Start::
SystemRestore: On
CreateRestorePoint:
CloseProcesses:
PDF Architect 9 Edit Module (HKLM\...\{0FAF4273-F00F-43E7-A8AB-4A37225F7A0B}) (Version: 9.1.88.23120 - Avanquest pdfforge GmbH) Hidden
PDF Architect 9 OCR Module (HKLM\...\{6386DF0A-D2E2-42A9-88D2-9EBB2E5D3B2B}) (Version: 9.1.88.23120 - Avanquest pdfforge GmbH) Hidden
PDF Architect 9 OCR TESS Module (HKLM\...\{02B7818D-0D61-4E37-9607-D8453E9B53A2}) (Version: 9.1.88.23120 - Avanquest pdfforge GmbH) Hidden
PDF Architect 9 View Module (HKLM\...\{DDF7712E-19B5-4CF4-8395-AD1D83032E02}) (Version: 9.1.88.23120 - Avanquest pdfforge GmbH) Hidden
Edge HKLM-x32\...\Edge\Extension: [jcpgbnbdnakoblgfkbgggankeidkfcdl]
CHR HKLM-x32\...\Chrome\Extension: [llbcnfanfmjhpedaedhbcnpgeepdnnok]
CustomCLSID: HKU\S-1-5-21-68856474-3486190891-936517306-1001_Classes\CLSID\{04d5c66b-d515-61ec-258f-a409f9443e98}\localserver32 -> "C:\Program Files\Proton\VPN\v3.0.7\ProtonVPN.exe" -ToastActivated => No File
CustomCLSID: HKU\S-1-5-21-68856474-3486190891-936517306-1001_Classes\CLSID\{bdf037d5-d1f4-16de-7c00-9c2204d45001}\localserver32 -> "C:\Program Files\Proton\VPN\v3.0.5\ProtonVPN.exe" -ToastActivated => No File
Shortcut: C:\Users\muri-\Desktop\facul\RCE\03.2025\run_nvidia_gpu - Atalho.lnk -> C:\Users\muri-\Documents\ComfyUI_windows_portable_nvidia\ComfyUI_windows_portable\run_nvidia_gpu.bat (No File)
AlternateDataStreams: C:\ProgramData\Reprise:wupeogjxlctlfudivq`qsp`28hfm [0]
FirewallRules: [UDP Query User{A7BCD4E1-D268-41B6-BCC8-ACFFF4763F8C}C:\users\muri-\desktop\horror in hongdae-v08.2024-precracked\horror in hongdae.exe] => (Allow) C:\users\muri-\desktop\horror in hongdae-v08.2024-precracked\horror in hongdae.exe => No File
FirewallRules: [TCP Query User{7BAC777E-FD8C-4A6D-8CAB-C7B290256CCC}C:\users\muri-\desktop\horror in hongdae-v08.2024-precracked\horror in hongdae.exe] => (Allow) C:\users\muri-\desktop\horror in hongdae-v08.2024-precracked\horror in hongdae.exe => No File
FirewallRules: [{A21E6B84-841E-41FB-97BA-D83191904975}] => (Allow) C:\Users\muri-\AppData\Local\Temp\scoped_dir20052_2125674989\whatsapp-transfer_11734195220554041301.exe => No File
FirewallRules: [{3D9FACF5-14FF-4063-BEB1-956DB201AC99}] => (Allow) C:\Users\muri-\AppData\Local\Temp\scoped_dir20052_2125674989\whatsapp-transfer_11734195220554041301.exe => No File
FirewallRules: [UDP Query User{4AD38142-480A-4988-BB97-70464B803F2F}C:\xboxgames\call of duty black ops iii\blackops3.exe] => (Allow) C:\xboxgames\call of duty black ops iii\blackops3.exe => No File
FirewallRules: [TCP Query User{4B018C61-CB12-4733-B737-2B2461AF5A9E}C:\xboxgames\call of duty black ops iii\blackops3.exe] => (Allow) C:\xboxgames\call of duty black ops iii\blackops3.exe => No File
FirewallRules: [UDP Query User{0C79B8E0-3E7F-457C-81D9-F6010DABCD26}C:\xboxgames\call of duty - black ops 3\blackops3.exe] => (Allow) C:\xboxgames\call of duty - black ops 3\blackops3.exe => No File
FirewallRules: [TCP Query User{9D81664B-47A5-4540-B7A7-E685A45B35FA}C:\xboxgames\call of duty - black ops 3\blackops3.exe] => (Allow) C:\xboxgames\call of duty - black ops 3\blackops3.exe => No File
FirewallRules: [UDP Query User{27EDB15C-BE7C-44DF-9662-2ED0743D8587}C:\xboxgames\call of duty - black ops\blackops.exe] => (Allow) C:\xboxgames\call of duty - black ops\blackops.exe => No File
FirewallRules: [TCP Query User{58707698-1B24-4CA6-A38F-E372B5177936}C:\xboxgames\call of duty - black ops\blackops.exe] => (Allow) C:\xboxgames\call of duty - black ops\blackops.exe => No File
FirewallRules: [UDP Query User{695AF27E-E272-4983-BDE7-211849139535}C:\users\muri-\desktop\call.of.duty.black.ops.cold.war.ultimate.edition.battle.net.rip-insaneramzes\call of duty black ops cold war\blackopscoldwar.exe] => (Allow) C:\users\muri-\desktop\call.of.duty.black.ops.cold.war.ultimate.edition.battle.net.rip-insaneramzes\call of duty black ops cold war\blackopscoldwar.exe => No File
FirewallRules: [TCP Query User{A93B151F-BF42-441E-BE20-0A6BFCAB86DA}C:\users\muri-\desktop\call.of.duty.black.ops.cold.war.ultimate.edition.battle.net.rip-insaneramzes\call of duty black ops cold war\blackopscoldwar.exe] => (Allow) C:\users\muri-\desktop\call.of.duty.black.ops.cold.war.ultimate.edition.battle.net.rip-insaneramzes\call of duty black ops cold war\blackopscoldwar.exe => No File
FirewallRules: [{46F51CFF-3D2F-48D9-8873-656A0AA75388}] => (Allow) C:\Program Files\AVAST Software\Browser\Application\AvastBrowser.exe => No File
FirewallRules: [{CDC3B2BF-44B4-4B10-8E17-79A792A68037}] => (Allow) C:\Users\muri-\AppData\Roaming\Zoom\bin\airhost.exe => No File
FirewallRules: [{9AF33973-884F-4421-9B28-1797F0CCE5E9}] => (Allow) C:\Users\muri-\AppData\Roaming\Zoom\bin\airhost.exe => No File
FirewallRules: [{E737B366-24CA-4686-9490-263BB1A0F110}] => (Allow) C:\Users\muri-\AppData\Roaming\uTorrent\uTorrent.exe => No File
FirewallRules: [{B0FD76C2-12CE-4BAE-B01A-91CE405BA20C}] => (Allow) C:\Users\muri-\AppData\Roaming\uTorrent\uTorrent.exe => No File
FirewallRules: [UDP Query User{D05A4314-D2C5-49D2-B2E2-74EF18003170}C:\users\muri-\appdata\local\programs\opera gx\opera.exe] => (Block) C:\users\muri-\appdata\local\programs\opera gx\opera.exe => No File
FirewallRules: [TCP Query User{054D879B-3743-4AD2-AA13-DFE8F98A4D96}C:\users\muri-\appdata\local\programs\opera gx\opera.exe] => (Block) C:\users\muri-\appdata\local\programs\opera gx\opera.exe => No File
FirewallRules: [{739888C5-D974-4807-8449-E6B9E798FB8B}] => (Allow) C:\Users\muri-\AppData\Local\Temp\scoped_dir10120_1744892599\phone-mirror.exe => No File
FirewallRules: [{4322A8D0-2048-4D22-A7DD-7BA4158AD2B9}] => (Allow) C:\Users\muri-\AppData\Local\Temp\scoped_dir10120_1744892599\phone-mirror.exe => No File
FirewallRules: [{8D72D969-E5AE-4819-AEC5-05DE43FC5B5C}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Counter-Strike Global Offensive\csgo.exe => No File
FirewallRules: [{4009944F-2DB1-457D-A3C7-0F9A88095569}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Counter-Strike Global Offensive\csgo.exe => No File
FirewallRules: [{6D474C92-28F5-41C0-A9A0-AC1145C6B3C7}] => (Allow) C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe => No File
FirewallRules: [{7D748DD8-567E-472D-AED9-EDA59A9A31B6}] => (Allow) C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe => No File
FirewallRules: [TCP Query User{85BA88A1-39A7-4ADF-9BDF-FF0A664AB857}C:\program files (x86)\steam\steamapps\common\battlefield 4\bf4.exe] => (Allow) C:\program files (x86)\steam\steamapps\common\battlefield 4\bf4.exe => No File
FirewallRules: [UDP Query User{6B6BBCAA-455C-4B09-8DAC-6CFA1EFEE97B}C:\program files (x86)\steam\steamapps\common\battlefield 4\bf4.exe] => (Allow) C:\program files (x86)\steam\steamapps\common\battlefield 4\bf4.exe => No File
FirewallRules: [TCP Query User{4D12C370-AB5A-4CA2-9BED-6514F40B7F51}C:\users\muri-\appdata\local\temp\2haujptplbc1cifxmyzegji0t8e\youtube music.exe] => (Allow) C:\users\muri-\appdata\local\temp\2haujptplbc1cifxmyzegji0t8e\youtube music.exe => No File
FirewallRules: [UDP Query User{CF2492FA-7EA6-4E3D-89AB-910E65089174}C:\users\muri-\appdata\local\temp\2haujptplbc1cifxmyzegji0t8e\youtube music.exe] => (Allow) C:\users\muri-\appdata\local\temp\2haujptplbc1cifxmyzegji0t8e\youtube music.exe => No File
FirewallRules: [TCP Query User{43706F41-007B-422A-8EF4-987C2B62409C}C:\users\muri-\appdata\local\temp\2whqusuun6emvyo72qlmscyyqso\youtube music.exe] => (Allow) C:\users\muri-\appdata\local\temp\2whqusuun6emvyo72qlmscyyqso\youtube music.exe => No File
FirewallRules: [UDP Query User{C6757B62-EA8A-4AF0-A103-C99A7249FA4C}C:\users\muri-\appdata\local\temp\2whqusuun6emvyo72qlmscyyqso\youtube music.exe] => (Allow) C:\users\muri-\appdata\local\temp\2whqusuun6emvyo72qlmscyyqso\youtube music.exe => No File
FirewallRules: [{C0822391-BDB4-4986-9399-7AA533FE0A4B}] => (Allow) C:\Program Files\Blackmagic Design\DaVinci Resolve\ElementsPanelDaemon.exe => No File
FirewallRules: [{AA36317F-7AB7-487B-8B46-EC0F96710128}] => (Allow) C:\Users\muri-\AppData\Roaming\uTorrent Web\utweb.exe => No File
FirewallRules: [{696B03B7-53DC-4667-A433-CAA58F7C73BC}] => (Allow) C:\Users\muri-\AppData\Roaming\uTorrent Web\utweb.exe => No File
FirewallRules: [TCP Query User{78B774C7-E284-47E4-BC3B-413041EAEA73}C:\program files (x86)\steam\steamapps\common\tom clancy's rainbow six siege\rainbowsix.exe] => (Allow) C:\program files (x86)\steam\steamapps\common\tom clancy's rainbow six siege\rainbowsix.exe => No File
FirewallRules: [UDP Query User{172185FF-7CDC-4F97-90F8-AC11445941CA}C:\program files (x86)\steam\steamapps\common\tom clancy's rainbow six siege\rainbowsix.exe] => (Allow) C:\program files (x86)\steam\steamapps\common\tom clancy's rainbow six siege\rainbowsix.exe => No File
HKU\S-1-5-19\...\Run: [HPSEU_Host_Launcher] => C:\System.sav\util\HPSEU\HpseuHostLauncher.exe (No File)
HKU\S-1-5-19\...\RunOnce: [OMENCC_InstallationBooster] => C:\system.sav\util\OMENCC_InstallationBooster.exe (No File)
HKU\S-1-5-20\...\Run: [HPSEU_Host_Launcher] => C:\System.sav\util\HPSEU\HpseuHostLauncher.exe (No File)
HKU\S-1-5-20\...\RunOnce: [OMENCC_InstallationBooster] => C:\system.sav\util\OMENCC_InstallationBooster.exe (No File)
HKU\S-1-5-21-68856474-3486190891-936517306-1001\...\Run: [Teams] => "C:\Users\muri-\AppData\Local\Microsoft\WindowsApps\MSTeams_8wekyb3d8bbwe\ms-teams.exe" msteams:system-initiated (No File)
HKU\S-1-5-21-68856474-3486190891-936517306-1001\...\Run: [faka] => C:\Users\muri-\AppData\Roaming\kdbaf\faka.exe (No File)
HKLM\Software\Microsoft\Active Setup\Installed Components: [{A8504530-742B-42BC-895D-2BAD6406F698}] -> "C:\Program Files\AVAST Software\Browser\Application\125.0.25186.78\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level (No File)
Task: {E63B756C-C724-4851-83A6-8E30CB681406} - System32\Tasks\Avast Secure Browser Heartbeat Task (Hourly) => C:\Program Files\AVAST Software\Browser\Application\AvastBrowser.exe --type=heartbeat --hourly (No File)
Task: {97177349-74CF-4440-9352-A9A6FD5D57A0} - System32\Tasks\Avast Secure Browser Heartbeat Task (Logon) => C:\Program Files\AVAST Software\Browser\Application\AvastBrowser.exe --type=heartbeat --logon (No File)
Task: {EEA9A5E0-24A5-42D6-8E33-FE61164E4640} - System32\Tasks\AvastUpdateTaskMachineCore => C:\Program Files (x86)\AVAST Software\Browser\Update\AvastBrowserUpdate.exe /c (No File)
Task: {29EA5715-74C3-4E97-94A8-8A263EDCFA8A} - System32\Tasks\AvastUpdateTaskMachineUA => C:\Program Files (x86)\AVAST Software\Browser\Update\AvastBrowserUpdate.exe /ua /installsource scheduler (No File)
Task: {077BA067-7C15-40F0-B22E-C9DC2A54B4A2} - System32\Tasks\Microsoft\Windows\Location\Notifications => %windir%\System32\LocationNotificationWindows.exe (No File)
Task: {F3E6E7ED-A196-4E44-8803-55FAB3AD4E29} - System32\Tasks\Microsoft\Windows\UpdateOrchestrator\USO_UxBroker => %systemroot%\system32\MusNotification.exe (No File)
Task: {EC089278-6F16-412D-B46E-A4B1A43692C6} - System32\Tasks\SystemOptimizerTemp => C:\Users\muri-\AppData\Local\Temp\HP\SystemOptimizerTemp\SystemOptimizer.exe -update (No File) <==== ATTENTION
FF Plugin-x32: @update.avastbrowser.com/Avast Browser;version=3 -> C:\Program Files (x86)\AVAST Software\Browser\Update\1.8.1697.6\npAvastBrowserUpdate3.dll [No File]
FF Plugin-x32: @update.avastbrowser.com/Avast Browser;version=9 -> C:\Program Files (x86)\AVAST Software\Browser\Update\1.8.1697.6\npAvastBrowserUpdate3.dll [No File]
S2 ElevationService; C:\Program Files (x86)\Wondershare\MobileTrans\ElevationService.exe (No File)
2026-06-02 19:57 - 2023-10-14 00:08 - 000000000 ___HD C:\WINDOWS\msdownld.tmp
2026-06-15 09:05 - 2023-09-27 18:41 - 000000000 ____D C:\WINDOWS\SystemTemp0d36105866dfd741489ade3864725f5d
File: C:\Users\muri-\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Arduino Cloud Agent.lnk
Comment: This snippet removes all Windows Defender exclusions
DeleteKey: HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\TemporaryPaths
StartPowershell:
Try {
$Paths=(Get-MpPreference).ExclusionPath
$Extensions=(Get-MpPreference).ExclusionExtension
$Processes=(Get-MpPreference).ExclusionProcess
foreach ($Path in $Paths) {
Remove-MpPreference -ExclusionPath $Path -force -ErrorAction Stop
}
foreach ($Extension in $Extensions) {
Remove-MpPreference -ExclusionExtension $Extension -force -ErrorAction Stop
}
foreach ($Process in $Processes) {
Remove-MpPreference -ExclusionProcess $Process -force -ErrorAction Stop
}
}
Catch {
Write-Error "Error occurred while removing Windows Defender exclusions: $_"
}
EndPowershell:
StartPowerShell:
# This snippet re-enables Windows Defender and applies optimized settings to ensure high protection against malware
# Enable real-time protection
Set-MpPreference -DisableRealtimeMonitoring $false
# Enable behavioural protection
Set-MpPreference -DisableBehaviorMonitoring $false
# Enable PUP detection
Set-MpPreference -PUAProtection Enabled
# Enable cloud protection to level 4 - aggressively block unknowns and apply additional protection measures, alternatively use 2 for lower protection or 0 for default
Set-MpPreference -CloudBlockLevel 4
# Send advanced information about malicious/unwanted software present on your device
Set-MpPreference -MAPSReporting 2
# Send safe samples automatically to Microsoft
Set-MpPreference -SubmitSamplesConsent 1
# Enables network protection, which blocks connections to known malicious domains and IP addresses
Set-MpPreference -EnableNetworkProtection Enabled
# Enables Block at First Sight
Set-MpPreference -DisableBlockAtFirstSeen $false
# Allows scanning of archive files, such as .zip and .cab files, for malware/PUP
Set-MpPreference -DisableArchiveScanning $false
# Enables automatic scanning of USB and other removable drives
Set-MpPreference -DisableRemovableDriveScanning $false
# Enables scanning of network files
Set-MpPreference -DisableScanningNetworkFiles $false
# Forces signature check before running a scan
Set-MpPreference -CheckForSignaturesBeforeRunningScan $true
# Extends cloud check timer from default 10 to 30 seconds
Set-MpPreference -CloudExtendedTimeout 30
# Enables automatic scanning of all downloaded files and attachments
Set-MpPreference -DisableIOAVProtection $false
# Enables script detection
Set-MpPreference -DisableScriptScanning $false
# Disables automatic exclusions from scanning
Set-MpPreference -DisableAutoExclusions 1
# Enables scanning of mapped network drives
Set-MpPreference -DisableScanningMappedNetworkDrivesForFullScan 0
# Enables scanning of email files
Set-MpPreference -DisableEmailScanning 0
# Enables blocking of malicious domains and IPs at the DNS level
Set-MpPreference -EnableDnsSinkhole $true
# Checks for signature updates every 12 hours
Set-MpPreference -SignatureUpdateInterval 12
# Enables automatic quarantine for threats labelled as high and severe
Set-MpPreference -HighThreatDefaultAction Quarantine
Set-MpPreference -SevereThreatDefaultAction Quarantine
# Updates signatures
Update-MpSignature
EndPowerShell:
StartPowershell:
# Replace /scanonly with /clean if you also want to delete items -- however, this will activate a trial license on the system, I do not recommend it
$hmpExe = "$env:TEMP\HitmanPro_x64.exe"
$logFile = "$env:TEMP\HitmanPro_ScanLog.txt"
Invoke-WebRequest -Uri "https://dl.surfright.nl/HitmanPro_x64.exe" -OutFile $hmpExe -UseBasicParsing
$proc = Start-Process $hmpExe -ArgumentList "/ews","/scanonly","/noinstall","/log=`"$logFile`"","/logtype=txt" -Wait -PassThru
if (!(Test-Path $logFile)) { Write-Host "Scan failed (exit $($proc.ExitCode))"; exit 1 }
Get-Content $logFile -Encoding Unicode
EndPowershell:
StartPowerShell:
# This snippet downloads Emsisoft Emergency Kit (EEK) from Emsisoft's official site, updates it, and scans with it.
# Do note that the executable is about 300 MB and may take some time to download.
# ---
# This will scan for malware and PUPs in 1) system memory and 2) important folders, as the documentation says.
# It will scan inside compressed archives, mail archives and NTFS alternate data streams, and use cloud requests.
# ---
# You can use the "/delete" argument to delete found objects including references, but this is permanent and irreversible.
# You can remove the "/quick" argument to do a full scan, but that may take longer than what FRST can handle.
# You can use the argument "/quarantine=[folder]" to put found malware into quarantine, but I personally prefer first verifying the detections.
$downloadUrl = "https://dl.emsisoft.com/EmsisoftEmergencyKit.exe"
$systemDrive = $env:SystemDrive
$frstPath = "$systemDrive\FRST"
$savePath = "$frstPath\EEK.exe"
$extractPath = "$frstPath\EEK"
if (-not (Test-Path $frstPath)) {
New-Item -Path $frstPath -ItemType Directory -Force | Out-Null
}
if (-not (Test-Path $extractPath)) {
New-Item -Path $extractPath -ItemType Directory -Force | Out-Null
}
Invoke-WebRequest -Uri $downloadUrl -OutFile $savePath -UseBasicParsing
$proc = Start-Process -FilePath $savePath -ArgumentList "-s -d`"$extractPath`"" -PassThru
while (-not (Test-Path "$extractPath\bin64\a2cmd.exe")) { Start-Sleep -Milliseconds 1000 }
Stop-Process -Id $proc.Id -Force -ErrorAction SilentlyContinue
if ([Environment]::Is64BitOperatingSystem) {
$a2cmdPath = Join-Path $extractPath "bin64\a2cmd.exe"
} else {
$a2cmdPath = Join-Path $extractPath "bin32\a2cmd.exe"
}
Start-Process -FilePath $a2cmdPath -ArgumentList "/update" -Wait -NoNewWindow
Start-Process -FilePath $a2cmdPath -ArgumentList "/malware /quick /m /t /pup /a /am /cloud=1 /la=`"$frstPath\EEK_scan.log`"" -Wait -NoNewWindow
Get-Content "$frstPath\EEK_scan.log"
exit
EndPowerShell:
Comment: Verify that Discord does not have any injected code to intercept personal data. If anything is printed here, it must be checked to confirm it is not malicious code.
Powershell: @("$env:APPDATA","$env:LOCALAPPDATA") | ForEach-Object { Get-ChildItem $_ -Recurse -Filter "index.js" -ErrorAction SilentlyContinue } | Where-Object { $_.FullName -match "discord_desktop_core" } | ForEach-Object { $content = Get-Content $_.FullName -Raw; Write-Host "--- $($_.FullName) ---"; if ($content) { $content.Substring(0,[Math]::Min(2000,$content.Length)) } }
Comment: Remove unwanted files from common folders using Farbar's native removal capability, including removal on reboot if needed. Please double-check that the user does not have any applications incorrectly installed in the directories listed below.
C:\ProgramData\*.a3x
C:\ProgramData\*.ahk
C:\ProgramData\*.au3
C:\ProgramData\*.bat
C:\ProgramData\*.cab
C:\ProgramData\*.cmd
C:\ProgramData\*.com
C:\ProgramData\*.dll
C:\ProgramData\*.exe
C:\ProgramData\*.hta
C:\ProgramData\*.jar
C:\ProgramData\*.js
C:\ProgramData\*.jse
C:\ProgramData\*.lnk
C:\ProgramData\*.pif
C:\ProgramData\*.ps1
C:\ProgramData\*.py
C:\ProgramData\*.pyc
C:\ProgramData\*.pyd
C:\ProgramData\*.scr
C:\ProgramData\*.tmp
C:\ProgramData\*.vbe
C:\ProgramData\*.vbs
C:\ProgramData\*.wsf
C:\ProgramData\*.wsh
C:\ProgramData\*.zip
C:\ProgramData\*.rar
C:\ProgramData\*.7z
C:\Users\*\AppData\Roaming\*.au3
C:\Users\*\AppData\Roaming\*.bat
C:\Users\*\AppData\Roaming\*.cab
C:\Users\*\AppData\Roaming\*.cmd
C:\Users\*\AppData\Roaming\*.com
C:\Users\*\AppData\Roaming\*.dll
C:\Users\*\AppData\Roaming\*.exe
C:\Users\*\AppData\Roaming\*.hta
C:\Users\*\AppData\Roaming\*.jar
C:\Users\*\AppData\Roaming\*.js
C:\Users\*\AppData\Roaming\*.jse
C:\Users\*\AppData\Roaming\*.lnk
C:\Users\*\AppData\Roaming\*.pif
C:\Users\*\AppData\Roaming\*.ps1
C:\Users\*\AppData\Roaming\*.py
C:\Users\*\AppData\Roaming\*.pyc
C:\Users\*\AppData\Roaming\*.pyd
C:\Users\*\AppData\Roaming\*.scr
C:\Users\*\AppData\Roaming\*.tmp
C:\Users\*\AppData\Roaming\*.vbe
C:\Users\*\AppData\Roaming\*.vbs
C:\Users\*\AppData\Roaming\*.wsf
C:\Users\*\AppData\Roaming\*.wsh
C:\Users\*\AppData\Roaming\*.zip
C:\Users\*\AppData\Roaming\*.rar
C:\Users\*\AppData\Roaming\*.7z
C:\Users\CurrentUserName\AppData\Local\*.a3x
C:\Users\CurrentUserName\AppData\Local\*.ahk
C:\Users\CurrentUserName\AppData\Local\*.au3
C:\Users\CurrentUserName\AppData\Local\*.bat
C:\Users\CurrentUserName\AppData\Local\*.cab
C:\Users\CurrentUserName\AppData\Local\*.cmd
C:\Users\CurrentUserName\AppData\Local\*.com
C:\Users\CurrentUserName\AppData\Local\*.dll
C:\Users\CurrentUserName\AppData\Local\*.exe
C:\Users\CurrentUserName\AppData\Local\*.hta
C:\Users\CurrentUserName\AppData\Local\*.jar
C:\Users\CurrentUserName\AppData\Local\*.js
C:\Users\CurrentUserName\AppData\Local\*.jse
C:\Users\CurrentUserName\AppData\Local\*.lnk
C:\Users\CurrentUserName\AppData\Local\*.pif
C:\Users\CurrentUserName\AppData\Local\*.ps1
C:\Users\CurrentUserName\AppData\Local\*.py
C:\Users\CurrentUserName\AppData\Local\*.pyc
C:\Users\CurrentUserName\AppData\Local\*.pyd
C:\Users\CurrentUserName\AppData\Local\*.scr
C:\Users\CurrentUserName\AppData\Local\*.tmp
C:\Users\CurrentUserName\AppData\Local\*.vbe
C:\Users\CurrentUserName\AppData\Local\*.vbs
C:\Users\CurrentUserName\AppData\Local\*.wsf
C:\Users\CurrentUserName\AppData\Local\*.wsh
C:\Users\CurrentUserName\AppData\Local\*.zip
C:\Users\CurrentUserName\AppData\Local\*.rar
C:\Users\CurrentUserName\AppData\Local\*.7z
C:\Users\CurrentUserName\AppData\Roaming\*.a3x
C:\Users\CurrentUserName\AppData\Roaming\*.ahk
C:\Users\CurrentUserName\AppData\Roaming\*.au3
C:\Users\CurrentUserName\AppData\Roaming\*.bat
C:\Users\CurrentUserName\AppData\Roaming\*.cab
C:\Users\CurrentUserName\AppData\Roaming\*.cmd
C:\Users\CurrentUserName\AppData\Roaming\*.com
C:\Users\CurrentUserName\AppData\Roaming\*.dll
C:\Users\CurrentUserName\AppData\Roaming\*.exe
C:\Users\CurrentUserName\AppData\Roaming\*.hta
C:\Users\CurrentUserName\AppData\Roaming\*.jar
C:\Users\CurrentUserName\AppData\Roaming\*.js
C:\Users\CurrentUserName\AppData\Roaming\*.jse
C:\Users\CurrentUserName\AppData\Roaming\*.lnk
C:\Users\CurrentUserName\AppData\Roaming\*.pif
C:\Users\CurrentUserName\AppData\Roaming\*.ps1
C:\Users\CurrentUserName\AppData\Roaming\*.py
C:\Users\CurrentUserName\AppData\Roaming\*.pyc
C:\Users\CurrentUserName\AppData\Roaming\*.pyd
C:\Users\CurrentUserName\AppData\Roaming\*.scr
C:\Users\CurrentUserName\AppData\Roaming\*.tmp
C:\Users\CurrentUserName\AppData\Roaming\*.vbe
C:\Users\CurrentUserName\AppData\Roaming\*.vbs
C:\Users\CurrentUserName\AppData\Roaming\*.wsf
C:\Users\CurrentUserName\AppData\Roaming\*.wsh
C:\Users\CurrentUserName\AppData\Roaming\*.zip
C:\Users\CurrentUserName\AppData\Roaming\*.rar
C:\Users\CurrentUserName\AppData\Roaming\*.7z
Comment: Force policy removal
C:\Windows\System32\GroupPolicyUsers
C:\Windows\System32\GroupPolicy
Comment: System repair commands
CMD: DISM.exe /Online /Cleanup-image /Restorehealth
CMD: SFC.exe /scannow
Comment: Network reset commands
CMD: netsh int ip reset
CMD: netsh int ipv6 reset
CMD: ipconfig /flushDNS
CMD: netsh winsock reset catalog
Comment: Additional temp file removal
C:\Windows\System32\config\systemprofile\AppData\Local\*.tmp
C:\WINDOWS\system32\*.tmp
C:\WINDOWS\syswow64\*.tmp
C:\Users\CurrentUserName\AppData\Local\Temp\*
C:\Windows\Temp\*
C:\Windows\SystemTemp\*
EmptyTemp:
End::