Start::
SystemRestore: On
CreateRestorePoint:
CloseProcesses:
HKLM\SOFTWARE\Policies\Mozilla\Firefox: Restriction <==== ATTENTION
HKU\S-1-5-21-278991036-3600018555-101566279-1001\...\Run: [Teams] => "C:\Users\mbart\AppData\Local\Microsoft\WindowsApps\MSTeams_8wekyb3d8bbwe\ms-teams.exe" msteams:system-initiated (No File)
Task: {AB9DA3AD-F6FE-4DCC-BCC5-731C55DBD578} - System32\Tasks\Lenovo\Vantage\Schedule\NotificationCenter => C:\Program Files (x86)\Lenovo\VantageService\3.13.72.0\ScheduleEventAction.exe NotificationCenter (No File)
Task: {F33B38B0-3CC9-47A4-A35C-281790A7D045} - System32\Tasks\Lenovo\Vantage\Schedule\VantageTelemetryAddinTask => C:\Program Files (x86)\Lenovo\VantageService\3.5.27.0\ScheduleEventAction.exe VantageTelemetryAddinTask (No File)
Task: {E80010D3-3239-4EBE-8FC5-AEADE0233B66} - System32\Tasks\Lenovo\Vantage\StartupFixPlan => C:\Program Files (x86)\Lenovo\VantageService\4.2.24.0\\uninstall.exe /repair (No File)
Task: {077BA067-7C15-40F0-B22E-C9DC2A54B4A2} - System32\Tasks\Microsoft\Windows\Location\Notifications => %windir%\System32\LocationNotificationWindows.exe (No File)
Task: {CCDFC0B8-01A3-4E74-A820-4F13F51D269E} - System32\Tasks\Microsoft\Windows\Mobile Broadband Accounts\MNO Metadata Parser => %SystemRoot%\System32\MbaeParserTask.exe (No File)
Task: {81C17245-7530-4D32-B4A0-87C3D4474099} - System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Reboot => %systemroot%\system32\MusNotification.exe RebootDialog (No File)
Task: {011B3526-CA84-477C-80F8-7A94DBCE951E} - System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Reboot_AC => %systemroot%\system32\MusNotification.exe /RunOnAC RebootDialog (No File)
Task: {5F13B462-9469-4709-8402-75E88DBC2312} - System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Reboot_Battery => %systemroot%\system32\MusNotification.exe /RunOnBattery RebootDialog (No File)
Task: {F3E6E7ED-A196-4E44-8803-55FAB3AD4E29} - System32\Tasks\Microsoft\Windows\UpdateOrchestrator\USO_UxBroker => %systemroot%\system32\MusNotification.exe (No File)
Task: {67DB8283-FBD5-49A6-BBFD-8FFF110592DC} - System32\Tasks\Opera scheduled Autoupdate 1677830104 => C:\Users\mbart\AppData\Local\Programs\Opera\launcher.exe --scheduledautoupdate $(Arg0) (No File)
CustomCLSID: HKU\S-1-5-21-278991036-3600018555-101566279-1001_Classes\CLSID\{CB965DF1-B8EA-49C7-BDAD-5457FDC1BF92}\InprocServer32 -> C:\Users\mbart\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.20031.2\x64\Microsoft.Teams.AddinLoader.dll => No File
CustomCLSID: HKU\S-1-5-21-278991036-3600018555-101566279-1001_Classes\CLSID\{d1b22d3d-8585-53a6-acb3-0e803c7e8d2a}\localserver32 -> "C:\Users\mbart\AppData\Local\Microsoft\Teams\current\Teams.exe" --toast => No File
AlternateDataStreams: C:\Users\mbart\Downloads:com.dropbox.attrs [54]
AlternateDataStreams: C:\Users\mbart\Downloads\20220216-SAP S_4 HANA - nowoczesny system ERP.pdf:com.dropbox.attrs [54]
AlternateDataStreams: C:\Users\mbart\Downloads\287852792_438312431101468_6029237020134636715_n.jpg:com.dropbox.attrs [54]
AlternateDataStreams: C:\Users\mbart\Downloads\287956969_5772546469427511_8324078549993551469_n.jpg:com.dropbox.attrs [54]
AlternateDataStreams: C:\Users\mbart\Downloads\288012687_1022365428482574_2681682800175844767_n.jpg:com.dropbox.attrs [54]
AlternateDataStreams: C:\Users\mbart\Downloads\288326314_418667016795988_1078948780661951559_n.jpg:com.dropbox.attrs [54]
AlternateDataStreams: C:\Users\mbart\Downloads\288537076_403915724994547_8311403563413048578_n.jpg:com.dropbox.attrs [54]
AlternateDataStreams: C:\Users\mbart\Downloads\288596066_1738602293160305_1465157135671637594_n.jpg:com.dropbox.attrs [54]
AlternateDataStreams: C:\Users\mbart\Downloads\288624193_423867642736690_5274776662651486578_n.jpg:com.dropbox.attrs [54]
AlternateDataStreams: C:\Users\mbart\Downloads\288644984_1224404661699764_7066156148163436899_n.jpg:com.dropbox.attrs [54]
AlternateDataStreams: C:\Users\mbart\Downloads\62-Szablon-budzet-domowy-2020-PLN-v6-3.xlsx:com.dropbox.attrs [54]
AlternateDataStreams: C:\Users\mbart\Downloads\9b43d360f9cb487f5064218024729831.pdf:com.dropbox.attrs [54]
AlternateDataStreams: C:\Users\mbart\Downloads\analiza-stanu-depresyjnego.pdf:com.dropbox.attrs [54]
AlternateDataStreams: C:\Users\mbart\Downloads\avast_free_antivirus_setup_online.exe:com.dropbox.attrs [54]
AlternateDataStreams: C:\Users\mbart\Downloads\Badania-profilaktyczne-dla-kobiet.pdf:com.dropbox.attrs [54]
AlternateDataStreams: C:\Users\mbart\Downloads\Bartczak Magdalena CV.pdf:com.dropbox.attrs [54]
AlternateDataStreams: C:\Users\mbart\Downloads\Biedanizm-Weganskie-Opowiesci-2021-aktualizacja.pdf:com.dropbox.attrs [54]
AlternateDataStreams: C:\Users\mbart\Downloads\black-1641410042260-781.jpg:com.dropbox.attrs [54]
AlternateDataStreams: C:\Users\mbart\Downloads\ccsetup574.exe:com.dropbox.attrs [54]
AlternateDataStreams: C:\Users\mbart\Downloads\Checklista zdjęć w dniu wesela.pdf:com.dropbox.attrs [54]
AlternateDataStreams: C:\Users\mbart\Downloads\ChromeSetup.exe:com.dropbox.attrs [52]
AlternateDataStreams: C:\Users\mbart\Downloads\deklaracja.pdf:com.dropbox.attrs [54]
AlternateDataStreams: C:\Users\mbart\Downloads\desktop (Nowy).ini:com.dropbox.attrs [54]
AlternateDataStreams: C:\Users\mbart\Downloads\DiscordSetup.exe:com.dropbox.attrs [54]
AlternateDataStreams: C:\Users\mbart\Downloads\eic_137514747.pdf:com.dropbox.attrs [54]
AlternateDataStreams: C:\Users\mbart\Downloads\epanel-setup-1.5.7119.1533 (1).exe:com.dropbox.attrs [54]
AlternateDataStreams: C:\Users\mbart\Downloads\epanel-setup-1.5.7119.1533.exe:com.dropbox.attrs [54]
AlternateDataStreams: C:\Users\mbart\Downloads\ERWsetup.exe:com.dropbox.attrs [54]
AlternateDataStreams: C:\Users\mbart\Downloads\fs_1644402_par_2021.pdf:com.dropbox.attrs [54]
AlternateDataStreams: C:\Users\mbart\Downloads\Harmonogram darmowy na rok przed + prezent (1).zip:com.dropbox.attrs [54]
AlternateDataStreams: C:\Users\mbart\Downloads\Harmonogram darmowy na rok przed + prezent.zip:com.dropbox.attrs [54]
AlternateDataStreams: C:\Users\mbart\Downloads\Magdalena_Bartczak_85885 (watermarked).pdf:com.dropbox.attrs [54]
AlternateDataStreams: C:\Users\mbart\Downloads\MBSetup.exe:com.dropbox.attrs [54]
AlternateDataStreams: C:\Users\mbart\Downloads\Najlepszy SAP certyfikacja dla początkujących.pdf:com.dropbox.attrs [54]
AlternateDataStreams: C:\Users\mbart\Downloads\OfficeSetup.exe:com.dropbox.attrs [54]
AlternateDataStreams: C:\Users\mbart\Downloads\PAN MŁODY - PYTANIA.docx:com.dropbox.attrs [54]
AlternateDataStreams: C:\Users\mbart\Downloads\PhotoScapeSetup_V3.7.exe:com.dropbox.attrs [54]
AlternateDataStreams: C:\Users\mbart\Downloads\photothumb.db:com.dropbox.attrs [54]
AlternateDataStreams: C:\Users\mbart\Downloads\received_355286763378127.mp4:com.dropbox.attrs [54]
AlternateDataStreams: C:\Users\mbart\Downloads\sposoby-na-wyjscie-z-depresji.pdf:com.dropbox.attrs [54]
AlternateDataStreams: C:\Users\mbart\Downloads\Twoje dziecko e-book.pdf:com.dropbox.attrs [54]
AlternateDataStreams: C:\Users\mbart\Downloads\Untitled document (1).docx:com.dropbox.attrs [54]
AlternateDataStreams: C:\Users\mbart\Downloads\USMoneyDlxSunset.exe:com.dropbox.attrs [54]
AlternateDataStreams: C:\Users\mbart\Downloads\video-1655643253.mp4:com.dropbox.attrs [54]
AlternateDataStreams: C:\Users\mbart\Downloads\vlc-3.0.8-win64.exe:com.dropbox.attrs [54]
AlternateDataStreams: C:\Users\mbart\Downloads\winrar-x64-580.exe:com.dropbox.attrs [54]
AlternateDataStreams: C:\Users\mbart\Downloads\wniosek-o-ustalenie-prawa-do-zasilku-pielegnacyjnego-jakiwniosek.pl.pdf:com.dropbox.attrs [54]
FirewallRules: [{BA6C991C-DBD8-416B-81D3-2640DC7B022F}] => (Allow) C:\program files (x86)\wondershare\drfone\drfonetoolkit.exe => No File
FirewallRules: [UDP Query User{C645A741-FB8E-4A95-9D4F-7623BE00DB76}C:\program files (x86)\wondershare\recoverit\drss.exe] => (Allow) C:\program files (x86)\wondershare\recoverit\drss.exe => No File
FirewallRules: [TCP Query User{D19665CE-B984-49C2-A448-51BD24F00822}C:\program files (x86)\wondershare\recoverit\drss.exe] => (Allow) C:\program files (x86)\wondershare\recoverit\drss.exe => No File
FirewallRules: [UDP Query User{78DAF0AD-81FA-4C0F-B958-2F21CB37D9E4}C:\program files (x86)\wondershare\recoverit\drc.exe] => (Allow) C:\program files (x86)\wondershare\recoverit\drc.exe => No File
FirewallRules: [TCP Query User{5A51B29B-5C4E-417B-A19C-2CAC4E58B596}C:\program files (x86)\wondershare\recoverit\drc.exe] => (Allow) C:\program files (x86)\wondershare\recoverit\drc.exe => No File
FirewallRules: [UDP Query User{118A9877-6B03-4C34-BE89-6E50DE440632}C:\users\mbart\appdata\local\temp\2vtecq0ehug1jzcdoivxzovz5mj\onvue.exe] => (Allow) C:\users\mbart\appdata\local\temp\2vtecq0ehug1jzcdoivxzovz5mj\onvue.exe => No File
FirewallRules: [TCP Query User{73C43050-DAEA-4905-B37D-523998D76B6B}C:\users\mbart\appdata\local\temp\2vtecq0ehug1jzcdoivxzovz5mj\onvue.exe] => (Allow) C:\users\mbart\appdata\local\temp\2vtecq0ehug1jzcdoivxzovz5mj\onvue.exe => No File
FirewallRules: [UDP Query User{2733B862-CFC4-46EF-A2E6-9D4B72218846}C:\users\mbart\appdata\local\temp\2vgxli4dnchldeem9dowhxgffui\onvue.exe] => (Allow) C:\users\mbart\appdata\local\temp\2vgxli4dnchldeem9dowhxgffui\onvue.exe => No File
FirewallRules: [TCP Query User{713B129A-65F9-4DF1-970F-9403A3134E82}C:\users\mbart\appdata\local\temp\2vgxli4dnchldeem9dowhxgffui\onvue.exe] => (Allow) C:\users\mbart\appdata\local\temp\2vgxli4dnchldeem9dowhxgffui\onvue.exe => No File
FirewallRules: [UDP Query User{DFF67ED7-E54B-4B5D-902E-ED9299D80A76}C:\users\mbart\appdata\local\discord\app-1.0.9013\discord.exe] => (Block) C:\users\mbart\appdata\local\discord\app-1.0.9013\discord.exe => No File
FirewallRules: [TCP Query User{63C4882F-A599-4865-AC2E-D8631C8EB976}C:\users\mbart\appdata\local\discord\app-1.0.9013\discord.exe] => (Block) C:\users\mbart\appdata\local\discord\app-1.0.9013\discord.exe => No File
FirewallRules: [{5195D205-FB44-4F53-9FDA-D996D3F86C73}] => (Allow) C:\Users\mbart\AppData\Local\Programs\Opera\95.0.4635.46\opera.exe => No File
FirewallRules: [{300FBC10-4BA8-4C5B-BFB6-B78B3E111FD3}] => (Allow) C:\Users\mbart\AppData\Local\Programs\Opera\79.0.4143.22\opera.exe => No File
FirewallRules: [{CB1A3C77-19E6-4192-881C-5DC3ED45BD80}] => (Allow) C:\Users\mbart\AppData\Roaming\Zoom\bin\Zoom.exe => No File
FirewallRules: [{4DC53BD4-BC21-40C4-9431-34C55034DC6A}] => (Allow) C:\Program Files\WindowsApps\Microsoft.SkypeApp_15.86.3409.0_x86__kzf8qxf38zg5c\Skype\Skype.exe => No File
FirewallRules: [{ED40F6A4-B735-4C5D-A48F-84254AA750AE}] => (Allow) C:\Program Files\WindowsApps\Microsoft.SkypeApp_15.86.3409.0_x86__kzf8qxf38zg5c\Skype\Skype.exe => No File
FirewallRules: [{655CDAB8-C9EA-413E-B5CF-765ED588D68D}] => (Allow) C:\Program Files\WindowsApps\Microsoft.SkypeApp_15.86.3409.0_x86__kzf8qxf38zg5c\Skype\Skype.exe => No File
FirewallRules: [{F95EA749-E38A-4D27-AD26-88A07D911FFF}] => (Allow) C:\Program Files\WindowsApps\Microsoft.SkypeApp_15.86.3409.0_x86__kzf8qxf38zg5c\Skype\Skype.exe => No File
FirewallRules: [{F67629A3-B1A7-476A-8A7F-98FFCCC74878}] => (Allow) C:\Program Files\WindowsApps\Microsoft.SkypeApp_15.87.3406.0_x86__kzf8qxf38zg5c\Skype\Skype.exe => No File
FirewallRules: [{8925BBFD-F0C0-45EC-A1E7-93E4253718CF}] => (Allow) C:\Program Files\WindowsApps\Microsoft.SkypeApp_15.87.3406.0_x86__kzf8qxf38zg5c\Skype\Skype.exe => No File
FirewallRules: [{783501BD-C5EC-4627-8270-CC4103753EF7}] => (Allow) C:\Program Files\WindowsApps\Microsoft.SkypeApp_15.87.3406.0_x86__kzf8qxf38zg5c\Skype\Skype.exe => No File
FirewallRules: [{7C5EAA72-1027-464A-8DCB-84FF925D0B10}] => (Allow) C:\Program Files\WindowsApps\Microsoft.SkypeApp_15.87.3406.0_x86__kzf8qxf38zg5c\Skype\Skype.exe => No File
FirewallRules: [{6510DCCF-B4AD-4A9C-A65E-E67252AD519B}] => (Allow) C:\Program Files (x86)\Steam\Steam.exe => No File
FirewallRules: [{7A23E45A-A3C4-4D5F-910E-7BA2077C628F}] => (Allow) C:\Program Files (x86)\Steam\Steam.exe => No File
FirewallRules: [{F2D89A41-EFDC-4499-9F3B-F7BE2E54F6C5}] => (Allow) C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe => No File
FirewallRules: [{275701FE-1E99-4628-9DF0-4716164D528D}] => (Allow) C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe => No File
FirewallRules: [{B713FE20-8EF4-45AE-B04C-DA5899D9A15C}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\SlayTheSpire\jre\bin\javaw.exe => No File
FirewallRules: [{33104CBD-BB06-43DE-AE13-26BED3C395C2}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\SlayTheSpire\jre\bin\javaw.exe => No File
CHR StartupUrls: Default -> "hxxp://www.google.pl/","hxxp://rts.dsrlte.com?affID=pr_2ec2b50f-df19-464c-907a-de7fc9455fa9","hxxp://do-search.com/?type=hp&ts=1432933342&z=297d3937ba53812f90f1effgbz4cco7t0c2c0cdz6c&from=cor&uid=ST1000LM024XHN-M101MBB_S2RQJ9FC406418","hxxp://www.istartsurf.com/?type=hp&ts=1433956062&z=c57fa78b64e23593496dfd2gaz4c5c3t2w3q6ebqfg&from=cornl&uid=ST1000LM024XHN-M101MBB_S2RQJ9FC406418"
2026-04-21 10:25 - 2026-04-21 10:25 - 001146844 _____ C:\Users\mbart\Downloads\28d1c55b-1b7b-4dd4-9a1a-72709e5d857b.tmp
StartPowerShell:
# This snippet downloads Emsisoft Emergency Kit (EEK) from Emsisoft's official site, updates it, and scans with it.
# Do note that the executable is 300MB and may take some time to download.
# ---
# This will scan for malware and PUPs in 1) system memory and 2) important folders, as the documentation says.
# It will scan in compressed archives, in mail archives, in NTFS alternate data streams and use cloud requests.
# ---
# You can use argument "/delete" to delete found objects including references, but this is permanent and irreversible.
# You can remove the "/quick" argument to do a full scan, but that may take longer than what FRST can handle.
# You can use argument "/quarantine="[folder]"" to put found malware into quarantine, but I personally prefer first verifying the detections.
$downloadUrl = "https://dl.emsisoft.com/EmsisoftEmergencyKit.exe"
$systemDrive = $env:SystemDrive
$frstPath = "$systemDrive\FRST"
$savePath = "$frstPath\EEK.exe"
$extractPath = "$frstPath\EEK"
# Work inside the FRST folder so everything is removed together with FRST afterwards.
if (-not (Test-Path $frstPath)) { New-Item -Path $frstPath -ItemType Directory -Force | Out-Null }
if (-not (Test-Path $extractPath)) { New-Item -Path $extractPath -ItemType Directory -Force | Out-Null }
Invoke-WebRequest -Uri $downloadUrl -OutFile $savePath -UseBasicParsing
# Silent self-extraction into $extractPath; poll until the command-line scanner appears, then end the extractor.
$proc = Start-Process -FilePath $savePath -ArgumentList "-s -d`"$extractPath`"" -PassThru
while (-not (Test-Path "$extractPath\bin64\a2cmd.exe")) { Start-Sleep -Milliseconds 1000 }
Stop-Process -Id $proc.Id -Force -ErrorAction SilentlyContinue
if ([Environment]::Is64BitOperatingSystem) { $a2cmdPath = Join-Path $extractPath "bin64\a2cmd.exe" } else { $a2cmdPath = Join-Path $extractPath "bin32\a2cmd.exe" }
# Pull current signatures first, then run the scan and write the log next to FRST.
Start-Process -FilePath $a2cmdPath -ArgumentList "/update" -Wait -NoNewWindow
Start-Process -FilePath $a2cmdPath -ArgumentList "/malware /quick /m /t /pup /a /am /cloud=1 /la=`"$frstPath\EEK_scan.log`"" -Wait -NoNewWindow
Get-Content "$frstPath\EEK_scan.log"
exit
EndPowerShell:
StartPowerShell:
# Downloads the newest AdwCleaner version directly from Malwarebytes, performs an update, scans, cleans and writes the log to the console.
# Does not clean preinstalled objects, only PUP/Adware.
# If you would like to delete preinstalled objects, add the argument /preinstalled to the /clean argument.
# If you would like to only scan with it, change the argument from /clean to /scan.
New-Item -ItemType Directory -Force -Path "$env:SystemDrive\AdwCleaner" | Out-Null
Invoke-WebRequest -Uri "https://adwcleaner.malwarebytes.com/adwcleaner?channel=release" -OutFile "$env:SystemDrive\AdwCleaner\AdwCleanerFRST.exe"
# Accept the EULA non-interactively, then run the clean pass with its console output captured to a file.
Start-Process -FilePath "$env:SystemDrive\AdwCleaner\AdwCleanerFRST.exe" -ArgumentList "/eula" -Wait -WindowStyle Hidden
$logFile = "$env:SystemDrive\AdwCleaner\AdwCleanerOutputFRST.txt"
Start-Process -FilePath "$env:SystemDrive\AdwCleaner\AdwCleanerFRST.exe" -ArgumentList "/noreboot /clean" -Wait -WindowStyle Hidden -RedirectStandardOutput $logFile
Get-Content $logFile -Encoding Unicode
Remove-Item -Path $logFile -Force -ErrorAction SilentlyContinue
EndPowerShell:
CMD: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /v "SmartScreenEnabled" /t REG_SZ /d "Warn" /f
CMD: reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v "EnableWebContentEvaluation" /t REG_DWORD /d 1 /f
CMD: netsh int ip reset
CMD: netsh int ipv6 reset
CMD: ipconfig /flushDNS
CMD: netsh winsock reset catalog
C:\Users\CurrentUserName\AppData\Local\Temp\*
C:\Windows\Temp\*
C:\Windows\SystemTemp\*
EmptyTemp:
End::
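Most of the fixlist above deletes three kinds of leftovers: scheduled tasks and firewall rules whose target executable no longer exists (FRST's "(No File)" and "=> No File"), and the com.dropbox.attrs alternate data streams that Dropbox leaves on files under Downloads. The PowerShell audit below is an added example, not part of the fixlist and not FRST's own code; it enumerates those same three classes on the machine so the result can be compared with FRST's list before the fix and confirmed empty afterwards. It only reports and removes nothing. Assumptions: it runs in the profile being cleaned (so $env:USERPROFILE\Downloads is the folder listed above), and the stream name defaults to com.dropbox.attrs because that is the one in the fixlist.

```powershell
# Added read-only audit (not part of the fixlist above). Assumed: runs as the profile owner,
# and the stream of interest is com.dropbox.attrs, the name taken from the fixlist.
#Requires -Version 5.1
Set-StrictMode -Version Latest

function Get-NamedStreams {
    # Alternate data streams on the folder itself and on each file directly under it.
    # The primary stream is always ':$DATA' and is skipped. Pass -StreamName '*' for all streams.
    param(
        [Parameter(Mandatory)][string]$Folder,
        [string]$StreamName = 'com.dropbox.attrs'   # assumption: stream name from the fixlist
    )
    $targets = @(Get-Item -LiteralPath $Folder) + @(Get-ChildItem -LiteralPath $Folder -File -Force)
    foreach ($item in $targets) {
        # -ErrorAction SilentlyContinue: some PowerShell builds cannot enumerate streams on a directory.
        Get-Item -LiteralPath $item.FullName -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' -and ($StreamName -eq '*' -or $_.Stream -eq $StreamName) } |
            ForEach-Object {
                [pscustomobject]@{ Kind = 'ADS'; Name = "$($item.FullName):$($_.Stream)"; Path = $item.FullName; Bytes = $_.Length }
            }
    }
}

function Resolve-Executable {
    # Normalises a program path as stored in a firewall rule or task action: strips surrounding
    # quotes, expands %SystemRoot%-style variables and resolves bare file names through PATH.
    param([string]$Raw)
    if ([string]::IsNullOrWhiteSpace($Raw)) { return $null }
    $p = [Environment]::ExpandEnvironmentVariables($Raw.Trim().Trim('"'))
    if (-not [IO.Path]::IsPathRooted($p)) {
        $cmd = Get-Command $p -ErrorAction SilentlyContinue
        if ($cmd) { return $cmd.Source }
    }
    return $p
}

function Get-OrphanedFirewallRules {
    # Rules whose Program filter names a file that is gone. Rules without a program
    # ('Any', 'System', or packaged-app rules keyed by Package SID) are not judged here.
    foreach ($rule in Get-NetFirewallRule) {
        $app = $rule | Get-NetFirewallApplicationFilter
        if ($app.Program -in @($null, '', 'Any', 'System')) { continue }
        $exe = Resolve-Executable $app.Program
        if (-not (Test-Path -LiteralPath $exe -PathType Leaf)) {
            [pscustomobject]@{ Kind = 'FirewallRule'; Name = $rule.Name; Action = $rule.Action; Path = $exe }
        }
    }
}

function Get-OrphanedScheduledTasks {
    # Tasks with an Exec action whose binary is missing. COM-handler actions have no Execute
    # property and are skipped; reading every task folder may require an elevated session.
    foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
        foreach ($action in @($task.Actions)) {
            if (-not $action.PSObject.Properties['Execute']) { continue }
            $exe = Resolve-Executable $action.Execute
            if ($exe -and -not (Test-Path -LiteralPath $exe -PathType Leaf)) {
                [pscustomobject]@{ Kind = 'Task'; Name = "$($task.TaskPath)$($task.TaskName)"; Path = $exe; Arguments = $action.Arguments }
            }
        }
    }
}

$report = @(
    Get-NamedStreams -Folder (Join-Path $env:USERPROFILE 'Downloads')
    Get-OrphanedFirewallRules
    Get-OrphanedScheduledTasks
)
$report | Sort-Object Kind, Name | Format-Table Kind, Name, Path -AutoSize
```

Run it once before the fix and once after; after a successful fix all three sections should come back empty. The task and firewall findings are what FRST prints as "(No File)" and "=> No File": the rule or task still exists, but the path it points at does not, which is why it is safe to drop. Resolve-Executable is there because tasks store paths with environment variables and quotes (the MusNotification.exe entries above use %systemroot%), and a naive Test-Path on the raw string would report every such task as missing. If a single stream needs removing by hand outside FRST, Remove-Item supports the same -Stream parameter as Get-Item.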