Start
CreateRestorePoint:
CloseProcesses:
(StruSoft AB -> StruSoft AB) C:\Users\Anwender\jj.exe\fdupdate.exe
Folder: C:\Users\Anwender\jj.exe
HKU\S-1-5-21-3250840988-4123481697-4079406739-1000\...\Run: [FEM Designer Updater] => C:\Users\Anwender\jj.exe\fdupdate.exe [573768 2026-05-18] (StruSoft AB -> StruSoft AB) <==== ACHTUNG
Task: {02281965-AB78-48CC-8F35-5A172E47CF93} - System32\Tasks\FEM Designer Updater => C:\Users\Anwender\jj.exe\fdupdate.exe [573768 2026-05-18] (StruSoft AB -> StruSoft AB) <==== ACHTUNG
2026-05-19 00:12 - 2026-05-19 00:12 - 000003428 _____ C:\WINDOWS\system32\Tasks\FEM Designer Updater
2026-05-19 00:06 - 2026-05-19 00:19 - 944032064 _____ C:\Users\Anwender\Downloads\Nicht bestätigt 359182.crdownload
2026-05-18 23:57 - 2026-05-18 23:57 - 000000000 ____D C:\Users\Anwender\AppData\Local\Yandex
2026-05-18 23:56 - 2026-05-18 23:56 - 000000000 ____D C:\Users\Anwender\jj.exe
2026-05-18 23:55 - 2026-05-18 23:55 - 000000000 ____D C:\ProgramData\JAVAsocket_x86
2026-05-18 23:27 - 2026-05-18 23:27 - 000000000 ____D C:\Users\Anwender\AppData\Roaming\RenPy
2026-05-15 00:27 - 2026-05-15 00:27 - 000000000 ____D C:\Users\Anwender\AppData\Local\22bfc34d90b64054809542014fc9eb32
C:\Users\Anwender\AppData\Local\Temp\1cd84fff-8c98-486c-b380-e50ffb648dfe.tmp.node
C:\Users\Anwender\AppData\Local\Temp\57cb7211-bd8b-44d3-8189-f6263d29aec7.tmp.node
C:\Users\Anwender\AppData\Local\Temp\6c1adec1-02fb-4fbf-819f-8f75469ad86b.tmp.node
C:\Users\Anwender\AppData\Local\Temp\7e9a0215-cc22-4e2b-9f4f-5a7a5233d4f0.tmp.node
C:\Users\Anwender\AppData\Local\Temp\b17e7931-e7a1-4722-9831-08fd0eac90a6.tmp.node
C:\Users\Anwender\AppData\Local\Temp\b8489a3f-ddab-42b0-b7fb-29e3180b9a18.tmp.node
C:\Users\Anwender\AppData\Local\Temp\c5bd4418-30b2-430e-8c20-af324a5e4637.tmp.node
C:\Users\Anwender\AppData\Local\Temp\f45ed36d-909b-411c-8260-6a687346087b.tmp.node
AlternateDataStreams: C:\Users\Anwender\Downloads\FRST64.exe:MBAM.Zone.Identifier [450]
HKLM\SOFTWARE\Microsoft\Windows Defender: [DisableAntiSpyware] Beschränkung <==== ACHTUNG
HKLM\SOFTWARE\Microsoft\Windows Defender: [DisableAntiVirus] Beschränkung <==== ACHTUNG
HKLM\SOFTWARE\Policies\Google: Beschränkung <==== ACHTUNG
HKLM\SOFTWARE\Policies\Microsoft\Edge: Beschränkung <==== ACHTUNG
Task: {87555B29-C0C2-44E3-87F3-A0BD06278F9E} - System32\Tasks\Microsoft\Windows\UNP\RunUpdateNotificationMgr => %windir%\System32\UNP\UpdateNotificationMgr.exe (Keine Datei)
Task: {F3E6E7ED-A196-4E44-8803-55FAB3AD4E29} - System32\Tasks\Microsoft\Windows\UpdateOrchestrator\USO_UxBroker => %systemroot%\system32\MusNotification.exe (Keine Datei)
HKLM\...\RunOnce: [Delete Cached Update Binary] => C:\WINDOWS\system32\cmd.exe /q /c del /q "C:\Program Files\Microsoft OneDrive\Update\OneDriveSetup.exe" (Keine Datei)
S4 AmdTools64; \SystemRoot\System32\drivers\AmdTools64.sys (Keine Datei)
S4 amduw23g-200433-80200602; \SystemRoot\System32\DriverStore\FileRepository\u0200433.inf_amd64_4972d231f4dc3f24\B025963\amdkmdag.sys (Keine Datei)
S3 amduw23g-416988-c916d592; \SystemRoot\System32\DriverStore\FileRepository\u0416988.inf_amd64_502a898bef524158\B416392\amdkmdag.sys (Keine Datei)
ShellIconOverlayIdentifiers: [ ProjectShareLocked] -> {C88B0D3F-9DD1-4CC6-8BED-E28DE51D7BB7} => C:\Program Files\Common Files\Bentley Shared\CONNECTION Client\ProjectShareOverlay.dll -> Keine Datei
FirewallRules: [{2E95C846-ECB1-4CC7-AA3A-AD8DFBFA3536}] => (Allow) C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe => Keine Datei
FirewallRules: [{6DF9ED41-E944-48AA-A107-993039B1EF47}] => (Allow) C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe => Keine Datei
FirewallRules: [{3DAC896A-5CAC-45AE-90CB-1D63475893AB}] => (Allow) C:\Program Files\Razer\RazerAppEngine\app-4.0.660\RazerAppEngine.exe => Keine Datei
File: C:\Users\Anwender\Downloads\Eden-Windows-v0.2.0-amd64-clang-pgo.zip;C:\DumpStack.log.tmp
Folder: C:\Users\Anwender\Downloads\Eden-Windows-v0.2.0-amd64-clang-pgo
Folder: C:\Users\Anwender\AppData\Local\Temp\tmp-28401-BUzefCc7XbjI
Folder: C:\Users\Anwender\AppData\Local\Temp\tmp-13234-LgR7VOclE97V
Folder: C:\Users\Anwender\AppData\Local\Temp\tmp-15886-PqsWtBcZqUlF
Folder: C:\Users\Anwender\AppData\Roaming\CELSYS_EN\CLIPStudioPaint\e09a3052133c916792f2c0994d8c4711
Folder: C:\Users\Anwender\Downloads\Archive_get_921356
C:\Users\Anwender\AppData\Local\Temp\tmp-28401-BUzefCc7XbjI
C:\Users\Anwender\AppData\Local\Temp\tmp-13234-LgR7VOclE97V
C:\Users\Anwender\AppData\Local\Temp\tmp-15886-PqsWtBcZqUlF
C:\Users\Anwender\AppData\Roaming\CELSYS_EN\CLIPStudioPaint\e09a3052133c916792f2c0994d8c4711
C:\Users\Anwender\Downloads\Archive_get_921356\Setup.exe
Powershell: Get-ScheduledTask | select -first 30 | Get-ScheduledTaskInfo
Powershell: @("$env:APPDATA","$env:LOCALAPPDATA") | ForEach-Object { Get-ChildItem $_ -Recurse -Filter "index.js" -ErrorAction SilentlyContinue } | Where-Object { $_.FullName -match "discord_desktop_core" } | ForEach-Object { Write-Host "--- $($_.FullName) ---"; (Get-Content $_.FullName -Raw).Substring(0,[Math]::Min(2000,(Get-Content $_.FullName -Raw).Length)) }
Powershell: (Get-ItemProperty "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU" -ErrorAction SilentlyContinue).PSObject.Properties | Where-Object { $_.Name -match "^[a-z]$" } | ForEach-Object { Write-Host "$($_.Name): $($_.Value)" }
C:\WINDOWS\Temp\*
C:\WINDOWS\SystemTemp\*
C:\Users\Anwender\AppData\Local\Temp\*
StartPowerShell:
# Downloads the newest AdwCleaner version directly from Malwarebytes, performs an update, scans, cleans and writes the log to the console
# Does not clean preinstalled objects, only PUP/Adware
# If you would like to delete preinstalled objects, add the argument /preinstalled after the /clean argument
# If you would like to only scan with it, change the argument from /clean to /scan
New-Item -ItemType Directory -Force -Path "$env:SystemDrive\AdwCleaner" | Out-Null
Invoke-WebRequest -Uri "https://adwcleaner.malwarebytes.com/adwcleaner?channel=release" -OutFile "$env:SystemDrive\AdwCleaner\AdwCleanerFRST.exe"
Start-Process -FilePath "$env:SystemDrive\AdwCleaner\AdwCleanerFRST.exe" -ArgumentList "/eula" -Wait -WindowStyle Hidden
$logFile = "$env:SystemDrive\AdwCleaner\AdwCleanerOutputFRST.txt"
Start-Process -FilePath "$env:SystemDrive\AdwCleaner\AdwCleanerFRST.exe" -ArgumentList "/noreboot /clean" -Wait -WindowStyle Hidden -RedirectStandardOutput $logFile
Get-Content $logFile -Encoding Unicode
Remove-Item -Path $logFile -Force -ErrorAction SilentlyContinue
EndPowerShell:
StartPowershell:
# Replace /scanonly with /clean if you also want to delete items -- however, this will activate a trial license on the system, so I do not recommend it
$hmpExe = "$env:TEMP\HitmanPro_x64.exe"
$logFile = "$env:TEMP\HitmanPro_ScanLog.txt"
Invoke-WebRequest -Uri "https://dl.surfright.nl/HitmanPro_x64.exe" -OutFile $hmpExe -UseBasicParsing
$proc = Start-Process $hmpExe -ArgumentList "/ews","/scanonly","/noinstall","/log=`"$logFile`"","/logtype=txt" -Wait -PassThru
if (!(Test-Path $logFile)) { Write-Host "Scan failed (exit $($proc.ExitCode))"; exit 1 }
Get-Content $logFile -Encoding Unicode
EndPowershell:
StartPowerShell:
# This snippet downloads Emsisoft Emergency Kit (EEK) from Emsisoft's official site, updates it and scans with it.
# Do note that the executable is 300MB and may take some time to download.
# ---
# This will scan for malware and PUPs in 1) system memory 2) important folders, as the documentation says
# It will scan inside compressed archives, mail archives and NTFS alternate data streams, and use cloud requests
# ---
# You can use the argument "/delete" to delete found objects including references, but this is permanent and irreversible.
# You can remove the "/quick" argument to do a full scan, but that may take longer than what FRST can handle.
# You can use the argument "/quarantine="[folder]"" to put found malware into quarantine, but I personally prefer first verifying the detections.
$downloadUrl = "https://dl.emsisoft.com/EmsisoftEmergencyKit.exe"
$systemDrive = $env:SystemDrive
$frstPath = "$systemDrive\FRST"
$savePath = "$frstPath\EEK.exe"
$extractPath = "$frstPath\EEK"
if (-not (Test-Path $frstPath)) { New-Item -Path $frstPath -ItemType Directory -Force | Out-Null }
if (-not (Test-Path $extractPath)) { New-Item -Path $extractPath -ItemType Directory -Force | Out-Null }
Invoke-WebRequest -Uri $downloadUrl -OutFile $savePath -UseBasicParsing
# Silent self-extraction into $extractPath; wait until the scanner binary appears, then stop the extractor
$proc = Start-Process -FilePath $savePath -ArgumentList "-s -d`"$extractPath`"" -PassThru
while (-not (Test-Path "$extractPath\bin64\a2cmd.exe")) { Start-Sleep -Milliseconds 1000 }
Stop-Process -Id $proc.Id -Force -ErrorAction SilentlyContinue
if ([Environment]::Is64BitOperatingSystem) {
    $a2cmdPath = Join-Path $extractPath "bin64\a2cmd.exe"
} else {
    $a2cmdPath = Join-Path $extractPath "bin32\a2cmd.exe"
}
Start-Process -FilePath $a2cmdPath -ArgumentList "/update" -Wait -NoNewWindow
Start-Process -FilePath $a2cmdPath -ArgumentList "/malware /quick /m /t /pup /a /am /cloud=1 /la=`"$frstPath\EEK_scan.log`"" -Wait -NoNewWindow
Get-Content "$frstPath\EEK_scan.log"
exit
EndPowerShell:
cmd: del %temp%\*.* /f /s /q
cmd: rd /s /q %temp%
cmd: bitsadmin /reset /allusers
cmd: netsh winsock reset catalog
cmd: ipconfig /flushdns
RemoveProxy:
EmptyTemp:
End