Malware Log Analysis

shared / manegarrr
Login
content copied

content

Start:: CloseProcesses: 2026-05-23 14:46 - 2025-03-22 01:50 - 000000048 _____ C:\Users\fares\AppData\Roaming\msregsvv.dll 2025-03-22 01:50 - 2026-05-23 14:46 - 000000048 _____ () C:\Users\fares\AppData\Roaming\msregsvv.dll CustomCLSID: HKU\S-1-5-21-51619415-59191838-3681698077-1001_Classes\CLSID\{03B29243-35DA-4858-920E-B70A007DF5AA}\InprocServer32 -> C:\Users\fares\AppData\Local\Microsoft\EdgeUpdate\1.3.217.3\psuser_64.dll => No File CustomCLSID: HKU\S-1-5-21-51619415-59191838-3681698077-1001_Classes\CLSID\{1108FD1C-492F-4251-B9DB-77F0274267B2}\InprocServer32 -> C:\Users\fares\AppData\Local\Microsoft\EdgeUpdate\1.3.187.37\psuser_64.dll => No File CustomCLSID: HKU\S-1-5-21-51619415-59191838-3681698077-1001_Classes\CLSID\{1C67DF85-7959-43C0-92F8-2CAD0314C31C}\InprocServer32 -> C:\Users\fares\AppData\Local\Microsoft\EdgeUpdate\1.3.201.11\psuser_64.dll => No File CustomCLSID: HKU\S-1-5-21-51619415-59191838-3681698077-1001_Classes\CLSID\{2ABD6384-2E18-40E8-8439-F06D21E0B03D}\InprocServer32 -> C:\Users\fares\AppData\Local\Microsoft\EdgeUpdate\1.3.195.43\psuser_64.dll => No File CustomCLSID: HKU\S-1-5-21-51619415-59191838-3681698077-1001_Classes\CLSID\{2B49DB21-41C5-44C0-8358-CA4C76205AE1}\InprocServer32 -> C:\Users\fares\AppData\Local\Microsoft\EdgeUpdate\1.3.209.9\psuser_64.dll => No File CustomCLSID: HKU\S-1-5-21-51619415-59191838-3681698077-1001_Classes\CLSID\{2FDB3305-19B8-4FE2-972B-ED5E97CBBD6E}\InprocServer32 -> C:\Users\fares\AppData\Local\Microsoft\EdgeUpdate\1.3.195.39\psuser_64.dll => No File CustomCLSID: HKU\S-1-5-21-51619415-59191838-3681698077-1001_Classes\CLSID\{41B09861-5409-4D44-8CA4-D49FBFAA2E6F}\InprocServer32 -> C:\Users\fares\AppData\Local\Microsoft\EdgeUpdate\1.3.195.49\psuser_64.dll => No File CustomCLSID: HKU\S-1-5-21-51619415-59191838-3681698077-1001_Classes\CLSID\{448DD314-7FBB-429C-9DAA-C05A00D235A8}\InprocServer32 -> C:\Users\fares\AppData\Local\Microsoft\EdgeUpdate\1.3.215.9\psuser_64.dll => No File CustomCLSID: HKU\S-1-5-21-51619415-59191838-3681698077-1001_Classes\CLSID\{4FFB4BD8-A109-4F25-A4DB-313678B19417}\InprocServer32 -> C:\Users\fares\AppData\Local\Microsoft\EdgeUpdate\1.3.195.31\psuser_64.dll => No File CustomCLSID: HKU\S-1-5-21-51619415-59191838-3681698077-1001_Classes\CLSID\{5247F326-2FF0-4920-998E-12AA35F0883C}\InprocServer32 -> C:\Users\fares\AppData\Local\Microsoft\EdgeUpdate\1.3.213.7\psuser_64.dll => No File CustomCLSID: HKU\S-1-5-21-51619415-59191838-3681698077-1001_Classes\CLSID\{5FC44EBC-3A1F-4FBB-85E5-34405788C8D7}\InprocServer32 -> C:\Users\fares\AppData\Local\Microsoft\EdgeUpdate\1.3.187.41\psuser_64.dll => No File CustomCLSID: HKU\S-1-5-21-51619415-59191838-3681698077-1001_Classes\CLSID\{6A49690B-7DB6-424B-81CE-F51078F2A58D}\InprocServer32 -> C:\Users\fares\AppData\Local\Microsoft\EdgeUpdate\1.3.203.13\psuser_64.dll => No File CustomCLSID: HKU\S-1-5-21-51619415-59191838-3681698077-1001_Classes\CLSID\{6DD6748E-7DAE-47EF-B4D5-03AA1B06D697}\InprocServer32 -> C:\Users\fares\AppData\Local\Microsoft\EdgeUpdate\1.3.187.39\psuser_64.dll => No File CustomCLSID: HKU\S-1-5-21-51619415-59191838-3681698077-1001_Classes\CLSID\{72726D01-426C-4B35-8266-B4496CAA889E}\InprocServer32 -> C:\Users\fares\AppData\Local\Microsoft\EdgeUpdate\1.3.183.29\psuser_64.dll => No File CustomCLSID: HKU\S-1-5-21-51619415-59191838-3681698077-1001_Classes\CLSID\{78C1ADF4-6DAE-4164-AEFA-4E3EAD9E750A}\InprocServer32 -> C:\Users\fares\AppData\Local\Microsoft\EdgeUpdate\1.3.195.19\psuser_64.dll => No File CustomCLSID: HKU\S-1-5-21-51619415-59191838-3681698077-1001_Classes\CLSID\{79F05C14-E714-4C12-9924-93C812894CB0}\InprocServer32 -> C:\Users\fares\AppData\Local\Microsoft\EdgeUpdate\1.3.195.57\psuser_64.dll => No File CustomCLSID: HKU\S-1-5-21-51619415-59191838-3681698077-1001_Classes\CLSID\{7EFB4924-4B93-4C43-9832-9C3D05E85214}\InprocServer32 -> C:\Users\fares\AppData\Local\Microsoft\EdgeUpdate\1.3.195.59\psuser_64.dll => No File CustomCLSID: HKU\S-1-5-21-51619415-59191838-3681698077-1001_Classes\CLSID\{83F21C4B-8643-4A08-A29A-822AFD835037}\InprocServer32 -> C:\Users\fares\AppData\Local\Microsoft\EdgeUpdate\1.3.193.5\psuser_64.dll => No File CustomCLSID: HKU\S-1-5-21-51619415-59191838-3681698077-1001_Classes\CLSID\{9C391760-8CB8-4F1E-AB7D-0C9915EFB004}\InprocServer32 -> C:\Users\fares\AppData\Local\Microsoft\EdgeUpdate\1.3.211.7\psuser_64.dll => No File CustomCLSID: HKU\S-1-5-21-51619415-59191838-3681698077-1001_Classes\CLSID\{A087E49F-1F8E-4603-A200-55537B737421}\InprocServer32 -> C:\Users\fares\AppData\Local\Microsoft\EdgeUpdate\1.3.195.25\psuser_64.dll => No File CustomCLSID: HKU\S-1-5-21-51619415-59191838-3681698077-1001_Classes\CLSID\{A78355B5-2A4D-486B-B97A-43448FC8C34D}\InprocServer32 -> C:\Users\fares\AppData\Local\Microsoft\EdgeUpdate\1.3.207.5\psuser_64.dll => No File CustomCLSID: HKU\S-1-5-21-51619415-59191838-3681698077-1001_Classes\CLSID\{AE1542A7-3989-481B-93A9-1500C5F56B14}\InprocServer32 -> C:\Users\fares\AppData\Local\Microsoft\EdgeUpdate\1.3.185.27\psuser_64.dll => No File CustomCLSID: HKU\S-1-5-21-51619415-59191838-3681698077-1001_Classes\CLSID\{B258532D-3529-4BEB-BF38-F08F98B3968C}\InprocServer32 -> C:\Users\fares\AppData\Local\Microsoft\EdgeUpdate\1.3.195.15\psuser_64.dll => No File CustomCLSID: HKU\S-1-5-21-51619415-59191838-3681698077-1001_Classes\CLSID\{BB04C6F8-598E-4733-ABB4-07489C863436}\InprocServer32 -> C:\Users\fares\AppData\Local\Microsoft\EdgeUpdate\1.3.205.9\psuser_64.dll => No File CustomCLSID: HKU\S-1-5-21-51619415-59191838-3681698077-1001_Classes\CLSID\{BC4C72EF-3055-4A6D-86E1-AE4D24DB63CA}\InprocServer32 -> C:\Users\fares\AppData\Local\Microsoft\EdgeUpdate\1.3.195.35\psuser_64.dll => No File CustomCLSID: HKU\S-1-5-21-51619415-59191838-3681698077-1001_Classes\CLSID\{BCF99248-58CE-4562-B227-14D1E171B49D}\InprocServer32 -> C:\Users\fares\AppData\Local\Microsoft\EdgeUpdate\1.3.221.3\psuser_64.dll => No File CustomCLSID: HKU\S-1-5-21-51619415-59191838-3681698077-1001_Classes\CLSID\{C88B3957-621C-415B-8EE5-B688FC7EF924}\InprocServer32 -> C:\Users\fares\AppData\Local\Microsoft\EdgeUpdate\1.3.195.61\psuser_64.dll => No File CustomCLSID: HKU\S-1-5-21-51619415-59191838-3681698077-1001_Classes\CLSID\{CAE1760A-CB07-481B-8F9A-BC65510AF5D5}\InprocServer32 -> C:\Users\fares\AppData\Local\Microsoft\EdgeUpdate\1.3.185.21\psuser_64.dll => No File CustomCLSID: HKU\S-1-5-21-51619415-59191838-3681698077-1001_Classes\CLSID\{D2188EEC-2B0F-488C-8ECA-5285E8ECD87D}\InprocServer32 -> C:\Users\fares\AppData\Local\Microsoft\EdgeUpdate\1.3.195.69\psuser_64.dll => No File CustomCLSID: HKU\S-1-5-21-51619415-59191838-3681698077-1001_Classes\CLSID\{D8599F80-3D26-46D2-8CF1-0AD21B0ECF31}\InprocServer32 -> C:\Users\fares\AppData\Local\Microsoft\EdgeUpdate\1.3.195.65\psuser_64.dll => No File CustomCLSID: HKU\S-1-5-21-51619415-59191838-3681698077-1001_Classes\CLSID\{DAA7499A-B3AC-4419-A89B-124318504051}\InprocServer32 -> C:\Users\fares\AppData\Local\Microsoft\EdgeUpdate\1.3.185.29\psuser_64.dll => No File CustomCLSID: HKU\S-1-5-21-51619415-59191838-3681698077-1001_Classes\CLSID\{E3D57E77-FE71-4D06-BD34-D48820074909}\InprocServer32 -> C:\Users\fares\AppData\Local\Microsoft\EdgeUpdate\1.3.181.5\psuser_64.dll => No File CustomCLSID: HKU\S-1-5-21-51619415-59191838-3681698077-1001_Classes\CLSID\{E76F97B1-1AE9-497C-9FA4-F57BBABAD54A}\InprocServer32 -> C:\Users\fares\AppData\Local\Microsoft\EdgeUpdate\1.3.185.17\psuser_64.dll => No File CustomCLSID: HKU\S-1-5-21-51619415-59191838-3681698077-1001_Classes\CLSID\{ECCE2756-C45D-4E13-BC2D-EC9F138997E6}\InprocServer32 -> C:\Users\fares\AppData\Local\Microsoft\EdgeUpdate\1.3.199.11\psuser_64.dll => No File CustomCLSID: HKU\S-1-5-21-51619415-59191838-3681698077-1001_Classes\CLSID\{F46A78BD-06FC-442C-88DF-0500F08F2379}\InprocServer32 -> C:\Users\fares\AppData\Local\Microsoft\EdgeUpdate\1.3.195.45\psuser_64.dll => No File AlternateDataStreams: C:\Users\fares\OneDrive\Desktop\FRSTEnglish.exe:MBAM.Zone.Identifier [225] AlternateDataStreams: C:\Users\Public\Shared Files:VersionCache [5110] FirewallRules: [TCP Query User{E1556EB5-E4AC-4474-B54A-2A029BEA2DC0}C:\users\fares\appdata\local\viber\viber.exe] => (Allow) C:\users\fares\appdata\local\viber\viber.exe => No File FirewallRules: [UDP Query User{33C21763-D321-4171-9A12-6CE19840376A}C:\users\fares\appdata\local\viber\viber.exe] => (Allow) C:\users\fares\appdata\local\viber\viber.exe => No File FirewallRules: [TCP Query User{F43286AF-3F45-420F-96AC-A3BC073739C0}C:\users\fares\curseforge\minecraft\install\runtime\java-runtime-beta\windows-x64\java-runtime-beta\bin\javaw.exe] => (Allow) C:\users\fares\curseforge\minecraft\install\runtime\java-runtime-beta\windows-x64\java-runtime-beta\bin\javaw.exe => No File FirewallRules: [UDP Query User{D85F434F-3D26-4D3E-86F8-A5E2B56CB82E}C:\users\fares\curseforge\minecraft\install\runtime\java-runtime-beta\windows-x64\java-runtime-beta\bin\javaw.exe] => (Allow) C:\users\fares\curseforge\minecraft\install\runtime\java-runtime-beta\windows-x64\java-runtime-beta\bin\javaw.exe => No File FirewallRules: [{9F97FCD8-E551-4C69-927E-FEBCADD4A622}] => (Allow) D:\SteamLibrary\steamapps\common\Old School RuneScape\bin\win64\osclient.exe => No File FirewallRules: [{2A01227E-A9C3-4BA5-93B6-E1DEA6C26E1B}] => (Allow) D:\SteamLibrary\steamapps\common\Old School RuneScape\bin\win64\osclient.exe => No File FirewallRules: [TCP Query User{A48CABF4-0EFC-4861-98BF-A78D74745BB7}D:\riot games\riot client\riotclientelectron\riot client.exe] => (Allow) D:\riot games\riot client\riotclientelectron\riot client.exe => No File FirewallRules: [UDP Query User{A8AFEA77-FCE0-4B6C-B258-ADB0EC675D5F}D:\riot games\riot client\riotclientelectron\riot client.exe] => (Allow) D:\riot games\riot client\riotclientelectron\riot client.exe => No File FirewallRules: [{CC487CB1-8B38-4728-AA1A-4525D96A5908}] => (Allow) D:\SteamLibrary\steamapps\common\Beer Strip\BeerStrip.exe => No File FirewallRules: [{85787156-3469-43B3-9CF0-91A5E5884524}] => (Allow) D:\SteamLibrary\steamapps\common\Beer Strip\BeerStrip.exe => No File FirewallRules: [{769AB86E-319E-4F2B-82A8-2487AE634081}] => (Allow) D:\SteamLibrary\steamapps\common\Rust\Rust.exe => No File FirewallRules: [{A80265FE-AAAE-41E3-9D6C-5EECE3622588}] => (Allow) D:\SteamLibrary\steamapps\common\Rust\Rust.exe => No File FirewallRules: [{5A4B0541-F9F3-4C53-9E1A-604A36E926B1}] => (Allow) C:\Program Files (x86)\Overwolf\0.294.2.2\OverwolfBrowser.exe => No File FirewallRules: [{38494D08-8E0A-4A57-8DA3-E9317A08B489}] => (Allow) C:\Program Files (x86)\Overwolf\0.294.2.2\OverwolfBrowser.exe => No File FirewallRules: [{2529603D-CA99-44B9-B801-3A29C0CAB3C0}] => (Block) C:\Program Files (x86)\Overwolf\0.294.2.2\OverwolfBrowser.exe => No File FirewallRules: [{03E8EC01-3A5A-42BE-A6D6-996F501BF2A1}] => (Block) C:\Program Files (x86)\Overwolf\0.294.2.2\OverwolfBrowser.exe => No File HKU\S-1-5-21-51619415-59191838-3681698077-1001\...\Run: [RiotClient] => D:\Riot Games\Riot Client\RiotClientServices.exe --launch-background-mode (No File) Task: {F0C5D104-CC18-4A44-8FB7-C540FA8AC5EF} - \Cedar Ledger Canada 54208-077-1001 -> No File <==== ATTENTION U4 Antares Central Services; no ImagePath U4 CmWebAdmin.exe; no ImagePath U3 CodeMeter.exe; no ImagePath S3 MpKsl946529ea; \??\C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{1148232C-D8D6-4FD1-9AD9-D1B58F987E1C}\MpKslDrv.sys (No File) HKLM\SOFTWARE\Microsoft\Windows Defender: [DisableAntiSpyware] Restriction <==== ATTENTION HKLM\SOFTWARE\Microsoft\Windows Defender: [DisableAntiVirus] Restriction <==== ATTENTION GroupPolicy: Restriction ? <==== ATTENTION Policies: C:\ProgramData\NTUSER.pol: Restriction <==== ATTENTION File: C:\WINDOWS\System32\drivers\SNTUSB64.SYS File: C:\WINDOWS\System32\drivers\vacrnckd.sys File: C:\WINDOWS\System32\drivers\xb1usb.sys C:\Users\fares\AppData\Roaming\Archetype Gojira\Preferences StartPowershell: # Replace /scanonly with /clean if you also want to delete items -- however, this will activate a trial license on the system, I do not recommend it $hmpExe = "$env:TEMP\HitmanPro_x64.exe" $logFile = "$env:TEMP\HitmanPro_ScanLog.txt" Invoke-WebRequest -Uri "https://dl.surfright.nl/HitmanPro_x64.exe" -OutFile $hmpExe -UseBasicParsing $proc = Start-Process $hmpExe -ArgumentList "/ews","/scanonly","/noinstall","/log=`"$logFile`"","/logtype=txt" -Wait -PassThru if (!(Test-Path $logFile)) { Write-Host "Scan failed (exit $($proc.ExitCode))"; exit 1 } Get-Content $logFile -Encoding Unicode EndPowershell: StartPowerShell: # Downloads newest AdwCleaner version directly from Malwarebytes, performs an update, scans, cleans and writes the log in console # Does not clean preinstalled objects, only PUP/Adware # If you would like to delete preinstalled objects, add an argument /preinstalled to the /clean argument # If you would like to only scan with it, change the argument from /clean to /scan # NOTE: For the sake of users from Asia (primarily China), do not use the clean option. It will very likely remove a lot of their important software. New-Item -ItemType Directory -Force -Path "$env:SystemDrive\AdwCleaner" | Out-Null Invoke-WebRequest -Uri "https://adwcleaner.malwarebytes.com/adwcleaner?channel=release" -OutFile "$env:SystemDrive\AdwCleaner\AdwCleanerFRST.exe" Start-Process -FilePath "$env:SystemDrive\AdwCleaner\AdwCleanerFRST.exe" -ArgumentList "/eula" -Wait -WindowStyle Hidden $logFile = "$env:SystemDrive\AdwCleaner\AdwCleanerOutputFRST.txt" Start-Process -FilePath "$env:SystemDrive\AdwCleaner\AdwCleanerFRST.exe" -ArgumentList "/noreboot /clean" -Wait -WindowStyle Hidden -RedirectStandardOutput $logFile Get-Content $logFile -Encoding Unicode Remove-Item -Path $logFile -Force -ErrorAction SilentlyContinue EndPowerShell: Comment: Remove unwanted files from common folders using native removal power of Farbar to include remove on reboot if needed. Please double check the user does not have any applications incorrectly installed in the directories listed below. C:\ProgramData\*.a3x C:\ProgramData\*.ahk C:\ProgramData\*.au3 C:\ProgramData\*.bat C:\ProgramData\*.cab C:\ProgramData\*.cmd C:\ProgramData\*.com C:\ProgramData\*.dll C:\ProgramData\*.exe C:\ProgramData\*.hta C:\ProgramData\*.jar C:\ProgramData\*.js C:\ProgramData\*.jse C:\ProgramData\*.lnk C:\ProgramData\*.pif C:\ProgramData\*.ps1 C:\ProgramData\*.py C:\ProgramData\*.pyc C:\ProgramData\*.pyd C:\ProgramData\*.scr C:\ProgramData\*.tmp C:\ProgramData\*.vbe C:\ProgramData\*.vbs C:\ProgramData\*.wsf C:\ProgramData\*.wsh C:\ProgramData\*.zip C:\ProgramData\*.rar C:\ProgramData\*.7z C:\Users\*\AppData\Roaming\*.au3 C:\Users\*\AppData\Roaming\*.bat C:\Users\*\AppData\Roaming\*.cab C:\Users\*\AppData\Roaming\*.cmd C:\Users\*\AppData\Roaming\*.com C:\Users\*\AppData\Roaming\*.dll C:\Users\*\AppData\Roaming\*.exe C:\Users\*\AppData\Roaming\*.hta C:\Users\*\AppData\Roaming\*.jar C:\Users\*\AppData\Roaming\*.js C:\Users\*\AppData\Roaming\*.jse C:\Users\*\AppData\Roaming\*.lnk C:\Users\*\AppData\Roaming\*.pif C:\Users\*\AppData\Roaming\*.ps1 C:\Users\*\AppData\Roaming\*.py C:\Users\*\AppData\Roaming\*.pyc C:\Users\*\AppData\Roaming\*.pyd C:\Users\*\AppData\Roaming\*.scr C:\Users\*\AppData\Roaming\*.tmp C:\Users\*\AppData\Roaming\*.vbe C:\Users\*\AppData\Roaming\*.vbs C:\Users\*\AppData\Roaming\*.wsf C:\Users\*\AppData\Roaming\*.wsh C:\Users\*\AppData\Roaming\*.zip C:\Users\*\AppData\Roaming\*.rar C:\Users\*\AppData\Roaming\*.7z C:\Users\CurrentUserName\AppData\Local\*.a3x C:\Users\CurrentUserName\AppData\Local\*.ahk C:\Users\CurrentUserName\AppData\Local\*.au3 C:\Users\CurrentUserName\AppData\Local\*.bat C:\Users\CurrentUserName\AppData\Local\*.cab C:\Users\CurrentUserName\AppData\Local\*.cmd C:\Users\CurrentUserName\AppData\Local\*.com C:\Users\CurrentUserName\AppData\Local\*.dll C:\Users\CurrentUserName\AppData\Local\*.exe C:\Users\CurrentUserName\AppData\Local\*.hta C:\Users\CurrentUserName\AppData\Local\*.jar C:\Users\CurrentUserName\AppData\Local\*.js C:\Users\CurrentUserName\AppData\Local\*.jse C:\Users\CurrentUserName\AppData\Local\*.lnk C:\Users\CurrentUserName\AppData\Local\*.pif C:\Users\CurrentUserName\AppData\Local\*.ps1 C:\Users\CurrentUserName\AppData\Local\*.py C:\Users\CurrentUserName\AppData\Local\*.pyc C:\Users\CurrentUserName\AppData\Local\*.pyd C:\Users\CurrentUserName\AppData\Local\*.scr C:\Users\CurrentUserName\AppData\Local\*.tmp C:\Users\CurrentUserName\AppData\Local\*.vbe C:\Users\CurrentUserName\AppData\Local\*.vbs C:\Users\CurrentUserName\AppData\Local\*.wsf C:\Users\CurrentUserName\AppData\Local\*.wsh C:\Users\CurrentUserName\AppData\Local\*.zip C:\Users\CurrentUserName\AppData\Local\*.rar C:\Users\CurrentUserName\AppData\Local\*.7z C:\Users\CurrentUserName\AppData\Roaming\*.a3x C:\Users\CurrentUserName\AppData\Roaming\*.ahk C:\Users\CurrentUserName\AppData\Roaming\*.au3 C:\Users\CurrentUserName\AppData\Roaming\*.bat C:\Users\CurrentUserName\AppData\Roaming\*.cab C:\Users\CurrentUserName\AppData\Roaming\*.cmd C:\Users\CurrentUserName\AppData\Roaming\*.com C:\Users\CurrentUserName\AppData\Roaming\*.dll C:\Users\CurrentUserName\AppData\Roaming\*.exe C:\Users\CurrentUserName\AppData\Roaming\*.hta C:\Users\CurrentUserName\AppData\Roaming\*.jar C:\Users\CurrentUserName\AppData\Roaming\*.js C:\Users\CurrentUserName\AppData\Roaming\*.jse C:\Users\CurrentUserName\AppData\Roaming\*.lnk C:\Users\CurrentUserName\AppData\Roaming\*.pif C:\Users\CurrentUserName\AppData\Roaming\*.ps1 C:\Users\CurrentUserName\AppData\Roaming\*.py C:\Users\CurrentUserName\AppData\Roaming\*.pyc C:\Users\CurrentUserName\AppData\Roaming\*.pyd C:\Users\CurrentUserName\AppData\Roaming\*.scr C:\Users\CurrentUserName\AppData\Roaming\*.tmp C:\Users\CurrentUserName\AppData\Roaming\*.vbe C:\Users\CurrentUserName\AppData\Roaming\*.vbs C:\Users\CurrentUserName\AppData\Roaming\*.wsf C:\Users\CurrentUserName\AppData\Roaming\*.wsh C:\Users\CurrentUserName\AppData\Roaming\*.zip C:\Users\CurrentUserName\AppData\Roaming\*.rar C:\Users\CurrentUserName\AppData\Roaming\*.7z Comment: Force policy removal C:\Windows\System32\GroupPolicyUsers C:\Windows\System32\GroupPolicy Comment: System repair commands CMD: DISM.exe /Online /Cleanup-image /Restorehealth CMD: SFC.exe /scannow Comment: Network reset commands CMD: netsh int ip reset CMD: netsh int ipv6 reset CMD: ipconfig /flushDNS CMD: netsh winsock reset catalog Comment: Additional temp file removal C:\Windows\System32\config\systemprofile\AppData\Local\*.tmp C:\WINDOWS\system32\*.tmp C:\WINDOWS\syswow64\*.tmp C:\Users\CurrentUserName\AppData\Local\Temp\* C:\Windows\Temp\* C:\Windows\SystemTemp\* EmptyTemp: End::