There is probably a virus in the Realtek audio driver with the date 09.06.2020

Forum: Snappy Driver Installer Origin

Viewing 13 reply threads
    • #3321
      Smiley

      Hi, 🙂
      Windows 10, 1909
      Problem with: Realtek High Definition Audio driver, version 6.0.8967.1 from 09.06.2020.

      A few days ago I wanted to update my drivers. Every driver I installed except the Realtek audio one was working fine.
      I couldn’t open the Realtek tray icon/GUI thing (RtkNGUI64.exe), and after trying, the circle that shows something is working in the background appears beneath my mouse cursor every 3 or 4 seconds.
      Windows Defender then found a malicious file in the temp folder that I couldn’t find with Explorer or by any other means, and that Defender couldn’t delete. procmon64 showed no suspicious activity. Since I reverted back to before installing the drivers, I can no longer see what the filename was or what it was detected as. I remember it said something about password stealing.

      Please check this driver in your repository and how it got there. Apparently this is a zero-day exploit or whatever, because it wasn’t detected before installation.

      Thank you for your work,
      kind regards. 🙂

    • #3322
      Smiley

      Oh, apparently the Defender detection history wasn’t reverted back.

      The temp file with a random name was detected as: HackTool:Win32/Passview!MSR
      It was in the folder: C:\users\xxxxx\AppData\local\temp\tmp0000011b\ with name tmp00237xxx, where xxx is a random number.

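An added example, not part of the thread: the details Smiley had to dig out of the Defender history (detected path, threat name, the process Defender saw, whether removal succeeded) can be pulled with the Windows Defender PowerShell module that ships with Windows 10, and the same events are in the Defender operational log. The temp-folder pattern is an assumption modelled on the tmp0000011b and tmp00237xxx names reported above; run it in an elevated PowerShell.

```powershell
# Added example, not from the thread. Pulls the Windows Defender detection history so the
# detected path, threat name, the process Defender caught and whether removal succeeded are
# on record before a restore point or reboot hides them. Uses the Defender module that ships
# with Windows 10 (Get-MpThreat, Get-MpThreatDetection) plus the Defender operational log.
# Assumption: the folder/file naming below mirrors the tmp0000011b\tmp00237xxx names in the post.
$TempPattern = '\\Temp\\tmp[0-9a-f]+\\tmp[0-9a-f]+$'

# ThreatID -> readable name (e.g. HackTool:Win32/Passview!MSR).
$threatName = @{}
Get-MpThreat | ForEach-Object { $threatName[$_.ThreatID] = $_.ThreatName }

$detections = Get-MpThreatDetection | Sort-Object InitialDetectionTime -Descending | ForEach-Object {
    # Resources are strings such as "file:_C:\Users\me\AppData\Local\Temp\tmp0000011b\tmp00237abc".
    $files = @($_.Resources | Where-Object { $_ -like 'file:_*' } | ForEach-Object { $_.Substring(6) })
    [pscustomobject]@{
        Time         = $_.InitialDetectionTime
        Threat       = $threatName[$_.ThreatID]
        Process      = $_.ProcessName     # what was touching the file when Defender fired ("Unknown" for scheduled scans)
        RemovalOk    = $_.ActionSuccess   # $false is the "couldn't delete" case described in the post
        InRandomTemp = [bool]($files | Where-Object { $_ -match $TempPattern })
        Files        = $files -join '; '
    }
}
$detections | Format-Table -AutoSize -Wrap

# Second source for the same incidents: the Defender operational log.
# 1116 = threat detected, 1117 = action taken, 1118 = action failed.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 1116, 1117, 1118 } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } } |
    Format-Table -AutoSize
```

The Process column is the part worth keeping: if the temp file was being re-created every few seconds, the process name recorded on the real-time detection is the thing that was doing it, which is exactly what a later restore point erases.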
    • #3323
      Smiley

      I assume something else that wasn’t detected was running that Passview program every 4 seconds. That background process is what I meant with “zero-day exploit”. It might have done more than looking at my passwords, but I couldn’t find any other proof of malicious software on my PC, and I tested it with many programs, including anti-rootkit ones.

    • #3324
      Smiley

      Sorry for all these posts, but I can’t edit them.
      I am currently uploading all the files to Virustotal.com, and so far everything seems clean, weirdly enough.
      So, I’ll also upload all the other drivers I installed that day.
      Baaah so much uploading…

      I’ll get back here when finished.

    • #3331
      Smiley

      (Apparently I am not allowed to include links, so here is the same message without Links; There are spaces before every “com”)

      I’m at a loss. I tested every single file with virustotal.com and nothing came back positive. Here are all the drivers I installed that day. I had to upload 395 files. xD
      I even included my snappy folder:
      virustotal. com/gui/file/14f00ebf660c066d6a72249962dd7fd09ece729faffbcd76a19c79f3cf8c81c6/relations

      Realtek High Definition Audio driver:
      virustotal. com/gui/file/72cd7d15587ba5a7b6e7c4d43ed9273aa421bb522604bba56a310114b3606670/relations
      And a second, older one:
      virustotal. com/gui/file/5ed18761aef0b24191fd80a6b96059ebc9b5d447c74a3710976f1dc0e97c96db/relations

      Sound Blaster audio driver:
      virustotal. com/gui/file/50bc7cdba9248b3804b8f871c2f9c3fbd7a4c60878ebe9d3331ae25b38c3c21c/relations

      AMD PSP:
      virustotal. com/gui/file/43cf0fcc321282175845a7b6edba8fa53b3d76ccb122ccfeabf19cee6982ef2f/relations

      AMD GPIO:
      virustotal. com/gui/file/bb5a5032ade8911bf0f9770bc9f17631c32e7656a21ecb004f423069bec85226/relations

      AMD PCI:
      virustotal. com/gui/file/ef42e8dc8bb340dc84e9cff6ad9322369ba0aa5adc45bc19a7efa72a1022c135/relations

      Realtek PCIe network:
      virustotal. com/gui/file/8cfe083bce7dc7ff51becf98bfbf111e89d069cae79f1d62b4b22333f252cb36/relations

      Samsung NVME:
      virustotal. com/gui/file/4161c7f64fb67cb5b5c0c23295c46df789681f7e4a09e2cdb79b6b707ec0f9e5/relations

      Conclusion: WTH? Either there is zero-day malware in one of these or I’m going insane.
      One needs to install these in a VM and see what happens – but how do you install drivers for hardware that doesn’t exist in a VM?
      Grmpf…

      Help! xD

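Added example, not part of the thread and not SDIO’s own tooling: a driver pack can be inspected without installing it or finding a VM with the right hardware. This script hashes the pack, extracts it with the `-7z x` pass-through that the SDIO executable accepts on its command line (the same form the release batch file later in this thread uses), then records the SHA-256 and Authenticode status of every executable, driver and catalog inside. It assumes it runs from the SDIO folder, that the pack file name is a placeholder to replace, and that the expected hash is the 64-hex id from the VirusTotal link (that id is the file’s SHA-256).

```powershell
# Added example, not from the thread and not SDIO's own tooling: inspect a driver pack offline.
# Assumptions: run from the SDIO folder; $Pack below is a placeholder name; $ExpectedSha256 is
# the id from the VirusTotal URL in the post (a VirusTotal file id is the file's SHA-256).
param(
    [string]$Pack           = 'drivers\DP_Sound_Realtek_xxxxx.7z',   # placeholder, use the real pack name
    [string]$ExpectedSha256 = '72cd7d15587ba5a7b6e7c4d43ed9273aa421bb522604bba56a310114b3606670',
    [string]$WorkDir        = "$env:LOCALAPPDATA\Temp\SDIO-audit"
)

$sdio = Get-ChildItem -Path 'SDIO_R*.exe' | Sort-Object LastWriteTime | Select-Object -Last 1
if (-not $sdio) { throw 'No SDIO_R*.exe in the current folder; run this from the SDIO folder.' }

# 1. Is the pack on disk the same bytes VirusTotal looked at?
$actual = (Get-FileHash -Algorithm SHA256 -Path $Pack).Hash
if ($actual -ieq $ExpectedSha256) { "OK   pack hash matches the VirusTotal id" }
else { "WARN pack hash $actual does not match expected $ExpectedSha256" }

# 2. Extract into a scratch folder, never into the live driver store. Start-Process -Wait is
#    used because SDIO is a GUI executable and a plain call would return before extraction ends.
$dest = Join-Path $WorkDir ([IO.Path]::GetFileNameWithoutExtension($Pack))
New-Item -ItemType Directory -Force -Path $dest | Out-Null
Start-Process -FilePath $sdio.FullName -ArgumentList @('-7z', 'x', "`"$Pack`"", '-y', "-o`"$dest`"") -Wait -NoNewWindow

# 3. Which folders carry a catalog (.cat) whose signature verifies? A .sys/.dll without an
#    embedded signature is normal when a valid WHQL catalog in the same folder covers it.
$catalogOk = @{}
Get-ChildItem -Path $dest -Recurse -File -Filter *.cat | ForEach-Object {
    if ((Get-AuthenticodeSignature -FilePath $_.FullName).Status -eq 'Valid') { $catalogOk[$_.DirectoryName] = $true }
}

# 4. SHA-256 and signature status of everything executable, kept as CSV for later comparison.
$report = Get-ChildItem -Path $dest -Recurse -File -Include *.sys, *.dll, *.exe, *.cat | ForEach-Object {
    $sig = Get-AuthenticodeSignature -FilePath $_.FullName
    [pscustomobject]@{
        File    = $_.FullName.Substring($dest.Length + 1)
        Sha256  = (Get-FileHash -Algorithm SHA256 -Path $_.FullName).Hash
        Status  = $sig.Status
        Signer  = $(if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' })
        Catalog = [bool]$catalogOk[$_.DirectoryName]
    }
}
$report | Export-Csv -NoTypeInformation -Path (Join-Path $WorkDir 'hashes.csv')

# 5. What deserves a human look: anything whose own signature is not valid and that does not
#    sit next to a catalog that verifies.
$report | Where-Object { $_.Status -ne 'Valid' -and -not $_.Catalog } |
    Format-Table File, Status, Signer -AutoSize

# 6. Scripts have no business inside a driver pack; list any.
Get-ChildItem -Path $dest -Recurse -File -Include *.vbs, *.js, *.ps1, *.bat, *.cmd, *.hta |
    Select-Object @{ n = 'Script'; e = { $_.FullName.Substring($dest.Length + 1) } }
```

The script checks only that a folder’s catalog verifies, not that each driver file is actually listed in it; for that last step, `signtool verify /kp /c <file.cat> <file.sys>` from the Windows SDK checks catalog membership under the kernel-mode policy. The hashes.csv it leaves behind is what you compare against VirusTotal, instead of uploading 395 files by hand.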
    • #3332
      Glenn
      Keymaster

      The folder you mention in your second post is not an SDIO folder. When SDIO extracts files it uses the %AppData%\Local\Temp\SDIO folder.

      • This reply was modified 3 months, 1 week ago by Glenn.
    • #3336
      Smiley

      Yeah, it was probably made by the malware

    • #3337
      Smiley

      … that, I assume, came from one of these drivers that are in your pack, because that is all I installed or changed, and my PC is generally pretty safe since I configured it to be as safe as Windows Pro can be (attack vector reduction), and I have anti-EXE and anti-exploit running beneath Defender.
      It was, genuinely, only these drivers. That’s why I don’t understand that they are clean, by Virustotal standards.

      Anyway… I should have made an account here so that I can edit. Sorry for that 🙂

    • #3341
      Smiley

      So, you don’t think there’s malware in one of these, Glenn?
      Do you get these drivers directly from the manufacturer? Could there have been an SSL MITM attack, maybe? I remember there was something in the news recently about SSL servers being attacked.

      • #3352
        Glenn
        Keymaster

        It’s not entirely out of the question but it seems unlikely given that you’ve scanned it and I’ve scanned it and we’ve all scanned it and no one has found any malware. The location you’re pointing to is not the extraction path. All we have is a Defender detection that deleted the file.

        I’m not the collector of the drivers but the situation does prompt me to improve practices when the new driver packs arrive.

    • #3353
      Glenn
      Keymaster

      This is a batch file I’m working on to include in the release procedure. It will extract the driver packs one by one and scan them. I’m using EEK, but you should insert whatever malware scanner you use.

      Place it in the main folder with the SDIO.exe files.

      I might add it to the next release.

      @echo off
      setlocal
      rem Work from the folder this script lives in (the one with SDIO_R*.exe and drivers\).
      pushd "%~dp0"
      rem Pick the newest SDIO_R*.exe (dir /od lists oldest first, so the last hit wins).
      for /f "delims=" %%a in ('dir /b /od SDIO_R*.exe') do set "SDIOEXE=%%a"
      echo Using %SDIOEXE%
      rem Extract and scan one driver pack at a time. "delims=" keeps names with spaces intact.
      for /f "delims=" %%i in ('dir /b drivers\*.7z') do call :scanpack "%%i" "%%~ni"
      goto end

      :scanpack
      rem %1 = pack file name, %2 = pack name without extension, used as the extraction folder.
      "%SDIOEXE%" -7z x "drivers\%~1" -y -odrivers\%~2
      rem Put the command-line scanner you trust on the next line; EEK's a2cmd.exe is used here.
      "C:\Toolkit\!Malware Cleanup Procedure\05 EEK\bin64\a2cmd.exe" /files=drivers\%~2
      rem Exit codes as this script reads them: 0 = clean, 1 = something found, 2 or more = scan error.
      if errorlevel 2 goto :error
      if errorlevel 1 goto :found
      rem Clean: drop the extracted copy so the next pack starts from an empty folder.
      if exist "drivers\%~2\." rmdir /s /q "drivers\%~2"
      goto :eof

      :error
      echo Error: drivers\%~2
      goto :eof

      :found
      echo FOUND: drivers\%~2
      goto :eof

      :end
      popd
      endlocal
      
      • This reply was modified 3 months, 1 week ago by Glenn.
    • #3367
      Smiley

      “All we have is a Defender detection that deleted the file.”

      It actually couldn’t delete the file, and I couldn’t find it with Explorer or anything else. It was only removed once I reverted the system using a restore point. (I hope.)

      “I’m not the collector of the drivers”

      Oh, that makes sense. I thought it was you, but now that you mention it, there’s the other SDI program that uses the same files. It’s just a collection someone creates and puts in a torrent, right? Who is that?

      “This is a batch file I’m working on”

      Ah, nice. But any anti-malware program should scan files that are opened or executed before the operation finishes (probably the zip files, but definitely the extracted setups). In my case it just wasn’t detected by anything (if it existed in them in the first place and wasn’t downloaded and executed after the driver installation via something looking like a typical update process). Defender scanned these files automatically.
      Maybe include a free portable version of a good scanner to act as a second opinion instead?

      If driver or setups download malware after installation, then the most important thing becomes getting the packages from a trusted source.
      This is my leading hypothesis right now. I don’t remember if anything asked for internet access or not, though.

      • #3369
        Glenn
        Keymaster

        “Who is that?”

        Look inside a driver pack.

        “Maybe include a free portable version of a good scanner to act as a second opinion instead?”

        Better if you use the scanner you trust.

        “This is my leading hypothesis right now.”

        Well, let me know what you find.

        Right now, this is an unexplained anomaly. If we get more reports of a similar nature then we’ve got some decisions to make.

        • #3372
          Smiley

          “Better if you use the scanner you trust.”

          But it does that automatically, no need for a script.
          If it doesn’t do that automatically, then the anti-malware program that’s running is useless.

    • #3368
      Enjay

      Just to chip in to this conversation: when I install the Realtek driver from SDIO, my computer takes much longer to start up than normal. I have tried on two separate machines and it happened with both of them.

      One machine is a pretty fast spec gaming machine but installing the realtek driver added almost a minute to the boot time (normally around 20 seconds).

      The other machine is a much more basic “emails and word documents” machine. After installing the realtek driver, it was taking several minutes to start up.

      On both machines, I completely cleared out the driver and allowed Windows to find and install its default driver. That put startup times back to normal. Then I used Driver Easy to get the newest realtek driver that it could find and that did not cause a problem when installed. The one found by Driver Easy is from 26 March 2020 ver 6.0.8924.1

      • #3370
        Glenn
        Keymaster

        I would say this is a clear example of “don’t blindly install newer drivers for the sake of it”.

        I expect if you looked, SDIO would have offered a variety of versions for you to try out.

    • #3371
      Enjay

      It did, but the hardware ID seemed to be right and all other drivers were listed as older or “less than optimal”. The one I installed was nicely highlighted in green and had the same signature numbers as the already installed driver.

      So, I did look at the options and wasn’t just doing it blindly. However, I concede that I’m not fully up to speed with what all the values meant. By the presentation of the options, however, SDIO was making it pretty clear which one should be the best to install, but after installing, my computers were slower to boot.

      So, that’s three machines (my two plus Smiley’s one) that have had a problem with the RealTek driver dated 9th June. Neither of us has found malware. So there does seem to be a problem either with the driver itself or, if the driver isn’t suitable, SDIO making it look as if it is.

      Anyway, I don’t want to come across all grumpy. SDIO is very useful and has actually allowed me to get several poorly performing machines operating far more smoothly. The only issue that I have had has been with the RealTek driver.

    • #3612
      Sakata
      Participant

      If you install any Realtek drivers and have issues with slow/odd response from programs, check in Services and see if you have a “Nahimic” service there; stop it and disable it.
      It’s garbage that has been causing issues for years now. It is part of the extra effect processing.

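Added example, not part of the thread: Enjay’s boot-time regression and Sakata’s Nahimic tip can both be checked from PowerShell rather than by feel. The script reads the boot duration Windows itself records, lists auto-start services whose binary is not Microsoft-signed (the vendor extras that ride along with audio drivers), lists recently registered scheduled tasks with their repetition interval, and stops and disables any service with Nahimic in its name. Run it elevated; the 30-day window and the ‘Microsoft’ signer match are assumptions.

```powershell
# Added example, not from the thread: what a driver pack install did to start-up, and which
# auto-start extras it brought. Run in an elevated PowerShell on Windows 10.
# Assumptions: the 30-day task window and matching 'Microsoft' in the signer subject.

# 1. Boot duration as Windows records it (event 100, Diagnostics-Performance log). Compare the
#    rows from before and after the driver install. BootTime is the total; MainPathBootTime is
#    the part before the desktop appears. The event stores milliseconds.
function Get-BootTimes {
    param([int]$Last = 10)
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Diagnostics-Performance/Operational'; Id = 100 } -MaxEvents $Last |
        ForEach-Object {
            $data = ([xml]$_.ToXml()).Event.EventData.Data
            [pscustomobject]@{
                Booted      = $_.TimeCreated
                BootSeconds = [math]::Round([double]($data | Where-Object { $_.Name -eq 'BootTime' }).'#text' / 1000, 1)
                MainPathSec = [math]::Round([double]($data | Where-Object { $_.Name -eq 'MainPathBootTime' }).'#text' / 1000, 1)
            }
        }
}
Get-BootTimes | Format-Table -AutoSize

# 2. Auto-start services whose binary is not Microsoft-signed: vendor helper services
#    (Realtek audio service, Nahimic, Sonic Studio and the like) show up here.
function Get-ThirdPartyAutoServices {
    Get-CimInstance Win32_Service | Where-Object { $_.StartMode -eq 'Auto' } | ForEach-Object {
        # PathName looks like '"C:\Program Files\x\y.exe" -args' or 'C:\Windows\system32\svchost.exe -k x'.
        $exe = ($_.PathName -replace '^"([^"]+)".*', '$1') -replace '^(\S+\.exe).*', '$1'
        $exe = [Environment]::ExpandEnvironmentVariables($exe)
        $sig = Get-AuthenticodeSignature -FilePath $exe -ErrorAction SilentlyContinue
        if ($sig.SignerCertificate.Subject -notmatch 'Microsoft') {
            [pscustomobject]@{ Name = $_.Name; State = $_.State; SigStatus = $sig.Status
                               Signer = $sig.SignerCertificate.Subject; Path = $exe }
        }
    }
}
Get-ThirdPartyAutoServices | Format-Table -AutoSize -Wrap

# 3. Scheduled tasks registered in the last 30 days. A job firing every few seconds shows a
#    short repetition interval (ISO 8601 duration, e.g. PT5M).
Get-ScheduledTask | Where-Object { $_.Date -and [datetime]$_.Date -gt (Get-Date).AddDays(-30) } |
    Select-Object TaskName, TaskPath, State, @{ n = 'Repeat'; e = { @($_.Triggers.Repetition.Interval) -join ',' } } |
    Format-Table -AutoSize

# 4. Sakata's fix: stop and disable whatever Nahimic service the audio package installed.
Get-Service | Where-Object { $_.Name -match 'Nahimic' -or $_.DisplayName -match 'Nahimic' } | ForEach-Object {
    Stop-Service -InputObject $_ -Force
    Set-Service -InputObject $_ -StartupType Disabled
    "Disabled {0} ({1})" -f $_.Name, $_.DisplayName
}
```

Step 2 is the one that answers “what else did the driver install”: a service that is signed by the driver vendor is expected, one with no valid signature at all is the kind of thing to hand to the scanner before trusting the pack.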