Question svchost pid 11604 high dedicated gpu memory usage

Kian960

Mar 3, 2017
Guys, I need help. 2 days ago, I noticed my system is stuttering in every game I play.
Everything in my CPU/RAM/GPU/disks shows no high usage. However, when I checked my GPU from Task Manager, I noticed my dedicated memory is used up. Around 4.6 GB is being used.
I checked the Details section in Task Manager and saw an svchost with high dedicated memory usage. I downloaded Process Explorer and looked at that svchost.
I saw it having a different command line that goes around: c:\windows/system32\svchost.exe --cinit-find-e --pool=stratum://'0x2602181F73C1A08867C4D6F5C246537dcD9BXXXX(I censored the last 4 because it might lead to my system to whatever this <Mod Edit> means I am just being cautious)desktopc/ [email remove ]@eth-jp 1.nanopool.org:9999 --cinit-max-gpu=30 --response-timeout=30 --farm-retries=30 --cinit-idle-wait=5 -cinit-idle-gpu=100

path:
c:\windows\system32\svchost.exe

I used Malwarebytes and adware, Hitman Pro to find this said malware, but it still hasn't fixed it. Can anyone help me, please? Thanks in advance.
 

shininggod

Dec 27, 2018
Kian960,

I recently encountered this as well, and I can tell you none of the antivirus things work as of today.
Besides reinstalling Windows, attempting to remove it will take a long time to chase it down.

I reported this when I downloaded those antivirus programs to try, and also reported it to MS, but got no reply at all.

svchost.exe is OK, do not touch it; this is caused by something calling it.
I kinda want to blame MS, which should limit what process can call it....
You can see the command line I got (put at the end).

1. Using Task Manager, go to the Details page, select add "GPU" column; one of the svchost processes will use the most GPU power
*this depends on the command line "cinit-max-gpu=100"
Here you will get the PID.

2. Download Process Explorer, and rename it as needed. The virus I got will stop if I run procexp.exe/procexp64.exe
Find the process with the same PID, double-click on it, read the "Parent"

3. Download Process Monitor, filter by path includes the "Parent"

For 2 and 3,
You may need to add this to startup and let it run from Windows start, so it gets all the data before the virus closes itself.

4. Filter by the "Parent"'s "Parent", attempt to find if there are more "parents".

In my case, there were 3 levels as I dug up.
Removing all of them solved my GPU issue.
*All of them are run as admin (you can see it has the icon), and signed as microsoft/asus (I didn't fully check their spelling).

You can try moving them then rebooting; a new file with a current date will be put there.
This proves it is a virus/malware and not official MS stuff.

#1 C:\Users\USER\AppData\Roaming\
I forget the name, asus sonic something .exe

create ->
#2 C:\Windows\System32\Microsoft\telemetry\siHost32.exe

create ->
#3 C:\Windows\System32\SecurityHealth.exe

This "SecurityHealth.exe" is running the svchost with the command line:

C:\WINDOWS/System32\svchost.exe --cinit-find-e --pool=stratum://0x2602181F731C1A0867C4D6F5C2465F37dcD9B095@eth-jp1.nanopool.org:9999/{COMPUTERNAME}/tWiB10us%40protonmail.com --cinit-max-gpu=100 --response-timeout=300 --farm-retries=30 --cinit-stealth-targets="j25MJZRdIXsCpRamxlXNgOiSwnKrl9ff4Hd5upVlCHprBMnSyU2T+U9GmGi9RIhzEiQNSeecOYqZ6aD+ZuxwWQQMLlngO1rFTmdOq/MjWTi8zTC+/GdwX1A4hdzV0kCaKuv+CYy2Y2uCStLp6XzZVeCexnNTUDG/v6lLfqrDX84DWBh0EmoXoyfNgtt3FkWOukd1JVAnlDYCE0VecQu35yzb/AE8iDFw6lLJHtWVbJYQy4PZfeNEMpkUqSd0ZUg+haImILxgAOnCA7VmPKieTkNbhiFoLYffdD7tIMBrxEL0n9sjOw1fJ970qXCRknPYEppz40DxoBz7FmnZIy27gHgslzCORB/HbD5zYObVeMEiBf3lYFRjbh6rjlRDHCRDeaYBhVZnZCmGRm7ngG3kwRcszki2VexCGCKw48t58AUEO7MDtDNm7gnbj93umqrgyW5Yk4fcGuuJ7hl3hEM/636IN23JJcNdp7qGUuGa6EFZFYFo+H36Gj8qkYGgFz35R1FHl1fnKWRm3x8NqMohEpt5SPYhKQWHLuP1ZMNaGwILLfHr8R/WhPZDHpqFQH8EzzrREY83Os2CHsDt4gJYNzopYrh3hLPaSHfw4I07r7bVzOUXS932seZsiOlNnl+9c16E8DoNqk//30/F5Jwj2oCI9xBfuvsK5J5orr0GdMEOWCOWl/bw2MoPqdMbdFTVLfRgKT4hD49quXsZQHoPaQ==" --cinit-stealth
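
Steps 1 to 4 in the post above (find the odd svchost, then follow "Parent" upward) can be done in one pass. The script below is an added example, not something the posters used. It assumes a genuine svchost.exe is always started with `-k <service group>`, and it matches the miner switches quoted in this thread; `Get-FileFacts` is a helper name made up for the example.

```powershell
# Added example (not from the thread). Run from an elevated PowerShell prompt,
# otherwise CommandLine/ExecutablePath come back empty for many system processes.
function Get-FileFacts($path) {
    # Signature status, signer subject and on-disk creation time of a binary.
    if (-not $path -or -not (Test-Path -LiteralPath $path)) { return 'no file info' }
    $sig = Get-AuthenticodeSignature -LiteralPath $path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { 'unsigned' }
    $created = (Get-Item -LiteralPath $path -Force).CreationTime
    "sig=$($sig.Status); signer=$signer; created=$created"
}

$procs = Get-CimInstance Win32_Process
$byPid = @{}
foreach ($p in $procs) { $byPid[[int]$p.ProcessId] = $p }

# Assumption: a real svchost.exe command line contains "-k <service group>".
# The miner switches below are the ones quoted in the posts above.
$minerHints = 'stratum://|--pool=|--cinit-'
$suspects = $procs | Where-Object {
    $_.Name -ieq 'svchost.exe' -and $_.CommandLine -and
    ($_.CommandLine -match $minerHints -or $_.CommandLine -notmatch '\s-k\s')
}

foreach ($s in $suspects) {
    # Print only the start of the command line; the miner's is very long.
    $cmd = $s.CommandLine.Substring(0, [Math]::Min(200, $s.CommandLine.Length))
    "Suspect svchost PID $($s.ProcessId): $cmd"
    $cur = $s
    for ($depth = 1; $depth -le 10; $depth++) {   # depth cap guards against PID loops
        $parent = $byPid[[int]$cur.ParentProcessId]
        # No such process, or one created after the child: the real parent has
        # exited (and its PID may have been reused), so the chain ends here.
        if (-not $parent -or $parent.CreationDate -gt $cur.CreationDate) {
            "  level ${depth}: parent PID $($cur.ParentProcessId) is no longer running"
            break
        }
        "  level ${depth}: PID $($parent.ProcessId) $($parent.ExecutablePath)"
        "           $(Get-FileFacts $parent.ExecutablePath)"
        $cur = $parent
    }
}
```

A normal svchost chain ends at services.exe and wininit.exe. A launcher that has already exited shows up only as "no longer running", which is the case where Process Monitor started at boot is still needed.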