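Start::
CloseProcesses:
Comment: C:\WINDOWS\policy\SDK_RUN is the folder holding NeITDeviceUpdater.ps1, the script that the NeITDeviceUpdater scheduled task listed below launches with -ExecutionPolicy Bypass.
C:\WINDOWS\policy\SDK_RUN
Comment: The exclusion paths below are single-quoted so PowerShell takes them literally. Inside double quotes $EXa10072 would be expanded as a variable, so the first path would not match the stored exclusion and it would stay in place. Single quotes also avoid a trailing backslash being read as an escaped quote if the command is passed on a command line.
PowerShell: Remove-MpPreference -ExclusionPath 'C:\Users\Matthew\AppData\Local\Temp\Rar$EXa10072.8492.rartemp\Activator'
PowerShell: Remove-MpPreference -ExclusionPath 'C:\Windows\System32\SppExtComObjHook.dll'
PowerShell: Remove-MpPreference -ExclusionPath 'C:\Users\Matthew\Documents\Rainmeter\Skins\'
C:\Users\Matthew\AppData\Local\BraveSoftware\Brave-Browser\User Data\Default\Extensions\eppiocemhmnlbhjplcgkofciiegomcon
S4 AmdTools64; \SystemRoot\System32\drivers\AmdTools64.sys (No File)
2026-06-22 17:51 - 2025-07-25 04:19 - 000000000 ____D C:\ProgramData\temp
Task: {6B6AC081-751A-4DD7-9567-A6FCCCEFC9A7} - System32\Tasks\NeITDeviceUpdater => C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe [454656 2025-09-09] (Microsoft Windows -> Microsoft Corporation) -> -nologo -noprofile -noninteractive -ExecutionPolicy Bypass -File "C:\WINDOWS\policy\SDK_RUN\NeITDeviceUpdater.ps1"
Comment: The two kernel drivers below are loaded from TEMP directories, which is why the log flags them for attention.
R3 cpuz158; C:\WINDOWS\temp\cpuz158\cpuz158_x64.sys [44592 2026-06-22] (Microsoft Windows Hardware Compatibility Publisher -> CPUID) <==== ATTENTION
R3 GPUZ-v2; C:\WINDOWS\TEMP\GPUZ-v2.sys [51392 2026-06-22] (TechPowerUp LLC -> ) <==== ATTENTION
2026-06-22 17:55 - 2026-06-22 17:55 - 000003690 _____ C:\WINDOWS\system32\Tasks\NeITDeviceUpdater
Comment: NOTE(review): these Folder: listings come after the SDK_RUN entry above, so they presumably show the post-removal state. If the script contents are wanted as evidence, confirm they are preserved before removal.
Folder: C:\WINDOWS\policy\SDK_RUN
Folder: C:\WINDOWS\policy
Comment: This snippet removes all Windows Defender exclusions
DeleteKey: HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\TemporaryPaths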
StartPowershell:
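# Removes every Microsoft Defender exclusion (paths, extensions, processes).
# Each exclusion is written to the output before it is removed, so the fix log
# keeps a record of what had been hidden from scanning. A failure on one entry
# is reported and the remaining entries are still processed.
# NOTE(review): exclusions enforced through policy may not be removable with
# Remove-MpPreference - confirm by re-checking Get-MpPreference afterwards.
Try {
    # Read the preferences once so all three lists come from the same snapshot.
    $Prefs = Get-MpPreference -ErrorAction Stop
    $Targets = @(
        @{ Kind = 'ExclusionPath';      Values = $Prefs.ExclusionPath },
        @{ Kind = 'ExclusionExtension'; Values = $Prefs.ExclusionExtension },
        @{ Kind = 'ExclusionProcess';   Values = $Prefs.ExclusionProcess }
    )
    foreach ($Target in $Targets) {
        foreach ($Value in @($Target.Values)) {
            # An empty list comes back as $null; skip it instead of calling the cmdlet.
            if ([string]::IsNullOrEmpty($Value)) { continue }
            Write-Output "Removing Defender $($Target.Kind): $Value"
            $Params = @{}
            $Params[$Target.Kind] = $Value
            Try {
                Remove-MpPreference @Params -Force -ErrorAction Stop
            }
            Catch {
                # Report and continue: one stuck entry must not leave the others in place.
                Write-Error "Error occurred while removing Windows Defender exclusions: $_"
            }
        }
    }
}
Catch {
    Write-Error "Error occurred while removing Windows Defender exclusions: $_"
}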
EndPowershell:
StartPowerShell:
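# This snippet downloads Emsisoft Emergency Kit (EEK) from Emsisoft's official site, updates it, and scans with it.
# Do note that the executable is 300MB and may take some time to download.
# ---
# This will scan for malware and PUPs in 1) system memory 2) important folders, as the documentation says.
# It will scan in compressed archives, in mail archives, in NTFS alternate data streams and use cloud requests.
# ---
# You can use argument "/delete" to delete found objects including references but this is permanent and irreversible.
# You can remove the "/quick" argument to do a full scan but that may take longer than what FRST can handle.
# You can use argument "/quarantine="[folder]"" to put found malware into quarantine, but I personally prefer first verifying the detections.
# ---
# The download is executed with the privileges of the fix, so its Authenticode
# signature is checked before it is started, and again for the extracted scanner.
# NOTE(review): the FRST folder sits at the root of the system drive; confirm its
# ACL does not let unprivileged users replace files in it between steps.

# Returns $true only when the file carries a valid Authenticode signature whose
# signer subject names Emsisoft.
# NOTE(review): confirm the publisher string against a known-good copy.
function Test-EmsisoftSignature([string]$FilePath) {
    $sig = Get-AuthenticodeSignature -FilePath $FilePath
    return ($sig.Status -eq 'Valid' -and $sig.SignerCertificate.Subject -like '*Emsisoft*')
}

$downloadUrl = "https://dl.emsisoft.com/EmsisoftEmergencyKit.exe"
$systemDrive = $env:SystemDrive
$frstPath = "$systemDrive\FRST"
$savePath = "$frstPath\EEK.exe"
$extractPath = "$frstPath\EEK"
foreach ($dir in $frstPath, $extractPath) {
    if (-not (Test-Path $dir)) {
        New-Item -Path $dir -ItemType Directory -Force | Out-Null
    }
}

# Stop on a failed download instead of executing a missing or partial file.
try {
    Invoke-WebRequest -Uri $downloadUrl -OutFile $savePath -UseBasicParsing -ErrorAction Stop
}
catch {
    Write-Error "EEK download failed: $_"
    exit
}
if (-not (Test-EmsisoftSignature $savePath)) {
    Write-Error "EEK download does not carry a valid Emsisoft signature; not executing it."
    Remove-Item -LiteralPath $savePath -Force -ErrorAction SilentlyContinue
    exit
}

# Silent self-extraction. The wait is bounded so a failed extraction cannot hang the fix.
# NOTE(review): the loop waits for the bin64 scanner even on a 32-bit system, and the
# extractor is stopped as soon as that file appears - confirm extraction is complete by then.
$proc = Start-Process -FilePath $savePath -ArgumentList "-s -d`"$extractPath`"" -PassThru
$deadline = (Get-Date).AddMinutes(10)
while (-not (Test-Path "$extractPath\bin64\a2cmd.exe")) {
    if ((Get-Date) -gt $deadline) {
        Stop-Process -Id $proc.Id -Force -ErrorAction SilentlyContinue
        Write-Error "EEK extraction did not finish within 10 minutes; scan skipped."
        exit
    }
    Start-Sleep -Milliseconds 1000
}
Stop-Process -Id $proc.Id -Force -ErrorAction SilentlyContinue

if ([Environment]::Is64BitOperatingSystem) {
    $a2cmdPath = Join-Path $extractPath "bin64\a2cmd.exe"
} else {
    $a2cmdPath = Join-Path $extractPath "bin32\a2cmd.exe"
}
# Re-check the binary that is actually run, not only the archive it came from.
if (-not (Test-Path $a2cmdPath) -or -not (Test-EmsisoftSignature $a2cmdPath)) {
    Write-Error "Extracted scanner is missing or not validly signed: $a2cmdPath"
    exit
}
Start-Process -FilePath $a2cmdPath -ArgumentList "/update" -Wait -NoNewWindow
Start-Process -FilePath $a2cmdPath -ArgumentList "/malware /quick /m /t /pup /a /am /cloud=1 /la=`"$frstPath\EEK_scan.log`"" -Wait -NoNewWindow
Get-Content "$frstPath\EEK_scan.log"
exit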
EndPowerShell:
StartBatch:
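rem This snippet downloads KVRT (Kaspersky Virus Removal Tool) directly from Kaspersky and scans with it
rem IMPORTANT: This currently (to my knowledge) scans only the following: System memory, Startup objects, Boot sectors
rem To perform a full scan (which possibly may take longer than an hour, so not recommended,) please use the argument "-allvolumes"
rem It is better to keep it only as a scanner because cleaning modes tend to restart which break the fix process.
rem --fail makes curl return an error on an HTTP failure instead of saving the error page as KASVRT.exe.
%windir%\System32\curl.exe --silent --fail "https://devbuilds.s.kaspersky-labs.com/devbuilds/KVRT/latest/full/KVRT.exe" -o "C:\FRST\KASVRT.exe"
if errorlevel 1 (
  echo KVRT download failed, scan skipped.
  exit
)
rem The download runs with the privileges of the fix, so check its Authenticode signature first.
rem NOTE(review): the publisher match is a loose substring; confirm it against a known-good copy.
%windir%\System32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -Command "$s = Get-AuthenticodeSignature -FilePath 'C:\FRST\KASVRT.exe'; if ($s.Status -ne 'Valid' -or $s.SignerCertificate.Subject -notlike '*Kaspersky*') { exit 1 }"
if errorlevel 1 (
  echo KVRT signature check failed, download deleted and scan skipped.
  del /f /q "C:\FRST\KASVRT.exe"
  exit
)
rem The log is appended to, so output from earlier runs stays in the file.
C:\FRST\KASVRT.exe -silent -adinsilent -accepteula -processlevel 0 -dontencrypt >> "C:\FRST\KVRT_log.txt"
type "C:\FRST\KVRT_log.txt"
exit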
EndBatch:
Comment: Final cleanup directive, placed after both scanner snippets; End:: closes the fixlist opened by Start::.
EmptyTemp:
End::
Warning
Executing a Fixlist on the wrong system may permanently damage it. Continue only if this link was meant for you.