NaniwaTiger89

Possible Malware causes High CPU temp


Hello,

I suspect that I may have malware on my system. I may have been infected 20 days ago from a downloaded file, since I noticed the initial suspicious symptoms during that period. I was playing the game Warframe on Steam and suddenly I was experiencing FPS drops until it froze; then I tried force-exiting the game and opening the Task Manager, but I was unable to open them. I force-restarted my laptop. After the third restart the stuttering and freezing was gone, but this is where I noticed that my laptop's fans are flaring out louder than usual and saw that my CPU temp is reaching 80-90 degrees Celsius on idle. I deleted the file but the symptoms persist. At first I thought the fans just needed some cleaning, so I cleaned the dust from the fans and reapplied thermal paste, then bought a cooling pad, but I only managed to reduce the temperature by 3 degrees Celsius on average. This raised my suspicion that it might be a cryptominer, so I scanned my system using Malwarebytes, AdwCleaner, and FRST but found no malware. I tried to make an account here in the forums but was unsuccessful due to some error, but I managed to make one while at work. I reset my laptop to factory settings but kept my personal files (mostly games), and my CPU was back to 44-55 degrees Celsius while idle but still reaches about 80-95 degrees Celsius when playing a game. Also, after the factory reset I ran a Malwarebytes scan and it detected a malware called "MachineLearning/Anomalous.100%", but the scan got stuck in heuristics analysis for a whopping 12 hours, so I took a pic and force-closed the scan (since it couldn't be canceled either) before going to work; but after coming home I can't seem to manually find the detected file anymore. Thank you in advance for the help.

====

Suspicious Symptoms:

- High CPU temps when downloading gaming even with games that the system is capable of running normally with moderate temps

- High Memory Usage (about 50% on idle)

- Internet speed slows down to a crawl when the CPU Temp is high and with about 50% packet loss

Also, it seems that I am unable to create an account from home, and I'm posting from my workplace. When I tried creating an account using my laptop from home I got a prompt "You are not allowed to use this email address", and on the second try I got an error code (I can't remember the exact code), but I looked it up and most say it is related to the IPB spam service, which I have no idea about (I thought it was related to my possible malware). I successfully created an account from work and tried making a post at home and got this message every time I tried to post the topic:

Blacklisted:

*** We’re sorry but our system has detected wording in your post consistent with spam, It may be by accident, please try changing the wording and try to post again.
If you’re still unable to, then please contact our Helpdesk at the following link:

https://support.malwarebytes.com/community/consumer/pages/contact-us

Thank you
***

Could anyone take a look at this as well? Now I'm posting this at work again and do not have access to my personal laptop, which means it will take some time to try the steps that will be provided if the "Blacklisted" issue is not resolved. The attached files are my latest laptop scans from yesterday. Thanks again.

high memory usage.png

machine learning malware.png

high cpu temp slow net speed.png

FRST.txt Shortcut.txt DxDiag.txt Malwarebytes scan.txt AdwCleaner[C02].txt Addition.txt


Hello @NaniwaTiger89 and welcome

I have removed the block on your account. It is part of our automated system that tries to prevent spammers from posting, which sometimes, as in your case, is a false positive.

 

The logs are not showing an obvious infection. Let me have you temporarily uninstall the following software though and we'll run some other scans and see what else might be going on.

Norton Security
SpyHunter 5

If you're using the Norton Security Backup please make sure you have all passwords, special keys, etc saved to an external hard drive or other location not affected by the removal of Norton.

Once done, please restart the computer 2 times and post back new FRST logs as an attachment.

Thank you

Ron

 


Hi Ron, 

Thanks for the removal on the block. I will follow your advice when I get home in around 7 hours.


Your Volume Shadow Copy service says it's having an issue. Please try to fix it using the information below.

 

 

Please download and run the following Volume Shadow Copy Service (VSS) Diagnostic Tool from Acronis:

Acronis VSS Doctor
Free tool for diagnosing and repairing Volume Shadow Copy Service issues. Download link on the bottom of the page.
Download - Acronis VSS Doctor

In many cases, it can correct the issues on its own. If not, then it will give details on what may be causing the issues. Please save the report in text format and post back that log on your next reply.


You can also try the tool from Macrium Reflect if the Acronis tool did not work.

Macrium Reflect Volume Shadow Copy Service (VSS) Repair Tool


Once you've run the repair tool you need to restart your computer.
Then check your Event Logs to see if the error was corrected. You can post new logs from FRST, which will also show the Event Log entries.

If you don't have System Restore enabled then please take this time to enable it. If possible choose 10% of your C drive to store Restore Points.

System Restore disabled or greyed out? Turn On System Restore in Windows 10
 

Thank you

 

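A console way to do the "check your Event Logs" step from the post above, before the FRST logs go up. This is an added example; it is not part of the thread and is not code from Acronis or Macrium. It assumes an elevated PowerShell session and the English event-provider names, and it takes the 320 MB free-space minimum from the Acronis VSS Doctor report that is quoted later in this thread. It changes nothing on the system.

```powershell
# Added example, not from the thread and not from Acronis/Macrium: a read-only check of
# VSS service state, per-volume free space against the VSS minimum, configured shadow
# storage, and recent VSS/volsnap errors. Run from an elevated PowerShell prompt.

# Minimum free space as reported by Acronis VSS Doctor in this thread (assumed constant).
$MinimumFreeBytes = 320MB

Write-Host "== VSS-related services =="
# VSS = Volume Shadow Copy, swprv = Microsoft Software Shadow Copy Provider.
# Both are normally StartType Manual and only Running while a snapshot is in progress.
Get-Service -Name VSS, swprv | Select-Object Name, Status, StartType | Format-Table -AutoSize

Write-Host "== Local volumes: free space vs. VSS minimum =="
Get-CimInstance -ClassName Win32_Volume -Filter "DriveType=3" |
    Where-Object { $_.DriveLetter } |
    Select-Object DriveLetter, Label,
        @{ n = 'SizeGB';          e = { [math]::Round($_.Capacity / 1GB, 1) } },
        @{ n = 'FreeMB';          e = { [math]::Round($_.FreeSpace / 1MB) } },
        @{ n = 'BelowVssMinimum'; e = { $_.FreeSpace -lt $MinimumFreeBytes } } |
    Format-Table -AutoSize

Write-Host "== Shadow storage configured per volume =="
Get-CimInstance -ClassName Win32_ShadowStorage |
    Select-Object @{ n = 'Volume';      e = { $_.Volume.DeviceID } },
                  @{ n = 'UsedMB';      e = { [math]::Round($_.UsedSpace / 1MB) } },
                  @{ n = 'AllocatedMB'; e = { [math]::Round($_.AllocatedSpace / 1MB) } },
                  @{ n = 'MaxSpace';    e = { if ($_.MaxSpace -eq [uint64]::MaxValue) { 'Unbounded' }
                                              else { "$([math]::Round($_.MaxSpace / 1MB)) MB" } } } |
    Format-Table -AutoSize

Write-Host "== VSS / volsnap warnings and errors, last 7 days =="
# VSS writes to the Application log, the volsnap driver to the System log.
# Level 1-3 = Critical, Error, Warning. No rows here means the repair has held.
$filter = @{
    LogName      = 'Application', 'System'
    ProviderName = 'VSS', 'volsnap'
    Level        = 1, 2, 3
    StartTime    = (Get-Date).AddDays(-7)
}
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, ProviderName, Id,
        @{ n = 'Message'; e = { ($_.Message -split "`r?`n")[0] } } |
    Format-Table -AutoSize -Wrap

Write-Host "== Writer state (vssadmin, needs elevation) =="
# A writer whose State is not "Stable" or whose "Last error" is not "No error" is
# what the repair tools re-register; a healthy system lists every writer as Stable.
vssadmin list writers
```

If the shadow-storage section prints a volume that is not the system drive with almost no free space, that matches the E: drive finding later in this thread: the fix is either to free space there or to leave shadow copies disabled on that volume, not to treat it as an infection indicator.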

Once that's corrected, please follow the directions from the following topic and clean up Chrome.

 

Ron

 


Hello again Ron,

Shall I only do the steps regarding Chrome Secure Preference detection once we fully confirm that there are no more errors in Volume Shadow Copy Service?

I ran Acronis but there were still errors detected and there was no option to have it fixed. I ran Macrium Reflect Volume Shadow Copy Service (VSS) Repair Tool, when the loading bar with the prompt "Registering VSS" is gone does it mean that the process is complete? I will post my Acronis logs and new FRST logs when i get back home.

Thank you for your support.


The only issue is your E: drive. That is low on free space but in general most additional drives don't really need VSS backup enabled.

What is on your E: drive?

Name: E:\
DeviceId: \\?\Volume{1c83f131-ffa7-4ff9-aad6-d4e868c2346f}\
Size: 20 GB
Available: 274 MB
Minimum: 320 MB
IsOk: False
Description: Free space is below required minimum
IsMounted: True

 

Go ahead and reset Google Chrome please.

 


Hi Ron,

I only had 2 drives in my laptop: the C: drive for the SSD and the D: drive for my HDD. I may have clicked the "assign drive letter" option for drives E: and F: in Acronis but closed it both times when I was asked to choose a destination. The attached photo shows the folders that the E: drive contains (it might be possible that this is a backup of some sort?). Is there any way to remove both E: and F: from being assigned? Also, my Chrome scan was clean, absolutely no detection.

drive e.png


Okay, no problem. Just ignore it. VSS looks to be working now.

If you have not already done so please create a NEW System Restore Point.

Reset Google Chrome if you've not already done so. Then restart the computer and let me know how it's running now.

 


Greetings Ron,

I already reset Google Chrome sync and created a new restore point. But I can still see the CPU temp spiking during startup.

spike.png


If that is correct, something is consuming 100% of the Disk I/O which you should be able to see in your Task Manager

 


Hi Ron,

The 100% disk usage is just a spike on startup and it goes to 1%-6% usage moments later. I'll try to reproduce it again later with HWMonitor when I get back home. However, is it normal for my 8 GB RAM to be consumed up to 40-50% when my memory usage in Task Manager is as little as 120 MB - 220 MB?

memory.png


Under Task Manager on the PERFORMANCE tab on the bottom there is a link for "Open Resource Monitor" if you open that you can track down more of what is using what resource. The labels are clickable so that you can sort as well.

Give that a try and see what you can find.

If you need more detail there is also

Process Explorer from Microsoft
https://docs.microsoft.com/en-us/sysinternals/downloads/process-explorer

Between those tools you should be able to track down what is using what as far as resources go.

Let me know how it goes or if you need additional assistance.

 

Ron

 

 

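The same figures Resource Monitor and Process Explorer show, captured from a script so that a startup spike can be recorded rather than screenshotted, and with the "RAM in use versus what the process list adds up to" question from the previous post answered in numbers. This is an added example, not from the thread and not a feature of either tool. It assumes an elevated PowerShell session (so system processes are readable) and the English performance-counter names; on a localized Windows the counter paths need the localized names.

```powershell
# Added example, not from the thread: a console snapshot of memory, CPU and disk usage
# per process. Assumes an elevated prompt and English performance-counter names.

$SampleSeconds = 5

function Get-CpuSeconds($Process) {
    # TotalProcessorTime throws "Access is denied" for protected processes; treat those as unknown.
    try { $Process.TotalProcessorTime.TotalSeconds } catch { $null }
}

# --- Memory: what the OS reports in use vs. what the process list accounts for ---
$os      = Get-CimInstance -ClassName Win32_OperatingSystem        # sizes are in KB
$totalMB = [math]::Round($os.TotalVisibleMemorySize / 1KB)
$inUseMB = $totalMB - [math]::Round($os.FreePhysicalMemory / 1KB)
$procsMB = [math]::Round((Get-Process | Measure-Object -Property WorkingSet64 -Sum).Sum / 1MB)
$pools   = (Get-Counter -Counter '\Memory\Pool Nonpaged Bytes', '\Memory\Pool Paged Resident Bytes').CounterSamples
$poolMB  = [math]::Round(($pools | Measure-Object -Property CookedValue -Sum).Sum / 1MB)
"RAM {0} MB, in use {1} MB ({2}%)" -f $totalMB, $inUseMB, [math]::Round(100 * $inUseMB / $totalMB)
"Sum of process working sets {0} MB (shared pages counted in every process that maps them), kernel pools {1} MB" -f $procsMB, $poolMB
# Task Manager's per-process column is the private working set, which is smaller again,
# and kernel pools, driver allocations and caches never appear as a process row, so
# "in use" is normally well above the sum of the rows. A gap is a reason to look at
# drivers and kernel memory, not by itself a sign of a hidden process.

# --- CPU: share of the whole machine per process over the sample window ---
$cores  = [Environment]::ProcessorCount
$before = @{}
foreach ($p in Get-Process) { $cpu = Get-CpuSeconds $p; if ($null -ne $cpu) { $before[$p.Id] = $cpu } }
Start-Sleep -Seconds $SampleSeconds
$cpuRows = foreach ($p in Get-Process) {
    $cpu = Get-CpuSeconds $p
    if ($null -eq $cpu -or -not $before.ContainsKey($p.Id)) { continue }
    [pscustomobject]@{
        Name   = $p.ProcessName
        Id     = $p.Id
        CpuPct = [math]::Round(100 * ($cpu - $before[$p.Id]) / $SampleSeconds / $cores, 1)
        WsMB   = [math]::Round($p.WorkingSet64 / 1MB)
    }
}
"Top CPU consumers over $SampleSeconds s:"
$cpuRows | Sort-Object CpuPct -Descending | Select-Object -First 10 | Format-Table -AutoSize

# --- Disk: overall busy time and which processes are generating the I/O ---
$busy = (Get-Counter -Counter '\PhysicalDisk(_Total)\% Disk Time').CounterSamples[0].CookedValue
"Disk busy: {0}%  (a brief 100% right after logon is normal; sustained 100% at idle is not)" -f [math]::Round($busy)
$io = (Get-Counter -Counter '\Process(*)\IO Data Bytes/sec' -SampleInterval 2 -MaxSamples 1).CounterSamples
$io | Where-Object { $_.InstanceName -notin '_total', 'idle' } |
    Sort-Object CookedValue -Descending | Select-Object -First 10 |
    Select-Object @{ n = 'Process'; e = { $_.InstanceName } },
                  @{ n = 'KBps';    e = { [math]::Round($_.CookedValue / 1KB) } } |
    Format-Table -AutoSize
```

Run it a few seconds after launching the game launcher to reproduce the condition described in this thread; a miner or other unwanted process shows up as a sustained CpuPct entry under a name that does not belong to anything deliberately started, whereas a thermal problem shows normal CPU shares with high temperatures, which is what distinguishes the two explanations discussed here.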

Hello again Ron,

I started the launcher of the game Warframe to reproduce the high temperatures of the CPU. In Process Explorer I noticed that my GPU memory is shooting up back and forth to 100% and about 13% for a split second. Other than that I honestly don't know what else to look for.

process explorer.png

resource monitor.png

HWMonitor.txt


Hi there

I'm not sure but I will move your topic over to the General PC help forum where some other members may be able to assist you further as I spend the majority of time doing malware removal and the computer does not appear to be infected at this time.

Thank you

Ron

@David H. Lipman @Firefox @exile360


I see "Discord", "Dragon Center" and "Steam" executables.

Are "Steam" and "Launcher" parts of a game?  If yes, unload them and only load them when you want to play the game.

"Discord" is a communication application.  Unload that temporarily as well.

Unload Chrome as well.

Now, what kind of utilization are you seeing?

Edited by David H. Lipman


Greetings,

It may also prove helpful to check the startups that load on your system.  To do so, please do the following:

Create an Autoruns Log:

Please download Sysinternals Autoruns from here and save it to your desktop.

Note: If using Windows Vista, Windows 7, Windows 8/8.1 or Windows 10 then you also need to do the following:

Right-click on Autoruns.exe and select Properties
Click on the Compatibility tab
Under Privilege Level check the box next to Run this program as an administrator
Click on Apply then click OK

  • Double-click Autoruns.exe to run it.
  • Once it starts, please press the Esc key on your keyboard.
  • Now that scanning is stopped, click on the Options button at the top of the program and verify that the following are checked, if they are unchecked, check them:

Hide empty locations
Hide Windows entries

  • Click on the Options button at the top of the program and select Scan Options... then in the Autoruns Scan Options dialog enable/check the following two options:

Verify code signatures
Check VirusTotal.com

  • Once that's done click the Rescan button at the bottom of the Autoruns Scan Options dialog and this will start the scan again, this time let it finish.
  • When it's finished and says Ready. on the lower left of the program window, please click on the File button at the top of the program and select Save and save the file to your desktop and close Autoruns.
  • Right click on the file on your desktop that you just saved and hover your mouse over Send To and select Compressed (zipped) Folder
  • Attach the ZIP folder you just created to your next reply

I'd also like to take a look at your current hardware configuration as that can play a large role in thermals (especially the CPU as some are known to run rather hot and there are things that can be done about it in many cases to improve thermal performance):

Provide System Specifications:

  • Please download Speccy from here and save the ZIP file to your desktop or another location where you can easily find it.
  • Right-click the file select Extract All... then click Extract in the window that pops up and it should be extracted to a folder in the same location as the ZIP file you downloaded.
  • Open the extracted folder and then double-click on the version of Speccy appropriate for your system (select Speccy.exe if using a 32 bit Windows version or Speccy64.exe if you are running a 64 bit version of Windows) and click Yes, OK or Allow if prompted by User Account Control.
  • Once the program starts it will analyze your system, please be patient as it may take a few moments to complete.
  • Once it finishes and none of the areas say Analyzing click on the File button at the top and select Save Snapshot...
  • Save the file to your desktop and click Ok to confirm
  • Go to your desktop and right click on the file you just created and hover over Send to and select Compressed (zipped) Folder
  • Please attach the zip file you just created to your next post

Edited by exile360

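For readers who want to see what the Autoruns procedure above is collecting, here is an added example, not the thread's own steps and not Autoruns itself: a read-only PowerShell sweep of the autostart locations Autoruns covers most often (Run/RunOnce keys, Startup folders, enabled scheduled tasks outside the \Microsoft\ tree, automatic services). For each entry it resolves the executable and checks its Authenticode signature, which is the local half of the "Verify code signatures" option; it does not contact VirusTotal and it changes nothing. It assumes an elevated PowerShell session and writes a CSV to the desktop under a name chosen here (autostart-review.csv).

```powershell
# Added example, not from the thread and not Autoruns: enumerate common autostart
# locations, resolve each executable and report its Authenticode signature status.
# Read-only. Assumes an elevated prompt; the CSV file name is an arbitrary choice.

function Get-ExePath {
    # Pull the executable out of a command line such as  "C:\x\a.exe" /arg  or  C:\Program Files\x\a.exe /arg
    param([string]$CommandLine)
    if (-not $CommandLine) { return $null }
    $cmd = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())
    if ($cmd -match '^"([^"]+)"')        { return $Matches[1] }
    if ($cmd -match '^(.+?\.exe)(\s|$)') { return $Matches[1] }
    return ($cmd -split '\s+')[0]
}

$entries = New-Object 'System.Collections.Generic.List[object]'

function Add-Entry($Source, $Name, $Command) {
    $path   = Get-ExePath $Command
    $exists = [bool]($path -and (Test-Path -LiteralPath $path))
    $sig    = if ($exists) { Get-AuthenticodeSignature -LiteralPath $path } else { $null }
    $entries.Add([pscustomobject]@{
        Source    = $Source
        Name      = $Name
        Path      = $path
        Exists    = $exists
        Signature = if ($sig) { $sig.Status.ToString() } else { 'n/a' }   # Valid, NotSigned, HashMismatch, ...
        Publisher = if ($sig -and $sig.SignerCertificate) {
                        $sig.SignerCertificate.Subject -replace '^CN=("[^"]+"|[^,]+).*', '$1'
                    } else { '' }
    })
}

# 1. Run / RunOnce keys for the machine and the current user (including the 32-bit view)
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
$psProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -notin $psProps) { Add-Entry $key $p.Name ([string]$p.Value) }
    }
}

# 2. Startup folders (shortcuts are resolved to their target)
$shell = New-Object -ComObject WScript.Shell
foreach ($dir in "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
                 "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup") {
    foreach ($f in Get-ChildItem -LiteralPath $dir -File -ErrorAction SilentlyContinue) {
        $target = if ($f.Extension -eq '.lnk') { $shell.CreateShortcut($f.FullName).TargetPath } else { $f.FullName }
        Add-Entry 'StartupFolder' $f.Name $target
    }
}

# 3. Enabled scheduled tasks outside the \Microsoft\ tree, one row per exec action
Get-ScheduledTask | Where-Object { $_.State -ne 'Disabled' -and $_.TaskPath -notlike '\Microsoft\*' } | ForEach-Object {
    foreach ($a in $_.Actions) {
        if ($a.Execute) { Add-Entry "Task $($_.TaskPath)" $_.TaskName $a.Execute }
    }
}

# 4. Automatic-start services
Get-CimInstance -ClassName Win32_Service -Filter "StartMode='Auto'" |
    ForEach-Object { Add-Entry 'Service' $_.Name $_.PathName }

# Report: look first at rows that are not validly signed, not Microsoft-published, or
# point at a file that no longer exists (the equivalent of the highlighted rows in Autoruns).
$review = $entries | Where-Object { $_.Signature -ne 'Valid' -or -not $_.Exists -or $_.Publisher -notmatch '^Microsoft ' }
$review | Sort-Object Signature, Source | Format-Table Source, Name, Signature, Publisher, Path -AutoSize -Wrap
$entries | Export-Csv -NoTypeInformation -LiteralPath "$env:USERPROFILE\Desktop\autostart-review.csv"
"{0} entries total, {1} flagged for review; full list saved to the desktop" -f $entries.Count, @($review).Count
```

A "NotSigned" row is not proof of anything on its own (plenty of legitimate game and driver utilities ship unsigned), but an unsigned entry whose file lives under a user-writable folder such as AppData or Temp, or a Run value whose target no longer exists, is exactly the kind of row worth mentioning when posting the Autoruns log back to the thread.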

Hello @David H. Lipman,

Steam is a game platform developed by Valve; I use it to launch the games I bought from their store. The Launcher.exe is the launcher for the game Warframe from Steam as well (I find it weird that Digital Extremes still requires the launcher for the Steam version of their game). I just opened the launcher to reproduce the unusually high temperature of my CPU.

Hello @exile360,

Here are the logs from Autoruns and Speccy. I already cleaned the fans of dust and reapplied thermal paste, as I mentioned in my first comment (which probably voided the warranty since I broke the seal of my laptop, because I kind of forgot that it still has 1 year before the warranty expires), but it did not help decrease the temperatures when gaming. Thank you.

MSI autoruns.zip MSI speccy.zip


I bet I know what the problem is with the CPU.  You've got a 7700HQ; Intel's 7th gen chips were known to run hot often (as were their 6th and 8th gen chips) because Intel used less effective thermal paste under the integrated heat spreader (IHS) that covers the die of the CPU, so heat isn't dissipated to your heat sink as well as it could be if they had used solder as they had with past generations of chips (and they started doing again with the 9th gen chips).  It's up to you, and if you aren't comfortable doing so then I wouldn't recommend it, but you could delid your CPU to apply either better thermal paste between the silicon and the IHS or you could even use liquid metal.  Additionally, the quality of thermal paste you use can have a huge impact on temperatures, as can the application of it.  I personally use Thermal Grizzly Kryonaut as it gives me the lowest temps on my chips (I've used it on both CPUs and GPUs, including my current 7700K (overclocked to 4.6GHz across all cores) and my GTX 1070 (overclocked to +130MHz on the core and +450MHz on the VRAM; it typically runs around 1.9GHz when boosting during games and the memory runs at 8.9GHz) in my current laptop).  I spread a thin layer of the compound and then attach the cooler to the components as evenly as possible by applying a reasonable amount of pressure on the center over the component and attach the screws, tightening them gradually in an X pattern, and I find that I get really good results.  Of course I have a larger 15.6" laptop so the coolers it comes with are pretty decent.  I also undervolt my CPU, and if you are able to do so with your chip it could substantially improve thermal performance without sacrificing clock speeds.  On my current chip I'm able to do -100 mV on the core and -100 mV on the uncore/cache voltage.  I use a utility called ThrottleStop for that.

More info on delidding if you're interested in that, can be found in the following videos:

https://www.youtube.com/watch?v=w9i_ULemBhI

https://www.youtube.com/watch?v=hdTsra-uLBI

Also bear in mind that you don't have to use liquid metal if you delid (I didn't, and my temps are great); I'd suggest Thermal Grizzly Kryonaut which is not electrically conductive so you don't risk shorting out your CPU.

I did have a 7700HQ in my last laptop and I delidded it as well and it definitely helped my temps immensely (they dropped around 10~20C across the board) and I also used Kryonaut just as I am with my current laptop.  I was also able to undervolt to around -200 mV on the core and around -100 mV on the uncore/cache voltages using Intel XTU (Intel Extreme Tuning Utility), which is what I used for overclocking and undervolting prior to discovering ThrottleStop, which is what I use now.  Your laptop may have shipped with XTU already installed; if so, you might want to take a look to see if it's undervolted or not.  If it hasn't been, you can try it to see how it goes, starting around -10 to -20 mV and moving down until you find the point where it isn't stable (you can run a benchmark to test your CPU's stability).

You can find info on how to use ThrottleStop in the following posts and guides:

https://www.notebookcheck.net/How-to-Lower-Temperatures-Stop-Throttling-and-Increase-Battery-Life-The-ThrottleStop-Guide-2017.213140.0.html

https://beebom.com/how-use-throttlestop-control-cpu/

This guide shows how to undervolt using Intel XTU:

https://www.notebookcheck.net/Intel-Extreme-Tuning-Utility-XTU-Undervolting-Guide.272120.0.html

The above info is optional, and if you aren't comfortable with delidding or undervolting then skip it, but it can make a huge difference in temps and performance if you're up to it.  The downloads for both XTU and ThrottleStop can be found below:

https://downloadcenter.intel.com/download/24075/Intel-Extreme-Tuning-Utility-Intel-XTU-

https://www.techpowerup.com/download/techpowerup-throttlestop/

I also noticed you still have some lingering components of Avast on your system.  Please run the Avast Uninstall Utility to remove them:

https://www.avast.com/uninstall-utility

After all that if you're still having issues please let us know and we'll move on to eliminating unnecessary startups with Autoruns.
