content copied
content
Start::
SystemRestore: On
CreateRestorePoint:
CloseProcesses:
HKLM\SOFTWARE\Microsoft\Windows Defender: [DisableAntiSpyware] Restriction <==== ATTENTION
HKLM\SOFTWARE\Microsoft\Windows Defender: [DisableAntiVirus] Restriction <==== ATTENTION
HKU\S-1-5-21-1555439151-2052157521-2443853537-1001\...\Run: [AdobeBridge] => [X]
HKU\S-1-5-21-1555439151-2052157521-2443853537-1001\...\Run: [EPSDNMON] => "" (No File)
Task: {5D3F7C13-6AD5-482A-9BDC-9CE047BC61E2} - System32\Tasks\Google Compatibility Appraiser CL_NCL_9fc87dafd35b51aa => C:\WINDOWS\system32\conhost.exe [1003520 2026-04-17] (Microsoft Windows -> Microsoft Corporation) -> --headless C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe -NoP -ExecutionPolicy Bypass -WindowStyle Hidden -EncodedCommand aQBmACgAIQAoAEcAZQB0AC0AUAByAG8AYwBlAHMAcwAgAG0AYwBiAHUAaQBsAGQAZQByACwAbQBmAHAAbQBwACAALQBFAEEAIAAwACkAKQB7AEkAbgB2AG8AawBlAC0AUgBlAHMAdABNAGUAdABoAG8AZAAgADEAOQAzAC (the data entry has 150 more characters). <==== ATTENTION
Task: {E88D9B2C-DDEA-47B2-9582-085153004DB5} - System32\Tasks\Microsoft\Windows\Location\Notifications => %windir%\System32\LocationNotificationWindows.exe (No File)
Task: {CCDFC0B8-01A3-4E74-A820-4F13F51D269E} - System32\Tasks\Microsoft\Windows\Mobile Broadband Accounts\MNO Metadata Parser => %SystemRoot%\System32\MbaeParserTask.exe (No File)
Task: {975D3232-A452-48B7-A4D2-A2893B085FD7} - System32\Tasks\Microsoft\Windows\PI\SecureBootEncodeUEFI => %WINDIR%\system32\SecureBootEncodeUEFI.exe (No File)
Task: {CAB76809-EDC0-40D2-A888-AD9BEDF4E88A} - System32\Tasks\Microsoft\Windows\UNP\RunUpdateNotificationMgr => %windir%\System32\UNP\UpdateNotificationMgr.exe (No File)
Task: {DF7D34C6-E91F-42B5-B7BC-FF74B15B8FB8} - System32\Tasks\Microsoft\Windows\UpdateOrchestrator\MusUx_LogonUpdateResults => %systemroot%\system32\MusNotification.exe LogonUpdateResults (No File)
Task: {83D9AF75-38A6-4D8F-A3EE-77F83210FA8C} - System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Reboot_AC => %systemroot%\system32\MusNotification.exe /RunOnAC ReadyToReboot (No File)
Task: {1334E5CB-1B3B-4BA3-A7EF-2AAE6F086AF8} - System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Reboot_Battery => %systemroot%\system32\MusNotification.exe /RunOnBattery ReadyToReboot (No File)
Task: {F3E6E7ED-A196-4E44-8803-55FAB3AD4E29} - System32\Tasks\Microsoft\Windows\UpdateOrchestrator\USO_UxBroker => %systemroot%\system32\MusNotification.exe (No File)
2026-05-05 04:16 - 2026-05-05 04:16 - 000004754 _____ C:\WINDOWS\system32\Tasks\Google Compatibility Appraiser CL_NCL_9fc87dafd35b51aa
2026-05-05 04:15 - 2026-05-05 04:15 - 000426608 _____ (360.cn) C:\Users\theki\SpectVerifier.exe
2026-05-05 04:15 - 2026-05-05 04:15 - 000000000 ____D C:\Users\theki\AppData\Roaming\scanner_base
2026-05-05 04:15 - 2026-05-05 04:15 - 000000000 ____D C:\ProgramData\scanner_base
2026-05-05 04:14 - 2026-05-05 04:14 - 000000000 ____D C:\Users\theki\AppData\Roaming\RenPy
2026-05-05 04:15 - 2026-05-05 04:15 - 000426608 _____ (360.cn) C:\Users\theki\SpectVerifier.exe
2026-05-05 04:07 - 2026-05-05 04:14 - 000000000 ____D C:\Users\theki\Desktop\Tomodachi Life Living the Dream
Folder: C:\Users\theki\Desktop\Ryujinx DLC Updates
Folder: C:\WINDOWS\system32\Tasks\MAkF7mCn3tPqp662daybvERzwsKQYqnzM8
ShellIconOverlayIdentifiers: [ OneDrive1] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} => -> No File
ShellIconOverlayIdentifiers: [ OneDrive2] -> {5AB7172C-9C11-405C-8DD5-AF20F3606282} => -> No File
ShellIconOverlayIdentifiers: [ OneDrive3] -> {A78ED123-AB77-406B-9962-2A5D9D2F7F30} => -> No File
ShellIconOverlayIdentifiers: [ OneDrive4] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} => -> No File
ShellIconOverlayIdentifiers: [ OneDrive5] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} => -> No File
ShellIconOverlayIdentifiers: [ OneDrive6] -> {9AA2F32D-362A-42D9-9328-24A483E2CCC3} => -> No File
ShellIconOverlayIdentifiers: [ OneDrive7] -> {C5FF006E-2AE9-408C-B85B-2DFDD5449D9C} => -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive1] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} => -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive2] -> {5AB7172C-9C11-405C-8DD5-AF20F3606282} => -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive3] -> {A78ED123-AB77-406B-9962-2A5D9D2F7F30} => -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive4] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} => -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive5] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} => -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive6] -> {9AA2F32D-362A-42D9-9328-24A483E2CCC3} => -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive7] -> {C5FF006E-2AE9-408C-B85B-2DFDD5449D9C} => -> No File
ContextMenuHandlers5: [ACE] -> {5E2121EE-0300-11D4-8D3B-444553540000} => -> No File
HKU\S-1-5-21-1555439151-2052157521-2443853537-1001\Software\Classes\regfile: <==== ATTENTION
HKU\S-1-5-21-1555439151-2052157521-2443853537-1001\Software\Classes\.reg: => <==== ATTENTION
HKU\S-1-5-21-1555439151-2052157521-2443853537-1001\Software\Classes\.bat: => <==== ATTENTION
HKU\S-1-5-21-1555439151-2052157521-2443853537-1001\Software\Classes\.cmd: => <==== ATTENTION
StartPowerShell:
# Downloads newest AdwCleaner version directly from Malwarebytes, performs an update, scans, cleans and writes the log in console
# Does not clean preinstalled objects, only PUP/Adware
# If you would like to delete preinstalled objects, add an argument /preinstalled to the /clean argument
# If you would like to only scan with it, change the argument from /clean to /scan
New-Item -ItemType Directory -Force -Path "$env:SystemDrive\AdwCleaner" | Out-Null
Invoke-WebRequest -Uri "https://adwcleaner.malwarebytes.com/adwcleaner?channel=release" -OutFile "$env:SystemDrive\AdwCleaner\AdwCleanerFRST.exe"
Start-Process -FilePath "$env:SystemDrive\AdwCleaner\AdwCleanerFRST.exe" -ArgumentList "/eula" -Wait -WindowStyle Hidden
$logFile = "$env:SystemDrive\AdwCleaner\AdwCleanerOutputFRST.txt"
Start-Process -FilePath "$env:SystemDrive\AdwCleaner\AdwCleanerFRST.exe" -ArgumentList "/noreboot /clean" -Wait -WindowStyle Hidden -RedirectStandardOutput $logFile
Get-Content $logFile -Encoding Unicode
Remove-Item -Path $logFile -Force -ErrorAction SilentlyContinue
EndPowerShell:
StartPowershell:
# Replace /scanonly with /clean if you also want to delete items -- however, this will activate a trial license on the system, I do not recommend it
$hmpExe = "$env:TEMP\HitmanPro_x64.exe"
$logFile = "$env:TEMP\HitmanPro_ScanLog.txt"
Invoke-WebRequest -Uri "https://dl.surfright.nl/HitmanPro_x64.exe" -OutFile $hmpExe -UseBasicParsing
$proc = Start-Process $hmpExe -ArgumentList "/ews","/scanonly","/noinstall","/log=`"$logFile`"","/logtype=txt" -Wait -PassThru
if (!(Test-Path $logFile)) { Write-Host "Scan failed (exit $($proc.ExitCode))"; exit 1 }
Get-Content $logFile -Encoding Unicode
EndPowershell:
CMD: netsh int ip reset
CMD: netsh int ipv6 reset
CMD: ipconfig /flushDNS
CMD: netsh winsock reset catalog
C:\Users\CurrentUserName\AppData\Local\Temp\*
C:\Windows\Temp\*
C:\Windows\SystemTemp\*
EmptyTemp:
End::
Warning
Executing a Fixlist on the wrong system may permanently damage it. Continue only if this link was meant for you.
To view the content, acknowledge this warning.