Start::
CloseProcesses:
CustomCLSID: HKU\S-1-5-21-699025938-3818395997-3756346237-1001_Classes\CLSID\{50726f74-6f6e-2e56-504e-000000000000}\localserver32 -> "C:\Program Files\Proton\VPN\v3.5.1\ProtonVPN.exe" -ToastActivated => No File
CustomCLSID: HKU\S-1-5-21-699025938-3818395997-3756346237-1001_Classes\CLSID\{5C4D8D77-5B87-40CA-884E-F56858227E5C}\localserver32 -> C:\Users\piper\AppData\Local\Programs\TeamSpeak\notification_helper.exe => No File
CustomCLSID: HKU\S-1-5-21-699025938-3818395997-3756346237-1001_Classes\CLSID\{8B1F50F0-32C9-4F30-A3DB-A813176C961D}\localserver32 -> "c:\program files\musehub\current\musehub.exe" ----AppNotificationActivated: => No File
AlternateDataStreams: C:\WINDOWS\tracing:? [16]
AlternateDataStreams: C:\ProgramData\Reprise:jhqduwvxlctbqqijsf`usjbm`bfjhjjiihq [0]
AlternateDataStreams: C:\ProgramData\Reprise:jhqduwvxlctbqqijsf`usjbm`bfjhjkiihj [0]
AlternateDataStreams: C:\ProgramData\Reprise:jhqduwvxlctbqqijsf`usjbm`pgyih [0]
AlternateDataStreams: C:\ProgramData\Reprise:jhqduwvxlctbqqijsf`usjbm`vovtfe.qpsu.obnfih [0]
AlternateDataStreams: C:\ProgramData\Reprise:jhqduwvxlctbqqijsf`usjbm`vovtfe.qpsu.obnfjhjjiihq [0]
AlternateDataStreams: C:\ProgramData\Reprise:jhqduwvxlctbqqijsf`usjbm`vovtfe.qpsu.obnfjhjkiihj [0]
AlternateDataStreams: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Epic Games Launcher.lnk:BE32D07BC5 [3442]
AlternateDataStreams: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NZXT CAM.lnk:AB04221C49 [3442]
AlternateDataStreams: C:\Users\piper\Application Data:a4f3a4460331e5db92483d18f7474c91 [394]
AlternateDataStreams: C:\Users\piper\AppData\Roaming:a4f3a4460331e5db92483d18f7474c91 [394]
FirewallRules: [{9AE40562-448B-4954-B574-19B3B1EE6E2F}] => (Allow) X:\SteamLibrary\steamapps\common\Don't Starve Together\bin\dontstarve_steam.exe => No File
FirewallRules: [{39558BAF-9462-4E5C-8F70-8E03B1AEE368}] => (Allow) X:\SteamLibrary\steamapps\common\Don't Starve Together\bin\dontstarve_steam.exe => No File
FirewallRules: [{1EBA3904-B23B-48A8-88DD-BB8311776B5D}] => (Allow) X:\SteamLibrary\steamapps\common\Don't Starve Together\bin64\dontstarve_steam_x64.exe => No File
FirewallRules: [{27EEE2EE-3F8C-453F-9B72-1E6975813F79}] => (Allow) X:\SteamLibrary\steamapps\common\Don't Starve Together\bin64\dontstarve_steam_x64.exe => No File
FirewallRules: [{399E78F8-5D4E-4D2D-A908-A35234D71BAB}] => (Allow) X:\SteamLibrary\steamapps\common\Rusty's Retirement\RustyLauncher.exe => No File
FirewallRules: [{A4F7CC6F-3B3E-4B35-A124-355C16B575B5}] => (Allow) X:\SteamLibrary\steamapps\common\Rusty's Retirement\RustyLauncher.exe => No File
FirewallRules: [{74FF180F-B007-4F7A-AB7C-884E3A3D9C9B}] => (Allow) X:\SteamLibrary\steamapps\common\Goose Goose Duck\GGDLauncher.exe => No File
FirewallRules: [{A7F7EE9F-BED9-4BFF-BBCA-10AF00F9D33E}] => (Allow) X:\SteamLibrary\steamapps\common\Goose Goose Duck\GGDLauncher.exe => No File
FirewallRules: [{B9F8E4B6-AD5D-4DE7-9FEB-098442B8E019}] => (Allow) X:\SteamLibrary\steamapps\common\Travellers Rest\Windows\TravellersRest.exe => No File
FirewallRules: [{436BFA3C-E42F-481B-BD77-FDD95ED13060}] => (Allow) X:\SteamLibrary\steamapps\common\Travellers Rest\Windows\TravellersRest.exe => No File
FirewallRules: [{018627A4-83D4-433F-90D0-9CFC6B9A668F}] => (Allow) X:\SteamLibrary\steamapps\common\Monster Hunter World\MonsterHunterWorld.exe => No File
FirewallRules: [{5E5650AC-7F8E-47A7-B5F7-529A12A96BC0}] => (Allow) X:\SteamLibrary\steamapps\common\Monster Hunter World\MonsterHunterWorld.exe => No File
FirewallRules: [{F9FEDB9F-BE1B-4162-AB42-4FFE26EAA69A}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Car Mechanic Simulator 2021 Demo\playway-launcher-win32-ia32\playway-launcher.exe => No File
FirewallRules: [{22720A5A-9D88-4EAC-91C4-0BA7D871114C}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Car Mechanic Simulator 2021 Demo\playway-launcher-win32-ia32\playway-launcher.exe => No File
FirewallRules: [{16005321-C04D-481D-906C-95A9FCC9A762}] => (Allow) C:\Program Files\Topaz Labs LLC\Topaz Video Enhance AI\Topaz Video Enhance AI.exe => No File
FirewallRules: [{86927E20-33D6-46E6-846A-601F5F7D47A4}] => (Allow) C:\Program Files\Topaz Labs LLC\Topaz Video Enhance AI\Topaz Video Enhance AI.exe => No File
FirewallRules: [{5E36B535-E2DD-44FE-AAB9-6B9E0A905202}] => (Allow) C:\Program Files\Topaz Labs LLC\Topaz Video Enhance AI\Topaz Video Enhance AI.exe => No File
FirewallRules: [{2B363A16-FA9A-4D35-9CB3-8C13C42C8F83}] => (Allow) C:\Program Files\Topaz Labs LLC\Topaz Video Enhance AI\Topaz Video Enhance AI.exe => No File
FirewallRules: [{424A1415-EDA0-423F-BEE0-FADEF689DA4E}] => (Allow) C:\Program Files\Audials\Audials 2024\Audials.exe => No File
FirewallRules: [{73486449-C292-4360-8A1B-759E75679D9C}] => (Allow) X:\SteamLibrary\steamapps\common\PlateUp\PlateUp\PlateUp.exe => No File
FirewallRules: [{93ECAC94-7773-4DEC-AD92-141416F1E877}] => (Allow) X:\SteamLibrary\steamapps\common\PlateUp\PlateUp\PlateUp.exe => No File
FirewallRules: [{AF183771-F901-4F45-96BB-B2AACA0526E5}] => (Allow) X:\SteamLibrary\steamapps\common\Enshrouded\enshrouded.exe => No File
FirewallRules: [{C02C03DF-20F9-46BD-8968-D8B498E3BEFA}] => (Allow) X:\SteamLibrary\steamapps\common\Enshrouded\enshrouded.exe => No File
FirewallRules: [{0B31576F-21AA-4955-A013-0B62A567061F}] => (Allow) X:\SteamLibrary\steamapps\common\Marvel's Spider-Man Remastered\Spider-Man.exe => No File
FirewallRules: [{6B2EC679-2F6E-4F57-812A-3417F07A2E9E}] => (Allow) X:\SteamLibrary\steamapps\common\Marvel's Spider-Man Remastered\Spider-Man.exe => No File
FirewallRules: [{077C592D-D5F9-44D0-A82B-904E18906BC4}] => (Allow) X:\SteamLibrary\steamapps\common\Mark of the Ninja Remastered\bin\Ninja.exe => No File
FirewallRules: [{0CD71D91-1E0A-4D66-8E0A-172BFA2757FA}] => (Allow) X:\SteamLibrary\steamapps\common\Mark of the Ninja Remastered\bin\Ninja.exe => No File
FirewallRules: [{A75DE0E3-39FB-4C45-8EDA-3582047B9D43}] => (Allow) C:\Program Files\BlueStacks_nxt\BlueStacksAppplayerWeb.exe => No File
FirewallRules: [{4C87D24F-0839-4883-970A-FB17E0F80446}] => (Allow) C:\Program Files\BlueStacks_nxt\HD-Player.exe => No File
FirewallRules: [{FE444656-9A0F-45E4-87FC-B3EFAA1243BD}] => (Allow) C:\Program Files (x86)\BlueStacks X\Cloud Game.exe => No File
FirewallRules: [{8B58BAAF-E378-4013-9752-29104669783F}] => (Allow) C:\Program Files (x86)\BlueStacks X\BlueStacksWeb.exe => No File
FirewallRules: [{83245CB2-574C-43A2-975A-3A46D7031220}] => (Allow) X:\SteamLibrary\steamapps\common\dont_starve\bin\dontstarve_steam.exe => No File
FirewallRules: [{7AAAD85D-EDFF-4CC6-9CB6-45C579855D67}] => (Allow) X:\SteamLibrary\steamapps\common\dont_starve\bin\dontstarve_steam.exe => No File
FirewallRules: [{521E53BA-9460-4FFF-8817-A1DF9EA81F0C}] => (Allow) X:\SteamLibrary\steamapps\common\Magicka 2\engine\Magicka2.exe => No File
FirewallRules: [{7489381D-8C7D-486D-8569-A979873821B9}] => (Allow) X:\SteamLibrary\steamapps\common\Magicka 2\engine\Magicka2.exe => No File
FirewallRules: [{1BC8B8D0-F1A7-484F-B2A0-F107EF5EC0E7}] => (Allow) X:\SteamLibrary\steamapps\common\Rise of the Tomb Raider\ROTTR.exe => No File
FirewallRules: [{3BF37059-6D61-4B5F-9777-EB50502212D1}] => (Allow) X:\SteamLibrary\steamapps\common\Rise of the Tomb Raider\ROTTR.exe => No File
FirewallRules: [{86BE66DB-54AD-4AB4-8A19-1B8B05B82C77}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Settlement Survival\URP\Settlement SurvivalURP.exe => No File
FirewallRules: [{8D752894-E050-4E39-913F-BA3584A40BC6}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Settlement Survival\URP\Settlement SurvivalURP.exe => No File
FirewallRules: [{B9E80D7A-E178-44C0-8965-884DA8F04499}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Settlement Survival\Settlement Survival.exe => No File
FirewallRules: [{58144653-677E-488A-AF09-A29B00106A75}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Settlement Survival\Settlement Survival.exe => No File
FirewallRules: [{838C6C72-D9DB-40F9-98A1-F46BC9100C77}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Starbound\win32\starbound.exe => No File
FirewallRules: [{65B12BA6-7FC9-4BA8-BAB4-2E88931C5A88}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Starbound\win32\starbound.exe => No File
FirewallRules: [{BDF99ED3-72C5-400E-AE6C-B0359C3A8996}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Starbound\win64\mod_uploader.exe => No File
FirewallRules: [{2C9992EA-C691-4E94-8CD6-15B33619369C}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Starbound\win64\mod_uploader.exe => No File
FirewallRules: [{0AFFEA22-3A69-4D95-B9C4-438A586F9863}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Starbound\win64\starbound_server.exe => No File
FirewallRules: [{C52BB3FB-3E88-426A-BF70-EFE6E8518024}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Starbound\win64\starbound_server.exe => No File
FirewallRules: [{9B5956F1-0FB4-49DF-A346-23F28A0CEDCA}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Starbound\win64\starbound.exe => No File
FirewallRules: [{2A85DAE7-88C5-4D81-A781-75B913DA330F}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Starbound\win64\starbound.exe => No File
FirewallRules: [{EC1C1DA7-721B-4354-9C57-0FB388076605}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Sons Of The Forest\SonsOfTheForest.exe => No File
FirewallRules: [{9CD672B6-95B7-48BD-AF90-BB71AEB29C4B}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Sons Of The Forest\SonsOfTheForest.exe => No File
FirewallRules: [{3FA43E58-CE70-4932-8CF0-8CC4669B4CD6}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Don't Starve Together\bin\dontstarve_steam.exe => No File
FirewallRules: [{B4676D72-9644-4920-A0D7-931AE304F462}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Don't Starve Together\bin\dontstarve_steam.exe => No File
FirewallRules: [{A4ACAEB3-29EB-400F-AEF7-9EBC6599ABB6}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Don't Starve Together\bin64\dontstarve_steam_x64.exe => No File
FirewallRules: [{7292CD83-70B9-4404-B89D-D2E54E738B26}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Don't Starve Together\bin64\dontstarve_steam_x64.exe => No File
FirewallRules: [{146605BD-CA6F-4CC0-A35B-02A188DF20B7}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Stardew Valley\Stardew Valley.exe => No File
FirewallRules: [{87CD28B6-00E8-4113-A775-53F26BCE8234}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Stardew Valley\Stardew Valley.exe => No File
FirewallRules: [{0B2F1A44-6DD0-49B2-B173-1E18C2653754}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Terraria\Terraria.exe => No File
FirewallRules: [{42F423D4-AB30-40DC-ACE6-6E6108578D6D}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Terraria\Terraria.exe => No File
FirewallRules: [{8038CEF5-DF31-49E3-8B39-57AEA31F0FED}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Red Dead Redemption 2\PlayRDR2.exe => No File
FirewallRules: [{A7977611-D214-4145-85C9-4C56567F559F}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Red Dead Redemption 2\PlayRDR2.exe => No File
FirewallRules: [{7B89759A-2011-4F68-8428-523B625E0E8F}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Satisfactory\FactoryGame.exe => No File
FirewallRules: [{61E61D3F-119A-4811-8855-6C8F652D70AC}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Satisfactory\FactoryGame.exe => No File
FirewallRules: [{5F0B5C85-412C-48C8-86AB-B99D625F3C53}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Raft\Raft.exe => No File
FirewallRules: [{90E5681D-25EF-483C-B5AF-E8109EF97F18}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Raft\Raft.exe => No File
FirewallRules: [UDP Query User{53367687-0ECE-4274-899E-DB14A8256672}C:\program files (x86)\steam\steamapps\common\astroneer\astro\binaries\win64\astro-win64-shipping.exe] => (Allow) C:\program files (x86)\steam\steamapps\common\astroneer\astro\binaries\win64\astro-win64-shipping.exe => No File
FirewallRules: [TCP Query User{8C6DC64D-C88D-4E57-B062-8B7B9BDA6263}C:\program files (x86)\steam\steamapps\common\astroneer\astro\binaries\win64\astro-win64-shipping.exe] => (Allow) C:\program files (x86)\steam\steamapps\common\astroneer\astro\binaries\win64\astro-win64-shipping.exe => No File
FirewallRules: [{3B12B8F9-1DBA-45C7-BB8D-EF5E32D060D4}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\ASTRONEER\Astro.exe => No File
FirewallRules: [{1E8A708E-EFE6-4A09-A65C-AA71F6E3EE3B}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\ASTRONEER\Astro.exe => No File
FirewallRules: [{6FD87CA4-1EFF-456E-9CB4-4C1C313EFC8A}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Craftopia\Craftopia.exe => No File
FirewallRules: [{3D7BCE68-2062-4103-9E55-C019FEEE1C01}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Craftopia\Craftopia.exe => No File
FirewallRules: [{6D95EB44-8A5D-4427-8420-91CF2D48BDFA}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\The Planet Crafter\Planet Crafter.exe => No File
FirewallRules: [{89D249EF-F28F-4FED-BF31-836B1E4B8CC5}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\The Planet Crafter\Planet Crafter.exe => No File
FirewallRules: [{46A8B1BF-75E8-4591-B0B2-D13C367488C1}] => (Allow) C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe => No File
FirewallRules: [{2B9DA88C-99E7-45E2-970D-C3D2F880694B}] => (Allow) C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe => No File
FirewallRules: [{1D957A88-A3B8-496F-B4B7-7010EC2529C7}] => (Allow) Z:\SteamLibrary\steamapps\common\Cities Skylines II\Launcher\dowser.exe => No File
FirewallRules: [{9BAB6DCF-C6B9-4F4C-ACE1-ED64DFEF3083}] => (Allow) Z:\SteamLibrary\steamapps\common\Cities Skylines II\Launcher\dowser.exe => No File
FirewallRules: [{E6ECE330-B36C-427C-B4ED-0057023EE691}] => (Allow) X:\SteamLibrary\steamapps\common\Viscera\Binaries\UDKLift.exe => No File
FirewallRules: [{039A01CB-865D-4FC0-81F1-1136F68FB81D}] => (Allow) X:\SteamLibrary\steamapps\common\Viscera\Binaries\UDKLift.exe => No File
FirewallRules: [{C512B137-D0C1-4B6B-B3D1-47A77F322E8C}] => (Allow) X:\SteamLibrary\steamapps\common\Leaf it Alone\Leaf it Alone.exe => No File
FirewallRules: [{5CF9266D-E4D8-4E1D-80F3-08AF8F84C99D}] => (Allow) X:\SteamLibrary\steamapps\common\Leaf it Alone\Leaf it Alone.exe => No File
FirewallRules: [{F11E8078-5F89-4B40-B8B9-9D5DFA114A2D}] => (Allow) X:\Hytale\install\pre-release\package\game\latest\Client\HytaleClient.exe => No File
FirewallRules: [{21D22A00-370B-413B-9C4E-0C9C2529963F}] => (Allow) X:\Hytale\install\pre-release\package\game\latest\Client\HytaleClient.exe => No File
FirewallRules: [{1C7344CF-0CB6-4589-9DB1-1C560B0E55F3}] => (Allow) X:\Hytale\install\pre-release\package\jre\latest\bin\java.exe => No File
FirewallRules: [{67AF9073-4496-478C-9408-9A984A06E56B}] => (Allow) X:\Hytale\install\pre-release\package\jre\latest\bin\java.exe => No File
FirewallRules: [{8FB81670-6EF8-4ED7-A9AB-0718266C7778}] => (Allow) C:\Program Files (x86)\Overwolf\0.296.3.3\OverwolfBrowser.exe => No File
FirewallRules: [{134D1049-D086-45E9-A956-9D39BF9C49C9}] => (Allow) C:\Program Files (x86)\Overwolf\0.296.3.3\OverwolfBrowser.exe => No File
FirewallRules: [{9B5548C2-0707-4453-9B17-E207C96A63E5}] => (Block) C:\Program Files (x86)\Overwolf\0.296.3.3\OverwolfBrowser.exe => No File
FirewallRules: [{C268FDCD-6D10-4533-95A8-E1ED730D61FF}] => (Block) C:\Program Files (x86)\Overwolf\0.296.3.3\OverwolfBrowser.exe => No File
HKLM\...\Run: [] => [X]
HKLM-x32\...\Run: [] => [X]
Task: {A7113C03-899F-4370-A437-AEC3D5DE2872} - \GoogleUpdate -> No File <==== ATTENTION
Task: {FD6F4E7B-F859-4025-A71C-17412B86EA95} - System32\Tasks\Microsoft\Office\Office Serviceability Manager => C:\Program Files\Common Files\Microsoft Shared\ClickToRun\officesvcmgr.exe /checkin (No File)
Task: {077BA067-7C15-40F0-B22E-C9DC2A54B4A2} - System32\Tasks\Microsoft\Windows\Location\Notifications => %windir%\System32\LocationNotificationWindows.exe (No File)
Task: {F3E6E7ED-A196-4E44-8803-55FAB3AD4E29} - System32\Tasks\Microsoft\Windows\UpdateOrchestrator\USO_UxBroker => %systemroot%\system32\MusNotification.exe (No File)
Task: {D8AC8EFD-68F6-47C1-B498-784ED4B35A35} - System32\Tasks\Red Giant Link => "C:\Program Files\Red Giant Link\Red Giant Link.exe" --silent (No File)
2026-05-14 12:36 - 2026-05-14 12:36 - 000000000 ____D C:\Users\piper\AppData\Local\22bfc34d90b64054809542014fc9eb32
2025-11-15 18:15 - 2025-11-15 18:15 - 000000048 ____R () C:\Users\piper\AppData\Local\41A8E72215BA6F875283828CEBD2661B
HKU\S-1-5-21-699025938-3818395997-3756346237-1001\...\Policies\system: [shell] explorer.exe <==== ATTENTION
HKLM\SOFTWARE\Policies\Google: Restriction <==== ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Edge: Restriction <==== ATTENTION
File: C:\WINDOWS\System32\drivers\webshieldfilter.sys
File: C:\WINDOWS\SysWOW64\muachost.exe
Folder: C:\Users\piper\AppData\Local\ServiceApp
Comment: This snippet reverts SmartScreen settings to default
StartRegedit:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer]
"SmartScreenEnabled"="Warn"
[HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\PhishingFilter]
"EnabledV9"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\AppHost]
"EnableWebContentEvaluation"=dword:00000001
[HKU\S-1-5-21-699025938-3818395997-3756346237-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost]
"EnableWebContentEvaluation"=dword:00000001
EndRegedit:
StartPowershell:
# Replace /scanonly with /clean if you also want to delete items -- however, this will activate a trial license on the system, I do not recommend it
$hmpExe = "$env:TEMP\HitmanPro_x64.exe"
$logFile = "$env:TEMP\HitmanPro_ScanLog.txt"
Invoke-WebRequest -Uri "https://dl.surfright.nl/HitmanPro_x64.exe" -OutFile $hmpExe -UseBasicParsing
$proc = Start-Process $hmpExe -ArgumentList "/ews","/scanonly","/noinstall","/log=`"$logFile`"","/logtype=txt" -Wait -PassThru
if (!(Test-Path $logFile)) { Write-Host "Scan failed (exit $($proc.ExitCode))"; exit 1 }
Get-Content $logFile -Encoding Unicode
EndPowershell:
StartPowerShell:
# Downloads newest AdwCleaner version directly from Malwarebytes, performs an update, scans, cleans and writes the log in console
# Does not clean preinstalled objects, only PUP/Adware
# If you would like to delete preinstalled objects, add an argument /preinstalled to the /clean argument
# If you would like to only scan with it, change the argument from /clean to /scan
# NOTE: For the sake of users from Asia (primarily China), do not use the clean option. It will very likely remove a lot of their important software.
New-Item -ItemType Directory -Force -Path "$env:SystemDrive\AdwCleaner" | Out-Null
Invoke-WebRequest -Uri "https://adwcleaner.malwarebytes.com/adwcleaner?channel=release" -OutFile "$env:SystemDrive\AdwCleaner\AdwCleanerFRST.exe"
Start-Process -FilePath "$env:SystemDrive\AdwCleaner\AdwCleanerFRST.exe" -ArgumentList "/eula" -Wait -WindowStyle Hidden
$logFile = "$env:SystemDrive\AdwCleaner\AdwCleanerOutputFRST.txt"
Start-Process -FilePath "$env:SystemDrive\AdwCleaner\AdwCleanerFRST.exe" -ArgumentList "/noreboot /clean" -Wait -WindowStyle Hidden -RedirectStandardOutput $logFile
Get-Content $logFile -Encoding Unicode
Remove-Item -Path $logFile -Force -ErrorAction SilentlyContinue
EndPowerShell:
Comment: Verify that Discord does not have any injected code to intercept personal data. A clean discord_desktop_core\index.js is a single line, module.exports = require('./core.asar'); if anything longer is printed here, it must be checked to confirm it is not malicious code.
Powershell: @("$env:APPDATA","$env:LOCALAPPDATA") | ForEach-Object { Get-ChildItem $_ -Recurse -Filter "index.js" -ErrorAction SilentlyContinue } | Where-Object { $_.FullName -match "discord_desktop_core" } | ForEach-Object { $src = [string](Get-Content $_.FullName -Raw); Write-Host "--- $($_.FullName) ($($src.Length) chars) ---"; $src.Substring(0, [Math]::Min(2000, $src.Length)) }
Comment: Remove unwanted files from common folders using Farbar's native removal (including remove-on-reboot where a file is locked). Every file matching a pattern below is deleted, so double check that the user does not have any application incorrectly installed directly in the listed directories.
C:\ProgramData\*.a3x
C:\ProgramData\*.ahk
C:\ProgramData\*.au3
C:\ProgramData\*.bat
C:\ProgramData\*.cab
C:\ProgramData\*.cmd
C:\ProgramData\*.com
C:\ProgramData\*.dll
C:\ProgramData\*.exe
C:\ProgramData\*.hta
C:\ProgramData\*.jar
C:\ProgramData\*.js
C:\ProgramData\*.jse
C:\ProgramData\*.lnk
C:\ProgramData\*.pif
C:\ProgramData\*.ps1
C:\ProgramData\*.py
C:\ProgramData\*.pyc
C:\ProgramData\*.pyd
C:\ProgramData\*.scr
C:\ProgramData\*.tmp
C:\ProgramData\*.vbe
C:\ProgramData\*.vbs
C:\ProgramData\*.wsf
C:\ProgramData\*.wsh
C:\ProgramData\*.zip
C:\ProgramData\*.rar
C:\ProgramData\*.7z
C:\Users\*\AppData\Roaming\*.au3
C:\Users\*\AppData\Roaming\*.bat
C:\Users\*\AppData\Roaming\*.cab
C:\Users\*\AppData\Roaming\*.cmd
C:\Users\*\AppData\Roaming\*.com
C:\Users\*\AppData\Roaming\*.dll
C:\Users\*\AppData\Roaming\*.exe
C:\Users\*\AppData\Roaming\*.hta
C:\Users\*\AppData\Roaming\*.jar
C:\Users\*\AppData\Roaming\*.js
C:\Users\*\AppData\Roaming\*.jse
C:\Users\*\AppData\Roaming\*.lnk
C:\Users\*\AppData\Roaming\*.pif
C:\Users\*\AppData\Roaming\*.ps1
C:\Users\*\AppData\Roaming\*.py
C:\Users\*\AppData\Roaming\*.pyc
C:\Users\*\AppData\Roaming\*.pyd
C:\Users\*\AppData\Roaming\*.scr
C:\Users\*\AppData\Roaming\*.tmp
C:\Users\*\AppData\Roaming\*.vbe
C:\Users\*\AppData\Roaming\*.vbs
C:\Users\*\AppData\Roaming\*.wsf
C:\Users\*\AppData\Roaming\*.wsh
C:\Users\*\AppData\Roaming\*.zip
C:\Users\*\AppData\Roaming\*.rar
C:\Users\*\AppData\Roaming\*.7z
C:\Users\CurrentUserName\AppData\Local\*.a3x
C:\Users\CurrentUserName\AppData\Local\*.ahk
C:\Users\CurrentUserName\AppData\Local\*.au3
C:\Users\CurrentUserName\AppData\Local\*.bat
C:\Users\CurrentUserName\AppData\Local\*.cab
C:\Users\CurrentUserName\AppData\Local\*.cmd
C:\Users\CurrentUserName\AppData\Local\*.com
C:\Users\CurrentUserName\AppData\Local\*.dll
C:\Users\CurrentUserName\AppData\Local\*.exe
C:\Users\CurrentUserName\AppData\Local\*.hta
C:\Users\CurrentUserName\AppData\Local\*.jar
C:\Users\CurrentUserName\AppData\Local\*.js
C:\Users\CurrentUserName\AppData\Local\*.jse
C:\Users\CurrentUserName\AppData\Local\*.lnk
C:\Users\CurrentUserName\AppData\Local\*.pif
C:\Users\CurrentUserName\AppData\Local\*.ps1
C:\Users\CurrentUserName\AppData\Local\*.py
C:\Users\CurrentUserName\AppData\Local\*.pyc
C:\Users\CurrentUserName\AppData\Local\*.pyd
C:\Users\CurrentUserName\AppData\Local\*.scr
C:\Users\CurrentUserName\AppData\Local\*.tmp
C:\Users\CurrentUserName\AppData\Local\*.vbe
C:\Users\CurrentUserName\AppData\Local\*.vbs
C:\Users\CurrentUserName\AppData\Local\*.wsf
C:\Users\CurrentUserName\AppData\Local\*.wsh
C:\Users\CurrentUserName\AppData\Local\*.zip
C:\Users\CurrentUserName\AppData\Local\*.rar
C:\Users\CurrentUserName\AppData\Local\*.7z
C:\Users\CurrentUserName\AppData\Roaming\*.a3x
C:\Users\CurrentUserName\AppData\Roaming\*.ahk
C:\Users\CurrentUserName\AppData\Roaming\*.au3
C:\Users\CurrentUserName\AppData\Roaming\*.bat
C:\Users\CurrentUserName\AppData\Roaming\*.cab
C:\Users\CurrentUserName\AppData\Roaming\*.cmd
C:\Users\CurrentUserName\AppData\Roaming\*.com
C:\Users\CurrentUserName\AppData\Roaming\*.dll
C:\Users\CurrentUserName\AppData\Roaming\*.exe
C:\Users\CurrentUserName\AppData\Roaming\*.hta
C:\Users\CurrentUserName\AppData\Roaming\*.jar
C:\Users\CurrentUserName\AppData\Roaming\*.js
C:\Users\CurrentUserName\AppData\Roaming\*.jse
C:\Users\CurrentUserName\AppData\Roaming\*.lnk
C:\Users\CurrentUserName\AppData\Roaming\*.pif
C:\Users\CurrentUserName\AppData\Roaming\*.ps1
C:\Users\CurrentUserName\AppData\Roaming\*.py
C:\Users\CurrentUserName\AppData\Roaming\*.pyc
C:\Users\CurrentUserName\AppData\Roaming\*.pyd
C:\Users\CurrentUserName\AppData\Roaming\*.scr
C:\Users\CurrentUserName\AppData\Roaming\*.tmp
C:\Users\CurrentUserName\AppData\Roaming\*.vbe
C:\Users\CurrentUserName\AppData\Roaming\*.vbs
C:\Users\CurrentUserName\AppData\Roaming\*.wsf
C:\Users\CurrentUserName\AppData\Roaming\*.wsh
C:\Users\CurrentUserName\AppData\Roaming\*.zip
C:\Users\CurrentUserName\AppData\Roaming\*.rar
C:\Users\CurrentUserName\AppData\Roaming\*.7z
Comment: Force policy removal
C:\Windows\System32\GroupPolicyUsers
C:\Windows\System32\GroupPolicy
Comment: System repair commands
CMD: DISM.exe /Online /Cleanup-image /Restorehealth
CMD: SFC.exe /scannow
Comment: Network reset commands
CMD: netsh int ip reset
CMD: netsh int ipv6 reset
CMD: ipconfig /flushDNS
CMD: netsh winsock reset catalog
Comment: Additional temp file removal
C:\Windows\System32\config\systemprofile\AppData\Local\*.tmp
C:\WINDOWS\system32\*.tmp
C:\WINDOWS\syswow64\*.tmp
C:\Users\CurrentUserName\AppData\Local\Temp\*
C:\Windows\Temp\*
C:\Windows\SystemTemp\*
EmptyTemp:
End::
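The CustomCLSID, FirewallRules and Task lines above all end in "No File": FRST has found a registry or firewall entry whose target executable is gone. The script below is an added example, not part of the fixlist or of FRST, that reproduces that check with stock PowerShell so the entries can be reviewed before the fixlist removes them. Function names are my own; the only assumptions are that the NetSecurity and ScheduledTasks modules are present (Windows 8/Server 2012 and later) and that it is run elevated. It only reports; it deletes nothing.

```powershell
# Added example (not FRST code): find COM servers, firewall rules and scheduled
# tasks whose executable no longer exists, i.e. FRST's "=> No File" entries.
# Run from an elevated PowerShell 5.1 or later prompt. Read-only.

# Pull the executable out of a command line such as
#   "C:\Program Files\Proton\VPN\v3.5.1\ProtonVPN.exe" -ToastActivated
#   %windir%\System32\LocationNotificationWindows.exe
function Get-ExeFromCommand {
    param([string]$Command)
    if ([string]::IsNullOrWhiteSpace($Command)) { return $null }
    $cmd = [Environment]::ExpandEnvironmentVariables($Command.Trim())
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 1) { return $cmd.Substring(1, $end - 1) }
    }
    # Unquoted: everything up to the first ".exe" that ends a token
    $m = [regex]::Match($cmd, '^(.+?\.exe)(\s|$)', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return ($cmd -split '\s+')[0]
}

# True when the command's executable cannot be found: an absolute path that does
# not exist, or a bare name (cmd.exe, powershell.exe) that is not on PATH.
function Test-DanglingCommand {
    param([string]$Command)
    $exe = Get-ExeFromCommand $Command
    if (-not $exe) { return $false }
    if ($exe -notmatch '[\\/]') { return -not (Get-Command $exe -ErrorAction SilentlyContinue) }
    return -not (Test-Path -LiteralPath $exe -PathType Leaf)
}

# 1. Per-user COM local servers: HKCU\Software\Classes\CLSID\{guid}\LocalServer32
#    (HKCU\Software\Classes is the merged view of HKU\<SID>_Classes)
function Get-DanglingClsidServers {
    Get-ChildItem 'Registry::HKEY_CURRENT_USER\Software\Classes\CLSID' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $ls = Get-ItemProperty -LiteralPath "$($_.PSPath)\LocalServer32" -ErrorAction SilentlyContinue
            if ($ls -and $ls.'(default)' -and (Test-DanglingCommand $ls.'(default)')) {
                [pscustomobject]@{ Kind = 'CLSID'; Name = $_.PSChildName; Target = $ls.'(default)' }
            }
        }
}

# 2. Firewall rules whose Program no longer exists ("Any", "System" and
#    \device\... paths are skipped because they are not file paths)
function Get-DanglingFirewallRules {
    Get-NetFirewallRule -ErrorAction SilentlyContinue | ForEach-Object {
        $prog = ($_ | Get-NetFirewallApplicationFilter).Program
        if ($prog -and ($prog -notin @('Any', 'System')) -and ($prog -notlike '\device\*') -and
            (Test-DanglingCommand $prog)) {
            [pscustomobject]@{ Kind = 'Firewall'; Name = "$($_.Name) ($($_.Action))"; Target = $prog }
        }
    }
}

# 3. Scheduled tasks with an Exec action whose binary is missing
function Get-DanglingScheduledTasks {
    Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            if ($action.Execute -and (Test-DanglingCommand $action.Execute)) {
                [pscustomobject]@{ Kind = 'Task'; Name = $task.TaskPath + $task.TaskName; Target = $action.Execute }
            }
        }
    }
}

$report = @(Get-DanglingClsidServers) + @(Get-DanglingFirewallRules) + @(Get-DanglingScheduledTasks)
$report | Sort-Object Kind, Name | Format-Table -AutoSize -Wrap
```

Two caveats when comparing the output with the fixlist. Firewall rules created by Steam games are usually written in pairs (one TCP, one UDP) for the same binary, which is why most programs above appear twice; removing them only drops a permission the program no longer needs. A Task line of the form "{GUID} - \GoogleUpdate -> No File" is a task whose definition file under System32\Tasks is already gone and only the TaskCache registry entry remains; Get-ScheduledTask does not list those, which is why the fixlist removes it by GUID rather than by name.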
Warning
Executing a Fixlist on the wrong system may permanently damage it. Continue only if this link was meant for you.
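The AlternateDataStreams lines in the fixlist delete the named stream, not the file or folder it hangs off. Before letting that happen it is worth seeing what the streams hold, because two things in the list stand out: the Reprise streams are zero bytes long, so whatever they record lives in the stream name, and those names look like text shifted by one character (shifting "usjbm" back by one gives "trial", "vovtfe.qpsu.obnf" gives "unused-port-name", the backtick becomes an underscore). The script below is an added example, not part of the fixlist or of FRST; the one-character shift is my reading of the names on this page, not documented behaviour, and the decoder simply undoes it. Function names are my own.

```powershell
# Added example (not FRST code): enumerate the alternate data streams FRST
# listed and preview their contents. Read-only.
# Assumption: the Reprise stream names are ASCII shifted up by one code point
# ("usjbm" -> "trial", '`' -> '_', '.' -> '-'); ConvertFrom-ShiftedName reverses it.

$targets = @(
    'C:\WINDOWS\tracing',
    'C:\ProgramData\Reprise',
    'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Epic Games Launcher.lnk',
    'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NZXT CAM.lnk',
    (Join-Path $env:USERPROFILE 'AppData\Roaming')   # "Application Data" is a junction to this
)

# Shift every character back by one code point.
function ConvertFrom-ShiftedName {
    param([string]$Name)
    -join ($Name.ToCharArray() | ForEach-Object { [char]([int]$_ - 1) })
}

function Get-AdsReport {
    param([string[]]$Path)
    foreach ($p in $Path) {
        if (-not (Test-Path -LiteralPath $p)) { continue }
        # ':$DATA' is the ordinary file content; every other stream is an ADS.
        Get-Item -LiteralPath $p -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' } |
            ForEach-Object {
                $preview = ''
                if ($_.Length -gt 0 -and $_.Length -le 4096) {
                    $raw = Get-Content -LiteralPath $p -Stream $_.Stream -Raw -ErrorAction SilentlyContinue
                    # Keep the preview printable: anything outside 0x20-0x7E becomes '.'
                    if ($raw) {
                        $clean = $raw -replace '[^\x20-\x7E]', '.'
                        $preview = $clean.Substring(0, [Math]::Min(80, $clean.Length))
                    }
                }
                $decoded = if ($p -like '*\Reprise') { ConvertFrom-ShiftedName $_.Stream } else { '' }
                [pscustomobject]@{
                    File    = $p
                    Stream  = $_.Stream
                    Bytes   = $_.Length
                    Decoded = $decoded
                    Preview = $preview
                }
            }
    }
}

Get-AdsReport -Path $targets | Format-Table -AutoSize -Wrap
```

A zero-byte stream cannot carry a payload, so for the Reprise entries the decision is only whether the trial-tracking markers should survive; the 3442-byte streams on the two Start Menu shortcuts and the 394-byte stream on the Roaming folder are the ones whose Preview column deserves a look. To remove a single stream by hand instead of through the fixlist, Remove-Item -LiteralPath <file> -Stream <name> does the same thing.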
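Two parts of the fixlist are destructive by pattern rather than by name: the long block of C:\ProgramData\*.exe style wildcards, which deletes every matching file in the root of those folders, and the "Force policy removal" lines, which delete the local Group Policy folders behind the three "<==== ATTENTION" policy entries. The script below is an added example, not part of the fixlist or of FRST, that dry-runs both: it expands the same folders and extensions (the full extension set, applied uniformly) and prints signer information for every hit, then dumps the flagged policy keys and lists the local GPO files that would be removed. The list of "watch" policy names is my own choice of values adware commonly sets; function names are my own. Nothing here deletes anything.

```powershell
# Added example (not FRST code): preview what the wildcard removal and the
# policy removal in the fixlist would touch. Run elevated. Read-only.

$extensions = 'a3x','ahk','au3','bat','cab','cmd','com','dll','exe','hta','jar','js','jse',
              'lnk','pif','ps1','py','pyc','pyd','scr','tmp','vbe','vbs','wsf','wsh','zip','rar','7z'

# Same folders as the fixlist: ProgramData, every user's Roaming, the current user's Local
$folders = @("$env:ProgramData") +
           @(Get-ChildItem "$env:SystemDrive\Users" -Directory -ErrorAction SilentlyContinue |
             ForEach-Object { Join-Path $_.FullName 'AppData\Roaming' }) +
           @("$env:LOCALAPPDATA")

function Get-RemovalPreview {
    param([string[]]$Folder, [string[]]$Extension)
    foreach ($f in ($Folder | Select-Object -Unique)) {
        if (-not (Test-Path -LiteralPath $f)) { continue }
        # Not recursive: "C:\ProgramData\*.exe" matches only the folder root
        Get-ChildItem -LiteralPath $f -File -Force -ErrorAction SilentlyContinue |
            Where-Object { $Extension -contains $_.Extension.TrimStart('.').ToLowerInvariant() } |
            ForEach-Object {
                $sig    = Get-AuthenticodeSignature -LiteralPath $_.FullName -ErrorAction SilentlyContinue
                $status = if ($sig) { $sig.Status } else { 'n/a' }
                $signer = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
                [pscustomobject]@{
                    Path      = $_.FullName
                    Bytes     = $_.Length
                    Modified  = $_.LastWriteTime
                    SigStatus = $status
                    Signer    = $signer
                }
            }
    }
}

# Policy keys the fixlist flagged, plus the value names adware typically sets
# (assumed watch list, extend as needed)
$policyKeys = 'HKLM:\SOFTWARE\Policies\Google',
              'HKLM:\SOFTWARE\Policies\Microsoft\Edge',
              'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$watch = 'ExtensionInstallForcelist','ExtensionInstallSources','HomepageLocation','NewTabPageLocation',
         'DefaultSearchProviderSearchURL','DefaultSearchProviderEnabled','RestoreOnStartupURLs','Shell'

function Get-PolicyReport {
    param([string[]]$Key, [string[]]$Watch)
    foreach ($k in $Key) {
        if (-not (Test-Path -LiteralPath $k)) { continue }
        $items = @(Get-Item -LiteralPath $k) + @(Get-ChildItem -LiteralPath $k -Recurse -ErrorAction SilentlyContinue)
        foreach ($item in $items) {
            foreach ($name in $item.GetValueNames()) {
                # Force-list entries are numbered values under the ExtensionInstallForcelist subkey
                $flag = if (($Watch -contains $name) -or ($item.Name -match 'ExtensionInstallForcelist')) { '<== check' } else { '' }
                [pscustomobject]@{
                    Key   = $item.Name
                    Value = $name
                    Data  = ($item.GetValue($name) -join ' ')
                    Flag  = $flag
                }
            }
        }
    }
}

# Files the "Force policy removal" lines delete (registry.pol holds the actual settings)
function Get-LocalGpoFiles {
    foreach ($gpo in "$env:windir\System32\GroupPolicy", "$env:windir\System32\GroupPolicyUsers") {
        if (Test-Path -LiteralPath $gpo) {
            Get-ChildItem -LiteralPath $gpo -Recurse -File -Force -ErrorAction SilentlyContinue |
                Select-Object FullName, Length, LastWriteTime
        }
    }
}

Get-RemovalPreview -Folder $folders -Extension $extensions | Sort-Object Path | Format-Table -AutoSize -Wrap
Get-PolicyReport -Key $policyKeys -Watch $watch | Format-Table -AutoSize -Wrap
Get-LocalGpoFiles | Format-Table -AutoSize
```

Anything the removal preview shows with a Valid signature from a vendor the user recognises is a candidate for moving out of the way or excluding from the fixlist rather than deleting. In the policy report, a forced extension ID or a search URL pointing at an unfamiliar domain explains why FRST marked the key "Restriction"; an explorer.exe Shell value by itself is the Windows default and is flagged only because a policy sets it at all. registry.pol is binary, so read it through the registry report rather than Get-Content; after the fixlist has deleted the folders, gpupdate /force recreates them from whatever policy still applies.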