Malware with Crimson? Or False-Positive? - AMDJoe

Discussion in 'Videocards - AMD Radeon Drivers Section' started by Blackfyre, Nov 28, 2015.

  1. heroxoot

    heroxoot Master Guru

    Messages:
    442
    Likes Received:
    0
    GPU:
    EVGA 1080ti SC2
    Windows 10, no P folder. Are you guys on official crimson or the beta 7?
     
  2. theoneofgod

    theoneofgod Ancient Guru

    Messages:
    4,605
    Likes Received:
    249
    GPU:
    RX 580 8GB
    Do you have a € directory?
     
  3. PrMinisterGR

    PrMinisterGR Ancient Guru

    Messages:
    7,753
    Likes Received:
    661
    GPU:
    Inno3D RTX 3090
    I used the bootlogging function of Process Monitor (which took me some time because it's a bit weird on Windows 10), but I managed to find what happens. I'm still unclear as to why, though.

    The file gets created by LogonUI.exe which is clean in my system. Here's the first instance that the binary file appears in my system. The names for the cache get created based on the original .exe needing the shader cache, so I guess that's why we both get the same binary file name.
    Code:
    397932d0add511f4d66e1ad805d18765c0bf23ad7238ee13..bin
    [image]

    Now, LogonUI seems to be calling a lot of DX11 functions when it works. You can see that by checking the txt file describing the file's creation in detail, created by Process Monitor.
    Code:
    Description:	Windows Logon User Interface Host
    Company:	Microsoft Corporation
    Name:	LogonUI.exe
    Version:	10.0.10586.0 (th2_release.151029-1700)
    Path:	C:\Windows\system32\LogonUI.exe
    Command Line:	"LogonUI.exe" /flags:0x0 /state0:0xa3bcc055 /state1:0x41c64e6d
    PID:	1008
    Parent PID:	728
    Session ID:	1
    User:	NT AUTHORITY\SYSTEM
    Auth ID:	00000000:000003e7
    Architecture:	64-bit
    Virtualized:	False
    Integrity:	System
    Started:	28/11/2015 20:13:20
    Ended:	(Running)
    Modules:
    winmmbase.dll	0x11b2f1a0000	0x2c000	C:\Windows\System32\winmmbase.dll	Microsoft Corporation	10.0.10586.0 (th2_release.151029-1700)	30/10/2015 00:34:56
    LogonUI.exe	0x7ff7a6de0000	0x7000	C:\Windows\System32\LogonUI.exe	Microsoft Corporation	10.0.10586.0 (th2_release.151029-1700)	30/10/2015 00:40:12
    Windows.UI.Immersive.dll	0x7ffca4c50000	0x1bd000	C:\Windows\System32\Windows.UI.Immersive.dll	Microsoft Corporation	10.0.10586.0 (th2_release.151029-1700)	30/10/2015 00:23:34
    iertutil.dll	0x7ffca5440000	0x382000	C:\Windows\System32\iertutil.dll	Microsoft Corporation	11.00.10586.0 (th2_release.151029-1700)	13/11/2015 03:36:00
    Windows.UI.Xaml.dll	0x7ffca5870000	0x1039000	C:\Windows\System32\Windows.UI.Xaml.dll	Microsoft Corporation	10.0.10586.0 (th2_release.151029-1700)	13/11/2015 04:05:11
    Windows.UI.dll	0x7ffca6b20000	0xa9000	C:\Windows\System32\Windows.UI.dll	Microsoft Corporation	10.0.10586.0 (th2_release.151029-1700)	13/11/2015 03:49:24
    MrmCoreR.dll	0x7ffca6c50000	0x10e000	C:\Windows\System32\MrmCoreR.dll	Microsoft Corporation	10.0.10586.0 (th2_release.151029-1700)	30/10/2015 00:23:54
    wincorlib.dll	0x7ffca6e60000	0x6a000	C:\Windows\System32\wincorlib.dll	Microsoft Corporation	10.0.10586.0 (th2_release.151029-1700)	30/10/2015 00:36:08
    Windows.UI.Logon.dll	0x7ffca7070000	0x289000	C:\Windows\System32\Windows.UI.Logon.dll	Microsoft Corporation	10.0.10586.0 (th2_release.151029-1700)	30/10/2015 00:18:36
    atidxx64.dll	0x7ffca9b90000	0xc88000	C:\Windows\System32\atidxx64.dll	Advanced Micro Devices, Inc. 	8.17.10.0644	18/11/2015 01:12:29
    WinTypes.dll	0x7ffcaa900000	0x136000	C:\Windows\System32\WinTypes.dll	Microsoft Corporation	10.0.10586.0 (th2_release.151029-1700)	30/10/2015 00:23:53
    atiuxp64.dll	0x7ffcab9a0000	0x28000	C:\Windows\System32\atiuxp64.dll	Advanced Micro Devices, Inc. 	8.14.01.6489	18/11/2015 00:51:57
    KBDUS.DLL	0x7ffcab9e0000	0x7000	C:\Windows\System32\KBDUS.DLL	Microsoft Corporation	10.0.10586.0 (th2_release.151029-1700)	30/10/2015 00:09:42
    MsSpellCheckingFacility.dll	0x7ffcabb20000	0x106000	C:\Windows\System32\MsSpellCheckingFacility.dll	Microsoft Corporation	10.0.10586.0 (th2_release.151029-1700)	30/10/2015 00:20:48
    KBDBR.DLL	0x7ffcabcb0000	0x6000	C:\Windows\System32\KBDBR.DLL	Microsoft Corporation	10.0.10586.0 (th2_release.151029-1700)	30/10/2015 00:42:52
    version.dll	0x7ffcabcc0000	0xa000	C:\Windows\System32\version.dll	Microsoft Corporation	10.0.10586.0 (th2_release.151029-1700)	30/10/2015 00:40:36
    aticfx64.dll	0x7ffcabd00000	0x16f000	C:\Windows\System32\aticfx64.dll	Advanced Micro Devices, Inc. 	8.17.10.1429	18/11/2015 02:46:12
    Winlangdb.dll	0x7ffcabf00000	0x6e000	C:\Windows\System32\Winlangdb.dll	Microsoft Corporation	10.0.10586.0 (th2_release.151029-1700)	30/10/2015 00:10:38
    actxprxy.dll	0x7ffcacb80000	0x493000	C:\Windows\System32\actxprxy.dll	Microsoft Corporation	10.0.10586.0 (th2_release.151029-1700)	30/10/2015 00:14:52
    BCP47Langs.dll	0x7ffcad1d0000	0x67000	C:\Windows\System32\BCP47Langs.dll	Microsoft Corporation	10.0.10586.0 (th2_release.151029-1700)	30/10/2015 00:30:25
    InputSwitch.dll	0x7ffcad2a0000	0x4f000	C:\Windows\System32\InputSwitch.dll	Microsoft Corporation	10.0.10586.0 (th2_release.151029-1700)	30/10/2015 00:31:55
    dxgi.dll	0x7ffcad2f0000	0xa2000	C:\Windows\System32\dxgi.dll	Microsoft Corporation	10.0.10586.0 (th2_release.151029-1700)	30/10/2015 00:29:42
    d3d11.dll	0x7ffcad3e0000	0x2a8000	C:\Windows\System32\d3d11.dll	Microsoft Corporation	10.0.10586.0 (th2_release.151029-1700)	30/10/2015 00:13:56
    dwmapi.dll	0x7ffcad690000	0x22000	C:\Windows\System32\dwmapi.dll	Microsoft Corporation	10.0.10586.0 (th2_release.151029-1700)	30/10/2015 00:32:33
    propsys.dll	0x7ffcad6c0000	0x186000	C:\Windows\System32\propsys.dll	Microsoft Corporation	7.00.10586.0 (th2_release.151029-1700)	30/10/2015 00:15:46
    wtsapi32.dll	0x7ffcad870000	0x13000	C:\Windows\System32\wtsapi32.dll	Microsoft Corporation	10.0.10586.0 (th2_release.151029-1700)	30/10/2015 00:10:06
    samlib.dll	0x7ffcad890000	0x1c000	C:\Windows\System32\samlib.dll	Microsoft Corporation	10.0.10586.0 (th2_release.151029-1700)	30/10/2015 00:39:26
    shacct.dll	0x7ffcad8b0000	0x32000	C:\Windows\System32\shacct.dll	Microsoft Corporation	10.0.10586.0 (th2_release.151029-1700)	30/10/2015 00:33:35
    sppc.dll	0x7ffcad8f0000	0x25000	C:\Windows\System32\sppc.dll	Microsoft Corporation	10.0.10586.0 (th2_release.151029-1700)	30/10/2015 00:32:46
    winmmbase.dll	0x7ffcad920000	0x2c000	C:\Windows\System32\winmmbase.dll	Microsoft Corporation	10.0.10586.0 (th2_release.151029-1700)	30/10/2015 00:34:56
    slc.dll	0x7ffcad950000	0x25000	C:\Windows\System32\slc.dll	Microsoft Corporation	10.0.10586.0 (th2_release.151029-1700)	30/10/2015 00:16:13
    winmm.dll	0x7ffcad980000	0x23000	C:\Windows\System32\winmm.dll	Microsoft Corporation	10.0.10586.0 (th2_release.151029-1700)	30/10/2015 00:35:26
    CoreMessaging.dll	0x7ffcad9b0000	0xbe000	C:\Windows\System32\CoreMessaging.dll	Microsoft Corporation	10.0.10586.0	29/10/2015 23:57:48
    LogonController.dll	0x7ffcada70000	0x85000	C:\Windows\System32\LogonController.dll	Microsoft Corporation	10.0.10586.0 (th2_release.151029-1700)	30/10/2015 00:27:14
    uxtheme.dll	0x7ffcae080000	0x96000	C:\Windows\System32\uxtheme.dll	Microsoft Corporation	10.0.10586.0 (th2_release.151029-1700)	30/10/2015 00:13:23
    twinapi.appcore.dll	0x7ffcae220000	0x100000	C:\Windows\System32\twinapi.appcore.dll	Microsoft Corporation	10.0.10586.0 (th2_release.151029-1700)	30/10/2015 00:16:21
    rmclient.dll	0x7ffcae4c0000	0x2a000	C:\Windows\System32\rmclient.dll	Microsoft Corporation	10.0.10586.0 (th2_release.151029-1700)	30/10/2015 00:35:57
    winsta.dll	0x7ffcaeb10000	0x56000	C:\Windows\System32\winsta.dll	Microsoft Corporation	10.0.10586.0 (th2_release.151029-1700)	30/10/2015 00:19:33
    userenv.dll	0x7ffcaeec0000	0x1f000	C:\Windows\System32\userenv.dll	Microsoft Corporation	10.0.10586.0 (th2_release.151029-1700)	30/10/2015 00:36:27
    bcrypt.dll	0x7ffcaf590000	0x29000	C:\Windows\System32\bcrypt.dll	Microsoft Corporation	10.0.10586.0 (th2_release.151029-1700)	30/10/2015 00:37:16
    kernel.appcore.dll	0x7ffcaf700000	0xf000	C:\Windows\System32\kernel.appcore.dll	Microsoft Corporation	10.0.10586.0 (th2_release.151029-1700)	30/10/2015 00:39:54
    powrprof.dll	0x7ffcaf710000	0x4b000	C:\Windows\System32\powrprof.dll	Microsoft Corporation	10.0.10586.0 (th2_release.151029-1700)	30/10/2015 00:36:20
    profapi.dll	0x7ffcaf760000	0x14000	C:\Windows\System32\profapi.dll	Microsoft Corporation	10.0.10586.0 (th2_release.151029-1700)	30/10/2015 00:39:08
    cfgmgr32.dll	0x7ffcaf980000	0x43000	C:\Windows\System32\cfgmgr32.dll	Microsoft Corporation	10.0.10586.0 (th2_release.151029-1700)	30/10/2015 00:34:09
    SHCore.dll	0x7ffcaf9d0000	0xb5000	C:\Windows\System32\SHCore.dll	Microsoft Corporation	10.0.10586.0 (th2_release.151029-1700)	30/10/2015 00:22:15
    bcryptprimitives.dll	0x7ffcafa90000	0x6a000	C:\Windows\System32\bcryptprimitives.dll	Microsoft Corporation	10.0.10586.0 (th2_release.151029-1700)	30/10/2015 00:35:02
    windows.storage.dll	0x7ffcafb90000	0x644000	C:\Windows\System32\windows.storage.dll	Microsoft Corporation	10.0.10586.0 (th2_release.151029-1700)	30/10/2015 00:27:42
    KernelBase.dll	0x7ffcb02f0000	0x1e8000	C:\Windows\System32\KernelBase.dll	Microsoft Corporation	10.0.10586.0 (th2_release.151029-1700)	30/10/2015 00:11:42
    clbcatq.dll	0x7ffcb04e0000	0xa7000	C:\Windows\System32\clbcatq.dll	Microsoft Corporation	2001.12.10941.16384 (th2_release.151029-1700)	30/10/2015 00:29:41
    imm32.dll	0x7ffcb0590000	0x3b000	C:\Windows\System32\imm32.dll	Microsoft Corporation	10.0.10586.0 (th2_release.151029-1700)	30/10/2015 00:23:09
    gdi32.dll	0x7ffcb05d0000	0x186000	C:\Windows\System32\gdi32.dll	Microsoft Corporation	10.0.10586.0 (th2_release.151029-1700)	30/10/2015 00:29:21
    sechost.dll	0x7ffcb0d10000	0x5b000	C:\Windows\System32\sechost.dll	Microsoft Corporation	10.0.10586.0 (th2_release.151029-1700)	30/10/2015 00:32:18
    oleaut32.dll	0x7ffcb0e50000	0xc1000	C:\Windows\System32\oleaut32.dll	Microsoft Corporation	10.0.10586.0	30/10/2015 00:31:27
    rpcrt4.dll	0x7ffcb0f20000	0x11c000	C:\Windows\System32\rpcrt4.dll	Microsoft Corporation	10.0.10586.0 (th2_release.151029-1700)	30/10/2015 00:25:25
    ole32.dll	0x7ffcb1040000	0x143000	C:\Windows\System32\ole32.dll	Microsoft Corporation	10.0.10586.0 (th2_release.151029-1700)	30/10/2015 00:24:46
    kernel32.dll	0x7ffcb11a0000	0xad000	C:\Windows\System32\kernel32.dll	Microsoft Corporation	10.0.10586.0 (th2_release.151029-1700)	30/10/2015 00:27:54
    user32.dll	0x7ffcb27b0000	0x156000	C:\Windows\System32\user32.dll	Microsoft Corporation	10.0.10586.0 (th2_release.151029-1700)	30/10/2015 00:23:52
    shlwapi.dll	0x7ffcb2920000	0x52000	C:\Windows\System32\shlwapi.dll	Microsoft Corporation	10.0.10586.0 (th2_release.151029-1700)	30/10/2015 00:28:38
    advapi32.dll	0x7ffcb2980000	0xa7000	C:\Windows\System32\advapi32.dll	Microsoft Corporation	10.0.10586.0 (th2_release.151029-1700)	30/10/2015 00:28:11
    combase.dll	0x7ffcb2a30000	0x27d000	C:\Windows\System32\combase.dll	Microsoft Corporation	10.0.10586.0 (th2_release.151029-1700)	30/10/2015 00:19:54
    msvcrt.dll	0x7ffcb2cd0000	0x9d000	C:\Windows\System32\msvcrt.dll	Microsoft Corporation	7.0.10586.0 (th2_release.151029-1700)	30/10/2015 00:36:14
    msctf.dll	0x7ffcb2f20000	0x15a000	C:\Windows\System32\msctf.dll	Microsoft Corporation	10.0.10586.0 (th2_release.151029-1700)	30/10/2015 00:23:28
    ntdll.dll	0x7ffcb30e0000	0x1c1000	C:\Windows\System32\ntdll.dll	Microsoft Corporation	10.0.10586.0 (th2_release.151029-1700)	30/10/2015 00:10:27

    You can see the call to atidxx64.dll, which is the AMD DX11 driver.

    After the file is created, you can see that LogonUI is reading it (which it should, if it indeed is using it instead of compiling a shader on the fly). It also seems to be trying to create another folder for Cache, but failing. I don't know what that's about.
    [image]

    Finally, this is the CSV stack report from the creation of the file.
    Code:
    "Frame","Module","Location","Address","Path"
    "0","FLTMGR.SYS","FltDecodeParameters + 0x18e1","0xfffff80093e86d21","C:\Windows\System32\drivers\FLTMGR.SYS"
    "1","FLTMGR.SYS","FltDecodeParameters + 0x148c","0xfffff80093e868cc","C:\Windows\System32\drivers\FLTMGR.SYS"
    "2","FLTMGR.SYS","FltQueryInformationFile + 0x723","0xfffff80093eb62c3","C:\Windows\System32\drivers\FLTMGR.SYS"
    "3","ntoskrnl.exe","ProbeForWrite + 0xc08","0xfffff800d4a08328","C:\Windows\system32\ntoskrnl.exe"
    "4","ntoskrnl.exe","MmSecureVirtualMemory + 0x19e","0xfffff800d4a87aba","C:\Windows\system32\ntoskrnl.exe"
    "5","ntoskrnl.exe","NtQueryInformationFile + 0x1026","0xfffff800d49fec96","C:\Windows\system32\ntoskrnl.exe"
    "6","ntoskrnl.exe","ObOpenObjectByNameEx + 0x1ec","0xfffff800d49fd69c","C:\Windows\system32\ntoskrnl.exe"
    "7","ntoskrnl.exe","ObOpenObjectByName + 0x488","0xfffff800d4a268c8","C:\Windows\system32\ntoskrnl.exe"
    "8","ntoskrnl.exe","NtCreateFile + 0x79","0xfffff800d4a26429","C:\Windows\system32\ntoskrnl.exe"
    "9","ntoskrnl.exe","setjmpex + 0x3963","0xfffff800d4760ca3","C:\Windows\system32\ntoskrnl.exe"
    "10","ntdll.dll","NtCreateFile + 0x14","0x7ffcb31857f4","C:\Windows\System32\ntdll.dll"
    "11","KernelBase.dll","CreateFileW + 0x394","0x7ffcb030a484","C:\Windows\System32\KernelBase.dll"
    "12","KernelBase.dll","CreateFileW + 0x66","0x7ffcb030a156","C:\Windows\System32\KernelBase.dll"
    "13","KernelBase.dll","CreateFileA + 0x5d","0x7ffcb0350dcd","C:\Windows\System32\KernelBase.dll"
    "14","atidxx64.dll","AmdDxGsaFreeCompiledShader + 0x37e7b","0x7ffca9c1cd3b","C:\Windows\System32\atidxx64.dll"
    "15","atidxx64.dll","AmdDxGsaFreeCompiledShader + 0x37939","0x7ffca9c1c7f9","C:\Windows\System32\atidxx64.dll"
    "16","atidxx64.dll","AmdDxGsaFreeCompiledShader + 0x35507","0x7ffca9c1a3c7","C:\Windows\System32\atidxx64.dll"
    "17","atidxx64.dll","AmdDxGsaFreeCompiledShader + 0x34b90","0x7ffca9c19a50","C:\Windows\System32\atidxx64.dll"
    "18","atidxx64.dll","AmdDxGsaFreeCompiledShader + 0x1b048","0x7ffca9bfff08","C:\Windows\System32\atidxx64.dll"
    "19","atidxx64.dll","AmdDxGsaFreeCompiledShader + 0x1a205","0x7ffca9bff0c5","C:\Windows\System32\atidxx64.dll"
    "20","atidxx64.dll","XdxInitXopAdapterServices + 0x1eee","0x7ffca9b95cce","C:\Windows\System32\atidxx64.dll"
    "21","atidxx64.dll","XdxInitXopAdapterServices + 0x1bd8","0x7ffca9b959b8","C:\Windows\System32\atidxx64.dll"
    "22","atidxx64.dll","XdxInitXopAdapterServices + 0x341e5","0x7ffca9bc7fc5","C:\Windows\System32\atidxx64.dll"
    "23","atidxx64.dll","XdxInitXopAdapterServices + 0x16c91","0x7ffca9baaa71","C:\Windows\System32\atidxx64.dll"
    "24","atidxx64.dll","XdxInitXopAdapterServices + 0x14a3d","0x7ffca9ba881d","C:\Windows\System32\atidxx64.dll"
    "25","atidxx64.dll","XdxInitXopAdapterServices + 0xa6d","0x7ffca9b9484d","C:\Windows\System32\atidxx64.dll"
    "26","atiuxp64.dll","OpenAdapter10_2 + 0x4ede","0x7ffcab9aab72","C:\Windows\System32\atiuxp64.dll"
    "27","atiuxp64.dll","OpenAdapter10_2 + 0x12a","0x7ffcab9a5dbe","C:\Windows\System32\atiuxp64.dll"
    "28","aticfx64.dll","OpenAdapter10_2 + 0x13e","0x7ffcabd06ace","C:\Windows\System32\aticfx64.dll"
    "29","d3d11.dll","D3D11CoreCreateDevice + 0x27446","0x7ffcad422f66","C:\Windows\System32\d3d11.dll"
    "30","d3d11.dll","D3D11CoreCreateDevice + 0x764c","0x7ffcad40316c","C:\Windows\System32\d3d11.dll"
    "31","d3d11.dll","D3D11CoreCreateDevice + 0x1d315","0x7ffcad418e35","C:\Windows\System32\d3d11.dll"
    "32","d3d11.dll","D3D11CoreCreateDevice + 0x361a1","0x7ffcad431cc1","C:\Windows\System32\d3d11.dll"
    "33","d3d11.dll","D3D11CoreCreateDevice + 0x247cb","0x7ffcad4202eb","C:\Windows\System32\d3d11.dll"
    "34","d3d11.dll","D3D11CoreCreateDevice + 0x1300d","0x7ffcad40eb2d","C:\Windows\System32\d3d11.dll"
    "35","d3d11.dll","D3D11CoreCreateDevice + 0x27ac8","0x7ffcad4235e8","C:\Windows\System32\d3d11.dll"
    "36","d3d11.dll","D3D11CoreCreateDevice + 0x23f0d","0x7ffcad41fa2d","C:\Windows\System32\d3d11.dll"
    "37","d3d11.dll","D3D11CoreCreateDevice + 0x23ebd","0x7ffcad41f9dd","C:\Windows\System32\d3d11.dll"
    "38","d3d11.dll","D3D11CoreCreateDevice + 0x23c53","0x7ffcad41f773","C:\Windows\System32\d3d11.dll"
    "39","d3d11.dll","d3d11.dll + 0x19b13","0x7ffcad3f9b13","C:\Windows\System32\d3d11.dll"
    "40","d3d11.dll","D3D11CoreCreateLayeredDevice + 0x335","0x7ffcad3fb145","C:\Windows\System32\d3d11.dll"
    "41","d3d11.dll","D3D11CoreCreateLayeredDevice + 0x12b","0x7ffcad3faf3b","C:\Windows\System32\d3d11.dll"
    "42","d3d11.dll","D3D11CoreCreateDevice + 0x4a83","0x7ffcad4005a3","C:\Windows\System32\d3d11.dll"
    "43","d3d11.dll","D3D11CoreCreateDevice + 0x6f2","0x7ffcad3fc212","C:\Windows\System32\d3d11.dll"
    "44","d3d11.dll","D3D11CreateDeviceAndSwapChain + 0x402","0x7ffcad3fa592","C:\Windows\System32\d3d11.dll"
    "45","d3d11.dll","D3D11CreateDeviceAndSwapChain + 0xe4","0x7ffcad3fa274","C:\Windows\System32\d3d11.dll"
    "46","d3d11.dll","D3D11CreateDevice + 0x14c","0x7ffcad3fa17c","C:\Windows\System32\d3d11.dll"
    "47","d3d11.dll","D3D11CreateDevice + 0xcc","0x7ffcad3fa0fc","C:\Windows\System32\d3d11.dll"
    "48","Windows.UI.Xaml.dll","DllGetActivationFactory + 0xe4ce","0x7ffca5b2252e","C:\Windows\System32\Windows.UI.Xaml.dll"
    "49","Windows.UI.Xaml.dll","DllGetActivationFactory + 0xe319","0x7ffca5b22379","C:\Windows\System32\Windows.UI.Xaml.dll"
    "50","Windows.UI.Xaml.dll","Windows.UI.Xaml.dll + 0x21d438","0x7ffca5a8d438","C:\Windows\System32\Windows.UI.Xaml.dll"
    "51","ntdll.dll","RtlAcquireSRWLockShared + 0x6171","0x7ffcb310d631","C:\Windows\System32\ntdll.dll"
    "52","ntdll.dll","RtlAcquireSRWLockShared + 0x4274","0x7ffcb310b734","C:\Windows\System32\ntdll.dll"
    "53","kernel32.dll","BaseThreadInitThunk + 0x22","0x7ffcb11b8102","C:\Windows\System32\kernel32.dll"
    "54","ntdll.dll","RtlUserThreadStart + 0x34","0x7ffcb313c264","C:\Windows\System32\ntdll.dll"

    Notice the "atidxx64.dll","AmdDxGsaFreeCompiledShader + 0x37e7b","0x7ffca9c1cd3b","C:\Windows\System32\atidxx64.dll" events. It seems that the driver is doing stuff with compiled shaders, which would make sense if it's serving or creating a shader for LogonUI.exe.

    Now, my belief (and I'm no expert) is that Malwarebytes detects the shader as a trojan, because it contains code created by LogonUI (its shaders), and it's being packed in System32. LogonUI itself is a critical system component and a primary target for viruses and especially trojans. So when Malwarebytes detects a file "feeding" code to LogonUI, it flags it. The location itself must be the location for shaders created by processes that are neither the system Administrator, nor a simple user.

    So, in the end, I believe it's harmless, and I don't even know what AMD could have done to prevent this. We have activated the thing ourselves, when there is obviously not an "official" way to do so. Maybe they should create a blacklist for the feature, instead of a whitelist, and prohibit processes like LogonUI to do that. These are my two cents. It would be great if we could have some official response for this.
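    The attribution done by hand in the post above (kernel frames at the bottom, Windows user-mode frames, then the first third-party module, then the chain back to the thread start) can be automated. The script below is an added example written for this page, not code from the thread, from AMD or from Microsoft. It parses a Process Monitor "Copy stack as CSV" export, splits kernel from user frames by address, and reports which non-Windows module was the first to call into Windows and through which API. The embedded stack is a trimmed copy of the frames shown above; the set of module names treated as "part of Windows" is an assumption taken from the Microsoft-signed entries in the module list, and the plausible-offset threshold is an arbitrary choice.

```python
import csv
import io
import re
from collections import namedtuple

Frame = namedtuple("Frame", "index module symbol offset address path")

# Constructed sample: a trimmed copy of the Process Monitor CSV stack export
# from the post (frames around the kernel/user boundary plus the chain of
# callers up to the thread start), so the script runs offline.
SAMPLE_STACK_CSV = r'''"Frame","Module","Location","Address","Path"
"8","ntoskrnl.exe","NtCreateFile + 0x79","0xfffff800d4a26429","C:\Windows\system32\ntoskrnl.exe"
"9","ntoskrnl.exe","setjmpex + 0x3963","0xfffff800d4760ca3","C:\Windows\system32\ntoskrnl.exe"
"10","ntdll.dll","NtCreateFile + 0x14","0x7ffcb31857f4","C:\Windows\System32\ntdll.dll"
"11","KernelBase.dll","CreateFileW + 0x394","0x7ffcb030a484","C:\Windows\System32\KernelBase.dll"
"13","KernelBase.dll","CreateFileA + 0x5d","0x7ffcb0350dcd","C:\Windows\System32\KernelBase.dll"
"14","atidxx64.dll","AmdDxGsaFreeCompiledShader + 0x37e7b","0x7ffca9c1cd3b","C:\Windows\System32\atidxx64.dll"
"25","atidxx64.dll","XdxInitXopAdapterServices + 0xa6d","0x7ffca9b9484d","C:\Windows\System32\atidxx64.dll"
"26","atiuxp64.dll","OpenAdapter10_2 + 0x4ede","0x7ffcab9aab72","C:\Windows\System32\atiuxp64.dll"
"28","aticfx64.dll","OpenAdapter10_2 + 0x13e","0x7ffcabd06ace","C:\Windows\System32\aticfx64.dll"
"29","d3d11.dll","D3D11CoreCreateDevice + 0x27446","0x7ffcad422f66","C:\Windows\System32\d3d11.dll"
"46","d3d11.dll","D3D11CreateDevice + 0x14c","0x7ffcad3fa17c","C:\Windows\System32\d3d11.dll"
"48","Windows.UI.Xaml.dll","DllGetActivationFactory + 0xe4ce","0x7ffca5b2252e","C:\Windows\System32\Windows.UI.Xaml.dll"
"53","kernel32.dll","BaseThreadInitThunk + 0x22","0x7ffcb11b8102","C:\Windows\System32\kernel32.dll"
"54","ntdll.dll","RtlUserThreadStart + 0x34","0x7ffcb313c264","C:\Windows\System32\ntdll.dll"
'''

# ProcMon writes "symbol + 0xoffset"; with no symbols at all it writes "module + 0xoffset".
_LOC_RE = re.compile(r"^(?P<sym>.+?) \+ 0x(?P<off>[0-9a-fA-F]+)$")

# Start of the kernel half of the x64 virtual address space.
KERNEL_BASE = 0xFFFF800000000000

# Assumption: user-mode modules treated as part of Windows for attribution,
# chosen by name from the Microsoft-signed entries in the module list above.
# In a real triage derive this from each module's Authenticode signer on disk.
WINDOWS_MODULES = {
    "ntdll.dll", "kernelbase.dll", "kernel32.dll", "d3d11.dll", "dxgi.dll",
    "windows.ui.xaml.dll", "windows.ui.dll", "combase.dll", "user32.dll",
}


def parse_stack(csv_text):
    """Parse a Process Monitor 'Copy stack as CSV' export into Frame tuples."""
    frames = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        m = _LOC_RE.match(row["Location"])
        if m:
            symbol, offset = m.group("sym"), int(m.group("off"), 16)
        else:
            symbol, offset = row["Location"], 0
        if symbol.lower() == row["Module"].lower():
            symbol = None  # no symbol resolved, only an image offset
        frames.append(Frame(int(row["Frame"]), row["Module"], symbol, offset,
                            int(row["Address"], 16), row["Path"]))
    return frames


def is_kernel(frame):
    """Kernel frames live above KERNEL_BASE regardless of what module they name."""
    return frame.address >= KERNEL_BASE


def attribute_file_create(frames, windows_modules=WINDOWS_MODULES):
    """Walk user-mode frames from the syscall upward; the first module that is
    not part of Windows is the code responsible for the file operation, and the
    frame just below it is the Windows API it went through."""
    user = [f for f in frames if not is_kernel(f)]
    for pos, f in enumerate(user):
        if f.module.lower() in windows_modules:
            continue
        entry = user[pos - 1] if pos else None
        chain = []  # distinct modules from the origin up to the thread start
        for g in user[pos:]:
            if not chain or chain[-1] != g.module:
                chain.append(g.module)
        return {
            "origin_module": f.module,
            "origin_frame": f.index,
            "entry_api": f"{entry.module}!{entry.symbol}" if entry else None,
            "module_chain": chain,
            "kernel_frames": sum(1 for g in frames if is_kernel(g)),
        }
    return None


def nearest_export_only(frame, max_plausible_offset=0x2000):
    """Without a PDB, ProcMon names a frame after the nearest *exported* function
    below its address. A very large offset means the code is merely somewhere
    after that export in the image, not inside the named function."""
    return frame.symbol is not None and frame.offset > max_plausible_offset


if __name__ == "__main__":
    stack = parse_stack(SAMPLE_STACK_CSV)
    result = attribute_file_create(stack)
    print("origin:", result["origin_module"], "frame", result["origin_frame"])
    print("entered Windows via:", result["entry_api"])
    print("caller chain:", " <- ".join(result["module_chain"]))
    for f in stack:
        if nearest_export_only(f):
            print(f"frame {f.index}: '{f.symbol}' is only the nearest export (+0x{f.offset:x})")
```

    On the sample this reports atidxx64.dll (frame 14) as the origin, reached through KernelBase.dll!CreateFileA, with the chain atidxx64.dll, atiuxp64.dll, aticfx64.dll, d3d11.dll, Windows.UI.Xaml.dll back to the thread start. The caveat the last function encodes matters for reading the post's stack: `AmdDxGsaFreeCompiledShader + 0x37e7b` is roughly 229 KB past that export, so the stack supports "atidxx64.dll wrote the file during D3D11 device creation", not "a shader-freeing routine wrote it". A name-based allowlist is also only as good as the names; for a real case verify the signer of each module on disk (PowerShell's Get-AuthenticodeSignature will do) rather than trusting that a file called atidxx64.dll in System32 is AMD's.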
     
  4. PrMinisterGR

    PrMinisterGR Ancient Guru

    Messages:
    7,753
    Likes Received:
    661
    GPU:
    Inno3D RTX 3090
    I already did that. It reappears after every boot. All the people who don't have the folder either don't have Windows 10, or they don't have Shader Cache globally enabled. It seems that LogonUI.exe in Windows 7 doesn't do DX11 calls as it seems to be doing under Windows 10, as I have shown above.
     

  5. Cave Waverider

    Cave Waverider Maha Guru

    Messages:
    1,122
    Likes Received:
    132
    GPU:
    RTX 3090 ROG Strix
    Really odd. I've got the Crimson drivers (downloaded directly from amd.com) installed on my dual 7970Ms with Shader Cache enabled, but there is no Windows\System32\P folder on Windows 10 1511.

    I don't have the Gaming Evolved app installed, could it have something to do with that?
     
  6. biggyca

    biggyca Master Guru

    Messages:
    353
    Likes Received:
    2
    GPU:
    GTX 980 GALAX
    windows 7, shader cache enabled on radeonmod, no "p" folder.
     
  7. theoneofgod

    theoneofgod Ancient Guru

    Messages:
    4,605
    Likes Received:
    249
    GPU:
    RX 580 8GB
    What happens if you add LogonUI.exe to Radeon Settings and turn off Shader Cache? I've been trying to recreate the P directory by running things in System32, etc, but haven't managed it.
     
  8. PrMinisterGR

    PrMinisterGR Ancient Guru

    Messages:
    7,753
    Likes Received:
    661
    GPU:
    Inno3D RTX 3090
    Neither I nor, I suspect, Blackfyre have Gaming Evolved installed.

    First I created a profile for LogonUI.exe and set Shader Cache to off for it. It didn't work, the files were there when I restarted. Then I disabled the Shader Cache through RadeonMod (set the bits to 0x3000). The files didn't get created. It seems that the global setting is being used before any kind of profile is loaded, or the profiles functionality is slower to work/kick in.
     
  9. theoneofgod

    theoneofgod Ancient Guru

    Messages:
    4,605
    Likes Received:
    249
    GPU:
    RX 580 8GB
    It seems from Pr's tests, the file is only detected as being malicious in the System32 directory, not when on the Desktop for example. That to me says it's a false positive and it's being flagged because it's suspicious being there. I don't know why AMD is caching in System32, it is strange, maybe they haven't done tests with Shader Cache globally on, maybe in the future it won't be possible, or they'll fix it and add the option to Radeon Settings.
     
  10. theoneofgod

    theoneofgod Ancient Guru

    Messages:
    4,605
    Likes Received:
    249
    GPU:
    RX 580 8GB
    [image]

    Empty though.
     

  11. PrMinisterGR

    PrMinisterGR Ancient Guru

    Messages:
    7,753
    Likes Received:
    661
    GPU:
    Inno3D RTX 3090
    If you see from my logs, it was trying to create a Ÿ folder before the P one, and it couldn't. I believe it gets flagged because it's "feeding" LogonUI.exe with binary code instead of compiling on the spot. And since LogonUI is responsible for user authentication, the .bin gets flagged as a Trojan. The desktop file doesn't get flagged because it's not "feeding" LogonUI.exe with anything. The binary file itself is harmless, I think that what triggers the virus warnings is the act of supplanting the compilation process with a precompiled binary file and injecting that binary to LogonUI.exe.
     
  12. vdelvec

    vdelvec Member Guru

    Messages:
    157
    Likes Received:
    16
    GPU:
    Nvidia RTX 3090
    I always knew AMD was some kind of parasite or virus. LOL
     
  13. MerolaC

    MerolaC Ancient Guru

    Messages:
    3,544
    Likes Received:
    379
    GPU:
    MSI 5600XT G. MX
    Stop spreading misinformation and bull****.
    It's not funny and you just make people afraid of nothing.
    Reported.
     
  14. xxela

    xxela Master Guru

    Messages:
    225
    Likes Received:
    7
    GPU:
    RX6800 XT Red Devil
    I have Windows 10 TH2 and Shader Cache globally enabled but I don't have any P or € folders in System32. Must be something else but I don't think it is something to worry about. Antiviruses do this false positive thing quite often with no real reason.
    Also I'm on the guru3d driver version.
     
  15. WhiteLightning

    WhiteLightning Don Illuminati Staff Member

    Messages:
    28,923
    Likes Received:
    1,778
    GPU:
    GTX1070 iChillx4
    Please dont make comments like this , no need to flame here!
     

  16. thatguy91

    thatguy91 Ancient Guru

    Messages:
    6,643
    Likes Received:
    99
    GPU:
    XFX RX 480 RS 4 GB
    Is an antivirus being run, and if so what is it? Malwarebytes Anti-Malware isn't a virus scanner.

    It looks like something strange is going on with the system. No out of place dodgy folders here, everything is where it is supposed to be. Programs shouldn't really add folders to the system32 folder, and as it isn't commonly reported it suggests the issue is a localised one. Furthermore, those files could actually be trojans in the scan if the reason for the files being there are due to malicious reasons. They could even be infected duplicates of those in the proper files, there for the purpose of you not knowing that it's not meant to be there (typical person that is) and for it to run those files each time a game is loaded.

    Who knows, but in any case I would recommend examining the computer closely.
     
    Last edited: Nov 29, 2015
  17. Romulus_ut3

    Romulus_ut3 Master Guru

    Messages:
    683
    Likes Received:
    148
    GPU:
    AMD RX 570 4GB
    I guess forcing shader cache globally has its quirks.
     
    Last edited: Nov 29, 2015
  18. Undying

    Undying Ancient Guru

    Messages:
    15,806
    Likes Received:
    4,817
    GPU:
    Aorus RX580 XTR 8GB
    That's why we have profiles for that. I don't understand why you would force it globally with third-party software.
     
  19. Blackfyre

    Blackfyre Maha Guru

    Messages:
    1,099
    Likes Received:
    89
    GPU:
    RTX 2070 Super
    The thread has been re-opened. Please read the original post on page one. Please respect the forum rules. Please run quickly through the thread (maybe a quick search) to see if your question has already been answered.
     
  20. PrMinisterGR

    PrMinisterGR Ancient Guru

    Messages:
    7,753
    Likes Received:
    661
    GPU:
    Inno3D RTX 3090
    So, after I did all this I honestly don't believe it's a virus. On the other hand, I find the place for the shaders created by system processes (like the "special" LogonUI.exe) a bit weird. On the other hand, I'm not sure that the shader file could even have been "fed" to a process like that from any "normal" location. They should really work with a blacklist for system services, and allow us to do whatever we want for the rest.
     
