AddInProcess.exe and MSBuild.exe maxing out GPU usage — turns out it was malware? Looking for advice.

Understanding and Addressing Unusual GPU Activity and Potential Malware on Your Windows Laptop

Introduction

Recently, a user reported experiencing persistent high GPU usage on their laptop, accompanied by unexpected process activity involving AddInProcess.exe and MSBuild.exe. These processes, typically associated with development tools and Microsoft .NET framework operations, suddenly appeared to be consuming excessive resources and generating suspicious outbound connection alerts. This behavior prompted concerns about possible malware infection and raised questions about effective, permanent remediation strategies.

Recognizing Unusual System Behavior

The user observed the following key indicators:

  • Continuous high GPU utilization, causing laptop fans to run loudly and draining battery life.
  • Processes AddInProcess.exe and MSBuild.exe running persistently, even without heavy tasks.
  • Malwarebytes antivirus alerts indicating blocked outbound connections from msbuild.exe and powershell.exe.
  • Connection attempts to suspicious domains, notably t4es8.com, with associated IP addresses and ports.
  • Files located in standard system directories (C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe and C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe) involved in the activity.

Initial Response and Temporary Measures

In efforts to mitigate the resource drain temporarily, the user created a batch script that forcefully terminated the suspicious processes:

  taskkill /f /im AddInProcess.exe
  taskkill /f /im MSBuild.exe
  taskkill /f /im powershell.exe

Executing this script as an administrator produced an immediate drop in GPU utilization and returned system performance to normal. This suggests that terminating these processes halts the malicious activity, at least in the short term; it does not address whatever is restarting them.

Further Investigation and Security Concerns

Despite running regular malware scans, the user continues to receive alerts regarding blocked outbound connections, primarily linked to PowerShell. These symptoms strongly point toward ongoing malicious activity, possibly from malware that leverages legitimate Windows processes to establish unauthorized network communication.

Potential causes include:
– Malware disguised as legitimate processes (e.g., MSBuild or PowerShell).
– Persistence mechanisms that regenerate malicious processes.
– Exploitation of system vulnerabilities to maintain persistence.
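Before terminating the processes again, it helps to record what they are actually doing and what launches them, because the taskkill script only treats the symptom. The PowerShell triage script below is an added example, not part of the original post; it assumes Windows PowerShell 5.1 or later run from an elevated prompt, and the output file location is an assumption.

```powershell
# Added triage example (not from the original post). Run from an elevated prompt.
# It kills nothing; it records parent, command line and network peers of the
# processes named in the report, then looks for what might be starting them.
$Targets = @('AddInProcess.exe', 'MSBuild.exe', 'powershell.exe')
$OutFile = "$env:USERPROFILE\Desktop\gpu-triage-$(Get-Date -Format yyyyMMdd-HHmmss).txt"  # assumed path

# Exclude this script's own powershell.exe ($PID) so it does not appear as a finding.
$procs = Get-CimInstance Win32_Process |
    Where-Object { $Targets -contains $_.Name -and $_.ProcessId -ne $PID }

$report = foreach ($p in $procs) {
    # The binaries live in their normal system paths (as the report notes), so the
    # interesting fields are the parent, the command line and the remote peers.
    $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($p.ParentProcessId)"
    $conns  = Get-NetTCPConnection -OwningProcess $p.ProcessId -State Established -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Name        = $p.Name
        PID         = $p.ProcessId
        Parent      = if ($parent) { "$($parent.Name) ($($parent.ProcessId))" } else { 'none (parent exited)' }
        Path        = $p.ExecutablePath
        CommandLine = $p.CommandLine
        Remote      = ($conns | ForEach-Object { "$($_.RemoteAddress):$($_.RemotePort)" }) -join ', '
    }
}

# Persistence check 1: scheduled tasks whose action launches one of the targets.
$tasks = Get-ScheduledTask | Where-Object {
    $_.Actions | Where-Object { ($_.Execute + ' ' + $_.Arguments) -match 'MSBuild|AddInProcess|powershell' }
} | Select-Object TaskName, TaskPath, State

# Persistence check 2: Run/RunOnce entries referencing one of the targets.
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
$runEntries = foreach ($k in $runKeys) {
    if (Test-Path $k) {
        (Get-ItemProperty $k).PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' -and $_.Value -match 'MSBuild|AddInProcess|powershell' } |
            ForEach-Object { [pscustomobject]@{ Key = $k; Name = $_.Name; Command = $_.Value } }
    }
}

"== Suspicious processes ==", ($report | Format-List | Out-String),
"== Scheduled tasks referencing them ==", ($tasks | Format-Table -AutoSize | Out-String),
"== Run/RunOnce entries referencing them ==", ($runEntries | Format-List | Out-String) |
    Out-File -FilePath $OutFile -Encoding utf8
Write-Host "Triage written to $OutFile"
```

A parent process other than a developer tool or Visual Studio, a long encoded PowerShell command line, or a scheduled task that relaunches MSBuild.exe is what to look for in the output; the recorded remote peers can be compared with the addresses Malwarebytes already flagged.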

Recommended Actions for Permanent Removal

Given the suspicion of malware and the persistence of suspicious activity, a comprehensive and systematic approach is advisable:

  1. Disconnect from the Internet, to prevent data exfiltration and stop the malicious processes from establishing further connections.
