Malware Log Analysis

shared / Bummie420

Start
CreateRestorePoint:
CloseProcesses:
Folder: C:\ProgramData\dev_component_control
Folder: C:\Users\eetho_uy1reit\AppData\Roaming\xxyuxvqnqzbrqepdvmyt
2026-05-20 07:08 - 2026-05-20 07:08 - 000000000 ____D C:\Users\eetho_uy1reit\AppData\Roaming\RenPy
2026-05-20 07:08 - 2026-05-20 07:08 - 000000000 ____D C:\ProgramData\dev_component_control
C:\Users\eetho_uy1reit\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\panammoooggmlehahpcjckcncfeffcoi
HKLM\SOFTWARE\Microsoft\Windows Defender: [DisableAntiSpyware] Restriction <==== ATTENTION
HKLM\SOFTWARE\Microsoft\Windows Defender: [DisableAntiVirus] Restriction <==== ATTENTION
HKLM-x32\...\Run: [iGC.Lite] => "D:\Program Files (x86)\iGC.Lite\iGC.Lite.exe" (No File)
ShortcutTarget: Intel(R) Extreme Tuning Utility.lnk -> C:\WINDOWS\Installer\{61B9C6B2-DC67-4BA5-9F9A-A7BF210424E8}\PerfTuneIcon.B089625E_E454_492E_B2F2_7E934E4807F0.exe (No File)
Task: {F3E6E7ED-A196-4E44-8803-55FAB3AD4E29} - System32\Tasks\Microsoft\Windows\UpdateOrchestrator\USO_UxBroker => %systemroot%\system32\MusNotification.exe (No File)
S3 cpuz159; \??\C:\WINDOWS\temp\cpuz159\cpuz159_x64.sys (No File) <==== ATTENTION
S3 EAAntiCheat; system32\drivers\eaanticheat.sys (No File)
S3 HWiNFO_180; \??\C:\Users\EETHO_~1\AppData\Local\Temp\HWiNFO64A_180.SYS (No File) <==== ATTENTION
2026-05-16 10:47 - 2025-12-22 17:43 - 000002264 _____ C:\Users\eetho_uy1reit\AppData\LocalLow\3d0e3071ac51596ace7c9a30e839d3b265281d832d88a2f502ca9602296f42cc
2026-05-16 10:47 - 2025-12-20 08:55 - 000000026 _____ C:\Users\eetho_uy1reit\AppData\LocalLow\26a7f29f28baccf7885d3282f68c31b297a14f1882734fb5461717a490c45576
2026-05-04 19:27 - 2026-03-23 09:29 - 000000026 _____ C:\Users\eetho_uy1reit\AppData\LocalLow\a0383b703f1a2715d88bf8f958d2cd6a44012ec182156efceefd146a775e4d4f
2026-05-01 13:52 - 2026-01-02 10:27 - 000002264 _____ C:\Users\eetho_uy1reit\AppData\LocalLow\92190f4223b5197c5d65c851e9ae4279b9796c5886eaf531b7010a49a1a9b610
2026-05-01 13:52 - 2026-01-02 10:27 - 000000026 _____ C:\Users\eetho_uy1reit\AppData\LocalLow\b4ee184518f263d5e6a3aece56a3a20300879171640d0afda140870d6b54df6e
2026-04-26 09:50 - 2025-12-26 12:46 - 000002264 _____ C:\Users\eetho_uy1reit\AppData\LocalLow\0cd49c19ec25ae712451bf5ec84d922283345266578b6efa8f459a7e8bf09703
2026-04-26 09:50 - 2025-12-26 12:46 - 000000026 _____ C:\Users\eetho_uy1reit\AppData\LocalLow\bbe88c3987e70bc29b976bd07b9eb7028c21cf5cb5ccd5ee4bba468791cea949
2026-04-22 11:15 - 2025-12-19 09:40 - 000000389 _____ C:\Users\eetho_uy1reit\AppData\LocalLow\43df23607b6af4d2b6feab86cb353070db8e290bb86ae966ccaa07de1d4d0bc2
2026-04-22 11:15 - 2025-12-19 09:40 - 000000026 _____ C:\Users\eetho_uy1reit\AppData\LocalLow\97efb0a2e8fb891ad4a1ff234a5278106ced58c0e4e9ab91d4ddeb400601787e
2026-04-21 18:28 - 2026-03-28 10:58 - 000002264 _____ C:\Users\eetho_uy1reit\AppData\LocalLow\01443d4c3cd67dae32ece3739c53bd3562b43d088528e057ffcee2e559432d26
2026-04-21 18:28 - 2026-03-28 10:58 - 000000026 _____ C:\Users\eetho_uy1reit\AppData\LocalLow\da4abaae5a0159e0ec202447b8562d8e60e75633fd55be7c93e17300e08cac55
2026-04-21 08:11 - 2026-01-19 10:47 - 000000130 _____ C:\Users\eetho_uy1reit\AppData\LocalLow\8dabdf22c6ebe4a1f857443f24fbd7df5f5ca492f06ca746bff78f4d4dc07fa3
2025-12-20 16:56 - 2025-12-20 16:56 - 000000048 ____R () C:\Users\eetho_uy1reit\AppData\Local\AF0A028E707B8A8F1880DD2553E2CC80
AlternateDataStreams: C:\Users\eetho_uy1reit\Downloads\FRST64.exe:MBAM.Zone.Identifier [450]
FirewallRules: [TCP Query User{55359025-49B5-4FB4-909D-493E846F598A}S:\games\balatro\balatro.exe] => (Block) S:\games\balatro\balatro.exe => No File
FirewallRules: [UDP Query User{449C5220-DC6F-42B2-848D-D8F83BC87AFC}S:\games\balatro\balatro.exe] => (Block) S:\games\balatro\balatro.exe => No File
FirewallRules: [{701F575C-6AE4-412F-B36E-20A5659C9985}] => (Allow) D:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe => No File
FirewallRules: [{15A8BBA8-09D1-4B3D-9BCE-F08C2DA475BA}] => (Allow) D:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe => No File
FirewallRules: [{98AB6550-BC50-4655-9E2F-76F9B89E931F}] => (Allow) C:\Program Files\LogiOptionsPlus\logivoice\logioptionsplus_logivoice => No File
FirewallRules: [TCP Query User{5DF71B97-0A28-4F4A-BFA0-748806E3704B}D:\program files\qbittorrent\qbittorrent.exe] => (Allow) D:\program files\qbittorrent\qbittorrent.exe => No File
FirewallRules: [UDP Query User{E1A7A21C-59E0-4F1F-8C88-1A294FA06375}D:\program files\qbittorrent\qbittorrent.exe] => (Allow) D:\program files\qbittorrent\qbittorrent.exe => No File
FirewallRules: [TCP Query User{EA1439C3-9714-4B39-BC90-048A4F95BFAE}G:\steamlibrary\steamapps\common\conan exiles\conansandbox\binaries\win64\conansandbox.exe] => (Allow) G:\steamlibrary\steamapps\common\conan exiles\conansandbox\binaries\win64\conansandbox.exe => No File
FirewallRules: [UDP Query User{8CAA8672-42BA-42C1-BA55-D10116040E3D}G:\steamlibrary\steamapps\common\conan exiles\conansandbox\binaries\win64\conansandbox.exe] => (Allow) G:\steamlibrary\steamapps\common\conan exiles\conansandbox\binaries\win64\conansandbox.exe => No File
FirewallRules: [{C0AAAC6D-2B35-455B-BA29-E02571B2B166}] => (Allow) G:\SteamLibrary\steamapps\common\ELDEN RING\Game\start_protected_game.exe => No File
FirewallRules: [{9E50C9ED-AC34-46BE-81A4-035D93D3292F}] => (Allow) G:\SteamLibrary\steamapps\common\ELDEN RING\Game\start_protected_game.exe => No File
FirewallRules: [TCP Query User{48F88D5B-117D-450B-BDC8-5ABBE126B7B1}G:\steamlibrary\steamapps\common\forzahorizon4\forzahorizon4.exe] => (Allow) G:\steamlibrary\steamapps\common\forzahorizon4\forzahorizon4.exe => No File
FirewallRules: [UDP Query User{4DD18DFA-24B7-485D-A4C1-61BE1E13E50A}G:\steamlibrary\steamapps\common\forzahorizon4\forzahorizon4.exe] => (Allow) G:\steamlibrary\steamapps\common\forzahorizon4\forzahorizon4.exe => No File
FirewallRules: [TCP Query User{BF63ADD8-0B3E-449F-88BE-9AB9EFD6E4EB}C:\users\eetho_uy1reit\appdata\roaming\tencent\xwechat\xplugin\plugins\radiumwmpf\18787\extracted\runtime\wechatappex.exe] => (Allow) C:\users\eetho_uy1reit\appdata\roaming\tencent\xwechat\xplugin\plugins\radiumwmpf\18787\extracted\runtime\wechatappex.exe => No File
FirewallRules: [UDP Query User{D7CD3FF9-4B7B-4E74-BE07-AAE640495241}C:\users\eetho_uy1reit\appdata\roaming\tencent\xwechat\xplugin\plugins\radiumwmpf\18787\extracted\runtime\wechatappex.exe] => (Allow) C:\users\eetho_uy1reit\appdata\roaming\tencent\xwechat\xplugin\plugins\radiumwmpf\18787\extracted\runtime\wechatappex.exe => No File
FirewallRules: [TCP Query User{F1B7F5AC-F1E1-406F-AF58-CAC0E5FFEF92}G:\games\slay the spire 2\slaythespire2.exe] => (Allow) G:\games\slay the spire 2\slaythespire2.exe => No File
FirewallRules: [UDP Query User{0AEA54A5-9D38-49F8-B6BC-4D77CF73FFFB}G:\games\slay the spire 2\slaythespire2.exe] => (Allow) G:\games\slay the spire 2\slaythespire2.exe => No File
FirewallRules: [{6542512B-1464-452B-B72B-A93385CE903C}] => (Allow) C:\Program Files (x86)\SogouInput\16.1.0.3026\SGTool.exe => No File
FirewallRules: [{A2EC8576-0CB4-4CAB-9A1A-889EC026EF2E}] => (Allow) C:\Program Files (x86)\SogouInput\16.1.0.3026\SGTool.exe => No File
FirewallRules: [{EFAA7B2A-0AD6-4727-8DA3-4D7C48A09E84}] => (Allow) C:\Program Files (x86)\SogouInput\16.1.0.3026\SGTool.exe => No File
FirewallRules: [{563E2179-1A56-4C53-A7D5-7BBDF05E0AD5}] => (Allow) C:\Program Files (x86)\SogouInput\16.1.0.3026\SGTool.exe => No File
FirewallRules: [{C7251815-EBB4-4861-ACDD-0DB519F86FAD}] => (Allow) C:\Program Files (x86)\SogouInput\16.1.0.3026\PinyinUp.exe => No File
FirewallRules: [{B84EB913-C0E2-409D-8BC3-606E5DF9E227}] => (Allow) C:\Program Files (x86)\SogouInput\16.1.0.3026\PinyinUp.exe => No File
FirewallRules: [{7DA70B4D-476C-480B-AC82-E14BD3832EED}] => (Allow) C:\Program Files (x86)\SogouInput\16.1.0.3026\PinyinUp.exe => No File
FirewallRules: [{F4DD0F53-FF44-436B-A005-A1C0E06417F5}] => (Allow) C:\Program Files (x86)\SogouInput\16.1.0.3026\PinyinUp.exe => No File
FirewallRules: [{8FF84E8E-F15E-4F8C-B211-083E0B80EABC}] => (Allow) C:\Program Files (x86)\SogouInput\16.1.0.3026\SogouCloud.exe => No File
FirewallRules: [{AA8B9178-E3A2-40E7-9228-1CB2F154601A}] => (Allow) C:\Program Files (x86)\SogouInput\16.1.0.3026\SogouCloud.exe => No File
FirewallRules: [{C24EC4E8-C78A-4FEF-91CF-318951716A2D}] => (Allow) C:\Program Files (x86)\SogouInput\16.1.0.3026\SogouCloud.exe => No File
FirewallRules: [{23C780CC-AD98-4D70-8C97-386FDA7C1A5C}] => (Allow) C:\Program Files (x86)\SogouInput\16.1.0.3026\SogouCloud.exe => No File
FirewallRules: [TCP Query User{B9E37796-B2B1-4EC4-9C42-217AB1242E94}G:\games\monsterhunterwilds\monsterhunterwilds.exe] => (Allow) G:\games\monsterhunterwilds\monsterhunterwilds.exe => No File
FirewallRules: [UDP Query User{4758F256-2D2F-4FB9-8AE4-1653EE3A68BF}G:\games\monsterhunterwilds\monsterhunterwilds.exe] => (Allow) G:\games\monsterhunterwilds\monsterhunterwilds.exe => No File
FirewallRules: [TCP Query User{69E4939D-AAC7-4AC1-B93C-3991A915B415}G:\games\black myth - wukong\b1\binaries\win64\b1-win64-shipping.exe] => (Allow) G:\games\black myth - wukong\b1\binaries\win64\b1-win64-shipping.exe => No File
FirewallRules: [UDP Query User{4918C8FB-3FAF-4B08-8EAD-B9B95E88C5CA}G:\games\black myth - wukong\b1\binaries\win64\b1-win64-shipping.exe] => (Allow) G:\games\black myth - wukong\b1\binaries\win64\b1-win64-shipping.exe => No File
FirewallRules: [{C672F8CA-BC1C-41F7-8636-072C32936CD8}] => (Allow) G:\Games\Counter-Strike WaRzOnE\hl.exe => No File
FirewallRules: [{6598B5CA-9534-4D11-BBCD-4966458DA00E}] => (Allow) G:\Games\Counter-Strike WaRzOnE\hl.exe => No File
FirewallRules: [TCP Query User{BAD7250B-E68E-4EB1-BC71-D7F6720DD174}G:\counter-strike source\cstrike_win64.exe] => (Allow) G:\counter-strike source\cstrike_win64.exe => No File
FirewallRules: [UDP Query User{EF926B40-B604-45AA-BA63-D1D21DD0A04E}G:\counter-strike source\cstrike_win64.exe] => (Allow) G:\counter-strike source\cstrike_win64.exe => No File
FirewallRules: [{426F54FC-257F-429C-8B88-8EF9271735DF}] => (Allow) C:\Program Files\Razer\RazerAppEngine\app-4.0.660\RazerAppEngine.exe => No File
FirewallRules: [TCP Query User{4CE44F45-6713-4E1C-8DE1-B07DFA425FD6}G:\qbittorent\slay the spire 2\slaythespire2.exe] => (Allow) G:\qbittorent\slay the spire 2\slaythespire2.exe => No File
FirewallRules: [UDP Query User{88A37415-28C3-4951-832C-73C606A2972B}G:\qbittorent\slay the spire 2\slaythespire2.exe] => (Allow) G:\qbittorent\slay the spire 2\slaythespire2.exe => No File
FirewallRules: [TCP Query User{5E03CCFA-1C89-485E-9776-042EDDC7D8DD}C:\users\eetho_uy1reit\downloads\slay the spire 2\slaythespire2.exe] => (Allow) C:\users\eetho_uy1reit\downloads\slay the spire 2\slaythespire2.exe => No File
FirewallRules: [UDP Query User{FE9AFBFA-6E59-4A0D-9BCC-ECD1085C4083}C:\users\eetho_uy1reit\downloads\slay the spire 2\slaythespire2.exe] => (Allow) C:\users\eetho_uy1reit\downloads\slay the spire 2\slaythespire2.exe => No File
C:\Users\eetho_uy1reit\AppData\Local\Temp\04078928-ed14-4d6a-a3f1-e6b78877ab8f.tmp.node
C:\Users\eetho_uy1reit\AppData\Local\Temp\290d1e56-86d4-4795-9251-63e43082a2ff.tmp.node
C:\Users\eetho_uy1reit\AppData\Local\Temp\2be7b029-7aa2-4741-8a9a-3a54a8d76b5f.tmp.node
C:\Users\eetho_uy1reit\AppData\Local\Temp\343f7b86-1304-4b65-ad51-5f1eafd805c2.tmp.node
C:\Users\eetho_uy1reit\AppData\Local\Temp\6733bd65-d824-42e2-a525-397f446a0ed7.tmp.node
C:\Users\eetho_uy1reit\AppData\Local\Temp\7d20e466-12ae-45bc-9fee-f95c3814a1f2.tmp.node
C:\Users\eetho_uy1reit\AppData\Local\Temp\8d484a0c-5cf7-4ec6-80cb-3402546fd666.tmp.node
C:\Users\eetho_uy1reit\AppData\Local\Temp\a64629dd-dc33-4f6f-9433-43d71f65ec64.tmp.node
G:\Games\Crimson Desert\bin64\driver_amd\SimpleSvm.sys
G:\Games\Crimson Desert\_Redist\QuickSFV.EXE
C:\Users\eetho_uy1reit\Downloads\SACGUI-2.4-RIN\SACGUI-2.4-RIN\gbe_fork.7z
C:\Users\eetho_uy1reit\Downloads\SACGUI-2.4-RIN\SACGUI-2.4-RIN\SACGUI.exe
Powershell: Get-ScheduledTask | select -first 30 | Get-ScheduledTaskInfo
Powershell: @("$env:APPDATA","$env:LOCALAPPDATA") | ForEach-Object { Get-ChildItem $_ -Recurse -Filter "index.js" -ErrorAction SilentlyContinue } | Where-Object { $_.FullName -match "discord_desktop_core" } | ForEach-Object { Write-Host "--- $($_.FullName) ---"; (Get-Content $_.FullName -Raw).Substring(0,[Math]::Min(2000,(Get-Content $_.FullName -Raw).Length)) }
Powershell: (Get-ItemProperty "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU" -ErrorAction SilentlyContinue).PSObject.Properties | Where-Object { $_.Name -match "^[a-z]$" } | ForEach-Object { Write-Host "$($_.Name): $($_.Value)" }
C:\WINDOWS\Temp\*
C:\WINDOWS\SystemTemp\*
C:\Users\eetho_uy1reit\AppData\Local\Temp\*
StartPowerShell:
# Downloads the newest AdwCleaner version directly from Malwarebytes, performs an update, scans, cleans and writes the log to the console
# Does not clean preinstalled objects, only PUP/Adware
# If you would like to delete preinstalled objects, add the argument /preinstalled after the /clean argument
# If you would like to only scan with it, change the argument from /clean to /scan
New-Item -ItemType Directory -Force -Path "$env:SystemDrive\AdwCleaner" | Out-Null
Invoke-WebRequest -Uri "https://adwcleaner.malwarebytes.com/adwcleaner?channel=release" -OutFile "$env:SystemDrive\AdwCleaner\AdwCleanerFRST.exe"
Start-Process -FilePath "$env:SystemDrive\AdwCleaner\AdwCleanerFRST.exe" -ArgumentList "/eula" -Wait -WindowStyle Hidden
$logFile = "$env:SystemDrive\AdwCleaner\AdwCleanerOutputFRST.txt"
Start-Process -FilePath "$env:SystemDrive\AdwCleaner\AdwCleanerFRST.exe" -ArgumentList "/noreboot /clean" -Wait -WindowStyle Hidden -RedirectStandardOutput $logFile
Get-Content $logFile -Encoding Unicode
Remove-Item -Path $logFile -Force -ErrorAction SilentlyContinue
EndPowerShell:
StartPowershell:
# Replace /scanonly with /clean if you also want to delete items -- however, this will activate a trial license on the system, I do not recommend it
$hmpExe = "$env:TEMP\HitmanPro_x64.exe"
$logFile = "$env:TEMP\HitmanPro_ScanLog.txt"
Invoke-WebRequest -Uri "https://dl.surfright.nl/HitmanPro_x64.exe" -OutFile $hmpExe -UseBasicParsing
$proc = Start-Process $hmpExe -ArgumentList "/ews","/scanonly","/noinstall","/log=`"$logFile`"","/logtype=txt" -Wait -PassThru
if (!(Test-Path $logFile)) { Write-Host "Scan failed (exit $($proc.ExitCode))"; exit 1 }
Get-Content $logFile -Encoding Unicode
EndPowershell:
StartPowerShell:
# This snippet downloads Emsisoft Emergency Kit (EEK) from Emsisoft's official site, updates it and scans with it.
# Do note that the executable is 300MB and may take some time to download.
# ---
# This will scan for malware and PUPs in 1) system memory 2) important folders, as the documentation says
# It will scan in compressed archives, in mail archives, in NTFS alternate data streams and use cloud requests
# ---
# You can use the argument "/delete" to delete found objects including references, but this is permanent and irreversible.
# You can remove the "/quick" argument to do a full scan, but that may take longer than what FRST can handle.
# You can use the argument "/quarantine="[folder]"" to put found malware into quarantine, but I personally prefer first verifying the detections.
$downloadUrl = "https://dl.emsisoft.com/EmsisoftEmergencyKit.exe"
$systemDrive = $env:SystemDrive
$frstPath = "$systemDrive\FRST"
$savePath = "$frstPath\EEK.exe"
$extractPath = "$frstPath\EEK"
if (-not (Test-Path $frstPath)) { New-Item -Path $frstPath -ItemType Directory -Force | Out-Null }
if (-not (Test-Path $extractPath)) { New-Item -Path $extractPath -ItemType Directory -Force | Out-Null }
Invoke-WebRequest -Uri $downloadUrl -OutFile $savePath -UseBasicParsing
$proc = Start-Process -FilePath $savePath -ArgumentList "-s -d`"$extractPath`"" -PassThru
while (-not (Test-Path "$extractPath\bin64\a2cmd.exe")) { Start-Sleep -Milliseconds 1000 }
Stop-Process -Id $proc.Id -Force -ErrorAction SilentlyContinue
if ([Environment]::Is64BitOperatingSystem) { $a2cmdPath = Join-Path $extractPath "bin64\a2cmd.exe" } else { $a2cmdPath = Join-Path $extractPath "bin32\a2cmd.exe" }
Start-Process -FilePath $a2cmdPath -ArgumentList "/update" -Wait -NoNewWindow
Start-Process -FilePath $a2cmdPath -ArgumentList "/malware /quick /m /t /pup /a /am /cloud=1 /la=`"$frstPath\EEK_scan.log`"" -Wait -NoNewWindow
Get-Content "$frstPath\EEK_scan.log"
exit
EndPowerShell:
cmd: del %temp%\*.* /f /s /q
cmd: rd /s /q %temp%
cmd: bitsadmin /reset /allusers
cmd: netsh winsock reset catalog
cmd: ipconfig /flushdns
RemoveProxy:
EmptyTemp:
End