Malware Log Analysis

shared / Grouchy-Payment8731

Start::
SystemRestore: On
CreateRestorePoint:
CloseProcesses:
CHR Extension: (Sound Booster - increase volume up) - C:\Users\Lenovo\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmigaijibiabddkkmjhlehchpmgbokfj [2026-04-03]
CHR Extension: (Sound Booster - increase volume up) - C:\Users\Lenovo\AppData\Local\Google\Chrome\User Data\Profile 4\Extensions\nmigaijibiabddkkmjhlehchpmgbokfj [2026-06-09]
CHR Extension: (WASM TTS Engine) - C:\Users\Lenovo\AppData\Local\Google\Chrome\User Data\WasmTtsEngine\20260528.1 [2026-05-30] [UpdateUrl:0] <==== ATTENTION
PowerShell: Remove-MpPreference -ExclusionPath "C:\ProgramData\Solara"
Task: {F6963642-F388-4D56-892F-DE1B17A61E0A} - System32\Tasks\Microsoft\Windows\UpdateOrchestrator\USO_UxBroker => %systemroot%\system32\MusNotification.exe (No File)
S0 WinSetupMon; system32\DRIVERS\WinSetupMon.sys (No File)
2026-05-26 22:50 - 2026-05-26 22:51 - 000000000 ___HD C:\WINDOWS\msdownld.tmp
2026-05-26 14:59 - 2026-05-26 14:59 - 000000130 _____ C:\Users\Lenovo\AppData\LocalLow\af14cf69ff6d985c3f101c23a17c6d119145fc4f595df4020539dcc1fbac901e
2026-05-26 14:59 - 2026-05-26 14:59 - 000000026 _____ C:\Users\Lenovo\AppData\LocalLow\d09b374fed31937c9715cde75da93d445eda2299f535f4d997bc7a6132dd7cbb
2026-05-26 14:57 - 2026-05-26 14:57 - 000002264 _____ C:\Users\Lenovo\AppData\LocalLow\87d9928273e2f1d20f1374812dddd473ad996ab7be2271e88afa2e5113348718
2026-05-26 14:57 - 2026-05-26 14:57 - 000000026 _____ C:\Users\Lenovo\AppData\LocalLow\1656d4c90429006b16740b425e27aabed0b707f273623bba3e1f48a056cb118b
2026-05-24 21:06 - 2026-05-27 01:20 - 000000130 _____ C:\Users\Lenovo\AppData\LocalLow\d5e3c4f33a8b1acf12540c393c69ac051780058cb651f40543796a9ef224e75f
2026-05-24 21:06 - 2026-05-24 21:06 - 000000026 _____ C:\Users\Lenovo\AppData\LocalLow\d09abb6f9d3c2030ead479b6fb5f44b49342ca0c0a24c284b038fd32d5a100b0
2026-05-24 11:48 - 2026-06-09 18:25 - 002617997 _____ C:\Users\Lenovo\AppData\LocalLow\f38c0bbbf1665c96f97ef2069cff1d297f69b5ef59e1c3e7ef44c70f8cfdcf13
2026-05-24 11:48 - 2026-05-24 11:48 - 000005878 _____ C:\Users\Lenovo\AppData\LocalLow\46b84c56e5a39e4acf67351d35eed55fffd81137789b8fe27676f1e1acc8ea45
2026-05-24 11:48 - 2026-05-24 11:48 - 000000026 _____ C:\Users\Lenovo\AppData\LocalLow\f773c56361b242c9b9fe8e1dbf2c35f9033f7d4d14d43c1e9d31d595a2a2c8be
2026-05-24 11:47 - 2026-06-09 17:17 - 000138906 _____ C:\Users\Lenovo\AppData\LocalLow\448738bfcb1ec1031d2fd25ab475b65cc66538c8b0d30d2dc444d1eb30b82c27
2026-05-24 11:47 - 2026-05-24 11:47 - 000000026 _____ C:\Users\Lenovo\AppData\LocalLow\e56cb92b74e9927fb92b0488ec1b4aa90a6cc703afce4b2768da689ee2b7b10d
2026-05-24 11:43 - 2026-06-02 16:45 - 000065024 _____ C:\Users\Lenovo\AppData\LocalLow\721c5305d8cd2c514bac9d4f61535f7114d93da02bee3f9c7202c98f588ce853
2026-05-24 11:43 - 2026-05-24 11:43 - 000000026 _____ C:\Users\Lenovo\AppData\LocalLow\be60e99fe15aec03f505963da7031a14420357ba69cec7aaad168a9dd408b0e4
2026-06-18 17:23 - 2026-04-10 16:21 - 000000130 _____ C:\Users\Lenovo\AppData\LocalLow\7113ec6ff4ee4f5948820ac636549ae7f85a04bf0172e57d22e1e900c551652e
2026-06-18 17:18 - 2026-04-10 16:26 - 000000130 _____ C:\Users\Lenovo\AppData\LocalLow\90f7343f5fd3f76c78f2a8946cbbf4d48fbed2a19b393de85536341699c64704
2026-06-18 17:17 - 2026-04-13 22:08 - 000129600 _____ C:\Users\Lenovo\AppData\LocalLow\587cfa77128ee8565a05f7633cd4770bb7fb92f2f01294beeaa64d2347599e43
2026-06-18 17:09 - 2026-04-23 17:03 - 000000130 _____ C:\Users\Lenovo\AppData\LocalLow\6a89ec1c88da00527dda9291110ce9917e4c44020f83205248d0c56075f6cb0a
2026-06-17 20:48 - 2026-04-11 05:25 - 000000130 _____ C:\Users\Lenovo\AppData\LocalLow\71dab428b2f567221b1d8efd6990ac839b2dba94914b06ccec3c85d5187f0efb
2026-06-17 19:42 - 2026-04-10 21:53 - 000013485 _____ C:\Users\Lenovo\AppData\LocalLow\b39afa1a1bc8465018b6c7e33ac6e8d4f14f729a44ce1b2cfc7ab477ec139f18
2026-06-17 15:09 - 2026-04-15 14:48 - 000000130 _____ C:\Users\Lenovo\AppData\LocalLow\e93a803bb5ef6d7f148b70c8f7b68d1a23a1e1d82a51e4ae3aeb556ff7ca7f51
2026-06-16 11:32 - 2026-04-15 14:50 - 000000130 _____ C:\Users\Lenovo\AppData\LocalLow\31ca9a0dd617771048437630e62a0a40797d0b5abd1f1e7cbebff1a6ff13d140
2026-06-16 11:30 - 2026-04-14 20:08 - 000000130 _____ C:\Users\Lenovo\AppData\LocalLow\6a38cb4f6a9038d6b3421bb538a7d1a5adeef7ffd6b62a694c7b99cc07d12e8d
2026-06-13 09:03 - 2026-05-10 20:13 - 000000298 _____ C:\Users\Lenovo\AppData\LocalLow\2991c9790c9934a4e2aaa2a9fcfd2d3d5075c9cdf0b0c2ff7dfab4edf190b894
2026-06-13 09:03 - 2026-04-10 16:21 - 000726628 _____ C:\Users\Lenovo\AppData\LocalLow\c806779b74effe5880187cbd7036e85fb500805a498acdd5f90e1ecdd5194d4b
2026-06-11 15:59 - 2026-05-10 20:13 - 000178126 _____ C:\Users\Lenovo\AppData\LocalLow\e4eb9b382ba9adbc0a7673c50215bebc82ceffb1fb89ef121b74c6f28fca5436
2026-06-09 21:13 - 2026-04-10 16:12 - 000000130 _____ C:\Users\Lenovo\AppData\LocalLow\966753c4fa34213b51768bf5524ce7149e8772457d94b771a2e151647cfb345a
2026-06-09 20:29 - 2026-04-10 16:12 - 001077228 _____ C:\Users\Lenovo\AppData\LocalLow\6ee0d3b6ef25004b2bb2770a8b5e7d76b71f23fd3f28e8c3c57056832c7260a6
2026-06-05 19:27 - 2026-04-22 18:30 - 000257963 _____ C:\Users\Lenovo\AppData\LocalLow\0ee335be4b068e49d03568e123798e254c8817b82dfda1ef37e7176cb6599f8d
2026-06-03 19:39 - 2026-04-22 18:30 - 000000130 _____ C:\Users\Lenovo\AppData\LocalLow\515158adeeed3b49d7ff8fcea29fa0055bc35e985f66b4b568f9fb295fc7782d
2026-06-02 22:25 - 2026-04-14 20:08 - 000038055 _____ C:\Users\Lenovo\AppData\LocalLow\fddf362b944a4394d35b4311cc8a13d54a906f514868eb965ff4c7daa5653cfa
2026-05-30 23:38 - 2026-04-11 05:25 - 000052706 _____ C:\Users\Lenovo\AppData\LocalLow\e67ae766d8bc0fe874f9db6c7cca49f016d924a1104917127ad8edde28080cee
2026-05-27 11:28 - 2026-04-29 19:34 - 000364528 _____ C:\Users\Lenovo\AppData\LocalLow\bf53e722dcec20b5a4bc4aa6f861ec4d5c3b7a4dab474408f45720fd8bd3afd6
CustomCLSID: HKU\S-1-5-21-731599559-3819474804-2250905888-1002_Classes\CLSID\{7154076F-06E3-4935-8535-C511230354EF}\localserver32 -> C:\Program Files\Unity Hub\Unity Hub.exe => No File
AlternateDataStreams: C:\Users\Lenovo\Downloads\python-3.13.5-amd64.exe:BDU [0]
FirewallRules: [TCP Query User{F91E817F-61B6-41E7-9DF3-F61CBB2474DF}C:\users\lenovo\appdata\local\discord\app-1.0.9233\discord.exe] => (Allow) C:\users\lenovo\appdata\local\discord\app-1.0.9233\discord.exe => No File
FirewallRules: [UDP Query User{DB389885-72F1-44B2-BB88-40602C0B0035}C:\users\lenovo\appdata\local\discord\app-1.0.9233\discord.exe] => (Allow) C:\users\lenovo\appdata\local\discord\app-1.0.9233\discord.exe => No File
FirewallRules: [{E99ADF1A-79C7-43E5-B42D-F984DB31BB1D}] => (Allow) C:\Program Files (x86)\BlueStacks X\BlueStacksWeb.exe => No File
FirewallRules: [{87CC0DD4-79CE-4372-BA9C-24507C7F8C0D}] => (Allow) C:\Program Files (x86)\BlueStacks X\Cloud Game.exe => No File
FirewallRules: [{80C16B95-2C98-425E-8B9B-099A0F2E0054}] => (Allow) C:\Program Files\BlueStacks_nxt\HD-Player.exe => No File
FirewallRules: [{D68D6C08-9406-4125-90F5-17CF04D4E677}] => (Allow) C:\Program Files\BlueStacks_nxt\BlueStacksAppplayerWeb.exe => No File
FirewallRules: [{6DB12179-AD92-4CED-9157-2886D8A5046C}] => (Allow) C:\Program Files\Unity Hub\Unity Hub.exe => No File
Folder: C:\Users\Lenovo\AppData\Local\Adulttale
StartPowerShell:
# This snippet re-enables Windows Defender and applies optimized settings to ensure high protection against malware
# Enable real-time protection
Set-MpPreference -DisableRealtimeMonitoring $false
# Enable behavioural protection
Set-MpPreference -DisableBehaviorMonitoring $false
# Enable PUP detection
Set-MpPreference -PUAProtection Enabled
# Enable cloud protection to level 4 - aggressively block unknowns and apply additional protection measures; alternatively use 2 for lower protection or 0 for default
Set-MpPreference -CloudBlockLevel 4
# Send advanced information about malicious/unwanted software present on your device
Set-MpPreference -MAPSReporting 2
# Send safe samples automatically to Microsoft
Set-MpPreference -SubmitSamplesConsent 1
# Enables inspection of HTTP traffic to detect malicious websites
Set-MpPreference -EnableNetworkProtection Enabled
# Enables block at first seen
Set-MpPreference -DisableBlockAtFirstSeen $false
# Allows scanning of archive files, such as .zip and .cab files, for malware/PUP
Set-MpPreference -DisableArchiveScanning $false
# Enables automatic scanning of USB and removable drives
Set-MpPreference -DisableRemovableDriveScanning $false
# Enables scanning of network files
Set-MpPreference -DisableScanningNetworkFiles $false
# Forces a signature check before running a scan
Set-MpPreference -CheckForSignaturesBeforeRunningScan $true
# Extends the cloud check timer from the default 10 to 30 seconds
Set-MpPreference -CloudExtendedTimeout 30
# Enables automatic scanning of all downloaded files and attachments
Set-MpPreference -DisableIOAVProtection $false
# Enables script detection
Set-MpPreference -DisableScriptScanning $false
# Disables automatic exclusions from scanning
Set-MpPreference -DisableAutoExclusions 1
# Enables scanning of mapped network drives
Set-MpPreference -DisableScanningMappedNetworkDrivesForFullScan 0
# Enables scanning of email files
Set-MpPreference -DisableEmailScanning 0
# Enables blocking of malicious domains and IPs at DNS level
Set-MpPreference -EnableDnsSinkhole $true
# Enables signature updates every 12 hours
Set-MpPreference -SignatureUpdateInterval 12
# Enables automatic quarantine for threats labelled as high and severe
Set-MpPreference -HighThreatDefaultAction Quarantine
Set-MpPreference -SevereThreatDefaultAction Quarantine
# Updates signatures
Update-MpSignature
EndPowerShell:
StartPowershell:
# Replace /scanonly with /clean if you also want to delete items -- however, this will activate a trial license on the system, I do not recommend it
$hmpExe = "$env:TEMP\HitmanPro_x64.exe"
$logFile = "$env:TEMP\HitmanPro_ScanLog.txt"
Invoke-WebRequest -Uri "https://dl.surfright.nl/HitmanPro_x64.exe" -OutFile $hmpExe -UseBasicParsing
$proc = Start-Process $hmpExe -ArgumentList "/ews","/scanonly","/noinstall","/log=`"$logFile`"","/logtype=txt" -Wait -PassThru
if (!(Test-Path $logFile)) { Write-Host "Scan failed (exit $($proc.ExitCode))"; exit 1 }
Get-Content $logFile -Encoding Unicode
EndPowershell:
StartPowerShell:
# Downloads the newest AdwCleaner version directly from Malwarebytes, performs an update, scans, cleans and writes the log to the console
# Does not clean preinstalled objects, only PUP/Adware
# If you would like to delete preinstalled objects, add the argument /preinstalled to the /clean argument
# If you would like to only scan with it, change the argument from /clean to /scan
# NOTE: For the sake of users from Asia (primarily China), do not use the clean option. It will very likely remove a lot of their important software.
New-Item -ItemType Directory -Force -Path "$env:SystemDrive\AdwCleaner" | Out-Null
Invoke-WebRequest -Uri "https://adwcleaner.malwarebytes.com/adwcleaner?channel=release" -OutFile "$env:SystemDrive\AdwCleaner\AdwCleanerFRST.exe"
Start-Process -FilePath "$env:SystemDrive\AdwCleaner\AdwCleanerFRST.exe" -ArgumentList "/eula" -Wait -WindowStyle Hidden
$logFile = "$env:SystemDrive\AdwCleaner\AdwCleanerOutputFRST.txt"
Start-Process -FilePath "$env:SystemDrive\AdwCleaner\AdwCleanerFRST.exe" -ArgumentList "/noreboot /clean" -Wait -WindowStyle Hidden -RedirectStandardOutput $logFile
Get-Content $logFile -Encoding Unicode
Remove-Item -Path $logFile -Force -ErrorAction SilentlyContinue
EndPowerShell:
Comment: Verify that Discord does not have any injected code to intercept personal data. If anything is printed here, it needs to be checked that it isn't malicious code.
Powershell: @("$env:APPDATA","$env:LOCALAPPDATA") | ForEach-Object { Get-ChildItem $_ -Recurse -Filter "index.js" -ErrorAction SilentlyContinue } | Where-Object { $_.FullName -match "discord_desktop_core" } | ForEach-Object { Write-Host "--- $($_.FullName) ---"; (Get-Content $_.FullName -Raw).Substring(0,[Math]::Min(2000,(Get-Content $_.FullName -Raw).Length)) }
Comment: Remove unwanted files from common folders using the native removal power of Farbar, including remove-on-reboot if needed. Please double check the user does not have any applications incorrectly installed in the directories listed below.
C:\ProgramData\*.a3x
C:\ProgramData\*.ahk
C:\ProgramData\*.au3
C:\ProgramData\*.bat
C:\ProgramData\*.cab
C:\ProgramData\*.cmd
C:\ProgramData\*.com
C:\ProgramData\*.dll
C:\ProgramData\*.exe
C:\ProgramData\*.hta
C:\ProgramData\*.jar
C:\ProgramData\*.js
C:\ProgramData\*.jse
C:\ProgramData\*.lnk
C:\ProgramData\*.pif
C:\ProgramData\*.ps1
C:\ProgramData\*.py
C:\ProgramData\*.pyc
C:\ProgramData\*.pyd
C:\ProgramData\*.scr
C:\ProgramData\*.tmp
C:\ProgramData\*.vbe
C:\ProgramData\*.vbs
C:\ProgramData\*.wsf
C:\ProgramData\*.wsh
C:\ProgramData\*.zip
C:\ProgramData\*.rar
C:\ProgramData\*.7z
C:\Users\*\AppData\Roaming\*.au3
C:\Users\*\AppData\Roaming\*.bat
C:\Users\*\AppData\Roaming\*.cab
C:\Users\*\AppData\Roaming\*.cmd
C:\Users\*\AppData\Roaming\*.com
C:\Users\*\AppData\Roaming\*.dll
C:\Users\*\AppData\Roaming\*.exe
C:\Users\*\AppData\Roaming\*.hta
C:\Users\*\AppData\Roaming\*.jar
C:\Users\*\AppData\Roaming\*.js
C:\Users\*\AppData\Roaming\*.jse
C:\Users\*\AppData\Roaming\*.lnk
C:\Users\*\AppData\Roaming\*.pif
C:\Users\*\AppData\Roaming\*.ps1
C:\Users\*\AppData\Roaming\*.py
C:\Users\*\AppData\Roaming\*.pyc
C:\Users\*\AppData\Roaming\*.pyd
C:\Users\*\AppData\Roaming\*.scr
C:\Users\*\AppData\Roaming\*.tmp
C:\Users\*\AppData\Roaming\*.vbe
C:\Users\*\AppData\Roaming\*.vbs
C:\Users\*\AppData\Roaming\*.wsf
C:\Users\*\AppData\Roaming\*.wsh
C:\Users\*\AppData\Roaming\*.zip
C:\Users\*\AppData\Roaming\*.rar
C:\Users\*\AppData\Roaming\*.7z
C:\Users\CurrentUserName\AppData\Local\*.a3x
C:\Users\CurrentUserName\AppData\Local\*.ahk
C:\Users\CurrentUserName\AppData\Local\*.au3
C:\Users\CurrentUserName\AppData\Local\*.bat
C:\Users\CurrentUserName\AppData\Local\*.cab
C:\Users\CurrentUserName\AppData\Local\*.cmd
C:\Users\CurrentUserName\AppData\Local\*.com
C:\Users\CurrentUserName\AppData\Local\*.dll
C:\Users\CurrentUserName\AppData\Local\*.exe
C:\Users\CurrentUserName\AppData\Local\*.hta
C:\Users\CurrentUserName\AppData\Local\*.jar
C:\Users\CurrentUserName\AppData\Local\*.js
C:\Users\CurrentUserName\AppData\Local\*.jse
C:\Users\CurrentUserName\AppData\Local\*.lnk
C:\Users\CurrentUserName\AppData\Local\*.pif
C:\Users\CurrentUserName\AppData\Local\*.ps1
C:\Users\CurrentUserName\AppData\Local\*.py
C:\Users\CurrentUserName\AppData\Local\*.pyc
C:\Users\CurrentUserName\AppData\Local\*.pyd
C:\Users\CurrentUserName\AppData\Local\*.scr
C:\Users\CurrentUserName\AppData\Local\*.tmp
C:\Users\CurrentUserName\AppData\Local\*.vbe
C:\Users\CurrentUserName\AppData\Local\*.vbs
C:\Users\CurrentUserName\AppData\Local\*.wsf
C:\Users\CurrentUserName\AppData\Local\*.wsh
C:\Users\CurrentUserName\AppData\Local\*.zip
C:\Users\CurrentUserName\AppData\Local\*.rar
C:\Users\CurrentUserName\AppData\Local\*.7z
C:\Users\CurrentUserName\AppData\Roaming\*.a3x
C:\Users\CurrentUserName\AppData\Roaming\*.ahk
C:\Users\CurrentUserName\AppData\Roaming\*.au3
C:\Users\CurrentUserName\AppData\Roaming\*.bat
C:\Users\CurrentUserName\AppData\Roaming\*.cab
C:\Users\CurrentUserName\AppData\Roaming\*.cmd
C:\Users\CurrentUserName\AppData\Roaming\*.com
C:\Users\CurrentUserName\AppData\Roaming\*.dll
C:\Users\CurrentUserName\AppData\Roaming\*.exe
C:\Users\CurrentUserName\AppData\Roaming\*.hta
C:\Users\CurrentUserName\AppData\Roaming\*.jar
C:\Users\CurrentUserName\AppData\Roaming\*.js
C:\Users\CurrentUserName\AppData\Roaming\*.jse
C:\Users\CurrentUserName\AppData\Roaming\*.lnk
C:\Users\CurrentUserName\AppData\Roaming\*.pif
C:\Users\CurrentUserName\AppData\Roaming\*.ps1
C:\Users\CurrentUserName\AppData\Roaming\*.py
C:\Users\CurrentUserName\AppData\Roaming\*.pyc
C:\Users\CurrentUserName\AppData\Roaming\*.pyd
C:\Users\CurrentUserName\AppData\Roaming\*.scr
C:\Users\CurrentUserName\AppData\Roaming\*.tmp
C:\Users\CurrentUserName\AppData\Roaming\*.vbe
C:\Users\CurrentUserName\AppData\Roaming\*.vbs
C:\Users\CurrentUserName\AppData\Roaming\*.wsf
C:\Users\CurrentUserName\AppData\Roaming\*.wsh
C:\Users\CurrentUserName\AppData\Roaming\*.zip
C:\Users\CurrentUserName\AppData\Roaming\*.rar
C:\Users\CurrentUserName\AppData\Roaming\*.7z
Comment: Force policy removal
C:\Windows\System32\GroupPolicyUsers
C:\Windows\System32\GroupPolicy
Comment: System repair commands
CMD: DISM.exe /Online /Cleanup-image /Restorehealth
CMD: SFC.exe /scannow
Comment: Network reset commands
CMD: netsh int ip reset
CMD: netsh int ipv6 reset
CMD: ipconfig /flushDNS
CMD: netsh winsock reset catalog
Comment: Additional temp file removal
C:\Windows\System32\config\systemprofile\AppData\Local\*.tmp
C:\WINDOWS\system32\*.tmp
C:\WINDOWS\syswow64\*.tmp
C:\Users\CurrentUserName\AppData\Local\Temp\*
C:\Windows\Temp\*
C:\Windows\SystemTemp\*
EmptyTemp:
End::