Autologger results for issue # 133

[Bertcaus]

Welcome! Thank you for joining the section of VIRUSNET association support.

---

BEFORE ASKING HELP, READ CAREFULLY THIS INSTRUCTION:

---

Step 1: Are you in the right place?

• Do you need assistance in PC cure from viruses?
• Or would you like to report a bug or propose a feature for HiJackThis?

If yes, see the next step.

Step 2: Show us the required logs (for PC cure):

• Read carefully: How to make a request for help in the PC cure section

  I hope this is the right way for sending the autologger results. I stopped the protection of Windows defender and Malware bytes premium before making the log. The hard disk contains 3 partitions: D and E are normally encrypted with bitlocker but were unlocked during this test. Remark: autologger starts in Russian? As I wrote in issue 133 the PC is VERY slow with a lot of disk activity, even at the very beginning of the start of Windows 10. Thank you for your help. CollectionLog-2021.02.20-13.01.zip

[dragokas]

Hi, thank you for the log and the wrong language report. That is normal. We'll return to you as soon as possible.

---

Please, note that only members of VIRUSNET-Association are allowed to respond to PC cure topics. Ignore any recommendations given by other users, including PM !!!

Assistance is provided free of charge in our free time. If you found our help useful, you can thank us with any amount using this form or you can leave feedback in Guestbook.

[Sandor-Helper]

Hi, I didn't find any malicious-related things in logs. Could you please temporarily uninstall these programs:

DriverFix 4.2021.1.29 O&O AutoBackup Professional O&O Defrag Professional O&O DiskImage O&O SafeErase Professional

After that: Download AdwCleaner (by Malwarebytes) and save it to Desktop. Run (it should be run by right-clicking as Administrator), press "Scan" and wait. At the end of the scan log will be found at: C:\AdwCleaner\Logs\AdwCleaner[Sxx].txt (where x is any digit). Attach it to your next post here.

[dragokas]

++ Also,

1. Using ClearLNK tool, repair the following links and attach the tool's report to your message.

   >>>  "C:\Users\Carpentier\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Tombstones\Firefox.lnk"     -> ["C:\Users\Carpentier\AppData\Local\Mozilla Firefox\firefox.exe"]
   >>>  "C:\Users\Carpentier\Desktop\Antivirus\Panda Cloud Cleaner.lnk"   -> ["C:\Program Files (x86)\Panda Security\Panda Cloud Cleaner\PCloudCleaner.exe"]
   >>>  "C:\Users\Carpentier\Desktop\Mozilla\MozBackup.lnk"     -> ["C:\Program Files (x86)\MozBackup\MozBackup.exe"]
   >>>  "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Music, Photos and Videos\HP Beats Audio.lnk"        -> ["C:\WINDOWS\system32\IDTNC64.cpl"]

2. Please update the AVZ safe files database:

   • Start AVZ.
   • Close all of the applications and start the Internet Browser you use in your system (for example Internet Explorer, FireFox, Opera etc. – if several are installed, start all of the browsers, so AVZ would analyze all of the plugins and extensions used).
   • In AVZ menu, select File – Standard scripts. Select script № 8 in the opened window (item "Collection not recognized and suspicious files") and click "Execute selected scripts". This should take up to 1-5 minutes. As a result, folder LOG will be created in the AVZ folder with the archive named virusinfofiles.zip
   • Upload this archive as described here.
   • If the size of the archive will be more than 250 MB, you have to upload it to any file storage server that doesn't require recapture submission (for example: Yandex.Disk, Zippyshare, My-Files.RU, karelia.ru, Ge.tt or http://webfile.ru/ and add a link to it in your next message.

[Bertcaus]

ClearLNK-2021.02.25_10.19.41.log Hello,

I downloaded AVZ from Kapersky: I can only choose script 6, 7 and 9: there is no script Nr. 8? Do I have to use a specially crafted version?

Thanks again

[dragokas]

Use the version, you already downloaded before: in \AutoLogger\AV\av_z.exe

We still waiting for AdwCleaner logs.

[Bertcaus]

OK. I didn't select any volume (C,D,E and/or R) because we started from "file": was that OK? I did send the AdwCleaner logs before but I added it here again. AdwCleaner[S00].txt The AVZ log is only 99 MB (<250 MB) but the max filesize for uploading directly from here is apparently 10 MB? I will try to upload it to a file storage server instead.

[Bertcaus]

Here is the link from Zippyshare: https://www7.zippyshare.com/v/DZxvzAOb/file.html

[Sandor-Helper]

OK, Preinstalled Software do not touch (if you want you can uninstall useless ones via Control Panel) and other should be cleaned that way:

Run AdwCleaner (by Malwarebytes) again (it should be run by right-clicking as Administrator), press "Scan" and wait. Press Quarantine button and let program reboot the system. After restart the clean log will be found at: C:\AdwCleaner\Logs\AdwCleaner[Cxx].txt (where x is any digit). Attach it to your next post here.

Please download Farbar Recovery Scan Tool and save it to your Desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

• Right click to run as administrator. When the tool opens click Yes to disclaimer.
• Press Scan button.
• It will produce logs called FRST.txt and Addition.txt in the same directory the tool is run from.
• Please attach the logs back here.

[Bertcaus]

Logfiles AdwCleaner[C02].txt Addition.txt FRST.txt

[Sandor-Helper]

Preinstalled Software do not touch

You've missed this warning.

Temporarily turn off any antivirus. Highlight following code:

Start::
SystemRestore: On
CreateRestorePoint:
HKU\S-1-5-21-1738531296-2742049075-251234721-1001\...\MountPoints2: {0939b1d8-5eec-11eb-8ea4-089e01f8f2e6} - "F:\HiSuiteDownLoader.exe" 
HKU\S-1-5-21-1738531296-2742049075-251234721-1001\...\MountPoints2: {8330d7e5-2cb4-11eb-8e93-089e01f8f2e6} - "F:\HiSuiteDownLoader.exe" 
HKU\S-1-5-21-1738531296-2742049075-251234721-1001\...\MountPoints2: {dfb08d15-3cb9-11eb-8e9b-089e01f8f2e6} - "F:\HiSuiteDownLoader.exe" 
GroupPolicy: Restrictie ? <==== AANDACHT
Policies: C:\ProgramData\NTUSER.pol: Restrictie <==== AANDACHT
Task: {05DCB70F-177E-414E-9D06-4BA27DD25C6B} - System32\Tasks\OO DiskImage {a6908807-5a1f-40d9-b3ea-b7366716162e} => C:\Program Files\OO Software\DiskImage\oodiag.exe
Task: {0EC75651-D16A-48D4-B6CD-B5A4E186EDEE} - System32\Tasks\OO DiskImage {68b939d0-0849-4c0a-9fcb-364623c355d4} => C:\Program Files\OO Software\DiskImage\oodiag.exe
Task: {1ADB4CD5-B5FB-4E53-849F-DC16F907916E} - System32\Tasks\OO DiskImage {816a8193-fdc4-4417-8282-82ffc97691a1} => C:\Program Files\OO Software\DiskImage\oodiag.exe
Task: {23860148-B0E3-489B-B036-263E21E6943B} - System32\Tasks\OO DiskImage {b083564b-445c-4299-919c-fb923a91e228} => C:\Program Files\OO Software\DiskImage\oodiag.exe
Task: {2B4A16DB-49A8-4007-8E9B-73BF7E3CA20B} - System32\Tasks\OO DiskImage {950e887a-5357-4340-8e82-1bbddea1377f} => C:\Program Files\OO Software\DiskImage\oodiag.exe
Task: {32D249CF-0993-4A71-AB07-8BC47F6A4578} - System32\Tasks\OO DiskImage {835aab37-97cf-414d-8308-4b28bd3575d3} => C:\Program Files\OO Software\DiskImage\oodiag.exe
Task: {35B63E27-21C5-4398-AEA0-247E7E6BC872} - System32\Tasks\OO DiskImage {d3397d51-5860-4889-ad52-e036fc3e3b48} => C:\Program Files\OO Software\DiskImage\oodiag.exe
Task: {4E0F9286-3351-42CB-BA0A-AC7326162164} - System32\Tasks\OO DiskImage {dce7c5bf-3a5a-4c67-a26b-7dfc10f16e0b} => C:\Program Files\OO Software\DiskImage\oodiag.exe
Task: {54956AD3-D532-4CFA-B0A5-405A4B8DEBC3} - System32\Tasks\OO DiskImage {4cda414d-fceb-4daa-84eb-d136b3389641} => C:\Program Files\OO Software\DiskImage\oodiag.exe
Task: {6DF4F1A3-279A-472A-AAF0-290FA8DD54B0} - System32\Tasks\OO DiskImage {ac875da4-4ea2-4aa0-b94d-fc9ead56b54d} => C:\Program Files\OO Software\DiskImage\oodiag.exe
Task: {8E498727-0906-4761-AA5A-D4F3514C264B} - System32\Tasks\OO DiskImage {e515b5ea-45c8-4d26-a9e4-49ccca833b32} => C:\Program Files\OO Software\DiskImage\oodiag.exe
Task: {9200FB01-68C7-4A8E-A0F9-9BDD00801022} - System32\Tasks\OO DiskImage {e6b3d7f8-fab5-4fc3-90a7-8c4b33eac206} => C:\Program Files\OO Software\DiskImage\oodiag.exe
Task: {985AA641-EF4C-4ACD-883D-026284ED1854} - System32\Tasks\OO DiskImage {970d8e7c-3d22-4323-b68c-d56d335099e2} => C:\Program Files\OO Software\DiskImage\oodiag.exe
Task: {9894D525-331D-4409-95B3-BF9F5C906456} - System32\Tasks\OO DiskImage {aa2c29f4-8298-4ada-92c8-61d0ae3cc2f5} => C:\Program Files\OO Software\DiskImage\oodiag.exe
Task: {AD6998E0-A1A9-443C-BA16-48538BF77196} - System32\Tasks\OO DiskImage {00113ce6-9c00-4d2d-9da0-90ae67dd6b18} => C:\Program Files\OO Software\DiskImage\oodiag.exe
Task: {B255E997-CD7F-48D2-9E88-5B0EE3018878} - System32\Tasks\OO DiskImage {e3b5ccd9-95ac-41c7-8f57-3eb872ffe82e} => C:\Program Files\OO Software\DiskImage\oodiag.exe
Task: {BCFD8871-C76D-42DB-BB59-C131289E3AB2} - System32\Tasks\OO DiskImage {3904ff60-43cd-421d-abe4-d56daec7a440} => C:\Program Files\OO Software\DiskImage\oodiag.exe
Task: {BFCE487B-9418-4A59-AD8E-40D8EBECD289} - System32\Tasks\OO DiskImage {169e29bd-aafc-4ec8-aabb-835bb33f3b2b} => C:\Program Files\OO Software\DiskImage\oodiag.exe
Task: {C4D896D9-79A3-4379-BD5C-AA28FA958CE4} - System32\Tasks\OO DiskImage {127a732a-682d-4577-89b8-3191152bba40} => C:\Program Files\OO Software\DiskImage\oodiag.exe
Task: {D1E7B08C-FD27-441A-81ED-5EBC6BC2642A} - System32\Tasks\OO DiskImage {9820ee99-f6ba-4d2c-8663-89ecf8fe2cdb} => C:\Program Files\OO Software\DiskImage\oodiag.exe
Task: {E621B659-FE72-4777-8B5F-00C9A42B5CD0} - System32\Tasks\OO DiskImage {6e574cc5-897b-4044-9a3a-04d10c22d4ec} => C:\Program Files\OO Software\DiskImage\oodiag.exe
Task: C:\WINDOWS\Tasks\OO DiskImage {169e29bd-aafc-4ec8-aabb-835bb33f3b2b}.job => C:\Program Files\OO Software\DiskImage\oodiag.exe,/run {169e29bd-aafc-4ec8-aabb-835bb33f3b2b}O&O DiskImage C:\ProgramData\OO Software\DiskImage\Jobs\Job20200609.xml
Task: C:\WINDOWS\Tasks\OO DiskImage {3904ff60-43cd-421d-abe4-d56daec7a440}.job => C:\Program Files\OO Software\DiskImage\oodiag.exe,/run {3904ff60-43cd-421d-abe4-d56daec7a440}O&O DiskImage C:\ProgramData\OO Software\DiskImage\Jobs\Job20181008.xml
Task: C:\WINDOWS\Tasks\OO DiskImage {4cda414d-fceb-4daa-84eb-d136b3389641}.job => C:\Program Files\OO Software\DiskImage\oodiag.exe,/run {4cda414d-fceb-4daa-84eb-d136b3389641}O&O DiskImage C:\ProgramData\OO Software\DiskImage\Jobs\Job20180828.xml
Task: C:\WINDOWS\Tasks\OO DiskImage {68b939d0-0849-4c0a-9fcb-364623c355d4}.job => C:\Program Files\OO Software\DiskImage\oodiag.exe,/run {68b939d0-0849-4c0a-9fcb-364623c355d4}O&O DiskImage C:\ProgramData\OO Software\DiskImage\Jobs\Job20181021.xml
Task: C:\WINDOWS\Tasks\OO DiskImage {6e574cc5-897b-4044-9a3a-04d10c22d4ec}.job => C:\Program Files\OO Software\DiskImage\oodiag.exe,/run {6e574cc5-897b-4044-9a3a-04d10c22d4ec}O&O DiskImage C:\ProgramData\OO Software\DiskImage\Jobs\Job20200212.xml
Task: C:\WINDOWS\Tasks\OO DiskImage {816a8193-fdc4-4417-8282-82ffc97691a1}.job => C:\Program Files\OO Software\DiskImage\oodiag.exe,/run {816a8193-fdc4-4417-8282-82ffc97691a1}O&O DiskImage C:\ProgramData\OO Software\DiskImage\Jobs\Job20190704.xml
Task: C:\WINDOWS\Tasks\OO DiskImage {835aab37-97cf-414d-8308-4b28bd3575d3}.job => C:\Program Files\OO Software\DiskImage\oodiag.exe,/run {835aab37-97cf-414d-8308-4b28bd3575d3}O&O DiskImage C:\ProgramData\OO Software\DiskImage\Jobs\Job20200907.xml
Task: C:\WINDOWS\Tasks\OO DiskImage {950e887a-5357-4340-8e82-1bbddea1377f}.job => C:\Program Files\OO Software\DiskImage\oodiag.exe,/run {950e887a-5357-4340-8e82-1bbddea1377f}O&O DiskImage C:\ProgramData\OO Software\DiskImage\Jobs\Job20190312.xml
Task: C:\WINDOWS\Tasks\OO DiskImage {970d8e7c-3d22-4323-b68c-d56d335099e2}.job => C:\Program Files\OO Software\DiskImage\oodiag.exe,/run {970d8e7c-3d22-4323-b68c-d56d335099e2}O&O DiskImage C:\ProgramData\OO Software\DiskImage\Jobs\Job20190225.xml
Task: C:\WINDOWS\Tasks\OO DiskImage {9820ee99-f6ba-4d2c-8663-89ecf8fe2cdb}.job => C:\Program Files\OO Software\DiskImage\oodiag.exe,/run {9820ee99-f6ba-4d2c-8663-89ecf8fe2cdb}O&O DiskImage C:\ProgramData\OO Software\DiskImage\Jobs\Job20190803.xml
Task: C:\WINDOWS\Tasks\OO DiskImage {a6908807-5a1f-40d9-b3ea-b7366716162e}.job => C:\Program Files\OO Software\DiskImage\oodiag.exe,/run {a6908807-5a1f-40d9-b3ea-b7366716162e}O&O DiskImage C:\ProgramData\OO Software\DiskImage\Jobs\Job20180717.xml
Task: C:\WINDOWS\Tasks\OO DiskImage {aa2c29f4-8298-4ada-92c8-61d0ae3cc2f5}.job => C:\Program Files\OO Software\DiskImage\oodiag.exe,/run {aa2c29f4-8298-4ada-92c8-61d0ae3cc2f5}O&O DiskImage C:\ProgramData\OO Software\DiskImage\Jobs\Job20190114.xml
Task: C:\WINDOWS\Tasks\OO DiskImage {ac875da4-4ea2-4aa0-b94d-fc9ead56b54d}.job => C:\Program Files\OO Software\DiskImage\oodiag.exe,/run {ac875da4-4ea2-4aa0-b94d-fc9ead56b54d}O&O DiskImage C:\ProgramData\OO Software\DiskImage\Jobs\Job20200306.xml
Task: C:\WINDOWS\Tasks\OO DiskImage {b083564b-445c-4299-919c-fb923a91e228}.job => C:\Program Files\OO Software\DiskImage\oodiag.exe,/run {b083564b-445c-4299-919c-fb923a91e228}O&O DiskImage C:\ProgramData\OO Software\DiskImage\Jobs\Job20181203.xml
Task: C:\WINDOWS\Tasks\OO DiskImage {dce7c5bf-3a5a-4c67-a26b-7dfc10f16e0b}.job => C:\Program Files\OO Software\DiskImage\oodiag.exe,/run {dce7c5bf-3a5a-4c67-a26b-7dfc10f16e0b}O&O DiskImage C:\ProgramData\OO Software\DiskImage\Jobs\Job20190927.xml
Task: C:\WINDOWS\Tasks\OO DiskImage {e515b5ea-45c8-4d26-a9e4-49ccca833b32}.job => C:\Program Files\OO Software\DiskImage\oodiag.exe,/run {e515b5ea-45c8-4d26-a9e4-49ccca833b32}O&O DiskImage C:\ProgramData\OO Software\DiskImage\Jobs\Job20190411.xml
Task: C:\WINDOWS\Tasks\OO DiskImage {e6b3d7f8-fab5-4fc3-90a7-8c4b33eac206}.job => C:\Program Files\OO Software\DiskImage\oodiag.exe,/run {e6b3d7f8-fab5-4fc3-90a7-8c4b33eac206}O&O DiskImage C:\ProgramData\OO Software\DiskImage\Jobs\Job20190527.xml
EmptyTemp:
Reboot:
End::

Copy highlighted text (right click - Copy). Run FRST (FRST64) as Administrator. Press Fix button once and wait. Program will create (Fixlog.txt). Attach it to the next post.

PC will reboot.

[Bertcaus]

Fixlog.txt

[Sandor-Helper]

the PC is VERY slow with a lot of disk activity

Is this still persists?

[Bertcaus]

I tried to restart the PC a few times: the boot sequence timing differs each time, but there is less disk activity and once started it seems to run faster. So it's better than before. In the beginning we uninstalled some program's of O&O Software which are trusted and payed program's: Diskimage is normally loaded at boottime and is used for backup (it makes an image of the disk). I should reïnstall it for future use, but maybe it doesn't have to start at boottime. Can you explain what in your opinion was causing the problem? Only after the last things we tried there was a difference. Thanks in advance.

[Sandor-Helper]

Only after the last things we tried there was a difference

Main things were clean empty tasks and deep Temp cleaning.

About O&O Software - you can try to figure out by installing it again and see will there be any difference. In my opinion there is no need to install that kind of programs in addition. Windows itself have its own instruments to clean, backup and defrag (if needed) and all that instrumenst do it correctly.

[Bertcaus]

Hello. I reïnstalled DiskImage Pro and the problem came back. So you were right about the cause. However, when we uninstalled that program the problem wasn't solved. I found that when I start the program immediately after (a very slow) boot and close it again the problem disappears. Even after a shut down (with hibernation) everything stays OK until I do a restart (so without hibernation) then the problem comes back until I open/close the program. Does this make sense to you? Cam you image what is happening at boot time that creates 100 % disk activity until I start/close the program one time? This is strange behaviour I never had before (and I am using this program many years) and the problem doesn't occur on 2 other PC's (an older and a newer one). So I can circumvent the problem but i am curious about this behaviour. Thanks again for your kind help.

[Sandor-Helper]

There could be a lot of causes like:

• interfering between other soft
• different hardware
• etc.

You say that you have payd lisence, so you can connect with its tech support and describe the poblem there.