zavirované PC

[Runn77]

Dobrý den prosím o pomoc s mým PC. V příloze posílám v souboru zip vygenerovaný výpis FRST64. Na obyčejné vložení mi připadá příliš dlouhý. Děkuji předem za pomoc.
Runn77 - Zbyněk

[Rudy]

Zdravím!
1. Spusťte nejprve tuto utilitu:

Ulozte na plochu AdwCleaner https://malwarebytes.com/adwcleaner/ nebo http://www.bleepingcomputer.com/download/adwcleaner/

ukoncete vsechny programy
odsouhlaste licencni podmiky (EULA) klikem na Souhlasim
kliknete pravym na ikonu AdwCleaneru a vyberte Spustit jako spravce (v pripade Win XP spustte obycejne dvojklikem)
kliknete na Skenovat nyni (Scan now), pote na Cisteni a opravy (Clean and Repair)
po restartu na Vas vyskoci log (pripadne jej najdete v C:\AdwCleaner\Logs\AdwCleaner[Cxx].txt), jehoz obsah zkopirujte do pristi odpovedi

[Runn77]

Zdravím a posílám oba soubory.
Možná mám ještě komplikaci v tom, že v PC jsou dva disky systémový SSD a datový HDD a na ten mám přesměrovaný celý svůj profil (Plocha, stažené atd). Ten jsem vypojil a v zavirovaném PC je teď pouze systémové C. Ten datový jsem připojil do jiného PC a otestoval plným testem ESETu a bez nálezu.
AdwCleaner jsem ale dostal na plochu Public a odtud jej jako správce spustil.
Děkuji moc
# -------------------------------
# Malwarebytes AdwCleaner 8.8.1.639
# -------------------------------
# Build: 05-13-2026
# Database: 2026-04-29.3 (Local)
# Support: https://help.malwarebytes.com/
#
# -------------------------------
# Mode: Scan
# -------------------------------
# Start: 06-09-2026
# Duration: 00:00:09
# OS: Windows 11 (Build 26100.8457)
# Scanned: 32078
# Detected: 0


***** [ Services ] *****

No malicious services found.

***** [ Folders ] *****

No malicious folders found.

***** [ Files ] *****

No malicious files found.

***** [ DLL ] *****

No malicious DLLs found.

***** [ WMI ] *****

No malicious WMI found.

***** [ Shortcuts ] *****

No malicious shortcuts found.

***** [ Tasks ] *****

No malicious tasks found.

***** [ Registry ] *****

No malicious registry entries found.

***** [ Chromium (and derivatives) ] *****

No malicious Chromium entries found.

***** [ Chromium URLs ] *****

No malicious Chromium URLs found.

***** [ Firefox (and derivatives) ] *****

No malicious Firefox entries found.

***** [ Firefox URLs ] *****

No malicious Firefox URLs found.

***** [ Hosts File Entries ] *****

No malicious hosts file entries found.

***** [ Preinstalled Software ] *****

No Preinstalled Software found.


AdwCleaner[S00].txt - [1416 octets] - [09/06/2026 10:01:55]
AdwCleaner[S01].txt - [1538 octets] - [09/06/2026 10:06:24]
AdwCleaner[S02].txt - [1538 octets] - [09/06/2026 10:08:12]
AdwCleaner[S03].txt - [1599 octets] - [09/06/2026 10:09:51]
AdwCleaner[C03].txt - [1789 octets] - [09/06/2026 10:10:02]

########## EOF - C:\AdwCleaner\Logs\AdwCleaner[S04].txt ##########

# -------------------------------
# Malwarebytes AdwCleaner 8.8.1.639
# -------------------------------
# Build: 05-13-2026
# Database: 2026-04-29.3 (Local)
# Support: https://help.malwarebytes.com/
#
# -------------------------------
# Mode: Clean
# -------------------------------
# Start: 06-09-2026
# Duration: 00:00:00
# OS: Windows 11 (Build 26100.8457)
# Cleaned: 0
# Failed: 0


***** [ Services ] *****

No malicious services cleaned.

***** [ Folders ] *****

No malicious folders cleaned.

***** [ Files ] *****

No malicious files cleaned.

***** [ DLL ] *****

No malicious DLLs cleaned.

***** [ WMI ] *****

No malicious WMI cleaned.

***** [ Shortcuts ] *****

No malicious shortcuts cleaned.

***** [ Tasks ] *****

No malicious tasks cleaned.

***** [ Registry ] *****

No malicious registry entries cleaned.

***** [ Chromium (and derivatives) ] *****

No malicious Chromium entries cleaned.

***** [ Chromium URLs ] *****

No malicious Chromium URLs cleaned.

***** [ Firefox (and derivatives) ] *****

No malicious Firefox entries cleaned.

***** [ Firefox URLs ] *****

No malicious Firefox URLs cleaned.

***** [ Hosts File Entries ] *****

No malicious hosts file entries cleaned.

***** [ Preinstalled Software ] *****

No Preinstalled Software cleaned.


*************************

[+] Delete Tracing Keys
[+] Reset Winsock

*************************

AdwCleaner[S04].txt - [1721 octets] - [09/06/2026 10:13:23]

########## EOF - C:\AdwCleaner\Logs\AdwCleaner[C04].txt ##########

[Rudy]

Toto je OK. Přidejte ještě log Addition . Je v D:\ v souboru addition.txt

[Runn77]

Bohužel na celém disku neni žádný soubor tohoto jména

[Runn77]

A na tom vyjmutém disku taky není.

[Rudy]

Z D:\ byl FRST spuštěn a do stejného adresáře pak ukládá vše, co vytvoří. Nesmazal jste si jej? Pokud soubor nenajdete, bude třeba udělat nové logy (FRST + Addition) a vložit je sem.

[Runn77]

Zdravím, omlouvám se jsem hodně mimo.
Zavirovaný počítač jsem nabootoval z USB flashdisku HirensBCD na ktery jsem dohrál ten FRST64. Ten jsem dnes ráno znovu spustil. Vytvořil adresář FRST ale v adresáři FRST/logs je pouze jeden txt soubor a ten znovu v příloze zazipovaný posílám.
Díky moc

[Runn77]

Ten adresář vytvořil na tom zavirovaném disku C

[Rudy]

1. PC nelze spustit v normálním režimu? Pokud byste si přečetl návod: http://forum.viry.cz/viewtopic.php?f=24&t=132509 , dověděl byste se, že FRST je třeba spustit z problémového systému. V opačném případě je to nanic.
2. PC nemusí být zavirován, může se jednat o systémovou chybu.

[Runn77]

Mohu se na viry.cz přihlásit z zavirovaného PC?
Před chvilkou jsem znovu z něj spustil FRST a mám tam oba soubory. Jeden má 28 kB a druhý 33kB mám je jen vložit nebo poslat v ZIP. Toto píšu z druhého NB a přiložím obrázky co mi vyskakují. Když se objevily, bylo jasné že mám problém. Tak jsem je vždy zavíral křížkem, neklepal na žádné tlačítko.
Na plochu se bohužel nedostanu, zůstalo mi přesměrování na vyjmutý HDD. Ten FRST jsem si uložil do TEMP a přes cmd jako administrátor spustil
Omlouvám se za zmatky
Zbyněk

[Runn77]

Přikládám oba logy:

[Rudy]

Samozřejmě, že se můžete přihlásit. Zatím jsem ale nenašel nic, co by nasvědčovalo tomu, že je PC zavirován.

Otevřte poznámkový blok a zkopírujte do něj:

Start

CloseProcesses:
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender: Restriction <==== ATTENTION
HKU\S-1-5-21-2292089391-1343519791-1179752980-1002\...\MountPoints2: {31ec7b5c-41fb-11f1-b334-10e7c6299e73} - "I:\HonorSuiteOnlineInstaller.exe"
HKLM\Software\...\Authentication\Credential Providers: [{C885AA15-1764-4293-B82A-0586ADD46B35}] ->
Task: {B034B4FF-B61A-43E7-9E7A-FF4D1A5AF39F} - System32\Tasks\IObit NY2026Sale (One-time) => "C:\Program Files (x86)\IObit\Driver Booster\Pub\enny26.exe" -> C:\Program Files (x86)\IObit\Driver Booster\Pub\\/rpop <==== ATTENTION
Task: {A21F35B5-63C9-49B6-9889-F4D0E0D220BB} - System32\Tasks\Microsoft\Windows\Clip\ClipESU => %SystemRoot%\system32\clipesu.exe (No File)
Task: {E88D9B2C-DDEA-47B2-9582-085153004DB5} - System32\Tasks\Microsoft\Windows\Location\Notifications => %windir%\System32\LocationNotificationWindows.exe (No File)
Task: {CCDFC0B8-01A3-4E74-A820-4F13F51D269E} - System32\Tasks\Microsoft\Windows\Mobile Broadband Accounts\MNO Metadata Parser => %SystemRoot%\System32\MbaeParserTask.exe (No File)
Task: {CDA52DED-04C0-4AC3-B660-DD8DF4EED8A3} - System32\Tasks\Microsoft\Windows\UpdateOrchestrator\MusUx_LogonUpdateResults => %systemroot%\system32\MusNotification.exe LogonUpdateResults (No File)
Task: {C0B5D12D-0DB9-46E8-8B77-C9BE948532D7} - System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Reboot_AC => %systemroot%\system32\MusNotification.exe /RunOnAC RebootDialog (No File)
Task: {AD3042DF-A4B6-4CA8-B9A7-ECC94E14E22A} - System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Reboot_Battery => %systemroot%\system32\MusNotification.exe /RunOnBattery RebootDialog (No File)
Task: {F3E6E7ED-A196-4E44-8803-55FAB3AD4E29} - System32\Tasks\Microsoft\Windows\UpdateOrchestrator\USO_UxBroker => %systemroot%\system32\MusNotification.exe (No File)
S3 RwDrv; \??\C:\WINDOWS\system32\Drivers\RwDrv.sys (No File)
C:\WINDOWS\system32\5E37410B-D6F1-471D-AE27-563CEAC0D6B2
C:\DumpStack.log.tmp

EmptyTemp:
End

Uložte do C:\Temp jako fixlist.txt. Spusťte znovu FRST a klikněte na >Fix<. Po skončení akce se objeví log, který sem zkopírujte.

[Runn77]

Omlouvám se za zpoždění ale jsem hodně mimo. Posílám požadovaný log:
Fix result of Farbar Recovery Scan Tool (x64) Version: 11-06-2026
Ran by Zbynek (11-06-2026 19:55:23) Run:1
Running from C:\Temp
Loaded Profiles: Zbynek
Boot Mode: Normal
==============================================

fixlist content:
*****************
Start

CloseProcesses:
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender: Restriction <==== ATTENTION
HKU\S-1-5-21-2292089391-1343519791-1179752980-1002\...\MountPoints2: {31ec7b5c-41fb-11f1-b334-10e7c6299e73} - "I:\HonorSuiteOnlineInstaller.exe"
HKLM\Software\...\Authentication\Credential Providers: [{C885AA15-1764-4293-B82A-0586ADD46B35}] ->
Task: {B034B4FF-B61A-43E7-9E7A-FF4D1A5AF39F} - System32\Tasks\IObit NY2026Sale (One-time) => "C:\Program Files (x86)\IObit\Driver Booster\Pub\enny26.exe" -> C:\Program Files (x86)\IObit\Driver Booster\Pub\\/rpop <==== ATTENTION
Task: {A21F35B5-63C9-49B6-9889-F4D0E0D220BB} - System32\Tasks\Microsoft\Windows\Clip\ClipESU => %SystemRoot%\system32\clipesu.exe (No File)
Task: {E88D9B2C-DDEA-47B2-9582-085153004DB5} - System32\Tasks\Microsoft\Windows\Location\Notifications => %windir%\System32\LocationNotificationWindows.exe (No File)
Task: {CCDFC0B8-01A3-4E74-A820-4F13F51D269E} - System32\Tasks\Microsoft\Windows\Mobile Broadband Accounts\MNO Metadata Parser => %SystemRoot%\System32\MbaeParserTask.exe (No File)
Task: {CDA52DED-04C0-4AC3-B660-DD8DF4EED8A3} - System32\Tasks\Microsoft\Windows\UpdateOrchestrator\MusUx_LogonUpdateResults => %systemroot%\system32\MusNotification.exe LogonUpdateResults (No File)
Task: {C0B5D12D-0DB9-46E8-8B77-C9BE948532D7} - System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Reboot_AC => %systemroot%\system32\MusNotification.exe /RunOnAC RebootDialog (No File)
Task: {AD3042DF-A4B6-4CA8-B9A7-ECC94E14E22A} - System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Reboot_Battery => %systemroot%\system32\MusNotification.exe /RunOnBattery RebootDialog (No File)
Task: {F3E6E7ED-A196-4E44-8803-55FAB3AD4E29} - System32\Tasks\Microsoft\Windows\UpdateOrchestrator\USO_UxBroker => %systemroot%\system32\MusNotification.exe (No File)
S3 RwDrv; \??\C:\WINDOWS\system32\Drivers\RwDrv.sys (No File)
C:\WINDOWS\system32\5E37410B-D6F1-471D-AE27-563CEAC0D6B2
C:\DumpStack.log.tmp

EmptyTemp:
End
*****************

Processes closed successfully.
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender => removed successfully
HKU\S-1-5-21-2292089391-1343519791-1179752980-1002\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{31ec7b5c-41fb-11f1-b334-10e7c6299e73} => removed successfully
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\{C885AA15-1764-4293-B82A-0586ADD46B35} => removed successfully
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{B034B4FF-B61A-43E7-9E7A-FF4D1A5AF39F}" => removed successfully
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{B034B4FF-B61A-43E7-9E7A-FF4D1A5AF39F}" => removed successfully
C:\WINDOWS\System32\Tasks\IObit NY2026Sale (One-time) => moved successfully
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\IObit NY2026Sale (One-time)" => removed successfully
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{A21F35B5-63C9-49B6-9889-F4D0E0D220BB}" => removed successfully
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{A21F35B5-63C9-49B6-9889-F4D0E0D220BB}" => removed successfully
C:\WINDOWS\System32\Tasks\Microsoft\Windows\Clip\ClipESU => moved successfully
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Clip\ClipESU" => removed successfully
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{E88D9B2C-DDEA-47B2-9582-085153004DB5}" => removed successfully
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{E88D9B2C-DDEA-47B2-9582-085153004DB5}" => removed successfully
C:\WINDOWS\System32\Tasks\Microsoft\Windows\Location\Notifications => moved successfully
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Location\Notifications" => removed successfully
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{CCDFC0B8-01A3-4E74-A820-4F13F51D269E}" => removed successfully
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{CCDFC0B8-01A3-4E74-A820-4F13F51D269E}" => removed successfully
C:\WINDOWS\System32\Tasks\Microsoft\Windows\Mobile Broadband Accounts\MNO Metadata Parser => moved successfully
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Mobile Broadband Accounts\MNO Metadata Parser" => removed successfully
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{CDA52DED-04C0-4AC3-B660-DD8DF4EED8A3}" => removed successfully
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{CDA52DED-04C0-4AC3-B660-DD8DF4EED8A3}" => removed successfully
C:\WINDOWS\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\MusUx_LogonUpdateResults => moved successfully
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\UpdateOrchestrator\MusUx_LogonUpdateResults" => removed successfully
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{C0B5D12D-0DB9-46E8-8B77-C9BE948532D7}" => removed successfully
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{C0B5D12D-0DB9-46E8-8B77-C9BE948532D7}" => removed successfully
C:\WINDOWS\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Reboot_AC => moved successfully
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\UpdateOrchestrator\Reboot_AC" => removed successfully
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{AD3042DF-A4B6-4CA8-B9A7-ECC94E14E22A}" => removed successfully
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{AD3042DF-A4B6-4CA8-B9A7-ECC94E14E22A}" => removed successfully
C:\WINDOWS\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Reboot_Battery => moved successfully
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\UpdateOrchestrator\Reboot_Battery" => removed successfully
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{F3E6E7ED-A196-4E44-8803-55FAB3AD4E29}" => removed successfully
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{F3E6E7ED-A196-4E44-8803-55FAB3AD4E29}" => removed successfully
C:\WINDOWS\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\USO_UxBroker => moved successfully
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\UpdateOrchestrator\USO_UxBroker" => removed successfully
HKLM\System\CurrentControlSet\Services\RwDrv => removed successfully
RwDrv => service removed successfully
Could not move "C:\WINDOWS\system32\5E37410B-D6F1-471D-AE27-563CEAC0D6B2" => Scheduled to move on reboot.
Could not move "C:\DumpStack.log.tmp" => Scheduled to move on reboot.

=========== EmptyTemp: ==========

FlushDNS => completed
BITS transfer queue => 0 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 182214640 B
Java, Discord, Steam htmlcache, WinHttpAutoProxySvc/winhttp *.cache => 0 B
Windows/system/drivers => 278578850 B
Edge => 1273413653 B
Firefox => 0 B
Opera => 0 B

Local\Temp, Local\*.tmp, LocalLow\Temp, Roaming\Temp, Roaming\*.tmp , IE cache, history, cookies, recent:
Default => 0 B
ProgramData => 0 B
Public => 0 B
systemprofile => 824 B
systemprofile32 => 0 B
LocalService => 0 B
NetworkService => 69958 B
Zbynek => 39811352 B

RecycleBin => 0 B
EmptyTemp: => 1.7 GB temporary data Removed.

================================

Result of scheduled files to move (Boot Mode: Normal) (Date&Time: 11-06-2026 19:57:09)

C:\WINDOWS\system32\5E37410B-D6F1-471D-AE27-563CEAC0D6B2 => Could not move
C:\DumpStack.log.tmp => Could not move

==== End of Fixlog 19:57:09 ====

[Rudy]

Nic se neděje, jsme tu stále. Bylo smazáno, log je již OK.