100% Disk usage potentially caused by Malware


Hello everyone,

I've been experiencing a persistent, recurring issue causing 100% disk usage on a non-OS disk on my system, and I'm looking for advice on how to resolve it. Generally, it starts off with low frequency and ramps up over days until it's almost constant. It has occurred twice, roughly 2-4 weeks in between, and the third occurrence is happening today. So far, I suspect it's either malware, or videos from a particular series that either have technical errors in encoding, the MPC-BE video player, and/or embedded, undetectable malware.

 

Here’s a detailed rundown of the situation so far:

System and Storage Details:

  • Windows 11 22H2
  • SSD: Fanxiang S101 2TB SATA SSD
  • Usage: Hosts my OneDrive (including synced folders like Documents, Desktop) and serves as storage for downloads
  • Duration of Use: 1 year without previous issues
  • Health Checks: Full block scanning verified true capacity and read/write speeds



Problem Description:

  • Symptoms: Frequent system stuttering, particularly noticeable during gaming (previously smooth 200 FPS is frequently stuttering, feels like effective ~5 FPS while counter shows ~60 average FPS). It is also extremely noticeable in normal web browsing, etc.



Disk Behavior:

  • In the occurrence, SSD frequently jumped to 100% disk usage for milliseconds to minutes
  • Even at 100% usage, read/write speeds in Task Manager are in the 2-digit KB/s range
  • No bad sectors found after running a full chkdsk /f /x /r (which took 4 hours)
  • In previous occurrences, appeared to have been solved by some virus scans, using MalwareBytes and ADWCleaner.
    • In particular, I'm suspecting PUP.Optional.Sogou -> Chrome Search Provider
    • MalwareBytes cannot find it but ADWCleaner does.
    • It comes back after being quarantined.
      • I cannot find the root of this "Search Provider". ADWCleaner's logs do not show a location. It is all clean except this rather unhelpful line:

        ***** [ Chromium URLs ] *****
        PUP.Optional.Sogou              ????
  • The CPU appears to be only slightly stressed during episodes of 100% disk usage, jumping from ~10% baseline activity to ~25% activity. The CPU is AMD R7 5700x.



Recent Discovery:

  • Potential Trigger: Video playback of a particular series (file type: .mkv, codec: x265, resolution: 1080p, bitrate: ~4500 kbps). I took a break between seasons after solving that issue last time to watch other stuff. This time, I was on the lookout for the problem returning, so the signs jumped out at me immediately.
  • Behavior: 100% disk usage spikes only during playback of these files (and ONLY these files), ceasing once playback is stopped. However, since first posting this issue ~6 hours ago, the problem seems to be metastasizing and is now occasionally popping up even when no video at all is being played back.
  • Software Used: MPC-BE and VLC (issue more severe with VLC)
  • Scans: Windows Defender and MalwareBytes scans on these folders/files found no threats



Request for Assistance:

  • What else can I do to diagnose and resolve this issue?
  • Was there something wrong with the encoding (or related technical aspects) of these videos? Could decoding errors snowball into systematic errors?
  • Does this behavior indicate possible malware despite clean scans?
  • Any insights or suggestions would be greatly appreciated!
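The original post describes 100% disk active time with only two-digit KB/s of throughput, which points at stalled small I/Os rather than bulk transfer. The following PowerShell script is an added diagnostic example, not a tool from this thread or from any of the products mentioned: it samples the affected volume's busy time, latency and queue depth once per second and lists the processes issuing the most I/O operations in the same tick, so a spike during video playback can be tied to a process. It assumes the non-OS SSD is drive D:, English performance-counter names, and a 60-second capture.

```powershell
param(
    [string]$Drive = 'D:',        # volume the post reports at 100% (assumption)
    [int]$Seconds = 60,           # number of one-second samples to take
    [double]$LatencyAlertMs = 20  # flag ticks whose average transfer took longer
)

# Counter set (English counter names assumed): volume idle/latency/queue/throughput
# plus I/O operations per process, all captured in the same one-second tick.
$counters = @(
    "\LogicalDisk($Drive)\% Idle Time",
    "\LogicalDisk($Drive)\Avg. Disk sec/Transfer",
    "\LogicalDisk($Drive)\Current Disk Queue Length",
    "\LogicalDisk($Drive)\Disk Bytes/sec",
    '\Process(*)\IO Data Operations/sec'
)
# Processes that start or exit mid-capture produce non-terminating errors; ignore them.
$sets = Get-Counter -Counter $counters -SampleInterval 1 -MaxSamples $Seconds -ErrorAction SilentlyContinue

foreach ($set in $sets) {
    $disk  = $set.CounterSamples | Where-Object { $_.Path -like "*\logicaldisk($Drive)\*" }
    $busy  = 100 - ($disk | Where-Object { $_.Path -like '*idle time' }).CookedValue
    $latMs = 1000 * ($disk | Where-Object { $_.Path -like '*sec/transfer' }).CookedValue
    $queue = ($disk | Where-Object { $_.Path -like '*queue length' }).CookedValue
    $kbps  = ($disk | Where-Object { $_.Path -like '*bytes/sec' }).CookedValue / 1KB

    # Top three processes by I/O operations in this tick (_Total and Idle excluded).
    $top = $set.CounterSamples |
        Where-Object { $_.Path -like '*\process(*' -and $_.InstanceName -notin @('_total', 'idle') } |
        Sort-Object CookedValue -Descending | Select-Object -First 3 |
        ForEach-Object { '{0}={1:N0}/s' -f $_.InstanceName, $_.CookedValue }

    # "!!" marks a tick that looks like the reported symptom: near-100% busy and/or
    # high latency while throughput stays in the KB/s range.
    $flag = if ($busy -ge 90 -or $latMs -ge $LatencyAlertMs) { '!!' } else { '  ' }
    '{0} {1:HH:mm:ss} busy={2,5:N1}% lat={3,6:N1}ms q={4,3:N0} {5,8:N0}KB/s {6}' -f `
        $flag, $set.Timestamp, $busy, $latMs, $queue, $kbps, ($top -join ' ')
}
```

Run it from an elevated PowerShell window, start the video a few seconds in, and read which process names sit next to the flagged ticks; a player, a decoder host, the search indexer or an on-access scanner each suggest a different cause.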

Let's get the info to get the process started. Be aware it will take many steps and scans to fully remove malware.

Please respond to all future instructions from your helper in a timely manner.

 

Let's go ahead and run a couple of scans and get some updated logs from your system. Please read the entire post below before starting so that you're more familiar with the process.

Then follow each step in the order provided. Unless otherwise asked, please attach all logs.

 

Please make the following system changes. Please pay close attention to the instructions in all of the following links.

  • If you have not done so already - Enable System Protection and create a NEW System Restore Point
  • Temporarily disable your antivirus real-time protection or other security software first only if it blocks or interferes with the scans or downloads. Make sure to turn it back on once the scans are completed
  • Temporarily disable Microsoft SmartScreen to download software below only if needed. Make sure to turn it back on once the downloads are completed
  • Disable Fast Startup
  • Show Hidden Folders, Files and Extensions

Please run the following scans. Please pay close attention to the instructions in all of the following links.

  1. Click the following link and run a Scan with AdwCleaner
  2. Click the following link and run a Scan with Malwarebytes
     RESTART the computer
  3. Click the following link and run a Scan with Farbar Recovery Scan Tool

[Example image of where to click to attach files when posting your reply]

 

Thank you

 

Edited by AdvancedSetup
Corrected font issue

Since it was affecting my usage, I ran ADWCleaner last night and removed PUP.Optional.Sogou again. So far it has consistently been a direct noticeable difference, and also the only consistently recurring sign. For ADWCleaner logs, I have attached both the logs from last night, as well as today's fresh scan.

For MBAM - I am aware of the programs turned up - they are trusted.

FRST - I am concerned whether its coming after ADWCleaner means it does not find the PUP.Optional.Sogou Chromium thing?

AdwCleaner[S04].txt AdwCleaner[C03].txt AdwCleaner[S03].txt Malwarebytes Scan Report 2024-05-11 024938.txt FRST.txt FRST - Addition.txt


Update to add a detail: I notice that every time I clear PUP.Optional.Sogou with ADWCleaner, the problem goes away, but all my background tasks shown in the corner of the taskbar also seem to get killed, and many of them, which are startup apps, do not automatically start up on the following reboot. Things seem to go back to normal on the second reboot; not sure if it's Windows repairing itself in the background?


Further update - I have more or less 100% confirmed the culprit to be either this video series or MPC-BE.

Since clearing PUP.Optional.Sogou last night, I have been constantly monitoring through Task Manager - Performance tab. It has been fine, hovering around 0-1%. I have been able to play other video files on this drive without any issues as well. In my earlier reply, there was no PUP.Optional.Sogou.

Today, with the Task Manager open - I played back this video again, and in the very same split second, the disk usage jumped to 100%. Playing any other local video file also spikes it to 100%, including the other ones I played last night. I immediately did another ADWCleaner scan, and PUP.Optional.Sogou is back. Without clearing/quarantining it, I restarted and ran FRST again.

I have attached new ADWCleaner and FRST logs.

AdwCleaner[S05].txt FRST.txt FRST - Addition.txt

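The AdwCleaner entry under [Chromium URLs] names the provider but gives no location, which is why it keeps returning after quarantine. The PowerShell script below is an added example, not a tool from this thread or from Malwarebytes, AdwCleaner or FRST: it enumerates the places where a Chromium-based browser's default search provider can be pinned (each profile's preference files, the browser policy registry keys, and the force-installed extension list) so the recurring entry can be traced to its source. It assumes default Chrome and Edge install paths, and that the JSON keys shown are the ones Chromium uses for the default search engine (verify on your own build).

```powershell
# Locations checked: each browser profile's "Preferences" and "Secure Preferences"
# JSON, the browser policy registry keys, and the force-installed extension list.
$profileRoots = @(
    "$env:LOCALAPPDATA\Google\Chrome\User Data",
    "$env:LOCALAPPDATA\Microsoft\Edge\User Data"
)
$policyKeys = @(
    'HKLM:\SOFTWARE\Policies\Google\Chrome',  'HKCU:\SOFTWARE\Policies\Google\Chrome',
    'HKLM:\SOFTWARE\Policies\Microsoft\Edge', 'HKCU:\SOFTWARE\Policies\Microsoft\Edge'
)

# 1) Profile preference files: default_search_provider_data.template_url_data holds
#    the active engine (key names as used by Chromium; assumption, verify on your build).
foreach ($root in $profileRoots) {
    if (-not (Test-Path $root)) { continue }
    $profiles = Get-ChildItem $root -Directory | Where-Object { $_.Name -match '^(Default|Profile \d+)$' }
    foreach ($profile in $profiles) {
        foreach ($name in 'Preferences', 'Secure Preferences') {
            $file = Join-Path $profile.FullName $name
            if (-not (Test-Path $file)) { continue }
            $dsp = (Get-Content $file -Raw | ConvertFrom-Json).default_search_provider_data.template_url_data
            if ($dsp) { '{0}: {1} -> {2}' -f $file, $dsp.short_name, $dsp.url }
        }
    }
}

# 2) Policy keys: a policy-defined provider overrides the profile setting and is
#    re-applied on every browser start, which matches a detection that returns after cleanup.
foreach ($key in $policyKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty $key
    foreach ($n in 'DefaultSearchProviderEnabled', 'DefaultSearchProviderName', 'DefaultSearchProviderSearchURL') {
        if ($null -ne $props.$n) { '{0}\{1} = {2}' -f $key, $n, $props.$n }
    }
    # Force-installed extensions: one registry value per extension id and update URL.
    $force = Join-Path $key 'ExtensionInstallForcelist'
    if (Test-Path $force) {
        foreach ($v in (Get-Item $force).Property) {
            '{0}\ExtensionInstallForcelist\{1} = {2}' -f $key, $v, (Get-ItemPropertyValue $force $v)
        }
    }
}
```

A provider that reappears in the profile file after a quarantine, with no matching policy or forced extension, points to something rewriting the preferences at runtime; a policy or forced-extension hit points to a persistence location that the browser cleanup alone will not remove.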

Welcome
 
I'll be helping you with your computer.
 
Please read this post completely before beginning. If there's anything that you do not understand, please don't hesitate to ask before proceeding.
 
Please take note of the guidelines for this fix:

  • Please note that I am a volunteer. I do have a family, a career, and other endeavors that may prevent immediate responses that meet your schedule. Do note that the differences in time zones could present a problem as well. Your patience and understanding will be greatly appreciated.
  • First of all, the procedures we are about to perform are specific to your problem and should only be used on this specific computer.
  • Do not make any changes to your computer that include installing/uninstalling programs, deleting files, modifying the registry, nor running scanners or tools of any kind unless specifically requested by me.
  • Please read ALL instructions carefully and perform the steps fully and in the order they are written.
  • If things appear to be better, let me know. Just because the symptoms no longer exist as before, does not mean that you are clean.
  • Continue to read and follow my instructions until I tell you that your machine is clean.
  • If you have any questions at all, please do not hesitate to ask before performing the task that I ask of you, and please wait for my reply before you proceed.
  • Scanning with programs and reading the logs do take a fair amount of time. Again, your patience will be necessary.

Let's begin...

This Fix will empty the following folders:

  • Windows Temp
  • Users Temp folders
  • Edge, IE, FF, Chrome, and Opera caches, HTML5 storages, Cookies and History
  • Recently opened files cache
  • Discord cache
  • Java cache
  • Steam HTML cache
  • Explorer thumbnail and icon cache
  • BITS transfer queue (qmgr*.dat files)
  • Recycle Bin

Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns please ask before running this fix.

The system will be rebooted after the fix has run.

  • Download the enclosed file  Fixlist.txt
  • Save it in the same location FRST64.exe is saved.
  • Start FRST (FRST64) with Administrator privileges
  • This time around press the Fix button and wait
  • When finished, a log file (Fixlog.txt) will pop up and be saved in the same location the tool was run from.

Please attach this file in your next reply.

Dr.Web CureIt!

Please download the Dr.Web CureIt! anti-virus utility
https://free.drweb.com/

You will need to send them an email to obtain a link to download the scanner, please do so

  • The downloaded file will normally have a unique name such as:  q7a9tr4p.exe
  • Close all open applications and locate the downloaded file and double-click to run it
  • The program will take a moment to launch and bring up the License and Update screen
  • Place a check mark to agree to the terms and then click on the Continue button
  • Click the underlined link Select objects for scanning
  • On the top left click the Scanning objects that should automatically check all objects
  • Click the small wrench and make sure there is a check on Automatically apply actions to threats
  • Then click the large button on bottom right Start scanning
  • Once the scan has completed there will be a link named Open report click that and a log named cureit.log should open in Notepad
  • The log is saved in the folder named Doctor Web in the top of your user profile folders
  • Please attach that log on your next reply

Thanks. I have run both programs. I also ran CureIt specifically to scan the suspicious files, but nothing was detected. This malware may not yet be "known", and I suspect even the "Chromium search engine" description "supplied" to ADWCleaner may be an attempt to obscure its seriousness.

Are there any further feasible steps to examine this malware, and/or remove it from the files so that the videos can still be played without re-infection?

Fixlog.txt cureit.log cureit_extra.log


I was planning to do another round of investigation with screen recording to show the scans and task manager before and after the video playback to establish direct cause.

However, I happened to have stumbled upon another video series causing this before I got around to it:

[attached screenshot]

Then I suspected my MPC-BE version or my local install was corrupted, so I re-installed the latest version. Doing this, without any further scans or removing Sogou or restarts, immediately fixed the 100% disk usage.

To verify, I played both this new and the originally reported video series again after the update, neither triggered the issue again. Checking MPC-BE's github history, I could not find mentions of this issue nor it being fixed in any commits.

More bizarrely, playing the bad videos with VLC also no longer triggers the issue. Originally, the issue was much more severe with VLC, which led me to initially eliminate video players as the root cause of the issue and blame the video files. I did not update or modify VLC at all, only MPC-BE.

At this point I suspect there were some bizarre interactions between old/corrupted MPC-BE, some system-level video playback/decoder processes, and some very specific video encoding/formatting properties caused a cascade of issues similar to memory leaks.

This still does not explain why scanning for and removing the Sogou malware each time also directly solved the issue, nor why playing those specific videos with that old MPC-BE version seemed to directly make the Sogou malware (re-)appear.

Will continue monitoring.


This issue is about disk I/O usage, not about capacity usage. The capacity remains normal.

The problem is back again. Offending video files could be played normally for about 3 days, and now the same files are re-triggering the issue. We're back to square one.

So far it looks like re-installing MPC-BE temporarily solves the issue (again, I can offer no possible explanation as to why this also solves the issue on VLC). Scanning for and removing PUP.Optional.Sogou also temporarily solves the issue.

The MPC-BE solution lasts a few days/files. The PUP.Optional.Sogou solution is immediately moot when the files are opened again.

Either this is some undiscovered zero-day, or my computer is cursed.


I'm sorry, I'm not really following along. Any drive, mechanical or digital, is going to suffer in performance if the disk does not have at least about 20% free space.

The title of this topic says 100% Disk usage.

If you have NOTHING and I mean NOTHING calling, setting, using the D: drive that's fine, but if any program, process, etc. is actively set to use the D: volume and you don't have free space that is going to affect performance.
