Recently, I noticed my GPU (NVIDIA Quadro P2200) was constantly running at 100% 3D load, even when no graphics-intensive applications were open. Task Manager showed high GPU usage with no obvious culprit. Chrome was closed, RealView was off in SolidWorks, and idle processes were minimal.
After digging deeper:
- I checked the Task Manager > Details tab and found a suspicious process named:
Microsoft Network Realtime lnspection Service.exe
Note the subtle deception: “lnspection” with an “L” instead of an “I”.
- The file was located in:
C:\ProgramData\CABService\
- I inspected the digital signature and found it was “signed” by lolMiner, a known cryptocurrency mining tool.
- It was also listed under Windows Defender exclusions (!), meaning it was deliberately excluded from scanning.
Microsoft Defender didn’t detect it due to the exclusion.
I ran a set of reputable antivirus and anti-malware utilities to detect and remove the threat.
Detected:
Trojan:Win32/Kepavll!rfn
PowerShell.DownLoader.2535
Cleanup
- Removed Windows Defender exclusions for:
C:\ProgramData\CABService\
powershell.exe
- Terminated the rogue process from Task Manager
- Deleted the entire folder:
C:\ProgramData\CABService\
- Manually removed the malicious Scheduled Task:
C:\Windows\System32\Tasks\Microsoft\Windows\Device Information\Device User
→ GPU usage returned to normal levels
Engineering video cards are the target audience for such viruses.
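The three indicators in this write-up (a Defender exclusion covering the payload, a Microsoft-looking process name with a non-Microsoft signer, and a scheduled task for persistence) can be checked together. The script below is an added example, not part of the original post; the interpreter list, the name pattern and the `ProgramData|powershell` match are assumptions chosen to fit this case, and the output is a list to review, not a verdict.

```powershell
# Added example: audit a Windows host for the indicators described above.
# Run from an elevated prompt; without admin rights Defender hides its exclusions.

# 1. Defender exclusions covering script interpreters or folders under ProgramData.
$pref = Get-MpPreference
$interpreters = 'powershell.exe', 'pwsh.exe', 'cmd.exe', 'wscript.exe', 'cscript.exe', 'mshta.exe'  # assumed list
foreach ($p in @($pref.ExclusionProcess)) {
    if ($p -and ($interpreters -contains ($p -split '[\\/]')[-1].ToLower())) {
        Write-Warning "Defender exclusion for an interpreter: $p"
    }
}
foreach ($d in @($pref.ExclusionPath)) {
    if ($d -and $d -like "$env:ProgramData\*") {
        Write-Warning "Defender exclusion under ProgramData: $d"
    }
}

# 2. Running processes named like a Microsoft component whose file is not
#    validly signed by Microsoft (the post's binary carried another signer).
Get-Process |
    Where-Object { $_.Path -and $_.ProcessName -match '^(Microsoft|Windows)\b' } |
    Sort-Object Path -Unique |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -LiteralPath $_.Path
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
        if ($sig.Status -ne 'Valid' -or $signer -notmatch 'O=Microsoft Corporation') {
            [pscustomobject]@{
                Check  = 'SignerMismatch'
                Name   = $_.ProcessName
                Path   = $_.Path
                Status = $sig.Status
                Signer = $signer
            }
        }
    }

# 3. Scheduled tasks whose action starts something from ProgramData or PowerShell.
#    Legitimate tasks can match; review each hit by hand.
Get-ScheduledTask | ForEach-Object {
    foreach ($a in $_.Actions) {
        $cmd = "$($a.Execute) $($a.Arguments)".Trim()
        if ($cmd -match 'ProgramData|powershell') {
            [pscustomobject]@{
                Check   = 'TaskAction'
                Task    = $_.TaskPath + $_.TaskName
                Command = $cmd
            }
        }
    }
}
```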