Start
CreateRestorePoint:
CloseProcesses:
(StruSoft AB -> StruSoft AB) C:\Users\Anwender\jj.exe\fdupdate.exe
Folder: C:\Users\Anwender\jj.exe
HKU\S-1-5-21-3250840988-4123481697-4079406739-1000\...\Run: [FEM Designer Updater] => C:\Users\Anwender\jj.exe\fdupdate.exe [573768 2026-05-18] (StruSoft AB -> StruSoft AB) <==== ACHTUNG
Task: {02281965-AB78-48CC-8F35-5A172E47CF93} - System32\Tasks\FEM Designer Updater => C:\Users\Anwender\jj.exe\fdupdate.exe [573768 2026-05-18] (StruSoft AB -> StruSoft AB) <==== ACHTUNG
2026-05-19 00:12 - 2026-05-19 00:12 - 000003428 _____ C:\WINDOWS\system32\Tasks\FEM Designer Updater
2026-05-19 00:06 - 2026-05-19 00:19 - 944032064 _____ C:\Users\Anwender\Downloads\Nicht bestätigt 359182.crdownload
2026-05-18 23:57 - 2026-05-18 23:57 - 000000000 ____D C:\Users\Anwender\AppData\Local\Yandex
2026-05-18 23:56 - 2026-05-18 23:56 - 000000000 ____D C:\Users\Anwender\jj.exe
2026-05-18 23:55 - 2026-05-18 23:55 - 000000000 ____D C:\ProgramData\JAVAsocket_x86
2026-05-18 23:27 - 2026-05-18 23:27 - 000000000 ____D C:\Users\Anwender\AppData\Roaming\RenPy
2026-05-15 00:27 - 2026-05-15 00:27 - 000000000 ____D C:\Users\Anwender\AppData\Local\22bfc34d90b64054809542014fc9eb32
C:\Users\Anwender\AppData\Local\Temp\1cd84fff-8c98-486c-b380-e50ffb648dfe.tmp.node
C:\Users\Anwender\AppData\Local\Temp\57cb7211-bd8b-44d3-8189-f6263d29aec7.tmp.node
C:\Users\Anwender\AppData\Local\Temp\6c1adec1-02fb-4fbf-819f-8f75469ad86b.tmp.node
C:\Users\Anwender\AppData\Local\Temp\7e9a0215-cc22-4e2b-9f4f-5a7a5233d4f0.tmp.node
C:\Users\Anwender\AppData\Local\Temp\b17e7931-e7a1-4722-9831-08fd0eac90a6.tmp.node
C:\Users\Anwender\AppData\Local\Temp\b8489a3f-ddab-42b0-b7fb-29e3180b9a18.tmp.node
C:\Users\Anwender\AppData\Local\Temp\c5bd4418-30b2-430e-8c20-af324a5e4637.tmp.node
C:\Users\Anwender\AppData\Local\Temp\f45ed36d-909b-411c-8260-6a687346087b.tmp.node
AlternateDataStreams: C:\Users\Anwender\Downloads\FRST64.exe:MBAM.Zone.Identifier [450]
HKLM\SOFTWARE\Microsoft\Windows Defender: [DisableAntiSpyware] Beschränkung <==== ACHTUNG
HKLM\SOFTWARE\Microsoft\Windows Defender: [DisableAntiVirus] Beschränkung <==== ACHTUNG
HKLM\SOFTWARE\Policies\Google: Beschränkung <==== ACHTUNG
HKLM\SOFTWARE\Policies\Microsoft\Edge: Beschränkung <==== ACHTUNG
Task: {87555B29-C0C2-44E3-87F3-A0BD06278F9E} - System32\Tasks\Microsoft\Windows\UNP\RunUpdateNotificationMgr => %windir%\System32\UNP\UpdateNotificationMgr.exe (Keine Datei)
Task: {F3E6E7ED-A196-4E44-8803-55FAB3AD4E29} - System32\Tasks\Microsoft\Windows\UpdateOrchestrator\USO_UxBroker => %systemroot%\system32\MusNotification.exe (Keine Datei)
HKLM\...\RunOnce: [Delete Cached Update Binary] => C:\WINDOWS\system32\cmd.exe /q /c del /q "C:\Program Files\Microsoft OneDrive\Update\OneDriveSetup.exe" (Keine Datei)
S4 AmdTools64; \SystemRoot\System32\drivers\AmdTools64.sys (Keine Datei)
S4 amduw23g-200433-80200602; \SystemRoot\System32\DriverStore\FileRepository\u0200433.inf_amd64_4972d231f4dc3f24\B025963\amdkmdag.sys (Keine Datei)
S3 amduw23g-416988-c916d592; \SystemRoot\System32\DriverStore\FileRepository\u0416988.inf_amd64_502a898bef524158\B416392\amdkmdag.sys (Keine Datei)
ShellIconOverlayIdentifiers: [ ProjectShareLocked] -> {C88B0D3F-9DD1-4CC6-8BED-E28DE51D7BB7} => C:\Program Files\Common Files\Bentley Shared\CONNECTION Client\ProjectShareOverlay.dll -> Keine Datei
FirewallRules: [{2E95C846-ECB1-4CC7-AA3A-AD8DFBFA3536}] => (Allow) C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe => Keine Datei
FirewallRules: [{6DF9ED41-E944-48AA-A107-993039B1EF47}] => (Allow) C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe => Keine Datei
FirewallRules: [{3DAC896A-5CAC-45AE-90CB-1D63475893AB}] => (Allow) C:\Program Files\Razer\RazerAppEngine\app-4.0.660\RazerAppEngine.exe => Keine Datei
File: C:\Users\Anwender\Downloads\Eden-Windows-v0.2.0-amd64-clang-pgo.zip;C:\DumpStack.log.tmp
Folder: C:\Users\Anwender\Downloads\Eden-Windows-v0.2.0-amd64-clang-pgo
Folder: C:\Users\Anwender\AppData\Local\Temp\tmp-28401-BUzefCc7XbjI
Folder: C:\Users\Anwender\AppData\Local\Temp\tmp-13234-LgR7VOclE97V
Folder: C:\Users\Anwender\AppData\Local\Temp\tmp-15886-PqsWtBcZqUlF
Folder: C:\Users\Anwender\AppData\Roaming\CELSYS_EN\CLIPStudioPaint\e09a3052133c916792f2c0994d8c4711
Folder: C:\Users\Anwender\Downloads\Archive_get_921356
C:\Users\Anwender\AppData\Local\Temp\tmp-28401-BUzefCc7XbjI
C:\Users\Anwender\AppData\Local\Temp\tmp-13234-LgR7VOclE97V
C:\Users\Anwender\AppData\Local\Temp\tmp-15886-PqsWtBcZqUlF
C:\Users\Anwender\AppData\Roaming\CELSYS_EN\CLIPStudioPaint\e09a3052133c916792f2c0994d8c4711
C:\Users\Anwender\Downloads\Archive_get_921356\Setup.exe
Powershell: Get-ScheduledTask | select -first 30 | Get-ScheduledTaskInfo
Powershell: @("$env:APPDATA","$env:LOCALAPPDATA") | ForEach-Object { Get-ChildItem $_ -Recurse -Filter "index.js" -ErrorAction SilentlyContinue } | Where-Object { $_.FullName -match "discord_desktop_core" } | ForEach-Object { Write-Host "--- $($_.FullName) ---"; [string]$c = Get-Content $_.FullName -Raw; $c.Substring(0,[Math]::Min(2000,$c.Length)) }
Powershell: (Get-ItemProperty "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU" -ErrorAction SilentlyContinue).PSObject.Properties | Where-Object { $_.Name -match "^[a-z]$" } | ForEach-Object { Write-Host "$($_.Name): $($_.Value)" }
C:\WINDOWS\Temp\*
C:\WINDOWS\SystemTemp\*
C:\Users\Anwender\AppData\Local\Temp\*
StartPowerShell:
# Downloads the newest AdwCleaner version directly from Malwarebytes, updates it, scans, cleans and writes the log to the console
# Does not clean preinstalled objects, only PUP/Adware
# If you would like to delete preinstalled objects, add an argument /preinstalled to the /clean argument
# If you would like to only scan with it, change the argument from /clean to /scan
New-Item -ItemType Directory -Force -Path "$env:SystemDrive\AdwCleaner" | Out-Null
Invoke-WebRequest -Uri "https://adwcleaner.malwarebytes.com/adwcleaner?channel=release" -OutFile "$env:SystemDrive\AdwCleaner\AdwCleanerFRST.exe" -UseBasicParsing
Start-Process -FilePath "$env:SystemDrive\AdwCleaner\AdwCleanerFRST.exe" -ArgumentList "/eula" -Wait -WindowStyle Hidden
$logFile = "$env:SystemDrive\AdwCleaner\AdwCleanerOutputFRST.txt"
Start-Process -FilePath "$env:SystemDrive\AdwCleaner\AdwCleanerFRST.exe" -ArgumentList "/noreboot /clean" -Wait -WindowStyle Hidden -RedirectStandardOutput $logFile
Get-Content $logFile -Encoding Unicode
Remove-Item -Path $logFile -Force -ErrorAction SilentlyContinue
EndPowerShell:
StartPowerShell:
# Replace /scanonly with /clean if you also want to delete items; however, this activates a trial license on the system, so I do not recommend it
$hmpExe = "$env:TEMP\HitmanPro_x64.exe"
$logFile = "$env:TEMP\HitmanPro_ScanLog.txt"
Invoke-WebRequest -Uri "https://dl.surfright.nl/HitmanPro_x64.exe" -OutFile $hmpExe -UseBasicParsing
$proc = Start-Process $hmpExe -ArgumentList "/ews","/scanonly","/noinstall","/log=`"$logFile`"","/logtype=txt" -Wait -PassThru
if (!(Test-Path $logFile)) { Write-Host "Scan failed (exit $($proc.ExitCode))"; exit 1 }
Get-Content $logFile -Encoding Unicode
EndPowerShell:
StartPowerShell:
# This snippet downloads Emsisoft Emergency Kit (EEK) from Emsisoft's official site, updates it and scans with it.
# Note that the executable is about 300 MB and may take some time to download.
# ---
# This scans for malware and PUPs in 1) system memory and 2) important folders, as the documentation describes.
# It scans inside compressed archives, mail archives and NTFS alternate data streams, and uses cloud lookups.
# ---
# You can add the argument /delete to delete found objects including their references, but this is permanent and irreversible.
# You can remove the /quick argument to do a full scan, but that may take longer than FRST can handle.
# You can add the argument /quarantine="[folder]" to put found malware into quarantine, but I personally prefer verifying the detections first.
$downloadUrl = "https://dl.emsisoft.com/EmsisoftEmergencyKit.exe"
$systemDrive = $env:SystemDrive
$frstPath = "$systemDrive\FRST"
$savePath = "$frstPath\EEK.exe"
$extractPath = "$frstPath\EEK"
if (-not (Test-Path $frstPath)) {
    New-Item -Path $frstPath -ItemType Directory -Force | Out-Null
}
if (-not (Test-Path $extractPath)) {
    New-Item -Path $extractPath -ItemType Directory -Force | Out-Null
}
Invoke-WebRequest -Uri $downloadUrl -OutFile $savePath -UseBasicParsing
$proc = Start-Process -FilePath $savePath -ArgumentList "-s -d`"$extractPath`"" -PassThru
# Wait for the self-extractor to drop the scanner binary, but give up after 10 minutes instead of looping forever
$deadline = (Get-Date).AddMinutes(10)
while (-not (Test-Path "$extractPath\bin64\a2cmd.exe") -and ((Get-Date) -lt $deadline)) { Start-Sleep -Milliseconds 1000 }
Stop-Process -Id $proc.Id -Force -ErrorAction SilentlyContinue
if (-not (Test-Path "$extractPath\bin64\a2cmd.exe")) { Write-Host "EEK extraction did not complete within 10 minutes"; exit 1 }
if ([Environment]::Is64BitOperatingSystem) {
    $a2cmdPath = Join-Path $extractPath "bin64\a2cmd.exe"
} else {
    $a2cmdPath = Join-Path $extractPath "bin32\a2cmd.exe"
}
Start-Process -FilePath $a2cmdPath -ArgumentList "/update" -Wait -NoNewWindow
Start-Process -FilePath $a2cmdPath -ArgumentList "/malware /quick /m /t /pup /a /am /cloud=1 /la=`"$frstPath\EEK_scan.log`"" -Wait -NoNewWindow
Get-Content "$frstPath\EEK_scan.log"
exit
EndPowerShell:
cmd: del %temp%\*.* /f /s /q
cmd: rd /s /q %temp%
cmd: bitsadmin /reset /allusers
cmd: netsh winsock reset catalog
cmd: ipconfig /flushdns
RemoveProxy:
EmptyTemp:
End