Jump to content
Loot

Blank Task using GPU and CPU

Recommended Posts

I have a blank task in task manager that says its svchost taking at max 40% gpu and 15% cpu, but uses less gpu when something else is using the gpu. I just noticed this today and neither Malwarebytes or Malwarebytes Anti-Rootkit found anything on my pc. I can't figure out what the problem is and would love some help. Also I don't want to reset my pc if at all possible.

Share this post


Link to post
Share on other sites

Another one opened while I was playing a game, it was using almost all of my gpu.

Share this post


Link to post
Share on other sites

Hello Loot and welcome to Malwarebytes,

Continue with the following:

If you do not have Malwarebytes installed do the following:

Download Malwarebytes from the following link:

https://www.malwarebytes.com/mwb-download/thankyou/

or,

https://downloads.malwarebytes.com/file/mb4_offline

Double click on the installer and follow the prompts. If necessary select the Blue Help tab for video instructions....

When the install completes or Malwarebytes is already installed do the following:

Open Malwarebytes, select > "settings" > "security tab"

Scroll down to "Scan Options" ensure Scan for Rootkits and Scan within Archives are both on....

Go back to "DashBoard" select the Blue "Scan Now" tab......

When the scan completes quarantine any found entries...

To get the log from Malwarebytes do the following:
 
  • Single click on the target sight above scanner window.
  • In the new window select Report
  • Double click on the Scan log which shows the Date and time of the scan just performed.
  • Click Export > From export you have two options:
    Copy to Clipboard - if seleted right click to your reply and select "Paste" log will be pasted to your reply
    Export toTxt - if selected you will have to name the file and save to a place of choice, recommend "Desktop" then attach to reply

     
  • Please use "Export to Txt" then attach the log to your reply...


Next,

Download AdwCleaner by Malwarebytes onto your Desktop.

Or from this Mirror
 
  • Right-click on AdwCleaner.exe and select user posted imageRun as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users)
  • Accept the EULA (I accept), then click on Scan
  • Let the scan complete. Once it's done, make sure that every item listed in the different tabs is checked and click on the Quarantine button. This will kill all the active processes
  • Once the cleaning process is complete, AdwCleaner will ask to restart your computer, do it
  • After the restart, a log will open when logging in. Please copy/paste the content of that log in your next reply


Next,

Download Farbar Recovery Scan Tool and save it to your desktop.

Alternative download option: http://www.techspot.com/downloads/6731-farbar-recovery-scan-tool.html

Note: You need to run the version compatible with your system (32 bit or 64 bit). If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

If your security alerts to FRST either, accept the alert or turn your security off to allow FRST to run. It is not malicious or infected in any way...

Be aware FRST must be run from an account with Administrator status...
 
  • Double-click to run it. When the tool opens click Yes to disclaimer.(Windows 8/10 users will be prompted about Windows SmartScreen protection - click More information and Run.)
  • Make sure Addition.txt is checkmarked under "Optional scans"
    user posted image
     
  • Press Scan button to run the tool....
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The tool will also make a log named (Addition.txt) Please attach that log to your reply.


Let me see those logs in your reply...

Thank you,

Kevin....

Share this post


Link to post
Share on other sites

Hello Loot,

Thanks for those logs, continue please:

Download attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into. "Do not open that file when running FRST fix"
NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Open FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt) or the folder it was ran from. Please post it to your reply.

Next,

Download "Microsoft's Safety Scanner" and save direct to the desktop

Ensure to get the correct version for your system....

https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download


Right click on the Tool, select “Run as Administrator” the tool will expand to the options Window
In the "Scan Type" window, select Quick Scan
Perform a scan and Click Finish when the scan is done.


Retrieve the MSRT log as follows, and post it in your next reply:

1) Select the Windows key and R key together to open the "Run" function
2) Type or Copy/Paste the following command to the "Run Line" and Press Enter:

notepad c:\windows\debug\mrt.log

The log will include log details for each time MSRT has run, we only need the most recent log by date and time....

next,

user posted imageScan with Autoruns

Please download Sysinternals Autoruns from the following link: https://live.sysinternals.com/autoruns.exe save it to your desktop.

Note: If using Windows Vista, Windows 7, Windows 8/8.1 or Windows 10 then you also need to do the following:
 
  • Right-click on Autoruns.exe and select Properties
  • Click on the Compatibility tab
  • Under Privilege Level check the box next to Run this program as an administrator
  • Click on Apply then click OK
     
  • Double-click Autoruns.exe to run it.
  • Once it starts, please press the Esc key on your keyboard.
  • Now that scanning is stopped, click on the Options button at the top of the program and verify that the following are checked, if they are unchecked, check them:

    Hide empty locations
    Hide Windows entries

     
  • Click on the Options button at the top of the program and select Scan Options... then in the Autoruns Scan Options dialog enable/check the following two options:

    Verify code signatures
    Check VirusTotal.com

     
  • Once that's done click the Rescan button at the bottom of the Autoruns Scan Options dialog and this will start the scan again, this time let it finish.
  • When it's finished and says Ready. on the lower left of the program window, please click on the File button at the top of the program and select Save and save the file to your desktop and close Autoruns.
  • Right click on the file on your desktop that you just saved and hover your mouse over Send To and select Compressed (zipped) Folder
  • Attach the ZIP folder you just created to your next reply


Let me see those logs in your reply...

Thank you,

Kevin..

 

 

fixlist.txt

Share this post


Link to post
Share on other sites

Hey! Thanks again for the reply.

 

Since running the fixlist I haven't seen anything on my PC even after multiple restarts and waiting for anything to happen, which is good. The only problem is that nothing got saved to the mrt.log, just a scan from a week ago. The only detection that came from running MSRT was VirTool:Win32/DefenderTamperingRestore, which got detected every time I restarted my PC. Anyway, i'll link the other two files since only old scans are saved to mrt.log.

Fixlog.txt DESKTOP-VAN7SK6.zip

Share this post


Link to post
Share on other sites

Hello Loot,

Continue please:

Upload a File to Virustotal

Go to http://www.virustotal.com/
 
  • Click the Choose file button
  • Navigate to the file c:\windows\syswow64\astsrv.exe
  • Click the Scan it tab
  • If you get a message saying File has already been analyzed: click Reanalyze file now
  • Copy and paste the URL address back here please.

Thank you,

Kevin

Share this post


Link to post
Share on other sites

Hiya Loot,

Well VT log confirms what was flagged in autoruns, lets get that file off your system...

Download attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into. "Do not open that file when running FRST fix"
NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Open FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt) or the folder it was ran from. Please post it to your reply.

Next,

Download "Microsoft's Safety Scanner" and save direct to the desktop

Ensure to get the correct version for your system....

https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download


Right click on the Tool, select “Run as Administrator” the tool will expand to the options Window
In the "Scan Type" window, select Quick Scan
Perform a scan and Click Finish when the scan is done.


Retrieve the MSRT log as follows, and post it in your next reply:

1) Select the Windows key and R key together to open the "Run" function
2) Type or Copy/Paste the following command to the "Run Line" and Press Enter:

notepad c:\windows\debug\mrt.log

The log will include log details for each time MSRT has run, we only need the most recent log by date and time....
 
Thanks,
 
Kevin..

 

 

fixlist.txt

Share this post


Link to post
Share on other sites

Hello Loot,

Can right click on that entry in taskmanager, can you select "open file location" see where it lives..?

Run another scan with autoruns and post that log....

Thanks,

Kevin..

Share this post


Link to post
Share on other sites

That is the correct folder, lets see if we can see what is attached to that entry...

user posted imageProcess Monitor - Capture
  • Download Process Monitor from Sysinternal Suite, and extract the ProcessMonitor.zip file;
  • Right-click on Procmon.exe and select user posted imageRun as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users);
  • Wait for the program to start capturing events (you'll see entries appears very fast);
  •  
  • Once done, click on the little magnifying lense button to stop the capture;
    user posted image
     
  • Click on the File menu, followed by Save... and save the logfile (by default it'll be saved in the ProcessMonitor folder);
  • Right-click on the ProcMon trace file you saved (.pml file), select Send to and Compressed archive (.zip);
  • Attach that .zip file in your next reply;

Thank you,

Kevin..

Share this post


Link to post
Share on other sites

Hey,

 

I wasn't sure when to pause the capture, so I left it running until the file was too big to upload. Also I started this after the blank program already started since usually the blank task takes a minute to start.

Logfile.zip

Share this post


Link to post
Share on other sites

Hello Loot,

Nothing of interest showing in that log, took awhile to trawl through it all... There were a few empty tasks linking to svchost but on checking there properties and stacks, no malware or infection..

Run this please:

Please download Malwarebytes Anti-Rootkit from here
 
  • Right click on the tool (select "Run as Administrator) to start the extraction to a convenient location. (Desktop is preferable)
  • Open the folder where the contents were unzipped and run mbar.exe
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • Click on the Cleanup button to remove any threats and reboot if prompted to do so.
  • Wait while the system shuts down and the cleanup process is performed.
  • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
  • When done, please post the two logs produced they will be in the MBAR folder... mbar-log.txt and system-log.txt

Thanks,

Kevin

Share this post


Link to post
Share on other sites

Hello Loot,

Another clean set of logs, try the following please:

Open the search function, type or copy/paste Windows Defender Security Center then select ok to open that option.

In the new window select Virus and Threat Protection then select Scan Options

The scan options window will open, from there select Windows Defender Offline Scan

You will be given the option to save any opened work etc, then select Scan from there when the scan completes Windows will reboot..

To check for found entries:

Select Start , and then select Settings > Update & Security > Windows Security > Virus & threat protection . On the Virus & threat protection screen select Protection history.

If entries are shown as "Found" the time and date will be same as the offline scan just completed.....
 
Thanks,
 
Kevin..

Share this post


Link to post
Share on other sites

Hey Kevin,

 

Unfortunately nothing was found. I would also like to note that sometimes the program starts and sometimes it doesn't. Not sure if that's anything of help, but I would like to tell you that.

Share this post


Link to post
Share on other sites

Hey,

I've waited a few days to see if anything would happen. Nothing showed up while in clean boot mode. After uninstalling and cleaning up everything not needed on my computer I haven't seen anything. Hopefully its gone, if there is anything else to do, let me know!

Share this post


Link to post
Share on other sites

Hiya Loot,

If clean boot made the difference  it is now a process of elimination to find which non MS service(s) was affecting your system...

Go through the process again, this time with all MS services hidden again enable the top half of non MS services, re-boot and see how your system responds, if still ok the top half can be left enabled.

Repeat again, enable so many of the bottom half then re-boot. Continue until you locate the problem service(s). A process of elimination, a bit long winded but worth the effort. Let me know the outcome...

Thanks,

Kevin.

 

Share this post


Link to post
Share on other sites

Hey Kevin,

 

That's what I did right after I saw that. The two services I narrowed it down to are not in the service list anymore after cleaning up everything on my computer.

Share this post


Link to post
Share on other sites
Guest
This topic is now closed to further replies.

  • Recently Browsing   0 members

    No registered users viewing this page.

×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.