So I have malware that I'm trying to remove and someone told me to use the Farbar recovery tool. They sent a fixlist.txt but it looks kinda weird. If it's not legit, can someone create one for me? Btw trying to remove this. Keeps coming back no matter what I do. (I'm trying to remove a Chrome extension called conditioner, located in appdata/local/chrome_appearance)

Attachments: FRST.txt (39.29 KB), Addition.txt (64.34 KB), Fixlist.txt (27.3 KB)
Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 25-05-2023
Ran by xingz (administrator) on LAPTOP-V4A2F2MC (LENOVO 20U9001PUS) (26-05-2023 21:39:28)
Running from C:\Users\xingz\Downloads\FRST64.exe
Loaded Profiles: xingz
Platform: Microsoft Windows 10 Pro Version 22H2 19045.2965 (X64) Language: English (United States)
Default browser: Opera
Boot Mode: Normal
==================== Processes (Whitelisted) =================
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
(C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe ->) (Malwarebytes Inc. -> Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe
(DriverStore\FileRepository\fn.inf_amd64_2c108e77df60bbd0\driver\tphkload.exe ->) (Lenovo -> Lenovo Group Limited) C:\Windows\System32\DriverStore\FileRepository\FN2C8E~1.INF\driver\shtctky.exe
(DriverStore\FileRepository\fn.inf_amd64_2c108e77df60bbd0\driver\tphkload.exe ->) (Lenovo -> Lenovo Group Limited) C:\Windows\System32\DriverStore\FileRepository\FN2C8E~1.INF\driver\tposd.exe
(explorer.exe ->) (Google LLC -> Google LLC) C:\Program Files\Google\Chrome\Application\chrome.exe <20>
(explorer.exe ->) (Opera Software AS -> Opera Software) C:\Users\xingz\AppData\Local\Programs\Opera GX\assistant\browser_assistant.exe <2>
(Google LLC -> Google LLC) C:\Program Files (x86)\Google\Update\1.3.36.242\GoogleCrashHandler.exe
(Google LLC -> Google LLC) C:\Program Files (x86)\Google\Update\1.3.36.242\GoogleCrashHandler64.exe
(services.exe ->) (GLAVSOFT, OOO -> GlavSoft LLC.) C:\Program Files\TightVNC\tvnserver.exe
(services.exe ->) (Intel Corporation -> Intel Corporation) C:\Windows\System32\DriverStore\FileRepository\dptf_cpu.inf_amd64_1da48d5885266bb7\esif_uf.exe
(services.exe ->) (Intel Corporation -> Intel Corporation) C:\Windows\System32\DriverStore\FileRepository\sgx_psw.inf_amd64_b117548b2e075ba1\aesm_service.exe
(services.exe ->) (Lenovo -> Lenovo Group Limited) C:\Windows\System32\DriverStore\FileRepository\fn.inf_amd64_2c108e77df60bbd0\driver\tphkload.exe
(services.exe ->) (Lenovo -> Lenovo Group Ltd.) C:\Windows\System32\drivers\Lenovo\udc\Service\UDClientService.exe
(services.exe ->) (Lenovo -> Lenovo) C:\Windows\System32\DriverStore\FileRepository\ibmpmdrv.inf_amd64_02d728b29c6492d3\x64\ibmpmsvc.exe
(services.exe ->) (Lenovo -> Lenovo) C:\Windows\System32\DriverStore\FileRepository\smartstandbycomponent.inf_amd64_1a7a38fb4d407c19\SmartStandby.exe
(services.exe ->) (Malwarebytes Inc. -> Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe
(services.exe ->) (Microsoft Corporation -> Microsoft Corporation) C:\Program Files (x86)\Microsoft GameInput\x64\gameinputsvc.exe <2>
(services.exe ->) (Microsoft Corporation -> Microsoft Corporation) C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe
(services.exe ->) (Microsoft Windows -> Microsoft Corporation) C:\Windows\System32\Locator.exe
(services.exe ->) (Microsoft Windows Publisher -> Microsoft Corporation) C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2304.8-0\MsMpEng.exe
(services.exe ->) (Microsoft Windows Publisher -> Microsoft Corporation) C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2304.8-0\NisSrv.exe
(services.exe ->) (Realtek Semiconductor Corp. -> Realtek Semiconductor) C:\Windows\System32\DriverStore\FileRepository\realtekservice.inf_amd64_550508a90a3c9a47\RtkAudUService64.exe <2>
(svchost.exe ->) (Microsoft Corporation -> Microsoft Corporation) C:\Program Files\Microsoft Office\root\Office16\SDXHelper.exe
(svchost.exe ->) (Microsoft Windows -> Microsoft Corporation) C:\Windows\System32\dllhost.exe <2>
(svchost.exe ->) (Microsoft Windows -> Microsoft Corporation) C:\Windows\System32\InputMethod\CHS\ChsIME.exe
(svchost.exe ->) (Microsoft Windows -> Microsoft Corporation) C:\Windows\System32\MoUsoCoreWorker.exe
(svchost.exe ->) (Microsoft Windows -> Microsoft Corporation) C:\Windows\System32\smartscreen.exe
(svchost.exe ->) (Microsoft Windows -> Microsoft Corporation) C:\Windows\System32\wlanext.exe
(svchost.exe ->) (Microsoft Windows -> Microsoft Corporation) C:\Windows\SysWOW64\dllhost.exe
==================== Registry (Whitelisted) ===================
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
HKLM\...\Run: [XMouseButtonControl] => C:\Program Files\Highresolution Enterprises\X-Mouse Button Control\XMouseButtonControl.exe [1684216 2020-05-13] (Open Source Developer, Phillip Gibbons -> Highresolution Enterprises)
HKLM\...\Run: [tvncontrol] => C:\Program Files\TightVNC\tvnserver.exe [1808888 2021-08-09] (GLAVSOFT, OOO -> GlavSoft LLC.)
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [706344 2021-09-27] (Oracle America, Inc. -> Oracle Corporation)
HKLM-x32\...\Run: [Adobe CCXProcess] => C:\Program Files (x86)\Adobe\Adobe Creative Cloud Experience\CCXProcess.exe [129288 2021-08-04] (Adobe Inc. -> )
HKLM-x32\...\Run: [Launch 0 FwCustom] => C:\Program Files\TECWARE\PHANTOMRGB\Phantom RGB Mechanical Keyboard.exe [3487232 2017-11-22] (0) [File not signed]
HKLM-x32\...\Run: [Adobe Creative Cloud] => C:\Program Files\Adobe\Adobe Creative Cloud\ACC\Creative Cloud.exe [850208 2022-04-29] (Adobe Inc. -> Adobe Inc.)
HKLM-x32\...\Run: [app service] => C:\Program Files (x86)\Apps tracker\Apps tracker.exe [1854976 2014-07-26] (Marko Devcic) [File not signed]
HKLM Group Policy restriction on software: %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot% <==== ATTENTION
HKLM Group Policy restriction on software: %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir% <==== ATTENTION
HKLM Group Policy restriction on software: C:\Users\xingz\AppData\Local\Roblox <==== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files\WindowsApps\Microsoft.MinecraftUWP_1.19.2201.0_x64__8wekyb3d8bbwe <==== ATTENTION
HKU\S-1-5-19\...\Run: [OneDriveSetup] => C:\Windows\SysWOW64\OneDriveSetup.exe [30870320 2019-12-07] (Microsoft Corporation -> Microsoft Corporation) <==== ATTENTION
HKU\S-1-5-20\...\Run: [OneDriveSetup] => C:\Windows\SysWOW64\OneDriveSetup.exe [30870320 2019-12-07] (Microsoft Corporation -> Microsoft Corporation) <==== ATTENTION
HKU\S-1-5-21-3401934515-1319308757-2340201554-1001\...\Run: [OneDrive] => C:\Program Files\Microsoft OneDrive\OneDrive.exe [2602424 2023-05-18] (Microsoft Corporation -> Microsoft Corporation) <==== ATTENTION
HKU\S-1-5-21-3401934515-1319308757-2340201554-1001\...\Run: [MicrosoftEdgeAutoLaunch_ECE742257346276521BD64230C9B00B2] => "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start /prefetch:5 [4152216 2023-05-17] (Microsoft Corporation -> Microsoft Corporation) <==== ATTENTION
HKU\S-1-5-21-3401934515-1319308757-2340201554-1001\...\Run: [Spotify] => C:\Users\xingz\AppData\Roaming\Spotify\Spotify.exe [20475768 2023-05-14] (Spotify AB -> Spotify Ltd) <==== ATTENTION
HKU\S-1-5-21-3401934515-1319308757-2340201554-1001\...\Run: [electron.app.BlueStacks Services] => C:\Users\xingz\AppData\Local\Programs\bluestacks-services\BlueStacksServices.exe [157858648 2023-03-22] (Bluestack Systems, Inc -> now.gg, Inc.) <==== ATTENTION
HKU\S-1-5-21-3401934515-1319308757-2340201554-1001\...\Run: [Opera GX Stable] => C:\Users\xingz\AppData\Local\Programs\Opera GX\launcher.exe [2611616 2023-05-18] (Opera Norway AS -> Opera Software) <==== ATTENTION
HKU\S-1-5-21-3401934515-1319308757-2340201554-1001\...\Run: [Opera GX Browser Assistant] => C:\Users\xingz\AppData\Local\Programs\Opera GX\assistant\browser_assistant.exe [3291288 2021-02-01] (Opera Software AS -> Opera Software) <==== ATTENTION
HKU\S-1-5-21-3401934515-1319308757-2340201554-1013\...\Run: [OneDrive] => C:\Program Files\Microsoft OneDrive\OneDrive.exe [2602424 2023-05-18] (Microsoft Corporation -> Microsoft Corporation) <==== ATTENTION
HKU\S-1-5-21-3401934515-1319308757-2340201554-1013\...\Run: [Spotify] => C:\Users\steve\AppData\Roaming\Spotify\Spotify.exe [20434296 2023-04-12] (Spotify AB -> Spotify Ltd) <==== ATTENTION
HKU\S-1-5-21-3401934515-1319308757-2340201554-1013\...\RunOnce: [Application Restart #0] => C:\Windows\System32\WpcMon.exe [1173472 2022-03-09] (Microsoft Windows -> Microsoft Corporation) <==== ATTENTION
HKLM\Software\Microsoft\Active Setup\Installed Components: [{8A69D345-D564-463c-AFF1-A69D9E530F96}] -> C:\Program Files\Google\Chrome\Application\113.0.5672.127\Installer\chrmstp.exe [2023-05-18] (Google LLC -> Google LLC)
GroupPolicy: Restriction ? <==== ATTENTION
Policies: C:\ProgramData\NTUSER.pol: Restriction <==== ATTENTION
==================== Scheduled Tasks (Whitelisted) =================
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
Task: {04FBBF8E-8295-46B5-9EA4-A6EA1254083B} - System32\Tasks\Microsoft\Windows\Windows Defender\Windows Defender Verification => C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2304.8-0\MpCmdRun.exe [1650024 2023-05-02] (Microsoft Windows Publisher -> Microsoft Corporation)
Task: {16E8E669-32BE-4D14-830D-6382D0119F4A} - System32\Tasks\Lenovo\Vantage\Schedule\BatteryGaugeAddinDailyScheduleTask => C:\Program Files (x86)\Lenovo\VantageService\3.13.43.0\ScheduleEventAction.exe [28888 2022-11-29] (Lenovo -> Lenovo Group Ltd.)
Task: {1D67F742-85B4-44B5-8318-A3166CE940BF} - System32\Tasks\Lenovo\UDC\Lenovo UDC Monitor => C:\Windows\system32\drivers\lenovo\udc\data\InfBackup\UdcInfInstaller.exe [186568 2022-11-17] (Lenovo -> Lenovo Group Ltd.)
Task: {2BB7E33D-F0AF-4575-A4BE-C02790501D87} - \Lenovo\ImController\Plugins\LenovoSystemUpdatePlugin_WeeklyTask -> No File <==== ATTENTION
Task: {35B70B13-8C7B-49B6-9AEB-65FF3447C313} - System32\Tasks\Opera GX scheduled assistant Autoupdate 1684208052 => C:\Users\xingz\AppData\Local\Programs\Opera GX\launcher.exe [2611616 2023-05-18] (Opera Norway AS -> Opera Software) -> --scheduledautoupdate --component-name=assistant --component-path="C:\Users\xingz\AppData\Local\Programs\Opera GX\assistant" $(Arg0)
Task: {3D8D1BAB-E484-4612-AF54-9FB0C6FA32F8} - System32\Tasks\Mozilla\Firefox Default Browser Agent 308046B0AF4A39CB => C:\Program Files\Mozilla Firefox\default-browser-agent.exe [732064 2023-05-24] (Mozilla Corporation -> Mozilla Foundation)
Task: {4036C0B7-34AA-468C-AB46-F772FA8641E7} - System32\Tasks\Lenovo\UDC\Lenovo UDC Idle Monitor => C:\windows\system32\drivers\Lenovo\udc\Service\UDCUserAgent.exe [90832 2022-11-17] (Lenovo -> Lenovo Group Ltd.)
Task: {49624E2D-6C4A-4A4A-9AE4-CC07F1BF5F92} - System32\Tasks\Lenovo\Vantage\Schedule\GenericMessagingAddin => C:\Program Files (x86)\Lenovo\VantageService\3.13.43.0\ScheduleEventAction.exe [28888 2022-11-29] (Lenovo -> Lenovo Group Ltd.)
Task: {4AB579F9-66DF-4A41-8111-9D7CC3CCBC1D} - System32\Tasks\Lenovo\Power Manager\Background monitor => "C:\Windows\SysWOW64\Lenovo\PowerMgr\PowerMgr.exe" (No File)
Task: {58A35D9E-F992-431E-B92F-4F83F5B530FD} - System32\Tasks\Lenovo\Vantage\Schedule\LenovoSystemUpdateAddin_WeeklyTask => C:\Program Files (x86)\Lenovo\VantageService\3.13.43.0\ScheduleEventAction.exe [28888 2022-11-29] (Lenovo -> Lenovo Group Ltd.)
Task: {5F1B607A-7006-4824-BA79-5683E2098EDA} - System32\Tasks\Lenovo\Vantage\Schedule\Lenovo.Vantage.SmartPerformance.MonthlyReport => C:\Program Files (x86)\Lenovo\VantageService\3.13.43.0\ScheduleEventAction.exe [28888 2022-11-29] (Lenovo -> Lenovo Group Ltd.)
Task: {6006CC98-EB9C-4F55-AF57-8260A55E557B} - System32\Tasks\BlueStacksHelper_nxt => C:\Program Files\BlueStacks_nxt\BlueStacksHelper.exe [302968 2023-04-06] (Now.gg, INC -> BlueStack Systems, Inc.)
Task: {62AF0E12-ED1A-44C3-BAD0-77546EDB12B6} - System32\Tasks\OneDrive Reporting Task-S-1-5-21-3401934515-1319308757-2340201554-1013 => C:\Program Files\Microsoft OneDrive\OneDriveStandaloneUpdater.exe [4194736 2023-05-18] (Microsoft Corporation -> Microsoft Corporation)
Task: {681A26F1-4DFC-4BCA-8550-C47AC43061CE} - System32\Tasks\RtkAudUService64_BG => C:\Windows\System32\DriverStore\FileRepository\realtekservice.inf_amd64_550508a90a3c9a47\RtkAudUService64.exe [1618296 2022-10-27] (Realtek Semiconductor Corp. -> Realtek Semiconductor)
Task: {6843406C-C8AD-4AF0-84EC-2F2A6DB6FDBF} - System32\Tasks\Microsoft\Windows\Windows Defender\Windows Defender Cleanup => C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2304.8-0\MpCmdRun.exe [1650024 2023-05-02] (Microsoft Windows Publisher -> Microsoft Corporation)
Task: {692A960B-F908-4175-A00D-9E8B78A58130} - System32\Tasks\Lenovo\Vantage\Schedule\HeartbeatAddinDailyScheduleTask => C:\Program Files (x86)\Lenovo\VantageService\3.13.43.0\ScheduleEventAction.exe [28888 2022-11-29] (Lenovo -> Lenovo Group Ltd.)
Task: {6DAB3044-C503-4469-AEA5-BFE0FF29E689} - System32\Tasks\Lenovo\SmartStandby\Daily analysis => C:\Windows\System32\DriverStore\FileRepository\smartstandbycomponent.inf_amd64_1a7a38fb4d407c19\AutonomicMgr.exe [74232 2023-02-03] (Lenovo -> )
Task: {71EAFF68-1E10-44E9-B314-8CFA5F36F70F} - System32\Tasks\Microsoft\Office\Office Performance Monitor => C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\operfmon.exe [190816 2023-04-29] (Microsoft Corporation -> Microsoft Corporation)
Task: {82E3B4CA-9791-4EAA-A0E1-0039CB78DA30} - System32\Tasks\Lenovo\Power Manager\Uninstall task => C:\Windows\SysWOW64\PowerMgrInst.exe [65016 2022-12-05] (Lenovo -> )
Task: {85FD5001-3715-4F50-9E4A-10CF1B7E359C} - System32\Tasks\Microsoft\Office\Office Feature Updates => C:\Program Files\Microsoft Office\root\Office16\sdxhelper.exe [157664 2023-05-13] (Microsoft Corporation -> Microsoft Corporation)
Task: {8DADCCA5-ABE7-4368-A4D1-349F8BE3F9C0} - System32\Tasks\OneDrive Reporting Task-S-1-5-21-3401934515-1319308757-2340201554-1001 => C:\Program Files\Microsoft OneDrive\OneDriveStandaloneUpdater.exe [4194736 2023-05-18] (Microsoft Corporation -> Microsoft Corporation)
Task: {8F3FCB09-23A5-44DA-ADA2-859D5AE3114F} - System32\Tasks\Opera GX scheduled Autoupdate 1683689610 => C:\Users\xingz\AppData\Local\Programs\Opera GX\launcher.exe [2611616 2023-05-18] (Opera Norway AS -> Opera Software)
Task: {92C81E33-7A05-4376-A2A1-C9BB4C88EBAB} - System32\Tasks\GoogleUpdateTaskMachineUA{8AE0283D-4715-477E-B4FA-30ADCAB22F9C} => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [162072 2023-05-10] (Google LLC -> Google LLC)
Task: {95FB764C-1ED3-4553-93E2-4DA277F58B9D} - \Lenovo\ImController\TimeBasedEvents\5cea59fa-0825-478d-b121-a0a3581aaf36 -> No File <==== ATTENTION
Task: {99163ADE-5A5D-4651-B561-6D0A3CC00DA8} - \Lenovo\ImController\TimeBasedEvents\95695eb7-60b9-4692-a297-4bb8008177be -> No File <==== ATTENTION
Task: {9D0FA7B9-D33E-4BEE-BE85-464CE860AFE6} - System32\Tasks\Lenovo\Vantage\Lenovo.Vantage.ServiceMaintainance => C:\Windows\system32\sc.exe [72192 2019-12-07] (Microsoft Windows -> Microsoft Corporation) -> start LenovoVantageService
Task: {A0D74873-1E2E-446A-A114-7DA5464881E8} - System32\Tasks\Microsoft\Office\Office ClickToRun Service Monitor => C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe [26513416 2023-05-13] (Microsoft Corporation -> Microsoft Corporation)
Task: {AAA78F5D-311C-417F-8759-4EED6488B3E9} - System32\Tasks\GoogleUpdateTaskMachineCore{1A00DBDC-0531-43C9-BE55-F4F274D72257} => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [162072 2023-05-10] (Google LLC -> Google LLC)
Task: {AEC36406-7268-4466-BE84-E133D7783FBF} - System32\Tasks\Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance => C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2304.8-0\MpCmdRun.exe [1650024 2023-05-02] (Microsoft Windows Publisher -> Microsoft Corporation)
Task: {B104AAFD-9666-451F-B70A-1A58C8F9163A} - System32\Tasks\Lenovo\Vantage\Schedule\LenovoCompanionAppAddinDailyScheduleTask => C:\Program Files (x86)\Lenovo\VantageService\3.13.43.0\ScheduleEventAction.exe [28888 2022-11-29] (Lenovo -> Lenovo Group Ltd.)
Task: {B16F6113-E3F6-4585-AF02-9D1A2561F60B} - System32\Tasks\OneDrive Per-Machine Standalone Update Task => C:\Program Files\Microsoft OneDrive\OneDriveStandaloneUpdater.exe [4194736 2023-05-18] (Microsoft Corporation -> Microsoft Corporation)
Task: {C58242C5-76AC-4EBE-A69F-C749AEFCFEF6} - \Lenovo\ImController\Lenovo iM Controller Scheduled Maintenance -> No File <==== ATTENTION
Task: {C5C29684-43AB-4917-867B-04E2B43E5C18} - System32\Tasks\Lenovo\Vantage\Schedule\DailyTelemetryTransmission => C:\Program Files (x86)\Lenovo\VantageService\3.13.43.0\ScheduleEventAction.exe [28888 2022-11-29] (Lenovo -> Lenovo Group Ltd.)
Task: {CAE8CA1F-02BD-4B5A-A195-04A6D66AC905} - System32\Tasks\Lenovo\SmartStandby\Uninstall Monitor => C:\Windows\system32\SmartStandbyInst.exe [43512 2023-02-03] (Lenovo -> )
Task: {DEA5D6DE-A74D-41CD-8658-CED24AD89EF3} - System32\Tasks\Microsoft\Office\Office Automatic Updates 2.0 => C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe [26513416 2023-05-13] (Microsoft Corporation -> Microsoft Corporation)
Task: {E29F22D3-9D0A-43AD-B7D4-17C70A46FB65} - System32\Tasks\Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan => C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2304.8-0\MpCmdRun.exe [1650024 2023-05-02] (Microsoft Windows Publisher -> Microsoft Corporation)
Task: {EC10BB20-6278-459B-A6B9-916B8E1FA02E} - \Lenovo\ImController\TimeBasedEvents\05e1cd92-5a3f-4b23-b48e-92d53cd7696e -> No File <==== ATTENTION
Task: {F1EA2F48-835F-4BA2-9D62-4C579FDFF366} - System32\Tasks\Mozilla\Firefox Background Update 308046B0AF4A39CB => C:\Program Files\Mozilla Firefox\firefox.exe [677280 2023-05-24] (Mozilla Corporation -> Mozilla Corporation) -> --MOZ_LOG sync,prependheader,timestamp,append,maxsize:1,Dump:5 --MOZ_LOG_FILE C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\backgroundupdate.moz_log --backgroundtask backgroundupdate
Task: {F927B388-D58E-4E16-AB50-A5A16C439A1F} - \Lenovo\ImController\Lenovo iM Controller Monitor -> No File <==== ATTENTION
Task: {FB91CF6E-73E3-4433-A731-68306AF96DC8} - System32\Tasks\Microsoft\Office\Office Feature Updates Logon => C:\Program Files\Microsoft Office\root\Office16\sdxhelper.exe [157664 2023-05-13] (Microsoft Corporation -> Microsoft Corporation)
(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)
==================== Internet (Whitelisted) ====================
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
Tcpip\Parameters: [DhcpNameServer] 192.168.1.254
Tcpip\..\Interfaces\{f8db8ce6-aba5-452e-8efb-9abf2e5ed972}: [DhcpNameServer] 150.203.1.2
Tcpip\..\Interfaces\{fdcc7fd9-8859-4e2c-b1cb-ab2408d683df}: [DhcpNameServer] 192.168.1.254
Edge:
=======
Edge DefaultProfile: Default
Edge Profile: C:\Users\xingz\AppData\Local\Microsoft\Edge\User Data\Default [2023-05-26]
Edge Extension: (Edge relevant text changes) - C:\Users\xingz\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\jmjflgjpcpepeafmmgdpfkogkghcpiha [2023-04-24]
Edge Extension: (中国工商银行密码扩展 [ICBC password extension]) - C:\Users\xingz\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\lkcpjhiihlemmaffnfhkmdhncpdpidgd [2023-05-08]
FireFox:
========
FF DefaultProfile: oma27aod.default
FF ProfilePath: C:\Users\xingz\AppData\Roaming\Mozilla\Firefox\Profiles\oma27aod.default [2021-11-05]
FF ProfilePath: C:\Users\xingz\AppData\Roaming\Mozilla\Firefox\Profiles\uj6803d8.default-release [2022-12-18]
FF Plugin: @java.com/DTPlugin,version=11.311.2 -> C:\Program Files\Java\jre1.8.0_311\bin\dtplugin\npDeployJava1.dll [2021-10-31] (Oracle America, Inc. -> Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=11.311.2 -> C:\Program Files\Java\jre1.8.0_311\bin\plugin2\npjp2.dll [2021-10-31] (Oracle America, Inc. -> Oracle Corporation)
FF Plugin: @microsoft.com/SharePoint,version=14.0 -> C:\Program Files\Microsoft Office\root\Office16\NPSPWRAP.DLL [2022-11-02] (Microsoft Corporation -> Microsoft Corporation)
FF Plugin: adobe.com/AdobeAAMDetect -> C:\Program Files (x86)\Adobe\Adobe Creative Cloud\Utils\npAdobeAAMDetect64.dll [2022-04-29] (Adobe Inc. -> Adobe Systems)
FF Plugin-x32: @microsoft.com/Lync,version=15.0 -> C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Mozilla Firefox\plugins\npmeetingjoinpluginoc.dll [2022-11-02] (Microsoft Corporation -> Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft Office\Office16\NPSPWRAP.DLL [2022-11-02] (Microsoft Corporation -> Microsoft Corporation)
FF Plugin-x32: adobe.com/AdobeAAMDetect -> C:\Program Files (x86)\Adobe\Adobe Creative Cloud\Utils\npAdobeAAMDetect32.dll [2022-04-29] (Adobe Inc. -> Adobe Systems)
Chrome:
=======
CHR Profile: C:\Users\xingz\AppData\Local\Google\Chrome\User Data\Default [2023-05-26]
CHR Notifications: Default -> hxxps://www.youtube.com
CHR Extension: (uBlock Origin) - C:\Users\xingz\AppData\Local\Google\Chrome\User Data\Default\Extensions\cjpalhdlnbpafiamejdnhcphjbkeiagm [2023-05-10]
CHR Extension: (Google Docs Offline) - C:\Users\xingz\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2023-05-25]
CHR Extension: (Chrome Web Store Payments) - C:\Users\xingz\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2023-05-10]
Opera:
=======
StartMenuInternet: (HKU\S-1-5-21-3401934515-1319308757-2340201554-1001) Opera GXStable - "C:\Users\xingz\AppData\Local\Programs\Opera GX\Launcher.exe"
==================== Services (Whitelisted) ===================
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
S2 AdobeUpdateService; C:\Program Files (x86)\Common Files\Adobe\Adobe Desktop Common\ElevationManager\AdobeUpdateService.exe [919328 2022-04-11] (Adobe Inc. -> Adobe Inc.)
R2 ClickToRunSvc; C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe [11749376 2023-05-13] (Microsoft Corporation -> Microsoft Corporation)
S2 DolbyDAXAPI; C:\Windows\System32\DriverStore\FileRepository\dax3_swc_aposvc.inf_amd64_c28b41707aefc6b9\DAX3API.exe [2283600 2021-04-28] (Dolby Laboratories, Inc. -> Dolby Laboratories)
S2 EPDService; C:\Windows\System32\EPDService.exe [211584 2022-07-07] (ELAN MICROELECTRONICS CORPORATION -> ELAN Microelectronics Corp.)
S3 FileSyncHelper; C:\Program Files\Microsoft OneDrive\23.091.0430.0001\FileSyncHelper.exe [3444152 2023-05-18] (Microsoft Corporation -> Microsoft Corporation)
S2 FMAPOService; C:\Windows\System32\FMService64.exe [479656 2022-08-08] (Microsoft Windows Hardware Compatibility Publisher -> Fortemedia)
R2 IBMPMSVC; C:\Windows\System32\DriverStore\FileRepository\ibmpmdrv.inf_amd64_02d728b29c6492d3\x64\ibmpmsvc.exe [850936 2022-11-24] (Lenovo -> Lenovo)
S2 Intel® Platform License Manager Service; C:\Windows\System32\DriverStore\FileRepository\iclsclient.inf_amd64_dec9bbf83f76d9e5\lib\PlatformLicenseManagerService.exe [746464 2022-09-23] (Intel Corporation -> Intel® Corporation)
S2 IntelAudioService; C:\Windows\System32\DriverStore\FileRepository\intcoed.inf_amd64_581d7e91d349facc\\AS\\IAS\\IntelAudioService.exe [402464 ] (Intel Corporation -> Intel)
R2 LenovoSmartStandby; C:\Windows\System32\DriverStore\FileRepository\smartstandbycomponent.inf_amd64_1a7a38fb4d407c19\SmartStandby.exe [332792 2023-02-03] (Lenovo -> Lenovo)
S2 LenovoVantageService; C:\Program Files (x86)\Lenovo\VantageService\\3.13.43.0\LenovoVantageService.exe [32464 ] (Lenovo -> Lenovo Group Ltd.)
S2 LITSSVC; C:\Windows\System32\LITSSvc.exe [1260488 2023-01-17] (Lenovo -> Lenovo.)
S2 LPlatSvc; C:\Windows\System32\DriverStore\FileRepository\ibmpmdrv.inf_amd64_02d728b29c6492d3\x64\LPlatSvc.exe [906232 2022-11-24] (Lenovo -> Lenovo)
R2 MBAMService; C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe [9246536 2023-05-21] (Malwarebytes Inc. -> Malwarebytes)
S3 OneDrive Updater Service; C:\Program Files\Microsoft OneDrive\23.091.0430.0001\OneDriveUpdaterService.exe [3779496 2023-05-18] (Microsoft Corporation -> Microsoft Corporation)
S3 Sense; C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe [336256 2023-05-10] (Microsoft Windows Publisher -> Microsoft Corporation)
S2 SynHsaService; C:\Windows\System32\SynRpcServer.exe [187328 2022-08-09] (Synaptics Incorporated -> Synaptics Incorporated.)
S2 TbtP2pShortcutService; C:\Windows\TbtP2pShortcutService.exe [256368 2022-12-15] (Intel Corporation -> Intel Corporation)
R2 TPHKLOAD; C:\Windows\System32\DriverStore\FileRepository\fn.inf_amd64_2c108e77df60bbd0\driver\TPHKLOAD.exe [602832 2023-04-14] (Lenovo -> Lenovo Group Limited)
R2 tvnserver; C:\Program Files\TightVNC\tvnserver.exe [1808888 2021-08-09] (GLAVSOFT, OOO -> GlavSoft LLC.)
R2 UDCService; C:\Windows\System32\drivers\Lenovo\udc\Service\UDClientService.exe [72912 2022-11-17] (Lenovo -> Lenovo Group Ltd.)
R3 WdNisSvc; C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2304.8-0\NisSrv.exe [3216064 2023-05-02] (Microsoft Windows Publisher -> Microsoft Corporation)
R2 WinDefend; C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2304.8-0\MsMpEng.exe [133544 2023-05-02] (Microsoft Windows Publisher -> Microsoft Corporation)
S2 ImControllerService; %SystemRoot%\Lenovo\ImController\Service\Lenovo.Modern.ImController.exe [X]
===================== Drivers (Whitelisted) ===================
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
R2 BlueStacksDrv_nxt; C:\Program Files\BlueStacks_nxt\BstkDrv_nxt.sys [322304 2023-04-06] (Bluestack Systems, Inc -> Bluestack System Inc.)
S3 BthA2dp; C:\Windows\System32\drivers\BthA2dp.sys [279040 2021-09-19] (Microsoft Corporation) [File not signed]
S3 BthHFEnum; C:\Windows\System32\drivers\bthhfenum.sys [154112 2021-10-15] (Microsoft Corporation) [File not signed]
R3 EPD; C:\Windows\System32\drivers\EPD.sys [160896 2022-07-07] (ELAN MICROELECTRONICS CORPORATION -> ELAN Microelectronics Corp.)
R3 IBMPMDRV; C:\Windows\System32\DriverStore\FileRepository\ibmpmdrv.inf_amd64_02d728b29c6492d3\x64\ibmpmdrv.sys [53240 2022-11-24] (Lenovo -> Lenovo)
R2 MBAMChameleon; C:\Windows\System32\Drivers\MbamChameleon.sys [223176 2023-05-25] (Microsoft Windows Hardware Compatibility Publisher -> Malwarebytes)
S0 MbamElam; C:\Windows\System32\DRIVERS\MbamElam.sys [21480 2023-05-08] (Microsoft Windows Early Launch Anti-malware Publisher -> Malwarebytes)
R3 MBAMSwissArmy; C:\Windows\System32\Drivers\mbamswissarmy.sys [239544 2023-05-08] (Microsoft Windows Hardware Compatibility Publisher -> Malwarebytes)
R3 MpKsl4c0a2317; C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{C9D98005-7A93-4AA4-BF2C-E0DEDC544937}\MpKslDrv.sys [212264 2023-05-26] (Microsoft Windows -> Microsoft Corporation)
R1 PMDRVS; C:\Windows\System32\DriverStore\FileRepository\ibmpmdrv.inf_amd64_02d728b29c6492d3\x64\pmdrvs.sys [38904 2022-11-24] (Lenovo -> Lenovo)
S3 sshid; C:\Windows\system32\DRIVERS\sshid.sys [47760 2021-09-01] (SteelSeries ApS -> SteelSeries ApS)
S3 VoiceAIDriver; C:\Windows\System32\DriverStore\FileRepository\voiceaidriver.inf_amd64_214d6aacf9c41414\voiceaidriver.sys [73640 2022-12-28] (Voice AI LLC -> Windows ® Win 7 DDK provider)
S0 WdBoot; C:\Windows\System32\drivers\wd\WdBoot.sys [49616 2023-05-02] (Microsoft Windows Early Launch Anti-malware Publisher -> Microsoft Corporation)
R0 WdFilter; C:\Windows\System32\drivers\wd\WdFilter.sys [498944 2023-05-02] (Microsoft Windows -> Microsoft Corporation)
R3 WdNisDrv; C:\Windows\System32\drivers\wd\WdNisDrv.sys [99608 2023-05-02] (Microsoft Windows -> Microsoft Corporation)
R3 WiManH; C:\Windows\System32\DriverStore\FileRepository\wiman.inf_amd64_39b0d69e31702623\WiManH\WiManH.sys [180296 2022-07-11] (Intel Corporation -> Intel Corporation)
==================== NetSvcs (Whitelisted) ===================
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
==================== One month (created) (Whitelisted) =========
(If an entry is included in the fixlist, the file/folder will be moved.)
2023-05-26 21:39 - 2023-05-26 21:40 - 000028498 _____ C:\Users\xingz\Downloads\FRST.txt
2023-05-26 21:39 - 2023-05-26 21:39 - 000000000 ____D C:\FRST
2023-05-26 21:31 - 2023-05-26 21:31 - 002382848 _____ (Farbar) C:\Users\xingz\Downloads\FRST64.exe
2023-05-26 19:56 - 2023-05-26 20:01 - 000000000 ____D C:\AdwCleaner
2023-05-26 19:55 - 2023-05-26 19:55 - 008791352 _____ (Malwarebytes) C:\Users\xingz\Downloads\AdwCleaner.exe
2023-05-26 19:11 - 2023-05-26 19:11 - 000000000 ____D C:\Users\xingz\AppData\Local\chrome_appearance
2023-05-24 07:38 - 2023-05-25 00:32 - 000000000 ____D C:\Program Files\Mozilla Firefox
2023-05-21 08:10 - 2023-05-25 00:33 - 000000000 ____D C:\Users\xingz\AppData\Local\Malwarebytes
2023-05-15 20:34 - 2023-05-15 20:34 - 000004478 _____ C:\Windows\system32\Tasks\Opera GX scheduled assistant Autoupdate 1684208052
2023-05-12 17:59 - 2023-05-12 17:59 - 000000000 ____D C:\Users\steve\AppData\Local\mbam
2023-05-12 17:57 - 2023-05-12 17:57 - 000000000 ____D C:\Users\steve\AppData\Local\HD-Player
2023-05-10 14:55 - 2023-05-18 15:21 - 000002254 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
2023-05-10 14:55 - 2023-05-18 15:21 - 000002213 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2023-05-10 14:55 - 2023-05-18 13:43 - 000003790 _____ C:\Windows\system32\Tasks\GoogleUpdateTaskMachineUA{8AE0283D-4715-477E-B4FA-30ADCAB22F9C}
2023-05-10 14:55 - 2023-05-18 13:43 - 000003666 _____ C:\Windows\system32\Tasks\GoogleUpdateTaskMachineCore{1A00DBDC-0531-43C9-BE55-F4F274D72257}
2023-05-10 14:55 - 2023-05-10 14:55 - 001367592 _____ (Google LLC) C:\Users\xingz\Downloads\ChromeSetup (1).exe
2023-05-10 14:55 - 2023-05-10 14:55 - 000000000 ____D C:\Program Files\Google
2023-05-10 07:46 - 2023-05-10 07:46 - 000000000 ___HD C:\$WinREAgent
2023-05-09 20:33 - 2023-05-24 20:35 - 000004218 _____ C:\Windows\system32\Tasks\Opera GX scheduled Autoupdate 1683689610
2023-05-09 20:33 - 2023-05-24 20:35 - 000001445 _____ C:\Users\xingz\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Opera GX Browser.lnk
2023-05-09 20:33 - 2023-05-09 20:33 - 000000000 ____D C:\Users\xingz\AppData\Roaming\Opera Software
2023-05-09 20:33 - 2023-05-09 20:33 - 000000000 ____D C:\Users\xingz\AppData\Local\Opera Software
2023-05-09 20:32 - 2023-05-09 20:32 - 003492536 _____ (Opera Software) C:\Users\xingz\Downloads\OperaGXSetup.exe
2023-05-08 20:28 - 2023-05-08 20:28 - 000002040 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes.lnk
2023-05-08 20:28 - 2023-05-08 20:28 - 000002028 _____ C:\Users\Public\Desktop\Malwarebytes.lnk
2023-05-08 20:28 - 2023-05-08 20:28 - 000000000 ____D C:\ProgramData\Malwarebytes
2023-05-08 20:27 - 2023-05-08 20:27 - 002635568 _____ (Malwarebytes) C:\Users\xingz\Downloads\MBSetup-649B016C.exe
2023-05-05 20:12 - 2023-05-25 22:25 - 000000000 ____D C:\Users\xingz\AppData\Roaming\Editor
2023-05-04 15:16 - 2022-12-15 03:59 - 000049528 _____ (Intel Corporation) C:\Windows\TbtControlCenterToastLauncher.exe
==================== One month (modified) ==================
(If an entry is included in the fixlist, the file/folder will be moved.)
2023-05-26 21:25 - 2021-04-22 15:09 - 000000000 ____D C:\Users\xingz\AppData\Roaming\.minecraft
2023-05-26 21:20 - 2021-04-20 17:35 - 000000000 ____D C:\Program Files (x86)\Google
2023-05-26 20:59 - 2022-02-07 20:44 - 000000000 ____D C:\Users\xingz\AppData\Roaming\Feather Launcher
2023-05-26 20:59 - 2019-12-07 02:14 - 000000000 ____D C:\ProgramData\regid.1991-06.com.microsoft
2023-05-26 20:22 - 2021-10-14 16:16 - 000004168 _____ C:\Windows\system32\Tasks\User_Feed_Synchronization-{5D73C5AA-E5E0-402E-A9CF-AFD995EA41B3}
2023-05-26 20:01 - 2022-10-20 21:19 - 000000000 ____D C:\Users\steve\AppData\Local\Lenovo
2023-05-26 20:01 - 2021-04-20 17:07 - 000000000 ____D C:\Users\xingz\AppData\Local\Lenovo
2023-05-26 20:01 - 2020-12-22 06:08 - 000000000 ____D C:\Windows\SysWOW64\Lenovo
2023-05-26 20:01 - 2020-12-22 06:08 - 000000000 ____D C:\Windows\system32\Lenovo
2023-05-26 20:01 - 2020-12-22 05:55 - 000000000 ____D C:\Windows\system32\Tasks\Lenovo
2023-05-26 20:01 - 2020-12-22 05:55 - 000000000 ____D C:\Windows\Lenovo
2023-05-26 20:01 - 2020-12-22 05:55 - 000000000 ____D C:\Program Files\Lenovo
2023-05-26 20:01 - 2020-12-22 05:44 - 000000000 ____D C:\ProgramData\Lenovo
2023-05-26 19:49 - 2020-05-06 11:33 - 000000000 ____D C:\Windows\system32\SleepStudy
2023-05-26 19:11 - 2021-04-20 16:50 - 000000000 ____D C:\Users\xingz
2023-05-26 14:28 - 2019-12-07 02:14 - 000000000 ___HD C:\Program Files\WindowsApps
2023-05-26 14:28 - 2019-12-07 02:14 - 000000000 ____D C:\Windows\AppReadiness
2023-05-25 20:16 - 2020-12-22 06:01 - 000000000 ____D C:\Windows\TempInst
2023-05-25 15:23 - 2021-04-27 11:00 - 000000000 ____D C:\Users\xingz\AppData\Local\D3DSCache
2023-05-25 07:54 - 2021-04-24 14:02 - 000406080 _____ C:\Windows\system32\prfh0804.dat
2023-05-25 07:54 - 2021-04-24 14:02 - 000125564 _____ C:\Windows\system32\prfc0804.dat
2023-05-25 07:54 - 2020-05-06 11:41 - 001314344 _____ C:\Windows\system32\PerfStringBackup.INI
2023-05-25 07:54 - 2019-12-07 02:13 - 000000000 ____D C:\Windows\INF
2023-05-25 00:33 - 2021-04-20 17:06 - 000000000 __SHD C:\Users\xingz\IntelGraphicsProfiles
2023-05-25 00:33 - 2019-12-07 02:14 - 000000000 ____D C:\Windows\ServiceState
2023-05-25 00:32 - 2022-01-11 18:42 - 000000000 ____D C:\Program Files\Microsoft OneDrive
2023-05-25 00:32 - 2021-11-05 11:59 - 000000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2023-05-25 00:32 - 2020-12-22 06:00 - 000000000 ___HD C:\Intel
2023-05-25 00:32 - 2020-05-06 11:33 - 000008192 ___SH C:\DumpStack.log.tmp
2023-05-25 00:32 - 2020-05-06 11:33 - 000000006 ____H C:\Windows\Tasks\SA.DAT
2023-05-25 00:32 - 2019-12-07 02:03 - 001310720 _____ C:\Windows\system32\config\BBI
2023-05-24 14:43 - 2021-11-05 11:59 - 000001012 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Firefox.lnk
2023-05-24 08:57 - 2019-12-07 02:03 - 000000000 ____D C:\Windows\CbsTemp
2023-05-23 18:35 - 2019-12-07 02:14 - 000000000 ____D C:\Windows\system32\AppLocker
2023-05-21 20:36 - 2023-04-14 19:10 - 000000000 ____D C:\ProgramData\boost_interprocess
2023-05-21 20:36 - 2023-04-14 19:10 - 000000000 ____D C:\ProgramData\BlueStacks_nxt
2023-05-20 07:30 - 2023-01-17 10:24 - 000002283 _____ C:\Users\Public\Desktop\Microsoft Edge.lnk
2023-05-20 07:30 - 2020-12-22 05:55 - 000002445 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Edge.lnk
2023-05-18 22:12 - 2022-10-20 21:20 - 000003596 _____ C:\Windows\system32\Tasks\OneDrive Reporting Task-S-1-5-21-3401934515-1319308757-2340201554-1013
2023-05-18 22:12 - 2022-10-20 21:18 - 000000000 ___RD C:\Users\steve\OneDrive
2023-05-18 22:12 - 2022-01-09 23:10 - 000003194 _____ C:\Windows\system32\Tasks\OneDrive Per-Machine Standalone Update Task
2023-05-18 22:12 - 2022-01-09 23:10 - 000002139 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\OneDrive.lnk
2023-05-18 22:12 - 2021-12-10 22:56 - 000003596 _____ C:\Windows\system32\Tasks\OneDrive Reporting Task-S-1-5-21-3401934515-1319308757-2340201554-1001
2023-05-15 20:21 - 2023-02-23 21:29 - 000000000 ____D C:\Users\xingz\AppData\Local\Spotify
2023-05-15 18:38 - 2023-02-23 21:29 - 000000000 ____D C:\Users\xingz\AppData\Roaming\Spotify
2023-05-14 22:34 - 2022-02-07 20:44 - 000000000 ____D C:\Program Files\Feather Launcher
2023-05-13 19:20 - 2020-12-22 05:55 - 000000000 ____D C:\Program Files\Microsoft Office
2023-05-12 19:01 - 2022-10-25 16:59 - 000079312 _____ (Microsoft Corporation) C:\Windows\system32\xgamehelper.exe
2023-05-12 19:01 - 2022-10-25 16:59 - 000062968 _____ (Microsoft Corporation) C:\Windows\system32\xgamecontrol.exe
2023-05-12 19:01 - 2021-11-22 13:22 - 002794960 _____ (Microsoft Corporation) C:\Windows\system32\xgameruntime.dll
2023-05-12 19:01 - 2021-11-22 13:22 - 000488912 _____ (Microsoft Corporation) C:\Windows\system32\gameplatformservices.dll
2023-05-12 19:01 - 2021-11-22 13:22 - 000247248 _____ (Microsoft Corporation) C:\Windows\system32\gamingservicesproxy.dll
2023-05-12 19:01 - 2021-11-22 13:22 - 000202192 _____ (Microsoft Corporation) C:\Windows\system32\gameconfighelper.dll
2023-05-12 19:01 - 2021-11-22 13:22 - 000165376 _____ (Microsoft Corporation) C:\Windows\system32\gamelaunchhelper.dll
2023-05-12 19:01 - 2021-11-22 13:22 - 000131072 _____ (Microsoft Corporation) C:\Windows\system32\gamingtcuihelpers.dll
2023-05-12 17:57 - 2022-10-20 21:19 - 000000000 ____D C:\Users\steve\AppData\Local\Packages
2023-05-12 17:56 - 2023-02-20 15:00 - 000000000 ____D C:\Users\steve\AppData\Local\Spotify
2023-05-12 17:55 - 2023-02-20 14:59 - 000000000 ____D C:\Users\steve\AppData\Roaming\Spotify
2023-05-12 17:55 - 2022-10-21 16:34 - 000000000 ____D C:\Users\steve\AppData\Local\CrashDumps
2023-05-12 17:55 - 2022-10-20 21:19 - 000000000 __SHD C:\Users\steve\IntelGraphicsProfiles
2023-05-11 21:37 - 2022-01-29 09:47 - 000464928 _____ C:\Windows\system32\FNTCACHE.DAT
2023-05-11 21:36 - 2021-04-24 14:02 - 000000000 ____D C:\Windows\SysWOW64\zh-HANS
2023-05-11 21:36 - 2021-04-24 14:02 - 000000000 ____D C:\Windows\system32\zh-HANS
2023-05-11 21:36 - 2020-12-22 05:44 - 000000000 ____D C:\Program Files\Windows Defender Advanced Threat Protection
2023-05-11 21:36 - 2019-12-07 02:14 - 000000000 ___RD C:\Windows\ImmersiveControlPanel
2023-05-11 21:36 - 2019-12-07 02:14 - 000000000 ____D C:\Windows\SystemResources
2023-05-11 21:36 - 2019-12-07 02:14 - 000000000 ____D C:\Windows\system32\SecureBootUpdates
2023-05-11 21:36 - 2019-12-07 02:14 - 000000000 ____D C:\Windows\system32\oobe
2023-05-11 21:36 - 2019-12-07 02:14 - 000000000 ____D C:\Windows\ShellExperiences
2023-05-11 21:36 - 2019-12-07 02:14 - 000000000 ____D C:\Windows\bcastdvr
2023-05-11 21:35 - 2023-04-14 19:10 - 000000000 ____D C:\Users\xingz\AppData\Roaming\bluestacks-services
2023-05-10 18:06 - 2020-12-22 05:54 - 000003536 _____ C:\Windows\system32\Tasks\MicrosoftEdgeUpdateTaskMachineUA
2023-05-10 18:06 - 2020-12-22 05:54 - 000003412 _____ C:\Windows\system32\Tasks\MicrosoftEdgeUpdateTaskMachineCore
2023-05-10 14:55 - 2021-04-20 17:35 - 000000000 ____D C:\Users\xingz\AppData\Local\Google
2023-05-10 07:57 - 2020-05-06 11:36 - 003015168 _____ (Microsoft Corporation) C:\Windows\SysWOW64\PrintConfig.dll
2023-05-10 07:45 - 2021-04-20 17:11 - 000000000 ____D C:\Windows\system32\MRT
2023-05-10 07:40 - 2021-04-20 17:11 - 159583304 ____C (Microsoft Corporation) C:\Windows\system32\MRT.exe
2023-05-09 21:06 - 2021-04-20 17:06 - 000000000 ____D C:\Users\xingz\AppData\Local\Packages
2023-05-08 20:49 - 2021-10-12 10:37 - 000000000 ____D C:\Program Files (x86)\ProtectorsOfRealm
2023-05-08 20:28 - 2023-01-13 21:05 - 000000000 ____D C:\Program Files\Malwarebytes
2023-05-08 20:28 - 2019-12-07 02:14 - 000000000 ___HD C:\Windows\ELAMBKUP
2023-05-07 19:42 - 2022-01-05 20:09 - 000000000 ____D C:\Users\xingz\AppData\Roaming\Microsoft\MMC
2023-05-06 20:50 - 2022-01-29 14:02 - 000000000 ____D C:\Users\xingz\AppData\Local\CrashDumps
2023-05-04 15:49 - 2021-04-20 17:19 - 000000000 ____D C:\Program Files\Microsoft Update Health Tools
2023-05-02 15:49 - 2020-05-06 11:33 - 000000000 ____D C:\Windows\system32\Drivers\wd
2023-05-02 11:45 - 2023-04-14 19:10 - 000000000 ____D C:\Users\xingz\AppData\Local\bluestacks-services-updater
==================== SigCheck ============================
(There is no automatic fix for files that do not pass verification.)
==================== End of FRST.txt ========================
Additional scan result of Farbar Recovery Scan Tool (x64) Version: 25-05-2023
Ran by xingz (26-05-2023 21:41:25)
Running from C:\Users\xingz\Downloads
Microsoft Windows 10 Pro Version 22H2 19045.2965 (X64) (2021-04-21 15:49:59)
Boot Mode: Normal
==========================================================
==================== Accounts: =============================
(If an entry is included in the fixlist, it will be removed.)
Administrator (S-1-5-21-3401934515-1319308757-2340201554-500 - Administrator - Disabled)
DefaultAccount (S-1-5-21-3401934515-1319308757-2340201554-503 - Limited - Disabled)
Guest (S-1-5-21-3401934515-1319308757-2340201554-501 - Limited - Disabled)
kevin (S-1-5-21-3401934515-1319308757-2340201554-1014 - Limited - Disabled)
steve (S-1-5-21-3401934515-1319308757-2340201554-1013 - Limited - Enabled) => C:\Users\steve
WDAGUtilityAccount (S-1-5-21-3401934515-1319308757-2340201554-504 - Limited - Disabled)
xingz (S-1-5-21-3401934515-1319308757-2340201554-1001 - Administrator - Enabled) => C:\Users\xingz
==================== Security Center ========================
(If an entry is included in the fixlist, it will be removed.)
AV: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
==================== Installed Programs ======================
(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)
Adobe Creative Cloud (HKLM-x32\...\Adobe Creative Cloud) (Version: 5.7.1.1 - Adobe Inc.)
Adobe Premiere Pro 2022 (HKLM-x32\...\PPRO_22_0) (Version: 22.0 - Adobe Inc.)
Apps tracker (HKLM-x32\...\{F3DF7997-48CE-4BA9-BA1E-04E9D1E16056}) (Version: 2.0.2.0 - Marko Devcic)
AVG Update Helper (HKLM-x32\...\{EDB7AEE7-E932-4836-AE50-D3B0B7766CB5}) (Version: 1.8.1188.1 - AVG Technologies) Hidden
Badlion Client (HKLM\...\1de14785-dd8c-5cd2-aae8-d4a376f81d78) (Version: 3.14.0 - Badlion)
blender (HKLM\...\{2BC83619-A036-48ED-9DBB-13E8667E79E2}) (Version: 2.93.1 - Blender Foundation)
BlueStacks App Player (HKLM\...\BlueStacks_nxt) (Version: 5.11.42.1002 - now.gg, Inc.)
BlueStacks Services (HKU\S-1-5-21-3401934515-1319308757-2340201554-1001\...\BlueStacksServices) (Version: 1.1.1 - now.gg, Inc.)
BlueStacks X (HKU\S-1-5-21-3401934515-1319308757-2340201554-1001\...\BlueStacks X) (Version: 10.0.7.1001 - now.gg, Inc.)
Epic Games Launcher Prerequisites (x64) (HKLM\...\{F9C5C994-F6B9-4D75-B3E7-AD01B84073E9}) (Version: 1.0.0.0 - Epic Games, Inc.) Hidden
Feather Launcher (HKLM\...\cb3d390f-61d8-588c-9dbc-20097422bee3) (Version: 1.5.5 - Digital Ingot, Inc.)
Genshin Impact (HKLM\...\Genshin Impact) (Version: 2.23.0.0 - miHoYo Co.,Ltd)
Glorious Model O Software (HKLM-x32\...\{0969D386-B5B4-41BD-98E3-4A1A7D32CB97}_is1) (Version: 1.0.9 - Glorious PC Gaming Race LLC.)
Google Chrome (HKLM-x32\...\Google Chrome) (Version: 113.0.5672.127 - Google LLC)
IntelliJ IDEA Community Edition 2021.3.1 (HKLM-x32\...\IntelliJ IDEA Community Edition 2021.3.1) (Version: 213.6461.79 - JetBrains s.r.o.)
Java 8 Update 311 (64-bit) (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F64180311F0}) (Version: 8.0.3110.11 - Oracle Corporation)
Launcher Prerequisites (x64) (HKLM-x32\...\{43a03b9c-4770-409c-a999-587b60700b63}) (Version: 1.0.0.0 - Epic Games, Inc.) Hidden
Lenovo Quick Clean (HKLM-x32\...\{DD167096-6F6D-4250-B94E-6CE26EE8C409}_is1) (Version: 1.02.0041 - Lenovo)
Lenovo Vantage Service (HKLM-x32\...\VantageSRV_is1) (Version: 3.13.43.0 - Lenovo Group Ltd.)
Lunar Client (HKU\S-1-5-21-3401934515-1319308757-2340201554-1001\...\1fcec38f-e773-5444-8669-32b8eb41524b) (Version: 2.15.1 - Moonsworth, LLC)
Lunar Client (HKU\S-1-5-21-3401934515-1319308757-2340201554-1013\...\1fcec38f-e773-5444-8669-32b8eb41524b) (Version: 2.15.1 - Moonsworth, LLC)
MacroRecorder v2.0.82 (HKLM-x32\...\MacroRecorder_is1) (Version: 2.0.82 - Bartels Media GmbH)
Malwarebytes version 4.5.28.266 (HKLM\...\{35065F43-4BB2-439A-BFF7-0F1014F2E0CD}_is1) (Version: 4.5.28.266 - Malwarebytes)
Microsoft Edge (HKLM-x32\...\Microsoft Edge) (Version: 113.0.1774.50 - Microsoft Corporation)
Microsoft Edge WebView2 Runtime (HKLM-x32\...\Microsoft EdgeWebView) (Version: 113.0.1774.50 - Microsoft Corporation)
Microsoft GameInput (HKLM-x32\...\{1F2B6AF3-C260-8666-5950-E3FEDBC851D6}) (Version: 10.1.22621.3036 - Microsoft Corporation)
Microsoft Office Professional Plus 2019 - en-us (HKLM\...\ProPlus2019Retail - en-us) (Version: 16.0.16327.20248 - Microsoft Corporation)
Microsoft OneDrive (HKLM\...\OneDriveSetup.exe) (Version: 23.091.0430.0001 - Microsoft Corporation)
Microsoft Update Health Tools (HKLM\...\{BB052C53-34CB-42DE-AF41-66FDFCEEC868}) (Version: 3.72.0.0 - Microsoft Corporation)
Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 (HKLM-x32\...\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030 (HKLM-x32\...\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2012 x64 Additional Runtime - 11.0.61030 (HKLM\...\{37B8F9C7-03FB-3253-8781-2517C99D7C00}) (Version: 11.0.61030 - Microsoft Corporation) Hidden
Microsoft Visual C++ 2012 x64 Minimum Runtime - 11.0.61030 (HKLM\...\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}) (Version: 11.0.61030 - Microsoft Corporation) Hidden
Microsoft Visual C++ 2012 x86 Additional Runtime - 11.0.61030 (HKLM-x32\...\{B175520C-86A2-35A7-8619-86DC379688B9}) (Version: 11.0.61030 - Microsoft Corporation) Hidden
Microsoft Visual C++ 2012 x86 Minimum Runtime - 11.0.61030 (HKLM-x32\...\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}) (Version: 11.0.61030 - Microsoft Corporation) Hidden
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.40649 (HKLM-x32\...\{5d0723d3-cff7-4e07-8d0b-ada737deb5e6}) (Version: 12.0.40649.5 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.40664 (HKLM-x32\...\{042d26ef-3dbe-4c25-95d3-4c1b11b235a7}) (Version: 12.0.40664.0 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.40664 (HKLM-x32\...\{9dff3540-fc85-4ed5-ac84-9e3c7fd8bece}) (Version: 12.0.40664.0 - Microsoft Corporation)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.40664 (HKLM\...\{010792BA-551A-3AC0-A7EF-0FAB4156C382}) (Version: 12.0.40664 - Microsoft Corporation) Hidden
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.40664 (HKLM\...\{53CF6934-A98D-3D84-9146-FC4EDF3D5641}) (Version: 12.0.40664 - Microsoft Corporation) Hidden
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.40664 (HKLM-x32\...\{D401961D-3A20-3AC7-943B-6139D5BD490A}) (Version: 12.0.40664 - Microsoft Corporation) Hidden
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.40664 (HKLM-x32\...\{8122DAB1-ED4D-3676-BB0A-CA368196543E}) (Version: 12.0.40664 - Microsoft Corporation) Hidden
Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.23.27820 (HKLM-x32\...\{45231ab4-69fd-486a-859d-7a59fcd11013}) (Version: 14.23.27820.0 - Microsoft Corporation)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.31.31103 (HKLM-x32\...\{2aaf1df0-eb13-4099-9992-962bb4e596d1}) (Version: 14.31.31103.0 - Microsoft Corporation)
Microsoft Visual C++ 2019 X86 Additional Runtime - 14.23.27820 (HKLM-x32\...\{86BE78D9-65A1-4E69-86F8-C1F5281F8553}) (Version: 14.23.27820 - Microsoft Corporation) Hidden
Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.23.27820 (HKLM-x32\...\{00AC3934-26B4-406E-807C-1692AC7329EC}) (Version: 14.23.27820 - Microsoft Corporation) Hidden
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.31.31103 (HKLM\...\{A977984B-9244-49E3-BD24-43F0A8009667}) (Version: 14.31.31103 - Microsoft Corporation) Hidden
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.31.31103 (HKLM\...\{A181A302-3F6D-4BAD-97A8-A426A6499D78}) (Version: 14.31.31103 - Microsoft Corporation) Hidden
Minecraft Launcher (HKLM-x32\...\{733C3ACB-432D-4880-B0E1-660000D7974D}) (Version: 1.0.0.0 - Mojang)
Mozilla Firefox (x64 en-US) (HKLM\...\Mozilla Firefox 113.0.2 (x64 en-US)) (Version: 113.0.2 - Mozilla)
Mozilla Maintenance Service (HKLM\...\MozillaMaintenanceService) (Version: 94.0.1 - Mozilla)
Office 16 Click-to-Run Extensibility Component (HKLM\...\{90160000-008C-0000-1000-0000000FF1CE}) (Version: 16.0.16130.20218 - Microsoft Corporation) Hidden
Office 16 Click-to-Run Licensing Component (HKLM\...\{90160000-007E-0000-1000-0000000FF1CE}) (Version: 16.0.16327.20248 - Microsoft Corporation) Hidden
Office 16 Click-to-Run Localization Component (HKLM\...\{90160000-008C-0409-1000-0000000FF1CE}) (Version: 16.0.14131.20278 - Microsoft Corporation) Hidden
Opera GX Stable 98.0.4759.74 (HKU\S-1-5-21-3401934515-1319308757-2340201554-1001\...\Opera GX 98.0.4759.74) (Version: 98.0.4759.74 - Opera Software)
osu! (HKLM-x32\...\{6c74fb19-7d77-4e40-b7f5-eeca266c15dc}) (Version: latest - ppy Pty Ltd)
PyCharm Community Edition 222.3048.9 (HKLM-x32\...\PyCharm Community Edition 222.3048.9) (Version: 222.3048.9 - JetBrains s.r.o.)
Python 3.10.5 (64-bit) (HKU\S-1-5-21-3401934515-1319308757-2340201554-1001\...\{e15803b8-d809-47f3-8818-73f0d155cf58}) (Version: 3.10.5150.0 - Python Software Foundation)
Python 3.10.5 Core Interpreter (64-bit) (HKLM\...\{496B2CAE-CF79-440A-82F1-7587559ABA00}) (Version: 3.10.5150.0 - Python Software Foundation) Hidden
Python 3.10.5 Development Libraries (64-bit) (HKLM\...\{7B0F6EAD-C8A1-4496-8492-801EDE1A6323}) (Version: 3.10.5150.0 - Python Software Foundation) Hidden
Python 3.10.5 Documentation (64-bit) (HKLM\...\{3BC23B98-3D25-4A74-98FD-A1BE957A1340}) (Version: 3.10.5150.0 - Python Software Foundation) Hidden
Python 3.10.5 Executables (64-bit) (HKLM\...\{0FE1250F-6DD6-4948-B211-741B7CDBB335}) (Version: 3.10.5150.0 - Python Software Foundation) Hidden
Python 3.10.5 pip Bootstrap (64-bit) (HKLM\...\{C3B084B6-D193-4633-BBB4-E890AAB946A2}) (Version: 3.10.5150.0 - Python Software Foundation) Hidden
Python 3.10.5 Standard Library (64-bit) (HKLM\...\{67F90672-C696-4DBB-8F33-95CCCFA21DCE}) (Version: 3.10.5150.0 - Python Software Foundation) Hidden
Python 3.10.5 Tcl/Tk Support (64-bit) (HKLM\...\{7F7E3C5D-2A37-4F1D-8E8C-3BB073D36BFE}) (Version: 3.10.5150.0 - Python Software Foundation) Hidden
Python 3.10.5 Test Suite (64-bit) (HKLM\...\{269FCA5D-D0CF-43B2-B656-24DF6DAA0D4E}) (Version: 3.10.5150.0 - Python Software Foundation) Hidden
Python 3.10.5 Utility Scripts (64-bit) (HKLM\...\{BBD9CCC0-981B-4976-91EC-4C1E637BCF85}) (Version: 3.10.5150.0 - Python Software Foundation) Hidden
Python Launcher (HKLM-x32\...\{25196DA8-29BD-4383-B7B5-B36C3BAF43F3}) (Version: 3.10.7826.0 - Python Software Foundation)
Roblox Player (HKLM-x32\...\roblox-player-admin) (Version: - Roblox Corporation)
Roblox Player for xingz (HKU\S-1-5-21-3401934515-1319308757-2340201554-1001\...\roblox-player) (Version: - Roblox Corporation)
Roblox Studio for xingz (HKU\S-1-5-21-3401934515-1319308757-2340201554-1001\...\roblox-studio) (Version: - Roblox Corporation)
Spotify (HKU\S-1-5-21-3401934515-1319308757-2340201554-1001\...\Spotify) (Version: 1.2.10.760.g52970952 - Spotify AB)
Spotify (HKU\S-1-5-21-3401934515-1319308757-2340201554-1013\...\Spotify) (Version: 1.2.8.923.g4f94bf0d - Spotify AB)
Tecware Phantom RGB (HKLM-x32\...\{12F382E1-63D4-4B94-BD32-5F845E74FC79}) (Version: 2017.10.20 - Tecware Inc.)
TightVNC (HKLM\...\{361FB9AD-9238-4E87-8CFB-4126752A79F8}) (Version: 2.8.63.0 - GlavSoft LLC.)
Windows PC Health Check (HKLM\...\{6798C408-2636-448C-8AC6-F4E341102D27}) (Version: 3.6.2204.08001 - Microsoft Corporation)
X-Mouse Button Control 2.19.2 (HKLM-x32\...\X-Mouse Button Control) (Version: 2.19.2 - Highresolution Enterprises)
Zoom (HKU\S-1-5-21-3401934515-1319308757-2340201554-1001\...\ZoomUMX) (Version: 5.13.11 (13434) - Zoom Video Communications, Inc.)
Zoom (HKU\S-1-5-21-3401934515-1319308757-2340201554-1013\...\ZoomUMX) (Version: 5.13.3 (11494) - Zoom Video Communications, Inc.)
Packages:
=========
Adobe Notification Client -> C:\Program Files\WindowsApps\AdobeNotificationClient_3.0.1.1_x86__enpm4xejd91yc [2022-04-20] (Adobe Systems Incorporated)
Canon Office Printer Utility -> C:\Program Files\WindowsApps\34791E63.CanonOfficePrinterUtility_12.7.0.0_x64__6e5tt8cgb93ep [2023-04-01] (Canon Inc.)
Dolby Access -> C:\Program Files\WindowsApps\DolbyLaboratories.DolbyAccess_3.17.945.0_x64__rz1tebttyb220 [2023-05-12] (Dolby Laboratories)
ELAN TrackPoint for Thinkpad -> C:\Program Files\WindowsApps\ELANMicroelectronicsCorpo.ELANTrackPointforThinkpa_24.121.18.0_x64__stws0m115j6hg [2023-04-13] (ELAN Microelectronics Corporation)
Intel® Graphics Command Center -> C:\Program Files\WindowsApps\AppUp.IntelGraphicsExperience_1.100.4779.0_x64__8j3eq9eme6ctt [2023-04-14] (INTEL CORP) [Startup Task]
Lenovo Companion -> C:\Program Files\WindowsApps\E046963F.LenovoCompanion_10.2304.15.0_x64__k1h2ywk1493x8 [2023-05-12] (LENOVO INC.)
Microsoft Advertising SDK for XAML -> C:\Program Files\WindowsApps\Microsoft.Advertising.Xaml_10.1811.1.0_x64__8wekyb3d8bbwe [2021-04-20] (Microsoft Corporation) [MS Ad]
Microsoft Advertising SDK for XAML -> C:\Program Files\WindowsApps\Microsoft.Advertising.Xaml_10.1811.1.0_x86__8wekyb3d8bbwe [2021-04-20] (Microsoft Corporation) [MS Ad]
Minecraft for Windows 10 -> C:\Program Files\WindowsApps\Microsoft.MinecraftUWP_1.19.8301.0_x64__8wekyb3d8bbwe [2023-05-18] (Microsoft Studios)
Minecraft Launcher -> C:\Program Files\WindowsApps\Microsoft.4297127D64EC6_1.2.4.0_x64__8wekyb3d8bbwe [2023-03-22] (0)
MPEG-2 Video Extension -> C:\Program Files\WindowsApps\Microsoft.MPEG2VideoExtension_1.0.50901.0_x64__8wekyb3d8bbwe [2022-10-20] (Microsoft Corporation)
Photos Media Engine Add-on -> C:\Program Files\WindowsApps\Microsoft.Photos.MediaEngineDLC_1.0.0.0_x64__8wekyb3d8bbwe [2021-12-29] (Microsoft Corporation)
PrebootManager -> C:\Program Files\WindowsApps\SynapticsIncorporated.SynapticsUtilities_1.1.15.0_x64__807d65c4rvak2 [2023-05-26] (Synaptics Incorporated)
Realtek Audio Control -> C:\Program Files\WindowsApps\RealtekSemiconductorCorp.RealtekAudioControl_1.39.283.0_x64__dt26b99r8h8gj [2023-04-13] (Realtek Semiconductor Corp)
Solitaire & Casual Games -> C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.16.3140.0_x64__8wekyb3d8bbwe [2023-03-24] (Microsoft Studios) [MS Ad]
Thunderbolt™ Control Center -> C:\Program Files\WindowsApps\AppUp.ThunderboltControlCenter_1.0.36.0_x64__8j3eq9eme6ctt [2022-10-20] (INTEL CORP)
==================== Custom CLSID (Whitelisted): ==============
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
CustomCLSID: HKU\S-1-5-21-3401934515-1319308757-2340201554-1001_Classes\CLSID\{0E270DAA-1BE6-48F2-AC49-56513A335FF0} -> [Creative Cloud Files] => C:\Users\xingz\Creative Cloud Files [2021-12-12 12:13]
CustomCLSID: HKU\S-1-5-21-3401934515-1319308757-2340201554-1001_Classes\CLSID\{2F81B25E-7507-4844-BFF2-77D2CC24CED4}\localserver32 -> C:\Program Files\Adobe\Adobe Creative Cloud\ACC\Creative Cloud.exe (Adobe Inc. -> Adobe Inc.)
CustomCLSID: HKU\S-1-5-21-3401934515-1319308757-2340201554-1001_Classes\CLSID\{89b2b650-c4dd-d68b-46e7-3176f1973c8b}\localserver32 -> "C:\Program Files\Voicemod Desktop\VoicemodDesktop.exe" -ToastActivated => No File
CustomCLSID: HKU\S-1-5-21-3401934515-1319308757-2340201554-1001_Classes\CLSID\{e8c77137-e224-5791-b6e9-ff0305797a13}\InprocServer32 -> C:\Program Files (x86)\Adobe\Adobe Creative Cloud\Utils\npAdobeAAMDetect64.dll (Adobe Inc. -> Adobe Systems)
ShellIconOverlayIdentifiers: [ OneDrive1] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} => C:\Program Files\Microsoft OneDrive\23.091.0430.0001\FileSyncShell64.dll [2023-05-18] (Microsoft Corporation -> Microsoft Corporation)
ShellIconOverlayIdentifiers: [ OneDrive2] -> {5AB7172C-9C11-405C-8DD5-AF20F3606282} => C:\Program Files\Microsoft OneDrive\23.091.0430.0001\FileSyncShell64.dll [2023-05-18] (Microsoft Corporation -> Microsoft Corporation)
ShellIconOverlayIdentifiers: [ OneDrive3] -> {A78ED123-AB77-406B-9962-2A5D9D2F7F30} => C:\Program Files\Microsoft OneDrive\23.091.0430.0001\FileSyncShell64.dll [2023-05-18] (Microsoft Corporation -> Microsoft Corporation)
ShellIconOverlayIdentifiers: [ OneDrive4] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} => C:\Program Files\Microsoft OneDrive\23.091.0430.0001\FileSyncShell64.dll [2023-05-18] (Microsoft Corporation -> Microsoft Corporation)
ShellIconOverlayIdentifiers: [ OneDrive5] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} => C:\Program Files\Microsoft OneDrive\23.091.0430.0001\FileSyncShell64.dll [2023-05-18] (Microsoft Corporation -> Microsoft Corporation)
ShellIconOverlayIdentifiers: [ OneDrive6] -> {9AA2F32D-362A-42D9-9328-24A483E2CCC3} => C:\Program Files\Microsoft OneDrive\23.091.0430.0001\FileSyncShell64.dll [2023-05-18] (Microsoft Corporation -> Microsoft Corporation)
ShellIconOverlayIdentifiers: [ OneDrive7] -> {C5FF006E-2AE9-408C-B85B-2DFDD5449D9C} => C:\Program Files\Microsoft OneDrive\23.091.0430.0001\FileSyncShell64.dll [2023-05-18] (Microsoft Corporation -> Microsoft Corporation)
ShellIconOverlayIdentifiers: [ AccExtIco1] -> {AB9CF9F8-8A96-4F9D-BF21-CE85714C3A47} => C:\Program Files (x86)\Common Files\Adobe\CoreSyncExtension\CoreSync_x64.dll [2022-05-24] (Adobe Inc. -> )
ShellIconOverlayIdentifiers: [ AccExtIco2] -> {853B7E05-C47D-4985-909A-D0DC5C6D7303} => C:\Program Files (x86)\Common Files\Adobe\CoreSyncExtension\CoreSync_x64.dll [2022-05-24] (Adobe Inc. -> )
ShellIconOverlayIdentifiers: [ AccExtIco3] -> {42D38F2E-98E9-4382-B546-E24E4D6D04BB} => C:\Program Files (x86)\Common Files\Adobe\CoreSyncExtension\CoreSync_x64.dll [2022-05-24] (Adobe Inc. -> )
ShellIconOverlayIdentifiers-x32: [ OneDrive1] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} => C:\Program Files\Microsoft OneDrive\23.091.0430.0001\FileSyncShell64.dll [2023-05-18] (Microsoft Corporation -> Microsoft Corporation)
ShellIconOverlayIdentifiers-x32: [ OneDrive2] -> {5AB7172C-9C11-405C-8DD5-AF20F3606282} => C:\Program Files\Microsoft OneDrive\23.091.0430.0001\FileSyncShell64.dll [2023-05-18] (Microsoft Corporation -> Microsoft Corporation)
ShellIconOverlayIdentifiers-x32: [ OneDrive3] -> {A78ED123-AB77-406B-9962-2A5D9D2F7F30} => C:\Program Files\Microsoft OneDrive\23.091.0430.0001\FileSyncShell64.dll [2023-05-18] (Microsoft Corporation -> Microsoft Corporation)
ShellIconOverlayIdentifiers-x32: [ OneDrive4] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} => C:\Program Files\Microsoft OneDrive\23.091.0430.0001\FileSyncShell64.dll [2023-05-18] (Microsoft Corporation -> Microsoft Corporation)
ShellIconOverlayIdentifiers-x32: [ OneDrive5] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} => C:\Program Files\Microsoft OneDrive\23.091.0430.0001\FileSyncShell64.dll [2023-05-18] (Microsoft Corporation -> Microsoft Corporation)
ShellIconOverlayIdentifiers-x32: [ OneDrive6] -> {9AA2F32D-362A-42D9-9328-24A483E2CCC3} => C:\Program Files\Microsoft OneDrive\23.091.0430.0001\FileSyncShell64.dll [2023-05-18] (Microsoft Corporation -> Microsoft Corporation)
ShellIconOverlayIdentifiers-x32: [ OneDrive7] -> {C5FF006E-2AE9-408C-B85B-2DFDD5449D9C} => C:\Program Files\Microsoft OneDrive\23.091.0430.0001\FileSyncShell64.dll [2023-05-18] (Microsoft Corporation -> Microsoft Corporation)
ContextMenuHandlers1: [ FileSyncEx] -> {CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B} => C:\Program Files\Microsoft OneDrive\23.091.0430.0001\FileSyncShell64.dll [2023-05-18] (Microsoft Corporation -> Microsoft Corporation)
ContextMenuHandlers1: [AccExt] -> {2A118EB5-5797-4F5E-8B3D-F4ECBA3C98E4} => C:\Program Files (x86)\Common Files\Adobe\CoreSyncExtension\CoreSync_x64.dll [2022-05-24] (Adobe Inc. -> )
ContextMenuHandlers1: [ANotepad++64] -> {B298D29A-A6ED-11DE-BA8C-A68E55D89593} => C:\Program Files\Notepad++\NppShell_06.dll -> No File
ContextMenuHandlers3: [MBAMShlExt] -> {57CE581A-0CB6-4266-9CA0-19364C90A0B3} => C:\Program Files\Malwarebytes\Anti-Malware\mbshlext.dll [2023-05-08] (Malwarebytes Inc. -> Malwarebytes)
ContextMenuHandlers4: [ FileSyncEx] -> {CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B} => C:\Program Files\Microsoft OneDrive\23.091.0430.0001\FileSyncShell64.dll [2023-05-18] (Microsoft Corporation -> Microsoft Corporation)
ContextMenuHandlers5: [ FileSyncEx] -> {CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B} => C:\Program Files\Microsoft OneDrive\23.091.0430.0001\FileSyncShell64.dll [2023-05-18] (Microsoft Corporation -> Microsoft Corporation)
ContextMenuHandlers6: [AccExt] -> {2A118EB5-5797-4F5E-8B3D-F4ECBA3C98E4} => C:\Program Files (x86)\Common Files\Adobe\CoreSyncExtension\CoreSync_x64.dll [2022-05-24] (Adobe Inc. -> )
ContextMenuHandlers6: [MBAMShlExt] -> {57CE581A-0CB6-4266-9CA0-19364C90A0B3} => C:\Program Files\Malwarebytes\Anti-Malware\mbshlext.dll [2023-05-08] (Malwarebytes Inc. -> Malwarebytes)
==================== Codecs (Whitelisted) ====================
==================== Shortcuts & WMI ========================
==================== Loaded Modules (Whitelisted) =============
2020-12-22 05:55 - 2020-12-22 05:55 - 000000000 ____L (Microsoft Corporation) [simlink -> C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppvIsvSubsystems64.dll] C:\Program Files\Microsoft Office\Root\Office16\AppVIsvSubsystems64.dll
2020-12-22 05:55 - 2020-12-22 05:55 - 000000000 ____L (Microsoft Corporation) [simlink -> C:\Program Files\Common Files\Microsoft Shared\ClickToRun\C2R64.dll] C:\Program Files\Microsoft Office\Root\Office16\c2r64.dll
==================== Alternate Data Streams (Whitelisted) ========
(If an entry is included in the fixlist, only the ADS will be removed.)
AlternateDataStreams: C:\ProgramData\Microsoft.SqlServer.Compact.400.32.bc:169D67954B [3434]
AlternateDataStreams: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Creative Cloud.lnk:7661CCE9BF [3434]
AlternateDataStreams: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Badlion Client.lnk:8BD81608B2 [3434]
==================== Safe Mode (Whitelisted) ==================
(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MBAMService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MBAMService => ""="Service"
==================== Association (Whitelisted) =================
==================== Internet Explorer (Whitelisted) ==========
HKU\S-1-5-21-3401934515-1319308757-2340201554-1001\Software\Microsoft\Internet Explorer\Main,Secondary Start Pages = hxxp://mystart.lenovo.com/
HKU\S-1-5-21-3401934515-1319308757-2340201554-1013\Software\Microsoft\Internet Explorer\Main,Secondary Start Pages = hxxp://mystart.lenovo.com/
SearchScopes: HKU\S-1-5-21-3401934515-1319308757-2340201554-1001 -> DefaultScope {56D2BC0A-A4AF-4853-ACAF-CF45B41ECDC4} URL =
SearchScopes: HKU\S-1-5-21-3401934515-1319308757-2340201554-1001 -> {56D2BC0A-A4AF-4853-ACAF-CF45B41ECDC4} URL =
BHO: Skype for Business Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files\Microsoft Office\root\Office16\OCHelper.dll [2023-01-31] (Microsoft Corporation -> Microsoft Corporation)
BHO: Java Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre1.8.0_311\bin\ssv.dll [2021-10-31] (Oracle America, Inc. -> Oracle Corporation)
BHO: Java Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre1.8.0_311\bin\jp2ssv.dll [2021-10-31] (Oracle America, Inc. -> Oracle Corporation)
BHO-x32: Skype for Business Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft Office\Office16\OCHelper.dll [2023-03-03] (Microsoft Corporation -> Microsoft Corporation)
Handler: mso-minsb-roaming.16 - {83C25742-A9F7-49FB-9138-434302C88D07} - C:\Program Files\Microsoft Office\root\Office16\MSOSB.DLL [2023-04-29] (Microsoft Corporation -> Microsoft Corporation)
Handler-x32: mso-minsb-roaming.16 - {83C25742-A9F7-49FB-9138-434302C88D07} - C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft Office\Office16\MSOSB.DLL [2023-04-29] (Microsoft Corporation -> Microsoft Corporation)
Handler: mso-minsb.16 - {42089D2D-912D-4018-9087-2B87803E93FB} - C:\Program Files\Microsoft Office\root\Office16\MSOSB.DLL [2023-04-29] (Microsoft Corporation -> Microsoft Corporation)
Handler-x32: mso-minsb.16 - {42089D2D-912D-4018-9087-2B87803E93FB} - C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft Office\Office16\MSOSB.DLL [2023-04-29] (Microsoft Corporation -> Microsoft Corporation)
Handler: osf-roaming.16 - {42089D2D-912D-4018-9087-2B87803E93FB} - C:\Program Files\Microsoft Office\root\Office16\MSOSB.DLL [2023-04-29] (Microsoft Corporation -> Microsoft Corporation)
Handler-x32: osf-roaming.16 - {42089D2D-912D-4018-9087-2B87803E93FB} - C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft Office\Office16\MSOSB.DLL [2023-04-29] (Microsoft Corporation -> Microsoft Corporation)
Handler: osf.16 - {5504BE45-A83B-4808-900A-3A5C36E7F77A} - C:\Program Files\Microsoft Office\root\Office16\MSOSB.DLL [2023-04-29] (Microsoft Corporation -> Microsoft Corporation)
Handler-x32: osf.16 - {5504BE45-A83B-4808-900A-3A5C36E7F77A} - C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft Office\Office16\MSOSB.DLL [2023-04-29] (Microsoft Corporation -> Microsoft Corporation)
==================== Hosts content: =========================
(If needed Hosts: directive could be included in the fixlist to reset Hosts.)
2019-12-07 02:14 - 2023-03-31 18:57 - 000000824 _____ C:\Windows\system32\drivers\etc\hosts
==================== Other Areas ===========================
(Currently there is no automatic fix for this section.)
HKLM\System\CurrentControlSet\Control\Session Manager\Environment\\Path -> C:\Program Files (x86)\Common Files\Oracle\Java\javapath;%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;%SYSTEMROOT%\System32\WindowsPowerShell\v1.0\;%SYSTEMROOT%\System32\OpenSSH\
HKU\S-1-5-21-3401934515-1319308757-2340201554-1001\Control Panel\Desktop\\Wallpaper -> c:\windows\web\wallpaper\windows\img0.jpg
HKU\S-1-5-21-3401934515-1319308757-2340201554-1013\Control Panel\Desktop\\Wallpaper -> c:\windows\web\wallpaper\windows\img0.jpg
DNS Servers: 192.168.1.254
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
Windows Firewall is enabled.
==================== MSCONFIG/TASK MANAGER disabled items ==
(If an entry is included in the fixlist, it will be removed.)
HKLM\...\StartupApproved\Run: => "SecurityHealth"
HKLM\...\StartupApproved\Run: => "XMouseButtonControl"
HKLM\...\StartupApproved\Run32: => "SunJavaUpdateSched"
HKLM\...\StartupApproved\Run32: => "Adobe Creative Cloud"
HKLM\...\StartupApproved\Run32: => "Adobe CCXProcess"
HKLM\...\StartupApproved\Run32: => "Launch 0 FwCustom"
HKLM\...\StartupApproved\Run32: => "app service"
HKU\S-1-5-21-3401934515-1319308757-2340201554-1001\...\StartupApproved\StartupFolder: => "Editor.lnk"
HKU\S-1-5-21-3401934515-1319308757-2340201554-1001\...\StartupApproved\Run: => "OneDrive"
HKU\S-1-5-21-3401934515-1319308757-2340201554-1001\...\StartupApproved\Run: => "electron.app.BlueStacks Services"
HKU\S-1-5-21-3401934515-1319308757-2340201554-1001\...\StartupApproved\Run: => "Spotify"
HKU\S-1-5-21-3401934515-1319308757-2340201554-1001\...\StartupApproved\Run: => "Opera GX Stable"
==================== FirewallRules (Whitelisted) ================
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
FirewallRules: [{220EE994-BE11-4910-9E9D-6AD363581480}] => (Allow) C:\Users\xingz\AppData\Roaming\Zoom\bin\Zoom.exe (Zoom Video Communications, Inc. -> Zoom Video Communications, Inc.)
FirewallRules: [{0A6F0D8E-1114-4217-B9DE-78CF34647377}] => (Allow) C:\Users\xingz\AppData\Roaming\Zoom\bin\airhost.exe (Zoom Video Communications, Inc. -> Zoom Video Communications, Inc.)
FirewallRules: [{181AA54A-9C82-4ADE-8624-B6C81A36323D}] => (Allow) C:\Users\xingz\AppData\Roaming\Zoom\bin\airhost.exe (Zoom Video Communications, Inc. -> Zoom Video Communications, Inc.)
FirewallRules: [TCP Query User{F1A9B36C-0A78-41B4-8BC9-19D7FEE55CE7}C:\users\xingz\appdata\local\roblox\versions\version-8ac675b82d1f4055\robloxstudiobeta.exe] => (Block) C:\users\xingz\appdata\local\roblox\versions\version-8ac675b82d1f4055\robloxstudiobeta.exe => No File
FirewallRules: [UDP Query User{3AE58D10-59EC-4607-B1B4-038185D245C7}C:\users\xingz\appdata\local\roblox\versions\version-8ac675b82d1f4055\robloxstudiobeta.exe] => (Block) C:\users\xingz\appdata\local\roblox\versions\version-8ac675b82d1f4055\robloxstudiobeta.exe => No File
FirewallRules: [TCP Query User{131BD6D6-3994-4EB3-8C89-60520B6D9413}C:\program files (x86)\minecraft launcher\runtime\java-runtime-alpha\windows-x64\java-runtime-alpha\bin\javaw.exe] => (Allow) C:\program files (x86)\minecraft launcher\runtime\java-runtime-alpha\windows-x64\java-runtime-alpha\bin\javaw.exe
FirewallRules: [UDP Query User{80A7C161-F82A-4F43-B84A-554A595F5E45}C:\program files (x86)\minecraft launcher\runtime\java-runtime-alpha\windows-x64\java-runtime-alpha\bin\javaw.exe] => (Allow) C:\program files (x86)\minecraft launcher\runtime\java-runtime-alpha\windows-x64\java-runtime-alpha\bin\javaw.exe
FirewallRules: [TCP Query User{42D1D028-DBD3-4429-A36F-5ABE21C401B8}C:\program files (x86)\minecraft launcher\runtime\java-runtime-alpha\windows-x64\java-runtime-alpha\bin\javaw.exe] => (Block) C:\program files (x86)\minecraft launcher\runtime\java-runtime-alpha\windows-x64\java-runtime-alpha\bin\javaw.exe
FirewallRules: [UDP Query User{731A2418-E675-4A8B-BABD-CC61236B8760}C:\program files (x86)\minecraft launcher\runtime\java-runtime-alpha\windows-x64\java-runtime-alpha\bin\javaw.exe] => (Block) C:\program files (x86)\minecraft launcher\runtime\java-runtime-alpha\windows-x64\java-runtime-alpha\bin\javaw.exe
FirewallRules: [TCP Query User{DBB37804-20A8-42DE-83BF-F08F4876B251}C:\program files (x86)\minecraft launcher\runtime\jre-legacy\windows-x64\jre-legacy\bin\javaw.exe] => (Block) C:\program files (x86)\minecraft launcher\runtime\jre-legacy\windows-x64\jre-legacy\bin\javaw.exe
FirewallRules: [UDP Query User{30ABE11C-B120-4079-AFCF-B0C886725B21}C:\program files (x86)\minecraft launcher\runtime\jre-legacy\windows-x64\jre-legacy\bin\javaw.exe] => (Block) C:\program files (x86)\minecraft launcher\runtime\jre-legacy\windows-x64\jre-legacy\bin\javaw.exe
FirewallRules: [TCP Query User{87DE7BF8-D457-45D8-8452-D4A363BF2055}C:\program files (x86)\minecraft launcher\runtime\jre-legacy\windows-x64\jre-legacy\bin\javaw.exe] => (Block) C:\program files (x86)\minecraft launcher\runtime\jre-legacy\windows-x64\jre-legacy\bin\javaw.exe
FirewallRules: [UDP Query User{B35DFA02-A575-480C-B512-B7490EDE71E6}C:\program files (x86)\minecraft launcher\runtime\jre-legacy\windows-x64\jre-legacy\bin\javaw.exe] => (Block) C:\program files (x86)\minecraft launcher\runtime\jre-legacy\windows-x64\jre-legacy\bin\javaw.exe
FirewallRules: [TCP Query User{9644C938-F6A6-47B4-BCD9-E874160282AC}C:\program files\genshin impact\genshin impact game\genshinimpact.exe] => (Allow) C:\program files\genshin impact\genshin impact game\genshinimpact.exe (COGNOSPHERE PTE. LTD. -> )
FirewallRules: [UDP Query User{8046336F-4718-4775-80AC-D06A63441238}C:\program files\genshin impact\genshin impact game\genshinimpact.exe] => (Allow) C:\program files\genshin impact\genshin impact game\genshinimpact.exe (COGNOSPHERE PTE. LTD. -> )
FirewallRules: [TCP Query User{A537D39F-558C-487D-B8B1-62BC763CD5A0}C:\users\xingz\.lunarclient\jre\zulu16.30.15-ca-fx-jre16.0.1-win_x64\bin\javaw.exe] => (Block) C:\users\xingz\.lunarclient\jre\zulu16.30.15-ca-fx-jre16.0.1-win_x64\bin\javaw.exe => No File
FirewallRules: [UDP Query User{2E5A1505-4A1F-4A1B-9998-06FEDAAB72EC}C:\users\xingz\.lunarclient\jre\zulu16.30.15-ca-fx-jre16.0.1-win_x64\bin\javaw.exe] => (Block) C:\users\xingz\.lunarclient\jre\zulu16.30.15-ca-fx-jre16.0.1-win_x64\bin\javaw.exe => No File
FirewallRules: [{0435CBB7-8BC0-47F7-A22A-7EA87315144E}] => (Allow) C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation -> Mozilla Corporation)
FirewallRules: [{3A23E17F-8F05-4395-913D-E741536E8F6B}] => (Allow) C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation -> Mozilla Corporation)
FirewallRules: [TCP Query User{A8E52C09-8CC0-4694-BD2E-653328B79D69}C:\users\xingz\.lunarclient\jre\zulu17.30.15-ca-fx-jre17.0.1-win_x64\bin\javaw.exe] => (Block) C:\users\xingz\.lunarclient\jre\zulu17.30.15-ca-fx-jre17.0.1-win_x64\bin\javaw.exe
FirewallRules: [UDP Query User{1A71ABF3-F2C0-495D-B67E-878E289A0D14}C:\users\xingz\.lunarclient\jre\zulu17.30.15-ca-fx-jre17.0.1-win_x64\bin\javaw.exe] => (Block) C:\users\xingz\.lunarclient\jre\zulu17.30.15-ca-fx-jre17.0.1-win_x64\bin\javaw.exe
FirewallRules: [TCP Query User{4C95AB9A-C709-4D3E-B834-AFEB1B7A3044}C:\program files (x86)\minecraft launcher\runtime\java-runtime-beta\windows-x64\java-runtime-beta\bin\javaw.exe] => (Block) C:\program files (x86)\minecraft launcher\runtime\java-runtime-beta\windows-x64\java-runtime-beta\bin\javaw.exe
FirewallRules: [UDP Query User{73536288-3F51-4D4C-AE7D-539D1B607641}C:\program files (x86)\minecraft launcher\runtime\java-runtime-beta\windows-x64\java-runtime-beta\bin\javaw.exe] => (Block) C:\program files (x86)\minecraft launcher\runtime\java-runtime-beta\windows-x64\java-runtime-beta\bin\javaw.exe
FirewallRules: [TCP Query User{B1941243-58A1-4706-9894-6853924A3C01}C:\program files (x86)\minecraft launcher\runtime\java-runtime-beta\windows-x64\java-runtime-beta\bin\javaw.exe] => (Block) C:\program files (x86)\minecraft launcher\runtime\java-runtime-beta\windows-x64\java-runtime-beta\bin\javaw.exe
FirewallRules: [UDP Query User{431CA77D-84FA-4563-A1F6-5DC7D643EF50}C:\program files (x86)\minecraft launcher\runtime\java-runtime-beta\windows-x64\java-runtime-beta\bin\javaw.exe] => (Block) C:\program files (x86)\minecraft launcher\runtime\java-runtime-beta\windows-x64\java-runtime-beta\bin\javaw.exe
FirewallRules: [TCP Query User{8D9B957B-9DEC-412C-9C79-36424F6B9CAF}C:\users\xingz\.lunarclient\jre\1.8\zulu16.30.15-ca-fx-jre16.0.1-win_x64\bin\javaw.exe] => (Block) C:\users\xingz\.lunarclient\jre\1.8\zulu16.30.15-ca-fx-jre16.0.1-win_x64\bin\javaw.exe
FirewallRules: [UDP Query User{8DB1C6BB-14C3-49BB-ADE5-BC8B089A0CA8}C:\users\xingz\.lunarclient\jre\1.8\zulu16.30.15-ca-fx-jre16.0.1-win_x64\bin\javaw.exe] => (Block) C:\users\xingz\.lunarclient\jre\1.8\zulu16.30.15-ca-fx-jre16.0.1-win_x64\bin\javaw.exe
FirewallRules: [{F4F95BD8-C86C-4684-84AD-3E9F23434793}] => (Allow) C:\Program Files\Microsoft Office\root\Office16\Lync.exe (Microsoft Corporation -> Microsoft Corporation)
FirewallRules: [{7431D0FE-44DD-48EF-89AF-2CD74990CF3C}] => (Allow) C:\Program Files\Microsoft Office\root\Office16\UcMapi.exe (Microsoft Corporation -> Microsoft Corporation)
FirewallRules: [TCP Query User{60343C94-01F2-4AF5-BCC3-AC6FF0FA38D1}C:\program files\jetbrains\intellij idea community edition 2021.3.1\bin\idea64.exe] => (Block) C:\program files\jetbrains\intellij idea community edition 2021.3.1\bin\idea64.exe (JetBrains s.r.o. -> JetBrains s.r.o.)
FirewallRules: [UDP Query User{BB51BDFF-5CF0-4C00-8FED-7FD3D6760F7D}C:\program files\jetbrains\intellij idea community edition 2021.3.1\bin\idea64.exe] => (Block) C:\program files\jetbrains\intellij idea community edition 2021.3.1\bin\idea64.exe (JetBrains s.r.o. -> JetBrains s.r.o.)
FirewallRules: [TCP Query User{077527CC-8AAD-4B33-AF3D-B17A9A984018}C:\users\xingz\appdata\local\packages\microsoft.4297127d64ec6_8wekyb3d8bbwe\localcache\local\runtime\jre-legacy\windows-x64\jre-legacy\bin\javaw.exe] => (Block) C:\users\xingz\appdata\local\packages\microsoft.4297127d64ec6_8wekyb3d8bbwe\localcache\local\runtime\jre-legacy\windows-x64\jre-legacy\bin\javaw.exe
FirewallRules: [UDP Query User{BC0DF9D1-1AAF-4FE0-AF20-C5BE26F48CC0}C:\users\xingz\appdata\local\packages\microsoft.4297127d64ec6_8wekyb3d8bbwe\localcache\local\runtime\jre-legacy\windows-x64\jre-legacy\bin\javaw.exe] => (Block) C:\users\xingz\appdata\local\packages\microsoft.4297127d64ec6_8wekyb3d8bbwe\localcache\local\runtime\jre-legacy\windows-x64\jre-legacy\bin\javaw.exe
FirewallRules: [TCP Query User{8CEBE65D-5403-44DF-B0DA-676C233EB8BB}C:\users\xingz\.lunarclient\jre\1.18\zulu17.30.15-ca-fx-jre17.0.1-win_x64\bin\javaw.exe] => (Block) C:\users\xingz\.lunarclient\jre\1.18\zulu17.30.15-ca-fx-jre17.0.1-win_x64\bin\javaw.exe
FirewallRules: [UDP Query User{2CE92A4D-5B34-40EE-9557-49AD940F49F7}C:\users\xingz\.lunarclient\jre\1.18\zulu17.30.15-ca-fx-jre17.0.1-win_x64\bin\javaw.exe] => (Block) C:\users\xingz\.lunarclient\jre\1.18\zulu17.30.15-ca-fx-jre17.0.1-win_x64\bin\javaw.exe
FirewallRules: [TCP Query User{090B6993-66C6-4F3C-B5DE-7C3F36AE6FE8}C:\users\xingz\appdata\roaming\tone\tone.exe] => (Block) C:\users\xingz\appdata\roaming\tone\tone.exe => No File
FirewallRules: [UDP Query User{63A570DB-5DB8-4CBD-8646-134DAD3354A2}C:\users\xingz\appdata\roaming\tone\tone.exe] => (Block) C:\users\xingz\appdata\roaming\tone\tone.exe => No File
FirewallRules: [TCP Query User{A0DBE3AB-18B7-4866-AE70-EB2433C5A0FF}C:\users\xingz\.lunarclient\jre\1.18.1\zulu17.30.15-ca-fx-jre17.0.1-win_x64\bin\javaw.exe] => (Block) C:\users\xingz\.lunarclient\jre\1.18.1\zulu17.30.15-ca-fx-jre17.0.1-win_x64\bin\javaw.exe
FirewallRules: [UDP Query User{F7046A95-F28C-4E25-AD14-62BEE5051826}C:\users\xingz\.lunarclient\jre\1.18.1\zulu17.30.15-ca-fx-jre17.0.1-win_x64\bin\javaw.exe] => (Block) C:\users\xingz\.lunarclient\jre\1.18.1\zulu17.30.15-ca-fx-jre17.0.1-win_x64\bin\javaw.exe
FirewallRules: [TCP Query User{89717AB1-91C1-4EFD-9E19-AE15FA9E92B5}C:\users\xingz\.lunarclient\jre\1.17\zulu17.30.15-ca-fx-jre17.0.1-win_x64\bin\javaw.exe] => (Allow) C:\users\xingz\.lunarclient\jre\1.17\zulu17.30.15-ca-fx-jre17.0.1-win_x64\bin\javaw.exe
FirewallRules: [UDP Query User{A468293F-3438-4EE0-9AC7-691B07EA0CD9}C:\users\xingz\.lunarclient\jre\1.17\zulu17.30.15-ca-fx-jre17.0.1-win_x64\bin\javaw.exe] => (Allow) C:\users\xingz\.lunarclient\jre\1.17\zulu17.30.15-ca-fx-jre17.0.1-win_x64\bin\javaw.exe
FirewallRules: [TCP Query User{DD7A66B5-B32F-4BE8-95A6-86C69BDD0C88}C:\users\xingz\.lunarclient\jre\1.16\zulu17.30.15-ca-fx-jre17.0.1-win_x64\bin\javaw.exe] => (Block) C:\users\xingz\.lunarclient\jre\1.16\zulu17.30.15-ca-fx-jre17.0.1-win_x64\bin\javaw.exe
FirewallRules: [UDP Query User{B20EEECF-FE38-4222-A476-83000CF6BE22}C:\users\xingz\.lunarclient\jre\1.16\zulu17.30.15-ca-fx-jre17.0.1-win_x64\bin\javaw.exe] => (Block) C:\users\xingz\.lunarclient\jre\1.16\zulu17.30.15-ca-fx-jre17.0.1-win_x64\bin\javaw.exe
FirewallRules: [TCP Query User{BDB226E9-6504-4C39-ACD5-E4FB195DC185}C:\users\xingz\.lunarclient\jre\1.8\zulu16.30.15-ca-fx-jre16.0.1-win_x64\bin\javaw.exe] => (Block) C:\users\xingz\.lunarclient\jre\1.8\zulu16.30.15-ca-fx-jre16.0.1-win_x64\bin\javaw.exe
FirewallRules: [UDP Query User{316AF107-D884-47C2-A996-CDFD4E44C7D3}C:\users\xingz\.lunarclient\jre\1.8\zulu16.30.15-ca-fx-jre16.0.1-win_x64\bin\javaw.exe] => (Block) C:\users\xingz\.lunarclient\jre\1.8\zulu16.30.15-ca-fx-jre16.0.1-win_x64\bin\javaw.exe
FirewallRules: [TCP Query User{E8CB5428-E6ED-4B0E-BE92-4EE528D08F58}C:\users\xingz\.lunarclient\jre\1.18.1\zulu17.30.15-ca-fx-jre17.0.1-win_x64\bin\javaw.exe] => (Block) C:\users\xingz\.lunarclient\jre\1.18.1\zulu17.30.15-ca-fx-jre17.0.1-win_x64\bin\javaw.exe
FirewallRules: [UDP Query User{500E8406-AAF5-460E-904F-6390EC2A6A7E}C:\users\xingz\.lunarclient\jre\1.18.1\zulu17.30.15-ca-fx-jre17.0.1-win_x64\bin\javaw.exe] => (Block) C:\users\xingz\.lunarclient\jre\1.18.1\zulu17.30.15-ca-fx-jre17.0.1-win_x64\bin\javaw.exe
FirewallRules: [TCP Query User{64C14478-4070-4FF1-AE79-7C10A4D03DC3}C:\users\xingz\appdata\roaming\.minecraft\jre\jdk17u12-windows-x64\bin\javaw.exe] => (Block) C:\users\xingz\appdata\roaming\.minecraft\jre\jdk17u12-windows-x64\bin\javaw.exe
FirewallRules: [UDP Query User{2CB2D358-90AC-4C67-A158-BDE116F25096}C:\users\xingz\appdata\roaming\.minecraft\jre\jdk17u12-windows-x64\bin\javaw.exe] => (Block) C:\users\xingz\appdata\roaming\.minecraft\jre\jdk17u12-windows-x64\bin\javaw.exe
FirewallRules: [TCP Query User{76FB8DF8-3C11-4695-99CB-26138B0DB974}C:\users\xingz\.lunarclient\jre\1.19\zulu17.30.15-ca-fx-jre17.0.1-win_x64\bin\javaw.exe] => (Block) C:\users\xingz\.lunarclient\jre\1.19\zulu17.30.15-ca-fx-jre17.0.1-win_x64\bin\javaw.exe
FirewallRules: [UDP Query User{ADC70C55-3F7C-4852-87A6-7E1784CB68A5}C:\users\xingz\.lunarclient\jre\1.19\zulu17.30.15-ca-fx-jre17.0.1-win_x64\bin\javaw.exe] => (Block) C:\users\xingz\.lunarclient\jre\1.19\zulu17.30.15-ca-fx-jre17.0.1-win_x64\bin\javaw.exe
FirewallRules: [TCP Query User{B9C9F3AA-9A60-4CBD-88A8-B82283F1705A}C:\users\xingz\.lunarclient\jre\1.18.2\zulu17.30.15-ca-fx-jre17.0.1-win_x64\bin\javaw.exe] => (Block) C:\users\xingz\.lunarclient\jre\1.18.2\zulu17.30.15-ca-fx-jre17.0.1-win_x64\bin\javaw.exe
FirewallRules: [UDP Query User{B714B485-1BBA-4820-88DA-733170738430}C:\users\xingz\.lunarclient\jre\1.18.2\zulu17.30.15-ca-fx-jre17.0.1-win_x64\bin\javaw.exe] => (Block) C:\users\xingz\.lunarclient\jre\1.18.2\zulu17.30.15-ca-fx-jre17.0.1-win_x64\bin\javaw.exe
FirewallRules: [{A7398E08-3B24-45B7-9158-9A22CAAE9E57}] => (Allow) C:\Program Files\TightVNC\tvnserver.exe (GLAVSOFT, OOO -> GlavSoft LLC.)
FirewallRules: [TCP Query User{86058B7D-B319-4A7D-9058-D29CBECFD8F4}C:\users\xingz\.lunarclient\jre\fa234a1fe798847fdfba61a4106ad35e6c97a521\zulu16.30.15-ca-fx-jre16.0.1-win_x64\bin\javaw.exe] => (Block) C:\users\xingz\.lunarclient\jre\fa234a1fe798847fdfba61a4106ad35e6c97a521\zulu16.30.15-ca-fx-jre16.0.1-win_x64\bin\javaw.exe
FirewallRules: [UDP Query User{DF07CA57-6162-434C-8934-28629F1EAB82}C:\users\xingz\.lunarclient\jre\fa234a1fe798847fdfba61a4106ad35e6c97a521\zulu16.30.15-ca-fx-jre16.0.1-win_x64\bin\javaw.exe] => (Block) C:\users\xingz\.lunarclient\jre\fa234a1fe798847fdfba61a4106ad35e6c97a521\zulu16.30.15-ca-fx-jre16.0.1-win_x64\bin\javaw.exe
FirewallRules: [TCP Query User{4028970E-CA42-4DF2-A462-039638CE4AF9}C:\users\xingz\.lunarclient\jre\afdad172129eee99e8ca772a4ce6e5ee64f8f93c\zulu16.32.15-ca-jre16.0.2-win_x64\bin\javaw.exe] => (Block) C:\users\xingz\.lunarclient\jre\afdad172129eee99e8ca772a4ce6e5ee64f8f93c\zulu16.32.15-ca-jre16.0.2-win_x64\bin\javaw.exe
FirewallRules: [UDP Query User{E2DD6144-1B43-4FC3-9ACA-887493D2F654}C:\users\xingz\.lunarclient\jre\afdad172129eee99e8ca772a4ce6e5ee64f8f93c\zulu16.32.15-ca-jre16.0.2-win_x64\bin\javaw.exe] => (Block) C:\users\xingz\.lunarclient\jre\afdad172129eee99e8ca772a4ce6e5ee64f8f93c\zulu16.32.15-ca-jre16.0.2-win_x64\bin\javaw.exe
FirewallRules: [TCP Query User{76B28E4F-7002-4FC3-AF6B-F3140EE8E5A2}C:\users\xingz\.lunarclient\jre\4dcd188552ce8876d5e55e1f6d22505109bfa4cb\zulu17.34.19-ca-jre17.0.3-win_x64\bin\javaw.exe] => (Block) C:\users\xingz\.lunarclient\jre\4dcd188552ce8876d5e55e1f6d22505109bfa4cb\zulu17.34.19-ca-jre17.0.3-win_x64\bin\javaw.exe
FirewallRules: [UDP Query User{FD6C76BA-FF12-4F4E-BDAF-FB9B138B05F2}C:\users\xingz\.lunarclient\jre\4dcd188552ce8876d5e55e1f6d22505109bfa4cb\zulu17.34.19-ca-jre17.0.3-win_x64\bin\javaw.exe] => (Block) C:\users\xingz\.lunarclient\jre\4dcd188552ce8876d5e55e1f6d22505109bfa4cb\zulu17.34.19-ca-jre17.0.3-win_x64\bin\javaw.exe
FirewallRules: [TCP Query User{F9661B15-9F90-40BD-B6FA-BD5FDE425D37}C:\program files\badlion client\badlion client.exe] => (Block) C:\program files\badlion client\badlion client.exe (ESL Gaming Online, Inc. -> Badlion)
FirewallRules: [UDP Query User{BC4697E4-F53B-44E0-AB8C-20D4DF721396}C:\program files\badlion client\badlion client.exe] => (Block) C:\program files\badlion client\badlion client.exe (ESL Gaming Online, Inc. -> Badlion)
FirewallRules: [TCP Query User{A338E6F4-E93C-428D-A618-A3B8406E36F3}C:\programdata\badlionclient\jre1.8.0_202\bin\javaw.exe] => (Block) C:\programdata\badlionclient\jre1.8.0_202\bin\javaw.exe
FirewallRules: [UDP Query User{CF367926-3FEB-4D21-A2E7-66AE4B87D011}C:\programdata\badlionclient\jre1.8.0_202\bin\javaw.exe] => (Block) C:\programdata\badlionclient\jre1.8.0_202\bin\javaw.exe
FirewallRules: [TCP Query User{BFC855C8-ED46-4B9E-8272-2E740934AEC4}C:\users\xingz\appdata\roaming\.minecraft\jre\jre8u332b09-windows-x64\bin\javaw.exe] => (Block) C:\users\xingz\appdata\roaming\.minecraft\jre\jre8u332b09-windows-x64\bin\javaw.exe
FirewallRules: [UDP Query User{8ADFDD9D-A085-4C59-8896-D7BA14467959}C:\users\xingz\appdata\roaming\.minecraft\jre\jre8u332b09-windows-x64\bin\javaw.exe] => (Block) C:\users\xingz\appdata\roaming\.minecraft\jre\jre8u332b09-windows-x64\bin\javaw.exe
FirewallRules: [TCP Query User{AB878EC0-03FB-4909-8CB9-60B76E57451B}C:\users\steve\appdata\roaming\zoom\bin\zoom.exe] => (Allow) C:\users\steve\appdata\roaming\zoom\bin\zoom.exe (Zoom Video Communications, Inc. -> Zoom Video Communications, Inc.)
FirewallRules: [UDP Query User{9269E085-EB19-4D5F-B95C-F377C519D95C}C:\users\steve\appdata\roaming\zoom\bin\zoom.exe] => (Allow) C:\users\steve\appdata\roaming\zoom\bin\zoom.exe (Zoom Video Communications, Inc. -> Zoom Video Communications, Inc.)
FirewallRules: [TCP Query User{79D156EE-9A82-4551-A331-BE02E97AB2B9}C:\users\steve\appdata\roaming\.minecraft\jre\jre8u332b09-windows-x64\bin\javaw.exe] => (Block) C:\users\steve\appdata\roaming\.minecraft\jre\jre8u332b09-windows-x64\bin\javaw.exe
FirewallRules: [UDP Query User{327CB78D-EC8C-415F-B626-989794FE0BC0}C:\users\steve\appdata\roaming\.minecraft\jre\jre8u332b09-windows-x64\bin\javaw.exe] => (Block) C:\users\steve\appdata\roaming\.minecraft\jre\jre8u332b09-windows-x64\bin\javaw.exe
FirewallRules: [TCP Query User{D64F9166-7852-4CD2-BB9E-366E941FC808}C:\users\steve\.lunarclient\jre\4dcd188552ce8876d5e55e1f6d22505109bfa4cb\zulu17.34.19-ca-jre17.0.3-win_x64\bin\javaw.exe] => (Block) C:\users\steve\.lunarclient\jre\4dcd188552ce8876d5e55e1f6d22505109bfa4cb\zulu17.34.19-ca-jre17.0.3-win_x64\bin\javaw.exe
FirewallRules: [UDP Query User{47E52959-CF98-462A-BDBD-220A3F2ADC27}C:\users\steve\.lunarclient\jre\4dcd188552ce8876d5e55e1f6d22505109bfa4cb\zulu17.34.19-ca-jre17.0.3-win_x64\bin\javaw.exe] => (Block) C:\users\steve\.lunarclient\jre\4dcd188552ce8876d5e55e1f6d22505109bfa4cb\zulu17.34.19-ca-jre17.0.3-win_x64\bin\javaw.exe
FirewallRules: [TCP Query User{E7828977-2DAF-4030-BF36-421C890FD86F}C:\users\steve\onedrive\documents\cosmicclient-x64\jre_64\bin\javaw.exe] => (Block) C:\users\steve\onedrive\documents\cosmicclient-x64\jre_64\bin\javaw.exe
FirewallRules: [UDP Query User{CA1D19F0-D52E-4F10-B544-68101CF3654D}C:\users\steve\onedrive\documents\cosmicclient-x64\jre_64\bin\javaw.exe] => (Block) C:\users\steve\onedrive\documents\cosmicclient-x64\jre_64\bin\javaw.exe
FirewallRules: [TCP Query User{BA86A3B7-3EFE-4391-94D7-4729AAB6247E}C:\users\xingz\.lunarclient\jre\4dcd188552ce8876d5e55e1f6d22505109bfa4cb\zulu17.34.19-ca-jre17.0.3-win_x64\bin\javaw.exe] => (Block) C:\users\xingz\.lunarclient\jre\4dcd188552ce8876d5e55e1f6d22505109bfa4cb\zulu17.34.19-ca-jre17.0.3-win_x64\bin\javaw.exe
FirewallRules: [UDP Query User{F4B0684F-8B8F-4129-B671-BB6076BEC6E4}C:\users\xingz\.lunarclient\jre\4dcd188552ce8876d5e55e1f6d22505109bfa4cb\zulu17.34.19-ca-jre17.0.3-win_x64\bin\javaw.exe] => (Block) C:\users\xingz\.lunarclient\jre\4dcd188552ce8876d5e55e1f6d22505109bfa4cb\zulu17.34.19-ca-jre17.0.3-win_x64\bin\javaw.exe
FirewallRules: [TCP Query User{11C7F981-C557-4AEA-A716-F151FE7A4F56}C:\users\xingz\appdata\roaming\.minecraft\jre\jre8u332b09-windows-x64\bin\javaw.exe] => (Block) C:\users\xingz\appdata\roaming\.minecraft\jre\jre8u332b09-windows-x64\bin\javaw.exe
FirewallRules: [UDP Query User{384AF94D-2320-420E-9CF9-43EC56182C71}C:\users\xingz\appdata\roaming\.minecraft\jre\jre8u332b09-windows-x64\bin\javaw.exe] => (Block) C:\users\xingz\appdata\roaming\.minecraft\jre\jre8u332b09-windows-x64\bin\javaw.exe
FirewallRules: [TCP Query User{E447A7FD-8923-4450-88F7-8438CA68BC4D}C:\users\steve\onedrive\documents\cosmicclient-x64\jre_64\bin\javaw.exe] => (Block) C:\users\steve\onedrive\documents\cosmicclient-x64\jre_64\bin\javaw.exe
FirewallRules: [UDP Query User{FEC6DF49-A7AC-4E20-8A44-419724B2D294}C:\users\steve\onedrive\documents\cosmicclient-x64\jre_64\bin\javaw.exe] => (Block) C:\users\steve\onedrive\documents\cosmicclient-x64\jre_64\bin\javaw.exe
FirewallRules: [TCP Query User{6D7A6599-6F94-47BD-AD3F-B7C22F3BCC34}C:\riot games\riot client\riotclientservices.exe] => (Block) C:\riot games\riot client\riotclientservices.exe => No File
FirewallRules: [UDP Query User{721115DE-F096-4FE4-A34A-F3F60EBE5A89}C:\riot games\riot client\riotclientservices.exe] => (Block) C:\riot games\riot client\riotclientservices.exe => No File
FirewallRules: [TCP Query User{C3611F06-65DB-4702-B44D-2A663F265D0C}C:\program files (x86)\minecraft launcher\runtime\java-runtime-gamma\windows-x64\java-runtime-gamma\bin\javaw.exe] => (Allow) C:\program files (x86)\minecraft launcher\runtime\java-runtime-gamma\windows-x64\java-runtime-gamma\bin\javaw.exe
FirewallRules: [UDP Query User{EE6692E0-967D-4E81-AA40-FE854800C5BA}C:\program files (x86)\minecraft launcher\runtime\java-runtime-gamma\windows-x64\java-runtime-gamma\bin\javaw.exe] => (Allow) C:\program files (x86)\minecraft launcher\runtime\java-runtime-gamma\windows-x64\java-runtime-gamma\bin\javaw.exe
FirewallRules: [{71386089-2850-4AFE-B97B-10493B87812A}] => (Allow) C:\Program Files (x86)\MacroRecorder\MacroRecorder.exe (Bartels Media GmbH -> )
FirewallRules: [TCP Query User{769C0808-1F65-4259-9BBD-4B81604BC73F}C:\users\steve\appdata\roaming\spotify\spotify.exe] => (Block) C:\users\steve\appdata\roaming\spotify\spotify.exe (Spotify AB -> Spotify Ltd)
FirewallRules: [UDP Query User{608ECDB5-C1AC-40ED-A4DB-760851AC56A5}C:\users\steve\appdata\roaming\spotify\spotify.exe] => (Block) C:\users\steve\appdata\roaming\spotify\spotify.exe (Spotify AB -> Spotify Ltd)
FirewallRules: [{79549723-AD18-459B-9047-6ACBDBB1F8AE}] => (Allow) C:\Program Files\Voicemod Desktop\VoicemodDesktop.exe => No File
FirewallRules: [TCP Query User{0C5EE284-840C-4868-8F1C-6FB3F22F4DE3}C:\users\xingz\appdata\roaming\spotify\spotify.exe] => (Allow) C:\users\xingz\appdata\roaming\spotify\spotify.exe (Spotify AB -> Spotify Ltd)
FirewallRules: [UDP Query User{3AD5F2B7-6FB4-49FE-8880-FAE6141DC103}C:\users\xingz\appdata\roaming\spotify\spotify.exe] => (Allow) C:\users\xingz\appdata\roaming\spotify\spotify.exe (Spotify AB -> Spotify Ltd)
FirewallRules: [TCP Query User{21058307-8B63-4598-9319-99AA0525231B}C:\users\xingz\appdata\roaming\spotify\spotify.exe] => (Block) C:\users\xingz\appdata\roaming\spotify\spotify.exe (Spotify AB -> Spotify Ltd)
FirewallRules: [UDP Query User{CF490249-2386-4E19-8E73-0685C046D062}C:\users\xingz\appdata\roaming\spotify\spotify.exe] => (Block) C:\users\xingz\appdata\roaming\spotify\spotify.exe (Spotify AB -> Spotify Ltd)
FirewallRules: [TCP Query User{DD26D7AB-8A5C-4690-BFA2-F4E71ABEA445}C:\users\xingz\appdata\roaming\.minecraft\jre\openjdk17u-jre_x64_windows_hotspot_17.0.3_7\bin\javaw.exe] => (Block) C:\users\xingz\appdata\roaming\.minecraft\jre\openjdk17u-jre_x64_windows_hotspot_17.0.3_7\bin\javaw.exe
FirewallRules: [UDP Query User{8136D7D2-358E-4820-9D7A-78C6D36B051E}C:\users\xingz\appdata\roaming\.minecraft\jre\openjdk17u-jre_x64_windows_hotspot_17.0.3_7\bin\javaw.exe] => (Block) C:\users\xingz\appdata\roaming\.minecraft\jre\openjdk17u-jre_x64_windows_hotspot_17.0.3_7\bin\javaw.exe
FirewallRules: [TCP Query User{207833E2-A9D9-48A7-B52C-0791862BA3BA}C:\users\steve\appdata\roaming\spotify\spotify.exe] => (Block) C:\users\steve\appdata\roaming\spotify\spotify.exe (Spotify AB -> Spotify Ltd)
FirewallRules: [UDP Query User{57E27E23-EC6F-43EA-84E4-61EE7D970DE1}C:\users\steve\appdata\roaming\spotify\spotify.exe] => (Block) C:\users\steve\appdata\roaming\spotify\spotify.exe (Spotify AB -> Spotify Ltd)
FirewallRules: [TCP Query User{EB256D96-6256-467B-A23B-81DEE2CEB228}C:\users\xingz\appdata\roaming\.minecraft\jre\openjdk17u-jre_x64_windows_hotspot_17.0.3_7\bin\javaw.exe] => (Block) C:\users\xingz\appdata\roaming\.minecraft\jre\openjdk17u-jre_x64_windows_hotspot_17.0.3_7\bin\javaw.exe
FirewallRules: [UDP Query User{34764D80-53A6-4F87-A4F4-12338A2752D9}C:\users\xingz\appdata\roaming\.minecraft\jre\openjdk17u-jre_x64_windows_hotspot_17.0.3_7\bin\javaw.exe] => (Block) C:\users\xingz\appdata\roaming\.minecraft\jre\openjdk17u-jre_x64_windows_hotspot_17.0.3_7\bin\javaw.exe
FirewallRules: [TCP Query User{755B29E1-5851-4EF6-B297-31C8776269AD}C:\programdata\badlionclient\jdk-17.0.1_12\bin\javaw.exe] => (Block) C:\programdata\badlionclient\jdk-17.0.1_12\bin\javaw.exe
FirewallRules: [UDP Query User{17FB1F17-BB09-4272-A4AC-3F38374306D5}C:\programdata\badlionclient\jdk-17.0.1_12\bin\javaw.exe] => (Block) C:\programdata\badlionclient\jdk-17.0.1_12\bin\javaw.exe
FirewallRules: [{214CC674-4429-4A12-A59F-CE67260307BF}] => (Allow) C:\Program Files (x86)\BlueStacks X\BlueStacksWeb.exe (Now.gg, INC -> Bluestack Systems, Inc.)
FirewallRules: [{59C22DE5-EA2D-46E4-9B0C-3BE744D3863E}] => (Allow) C:\Program Files (x86)\BlueStacks X\Cloud Game.exe (Now.gg, INC -> COMPANY NAME)
FirewallRules: [{E7A460B0-A7A8-4E8A-93F4-93F5BDB8800B}] => (Allow) C:\Program Files\BlueStacks_nxt\HD-Player.exe (Now.gg, INC -> BlueStack Systems)
FirewallRules: [{2F9FF7FA-37B7-432F-9F3D-547EB72F304A}] => (Allow) C:\Program Files\BlueStacks_nxt\BlueStacksAppplayerWeb.exe (Bluestack Systems, Inc -> The Qt Company Ltd.)
FirewallRules: [{C1E201AA-F14C-4B3A-9423-F23219EA01E9}] => (Allow) C:\Program Files\Microsoft Office\root\Office16\outlook.exe (Microsoft Corporation -> Microsoft Corporation)
FirewallRules: [{4C32B17E-3677-4F99-A46C-74B779173F9E}] => (Allow) C:\Program Files\Microsoft Office\root\Office16\Lync.exe (Microsoft Corporation -> Microsoft Corporation)
FirewallRules: [{DD5C1921-5AC2-4D14-B50F-3E23961DBA1B}] => (Allow) C:\Program Files\Microsoft Office\root\Office16\UcMapi.exe (Microsoft Corporation -> Microsoft Corporation)
FirewallRules: [TCP Query User{69157086-44AB-46F0-B826-339E5068C4B0}C:\users\xingz\appdata\local\programs\opera gx\opera.exe] => (Block) C:\users\xingz\appdata\local\programs\opera gx\opera.exe (Opera Norway AS -> Opera Software)
FirewallRules: [UDP Query User{CCEE3457-08CE-43A8-B900-5ADFBD2F3426}C:\users\xingz\appdata\local\programs\opera gx\opera.exe] => (Block) C:\users\xingz\appdata\local\programs\opera gx\opera.exe (Opera Norway AS -> Opera Software)
FirewallRules: [TCP Query User{E51CCAD8-6339-44F9-8EAB-44F40A079563}C:\users\xingz\appdata\local\programs\opera gx\opera.exe] => (Block) C:\users\xingz\appdata\local\programs\opera gx\opera.exe (Opera Norway AS -> Opera Software)
FirewallRules: [UDP Query User{A15E4510-1A35-45AC-BC52-E1ED149B1BB7}C:\users\xingz\appdata\local\programs\opera gx\opera.exe] => (Block) C:\users\xingz\appdata\local\programs\opera gx\opera.exe (Opera Norway AS -> Opera Software)
FirewallRules: [{D4E21B92-2FAA-4DF5-B329-DDE279E1C300}] => (Allow) C:\Program Files\Google\Chrome\Application\chrome.exe (Google LLC -> Google LLC)
FirewallRules: [{14E884DB-C78E-43E2-BF32-8D184FEAF0B3}] => (Allow) C:\Program Files (x86)\Microsoft\EdgeWebView\Application\113.0.1774.50\msedgewebview2.exe (Microsoft Corporation -> Microsoft Corporation)
FirewallRules: [{8DA51D7C-1D5C-4441-8624-5160C58FE1DA}] => (Allow) C:\Program Files\WindowsApps\Microsoft.SkypeApp_15.98.3206.0_x64__kzf8qxf38zg5c\Skype\Skype.exe (Skype Software Sarl -> Skype Technologies S.A.)
FirewallRules: [{2D5F83A6-9091-480F-AE40-7AD567EE1BDC}] => (Allow) C:\Program Files\WindowsApps\Microsoft.SkypeApp_15.98.3206.0_x64__kzf8qxf38zg5c\Skype\Skype.exe (Skype Software Sarl -> Skype Technologies S.A.)
FirewallRules: [{B8BBF104-8314-48D9-B94E-99860F1E8696}] => (Allow) C:\Program Files\WindowsApps\Microsoft.SkypeApp_15.98.3206.0_x64__kzf8qxf38zg5c\Skype\Skype.exe (Skype Software Sarl -> Skype Technologies S.A.)
FirewallRules: [{F4EF2339-ED68-4B67-96CB-B00181AF390B}] => (Allow) C:\Program Files\WindowsApps\Microsoft.SkypeApp_15.98.3206.0_x64__kzf8qxf38zg5c\Skype\Skype.exe (Skype Software Sarl -> Skype Technologies S.A.)
==================== Restore Points =========================
18-05-2023 11:40:50 Scheduled Checkpoint
24-05-2023 08:54:48 Windows Modules Installer
26-05-2023 20:00:45 AdwCleaner_BeforeCleaning_26/05/2023_20:00:44
==================== Faulty Device Manager Devices ============
==================== Event log errors: ========================
Application errors:
==================
Error: (05/21/2023 08:36:09 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: HD-Player.exe, version: 5.11.42.1002, time stamp: 0x642ea107
Faulting module name: ucrtbase.dll, version: 10.0.19041.789, time stamp: 0x2bd748bf
Exception code: 0xc0000409
Fault offset: 0x000000000007286e
Faulting process id: 0x31dc
Faulting application start time: 0x01d98c5e8b2e4ca4
Faulting application path: C:\Program Files\BlueStacks_nxt\HD-Player.exe
Faulting module path: C:\Windows\System32\ucrtbase.dll
Report Id: d42d4488-9ae8-40d9-b397-c2020214f0c7
Faulting package full name:
Faulting package-relative application ID:
Error: (05/13/2023 07:19:52 PM) (Source: Microsoft-Windows-RestartManager) (EventID: 10006) (User: LAPTOP-V4A2F2MC)
Description: Application or service 'Microsoft Office SDX Helper' could not be shut down.
Error: (05/12/2023 05:55:49 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: IGCCTray.exe, version: 1.100.4779.0, time stamp: 0x642d6a5c
Faulting module name: KERNELBASE.dll, version: 10.0.19041.2913, time stamp: 0xa1c3e870
Exception code: 0xe0434352
Fault offset: 0x000000000002cf19
Faulting process id: 0x526c
Faulting application start time: 0x01d98535a87d0091
Faulting application path: C:\Program Files\WindowsApps\AppUp.IntelGraphicsExperience_1.100.4779.0_x64__8j3eq9eme6ctt\GCP.ML.BackgroundSysTray\IGCCTray.exe
Faulting module path: C:\Windows\System32\KERNELBASE.dll
Report Id: c3b5c6c2-4005-4e60-983c-25c9c00fcafb
Faulting package full name: AppUp.IntelGraphicsExperience_1.100.4779.0_x64__8j3eq9eme6ctt
Faulting package-relative application ID: App
Error: (05/12/2023 05:55:49 PM) (Source: .NET Runtime) (EventID: 1026) (User: )
Description: Application: IGCCTray.exe
Framework Version: v4.0.30319
Description: The process was terminated due to an unhandled exception.
Exception Info: System.UnauthorizedAccessException
at System.IO.__Error.WinIOError(Int32, System.String)
at System.IO.Pipes.NamedPipeServerStream.Create(System.String, System.IO.Pipes.PipeDirection, Int32, System.IO.Pipes.PipeTransmissionMode, System.IO.Pipes.PipeOptions, Int32, Int32, System.IO.Pipes.PipeAccessRights, SECURITY_ATTRIBUTES)
at System.IO.Pipes.NamedPipeServerStream..ctor(System.String, System.IO.Pipes.PipeDirection, Int32, System.IO.Pipes.PipeTransmissionMode, System.IO.Pipes.PipeOptions, Int32, Int32, System.IO.Pipes.PipeSecurity, System.IO.HandleInheritability, System.IO.Pipes.PipeAccessRights)
at System.IO.Pipes.NamedPipeServerStream..ctor(System.String, System.IO.Pipes.PipeDirection, Int32, System.IO.Pipes.PipeTransmissionMode, System.IO.Pipes.PipeOptions, Int32, Int32, System.IO.Pipes.PipeSecurity)
at GCP.ML.BackgroundSysTray.SingleInstanceApp.NamedPipeServerCreateServer()
at GCP.ML.BackgroundSysTray.SingleInstanceApp.Initialize()
at GCP.ML.BackgroundSysTray.Program.Main()
Error: (05/11/2023 09:37:45 PM) (Source: VSS) (EventID: 13) (User: )
Description: Volume Shadow Copy Service information: The COM Server with CLSID {4e14fba2-2e22-11d1-9964-00c04fbbb345} and name CEventSystem cannot be started. [0x8007045b, A system shutdown is in progress.
]
Error: (05/06/2023 08:50:54 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: Taskmgr.exe, version: 10.0.19041.1202, time stamp: 0x843271e7
Faulting module name: Taskmgr.exe, version: 10.0.19041.1202, time stamp: 0x843271e7
Exception code: 0xc0000005
Fault offset: 0x0000000000086034
Faulting process id: 0x1c88
Faulting application start time: 0x01d98096f2c75838
Faulting application path: C:\Windows\System32\Taskmgr.exe
Faulting module path: C:\Windows\System32\Taskmgr.exe
Report Id: 8171ba51-e568-4b5c-876f-7803214da21a
Faulting package full name:
Faulting package-relative application ID:
Error: (04/29/2023 12:28:43 AM) (Source: Microsoft-Windows-RestartManager) (EventID: 10006) (User: LAPTOP-V4A2F2MC)
Description: Application or service 'Microsoft Office SDX Helper' could not be shut down.
Error: (04/28/2023 03:43:36 PM) (Source: VSS) (EventID: 8193) (User: )
Description: Volume Shadow Copy Service error: Unexpected error calling routine CoCreateInstance. hr = 0x8007045b, A system shutdown is in progress.
.
System errors:
=============
Error: (05/26/2023 09:50:21 PM) (Source: nhi) (EventID: 9006) (User: )
Description: An error was detected.
Error message: Error code: 0xDC, Sub error code: 0x7C
Error: (05/26/2023 09:50:21 PM) (Source: nhi) (EventID: 9006) (User: )
Description: An error was detected.
Error message: Error code: 0xDC, Sub error code: 0xB1
Error: (05/26/2023 09:50:21 PM) (Source: nhi) (EventID: 9006) (User: )
Description: An error was detected.
Error message: Error code: 0xE0, Sub error code: 0x4E
Error: (05/26/2023 09:50:21 PM) (Source: nhi) (EventID: 9006) (User: )
Description: An error was detected.
Error message: Error code: 0x12D, Sub error code: 0x75
Error: (05/26/2023 09:44:39 PM) (Source: nhi) (EventID: 9006) (User: )
Description: An error was detected.
Error message: Error code: 0xDC, Sub error code: 0x7C
Error: (05/26/2023 09:44:39 PM) (Source: nhi) (EventID: 9006) (User: )
Description: An error was detected.
Error message: Error code: 0xDC, Sub error code: 0xB1
Error: (05/26/2023 09:44:39 PM) (Source: nhi) (EventID: 9006) (User: )
Description: An error was detected.
Error message: Error code: 0xE0, Sub error code: 0x4E
Error: (05/26/2023 09:44:39 PM) (Source: nhi) (EventID: 9006) (User: )
Description: An error was detected.
Error message: Error code: 0x12D, Sub error code: 0x75
Windows Defender:
================
Date: 2023-05-26 21:28:17
Description:
Microsoft Defender Antivirus scan has been stopped before completion.
Scan Type: Antimalware
Scan Parameters: Quick Scan
Date: 2023-05-25 21:43:50
Description:
Microsoft Defender Antivirus scan has been stopped before completion.
Scan Type: Antimalware
Scan Parameters: Quick Scan
Date: 2023-05-24 21:54:20
Description:
Microsoft Defender Antivirus scan has been stopped before completion.
Scan Type: Antimalware
Scan Parameters: Quick Scan
Date: 2023-05-24 21:54:19
Description:
Microsoft Defender Antivirus scan has been stopped before completion.
Scan Type: Antimalware
Scan Parameters: Quick Scan
Date: 2023-05-23 20:42:06
Description:
Microsoft Defender Antivirus scan has been stopped before completion.
Scan Type: Antimalware
Scan Parameters: Quick Scan
Event[0]:
Date: 2023-03-28 09:20:57
Description:
Microsoft Defender Antivirus has encountered an error trying to update security intelligence.
New security intelligence Version:
Previous security intelligence Version: 1.385.1369.0
Update Source: Microsoft Update Server
Security intelligence Type: AntiVirus
Update Type: Full
Current Engine Version:
Previous Engine Version: 1.1.20100.6
Error code: 0x80070102
Error description: The wait operation timed out.
CodeIntegrity:
===============
Date: 2023-05-25 21:43:17
Description:
Code Integrity determined that a process (\Device\HarddiskVolume3\ProgramData\Microsoft\Windows Defender\Platform\4.18.2304.8-0\MsMpEng.exe) attempted to load \Device\HarddiskVolume3\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\MSOXMLMF.DLL that did not meet the Custom 3 / Antimalware signing level requirements.
Date: 2023-05-25 21:27:22
Description:
Windows blocked file \Device\HarddiskVolume3\Windows\System32\scrobj.dll which has been disallowed for protected processes.
==================== Memory info ===========================
BIOS: LENOVO N2WET24W (1.14 ) 10/15/2020
Motherboard: LENOVO 20U9001PUS
Processor: Intel® Core i5-10210U CPU @ 1.60GHz
Percentage of memory in use: 36%
Total physical RAM: 16134.84 MB
Available physical RAM: 10241.56 MB
Total Virtual: 18566.84 MB
Available Virtual: 12529.33 MB
==================== Drives ================================
Drive c: (Windows) (Fixed) (Total:475.69 GB) (Free:269.49 GB) (Model: WDC PC SN730 SDBQNTY-512G-1001) (Protected) NTFS
\\?\Volume{75c729c2-6720-4a40-961a-d501e696aaf0}\ (WinRE_DRV) (Fixed) (Total:0.98 GB) (Free:0.48 GB) NTFS
\\?\Volume{164629a9-b1e5-4ff7-a08a-6a886215a41d}\ (SYSTEM) (Fixed) (Total:0.25 GB) (Free:0.22 GB) FAT32
==================== MBR & Partition Table ====================
==========================================================
Disk: 0 (Size: 476.9 GB) (Disk ID: 7E749F88)
Partition: GPT.
==================== End of Addition.txt =======================
CloseProcesses:
SystemRestore: On
CreateRestorePoint:
RemoveProxy:
cmd: reagentc /info
cmd: manage-bde -status c:
comment: cmd: manage-bde -protectors -get c:
cmd: ECHO Y|CHKDSK C: /F
cmd: wmic diskdrive get model,serialNumber,size,mediaType
HKLM Group Policy restriction on software: %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot% <==== ATTENTION
HKLM Group Policy restriction on software: %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir% <==== ATTENTION
HKLM Group Policy restriction on software: C:\Users\xingz\AppData\Local\Roblox <==== ATTENTION
HKU\S-1-5-21-3401934515-1319308757-2340201554-1001\...\Run: [MicrosoftEdgeAutoLaunch_ECE742257346276521BD64230C9B00B2] => "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start /prefetch:5 [4152216 2023-05-17] (Microsoft Corporation -> Microsoft Corporation) <==== ATTENTION
HKU\S-1-5-21-3401934515-1319308757-2340201554-1013\...\RunOnce: [Application Restart #0] => C:\Windows\System32\WpcMon.exe [1173472 2022-03-09] (Microsoft Windows -> Microsoft Corporation) <==== ATTENTION
GroupPolicy: Restriction ? <==== ATTENTION
Policies: C:\ProgramData\NTUSER.pol: Restriction <==== ATTENTION
Task: {2BB7E33D-F0AF-4575-A4BE-C02790501D87} - \Lenovo\ImController\Plugins\LenovoSystemUpdatePlugin_WeeklyTask -> No File <==== ATTENTION
Task: {4AB579F9-66DF-4A41-8111-9D7CC3CCBC1D} - System32\Tasks\Lenovo\Power Manager\Background monitor => "C:\Windows\SysWOW64\Lenovo\PowerMgr\PowerMgr.exe" (No File)
Task: {95FB764C-1ED3-4553-93E2-4DA277F58B9D} - \Lenovo\ImController\TimeBasedEvents\5cea59fa-0825-478d-b121-a0a3581aaf36 -> No File <==== ATTENTION
Task: {99163ADE-5A5D-4651-B561-6D0A3CC00DA8} - \Lenovo\ImController\TimeBasedEvents\95695eb7-60b9-4692-a297-4bb8008177be -> No File <==== ATTENTION
Task: {C58242C5-76AC-4EBE-A69F-C749AEFCFEF6} - \Lenovo\ImController\Lenovo iM Controller Scheduled Maintenance -> No File <==== ATTENTION
Task: {EC10BB20-6278-459B-A6B9-916B8E1FA02E} - \Lenovo\ImController\TimeBasedEvents\05e1cd92-5a3f-4b23-b48e-92d53cd7696e -> No File <==== ATTENTION
Task: {F927B388-D58E-4E16-AB50-A5A16C439A1F} - \Lenovo\ImController\Lenovo iM Controller Monitor -> No File <==== ATTENTION
Edge Extension: (中国工商银行密码扩展) - C:\Users\xingz\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\lkcpjhiihlemmaffnfhkmdhncpdpidgd [2023-05-08]
S2 ImControllerService; %SystemRoot%\Lenovo\ImController\Service\Lenovo.Modern.ImController.exe [X]
AlternateDataStreams: C:\ProgramData\Microsoft.SqlServer.Compact.400.32.bc:169D67954B [3434]
AlternateDataStreams: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Creative Cloud.lnk:7661CCE9BF [3434]
AlternateDataStreams: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Badlion Client.lnk:8BD81608B2 [3434]
HKLM\...\StartupApproved\Run: => "SecurityHealth"
HKLM\...\StartupApproved\Run: => "XMouseButtonControl"
HKLM\...\StartupApproved\Run32: => "SunJavaUpdateSched"
HKLM\...\StartupApproved\Run32: => "Adobe Creative Cloud"
HKLM\...\StartupApproved\Run32: => "Adobe CCXProcess"
HKLM\...\StartupApproved\Run32: => "Launch 0 FwCustom"
HKLM\...\StartupApproved\Run32: => "app service"
HKU\S-1-5-21-3401934515-1319308757-2340201554-1001\...\StartupApproved\StartupFolder: => "Editor.lnk"
HKU\S-1-5-21-3401934515-1319308757-2340201554-1001\...\StartupApproved\Run: => "OneDrive"
HKU\S-1-5-21-3401934515-1319308757-2340201554-1001\...\StartupApproved\Run: => "electron.app.BlueStacks Services"
HKU\S-1-5-21-3401934515-1319308757-2340201554-1001\...\StartupApproved\Run: => "Spotify"
HKU\S-1-5-21-3401934515-1319308757-2340201554-1001\...\StartupApproved\Run: => "Opera GX Stable"
2019-12-07 02:14 - 2023-03-31 18:57 - 000000824 _____ C:\Windows\system32\drivers\etc\hosts
cmd: pushd c:\windows\system32
cmd: net stop bits
cmd: net stop cryptSvc
cmd: net stop wuauserv
cmd: net stop msiserver
cmd: del /s /q C:\Windows\SoftwareDistribution\download\*.*
cmd: net start cryptSvc
cmd: net start bits
cmd: net start wuauserv
cmd: net start msiserver
cmd: DISM.exe /Online /Cleanup-image /Restorehealth
cmd: sfc /scannow
StartBatch:
del /s /q "%userprofile%\AppData\Local\Google\Chrome\User Data\Default\Cache\*.*"
del /s /q "%userprofile%\AppData\Local\Microsoft\Edge\User Data\Default\Cache\*.*"
"%WINDIR%\SYSTEM32\lodctr.exe" /R
"%WINDIR%\SysWOW64\lodctr.exe" /R
"%WINDIR%\SYSTEM32\lodctr.exe" /R
"%WINDIR%\SysWOW64\lodctr.exe" /R
NETSH winsock reset catalog
NETSH int ipv4 reset reset.log
NETSH int ipv6 reset reset.log
ipconfig /release
ipconfig /renew
ipconfig /flushdns
ipconfig /registerdns
net start sdrsvc
net start vss
net start rpcss
net start eventsystem
net start mpsdrv
net start bfe
net start MpsSvc
net start winmgmt
netsh winhttp reset proxy
Bitsadmin /Reset /Allusers
Endbatch:
C:\Windows\System32\config\systemprofile\AppData\Local\*.tmp
C:\Windows\Temp\*
C:\WINDOWS\system32\*.tmp
C:\WINDOWS\syswow64\*.tmp
C:\Windows\System32\GroupPolicyUsers
C:\Windows\System32\GroupPolicy
cmd: netsh advfirewall reset
cmd: netsh advfirewall set allprofiles state ON
cmd: reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "HideFileExt" /t REG_DWORD /d 0 /f
cmd: reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt" /v "CheckedValue" /t REG_DWORD /d 0 /f
cmd: reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "ScanWithAntiVirus" /t REG_DWORD /d 3 /f
cmd: reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d 0 /f
cmd: reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v "ServiceKeepAlive" /t REG_DWORD /d 1 /f
cmd: reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d 1 /f
cmd: reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d 0 /f
cmd: reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d 0 /f
cmd: reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v "DisableGenericRePorts" /t REG_DWORD /d 1 /f
cmd: reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "CheckForSignaturesBeforeRunningScan" /t REG_DWORD /d 1 /f
cmd: reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "DisableHeuristics" /t REG_DWORD /d 0 /f
cmd: reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d 1 /f
cmd: reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "LocalSettingOverrideSpynetReporting" /t REG_DWORD /d 0 /f
cmd: reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpynetReporting" /t REG_DWORD /d 0 /f
cmd: reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SubmitSamplesConsent" /t REG_DWORD /d 2 /f
cmd: reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection" /v "EnableNetworkProtection" /t REG_DWORD /d 1 /f
cmd: reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Power" /v HiberbootEnabled
cmd: reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Power" /v HiberbootEnabled /t REG_DWORD /d 0 /f
cmd: reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters" /v "DisabledComponents" /t REG_DWORD /d 32 /f
cmd: reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /f
cmd: reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows\WindowsUpdate" /f
cmd: reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center" /s
cmd: reg query "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\Descriptions" /s
cmd: reg query "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders" /v Startup
StartBatch:
SETLOCAL ENABLEEXTENSIONS
echo userprofile=%USERPROFILE%
if not defined userprofile echo no userprofile&goto :eof
del /f /q "%userprofile%\AppData\Roaming\Microsoft\*.dll*"
del /f /q "%userprofile%\AppData\Roaming\Microsoft\*.exe*"
del /f /q "%userprofile%\AppData\Roaming\Microsoft\*.zip*"
rd /s /q "%userprofile%\AppData\Roaming\discord\Cache"
rd /s /q "%userprofile%\AppData\Roaming\discord\code cache"
rd /s /q "%userprofile%\AppData\Roaming\discord\gpucache"
:eof
EndBatch:
StartPowerShell:
# Get a verbose listing of installed applications
Function Get-InstalledSoftwareList {
    $PS = $PSVersionTable.PSVersion.Major
    if($PS -ne 5) {
        $SW = (Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*") + (Get-ItemProperty "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*")
        $SW | Select DisplayName, DisplayVersion, Publisher, InstallDate, InstallLocation, InstallSource | sort-object -Property DisplayName -Unique | Format-Table -AutoSize | Out-String -Width 8096
    }else {
        # Only PowerShell 5 supports the Get-AppxPackage cmdlet
        $SW = (Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*") + (Get-ItemProperty "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*")
        $SW | Select DisplayName, DisplayVersion, Publisher, InstallDate, InstallLocation, InstallSource, ModifyPath, UninstallString, NoModify, NoRepair, NoRemove | sort-object -Property DisplayName -Unique | Format-Table -AutoSize | Out-String -Width 8096
        $psWinVer = (Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion").CurrentVersion
        if ($psWinVer -lt 6.3){
            # Windows 7 does not support Get-AppxPackage
        }else {
            # Remove the pound sign to gather the installed Application Packages
            # $Packages = Get-AppxPackage -AllUsers
            # $Packages | sort-object -Property Name -Unique | Out-String -Width 8096
        }
    }
}
# Function to check whether the current machine is domain joined
Function Test-DomainJoined()
{
    return (Get-WmiObject -query "select * from win32_ntdomain where Status ='OK'") -ne $null
}
# Function to check how long the computer takes to start up
Function Get-BootTimeDuration {
    Get-WinEvent -FilterHashtable @{
        logname='Microsoft-Windows-Diagnostics-Performance/Operational';
        id=100
    } -MaxEvents 10 | select -ExpandProperty message
}
# Function Get-Drive by Raghu Dodda from stackoverflow, minor mods by AdvancedSetup
Function Get-Drive {
    foreach($disk in Get-CimInstance Win32_Diskdrive) {
        $diskMetadata = Get-Disk | Where-Object { $_.Number -eq $disk.Index } | Select-Object -First 1
        $partitions = Get-CimAssociatedInstance -ResultClassName Win32_DiskPartition -InputObject $disk
        foreach($partition in $partitions) {
            $drives = Get-CimAssociatedInstance -ResultClassName Win32_LogicalDisk -InputObject $partition
            foreach($drive in $drives) {
                $totalSpace = [math]::Round($drive.Size / 1GB, 3)
                $freeSpace = [math]::Round($drive.FreeSpace / 1GB, 3)
                $usedSpace = [math]::Round($totalSpace - $freeSpace, 3)
                $volume = Get-Volume |
                    Where-Object { $_.DriveLetter -eq $drive.DeviceID.Trim(":") } |
                    Select-Object -First 1
                [PSCustomObject] @{
                    DriveLetter = $drive.DeviceID
                    Number = $disk.Index
                    Label = $volume.FileSystemLabel
                    Manufacturer = $diskMetadata.Manufacturer
                    Model = $diskMetadata.Model
                    SerialNumber = $diskMetadata.SerialNumber.Trim()
                    Name = $disk.Caption
                    FirmwareRev = $disk.FirmwareRevision
                    PnPID = $disk.PNPDeviceID
                    SCSIPort = $disk.SCSIPort
                    FileSystem = $volume.FileSystem
                    MediaType = $disk.MediaType
                    PartitionKind = $diskMetadata.PartitionStyle
                    BootDisk = $diskMetadata.BootFromDisk
                    TotalSpace = $totalSpace
                    FreeSpace = $freeSpace
                    UsedSpace = $usedSpace
                    Drive = $drive
                    Partition = $partition
                    Disk = $disk
                }
            }
        }
    }
}
# Check if MWAC logs are Inbound or Outbound alerts
function Get-MWAC-InboundData {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory=$true)]
        [string]$FolderPath
    )
    Get-ChildItem -Path $FolderPath -Filter *.json -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $content = Get-Content $_.FullName -Raw -ErrorAction SilentlyContinue
        $content = $content -split '\r?\n' | Select-Object -Skip 1 | Out-String
        if($content) {
            $json = $content | ConvertFrom-Json -ErrorAction SilentlyContinue
            if ($json -and !$json.threats[0].mainTrace.websiteData.isInbound) {
                $dateTime = (Get-Item $_.FullName).LastWriteTime
                $output = [PSCustomObject]@{
                    Index = $null
                    Name = $_.Name
                    Date = $dateTime
                    ProcessPath = $json.threats[0].mainTrace.websiteData.processPath
                }
                $output
            }
        }
    } | Sort-Object -Property Date | ForEach-Object -Begin { $index = 1 } -Process {
        $_.Index = ('{0:0000}' -f $index)
        $index++
        $_
    } | Format-Table Index, Name, Date, ProcessPath -AutoSize
}
function Get-BaseBoardInfo {
    param(
        [string]$ComputerName = "."
    )
    $colItems = Get-WmiObject -Class Win32_BaseBoard -ComputerName $ComputerName
    foreach($objItem in $colItems){
        $properties = @{
            "ConfigOptions" = ($objItem.ConfigOptions -join ",");
            "Depth" = $objItem.Depth;
            "Description" = $objItem.Description;
            "Height" = $objItem.Height;
            "HostingBoard" = $objItem.HostingBoard;
            "HotSwappable" = $objItem.HotSwappable;
            "Manufacturer" = $objItem.Manufacturer;
            "Model" = $objItem.Model;
            "Name" = $objItem.Name;
            "OtherIdentifyingInfo" = $objItem.OtherIdentifyingInfo;
            "PartNumber" = $objItem.PartNumber;
            "PoweredOn" = $objItem.PoweredOn;
            "Product" = $objItem.Product;
            "Removable" = $objItem.Removable;
            "Replaceable" = $objItem.Replaceable;
            "RequirementsDescription" = $objItem.RequirementsDescription;
            "RequiresDaughterBoard" = $objItem.RequiresDaughterBoard;
            "SerialNumber" = $objItem.SerialNumber;
            "SKU" = $objItem.SKU;
            "SlotLayout" = $objItem.SlotLayout;
            "SpecialRequirements" = $objItem.SpecialRequirements;
            "Tag" = $objItem.Tag;
            "Version" = $objItem.Version;
            "Weight" = $objItem.Weight;
            "Width" = $objItem.Width;
        }
        $data = $properties.GetEnumerator() | Where-Object {$_.Value -ne $null -and $_.Value -ne ""} | Format-List | Out-String
        if($data -ne $null -and $data -ne ""){
            Write-Host $data
        }
    }
}
# Function to manage Windows Defender, remove exclusions, run scan, report on status
Function Manage-WindowsDefender {
    Get-MpComputerStatus
    echo "Listing of exclusions"
    Get-MpPreference | Select-Object -Expand ExclusionPath | Out-String -width 4096
    $Paths=(Get-MpPreference).ExclusionPath
    $Extensions=(Get-MpPreference).ExclusionExtension
    $Processes=(Get-MpPreference).ExclusionProcess
    foreach ($Path in $Paths) { Remove-MpPreference -ExclusionPath $Path -Force}
    foreach ($Extension in $Extensions) { Remove-MpPreference -ExclusionExtension $Extension -Force}
    foreach ($Process in $Processes) { Remove-MpPreference -ExclusionProcess $Process -Force}
    Set-MpPreference -DisableAutoExclusions $true -Force
    Set-MpPreference -CheckForSignaturesBeforeRunningScan $true -Force
    Set-MpPreference -DisableArchiveScanning $false -Force
    Set-MpPreference -DisableBehaviorMonitoring $false -Force
    Set-MpPreference -DisableEmailScanning $False -Force
    Set-MpPreference -DisableIOAVProtection $false -Force
    Set-MpPreference -DisablePrivacyMode $true -Force
    Set-MpPreference -DisableRealtimeMonitoring $false -Force
    Set-MpPreference -MAPSReporting Advanced -Force
    Set-MpPreference -PUAProtection enabled -Force
    Set-MpPreference -SignatureScheduleDay Everyday -Force
    Set-MpPreference -DisableRemovableDriveScanning $false -Force
    Set-MpPreference -SubmitSamplesConsent SendSafeSamples
    # Reset and check Secure Health status
    Get-AppxPackage Microsoft.SecHealthUI -AllUsers | Reset-AppxPackage
    Get-AppxPackage Microsoft.SecHealthUI -AllUsers|select Name, Status
    # Check if these services are running
    Get-Service Windefend, SecurityHealthService, wscsvc, mpsdrv, mpssvc, WdNisSvc | Select Name,DisplayName, Status
    # Check for signature updates
    Update-MpSignature
    Start-MpScan -ScanType QuickScan
    Remove-MpThreat
    # Check computer status again after setting to make sure changes were applied
    Get-MpComputerStatus
    Get-MpPreference
    Get-MpThreatDetection
}
Function Remove-all-windefend-excludes {
    $Paths=(Get-MpPreference).ExclusionPath
    $Extensions=(Get-MpPreference).ExclusionExtension
    $Processes=(Get-MpPreference).ExclusionProcess
    foreach ($Path in $Paths) { Remove-MpPreference -ExclusionPath $Path -force}
    foreach ($Extension in $Extensions) { Remove-MpPreference -ExclusionExtension $Extension -force}
    foreach ($Process in $Processes) { Remove-MpPreference -ExclusionProcess $Process -force}
}
# Function to clear out web browser cache for chrome, msedge, and brave
Function Remove-BrowserCache {
    Stop-Process -Name chrome -ErrorAction SilentlyContinue -Force -Confirm:$false
    Stop-Process -Name msedge -ErrorAction SilentlyContinue -Force -Confirm:$false
    Stop-Process -Name brave -ErrorAction SilentlyContinue -Force -Confirm:$false
    [String] ${stUserDomain},[String] ${stUserAccount} = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name.split("\")
    Remove-Item -Path "C:\Users\${stUserAccount}\AppData\Local\Google\Chrome\User Data\Default\Cache\*" -Recurse -Force -Confirm:$false -ErrorAction SilentlyContinue -verbose
    Remove-Item -Path "C:\Users\${stUserAccount}\AppData\Local\Microsoft\Edge\User Data\Default\Cache\*" -Recurse -Force -Confirm:$false -ErrorAction SilentlyContinue -verbose
    Remove-Item -Path "C:\Users\${stUserAccount}\AppData\Local\bravesoftware\brave-browser\User Data\Default\Cache\*" -Recurse -Force -Confirm:$false -ErrorAction SilentlyContinue -verbose
}
# Function to clear temp files
Function Remove-TempFiles {
    Remove-Item -Path "$ENV:Temp\*" -Recurse -Force -Confirm:$false -ErrorAction SilentlyContinue -verbose
    Remove-Item -Path "$Env:windir\Temp\*" -Recurse -Force -Confirm:$false -ErrorAction SilentlyContinue -verbose
}
# Gather information and Set Important Service values
# Check if the computer is Domain Joined
$DJ = Test-DomainJoined
echo "Domain Joined: $DJ"
# On PowerShell 2.0 (Windows 7), Get-Service does not support querying StartupType
# (Service is locked from change) Set-Service -Name "BFE" -StartupType Automatic -Verbose
# (Service is locked from change) Set-Service -Name "DcomLaunch" -StartupType Automatic -Verbose
# (Service is locked from change) Set-Service -Name "MpsSvc" -StartupType Automatic -Verbose
# (Service is locked from change) Set-Service -Name "msiserver" -StartupType Manual -Verbose
# (Service is locked from change) Set-Service -Name "RpcEptMapper" -StartupType Automatic -Verbose
# (Service is locked from change) Set-Service -Name "RpcSs" -StartupType Automatic -Verbose
# (Service is locked from change) (service does not exist on Windows 7) Set-Service -Name "SecurityHealthService" -StartupType Manual -Verbose
# (Service is locked from change) (service does not exist on Windows 7) Set-Service -Name "WdNisSvc" -StartupType Manual -Verbose
# (Service is locked from change) (service does not operate the same on Windows 7) Set-Service -Name "WinDefend" -StartupType Automatic -Verbose
# (Service is locked from change) (PowerShell did not introduce DelayedAutoStart until version 6 ) Set-Service -Name "wscsvc" -StartupType DelayedAutoStart -Verbose
Set-Service -Name "BITS" -StartupType Manual -Verbose
Set-Service -Name "Dhcp" -StartupType Automatic -Verbose
Set-Service -Name "EventLog" -StartupType Automatic -Verbose
Set-Service -Name "EventSystem" -StartupType Automatic -Verbose
Set-Service -Name "nsi" -StartupType Automatic -Verbose
Set-Service -Name "RasMan" -StartupType Manual -Verbose
Set-Service -Name "SDRSVC" -StartupType Manual -Verbose
Set-Service -Name "SstpSvc" -StartupType Manual -Verbose
Set-Service -Name "TrustedInstaller" -StartupType Manual -Verbose
Set-Service -Name "VSS" -StartupType Manual -Verbose
Set-Service -Name "Winmgmt" -StartupType Automatic -Verbose
# Windows Update uses a Trigger Start for StartupType
Set-Service -Name "wuauserv" -StartupType Manual -Verbose
echo .
echo "Retrieving information on important Services"
$psWinVer = (Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion").CurrentVersion
if ($psWinVer -lt 6.3){
    # UsoSvc does not exist on Windows 7 do nothing
    # securityhealthservice does not exist on Windows 7 do nothing
}else {
    # WMIC is being deprecated. PowerShell did not introduce DelayedAutoStart until version 6 : Update Orchestrator Service
    Set-Itemproperty -path 'HKLM:\SYSTEM\CurrentControlSet\Services\UsoSvc' -Name 'DelayedAutoStart' -Value 1
    Set-Itemproperty -path 'HKLM:\SYSTEM\CurrentControlSet\Services\UsoSvc' -Name 'Start' -Value 2
    Get-Service UsoSvc | Select-Object -Property Name, StartType, Status
    Get-Service securityhealthservice | Select-Object -Property Name, StartType, Status
    # Method to reinstall SecHealthUI if needed on Windows 10 - does not exist on Windows 7
    # Get-AppxPackage Microsoft.SecHealthUI -AllUsers | Reset-AppxPackage
}
$Services = @("BITS","Dhcp","EventLog","EventSystem","MpsSvc","msiserver","nsi","RasMan","SDRSVC","SstpSvc","TrustedInstaller","VSS","Winmgmt","wuauserv","windefend")
foreach($Service in $Services) {
    Get-Service $service | Select-Object -Property Name, StartType, Status
}
# Make all our function calls and complete other commands. Functions need to be loaded first before calling them.
# set IPv4 precedence over IPv6
$newValue = New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\" -Name 'DisabledComponents' -PropertyType DWord -Value 32 -Force
# Windows 7 does not support many of these calls so we have to check the OS version and bypass those not supported
if ($psWinVer -lt 6.3){
    # Windows 7 so do not run some code
}else {
    # Determine if Secure Boot is enabled or not
    $SBS=Confirm-SecureBootUEFI
    echo ...
    echo ...
    echo "Secure Boot Status: $SBS"
    # Call function to gather disk drive properties
    Get-Drive | Sort -Property DriveLetter | Format-List
    # Manage Windows Defender and run a quick scan
    echo Windows Defender Preferences and Status
    Manage-WindowsDefender | Out-String -Width 4096
    # Run DISM to check for and repair system image damage - not supported on Windows 7
    # Repair-WindowsImage -Online -CheckHealth
    # Repair-WindowsImage -Online -ScanHealth
    # Repair-WindowsImage -Online -RestoreHealth
}
# Stop services to clean up the Windows Update Folder
$ServicesToStop = @("cryptSvc","wuauserv","msiserver")
# Turn off Services to remove locked files
foreach($Service in $ServicesToStop) {
    Stop-Service -Name $Service -Force -PassThru
    $VerifyServiceStopped = Get-Service $Service | Where-Object {$_.status -eq "Stopped"} | select -last 1
    if ($VerifyServiceStopped) {
        Write-Host $Service' service stop = succeed (0)'
    } else {
        Write-Host $Service' service stop = fail (1000)'
        Exit '1000'
    }
}
Remove-Item -Path "C:\Windows\SoftwareDistribution\download\*" -Recurse -Force -Confirm:$false -ErrorAction SilentlyContinue -verbose
# Start or Restart Services
$ServicesToStart = @("cryptSvc","wuauserv","msiserver","bfe","bits","eventsystem","rpcss","trustedinstaller","vss","winmgmt")
foreach($Service in $ServicesToStart) {
Start-Service -Name $Service -PassThru
$VerifyServiceStarted = Get-Service $Service | Where-Object {$_.status -eq "Running"} | select -last 1
if ($VerifyServiceStarted) {
Write-Host $Service' service running = succeed (0)'
} else {
Write-Host $Service' service did not start = fail (1000)'
Exit '1000'
}
}
# Call function to check MWAC logs
Get-MWAC-InboundData -FolderPath "C:\ProgramData\Malwarebytes\MBAMService\MwacDetections"
# Call function to get verbose software list
echo "Gathering verbose list of installed software"
Get-InstalledSoftwareList
# Get a verbose listing of all services
# echo "Gathering verbose list of all Services"
# Get-WmiObject -Class Win32_Service | Select-Object * | sort DisplayName
# Gather a verbose OS listing
echo "Gathering verbose Operating System information"
Get-CimInstance -ClassName CIM_OperatingSystem | select -Property * | Out-String -Width 4096
# Clear browser caches
echo "Clearing all browser cache. Google Chrome, MS Edge, Brave"
Remove-BrowserCache
# Remove temp files
echo "Clearing all temporary files"
Remove-TempFiles
# Verify the consistency of WMI
echo "Validate the integrity of WMI"
winmgmt /salvagerepository
winmgmt /verifyrepository
# Gather a list of network devices
echo "Listing of Network Devices"
Get-ItemProperty -Path Registry::"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\Descriptions" | Out-String -Width 4096
echo "Enable Automatic Recovery"
"bcdedit /export C:\exportBCDfile" | cmd.exe
"bcdedit.exe /set {default} recoveryenabled yes" | cmd.exe
"bcdedit /enum" | cmd.exe
# BitLocker status of every volume
Get-BitLockerVolume
# Read the licenseState line from the Malwarebytes license config (expand to a plain string so it interpolates)
$MBState = Get-ChildItem -Path "C:\ProgramData\Malwarebytes\MBAMService\config\LicenseConfig.json" -Recurse | Select-String 'licenseState' -SimpleMatch -List | Select-Object -ExpandProperty Line
"Malwarebytes State: $MBState"
# Call function to gather baseboard (motherboard) details
Get-BaseBoardInfo
# Call function to remove every Windows Defender exclusion
Remove-all-windefend-excludes
# Offline scan and fix of the C: volume
Repair-Volume -DriveLetter C -OfflineScanAndFix
# Call function to report boot time duration
Get-BootTimeDuration
EndPowerShell:
cmd: reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender" /s
cmd: reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinDefend" /s
cmd: sc qc WinDefend
cmd: sc queryex WinDefend
EmptyTemp:
Reboot:
Edited by buddy215, 29 May 2023 - 05:52 PM.
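Added example (not from the poster, the helper who sent the file, or Farbar): a small Python triage script that splits a fixlist into its FRST directives, its `cmd:` lines and the `Powershell:` ... `EndPowerShell:` block, then lists the operations that would change the machine. The only fixlist syntax it assumes is what the posted file itself shows (`Powershell:`/`EndPowerShell:`, `cmd:`, `EmptyTemp:`, `Reboot:`); the sample fixlist embedded in it is constructed and modelled on the posted one, and the risk patterns are heuristics, not a complete list of what PowerShell or cmd can do.

```python
"""Triage a FRST fixlist before running it.

Added example, not part of the original post and not Farbar's code.
It splits a fixlist into FRST directives, cmd: lines and the
Powershell: ... EndPowerShell: block (assumption: only the directive
syntax visible in the posted fixlist), then lists side-effecting
operations so a reviewer can see what the fix would do.
"""
import re

# Constructed sample, modelled on the posted fixlist (not the real file).
SAMPLE_FIXLIST = r"""
Powershell:
# set IPv4 precedence over IPv6
$newValue = New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\" -Name 'DisabledComponents' -PropertyType DWord -Value 32 -Force
Stop-Service -Name wuauserv -Force -PassThru
Remove-Item -Path "C:\Windows\SoftwareDistribution\download\*" -Recurse -Force -Confirm:$false -ErrorAction SilentlyContinue
"bcdedit.exe /set {default} recoveryenabled yes" | cmd.exe
Remove-all-windefend-excludes
EndPowerShell:
cmd: reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender" /s
cmd: sc qc WinDefend
EmptyTemp:
Reboot:
"""

# Heuristic patterns for operations that change the machine (assumption:
# a starting point for review, not a complete catalogue).
RISK_PATTERNS = [
    ("deletes files",       re.compile(r"\bRemove-Item\b|\b(del|erase|rd|rmdir)\b", re.I)),
    ("writes registry",     re.compile(r"\b(New|Set|Remove)-ItemProperty\b|\breg\s+(add|delete|import)\b", re.I)),
    ("stops services",      re.compile(r"\bStop-Service\b|\b(sc|net)\s+stop\b", re.I)),
    ("changes boot config", re.compile(r"\bbcdedit\b", re.I)),
    ("touches Defender",    re.compile(r"windefend|defender|MpPreference", re.I)),
    ("downloads content",   re.compile(r"\b(Invoke-WebRequest|iwr|curl|wget|Start-BitsTransfer)\b|Download(String|File)", re.I)),
    ("obfuscated command",  re.compile(r"-enc(odedcommand)?\b|FromBase64String|\biex\b|Invoke-Expression", re.I)),
]


def parse_fixlist(text):
    """Split fixlist text into directives, cmd: commands and PowerShell lines."""
    sections = {"directives": [], "cmd": [], "powershell": []}
    in_ps = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        low = line.lower()
        if in_ps:
            if low == "endpowershell:":
                in_ps = False
            else:
                sections["powershell"].append(line)
        elif low == "powershell:":
            in_ps = True
        elif low.startswith("cmd:"):
            sections["cmd"].append(line[len("cmd:"):].strip())
        else:
            sections["directives"].append(line)
    if in_ps:
        raise ValueError("Powershell: block never closed with EndPowerShell:")
    return sections


def flag_operations(sections):
    """Return (origin, label, line) for every line matching a risk pattern."""
    findings = []
    for origin in ("powershell", "cmd"):
        for line in sections[origin]:
            if line.startswith("#"):  # PowerShell comment, never executed
                continue
            for label, pattern in RISK_PATTERNS:
                if pattern.search(line):
                    findings.append((origin, label, line))
    for directive in sections["directives"]:
        name = directive.rstrip(":").lower()
        if name in ("emptytemp", "reboot"):  # directives visible in the posted fixlist
            findings.append(("directive", name, directive))
    return findings


def summarize(text):
    """Count findings per label for a fixlist given as text."""
    counts = {}
    for _, label, _ in flag_operations(parse_fixlist(text)):
        counts[label] = counts.get(label, 0) + 1
    return counts


if __name__ == "__main__":
    parsed = parse_fixlist(SAMPLE_FIXLIST)
    print(f"{len(parsed['powershell'])} PowerShell lines, "
          f"{len(parsed['cmd'])} cmd: lines, {len(parsed['directives'])} directives")
    for origin, label, line in flag_operations(parsed):
        print(f"[{origin:10}] {label:20} {line[:70]}")
```

Run it against the real Fixlist.txt by reading the file into `parse_fixlist`; a fixlist written by a forum helper to remove one extension should produce a short list of deletions aimed at the paths named in FRST.txt, so a long list of registry writes, service stops, Defender changes and boot-configuration edits is the thing to question before anyone runs the fix.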