Start::
SystemRestore: On
CreateRestorePoint:
CloseProcesses:
Task: {9CD48070-557E-4DF1-93B2-08526FD35873} - System32\Tasks\Cr_286461593 => C:\Users\mandy\AppData\Local\Temp\tmpf286461593\KB.14.782.4343.exe (No File) <==== ATTENTION
2026-04-21 23:02 - 2026-04-21 23:02 - 000002700 _____ C:\WINDOWS\system32\Tasks\Cr_286461593
2026-04-20 20:45 - 2026-04-20 20:45 - 000000000 ____D C:\Users\mandy\AppData\Local\Yandex
2026-04-18 14:04 - 2026-04-28 16:57 - 000000000 ____D C:\ProgramData\cmddatabase_x64
2026-04-18 14:04 - 2026-04-18 14:04 - 000359904 _____ (Qihu 360 Software Co., Ltd.) C:\Users\mandy\AppData\Local\SynapseVau86.exe
2026-04-18 14:04 - 2026-04-18 14:04 - 000000000 ____D C:\Users\mandy\AppData\Roaming\cmddatabase_x64
2026-04-18 13:59 - 2026-04-18 13:59 - 000000000 ____D C:\Users\mandy\AppData\Roaming\software-setup
2026-04-15 17:18 - 2026-04-15 17:18 - 001509344 _____ (360.cn) C:\Users\mandy\HyperExpl.exe
2026-04-13 23:17 - 2026-05-01 01:28 - 000000000 ____D C:\Users\mandy\nn.exe
2026-04-13 23:17 - 2026-04-13 23:17 - 000000000 ____D C:\Users\mandy\AppData\Roaming\Rivaj
2026-04-13 23:17 - 2026-04-13 23:17 - 000000000 ____D C:\Users\mandy\AppData\Local\Mirillis
2026-04-13 23:15 - 2026-04-28 16:57 - 000000000 ____D C:\ProgramData\com_nt_db_v2_0_win32
2026-04-13 23:15 - 2026-04-13 23:15 - 000000000 ____D C:\Users\mandy\AppData\Roaming\com_nt_db_v2_0_win32
2026-04-15 17:18 - 2026-04-15 17:18 - 001509344 _____ (360.cn) C:\Users\mandy\HyperExpl.exe
2026-04-13 23:15 - 2026-04-13 23:15 - 000000000 ____D C:\Users\mandy\AppData\Roaming\RenPy
Task: {F3E6E7ED-A196-4E44-8803-55FAB3AD4E29} - System32\Tasks\Microsoft\Windows\UpdateOrchestrator\USO_UxBroker => %systemroot%\system32\MusNotification.exe (No File)
Task: {44E3E1D4-F22B-4BB6-AB34-40FE1399A6B2} - System32\Tasks\Opera scheduled Autoupdate 1771028359 => C:\Users\mandy\AppData\Local\Programs\Opera\autoupdate\opera_autoupdate.exe --scheduledtask $(Arg0) (No File)
2026-05-02 20:13 - 2026-05-02 20:13 - 000011216 _____ C:\Users\mandy\AppData\LocalLow\7f23f8d84ea683ad3fe341e4cf5e79b4d68dbb9944511425c0f44cc84c141e8b
2026-05-02 20:13 - 2026-05-02 20:13 - 000000026 _____ C:\Users\mandy\AppData\LocalLow\ae129330370d2d09440f169bd985f8485502efaac94592118297273404f02c08
2026-05-02 15:31 - 2026-05-02 15:31 - 000002264 _____ C:\Users\mandy\AppData\LocalLow\c17a975ce3eb0eb2da15e0d2dcb3822cabb0e24f84258d8e85dbb8ad91835425
2026-05-01 15:38 - 2026-05-03 01:06 - 000000130 _____ C:\Users\mandy\AppData\LocalLow\acac316b37cf918c272f0c204e4fda2b4ad7ca81885212c8f2f92296194179f5
2026-05-01 15:38 - 2026-05-01 15:38 - 000002264 _____ C:\Users\mandy\AppData\LocalLow\83418ae5ab9051fb6f33cc433fca25e23b24debc0a876824cdd84ce17e6da518
2026-05-01 15:38 - 2026-05-01 15:38 - 000000026 _____ C:\Users\mandy\AppData\LocalLow\fc704dde7e1c0a2e3ff3408c8800c57025da69ae48255dc52f8e52661466aa93
2026-05-01 12:35 - 2026-05-01 12:35 - 000002264 _____ C:\Users\mandy\AppData\LocalLow\6b38c43ea78c012724f3ed77a420fc35b60d054f72877caa6d1958f2597d77d7
2026-05-01 12:33 - 2026-05-01 12:35 - 000234985 _____ C:\Users\mandy\AppData\LocalLow\0136f4d3002f36e24ef38be90631cdf9cf3afea6357b1481a089c7ad613cba31
2026-05-01 12:33 - 2026-05-01 12:35 - 000000466 _____ C:\Users\mandy\AppData\LocalLow\caeee858e7dd69c860cc53ec659b6c104108acd852eb47bdfb71b53a34e3b202
2026-04-26 20:23 - 2026-05-02 16:01 - 000000130 _____ C:\Users\mandy\AppData\LocalLow\0a5f1dc31e015f4133ad2698ad75ba6fbaf54280fe5aee79f865d8af7c117c8b
2026-04-26 20:23 - 2026-04-26 20:23 - 000000026 _____ C:\Users\mandy\AppData\LocalLow\1f0fb1349a68046727e0d2d63a9b911b464b0f98142d53a1b62fd9c2bd240ef2
2026-04-25 20:16 - 2026-04-26 20:29 - 000000130 _____ C:\Users\mandy\AppData\LocalLow\2e572f822aeeabe42b2df2d053a520c013b692bd6ed41e7ef9d5c0ed2910baca
2026-04-25 20:16 - 2026-04-25 20:16 - 000002264 _____ C:\Users\mandy\AppData\LocalLow\02125ce79facaf3311baaee54f0377c45976cbb1ad92b4ca594534d65a7a0ecb
2026-04-25 20:16 - 2026-04-25 20:16 - 000000026 _____ C:\Users\mandy\AppData\LocalLow\d56e2db0dedac74646a73f2ed4accbc143d2de76fb10770c36f4abc14b44c623
2026-04-11 16:23 - 2026-04-11 16:23 - 000000026 _____ C:\Users\mandy\AppData\LocalLow\a917e730f256263f1a3082cb56da03373805c801d845d837dbb9693f832cb55c
2026-04-11 16:23 - 2026-04-11 16:23 - 000000026 _____ C:\Users\mandy\AppData\LocalLow\5332e7db5214c1750e818846eb20d948a6bbf0a205ec68efdfabcd2220c34bd6
2026-04-11 16:22 - 2026-04-11 16:22 - 000000026 _____ C:\Users\mandy\AppData\LocalLow\57fcd13827bd14b913e66ee4fee4228b116e33cc57980368455d393173a8b923
2026-04-11 16:22 - 2026-04-11 16:22 - 000000026 _____ C:\Users\mandy\AppData\LocalLow\4422696c7322c4f9fe385e777acd1fc67a8d07486e71c56802b46b7ed48ea4d4
2026-05-06 18:41 - 2025-03-11 20:18 - 000063239 _____ C:\Users\mandy\AppData\LocalLow\1bd07965a39ed434f6cd5c8055945d01757fba909650104f0d4a6ee8b1e5cb12
2026-05-06 18:41 - 2025-03-11 20:18 - 000000130 _____ C:\Users\mandy\AppData\LocalLow\510e21817a079475659c31da120c1475d87fa88fa884bba2c1de5da1d9b762b6
2026-05-06 18:11 - 2025-02-02 18:11 - 000110343 _____ C:\Users\mandy\AppData\LocalLow\1abc63b7c987f217521b29e18445c9b2a0b8a27bd4397fcda74dd662205af57f
2026-05-06 18:04 - 2025-02-03 21:35 - 000250556 _____ C:\Users\mandy\AppData\LocalLow\5401fb0aa8e235cee4436939101bededff751467363a623e35580dcf71fae135
2026-05-06 18:04 - 2025-02-02 22:28 - 000000130 _____ C:\Users\mandy\AppData\LocalLow\79f5262e9783f6cb99265da07a227f3b4a697bad6669628e7df591ed283266ed
2026-05-06 18:03 - 2025-08-19 01:04 - 000107619 _____ C:\Users\mandy\AppData\LocalLow\1dbf4f663964be4c228578cdc80edf6ae0ba80430ea505822e1d66c3e3c7531b
2026-05-06 18:03 - 2025-08-14 07:05 - 000017930 _____ C:\Users\mandy\AppData\LocalLow\2107ddb8a893c651a5533d66f96e43550a82603e00be29a3931a00304124a8c3
2026-05-06 18:03 - 2025-02-02 22:28 - 000031432 _____ C:\Users\mandy\AppData\LocalLow\d12898625517b083d8002a3cb38cff220e92ca63c0e9fd622d1b982d5c4a283d
2026-05-05 17:20 - 2025-02-04 18:54 - 000000130 _____ C:\Users\mandy\AppData\LocalLow\283c655cd507333ccf40a7d3581da4ba21fa601ca8cc530b458d2a49ad7b4b8e
2026-05-04 20:00 - 2025-05-23 21:11 - 000883543 _____ C:\Users\mandy\AppData\LocalLow\eda39b108ad638a48a673331ae068f49baf340b2c89c11e017eca6260bfb2885
2026-05-04 16:28 - 2025-08-19 01:04 - 000000130 _____ C:\Users\mandy\AppData\LocalLow\6bdfaba225aa137332efc4997d63a42e2094c162dc375f23f19fad1ce5c9ada1
2026-05-03 00:48 - 2026-02-14 15:20 - 000169006 _____ C:\Users\mandy\AppData\LocalLow\41302274f1fe689406b834942c6b1b36654660c9e0b97b35b4bbd911badce8af
2026-05-03 00:48 - 2026-02-14 15:19 - 000015692 _____ C:\Users\mandy\AppData\LocalLow\716f65b8e459208b66a061dc0deffa0ffa40cc3f94729efdaa184bf61f81595c
2026-05-03 00:45 - 2025-12-31 22:27 - 000011216 _____ C:\Users\mandy\AppData\LocalLow\d6b345a359422be284169808fd88ff01ba86fecce9a448f9fa2e795c5486cf18
2026-05-02 15:31 - 2026-01-02 00:28 - 000641722 _____ C:\Users\mandy\AppData\LocalLow\ec65641f37435ba271831a9e2dd0da40f834bf5d3cfafd2246ed6c97fca97026
2026-05-02 15:29 - 2025-02-04 18:54 - 000346748 _____ C:\Users\mandy\AppData\LocalLow\5752342e1f6b5997da6bd26b4ee1e88066d4516920bf2256a193be7e50a78847
2026-05-02 13:52 - 2025-02-02 18:57 - 000000130 _____ C:\Users\mandy\AppData\LocalLow\69a789ecc2248ac851c5b7748341e0df97b19b51fc48632a1b8629e8974d6578
2026-05-02 13:51 - 2025-02-02 18:57 - 000237223 _____ C:\Users\mandy\AppData\LocalLow\e2e71d94b4a2d1ac543c9730c8edeb3f9c24f3df239f5830d59588abcd2d97d3
2026-05-01 18:00 - 2025-03-19 13:46 - 000334872 _____ C:\Users\mandy\AppData\LocalLow\990cfdd12f8d7969c9923718c6ba64d1a800037fd9edb95a2af24209418e536e
2026-05-01 18:00 - 2025-03-19 13:46 - 000000130 _____ C:\Users\mandy\AppData\LocalLow\dc36d2edbd14c885f3053dff4c104a39c5dbcfa4753e8f1e6db79b4c00900220
2026-05-01 16:53 - 2025-08-14 07:05 - 000000130 _____ C:\Users\mandy\AppData\LocalLow\fdee9c05ab084f7ae2094ce3dc8ddfaa1ff2cee0dcb458c49677a247400445d8
2026-04-22 16:26 - 2025-03-23 01:33 - 000965062 _____ C:\Users\mandy\AppData\LocalLow\75fa5c83bf56dd36c9053cce629a95caa6e1c9215c6cd806de0f97d22354b2da
2026-04-18 15:00 - 2025-02-02 19:07 - 000019049 _____ C:\Users\mandy\AppData\LocalLow\a96f17ba3405cc422afcbdb63fe0ada95ee178b25899d636f2afcf2d906959d8
2026-04-15 17:43 - 2026-01-02 00:28 - 000001138 _____ C:\Users\mandy\AppData\LocalLow\170cd8cccefbbea4c2c4959fc00ce33f63a9980135449c68549f2f41ba6b7d97
2026-04-06 13:24 - 2025-04-15 16:31 - 000000466 _____ C:\Users\mandy\AppData\LocalLow\b5613ee8b56fb67ed4fe5f4f0b3c325a5881b47825ea7da18cd467321e418ee4
2026-04-06 13:22 - 2025-04-15 16:31 - 001299285 _____ C:\Users\mandy\AppData\LocalLow\30fd660c3d8b0016cff14e8a4426636f5bf4057dce9dd0e7812ac448f7a15f31
2025-12-03 18:12 - 2025-12-03 18:12 - 000000048 ____R () C:\Users\mandy\AppData\Local\266BB866E9125AE8D51D12B685ABD657
CustomCLSID: HKU\S-1-5-21-3421264388-2035614227-4257178003-1001_Classes\CLSID\{13357088-9834-0409-1600-134951500000}\localserver32 -> "C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe" -ToastActivated => No File
CustomCLSID: HKU\S-1-5-21-3421264388-2035614227-4257178003-1001_Classes\CLSID\{1dcb280c-9699-aefe-803c-2007c35cbb5a}\localserver32 -> "C:\Users\mandy\AppData\Local\Programs\Proton\Drive\ProtonDrive.exe" -ToastActivated => No File
CustomCLSID: HKU\S-1-5-21-3421264388-2035614227-4257178003-1001_Classes\CLSID\{38142727-3008-9161-1521-349515000000}\localserver32 -> "C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe" -ToastActivated => No File
CustomCLSID: HKU\S-1-5-21-3421264388-2035614227-4257178003-1001_Classes\CLSID\{50726f74-6f6e-2e56-504e-000000000000}\localserver32 -> "C:\Program Files\Proton\VPN\v4.3.11\ProtonVPN.Client.exe" -ToastActivated => No File
AlternateDataStreams: C:\Users\mandy\Documents\ChromeSetup.exe:MBAM.Zone.Identifier [780]
AlternateDataStreams: C:\Users\mandy\Documents\hydra-installer.exe:MBAM.Zone.Identifier [1984]
AlternateDataStreams: C:\Users\mandy\Documents\OfficeSetup.exe:MBAM.Zone.Identifier [474]
AlternateDataStreams: C:\Users\mandy\Documents\winrar-x64-713.exe:MBAM.Zone.Identifier [342]
AlternateDataStreams: C:\Users\Public\Shared Files:VersionCache [4600]
FirewallRules: [{9D600211-363C-4A3A-978B-EF164A2C2A90}] => (Allow) C:\Program Files (x86)\Overwolf\0.296.2.1\OverwolfBrowser.exe => No File
FirewallRules: [{528C84F3-85F1-44ED-8135-13DB19F78ED1}] => (Allow) C:\Program Files (x86)\Overwolf\0.296.2.1\OverwolfBrowser.exe => No File
FirewallRules: [{C590F056-842B-4B9E-A783-D1CFEEAD02AB}] => (Block) C:\Program Files (x86)\Overwolf\0.294.1.1\OverwolfBrowser.exe => No File
FirewallRules: [{D966123F-E67B-4DBC-B485-D045E2332CCF}] => (Block) C:\Program Files (x86)\Overwolf\0.294.1.1\OverwolfBrowser.exe => No File
FirewallRules: [{DF7BFFEF-2D45-4A43-AD83-62282535DFB2}] => (Allow) C:\Program Files (x86)\Overwolf\0.294.1.1\OverwolfBrowser.exe => No File
FirewallRules: [{29B6B963-3B5B-476E-AE95-4B8C7AAEBCB2}] => (Allow) C:\Program Files (x86)\Overwolf\0.294.1.1\OverwolfBrowser.exe => No File
FirewallRules: [{18C89D9C-4979-4E6B-8024-302E51509FD6}] => (Block) C:\Program Files (x86)\Overwolf\0.296.0.23\OverwolfBrowser.exe => No File
FirewallRules: [{7D76053C-CA65-432F-90C3-50F98787718F}] => (Block) C:\Program Files (x86)\Overwolf\0.296.0.23\OverwolfBrowser.exe => No File
FirewallRules: [{8A3DB729-E4DC-459B-9DAC-30EC2A7385B0}] => (Allow) C:\Program Files (x86)\Overwolf\0.296.0.23\OverwolfBrowser.exe => No File
FirewallRules: [{C9D85E80-1AB0-4029-BAB6-28AC7B2B3DFF}] => (Allow) C:\Program Files (x86)\Overwolf\0.296.0.23\OverwolfBrowser.exe => No File
FirewallRules: [{135033EC-C6DB-4847-9C19-BC1DB8D4D62A}] => (Allow) D:\SteamLibrary\steamapps\common\永不停息的黑暗之歌 ~ Endless Black Song\EndlessBlackSong.exe => No File
FirewallRules: [{5047CBF6-DB0C-480D-AB56-D7795FFFF621}] => (Allow) D:\SteamLibrary\steamapps\common\永不停息的黑暗之歌 ~ Endless Black Song\EndlessBlackSong.exe => No File
FirewallRules: [{F4F15EBC-33EF-4A08-B7B2-571F9D2B00DE}] => (Allow) C:\Users\mandy\AppData\Local\Programs\Opera\opera.exe => No File
FirewallRules: [UDP Query User{A0A6361E-207A-47D8-BBD9-FDC0FCB7107E}D:\persona 4 golden\crack\p4g.exe] => (Allow) D:\persona 4 golden\crack\p4g.exe => No File
FirewallRules: [TCP Query User{08072045-5817-4030-B099-E009A8A41603}D:\persona 4 golden\crack\p4g.exe] => (Allow) D:\persona 4 golden\crack\p4g.exe => No File
FirewallRules: [{3A7C8CDE-2383-421E-A182-B5A6305B2616}] => (Allow) C:\Users\mandy\Documents\The Sims 4\Game\Bin\TS4_Launcher_x64.exe => No File
FirewallRules: [{C82D146F-82B4-4909-80A2-D37BB6481208}] => (Allow) C:\Users\mandy\Documents\The Sims 4\Game\Bin\TS4_Launcher_x64.exe => No File
FirewallRules: [{55F00F9C-6FF0-483C-BEEA-3269B851F1AA}] => (Allow) C:\Program Files\Netease\MuMuPlayer\nx_device\12.0\shell\aria2.exe => No File
FirewallRules: [{FE6A0890-C583-4260-8988-5FAE1A75D56C}] => (Allow) C:\Program Files\Netease\MuMuPlayer\nx_device\12.0\shell\MuMuNxDevice.exe => No File
FirewallRules: [{F41CBDAB-D49B-484D-B977-CD187E06EDD9}] => (Allow) C:\Program Files\Netease\MuMuPlayer\nx_main\aria2.exe => No File
FirewallRules: [{48FC3FF9-270D-4DEE-80B5-C30EBF038610}] => (Allow) C:\Program Files\Netease\MuMuPlayer\nx_main\MuMuNxMain.exe => No File
FirewallRules: [{EAF42A1D-D9D2-4989-B5EA-4654C6F6F398}] => (Allow) C:\Program Files\MuMuVMMVbox\Hypervisor\MuMuVMMSVC.exe => No File
FirewallRules: [{DA58BF87-2664-482D-807F-D1C407F35B4C}] => (Allow) C:\Program Files\MuMuVMMVbox\Hypervisor\MuMuVMMHeadless.exe => No File
FirewallRules: [{3BA8CC07-336E-4B0A-9960-6070E8199C9F}] => (Allow) C:\Users\mandy\AppData\Local\Temp\7z6F157E6C\MuMuDownloader.exe => No File
FirewallRules: [UDP Query User{F0818331-FAAF-4257-8514-4BF431220937}C:\users\mandy\appdata\local\programs\hydra\resources\aria2c.exe] => (Block) C:\users\mandy\appdata\local\programs\hydra\resources\aria2c.exe => No File
FirewallRules: [TCP Query User{0E3302F0-060F-479C-8D48-26311CA37012}C:\users\mandy\appdata\local\programs\hydra\resources\aria2c.exe] => (Block) C:\users\mandy\appdata\local\programs\hydra\resources\aria2c.exe => No File
FirewallRules: [{F2488503-D031-4AB9-8B59-77C1D5023D8F}] => (Allow) D:\SteamLibrary\steamapps\common\SaihateStation\saihateeki\Game.exe => No File
FirewallRules: [{B42F9B64-E6C1-4A8D-BA3E-13213844F6AE}] => (Allow) D:\SteamLibrary\steamapps\common\SaihateStation\saihateeki\Game.exe => No File
FirewallRules: [UDP Query User{6D44F212-E15F-4F23-B645-137D6BCBD3FF}D:\steamlibrary\steamapps\common\final fantasy vii remake\end\binaries\win64\ff7remake_.exe] => (Allow) D:\steamlibrary\steamapps\common\final fantasy vii remake\end\binaries\win64\ff7remake_.exe => No File
FirewallRules: [TCP Query User{045CFE53-43A8-4660-9DAA-F2CEC57472D1}D:\steamlibrary\steamapps\common\final fantasy vii remake\end\binaries\win64\ff7remake_.exe] => (Allow) D:\steamlibrary\steamapps\common\final fantasy vii remake\end\binaries\win64\ff7remake_.exe => No File
FirewallRules: [{290A6C43-66BD-40D2-B49A-1B8E2363C745}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Where Winds Meet\Engine\Binaries\Win64r\wwm.exe => No File
FirewallRules: [{A660B495-F40E-48E2-9B6C-975D1F94BC39}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Where Winds Meet\Engine\Binaries\Win64r\wwm.exe => No File
FirewallRules: [UDP Query User{43E28FC8-CCAB-4EBF-97C1-36FB04B910AD}C:\users\mandy\documents\slvoice.exe] => (Allow) C:\users\mandy\documents\slvoice.exe => No File
FirewallRules: [TCP Query User{9073DE7D-CBF9-4590-B11F-09A2D31371A4}C:\users\mandy\documents\slvoice.exe] => (Allow) C:\users\mandy\documents\slvoice.exe => No File
FirewallRules: [{1220D64D-32E0-46FD-8126-7BC867D7B542}] => (Allow) C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe => No File
FirewallRules: [{54321348-8D28-4DA6-B1B0-9FD70F6D76DB}] => (Allow) C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe => No File
2026-04-21 23:02 - 2026-04-21 23:02 - 000002700 _____ C:\WINDOWS\system32\Tasks\Cr_286461593
StartPowerShell:
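# Harden Microsoft Defender for the post-cleanup state of this machine.
#
# Every setting is applied with its own Set-MpPreference call (not one splatted call) so that a
# single rejected parameter does not stop the remaining settings from being applied, and each
# failure is reported together with the human-readable name of the setting that was refused
# (with 22 identical cmdlet names, the stock error text does not say which one failed).
# NOTE(review): when Tamper Protection is on, changes to the real-time / behaviour / cloud
# protection settings are rejected by design; those rejections show up in the Fixlog below and
# must be resolved from the Windows Security UI (or Intune/GPO), not from this script.
$defenderSettings = @(
  # Real-time protection
  @{ Name = 'Real-time protection';                Params = @{ DisableRealtimeMonitoring = $false } }
  # Behavioural protection
  @{ Name = 'Behaviour monitoring';                Params = @{ DisableBehaviorMonitoring = $false } }
  # PUP/PUA detection
  @{ Name = 'PUA protection';                      Params = @{ PUAProtection = 'Enabled' } }
  # Cloud block level: 4 = High+ (aggressively block unknowns), 2 = High, 0 = default
  @{ Name = 'Cloud block level (4 = High+)';       Params = @{ CloudBlockLevel = 4 } }
  # MAPS membership 2 = Advanced: send detailed information about detected software
  @{ Name = 'MAPS reporting (Advanced)';           Params = @{ MAPSReporting = 2 } }
  # Sample submission 1 = send safe samples automatically
  @{ Name = 'Sample submission (safe samples)';    Params = @{ SubmitSamplesConsent = 1 } }
  # Network protection blocks outbound connections to low-reputation domains/IPs; it is
  # reputation based, not content inspection of HTTP traffic
  @{ Name = 'Network protection';                  Params = @{ EnableNetworkProtection = 'Enabled' } }
  # Block at first sight
  @{ Name = 'Block at first sight';                Params = @{ DisableBlockAtFirstSeen = $false } }
  # Scan inside archives (.zip, .cab, ...)
  @{ Name = 'Archive scanning';                    Params = @{ DisableArchiveScanning = $false } }
  # Scan removable drives
  @{ Name = 'Removable drive scanning';            Params = @{ DisableRemovableDriveScanning = $false } }
  # Scan files on network shares
  @{ Name = 'Network file scanning';               Params = @{ DisableScanningNetworkFiles = $false } }
  # Check for signature updates before each scan
  @{ Name = 'Signature check before scan';         Params = @{ CheckForSignaturesBeforeRunningScan = $true } }
  # CloudExtendedTimeout is the number of seconds *added* to the default 10 s cloud check (0-50),
  # so 30 gives a 40 s total wait for a cloud verdict
  @{ Name = 'Cloud extended timeout (+30 s)';      Params = @{ CloudExtendedTimeout = 30 } }
  # IOAV: scan downloaded files and attachments
  @{ Name = 'Download/attachment scanning (IOAV)'; Params = @{ DisableIOAVProtection = $false } }
  # Script scanning
  @{ Name = 'Script scanning';                     Params = @{ DisableScriptScanning = $false } }
  # Turn off the automatic (server-role based) exclusions
  @{ Name = 'Disable automatic exclusions';        Params = @{ DisableAutoExclusions = 1 } }
  # Include mapped network drives in full scans
  @{ Name = 'Mapped drive scanning (full scan)';   Params = @{ DisableScanningMappedNetworkDrivesForFullScan = 0 } }
  # Scan email files
  @{ Name = 'Email scanning';                      Params = @{ DisableEmailScanning = 0 } }
  # DNS sinkhole. NOTE(review): Microsoft's documentation of this switch is terse; treat it as
  # "block resolution of known-malicious domains" and confirm against current docs before relying on it
  @{ Name = 'DNS sinkhole';                        Params = @{ EnableDnsSinkhole = $true } }
  # Check for signature updates every 12 hours
  @{ Name = 'Signature update interval (12 h)';    Params = @{ SignatureUpdateInterval = 12 } }
  # Quarantine automatically for threats rated High and Severe
  @{ Name = 'High threat default action';          Params = @{ HighThreatDefaultAction = 'Quarantine' } }
  @{ Name = 'Severe threat default action';        Params = @{ SevereThreatDefaultAction = 'Quarantine' } }
)

$failed = 0
foreach ($setting in $defenderSettings) {
  $params = $setting.Params
  try {
    Set-MpPreference @params -ErrorAction Stop
  } catch {
    $failed++
    # Write-Output so the line is captured in the FRST Fixlog next to the other output
    Write-Output "Defender setting NOT applied - $($setting.Name): $_"
  }
}
Write-Output "Defender hardening: $($defenderSettings.Count - $failed) of $($defenderSettings.Count) settings applied."

# Pull the latest signatures now that the update interval is configured
Update-MpSignature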
EndPowerShell:
StartPowershell:
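# Remove every Defender exclusion (path, extension, process).
#
# Exclusions are a common persistence/evasion trick, so each one is echoed into the Fixlog
# BEFORE it is removed: the list is evidence of what the infection (or the user) had carved out
# and is lost once the removal succeeds.
# Each removal is attempted on its own; one failure no longer aborts the remaining removals,
# which is what a single try/catch around loops using -ErrorAction Stop did.
# NOTE(review): with Tamper Protection enabled these Remove-MpPreference calls are expected to
# be refused; the errors below then tell you which exclusions still need removing by hand.
$currentPrefs  = Get-MpPreference
$exclusionSets = @(
  @{ Label = 'path';      Entries = $currentPrefs.ExclusionPath;      Param = 'ExclusionPath' }
  @{ Label = 'extension'; Entries = $currentPrefs.ExclusionExtension; Param = 'ExclusionExtension' }
  @{ Label = 'process';   Entries = $currentPrefs.ExclusionProcess;   Param = 'ExclusionProcess' }
)

foreach ($set in $exclusionSets) {
  # Entries is $null when no exclusions of that kind exist; foreach over $null runs zero times
  foreach ($entry in $set.Entries) {
    Write-Output "Removing Windows Defender $($set.Label) exclusion: $entry"
    $removeArgs = @{}
    $removeArgs[$set.Param] = $entry
    try {
      Remove-MpPreference @removeArgs -Force -ErrorAction Stop
    } catch {
      Write-Error "Error occurred while removing Windows Defender exclusions: $_"
    }
  }
}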
EndPowershell:
StartPowerShell:
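# Download Emsisoft Emergency Kit (EEK) from Emsisoft's official site, update it and run a quick scan.
# The executable is ~300 MB, so the download may take a while.
# ---
# Scans 1) system memory and 2) the important folders (per EEK documentation) for malware and PUPs,
# including compressed archives, mail archives and NTFS alternate data streams, with cloud lookups.
# ---
# "/delete"              - delete found objects including references; permanent and irreversible.
# remove "/quick"        - full scan instead, which may take longer than FRST is willing to wait.
# "/quarantine="[folder]"" - quarantine instead; I prefer to verify the detections first.
# ---
# Safety checks in this snippet:
#   * the download must carry a valid Authenticode signature before it is executed (FRST runs
#     elevated, so a substituted binary would run as admin)
#   * every wait has a deadline, so a failed download or extraction cannot hang the fix forever
#   * TLS 1.2 is enabled explicitly for hosts whose .NET default is still SSL3/TLS 1.0
$downloadUrl = "https://dl.emsisoft.com/EmsisoftEmergencyKit.exe"
$systemDrive = $env:SystemDrive
$frstPath    = "$systemDrive\FRST"
$savePath    = "$frstPath\EEK.exe"
$extractPath = "$frstPath\EEK"
$scanLog     = "$frstPath\EEK_scan.log"

foreach ($dir in @($frstPath, $extractPath)) {
  if (-not (Test-Path $dir)) {
    New-Item -Path $dir -ItemType Directory -Force | Out-Null
  }
}

# Add TLS 1.2 to whatever protocols are already enabled (do not replace the set).
[Net.ServicePointManager]::SecurityProtocol = [Net.ServicePointManager]::SecurityProtocol -bor [Net.SecurityProtocolType]::Tls12

try {
  Invoke-WebRequest -Uri $downloadUrl -OutFile $savePath -UseBasicParsing -ErrorAction Stop
} catch {
  Write-Output "EEK download failed: $_"
  exit
}

# Never execute an unsigned or tampered download with FRST's elevated rights. An HTML error page
# saved as EEK.exe also fails here (Status is NotSigned).
# NOTE(review): this only verifies that the signature chains to a trusted root; pin
# $sig.SignerCertificate.Subject to the expected publisher if you also want to reject a
# validly-signed substitute (e.g. served by an interception proxy).
$sig = Get-AuthenticodeSignature -FilePath $savePath
if ($sig.Status -ne 'Valid') {
  Write-Output "EEK download has an invalid Authenticode signature ($($sig.Status)); not executing it."
  Remove-Item -Path $savePath -Force -ErrorAction SilentlyContinue
  exit
}
Write-Output "EEK.exe signed by: $($sig.SignerCertificate.Subject)"

$a2cmdRelative = if ([Environment]::Is64BitOperatingSystem) { "bin64\a2cmd.exe" } else { "bin32\a2cmd.exe" }
$a2cmdPath     = Join-Path $extractPath $a2cmdRelative

# Silent extraction (-s) into the target directory (-d).
$extractor = Start-Process -FilePath $savePath -ArgumentList "-s -d`"$extractPath`"" -PassThru

# Wait for a2cmd.exe to be written, but give up after 10 minutes or as soon as the extractor
# exits without producing it (a plain "while not exists: sleep" loop has no exit condition).
$deadline = (Get-Date).AddMinutes(10)
while (-not (Test-Path $a2cmdPath)) {
  if ($extractor.HasExited -or (Get-Date) -gt $deadline) { break }
  Start-Sleep -Seconds 1
}
if (-not (Test-Path $a2cmdPath)) {
  Write-Output "EEK extraction did not produce $a2cmdPath; aborting."
  Stop-Process -Id $extractor.Id -Force -ErrorAction SilentlyContinue
  exit
}

# a2cmd.exe appearing does not mean the rest of the kit has been extracted yet, so give the
# extractor up to 2 minutes to finish on its own before forcing it; killing it the moment
# a2cmd.exe shows up can truncate the extraction.
# NOTE(review): whether the self-extractor ever exits by itself in silent mode is not known from
# here; the forced stop below covers the case where it does not.
$extractor.WaitForExit(120000) | Out-Null
if (-not $extractor.HasExited) {
  Stop-Process -Id $extractor.Id -Force -ErrorAction SilentlyContinue
}

# Update the signatures, then scan.
Start-Process -FilePath $a2cmdPath -ArgumentList "/update" -Wait -NoNewWindow
Start-Process -FilePath $a2cmdPath -ArgumentList "/malware /quick /m /t /pup /a /am /cloud=1 /la=`"$scanLog`"" -Wait -NoNewWindow

if (Test-Path $scanLog) {
  Get-Content $scanLog
} else {
  Write-Output "EEK scan log not found at $scanLog"
}
exit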
EndPowerShell:
StartPowerShell:
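# Download the newest AdwCleaner directly from Malwarebytes, accept the EULA, scan + clean, and
# print the log into the Fixlog. Only PUPs/adware are cleaned, not preinstalled software.
#   add "/preinstalled" after "/clean" to also remove preinstalled objects
#   change "/clean" to "/scan"        to only scan
#
# Safety checks: the download must carry a valid Authenticode signature before it is executed
# (FRST runs elevated), the request cannot silently fail into running a non-existent/partial
# file, and TLS 1.2 is enabled for hosts whose .NET default is still SSL3/TLS 1.0.
$adwDir  = "$env:SystemDrive\AdwCleaner"
$adwExe  = "$adwDir\AdwCleanerFRST.exe"
$logFile = "$adwDir\AdwCleanerOutputFRST.txt"

New-Item -ItemType Directory -Force -Path $adwDir | Out-Null

# Add TLS 1.2 to whatever protocols are already enabled (do not replace the set).
[Net.ServicePointManager]::SecurityProtocol = [Net.ServicePointManager]::SecurityProtocol -bor [Net.SecurityProtocolType]::Tls12

# -UseBasicParsing avoids the Internet Explorer first-run dependency that can stall
# Invoke-WebRequest under an account that has never opened IE.
try {
  Invoke-WebRequest -Uri "https://adwcleaner.malwarebytes.com/adwcleaner?channel=release" -OutFile $adwExe -UseBasicParsing -ErrorAction Stop
} catch {
  Write-Output "AdwCleaner download failed: $_"
  exit
}

# Do not execute an unsigned or tampered download with FRST's elevated rights. An HTML error page
# saved as .exe also fails here (Status is NotSigned).
# NOTE(review): this only verifies the signature chains to a trusted root; pin
# $sig.SignerCertificate.Subject to the expected publisher to also reject a validly-signed substitute.
$sig = Get-AuthenticodeSignature -FilePath $adwExe
if ($sig.Status -ne 'Valid') {
  Write-Output "AdwCleaner download has an invalid Authenticode signature ($($sig.Status)); not executing it."
  Remove-Item -Path $adwExe -Force -ErrorAction SilentlyContinue
  exit
}
Write-Output "AdwCleanerFRST.exe signed by: $($sig.SignerCertificate.Subject)"

Start-Process -FilePath $adwExe -ArgumentList "/eula" -Wait -WindowStyle Hidden
Start-Process -FilePath $adwExe -ArgumentList "/noreboot /clean" -Wait -WindowStyle Hidden -RedirectStandardOutput $logFile

if (Test-Path $logFile) {
  Get-Content $logFile -Encoding Unicode
  Remove-Item -Path $logFile -Force -ErrorAction SilentlyContinue
} else {
  Write-Output "AdwCleaner produced no output log at $logFile"
}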
EndPowerShell:
CMD: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /v "SmartScreenEnabled" /t REG_SZ /d "Warn" /f
CMD: reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v "EnableWebContentEvaluation" /t REG_DWORD /d 1 /f
CMD: netsh int ip reset
CMD: netsh int ipv6 reset
CMD: ipconfig /flushDNS
CMD: netsh winsock reset catalog
C:\Users\mandy\AppData\Local\Temp\*
C:\Windows\Temp\*
C:\Windows\SystemTemp\*
EmptyTemp:
End::