Intermittent 100% CPU load, slow down, can't find the cause

Hello again... after a long gap.

New Autoruns (.arn) file is attached (zip format as actual .arn file is over 8 Mbytes).

Unfortunately, the problem still persists, after many attempts to diagnose and fix it.

To recap: Periodically (could be after a delay of 2 mins, 5 mins, 10 mins - seems a bit random), the CPU usage in Windows Task manager > Performance jumps to 100% and stays there for a while (could be anything from 30 seconds to, say, two minutes), then it drops back to a lower, normal [level. When up at 100%, just about everything else grinds to a crawl.

Using Win Task Mgr > Processes (all users) I cannot see a specific rogue process or task which is causing this. It can happen when the "Image name" is Chrome, Firefox, Opera. In the CPU column, the figure can be up to, say, around 50, but never up around 100 (even through the bar graph in the Performance tab is showing 100%.

If I am running, say, Firefox (Chrome and Opera not running) and this happens, then if I close Firefox the CPU usage drops back to normal after a few seconds. Same applies if the "top task" was, say, Opera: close it and the CPU load drops back to normal.

In other words, whatever the main process or task (or "image") I am using, something is making it jump up to 100% CPU load for a period of time.

I tries starting in Safe Mode and then doing some normal web browsing using (I think) Opera. The problem didn't appear. I'm not sure if I left it long enough to be sure that it wasn't going to happen...

...but if we assume that it doesn't occur in Safe Mode, can someone give me some basic instructions on how to diagnose the issue from Safe Mode (e.g. selectively re-enabling drivers(??))

One irritation is that, in Safe Mode, there is no audio. Is there an easy way to get audio working in Safe Mode without editing the Registry (which is what was suggested in one website I saw).

Many thanks
Paul
Melbourne, Australia

Go to the Logon tab in Autoruns and uncheck the following for testing:

Persistence persistence Module Intel Corporation c:\windows\system32\igfxpers.exe 1/10/2012 2:19 PM

Dropbox Dropbox Dropbox, Inc. c:\program files (x86)\dropbox\client\dropbox.exe 2/19/2019 4:18 PM

RealDownloader RealDownloader c:\program files (x86)\real\realdownloader\downloader2.exe 11/15/2018 5:29 PM

TkBellExe RealNetworks Scheduler RealNetworks, Inc. c:\program files (x86)\real\realplayer\update\realsched.exe 11/15/2018 6:02 PM

3xAV MySpeed Loader Enounce Incorporated c:\program files (x86)\enounce\myspeed\myspeed.exe 2/2/2019 6:56 AM

CCleaner Monitoring CCleaner Piriform Ltd c:\program files\ccleaner\ccleaner64.exe 7/13/2016 1:20 PM

f.lux f.lux f.lux Software LLC c:\users\pp\appdata\local\fluxsoftware\flux\flux.exe 10/24/2018 1:40 PM

Opera Browser Assistant Opera Browser Assistant Opera Software c:\users\pp\appdata\local\programs\opera\assistant\browser_assistant.exe 1/1/2019 10:00 PM

Skype for Desktop Skype Skype Technologies S.A. c:\program files (x86)\microsoft\skype for desktop\skype.exe 1/25/2019 12:54 PM

RealTimes.lnk RealPlayer with RealTimes RealNetworks, Inc. c:\program files (x86)\real\realplayer\rpds\bin\rpsystray.exe 11/15/2018 5:19 PM

Google Chrome Google Chrome Installer Google Inc. c:\program files (x86)\google\chrome\application\72.0.3626.119\installer\chrmstp.exe 2/18/2019 10:00 PM




Now click the Everything tab and in Autoruns and search for adobe. Uncheck all of those.

Reboot your computer and see if the problem still exists. If it doesn't then reenable each module one at a time with each computer restart until you find the problem.

Also, Persistence can stay deactivated. You don't need it on all the time.

As to safe mode, you don't want to operate your computer in safe mode. That's just for testing. And since the problem doesn't occur in safe mode that tells me it's a start up or driver, etc causing the issue.

Thanks! I've followed your instructions and it all seems to be behaving well - no sudden CPU loading. I'm going to keep using the computer for a bit longer to make sure that all is well and then start step-by-step re-enabling (and re-booting) as you suggest.

I did do a test with one of the items just now: TkBellexe. This is some sort of scheduler for RealPlayer, and it installs another task: realsched.exe With these in place, after a minute or two the CPU load shot up to 99% - 100%.

I'm therefore quite suspicious about these items. As mentioned, I have disabled them again and want to make sure that all is OK without them running; then re-enable to see if the issue returns.

It would make sense that the problem could be related to some sort of scheduler, due to intermittent nature.

Will report back later.

Thanks
Paul

I may have spoken too soon - I think it's doing it again :-(

It certainly seemed to shoot up to 100% for a while, but I was using Chrome at that point and I have heard that Chrome itself can cause a lot of problems. I will do some further testing using Opera and Firefox. However, I would like to have Chrome working as I use the Grammarly writing application and this appears only have am add-on / extension for CHrome, not the others.

Regarding Autoruns: If I look through the "Everything" tab I see man other entries. I assume these are all in the Registry, and many of them are related to programs I have installed. Note sure if any of these apart from Adobe-related ones, require attention. I have attached a .arn file for an Autoruns analysis just now - I assume that this will show the changes made as per your instructions.


UPDATE: Sorry to say that the problem does seem to still be there. While I was typing the above paragraph, the CPU load shot up to 100% and the fan speeded up and typing on the screen got rather laggy. CPU stayed at 100% for about 20 seconds, then dropped down. Now, as I types this, CPU usage is showing a healthy 9%. Now it has jumped to 56%, now back to 9%. What is going on...? (Memory is at 3.82GB out of the installed 8GB.)

One fundamental question: Is it normal that there can be tasks or processes which take so much CPU resource and yet are not visible in the Task Manager > Processes tab or in Process Explorer?

PS There are two other items in the Logon tab which your instructions didn't refer to, namely: NUSB3MON and RUSCB3MON.

I believe these are the driver(s) for a USB 3. 0 Express Card (i.e. an Express Card which adds 2 x USB 3 ports to the laptop). This USB 3 card is not installed at the moment, so these two items should not be needed. I'll try un-checking them and then re-start.

Okay. Try disabling these under the Scheduled Tasks tab.

\G2MUpdateTask-S-1-5-21-3345699460-1060094371-2920337070-1000 GoToMeeting LogMeIn, Inc. c:\users\pp\appdata\local\gotomeeting\11882\g2mupdate.exe 2/22/2019 6:08 PM

There are two.

\G2MUploadTask-S-1-5-21-3345699460-1060094371-2920337070-1000 GoToMeeting LogMeIn, Inc. c:\users\pp\appdata\local\gotomeeting\11882\g2mupload.exe 2/22/2019 6:08 PM

\RealDownloader Update Check RealDownloader c:\program files (x86)\real\realdownloader\downloader2.exe 11/15/2018 5:29 PM

\RealDownloaderRealUpgradeLogonTaskS-1-5-21-3345699460-1060094371-2920337070-1000 RealUpgrade Launcher RealNetworks, Inc. c:\program files (x86)\real\realdownloader\realupgrade.exe 11/15/2018 5:30 PM

\RealDownloaderRealUpgradeScheduledTaskS-1-5-21-3345699460-1060094371-2920337070-1000 RealUpgrade Launcher RealNetworks, Inc. c:\program files (x86)\real\realdownloader\realupgrade.exe 11/15/2018 5:30 PM

Reboot the computer.

Now when the computer reboots launch Process Hacker and click the CPU tab so you organize all items with highest CPU usage. Does anything stick out?

Downloads - Process Hacker

Run Chrome and then run Ring3 API Hook Scanner. Detect Inline, IAT and EAT hooks with Ring3 API Hook Scanner | NoVirusThanks

Also run Stream Armor. In the options turn on all options except turn off folder scan for streams.

Stream Armor : Free Tool to Scan & Clean Malicious Alternate Data Streams (ADS) | www.SecurityXploded.com

Many thanks for the additional information.

I haven't unchecked any more items in Autorruns yet (e.g. the Scheduled tasks) as, for the moment, it seems to be running OK (although I did see one short-term jump to CPU 100% which lasted about 20 or 30 seconds).

I'm waiting to see if the problem repeats as I carry on with normal use of the PC (on the large VGA-connected screen). If it doesn't, then I will start re-enabling the already-disabled items one by one (with re-boots).

The further instructions regarding API Hook Scanner etc. are opening up a whole new world to me - sounds rather complex, hope I don't have to go there!

One issue I haven't been able to fathom: How can there be this weird behaviour without anything strange showing up in Process Explorer? Can there be 'invisible' tasks or processes which occupy the CPU in this way?

Lastly, I wanted to experiment with taking a screen video using my mobile phone. This shows the 'ticking over' ("no problem") condition:

X201t ticking over low CPU load 2019030112H33 - YouTube

If it starts playing up again I'll do my best to be quick on the draw and capture it on video.

Thanks so much again for all your help - this is the only real progress I have made with this in over six months.

If it spikes to 100% again, see if it does indeed show up in Process Hacker or Process Explorer. In there you can see the components of the process and perhaps ID what the culprit is.

I'm kinda suspecting Chrome and something else hooking to it or using it. If all else fails, try uninstalling Chrome with Revo Uninstaller in safe mode as a test. Then use Firefox and see if the CPU load comes back.

Download Revo Uninstaller Freeware - Free and Full Download - Uninstall software, remove programs, solve uninstall problems


Stream Armor and Ring3 API Hook Scanner are just simple scanners that help root out malware that traditional anti-virus may not even be able to detect. I'm quite curious what Ring3 API Hook Scanner shows when Chrome is running.

Something else that may clue you into what's going on is the small program Whatchanged and Disk Pulse.

Whatchanged will allow you to take a snap shot of your current running state with files and registry entries and then latter compare that baseline to a new scan of what changed. The text files are in the program's directory. You may want to use Notepad++ to open them.


Disk Pulse shows you in real time what your hard drive is doing. That may come in handy.


Download What Changed - MajorGeeks


DiskPulse - Disk Change Monitor


Notepad++ Home

It's definitely some dll or service that's doing it since under safe mode you don't exhibit this behavior.

Hello again

I unistalled Chrome using the paid version of AShampoo Uninstaller 7. I didn't have the Uninstaller program running when I installed Chrome, but, nevertheless, it seemed to uninstall it. When I do a search on c: and d: for chrome*.* I do not find anything apart from a directory in which there is the Chrome install file. Also, there is no refermce to CHrome in the "Processes" list on Windows Task Manager. So I think we can ssume that it is uninstalled and not running.


Howver, with Firefox running, after a few minutes the CPU load jumped to 100% an dthe Memory usage to 7GB (out of 8GB installed). This was with about five tabs open in Firefox, one on Yahoo Mail and the others on various pages on a well-known news site. So the problem persists.


Thanks for the the list other tools. I had the Hook Scanner running for a while, and then DiskPulse, but neither of them showed anything that jumped out at me as unusual.


Are there some further systematic steps I could try with these or the other tools you suggested?

Thanks and regards
Paul

Are you still using Ashampoo WinOptimizer? I hesitate using any so-called "Windows optimizers."

Can you please run SuperAntiSpyware. Make sure you disable your anti-virus before using it.

I would scan all downloads you intend on installing at Virus Total. I see some things in your Autorun file I would not install.

When you run Firefox, run Ring3 API Hook scanner and see if you get any hooks show up.

Remove Malware & Spyware with Anti-Malware Software | Superantispyware

I do have ASmapoo WinOptimizer installed, but I don't run it very often. Is it unsafe?

Have run SuperAntiSpyware - nothing found after quick scan, will try a full scan.

Also, will try the Hook Scanner when running Firefox in a moment.

In the meantime: which are the items in my Startup which give cause for concern?

Thanks
Paul

Update: Running Ring3 API Hook Scanner whil Firefox is running produces no result i.e. the Hook Scann screen has the output 'form' dispalyed (Process, API, Address, Hook Address, Hook Module, Type) but the grid below is unpopulated, even after running the scanner.


Can I re-enable Microsoft Secuirty Essentials anti-virus now, and what are the next steps?

PS I also tried running the PC in Safe Mode again, just to make sure that the processor CPU Load issue did not re-occur under those conditions. I had three tabs open in Firefox, each on YouTube playing a long video (>1 hour). The CPU load stayed very low (<10%) and the video on each tab seemed to played flawlessly, without and stalling or other problems - quite inlike what happens when running in 'normal' Windows mode. So definitley looks like something like a driver or other item which is loaded as part of the startup sequence (visible or hidden) which is going rogue.

StreamArmor downloaded and run through VirusTotal: two positive results, all others OK (green).

Is this is aproble, or likley false positives? How can you tell when looking at results from VirusTotal? In the meantime, I haven't proceeded with StreamArmor.


Responses to points raised in the last few posts woudl also be greatly appreciated.


Thanks.

Stream Armor is fine, just false positives. Especially since everything else checks out. You can expect that with a scanner like Virus Total or Herd Protect since they both use multiple anti-virus engines.

Yes, you can turn on your anti-virus again. I just wanted it off when you ran SuperAntiSpyware. You only use MSE? I wouldn't trust that as a good full prof anti-virus. I thought I saw some other anti-virus installed though other than MSE. I have my parents use Bitdefender Free. It's low on resources, good detection engine and is cloud-based which helps nab polymorphic malware. Read this: https://www.howtogeek.com/173291/go...w-recommends-you-use-a-third-party-antivirus/

That WinOptimizer is more than likely snake oil and I wouldn't trust it. Those kinds of programs tend to create more issues than it's worth. You can always optimize your PC manually.

If you uninstall WinOptimizer, see if the problem still persists. If so try the following. Type in msconfig into search. Go to Selective startup. Uncheck Load startup items. Reboot PC. See if problem still persists. If problem is gone, reenable startup items and go to the Startup tab and uncheck 4 or so at a time. Reboot until you can single out what startup item may be the issue.

If it isn't a startup item, try a selective startup without services. If problem is gone do the same process of elimination as you did with startup items, but this time with services using msconfig.

Okay, I just downloaded and scanned Stream Armor and I only got one detection other than your four. Did you get it from here?

Stream Armor : Free Tool to Scan & Clean Malicious Alternate Data Streams (ADS) | www.SecurityXploded.com


Scroll towards the bottom of the page.

Yup, that's where I got it from. Re-submitted to VirusTotal and again got two (probably false) positives - see screen shot.

Have run StreamArmor and it detected tow items worthy of investigation. Both were image files (i.e. pictures) resulting from scans with my scanner. Can't remember of they were .jpg or .pdf - have deleted both. Sounds very much like false positives - results were 'green' not amber or red. So, essentially, nothing found with StreamArmor, I think.

I just found a tool that might help you if you still have this trouble. Check out WhySoSlow. .Resplendence Software - WhySoSlow

I've been to that website numbers of times to get Whocrased, but never really checked out their other stuff until now. Let me know how that goes.

Many thanks - will give it a try.

Paul