Start::
SystemRestore: On
CreateRestorePoint:
CloseProcesses:
FirewallRules: [{AC34E7F6-620D-4E1D-A4F0-A8001AE85A87}] => (Allow) C:\Program Files\TeamViewer\TeamViewer_Service.exe (TeamViewer Germany GmbH -> TeamViewer Germany GmbH)
FirewallRules: [{373B8D60-6746-4027-8FA9-B1F8252EF5CD}] => (Allow) C:\Program Files\TeamViewer\TeamViewer_Service.exe (TeamViewer Germany GmbH -> TeamViewer Germany GmbH)
FirewallRules: [{2181C4EC-949E-4BCD-BD0E-C0DA98DC6FB1}] => (Allow) C:\Program Files\TeamViewer\TeamViewer.exe (TeamViewer Germany GmbH -> TeamViewer Germany GmbH)
FirewallRules: [{1350E77C-1AD2-45C7-9FDA-3F04102D7FDC}] => (Allow) C:\Program Files\TeamViewer\TeamViewer.exe (TeamViewer Germany GmbH -> TeamViewer Germany GmbH)
2026-04-26 02:38 - 2026-02-26 00:32 - 000000000 ____D C:\Users\Admin\AppData\Roaming\RenPy
CustomCLSID: HKU\S-1-5-21-3827769967-2390880485-2303853151-1001_Classes\CLSID\{52146D8E-DB34-4318-BD40-D061EE9C05C5}\localserver32 -> "NAVER.WIN32_LINEwin8_8ptj331gd3tyt!LINE" -ToastActivated => No File
FirewallRules: [{3E7985E1-39D3-4A47-B48F-1D60B951A496}] => (Allow) D:\Steam\steamapps\common\Helldivers 2\bin\helldivers2.exe => No File
FirewallRules: [{B5105774-3E24-4AB6-9E7F-BAC3B0D03B0F}] => (Allow) D:\Steam\steamapps\common\Helldivers 2\bin\helldivers2.exe => No File
FirewallRules: [UDP Query User{6D191504-5046-48DB-9CB8-C8B04110C935}D:\space\starcitizen\live\bin64\starcitizen.exe] => (Allow) D:\space\starcitizen\live\bin64\starcitizen.exe => No File
FirewallRules: [TCP Query User{644839AC-EA2C-4727-A618-F5EFC787AE91}D:\space\starcitizen\live\bin64\starcitizen.exe] => (Allow) D:\space\starcitizen\live\bin64\starcitizen.exe => No File
FirewallRules: [UDP Query User{29D4ADF9-BDC8-4AA8-90F4-124387548149}C:\users\admin\appdata\local\medal\app-4.2699.0\medal.exe] => (Allow) C:\users\admin\appdata\local\medal\app-4.2699.0\medal.exe => No File
FirewallRules: [TCP Query User{67620AA3-8509-47E5-A78F-326FB4CCE794}C:\users\admin\appdata\local\medal\app-4.2699.0\medal.exe] => (Allow) C:\users\admin\appdata\local\medal\app-4.2699.0\medal.exe => No File
FirewallRules: [{06A696A2-EB3B-4DD2-9097-8A38C75CB317}] => (Allow) D:\Steam\steamapps\common\Tom Clancy's Rainbow Six Siege\RainbowSix_DX11.exe => No File
FirewallRules: [{DB873617-714C-4D8E-9C2D-32B09998E197}] => (Allow) D:\Steam\steamapps\common\Tom Clancy's Rainbow Six Siege\RainbowSix_DX11.exe => No File
FirewallRules: [UDP Query User{18CC042E-1B4E-4519-9B06-904C4FCC3C16}C:\users\admin\appdata\local\medal\app-4.2535.0\medal.exe] => (Allow) C:\users\admin\appdata\local\medal\app-4.2535.0\medal.exe => No File
FirewallRules: [TCP Query User{9A8152B0-154F-45C2-A3CD-A3EAF3FC7E7D}C:\users\admin\appdata\local\medal\app-4.2535.0\medal.exe] => (Allow) C:\users\admin\appdata\local\medal\app-4.2535.0\medal.exe => No File
FirewallRules: [{15671A9C-033B-4510-9A18-F024AD803E0C}] => (Allow) D:\Steam\bin\cef\cef.win7x64\steamwebhelper.exe => No File
FirewallRules: [{F584F5B5-93B5-4987-B692-B0B676E92156}] => (Allow) D:\Steam\bin\cef\cef.win7x64\steamwebhelper.exe => No File
FirewallRules: [UDP Query User{F65A617E-A89C-45F5-B20F-D1C9CDB63F0D}D:\ue_4.27\engine\binaries\win64\ue4editor.exe] => (Allow) D:\ue_4.27\engine\binaries\win64\ue4editor.exe => No File
FirewallRules: [TCP Query User{E37EC6FE-9FF3-49EF-95E5-F46DF0606683}D:\ue_4.27\engine\binaries\win64\ue4editor.exe] => (Allow) D:\ue_4.27\engine\binaries\win64\ue4editor.exe => No File
FirewallRules: [{8073FB18-C97A-4D9B-828C-FE4BEDD24CD4}] => (Allow) D:\Steam\steamapps\common\ULTRAKILL\ULTRAKILL.exe => No File
FirewallRules: [{4F8FC324-350C-42B4-B372-A3D736B41367}] => (Allow) D:\Steam\steamapps\common\ULTRAKILL\ULTRAKILL.exe => No File
FirewallRules: [{A695D097-82B7-4144-8437-C3C289BDF561}] => (Allow) D:\Steam\steamapps\common\Lethal Company\Lethal Company.exe => No File
FirewallRules: [{3B027C0D-239B-41EE-A7C5-8235710E0888}] => (Allow) D:\Steam\steamapps\common\Lethal Company\Lethal Company.exe => No File
FirewallRules: [{7DEA9210-C468-44BD-840B-ABCCE9BEF789}] => (Allow) D:\Steam\steamapps\common\VTube Studio\VTube Studio.exe => No File
FirewallRules: [{DA65A8F7-712E-415C-89D9-73A895C2AB91}] => (Allow) D:\Steam\steamapps\common\VTube Studio\VTube Studio.exe => No File
FirewallRules: [TCP Query User{4727C331-D9F9-4034-B16B-BDB48ABA3F1C}D:\steam\steamapps\common\battlefield v\bfv.exe] => (Allow) D:\steam\steamapps\common\battlefield v\bfv.exe => No File
FirewallRules: [UDP Query User{7E2905C1-C45D-4CA4-A3A1-5C472B3CB7D1}D:\steam\steamapps\common\battlefield v\bfv.exe] => (Allow) D:\steam\steamapps\common\battlefield v\bfv.exe => No File
FirewallRules: [{DA385547-5A5F-4A79-97D4-90C2C3E258FE}] => (Allow) D:\Steam\steamapps\common\RPG Maker MZ\RPGMZ.exe => No File
FirewallRules: [{1B79F4A1-2DB8-49D4-B2FE-38672A8A003D}] => (Allow) D:\Steam\steamapps\common\RPG Maker MZ\RPGMZ.exe => No File
FirewallRules: [{FC42E762-1356-4C34-A505-B750F695EF9B}] => (Allow) D:\Steam\steamapps\common\Tom Clancy's Rainbow Six Siege\RainbowSix.exe => No File
FirewallRules: [{E6689C2C-D97E-445A-83AB-14A44863FC56}] => (Allow) D:\Steam\steamapps\common\Tom Clancy's Rainbow Six Siege\RainbowSix.exe => No File
FirewallRules: [{0F788A5B-3656-49D5-B9A4-9476E6084FE2}] => (Allow) D:\Steam\steamapps\common\Tom Clancy's Rainbow Six Siege\RainbowSix_BE.exe => No File
FirewallRules: [{6F0F850A-5226-46C0-8D5C-5F4B1B362D36}] => (Allow) D:\Steam\steamapps\common\Tom Clancy's Rainbow Six Siege\RainbowSix_BE.exe => No File
FirewallRules: [{12BD0689-077D-470B-B423-F84328BC0743}] => (Allow) D:\overwolf\0.296.3.3\OverwolfBrowser.exe => No File
FirewallRules: [{443F826B-6951-43E2-9CB7-C34385A8AB45}] => (Allow) D:\overwolf\0.296.3.3\OverwolfBrowser.exe => No File
FirewallRules: [{BFB6F458-4282-4AE7-973E-ED364E68F24E}] => (Block) D:\overwolf\0.296.3.3\OverwolfBrowser.exe => No File
FirewallRules: [{7DA384BC-CF1C-4429-B217-4821CE93BF3F}] => (Block) D:\overwolf\0.296.3.3\OverwolfBrowser.exe => No File
Task: {077BA067-7C15-40F0-B22E-C9DC2A54B4A2} - System32\Tasks\Microsoft\Windows\Location\Notifications => %windir%\System32\LocationNotificationWindows.exe (No File)
Task: {0BB36A32-0D9E-4297-AFD7-6BD7B5DB4C9B} - System32\Tasks\Microsoft\Windows\UNP\RunUpdateNotificationMgr => %windir%\System32\UNP\UpdateNotificationMgr.exe (No File)
Task: {F3E6E7ED-A196-4E44-8803-55FAB3AD4E29} - System32\Tasks\Microsoft\Windows\UpdateOrchestrator\USO_UxBroker => %systemroot%\system32\MusNotification.exe (No File)
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender: Restriction <==== ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate: Restriction <==== ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\MRT: Restriction <==== ATTENTION
HKLM\SYSTEM\...\Terminal Server: [fDenyTSConnections] = 0 <==== ATTENTION
HKLM\SOFTWARE\Policies\Google: Restriction <==== ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Edge: Restriction <==== ATTENTION
Task: {4A819268-FA62-4FA4-AFD1-0DD0B5D3585A} - System32\Tasks\CCleanerCrashReporting => C:\Users\Admin\OneDrive\เดสก์ท็อป\tron\resources\stage_1_tempclean\ccleaner\x64\CCleanerBugReport.exe [5074848 2024-05-20] (PIRIFORM SOFTWARE LIMITED -> Gen Digital Inc. All rights reserved.) -> --product 90 --send dumps|report --path "C:\Users\Admin\OneDrive\เดสก์ท็อป\tron\resources\stage_1_tempclean\ccleaner\LOG" --programpath "C:\Users\Admin\OneDrive\เดสก์ท็อป\tron\resources\stage_1_tempclean\ccleaner" --guid "" --version "6.24.11060" --silent
Task: {BF7DB5BA-F970-4C05-88D9-D8668093FA58} - System32\Tasks\CCleanerSkipUAC - Admin => C:\Users\Admin\OneDrive\เดสก์ท็อป\tron\resources\stage_1_tempclean\ccleaner\CCleaner.exe [39169952 2024-05-20] (PIRIFORM SOFTWARE LIMITED -> Piriform Software Ltd)
Task: {2987EF5C-87D1-4420-AF6A-FED9FFDEFC83} - System32\Tasks\Remove AdwCleaner Application => C:\Windows\system32\CMD.EXE [339968 2026-05-01] (Microsoft Windows -> Microsoft Corporation) -> /C DEL /F /Q "C:\Users\Admin\OneDrive\เดสก์ท็อป\tron\resources\stage_3_disinfect\malwarebytes_adwcleaner\adwcleaner.exe"
Task: C:\WINDOWS\Tasks\CCleanerCrashReporting.job => C:\Users\Admin\OneDrive\เดสก์ท็อป\tron\resources\stage_1_tempclean\ccleaner\x64\CCleanerBugReport.exe
StartPowerShell:
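# --- Microsoft Defender hardening ---
# Each Set-MpPreference call is issued on its own so that one rejected setting does not
# stop the rest from being applied; any error is written to the Fixlog as it happens.
# Policy values (HKLM\SOFTWARE\Policies\Microsoft\Windows Defender) override preferences,
# which is why the policy "Restriction" entries earlier in this fixlist matter: while a
# policy is in place, the matching preference below has no effect.
# NOTE(review): with Tamper Protection on, Defender itself may reject some of these
# changes; the status line below is printed first so the Fixlog shows that state.
try {
    $mpStatus = Get-MpComputerStatus -ErrorAction Stop
    "Defender status before changes: AMServiceEnabled=$($mpStatus.AMServiceEnabled) RealTimeProtection=$($mpStatus.RealTimeProtectionEnabled) TamperProtected=$($mpStatus.IsTamperProtected)"
} catch {
    "Get-MpComputerStatus failed: $($_.Exception.Message)"
}
# Enable real-time protection
Set-MpPreference -DisableRealtimeMonitoring $false
# Enable behaviour monitoring
Set-MpPreference -DisableBehaviorMonitoring $false
# Enable detection of potentially unwanted applications (PUA/PUP)
Set-MpPreference -PUAProtection Enabled
# Cloud block level 4 (HighPlus): aggressively block unknown files and apply extra
# protection measures. Use 2 (High) for a less aggressive setting or 0 for the default.
Set-MpPreference -CloudBlockLevel 4
# MAPS membership 2 = Advanced: send detailed information about detected software to Microsoft
Set-MpPreference -MAPSReporting 2
# Sample submission 1 = send safe samples automatically (prompts for anything that may hold personal data)
Set-MpPreference -SubmitSamplesConsent 1
# Network Protection: blocks outbound connections to low-reputation domains and IPs
# (SmartScreen reputation) for any process, not only HTTP; it relies on real-time
# protection being active.
Set-MpPreference -EnableNetworkProtection Enabled
# Enable Block at First Sight (cloud verdict on new, unknown files)
Set-MpPreference -DisableBlockAtFirstSeen $false
# Scan inside archive files such as .zip and .cab
Set-MpPreference -DisableArchiveScanning $false
# Scan removable drives (USB etc.) during full scans
Set-MpPreference -DisableRemovableDriveScanning $false
# Scan files on network shares
Set-MpPreference -DisableScanningNetworkFiles $false
# Check for signature updates before each scan
Set-MpPreference -CheckForSignaturesBeforeRunningScan $true
# Extend the cloud check by 30 seconds on top of the default 10-second window, i.e. up to
# ~40 seconds total. The value is the extension, not the total (max 50) — confirm against
# the current Set-MpPreference documentation if this is tuned.
Set-MpPreference -CloudExtendedTimeout 30
# Scan downloaded files and attachments (IOAV protection)
Set-MpPreference -DisableIOAVProtection $false
# Enable script scanning (AMSI-based detection of malicious scripts)
Set-MpPreference -DisableScriptScanning $false
# Turn off automatic exclusions. These are primarily server-role exclusions; on a client
# this has little effect, but on Windows Server it can affect role performance.
Set-MpPreference -DisableAutoExclusions 1
# Include mapped network drives in full scans
Set-MpPreference -DisableScanningMappedNetworkDrivesForFullScan 0
# Scan e-mail files (mailbox/archive formats)
Set-MpPreference -DisableEmailScanning 0
# Enable the DNS sinkhole feature (blocks resolution of known-malicious domains)
Set-MpPreference -EnableDnsSinkhole $true
# Check for signature updates every 12 hours
Set-MpPreference -SignatureUpdateInterval 12
# Quarantine (rather than merely alert on) threats rated High and Severe
Set-MpPreference -HighThreatDefaultAction Quarantine
Set-MpPreference -SevereThreatDefaultAction Quarantine
# Pull the latest signatures now (requires network access)
Update-MpSignature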
EndPowerShell:
StartPowerShell:
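# Downloads Emsisoft Emergency Kit (EEK) from Emsisoft's official site, verifies the
# download's Authenticode signature before running it, extracts it, updates it and scans.
# The executable is ~300 MB, so the download may take a while.
# ---
# Scan scope: 1) system memory 2) important folders (per the EEK documentation).
# Archives, mail archives and NTFS alternate data streams are scanned and cloud lookups are used.
# ---
# Add "/delete" to remove found objects including references — permanent and irreversible.
# Remove "/quick" for a full scan; that may take longer than FRST is willing to wait.
# Add /quarantine="<folder>" to quarantine findings; verifying detections first is preferable.
$downloadUrl = "https://dl.emsisoft.com/EmsisoftEmergencyKit.exe"
$systemDrive = $env:SystemDrive
$frstPath = "$systemDrive\FRST"
$savePath = "$frstPath\EEK.exe"
$extractPath = "$frstPath\EEK"
$scanLog = "$frstPath\EEK_scan.log"
# a2cmd lives under bin64 on 64-bit Windows and bin32 otherwise. Resolve the path up front
# so that the extraction wait below targets the binary that will actually be run.
if ([Environment]::Is64BitOperatingSystem) {
    $a2cmdPath = Join-Path $extractPath "bin64\a2cmd.exe"
} else {
    $a2cmdPath = Join-Path $extractPath "bin32\a2cmd.exe"
}
foreach ($dir in @($frstPath, $extractPath)) {
    if (-not (Test-Path $dir)) {
        New-Item -Path $dir -ItemType Directory -Force | Out-Null
    }
}
# Make sure TLS 1.2 is offered even where the Windows PowerShell default set is older.
[Net.ServicePointManager]::SecurityProtocol = [Net.ServicePointManager]::SecurityProtocol -bor [Net.SecurityProtocolType]::Tls12
Invoke-WebRequest -Uri $downloadUrl -OutFile $savePath -UseBasicParsing
# Do not execute a freshly downloaded binary without checking that it is signed and intact.
# Only signature validity is enforced here; the signer is printed so it can be confirmed in
# the Fixlog (tighten to the expected publisher once that is known).
$sig = Get-AuthenticodeSignature -FilePath $savePath
if ($sig.Status -ne 'Valid') {
    throw "EEK download failed Authenticode verification ($($sig.Status)); not executing it."
}
"EEK signer: $($sig.SignerCertificate.Subject)"
$proc = Start-Process -FilePath $savePath -ArgumentList "-s -d`"$extractPath`"" -PassThru
# Wait for the self-extractor to drop a2cmd.exe, but give up after a deadline instead of
# spinning forever if extraction fails or the flags are rejected.
$deadline = (Get-Date).AddMinutes(10)
while (-not (Test-Path $a2cmdPath)) {
    if ((Get-Date) -gt $deadline) {
        Stop-Process -Id $proc.Id -Force -ErrorAction SilentlyContinue
        throw "Timed out waiting for $a2cmdPath to be extracted."
    }
    Start-Sleep -Milliseconds 1000
}
# a2cmd.exe appearing does not mean extraction is finished — other files may still be
# being written. Give the extractor a bounded chance to exit on its own, then kill it
# (the original behaviour) in case it lingers, e.g. to launch the GUI.
if (-not $proc.WaitForExit(60000)) {
    Stop-Process -Id $proc.Id -Force -ErrorAction SilentlyContinue
}
Start-Process -FilePath $a2cmdPath -ArgumentList "/update" -Wait -NoNewWindow
Start-Process -FilePath $a2cmdPath -ArgumentList "/malware /quick /m /t /pup /a /am /cloud=1 /la=`"$scanLog`"" -Wait -NoNewWindow
Get-Content $scanLog
exit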
EndPowerShell:
StartPowerShell:
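# Downloads the newest AdwCleaner release directly from Malwarebytes, verifies its
# Authenticode signature, accepts the EULA, then scans and cleans and prints the log.
# Preinstalled objects are left alone; only PUP/adware is removed.
# To also remove preinstalled objects, add /preinstalled next to /clean.
# To only scan (no removal), change /clean to /scan.
# CAUTION: /clean removes detections without a review step; prefer /scan first when the
# findings need to be verified before anything is deleted.
$adwDir = "$env:SystemDrive\AdwCleaner"
$adwExe = "$adwDir\AdwCleanerFRST.exe"
$logFile = "$adwDir\AdwCleanerOutputFRST.txt"
New-Item -ItemType Directory -Force -Path $adwDir | Out-Null
# Make sure TLS 1.2 is offered even where the Windows PowerShell default set is older.
[Net.ServicePointManager]::SecurityProtocol = [Net.ServicePointManager]::SecurityProtocol -bor [Net.SecurityProtocolType]::Tls12
# -UseBasicParsing avoids the IE-engine dependency that can make Invoke-WebRequest hang
# on a fresh profile, and matches the other download blocks in this fixlist.
Invoke-WebRequest -Uri "https://adwcleaner.malwarebytes.com/adwcleaner?channel=release" -OutFile $adwExe -UseBasicParsing
# Refuse to run the download unless it carries a valid signature; the signer is printed so
# it can be confirmed in the Fixlog (tighten to the expected publisher once known).
$sig = Get-AuthenticodeSignature -FilePath $adwExe
if ($sig.Status -ne 'Valid') {
    throw "AdwCleaner download failed Authenticode verification ($($sig.Status)); not executing it."
}
"AdwCleaner signer: $($sig.SignerCertificate.Subject)"
# Accept the EULA non-interactively, then run the clean with stdout captured to a file.
Start-Process -FilePath $adwExe -ArgumentList "/eula" -Wait -WindowStyle Hidden
Start-Process -FilePath $adwExe -ArgumentList "/noreboot /clean" -Wait -WindowStyle Hidden -RedirectStandardOutput $logFile
# AdwCleaner's console output is read back as UTF-16 (assumed by the original; confirm if
# the log shows garbled characters).
Get-Content $logFile -Encoding Unicode
Remove-Item -Path $logFile -Force -ErrorAction SilentlyContinue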
EndPowerShell:
CMD: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /v "SmartScreenEnabled" /t REG_SZ /d "Warn" /f
CMD: reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v "EnableWebContentEvaluation" /t REG_DWORD /d 1 /f
CMD: netsh int ip reset
CMD: netsh int ipv6 reset
CMD: ipconfig /flushDNS
CMD: netsh winsock reset catalog
C:\Users\CurrentUserName\AppData\Local\Temp\*
C:\Windows\Temp\*
C:\Windows\SystemTemp\*
EmptyTemp:
End::