Start
CreateRestorePoint:
CloseProcesses:
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender: Restriction <==== ATTENTION
Task: {8FBEF3F3-738A-4081-9847-E2072EA718E1} - System32\Tasks\RuntimeBrokerService => C:\Users\Winter\AppData\Local\Packages\Microsoft.Windows.PeopleExperienceHost_gw1n1c2fhyeqy\AC\Temp\RuntimeBroker.exe [6288896 2026-05-12] () [File not signed] <==== ATTENTION
Task: {A9195708-88B4-4481-AAD9-F583EA6DE343} - System32\Tasks\WindowsSystemService => C:\Users\Winter\AppData\Local\Microsoft\OfficeBroker\svchost.exe [6288896 2026-05-12] () [File not signed] <==== ATTENTION
HKLM\Software\Microsoft\Active Setup\Installed Components: [{89B4C1CD-B018-4511-B0A1-5476DBF70820}] -> C:\Windows\System32\Rundll32.exe C:\Windows\System32\mscories.dll,Install (No File)
HKLM\Software\Wow6432Node\Microsoft\Active Setup\Installed Components: [{89B4C1CD-B018-4511-B0A1-5476DBF70820}] -> C:\Windows\SysWOW64\Rundll32.exe C:\Windows\SysWOW64\mscories.dll,Install (No File)
Task: {F3E6E7ED-A196-4E44-8803-55FAB3AD4E29} - System32\Tasks\Microsoft\Windows\UpdateOrchestrator\USO_UxBroker => %systemroot%\system32\MusNotification.exe (No File)
2026-05-02 19:32 - 2026-05-02 19:32 - 000000048 ____R C:\Users\Winter\AppData\Local\ACB44F8FE11182494098D036562AC476
2026-05-02 19:32 - 2026-05-02 19:32 - 000000048 ____R () C:\Users\Winter\AppData\Local\ACB44F8FE11182494098D036562AC476
File: C:\Users\Winter\AppData\Local\Packages\Microsoft.Windows.PeopleExperienceHost_gw1n1c2fhyeqy\AC\Temp\RuntimeBroker.exe;C:\Users\Winter\AppData\Local\Microsoft\OfficeBroker\svchost.exe
C:\Users\Winter\AppData\Local\Packages\Microsoft.Windows.PeopleExperienceHost_gw1n1c2fhyeqy\AC\Temp\RuntimeBroker.exe
C:\Users\Winter\AppData\Local\Microsoft\OfficeBroker\svchost.exe
Folder: C:\Users\Winter\AppData\Local\Packages\Microsoft.Windows.PeopleExperienceHost_gw1n1c2fhyeqy
Folder: C:\Users\Winter\AppData\Local\Microsoft\OfficeBroker
Folder: C:\ProgramData\Whesvc
File: C:\ProgramData\Smilegate\LauncherService\LauncherService.exe;C:\ProgramData\Smilegate\LauncherService\crashpad_handler.exe;C:\Users\Winter\AppData\Local\4051BDD0000f042.pyo;C:\Users\Winter\AppData\Local\ACB44F8FE11182494098D036562AC476;C:\Users\Winter\Downloads\bloodstrike_global_1.003.750004.1774234941.exe;C:\Users\Winter\AppData\Roaming\.cache9050425797200915815.dat
2026-05-12 21:17 - 2026-05-12 21:17 - 000003540 _____ C:\Windows\system32\Tasks\RuntimeBrokerService
2026-05-12 21:17 - 2026-05-12 21:17 - 000003352 _____ C:\Windows\system32\Tasks\WindowsSystemService
Shortcut: C:\Users\Public\Desktop\Call of Duty - MWII Campaign.lnk -> D:\Games\Call of Duty - Modern Warfare II\_start_singleplayer.bat (No File)
Shortcut: C:\Users\Public\Desktop\Call of Duty - MWII Multiplayer.lnk -> D:\Games\Call of Duty - Modern Warfare II\_start_multiplayer.bat (No File)
AlternateDataStreams: C:\Users\Winter\Application Data:087af38c42a2e82c16575997b2d7a77b [394]
AlternateDataStreams: C:\Users\Winter\AppData\Roaming:087af38c42a2e82c16575997b2d7a77b [394]
FirewallRules: [TCP Query User{CC924F69-353A-4D39-9228-327F2C39E125}D:\games\call of duty - modern warfare\modernwarfare.exe] => (Allow) D:\games\call of duty - modern warfare\modernwarfare.exe => No File
FirewallRules: [UDP Query User{69167618-B614-48E1-A873-17209CAE93F8}D:\games\call of duty - modern warfare\modernwarfare.exe] => (Allow) D:\games\call of duty - modern warfare\modernwarfare.exe => No File
FirewallRules: [TCP Query User{7147497D-B438-4B5F-AF41-4094B55061B6}D:\games\call of duty - modern warfare ii\cod22-cod.exe] => (Allow) D:\games\call of duty - modern warfare ii\cod22-cod.exe => No File
FirewallRules: [UDP Query User{F0330E9C-E63F-4ECD-B717-679E0AA8393B}D:\games\call of duty - modern warfare ii\cod22-cod.exe] => (Allow) D:\games\call of duty - modern warfare ii\cod22-cod.exe => No File
FirewallRules: [TCP Query User{D7E907EA-F8A5-4799-AA53-78CD2E9A833B}D:\games\call of duty - modern warfare ii\sp22\sp22-cod.exe] => (Allow) D:\games\call of duty - modern warfare ii\sp22\sp22-cod.exe => No File
FirewallRules: [UDP Query User{19F4F257-B338-4CE3-8256-D21D0C2C8EBA}D:\games\call of duty - modern warfare ii\sp22\sp22-cod.exe] => (Allow) D:\games\call of duty - modern warfare ii\sp22\sp22-cod.exe => No File
FirewallRules: [{E6BDF29C-2323-4A57-B55F-D6207E7A65C7}] => (Allow) C:\Program Files\Blackmagic Design\DaVinci Resolve\ElementsPanelDaemon.exe => No File
StartPowershell:
Try {
$Paths=(Get-MpPreference).ExclusionPath
$Extensions=(Get-MpPreference).ExclusionExtension
$Processes=(Get-MpPreference).ExclusionProcess
foreach ($Path in $Paths) {
Remove-MpPreference -ExclusionPath $Path -force -ErrorAction Stop
}
foreach ($Extension in $Extensions) {
Remove-MpPreference -ExclusionExtension $Extension -force -ErrorAction Stop
}
foreach ($Process in $Processes) {
Remove-MpPreference -ExclusionProcess $Process -force -ErrorAction Stop
}
}
Catch {
Write-Error "Error occurred while removing Windows Defender exclusions: $_"
}
EndPowershell:
C:\Windows\Temp\*
C:\Windows\SystemTemp\*
C:\Users\Winter\AppData\Local\Temp*
StartPowerShell:
# Downloads newest AdwCleaner version directly from Malwarebytes, performs an update, scans, cleans and writes the log in console
# Does not clean preinstalled objects, only PUP/Adware
# If you would like to delete preinstalled objects, add an argument /preinstalled to the /clean argument
# If you would like to only scan with it, change the argument from /clean to /scan
New-Item -ItemType Directory -Force -Path "$env:SystemDrive\AdwCleaner" | Out-Null
Invoke-WebRequest -Uri "https://adwcleaner.malwarebytes.com/adwcleaner?channel=release" -OutFile "$env:SystemDrive\AdwCleaner\AdwCleanerFRST.exe" -UseBasicParsing
Start-Process -FilePath "$env:SystemDrive\AdwCleaner\AdwCleanerFRST.exe" -ArgumentList "/eula" -Wait -WindowStyle Hidden
$logFile = "$env:SystemDrive\AdwCleaner\AdwCleanerOutputFRST.txt"
Start-Process -FilePath "$env:SystemDrive\AdwCleaner\AdwCleanerFRST.exe" -ArgumentList "/noreboot /clean" -Wait -WindowStyle Hidden -RedirectStandardOutput $logFile
Get-Content $logFile -Encoding Unicode
Remove-Item -Path $logFile -Force -ErrorAction SilentlyContinue
EndPowerShell:
StartPowershell:
# Replace /scanonly with /clean if you also want to delete items -- however, this will activate a trial license on the system, I do not recommend it
$hmpExe = "$env:TEMP\HitmanPro_x64.exe"
$logFile = "$env:TEMP\HitmanPro_ScanLog.txt"
Invoke-WebRequest -Uri "https://dl.surfright.nl/HitmanPro_x64.exe" -OutFile $hmpExe -UseBasicParsing
$proc = Start-Process $hmpExe -ArgumentList "/ews","/scanonly","/noinstall","/log=`"$logFile`"","/logtype=txt" -Wait -PassThru
if (!(Test-Path $logFile)) { Write-Host "Scan failed (exit $($proc.ExitCode))"; exit 1 }
Get-Content $logFile -Encoding Unicode
EndPowershell:
StartPowerShell:
# This snippet downloads Emsisoft Emergency Kit (EEK) from Emsisoft's official site, updates it and scans with it.
# Do note that the executable is 300MB and may take some time to download.
# ---
# This will scan for malware and PUPs in 1) system memory and 2) important folders, as the documentation says
# It will scan in compressed archives, in mail archives, in NTFS alternate data streams and use cloud requests
# ---
# You can use argument "/delete" to delete found objects including references but this is permanent and irreversible.
# You can remove the "/quick" argument to do a full scan but that may take longer than what FRST can handle.
# You can use argument "/quarantine="[folder]"" to put found malware into quarantine, but I personally prefer first verifying the detections.
$downloadUrl = "https://dl.emsisoft.com/EmsisoftEmergencyKit.exe"
$systemDrive = $env:SystemDrive
$frstPath = "$systemDrive\FRST"
$savePath = "$frstPath\EEK.exe"
$extractPath = "$frstPath\EEK"
if (-not (Test-Path $frstPath)) {
New-Item -Path $frstPath -ItemType Directory -Force | Out-Null
}
if (-not (Test-Path $extractPath)) {
New-Item -Path $extractPath -ItemType Directory -Force | Out-Null
}
Invoke-WebRequest -Uri $downloadUrl -OutFile $savePath -UseBasicParsing
$proc = Start-Process -FilePath $savePath -ArgumentList "-s -d`"$extractPath`"" -PassThru
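# Wait for the extractor to produce a2cmd.exe, but stop waiting after 10 minutes instead of looping forever
$deadline = (Get-Date).AddMinutes(10)
while (-not (Test-Path "$extractPath\bin64\a2cmd.exe") -and (Get-Date) -lt $deadline) { Start-Sleep -Milliseconds 1000 }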
Stop-Process -Id $proc.Id -Force -ErrorAction SilentlyContinue
if ([Environment]::Is64BitOperatingSystem) {
$a2cmdPath = Join-Path $extractPath "bin64\a2cmd.exe"
} else {
$a2cmdPath = Join-Path $extractPath "bin32\a2cmd.exe"
}
Start-Process -FilePath $a2cmdPath -ArgumentList "/update" -Wait -NoNewWindow
Start-Process -FilePath $a2cmdPath -ArgumentList "/malware /quick /m /t /pup /a /am /cloud=1 /la=`"$frstPath\EEK_scan.log`"" -Wait -NoNewWindow
Get-Content "$frstPath\EEK_scan.log"
exit
EndPowerShell:
cmd: del %temp%\*.* /f /s /q
cmd: rd /s /q %temp%
cmd: bitsadmin /reset /allusers
cmd: netsh winsock reset catalog
cmd: ipconfig /flushdns
RemoveProxy:
EmptyTemp:
End
Warning
Executing a Fixlist on the wrong system may permanently damage it. Continue only if this link was meant for you.