
Malware from Nvidia Container

Anonymous
2024-04-02T15:57:04+00:00

I've got some form of malware. It installed files on my desktop and in my documents that weren't there, and AVG blocked them when it was trying to reach out. In Wireshark, with nothing running, it kept sending packets from one port to another, then trying to exfiltrate, seemingly to a C2 server. It appeared to be from the Nvidia Container, and WinTemp and WinReTemp partitions were created, and it says I have SSMS installed, which I never installed. Can someone help me by pointing out whether I'm in the right direction from what you see?

Like I said, there were 2 partitions created, and one of the times I opened Users there were 2 users who had the names of registry keys; then when I closed the user panel and reopened it they were gone. Memory will be as high as 95% when sitting idle, watching it using that Sysinternals plugin. I've run Autoruns, Process Explorer and Task Manager, and watched packets on all interfaces in Wireshark without anything going. I included my notes below of what I've found, and this malware appears to be trying to send packets over Bluetooth and spread using Bluetooth exploits or same-network exploits. It created an Apple hard drive? And svchost uses, like, the most memory. It constantly clears my event logs and I can't reinstall Windows or reset; it sat at 67% for over an hour trying to reset.

__________________________________________________________

	Initial Notes: 

CPU @ 10-18%, jumps from 18-43%. CPU jumps from 4-5% to 30-50%. Memory is idling at 43% (without programs open).

High memory jumps and CPU jumps from low baseline numbers indicate malware: a process and/or packet and possibly a screen-capture process being executed in Autoruns through the DLL/registry values which have been added into system files to hold network persistence.

Nvidia Container appears to be taking screen captures and trying to send them to a host.

Malicious DLL/registry keys appear to be installed with a combination program.

OneDrive appears infected on ******@outlook.com; the attack vector appears to be cloud-based, with DLL and registry persistence. Appears to have come from a file download, a link or a malicious internet site.

Strings that appear "unusual" in Process Explorer (Admin):

  1. Redmond1
  2. Washington1
  3. N0L0J
  4. O0M0K

In Process Monitor, svchost.exe PID 2908 is doing a UDP Send, from:

(With Nothing Connected, and Bluetooth DISABLED)

57529 -> ff02::1:3:llmnr

57529 -> 224.0.0.252:llmnr

54548 -> ff02::1:3:llmnr

54548 -> 224.0.0.252:llmnr

55926 -> ff02::1:3:llmnr

55926 -> 224.0.0.252:llmnr

_________________________________________________________

svchost.exe

sihost.exe 

Path

C:\Windows\System32\svchost.exe

Command Line

C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager

Current Directory

C:\Windows\System32\

Registry Key

HKLM\System\CurrentControlSet\Services\WpnUserService_d91de

__________________________________________________________

		phone link? 

path

C:\Program Files\WindowsApps\Microsoft.YourPhone_1.24022.87.0_x64__8wekyb3d8bbwe\PhoneExperienceHost.exe

cmd

"C:\Program Files\WindowsApps\Microsoft.YourPhone_1.24022.87.0_x64__8wekyb3d8bbwe\PhoneExperienceHost.exe" -ComServer:Background -Embedding

Phone Link is configured off in Windows settings?

__________________________________________________________

********Assumed Persistence/Problem program************

	Nvidia Container 

nvcontainer.exe PID 9652 UDP

svchost.exe  PID 11316 UDP 

svchost.exe  PID 11316 UDP 

nvcontainer.exe PID 9268

in RAMMap processes

Autostart:

HKLM\System\CurrentControlSet\Services\NVDisplay.ContainerLocalSystem

Command Line:

C:\Windows\System32\DriverStore\FileRepository\nvamsi.inf_amd64_dbb753a44f4fff27\Display.NvContainer\NVDisplay.Container.exe -s NVDisplay.ContainerLocalSystem -f C:\ProgramData\NVIDIA\NVDisplay.ContainerLocalSystem.log -l 3 -d C:\Windows\System32\DriverStore\FileRepository\nvamsi.inf_amd64_dbb753a44f4fff27\Display.NvContainer\plugins\LocalSystem -r -p 30000 -cfg NVDisplay.ContainerLocalSystem\LocalSystem /ert

Path:

C:\Windows\System32\DriverStore\FileRepository\nvamsi.inf_amd64_dbb753a44f4fff27\Display.NvContainer\NVDisplay.Container.exe

Check:

PROCEXP152.SYS

A security setting is detecting this as a vulnerable driver and blocking it from loading. You'll need to adjust your settings to load this driver.

C:\Program Files\NVIDIA Corporation\NvContainer

Task Scheduler\NvDriverUpdateCheckDaily_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}

CMD

"C:\Program Files\NVIDIA Corporation\NvContainer\nvcontainer.exe" -s NvContainerLocalSystem -f "C:\ProgramData\NVIDIA\NvContainerLocalSystem.log" -l 3 -d "C:\Program Files\NVIDIA Corporation\NvContainer\plugins\LocalSystem" -r -p 30000 -st "C:\Program Files\NVIDIA Corporation\NvContainer\NvContainerTelemetryApi.dll"

Path:

C:\Program Files\NVIDIA Corporation\NvContainer\nvcontainer.exe

__________________________________________________________

	Windows Wireless LAN 802.11 

C:\Windows\System32\wlanext.exe

cmd

C:\Windows\system32\WLANExt.exe 2603384371488

__________________________________________________________

	Spooler Subsystem App 

HKLM\System\CurrentControlSet\Services\Spooler

AutoStart:

HKLM\System\CurrentControlSet\Services\Spooler

CMD/Path:

C:\Windows\System32\spoolsv.exe

______________________________________________________

Strange folder with an IP-address-style name.

C:\Users\Local_Admin\AppData\Local\Microsoft\OneDrive\24.050.0310.0001

_____________________________________________________

Autoruns: (No Web)

______________________________________________

"C:\Windows\System32\DriverStore\FileRepository\nvamsi.inf_amd64_dbb753a44f4fff27\nvshext.dll"

________________________________________________

AVG Shell exe

"C:\Program Files\AVG\Antivirus\ashShell.dll"

______________________________________________

Link Click to Call

"C:\Program Files\Microsoft Office\root\vfs

\ProgramFilesX86\Microsoft Office\Office16\OCHelper.dll"

_______________________________________________

C:\Program Files (x86)\Microsoft\Edge\Application\123.0.2420.65\BHO

_______________________________________________

IEToEdge BHO

C:\Program Files (x86)\Microsoft\Edge\Application\123.0.2420.65\BHO

IEToEdge BHO

_______________________________________________

OneDrive Standalone Update Task

"C:\Users\Local_Admin\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe"

_____________________________________________

ClickToRunSvc

C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun

______________________________________________

Windows Defender Advanced

C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.dll

______________________________________________

Image Path REG_EXPAND_SZ Registry Key

"%ProgramFiles%\Windows Defender Advanced Threat Protection\MsSense.exe"\

______________________________________________

Microsoft Update Health Service

C:\Program Files\Microsoft Update Health Tools\uhssvc

_______________________________________________

C:\Windows\PLA

Interface id: 0 (\Device\NPF_Loopback)

C:\Windows\SKB\LanguageModels

_______________________________________________

These are the packets that Wireshark is showing with NOTHING connected:

DNS Queries

5353 5353

Source: 192.168.56.1 , Destination: 224.0.0.251

408 689.958536 fe80::1567:edf6:4976:dd73 ff02::fb MDNS 95 Standard query 0x0000 PTR _microsoft_mcc._tcp.local, "QU" question

410 690.973342 fe80::1567:edf6:4976:dd73 ff02::fb MDNS 95 Standard query 0x0000 PTR _microsoft_mcc._tcp.local, "QM" question

411 770.581337 127.0.0.1 127.0.0.1 TCP 45 49722 → 49723 [PSH, ACK] Seq=45 Ack=1 Win=8442 Len=1

412 770.581369 127.0.0.1 127.0.0.1 TCP 44 49723 → 49722 [ACK] Seq=1 Ack=46 Win=8438 Len=0

413 770.581751 127.0.0.1 127.0.0.1 TCP 45 49729 → 49728 [PSH, ACK] Seq=45 Ack=1 Win=8442 Len=1

414 770.581771 127.0.0.1 127.0.0.1 TCP 44 49728 → 49729 [ACK] Seq=1 Ack=46 Win=8439 Len=0

Source 59479

Dest 445

Source 5353

Dest 5353

________________________________________________________

C:\Program Files (x86)\Microsoft\EdgeWebView\Application\123.0.2420.65\123.0.2420.65Manifest

Manifest File?

2 strange hidden user accounts which appear as registry keys?

<assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'>
  <assemblyIdentity name='123.0.2420.65' version='123.0.2420.65' type='win32'/>
  <file name='msedge_elf.dll'/>
</assembly>

_________________________________________________

Sits below SustainabilityService.dll

C:\Windows\System32\svchost

wsappx 133.8 MB

_____________________________________________

**

C:\Windows\System32\ntoskrnl

Running high, 47.0 MB, under "Secure System"

______________________________________________

C:\Windows\System32\ntprint

C:\Windows\System32\ntprint.dll

_______________________________________________

C:\Windows\System32\svchost

"Service Host: State Repository Service"

_______________________________________________

Windows Widgets:

WebView2 GPU Process 4.7 MB

C:\Program Files (x86)\Microsoft\EdgeWebView\Application\123.0.2420.65

**

_______________________________________________

_________________________________________________

"C:\Windows\System32\0ae3b998-9a38-4b72-a4c4-06849441518d_Servicing-Stack.dll"

"C:\Windows\System32\6bea57fb-8dfb-4177-9ae8-42e8b3529933_RuntimeDeviceInstall.dll"

"C:\Windows\System32\69fe178f-26e7-43a9-aa7d-2b616b672dde_eventlogservice.dll"

"C:\Windows\System32\4545ffe2-0dc4-4df4-9d02-299ef204635e_hvsocket.dll"

"C:\Windows\System32\backgroundTaskHost.exe"

"C:\Windows\System32\BackgroundTransferHost.exe"

C:\Windows\System32\ApplicationFrameHost -> 9.1% MB Running

C:\Windows\System32\DriverStore\FileRepository\asussci2.inf_amd64_c2532b63de827d3d -> 1.7% MB Running

______________________________________________

+HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\AlternateShell

C:\Windows\System32\cmd.exe

______________________________________________

C:\Program Files (x86)\Microsoft\Edge\Application\123.0.2420.65\Installer\msedge_7z.data

_______________________________________________

"C:\Windows\System32\aadauthhelper.dll"

_________________________________________________

"C:\Windows\System32\wbem\unsecapp.exe"

_______________________________________________

+Steelseries HID Service Steelseries HID Driver

C:\Windows\System32\drivers\sshid

________________________________________________

nvvad_WaveExtensible

C:\Windows\System32\drivers\nvvad64v.sys

_______________________________________________

+Known DLL files not found?

_wow64cpu

_wowarmhw

_wowarmhw

_xtajit

_xtajit

wow64

wow64base

wow64icon

xtajit64

xtajit64

________________________________________________

	Autoruns Startup 

HKLM\System\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\StartupPrograms

rdpclip

 rdpclip 

 RDP Clipboard Monitor 

 Microsoft Corporation 

 10.0.22621.3374 

 c:\windows\system32\rdpclip.exe 

 9/21/1976 11:09 PM 

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit

C:\Windows\system32\userinit.exe

 C:\Windows\system32\userinit.exe 

 Userinit Logon Application 

 Microsoft Corporation 

 10.0.22621.3235 

 c:\windows\system32\userinit.exe 

 12/6/1943 2:49 AM 

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\VmApplet

SystemPropertiesPerformance.exe

 SystemPropertiesPerformance.exe 

 Change Computer Performance Settings 

 Microsoft Corporation 

 10.0.22621.1 

 c:\windows\system32\systempropertiesperformance.exe 

 10/26/1909 11:12 PM 

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell

explorer.exe

 explorer.exe 

 Windows Explorer 

 Microsoft Corporation 

 10.0.22621.3374 

 c:\windows\explorer.exe 

 8/11/1909 9:54 PM 

__________________________________________________________

		Load Order: 

Boot System Reserved n/a* pcw Performance Counters for Windows Driver System32\drivers\pcw.sys

Boot WdfLoadGroup n/a* Wdf01000 @%SystemRoot%\system32\drivers\Wdf01000.sys,-1000 system32\drivers\Wdf01000.sys

Boot Boot Bus Extender 7 acpiex Microsoft ACPIEx Driver System32\Drivers\acpiex.sys

Boot Boot Bus Extender 2 msisadrv System32\drivers\msisadrv.sys

Boot Boot Bus Extender 3 isapnp System32\drivers\isapnp.sys

Boot Boot Bus Extender 3 pci @pci.inf,%pci_svcdesc%;PCI Bus Driver System32\drivers\pci.sys

Boot Boot Bus Extender 4 vdrvroot @vdrvroot.inf,%vdrvroot_svcdesc%;Microsoft Virtual Drive Enumerator System32\drivers\vdrvroot.sys

Boot Boot Bus Extender n/a* partmgr @%SystemRoot%\system32\drivers\partmgr.sys,-100 System32\drivers\partmgr.sys

Boot Boot Bus Extender n/a* pdc @%SystemRoot%\system32\drivers\pdc.sys,-100 system32\drivers\pdc.sys

Boot System Bus Extender 7 nvraid System32\drivers\nvraid.sys

Boot System Bus Extender 3 ebdrv0 @netevbd0a.inf,%vbd_srv_desc%;QLogic Legacy Ethernet Adapter VBD System32\drivers\evbd0a.sys

Boot System Bus Extender 4 ebdrv @netevbda.inf,%vbd_srv_desc%;QLogic 10 Gigabit Ethernet Adapter VBD System32\drivers\evbda.sys

Boot System Bus Extender 1 pcmcia System32\drivers\pcmcia.sys

Boot System Bus Extender 8 spaceport @spaceport.inf,%Spaceport_ServiceDesc%;Storage Spaces Driver System32\drivers\spaceport.sys

Boot System Bus Extender 9 pciide System32\drivers\pciide.sys

Boot System Bus Extender 9 volmgr @volmgr.inf,%volmgr_svcdesc%;Volume Manager Driver System32\drivers\volmgr.sys

Boot System Bus Extender 10 intelide System32\drivers\intelide.sys

Boot System Bus Extender 10 volmgrx @%SystemRoot%\system32\drivers\volmgrx.sys,-100 System32\drivers\volmgrx.sys

Boot System Bus Extender 12 vmbus @wvmbus.inf,%vmbus.SVCDESC%;Virtual Machine Bus System32\drivers\vmbus.sys

Boot System Bus Extender 13 vpci @wvpci.inf,%vpci.SVCDESC%;Microsoft Hyper-V Virtual PCI Bus System32\drivers\vpci.sys

Boot System Bus Extender 2 b06bdrv @netbvbda.inf,%vbd_srv_desc%;QLogic Network Adapter VBD System32\drivers\bxvbda.sys

Boot System Bus Extender n/a* mountmgr @%SystemRoot%\system32\drivers\mountmgr.sys,-100 System32\drivers\mountmgr.sys

Boot SCSI Miniport 25 iaStorV @iastorv.inf,%*PNP0600.DeviceDesc%;Intel RAID Controller Windows 7 System32\drivers\iaStorV.sys

Boot SCSI Miniport 25 stexstor System32\drivers\stexstor.sys

Boot SCSI Miniport 1 AppleSSD @AppleSSD.inf,%DevDesc1%;Apple Solid State Drive Device System32\drivers\AppleSSD.sys

Boot SCSI miniport 2 3ware System32\drivers\3ware.sys

Boot SCSI miniport 4 amdsata System32\drivers\amdsata.sys

Boot SCSI miniport 5 amdxata System32\drivers\amdxata.sys

Boot SCSI miniport 6 amdsbs System32\drivers\amdsbs.sys

Boot SCSI miniport 7 arcsas @arcsas.inf,%arcsas_ServiceName%;Adaptec SAS/SATA-II RAID Storport's Miniport Driver System32\drivers\arcsas.sys

Boot SCSI Miniport 9 ItSas35i System32\drivers\ItSas35i.sys

Boot SCSI Miniport 10 LSI_SAS System32\drivers\lsi_sas.sys

Boot SCSI Miniport 11 LSI_SAS2i System32\drivers\lsi_sas2i.sys

Boot SCSI Miniport 12 LSI_SAS3i System32\drivers\lsi_sas3i.sys

Boot SCSI Miniport 13 megasas2i System32\drivers\MegaSas2i.sys

Boot SCSI Miniport 14 megasas35i System32\drivers\megasas35i.sys

Boot SCSI Miniport 15 megasr System32\drivers\megasr.sys

Boot SCSI Miniport 16 mpi3drvi System32\drivers\mpi3drvi.sys

Boot SCSI Miniport 17 mvumis System32\drivers\mvumis.sys

Boot SCSI Miniport 18 nvstor System32\drivers\nvstor.sys

Boot SCSI Miniport 19 percsas2i System32\drivers\percsas2i.sys

Boot SCSI Miniport 20 percsas3i System32\drivers\percsas3i.sys

Boot SCSI Miniport 21 pvscsi @pvscsii.inf,%pvscsi.DiskName%;pvscsi Storage Controller Driver System32\drivers\pvscsii.sys

Boot SCSI Miniport 22 SiSRaid2 System32\drivers\SiSRaid2.sys

Boot SCSI Miniport 23 SiSRaid4 System32\drivers\sisraid4.sys

Boot SCSI Miniport 26 vsmraid System32\drivers\vsmraid.sys

Boot SCSI Miniport 27 VSTXRAID @vstxraid.inf,%Driver.DeviceDesc%;VIA StorX Storage RAID Controller Windows Driver System32\drivers\vstxraid.sys

Boot SCSI Miniport 28 cht4iscsi System32\drivers\cht4sx64.sys

Boot SCSI miniport 29 iaStorAVC @iastorav.inf,%iaStorAVC.DeviceDesc%;Intel Chipset SATA RAID Controller System32\drivers\iaStorAVC.sys

Boot SCSI Miniport 31 atapi @mshdc.inf,%idechannel.DeviceDesc%;IDE Channel System32\drivers\atapi.sys

Boot SCSI Miniport 32 storahci @mshdc.inf,%storahci_ServiceDescription%;Microsoft Standard SATA AHCI Driver System32\drivers\storahci.sys

Boot SCSI miniport 33 iaStorVD @oem22.inf,%iaStorVD.ServiceName%;Intel(R) Chipset VMD RST Controller service System32\drivers\iaStorVD.sys

Boot SCSI Miniport 33 stornvme @stornvme.inf,%StorNVMe_ServiceDesc%;Microsoft Standard NVM Express Driver System32\drivers\stornvme.sys

Boot SCSI Miniport 210* ADP80XX System32\drivers\ADP80XX.SYS

Boot SCSI Miniport 259* HpSAMD System32\drivers\HpSAMD.sys

Boot SCSI Miniport 259* SmartSAMD System32\drivers\SmartSAMD.sys

Boot Primary Disk 1 nvdimm @nvdimm.inf,%nvdimm.SvcDesc%;Microsoft NVDIMM device driver System32\drivers\nvdimm.sys

Boot SCSI Class 1 EhStorTcgDrv @ehstortcgdrv.inf,%EhStorTcgDrv.Desc%;Microsoft driver for storage devices supporting IEEE 1667 and TCG protocols System32\drivers\EhStorTcgDrv.sys

Boot SCSI Class n/a* EhStorClass @%SystemRoot%\system32\drivers\EhStorClass.sys,-100 System32\drivers\EhStorClass.sys

Boot FSFilter Infrastructure 1 FltMgr @%SystemRoot%\system32\drivers\fltmgr.sys,-10001 system32\drivers\fltmgr.sys

Boot FSFilter Bottom n/a* FileInfo @%SystemRoot%\system32\drivers\fileinfo.sys,-100 System32\drivers\fileinfo.sys

Boot FSFilter Compression n/a* Wof Windows Overlay File System Filter Driver

Boot FSFilter Anti-Virus n/a* WdFilter @%ProgramFiles%\Windows Defender\MpAsDesc.dll,-330 system32\drivers\wd\WdFilter.sys

Boot Filter 1 CLFS @%SystemRoot%\system32\drivers\clfs.sys,-100 System32\drivers\CLFS.sys

Boot Base 1 KSecDD System32\Drivers\ksecdd.sys

Boot Base 26* storvsc System32\drivers\storvsc.sys

Boot File System n/a* Fs_Rec

Boot NDIS Wrapper n/a* NDIS @%SystemRoot%\system32\drivers\ndis.sys,-200 system32\drivers\ndis.sys

Boot Cryptography 2 KSecPkg System32\Drivers\ksecpkg.sys

Boot PNP_TDI 3 Tcpip @%SystemRoot%\system32\drivers\tcpip.sys,-10001 System32\drivers\tcpip.sys

Boot PNP_TDI n/a* WFPLWFS @%SystemRoot%\System32\drivers\wfplwfs.sys,-6000 System32\drivers\wfplwfs.sys

Boot Extended Base n/a* avgRvrt avgRvrt system32\drivers\avgRvrt.sys

Boot Extended Base n/a* avgVmm avgVmm system32\drivers\avgVmm.sys

Boot Extended Base 46* storflt @wstorflt.inf,%service_desc%;Microsoft Hyper-V Storage Accelerator System32\drivers\vmstorfl.sys

Boot Core* 2* ACPI @acpi.inf,%ACPI.SvcDesc%;Microsoft ACPI Driver System32\drivers\ACPI.sys

Boot n/a* n/a* avgbidsh avgbidsh system32\drivers\avgbidsh.sys

Boot n/a* n/a* avgbuniv avgbuniv system32\drivers\avgbuniv.sys

Boot Early-Launch* n/a* avgElam avgElam system32\drivers\avgElam.sys

Boot PnP Filter* 6* bttflt @virtdisk.inf,%service_desc%;Microsoft Hyper-V VHDPMEM BTT Filter System32\drivers\bttflt.sys

Boot Core* 4* CNG System32\Drivers\cng.sys

Boot n/a* n/a* disk @disk.inf,%disk_ServiceDesc%;Disk Driver System32\drivers\disk.sys

Boot PnP Filter* 5* fvevol @%SystemRoot%\system32\drivers\fvevol.sys,-100 System32\DRIVERS\fvevol.sys

Boot * n/a* GenPass @genpass.inf,%GenPass.SVCDESC%;Microsoft GenPass Driver System32\DriverStore\FileRepository\genpass.inf_amd64_bef88a423225ecdc\genpass.sys

Boot n/a* n/a* hwpolicy @%systemroot%\system32\drivers\hwpolicy.sys,-101 System32\drivers\hwpolicy.sys

Boot Core Security Extensions* 1* intelpep @intelpep.inf,%INTELPEP.SVCDESC%;Intel(R) Power Engine Plug-in Driver System32\drivers\intelpep.sys

Boot Core Security Extensions* 2* IntelPMT @intelpmt.inf,%IntelPMT.SVCDESC%;Intel(R) Platform Monitoring Technology Service System32\drivers\IntelPMT.sys

Boot PnP Filter* n/a* iorate @%SystemRoot%\system32\drivers\iorate.sys,-101 system32\drivers\iorate.sys

Boot n/a* n/a* MsSecCore @%SystemRoot%\System32\Drivers\msseccore.sys,-1001 system32\drivers\msseccore.sys

Boot Network* n/a* Mup @%systemroot%\system32\drivers\mup.sys,-101 System32\Drivers\mup.sys

Boot * n/a* nvmedisk @nvmedisk.inf,%nvmedisk.SvcDesc%;Microsoft NVMe disk driver System32\drivers\nvmedisk.sys

Boot n/a* n/a* pmem @pmem.inf,%pmem.SvcDesc%;Microsoft persistent memory disk driver System32\drivers\pmem.sys

Boot * n/a* PRM @prm.inf,%PRM.SvcDesc%;Microsoft PRM Driver System32\DriverStore\FileRepository\prm.inf_amd64_de435dc5c75d64a5\PRM.sys

Boot n/a* n/a* Ramdisk Windows RAM Disk Driver system32\DRIVERS\ramdisk.sys

Boot PnP Filter* n/a* rdyboost ReadyBoost System32\drivers\rdyboost.sys

Boot n/a* n/a* sbp2port @sbp2.inf,%sbp2_ServiceDesc%;SBP-2 Transport/Protocol Bus Driver System32\drivers\sbp2port.sys

Boot n/a* n/a* scmbus @scmbus.inf,%scmbus.SvcDesc%;Microsoft Storage Class Memory Bus Driver System32\drivers\scmbus.sys

Boot n/a* n/a* storufs @storufs.inf,%UfsServiceDesc%;Microsoft Universal Flash Storage (UFS) Driver System32\drivers\storufs.sys

Boot n/a* n/a* volsnap @%SystemRoot%\system32\drivers\volsnap.sys,-100 System32\drivers\volsnap.sys

Boot * n/a* volume @volume.inf,%VolumeServiceDesc%;Volume driver System32\drivers\volume.sys

Boot Core Security Extensions* 1* WindowsTrustedRT Windows Trusted Execution Environment Class Extension system32\drivers\WindowsTrustedRT.sys

Boot Core Security Extensions* 2* WindowsTrustedRTProxy @WindowsTrustedRTProxy.inf,%WindowsTrustedRTProxy.SVCDESC%;Microsoft Windows Trusted Runtime Secure Service System32\drivers\WindowsTrustedRTProxy.sys

System SCSI CDROM Class 1 cdrom @cdrom.inf,%cdrom_ServiceDesc%;CD-ROM Driver \SystemRoot\System32\drivers\cdrom.sys

System FSFilter Security Enhancer n/a* avgSP avgSP system32\drivers\avgSP.sys

System FSFilter Virtualization n/a* avgSnx avgSnx system32\drivers\avgSnx.sys

System FSFilter Encryption n/a* FileCrypt @%systemroot%\system32\drivers\filecrypt.sys,-100 system32\drivers\filecrypt.sys

System FSFilter Anti-Virus n/a* avgMonFlt avgMonFlt system32\drivers\avgMonFlt.sys

System FSFilter Activity Monitor n/a* UCPD @%SystemRoot%\system32\drivers\UCPD.sys,-200 system32\drivers\UCPD.sys

System Base 1 Null

System Base 2 Beep Beep

System Keyboard Port n/a* avgKbd avgKbd system32\drivers\avgKbd.sys

System Video Init 1 DXGKrnl LDDM Graphics Subsystem \SystemRoot\System32\drivers\dxgkrnl.sys

System Video 1 BasicDisplay \SystemRoot\System32\DriverStore\FileRepository\basicdisplay.inf_amd64_02da009b3d736cc1\BasicDisplay.sys

System Video 2* BasicRender \SystemRoot\System32\DriverStore\FileRepository\basicrender.inf_amd64_402645b3f1a80dd7\BasicRender.sys

System File system n/a* CimFS

System File system n/a* Msfs

System File system n/a* Npfs

System PNP_TDI 4 tdx @%SystemRoot%\system32\tcpipcfg.dll,-50004 \SystemRoot\system32\DRIVERS\tdx.sys

System PNP_TDI n/a* AFD @%systemroot%\system32\drivers\afd.sys,-1000 \SystemRoot\system32\drivers\afd.sys

System PNP_TDI n/a* afunix afunix \SystemRoot\system32\drivers\afunix.sys

System PNP_TDI n/a* avgRdr avgRdr system32\drivers\avgRdr2.sys

System PNP_TDI n/a* NetBT @%SystemRoot%\system32\drivers\netbt.sys,-2 System32\DRIVERS\netbt.sys

System NDIS 17 VBoxNetLwf @oem84.inf,%VBoxNetLwfService_Desc%;VirtualBox NDIS6 Bridged Networking Service \SystemRoot\system32\DRIVERS\VBoxNetLwf.sys

System NDIS 18 npcap @oem101.inf,%NPF_Desc_Standard%;Npcap Packet Driver (NPCAP) \SystemRoot\system32\DRIVERS\npcap.sys

System NDIS n/a* avgNetHub avgNetHub system32\drivers\avgNetHub.sys

System NDIS n/a* NdisCap @%SystemRoot%\System32\drivers\ndiscap.sys,-5000 System32\drivers\ndiscap.sys

System NDIS n/a* Psched @%windir%\System32\drivers\pacer.sys,-101 System32\drivers\pacer.sys

System NDIS n/a* vwififlt @%SystemRoot%\System32\drivers\vwififlt.sys,-259 System32\drivers\vwififlt.sys

System NetBIOSGroup n/a* NetBIOS @%windir%\system32\drivers\netbios.sys,-503 system32\drivers\netbios.sys

System Extended Base 42* Vid \SystemRoot\System32\drivers\Vid.sys

System n/a* n/a* ahcache @%systemroot%\system32\drivers\ahcache.sys,-102 system32\DRIVERS\ahcache.sys

System * n/a* ATKWMIACPIIO ATKWMIACPI Driver \SystemRoot\System32\DriverStore\FileRepository\asussci2.inf_amd64_c2532b63de827d3d\ASUSOptimization\AsusWmiAcpi.sys

System n/a* n/a* avgArPot avgArPot system32\drivers\avgArPot.sys

System n/a* n/a* avgbidsdriver avgbidsdriver system32\drivers\avgbidsdriver.sys

System n/a* n/a* bam @%SystemRoot%\system32\drivers\bam.sys,-100 system32\drivers\bam.sys

System network* 9* CSC @%systemroot%\system32\cscsvc.dll,-202 system32\drivers\csc.sys

System n/a* n/a* dam @%SystemRoot%\system32\drivers\dam.sys,-100 system32\drivers\dam.sys

System Network* n/a* Dfsc @%systemroot%\system32\wkssvc.dll,-1008 System32\Drivers\dfsc.sys

System * n/a* mssmbios @mssmbios.inf,%mssmbios_svcdesc%;Microsoft System Management BIOS Driver \SystemRoot\System32\drivers\mssmbios.sys

System * n/a* npsvctrig @npsvctrig.inf,%NPSVCTRIG.SvcDisplayName%;Named pipe service trigger provider \SystemRoot\System32\drivers\npsvctrig.sys

System n/a* n/a* nsiproxy @%SystemRoot%\system32\drivers\nsiproxy.sys,-2 system32\drivers\nsiproxy.sys

System Network* 4* rdbss @%systemroot%\system32\wkssvc.dll,-1000 system32\DRIVERS\rdbss.sys

System n/a* n/a* VBoxSup VirtualBox Service \SystemRoot\system32\DRIVERS\VBoxSup.sys

System n/a* n/a* VBoxUSBMon VirtualBox USB Monitor Service \SystemRoot\system32\DRIVERS\VBoxUSBMon.sys

System n/a* n/a* veracrypt veracrypt System32\drivers\veracrypt.sys

Automatic FSFilter Virtualization n/a* bfs @%systemroot%\system32\drivers\bfs.sys,-100 \SystemRoot\system32\drivers\bfs.sys

Automatic FSFilter Virtualization n/a* luafv @%systemroot%\system32\drivers\luafv.sys,-100 \SystemRoot\system32\drivers\luafv.sys

Automatic FSFilter Virtualization n/a* wcifs @%systemroot%\system32\drivers\wcifs.sys,-100 \SystemRoot\system32\drivers\wcifs.sys

Automatic FSFilter HSM 1 CldFlt Windows Cloud Files Filter Driver system32\drivers\cldflt.sys

Automatic FSFilter Quota Management n/a* storqosflt @%SystemRoot%\System32\drivers\storqosflt.sys,-101 system32\drivers\storqosflt.sys

Automatic FSFilter Top n/a* bindflt @%systemroot%\system32\drivers\bindflt.sys,-100 \SystemRoot\system32\drivers\bindflt.sys

Automatic Video n/a* NVDisplay.ContainerLocalSystem NVIDIA Display Container LS

Automatic COM Infrastructure n/a* BrokerInfrastructure @%windir%\system32\bisrv.dll,-100 %SystemRoot%\system32\svchost.exe -k DcomLaunch -p

Automatic COM Infrastructure n/a* DcomLaunch @combase.dll,-5012 %SystemRoot%\system32\svchost.exe -k DcomLaunch -p

Automatic COM Infrastructure n/a* LSM @%windir%\system32\lsm.dll,-1001 %SystemRoot%\system32\svchost.exe -k DcomLaunch -p

Automatic COM Infrastructure n/a* RpcEptMapper @%windir%\system32\RpcEpMap.dll,-1001 %SystemRoot%\system32\svchost.exe -k RPCSS -p

Automatic COM Infrastructure n/a* RpcSs @combase.dll,-5010 %SystemRoot%\system32\svchost.exe -k rpcss -p

Automatic Event Log n/a* EventLog @%SystemRoot%\system32\wevtsvc.dll,-200 %SystemRoot%\System32\svchost.exe -k LocalServiceNetworkRestricted -p

Automatic ProfSvc_Group n/a* AvgWscReporter "C:\Program Files\AVG\Antivirus\wsc_proxy.exe" /runassvc /rpcserver

Automatic ProfSvc_Group n/a* gpsvc @gpapi.dll,-112 %systemroot%\system32\svchost.exe -k netsvcs -p

Automatic profsvc_group n/a* ProfSvc @%systemroot%\system32\profsvc.dll,-300 %systemroot%\system32\svchost.exe -k UserProfileService -p

Automatic ProfSvc_Group n/a* SENS @%SystemRoot%\system32\Sens.dll,-200 %SystemRoot%\system32\svchost.exe -k netsvcs -p

Automatic profsvc_group n/a* SysMain @%SystemRoot%\system32\sysmain.dll,-1000 %systemroot%\system32\svchost.exe -k LocalSystemNetworkRestricted -p

Automatic ProfSvc_Group n/a* Themes @%SystemRoot%\System32\themeservice.dll,-8192 %SystemRoot%\System32\svchost.exe -k netsvcs -p

Automatic AudioGroup n/a* AudioEndpointBuilder @%SystemRoot%\system32\AudioEndpointBuilder.dll,-204 %SystemRoot%\System32\svchost.exe -k LocalSystemNetworkRestricted -p

Automatic AudioGroup n/a* Audiosrv @%SystemRoot%\system32\audiosrv.dll,-200 %SystemRoot%\System32\svchost.exe -k LocalServiceNetworkRestricted -p

Automatic AudioGroup n/a* FontCache @%systemroot%\system32\FntCache.dll,-100 %SystemRoot%\system32\svchost.exe -k LocalService -p

Automatic MS_WindowsLocalValidation n/a* SamSs @%SystemRoot%\system32\samsrv.dll,-1 %SystemRoot%\system32\lsass.exe

Automatic Plugplay n/a* Power @%SystemRoot%\system32\umpo.dll,-100 %SystemRoot%\system32\svchost.exe -k DcomLaunch -p

Automatic PlugPlay n/a* TextInputManagementService @%SystemRoot%\system32\TabSvc.dll,-100 %SystemRoot%\System32\svchost.exe -k LocalSystemNetworkRestricted -p

Automatic NDIS n/a* lltdio @%SystemRoot%\system32\lltdres.dll,-6 system32\drivers\lltdio.sys

Automatic NDIS n/a* MsLldp @%SystemRoot%\system32\drivers\mslldp.sys,-200 system32\drivers\mslldp.sys

Automatic NDIS n/a* rspndr @%SystemRoot%\system32\lltdres.dll,-5 system32\drivers\rspndr.sys

Automatic NDIS n/a* wanarp @%systemroot%\system32\mprmsg.dll,-32011 System32\DRIVERS\wanarp.sys

Automatic TDI n/a* Dhcp @%SystemRoot%\system32\dhcpcore.dll,-100 %SystemRoot%\system32\svchost.exe -k LocalServiceNetworkRestricted -p

Automatic TDI n/a* Dnscache @%SystemRoot%\System32\dnsapi.dll,-101 %SystemRoot%\system32\svchost.exe -k NetworkService -p

Automatic TDI n/a* DusmSvc @%SystemRoot%\System32\dusmsvc.dll,-1 %SystemRoot%\Syste

Windows for home | Windows 11 | Security and privacy

Locked Question. This question was migrated from the Microsoft Support Community. You can vote on whether it's helpful, but you can't add comments or replies or follow the question.
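A first triage step for the destinations listed in the notes above is to sort them into buckets by where they can actually go: link-local multicast that Windows name resolution emits on its own (LLMNR to 224.0.0.252 and ff02::1:3 on UDP 5355, mDNS to 224.0.0.251 and ff02::fb on UDP 5353), loopback traffic that never leaves the host, LAN peers, and routable unicast, which is the only class that can reach an internet C2. The script below is an added example for this thread, not code from the original post or from any tool named in it. It parses the two line formats pasted above (Process Monitor UDP Send paths and Wireshark packet-list rows), sends nothing, and runs offline; the last two observations are constructed (one LAN peer on port 445, one RFC 5737 documentation address standing in for an internet host) so that every bucket is exercised.

```python
"""Sort the destinations seen in ProcMon / Wireshark notes into triage buckets.

Added example for this thread; it is not code from the original post.
It only classifies addresses, it sends nothing. OBSERVATIONS are copied from
the notes above except the last two, which are constructed (marked below).
"""
import ipaddress
import re

# UDP ports behind the service names ProcMon prints for UDP Send events.
SERVICE_PORTS = {"llmnr": 5355, "mdns": 5353}

# Multicast groups Windows name-resolution clients talk to on their own.
KNOWN_DISCOVERY = {
    ("224.0.0.252", 5355): "LLMNR",
    ("ff02::1:3", 5355): "LLMNR over IPv6",
    ("224.0.0.251", 5353): "mDNS",
    ("ff02::fb", 5353): "mDNS over IPv6",
}

# RFC 1918 / RFC 4193 ranges: a peer here is on the LAN, not on the internet.
LAN_NETS = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]

# "57529 -> 224.0.0.252:llmnr"  (Process Monitor, Path column of a UDP Send)
PROCMON_RE = re.compile(r"^\s*\d+\s*->\s*(\S+)\s*$")
# "No. Time Source Destination Protocol Length Info"  (Wireshark packet list)
WIRESHARK_RE = re.compile(r"^\s*\d+\s+[\d.]+\s+(\S+)\s+(\S+)\s+(\S+)\s+\d+\s+(.*)$")
TCP_PORTS_RE = re.compile(r"\d+\s*(?:→|->)\s*(\d+)")


def parse_observation(line):
    """Return (destination, port or None) for a ProcMon or Wireshark line, else None."""
    m = PROCMON_RE.match(line)
    if m:
        dst, _, svc = m.group(1).rpartition(":")   # rpartition keeps IPv6 colons intact
        port = SERVICE_PORTS.get(svc.lower(), int(svc) if svc.isdigit() else None)
        return dst, port
    m = WIRESHARK_RE.match(line)
    if m:
        _src, dst, proto, info = m.groups()
        if proto.upper() == "MDNS":
            return dst, 5353
        pm = TCP_PORTS_RE.search(info)
        return dst, (int(pm.group(1)) if pm else None)
    return None


def classify(dst, port):
    """Triage label: what this destination can and cannot be."""
    addr = ipaddress.ip_address(dst)
    label = KNOWN_DISCOVERY.get((addr.compressed, port))
    if label:
        return f"expected: {label} multicast name resolution"
    if addr.is_loopback:
        return "loopback: inter-process traffic that never leaves this host"
    if addr.is_multicast or addr.is_link_local:
        return "link-local/multicast: not routable beyond this segment"
    if any(addr in net for net in LAN_NETS):
        return "LAN unicast: identify the peer host on the local network"
    return "ROUTABLE unicast: could reach the internet, attribute the owning process"


def triage(lines):
    """Parse every recognisable line and return (destination, port, label) rows."""
    rows = []
    for line in lines:
        parsed = parse_observation(line)
        if parsed:
            dst, port = parsed
            rows.append((dst, port, classify(dst, port)))
    return rows


OBSERVATIONS = [
    "57529 -> ff02::1:3:llmnr",
    "57529 -> 224.0.0.252:llmnr",
    "54548 -> ff02::1:3:llmnr",
    '408 689.958536 fe80::1567:edf6:4976:dd73 ff02::fb MDNS 95 Standard query 0x0000 PTR _microsoft_mcc._tcp.local, "QU" question',
    "411 770.581337 127.0.0.1 127.0.0.1 TCP 45 49722 → 49723 [PSH, ACK] Seq=45 Ack=1 Win=8442 Len=1",
    "59479 -> 192.168.56.1:445",    # constructed: SMB to a LAN peer (address chosen for illustration)
    "49800 -> 198.51.100.23:443",   # constructed: RFC 5737 documentation address standing in for an internet host
]

if __name__ == "__main__":
    for dst, port, label in triage(OBSERVATIONS):
        print(f"{dst:>28} :{port!s:<5} {label}")
```

Only rows labelled ROUTABLE deserve the C2 question; for those, the next step is to tie the socket to a process (Process Monitor's Process column, or `netstat -abno` from an elevated prompt) and check that binary's Authenticode signature before reading anything into its name.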


10 answers

  1. Anonymous
    2024-09-20T06:04:56+00:00

    Any update on this? My Event Viewer has an application error non-stop, every single minute, related to this. Here's a copy of mine below.

    Faulting application name: NVDisplay.Container.exe, version: 1.39.3323.1171, time stamp: 0x64e85748

    Faulting module name: _nvtopps.dll, version: 32.0.15.6094, time stamp: 0x66bc34e0

    Exception code: 0xc0000005

    Fault offset: 0x000000000037b4bb

    Faulting process id: 0x0x7170

    Faulting application start time: 0x0x1DB0B22A239489F

    Faulting application path: C:\WINDOWS\System32\DriverStore\FileRepository\nvmdi.inf_amd64_33559cc6c2fd215a\Display.NvContainer\NVDisplay.Container.exe

    Faulting module path: C:\WINDOWS\System32\DriverStore\FileRepository\nvmdi.inf_amd64_33559cc6c2fd215a\Display.NvContainer\plugins\LocalSystem\_nvtopps.dll

    Report Id: 7b1140cf-1702-4362-bbce-9a2fdd3667d5

    Faulting package full name: 

    Faulting package-relative application ID: 

    and this one:

    Faulting application name: NVDisplay.Container.exe, version: 1.39.3323.1171, time stamp: 0x64e85748

    Faulting module name: NVDisplay.Container.exe, version: 1.39.3323.1171, time stamp: 0x64e85748

    Exception code: 0xc0000409

    Fault offset: 0x00000000000932e5

    Faulting process id: 0x0x6210

    Faulting application start time: 0x0x1DB0B222704DE43

    Faulting application path: C:\WINDOWS\System32\DriverStore\FileRepository\nvmdi.inf_amd64_33559cc6c2fd215a\Display.NvContainer\NVDisplay.Container.exe

    Faulting module path: C:\WINDOWS\System32\DriverStore\FileRepository\nvmdi.inf_amd64_33559cc6c2fd215a\Display.NvContainer\NVDisplay.Container.exe

    Report Id: 6042bbc8-40a8-4772-bffa-cf5a2a7c69ff

    Faulting package full name: 

    Faulting package-relative application ID: 

    The fault offset codes seem to only change between those 2 codes. Months ago it was not once a minute, so now it has increased. No idea **** is going on. I reinstalled my Nvidia drivers completely using DDU months ago when I first saw this happening as well.

    1 person found this answer helpful.
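The two records quoted in the answer above are Windows "Application Error" events (Event ID 1000), and when one arrives every minute the useful questions are which NTSTATUS the exception code is, whether the crash site (faulting module, code, offset) is stable, and whether the faulting module lives in the same DriverStore package as the host executable. The script below is an added example, not code from the original answer or from NVIDIA or Microsoft; its SAMPLE_EVENTS are constructed from the two event bodies quoted above (the second is repeated once so the counting shows), and the NTSTATUS table lists only the codes that appear there plus one common neighbour.

```python
"""Decode and group Windows 'Application Error' (Event ID 1000) bodies.

Added example for this thread; not code from the original answer. SAMPLE_EVENTS
is constructed from the two events quoted above, with the second repeated once
so the counting is visible. Field names are the ones Windows writes.
"""
import re
from collections import Counter

# NTSTATUS exception codes seen in these events and what they indicate.
NTSTATUS = {
    0xC0000005: "STATUS_ACCESS_VIOLATION: read/write through a bad pointer",
    0xC0000409: "STATUS_STACK_BUFFER_OVERRUN: /GS cookie check or __fastfail abort",
    0xC0000374: "STATUS_HEAP_CORRUPTION",
}

FIELD_RE = re.compile(r"^\s*(Faulting [\w\- ]+?|Exception code|Fault offset|Report Id):\s*(.*)$")
PKG_RE = re.compile(r"FileRepository\\([^\\]+)\\", re.IGNORECASE)


def parse_event(text):
    """Map each 'Name: value' line of one event body to a dict."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return fields


def decode_code(code_text):
    """Translate the 'Exception code' hex string into its NTSTATUS meaning."""
    code = int(code_text, 16)
    return NTSTATUS.get(code, f"unlisted NTSTATUS 0x{code:08X}")


def crash_key(fields):
    """(module, exception code, offset): identical keys mean the same crash site."""
    module = fields.get("Faulting module name", "").split(",")[0].strip()
    return (module, fields.get("Exception code", "").lower(), fields.get("Fault offset", "").lower())


def same_driver_package(fields):
    """True when app and faulting module sit in the same DriverStore package folder."""
    app = PKG_RE.search(fields.get("Faulting application path", ""))
    mod = PKG_RE.search(fields.get("Faulting module path", ""))
    return bool(app and mod and app.group(1).lower() == mod.group(1).lower())


def summarize(event_bodies):
    """Group events by crash site, most frequent first, with the code decoded."""
    parsed = [parse_event(b) for b in event_bodies]
    counts = Counter(crash_key(f) for f in parsed)
    return [
        {"module": module, "code": code, "meaning": decode_code(code),
         "offset": offset, "count": n}
        for (module, code, offset), n in counts.most_common()
    ]


# Constructed from the two event bodies quoted in the answer above.
EVENT_A = """Faulting application name: NVDisplay.Container.exe, version: 1.39.3323.1171, time stamp: 0x64e85748
Faulting module name: _nvtopps.dll, version: 32.0.15.6094, time stamp: 0x66bc34e0
Exception code: 0xc0000005
Fault offset: 0x000000000037b4bb
Faulting application path: C:\\WINDOWS\\System32\\DriverStore\\FileRepository\\nvmdi.inf_amd64_33559cc6c2fd215a\\Display.NvContainer\\NVDisplay.Container.exe
Faulting module path: C:\\WINDOWS\\System32\\DriverStore\\FileRepository\\nvmdi.inf_amd64_33559cc6c2fd215a\\Display.NvContainer\\plugins\\LocalSystem\\_nvtopps.dll
Report Id: 7b1140cf-1702-4362-bbce-9a2fdd3667d5"""

EVENT_B = """Faulting application name: NVDisplay.Container.exe, version: 1.39.3323.1171, time stamp: 0x64e85748
Faulting module name: NVDisplay.Container.exe, version: 1.39.3323.1171, time stamp: 0x64e85748
Exception code: 0xc0000409
Fault offset: 0x00000000000932e5
Faulting application path: C:\\WINDOWS\\System32\\DriverStore\\FileRepository\\nvmdi.inf_amd64_33559cc6c2fd215a\\Display.NvContainer\\NVDisplay.Container.exe
Faulting module path: C:\\WINDOWS\\System32\\DriverStore\\FileRepository\\nvmdi.inf_amd64_33559cc6c2fd215a\\Display.NvContainer\\NVDisplay.Container.exe
Report Id: 6042bbc8-40a8-4772-bffa-cf5a2a7c69ff"""

SAMPLE_EVENTS = [EVENT_A, EVENT_B, EVENT_B]

if __name__ == "__main__":
    for row in summarize(SAMPLE_EVENTS):
        print(f"{row['count']:>3}x {row['module']} {row['code']}+{row['offset']}  {row['meaning']}")
    print("module in same DriverStore package:", same_driver_package(parse_event(EVENT_A)))
```

To run it over a real machine, export the Application log from Event Viewer (or `wevtutil qe Application /q:"*[System[(EventID=1000)]]" /f:text`) and split the output into bodies at each "Faulting application name:" line. A handful of identical (module, code, offset) triples repeating for months, all inside one signed driver package, is the profile of a deterministic bug in that build; a spread of different offsets and modules would point at corruption from outside the process, which is where signature checks on the loaded DLLs come in.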
  2. Anonymous
    2024-07-11T18:28:05+00:00

    I have the same problem.

    1 person found this answer helpful.
  3. Anonymous
    2024-10-10T15:17:29+00:00

    @skarface I have the same infection that you describe I fear. Can we PM on this platform? I would desperately like to connect with anyone that has had experiences similar to mine. I have resigned myself to using infected devices the rest of my life. But I would rather join together and find a way to help rid ourselves of these infections.

    DB

  4. Anonymous
    2024-09-22T16:02:45+00:00

    I think I've got the same virus. I think they brute-force routers or use stolen admin things; they're accessing my PCs using Intel ME and have been sending firmware updates to everything on the network and redirecting attempts to update. I'm trying to compile a coreboot ROM because it disables Intel ME, and you have to get it flashed, opening my laptop up etc. I'd get it flashed with that and replace the SSD only after disconnecting all the batteries and letting it discharge. Then reinstall offline, get Group Policy (gpedit.msc), disable Windows driver updates and the SWD class GUID, remove the Bluetooth driver and block it with gpedit.msc, and you need to replace everything with Wi-Fi or Bluetooth at the same time and change the passwords on any new router regularly. Sorry about my spelling, I have dyslexia. Oh, and tell anyone who's been using the network the bad news. The thing is, nothing detects firmware viruses or their activity. I'm in the UK, by the way.

  5. Anonymous
    2024-04-03T10:51:33+00:00

    Hello, Geneva_X

    Thank you for posting in the Microsoft community.

    Understanding that you seem to have installed malware, which may try to send packets to a C2 server and perform some abnormal behaviours in your system, please back up all the data files you need to the cloud or other locations, then immediately disconnect from the network, format the hard drive, and install a new system. This will prevent the malware from affecting the system as much as possible and reduce the damage caused by it. In the meantime, if you have any concerns about Nvidia's software, you can visit its official website for further advice, and I'll provide you with a link to it here: Customer Support, Knowledgebase, and FAQs | NVIDIA

    Disclaimer: Microsoft provides no assurances and/or warranties, implied or otherwise, and is not responsible for the information you receive from the third-party linked sites or any support related to technology. If you are going to modify BIOS settings, please back up all your personal files first to ensure you do not lose data.

    Please refer to the steps for a freshly installed system: How to make clean install of Windows 11 - Microsoft Community

    Disclaimer: At this point, we have exhausted all troubleshooting and I recommend that we try to perform a clean install to get your computer back into a working condition. Please ensure that you backup any important data, including Documents, Pictures, Videos, and more.

    Give it a try and feel free to contact me in the forums with any developments.

    Best Regards,

    Rota | Microsoft Community Support Specialist
