Start::
SystemRestore: On
CreateRestorePoint:
CloseProcesses:
2026-04-27 16:08 - 2026-04-27 16:08 - 000000000 ____D C:\Users\ani7k\AppData\Roaming\RenPy
Task: {56A394C4-A985-4E51-BAA3-C6207C9FD4EB} - System32\Tasks\CCleaner Update => C:\Program Files\CCleaner\CCUpdate.exe (No File)
Task: {077BA067-7C15-40F0-B22E-C9DC2A54B4A2} - System32\Tasks\Microsoft\Windows\Location\Notifications => %windir%\System32\LocationNotificationWindows.exe (No File)
Task: {0BB36A32-0D9E-4297-AFD7-6BD7B5DB4C9B} - System32\Tasks\Microsoft\Windows\UNP\RunUpdateNotificationMgr => %windir%\System32\UNP\UpdateNotificationMgr.exe (No File)
Task: {F3E6E7ED-A196-4E44-8803-55FAB3AD4E29} - System32\Tasks\Microsoft\Windows\UpdateOrchestrator\USO_UxBroker => %systemroot%\system32\MusNotification.exe (No File)
S3 MicrosoftEdgeElevationService; "C:\Program Files (x86)\Microsoft\Edge\Application\147.0.3912.72\elevation_service.exe" (No File)
CustomCLSID: HKU\S-1-5-21-2377089395-2495333504-4004962672-1001_Classes\CLSID\{13357088-9834-0409-1600-134951500000}\localserver32 -> "C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe" -ToastActivated => No File
CustomCLSID: HKU\S-1-5-21-2377089395-2495333504-4004962672-1001_Classes\CLSID\{38142727-3008-9161-1521-349515000000}\localserver32 -> "C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe" -ToastActivated => No File
CustomCLSID: HKU\S-1-5-21-2377089395-2495333504-4004962672-1001_Classes\CLSID\{d1b22d3d-8585-53a6-acb3-0e803c7e8d2a}\localserver32 -> "C:\Users\ani7k\AppData\Local\Microsoft\Teams\current\Teams.exe" --toast => No File
AlternateDataStreams: C:\ProgramData\catcache3.bin:0C23A85016 [3442]
AlternateDataStreams: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Ahk2Exe.lnk:0676F50C01 [3442]
AlternateDataStreams: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AutoHotkey Window Spy.lnk:88F1223DAF [3442]
AlternateDataStreams: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AutoHotkey.lnk:65D313D927 [3442]
AlternateDataStreams: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Epic Games Launcher.lnk:BE32D07BC5 [3442]
AlternateDataStreams: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Multipass.lnk:A0BE7C9D0B [3442]
AlternateDataStreams: C:\Users\Public\Shared Files:VersionCache [3254]
FirewallRules: [{1F39F52C-0395-463B-B267-CA2A5B73AA52}] => (Allow) C:\Program Files\Razer\RazerAppEngine\app-4.0.660\RazerAppEngine.exe => No File
FirewallRules: [UDP Query User{1063E74C-6748-4C2E-8E0E-AF11AD12D70B}C:\program files (x86)\pts\tracerplus desktop 10\tools\webdeploy\tp_desktop_deployserver.exe] => (Allow) C:\program files (x86)\pts\tracerplus desktop 10\tools\webdeploy\tp_desktop_deployserver.exe => No File
FirewallRules: [TCP Query User{6B1D06E8-753F-4720-8C42-DAEBCE7CA531}C:\program files (x86)\pts\tracerplus desktop 10\tools\webdeploy\tp_desktop_deployserver.exe] => (Allow) C:\program files (x86)\pts\tracerplus desktop 10\tools\webdeploy\tp_desktop_deployserver.exe => No File
FirewallRules: [{5FA5BB6E-09C7-4F1E-A8FB-781478019B86}] => (Allow) C:\Program Files\BlueStacks_msi2\HD-Player.exe => No File
FirewallRules: [TCP Query User{84BE930E-12B7-43F3-B5FD-C3C5D376625A}C:\program files\epic games\fortnite\fortnitegame\binaries\win64\fortniteclient-win64-shipping.exe] => (Allow) C:\program files\epic games\fortnite\fortnitegame\binaries\win64\fortniteclient-win64-shipping.exe => No File
FirewallRules: [UDP Query User{4F17CCD2-70D6-4673-9C27-F47EAE80F780}C:\program files\epic games\fortnite\fortnitegame\binaries\win64\fortniteclient-win64-shipping.exe] => (Allow) C:\program files\epic games\fortnite\fortnitegame\binaries\win64\fortniteclient-win64-shipping.exe => No File
FirewallRules: [TCP Query User{FE5EF00E-018D-46DE-952B-9BB0B2DDDA0D}C:\riot games\riot client\riotclientservices.exe] => (Allow) C:\riot games\riot client\riotclientservices.exe => No File
FirewallRules: [UDP Query User{9D562643-410D-42FB-98D5-32F1E8C36A64}C:\riot games\riot client\riotclientservices.exe] => (Allow) C:\riot games\riot client\riotclientservices.exe => No File
FirewallRules: [TCP Query User{81951BF3-0608-45FA-BD5C-331B22C60FBE}C:\program files (x86)\airdroidcast\airdroidcast.exe] => (Allow) C:\program files (x86)\airdroidcast\airdroidcast.exe => No File
FirewallRules: [UDP Query User{37BDBA2E-58FF-410B-9321-37AAC68D1129}C:\program files (x86)\airdroidcast\airdroidcast.exe] => (Allow) C:\program files (x86)\airdroidcast\airdroidcast.exe => No File
FirewallRules: [{4343F0FD-83AE-46A7-9946-69597A4306C5}] => (Allow) C:\Users\ani7k\AppData\Roaming\Zoom\bin\Zoom.exe => No File
FirewallRules: [TCP Query User{E503701D-B761-4CB8-B6BF-83F63A1354EC}C:\riot games\valorant\live\shootergame\binaries\win64\valorant-win64-shipping.exe] => (Block) C:\riot games\valorant\live\shootergame\binaries\win64\valorant-win64-shipping.exe => No File
FirewallRules: [UDP Query User{76DF8C37-5768-4607-8A32-F58E78BA8EB2}C:\riot games\valorant\live\shootergame\binaries\win64\valorant-win64-shipping.exe] => (Block) C:\riot games\valorant\live\shootergame\binaries\win64\valorant-win64-shipping.exe => No File
FirewallRules: [{FA071098-C9D1-4B3C-899E-580681C77B30}] => (Allow) C:\Program Files\Mozilla Firefox\firefox.exe => No File
FirewallRules: [TCP Query User{D44BBA69-F0DF-437D-A661-743094AF78F0}C:\xboxgames\call of duty\content\cod.exe] => (Allow) C:\xboxgames\call of duty\content\cod.exe => No File
FirewallRules: [UDP Query User{F1B2BC66-0680-4F22-B4DC-0FBF2E891CAE}C:\xboxgames\call of duty\content\cod.exe] => (Allow) C:\xboxgames\call of duty\content\cod.exe => No File
FirewallRules: [TCP Query User{C157BDAD-34D9-42A3-B639-3113A25772E3}C:\users\ani7k\.vscode\extensions\redhat.java-1.36.0-win32-x64\jre\17.0.13-win32-x86_64\bin\java.exe] => (Allow) C:\users\ani7k\.vscode\extensions\redhat.java-1.36.0-win32-x64\jre\17.0.13-win32-x86_64\bin\java.exe => No File
FirewallRules: [UDP Query User{7244F09E-A786-48E7-9DDA-7B4525C5D0C7}C:\users\ani7k\.vscode\extensions\redhat.java-1.36.0-win32-x64\jre\17.0.13-win32-x86_64\bin\java.exe] => (Allow) C:\users\ani7k\.vscode\extensions\redhat.java-1.36.0-win32-x64\jre\17.0.13-win32-x86_64\bin\java.exe => No File
FirewallRules: [TCP Query User{02549E29-A7ED-4AEB-AB4F-643A75D7D810}C:\riot games\riot client\riotclientelectron\riot client.exe] => (Allow) C:\riot games\riot client\riotclientelectron\riot client.exe => No File
FirewallRules: [UDP Query User{E27728A2-05AA-4A81-A931-7EBC29E4CA17}C:\riot games\riot client\riotclientelectron\riot client.exe] => (Allow) C:\riot games\riot client\riotclientelectron\riot client.exe => No File
FirewallRules: [TCP Query User{035CB5AD-91A3-483B-AAB0-EBE58E3942C7}C:\program files\nodejs\node.exe] => (Allow) C:\program files\nodejs\node.exe => No File
FirewallRules: [UDP Query User{D5D5E25E-ED44-4CCF-BCD8-7E8E59DE30ED}C:\program files\nodejs\node.exe] => (Allow) C:\program files\nodejs\node.exe => No File
HKLM\SOFTWARE\Microsoft\Windows Defender: [DisableAntiSpyware] Restriction <==== ATTENTION
HKLM\SOFTWARE\Microsoft\Windows Defender: [DisableAntiVirus] Restriction <==== ATTENTION
GroupPolicy: Restriction ? <==== ATTENTION
Policies: C:\ProgramData\NTUSER.pol: Restriction <==== ATTENTION
2026-04-27 23:26 - 2026-04-27 23:26 - 000000000 ___HD C:\WINDOWS\msdownld.tmp
File: C:\Program Files\Multipass\bin\multipass.gui.exe
StartPowerShell:
# This snippet downloads Emsisoft Emergency Kit (EEK) from Emsisoft's official site, updates it, and scans with it.
# Do note that the executable is 300MB and may take some time to download.
# ---
# This will scan for malware and PUPs in 1) system memory 2) important folders, as the documentation says.
# It will scan inside compressed archives, mail archives and NTFS alternate data streams, and use cloud requests.
# ---
# You can use the argument "/delete" to delete found objects including references, but this is permanent and irreversible.
# You can remove the "/quick" argument to do a full scan, but that may take longer than what FRST can handle.
# You can use the argument "/quarantine="[folder]"" to put found malware into quarantine, but I personally prefer first verifying the detections.
$downloadUrl = "https://dl.emsisoft.com/EmsisoftEmergencyKit.exe"
$systemDrive = $env:SystemDrive
$frstPath = "$systemDrive\FRST"
$savePath = "$frstPath\EEK.exe"
$extractPath = "$frstPath\EEK"
if (-not (Test-Path $frstPath)) {
    New-Item -Path $frstPath -ItemType Directory -Force | Out-Null
}
if (-not (Test-Path $extractPath)) {
    New-Item -Path $extractPath -ItemType Directory -Force | Out-Null
}
Invoke-WebRequest -Uri $downloadUrl -OutFile $savePath -UseBasicParsing
# Silent self-extraction into $extractPath; wait until the 64-bit scanner binary appears, then stop the extractor
$proc = Start-Process -FilePath $savePath -ArgumentList "-s -d`"$extractPath`"" -PassThru
while (-not (Test-Path "$extractPath\bin64\a2cmd.exe")) {
    Start-Sleep -Milliseconds 1000
}
Stop-Process -Id $proc.Id -Force -ErrorAction SilentlyContinue
if ([Environment]::Is64BitOperatingSystem) {
    $a2cmdPath = Join-Path $extractPath "bin64\a2cmd.exe"
} else {
    $a2cmdPath = Join-Path $extractPath "bin32\a2cmd.exe"
}
Start-Process -FilePath $a2cmdPath -ArgumentList "/update" -Wait -NoNewWindow
Start-Process -FilePath $a2cmdPath -ArgumentList "/malware /quick /m /t /pup /a /am /cloud=1 /la=`"$frstPath\EEK_scan.log`"" -Wait -NoNewWindow
Get-Content "$frstPath\EEK_scan.log"
exit
EndPowerShell:
StartPowerShell:
# Downloads the newest AdwCleaner version directly from Malwarebytes, performs an update, scans, cleans and writes the log to the console.
# Does not clean preinstalled objects, only PUP/Adware.
# If you would like to delete preinstalled objects, add the argument /preinstalled to the /clean argument.
# If you would like to only scan with it, change the argument from /clean to /scan.
New-Item -ItemType Directory -Force -Path "$env:SystemDrive\AdwCleaner" | Out-Null
Invoke-WebRequest -Uri "https://adwcleaner.malwarebytes.com/adwcleaner?channel=release" -OutFile "$env:SystemDrive\AdwCleaner\AdwCleanerFRST.exe"
Start-Process -FilePath "$env:SystemDrive\AdwCleaner\AdwCleanerFRST.exe" -ArgumentList "/eula" -Wait -WindowStyle Hidden
$logFile = "$env:SystemDrive\AdwCleaner\AdwCleanerOutputFRST.txt"
Start-Process -FilePath "$env:SystemDrive\AdwCleaner\AdwCleanerFRST.exe" -ArgumentList "/noreboot /clean" -Wait -WindowStyle Hidden -RedirectStandardOutput $logFile
Get-Content $logFile -Encoding Unicode
Remove-Item -Path $logFile -Force -ErrorAction SilentlyContinue
EndPowerShell:
CMD: netsh int ip reset
CMD: netsh int ipv6 reset
CMD: ipconfig /flushDNS
CMD: netsh winsock reset catalog
C:\Users\CurrentUserName\AppData\Local\Temp\*
C:\Windows\Temp\*
EmptyTemp:
End::