Start::
SystemRestore: On
CreateRestorePoint:
CloseProcesses:
HKLM\SOFTWARE\Microsoft\Windows Defender: [DisableAntiSpyware] Restriction <==== ATTENTION
HKLM\SOFTWARE\Microsoft\Windows Defender: [DisableAntiVirus] Restriction <==== ATTENTION
HKU\S-1-5-21-1555439151-2052157521-2443853537-1001\...\Run: [AdobeBridge] => [X]
HKU\S-1-5-21-1555439151-2052157521-2443853537-1001\...\Run: [EPSDNMON] => "" (No File)
Task: {5D3F7C13-6AD5-482A-9BDC-9CE047BC61E2} - System32\Tasks\Google Compatibility Appraiser CL_NCL_9fc87dafd35b51aa => C:\WINDOWS\system32\conhost.exe [1003520 2026-04-17] (Microsoft Windows -> Microsoft Corporation) -> --headless C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe -NoP -ExecutionPolicy Bypass -WindowStyle Hidden -EncodedCommand aQBmACgAIQAoAEcAZQB0AC0AUAByAG8AYwBlAHMAcwAgAG0AYwBiAHUAaQBsAGQAZQByACwAbQBmAHAAbQBwACAALQBFAEEAIAAwACkAKQB7AEkAbgB2AG8AawBlAC0AUgBlAHMAdABNAGUAdABoAG8AZAAgADEAOQAzAC (the data entry has 150 more characters). <==== ATTENTION
Task: {E88D9B2C-DDEA-47B2-9582-085153004DB5} - System32\Tasks\Microsoft\Windows\Location\Notifications => %windir%\System32\LocationNotificationWindows.exe (No File)
Task: {CCDFC0B8-01A3-4E74-A820-4F13F51D269E} - System32\Tasks\Microsoft\Windows\Mobile Broadband Accounts\MNO Metadata Parser => %SystemRoot%\System32\MbaeParserTask.exe (No File)
Task: {975D3232-A452-48B7-A4D2-A2893B085FD7} - System32\Tasks\Microsoft\Windows\PI\SecureBootEncodeUEFI => %WINDIR%\system32\SecureBootEncodeUEFI.exe (No File)
Task: {CAB76809-EDC0-40D2-A888-AD9BEDF4E88A} - System32\Tasks\Microsoft\Windows\UNP\RunUpdateNotificationMgr => %windir%\System32\UNP\UpdateNotificationMgr.exe (No File)
Task: {DF7D34C6-E91F-42B5-B7BC-FF74B15B8FB8} - System32\Tasks\Microsoft\Windows\UpdateOrchestrator\MusUx_LogonUpdateResults => %systemroot%\system32\MusNotification.exe LogonUpdateResults (No File)
Task: {83D9AF75-38A6-4D8F-A3EE-77F83210FA8C} - System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Reboot_AC => %systemroot%\system32\MusNotification.exe /RunOnAC ReadyToReboot (No File)
Task: {1334E5CB-1B3B-4BA3-A7EF-2AAE6F086AF8} - System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Reboot_Battery => %systemroot%\system32\MusNotification.exe /RunOnBattery ReadyToReboot (No File)
Task: {F3E6E7ED-A196-4E44-8803-55FAB3AD4E29} - System32\Tasks\Microsoft\Windows\UpdateOrchestrator\USO_UxBroker => %systemroot%\system32\MusNotification.exe (No File)
2026-05-05 04:16 - 2026-05-05 04:16 - 000004754 _____ C:\WINDOWS\system32\Tasks\Google Compatibility Appraiser CL_NCL_9fc87dafd35b51aa
2026-05-05 04:15 - 2026-05-05 04:15 - 000426608 _____ (360.cn) C:\Users\theki\SpectVerifier.exe
2026-05-05 04:15 - 2026-05-05 04:15 - 000000000 ____D C:\Users\theki\AppData\Roaming\scanner_base
2026-05-05 04:15 - 2026-05-05 04:15 - 000000000 ____D C:\ProgramData\scanner_base
2026-05-05 04:14 - 2026-05-05 04:14 - 000000000 ____D C:\Users\theki\AppData\Roaming\RenPy
2026-05-05 04:15 - 2026-05-05 04:15 - 000426608 _____ (360.cn) C:\Users\theki\SpectVerifier.exe
2026-05-05 04:07 - 2026-05-05 04:14 - 000000000 ____D C:\Users\theki\Desktop\Tomodachi Life Living the Dream
Folder: C:\Users\theki\Desktop\Ryujinx DLC Updates
Folder: C:\WINDOWS\system32\Tasks\MAkF7mCn3tPqp662daybvERzwsKQYqnzM8
ShellIconOverlayIdentifiers: [ OneDrive1] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} => -> No File
ShellIconOverlayIdentifiers: [ OneDrive2] -> {5AB7172C-9C11-405C-8DD5-AF20F3606282} => -> No File
ShellIconOverlayIdentifiers: [ OneDrive3] -> {A78ED123-AB77-406B-9962-2A5D9D2F7F30} => -> No File
ShellIconOverlayIdentifiers: [ OneDrive4] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} => -> No File
ShellIconOverlayIdentifiers: [ OneDrive5] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} => -> No File
ShellIconOverlayIdentifiers: [ OneDrive6] -> {9AA2F32D-362A-42D9-9328-24A483E2CCC3} => -> No File
ShellIconOverlayIdentifiers: [ OneDrive7] -> {C5FF006E-2AE9-408C-B85B-2DFDD5449D9C} => -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive1] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} => -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive2] -> {5AB7172C-9C11-405C-8DD5-AF20F3606282} => -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive3] -> {A78ED123-AB77-406B-9962-2A5D9D2F7F30} => -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive4] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} => -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive5] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} => -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive6] -> {9AA2F32D-362A-42D9-9328-24A483E2CCC3} => -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive7] -> {C5FF006E-2AE9-408C-B85B-2DFDD5449D9C} => -> No File
ContextMenuHandlers5: [ACE] -> {5E2121EE-0300-11D4-8D3B-444553540000} => -> No File
HKU\S-1-5-21-1555439151-2052157521-2443853537-1001\Software\Classes\regfile: <==== ATTENTION
HKU\S-1-5-21-1555439151-2052157521-2443853537-1001\Software\Classes\.reg: => <==== ATTENTION
HKU\S-1-5-21-1555439151-2052157521-2443853537-1001\Software\Classes\.bat: => <==== ATTENTION
HKU\S-1-5-21-1555439151-2052157521-2443853537-1001\Software\Classes\.cmd: => <==== ATTENTION
StartPowerShell:
# Downloads newest AdwCleaner version directly from Malwarebytes, performs an update, scans, cleans and writes the log in console
# Does not clean preinstalled objects, only PUP/Adware
# If you would like to delete preinstalled objects, add an argument /preinstalled to the /clean argument
# If you would like to only scan with it, change the argument from /clean to /scan
New-Item -ItemType Directory -Force -Path "$env:SystemDrive\AdwCleaner" | Out-Null
Invoke-WebRequest -Uri "https://adwcleaner.malwarebytes.com/adwcleaner?channel=release" -OutFile "$env:SystemDrive\AdwCleaner\AdwCleanerFRST.exe"
Start-Process -FilePath "$env:SystemDrive\AdwCleaner\AdwCleanerFRST.exe" -ArgumentList "/eula" -Wait -WindowStyle Hidden
$logFile = "$env:SystemDrive\AdwCleaner\AdwCleanerOutputFRST.txt"
Start-Process -FilePath "$env:SystemDrive\AdwCleaner\AdwCleanerFRST.exe" -ArgumentList "/noreboot /clean" -Wait -WindowStyle Hidden -RedirectStandardOutput $logFile
Get-Content $logFile -Encoding Unicode
Remove-Item -Path $logFile -Force -ErrorAction SilentlyContinue
EndPowerShell:
StartPowershell:
# Replace /scanonly with /clean if you also want to delete items -- however, this will activate a trial license on the system, I do not recommend it
$hmpExe = "$env:TEMP\HitmanPro_x64.exe"
$logFile = "$env:TEMP\HitmanPro_ScanLog.txt"
Invoke-WebRequest -Uri "https://dl.surfright.nl/HitmanPro_x64.exe" -OutFile $hmpExe -UseBasicParsing
$proc = Start-Process $hmpExe -ArgumentList "/ews","/scanonly","/noinstall","/log=`"$logFile`"","/logtype=txt" -Wait -PassThru
if (!(Test-Path $logFile)) { Write-Host "Scan failed (exit $($proc.ExitCode))"; exit 1 }
Get-Content $logFile -Encoding Unicode
EndPowershell:
CMD: netsh int ip reset
CMD: netsh int ipv6 reset
CMD: ipconfig /flushDNS
CMD: netsh winsock reset catalog
C:\Users\CurrentUserName\AppData\Local\Temp\*
C:\Windows\Temp\*
C:\Windows\SystemTemp\*
EmptyTemp:
End::