Malware Log Analysis

shared / Shoddy-Percentage693

Start
CreateRestorePoint:
CloseProcesses:
C:\Users\RomaP\AppData\Local\Google\Chrome\User Data\Default\Extensions\eppiocemhmnlbhjplcgkofciiegomcon
C:\Users\RomaP\AppData\Local\Google\Chrome\User Data\Default\Extensions\jaekigmcljkkalnicnjoafgfjoefkpeg
2025-06-24 08:18 - 2025-06-24 08:18 - 000003718 _____ () C:\Users\RomaP\AppData\Local\9153508281
ShortcutWithArgument: C:\Users\RomaP\Desktop\Microsoft Edge Canary.lnk -> C:\Users\RomaP\AppData\Local\Microsoft\Edge SxS\Application\msedge.exe (Microsoft Corporation) -> --disable-features=DisableLoadExtensionCommandLineSwitch --load-extension="C:\Extension\1.1.5._0" --disable-features=DisableLoadExtensionCommandLineSwitch
ShortcutWithArgument: C:\Users\RomaP\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Microsoft Edge Canary.lnk -> C:\Users\RomaP\AppData\Local\Microsoft\Edge SxS\Application\msedge.exe (Microsoft Corporation) -> --disable-features=DisableLoadExtensionCommandLineSwitch --load-extension="C:\Extension\5.1.6._0"
ShortcutWithArgument: C:\Users\RomaP\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Brave.lnk -> C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe (Brave Software, Inc.) -> --disable-features=DisableLoadExtensionCommandLineSwitch --load-extension="C:\Extension\4.6.1._0"
ShortcutWithArgument: C:\Users\RomaP\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk -> C:\Program Files\Google\Chrome\Application\chrome.exe (Google LLC) -> --disable-features=DisableLoadExtensionCommandLineSwitch --load-extension="C:\Extension\1.9.8._0"
ShortcutWithArgument: C:\Users\RomaP\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Microsoft Edge Canary.lnk -> C:\Users\RomaP\AppData\Local\Microsoft\Edge SxS\Application\msedge.exe (Microsoft Corporation) -> --disable-features=DisableLoadExtensionCommandLineSwitch --load-extension="C:\Extension\2.9.4._0"
ShortcutWithArgument: C:\Users\RomaP\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Microsoft Edge.lnk -> C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (Microsoft Corporation) -> --disable-features=DisableLoadExtensionCommandLineSwitch --load-extension="C:\Extension\4.3.1._0"
ShortcutWithArgument: C:\Users\RomaP\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Google Chrome.lnk -> C:\Program Files\Google\Chrome\Application\chrome.exe (Google LLC) -> --disable-features=DisableLoadExtensionCommandLineSwitch --load-extension="C:\Extension\2.1.9._0"
ShortcutWithArgument: C:\Users\RomaP\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Microsoft Edge.lnk -> C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (Microsoft Corporation) -> --disable-features=DisableLoadExtensionCommandLineSwitch --load-extension="C:\Extension\5.8.8._0"
ShortcutWithArgument: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Brave.lnk -> C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe (Brave Software, Inc.) -> --disable-features=DisableLoadExtensionCommandLineSwitch --load-extension="C:\Extension\4.4.6._0"
ShortcutWithArgument: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk -> C:\Program Files\Google\Chrome\Application\chrome.exe (Google LLC) -> --disable-features=DisableLoadExtensionCommandLineSwitch --load-extension="C:\Extension\9.5.8._0"
ShortcutWithArgument: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Edge.lnk -> C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (Microsoft Corporation) -> --disable-features=DisableLoadExtensionCommandLineSwitch --load-extension="C:\Extension\8.3.9._0"
ShortcutWithArgument: C:\Users\Public\Desktop\Brave.lnk -> C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe (Brave Software, Inc.) -> --disable-features=DisableLoadExtensionCommandLineSwitch --load-extension="C:\Extension\1.7.1._0"
ShortcutWithArgument: C:\Users\Public\Desktop\Google Chrome.lnk -> C:\Program Files\Google\Chrome\Application\chrome.exe (Google LLC) -> --disable-features=DisableLoadExtensionCommandLineSwitch --load-extension="C:\Extension\6.3.2._0"
ShortcutWithArgument: C:\Users\Public\Desktop\Microsoft Edge.lnk -> C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (Microsoft Corporation) -> --disable-features=DisableLoadExtensionCommandLineSwitch --load-extension="C:\Extension\8.2.8._0"
HKLM\Software\Policies\...\system: [EnableSmartScreen] 0 <==== ATTENTION
GroupPolicy: Restriction ? <==== ATTENTION
Policies: C:\ProgramData\NTUSER.pol: Restriction <==== ATTENTION
Task: {3F640F27-5E55-4873-A0E3-7E50B00D4710} - System32\Tasks\Driver Booster SkipUAC (RomaP) => C:\Program Files (x86)\IObit\Driver Booster\13.0.0\DriverBooster.exe [8343248 2025-09-23] (IObit CO., LTD -> IObit) <==== ATTENTION
Task: {8C736B9F-CD8B-43B6-9053-36490D14139E} - System32\Tasks\IObit XM2025Sale (One-time) => "C:\Program Files (x86)\IObit\Advanced SystemCare\Pub\Xm25.exe" -> C:\Program Files (x86)\IObit\Advanced SystemCare\Pub\\/rpop <==== ATTENTION
C:\Program Files (x86)\IObit
File: C:\Users\RomaP\AppData\Local\Programs\Python\Python312\wgsa.pyc
StartPowerShell:
# This snippet uses Sysinternals Sigcheck to check a file against VirusTotal (and submit it if VirusTotal does not know it yet).
# In the template the target path is the string "INSERTFILEPATHHERE"; below it has already been replaced with the wgsa.pyc path.
# ---
# It displays the following: entropy, file hashes, catalog name & signing chain, VirusTotal scan results and a link to them.
# It is also able to traverse symbolic links and directory junctions.
# ---
# NOTE: If the file is not known prior, it gets uploaded to VirusTotal and the result will be available in a few minutes.
# You can look up the report by visiting the URL "https://www.virustotal.com/gui/file/<SHA256>"
$TempDir = [System.IO.Path]::GetTempPath()
$ZipPath = Join-Path $TempDir "SigcheckFRST.zip"
$ExtractPath = Join-Path $TempDir "SigcheckFRST"
Invoke-WebRequest -Uri "https://download.sysinternals.com/files/Sigcheck.zip" -OutFile $ZipPath -UseBasicParsing
if (Test-Path $ExtractPath) { Remove-Item $ExtractPath -Recurse -Force }
Expand-Archive -Path $ZipPath -DestinationPath $ExtractPath -Force
$SigcheckExe = Join-Path $ExtractPath "sigcheck.exe"
if (Test-Path $SigcheckExe) {
    # -a all details, -h hashes, -i catalog/signing chain, -m manifest, -l follow links, -vt VirusTotal lookup, -vs submit unknown files
    $psi = New-Object System.Diagnostics.ProcessStartInfo
    $psi.FileName = $SigcheckExe
    $psi.Arguments = '-accepteula -a -h -i -m -l -vt -vs -nobanner "C:\Users\RomaP\AppData\Local\Programs\Python\Python312\wgsa.pyc"'
    $psi.RedirectStandardOutput = $true
    $psi.StandardOutputEncoding = [System.Text.Encoding]::Unicode
    $psi.UseShellExecute = $false
    $psi.CreateNoWindow = $true
    $p = [System.Diagnostics.Process]::Start($psi)
    $output = $p.StandardOutput.ReadToEnd()
    $p.WaitForExit()
    Write-Output $output
} else {
    Write-Host "Error: Sigcheck does not exist"
}
Remove-Item $ZipPath -Force
EndPowerShell:
Task: {C925C2C4-42E6-4528-9C47-6A4AC6CFF5A4} - System32\Tasks\Microsoft\Windows\WlanSvc\MoProfileManagementbi1V4 => C:\Users\RomaP\AppData\Local\Programs\Python\Python312\pythonw.exe [101656 2023-12-07] (Python Software Foundation -> Python Software Foundation) -> "C:\Users\RomaP\AppData\Local\Programs\Python\Python312\wgsa.pyc" <==== ATTENTION
C:\Users\RomaP\AppData\Local\Programs\Python\Python312\wgsa.pyc
Folder: C:\Users\RomaP\AppData\Local\Programs
FCheck: C:\WINDOWS\SysWOW64\version_IObitDel.dll [2023-02-10] <==== ATTENTION (zero byte File/Folder)
C:\Users\RomaP\Downloads\casto_prices-master
C:\Users\RomaP\Downloads\gphotos_sort-master
C:\Users\RomaP\Downloads\casto_prices-main
2026-06-13 12:09 - 2023-05-18 06:20 - 000000000 ____D C:\Users\RomaP\AppData\Roaming\RenPy
CustomCLSID: HKU\S-1-5-21-533780750-747756185-301308243-1001_Classes\CLSID\{03B29243-35DA-4858-920E-B70A007DF5AA}\InprocServer32 -> C:\Users\RomaP\AppData\Local\Microsoft\EdgeUpdate\1.3.217.3\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-533780750-747756185-301308243-1001_Classes\CLSID\{0982FB18-B2DC-43DF-9DA3-A54C41F699EA}\InprocServer32 -> C:\Users\RomaP\AppData\Local\Microsoft\EdgeUpdate\1.3.233.3\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-533780750-747756185-301308243-1001_Classes\CLSID\{1108FD1C-492F-4251-B9DB-77F0274267B2}\InprocServer32 -> C:\Users\RomaP\AppData\Local\Microsoft\EdgeUpdate\1.3.187.37\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-533780750-747756185-301308243-1001_Classes\CLSID\{14100442-9664-1407-2647-000000000000}\localserver32 -> "C:\Users\RomaP\AppData\Local\Wondershare\Wondershare NativePush\WsToastNotification.exe" -ToastActivated => No File
CustomCLSID: HKU\S-1-5-21-533780750-747756185-301308243-1001_Classes\CLSID\{1C67DF85-7959-43C0-92F8-2CAD0314C31C}\InprocServer32 -> C:\Users\RomaP\AppData\Local\Microsoft\EdgeUpdate\1.3.201.11\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-533780750-747756185-301308243-1001_Classes\CLSID\{22D49062-B8D3-4DD5-B9C2-A044EA04D5CD}\InprocServer32 -> C:\Users\RomaP\AppData\Local\Microsoft\EdgeUpdate\1.3.223.11\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-533780750-747756185-301308243-1001_Classes\CLSID\{2ABD6384-2E18-40E8-8439-F06D21E0B03D}\InprocServer32 -> C:\Users\RomaP\AppData\Local\Microsoft\EdgeUpdate\1.3.195.43\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-533780750-747756185-301308243-1001_Classes\CLSID\{2B49DB21-41C5-44C0-8358-CA4C76205AE1}\InprocServer32 -> C:\Users\RomaP\AppData\Local\Microsoft\EdgeUpdate\1.3.209.9\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-533780750-747756185-301308243-1001_Classes\CLSID\{2EF7E390-2F7C-4F9A-9B7D-4A87B56B711D}\InprocServer32 -> C:\Users\RomaP\AppData\Local\Microsoft\EdgeUpdate\1.3.173.51\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-533780750-747756185-301308243-1001_Classes\CLSID\{2FDB3305-19B8-4FE2-972B-ED5E97CBBD6E}\InprocServer32 -> C:\Users\RomaP\AppData\Local\Microsoft\EdgeUpdate\1.3.195.39\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-533780750-747756185-301308243-1001_Classes\CLSID\{38142727-3008-9161-1521-349515000000}\localserver32 -> "C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe" -ToastActivated => No File
CustomCLSID: HKU\S-1-5-21-533780750-747756185-301308243-1001_Classes\CLSID\{41B09861-5409-4D44-8CA4-D49FBFAA2E6F}\InprocServer32 -> C:\Users\RomaP\AppData\Local\Microsoft\EdgeUpdate\1.3.195.49\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-533780750-747756185-301308243-1001_Classes\CLSID\{444c3d34-4024-4c6f-a9da-b47eed58ceb6}\localserver32 -> "C:\Program Files\Skylum\Luminar AI\Luminar AI.exe" -ToastActivated => No File
CustomCLSID: HKU\S-1-5-21-533780750-747756185-301308243-1001_Classes\CLSID\{448DD314-7FBB-429C-9DAA-C05A00D235A8}\InprocServer32 -> C:\Users\RomaP\AppData\Local\Microsoft\EdgeUpdate\1.3.215.9\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-533780750-747756185-301308243-1001_Classes\CLSID\{4FFB4BD8-A109-4F25-A4DB-313678B19417}\InprocServer32 -> C:\Users\RomaP\AppData\Local\Microsoft\EdgeUpdate\1.3.195.31\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-533780750-747756185-301308243-1001_Classes\CLSID\{5247F326-2FF0-4920-998E-12AA35F0883C}\InprocServer32 -> C:\Users\RomaP\AppData\Local\Microsoft\EdgeUpdate\1.3.213.7\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-533780750-747756185-301308243-1001_Classes\CLSID\{5E9DEE2B-5F44-4C87-84B8-D2E7B11D7017}\InprocServer32 -> C:\Users\RomaP\AppData\Local\Microsoft\EdgeUpdate\1.3.229.3\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-533780750-747756185-301308243-1001_Classes\CLSID\{5FC44EBC-3A1F-4FBB-85E5-34405788C8D7}\InprocServer32 -> C:\Users\RomaP\AppData\Local\Microsoft\EdgeUpdate\1.3.187.41\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-533780750-747756185-301308243-1001_Classes\CLSID\{608D599A-DCA6-4A7C-BED7-AFCD8465345A}\InprocServer32 -> C:\Users\RomaP\AppData\Local\Microsoft\EdgeUpdate\1.3.175.29\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-533780750-747756185-301308243-1001_Classes\CLSID\{64C6EFB9-8F79-4106-B975-067448DC768F}\InprocServer32 -> C:\Users\RomaP\AppData\Local\Microsoft\EdgeUpdate\1.3.177.11\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-533780750-747756185-301308243-1001_Classes\CLSID\{674CB023-C9D4-4286-B1FF-A1FF76AD4B27}\InprocServer32 -> C:\Users\RomaP\AppData\Local\Microsoft\EdgeUpdate\1.3.227.11\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-533780750-747756185-301308243-1001_Classes\CLSID\{6A49690B-7DB6-424B-81CE-F51078F2A58D}\InprocServer32 -> C:\Users\RomaP\AppData\Local\Microsoft\EdgeUpdate\1.3.203.13\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-533780750-747756185-301308243-1001_Classes\CLSID\{6DD6748E-7DAE-47EF-B4D5-03AA1B06D697}\InprocServer32 -> C:\Users\RomaP\AppData\Local\Microsoft\EdgeUpdate\1.3.187.39\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-533780750-747756185-301308243-1001_Classes\CLSID\{72726D01-426C-4B35-8266-B4496CAA889E}\InprocServer32 -> C:\Users\RomaP\AppData\Local\Microsoft\EdgeUpdate\1.3.183.29\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-533780750-747756185-301308243-1001_Classes\CLSID\{745fba2b-78ca-4eaf-6688-ba4f69a60391}\localserver32 -> "C:\Program Files\Alienware\Alienware Command Center\AWCC.Background.Server.exe" -ToastActivated => No File
CustomCLSID: HKU\S-1-5-21-533780750-747756185-301308243-1001_Classes\CLSID\{78C1ADF4-6DAE-4164-AEFA-4E3EAD9E750A}\InprocServer32 -> C:\Users\RomaP\AppData\Local\Microsoft\EdgeUpdate\1.3.195.19\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-533780750-747756185-301308243-1001_Classes\CLSID\{79F05C14-E714-4C12-9924-93C812894CB0}\InprocServer32 -> C:\Users\RomaP\AppData\Local\Microsoft\EdgeUpdate\1.3.195.57\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-533780750-747756185-301308243-1001_Classes\CLSID\{7C9A348D-C321-47AC-904F-150312A5430F}\InprocServer32 -> C:\Users\RomaP\AppData\Local\Microsoft\EdgeUpdate\1.3.175.27\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-533780750-747756185-301308243-1001_Classes\CLSID\{7EFB4924-4B93-4C43-9832-9C3D05E85214}\InprocServer32 -> C:\Users\RomaP\AppData\Local\Microsoft\EdgeUpdate\1.3.195.59\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-533780750-747756185-301308243-1001_Classes\CLSID\{83F21C4B-8643-4A08-A29A-822AFD835037}\InprocServer32 -> C:\Users\RomaP\AppData\Local\Microsoft\EdgeUpdate\1.3.193.5\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-533780750-747756185-301308243-1001_Classes\CLSID\{86ca1aa0-34aa-4e8b-a509-50c905bae2a2}\InprocServer32 -> - => No File
CustomCLSID: HKU\S-1-5-21-533780750-747756185-301308243-1001_Classes\CLSID\{8DC94452-5748-435A-B24F-B0F57718821E}\InprocServer32 -> C:\Users\RomaP\AppData\Local\Microsoft\EdgeUpdate\1.3.225.7\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-533780750-747756185-301308243-1001_Classes\CLSID\{9C391760-8CB8-4F1E-AB7D-0C9915EFB004}\InprocServer32 -> C:\Users\RomaP\AppData\Local\Microsoft\EdgeUpdate\1.3.211.7\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-533780750-747756185-301308243-1001_Classes\CLSID\{A087E49F-1F8E-4603-A200-55537B737421}\InprocServer32 -> C:\Users\RomaP\AppData\Local\Microsoft\EdgeUpdate\1.3.195.25\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-533780750-747756185-301308243-1001_Classes\CLSID\{A78355B5-2A4D-486B-B97A-43448FC8C34D}\InprocServer32 -> C:\Users\RomaP\AppData\Local\Microsoft\EdgeUpdate\1.3.207.5\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-533780750-747756185-301308243-1001_Classes\CLSID\{AE1542A7-3989-481B-93A9-1500C5F56B14}\InprocServer32 -> C:\Users\RomaP\AppData\Local\Microsoft\EdgeUpdate\1.3.185.27\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-533780750-747756185-301308243-1001_Classes\CLSID\{B258532D-3529-4BEB-BF38-F08F98B3968C}\InprocServer32 -> C:\Users\RomaP\AppData\Local\Microsoft\EdgeUpdate\1.3.195.15\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-533780750-747756185-301308243-1001_Classes\CLSID\{BB04C6F8-598E-4733-ABB4-07489C863436}\InprocServer32 -> C:\Users\RomaP\AppData\Local\Microsoft\EdgeUpdate\1.3.205.9\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-533780750-747756185-301308243-1001_Classes\CLSID\{BC4C72EF-3055-4A6D-86E1-AE4D24DB63CA}\InprocServer32 -> C:\Users\RomaP\AppData\Local\Microsoft\EdgeUpdate\1.3.195.35\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-533780750-747756185-301308243-1001_Classes\CLSID\{BCF99248-58CE-4562-B227-14D1E171B49D}\InprocServer32 -> C:\Users\RomaP\AppData\Local\Microsoft\EdgeUpdate\1.3.221.3\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-533780750-747756185-301308243-1001_Classes\CLSID\{C88B3957-621C-415B-8EE5-B688FC7EF924}\InprocServer32 -> C:\Users\RomaP\AppData\Local\Microsoft\EdgeUpdate\1.3.195.61\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-533780750-747756185-301308243-1001_Classes\CLSID\{CAE1760A-CB07-481B-8F9A-BC65510AF5D5}\InprocServer32 -> C:\Users\RomaP\AppData\Local\Microsoft\EdgeUpdate\1.3.185.21\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-533780750-747756185-301308243-1001_Classes\CLSID\{D2188EEC-2B0F-488C-8ECA-5285E8ECD87D}\InprocServer32 -> C:\Users\RomaP\AppData\Local\Microsoft\EdgeUpdate\1.3.195.69\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-533780750-747756185-301308243-1001_Classes\CLSID\{D8599F80-3D26-46D2-8CF1-0AD21B0ECF31}\InprocServer32 -> C:\Users\RomaP\AppData\Local\Microsoft\EdgeUpdate\1.3.195.65\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-533780750-747756185-301308243-1001_Classes\CLSID\{DAA7499A-B3AC-4419-A89B-124318504051}\InprocServer32 -> C:\Users\RomaP\AppData\Local\Microsoft\EdgeUpdate\1.3.185.29\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-533780750-747756185-301308243-1001_Classes\CLSID\{E3D57E77-FE71-4D06-BD34-D48820074909}\InprocServer32 -> C:\Users\RomaP\AppData\Local\Microsoft\EdgeUpdate\1.3.181.5\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-533780750-747756185-301308243-1001_Classes\CLSID\{E76F97B1-1AE9-497C-9FA4-F57BBABAD54A}\InprocServer32 -> C:\Users\RomaP\AppData\Local\Microsoft\EdgeUpdate\1.3.185.17\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-533780750-747756185-301308243-1001_Classes\CLSID\{E8791438-3525-48BF-A600-C577AD1674C2}\InprocServer32 -> C:\Users\RomaP\AppData\Local\Microsoft\EdgeUpdate\1.3.173.49\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-533780750-747756185-301308243-1001_Classes\CLSID\{ECCE2756-C45D-4E13-BC2D-EC9F138997E6}\InprocServer32 -> C:\Users\RomaP\AppData\Local\Microsoft\EdgeUpdate\1.3.199.11\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-533780750-747756185-301308243-1001_Classes\CLSID\{F1CBF5EB-347F-4E4C-90AC-E43339FC34EC}\InprocServer32 -> C:\Users\RomaP\AppData\Local\Microsoft\EdgeUpdate\1.3.173.55\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-533780750-747756185-301308243-1001_Classes\CLSID\{F46A78BD-06FC-442C-88DF-0500F08F2379}\InprocServer32 -> C:\Users\RomaP\AppData\Local\Microsoft\EdgeUpdate\1.3.195.45\psuser_64.dll => No File
ShellIconOverlayIdentifiers: [ tdpico] -> {c88d4dbb-d890-40b6-bcc7-bca43c1eb5ee} => C:\Program Files (x86)\IObit\Advanced SystemCare\ASCSafeFolderShlExt.dll -> No File
AlternateDataStreams: C:\WINDOWS\tracing:? [16]
AlternateDataStreams: C:\Users\RomaP\Downloads\SupportAssistInstaller.exe:MBAM.Zone.Identifier [212]
FirewallRules: [{C2BC5C75-552E-4890-AB88-73AA2D2B8025}] => (Allow) D:\Games\InfinityNikkiGlobal Launcher\InfinityNikkiGlobal\InfinityNikki.exe => No File
FirewallRules: [{BB55D87E-E39A-4C76-80F1-34F705587D36}] => (Allow) D:\Games\InfinityNikkiGlobal Launcher\InfinityNikkiGlobal\X6Game\Binaries\Win64\X6Game-Win64-Shipping.exe => No File
FirewallRules: [{7DAB9250-7D77-4894-B6A0-9F20B45E1E9D}] => (Allow) D:\Games\InfinityNikkiGlobal Launcher\InfinityNikkiGlobal\InfinityNikki.exe => No File
FirewallRules: [{766ABC0A-2DA8-4905-9759-FDF0CA3834A2}] => (Allow) D:\Games\InfinityNikkiGlobal Launcher\InfinityNikkiGlobal\X6Game\Binaries\Win64\X6Game-Win64-Shipping.exe => No File
FirewallRules: [{417F59AC-21F5-45BB-97F7-21AEC9DB7A30}] => (Allow) D:\Games\InfinityNikkiGlobal Launcher\1.0.9\xstarter.exe => No File
FirewallRules: [{D7866492-3B0D-445B-B6E1-AD1E4B0F8F44}] => (Allow) C:\Program Files\KMSpico\KMSELDI.exe => No File
FirewallRules: [{045F335F-B166-4C6A-91CA-B0415DD19ECB}] => (Allow) C:\Program Files\KMSpico\KMSELDI.exe => No File
FirewallRules: [{F5234FC5-DFDF-4118-971A-9255A22C42FE}] => (Allow) C:\Program Files\Netmarble\Netmarble Launcher\Netmarble Launcher.exe => No File
FirewallRules: [UDP Query User{32454016-63AA-4E1E-B5F4-64A7863ECDD2}C:\users\romap\appdata\local\wondershare\wondershare nativepush\wstoastnotification.exe] => (Allow) C:\users\romap\appdata\local\wondershare\wondershare nativepush\wstoastnotification.exe => No File
FirewallRules: [TCP Query User{DF66D1A2-CEC8-46EA-8679-3CA927A2082F}C:\users\romap\appdata\local\wondershare\wondershare nativepush\wstoastnotification.exe] => (Allow) C:\users\romap\appdata\local\wondershare\wondershare nativepush\wstoastnotification.exe => No File
FirewallRules: [UDP Query User{0CC028E5-867A-43A8-BEB3-51B940E80625}C:\gry\g\fxpgunz\gunz.exe] => (Allow) C:\gry\g\fxpgunz\gunz.exe => No File
FirewallRules: [TCP Query User{8067FBE2-A014-4738-84A9-CFE43B51088B}C:\gry\g\fxpgunz\gunz.exe] => (Allow) C:\gry\g\fxpgunz\gunz.exe => No File
FirewallRules: [UDP Query User{5779C064-5485-4920-A9E4-5C2715ED1E85}C:\program files (x86)\dodi-repacks\dying light platinum edition\dyinglightgame.exe] => (Allow) C:\program files (x86)\dodi-repacks\dying light platinum edition\dyinglightgame.exe => No File
FirewallRules: [TCP Query User{844FF8BB-5A1B-42D3-8D98-1BA53252C064}C:\program files (x86)\dodi-repacks\dying light platinum edition\dyinglightgame.exe] => (Allow) C:\program files (x86)\dodi-repacks\dying light platinum edition\dyinglightgame.exe => No File
FirewallRules: [UDP Query User{25AD9E7F-8C90-4FD9-9B26-00BD1EA85347}C:\gry\g\freestyle gunz\gunz.exe] => (Allow) C:\gry\g\freestyle gunz\gunz.exe => No File
FirewallRules: [TCP Query User{CF05C161-808E-4BFB-999A-01B80ED04696}C:\gry\g\freestyle gunz\gunz.exe] => (Allow) C:\gry\g\freestyle gunz\gunz.exe => No File
FirewallRules: [UDP Query User{B5766AC3-F412-4C17-A5B0-ABBE819FF597}C:\gry\g\gunz\gunz.exe] => (Allow) C:\gry\g\gunz\gunz.exe => No File
FirewallRules: [TCP Query User{2BADC95A-1D2F-4F6C-8051-9CA83F14759B}C:\gry\g\gunz\gunz.exe] => (Allow) C:\gry\g\gunz\gunz.exe => No File
FirewallRules: [{38AE9D80-EEA3-4D77-96A8-EF014AF809F1}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\SteamVR\bin\win32\vrstartup.exe => No File
FirewallRules: [{75609FA7-BECC-4B0F-A434-0C311569EF5B}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\SteamVR\bin\win32\vrstartup.exe => No File
FirewallRules: [{9DEE3C30-CD95-4792-836C-41B442225791}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Warframe\Tools\Launcher.exe => No File
FirewallRules: [{26CE7778-4A76-4BE7-8B8B-017EBA05DF04}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Warframe\Tools\Launcher.exe => No File
FirewallRules: [UDP Query User{6BDABDED-4A8C-416A-842E-D4D5F6FB2DB1}C:\gry\g\m2o gaming - gunz the last duel v5\gunz.exe] => (Allow) C:\gry\g\m2o gaming - gunz the last duel v5\gunz.exe => No File
FirewallRules: [TCP Query User{D81F7081-E8BB-40CA-BDDE-5F48136AF08F}C:\gry\g\m2o gaming - gunz the last duel v5\gunz.exe] => (Allow) C:\gry\g\m2o gaming - gunz the last duel v5\gunz.exe => No File
FirewallRules: [UDP Query User{4EED0F1C-A41B-4D0F-AC12-13E02630DA2D}C:\gry\o\one piece odyssey\odyssey\binaries\win64\odyssey-win64-shipping.exe] => (Allow) C:\gry\o\one piece odyssey\odyssey\binaries\win64\odyssey-win64-shipping.exe => No File
FirewallRules: [TCP Query User{7D2EBA79-5C73-4746-BD7C-15D0AAA939D7}C:\gry\o\one piece odyssey\odyssey\binaries\win64\odyssey-win64-shipping.exe] => (Allow) C:\gry\o\one piece odyssey\odyssey\binaries\win64\odyssey-win64-shipping.exe => No File
FirewallRules: [{63047EEF-A257-4D49-9970-16BD2FA357F7}] => (Allow) C:\Users\RomaP\AppData\Local\Temp\ACFL\ACSetup\ACSetup.exe => No File
FirewallRules: [{C87E2039-F7B5-48C0-8C48-CBCE0367C954}] => (Allow) C:\Users\RomaP\AppData\Local\Temp\ACFL\ACSetup\ACSetup.exe => No File
HKU\S-1-5-21-533780750-747756185-301308243-1001\...\Run: [AF_uuid_514912] => 2cfd7502-c259-4d4b-8c49-13120efa8bc0**** º÷\À*******ÿÿÿ***Ãd*†*€track ad (No File)
HKU\S-1-5-21-533780750-747756185-301308243-1001\...\Run: [AF_counter_514912] => 0 (No File)
Task: {0C16CDD8-80BA-4CA4-AEE3-B213EA43A2E3} - System32\Tasks\ASUS\P508PowerAgent_sdk => C:\Program Files (x86)\ASUS\ArmouryDevice\dll\ShareFromArmouryIII\Mouse\ROG STRIX CARRY\P508PowerAgent.exe (No File)
Task: {AA0CC76B-4783-4193-AB8F-7526DD222D07} - System32\Tasks\Microsoft\Windows\Bluetooth\csrss => C:\ProgramData\csrss.exe (No File) <==== ATTENTION
Task: {077BA067-7C15-40F0-B22E-C9DC2A54B4A2} - System32\Tasks\Microsoft\Windows\Location\Notifications => %windir%\System32\LocationNotificationWindows.exe (No File)
Task: {F3E6E7ED-A196-4E44-8803-55FAB3AD4E29} - System32\Tasks\Microsoft\Windows\UpdateOrchestrator\USO_UxBroker => %systemroot%\system32\MusNotification.exe (No File)
R2 ROLI Hardware Driver; "\Program Files\ROLI\ROLI Hardware Driver\srvstart.exe" "ROLI Hardware Driver" -c "\Program Files\ROLI\ROLI Hardware Driver\srvstart_rhd.ini" (No File)
S3 cpuz159; \??\C:\WINDOWS\temp\cpuz159\cpuz159_x64.sys (No File) <==== ATTENTION
S3 SIUSBXP; \??\C:\Windows\system32\drivers\SiUSBXp.sys (No File)
2024-02-08 22:24 - 2024-02-08 22:24 - 000006366 _____ () C:\Users\RomaP\AppData\Local\91477623837
2025-05-19 12:39 - 2025-05-19 12:39 - 000003718 _____ () C:\Users\RomaP\AppData\Local\93996176848
Comment: This snippet reverts SmartScreen settings to default
StartRegedit:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer]
"SmartScreenEnabled"="Warn"

[HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\PhishingFilter]
"EnabledV9"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\AppHost]
"EnableWebContentEvaluation"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\AppHost]
"EnableWebContentEvaluation"=dword:00000001
EndRegedit:
Comment: This snippet reverts User Account Control to default
StartRegedit:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"ConsentPromptBehaviorAdmin"=dword:00000005
"ConsentPromptBehaviorUser"=dword:00000003
"EnableLUA"=dword:00000001
EndRegedit:
C:\Users\RomaP\AppData\Local\Temp\e80c7270-ce8c-445c-8e5e-0505cac48467.tmp.node
HKU\S-1-5-21-533780750-747756185-301308243-1001\...\StartupApproved\Run: => "AF_uuid_514912"
HKU\S-1-5-21-533780750-747756185-301308243-1001\...\StartupApproved\Run: => "AF_counter_514912"
File: C:\Program Files\Virtual Desktop Streamer\VirtualDesktop.Injector64.dll;C:\Program Files\Dell\Dell Display Manager 2\DDM.exe;C:\Program Files\Ableton\Push Driver\x64\AbletonPushCpl.exe;C:\Program Files\Corsair\Corsair iCUE5 Software\cuepkg-2.24.6\cuepkg.exe
Comment: Lists the first 30 scheduled tasks with their last/next run times and last result
Powershell: Get-ScheduledTask | select -first 30 | Get-ScheduledTaskInfo
Comment: Prints the first 2000 characters of every discord_desktop_core\index.js under AppData so it can be checked for injected code
Powershell: @("$env:APPDATA","$env:LOCALAPPDATA") | ForEach-Object { Get-ChildItem $_ -Recurse -Filter "index.js" -ErrorAction SilentlyContinue } | Where-Object { $_.FullName -match "discord_desktop_core" } | ForEach-Object { $content = Get-Content $_.FullName -Raw; Write-Host "--- $($_.FullName) ---"; $content.Substring(0,[Math]::Min(2000,$content.Length)) }
Comment: Prints the Explorer RunMRU history (commands typed into the Win+R Run dialog)
Powershell: (Get-ItemProperty "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU" -ErrorAction SilentlyContinue).PSObject.Properties | Where-Object { $_.Name -match "^[a-z]$" } | ForEach-Object { Write-Host "$($_.Name): $($_.Value)" }
C:\WINDOWS\Temp\*
C:\WINDOWS\SystemTemp\*
C:\Users\RomaP\AppData\Local\Temp\*
StartPowerShell:
# Downloads the newest AdwCleaner version directly from Malwarebytes, performs an update, scans, cleans and prints the log to the console
# Does not clean preinstalled objects, only PUP/Adware
# If you would like to delete preinstalled objects, add the argument /preinstalled after the /clean argument
# If you would like to only scan with it, change the argument from /clean to /scan
New-Item -ItemType Directory -Force -Path "$env:SystemDrive\AdwCleaner" | Out-Null
Invoke-WebRequest -Uri "https://adwcleaner.malwarebytes.com/adwcleaner?channel=release" -OutFile "$env:SystemDrive\AdwCleaner\AdwCleanerFRST.exe"
# First run only accepts the EULA; the second run does the actual update/scan/clean
Start-Process -FilePath "$env:SystemDrive\AdwCleaner\AdwCleanerFRST.exe" -ArgumentList "/eula" -Wait -WindowStyle Hidden
$logFile = "$env:SystemDrive\AdwCleaner\AdwCleanerOutputFRST.txt"
Start-Process -FilePath "$env:SystemDrive\AdwCleaner\AdwCleanerFRST.exe" -ArgumentList "/noreboot /clean" -Wait -WindowStyle Hidden -RedirectStandardOutput $logFile
Get-Content $logFile -Encoding Unicode
Remove-Item -Path $logFile -Force -ErrorAction SilentlyContinue
EndPowerShell:
StartPowershell:
# Replace /scanonly with /clean if you also want to delete items; however, this activates a trial license on the system, so I do not recommend it
$hmpExe = "$env:TEMP\HitmanPro_x64.exe"
$logFile = "$env:TEMP\HitmanPro_ScanLog.txt"
Invoke-WebRequest -Uri "https://dl.surfright.nl/HitmanPro_x64.exe" -OutFile $hmpExe -UseBasicParsing
# /ews = early warning scoring, /noinstall = portable run, text log written to $logFile
$proc = Start-Process $hmpExe -ArgumentList "/ews","/scanonly","/noinstall","/log=`"$logFile`"","/logtype=txt" -Wait -PassThru
if (!(Test-Path $logFile)) { Write-Host "Scan failed (exit $($proc.ExitCode))"; exit 1 }
Get-Content $logFile -Encoding Unicode
EndPowershell:
StartPowerShell:
# This snippet downloads Emsisoft Emergency Kit (EEK) from Emsisoft's official site, updates it and scans with it.
# Do note that the executable is about 300 MB and may take some time to download.
# ---
# This will scan for malware and PUPs in 1) system memory 2) important folders, as the documentation says
# It will scan inside compressed archives, mail archives and NTFS alternate data streams and use cloud requests
# ---
# You can use the argument "/delete" to delete found objects including references, but this is permanent and irreversible.
# You can remove the "/quick" argument to do a full scan, but that may take longer than what FRST can handle.
# You can use the argument "/quarantine="[folder]"" to put found malware into quarantine, but I personally prefer first verifying the detections.
$downloadUrl = "https://dl.emsisoft.com/EmsisoftEmergencyKit.exe"
$systemDrive = $env:SystemDrive
$frstPath = "$systemDrive\FRST"
$savePath = "$frstPath\EEK.exe"
$extractPath = "$frstPath\EEK"
if (-not (Test-Path $frstPath)) { New-Item -Path $frstPath -ItemType Directory -Force | Out-Null }
if (-not (Test-Path $extractPath)) { New-Item -Path $extractPath -ItemType Directory -Force | Out-Null }
Invoke-WebRequest -Uri $downloadUrl -OutFile $savePath -UseBasicParsing
# Silent self-extraction into $extractPath; the extractor is killed once a2cmd.exe has appeared
$proc = Start-Process -FilePath $savePath -ArgumentList "-s -d`"$extractPath`"" -PassThru
while (-not (Test-Path "$extractPath\bin64\a2cmd.exe")) { Start-Sleep -Milliseconds 1000 }
Stop-Process -Id $proc.Id -Force -ErrorAction SilentlyContinue
if ([Environment]::Is64BitOperatingSystem) {
    $a2cmdPath = Join-Path $extractPath "bin64\a2cmd.exe"
} else {
    $a2cmdPath = Join-Path $extractPath "bin32\a2cmd.exe"
}
Start-Process -FilePath $a2cmdPath -ArgumentList "/update" -Wait -NoNewWindow
Start-Process -FilePath $a2cmdPath -ArgumentList "/malware /quick /m /t /pup /a /am /cloud=1 /la=`"$frstPath\EEK_scan.log`"" -Wait -NoNewWindow
Get-Content "$frstPath\EEK_scan.log"
exit
EndPowerShell:
cmd: del %temp%\*.* /f /s /q
cmd: rd /s /q %temp%
cmd: bitsadmin /reset /allusers
cmd: netsh winsock reset catalog
cmd: ipconfig /flushdns
RemoveProxy:
EmptyTemp:
End
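The fixlist above removes three classes of indicator: browser shortcuts whose arguments side-load an unpacked extension from C:\Extension (with --disable-features=DisableLoadExtensionCommandLineSwitch to re-enable the switch Chromium otherwise blocks), a scheduled task under Microsoft\Windows\WlanSvc that runs a .pyc through pythonw.exe from the user's profile, and the EnableSmartScreen policy value set to 0. The following is an added triage script, not part of the original fixlist and not an FRST directive: run it in an elevated PowerShell before the fix to see what FRST is about to remove, and again afterwards to confirm it is gone. The function names, the list of shortcut folders and the regex heuristics are my own choices, and the policy key is assumed to be HKLM\SOFTWARE\Policies\Microsoft\Windows\System (the log only shows it abbreviated as Policies\...\system).

```powershell
# Added triage script for the indicators in the fixlist above; not FRST output and not part of the fixlist.
# Function names, folder list and regexes are the editor's own heuristics.

# Shortcut folders the fixlist touched (per-user and all-users locations).
$ShortcutRoots = @(
    "$env:USERPROFILE\Desktop",
    "$env:PUBLIC\Desktop",
    "$env:APPDATA\Microsoft\Windows\Start Menu\Programs",
    "$env:ProgramData\Microsoft\Windows\Start Menu\Programs",
    "$env:APPDATA\Microsoft\Internet Explorer\Quick Launch"
)

function Find-HijackedBrowserShortcuts {
    # Reports every .lnk whose argument string side-loads an unpacked extension.
    # --load-extension is the hijack itself; --disable-features=DisableLoadExtensionCommandLineSwitch
    # is how the hijacker re-enables that switch on Chromium builds that disable it.
    param([string[]]$Roots = $ShortcutRoots)
    $shell = New-Object -ComObject WScript.Shell
    foreach ($root in $Roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        Get-ChildItem -LiteralPath $root -Filter *.lnk -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
            $lnk = $shell.CreateShortcut($_.FullName)   # on an existing .lnk this reads it
            if ($lnk.Arguments -match '--load-extension=|DisableLoadExtensionCommandLineSwitch') {
                [pscustomobject]@{
                    Shortcut  = $_.FullName
                    Target    = $lnk.TargetPath
                    Arguments = $lnk.Arguments
                }
            }
        }
    }
}

function Find-UserWritableTaskActions {
    # Scheduled tasks whose action runs from a user-writable location or runs a .pyc,
    # the pattern of the WlanSvc\MoProfileManagementbi1V4 task in the fixlist.
    # Heuristic only: legitimate per-user updaters also live under AppData. -match is case-insensitive.
    Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            # COM-handler actions have no Execute/Arguments; the string is then blank and never matches
            $cmd = "$($action.Execute) $($action.Arguments)".Trim()
            if ($cmd -match '\\(AppData|ProgramData|Temp)\\' -or $cmd -match '\.pyc(\W|$)') {
                [pscustomobject]@{
                    TaskPath = $task.TaskPath
                    TaskName = $task.TaskName
                    Command  = $cmd
                }
            }
        }
    }
}

function Get-SmartScreenPolicy {
    # The log flagged [EnableSmartScreen] 0 under HKLM\Software\Policies\...\system.
    # Assumed full key (editor's assumption): the Windows System policy key below.
    # A missing value means "not configured", which is the default; 0 means disabled by policy.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
    $value = (Get-ItemProperty -Path $key -Name EnableSmartScreen -ErrorAction SilentlyContinue).EnableSmartScreen
    $display = 'not configured'
    if ($null -ne $value) { $display = $value }
    [pscustomobject]@{
        Key      = $key
        Value    = $display
        Disabled = ($value -eq 0)
    }
}

Find-HijackedBrowserShortcuts | Format-Table -AutoSize -Wrap
Find-UserWritableTaskActions  | Format-Table -AutoSize -Wrap
Get-SmartScreenPolicy
```

After the fix, the first two functions should return nothing for the entries listed above and the third should report "not configured" (FRST's handling of the flagged policy value) or a non-zero value. Anything the task heuristic still reports needs a look at the signer and path of the executable rather than automatic removal, since per-user software such as EdgeUpdate legitimately runs from AppData.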