Start::
CreateRestorePoint:
CloseProcesses:
CustomCLSID: HKU\S-1-5-21-2668376529-3493610534-1459732639-1001_Classes\CLSID\{50726f74-6f6e-2e56-504e-000000000000}\localserver32 -> "C:\Program Files\Proton\VPN\v3.3.2\ProtonVPN.exe" -ToastActivated => No File
AlternateDataStreams: C:\ProgramData\DP45977C.lfl:677104FCAA [3442]
AlternateDataStreams: C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini:B1DA6C571C [3442]
AlternateDataStreams: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Epic Games Launcher.lnk:BE32D07BC5 [3442]
AlternateDataStreams: C:\Users\Public\Shared Files:VersionCache [9808]
FirewallRules: [{E11B5D32-7B1F-4BFC-823E-2BC8CE5B3C6F}] => (Allow) C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe => No File
FirewallRules: [{3F25DA88-E1E0-4CD8-AABC-7FF5BC98FACF}] => (Allow) C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe => No File
FirewallRules: [{8B7DC141-DB61-478E-B192-86F2B3CA490A}] => (Allow) F:\SteamLibrary\steamapps\common\DarkestDungeon\_windows\Darkest.exe => No File
FirewallRules: [{458A14C3-4CE6-4D98-9EE0-6F5120173688}] => (Allow) F:\SteamLibrary\steamapps\common\DarkestDungeon\_windows\Darkest.exe => No File
FirewallRules: [TCP Query User{21E4F37D-2B81-4E01-8A6B-29C1AA2253B7}C:\users\gamer\appdata\local\discord\app-1.0.9155\discord.exe] => (Allow) C:\users\gamer\appdata\local\discord\app-1.0.9155\discord.exe => No File
FirewallRules: [UDP Query User{0CB642C3-3524-4CAB-8402-ABE05979CC7A}C:\users\gamer\appdata\local\discord\app-1.0.9155\discord.exe] => (Allow) C:\users\gamer\appdata\local\discord\app-1.0.9155\discord.exe => No File
FirewallRules: [TCP Query User{954ACC3A-9FB9-45AF-8C7A-30EBF5D91010}F:\steamlibrary\steamapps\common\batman arkham asylum goty\binaries\shippingpc-bmgame.exe] => (Allow) F:\steamlibrary\steamapps\common\batman arkham asylum goty\binaries\shippingpc-bmgame.exe => No File
FirewallRules: [UDP Query User{02684DE3-0004-4010-9B2C-40029065D07C}F:\steamlibrary\steamapps\common\batman arkham asylum goty\binaries\shippingpc-bmgame.exe] => (Allow) F:\steamlibrary\steamapps\common\batman arkham asylum goty\binaries\shippingpc-bmgame.exe => No File
FirewallRules: [TCP Query User{07552AB7-D43F-4B54-B82A-A16F81207D64}C:\riot games\riot client\riotclientelectron\riot client.exe] => (Allow) C:\riot games\riot client\riotclientelectron\riot client.exe => No File
FirewallRules: [UDP Query User{ECCA6494-AE00-4F5A-856B-FBFFAF671672}C:\riot games\riot client\riotclientelectron\riot client.exe] => (Allow) C:\riot games\riot client\riotclientelectron\riot client.exe => No File
FirewallRules: [TCP Query User{8F7D2C7C-196D-41E4-A7E7-DE1F8E81BBD3}F:\steamlibrary\steamapps\common\cyberpunk 2077\bin\x64\cyberpunk2077.exe] => (Allow) F:\steamlibrary\steamapps\common\cyberpunk 2077\bin\x64\cyberpunk2077.exe => No File
FirewallRules: [UDP Query User{CE699A88-BB64-4318-84AB-F660D5D5AF87}F:\steamlibrary\steamapps\common\cyberpunk 2077\bin\x64\cyberpunk2077.exe] => (Allow) F:\steamlibrary\steamapps\common\cyberpunk 2077\bin\x64\cyberpunk2077.exe => No File
FirewallRules: [TCP Query User{7489268F-AC02-4E89-9246-49F453DD8A37}C:\program files\epic games\fortnite\fortnitegame\binaries\win64\fortniteclient-win64-shipping.exe] => (Allow) C:\program files\epic games\fortnite\fortnitegame\binaries\win64\fortniteclient-win64-shipping.exe => No File
FirewallRules: [UDP Query User{90FDB987-4485-48B4-B60C-A81365350B88}C:\program files\epic games\fortnite\fortnitegame\binaries\win64\fortniteclient-win64-shipping.exe] => (Allow) C:\program files\epic games\fortnite\fortnitegame\binaries\win64\fortniteclient-win64-shipping.exe => No File
FirewallRules: [{B68DD88C-EDF9-4878-8E67-45BE3C98B610}] => (Allow) F:\SteamLibrary\steamapps\common\BioShock Remastered\2KLauncher\LauncherPatcher.exe => No File
FirewallRules: [{4590AF80-24C6-4B29-B963-0129861529BE}] => (Allow) F:\SteamLibrary\steamapps\common\BioShock Remastered\2KLauncher\LauncherPatcher.exe => No File
FirewallRules: [{501025DD-D3DC-4B33-BF4A-8FE09A06315F}] => (Allow) F:\SteamLibrary\steamapps\common\Dragon Age Ultimate Edition\bin_ship\DAUpdaterSvc.Service.exe => No File
FirewallRules: [{5AC2D838-3DFA-4D2E-B0CA-3FCA63D6FC38}] => (Allow) F:\SteamLibrary\steamapps\common\Dragon Age Ultimate Edition\bin_ship\DAUpdaterSvc.Service.exe => No File
FirewallRules: [TCP Query User{B933F13F-9124-4D22-89C7-BCB1625DAF37}F:\overwatch\_retail_\overwatch.exe] => (Allow) F:\overwatch\_retail_\overwatch.exe => No File
FirewallRules: [UDP Query User{7A7788C7-6E74-4448-B3CD-9D257BDD7C3E}F:\overwatch\_retail_\overwatch.exe] => (Allow) F:\overwatch\_retail_\overwatch.exe => No File
FirewallRules: [TCP Query User{0A4F0D7E-3D22-4F04-AD98-246966373C5A}F:\steamlibrary\steamapps\common\vrising\vrising_server\vrisingserver.exe] => (Allow) F:\steamlibrary\steamapps\common\vrising\vrising_server\vrisingserver.exe => No File
FirewallRules: [UDP Query User{400B1F39-6371-46E0-BE4B-46E1417698A8}F:\steamlibrary\steamapps\common\vrising\vrising_server\vrisingserver.exe] => (Allow) F:\steamlibrary\steamapps\common\vrising\vrising_server\vrisingserver.exe => No File
FirewallRules: [{B09401FB-D6F9-44A3-8D4E-31F0382CA262}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Factorio Demo\bin\x64\factorio.exe => No File
FirewallRules: [{8129373A-DF21-4ABC-B1C1-2833ECB3C9FB}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Factorio Demo\bin\x64\factorio.exe => No File
FirewallRules: [TCP Query User{E0B2100B-C2E5-4755-9A3B-76AD2927005D}F:\steamlibrary\steamapps\common\baldurs gate 3\bin\bg3_dx11.exe] => (Allow) F:\steamlibrary\steamapps\common\baldurs gate 3\bin\bg3_dx11.exe => No File
FirewallRules: [UDP Query User{6572BE7D-504B-4FB4-9CE5-48E05520268A}F:\steamlibrary\steamapps\common\baldurs gate 3\bin\bg3_dx11.exe] => (Allow) F:\steamlibrary\steamapps\common\baldurs gate 3\bin\bg3_dx11.exe => No File
FirewallRules: [TCP Query User{81B07748-C09C-475D-9417-B529DA66BE73}F:\steamlibrary\steamapps\common\remnant\remnant\binaries\win64\remnant-win64-shipping.exe] => (Allow) F:\steamlibrary\steamapps\common\remnant\remnant\binaries\win64\remnant-win64-shipping.exe => No File
FirewallRules: [UDP Query User{AFB52C8C-A86A-4860-911E-B7D1D635C793}F:\steamlibrary\steamapps\common\remnant\remnant\binaries\win64\remnant-win64-shipping.exe] => (Allow) F:\steamlibrary\steamapps\common\remnant\remnant\binaries\win64\remnant-win64-shipping.exe => No File
FirewallRules: [TCP Query User{B101EE80-4F59-4A5F-81A3-501B69702B40}F:\steamlibrary\steamapps\common\mass effect andromeda\masseffectandromeda.exe] => (Allow) F:\steamlibrary\steamapps\common\mass effect andromeda\masseffectandromeda.exe => No File
FirewallRules: [UDP Query User{6B7976C5-A13C-4582-B0DF-F6227E70A4DB}F:\steamlibrary\steamapps\common\mass effect andromeda\masseffectandromeda.exe] => (Allow) F:\steamlibrary\steamapps\common\mass effect andromeda\masseffectandromeda.exe => No File
FirewallRules: [TCP Query User{A1586AC7-36A9-4939-896F-DC96BDB616B5}F:\steamlibrary\steamapps\common\the witcher 2\bin\witcher2.exe] => (Allow) F:\steamlibrary\steamapps\common\the witcher 2\bin\witcher2.exe => No File
FirewallRules: [UDP Query User{A8D089A3-0C23-4787-B020-C70F5F63DF8E}F:\steamlibrary\steamapps\common\the witcher 2\bin\witcher2.exe] => (Allow) F:\steamlibrary\steamapps\common\the witcher 2\bin\witcher2.exe => No File
FirewallRules: [{88856E4F-E0D0-4AD0-A3F9-81D54C7F560D}] => (Allow) F:\SteamLibrary\steamapps\common\Metro Last Light\MetroLL.exe => No File
FirewallRules: [{F0A5F58B-836C-46BD-85DC-AA58218D4590}] => (Allow) F:\SteamLibrary\steamapps\common\Metro Last Light\MetroLL.exe => No File
FirewallRules: [TCP Query User{0897F55E-5E62-464D-9F30-63F163FB7A54}F:\steamlibrary\steamapps\common\titanfall2\titanfall2.exe] => (Allow) F:\steamlibrary\steamapps\common\titanfall2\titanfall2.exe => No File
FirewallRules: [UDP Query User{573A41C4-8965-429A-BC9E-6D4D46E19483}F:\steamlibrary\steamapps\common\titanfall2\titanfall2.exe] => (Allow) F:\steamlibrary\steamapps\common\titanfall2\titanfall2.exe => No File
FirewallRules: [{847FE98A-F70E-4B8F-85CA-C85029FE6FA3}] => (Allow) F:\SteamLibrary\steamapps\common\P3R\P3R\Binaries\Win64\P3R.exe => No File
FirewallRules: [{B20A8709-6B97-4B85-8880-812B528621CC}] => (Allow) F:\SteamLibrary\steamapps\common\P3R\P3R\Binaries\Win64\P3R.exe => No File
FirewallRules: [{49977FE8-C091-49B9-8398-64F124DF086E}] => (Allow) F:\SteamLibrary\steamapps\common\Don't Starve Together\bin64\dontstarve_steam_x64.exe => No File
FirewallRules: [{C7DBB675-5988-45D6-8110-116F46FC8392}] => (Allow) F:\SteamLibrary\steamapps\common\Don't Starve Together\bin64\dontstarve_steam_x64.exe => No File
FirewallRules: [{EEF577FC-8220-4DB3-83CC-418D25947DE3}] => (Allow) F:\SteamLibrary\steamapps\common\Don't Starve Together\bin\dontstarve_steam.exe => No File
FirewallRules: [{91B7C69C-A6EF-4585-B055-ADABB74A5DF0}] => (Allow) F:\SteamLibrary\steamapps\common\Don't Starve Together\bin\dontstarve_steam.exe => No File
FirewallRules: [TCP Query User{5D6613D6-70D7-480E-9AFB-4A1C9166F420}F:\steamlibrary\steamapps\common\don't starve together\bin64\dontstarve_dedicated_server_nullrenderer_x64.exe] => (Allow) F:\steamlibrary\steamapps\common\don't starve together\bin64\dontstarve_dedicated_server_nullrenderer_x64.exe => No File
FirewallRules: [UDP Query User{D14D0073-1271-4EA4-861C-B2A77395446B}F:\steamlibrary\steamapps\common\don't starve together\bin64\dontstarve_dedicated_server_nullrenderer_x64.exe] => (Allow) F:\steamlibrary\steamapps\common\don't starve together\bin64\dontstarve_dedicated_server_nullrenderer_x64.exe => No File
FirewallRules: [{8D85DDB4-A7E0-4BB7-BC6F-3CC4A497C87E}] => (Allow) F:\SteamLibrary\steamapps\common\Life Is Strange\Binaries\Win32\LifeIsStrange.exe => No File
FirewallRules: [{F82C5EFE-25C5-4D19-8062-55D274FE0F2D}] => (Allow) F:\SteamLibrary\steamapps\common\Life Is Strange\Binaries\Win32\LifeIsStrange.exe => No File
FirewallRules: [{B703EC4E-DD78-4309-9F1C-B20FE47ACFFE}] => (Allow) C:\Program Files\Mozilla Firefox\firefox.exe => No File
FirewallRules: [TCP Query User{58BEC1AB-E9D2-4D0B-8E14-2DFDB0C96C82}F:\new folder\goblin_nest_v1.09\goblin nest\goblinnest_v1.09.exe] => (Block) F:\new folder\goblin_nest_v1.09\goblin nest\goblinnest_v1.09.exe => No File
FirewallRules: [UDP Query User{B138B8C6-3008-4A6E-9C56-AEDCD2378CC1}F:\new folder\goblin_nest_v1.09\goblin nest\goblinnest_v1.09.exe] => (Block) F:\new folder\goblin_nest_v1.09\goblin nest\goblinnest_v1.09.exe => No File
FirewallRules: [{FAFD1F47-0744-4639-B864-4339F44BD746}] => (Allow) C:\Program Files\Bitdefender\Bitdefender Security\bdntwrk.exe => No File
StartRegedit:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"ConsentPromptBehaviorAdmin"=dword:00000005
"ConsentPromptBehaviorUser"=dword:00000003
"EnableLUA"=dword:00000001
EndRegedit:
StartPowerShell:
# Microsoft Defender hardening: one Set-MpPreference call per preference,
# applied in the order written; the final Update-MpSignature refreshes
# definitions. Each call stands alone, so a parameter that is not
# supported on a given Windows build fails by itself without undoing the rest.
# Enable real-time protection
Set-MpPreference -DisableRealtimeMonitoring $false
# Enable behavioural protection
Set-MpPreference -DisableBehaviorMonitoring $false
# Enable PUP (potentially unwanted application) detection
Set-MpPreference -PUAProtection Enabled
# Enable cloud protection at level 4 - aggressively block unknowns and apply additional protection measures; alternatively use 2 for lower protection or 0 for the default
Set-MpPreference -CloudBlockLevel 4
# Send advanced information about malicious/unwanted software present on your device (2 = advanced MAPS membership)
Set-MpPreference -MAPSReporting 2
# Send safe samples automatically to Microsoft (1 = safe samples only; no prompt for those)
Set-MpPreference -SubmitSamplesConsent 1
# Enables network protection, which blocks outbound connections to low-reputation domains/IPs
# NOTE(review): this is not limited to HTTP inspection as the original comment suggested - confirm against the Set-MpPreference docs
Set-MpPreference -EnableNetworkProtection Enabled
# Enables block at first sight (cloud verdict on never-seen-before files before they run)
Set-MpPreference -DisableBlockAtFirstSeen $false
# Allows scanning of archive files, such as .zip and .cab files, for malware/PUP
Set-MpPreference -DisableArchiveScanning $false
# Enables automatic scanning of USB & removable drives
Set-MpPreference -DisableRemovableDriveScanning $false
# Enables scanning of network files
Set-MpPreference -DisableScanningNetworkFiles $false
# Forces a signature check before running a scan
Set-MpPreference -CheckForSignaturesBeforeRunningScan $true
# Extends the cloud check timeout by 30 seconds
# NOTE(review): the documented semantics are "seconds added on top of the default 10", i.e. ~40 s total, not "10 -> 30" - verify
Set-MpPreference -CloudExtendedTimeout 30
# Enables automatic scanning of all downloaded files and attachments (IOAV)
Set-MpPreference -DisableIOAVProtection $false
# Enables script scanning (AMSI-backed script detection)
Set-MpPreference -DisableScriptScanning $false
# Disables the automatic exclusions Defender adds on its own for server roles/features, so those paths are scanned too
Set-MpPreference -DisableAutoExclusions 1
# Enables scanning of mapped network drives during full scans
Set-MpPreference -DisableScanningMappedNetworkDrivesForFullScan 0
# Enables scanning of email files
Set-MpPreference -DisableEmailScanning 0
# Enables DNS sinkholing: Defender examines DNS traffic for exfiltration/tunnelling and other DNS-based attacks
# NOTE(review): this is DNS-traffic inspection rather than a domain/IP blocklist - confirm with the docs before relying on it
Set-MpPreference -EnableDnsSinkhole $true
# Checks for signature updates every 12 hours
Set-MpPreference -SignatureUpdateInterval 12
# Sets automatic quarantine as the default action for threats rated high and severe
Set-MpPreference -HighThreatDefaultAction Quarantine
Set-MpPreference -SevereThreatDefaultAction Quarantine
# Updates signatures now
Update-MpSignature
EndPowerShell:
StartPowerShell:
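# This snippet downloads Emsisoft Emergency Kit (EEK) from the Emsisoft's official site, updates it, scans with it.
# Do note that the executable is 300MB and may take some time to download.
# ---
# This will scan for malware and PUP's in 1) system memory 2) important folders as documentation says
# It will scan in compressed archives, in mail archives, in NTFS alternate data streams and use cloud requests
# ---
# You can use argument "/delete" to delete found objects including references but this is permanent and irreversible.
# You can remove the "/quick" argument to do a full scan but that may take longer than what FRST can handle.
# You can use argument "/quarantine="[folder]"" to put found malware into quarantine, but I personally prefer first verifying the detections.
# ---
# Compared with a plain download-and-run:
#   * the download is fetched with TLS 1.2 enabled and its Authenticode signature is
#     checked before anything from it is executed - on a possibly compromised
#     machine a freshly downloaded binary should not run unless it is what it claims to be;
#   * the wait for the self-extractor is bounded, so a failed or partial extraction
#     no longer hangs FRST forever (the original loop had no exit condition);
#   * cmdlet errors stop the snippet instead of continuing with a half-prepared EEK.
$downloadUrl = "https://dl.emsisoft.com/EmsisoftEmergencyKit.exe"
$systemDrive = $env:SystemDrive
$frstPath = "$systemDrive\FRST"
$savePath = "$frstPath\EEK.exe"
$extractPath = "$frstPath\EEK"
$logPath = "$frstPath\EEK_scan.log"
# Seconds to wait for the extractor to produce a2cmd.exe before giving up.
$extractTimeoutSec = 600

# Fail closed: any cmdlet error ends the snippet rather than running a later step on missing input.
$ErrorActionPreference = 'Stop'
# Windows PowerShell 5.1 may not offer TLS 1.2 by default, which makes the download fail against modern servers.
[Net.ServicePointManager]::SecurityProtocol = [Net.ServicePointManager]::SecurityProtocol -bor [Net.SecurityProtocolType]::Tls12
# Progress rendering slows Invoke-WebRequest considerably for a file this size in PowerShell 5.1.
$ProgressPreference = 'SilentlyContinue'

if (-not (Test-Path $frstPath)) {
New-Item -Path $frstPath -ItemType Directory -Force | Out-Null
}
if (-not (Test-Path $extractPath)) {
New-Item -Path $extractPath -ItemType Directory -Force | Out-Null
}
Invoke-WebRequest -Uri $downloadUrl -OutFile $savePath -UseBasicParsing

# Refuse to execute the download unless it carries a valid Authenticode signature.
# The file is left in place so the helper can inspect it if verification fails.
$sig = Get-AuthenticodeSignature -FilePath $savePath
if ($sig.Status -ne 'Valid') {
    Write-Output "EEK download failed Authenticode verification (status: $($sig.Status)); not executing it. File left at $savePath for inspection."
    exit
}
Write-Output "EEK signer: $($sig.SignerCertificate.Subject)"

# Silent extraction into $extractPath. The extractor is killed once a2cmd.exe appears,
# as in the original; presumably it would otherwise keep running (e.g. launching the EEK UI).
$proc = Start-Process -FilePath $savePath -ArgumentList "-s -d`"$extractPath`"" -PassThru
$a2cmdMarker = Join-Path $extractPath "bin64\a2cmd.exe"
$deadline = (Get-Date).AddSeconds($extractTimeoutSec)
while (-not (Test-Path $a2cmdMarker) -and -not $proc.HasExited -and (Get-Date) -lt $deadline) {
    Start-Sleep -Milliseconds 1000
}
Stop-Process -Id $proc.Id -Force -ErrorAction SilentlyContinue
# Re-check after the loop so an extractor that exited right after writing the file is not misreported.
if (-not (Test-Path $a2cmdMarker)) {
    Write-Output "EEK extraction did not produce $a2cmdMarker within $extractTimeoutSec s (extractor exited: $($proc.HasExited)); aborting."
    exit
}

if ([Environment]::Is64BitOperatingSystem) {
$a2cmdPath = Join-Path $extractPath "bin64\a2cmd.exe"
} else {
$a2cmdPath = Join-Path $extractPath "bin32\a2cmd.exe"
}
Start-Process -FilePath $a2cmdPath -ArgumentList "/update" -Wait -NoNewWindow
Start-Process -FilePath $a2cmdPath -ArgumentList "/malware /quick /m /t /pup /a /am /cloud=1 /la=`"$logPath`"" -Wait -NoNewWindow
# Echo the scan log into the FRST output; say so explicitly if the scan wrote none.
if (Test-Path $logPath) {
    Get-Content $logPath
} else {
    Write-Output "EEK scan produced no log at $logPath"
}
exit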
EndPowerShell:
StartPowerShell:
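# Downloads newest AdwCleaner version directly from Malwarebytes, performs an update, scans, cleans and writes the log in console
# Does not clean preinstalled objects, only PUP/Adware
# If you would like to delete preinstalled objects, add an argument /preinstalled to the /clean argument
# If you would like to only scan with it, change the argument from /clean to /scan
# ---
# Compared with a plain download-and-run, this version enables TLS 1.2 for the
# download, checks the Authenticode signature of the executable before running it,
# uses -UseBasicParsing like the EEK snippet, and stops on cmdlet errors instead of
# trying to run a binary that was never written.
$ErrorActionPreference = 'Stop'
# Windows PowerShell 5.1 may not offer TLS 1.2 by default, which makes the download fail against modern servers.
[Net.ServicePointManager]::SecurityProtocol = [Net.ServicePointManager]::SecurityProtocol -bor [Net.SecurityProtocolType]::Tls12
$ProgressPreference = 'SilentlyContinue'
$workDir = "$env:SystemDrive\AdwCleaner"
$exePath = "$workDir\AdwCleanerFRST.exe"
$logFile = "$workDir\AdwCleanerOutputFRST.txt"
New-Item -ItemType Directory -Force -Path $workDir | Out-Null
# -UseBasicParsing avoids the Internet Explorer engine dependency of Invoke-WebRequest on Windows PowerShell 5.1.
Invoke-WebRequest -Uri "https://adwcleaner.malwarebytes.com/adwcleaner?channel=release" -OutFile $exePath -UseBasicParsing
# Refuse to execute the download unless it carries a valid Authenticode signature;
# the file is left in place so the helper can inspect it if verification fails.
$sig = Get-AuthenticodeSignature -FilePath $exePath
if ($sig.Status -ne 'Valid') {
    Write-Output "AdwCleaner download failed Authenticode verification (status: $($sig.Status)); not executing it. File left at $exePath for inspection."
    exit
}
Write-Output "AdwCleaner signer: $($sig.SignerCertificate.Subject)"
# Accept the EULA non-interactively, then run the clean with its stdout captured to $logFile.
Start-Process -FilePath $exePath -ArgumentList "/eula" -Wait -WindowStyle Hidden
Start-Process -FilePath $exePath -ArgumentList "/noreboot /clean" -Wait -WindowStyle Hidden -RedirectStandardOutput $logFile
if (Test-Path $logFile) {
    # The captured output is read as UTF-16 (-Encoding Unicode), as in the original snippet.
    Get-Content $logFile -Encoding Unicode
    Remove-Item -Path $logFile -Force -ErrorAction SilentlyContinue
} else {
    Write-Output "AdwCleaner produced no output at $logFile"
}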
EndPowerShell:
CMD: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /v "SmartScreenEnabled" /t REG_SZ /d "Warn" /f
CMD: reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v "EnableWebContentEvaluation" /t REG_DWORD /d 1 /f
CMD: netsh int ip reset
CMD: netsh int ipv6 reset
CMD: ipconfig /flushDNS
CMD: netsh winsock reset catalog
C:\Users\CurrentUserName\AppData\Local\Temp\*
C:\Windows\Temp\*
C:\Windows\SystemTemp\*
EmptyTemp:
End::