
Malware from Nvidia Container

Anonymous
2024-04-02T15:57:04+00:00

I've got some form of malware. It installed files on my desktop and in my documents that weren't there before, and AVG blocked them when they were trying to reach out. On Wireshark, with nothing running, it kept sending packets from one port to another and then trying to exfiltrate, seemingly to a C2 server. It appeared to be from the Nvidia Container, and there were WinTemp and WinReTemp partitions created, and it says I have SSMS installed, which I never installed. Can someone help me by pointing out whether I'm in the right direction from what you see?

Like I said, there were 2 partitions created, and one of the times I opened the user panel there were 2 users who had the names of registry keys; then when I closed the user panel and reopened it they were gone. Memory will be as high as 95% when sitting idle, watching it using that Sysinternals plugin. I've run Autoruns, Process Explorer and Task Manager and watched packets on all interfaces in Wireshark without anything going. I included my notes below of what I've found, and this malware appears to be trying to send packets over Bluetooth and spread using Bluetooth exploits or same-network exploits. It created an Apple hard drive? And svchost uses like the most memory. It constantly clears my event logs, and I can't reinstall Windows or reset; it sat at 67% for over an hour trying to reset.

__________________________________________________________

	Initial Notes: 

CPU @ 10-18% Jumps from 18-43% CPU Jumps from 4-5% to 30, 50% Memory is idling at 43% (without programs open)

High Memory Jumps and CPU Jumps from low bottom numbers indicate malware, a process and/or packet and possible screen capture process being executed in autoruns through the DLL/Registry values which have been added into system files to hold network persistence.

Nvidia Container appears to be taking Screen Captures and trying to send them to host.

Malicious DLL/Registry Keys appear to be installed with a combination program.

OneDrive appears infected on ******@outlook.com; attack vector appears to be cloud based, with DLL/Registry persistence. Appears to have come from a file download or link or malicious Internet.

Strings that appear "Unusual" in Proc Explorer (Admin)

  1. Redmond1
  2. Washington1
  3. N0L0J
  4. O0M0K

In Process Monitor, svchost.exe PID 2908 is doing a UDP send, from:

(With Nothing Connected, and Bluetooth DISABLED)

57529 -> ff02::1:3:llmnr

57529 -> 224.0.0.252:llmnr

54548 -> ff02::1:3:llmnr

54548 -> 224.0.0.252:llmnr

55926 -> ff02::1:3:llmnr

55926 -> 224.0.0.252:llmnr

_________________________________________________________

svchost.exe

sihost.exe 

Path

C:\Windows\System32\svchost.exe

Command Line

C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager

Current Directory

C:\Windows\System32\

Registry Key

HKLM\System\CurrentControlSet\Services\WpnUserService_d91de

__________________________________________________________

		phone link? 

path

C:\Program Files\WindowsApps\Microsoft.YourPhone_1.24022.87.0_x64__8wekyb3d8bbwe\PhoneExperienceHost.exe

cmd

"C:\Program Files\WindowsApps\Microsoft.YourPhone_1.24022.87.0_x64__8wekyb3d8bbwe\PhoneExperienceHost.exe" -ComServer:Background -Embedding

Phone Link is configured off in Windows settings?

__________________________________________________________

********Assumed Persistence/Problem program************

	Nvidia Container 

nvcontainer.exe PID 9652 UDP

svchost.exe  PID 11316 UDP 

svchost.exe  PID 11316 UDP 

nvcontainer.exe PID 9268

in rammap processes

Autostart:

HKLM\System\CurrentControlSet\Services\NVDisplay.ContainerLocalSystem

Command Line:

C:\Windows\System32\DriverStore\FileRepository\nvamsi.inf_amd64_dbb753a44f4fff27\Display.NvContainer\NVDisplay.Container.exe -s NVDisplay.ContainerLocalSystem -f C:\ProgramData\NVIDIA\NVDisplay.ContainerLocalSystem.log -l 3 -d C:\Windows\System32\DriverStore\FileRepository\nvamsi.inf_amd64_dbb753a44f4fff27\Display.NvContainer\plugins\LocalSystem -r -p 30000 -cfg NVDisplay.ContainerLocalSystem\LocalSystem /ert

Path:

C:\Windows\System32\DriverStore\FileRepository\nvamsi.inf_amd64_dbb753a44f4fff27\Display.NvContainer\NVDisplay.Container.exe

Check:

PROCEXP152.SYS

A security setting is detecting this as a vulnerable driver and blocking it from loading. You'll need to adjust your settings to load this driver.

C:\Program Files\NVIDIA Corporation\NvContainer

Task Scheduler\NvDriverUpdateCheckDaily_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}

CMD

"C:\Program Files\NVIDIA Corporation\NvContainer\nvcontainer.exe" -s NvContainerLocalSystem -f "C:\ProgramData\NVIDIA\NvContainerLocalSystem.log" -l 3 -d "C:\Program Files\NVIDIA Corporation\NvContainer\plugins\LocalSystem" -r -p 30000 -st "C:\Program Files\NVIDIA Corporation\NvContainer\NvContainerTelemetryApi.dll"

Path:

C:\Program Files\NVIDIA Corporation\NvContainer\nvcontainer.exe

__________________________________________________________

	Windows Wireless Lan 802.11 

C:\Windows\System32\wlanext.exe

cmd

C:\Windows\system32\WLANExt.exe 2603384371488

__________________________________________________________

	Spooler Subsystem App 

HKLM\System\CurrentControlSet\Services\Spooler

AutoStart:

HKLM\System\CurrentControlSet\Services\Spooler

CMD/Path:

C:\Windows\System32\spoolsv.exe

______________________________________________________

Strange Folder with IP Address Type Name.

C:\Users\Local_Admin\AppData\Local\Microsoft\OneDrive\24.050.0310.0001

_____________________________________________________

Autoruns:(No Web)

______________________________________________

"C:\Windows\System32\DriverStore\FileRepository\nvamsi.inf_amd64_dbb753a44f4fff27\nvshext.dll"

________________________________________________

AVG Shell exe

"C:\Program Files\AVG\Antivirus\ashShell.dll"

______________________________________________

Link Click to Call

"C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\OCHelper.dll"

_______________________________________________

IEToEdge BHO

C:\Program Files (x86)\Microsoft\Edge\Application\123.0.2420.65\BHO

_______________________________________________

OneDrive Standalone Update Task

"C:\Users\Local_Admin\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe"

_____________________________________________

ClickToRunSvc

C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun

______________________________________________

Windows Defender Advanced

C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.dll

______________________________________________

Image Path REG_EXPAND_SZ Registry Key

"%ProgramFiles%\Windows Defender Advanced Threat Protection\MsSense.exe"\

______________________________________________

Microsoft Update Health Service

C:\Program Files\Microsoft Update Health Tools\uhssvc

_______________________________________________

C:\Windows\PLAInterface id: 0 (\Device\NPF_Loopback)

C:\Windows\SKB\LanguageModels

_______________________________________________

These are the packets that Wireshark is showing with NOTHING connected:

DNS Queries

5353 5353

Source: 192.168.56.1 , Destination: 224.0.0.251

408 689.958536 fe80::1567:edf6:4976:dd73 ff02::fb MDNS 95 Standard query 0x0000 PTR _microsoft_mcc._tcp.local, "QU" question

410 690.973342 fe80::1567:edf6:4976:dd73 ff02::fb MDNS 95 Standard query 0x0000 PTR _microsoft_mcc._tcp.local, "QM" question

411 770.581337 127.0.0.1 127.0.0.1 TCP 45 49722 → 49723 [PSH, ACK] Seq=45 Ack=1 Win=8442 Len=1

412 770.581369 127.0.0.1 127.0.0.1 TCP 44 49723 → 49722 [ACK] Seq=1 Ack=46 Win=8438 Len=0

413 770.581751 127.0.0.1 127.0.0.1 TCP 45 49729 → 49728 [PSH, ACK] Seq=45 Ack=1 Win=8442 Len=1

414 770.581771 127.0.0.1 127.0.0.1 TCP 44 49728 → 49729 [ACK] Seq=1 Ack=46 Win=8439 Len=0

Source 59479

Dest 445

Source 5353

Dest 5353

________________________________________________________

C:\Program Files (x86)\Microsoft\EdgeWebView\Application\123.0.2420.65\123.0.2420.65Manifest

Manifest File?

2 Strange Hidden User accounts which appear as Registry Keys?

<assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'>
  <assemblyIdentity
    name='123.0.2420.65'
    version='123.0.2420.65'
    type='win32'/>
  <file name='msedge_elf.dll'/>
</assembly>

_________________________________________________

Sits Below SustainabilityService.dll

C:\Windows\System32\svchost

wsappx 133.8mb

_____________________________________________

**

C:\Windows\System32\ntoskrnl

Running High 47.0 Mb Under "Secure System"

______________________________________________

C:\Windows\System32\ntprint

C:\Windows\System32\ntprint.dll

_______________________________________________

C:\Windows\System32\svchost

"Service Host: State Repository Service"

_______________________________________________

Windows Widgets:

WebView2 GPU Process 4.7mb

C:\Program Files (x86)\Microsoft\EdgeWebView\Application\123.0.2420.65

**

_______________________________________________

"C:\Windows\System32\0ae3b998-9a38-4b72-a4c4-06849441518d_Servicing-Stack.dll"

"C:\Windows\System32\6bea57fb-8dfb-4177-9ae8-42e8b3529933_RuntimeDeviceInstall.dll"

"C:\Windows\System32\69fe178f-26e7-43a9-aa7d-2b616b672dde_eventlogservice.dll"

"C:\Windows\System32\4545ffe2-0dc4-4df4-9d02-299ef204635e_hvsocket.dll"

"C:\Windows\System32\backgroundTaskHost.exe"

"C:\Windows\System32\BackgroundTransferHost.exe"

C:\Windows\System32\ApplicationFrameHost -> 9.1% MB Running

C:\Windows\System32\DriverStore\FileRepository\asussci2.inf_amd64_c2532b63de827d3d -> 1.7% MB Running

______________________________________________

+HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\AlternateShell

C:\Windows\System32\cmd.exe

______________________________________________

C:\Program Files (x86)\Microsoft\Edge\Application\123.0.2420.65\Installer\msedge_7z.data

_______________________________________________

"C:\Windows\System32\aadauthhelper.dll"

_________________________________________________

"C:\Windows\System32\wbem\unsecapp.exe"

_______________________________________________

+Steelseries HID Service Steelseries HID Driver

C:\Windows\System32\drivers\sshid

________________________________________________

nvvad_WaveExtensible

C:\Windows\System32\drivers\nvvad64v.sys

_______________________________________________

+Known DLL Files Not found?

_wow64cpu

_wowarmhw

_wowarmhw

_xtajit

_xtajit

wow64

wow64base

wow64icon

xtajit64

xtajit64

________________________________________________

	Autoruns Startup 

HKLM\System\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\StartupPrograms

rdpclip

 rdpclip 

 RDP Clipboard Monitor 

 Microsoft Corporation 

 10.0.22621.3374 

 c:\windows\system32\rdpclip.exe 

 9/21/1976 11:09 PM 

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit

C:\Windows\system32\userinit.exe

 C:\Windows\system32\userinit.exe 

 Userinit Logon Application 

 Microsoft Corporation 

 10.0.22621.3235 

 c:\windows\system32\userinit.exe 

 12/6/1943 2:49 AM 

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\VmApplet

SystemPropertiesPerformance.exe

 SystemPropertiesPerformance.exe 

 Change Computer Performance Settings 

 Microsoft Corporation 

 10.0.22621.1 

 c:\windows\system32\systempropertiesperformance.exe 

 10/26/1909 11:12 PM 

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell

explorer.exe

 explorer.exe 

 Windows Explorer 

 Microsoft Corporation 

 10.0.22621.3374 

 c:\windows\explorer.exe 

 8/11/1909 9:54 PM 

__________________________________________________________

		Load Order: 

Boot System Reserved n/a* pcw Performance Counters for Windows Driver System32\drivers\pcw.sys

Boot WdfLoadGroup n/a* Wdf01000 @%SystemRoot%\system32\drivers\Wdf01000.sys,-1000 system32\drivers\Wdf01000.sys

Boot Boot Bus Extender 7 acpiex Microsoft ACPIEx Driver System32\Drivers\acpiex.sys

Boot Boot Bus Extender 2 msisadrv System32\drivers\msisadrv.sys

Boot Boot Bus Extender 3 isapnp System32\drivers\isapnp.sys

Boot Boot Bus Extender 3 pci @pci.inf,%pci_svcdesc%;PCI Bus Driver System32\drivers\pci.sys

Boot Boot Bus Extender 4 vdrvroot @vdrvroot.inf,%vdrvroot_svcdesc%;Microsoft Virtual Drive Enumerator System32\drivers\vdrvroot.sys

Boot Boot Bus Extender n/a* partmgr @%SystemRoot%\system32\drivers\partmgr.sys,-100 System32\drivers\partmgr.sys

Boot Boot Bus Extender n/a* pdc @%SystemRoot%\system32\drivers\pdc.sys,-100 system32\drivers\pdc.sys

Boot System Bus Extender 7 nvraid System32\drivers\nvraid.sys

Boot System Bus Extender 3 ebdrv0 @netevbd0a.inf,%vbd_srv_desc%;QLogic Legacy Ethernet Adapter VBD System32\drivers\evbd0a.sys

Boot System Bus Extender 4 ebdrv @netevbda.inf,%vbd_srv_desc%;QLogic 10 Gigabit Ethernet Adapter VBD System32\drivers\evbda.sys

Boot System Bus Extender 1 pcmcia System32\drivers\pcmcia.sys

Boot System Bus Extender 8 spaceport @spaceport.inf,%Spaceport_ServiceDesc%;Storage Spaces Driver System32\drivers\spaceport.sys

Boot System Bus Extender 9 pciide System32\drivers\pciide.sys

Boot System Bus Extender 9 volmgr @volmgr.inf,%volmgr_svcdesc%;Volume Manager Driver System32\drivers\volmgr.sys

Boot System Bus Extender 10 intelide System32\drivers\intelide.sys

Boot System Bus Extender 10 volmgrx @%SystemRoot%\system32\drivers\volmgrx.sys,-100 System32\drivers\volmgrx.sys

Boot System Bus Extender 12 vmbus @wvmbus.inf,%vmbus.SVCDESC%;Virtual Machine Bus System32\drivers\vmbus.sys

Boot System Bus Extender 13 vpci @wvpci.inf,%vpci.SVCDESC%;Microsoft Hyper-V Virtual PCI Bus System32\drivers\vpci.sys

Boot System Bus Extender 2 b06bdrv @netbvbda.inf,%vbd_srv_desc%;QLogic Network Adapter VBD System32\drivers\bxvbda.sys

Boot System Bus Extender n/a* mountmgr @%SystemRoot%\system32\drivers\mountmgr.sys,-100 System32\drivers\mountmgr.sys

Boot SCSI Miniport 25 iaStorV @iastorv.inf,%*PNP0600.DeviceDesc%;Intel RAID Controller Windows 7 System32\drivers\iaStorV.sys

Boot SCSI Miniport 25 stexstor System32\drivers\stexstor.sys

Boot SCSI Miniport 1 AppleSSD @AppleSSD.inf,%DevDesc1%;Apple Solid State Drive Device System32\drivers\AppleSSD.sys

Boot SCSI miniport 2 3ware System32\drivers\3ware.sys

Boot SCSI miniport 4 amdsata System32\drivers\amdsata.sys

Boot SCSI miniport 5 amdxata System32\drivers\amdxata.sys

Boot SCSI miniport 6 amdsbs System32\drivers\amdsbs.sys

Boot SCSI miniport 7 arcsas @arcsas.inf,%arcsas_ServiceName%;Adaptec SAS/SATA-II RAID Storport's Miniport Driver System32\drivers\arcsas.sys

Boot SCSI Miniport 9 ItSas35i System32\drivers\ItSas35i.sys

Boot SCSI Miniport 10 LSI_SAS System32\drivers\lsi_sas.sys

Boot SCSI Miniport 11 LSI_SAS2i System32\drivers\lsi_sas2i.sys

Boot SCSI Miniport 12 LSI_SAS3i System32\drivers\lsi_sas3i.sys

Boot SCSI Miniport 13 megasas2i System32\drivers\MegaSas2i.sys

Boot SCSI Miniport 14 megasas35i System32\drivers\megasas35i.sys

Boot SCSI Miniport 15 megasr System32\drivers\megasr.sys

Boot SCSI Miniport 16 mpi3drvi System32\drivers\mpi3drvi.sys

Boot SCSI Miniport 17 mvumis System32\drivers\mvumis.sys

Boot SCSI Miniport 18 nvstor System32\drivers\nvstor.sys

Boot SCSI Miniport 19 percsas2i System32\drivers\percsas2i.sys

Boot SCSI Miniport 20 percsas3i System32\drivers\percsas3i.sys

Boot SCSI Miniport 21 pvscsi @pvscsii.inf,%pvscsi.DiskName%;pvscsi Storage Controller Driver System32\drivers\pvscsii.sys

Boot SCSI Miniport 22 SiSRaid2 System32\drivers\SiSRaid2.sys

Boot SCSI Miniport 23 SiSRaid4 System32\drivers\sisraid4.sys

Boot SCSI Miniport 26 vsmraid System32\drivers\vsmraid.sys

Boot SCSI Miniport 27 VSTXRAID @vstxraid.inf,%Driver.DeviceDesc%;VIA StorX Storage RAID Controller Windows Driver System32\drivers\vstxraid.sys

Boot SCSI Miniport 28 cht4iscsi System32\drivers\cht4sx64.sys

Boot SCSI miniport 29 iaStorAVC @iastorav.inf,%iaStorAVC.DeviceDesc%;Intel Chipset SATA RAID Controller System32\drivers\iaStorAVC.sys

Boot SCSI Miniport 31 atapi @mshdc.inf,%idechannel.DeviceDesc%;IDE Channel System32\drivers\atapi.sys

Boot SCSI Miniport 32 storahci @mshdc.inf,%storahci_ServiceDescription%;Microsoft Standard SATA AHCI Driver System32\drivers\storahci.sys

Boot SCSI miniport 33 iaStorVD @oem22.inf,%iaStorVD.ServiceName%;Intel(R) Chipset VMD RST Controller service System32\drivers\iaStorVD.sys

Boot SCSI Miniport 33 stornvme @stornvme.inf,%StorNVMe_ServiceDesc%;Microsoft Standard NVM Express Driver System32\drivers\stornvme.sys

Boot SCSI Miniport 210* ADP80XX System32\drivers\ADP80XX.SYS

Boot SCSI Miniport 259* HpSAMD System32\drivers\HpSAMD.sys

Boot SCSI Miniport 259* SmartSAMD System32\drivers\SmartSAMD.sys

Boot Primary Disk 1 nvdimm @nvdimm.inf,%nvdimm.SvcDesc%;Microsoft NVDIMM device driver System32\drivers\nvdimm.sys

Boot SCSI Class 1 EhStorTcgDrv @ehstortcgdrv.inf,%EhStorTcgDrv.Desc%;Microsoft driver for storage devices supporting IEEE 1667 and TCG protocols System32\drivers\EhStorTcgDrv.sys

Boot SCSI Class n/a* EhStorClass @%SystemRoot%\system32\drivers\EhStorClass.sys,-100 System32\drivers\EhStorClass.sys

Boot FSFilter Infrastructure 1 FltMgr @%SystemRoot%\system32\drivers\fltmgr.sys,-10001 system32\drivers\fltmgr.sys

Boot FSFilter Bottom n/a* FileInfo @%SystemRoot%\system32\drivers\fileinfo.sys,-100 System32\drivers\fileinfo.sys

Boot FSFilter Compression n/a* Wof Windows Overlay File System Filter Driver

Boot FSFilter Anti-Virus n/a* WdFilter @%ProgramFiles%\Windows Defender\MpAsDesc.dll,-330 system32\drivers\wd\WdFilter.sys

Boot Filter 1 CLFS @%SystemRoot%\system32\drivers\clfs.sys,-100 System32\drivers\CLFS.sys

Boot Base 1 KSecDD System32\Drivers\ksecdd.sys

Boot Base 26* storvsc System32\drivers\storvsc.sys

Boot File System n/a* Fs_Rec

Boot NDIS Wrapper n/a* NDIS @%SystemRoot%\system32\drivers\ndis.sys,-200 system32\drivers\ndis.sys

Boot Cryptography 2 KSecPkg System32\Drivers\ksecpkg.sys

Boot PNP_TDI 3 Tcpip @%SystemRoot%\system32\drivers\tcpip.sys,-10001 System32\drivers\tcpip.sys

Boot PNP_TDI n/a* WFPLWFS @%SystemRoot%\System32\drivers\wfplwfs.sys,-6000 System32\drivers\wfplwfs.sys

Boot Extended Base n/a* avgRvrt avgRvrt system32\drivers\avgRvrt.sys

Boot Extended Base n/a* avgVmm avgVmm system32\drivers\avgVmm.sys

Boot Extended Base 46* storflt @wstorflt.inf,%service_desc%;Microsoft Hyper-V Storage Accelerator System32\drivers\vmstorfl.sys

Boot Core* 2* ACPI @acpi.inf,%ACPI.SvcDesc%;Microsoft ACPI Driver System32\drivers\ACPI.sys

Boot n/a* n/a* avgbidsh avgbidsh system32\drivers\avgbidsh.sys

Boot n/a* n/a* avgbuniv avgbuniv system32\drivers\avgbuniv.sys

Boot Early-Launch* n/a* avgElam avgElam system32\drivers\avgElam.sys

Boot PnP Filter* 6* bttflt @virtdisk.inf,%service_desc%;Microsoft Hyper-V VHDPMEM BTT Filter System32\drivers\bttflt.sys

Boot Core* 4* CNG System32\Drivers\cng.sys

Boot n/a* n/a* disk @disk.inf,%disk_ServiceDesc%;Disk Driver System32\drivers\disk.sys

Boot PnP Filter* 5* fvevol @%SystemRoot%\system32\drivers\fvevol.sys,-100 System32\DRIVERS\fvevol.sys

Boot * n/a* GenPass @genpass.inf,%GenPass.SVCDESC%;Microsoft GenPass Driver System32\DriverStore\FileRepository\genpass.inf_amd64_bef88a423225ecdc\genpass.sys

Boot n/a* n/a* hwpolicy @%systemroot%\system32\drivers\hwpolicy.sys,-101 System32\drivers\hwpolicy.sys

Boot Core Security Extensions* 1* intelpep @intelpep.inf,%INTELPEP.SVCDESC%;Intel(R) Power Engine Plug-in Driver System32\drivers\intelpep.sys

Boot Core Security Extensions* 2* IntelPMT @intelpmt.inf,%IntelPMT.SVCDESC%;Intel(R) Platform Monitoring Technology Service System32\drivers\IntelPMT.sys

Boot PnP Filter* n/a* iorate @%SystemRoot%\system32\drivers\iorate.sys,-101 system32\drivers\iorate.sys

Boot n/a* n/a* MsSecCore @%SystemRoot%\System32\Drivers\msseccore.sys,-1001 system32\drivers\msseccore.sys

Boot Network* n/a* Mup @%systemroot%\system32\drivers\mup.sys,-101 System32\Drivers\mup.sys

Boot * n/a* nvmedisk @nvmedisk.inf,%nvmedisk.SvcDesc%;Microsoft NVMe disk driver System32\drivers\nvmedisk.sys

Boot n/a* n/a* pmem @pmem.inf,%pmem.SvcDesc%;Microsoft persistent memory disk driver System32\drivers\pmem.sys

Boot * n/a* PRM @prm.inf,%PRM.SvcDesc%;Microsoft PRM Driver System32\DriverStore\FileRepository\prm.inf_amd64_de435dc5c75d64a5\PRM.sys

Boot n/a* n/a* Ramdisk Windows RAM Disk Driver system32\DRIVERS\ramdisk.sys

Boot PnP Filter* n/a* rdyboost ReadyBoost System32\drivers\rdyboost.sys

Boot n/a* n/a* sbp2port @sbp2.inf,%sbp2_ServiceDesc%;SBP-2 Transport/Protocol Bus Driver System32\drivers\sbp2port.sys

Boot n/a* n/a* scmbus @scmbus.inf,%scmbus.SvcDesc%;Microsoft Storage Class Memory Bus Driver System32\drivers\scmbus.sys

Boot n/a* n/a* storufs @storufs.inf,%UfsServiceDesc%;Microsoft Universal Flash Storage (UFS) Driver System32\drivers\storufs.sys

Boot n/a* n/a* volsnap @%SystemRoot%\system32\drivers\volsnap.sys,-100 System32\drivers\volsnap.sys

Boot * n/a* volume @volume.inf,%VolumeServiceDesc%;Volume driver System32\drivers\volume.sys

Boot Core Security Extensions* 1* WindowsTrustedRT Windows Trusted Execution Environment Class Extension system32\drivers\WindowsTrustedRT.sys

Boot Core Security Extensions* 2* WindowsTrustedRTProxy @WindowsTrustedRTProxy.inf,%WindowsTrustedRTProxy.SVCDESC%;Microsoft Windows Trusted Runtime Secure Service System32\drivers\WindowsTrustedRTProxy.sys

System SCSI CDROM Class 1 cdrom @cdrom.inf,%cdrom_ServiceDesc%;CD-ROM Driver \SystemRoot\System32\drivers\cdrom.sys

System FSFilter Security Enhancer n/a* avgSP avgSP system32\drivers\avgSP.sys

System FSFilter Virtualization n/a* avgSnx avgSnx system32\drivers\avgSnx.sys

System FSFilter Encryption n/a* FileCrypt @%systemroot%\system32\drivers\filecrypt.sys,-100 system32\drivers\filecrypt.sys

System FSFilter Anti-Virus n/a* avgMonFlt avgMonFlt system32\drivers\avgMonFlt.sys

System FSFilter Activity Monitor n/a* UCPD @%SystemRoot%\system32\drivers\UCPD.sys,-200 system32\drivers\UCPD.sys

System Base 1 Null

System Base 2 Beep Beep

System Keyboard Port n/a* avgKbd avgKbd system32\drivers\avgKbd.sys

System Video Init 1 DXGKrnl LDDM Graphics Subsystem \SystemRoot\System32\drivers\dxgkrnl.sys

System Video 1 BasicDisplay \SystemRoot\System32\DriverStore\FileRepository\basicdisplay.inf_amd64_02da009b3d736cc1\BasicDisplay.sys

System Video 2* BasicRender \SystemRoot\System32\DriverStore\FileRepository\basicrender.inf_amd64_402645b3f1a80dd7\BasicRender.sys

System File system n/a* CimFS

System File system n/a* Msfs

System File system n/a* Npfs

System PNP_TDI 4 tdx @%SystemRoot%\system32\tcpipcfg.dll,-50004 \SystemRoot\system32\DRIVERS\tdx.sys

System PNP_TDI n/a* AFD @%systemroot%\system32\drivers\afd.sys,-1000 \SystemRoot\system32\drivers\afd.sys

System PNP_TDI n/a* afunix afunix \SystemRoot\system32\drivers\afunix.sys

System PNP_TDI n/a* avgRdr avgRdr system32\drivers\avgRdr2.sys

System PNP_TDI n/a* NetBT @%SystemRoot%\system32\drivers\netbt.sys,-2 System32\DRIVERS\netbt.sys

System NDIS 17 VBoxNetLwf @oem84.inf,%VBoxNetLwfService_Desc%;VirtualBox NDIS6 Bridged Networking Service \SystemRoot\system32\DRIVERS\VBoxNetLwf.sys

System NDIS 18 npcap @oem101.inf,%NPF_Desc_Standard%;Npcap Packet Driver (NPCAP) \SystemRoot\system32\DRIVERS\npcap.sys

System NDIS n/a* avgNetHub avgNetHub system32\drivers\avgNetHub.sys

System NDIS n/a* NdisCap @%SystemRoot%\System32\drivers\ndiscap.sys,-5000 System32\drivers\ndiscap.sys

System NDIS n/a* Psched @%windir%\System32\drivers\pacer.sys,-101 System32\drivers\pacer.sys

System NDIS n/a* vwififlt @%SystemRoot%\System32\drivers\vwififlt.sys,-259 System32\drivers\vwififlt.sys

System NetBIOSGroup n/a* NetBIOS @%windir%\system32\drivers\netbios.sys,-503 system32\drivers\netbios.sys

System Extended Base 42* Vid \SystemRoot\System32\drivers\Vid.sys

System n/a* n/a* ahcache @%systemroot%\system32\drivers\ahcache.sys,-102 system32\DRIVERS\ahcache.sys

System * n/a* ATKWMIACPIIO ATKWMIACPI Driver \SystemRoot\System32\DriverStore\FileRepository\asussci2.inf_amd64_c2532b63de827d3d\ASUSOptimization\AsusWmiAcpi.sys

System n/a* n/a* avgArPot avgArPot system32\drivers\avgArPot.sys

System n/a* n/a* avgbidsdriver avgbidsdriver system32\drivers\avgbidsdriver.sys

System n/a* n/a* bam @%SystemRoot%\system32\drivers\bam.sys,-100 system32\drivers\bam.sys

System network* 9* CSC @%systemroot%\system32\cscsvc.dll,-202 system32\drivers\csc.sys

System n/a* n/a* dam @%SystemRoot%\system32\drivers\dam.sys,-100 system32\drivers\dam.sys

System Network* n/a* Dfsc @%systemroot%\system32\wkssvc.dll,-1008 System32\Drivers\dfsc.sys

System * n/a* mssmbios @mssmbios.inf,%mssmbios_svcdesc%;Microsoft System Management BIOS Driver \SystemRoot\System32\drivers\mssmbios.sys

System * n/a* npsvctrig @npsvctrig.inf,%NPSVCTRIG.SvcDisplayName%;Named pipe service trigger provider \SystemRoot\System32\drivers\npsvctrig.sys

System n/a* n/a* nsiproxy @%SystemRoot%\system32\drivers\nsiproxy.sys,-2 system32\drivers\nsiproxy.sys

System Network* 4* rdbss @%systemroot%\system32\wkssvc.dll,-1000 system32\DRIVERS\rdbss.sys

System n/a* n/a* VBoxSup VirtualBox Service \SystemRoot\system32\DRIVERS\VBoxSup.sys

System n/a* n/a* VBoxUSBMon VirtualBox USB Monitor Service \SystemRoot\system32\DRIVERS\VBoxUSBMon.sys

System n/a* n/a* veracrypt veracrypt System32\drivers\veracrypt.sys

Automatic FSFilter Virtualization n/a* bfs @%systemroot%\system32\drivers\bfs.sys,-100 \SystemRoot\system32\drivers\bfs.sys

Automatic FSFilter Virtualization n/a* luafv @%systemroot%\system32\drivers\luafv.sys,-100 \SystemRoot\system32\drivers\luafv.sys

Automatic FSFilter Virtualization n/a* wcifs @%systemroot%\system32\drivers\wcifs.sys,-100 \SystemRoot\system32\drivers\wcifs.sys

Automatic FSFilter HSM 1 CldFlt Windows Cloud Files Filter Driver system32\drivers\cldflt.sys

Automatic FSFilter Quota Management n/a* storqosflt @%SystemRoot%\System32\drivers\storqosflt.sys,-101 system32\drivers\storqosflt.sys

Automatic FSFilter Top n/a* bindflt @%systemroot%\system32\drivers\bindflt.sys,-100 \SystemRoot\system32\drivers\bindflt.sys

Automatic Video n/a* NVDisplay.ContainerLocalSystem NVIDIA Display Container LS

Automatic COM Infrastructure n/a* BrokerInfrastructure @%windir%\system32\bisrv.dll,-100 %SystemRoot%\system32\svchost.exe -k DcomLaunch -p

Automatic COM Infrastructure n/a* DcomLaunch @combase.dll,-5012 %SystemRoot%\system32\svchost.exe -k DcomLaunch -p

Automatic COM Infrastructure n/a* LSM @%windir%\system32\lsm.dll,-1001 %SystemRoot%\system32\svchost.exe -k DcomLaunch -p

Automatic COM Infrastructure n/a* RpcEptMapper @%windir%\system32\RpcEpMap.dll,-1001 %SystemRoot%\system32\svchost.exe -k RPCSS -p

Automatic COM Infrastructure n/a* RpcSs @combase.dll,-5010 %SystemRoot%\system32\svchost.exe -k rpcss -p

Automatic Event Log n/a* EventLog @%SystemRoot%\system32\wevtsvc.dll,-200 %SystemRoot%\System32\svchost.exe -k LocalServiceNetworkRestricted -p

Automatic ProfSvc_Group n/a* AvgWscReporter "C:\Program Files\AVG\Antivirus\wsc_proxy.exe" /runassvc /rpcserver

Automatic ProfSvc_Group n/a* gpsvc @gpapi.dll,-112 %systemroot%\system32\svchost.exe -k netsvcs -p

Automatic profsvc_group n/a* ProfSvc @%systemroot%\system32\profsvc.dll,-300 %systemroot%\system32\svchost.exe -k UserProfileService -p

Automatic ProfSvc_Group n/a* SENS @%SystemRoot%\system32\Sens.dll,-200 %SystemRoot%\system32\svchost.exe -k netsvcs -p

Automatic profsvc_group n/a* SysMain @%SystemRoot%\system32\sysmain.dll,-1000 %systemroot%\system32\svchost.exe -k LocalSystemNetworkRestricted -p

Automatic ProfSvc_Group n/a* Themes @%SystemRoot%\System32\themeservice.dll,-8192 %SystemRoot%\System32\svchost.exe -k netsvcs -p

Automatic AudioGroup n/a* AudioEndpointBuilder @%SystemRoot%\system32\AudioEndpointBuilder.dll,-204 %SystemRoot%\System32\svchost.exe -k LocalSystemNetworkRestricted -p

Automatic AudioGroup n/a* Audiosrv @%SystemRoot%\system32\audiosrv.dll,-200 %SystemRoot%\System32\svchost.exe -k LocalServiceNetworkRestricted -p

Automatic AudioGroup n/a* FontCache @%systemroot%\system32\FntCache.dll,-100 %SystemRoot%\system32\svchost.exe -k LocalService -p

Automatic MS_WindowsLocalValidation n/a* SamSs @%SystemRoot%\system32\samsrv.dll,-1 %SystemRoot%\system32\lsass.exe

Automatic Plugplay n/a* Power @%SystemRoot%\system32\umpo.dll,-100 %SystemRoot%\system32\svchost.exe -k DcomLaunch -p

Automatic PlugPlay n/a* TextInputManagementService @%SystemRoot%\system32\TabSvc.dll,-100 %SystemRoot%\System32\svchost.exe -k LocalSystemNetworkRestricted -p

Automatic NDIS n/a* lltdio @%SystemRoot%\system32\lltdres.dll,-6 system32\drivers\lltdio.sys

Automatic NDIS n/a* MsLldp @%SystemRoot%\system32\drivers\mslldp.sys,-200 system32\drivers\mslldp.sys

Automatic NDIS n/a* rspndr @%SystemRoot%\system32\lltdres.dll,-5 system32\drivers\rspndr.sys

Automatic NDIS n/a* wanarp @%systemroot%\system32\mprmsg.dll,-32011 System32\DRIVERS\wanarp.sys

Automatic TDI n/a* Dhcp @%SystemRoot%\system32\dhcpcore.dll,-100 %SystemRoot%\system32\svchost.exe -k LocalServiceNetworkRestricted -p

Automatic TDI n/a* Dnscache @%SystemRoot%\System32\dnsapi.dll,-101 %SystemRoot%\system32\svchost.exe -k NetworkService -p

Automatic TDI n/a* DusmSvc @%SystemRoot%\System32\dusmsvc.dll,-1 %SystemRoot%\Syste
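The Process Monitor and Wireshark lines in the notes above (UDP sends to ff02::1:3 and 224.0.0.252, mDNS queries to ff02::fb and 224.0.0.251, and TCP between two ports on 127.0.0.1) can be sorted mechanically before anyone reaches for the word C2: 224.0.0.252 and ff02::1:3 are the LLMNR multicast groups, 224.0.0.251 and ff02::fb are the mDNS multicast groups, and 127.0.0.1 traffic never leaves the host. The script below is an added example, not part of the original post or of any Sysinternals or Wireshark tool; every function and regex in it is the editor's own. It parses the three line shapes that appear in the notes, classifies each destination, and flags only off-host unicast destinations for follow-up. The last sample line (to 203.0.113.7, an RFC 5737 documentation address) is constructed so that the follow-up branch is exercised.

```python
"""Sort destinations from Process Monitor / Wireshark note lines into
link-local name resolution, loopback, local-network unicast and off-host
unicast. Added example; all functions here are the editor's, not from the
post or from any tool named in it."""
import ipaddress
import re

# Multicast groups Windows uses for name resolution (RFC 4795 LLMNR, RFC 6762 mDNS).
KNOWN_MULTICAST = {
    ipaddress.ip_address("224.0.0.252"): "LLMNR (UDP 5355)",
    ipaddress.ip_address("ff02::1:3"): "LLMNR (UDP 5355)",
    ipaddress.ip_address("224.0.0.251"): "mDNS (UDP 5353)",
    ipaddress.ip_address("ff02::fb"): "mDNS (UDP 5353)",
}

# Ranges that mean "a peer on the same network", not "somewhere on the internet".
LOCAL_NETWORKS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "169.254.0.0/16", "fe80::/10", "fc00::/7")
]

# Three line shapes that occur in the notes above:
#   Process Monitor  "<srcport> -> <dest>:<service>"
#   Wireshark        "<no> <time> <src> <dst> <proto> ..."
#   free text        "Source: <src> , Destination: <dst>"
PROCMON_RE = re.compile(r"^\d+ -> (?P<dest>.+):(?P<service>\w+)$")
WIRESHARK_RE = re.compile(r"^\d+\s+[\d.]+\s+(?P<src>\S+)\s+(?P<dest>\S+)\s+\S+")
DESTINATION_RE = re.compile(r"Destination:\s*(?P<dest>\S+)")

# Sample lines: the first five follow the notes in the post; the last one is
# constructed (203.0.113.7 is an RFC 5737 documentation address) to exercise
# the follow-up branch.
SAMPLE_LINES = [
    "57529 -> ff02::1:3:llmnr",
    "57529 -> 224.0.0.252:llmnr",
    "408 689.958536 fe80::1567:edf6:4976:dd73 ff02::fb MDNS 95 Standard query 0x0000 PTR _microsoft_mcc._tcp.local",
    "411 770.581337 127.0.0.1 127.0.0.1 TCP 45 49722 -> 49723 [PSH, ACK] Seq=45 Ack=1 Win=8442 Len=1",
    "Source: 192.168.56.1 , Destination: 224.0.0.251",
    "1 0.000000 192.168.1.20 203.0.113.7 TCP 66 51000 -> 443 [SYN] Seq=0 Win=64240 Len=0",
]


def extract_destination(line):
    """Return the destination address from one note line, or None if no shape matches."""
    for pattern in (PROCMON_RE, WIRESHARK_RE, DESTINATION_RE):
        match = pattern.search(line.strip())
        if match:
            return match.group("dest")
    return None


def classify(dest):
    """Map a destination address to a triage verdict string."""
    try:
        addr = ipaddress.ip_address(dest)
    except ValueError:
        return "unparsed: not an IP address"
    if addr in KNOWN_MULTICAST:
        return f"expected: {KNOWN_MULTICAST[addr]} multicast, never routed off the local link"
    if addr.is_loopback:
        return "loopback: inter-process traffic that never leaves this host"
    if addr.is_multicast:
        return "other multicast: find which service joined this group"
    if any(addr in net for net in LOCAL_NETWORKS):
        return "local network unicast: identify the peer host"
    return "FOLLOW UP: off-host unicast destination, capture the owning process and payload"


def triage(lines):
    """Return (line, destination, verdict) for every input line."""
    results = []
    for line in lines:
        dest = extract_destination(line)
        verdict = classify(dest) if dest else "unparsed: no destination found"
        results.append((line, dest, verdict))
    return results


if __name__ == "__main__":
    for line, dest, verdict in triage(SAMPLE_LINES):
        print(f"{dest or '-':>24}  {verdict}")
```

Run as-is it prints one verdict per sample line; to use it on a real capture, feed it exported Process Monitor or Wireshark summary lines instead of SAMPLE_LINES. A destination flagged for follow-up still needs the owning process (Process Explorer or Process Monitor) and the actual payload before it means anything; the script only removes the link-local and loopback noise so that the remaining lines are the ones worth that effort.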

Locked Question. This question was migrated from the Microsoft Support Community.

10 answers
  1. Anonymous
    2024-04-09T15:43:54+00:00

    I'd like to be kept in the loop on this. I have the exact same infected files as Geneva_X. However, I've been fighting this infection for over 5 years. First 4 years, unknowingly just how deep and serious of an infection I had. I would wipe the drive and reinstall a clean Windows system and move on. That is until I realized what I did. ALL my devices are infected down to the kernel. From Windows and Linux machines, to iPhones, SmartTVs and even my SmartFridge. I've done all the research myself for over a year and even quit working 5 months ago to spend full time seeing what in the world I've been infected with. The conclusion I've come to on all my systems here is that this is a rootkit, deeply nestled in the kernel. It's changed lots of the firmware on all my devices. Absolutely nothing picks it up as far as AVs or internet security. It subverts everything thrown at it. I had to learn Linux to be able to see how it maintains persistence even after flashing the BIOS ROM chip, installing a new hard drive and a Windows 10 from an Official Microsoft DVD. It's all in the kernel programming. That's what was hacked. All the ACPI tables have been changed. And all of this boots up at the base start of RAM and there's no way in hell to beat it. At least my computer skills can't. I'm pretty savvy with computer systems, I just don't have programming skills. I can read and understand some, I can't write. I had to take video of my Linux box at boot time just so I can slow the video down and see what is booting. And like I said, there's hundreds of functions and switches to the kernel, but the main one I saw causing all these files Geneva_X listed was the reprogramming of the ACPI tables. With time it just gets worse and worse in taking complete control of the device. Down at the kernel level it installs TCP Cache Hash Tables and maintains network connectivity with your device, no matter where or in what state your device is. (On/Off, Connected/NotConnected).
    Everything you install or visit or try to do is automatically taken over, as the hacker/virus takes over the loopback device address at 127.0.0.1. Then it uses multicasting, which I haven't gotten to yet, but that's where you start seeing the 224.x.x.x Geneva listed. You'll also see 0.0.0.0, 10.x.x.x, 239.x.x.x, 198.x.x.x addresses. I've had very few hits in these 5 years, as I found out all the symptoms I would research were being re-routed by these hackers/viruses, so it wasn't until recently that I found some ways to go around it, and at every single forum I've landed on with these exact same symptoms, the moderators have either ridiculed, mocked, or not taken seriously the poster's symptoms and backstory, and they brush them off with a clean malware scan that, as I've said before, comes back clean from any AV. Other things I've seen are running the posters around in circles, never replying back to the poster; just awful the way they're treated. This is the first place where a moderator actually listened to the symptoms exhibited AND agreed that there is an infection present. That's why this is the first place I'd like to give my two cents about it. I tried to at BleepingComputer, and the moderator wanted all the scans that they initially do, even after I told him that they would come up spic and span clean, just like OP had, and who hadn't been replied to after all the terrific research he did by himself. Anyway, I've already turned in a 3 month package I prepared over to the FBI. It was eye-opening at first, a great learning experience, just where all the holes and vulnerabilities are at in my network, but I can't anymore. I'm tired. I've lost so much sleep, weight, and for crying out loud, I stopped working!! I gave up when I brought in brand new laptops bought at Best Buy and taken out all RF and IR emitting components there at the store. Disabled anything and everything at my house with the same components.
    Installed a brand new modem from my ISP, with a direct ethernet cable connection to the computers, and the computers installed the Windows 11 that came with them, WITH ALL THE SAME FILES AND FOLDERS THAT Geneva_X has here. That there actually spooked me out a bit. So I'm gonna fight fire with fire and let the Feds take over. Problem is that there's a process for them and in the meanwhile I'm stuck at ground zero, no man's land, fighting these goons back with nothing but infected tools, so I'm in a pretty crappy situation. Like I said, I have not seen anything close to helping this out anywhere. I ended up going to the local university here and asking for the computer science department dean when I became completely frustrated at one point. He told me all systems had been subverted and started me out with a script called Trawler on GitHub. That script found over 250 infections on my first device, with over, and I counted, 190 of them on the kernel. Keep me posted on Geneva_X or anything you find out. If you want further things I've researched and came up with, let me know. I got tons that I gave the feds. My hackers happened to be Asian, Japanese/Chinese to be exact. I have hundreds of Jap/Chn language packs on the registries to my devices. IME packs in those languages with absolute system privileges and controls, that won't let me do any changes. Just a bunch of info I've discovered from researching this. Thanks a lot, fellas. Let's see what we can come up with and knock these freakin' goons out where they belong.

    20+ people found this answer helpful.
    0 comments No comments
  2. Anonymous
    2024-10-12T01:43:13+00:00

    Hey everyone, so I actually figured this out and solved it. I did extensive searching and found an archived thread on Reddit where a very anti-monitoring (privacy addict) guy was dealing with the same thing. Based on what I understand and what he says / believes, which I'm confident in unless told otherwise, it is the built-in NVIDIA telemetry causing this issue.

    Here is the Reddit link: https://www.reddit.com/r/nvidia/s/niHq4uLrLq

    I followed his process step by step and it eliminated every single EventViewer error related to the issue. You have to manually re-assign folder ownership & permissions in order to delete the telemetry files, otherwise you won't be able to.

    Another thing to keep in mind is when you update your NVIDIA drivers you will have to repeat this process. If you are familiar with NVslimmer or NVcleaninstall, neither of those will accomplish what manually deleting these files does and without doing it the manual way you will create issues with the driver certificate signatures.

    I will copy / paste his post in italics, in case the URL is blocked after I post this.

    IMPORTANT NOTE: The folder that houses the "Display.NvContainer" and the "plugins" folder he mentions might, and likely will, have a different name than his. My folder has a different name as well. It is quick and easy to figure out which folder you will use by simply clicking into each NVIDIA folder until you find the one you're looking for, as there are not very many in that directory that start with an "n". Or, you can check your logs like he points out.

    “How to properly disable Nvidia Telemetry baked in driver.

    This is not recommended for people using Geforce Experience, because if you are using it you don't care about telemetry.

    So you can get rid of most of the telemetry by using "NVcleanstall", but Nvidia has telemetry built inside the driver. This is a guide on how to remove it manually.

    Stop all NVIDIA services.

    You need to delete 4 files for this.

    Location: C:\Windows\System32\DriverStore\FileRepository\nvamig.inf_amd64_91529e61bce2ff08\Display.NvContainer\plugins

    You might have a different location; you can check yours by checking the log file inside: C:\ProgramData\NVIDIA

    These are protected files; you might need to take ownership of them before deleting them.

    Google "Take Full Ownership of Files & Folders Context Menu" - use majorgeeks one.

    The first 3 are in the LocalSystem folder:

    1. _DisplayDriverRAS.dll (biggest culprit) (initiates the Telemetry API inside nvcontainer.exe)

    2. _NvMsgBusBroadcast.dll

    3. _nvtopps.dll

    The last one is in the session folder:

    1. _NvGSTPlugin.dll (2nd biggest culprit)

    2. nvprofileupdaterplugin.dll (checks for driver updates; you can remove it based on your use case)

    Restart device.

    After doing all these steps, NVIDIA container has 0% CPU usage under any condition; even on restart it doesn't spike for a few seconds.”

    7 people found this answer helpful.
    0 comments No comments
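    The procedure quoted above (find the Display.NvContainer\plugins folder, stop the services, take ownership, delete the five DLLs) can be done in a way that leaves a record and is reversible. The script below is an added example; it is not code from this answer, from the Reddit post, or from NVIDIA. It first inventories the DLLs the post names (path, size, Authenticode signature status and signer, SHA-256), which also lets you check whether the files carry a vendor signature before deciding they are hostile, and only when run with -Remove does it carry out the stop/take-ownership/delete steps, copying each file to a backup folder first so a later driver update or a regret can be undone. Assumptions not confirmed by the page: the plugin sub-folders are literally named "LocalSystem" and "Session", the NVIDIA container services match the name pattern "NVDisplay.Container*", and the DriverStore folder starts with "n" as the answer says (the script globs for it rather than hard-coding the hash).

```powershell
<#
  Added example (not code from the Q&A answer, the Reddit post, or NVIDIA).
  Inventories the NvContainer plugin DLLs the post names, then, only with -Remove,
  performs the post's stop-services / take-ownership / delete steps with a backup.
  Assumptions: sub-folders "LocalSystem" and "Session"; services "NVDisplay.Container*".
  Run from an elevated PowerShell prompt.
#>
[CmdletBinding()]
param(
    [switch]$Remove,
    [string]$BackupDir = (Join-Path $env:ProgramData 'NvContainerPluginBackup')
)

# DLL names from the post, grouped by the sub-folder the post places them in.
$targets = @{
    'LocalSystem' = @('_DisplayDriverRAS.dll', '_NvMsgBusBroadcast.dll', '_nvtopps.dll')
    'Session'     = @('_NvGSTPlugin.dll', 'nvprofileupdaterplugin.dll')
}

# The DriverStore folder name (nvamig.inf_amd64_<hash> in the post) differs per machine,
# so glob for any n*.inf_amd64_* folder that actually contains Display.NvContainer\plugins.
$repo = Join-Path $env:SystemRoot 'System32\DriverStore\FileRepository'
$pluginDirs = Get-ChildItem -Path $repo -Directory -Filter 'n*.inf_amd64_*' -ErrorAction SilentlyContinue |
    ForEach-Object { Join-Path $_.FullName 'Display.NvContainer\plugins' } |
    Where-Object { Test-Path -LiteralPath $_ }

if (-not $pluginDirs) {
    Write-Warning "No Display.NvContainer\plugins folder found under $repo; check the logs in C:\ProgramData\NVIDIA for the real path."
    return
}

# Inventory: record what is present before anything is changed.
$found = foreach ($dir in $pluginDirs) {
    foreach ($sub in $targets.Keys) {
        foreach ($name in $targets[$sub]) {
            $path = Join-Path (Join-Path $dir $sub) $name
            if (-not (Test-Path -LiteralPath $path)) { continue }
            $sig = Get-AuthenticodeSignature -FilePath $path
            [pscustomobject]@{
                Path      = $path
                Bytes     = (Get-Item -LiteralPath $path).Length
                Signature = $sig.Status   # Valid, NotSigned, HashMismatch, ...
                Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
                Sha256    = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
            }
        }
    }
}

if (-not $found) { Write-Host 'None of the listed plugin DLLs are present.'; return }
$found | Format-Table -AutoSize Path, Bytes, Signature, Signer
$found | Export-Csv -NoTypeInformation -Path (Join-Path $env:ProgramData 'NvContainerPluginInventory.csv')

if (-not $Remove) { Write-Host 'Dry run only; re-run with -Remove to back up and delete these files.'; return }

# 1. Stop the container services (post: "stop all nvidia services"). Name pattern is assumed.
Get-Service -Name 'NVDisplay.Container*' -ErrorAction SilentlyContinue |
    Where-Object Status -eq 'Running' |
    Stop-Service -Force

# 2. Back up, take ownership, grant Administrators full control, then delete.
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
foreach ($f in $found) {
    Copy-Item -LiteralPath $f.Path -Destination $BackupDir -Force
    & takeown.exe /F $f.Path /A | Out-Null                     # owner -> Administrators group
    & icacls.exe $f.Path /grant '*S-1-5-32-544:F' | Out-Null    # SID of BUILTIN\Administrators
    Remove-Item -LiteralPath $f.Path -Force
    Write-Host "Removed $($f.Path) (backup in $BackupDir)"
}
Write-Host 'Done. Reboot as the post says, then re-check NVIDIA Container CPU usage in Task Manager.'
```

    Run it once without arguments and read the Signature and Signer columns and the CSV it writes before running it again with -Remove. As the answer notes, a driver update puts the files back, so the inventory CSV is also a quick way to see whether they have returned; the backup folder lets you restore them if the driver misbehaves without them.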
  3. Anonymous
    2024-10-14T19:44:53+00:00

    My friend, my heart goes out to you. It's clear this issue has reached a point where it's taking a serious toll on your well-being. I strongly recommend reaching out to a medical professional about this situation as soon as possible.

    As for the issue itself, I would advise considering a 'scorched earth' approach: wipe everything clean and start from scratch.

    1. Get rid of any and all devices, including:
      • Laptops/PCs
      • Smartphones
      • Smartwatches
      • Smart TVs
      • IoT devices (e.g., smart appliances)
      • Hard drives and USB drives
      • Your WiFi router and/or modem
      • Anything else that connects to the internet
    2. Any files you can't bear to lose should be uploaded to a cloud storage provider—preferably one with built-in virus scanning, such as Google Drive.
    3. Once you've completely eliminated every internet-connected device, you can rebuild with the peace of mind that whatever was affecting you has been fully eradicated.

    But before anything else, please speak to a physician. No device is worth sacrificing your health.

    Best of luck,
    DJ

    6 people found this answer helpful.
    0 comments No comments
  4. Anonymous
    2024-07-19T05:32:02+00:00

    I've been dealing with the exact same issue. It has consumed me for the past 2 months and I still can't get my head wrapped around it all. But 100% the exact same thing you're dealing with. All the way down to the loopback and multicast. All devices that have connected to my router have been compromised, iPhones and Mac devices included, and redirecting most of the websites.

    Do you have any update? I'm supposed to be meeting with my local FBI Field Officers soon as well.

    Thanks!

    2 people found this answer helpful.
    0 comments No comments
  5. Anonymous
    2024-05-22T00:22:39+00:00

    hey skarface, I've got the same issue man, is there any way I could talk with you about it?

    please please send me an email at ******@gmail.com, I'd greatly appreciate it. like you, this is the first thing I've been able to find that wasn't a **** run around. I look forward to hearing from you, thanks!

    1 person found this answer helpful.
    0 comments No comments