Start::
SystemRestore: On
CreateRestorePoint:
CloseProcesses:
CustomCLSID: HKU\S-1-5-21-1209033711-1643753862-1338627401-1001_Classes\CLSID\{13357088-9834-0409-1600-134951500000}\localserver32 -> "C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe" -ToastActivated => No File
CustomCLSID: HKU\S-1-5-21-1209033711-1643753862-1338627401-1001_Classes\CLSID\{1DBF43DD-026C-45AE-84B0-B96FAF66362B}\localserver32 -> "c:\program files\musehub\current\musehub.exe" ----AppNotificationActivated: => No File
CustomCLSID: HKU\S-1-5-21-1209033711-1643753862-1338627401-1001_Classes\CLSID\{38142727-3008-9161-1521-349515000000}\localserver32 -> "C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe" -ToastActivated => No File
CustomCLSID: HKU\S-1-5-21-1209033711-1643753862-1338627401-1001_Classes\CLSID\{D8599F80-3D26-46D2-8CF1-0AD21B0ECF31}\InprocServer32 -> C:\Users\ramz\AppData\Local\Microsoft\EdgeUpdate\1.3.195.65\psuser_64.dll => No File
AlternateDataStreams: C:\Users\ramz\Desktop\FRSTEnglish.exe:MBAM.Zone.Identifier [69]
FirewallRules: [{4ACB7EE8-9911-421A-8604-02ABD710AE27}] => (Allow) C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe => No File
FirewallRules: [{FFB61130-D6F4-4076-BC87-E1313E1A36D7}] => (Allow) C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe => No File
FirewallRules: [TCP Query User{C3A7A1DF-E079-470D-807B-2CEB51028B08}C:\users\ramz\downloads\ultrakill.patch.16\game\ultrakill.exe] => (Allow) C:\users\ramz\downloads\ultrakill.patch.16\game\ultrakill.exe => No File
FirewallRules: [UDP Query User{33C15E66-B90E-4622-BAD0-C0969D246D5C}C:\users\ramz\downloads\ultrakill.patch.16\game\ultrakill.exe] => (Allow) C:\users\ramz\downloads\ultrakill.patch.16\game\ultrakill.exe => No File
FirewallRules: [TCP Query User{0C25DDDD-B01B-45E4-955F-BE5F9F9AA284}C:\program files (x86)\steam\steamapps\common\ultraaa\ultrakill.exe] => (Allow) C:\program files (x86)\steam\steamapps\common\ultraaa\ultrakill.exe => No File
FirewallRules: [UDP Query User{9FF7D4B5-A505-4AFD-84A9-82BE1971AB03}C:\program files (x86)\steam\steamapps\common\ultraaa\ultrakill.exe] => (Allow) C:\program files (x86)\steam\steamapps\common\ultraaa\ultrakill.exe => No File
FirewallRules: [TCP Query User{05D5838B-8D13-4F1A-B6B4-DC1339A3C75D}C:\users\ramz\desktop\programz\ultraaa\ultrakill.exe] => (Allow) C:\users\ramz\desktop\programz\ultraaa\ultrakill.exe => No File
FirewallRules: [UDP Query User{FF89D10B-92BD-43EC-AE9D-58BE8C213AFE}C:\users\ramz\desktop\programz\ultraaa\ultrakill.exe] => (Allow) C:\users\ramz\desktop\programz\ultraaa\ultrakill.exe => No File
FirewallRules: [TCP Query User{CCD0CCDE-E368-4C71-A66F-5E204A8D9640}D:\the.dishwasher.vampire.smile\vampiresmile.exe] => (Allow) D:\the.dishwasher.vampire.smile\vampiresmile.exe => No File
FirewallRules: [UDP Query User{BF82D9D3-DD86-498A-872C-9C07A98BEF3C}D:\the.dishwasher.vampire.smile\vampiresmile.exe] => (Allow) D:\the.dishwasher.vampire.smile\vampiresmile.exe => No File
FirewallRules: [{CE754F6B-42D2-4587-B583-633D57EAB96F}] => (Allow) C:\Program Files\MuseHub\current\MuseHub.exe => No File
FirewallRules: [{8C507ACF-1671-4CEB-AA29-23DF153EF52A}] => (Allow) C:\Program Files (x86)\NAMCO BANDAI Games\DarkSouls\DARKSOULS.exe => No File
HKLM\...\Run: [MuseHub] => "C:\Program Files\MuseHub\current\MuseHub.exe" "----ms-protocol:ms-encodedlaunch:App?ContractId=Windows.StartupTask&TaskId=MuseHub" (No File)
HKU\S-1-5-21-1209033711-1643753862-1338627401-1001\...\Run: [AdobeBridge] => [X]
HKU\S-1-5-21-1209033711-1643753862-1338627401-1001\...\Run: [Adobe Acrobat Synchronizer] => "C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe" (No File)
HKU\S-1-5-21-1209033711-1643753862-1338627401-1001\...\MountPoints2: {4a3cf54c-a384-11f0-85bf-10c37b6d554d} - "V:\Setup.exe"
HKU\S-1-5-21-1209033711-1643753862-1338627401-1001\...\MountPoints2: {4a3d0080-a384-11f0-85bf-10c37b6d554d} - "W:\Setup.exe"
ShortcutTarget: FxSound.lnk -> C:\Program Files\FxSound LLC\FxSound\FxSound.exe (No File)
Task: {17F1BE3C-AE08-47E3-BA17-52EC7C7AB1C2} - System32\Tasks\FxSound\Update => "C:\Program Files\FxSound LLC\FxSound\updater.exe" /silent (No File)
S2 MuseAuthService; "C:\Program Files\MuseHub\current\MuseAuthService.exe" (No File)
S3 MuseHubUpdaterService; "C:\Program Files\MuseHub\current\MuseHub.Updater.exe" (No File)
HKLM\SOFTWARE\Policies\Microsoft\MRT: Restriction <==== ATTENTION
HKU\S-1-5-21-1209033711-1643753862-1338627401-1001\...\Run: [GoogleUpdateTaskMachineQC] => C:\Users\ramz\AppData\Roaming\Sandboxie\sandboxie.exe [148888 2026-05-21] (Microsoft Windows -> Microsoft Corporation) <==== ATTENTION
S2 GoogleUpdateTaskMachineQC; C:\ProgramData\Google\Chrome\updater.exe [148888 2026-05-21] (Microsoft Windows -> Microsoft Corporation) <==== ATTENTION
Folder: C:\ProgramData\Google
Folder: C:\ProgramData\Google\Chrome
C:\ProgramData\Google\Chrome\updater.exe
C:\Users\ramz\AppData\Roaming\Sandboxie
File: C:\WINDOWS\TEMPhttnxkljbcsz.sys
File: C:\Users\ramz\Downloads\dcntel.dll
2026-05-21 14:16 - 2026-05-22 07:58 - 000014544 _____ (OpenLibSys.org) C:\WINDOWS\TEMPhttnxkljbcsz.sys
2026-05-21 14:16 - 2026-05-21 14:16 - 000000000 ____D C:\ProgramData\Google
2026-05-21 14:15 - 2026-05-21 14:15 - 000000000 ____D C:\Users\ramz\AppData\Roaming\Sandboxie
2026-05-21 14:13 - 2026-05-21 21:13 - 075024880 ____N (The Qt Company Ltd.) C:\Users\ramz\Downloads\dcntel.dll
2026-05-21 14:13 - 2026-05-21 14:13 - 075174004 _____ C:\Users\ramz\Downloads\HLS Installer.971.zip
StartPowershell:
# This snippet removes all Windows Defender exclusions
Try {
    $Paths=(Get-MpPreference).ExclusionPath
    $Extensions=(Get-MpPreference).ExclusionExtension
    $Processes=(Get-MpPreference).ExclusionProcess
    foreach ($Path in $Paths) { Remove-MpPreference -ExclusionPath $Path -force -ErrorAction Stop }
    foreach ($Extension in $Extensions) { Remove-MpPreference -ExclusionExtension $Extension -force -ErrorAction Stop }
    foreach ($Process in $Processes) { Remove-MpPreference -ExclusionProcess $Process -force -ErrorAction Stop }
} Catch {
    Write-Error "Error occurred while removing Windows Defender exclusions: $_"
}
EndPowershell:
StartPowershell:
# Replace /scanonly with /clean if you also want to delete items -- however, this will activate a trial license on the system, I do not recommend it
$hmpExe = "$env:TEMP\HitmanPro_x64.exe"
$logFile = "$env:TEMP\HitmanPro_ScanLog.txt"
Invoke-WebRequest -Uri "https://dl.surfright.nl/HitmanPro_x64.exe" -OutFile $hmpExe -UseBasicParsing
$proc = Start-Process $hmpExe -ArgumentList "/ews","/scanonly","/noinstall","/log=`"$logFile`"","/logtype=txt" -Wait -PassThru
if (!(Test-Path $logFile)) { Write-Host "Scan failed (exit $($proc.ExitCode))"; exit 1 }
Get-Content $logFile -Encoding Unicode
EndPowershell:
StartPowerShell:
# Downloads newest AdwCleaner version directly from Malwarebytes, performs an update, scans, cleans and writes the log in console
# Does not clean preinstalled objects, only PUP/Adware
# If you would like to delete preinstalled objects, add an argument /preinstalled to the /clean argument
# If you would like to only scan with it, change the argument from /clean to /scan
# NOTE: For the sake of users from Asia (primarily China), do not use the clean option. It will very likely remove a lot of their important software.
New-Item -ItemType Directory -Force -Path "$env:SystemDrive\AdwCleaner" | Out-Null
Invoke-WebRequest -Uri "https://adwcleaner.malwarebytes.com/adwcleaner?channel=release" -OutFile "$env:SystemDrive\AdwCleaner\AdwCleanerFRST.exe"
Start-Process -FilePath "$env:SystemDrive\AdwCleaner\AdwCleanerFRST.exe" -ArgumentList "/eula" -Wait -WindowStyle Hidden
$logFile = "$env:SystemDrive\AdwCleaner\AdwCleanerOutputFRST.txt"
Start-Process -FilePath "$env:SystemDrive\AdwCleaner\AdwCleanerFRST.exe" -ArgumentList "/noreboot /clean" -Wait -WindowStyle Hidden -RedirectStandardOutput $logFile
Get-Content $logFile -Encoding Unicode
Remove-Item -Path $logFile -Force -ErrorAction SilentlyContinue
EndPowerShell:
Comment: Remove unwanted files from common folders using native removal power of Farbar to include remove on reboot if needed. Please double check the user does not have any applications incorrectly installed in the directories listed below.
C:\ProgramData\*.a3x
C:\ProgramData\*.ahk
C:\ProgramData\*.au3
C:\ProgramData\*.bat
C:\ProgramData\*.cab
C:\ProgramData\*.cmd
C:\ProgramData\*.com
C:\ProgramData\*.dll
C:\ProgramData\*.exe
C:\ProgramData\*.hta
C:\ProgramData\*.jar
C:\ProgramData\*.js
C:\ProgramData\*.jse
C:\ProgramData\*.lnk
C:\ProgramData\*.pif
C:\ProgramData\*.ps1
C:\ProgramData\*.py
C:\ProgramData\*.pyc
C:\ProgramData\*.pyd
C:\ProgramData\*.scr
C:\ProgramData\*.tmp
C:\ProgramData\*.vbe
C:\ProgramData\*.vbs
C:\ProgramData\*.wsf
C:\ProgramData\*.wsh
C:\ProgramData\*.zip
C:\ProgramData\*.rar
C:\ProgramData\*.7z
C:\Users\*\AppData\Roaming\*.au3
C:\Users\*\AppData\Roaming\*.bat
C:\Users\*\AppData\Roaming\*.cab
C:\Users\*\AppData\Roaming\*.cmd
C:\Users\*\AppData\Roaming\*.com
C:\Users\*\AppData\Roaming\*.dll
C:\Users\*\AppData\Roaming\*.exe
C:\Users\*\AppData\Roaming\*.hta
C:\Users\*\AppData\Roaming\*.jar
C:\Users\*\AppData\Roaming\*.js
C:\Users\*\AppData\Roaming\*.jse
C:\Users\*\AppData\Roaming\*.lnk
C:\Users\*\AppData\Roaming\*.pif
C:\Users\*\AppData\Roaming\*.ps1
C:\Users\*\AppData\Roaming\*.py
C:\Users\*\AppData\Roaming\*.pyc
C:\Users\*\AppData\Roaming\*.pyd
C:\Users\*\AppData\Roaming\*.scr
C:\Users\*\AppData\Roaming\*.tmp
C:\Users\*\AppData\Roaming\*.vbe
C:\Users\*\AppData\Roaming\*.vbs
C:\Users\*\AppData\Roaming\*.wsf
C:\Users\*\AppData\Roaming\*.wsh
C:\Users\*\AppData\Roaming\*.zip
C:\Users\*\AppData\Roaming\*.rar
C:\Users\*\AppData\Roaming\*.7z
C:\Users\CurrentUserName\AppData\Local\*.a3x
C:\Users\CurrentUserName\AppData\Local\*.ahk
C:\Users\CurrentUserName\AppData\Local\*.au3
C:\Users\CurrentUserName\AppData\Local\*.bat
C:\Users\CurrentUserName\AppData\Local\*.cab
C:\Users\CurrentUserName\AppData\Local\*.cmd
C:\Users\CurrentUserName\AppData\Local\*.com
C:\Users\CurrentUserName\AppData\Local\*.dll
C:\Users\CurrentUserName\AppData\Local\*.exe
C:\Users\CurrentUserName\AppData\Local\*.hta
C:\Users\CurrentUserName\AppData\Local\*.jar
C:\Users\CurrentUserName\AppData\Local\*.js
C:\Users\CurrentUserName\AppData\Local\*.jse
C:\Users\CurrentUserName\AppData\Local\*.lnk
C:\Users\CurrentUserName\AppData\Local\*.pif
C:\Users\CurrentUserName\AppData\Local\*.ps1
C:\Users\CurrentUserName\AppData\Local\*.py
C:\Users\CurrentUserName\AppData\Local\*.pyc
C:\Users\CurrentUserName\AppData\Local\*.pyd
C:\Users\CurrentUserName\AppData\Local\*.scr
C:\Users\CurrentUserName\AppData\Local\*.tmp
C:\Users\CurrentUserName\AppData\Local\*.vbe
C:\Users\CurrentUserName\AppData\Local\*.vbs
C:\Users\CurrentUserName\AppData\Local\*.wsf
C:\Users\CurrentUserName\AppData\Local\*.wsh
C:\Users\CurrentUserName\AppData\Local\*.zip
C:\Users\CurrentUserName\AppData\Local\*.rar
C:\Users\CurrentUserName\AppData\Local\*.7z
C:\Users\CurrentUserName\AppData\Roaming\*.a3x
C:\Users\CurrentUserName\AppData\Roaming\*.ahk
C:\Users\CurrentUserName\AppData\Roaming\*.au3
C:\Users\CurrentUserName\AppData\Roaming\*.bat
C:\Users\CurrentUserName\AppData\Roaming\*.cab
C:\Users\CurrentUserName\AppData\Roaming\*.cmd
C:\Users\CurrentUserName\AppData\Roaming\*.com
C:\Users\CurrentUserName\AppData\Roaming\*.dll
C:\Users\CurrentUserName\AppData\Roaming\*.exe
C:\Users\CurrentUserName\AppData\Roaming\*.hta
C:\Users\CurrentUserName\AppData\Roaming\*.jar
C:\Users\CurrentUserName\AppData\Roaming\*.js
C:\Users\CurrentUserName\AppData\Roaming\*.jse
C:\Users\CurrentUserName\AppData\Roaming\*.lnk
C:\Users\CurrentUserName\AppData\Roaming\*.pif
C:\Users\CurrentUserName\AppData\Roaming\*.ps1
C:\Users\CurrentUserName\AppData\Roaming\*.py
C:\Users\CurrentUserName\AppData\Roaming\*.pyc
C:\Users\CurrentUserName\AppData\Roaming\*.pyd
C:\Users\CurrentUserName\AppData\Roaming\*.scr
C:\Users\CurrentUserName\AppData\Roaming\*.tmp
C:\Users\CurrentUserName\AppData\Roaming\*.vbe
C:\Users\CurrentUserName\AppData\Roaming\*.vbs
C:\Users\CurrentUserName\AppData\Roaming\*.wsf
C:\Users\CurrentUserName\AppData\Roaming\*.wsh
C:\Users\CurrentUserName\AppData\Roaming\*.zip
C:\Users\CurrentUserName\AppData\Roaming\*.rar
C:\Users\CurrentUserName\AppData\Roaming\*.7z
Comment: Force policy removal
C:\Windows\System32\GroupPolicyUsers
C:\Windows\System32\GroupPolicy
Comment: System repair commands
CMD: DISM.exe /Online /Cleanup-image /Restorehealth
CMD: SFC.exe /scannow
Comment: Network reset commands
CMD: netsh int ip reset
CMD: netsh int ipv6 reset
CMD: ipconfig /flushDNS
CMD: netsh winsock reset catalog
Comment: Additional temp file removal
C:\Windows\System32\config\systemprofile\AppData\Local\*.tmp
C:\WINDOWS\system32\*.tmp
C:\WINDOWS\syswow64\*.tmp
C:\Users\CurrentUserName\AppData\Local\Temp\*
C:\Windows\Temp\*
C:\Windows\SystemTemp\*
EmptyTemp:
End::