CPU Activity 100 till task manager is opened


CPU activity is at 100% until Task Manager is opened. I can tell because of the noise the fans make while I am browsing on my laptop (Predator Helios 300, 2019). Because of this it gets hot. As soon as I open Task Manager, CPU activity drops back to 10 or less. I have attached the activity log below, taken from the Malwarebytes Support Tool.

(Sorry for bad English)

mbst-grab-results.zip


I monitored temps and there's a difference of as much as 25 degrees Celsius between idle temps (75) and when Task Manager is open (50 degrees Celsius).

 

Also, when disconnected from the charger, the laptop fans become less noisy and temps drop to 45 degrees. Therefore, whatever is running in the background only becomes active once the laptop is connected to the charger.

 

I have attached the FRST and Addition files as well.

Addition.txt FRST.txt

 

Autoruns file attached below

LAPTOP-346VSMRE.zip

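
The symptom described in the two posts above (a load that vanishes as soon as Task Manager is open) can be observed from a PowerShell window instead, which a process watching for taskmgr.exe may not react to. The script below is an added example; it is not part of this thread and not from any Malwarebytes tool. It takes two snapshots of each process's cumulative CPU time and reports the top consumers over the interval, normalised to the percentage figure Task Manager shows. The 10-second interval and the `taskmgr` process-name check are assumptions.

```powershell
# Added example (not from the thread): per-process CPU load measured from
# PowerShell rather than Task Manager. Run in an elevated PowerShell window
# with Task Manager closed.
param(
    [int]$IntervalSeconds = 10   # assumption: long enough to capture a steady load
)

# A process that idles when taskmgr.exe appears would also skew this sample.
if (Get-Process -Name taskmgr -ErrorAction SilentlyContinue) {
    Write-Warning 'taskmgr.exe is running; close it so the sample reflects the unobserved state.'
}

# Cumulative CPU seconds for a process; protected processes deny access, so return $null.
function Get-CpuSeconds {
    param($Process)
    try { return $Process.TotalProcessorTime.TotalSeconds } catch { return $null }
}

# Image path, or $null when this session cannot open the process.
function Get-ImagePath {
    param($Process)
    try { return $Process.Path } catch { return $null }
}

$logicalCpus = [Environment]::ProcessorCount

# First snapshot keyed by process id.
$before = @{}
foreach ($p in Get-Process) {
    $s = Get-CpuSeconds $p
    if ($null -ne $s) { $before[$p.Id] = $s }
}

Start-Sleep -Seconds $IntervalSeconds

# Second snapshot; the difference is the CPU time consumed during the interval,
# divided by the interval and the number of logical processors to give a percentage.
$rows = foreach ($p in Get-Process) {
    if (-not $before.ContainsKey($p.Id)) { continue }   # started during the interval
    $after = Get-CpuSeconds $p
    if ($null -eq $after) { continue }
    $delta = $after - $before[$p.Id]
    [pscustomobject]@{
        Name      = $p.Name
        ProcessId = $p.Id
        CpuPct    = [math]::Round(100 * $delta / ($IntervalSeconds * $logicalCpus), 1)
        Path      = Get-ImagePath $p
    }
}

# Top consumers first; an unfamiliar name, or a path under AppData or ProgramData,
# is what to look at next.
$rows | Sort-Object CpuPct -Descending | Select-Object -First 10 | Format-Table -AutoSize
```

Run it as a saved .ps1 so the `param` block applies, for instance with `-IntervalSeconds 30` if the load comes and goes. Because the sample is taken while Task Manager is closed, a process that only spins when unobserved still shows up with its image path.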

Hello, Welcome to Malwarebytes.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

A rootkit infection is present on this computer.

Read carefully and follow these steps.
TDSS

  • Download TDSSKiller and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application.
  • Then click on Start Scan.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.

  • If an infected file is detected, the default action will be Cure, click on Continue.

  • Important: Do NOT change the default action on your own unless instructed by a malware Helper! Doing so may render your computer unbootable.

  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.

  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.

  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.


===

--RogueKiller--

  • Download RogueKiller & SAVE it to your Desktop.
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or above, right-click the program file and select "Run as Administrator".
  • Accept the user agreements.
  • Execute the scan and wait until it has finished.
  • If a window opens to explain what PUMs are, read about it.
  • Click the RogueKiller icon on your taskbar to return to the report.
  • Click open the Report.
  • Click the Export TXT button.
  • Save the file as ReportRogue.txt.
  • Click the Remove button to delete the items in RED.
  • Click Finish and close the program.
  • Locate the ReportRogue.txt file on your Desktop and copy/paste the contents in your next reply.


=======

Please attach the logs for my review.


Thanks for the clear steps!

Here is the tdsskiller report

11:07:35.0511 11512  TDSS rootkit removing tool 2.8.16.0 Feb 11 2013 18:50:42
11:07:35.0511 11512  UEFI system
11:07:37.0211 11512  ============================================================
11:07:37.0211 11512  Current date / time: 2020/03/25 11:07:37.0211
11:07:37.0211 11512  SystemInfo:
11:07:37.0220 11512  
11:07:37.0220 11512  OS Version: 6.2.9200 ServicePack: 0.0
11:07:37.0220 11512  Product type: Workstation
11:07:37.0220 11512  ComputerName: LAPTOP-346VSMRE
11:07:37.0221 11512  UserName: sam02
11:07:37.0221 11512  Windows directory: C:\WINDOWS
11:07:37.0221 11512  System windows directory: C:\WINDOWS
11:07:37.0221 11512  Running under WOW64
11:07:37.0221 11512  Processor architecture: Intel x64
11:07:37.0221 11512  Number of processors: 8
11:07:37.0221 11512  Page size: 0x1000
11:07:37.0221 11512  Boot type: Normal boot
11:07:37.0221 11512  ============================================================
11:07:39.0133 11512  Drive \Device\Harddisk0\DR0 - Size: 0xE8E0DB6000 (931.51 Gb), SectorSize: 0x200, Cylinders: 0x1DB01, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000040
11:07:39.0143 11512  Drive \Device\Harddisk1\DR1 - Size: 0x3B9E656000 (238.47 Gb), SectorSize: 0x200, Cylinders: 0x799A, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000040
11:07:39.0147 11512  ============================================================
11:07:39.0148 11512  \Device\Harddisk0\DR0:
11:07:39.0149 11512  MBR partitions:
11:07:39.0149 11512  \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x800, BlocksNum 0x2788D800
11:07:39.0149 11512  \Device\Harddisk0\DR0\Partition2: MBR, Type 0x7, StartLBA 0x2788E000, BlocksNum 0x2673B800
11:07:39.0149 11512  \Device\Harddisk0\DR0\Partition3: MBR, Type 0x7, StartLBA 0x4DFCA000, BlocksNum 0x2673B800
11:07:39.0149 11512  \Device\Harddisk1\DR1:
11:07:39.0149 11512  GPT partitions:
11:07:39.0150 11512  \Device\Harddisk1\DR1\Partition1: GPT, TypeGUID: {C12A7328-F81F-11D2-BA4B-00A0C93EC93B}, UniqueGUID: {F874B886-0ED1-4C24-BCA2-EBE83887F66A}, Name: EFI system partition, StartLBA 0x800, BlocksNum 0x32000
11:07:39.0150 11512  \Device\Harddisk1\DR1\Partition2: GPT, TypeGUID: {E3C9E316-0B5C-4DB8-817D-F92DF00215AE}, UniqueGUID: {54CB3E5E-15FA-4F95-A01E-E3B07A88A630}, Name: Microsoft reserved partition, StartLBA 0x32800, BlocksNum 0x8000
11:07:39.0150 11512  \Device\Harddisk1\DR1\Partition3: GPT, TypeGUID: {EBD0A0A2-B9E5-4433-87C0-68B6B72699C7}, UniqueGUID: {09D2BFDB-A3D5-49C6-8647-6DCAB39D06C7}, Name: Basic data partition, StartLBA 0x3A800, BlocksNum 0x1DAB4800
11:07:39.0150 11512  \Device\Harddisk1\DR1\Partition4: GPT, TypeGUID: {DE94BBA4-06D1-4D40-A16A-BFD50179D6AC}, UniqueGUID: {A7014B1E-441F-44CA-B685-D8A96D0C974A}, Name: Basic data partition, StartLBA 0x1DAEF000, BlocksNum 0x200000
11:07:39.0150 11512  MBR partitions:
11:07:39.0150 11512  ============================================================
11:07:39.0151 11512  C: <-> \Device\Harddisk1\DR1\Partition3
11:07:39.0219 11512  D: <-> \Device\Harddisk0\DR0\Partition1
11:07:39.0252 11512  E: <-> \Device\Harddisk0\DR0\Partition2
11:07:39.0289 11512  G: <-> \Device\Harddisk0\DR0\Partition3
11:07:39.0289 11512  ============================================================
11:07:39.0289 11512  Initialize success
11:07:39.0289 11512  ============================================================
11:07:42.0514 4668  ============================================================
11:07:42.0514 4668  Scan started
11:07:42.0514 4668  Mode: Manual; 
11:07:42.0514 4668  ============================================================
11:07:42.0980 4668  ================ Scan system memory ========================
11:07:42.0981 4668  System memory - ok
11:07:42.0981 4668  ================ Scan services =============================
11:07:42.0981 4668  ================ Scan global ===============================
11:07:43.0019 4668  [ BCCC12EB2EF644E662A63A023FB83F9B ] C:\WINDOWS\system32\services.exe
11:07:43.0033 4668  [Global] - ok
11:07:43.0033 4668  ================ Scan MBR ==================================
11:07:43.0050 4668  [ A36C5E4F47E84449FF07ED3517B43A31 ] \Device\Harddisk0\DR0
11:07:43.0068 4668  \Device\Harddisk0\DR0 - ok
11:07:43.0072 4668  [ 5FB38429D5D77768867C76DCBDB35194 ] \Device\Harddisk1\DR1
11:07:43.0076 4668  \Device\Harddisk1\DR1 - ok
11:07:43.0077 4668  ================ Scan VBR ==================================
11:07:43.0080 4668  [ 47BF1CDA4CF16EF547AD0D26F6BA2FD7 ] \Device\Harddisk0\DR0\Partition1
11:07:43.0081 4668  \Device\Harddisk0\DR0\Partition1 - ok
11:07:43.0086 4668  [ D413B8508E394CBAD35A3C489C950DA7 ] \Device\Harddisk0\DR0\Partition2
11:07:43.0087 4668  \Device\Harddisk0\DR0\Partition2 - ok
11:07:43.0093 4668  [ CDD2A3CBB5315DD00888350092F96A5E ] \Device\Harddisk0\DR0\Partition3
11:07:43.0094 4668  \Device\Harddisk0\DR0\Partition3 - ok
11:07:43.0099 4668  [ 548D350D40202057295448F0CA3310AD ] \Device\Harddisk1\DR1\Partition1
11:07:43.0100 4668  \Device\Harddisk1\DR1\Partition1 - ok
11:07:43.0106 4668  [ D05ED8AA2F79CD81952BD8A0D2012F12 ] \Device\Harddisk1\DR1\Partition2
11:07:43.0106 4668  \Device\Harddisk1\DR1\Partition2 - ok
11:07:43.0112 4668  [ 82688338A0AF7F4351BC2534AC70EBF8 ] \Device\Harddisk1\DR1\Partition3
11:07:43.0114 4668  \Device\Harddisk1\DR1\Partition3 - ok
11:07:43.0120 4668  [ CBF6B19B571891A052E0BB08E3CB8260 ] \Device\Harddisk1\DR1\Partition4
11:07:43.0121 4668  \Device\Harddisk1\DR1\Partition4 - ok
11:07:43.0123 4668  ============================================================
11:07:43.0123 4668  Scan finished
11:07:43.0123 4668  ============================================================
11:07:43.0138 4412  Detected object count: 0
11:07:43.0138 4412  Actual detected object count: 0

 


RogueKiller Anti-Malware V14.3.0.0 (x64) [Mar 23 2020] (Premium) by Adlice Software
mail : https://adlice.com/contact/
Website : https://adlice.com/download/roguekiller/
Operating System : Windows 10 (10.0.18363) 64 bits
Started in : Normal mode
User : sam02 [Administrator]
Started from : C:\Program Files\RogueKiller\RogueKiller64.exe
Signatures : 20200323_083304, Driver : Loaded
Mode : Standard Scan, Scan -- Date : 2020/03/25 11:13:32 (Duration : 00:06:59)

¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Processes ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤

¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Process Modules ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤

¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Services ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤

¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Tasks ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤
[Suspicious.Path (Potentially Malicious)] \X-6-8-89-1317838015-1263602325-1123168039-2185\{G5GDX7-9IM7-WML1-CI4A-QKO1ZTU87ZW} -- "C:\ProgramData\amd64_microsoft-windows-e..filter-ux.resources_31bf3856ad364e35_10.0.18362.1_en-us_ebdae9dc3ec49d89\ntvdm64.exe" -> Found

¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Registry ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤

¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ WMI ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤

¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Hosts File ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤

¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Files ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤
[Miner.Gen (Malicious)] (folder) Intel Rapid -- C:\Users\sam02\AppData\Roaming\Intel Rapid -> Found
[PUP.OnlineIO (Potentially Malicious)] (folder) AdvinstAnalytics -- C:\Users\sam02\AppData\Local\AdvinstAnalytics -> Found
[PUP.Gen1 (Potentially Malicious)] (folder) DriverSetupUtility -- C:\ProgramData\DriverSetupUtility -> Found
[PUP.Gen1 (Potentially Malicious)] (folder) DriverSetupUtility -- C:\Program Files\DriverSetupUtility -> Found
[PUP.InnovativeSolutions (Potentially Malicious)] (folder) Innovative Solutions -- C:\Program Files (x86)\Innovative Solutions -> Found

¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Web browsers ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤
 

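
The Tasks entry in the RogueKiller report above is a scheduled task whose action launches an executable out of C:\ProgramData, and the Miner.Gen folder sits under AppData\Roaming; both are user-writable locations that signed Windows components do not normally run from. The script below is an added example, not from the thread and not from RogueKiller. It enumerates scheduled tasks, flags those whose action points under such a root, and reports whether the target exists and whether it carries a valid Authenticode signature. The list of suspect roots and the Defender exclusion are assumptions to tune per machine.

```powershell
# Added example (not from the thread or RogueKiller): find scheduled tasks whose
# action executes from a user-writable location. Run in an elevated PowerShell
# window so tasks registered by every user are visible.

# Assumption: roots from which a signed Windows component would not normally run.
$suspectRoots = @(
    "$env:ProgramData\",
    "$env:SystemDrive\Users\",     # every profile's AppData\Roaming and AppData\Local
    "$env:SystemRoot\Temp\"
)

# Assumption: known-good locations under those roots; extend for your environment.
$allowRoots = @(
    "$env:ProgramData\Microsoft\Windows Defender\"   # Defender platform binaries live here
)

function Resolve-ActionPath {
    param([string]$Execute)
    # Task actions are often quoted and may use %VARIABLES%; normalise before comparing.
    return [Environment]::ExpandEnvironmentVariables($Execute.Trim('"', ' '))
}

function Test-UserWritablePath {
    param([string]$Path)
    if ([string]::IsNullOrWhiteSpace($Path)) { return $false }
    foreach ($ok in $allowRoots) {
        if ($Path.StartsWith($ok, [StringComparison]::OrdinalIgnoreCase)) { return $false }
    }
    foreach ($root in $suspectRoots) {
        if ($Path.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

function Get-SuspectTasks {
    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            # Only Exec actions carry a program path; COM-handler actions have no Execute.
            if (-not $action.Execute) { continue }
            $target = Resolve-ActionPath $action.Execute
            if (-not (Test-UserWritablePath $target)) { continue }

            $info = $task | Get-ScheduledTaskInfo
            $sig  = Get-AuthenticodeSignature -FilePath $target -ErrorAction SilentlyContinue
            $sigStatus = if ($sig) { $sig.Status.ToString() } else { 'n/a' }
            [pscustomobject]@{
                TaskPath  = $task.TaskPath
                TaskName  = $task.TaskName
                State     = $task.State
                Execute   = $target
                Arguments = $action.Arguments
                Exists    = Test-Path -LiteralPath $target
                Signature = $sigStatus
                LastRun   = $info.LastRunTime
                Author    = $task.Author
            }
        }
    }
}

# Unsigned or missing binaries under these roots are the first thing to examine;
# legitimate signed updaters (OneDrive, browsers) also live under AppData and will appear.
Get-SuspectTasks | Format-List
```

The Signature column is what separates the two kinds of hit: a vendor updater under AppData reports `Valid` with a recognisable publisher, whereas a task like the one in the report above points at an unsigned or already-removed binary in a folder named to look like a Windows component.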

Hi,

Please download the attached Fixlist.txt file to the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the FRST.txt log you have submitted.

Run FRST and click Fix only once and wait.

The Computer will restart when the fix is completed.

It will create a log (Fixlog.txt); please post it in your reply.
===

Please post the Fixlog.txt.

===

After the restart please run the Farbar program and attach fresh logs for my review.

Let me know what problem persists.

fixlist.txt


I did as you said and my laptop shut itself down and started the self-diagnosing process that comes from Acer itself. I had to perform a system restore and now many of my apps are not opening. But everything else is working fine. Also, my 1660 Ti is showing as inactive in the taskbar. I am guessing that some of the fault was with Acer-supplied software itself? Either way, what should I do now? I am really computer illiterate and am tense about what the problem is.

Thank you for your time.


Hi,

I had to perform a system restore and now many of my apps are not opening.

Did you verify if you had all the latest Windows Security Updates?

If not do it.
===

Download Farbar's Service Scanner utility
http://www.bleepingcomputer.com/download/farbar-service-scanner/dl/62/
and save it to your Desktop.
If using Windows 7 or above, Right-Click on fss.exe and select Run As Administrator.
If using XP, double-click to start.
Answer Yes to ok when prompted.
If your firewall then puts out a prompt, again, allow it to run.
Once FSS is on-screen, be sure the following items are checkmarked:
Internet Services
Windows Firewall
System Restore
Security Center/Action Center
Windows Update
Windows Defender
Other Services
  
Click on "Scan".
It will create a log (FSS.txt) in the same directory the tool is run.
Copy & Paste contents of FSS.txt into your reply.
===

Run the Farbar program and attach both logs for my review.

p.s.
In post no. 7 you attached my FixList.txt. I was expecting the FixLog.txt that is created after the fix.
Please attach it also.


Sorry for the late reply. I had to perform a factory reset.

This is the farbar result.

 

Farbar Service Scanner Version: 14-12-2019
Ran by sam02 (administrator) on 30-03-2020 at 10:34:54
Running from "C:\Users\sam02\OneDrive\Desktop"
Microsoft Windows 10 Home Single Language  (X64)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============

Firewall Disabled Policy: 
==================


System Restore:
============

System Restore Policy: 
========================


Security Center:
============


Windows Update:
============
wuauserv Service is not running. Checking service configuration:
The start type of wuauserv service is OK.
The ImagePath of wuauserv: "%systemroot%\system32\svchost.exe -k netsvcs -p".
The ServiceDll of wuauserv service is OK.


Windows Autoupdate Disabled Policy: 
============================


Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is set to Demand. The default start type is Auto.
The ImagePath of WinDefend service is OK.


Windows Defender Disabled Policy: 
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1


Other Services:
==============


File Check:
========
C:\Windows\System32\nsisvc.dll => File is digitally signed
C:\Windows\System32\drivers\nsiproxy.sys => File is digitally signed
C:\Windows\System32\drivers\afd.sys => File is digitally signed
C:\Windows\System32\drivers\tdx.sys => File is digitally signed
C:\Windows\System32\Drivers\tcpip.sys => File is digitally signed
C:\Windows\System32\dnsrslvr.dll => File is digitally signed
C:\Windows\System32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\System32\mpssvc.dll => File is digitally signed
C:\Windows\System32\bfe.dll => File is digitally signed
C:\Windows\System32\drivers\mpsdrv.sys => File is digitally signed
C:\Windows\System32\SDRSVC.dll => File is digitally signed
C:\Windows\System32\vssvc.exe => File is digitally signed
C:\Windows\System32\wscsvc.dll => File is digitally signed
C:\Windows\System32\wbem\WMIsvc.dll => File is digitally signed
C:\Windows\System32\wuaueng.dll => File is digitally signed
C:\Windows\System32\qmgr.dll => File is digitally signed
C:\Windows\System32\es.dll => File is digitally signed
C:\Windows\System32\cryptsvc.dll => File is digitally signed
C:\Program Files\Windows Defender\MpSvc.dll => File is digitally signed
C:\Windows\System32\ipnathlp.dll => File is digitally signed
C:\Windows\System32\iphlpsvc.dll => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed


**** End of log ****

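
The FSS log above checks a few service start types and the Windows Defender policy value. The script below is an added example, not from FSS and not from the thread; it performs the same checks with PowerShell, puts the stock Windows 10 value beside each result, and also lists the antivirus products registered with Security Center, which is the benign explanation for `DisableAntiSpyware=1` that the helper gives in the next reply. The expected start types and the two registry keys are assumptions based on default Windows 10 installs.

```powershell
# Added example (not from the thread or from FSS): service start types and
# Defender policy checks, with the stock Windows 10 value beside each result.
# Run in an elevated PowerShell window.

# Assumption: these are the default start types on Windows 10.
$expectedStartType = @{
    wuauserv  = 'Manual'      # Windows Update (demand-start; "not running" at idle is normal)
    WinDefend = 'Automatic'   # Microsoft Defender Antivirus service
    wscsvc    = 'Automatic'   # Security Center
    mpssvc    = 'Automatic'   # Windows Defender Firewall
}

function Get-ServiceStartReport {
    foreach ($name in $expectedStartType.Keys) {
        $svc    = Get-Service -Name $name -ErrorAction SilentlyContinue
        $status = if ($svc) { $svc.Status.ToString() } else { 'missing' }
        $actual = if ($svc) { $svc.StartType.ToString() } else { 'missing' }
        [pscustomobject]@{
            Service   = $name
            Status    = $status
            StartType = $actual
            Expected  = $expectedStartType[$name]
            AsDefault = ($actual -eq $expectedStartType[$name])
        }
    }
}

function Get-DefenderPolicyReport {
    # The first key is where FSS reported DisableAntiSpyware=1; the second is the Group Policy location.
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows Defender',
        'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
    )
    foreach ($key in $keys) {
        $item  = Get-ItemProperty -Path $key -Name DisableAntiSpyware -ErrorAction SilentlyContinue
        $value = if ($item) { $item.DisableAntiSpyware } else { '(not set)' }
        [pscustomobject]@{ Key = $key; DisableAntiSpyware = $value }
    }
}

function Get-RegisteredAntivirus {
    # A third-party AV registered with Security Center is the expected reason for a disabled Defender.
    Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName AntiVirusProduct -ErrorAction SilentlyContinue |
        Select-Object displayName, productState, pathToSignedProductExe
}

Get-ServiceStartReport  | Format-Table -AutoSize
Get-DefenderPolicyReport | Format-Table -AutoSize
Get-RegisteredAntivirus  | Format-Table -AutoSize
```

Read the three tables together: WinDefend on Demand with DisableAntiSpyware set to 1 is expected when a third-party product appears in the last table, as on this machine, but the same two findings with no registered product would be worth a closer look.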

Hi,

Looking good.

Windows Defender Disabled Policy: 


==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1

Avast is installed on this computer.
It's normal that Windows Defender is disabled.

Stay safe.


Root Admin

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Please review the following for Tips to help protect from infection

Thank you

 

 
