Start::
CloseProcesses:
2026-06-22 21:22 - 2026-06-22 21:22 - 000000000 ____D C:\Users\henst\AppData\Roaming\RenPy
CustomCLSID: HKU\S-1-5-21-3019318699-767081853-652952333-1002_Classes\CLSID\{23B3E3D8-C162-4A8B-AB0C-0905DCB1DF19}\InprocServer32 -> C:\Users\henst\AppData\Local\Packages\Microsoft.PowerAutomateDesktop_8wekyb3d8bbwe\TempState\RDP\DVCPlugin\x64\Microsoft.Flow.RPA.Desktop.UIAutomation.RDP.DVC.Plugin.dll => No File
CustomCLSID: HKU\S-1-5-21-3019318699-767081853-652952333-1002_Classes\CLSID\{6a27a1a9-7be8-1491-04ca-ee68a211c258}\localserver32 -> "C:\Program Files\Google\Play Games\current\service\Service.exe" -ToastActivated => No File
ContextMenuHandlers2: [ContextMenu] -> {ee10d625-cc60-30a4-b3df-4b349785be6b} => C:\Program Files (x86)\Avira\Security\Antivirus.ContextMenu\Antivirus.ContextMenu.DLL -> No File
ContextMenuHandlers3: [ContextMenu] -> {ee10d625-cc60-30a4-b3df-4b349785be6b} => C:\Program Files (x86)\Avira\Security\Antivirus.ContextMenu\Antivirus.ContextMenu.DLL -> No File
AlternateDataStreams: C:\WINDOWS\tracing:? [16]
AlternateDataStreams: C:\ProgramData\droidcam-client-options-v2:8329C6407A [3434]
AlternateDataStreams: C:\ProgramData\droidcam-settings:3FFAD04353 [3434]
AlternateDataStreams: C:\ProgramData\mntemp:8EAD8B3507 [3434]
AlternateDataStreams: C:\ProgramData\sldh.dat:136096DD5B [3434]
AlternateDataStreams: C:\ProgramData\sldh.dat:6C454B1267 [3434]
AlternateDataStreams: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Epic Games Launcher.lnk:BE32D07BC5 [3434]
AlternateDataStreams: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Firefox Privater Modus.lnk:83A68E50E4 [3434]
AlternateDataStreams: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Foundry Virtual Tabletop.lnk:93339CDB46 [3434]
AlternateDataStreams: C:\Users\henst\Anwendungsdaten:a4f3a4460331e5db92483d18f7474c91 [394]
AlternateDataStreams: C:\Users\henst\Anwendungsdaten:dfc60eccd110e2e3e8f63f01b8c84f49 [394]
AlternateDataStreams: C:\Users\henst\Desktop\FRST64English.exe:MBAM.Zone.Identifier [225]
AlternateDataStreams: C:\Users\henst\Downloads\Arena groß überarbeitet.jpg:mshield [50]
AlternateDataStreams: C:\Users\henst\Downloads\Arena groß.jpg:mshield [48]
AlternateDataStreams: C:\Users\henst\Downloads\DroidCam.Client.New.7.0.4.exe:mshield [79]
AlternateDataStreams: C:\Users\henst\Downloads\Nibelungen (1).jpg:mshield [100]
AlternateDataStreams: C:\Users\henst\Downloads\Nibelungen (2).jpg:mshield [100]
AlternateDataStreams: C:\Users\henst\Downloads\Nibelungen.jpg:mshield [96]
AlternateDataStreams: C:\Users\henst\Downloads\OperaGXSetup.exe:mshield [66]
AlternateDataStreams: C:\Users\henst\Downloads\SteelSeriesGG52.0.0Setup.exe:mshield [78]
AlternateDataStreams: C:\Users\henst\AppData\Roaming:a4f3a4460331e5db92483d18f7474c91 [394]
AlternateDataStreams: C:\Users\henst\AppData\Roaming:dfc60eccd110e2e3e8f63f01b8c84f49 [394]
FirewallRules: [UDP Query User{90B21FCA-5431-42A6-9B60-41467444446E}E:\games\cw\bin\engine_launcher.exe] => (Block) E:\games\cw\bin\engine_launcher.exe => No File
FirewallRules: [TCP Query User{23E0A0ED-5026-46D3-BA90-E331C5488A19}E:\games\cw\bin\engine_launcher.exe] => (Block) E:\games\cw\bin\engine_launcher.exe => No File
FirewallRules: [{12244C1A-893B-458D-B8D5-6BD5D87210BA}] => (Allow) E:\SteamLibrary\steamapps\common\ELDEN RING\Game\start_protected_game.exe => No File
FirewallRules: [{2942B982-602A-4C9B-89CB-BEC50B32D7E4}] => (Allow) E:\SteamLibrary\steamapps\common\ELDEN RING\Game\start_protected_game.exe => No File
FirewallRules: [{0CE3418D-7240-4D9C-BE79-5EB4E67E529B}] => (Allow) E:\SteamLibrary\steamapps\common\Buckshot Roulette\Buckshot Roulette_windows\Buckshot Roulette.exe => No File
FirewallRules: [{B2944EE1-10DF-456B-A723-209DBD3B0856}] => (Allow) E:\SteamLibrary\steamapps\common\Buckshot Roulette\Buckshot Roulette_windows\Buckshot Roulette.exe => No File
FirewallRules: [{BEFE5BC7-D371-471A-9BED-AD21795FECDA}] => (Allow) E:\SteamLibrary\steamapps\common\Deadlock\game\bin\win64\project8.exe => No File
FirewallRules: [{BBC164D6-DB6F-4D26-8B01-D5647AB4D566}] => (Allow) E:\SteamLibrary\steamapps\common\Deadlock\game\bin\win64\project8.exe => No File
FirewallRules: [{9AD93BC3-13CE-4A70-9FFF-827E42F54671}] => (Allow) E:\SteamLibrary\steamapps\common\Tom Clancy's Rainbow Six Siege\RainbowSix_Vulkan.exe => No File
FirewallRules: [{6910DEAC-E023-40B1-8FB2-40607E8AA52B}] => (Allow) E:\SteamLibrary\steamapps\common\Tom Clancy's Rainbow Six Siege\RainbowSix_Vulkan.exe => No File
FirewallRules: [UDP Query User{1254C7AA-9554-4E06-9F34-BAAEC2EB3821}E:\steamlibrary\steamapps\common\paladins\binaries\win64\paladins.exe] => (Allow) E:\steamlibrary\steamapps\common\paladins\binaries\win64\paladins.exe => No File
FirewallRules: [TCP Query User{4CF6125A-2C1B-45F4-9BD3-E21F25D4CF0E}E:\steamlibrary\steamapps\common\paladins\binaries\win64\paladins.exe] => (Allow) E:\steamlibrary\steamapps\common\paladins\binaries\win64\paladins.exe => No File
FirewallRules: [{F5109047-FC6C-4C33-BAB2-0331B1D9AD5E}] => (Allow) E:\SteamLibrary\steamapps\common\SnowRunner\Sources\Bin\SnowRunner.exe => No File
FirewallRules: [{DD1DC794-E094-4316-B774-B4384F12D153}] => (Allow) E:\SteamLibrary\steamapps\common\SnowRunner\Sources\Bin\SnowRunner.exe => No File
FirewallRules: [UDP Query User{822C0E77-8398-41CB-A95E-6F44E24F69D7}E:\steamlibrary\steamapps\common\remnant2\remnant2\binaries\win64\remnant2-win64-shipping.exe] => (Allow) E:\steamlibrary\steamapps\common\remnant2\remnant2\binaries\win64\remnant2-win64-shipping.exe => No File
FirewallRules: [TCP Query User{9551EAA9-5409-4BDF-B52D-52A75463ADFB}E:\steamlibrary\steamapps\common\remnant2\remnant2\binaries\win64\remnant2-win64-shipping.exe] => (Allow) E:\steamlibrary\steamapps\common\remnant2\remnant2\binaries\win64\remnant2-win64-shipping.exe => No File
FirewallRules: [{8bad63c8-a8be-4925-8154-5f03ee36a175}] => (Allow) D:\LDPlayer\LDPlayer9\dnplayer.exe => No File
FirewallRules: [{5dd5d88f-e120-4aba-a7d1-42c2638b477d}] => (Allow) C:\Program Files\ldplayer9box\VBoxNetNAT.exe => No File
FirewallRules: [{33ebe0ec-6b0b-4eda-85c9-7f544cf52fc4}] => (Allow) C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe => No File
FirewallRules: [{90E5C588-814E-498B-A6D4-F04A87D33F61}] => (Allow) D:\Steam\bin\cef\cef.win7x64\steamwebhelper.exe => No File
FirewallRules: [{A299FC7E-216A-4A9D-90E8-9D19B8429D8F}] => (Allow) D:\Steam\bin\cef\cef.win7x64\steamwebhelper.exe => No File
FirewallRules: [TCP Query User{40A7F0F3-920E-46B7-A2CF-4920A61F7C7B}E:\heroes of the storm\versions\base93810\heroesofthestorm_x64.exe] => (Allow) E:\heroes of the storm\versions\base93810\heroesofthestorm_x64.exe => No File
FirewallRules: [UDP Query User{DC5DAFE0-2361-4606-AF73-C114449083AA}E:\heroes of the storm\versions\base93810\heroesofthestorm_x64.exe] => (Allow) E:\heroes of the storm\versions\base93810\heroesofthestorm_x64.exe => No File
FirewallRules: [TCP Query User{257480E5-63EE-4A64-B815-6BFD07F725CE}E:\steamlibrary\steamapps\common\railroads online\arr\binaries\win64\arr-win64-shipping.exe] => (Allow) E:\steamlibrary\steamapps\common\railroads online\arr\binaries\win64\arr-win64-shipping.exe => No File
FirewallRules: [UDP Query User{6C252653-B0B7-47CC-800E-E3152B26A4F9}E:\steamlibrary\steamapps\common\railroads online\arr\binaries\win64\arr-win64-shipping.exe] => (Allow) E:\steamlibrary\steamapps\common\railroads online\arr\binaries\win64\arr-win64-shipping.exe => No File
FirewallRules: [TCP Query User{063CCF5F-4997-427C-9DA3-410A12D26287}E:\steamlibrary\steamapps\common\trainfort playtest\dwarfstrainfort\binaries\win64\dwarfstrainfort.exe] => (Allow) E:\steamlibrary\steamapps\common\trainfort playtest\dwarfstrainfort\binaries\win64\dwarfstrainfort.exe => No File
FirewallRules: [UDP Query User{CC90A86D-D34D-4647-9870-A73ED1FDA460}E:\steamlibrary\steamapps\common\trainfort playtest\dwarfstrainfort\binaries\win64\dwarfstrainfort.exe] => (Allow) E:\steamlibrary\steamapps\common\trainfort playtest\dwarfstrainfort\binaries\win64\dwarfstrainfort.exe => No File
FirewallRules: [TCP Query User{1A1E4A65-9717-46E2-AAB4-49E4E66F7E0A}E:\steamlibrary\steamapps\common\glacier events\bf6event.exe] => (Allow) E:\steamlibrary\steamapps\common\glacier events\bf6event.exe => No File
FirewallRules: [UDP Query User{20C2A56B-ACDF-4096-A88B-B8FB6C39A5B5}E:\steamlibrary\steamapps\common\glacier events\bf6event.exe] => (Allow) E:\steamlibrary\steamapps\common\glacier events\bf6event.exe => No File
FirewallRules: [TCP Query User{283DE3E6-7BC8-4BE5-B065-5CC3D7A1CA62}E:\steamlibrary\steamapps\common\battlefield 4\bf4.exe] => (Allow) E:\steamlibrary\steamapps\common\battlefield 4\bf4.exe => No File
FirewallRules: [UDP Query User{E3345045-E2B1-4539-B030-097979982034}E:\steamlibrary\steamapps\common\battlefield 4\bf4.exe] => (Allow) E:\steamlibrary\steamapps\common\battlefield 4\bf4.exe => No File
FirewallRules: [TCP Query User{893C0F8F-E0F3-4887-B205-42CAF9DDFFD6}C:\program files (x86)\java\jre1.8.0_461\bin\jp2launcher.exe] => (Allow) C:\program files (x86)\java\jre1.8.0_461\bin\jp2launcher.exe => No File
FirewallRules: [UDP Query User{FA5D791F-906E-4170-91E9-FAD393351997}C:\program files (x86)\java\jre1.8.0_461\bin\jp2launcher.exe] => (Allow) C:\program files (x86)\java\jre1.8.0_461\bin\jp2launcher.exe => No File
FirewallRules: [TCP Query User{D546477D-2111-4DA0-923F-3093C0F33D8E}E:\steamlibrary\steamapps\common\stellaris\stellaris.exe] => (Allow) E:\steamlibrary\steamapps\common\stellaris\stellaris.exe => No File
FirewallRules: [UDP Query User{C8A5D16B-2720-4116-9EE7-30D1CEBA89FF}E:\steamlibrary\steamapps\common\stellaris\stellaris.exe] => (Allow) E:\steamlibrary\steamapps\common\stellaris\stellaris.exe => No File
FirewallRules: [{B0D6858F-FD05-4E07-AAE3-5499A7208562}] => (Allow) E:\SteamLibrary\steamapps\common\Blue Protocol Star Resonance\bpsr\BPSR_STEAM.exe => No File
FirewallRules: [{E59E5A0E-C24B-4953-826C-8A49EA790D9B}] => (Allow) E:\SteamLibrary\steamapps\common\Blue Protocol Star Resonance\bpsr\BPSR_STEAM.exe => No File
FirewallRules: [TCP Query User{2A28E435-4A6A-4C14-B976-A845D3500CA5}E:\steamlibrary\steamapps\common\in the black demo\intheblack\binaries\win64\intheblack-win64-shipping.exe] => (Allow) E:\steamlibrary\steamapps\common\in the black demo\intheblack\binaries\win64\intheblack-win64-shipping.exe => No File
FirewallRules: [UDP Query User{3B83FFB5-56F0-4F8A-B180-86A193FC19B2}E:\steamlibrary\steamapps\common\in the black demo\intheblack\binaries\win64\intheblack-win64-shipping.exe] => (Allow) E:\steamlibrary\steamapps\common\in the black demo\intheblack\binaries\win64\intheblack-win64-shipping.exe => No File
FirewallRules: [TCP Query User{0370CEA8-B7AA-4642-94C0-39C7AA5A071B}E:\steamlibrary\steamapps\common\steel ark demo\thelaststation\binaries\win64\thelaststation-win64-shipping.exe] => (Allow) E:\steamlibrary\steamapps\common\steel ark demo\thelaststation\binaries\win64\thelaststation-win64-shipping.exe => No File
FirewallRules: [UDP Query User{84E5A252-340D-45A0-B643-4191641EF993}E:\steamlibrary\steamapps\common\steel ark demo\thelaststation\binaries\win64\thelaststation-win64-shipping.exe] => (Allow) E:\steamlibrary\steamapps\common\steel ark demo\thelaststation\binaries\win64\thelaststation-win64-shipping.exe => No File
FirewallRules: [TCP Query User{4FF992CD-BB97-469F-B888-5630B7F7E5A6}C:\program files (x86)\java\jre1.8.0_471\bin\jp2launcher.exe] => (Allow) C:\program files (x86)\java\jre1.8.0_471\bin\jp2launcher.exe => No File
FirewallRules: [UDP Query User{CF3D9F80-B703-4DF3-8C5E-A053D0AF5791}C:\program files (x86)\java\jre1.8.0_471\bin\jp2launcher.exe] => (Allow) C:\program files (x86)\java\jre1.8.0_471\bin\jp2launcher.exe => No File
FirewallRules: [TCP Query User{783F401C-5104-4BEA-BF11-4068AE26878E}C:\program files (x86)\java\jre1.8.0_471\bin\javaw.exe] => (Allow) C:\program files (x86)\java\jre1.8.0_471\bin\javaw.exe => No File
FirewallRules: [UDP Query User{B83B24D9-BFB7-4D41-9F1D-F1E3FD4CFE9A}C:\program files (x86)\java\jre1.8.0_471\bin\javaw.exe] => (Allow) C:\program files (x86)\java\jre1.8.0_471\bin\javaw.exe => No File
FirewallRules: [TCP Query User{BF213169-42A9-462E-B22D-5938A97A554D}E:\steamlibrary\steamapps\common\arc raiders\pioneergame\binaries\win64\pioneergame.exe] => (Allow) E:\steamlibrary\steamapps\common\arc raiders\pioneergame\binaries\win64\pioneergame.exe => No File
FirewallRules: [UDP Query User{405FFB83-F65A-4FB8-A834-99B94E2295F0}E:\steamlibrary\steamapps\common\arc raiders\pioneergame\binaries\win64\pioneergame.exe] => (Allow) E:\steamlibrary\steamapps\common\arc raiders\pioneergame\binaries\win64\pioneergame.exe => No File
FirewallRules: [TCP Query User{65FB84B0-6E9D-46D8-98C6-34D19A5F43E7}C:\program files (x86)\java\jre1.8.0_481\bin\jp2launcher.exe] => (Allow) C:\program files (x86)\java\jre1.8.0_481\bin\jp2launcher.exe => No File
FirewallRules: [UDP Query User{E6CEA04D-2D6D-4774-88A6-7DFD2790821B}C:\program files (x86)\java\jre1.8.0_481\bin\jp2launcher.exe] => (Allow) C:\program files (x86)\java\jre1.8.0_481\bin\jp2launcher.exe => No File
FirewallRules: [TCP Query User{12513557-E56F-4D95-92B0-B08155489485}E:\overwatch\_retail_\overwatch.exe] => (Allow) E:\overwatch\_retail_\overwatch.exe => No File
FirewallRules: [UDP Query User{4E0F4616-62CE-4E99-A412-E9B464B88DAC}E:\overwatch\_retail_\overwatch.exe] => (Allow) E:\overwatch\_retail_\overwatch.exe => No File
FirewallRules: [TCP Query User{91CC79B4-D7F3-4DCE-9F9C-53797A0458D7}E:\steamlibrary\steamapps\common\deep rock galactic rogue core playtest\roguecore\binaries\win64\roguecore-win64-shipping.exe] => (Allow) E:\steamlibrary\steamapps\common\deep rock galactic rogue core playtest\roguecore\binaries\win64\roguecore-win64-shipping.exe => No File
FirewallRules: [UDP Query User{2516558C-36D4-4D87-81D3-3BD3527261A8}E:\steamlibrary\steamapps\common\deep rock galactic rogue core playtest\roguecore\binaries\win64\roguecore-win64-shipping.exe] => (Allow) E:\steamlibrary\steamapps\common\deep rock galactic rogue core playtest\roguecore\binaries\win64\roguecore-win64-shipping.exe => No File
FirewallRules: [TCP Query User{FF9FD4AD-52E3-474C-A624-CBBC96471E18}E:\steamlibrary\steamapps\common\frostrail playtest\frostrail\binaries\win64\frostrail-win64-shipping.exe] => (Allow) E:\steamlibrary\steamapps\common\frostrail playtest\frostrail\binaries\win64\frostrail-win64-shipping.exe => No File
FirewallRules: [UDP Query User{18F185E5-05AA-47BC-86EC-3026D93C297C}E:\steamlibrary\steamapps\common\frostrail playtest\frostrail\binaries\win64\frostrail-win64-shipping.exe] => (Allow) E:\steamlibrary\steamapps\common\frostrail playtest\frostrail\binaries\win64\frostrail-win64-shipping.exe => No File
FirewallRules: [{0F832A6F-FF8A-498A-8564-4917FA65A1C5}] => (Allow) E:\SteamLibrary\steamapps\common\Albion Online\launcher\AlbionLauncher.exe => No File
FirewallRules: [{B15342F4-D915-4CED-97A0-076DFD337B67}] => (Allow) E:\SteamLibrary\steamapps\common\Albion Online\launcher\AlbionLauncher.exe => No File
FirewallRules: [TCP Query User{66C91195-08B5-4DAA-AB69-0D276C29751A}C:\users\henst\appdata\local\discord\app-1.0.9239\discord.exe] => (Block) C:\users\henst\appdata\local\discord\app-1.0.9239\discord.exe => No File
FirewallRules: [UDP Query User{8A19F78C-50EF-4354-B408-277B219868E1}C:\users\henst\appdata\local\discord\app-1.0.9239\discord.exe] => (Block) C:\users\henst\appdata\local\discord\app-1.0.9239\discord.exe => No File
HKLM-x32\...\Run: [Avira Security startup helper] => "C:\Program Files (x86)\Avira\Security\Avira.Spotlight.Service.Worker.exe" DelayedStartup (No File)
HKLM-x32\...\Run: [Arc] => [X]
Task: {9941002B-5B70-4220-931E-7874E5CC1158} - System32\Tasks\Avira\System Speedup\SecurityTestScheduler => "C:\Program Files (x86)\Avira\Security\Avira.Spotlight.Service.Worker.exe" SchedulerTest (No File)
Task: {077BA067-7C15-40F0-B22E-C9DC2A54B4A2} - System32\Tasks\Microsoft\Windows\Location\Notifications => %windir%\System32\LocationNotificationWindows.exe (No File)
Task: {F3E6E7ED-A196-4E44-8803-55FAB3AD4E29} - System32\Tasks\Microsoft\Windows\UpdateOrchestrator\USO_UxBroker => %systemroot%\system32\MusNotification.exe (No File)
S3 EAAntiCheat; system32\drivers\eaanticheat.sys (No File)
S3 mshield; \??\C:\Program Files\NordVPN\NordSec ThreatProtection\1.35.57.3\mshield.sys (No File)
S3 travis; \??\C:\Program Files\NordVPN\NordSec ThreatProtection\1.35.57.3\travis.sys (No File)
2024-01-05 20:07 - 2024-01-05 20:07 - 000000024 _____ () C:\Users\henst\AppData\Roaming\C23W6Vk43XTwu662.dat
2024-01-05 20:07 - 2024-01-05 20:07 - 000000024 _____ () C:\Users\henst\AppData\Local\111111680
GroupPolicy-Firefox: Restriction <==== ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Edge: Restriction <==== ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <==== ATTENTION
CHR StartupUrls: Default -> "hxxp://en.4yendex.com/?utm_source=sdks&utm_medium=uk02&utm_campaign=2d6540abe0f7a85a10ba8339ea094b15"
2025-11-23 01:32 - 2025-11-23 01:39 - 000001293 _____ () C:\Users\henst\AppData\Local\Temp1.html
2025-11-23 01:39 - 2025-11-23 01:39 - 000010065 _____ () C:\Users\henst\AppData\Local\Temp29.html
2024-05-22 17:15 - 2024-09-30 18:41 - 000000000 _____ () C:\ProgramData\sldh.dat
Folder: C:\Users\henst\AppData\Roaming\shadPS4
Folder: C:\Users\henst\AppData\Roaming\shadPS4QtLauncher
Folder: C:\Users\henst\AppData\Roaming\PKGInstallS3
Edge StartupUrls: Default -> "hxxp://en.4yendex.com/?utm_source=sdks&utm_medium=en01&utm_campaign=2d6540abe0f7a85a10ba8339ea094b15"
StartPowershell:
# Replace /scanonly with /clean if you also want to delete items; however, this will activate a trial license on the system, so I do not recommend it
$hmpExe = "$env:TEMP\HitmanPro_x64.exe"
$logFile = "$env:TEMP\HitmanPro_ScanLog.txt"
Invoke-WebRequest -Uri "https://dl.surfright.nl/HitmanPro_x64.exe" -OutFile $hmpExe -UseBasicParsing
$proc = Start-Process $hmpExe -ArgumentList "/ews","/scanonly","/noinstall","/log=`"$logFile`"","/logtype=txt" -Wait -PassThru
if (!(Test-Path $logFile)) { Write-Host "Scan failed (exit $($proc.ExitCode))"; exit 1 }
Get-Content $logFile -Encoding Unicode
EndPowershell:
StartPowerShell:
# Downloads the newest AdwCleaner version directly from Malwarebytes, performs an update, scans, cleans and writes the log to the console
# Does not clean preinstalled objects, only PUP/Adware
# If you would like to delete preinstalled objects, add the argument /preinstalled after the /clean argument
# If you would like to only scan with it, change the argument from /clean to /scan
# NOTE: For the sake of users from Asia (primarily China), do not use the clean option. It will very likely remove a lot of their important software.
New-Item -ItemType Directory -Force -Path "$env:SystemDrive\AdwCleaner" | Out-Null
Invoke-WebRequest -Uri "https://adwcleaner.malwarebytes.com/adwcleaner?channel=release" -OutFile "$env:SystemDrive\AdwCleaner\AdwCleanerFRST.exe"
Start-Process -FilePath "$env:SystemDrive\AdwCleaner\AdwCleanerFRST.exe" -ArgumentList "/eula" -Wait -WindowStyle Hidden
$logFile = "$env:SystemDrive\AdwCleaner\AdwCleanerOutputFRST.txt"
Start-Process -FilePath "$env:SystemDrive\AdwCleaner\AdwCleanerFRST.exe" -ArgumentList "/noreboot /clean" -Wait -WindowStyle Hidden -RedirectStandardOutput $logFile
Get-Content $logFile -Encoding Unicode
Remove-Item -Path $logFile -Force -ErrorAction SilentlyContinue
EndPowerShell:
Comment: Verify that Discord does not have any injected code to intercept personal data. If anything is prompted here, it needs to be checked that it isn't malicious code.
Powershell: @("$env:APPDATA","$env:LOCALAPPDATA") | ForEach-Object { Get-ChildItem $_ -Recurse -Filter "index.js" -ErrorAction SilentlyContinue } | Where-Object { $_.FullName -match "discord_desktop_core" } | ForEach-Object { $content = Get-Content $_.FullName -Raw; Write-Host "--- $($_.FullName) ---"; $content.Substring(0,[Math]::Min(2000,$content.Length)) }
Comment: Remove unwanted files from common folders using Farbar's native removal capability, including removal on reboot if needed. Please double-check that the user does not have any applications incorrectly installed in the directories listed below.
C:\ProgramData\*.a3x
C:\ProgramData\*.ahk
C:\ProgramData\*.au3
C:\ProgramData\*.bat
C:\ProgramData\*.cab
C:\ProgramData\*.cmd
C:\ProgramData\*.com
C:\ProgramData\*.dll
C:\ProgramData\*.exe
C:\ProgramData\*.hta
C:\ProgramData\*.jar
C:\ProgramData\*.js
C:\ProgramData\*.jse
C:\ProgramData\*.lnk
C:\ProgramData\*.pif
C:\ProgramData\*.ps1
C:\ProgramData\*.py
C:\ProgramData\*.pyc
C:\ProgramData\*.pyd
C:\ProgramData\*.scr
C:\ProgramData\*.tmp
C:\ProgramData\*.vbe
C:\ProgramData\*.vbs
C:\ProgramData\*.wsf
C:\ProgramData\*.wsh
C:\ProgramData\*.zip
C:\ProgramData\*.rar
C:\ProgramData\*.7z
C:\Users\*\AppData\Roaming\*.au3
C:\Users\*\AppData\Roaming\*.bat
C:\Users\*\AppData\Roaming\*.cab
C:\Users\*\AppData\Roaming\*.cmd
C:\Users\*\AppData\Roaming\*.com
C:\Users\*\AppData\Roaming\*.dll
C:\Users\*\AppData\Roaming\*.exe
C:\Users\*\AppData\Roaming\*.hta
C:\Users\*\AppData\Roaming\*.jar
C:\Users\*\AppData\Roaming\*.js
C:\Users\*\AppData\Roaming\*.jse
C:\Users\*\AppData\Roaming\*.lnk
C:\Users\*\AppData\Roaming\*.pif
C:\Users\*\AppData\Roaming\*.ps1
C:\Users\*\AppData\Roaming\*.py
C:\Users\*\AppData\Roaming\*.pyc
C:\Users\*\AppData\Roaming\*.pyd
C:\Users\*\AppData\Roaming\*.scr
C:\Users\*\AppData\Roaming\*.tmp
C:\Users\*\AppData\Roaming\*.vbe
C:\Users\*\AppData\Roaming\*.vbs
C:\Users\*\AppData\Roaming\*.wsf
C:\Users\*\AppData\Roaming\*.wsh
C:\Users\*\AppData\Roaming\*.zip
C:\Users\*\AppData\Roaming\*.rar
C:\Users\*\AppData\Roaming\*.7z
C:\Users\CurrentUserName\AppData\Local\*.a3x
C:\Users\CurrentUserName\AppData\Local\*.ahk
C:\Users\CurrentUserName\AppData\Local\*.au3
C:\Users\CurrentUserName\AppData\Local\*.bat
C:\Users\CurrentUserName\AppData\Local\*.cab
C:\Users\CurrentUserName\AppData\Local\*.cmd
C:\Users\CurrentUserName\AppData\Local\*.com
C:\Users\CurrentUserName\AppData\Local\*.dll
C:\Users\CurrentUserName\AppData\Local\*.exe
C:\Users\CurrentUserName\AppData\Local\*.hta
C:\Users\CurrentUserName\AppData\Local\*.jar
C:\Users\CurrentUserName\AppData\Local\*.js
C:\Users\CurrentUserName\AppData\Local\*.jse
C:\Users\CurrentUserName\AppData\Local\*.lnk
C:\Users\CurrentUserName\AppData\Local\*.pif
C:\Users\CurrentUserName\AppData\Local\*.ps1
C:\Users\CurrentUserName\AppData\Local\*.py
C:\Users\CurrentUserName\AppData\Local\*.pyc
C:\Users\CurrentUserName\AppData\Local\*.pyd
C:\Users\CurrentUserName\AppData\Local\*.scr
C:\Users\CurrentUserName\AppData\Local\*.tmp
C:\Users\CurrentUserName\AppData\Local\*.vbe
C:\Users\CurrentUserName\AppData\Local\*.vbs
C:\Users\CurrentUserName\AppData\Local\*.wsf
C:\Users\CurrentUserName\AppData\Local\*.wsh
C:\Users\CurrentUserName\AppData\Local\*.zip
C:\Users\CurrentUserName\AppData\Local\*.rar
C:\Users\CurrentUserName\AppData\Local\*.7z
C:\Users\CurrentUserName\AppData\Roaming\*.a3x
C:\Users\CurrentUserName\AppData\Roaming\*.ahk
C:\Users\CurrentUserName\AppData\Roaming\*.au3
C:\Users\CurrentUserName\AppData\Roaming\*.bat
C:\Users\CurrentUserName\AppData\Roaming\*.cab
C:\Users\CurrentUserName\AppData\Roaming\*.cmd
C:\Users\CurrentUserName\AppData\Roaming\*.com
C:\Users\CurrentUserName\AppData\Roaming\*.dll
C:\Users\CurrentUserName\AppData\Roaming\*.exe
C:\Users\CurrentUserName\AppData\Roaming\*.hta
C:\Users\CurrentUserName\AppData\Roaming\*.jar
C:\Users\CurrentUserName\AppData\Roaming\*.js
C:\Users\CurrentUserName\AppData\Roaming\*.jse
C:\Users\CurrentUserName\AppData\Roaming\*.lnk
C:\Users\CurrentUserName\AppData\Roaming\*.pif
C:\Users\CurrentUserName\AppData\Roaming\*.ps1
C:\Users\CurrentUserName\AppData\Roaming\*.py
C:\Users\CurrentUserName\AppData\Roaming\*.pyc
C:\Users\CurrentUserName\AppData\Roaming\*.pyd
C:\Users\CurrentUserName\AppData\Roaming\*.scr
C:\Users\CurrentUserName\AppData\Roaming\*.tmp
C:\Users\CurrentUserName\AppData\Roaming\*.vbe
C:\Users\CurrentUserName\AppData\Roaming\*.vbs
C:\Users\CurrentUserName\AppData\Roaming\*.wsf
C:\Users\CurrentUserName\AppData\Roaming\*.wsh
C:\Users\CurrentUserName\AppData\Roaming\*.zip
C:\Users\CurrentUserName\AppData\Roaming\*.rar
C:\Users\CurrentUserName\AppData\Roaming\*.7z
Comment: Force policy removal
C:\Windows\System32\GroupPolicyUsers
C:\Windows\System32\GroupPolicy
Comment: System repair commands
CMD: DISM.exe /Online /Cleanup-image /Restorehealth
CMD: SFC.exe /scannow
Comment: Network reset commands
CMD: netsh int ip reset
CMD: netsh int ipv6 reset
CMD: ipconfig /flushDNS
CMD: netsh winsock reset catalog
Comment: Additional temp file removal
C:\Windows\System32\config\systemprofile\AppData\Local\*.tmp
C:\WINDOWS\system32\*.tmp
C:\WINDOWS\syswow64\*.tmp
C:\Users\CurrentUserName\AppData\Local\Temp\*
C:\Windows\Temp\*
C:\Windows\SystemTemp\*
EmptyTemp:
End::