26 22:19 - 000003124 _____ C:\WINDOWS\system32\Tasks\JRTCrypt_core
2026-05-26 22:19 - 2026-05-26 22:19 - 000000000 ____D C:\Users\Kevin\AppData\Local\Yandex
2026-05-26 22:23 - 2026-01-23 02:33 - 000000000 ____D C:\Users\Kevin\AppData\Roaming\RenPy
CustomCLSID: HKU\S-1-5-21-82443689-1658357570-2764191468-1001_Classes\CLSID\{86ca1aa0-34aa-4e8b-a509-50c905bae2a2}\InprocServer32 -> => No File
CustomCLSID: HKU\S-1-5-21-82443689-1658357570-2764191468-1001_Classes\CLSID\{8F8F7561-A3E0-4173-9ED5-EF1DB8C91275}\localserver32 -> "c:\program files\alienware\alienware command center\utilities\aw.notificationutility\aw.notificationutility.exe" ----AppNotificationActivated: => No File
CustomCLSID: HKU\S-1-5-21-82443689-1658357570-2764191468-1001_Classes\CLSID\{B2EB610A-228E-410C-B71E-95F62CF141DA}\localserver32 -> "c:\program files\alienware\alienware command center\awcc\awcc.exe" ----AppNotificationActivated: => No File
CustomCLSID: HKU\S-1-5-21-82443689-1658357570-2764191468-1001_Classes\CLSID\{FBF4478B-9B8E-437E-BA9C-8A41F8F08317}\localserver32 -> "c:\program files\alienware\alienware command center\subsystems\fx\subagent\alienfxsubagent.exe" ----AppNotificationActivated: => No File
AlternateDataStreams: C:\ProgramData\sldh.dat:136096DD5B [3442]
AlternateDataStreams: C:\ProgramData\sldh.dat:F3D162C601 [3442]
AlternateDataStreams: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Acrobat Distiller.lnk:93337121EE [3442]
AlternateDataStreams: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Acrobat.lnk:1FA7E99ECA [3442]
AlternateDataStreams: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe After Effects 2024.lnk:CE5D2E4A72 [3442]
AlternateDataStreams: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Creative Cloud.lnk:7661CCE9BF [3442]
AlternateDataStreams: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Illustrator 2024.lnk:B74CC70858 [3442]
AlternateDataStreams: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe InDesign 2024.lnk:493DA0DB77 [3442]
AlternateDataStreams: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Lightroom.lnk:BCD3E320D4 [3442]
AlternateDataStreams: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Media Encoder 2024.lnk:5239ACD094 [3442]
AlternateDataStreams: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Photoshop 2024.lnk:D6CCC992C2 [3442]
AlternateDataStreams: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Premiere Pro 2024.lnk:E6BA3D2773 [3442]
AlternateDataStreams: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Epic Games Launcher.lnk:BE32D07BC5 [3442]
AlternateDataStreams: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\FACEIT AC.lnk:550995E265 [3442]
FirewallRules: [{638CA16F-DEF1-4337-AFC5-019E3B9ED6CC}] => (Allow) C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe => No File
FirewallRules: [{F261B4EA-F222-46C1-B50D-F2BACEF6F2E7}] => (Allow) C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe => No File
FirewallRules: [TCP Query User{CE73D558-B5DD-421C-8A15-BA7A0DEC1977}D:\steamlibrary\steamapps\common\glacier events\bf6event.exe] => (Allow) D:\steamlibrary\steamapps\common\glacier events\bf6event.exe => No File
FirewallRules: [UDP Query User{6782212B-C556-4AF2-9BDD-48CB3A5606F7}D:\steamlibrary\steamapps\common\glacier events\bf6event.exe] => (Allow) D:\steamlibrary\steamapps\common\glacier events\bf6event.exe => No File
FirewallRules: [TCP Query User{A5209EE2-0C5B-4FE4-8DC4-8C214253FED4}D:\steamlibrary\steamapps\common\battlefield 6\bf6.exe] => (Allow) D:\steamlibrary\steamapps\common\battlefield 6\bf6.exe => No File
FirewallRules: [UDP Query User{D694DCF5-3CA2-4F7F-A248-8A7453EEF617}D:\steamlibrary\steamapps\common\battlefield 6\bf6.exe] => (Allow) D:\steamlibrary\steamapps\common\battlefield 6\bf6.exe => No File
FirewallRules: [TCP Query User{038E4F43-C1E2-4893-A59F-634EEDA43E46}C:\users\kevin\appdata\local\programs\opera gx\opera.exe] => (Allow) C:\users\kevin\appdata\local\programs\opera gx\opera.exe => No File
FirewallRules: [UDP Query User{FF91E469-06C8-431F-86EC-95AE0ECB6641}C:\users\kevin\appdata\local\programs\opera gx\opera.exe] => (Allow) C:\users\kevin\appdata\local\programs\opera gx\opera.exe => No File
HKU\S-1-5-21-82443689-1658357570-2764191468-1001\...\MountPoints2: {56062397-fc49-11ef-880d-2cf05d3814fb} - "E:\Autoplay.exe" -auto
Task: {212B7047-570A-4922-B5A7-4B2116FD3E13} - System32\Tasks\JRTCrypt_core => C:\ProgramData\net_trace_socket_v8\Distributed-Navigato.exe (No File)
Task: {077BA067-7C15-40F0-B22E-C9DC2A54B4A2} - System32\Tasks\Microsoft\Windows\Location\Notifications => %windir%\System32\LocationNotificationWindows.exe (No File)
Task: {F3E6E7ED-A196-4E44-8803-55FAB3AD4E29} - System32\Tasks\Microsoft\Windows\UpdateOrchestrator\USO_UxBroker => %systemroot%\system32\MusNotification.exe (No File)
S3 ACE-SSC-DRV64; \??\C:\Program Files\AntiCheatExpert\SGuard\x64\plugins\ACE-SSC-DRV64.sys (No File)
S2 AMDRyzenMasterDriverV27; \??\C:\Program Files\AMD\Performance Profile Client\AMDRyzenMasterDriver.sys (No File)
U4 DcpSvc; no ImagePath
U4 diagnosticshub.standardcollector.service; no ImagePath
U4 Fax; no ImagePath
U2 HomeGroupListener; no ImagePath
U2 HomeGroupProvider; no ImagePath
U4 NvTelemetryContainer; no ImagePath
S3 PDFWKRNL; \??\C:\WINDOWS\SystemTemp\USBCPDFW\pdfwkrnl.sys (No File)
U4 xbgm; no ImagePath
HKLM\SOFTWARE\Microsoft\Windows Defender: [DisableAntiSpyware] Restriction <==== ATTENTION
HKLM\SOFTWARE\Microsoft\Windows Defender: [DisableAntiVirus] Restriction <==== ATTENTION
GroupPolicy: Restriction ? <==== ATTENTION
Policies: C:\ProgramData\NTUSER.pol: Restriction <==== ATTENTION
HKLM\SOFTWARE\Policies\Mozilla\Firefox: Restriction <==== ATTENTION
HKLM\SOFTWARE\Policies\Google: Restriction <==== ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Edge: Restriction <==== ATTENTION
IFEO\software_reporter_tool.exe: [Debugger] %windir%\System32\taskkill.exe
IFEO\CompatTelRunner.exe: [Debugger] %windir%\System32\taskkill.exe
IFEO\DeviceCensus.exe: [Debugger] %windir%\System32\taskkill.exe
File: C:\WINDOWS\system32\DRIVERS\ndextlag.sys
2026-05-26 22:19 - 2026-05-26 22:19 - 001614144 _____ (IO Bureau SA) C:\Users\Kevin\AppData\Local\MicValidator.exe
2026-05-26 22:18 - 2026-05-26 22:18 - 000000000 ____D C:\Users\Kevin\hsqbd4Kdwjtzlp8w
Comment: This snippet reverts SmartScreen settings to default
StartRegedit:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer]
"SmartScreenEnabled"="Warn"

[HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\PhishingFilter]
"EnabledV9"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\AppHost]
"EnableWebContentEvaluation"=dword:00000001

[HKU\S-1-5-21-82443689-1658357570-2764191468-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost]
"EnableWebContentEvaluation"=dword:00000001

[HKU\S-1-5-21-82443689-1658357570-2764191468-1001\SOFTWARE\Microsoft\Windows Security Health\State]
"AppAndBrowser_StoreAppsSmartScreenOff"=dword:00000001
EndRegedit:
StartPowershell:
# Replace /scanonly with /clean if you also want to delete items -- however, this will activate a trial license on the system, I do not recommend it
$hmpExe = "$env:TEMP\HitmanPro_x64.exe"
$logFile = "$env:TEMP\HitmanPro_ScanLog.txt"
Invoke-WebRequest -Uri "https://dl.surfright.nl/HitmanPro_x64.exe" -OutFile $hmpExe -UseBasicParsing
$proc = Start-Process $hmpExe -ArgumentList "/ews","/scanonly","/noinstall","/log=`"$logFile`"","/logtype=txt" -Wait -PassThru
if (!(Test-Path $logFile)) { Write-Host "Scan failed (exit $($proc.ExitCode))"; exit 1 }
Get-Content $logFile -Encoding Unicode
EndPowershell:
StartPowerShell:
# Downloads the newest AdwCleaner version directly from Malwarebytes, performs an update, scans, cleans and writes the log to the console
# Does not clean preinstalled objects, only PUP/Adware
# If you would like to delete preinstalled objects, add the argument /preinstalled after the /clean argument
# If you would like to only scan with it, change the argument from /clean to /scan
# NOTE: For the sake of users from Asia (primarily China), do not use the clean option. It will very likely remove a lot of their important software.
New-Item -ItemType Directory -Force -Path "$env:SystemDrive\AdwCleaner" | Out-Null
Invoke-WebRequest -Uri "https://adwcleaner.malwarebytes.com/adwcleaner?channel=release" -OutFile "$env:SystemDrive\AdwCleaner\AdwCleanerFRST.exe"
Start-Process -FilePath "$env:SystemDrive\AdwCleaner\AdwCleanerFRST.exe" -ArgumentList "/eula" -Wait -WindowStyle Hidden
$logFile = "$env:SystemDrive\AdwCleaner\AdwCleanerOutputFRST.txt"
Start-Process -FilePath "$env:SystemDrive\AdwCleaner\AdwCleanerFRST.exe" -ArgumentList "/noreboot /clean" -Wait -WindowStyle Hidden -RedirectStandardOutput $logFile
Get-Content $logFile -Encoding Unicode
Remove-Item -Path $logFile -Force -ErrorAction SilentlyContinue
EndPowerShell:
Comment: Verify that Discord does not have any injected code to intercept personal data. If anything is printed here, it needs to be checked that it isn't malicious code.
Powershell: @("$env:APPDATA","$env:LOCALAPPDATA") | ForEach-Object { Get-ChildItem $_ -Recurse -Filter "index.js" -ErrorAction SilentlyContinue } | Where-Object { $_.FullName -match "discord_desktop_core" } | ForEach-Object { Write-Host "--- $($_.FullName) ---"; (Get-Content $_.FullName -Raw).Substring(0,[Math]::Min(2000,(Get-Content $_.FullName -Raw).Length)) }
Comment: Remove unwanted files from common folders using the native removal power of Farbar, including removal on reboot if needed. Please double check that the user does not have any applications incorrectly installed in the directories listed below.
C:\ProgramData\*.a3x
C:\ProgramData\*.ahk
C:\ProgramData\*.au3
C:\ProgramData\*.bat
C:\ProgramData\*.cab
C:\ProgramData\*.cmd
C:\ProgramData\*.com
C:\ProgramData\*.dll
C:\ProgramData\*.exe
C:\ProgramData\*.hta
C:\ProgramData\*.jar
C:\ProgramData\*.js
C:\ProgramData\*.jse
C:\ProgramData\*.lnk
C:\ProgramData\*.pif
C:\ProgramData\*.ps1
C:\ProgramData\*.py
C:\ProgramData\*.pyc
C:\ProgramData\*.pyd
C:\ProgramData\*.scr
C:\ProgramData\*.tmp
C:\ProgramData\*.vbe
C:\ProgramData\*.vbs
C:\ProgramData\*.wsf
C:\ProgramData\*.wsh
C:\ProgramData\*.zip
C:\ProgramData\*.rar
C:\ProgramData\*.7z
C:\Users\*\AppData\Roaming\*.au3
C:\Users\*\AppData\Roaming\*.bat
C:\Users\*\AppData\Roaming\*.cab
C:\Users\*\AppData\Roaming\*.cmd
C:\Users\*\AppData\Roaming\*.com
C:\Users\*\AppData\Roaming\*.dll
C:\Users\*\AppData\Roaming\*.exe
C:\Users\*\AppData\Roaming\*.hta
C:\Users\*\AppData\Roaming\*.jar
C:\Users\*\AppData\Roaming\*.js
C:\Users\*\AppData\Roaming\*.jse
C:\Users\*\AppData\Roaming\*.lnk
C:\Users\*\AppData\Roaming\*.pif
C:\Users\*\AppData\Roaming\*.ps1
C:\Users\*\AppData\Roaming\*.py
C:\Users\*\AppData\Roaming\*.pyc
C:\Users\*\AppData\Roaming\*.pyd
C:\Users\*\AppData\Roaming\*.scr
C:\Users\*\AppData\Roaming\*.tmp
C:\Users\*\AppData\Roaming\*.vbe
C:\Users\*\AppData\Roaming\*.vbs
C:\Users\*\AppData\Roaming\*.wsf
C:\Users\*\AppData\Roaming\*.wsh
C:\Users\*\AppData\Roaming\*.zip
C:\Users\*\AppData\Roaming\*.rar
C:\Users\*\AppData\Roaming\*.7z
C:\Users\CurrentUserName\AppData\Local\*.a3x
C:\Users\CurrentUserName\AppData\Local\*.ahk
C:\Users\CurrentUserName\AppData\Local\*.au3
C:\Users\CurrentUserName\AppData\Local\*.bat
C:\Users\CurrentUserName\AppData\Local\*.cab
C:\Users\CurrentUserName\AppData\Local\*.cmd
C:\Users\CurrentUserName\AppData\Local\*.com
C:\Users\CurrentUserName\AppData\Local\*.dll
C:\Users\CurrentUserName\AppData\Local\*.exe
C:\Users\CurrentUserName\AppData\Local\*.hta
C:\Users\CurrentUserName\AppData\Local\*.jar
C:\Users\CurrentUserName\AppData\Local\*.js
C:\Users\CurrentUserName\AppData\Local\*.jse
C:\Users\CurrentUserName\AppData\Local\*.lnk
C:\Users\CurrentUserName\AppData\Local\*.pif
C:\Users\CurrentUserName\AppData\Local\*.ps1
C:\Users\CurrentUserName\AppData\Local\*.py
C:\Users\CurrentUserName\AppData\Local\*.pyc
C:\Users\CurrentUserName\AppData\Local\*.pyd
C:\Users\CurrentUserName\AppData\Local\*.scr
C:\Users\CurrentUserName\AppData\Local\*.tmp
C:\Users\CurrentUserName\AppData\Local\*.vbe
C:\Users\CurrentUserName\AppData\Local\*.vbs
C:\Users\CurrentUserName\AppData\Local\*.wsf
C:\Users\CurrentUserName\AppData\Local\*.wsh
C:\Users\CurrentUserName\AppData\Local\*.zip
C:\Users\CurrentUserName\AppData\Local\*.rar
C:\Users\CurrentUserName\AppData\Local\*.7z
C:\Users\CurrentUserName\AppData\Roaming\*.a3x
C:\Users\CurrentUserName\AppData\Roaming\*.ahk
C:\Users\CurrentUserName\AppData\Roaming\*.au3
C:\Users\CurrentUserName\AppData\Roaming\*.bat
C:\Users\CurrentUserName\AppData\Roaming\*.cab
C:\Users\CurrentUserName\AppData\Roaming\*.cmd
C:\Users\CurrentUserName\AppData\Roaming\*.com
C:\Users\CurrentUserName\AppData\Roaming\*.dll
C:\Users\CurrentUserName\AppData\Roaming\*.exe
C:\Users\CurrentUserName\AppData\Roaming\*.hta
C:\Users\CurrentUserName\AppData\Roaming\*.jar
C:\Users\CurrentUserName\AppData\Roaming\*.js
C:\Users\CurrentUserName\AppData\Roaming\*.jse
C:\Users\CurrentUserName\AppData\Roaming\*.lnk
C:\Users\CurrentUserName\AppData\Roaming\*.pif
C:\Users\CurrentUserName\AppData\Roaming\*.ps1
C:\Users\CurrentUserName\AppData\Roaming\*.py
C:\Users\CurrentUserName\AppData\Roaming\*.pyc
C:\Users\CurrentUserName\AppData\Roaming\*.pyd
C:\Users\CurrentUserName\AppData\Roaming\*.scr
C:\Users\CurrentUserName\AppData\Roaming\*.tmp
C:\Users\CurrentUserName\AppData\Roaming\*.vbe
C:\Users\CurrentUserName\AppData\Roaming\*.vbs
C:\Users\CurrentUserName\AppData\Roaming\*.wsf
C:\Users\CurrentUserName\AppData\Roaming\*.wsh
C:\Users\CurrentUserName\AppData\Roaming\*.zip
C:\Users\CurrentUserName\AppData\Roaming\*.rar
C:\Users\CurrentUserName\AppData\Roaming\*.7z
Comment: Force policy removal
C:\Windows\System32\GroupPolicyUsers
C:\Windows\System32\GroupPolicy
Comment: System repair commands
CMD: DISM.exe /Online /Cleanup-image /Restorehealth
CMD: SFC.exe /scannow
Comment: Network reset commands
CMD: netsh int ip reset
CMD: netsh int ipv6 reset
CMD: ipconfig /flushDNS
CMD: netsh winsock reset catalog
Comment: Additional temp file removal
C:\Windows\System32\config\systemprofile\AppData\Local\*.tmp
C:\WINDOWS\system32\*.tmp
C:\WINDOWS\syswow64\*.tmp
C:\Users\CurrentUserName\AppData\Local\Temp\*
C:\Windows\Temp\*
C:\Windows\SystemTemp\*
EmptyTemp:
End::