There is probably a virus in the Realtek audio driver with the date 09.06.2020

18 Posts
3 Users
0 Reactions
1,699 Views
(@Anonymous)
New Member Guest
Joined: 1 second ago
Posts: 0
 

Hi, 🙂
Windows 10, 1909
Problem with: Realtek High Definition Audio driver, version 6.0.8967.1 from 09.06.2020.

A few days ago I wanted to update my drivers. Every driver I installed except the Realtek audio one was working fine.
I couldn't open the Realtek tray icon/GUI thing (RtkNGUI64.exe), and after trying, the circle beneath my mouse cursor that shows something is working in the background appears every 3 or 4 seconds.
Windows Defender then found a malicious file in the temp folder that I couldn't find with Explorer or by other means, and that Defender couldn't delete. procmon64 showed no suspicious activity. Since I reverted back to before installing the drivers, I can no longer see what the filename was or what it was detected as. I remember it said something about password stealing.

Please check this driver in your repository and how it got there. Apparently this is a zero day exploit or whatever because it wasn't detected before installation.

Thank you for your work,
kind regards. 🙂


(@Anonymous)
New Member Guest
Joined: 1 second ago
Posts: 0
 

Oh, apparently the Defender detection history wasn't reverted back.

The temp file with a random name was detected as: HackTool:Win32/Passview!MSR
It was in the folder C:\users\xxxxx\AppData\local\temp\tmp0000011b with the name tmp00237xxx, where xxx is a random number.


(@Anonymous)
New Member Guest
Joined: 1 second ago
Posts: 0
 

I assume something else that wasn't detected was running that Passview program every 4 seconds. That background process is what I meant with "zero day exploit". It might have done more than looking at my passwords, but I couldn't find any other proof of malicious software on my PC, and I tested it with many programs, including anti-rootkit.


(@Anonymous)
New Member Guest
Joined: 1 second ago
Posts: 0
 

Sorry for all these posts, but I can't edit them.
I am currently uploading all the files to Virustotal.com, and so far everything seems clean, weirdly enough.
So, I'll also upload all the other drivers I installed that day.
Baaah so much uploading...

I'll get back here when finished.


(@Anonymous)
New Member Guest
Joined: 1 second ago
Posts: 0
 

(Apparently I am not allowed to include links, so here is the same message without Links; There are spaces before every "com")

I'm at a loss. I tested every single file with virustotal.com and nothing came back positive. Here are all the drivers I installed that day. I had to upload 395 files. xD
I even included my snappy folder:
virustotal. com/gui/file/14f00ebf660c066d6a72249962dd7fd09ece729faffbcd76a19c79f3cf8c81c6/relations

Realtek High Definition Audio driver:
virustotal. com/gui/file/72cd7d15587ba5a7b6e7c4d43ed9273aa421bb522604bba56a310114b3606670/relations
And a second, older one:
virustotal. com/gui/file/5ed18761aef0b24191fd80a6b96059ebc9b5d447c74a3710976f1dc0e97c96db/relations

Sound Blaster audio driver:
virustotal. com/gui/file/50bc7cdba9248b3804b8f871c2f9c3fbd7a4c60878ebe9d3331ae25b38c3c21c/relations

AMD PSP:
virustotal. com/gui/file/43cf0fcc321282175845a7b6edba8fa53b3d76ccb122ccfeabf19cee6982ef2f/relations

AMD GPIO:
virustotal. com/gui/file/bb5a5032ade8911bf0f9770bc9f17631c32e7656a21ecb004f423069bec85226/relations

AMD PCI:
virustotal. com/gui/file/ef42e8dc8bb340dc84e9cff6ad9322369ba0aa5adc45bc19a7efa72a1022c135/relations

Realtek PCIe network:
virustotal. com/gui/file/8cfe083bce7dc7ff51becf98bfbf111e89d069cae79f1d62b4b22333f252cb36/relations

Samsung NVME:
virustotal. com/gui/file/4161c7f64fb67cb5b5c0c23295c46df789681f7e4a09e2cdb79b6b707ec0f9e5/relations

Conclusion: WTH? Either there is zero-day malware in one of these or I'm going insane.
One needs to install these in a VM and see what happens - but how do you install drivers for hardware that doesn't exist in a VM?
Grmpf...

Help! xD


Glenn
(@glenn)
Member Admin
Joined: 7 years ago
Posts: 1444
 

The folder you mention in your second post is not an SDIO folder. When SDIO extracts files it uses the %AppData%\Local\Temp\SDIO folder.


(@Anonymous)
New Member Guest
Joined: 1 second ago
Posts: 0
 

Yeah, it was probably made by the malware


(@Anonymous)
New Member Guest
Joined: 1 second ago
Posts: 0
 

... that, I assume, came from one of these drivers that are in your pack - because that is all I installed or changed, and my PC is generally pretty safe since I configured it to be as safe as Windows Pro can be (Attack vector reduction) and I have anti-EXE and anti-Exploit running beneath Defender.
It was, genuinely, only these drivers. That's why I don't understand that they are clean, by Virustotal standards.

Anyway... I should have made an account here so that I can edit. Sorry for that 🙂


(@Anonymous)
New Member Guest
Joined: 1 second ago
Posts: 0
 

So, you don't think there's malware in one of these, Glenn?
Do you get these drivers directly from the manufacturer? Could there have been an SSL MITM attack, maybe? I remember there was something in the news recently about SSL servers being attacked.


Glenn
(@glenn)
Member Admin
Joined: 7 years ago
Posts: 1444
 

It's not entirely out of the question but it seems unlikely given that you've scanned it and I've scanned it and we've all scanned it and no one has found any malware. The location you're pointing to is not the extraction path. All we have is a Defender detection that deleted the file.

I'm not the collector of the drivers but the situation does prompt me to improve practices when the new driver packs arrive.


Glenn
(@glenn)
Member Admin
Joined: 7 years ago
Posts: 1444
 

This is a batch file I'm working on to include in the release procedure. It will, one by one, extract the driver packs and scan them. I'm using EEK but you should insert whatever malware scanner you use.

Place it in the main folder with the SDIO.exe files.

I might add it the the next release.

@echo off
rem Run from the SDIO folder so the relative drivers\ paths resolve.
cd /d "%~dp0"
rem Pick the newest SDIO_R*.exe (dir /od lists oldest first, so the last match wins).
for /f "tokens=*" %%a in ('dir /b /od "%~dp0SDIO_R*.exe"') do set "SDIOEXE=%%a"
echo %SDIOEXE%
rem Extract and scan each driver pack in drivers\ one at a time.
for /F %%i in ('dir /b drivers\*.7z') do call :scanpack %%i %%~ni
goto end

:scanpack
rem %1 = pack file name, %2 = pack name without extension (used as the extraction folder).
%SDIOEXE% -7z x drivers\%1 -y -odrivers\%2
rem Replace this line with the command line of the scanner you use (EEK's a2cmd shown here).
"C:\Toolkit\!Malware Cleanup Procedure\5 EEK\bin64\a2cmd.exe" /files=drivers\%2
if errorlevel 2 goto :error
if errorlevel 1 goto :found
rem Clean: remove the extracted folder again.
if exist drivers\%2\. rmdir /s /q drivers\%2
goto :eof

rem On an error or a hit the extracted folder is left in place for inspection.
:error
echo Error: drivers\%2
goto :end

:found
echo FOUND: drivers\%2
goto :end

:end


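An added example of my own, not SDIO's or Glenn's code, that complements the extract-and-scan step above: it builds a SHA-256 manifest of every file in an extracted driver pack and diffs it against the previous release's manifest, so only files that appeared or changed need re-scanning, and it emits lookup URLs in the same VirusTotal form as the links posted earlier in this thread. The pack layout and file contents in the demo are constructed.

```python
"""Added example, not SDIO's or Glenn's own code: build a SHA-256 manifest of an
extracted driver pack and diff it against the previous release's manifest, so
files that appeared or changed between releases get flagged for re-scanning.
VirusTotal keys its reports by SHA-256 (the 64-hex ids in the links above), so
the same digest also looks up an existing report without uploading the file."""
import hashlib
import tempfile
from pathlib import Path

VT_URL = "https://www.virustotal.com/gui/file/{}/relations"

def sha256_of(path):
    """Hash in 1 MiB chunks so large setup executables need not fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root):
    """Map each file's path (relative to the pack root, POSIX form) to its SHA-256."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def diff_manifests(old, new):
    """Relative paths that are new or changed in `new`: the files to re-scan."""
    return sorted(rel for rel, digest in new.items() if old.get(rel) != digest)

def vt_links(manifest, paths):
    """VirusTotal lookup URL for each flagged file, in the form used in this thread."""
    return {rel: VT_URL.format(manifest[rel]) for rel in paths}

def demo():
    """Constructed demo: release 2 changes one file of release 1 and adds one."""
    work = Path(tempfile.mkdtemp())
    r1, r2 = work / "r1", work / "r2"
    for d in (r1, r2):
        (d / "sub").mkdir(parents=True)
        (d / "setup.exe").write_bytes(b"constructed installer bytes")  # unchanged
    (r1 / "sub" / "driver.inf").write_text("DriverVer=03/26/2020")
    (r2 / "sub" / "driver.inf").write_text("DriverVer=06/09/2020")  # changed
    (r2 / "extra.dll").write_bytes(b"file that only release 2 carries")  # new
    old, new = build_manifest(r1), build_manifest(r2)
    flagged = diff_manifests(old, new)
    return flagged, vt_links(new, flagged)
```

A clean diff only says the pack is unchanged since the last release, not that it is clean; the first manifest of a new pack still needs a full scan.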
(@Anonymous)
New Member Guest
Joined: 1 second ago
Posts: 0
 

All we have is a Defender detection that deleted the file.

It actually couldn't delete the file and I couldn't find it with explorer or anything else. It was only removed once I reverted the system using a restore point. (I hope)

I’m not the collector of the drivers

Oh, that makes sense. I thought it was you, but now that you mention it, there's the other SDI program that uses the same files. It's just a collection someone creates and puts in a torrent, right? Who is that?

This is a batch file I’m working on

Ah nice. But, any anti-malware program should scan files opened or executed before finishing the operation. (probably the zip files, but definitely the extracted setups) In my case it just wasn't detected by anything. (If it existed in them i.t.f.p. and wasn't downloaded and executed after driver installation via something looking like a typical update process) Defender scanned these files automatically.
Maybe include a free portable version of a good scanner to act as a second opinion instead?

If driver or setups download malware after installation, then the most important thing becomes getting the packages from a trusted source.
This is my leading hypothesis right now. I don't remember if anything asked for internet access or not, though.


(@Anonymous)
New Member Guest
Joined: 1 second ago
Posts: 0
 

Just to chip in to this conversation, when I install the Realtek driver from SDIO, my computer takes much longer to start up than normal. I have tried on two separate machines and it happened with both of them.

One machine is a pretty fast spec gaming machine but installing the realtek driver added almost a minute to the boot time (normally around 20 seconds).

The other machine is a much more basic "emails and word documents" machine. After installing the realtek driver, it was taking several minutes to start up.

On both machines, I completely cleared out the driver and allowed Windows to find and install its default driver. That put startup times back to normal. Then I used Driver Easy to get the newest realtek driver that it could find and that did not cause a problem when installed. The one found by Driver Easy is from 26 March 2020 ver 6.0.8924.1


Glenn
(@glenn)
Member Admin
Joined: 7 years ago
Posts: 1444
 

Who is that?

Look inside a driver pack.

Maybe include a free portable version of a good scanner to act as a second opinion instead?

Better if you use the scanner you trust.

This is my leading hypothesis right now.

Well, let me know what you find.

Right now, this is an unexplained anomaly. If we get more reports of a similar nature then we've got some decisions to make.


Glenn
(@glenn)
Member Admin
Joined: 7 years ago
Posts: 1444
 

I would say this is a clear example of "don't blindly install newer drivers for the sake of it".

I expect if you looked, SDIO would have offered a variety of versions for you to try out.

