[SOLVED] Strange handles in explorer.exe and Cryptographic Service corrupted

Status: Not open for further replies.

Rusty T (Active member, joined May 9, 2022, 34 posts)
Hello,

Got some long-time issues with some strange handles appearing in processes like:

1. C:\Windows\explorer.exe
2. C:\Windows\System32\DriverStore\FileRepository\nv_dispig.inf_amd64_5cf411dadcb5710d\Display.NvContainer\NVDisplay.Container.exe
3. C:\Windows\System32\DriverStore\FileRepository\u0400644.inf_amd64_9691c8ee1bbfcbb7\B399690\atieclxx.exe

These strange handles multiply if I put the PC to sleep, each session adding more NA processes. Please see the picture below.

First I noticed them on my old system with Win 7 in 2018-2019, then later on Win 10 LTSC 2019, and now on Win 10 LTSC 2021.

I've seen these handles using KillSwitch, a task manager made by Comodo, but I checked them against Process Explorer by Sysinternals.

Please see pictures.

Secure Boot is on, Core Isolation is on, ESET Internet Security. Some services are disabled to minimize vulnerabilities. Fast Boot is disabled in BIOS and Windows as well; I don't like that feature and never trust it.

All scans are clean: ESET, Malwarebytes, HitmanPro, KVRT.

Sent here by Maxstar. Please advise.


Thank You
 

Attachments

  • NAproc3.jpg (341.6 KB)
  • NA loads Several.jpg (237.3 KB)
  • NA Nvidia.jpg (227.8 KB)
  • Cryptogrphik SVC corrupt.jpg (650.1 KB)
  • Addition.txt (33.5 KB)
  • FRST.txt (50.3 KB)
Hello.

Is this a personal or a company computer?

Microsoft Windows 10 Enterprise LTSC Version 21H2 19044.4651 (X64) (2023-12-21 21:09:16)
 
Sorry I'm asking, but I need to be sure: Do you have a valid retail license for your Windows? Enterprise edition is used by companies, not individuals.
 
Yes I do; this is the SHA-256 of the image I use to install LTSC 2021: C90A6DF8997BF49E56B9673982F3E80745058723A707AEF8F22998AE6479597D.

I use LTSC since my first installation of Win 10, a Pro version, lasted only 5 months before becoming unusable. I did a clean install, though, of Win 10 Pro using my old key from Win 7 Pro.
After 5 months or so, the immersive control panel wasn't working, the RAID 0 driver would freeze, Cryptographic Service was corrupted, and there were other issues, on the same hardware I used in Win 7 with no issues. A complete fiasco; since then I'm using only LTSC.
 
OK.

Please, make a restart and run FRST tool once more. Attach fresh FRST logs.
 
Don't know if it matters, but both FRST logs are from the Admin account on this PC, not the standard user account I usually log into and use.
 


Thanks. The logs look much better now.

We need our tools to run from an Admin account, so you are just fine.

I'll start reviewing your logs, and I'll need some time to do this. In the meantime:

Please, adhere to the guidelines below:

1. Always ask before acting. Do not continue if you are not sure, or if something unexpected happens!

2. Do not run any tools unless instructed to do so. Also, do not uninstall or install any software during the procedure, unless I ask you to do so.

3. Cracked or pirated programs are not only illegal, but also can make your computer a malware target. Having such programs installed is the easiest way to get infected. Thus, there is no need to clean the computer, since, sooner or later, it will get infected again. If you have such programs, please uninstall them now, before we start the cleaning procedure.

4. If your computer seems to start working normally, don't abandon the topic. Even if your system is behaving normally, there may still be some malware remnants left over. Additionally, malware can re-infect the computer if some remnants are left. Therefore, please complete all requested steps to make sure any malware is successfully eradicated from your PC.

5. You have to reply to my posts within 3 days. If you need some additional time, just let me know. Otherwise, I will leave the topic due to lack of feedback. If you are able, I would request you to check this thread at least once per day so that we can resolve your issues effectively and efficiently.

6. Logs from malware diagnostic or removal programs can take some time to get analyzed. Also, have in mind that all the experts here are volunteers and may not be available to assist when you post. Please, be patient, while I analyze your logs.
 
A couple of questions before I give you a fix:

1. Any idea why the following items are locked?

2024-07-22 16:16 C:\$Recycle.Bin
2024-06-27 20:46 C:\ProgramData\NVIDIA
2024-06-25 17:41 C:\ProgramData\NVIDIA Corporation
2024-01-13 17:14 C:\ProgramData\WarThunder
2024-02-27 15:29 C:\Users\Bob\AppData\Roaming\NVIDIA
2023-12-28 15:26 C:\Users\Bob\AppData\Local\D3DSCache
2024-05-11 22:04 C:\Users\Bob\AppData\Local\NVIDIA
2024-06-26 19:29 C:\Users\Bob\AppData\Local\NVIDIA Corporation
2024-01-14 21:11 C:\Users\Bob\AppData\Local\WarThunder
2023-12-28 21:13 C:\Users\Pete\AppData\Local\Blizzard Entertainment


2. Did you intentionally set these policies?

HKLM\Software\Policies\...\system: [AllowCrossDeviceClipboard] 0
HKLM\Software\Policies\...\system: [AllowClipboardHistory] 0
HKU\S-1-5-21-739470744-3462514756-3725128217-1001\...\Policies\Explorer: [NoStartMenuMyGames] 1
HKU\S-1-5-21-739470744-3462514756-3725128217-1001\...\Policies\Explorer: [NoSearchInternetInStartMenu] 1
HKU\S-1-5-21-739470744-3462514756-3725128217-1002\...\Policies\Explorer: [NoStartMenuMyGames] 1
HKU\S-1-5-21-739470744-3462514756-3725128217-1002\...\Policies\Explorer: [NoSearchInternetInStartMenu] 1
 
1. Yes. Recycle Bin was exploited several times: files were landed there and then used to corrupt legit OS files and inject into different processes. One of the games was even starting the Windows Update service (like 3-4 times in 30 min), my guess to use the proxy that comes with it.
Blizzard and Nvidia had too fishy activity in their caches, so I just locked them. Nvidia Telemetry was used in the past by a game to get the desired connections and privileges that come with the service.

D3DSCache is locked just for hardware testing purposes.

2. Yes.
 
I don't agree with your action locking items like that, especially NVIDIA.

Other than that, there is no sign of an active infection in your system. Some maintenance is needed, however.

FRST fix

Please do the following to run a FRST fix. First, make sure that you move the FRST tool from the Downloads folder onto your Desktop.

NOTICE: This script was written specifically for this user. Running it on another machine may cause damage to your operating system
  • Select the entire contents of the code box below, from the "Start::" line to "End::", including both lines. Right-click and select "Copy". No need to paste anything anywhere.
Code:
Start::
SystemRestore: On
CreateRestorePoint:
CloseProcesses:
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center: Restriction <==== ATTENTION
GroupPolicy: Restriction - Edge <==== ATTENTION
GroupPolicy\User: Restriction - Edge <==== ATTENTION
Task: {41F5FC9D-EE65-4CA4-A908-91B3587198E0} - \Microsoft\XblGameSave\XblGameSaveTask -> No File <==== ATTENTION
Task: {D5FDAF59-ECE4-4060-B4AC-896FCEF10E42} - \CCleanerSkipUAC - Pete -> No File <==== ATTENTION
S3 PrintNotify; C:\Windows\system32\spool\drivers\x64\3\PrintConfig.dll [X]
S3 HWiNFO_187; \??\C:\Users\Pete\AppData\Local\Temp\HWiNFO64A_187.SYS [X] <==== ATTENTION
2024-07-21 19:51 - 2024-07-22 12:10 - 000000000 ____D C:\KVRT2020_Data
2024-07-21 19:45 - 2024-07-21 19:47 - 111583088 _____ (AO Kaspersky Lab) C:\Users\Bob\Downloads\KVRT.exe
FirewallRules: [{FEF190EA-2AD1-42BC-95AE-045BB8692FC7}] => (Allow) D:\GAMES\steam.exe => No File
FirewallRules: [{9EE38158-4230-44A5-A996-72880FDA342B}] => (Allow) D:\GAMES\steam.exe => No File
FirewallRules: [{9482A9B4-B6BD-490A-BFBC-45EBD98C8404}] => (Allow) D:\GAMES\bin\cef\cef.win7x64\steamwebhelper.exe => No File
FirewallRules: [{B20DE4A9-F5C8-46B9-868C-62A20B363564}] => (Allow) D:\GAMES\bin\cef\cef.win7x64\steamwebhelper.exe => No File
FirewallRules: [{23C2C0E6-118B-496A-90C6-91DBE0FFA49F}] => (Allow) D:\GAMES\steamapps\common\Sudden Strike 4\SuddenStrike4.exe => No File
FirewallRules: [{4477D82F-4415-47FB-BB41-4691E485F894}] => (Allow) D:\GAMES\steamapps\common\Sudden Strike 4\SuddenStrike4.exe => No File
FirewallRules: [{87FE01A8-EAA9-4E8F-A82B-FE20DE584902}] => (Allow) D:\GAMES\steamapps\common\Company of Heroes 3\RelicCoH3.exe => No File
FirewallRules: [{052BFE7A-7025-44F7-B4C6-94312E3B9600}] => (Allow) D:\GAMES\steamapps\common\Company of Heroes 3\RelicCoH3.exe => No File
FirewallRules: [{17505DF1-8C90-4D86-877B-BDC1C5FA5904}] => (Allow) D:\GAMES\steamapps\common\ShadowOfMordor\x64\ShadowOfMordor.exe => No File
FirewallRules: [{A871530A-7FCF-4A53-9EF9-E792F07B98E2}] => (Allow) D:\GAMES\steamapps\common\ShadowOfMordor\x64\ShadowOfMordor.exe => No File
FirewallRules: [{4C6301F8-04EA-461D-9FAE-91149413AC5B}] => (Allow) D:\GAMES\steamapps\common\War Thunder\eac_wt_mlauncher.exe => No File
FirewallRules: [{2B02F3E8-239F-41C4-BCC9-2D4F05FED5B0}] => (Allow) D:\GAMES\steamapps\common\War Thunder\eac_wt_mlauncher.exe => No File
FirewallRules: [{EA100EB7-7E50-428D-B6FE-C08B80153852}] => (Allow) D:\GAMES\steamapps\common\War Thunder\launcher.exe => No File
FirewallRules: [{CE281C0A-B39A-4C4C-82EE-4F9DCB7A79EA}] => (Allow) D:\GAMES\steamapps\common\War Thunder\launcher.exe => No File
FirewallRules: [{4DD8ABE6-7531-40E0-A7E5-F57DE8C59469}] => (Allow) C:\Program Files\Blackmagic Design\DaVinci Resolve\Resolve.exe => No File
FirewallRules: [{7C97BFA8-A45F-4D66-A5C9-E4521CDAE3EF}] => (Allow) C:\Program Files\Blackmagic Design\DaVinci Resolve\bmdpaneld.exe => No File
FirewallRules: [{95B168EA-EBC6-432C-A90A-F1C6C5858040}] => (Allow) C:\Program Files\Blackmagic Design\DaVinci Resolve\DaVinciPanelDaemon.exe => No File
FirewallRules: [{416569F6-2678-4D93-90B0-FA24EA5EE54D}] => (Allow) C:\Program Files\Blackmagic Design\DaVinci Resolve\JLCooperPanelDaemon.exe => No File
FirewallRules: [{5379C26F-4636-466A-A97F-9E0F8B5A833D}] => (Allow) C:\Program Files\Blackmagic Design\DaVinci Resolve\EuphonixPanelDaemon.exe => No File
FirewallRules: [{6BDEF9FA-93BB-4752-A8C3-5411BA8F381A}] => (Allow) C:\Program Files\Blackmagic Design\DaVinci Resolve\TangentPanelDaemon.exe => No File
FirewallRules: [{FF1F0FE4-D6BA-4BFD-BC11-C4F8B6A8A7B5}] => (Allow) C:\Program Files\Blackmagic Design\DaVinci Resolve\ElementsPanelDaemon.exe => No File
FirewallRules: [{9147973C-5369-4F0F-BB9A-BF49B1ADB8FC}] => (Allow) C:\Program Files\Blackmagic Design\DaVinci Resolve\fuscript.exe => No File
FirewallRules: [{F6326543-A268-4580-BA97-66F30714FFBD}] => (Allow) G:\GAMES\steamapps\common\3DMark Demo\bin\x64\3DMark.exe => No File
FirewallRules: [{76FFEA66-D354-436C-B48C-A56DE9F34F64}] => (Allow) G:\GAMES\steamapps\common\3DMark Demo\bin\x64\3DMark.exe => No File
EmptyTemp:
End::
  • Right-click on FRST64 on your Desktop to run it as administrator. When the tool opens, click "yes" to the disclaimer.
  • Press the Fix button once and wait.
  • FRST will process fixlist.txt
  • When finished, it will produce a log fixlog.txt on your Desktop.
  • Post the log in your next reply.
 
Not using Windows Firewall, ESET. Restore points are off, as ESET doesn't like them on; they consider it a vulnerability, I guess, or maybe something else.
Not using Edge either.

I'll run the script.
 
System Restore is an essential utility and it must be ON, especially at a good moment of the system, like now, after the fix. That's why I included it in the fix. You may need it at any time.

Yes, please run the fix and post the fixlog.txt.
 
I know what System Restore is supposed to be, but why does ESET think otherwise? Probably because a lot of malware makes use of it. I'm not saying it's not useful; it's just a double-edged sword.

I just created a System Restore point manually now.

1. After Maxstar's fix, explorer.exe no longer has the dubious handles after restarts, shut down or sleep, but Nvidia Display Container still does. Any idea what those are and why they are appearing?
Please see the picture attached.
2. Cryptographic service still doesn't load right, judging by dberr.txt.

Thanks
 

Attachments

  • Fixlog.txt (10.5 KB)
  • NA Nvidia.jpg (358.1 KB)
System Restore was not successfully created via the fix, and this is because you have Max usage at 6% and your free space is only 26GB. That's why it was disabled. You may want to reduce that 6% to 2%.

1. After Maxstar's fix, explorer.exe no longer has the dubious handles after restarts, shut down or sleep, but Nvidia Display Container still does. Any idea what those are and why they are appearing?
Please see the picture attached.

I don't know. And with the modifications you did on the system, in the name of security, this is even more difficult to answer.

2. Cryptographic service still doesn't load right, judging by dberr.txt.

To which txt file are you referring?
 
It's ok, I will clear some files from C:

The usual .txt file that is in any c:\Windows\System32\catroot2\

Please look at the start of the post at the picture I uploaded, "Cryptographik SVC corrupt".
 
This is a normal Cryptographic Service, maybe with an error or 2; now look at mine: only errors, and it was like that from the first minutes of a fresh Win 10 LTSC installation, not even connected to the internet yet, not "because of my mods in the name of security".
I've seen that before on a Windows 10 Pro N installation, full of errors like mine, but that corrected itself after some Windows updates.
 


Check the Cryptographic Service status at this stage:

Go to Services, find Cryptographic Service, double click on it and attach a screenshot of what you get.
 
Here you are; you can also see the first minutes after the installation of fresh Windows 10 LTSC 2021 on the second jpg.
 

Attachments

  • CryptoSVC.jpg (33.5 KB)
  • Crypt right from the start.jpg (79.4 KB)
However, it seems that it is running. Let's leave it for now.

Another thing I noticed in your logs, is that you disabled WinHttpAutoProxySvc. Did you do that via the Registry? Because it's not possible to disable it manually in Services.

Last thing you would worry about:

Microsoft Windows 10 Enterprise LTSC Version 21H2 19044.4651 (X64) Language: English (United States)

Have you tried to upgrade and had issues? You are an upgrade behind and this makes your system extremely vulnerable.
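Added example (not part of the thread, and not code from Sysnative, FRST, ESET or Sysinternals): a read-only PowerShell script that checks the items the thread keeps circling back to, namely the start type of CryptSvc and WinHttpAutoProxySvc as recorded in the registry (which is where a "Disabled" state shows even when services.msc greys the option out), whether System Restore is enabled and how much shadow storage is reserved versus used, the catroot2\dberr.txt log the user refers to, and the handle counts of the processes in the first post so they can be compared before and after a sleep cycle. It assumes Windows 10 with an elevated Windows PowerShell 5.1 session (Get-ComputerRestorePoint is not available in PowerShell 7); the DisableSR registry value under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore is assumed to be the per-machine "protection off" flag. Nothing in it modifies the system.

```powershell
# Added example, not from the thread or from FRST/ESET/Sysinternals:
# read-only checks for the items discussed above (service start types,
# System Restore reservation, catroot2\dberr.txt, handle counts).
# Assumes Windows 10 and an elevated Windows PowerShell 5.1 session.

$startTypes = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }

function Get-ServiceStartInfo {
    param([Parameter(Mandatory)][string]$Name)
    # services.msc greys out the start type for some services
    # (WinHttpAutoProxySvc is one), but the registry Start value is readable.
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
    if (-not (Test-Path $key)) { return $null }
    $start = (Get-ItemProperty -Path $key -Name Start -ErrorAction SilentlyContinue).Start
    $type  = if ($null -ne $start -and $startTypes.ContainsKey([int]$start)) { $startTypes[[int]$start] } else { 'unknown' }
    [pscustomobject]@{
        Service   = $Name
        StartCode = $start
        StartType = $type
        Status    = (Get-Service -Name $Name -ErrorAction SilentlyContinue).Status
    }
}

function Get-HandleCounts {
    # Handle counts per process; run once before and once after a sleep/wake
    # cycle to see whether the growth described in the thread reproduces.
    # This only counts handles; identifying the "NA" ones still needs a
    # handle viewer such as Process Explorer.
    param([string[]]$Names = @('explorer', 'NVDisplay.Container', 'atieclxx'))
    Get-Process -Name $Names -ErrorAction SilentlyContinue |
        Select-Object Name, Id, HandleCount, @{ n = 'When'; e = { Get-Date -Format 'HH:mm:ss' } }
}

'--- 1. Service start types (CryptSvc = Cryptographic Services) ---'
'CryptSvc', 'WinHttpAutoProxySvc' | ForEach-Object { Get-ServiceStartInfo -Name $_ } | Format-Table -AutoSize

'--- 2. System Restore: state, reserved space, existing restore points ---'
# DisableSR under this key is assumed to be the per-machine "protection off"
# flag (1 = disabled); the Group Policy variant lives under HKLM\SOFTWARE\Policies.
$srKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore'
$disableSR = (Get-ItemProperty -Path $srKey -Name DisableSR -ErrorAction SilentlyContinue).DisableSR
"DisableSR = $disableSR"
# The fix in the thread could not create a restore point because the 6%
# reservation did not fit into the free space; vssadmin shows both figures.
vssadmin list shadowstorage | Select-String -Pattern 'For volume|Used Shadow Copy|Maximum Shadow Copy'
Get-ComputerRestorePoint -ErrorAction SilentlyContinue |
    Select-Object SequenceNumber, Description, CreationTime | Format-Table -AutoSize

'--- 3. Cryptographic Services catalog database log (catroot2\dberr.txt) ---'
$dberr = Join-Path $env:SystemRoot 'System32\catroot2\dberr.txt'
if (Test-Path $dberr) {
    $lines  = @(Get-Content -Path $dberr)
    $errors = @($lines | Select-String -Pattern 'error|fail')   # case-insensitive regex
    "$($lines.Count) lines, $($errors.Count) mention error/fail; last 10 lines:"
    $lines | Select-Object -Last 10
} else {
    "dberr.txt not found at $dberr"
}

'--- 4. Handle counts now (run again after a sleep/wake cycle) ---'
Get-HandleCounts | Format-Table -AutoSize
```

Run it once, put the machine to sleep, wake it and run it again: section 4 shows whether the handle count of NVDisplay.Container.exe actually grows per cycle, and section 1 answers the helper's question about whether WinHttpAutoProxySvc was set to Disabled (StartCode 4) in the registry. Section 2 reproduces the reason the FRST fix could not create a restore point: the "Maximum Shadow Copy Storage space" line shows the reservation that has to fit into the free space on C:.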
 