Start::
CreateRestorePoint:
CloseProcesses:
IE trusted site: HKU\.DEFAULT\...\webcompanion.com -> hxxp://webcompanion.com
2026-05-03 20:29 - 2022-03-26 16:37 - 000000000 ____D C:\Users\czako\AppData\Roaming\Lavasoft
2026-05-03 20:29 - 2022-03-26 16:37 - 000000000 ____D C:\ProgramData\Lavasoft
2026-05-03 20:29 - 2022-03-26 16:37 - 000000000 ____D C:\Program Files (x86)\Lavasoft
CustomCLSID: HKU\S-1-5-21-2513414555-1048960068-4039487233-1001_Classes\CLSID\{28A80003-18FD-411D-B0A3-3C81F618E22B}\InprocServer32 -> C:\Users\czako\AppData\Local\Kingsoft\WPS Office\12.2.0.19805\office6\kwpsmenushellext64.dll => No File
CustomCLSID: HKU\S-1-5-21-2513414555-1048960068-4039487233-1001_Classes\CLSID\{d1b22d3d-8585-53a6-acb3-0e803c7e8d2a}\localserver32 -> "C:\ProgramData\czako\Microsoft\Teams\current\Teams.exe" --toast => No File
ContextMenuHandlers5: [ACE] -> {5E2121EE-0300-11D4-8D3B-444553540000} => -> No File
ContextMenuHandlers1_S-1-5-21-2513414555-1048960068-4039487233-1001: [ kwpsshellext] -> {28A80003-18FD-411D-B0A3-3C81F618E22B} => C:\Users\czako\AppData\Local\Kingsoft\WPS Office\12.2.0.19805\office6\kwpsmenushellext64.dll -> No File
ContextMenuHandlers4_S-1-5-21-2513414555-1048960068-4039487233-1001: [ kwpsshellext] -> {28A80003-18FD-411D-B0A3-3C81F618E22B} => C:\Users\czako\AppData\Local\Kingsoft\WPS Office\12.2.0.19805\office6\kwpsmenushellext64.dll -> No File
AlternateDataStreams: C:\Windows\tracing:? [16]
AlternateDataStreams: C:\ProgramData\mntemp:8EAD8B3507 [2594]
AlternateDataStreams: C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini:B1DA6C571C [2594]
AlternateDataStreams: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk:C8B6D970BF [2594]
AlternateDataStreams: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PC Health Check.lnk:F20EF51E1F [2594]
AlternateDataStreams: C:\Users\czako\OneDrive\Asztali gép\FRSTEnglish.exe.exe:MBAM.Zone.Identifier [225]
AlternateDataStreams: C:\Users\Public\Shared Files:VersionCache [7946]
FirewallRules: [{9BC334DA-B4BB-4292-ACFE-0941CE5EB817}] => (Allow) C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe => No File
FirewallRules: [{C506F2CD-B5A8-4088-956B-C98442A3BB73}] => (Allow) C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe => No File
FirewallRules: [{02115913-4467-471A-8891-36FBF5D8F20A}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\ABInfinite\Launcher\arena_breakout_infinite_launcher.exe => No File
FirewallRules: [{BF095A13-44A1-47E4-A552-63BCB94FA6B1}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\ABInfinite\Launcher\arena_breakout_infinite_launcher.exe => No File
FirewallRules: [{152D8636-666E-4509-8C30-91C7E65BF461}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Blue Protocol Star Resonance\bpsr\BPSR_STEAM.exe => No File
FirewallRules: [{6A065B6C-646C-4BE6-8178-8A9AB593D0A4}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Blue Protocol Star Resonance\bpsr\BPSR_STEAM.exe => No File
FirewallRules: [TCP Query User{086DF731-E67C-4D84-84CD-C31FDD49E3AA}C:\users\czako\appdata\local\temp\rar$exa3188.43833.rartemp\the jackbox party pack 4\the jackbox party pack 4.exe] => (Allow) C:\users\czako\appdata\local\temp\rar$exa3188.43833.rartemp\the jackbox party pack 4\the jackbox party pack 4.exe => No File
FirewallRules: [UDP Query User{24449EA3-6A3B-4685-8F13-5E3828EB7F33}C:\users\czako\appdata\local\temp\rar$exa3188.43833.rartemp\the jackbox party pack 4\the jackbox party pack 4.exe] => (Allow) C:\users\czako\appdata\local\temp\rar$exa3188.43833.rartemp\the jackbox party pack 4\the jackbox party pack 4.exe => No File
FirewallRules: [TCP Query User{14BECF6F-620F-484F-B541-E28AC8C489EE}C:\users\czako\appdata\local\temp\rar$exa11148.10546.rartemp\the jackbox party pack 4\the jackbox party pack 4.exe] => (Allow) C:\users\czako\appdata\local\temp\rar$exa11148.10546.rartemp\the jackbox party pack 4\the jackbox party pack 4.exe => No File
FirewallRules: [UDP Query User{4B5565F1-56DC-4237-ACB0-E897954E354C}C:\users\czako\appdata\local\temp\rar$exa11148.10546.rartemp\the jackbox party pack 4\the jackbox party pack 4.exe] => (Allow) C:\users\czako\appdata\local\temp\rar$exa11148.10546.rartemp\the jackbox party pack 4\the jackbox party pack 4.exe => No File
FirewallRules: [TCP Query User{4834261A-1EFB-499B-857D-76E8E4E65FF5}C:\users\czako\appdata\local\temp\rar$exa3836.4793.rartemp\the jackbox party pack 4\the jackbox party pack 4.exe] => (Allow) C:\users\czako\appdata\local\temp\rar$exa3836.4793.rartemp\the jackbox party pack 4\the jackbox party pack 4.exe => No File
FirewallRules: [UDP Query User{AC05D635-4A14-45DD-82F6-1E8EE43FB5FA}C:\users\czako\appdata\local\temp\rar$exa3836.4793.rartemp\the jackbox party pack 4\the jackbox party pack 4.exe] => (Allow) C:\users\czako\appdata\local\temp\rar$exa3836.4793.rartemp\the jackbox party pack 4\the jackbox party pack 4.exe => No File
FirewallRules: [TCP Query User{4143529D-8138-49F9-8026-C8C81802C6FF}C:\users\czako\appdata\local\temp\rar$exa8936.12420.rartemp\citra-windows-msvc-20240303-0ff3440\tomodachi life\head-mingw\citra-qt.exe] => (Allow) C:\users\czako\appdata\local\temp\rar$exa8936.12420.rartemp\citra-windows-msvc-20240303-0ff3440\tomodachi life\head-mingw\citra-qt.exe => No File
FirewallRules: [UDP Query User{2F9CB5FC-6394-46FD-B570-D844DAFEDC7A}C:\users\czako\appdata\local\temp\rar$exa8936.12420.rartemp\citra-windows-msvc-20240303-0ff3440\tomodachi life\head-mingw\citra-qt.exe] => (Allow) C:\users\czako\appdata\local\temp\rar$exa8936.12420.rartemp\citra-windows-msvc-20240303-0ff3440\tomodachi life\head-mingw\citra-qt.exe => No File
FirewallRules: [TCP Query User{19AA5748-4DF0-4D6E-85CD-DBA1FD6E2B91}C:\users\czako\appdata\local\temp\rar$exa8936.22263.rartemp\citra-windows-msvc-20240303-0ff3440\tomodachi life\head-mingw\citra-qt.exe] => (Allow) C:\users\czako\appdata\local\temp\rar$exa8936.22263.rartemp\citra-windows-msvc-20240303-0ff3440\tomodachi life\head-mingw\citra-qt.exe => No File
FirewallRules: [UDP Query User{6681E68C-A809-4960-82DA-53808461BE47}C:\users\czako\appdata\local\temp\rar$exa8936.22263.rartemp\citra-windows-msvc-20240303-0ff3440\tomodachi life\head-mingw\citra-qt.exe] => (Allow) C:\users\czako\appdata\local\temp\rar$exa8936.22263.rartemp\citra-windows-msvc-20240303-0ff3440\tomodachi life\head-mingw\citra-qt.exe => No File
HKU\S-1-5-21-2513414555-1048960068-4039487233-1001\...\Run: [utweb] => "C:\Users\czako\AppData\Roaming\uTorrent Web\utweb.exe" /MINIMIZED (No File)
HKU\S-1-5-21-2513414555-1048960068-4039487233-1001\...\Run: [EpicGamesLauncher] => "C:\Program Files (x86)\Epic Games\Launcher\Portal\Binaries\Win64\EpicGamesLauncher.exe" -silent -launchcontext=boot (No File)
HKU\S-1-5-21-2513414555-1048960068-4039487233-1001\...\Run: [SignalRgb] => "C:\Users\czako\AppData\Local\VortxEngine\SignalRgbLauncher.exe" --silent (No File)
Task: {C79D7B29-4D03-4433-AF13-9911F3BE8D2F} - System32\Tasks\Opera scheduled Autoupdate 1648305453 => C:\Users\czako\AppData\Local\Programs\Opera\autoupdate\opera_autoupdate.exe --scheduledtask --bypasslauncher $(Arg0) (No File)
S2 AMDRyzenMasterDriverV19; \??\C:\Windows\system32\AMDRyzenMasterDriver.sys (No File)
S3 EAAntiCheat; system32\drivers\eaanticheat.sys (No File)
2026-01-20 21:57 - 2026-01-20 21:57 - 000000048 ____R () C:\Users\czako\AppData\Local\D844DB69F892053FB8B455E81CC52138
2026-02-24 20:12 - 2026-02-24 20:12 - 000000048 ____R () C:\Users\czako\AppData\Local\F6606343BCC6D682AE389FF4CAC25E30
Web Companion (HKLM-x32\...\{99c5472d-0d27-4a15-a75c-76a4b675d0ff}) (Version: 8.9.0.371 - Lavasoft) <==== ATTENTION
HKLM\SOFTWARE\Microsoft\Windows Defender: [DisableAntiSpyware] Restriction <==== ATTENTION
HKLM\SOFTWARE\Microsoft\Windows Defender: [DisableAntiVirus] Restriction <==== ATTENTION
HKLM\SOFTWARE\Policies\Mozilla\Firefox: Restriction <==== ATTENTION
IE trusted site: HKU\S-1-5-21-2513414555-1048960068-4039487233-1001\...\webcompanion.com -> hxxp://webcompanion.com
StartPowerShell:
# This snippet downloads Emsisoft Emergency Kit (EEK) from Emsisoft's official site, updates it, and scans with it.
# Do note that the executable is 300MB and may take some time to download.
# ---
# This will scan for malware and PUPs in 1) system memory 2) important folders as documentation says
# It will scan in compressed archives, in mail archives, in NTFS alternate data streams and use cloud requests
# ---
# You can use argument "/delete" to delete found objects including references but this is permanent and irreversible.
# You can remove the "/quick" argument to do a full scan but that may take longer than what FRST can handle.
# You can use argument "/quarantine="[folder]"" to put found malware into quarantine, but I personally prefer first verifying the detections.
$downloadUrl = "https://dl.emsisoft.com/EmsisoftEmergencyKit.exe"
$systemDrive = $env:SystemDrive
$frstPath = "$systemDrive\FRST"
$savePath = "$frstPath\EEK.exe"
$extractPath = "$frstPath\EEK"
if (-not (Test-Path $frstPath)) { New-Item -Path $frstPath -ItemType Directory -Force | Out-Null }
if (-not (Test-Path $extractPath)) { New-Item -Path $extractPath -ItemType Directory -Force | Out-Null }
Invoke-WebRequest -Uri $downloadUrl -OutFile $savePath -UseBasicParsing
$proc = Start-Process -FilePath $savePath -ArgumentList "-s -d`"$extractPath`"" -PassThru
while (-not (Test-Path "$extractPath\bin64\a2cmd.exe")) { Start-Sleep -Milliseconds 1000 }
Stop-Process -Id $proc.Id -Force -ErrorAction SilentlyContinue
if ([Environment]::Is64BitOperatingSystem) { $a2cmdPath = Join-Path $extractPath "bin64\a2cmd.exe" } else { $a2cmdPath = Join-Path $extractPath "bin32\a2cmd.exe" }
Start-Process -FilePath $a2cmdPath -ArgumentList "/update" -Wait -NoNewWindow
Start-Process -FilePath $a2cmdPath -ArgumentList "/malware /quick /m /t /pup /a /am /cloud=1 /la=`"$frstPath\EEK_scan.log`"" -Wait -NoNewWindow
Get-Content "$frstPath\EEK_scan.log"
exit
EndPowerShell:
StartPowerShell:
# Downloads newest AdwCleaner version directly from Malwarebytes, performs an update, scans, cleans and writes the log in console
# Does not clean preinstalled objects, only PUP/Adware
# If you would like to delete preinstalled objects, add an argument /preinstalled to the /clean argument
# If you would like to only scan with it, change the argument from /clean to /scan
New-Item -ItemType Directory -Force -Path "$env:SystemDrive\AdwCleaner" | Out-Null
Invoke-WebRequest -Uri "https://adwcleaner.malwarebytes.com/adwcleaner?channel=release" -OutFile "$env:SystemDrive\AdwCleaner\AdwCleanerFRST.exe"
Start-Process -FilePath "$env:SystemDrive\AdwCleaner\AdwCleanerFRST.exe" -ArgumentList "/eula" -Wait -WindowStyle Hidden
$logFile = "$env:SystemDrive\AdwCleaner\AdwCleanerOutputFRST.txt"
Start-Process -FilePath "$env:SystemDrive\AdwCleaner\AdwCleanerFRST.exe" -ArgumentList "/noreboot /clean" -Wait -WindowStyle Hidden -RedirectStandardOutput $logFile
Get-Content $logFile -Encoding Unicode
Remove-Item -Path $logFile -Force -ErrorAction SilentlyContinue
EndPowerShell:
CMD: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /v "SmartScreenEnabled" /t REG_SZ /d "Warn" /f
CMD: reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v "EnableWebContentEvaluation" /t REG_DWORD /d 1 /f
CMD: netsh int ip reset
CMD: netsh int ipv6 reset
CMD: ipconfig /flushDNS
CMD: netsh winsock reset catalog
C:\Users\CurrentUserName\AppData\Local\Temp\*
C:\Windows\Temp\*
C:\Windows\SystemTemp\*
EmptyTemp:
End::