Jump to content

Overheating GPU - Bitcoin Miner?


Recommended Posts

My temperatures for my GPU and memory usage was fine yesterday until around 10:00 PM.

That's when I started getting an average of 85 degrees celcius for my GPU temp.

My memory usage was 1901 when my max is 1900, so I knew something was wrong. I thought if I let it rest for the night, in the morning, it would be fine. Just turned on my PC and immedietly, the memory usage is 1901 and temperatures start to increase until it hits 85 degrees.

My normal temperature would be around 50 degrees idle and fan speed would be about 29%, but now, it's 56% and over 60% watching youtube videos. I googled why my CPU/GPU might be using a ton of memory being idle, and found out that it might be a virus such as the Bitcoin Miner. Whatever the case, I need help.




4.15 GB of memory is being used when only these 2 programs are running. That screenshot was taken a couple of minutes before typing this. The memory usage is starting to increase.


Link to post
Share on other sites

  • Root Admin


P2P/Piracy Warning:

If you're using
Peer 2 Peer
software such as
uTorrent, BitTorrent
or similar you must either fully uninstall them or completely disable them from running while being assisted here.

Failure to remove or disable such software will result in your topic being closed and no further assistance being provided.

If you have
illegal/cracked software, cracks, keygens etc
. on the system, please remove or uninstall them now and read the policy on

Before we proceed further, please read all of the following instructions carefully.
If there is anything that you do not understand kindly ask before proceeding.
If needed please print out these instructions.
  • Please do not post logs using CODE, QUOTE, or FONT tags. Just paste them as direct text.
  • If the log is too large then you can use attachments by clicking on the More Reply Options button.
  • Please enable your system to show hidden files: How to see hidden files in Windows
  • Make sure you're subscribed to this topic:
    • Click on the Follow This Topic Button (at the top right of this page), make sure that the Receive notification box is checked and that it is set to Instantly

    [*]Removing malware can be unpredictable...It is unlikely but things can go very wrong! Please make sure you Backup all files that cannot be replaced if something were to happen. You can copy them to a CD/DVD, external drive or a pen drive [*]Please don't run any other scans, download, install or uninstall any programs unless requested by me while I'm working with you. [*]The removal of malware is not instantaneous, please be patient. Often we are also on a different Time Zone. [*]Perform everything in the correct order. Sometimes one step requires the previous one. [*]If you have any problems while following my instructions, Stop there and tell me the exact nature of the issue. [*]You can check here if you're not sure if your computer is 32-bit or 64-bit [*]Please disable your antivirus while running any requested scanners so that they do not interfere with the scanners. [*]When we are done, I'll give you instructions on how to cleanup all the tools and logs [*]Please stick with me until I give you the "all clear" and Please don't waste my time by leaving before that. [*]Your topic will be closed if you haven't replied within 3 days [*](If I have not responded within 24 hours, please send me a Private Message as a reminder)

RKill is a program that was developed at BleepingComputer.com that attempts to terminate known malware processes
so that your normal security software can then run and clean your computer of infections.
When RKill runs it will kill malware processes and then removes incorrect executable associations and fixes policies
that stop us from using certain tools. When finished it will display a log file that shows the processes that were
terminated while the program was running.

As RKill only terminates a program's running process, and does not delete any files, after running it you should not reboot
your computer as any malware processes that are configured to start automatically will just be started again.
Instead, after running RKill you should immediately scan your computer using the requested scans I've included.

Please download Rkill by Grinler from one of the links below and save it to your desktop.

Link 2

  • On Windows XP double-click on the Rkill desktop icon to run the tool.
  • On Windows Vista/Windows 7 or 8, right-click on the Rkill desktop icon and select Run As Administrator
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
  • If the tool does not run from any of the links provided, please let me know.
  • Do not reboot the computer, you will need to run the application again.

Backup the Registry:
Modifying the Registry can create unforeseen problems, so it always wise to create a backup before doing so.

  • Please download ERUNT from one of the following links: Link1 | Link2 | Link3
  • ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.
  • Double click on erunt-setup.exe to Install ERUNT by following the prompts.
  • NOTE: Do not choose to allow ERUNT to add an Entry to the Startup folder. Click NO.
  • Start ERUNT either by double clicking on the desktop icon or choosing to start the program at the end of the setup process.
  • Choose a location for the backup.
    • Note: the default location is C:\Windows\ERDNT which is acceptable.

    [*]Make sure that at least the first two check boxes are selected. [*]Click on OK [*]Then click on YES to create the folder. [*]Note: if it is necessary to restore the registry, open the backup folder and start ERDNT.exe

Please download RogueKiller and save it to your desktop.

You can check here if you're not sure if your computer is 32-bit or 64-bit

  • RogueKiller 32-bit | RogueKiller 64-bit
  • Quit all running programs.
  • For Windows XP, double-click to start.
  • For Vista,Windows 7/8, Right-click on the program and select Run as Administrator to start and when prompted allow it to run.
  • Read and accept the EULA (End User Licene Agreement)
  • Click Scan to scan the system.
  • When the scan completes Close the program > Don't Fix anything!
  • Don't run any other options, they're not all bad!!
  • Post back the report which should be located on your desktop.


Link to post
Share on other sites

RogueKiller V8.6.10 _x64_ [sep  9 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.adlice.com/forum/
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Andrew [Admin rights]
Mode : Scan -- Date : 09/10/2013 15:40:22
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 4 ¤¤¤
[RUN][sUSP PATH] HKCU\[...]\Run : SearchProtect (C:\Users\Andrew\AppData\Roaming\SearchProtect\bin\cltmng.exe [7]) -> FOUND
[RUN][sUSP PATH] HKUS\S-1-5-21-214661708-103080237-3671667183-1000\[...]\Run : SearchProtect (C:\Users\Andrew\AppData\Roaming\SearchProtect\bin\cltmng.exe [7]) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Scheduled tasks : 2 ¤¤¤
[V1][sUSP PATH] ContinueToSaveUpdaterTask{946EC59C-16FD-4BE8-89A3-72B9F86A8E20}.job : C:\ProgramData\Premium\ContinueToSave\ContinueToSave.exe - /schedule /profilepath "C:\ProgramData\Premium\ContinueToSave\profile.ini" [-][-] -> FOUND
[V1][sUSP PATH] CodecUpdaterTask{1EE6387E-B24C-4554-88B1-4E4CA8C8368A}.job : C:\ProgramData\Codec\Codec.exe - /schedule /profilepath "C:\ProgramData\Codec\profile.ini" [-][-] -> FOUND

¤¤¤ Startup Entries : 0 ¤¤¤

¤¤¤ Web browsers : 2 ¤¤¤
[FF][PROXY] 1dz211dj.default : user_pref("network.proxy.hxxp", ""); -> FOUND
[FF][PROXY] 1dz211dj.default : user_pref("network.proxy.hxxp_port", 7808); -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED 0x0] ¤¤¤

¤¤¤ External Hives: ¤¤¤

¤¤¤ Infection :  ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: Hitachi HDS723020BLA642 +++++
--- User ---
[MBR] 70feb256089a922a332d12881a8a0b70
[bSP] 09692300d7b6cf7adcbf4c207905e5d5 : Windows 7/8 MBR Code
Partition table:
0 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 20480 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 41945088 | Size: 100 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 42149888 | Size: 1887147 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[0]_S_09102013_154022.txt >>


Link to post
Share on other sites

  • Root Admin

Please go ahead and run through the following steps and post back the logs when ready.

Please download Malwarebytes Anti-Rootkit from here

  • Unzip the contents to a folder in a convenient location.
  • Open the folder where the contents were unzipped and run mbar.exe
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • Click on the Cleanup button to remove any threats and reboot if prompted to do so.
  • Wait while the system shuts down and the cleanup process is performed.
  • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
  • When done, please post the two logs produced they will be in the MBAR folder... mbar-log.txt and system-log.txt

Please download Junkware Removal Tool to your desktop.
  • Shutdown your antivirus to avoid any conflicts.
  • Right click over JRT.exe and select Run as administrator on Windows Vista or Windows 7, double-click on XP.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next reply message
  • When completed make sure to re-enable your antivirus

Please download AdwCleaner by Xplode and save to your Desktop.

  • Double click on AdwCleaner.exe to run the tool.
  • Click on the Scan button.
  • AdwCleaner will begin...be patient as the scan may take some time to complete.
  • After the scan has finished, click on the Report button...a logfile (AdwCleaner[R0].txt) will open in Notepad for review.
  • The contents of the log file may be confusing. Unless you see a program name that you know should not be removed, don't worry about it. If you see an entry you want to keep, let me know about it.
  • Copy and paste the contents of that logfile in your next reply.
  • A copy of all logfiles are saved in the C:\AdwCleaner folder which was created when running the tool.


Please go here to run the online antivirus scannner from ESET.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activex control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked
  • Click on Advanced Settings and ensure these options are ticked:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology

    [*]Click Scan [*]Wait for the scan to finish [*]If any threats were found, click the 'List of found threats' , then click Export to text file.... [*]Save it to your desktop, then please copy and paste that log as a reply to this topic.

Please download the Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatibale with your system. You can check here if you're not sure if your computer is 32-bit or 64-bit

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply as well.


Link to post
Share on other sites

Sorry about that.


Malwarebytes Anti-Rootkit BETA

Database version: v2013.09.11.01

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
Andrew :: ANDREW-PC [administrator]

10/09/2013 11:02:44 PM
mbar-log-2013-09-10 (23-02-44).txt

Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken
Scan options disabled:
Kernel memory modifications detected. Deep Anti-Rootkit Scan engaged.
Objects scanned: 286088
Time elapsed: 22 minute(s), 43 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

Physical Sectors Detected: 0
(No malicious items detected)


Link to post
Share on other sites

C:\Program Files (x86)\Activision\Call of Duty - Black Ops\BOLoader.exe    probably a variant of Win32/Injector.JRX trojan
C:\Program Files (x86)\Steam\steamapps\common\Football Superstars\IGBCache\Default\Extensions\oaldiepfhimkgbolleiklofofkcgpmel\1.0_0\bg.js    Win32/Adware.MultiPlug.H application
C:\Program Files (x86)\Steam\steamapps\common\Football Superstars\IGBCache\Extensions\oaldiepfhimkgbolleiklofofkcgpmel\1.0_0\bg.js    Win32/Adware.MultiPlug.H application
C:\Users\Andrew\AppData\Local\Google\Chrome\User Data\Default\Extensions\edcpecmnlojlpaamfldlgdnpbiaigehc\1\50e96f5f0e2192.28371389.js    Win32/Adware.MultiPlug.H application
C:\Users\Andrew\AppData\Local\Google\Chrome\User Data\Default\Extensions\legbcigbjalcnbgcaodlppfpnianagde\1\50e96ebcd18709.30450085.js    Win32/Adware.MultiPlug.H application
C:\Users\Andrew\Desktop\Black Ops Items\BOLoader.exe    probably a variant of Win32/Injector.JRX trojan

Link to post
Share on other sites

  • Root Admin

These are minimal PUP (Possibly Unwanted Program) detections.  You can upload those files to http://www.virustotal.com and have them scan them and see how many antivirus scanners detect them as dangerous or not and then decide if you want to remove them or not.


Please complete the other scans and post back the logs.

Link to post
Share on other sites

  • Root Admin

What is up with the Firefox proxy going on here?

IP address:
Host name: server.geek-spot.com

NetRange: -        AS32475NetName:        SINGLEHOPNetHandle:      NET-184-154-0-0-1Parent:         NET-184-0-0-0-0NetType:        Direct AllocationRegDate:        2010-06-21Updated:        2012-03-02Ref:            http://whois.arin.net/rest/net/NET-184-154-0-0-1OrgName:        SingleHop, Inc.OrgId:          SINGL-8Address:        215 W. Ohio St.Address:        5th FloorCity:           ChicagoStateProv:      ILPostalCode:     60654Country:        USRegDate:        2007-03-07Updated:        2012-11-19Comment:        http://www.singlehop.com/Ref:            http://whois.arin.net/rest/org/SINGL-8

FF ProfilePath: C:\Users\Andrew\AppData\Roaming\Mozilla\Firefox\Profiles\1dz211dj.default
FF NetworkProxy: "backup.ftp", ""
FF NetworkProxy: "backup.ftp_port", 7808
FF NetworkProxy: "backup.socks", ""
FF NetworkProxy: "backup.socks_port", 7808
FF NetworkProxy: "backup.ssl", ""
FF NetworkProxy: "backup.ssl_port", 7808
FF NetworkProxy: "ftp", ""
FF NetworkProxy: "ftp_port", 7808
FF NetworkProxy: "http", ""
FF NetworkProxy: "http_port", 7808
FF NetworkProxy: "share_proxy_settings", true
FF NetworkProxy: "socks", ""
FF NetworkProxy: "socks_port", 7808
FF NetworkProxy: "ssl", ""
FF NetworkProxy: "ssl_port", 7808

I also notice you're running software from IObit  - Game Booster 3
Here is a little more information about that company from China

The company behind this product was found to be stealing our database.
Personally I would not trust installing any software from a company that resorts to stealing someone's technology to sell their product.
Please see the following links and make up your own mind if you want to keep this on your system. If needed I can help you remove it.

Link to post
Share on other sites

  • Root Admin

No it's not required to remove Game Booster - just saying they're a rather unscrupulous company and perhaps a bit scary to run any type of software from them, but again, that's up to you.


Please download MiniToolBox save it to your desktop and run it.

Checkmark the following check-boxes:

  • Flush DNS
  • Report IE Proxy Settings
  • Reset IE Proxy Settings
  • Report FF Proxy Settings
  • Reset FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List Winsock Entries
  • List last 10 Event Viewer log
  • List Installed Programs
  • List Devices
  • List Users, Partitions and Memory size.
  • List Minidump Files

Click Go and post the result (Result.txt). A copy of Result.txt will be saved in the same directory the tool is run.

Note: When using Reset FF Proxy Settings option Firefox should be closed.


Then delete your current logs from FRST and run the tool again and post back NEW logs.

Link to post
Share on other sites

This topic is now closed to further replies.

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.