Malware Log Analysis

shared / Advanced_Meaning8261

Start
CreateRestorePoint:
CloseProcesses:
HKLM\SOFTWARE\Microsoft\Windows Defender: [DisableAntiSpyware] Restriction <==== ATTENTION
HKLM\SOFTWARE\Microsoft\Windows Defender: [DisableAntiVirus] Restriction <==== ATTENTION
Folder: C:\Users\berto\AppData\Local\ConnectedDevicesPlatform\0fddd7a2c6c239ea\5d2e1b25fc51bc4b0236fd493774ad9f
Task: {84C90158-E63B-47AE-9203-4C7A620E49AF} - System32\Tasks\Dun Verifier Venezuela 57195-376-1001 => C:\Users\berto\AppData\Local\ConnectedDevicesPlatform\0fddd7a2c6c239ea\5d2e1b25fc51bc4b0236fd493774ad9f\pythonw.exe [104280 2026-05-23] (Python Software Foundation -> Python Software Foundation) -> "C:\Users\berto\AppData\Local\ConnectedDevicesPlatform\0fddd7a2c6c239ea\5d2e1b25fc51bc4b0236fd493774ad9f\gamelan.py" <==== ATTENTION
C:\Users\berto\AppData\Local\ConnectedDevicesPlatform\0fddd7a2c6c239ea\5d2e1b25fc51bc4b0236fd493774ad9f
Folder: C:\Users\berto\AppData\Local\ConnectedDevicesPlatform\0fddd7a2c6c239ea
2026-05-23 09:54 - 2026-04-19 20:29 - 000000000 ____D C:\Users\berto\AppData\Roaming\RenPy
FirewallRules: [{F4E09234-1D7F-4891-A385-97412F154DD5}] => (Allow) C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe => No File
FirewallRules: [{5A7BF4DC-FFA9-4A13-A5A8-6D37404D662E}] => (Allow) C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe => No File
FirewallRules: [TCP Query User{22C25255-A95E-4D53-B97A-49495333C8AD}C:\users\berto\appdata\local\programs\plitch\plitch.exe] => (Allow) C:\users\berto\appdata\local\programs\plitch\plitch.exe => No File
FirewallRules: [UDP Query User{270BDDD1-778B-4D50-8BF1-C0B9EA48C06B}C:\users\berto\appdata\local\programs\plitch\plitch.exe] => (Allow) C:\users\berto\appdata\local\programs\plitch\plitch.exe => No File
FirewallRules: [{8464652A-62FA-4095-9D46-73FEC1596FA6}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Bloodlines 2\Launcher\dowser.exe => No File
FirewallRules: [{CBFFD4D9-8C3B-4DFF-B2FE-0AB36E386355}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Bloodlines 2\Launcher\dowser.exe => No File
FirewallRules: [TCP Query User{85A8B8D2-3B35-44AB-9061-46F15B281FD4}C:\program files (x86)\starcraft ii\versions\base95299\sc2_x64.exe] => (Allow) C:\program files (x86)\starcraft ii\versions\base95299\sc2_x64.exe => No File
FirewallRules: [UDP Query User{BAA1B636-5BF9-43CB-9A39-CFDDB1B7BE6F}C:\program files (x86)\starcraft ii\versions\base95299\sc2_x64.exe] => (Allow) C:\program files (x86)\starcraft ii\versions\base95299\sc2_x64.exe => No File
FirewallRules: [TCP Query User{466F7208-6684-4C90-ADA9-628A354ADB0F}C:\program files (x86)\starcraft ii\versions\base95841\sc2_x64.exe] => (Allow) C:\program files (x86)\starcraft ii\versions\base95841\sc2_x64.exe => No File
FirewallRules: [UDP Query User{28B81CA9-61A6-4101-B64A-807ACF1FCBDC}C:\program files (x86)\starcraft ii\versions\base95841\sc2_x64.exe] => (Allow) C:\program files (x86)\starcraft ii\versions\base95841\sc2_x64.exe => No File
FirewallRules: [TCP Query User{6A289416-0540-4CDB-B125-8F86F3B3B20C}C:\users\berto\appdata\local\lovense\remote\lovense_remote.exe] => (Allow) C:\users\berto\appdata\local\lovense\remote\lovense_remote.exe => No File
FirewallRules: [UDP Query User{A36EEC51-DEB6-4738-A81E-1CF4CEAF307F}C:\users\berto\appdata\local\lovense\remote\lovense_remote.exe] => (Allow) C:\users\berto\appdata\local\lovense\remote\lovense_remote.exe => No File
FirewallRules: [TCP Query User{6E691928-F758-4A40-9707-064FB85B1097}C:\program files (x86)\starcraft ii\versions\base96826\sc2_x64.exe] => (Allow) C:\program files (x86)\starcraft ii\versions\base96826\sc2_x64.exe => No File
FirewallRules: [UDP Query User{A31A10D8-83BE-467D-BD49-AB0ECE1919F2}C:\program files (x86)\starcraft ii\versions\base96826\sc2_x64.exe] => (Allow) C:\program files (x86)\starcraft ii\versions\base96826\sc2_x64.exe => No File
HKU\S-1-5-21-2664321715-2315589813-2789204376-1001\...\Run: [GalaxyClient] => [X]
Task: {106DAC49-204B-4971-8961-07EED8200EBD} - System32\Tasks\ASUS\P508PowerAgent_sdk => C:\Program Files (x86)\ASUS\ArmouryDevice\dll\ShareFromArmouryIII\Mouse\ROG STRIX CARRY\P508PowerAgent.exe (No File)
Task: {F3E6E7ED-A196-4E44-8803-55FAB3AD4E29} - System32\Tasks\Microsoft\Windows\UpdateOrchestrator\USO_UxBroker => %systemroot%\system32\MusNotification.exe (No File)
CHR HomePage: Default -> hxxp://search.conduit.com/?ctid=CT3314958&octid=EB_ORIGINAL_CTID&SearchSource=55&CUI=&UM=2&UP=SP91C63220-4B2A-46A4-8DF4-07D791E80AE6&SSPV=
CHR StartupUrls: Default -> "hxxp://www.mystartsearch.com/?type=hppp&ts=1421181727&from=wpc&uid=HitachiXHDS721010CLA332_JP9960HZ241G0U241G0UX","hxxp://www.oursurfing.com/?type=hp&ts=1441093093&z=2b0ab6fad6a9513eccef361gcz9zdgfg9m0t1o6zbg&from=amt&uid=TOSHIBAXMQ01ABD075_24GTP6AJTXX24GTP6AJT","hxxp://www.mystartsearch.com/?type=hp&ts=1441093548&z=49dd01eb1bc15eb638d7673g2z2z1g1gfm6t4w6q0q&from=cmi&uid=TOSHIBAXMQ01ABD075_24GTP6AJTXX24GTP6AJT","hxxp://nl.search.yahoo.com/?fr=hp-ddc-bd&type=bl-bcr-is-rhb-36__alt__ddc_dsssyc_bd_com"
Powershell: Get-ScheduledTask | select -first 30 | Get-ScheduledTaskInfo
Powershell: @("$env:APPDATA","$env:LOCALAPPDATA") | ForEach-Object { Get-ChildItem $_ -Recurse -Filter "index.js" -ErrorAction SilentlyContinue } | Where-Object { $_.FullName -match "discord_desktop_core" } | ForEach-Object { Write-Host "--- $($_.FullName) ---"; (Get-Content $_.FullName -Raw).Substring(0,[Math]::Min(2000,(Get-Content $_.FullName -Raw).Length)) }
Powershell: (Get-ItemProperty "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU" -ErrorAction SilentlyContinue).PSObject.Properties | Where-Object { $_.Name -match "^[a-z]$" } | ForEach-Object { Write-Host "$($_.Name): $($_.Value)" }
C:\WINDOWS\Temp\*
C:\WINDOWS\SystemTemp\*
C:\Users\berto\AppData\Local\Temp\*
StartPowerShell:
# Downloads the newest AdwCleaner version directly from Malwarebytes, performs an update, scans, cleans and writes the log to the console
# Does not clean preinstalled objects, only PUP/Adware
# If you would like to delete preinstalled objects, add the argument /preinstalled after the /clean argument
# If you would like to only scan with it, change the argument from /clean to /scan
New-Item -ItemType Directory -Force -Path "$env:SystemDrive\AdwCleaner" | Out-Null
Invoke-WebRequest -Uri "https://adwcleaner.malwarebytes.com/adwcleaner?channel=release" -OutFile "$env:SystemDrive\AdwCleaner\AdwCleanerFRST.exe"
Start-Process -FilePath "$env:SystemDrive\AdwCleaner\AdwCleanerFRST.exe" -ArgumentList "/eula" -Wait -WindowStyle Hidden
$logFile = "$env:SystemDrive\AdwCleaner\AdwCleanerOutputFRST.txt"
Start-Process -FilePath "$env:SystemDrive\AdwCleaner\AdwCleanerFRST.exe" -ArgumentList "/noreboot /clean" -Wait -WindowStyle Hidden -RedirectStandardOutput $logFile
Get-Content $logFile -Encoding Unicode
Remove-Item -Path $logFile -Force -ErrorAction SilentlyContinue
EndPowerShell:
StartPowershell:
# Replace /scanonly with /clean if you also want to delete items -- however, this will activate a trial license on the system, I do not recommend it
$hmpExe = "$env:TEMP\HitmanPro_x64.exe"
$logFile = "$env:TEMP\HitmanPro_ScanLog.txt"
Invoke-WebRequest -Uri "https://dl.surfright.nl/HitmanPro_x64.exe" -OutFile $hmpExe -UseBasicParsing
$proc = Start-Process $hmpExe -ArgumentList "/ews","/scanonly","/noinstall","/log=`"$logFile`"","/logtype=txt" -Wait -PassThru
if (!(Test-Path $logFile)) { Write-Host "Scan failed (exit $($proc.ExitCode))"; exit 1 }
Get-Content $logFile -Encoding Unicode
EndPowershell:
StartPowerShell:
# This snippet downloads Emsisoft Emergency Kit (EEK) from Emsisoft's official site, updates it and scans with it.
# Do note that the executable is 300MB and may take some time to download.
# ---
# This will scan for malware and PUPs in 1) system memory 2) important folders, as the documentation says
# It will scan inside compressed archives, mail archives and NTFS alternate data streams, and use cloud requests
# ---
# You can use the argument "/delete" to delete found objects including references, but this is permanent and irreversible.
# You can remove the "/quick" argument to do a full scan, but that may take longer than what FRST can handle.
# You can use the argument "/quarantine="[folder]"" to put found malware into quarantine, but I personally prefer first verifying the detections.
$downloadUrl = "https://dl.emsisoft.com/EmsisoftEmergencyKit.exe"
$systemDrive = $env:SystemDrive
$frstPath = "$systemDrive\FRST"
$savePath = "$frstPath\EEK.exe"
$extractPath = "$frstPath\EEK"
if (-not (Test-Path $frstPath)) { New-Item -Path $frstPath -ItemType Directory -Force | Out-Null }
if (-not (Test-Path $extractPath)) { New-Item -Path $extractPath -ItemType Directory -Force | Out-Null }
Invoke-WebRequest -Uri $downloadUrl -OutFile $savePath -UseBasicParsing
$proc = Start-Process -FilePath $savePath -ArgumentList "-s -d`"$extractPath`"" -PassThru
while (-not (Test-Path "$extractPath\bin64\a2cmd.exe")) { Start-Sleep -Milliseconds 1000 }
Stop-Process -Id $proc.Id -Force -ErrorAction SilentlyContinue
if ([Environment]::Is64BitOperatingSystem) { $a2cmdPath = Join-Path $extractPath "bin64\a2cmd.exe" } else { $a2cmdPath = Join-Path $extractPath "bin32\a2cmd.exe" }
Start-Process -FilePath $a2cmdPath -ArgumentList "/update" -Wait -NoNewWindow
Start-Process -FilePath $a2cmdPath -ArgumentList "/malware /quick /m /t /pup /a /am /cloud=1 /la=`"$frstPath\EEK_scan.log`"" -Wait -NoNewWindow
Get-Content "$frstPath\EEK_scan.log"
exit
EndPowerShell:
cmd: del %temp%\*.* /f /s /q
cmd: rd /s /q %temp%
cmd: bitsadmin /reset /allusers
cmd: netsh winsock reset catalog
cmd: ipconfig /flushdns
RemoveProxy:
EmptyTemp:
End