Start::
SystemRestore: On
CreateRestorePoint:
CloseProcesses:
Task: {52AA67C0-CD8E-4A2A-8420-45933EE707BD} - System32\Tasks\App Explorer => C:\Users\matti\AppData\Local\Host App Service\Engine\HostAppServiceUpdater.exe [10495528 2026-03-12] (SweetLabs Inc -> SweetLabs, Inc) <==== ATTENTION
C:\Users\matti\AppData\Local\Host App Service
CustomCLSID: HKU\S-1-5-21-1803993085-1654795624-4218030563-1001_Classes\CLSID\{18A68F64-72DD-42CE-A75D-EDBDAC226F5D}\localserver32 -> "C:\Users\matti\AppData\Roaming\Spotify\SpotifyLauncher.exe" -ToastActivated => No File
CustomCLSID: HKU\S-1-5-21-1803993085-1654795624-4218030563-1001_Classes\CLSID\{5F86DC52-D653-4CFF-BAC7-C3A406AF8946}\localserver32 -> "C:\Users\matti\AppData\Roaming\Spotify\Spotify.exe" -ToastActivated => No File
CustomCLSID: HKU\S-1-5-21-1803993085-1654795624-4218030563-1001_Classes\CLSID\{86ca1aa0-34aa-4e8b-a509-50c905bae2a2}\InprocServer32 -> => No File
CustomCLSID: HKU\S-1-5-21-1803993085-1654795624-4218030563-1001_Classes\CLSID\{d93ed569-3b3e-4bff-8355-3c44f6a52bb5}\InprocServer32 -> => No File
ShellIconOverlayIdentifiers: [ShareOverlay] -> {594D4122-1F87-41E2-96C7-825FB4796516} => C:\W11toWXPStuff\ClassicExplorer64.dll -> No File
ShellIconOverlayIdentifiers-x32: [ShareOverlay] -> {594D4122-1F87-41E2-96C7-825FB4796516} => C:\W11toWXPStuff\ClassicExplorer64.dll -> No File
AlternateDataStreams: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Access.lnk:A1B76439FE [4306]
AlternateDataStreams: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\App Explorer.lnk:4C32B9D343 [4306]
AlternateDataStreams: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Epic Games Launcher.lnk:BE32D07BC5 [4306]
AlternateDataStreams: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Forge of Empires.url:1368113D25 [4306]
AlternateDataStreams: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\OneNote.lnk:60EC9648C0 [4306]
AlternateDataStreams: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Outlook (classic).lnk:BE800952D3 [4306]
AlternateDataStreams: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Planet9 Stub.lnk:728EA71FBA [4306]
AlternateDataStreams: C:\Users\Public\Shared Files:VersionCache [8310]
BHO: ExplorerBHO Class -> {449D0D6E-2412-4E61-B68F-1CB625CD9E52} -> C:\W11toWXPStuff\ClassicExplorer64.dll => No File
BHO: ClassicIEBHO Class -> {EA801577-E6AD-4BD5-8F71-4BE0154331A4} -> C:\W11toWXPStuff\ClassicIEDLL_64.dll => No File
BHO-x32: ExplorerBHO Class -> {449D0D6E-2412-4E61-B68F-1CB625CD9E52} -> C:\W11toWXPStuff\ClassicExplorer32.dll => No File
BHO-x32: ClassicIEBHO Class -> {EA801577-E6AD-4BD5-8F71-4BE0154331A4} -> C:\W11toWXPStuff\ClassicIEDLL_32.dll => No File
FirewallRules: [UDP Query User{40A75405-E810-4097-9899-09BD43D4186F}C:\users\matti\appdata\local\discord\app-1.0.9200\discord.exe] => (Allow) C:\users\matti\appdata\local\discord\app-1.0.9200\discord.exe => No File
FirewallRules: [TCP Query User{9E1573E9-1DD8-4052-B8D9-B910AAF16880}C:\users\matti\appdata\local\discord\app-1.0.9200\discord.exe] => (Allow) C:\users\matti\appdata\local\discord\app-1.0.9200\discord.exe => No File
FirewallRules: [{40850603-D415-4D29-AE72-043FC97A2ACE}] => (Allow) D:\SteamLibrary\steamapps\common\Supermarket Together\Supermarket Together.exe => No File
FirewallRules: [{FCEA701D-9EF3-4634-83AF-BD4C0CEC2A6D}] => (Allow) D:\SteamLibrary\steamapps\common\Supermarket Together\Supermarket Together.exe => No File
FirewallRules: [{22376969-8ABB-47EC-BF18-D64D0D01084E}] => (Allow) D:\SteamLibrary\steamapps\common\GarrysMod\gmod.exe => No File
FirewallRules: [{6A950492-6CA7-494F-83F6-A0FFA502BC51}] => (Allow) D:\SteamLibrary\steamapps\common\GarrysMod\gmod.exe => No File
FirewallRules: [{C1BF4819-5DF7-43C2-B5CB-EDBA01D50A3E}] => (Allow) D:\SteamLibrary\steamapps\common\Lethal Company\Lethal Company.exe => No File
FirewallRules: [{C324CC01-92C3-4112-86D4-76DE7DC344CB}] => (Allow) D:\SteamLibrary\steamapps\common\Lethal Company\Lethal Company.exe => No File
FirewallRules: [UDP Query User{7D5728C6-1EAB-4652-8988-C222DDAEB562}D:\program files\epic games\fortnite\fortnitegame\binaries\win64\fortniteclient-win64-shipping.exe] => (Allow) D:\program files\epic games\fortnite\fortnitegame\binaries\win64\fortniteclient-win64-shipping.exe => No File
FirewallRules: [TCP Query User{6206AEFC-5F53-42E1-8EC6-D59A8075D93C}D:\program files\epic games\fortnite\fortnitegame\binaries\win64\fortniteclient-win64-shipping.exe] => (Allow) D:\program files\epic games\fortnite\fortnitegame\binaries\win64\fortniteclient-win64-shipping.exe => No File
FirewallRules: [UDP Query User{3E78E757-7308-4631-B4AB-53C568C4BE33}D:\steamlibrary\steamapps\common\tekken 7\tekkengame\binaries\win64\tekkengame-win64-shipping.exe] => (Allow) D:\steamlibrary\steamapps\common\tekken 7\tekkengame\binaries\win64\tekkengame-win64-shipping.exe => No File
FirewallRules: [TCP Query User{1CAAB189-BD0A-401D-8C37-582264303A95}D:\steamlibrary\steamapps\common\tekken 7\tekkengame\binaries\win64\tekkengame-win64-shipping.exe] => (Allow) D:\steamlibrary\steamapps\common\tekken 7\tekkengame\binaries\win64\tekkengame-win64-shipping.exe => No File
FirewallRules: [{22310A18-FF49-4F0A-B344-E526EBB69B58}] => (Allow) C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe => No File
FirewallRules: [{B617B417-99F7-4D5A-AAD9-6D3F38733CB2}] => (Allow) C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe => No File
FirewallRules: [{5BF24139-A28F-41F7-B9A3-AAEE82FECE2D}] => (Allow) D:\SteamLibrary\steamapps\common\Among Us\Among Us.exe => No File
FirewallRules: [{3BCCC5F4-8D0E-4BFC-9C3B-6935527F169B}] => (Allow) D:\SteamLibrary\steamapps\common\Among Us\Among Us.exe => No File
FirewallRules: [TCP Query User{657A5FB9-D630-40AC-8BEB-EACB8827A208}C:\users\matti\documents\fightcade\emulator\fcade.exe] => (Allow) C:\users\matti\documents\fightcade\emulator\fcade.exe => No File
FirewallRules: [UDP Query User{3D578BA3-AFA9-444D-B275-2F5FEE4EAE60}C:\users\matti\documents\fightcade\emulator\fcade.exe] => (Allow) C:\users\matti\documents\fightcade\emulator\fcade.exe => No File
FirewallRules: [TCP Query User{2CDDB811-BE38-46E5-BB66-26572AE4218E}C:\users\matti\documents\fightcade\emulator\fbneo\fcadefbneo.exe] => (Allow) C:\users\matti\documents\fightcade\emulator\fbneo\fcadefbneo.exe => No File
FirewallRules: [UDP Query User{4FE98112-9A9D-4D7C-B274-D4B73CDBBEAC}C:\users\matti\documents\fightcade\emulator\fbneo\fcadefbneo.exe] => (Allow) C:\users\matti\documents\fightcade\emulator\fbneo\fcadefbneo.exe => No File
FirewallRules: [TCP Query User{7D901B47-A33F-4CFE-9C6D-AD33DD4AFFC9}C:\users\matti\appdata\local\programs\hyperbeam\hyperbeam.exe] => (Allow) C:\users\matti\appdata\local\programs\hyperbeam\hyperbeam.exe => No File
FirewallRules: [UDP Query User{523A265F-5660-425E-B349-FBF2D26CCB01}C:\users\matti\appdata\local\programs\hyperbeam\hyperbeam.exe] => (Allow) C:\users\matti\appdata\local\programs\hyperbeam\hyperbeam.exe => No File
FirewallRules: [TCP Query User{CE06945C-38F6-4A99-8836-AF7B330D727D}D:\riot games\riot client\riotclientelectron\riot client.exe] => (Allow) D:\riot games\riot client\riotclientelectron\riot client.exe => No File
FirewallRules: [UDP Query User{00740BD0-075C-49B5-A95B-5A9FA4E3B355}D:\riot games\riot client\riotclientelectron\riot client.exe] => (Allow) D:\riot games\riot client\riotclientelectron\riot client.exe => No File
FirewallRules: [{C6EADD3F-D2D0-478D-BF37-1EE27F2B662C}] => (Allow) C:\Users\matti\AppData\Roaming\uTorrent\uTorrent.exe => No File
FirewallRules: [{4EDA64F9-599F-4A22-89A1-49CB4D5BDDA6}] => (Allow) C:\Users\matti\AppData\Roaming\uTorrent\uTorrent.exe => No File
FirewallRules: [TCP Query User{86F8CFD0-4AD9-4DBC-A970-9D3C45CD1A1F}C:\users\matti\appdata\local\discord\app-1.0.9219\discord.exe] => (Block) C:\users\matti\appdata\local\discord\app-1.0.9219\discord.exe => No File
FirewallRules: [UDP Query User{54D2AC33-95FA-4F82-BA11-29EF349AA389}C:\users\matti\appdata\local\discord\app-1.0.9219\discord.exe] => (Block) C:\users\matti\appdata\local\discord\app-1.0.9219\discord.exe => No File
FirewallRules: [TCP Query User{74498AB6-6A55-46D2-83A8-8511F443B085}C:\users\matti\appdata\roaming\spotify\spotify.exe] => (Allow) C:\users\matti\appdata\roaming\spotify\spotify.exe => No File
FirewallRules: [UDP Query User{D21F7DDF-2B11-40D4-907E-5409772E6F41}C:\users\matti\appdata\roaming\spotify\spotify.exe] => (Allow) C:\users\matti\appdata\roaming\spotify\spotify.exe => No File
FirewallRules: [{AC6AC32E-11ED-426E-A5DA-24618D983E1B}] => (Allow) C:\Users\matti\AppData\Local\Programs\Opera GX\opera.exe => No File
HKU\S-1-5-21-1803993085-1654795624-4218030563-1001\...\Run: [AMDNoiseSuppression] => "C:\WINDOWS\system32\AMD\ANR\AMDNoiseSuppression.exe" (No File)
Task: {5F09F004-4894-4CF6-94B3-06D4CEC45EBF} - System32\Tasks\Microsoft\Windows\Location\Notifications => %windir%\System32\LocationNotificationWindows.exe (No File)
Task: {F3E6E7ED-A196-4E44-8803-55FAB3AD4E29} - System32\Tasks\Microsoft\Windows\UpdateOrchestrator\USO_UxBroker => %systemroot%\system32\MusNotification.exe (No File)
Task: {56794802-6223-434E-AA56-E5340C7A869E} - System32\Tasks\OneDrive Standalone Update Task-S-1-5-21-1778183033-462764241-3470957983-500 => %localappdata%\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe (No File)
Task: {24216A16-1A31-437B-839A-24311D054049} - System32\Tasks\OneDrive Standalone Update Task-S-1-5-21-1803993085-1654795624-4218030563-1001 => %localappdata%\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe (No File)
File: D:\Program Files (x86)\Electronic Arts\The Sims Medieval\Game\Bin\rld.dll;E:\Flashpoint\Legacy\cgi-bin\susisu.ktkr.net\contents\flash.php;E:\Flashpoint\Legacy\cgi-bin\susisu.ktkr.net\contents\game.php;E:\Flashpoint\Legacy\cgi-bin\susisu.ktkr.net\contents\trash.php;E:\Flashpoint\Legacy\cgi-bin\susisu.ktkr.net\index.php;E:\Flashpoint\Legacy\cgi-bin\www.avenidacartum.com.br\esquiandonaavenida\scores.php;C:\W11TOW~1\PROTEC~1\FIGURA~1.SCR;C:\Program Files\HP\HP DeskJet 2130 series\bin\HPStatusBL.dll;C:\W11toW7stuff\WFlip050\WinFlip.exe;C:\EmptyStandbyList.exe
CMD: type "C:\Users\matti\Desktop\regrunlog.txt"
Powershell: Get-ScheduledTask | select -first 30 | Get-ScheduledTaskInfo
Powershell: @("$env:APPDATA","$env:LOCALAPPDATA") | ForEach-Object { Get-ChildItem $_ -Recurse -Filter "index.js" -ErrorAction SilentlyContinue } | Where-Object { $_.FullName -match "discord_desktop_core" } | ForEach-Object { Write-Host "--- $($_.FullName) ---"; (Get-Content $_.FullName -Raw).Substring(0,[Math]::Min(2000,(Get-Content $_.FullName -Raw).Length)) }
Powershell: (Get-ItemProperty "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU" -ErrorAction SilentlyContinue).PSObject.Properties | Where-Object { $_.Name -match "^[a-z]$" } | ForEach-Object { Write-Host "$($_.Name): $($_.Value)" }
C:\WINDOWS\Temp\*
C:\WINDOWS\SystemTemp\*
C:\Users\matti\AppData\Local\Temp\*
StartPowerShell:
# Downloads newest AdwCleaner version directly from Malwarebytes, performs an update, scans, cleans and writes the log in console
# Does not clean preinstalled objects, only PUP/Adware
# If you would like to delete preinstalled objects, add an argument /preinstalled to the /clean argument
# If you would like to only scan with it, change the argument from /clean to /scan
New-Item -ItemType Directory -Force -Path "$env:SystemDrive\AdwCleaner" | Out-Null
Invoke-WebRequest -Uri "https://adwcleaner.malwarebytes.com/adwcleaner?channel=release" -OutFile "$env:SystemDrive\AdwCleaner\AdwCleanerFRST.exe"
Start-Process -FilePath "$env:SystemDrive\AdwCleaner\AdwCleanerFRST.exe" -ArgumentList "/eula" -Wait -WindowStyle Hidden
$logFile = "$env:SystemDrive\AdwCleaner\AdwCleanerOutputFRST.txt"
Start-Process -FilePath "$env:SystemDrive\AdwCleaner\AdwCleanerFRST.exe" -ArgumentList "/noreboot /clean" -Wait -WindowStyle Hidden -RedirectStandardOutput $logFile
Get-Content $logFile -Encoding Unicode
Remove-Item -Path $logFile -Force -ErrorAction SilentlyContinue
EndPowerShell:
StartPowershell:
# Replace /scanonly with /clean if you also want to delete items -- however, this will activate a trial license on the system, I do not recommend it
$hmpExe = "$env:TEMP\HitmanPro_x64.exe"
$logFile = "$env:TEMP\HitmanPro_ScanLog.txt"
Invoke-WebRequest -Uri "https://dl.surfright.nl/HitmanPro_x64.exe" -OutFile $hmpExe -UseBasicParsing
$proc = Start-Process $hmpExe -ArgumentList "/ews","/scanonly","/noinstall","/log=`"$logFile`"","/logtype=txt" -Wait -PassThru
if (!(Test-Path $logFile)) { Write-Host "Scan failed (exit $($proc.ExitCode))"; exit 1 }
Get-Content $logFile -Encoding Unicode
EndPowershell:
StartPowerShell:
# This snippet downloads Emsisoft Emergency Kit (EEK) from Emsisoft's official site, updates it and scans with it.
# Note that the executable is about 300MB and may take some time to download.
# ---
# This scans for malware and PUPs in 1) system memory and 2) important folders, as the documentation says.
# It scans inside compressed archives, mail archives and NTFS alternate data streams, and uses cloud lookups.
# ---
# You can use the argument "/delete" to delete found objects including references, but this is permanent and irreversible.
# You can remove the "/quick" argument to do a full scan, but that may take longer than FRST can handle.
# You can use the argument /quarantine="[folder]" to put found malware into quarantine, but I personally prefer first verifying the detections.
$downloadUrl = "https://dl.emsisoft.com/EmsisoftEmergencyKit.exe"
$systemDrive = $env:SystemDrive
$frstPath = "$systemDrive\FRST"
$savePath = "$frstPath\EEK.exe"
$extractPath = "$frstPath\EEK"
if (-not (Test-Path $frstPath)) {
New-Item -Path $frstPath -ItemType Directory -Force | Out-Null
}
if (-not (Test-Path $extractPath)) {
New-Item -Path $extractPath -ItemType Directory -Force | Out-Null
}
Invoke-WebRequest -Uri $downloadUrl -OutFile $savePath -UseBasicParsing
$proc = Start-Process -FilePath $savePath -ArgumentList "-s -d`"$extractPath`"" -PassThru
while (-not (Test-Path "$extractPath\bin64\a2cmd.exe")) { Start-Sleep -Milliseconds 1000 }
Stop-Process -Id $proc.Id -Force -ErrorAction SilentlyContinue
if ([Environment]::Is64BitOperatingSystem) {
$a2cmdPath = Join-Path $extractPath "bin64\a2cmd.exe"
} else {
$a2cmdPath = Join-Path $extractPath "bin32\a2cmd.exe"
}
Start-Process -FilePath $a2cmdPath -ArgumentList "/update" -Wait -NoNewWindow
Start-Process -FilePath $a2cmdPath -ArgumentList "/malware /quick /m /t /pup /a /am /cloud=1 /la=`"$frstPath\EEK_scan.log`"" -Wait -NoNewWindow
Get-Content "$frstPath\EEK_scan.log"
exit
EndPowerShell:
cmd: del %temp%\*.* /f /s /q
cmd: rd /s /q %temp%
cmd: bitsadmin /reset /allusers
cmd: netsh winsock reset catalog
cmd: ipconfig /flushdns
RemoveProxy:
EmptyTemp:
End