Malware with Crimson? Or False-Positive? - AMDJoe

Discussion in 'Videocards - AMD Radeon Drivers Section' started by Blackfyre, Nov 28, 2015.

  1. Blackfyre

    Blackfyre Maha Guru

    Messages:
    1,099
    Likes Received:
    89
    GPU:
    RTX 2070 Super
    I concur. I don't think it's a virus or malware either.

    The objective of this thread was first to identify whether or not it's Malware. Then to hopefully allow AMD to realise why it's being detected as Malware.

    AMD should either contact Malwarebytes and other anti-malware and antivirus programs to add their Shader Cache to their safe list, or change their methods in the next driver update.
     
  2. Turanis

    Turanis Ancient Guru

    Messages:
    1,778
    Likes Received:
    471
    GPU:
    Gigabyte RX500
    Windows 7/10: no problems with that /P folder, it is not there.
    You have some malware or unwanted software that counterfeits that AMD software.

    Check closely every program you have installed in the last week.
    Did you scan with MSRT, Spybot or TDSSKiller?

    LogonUI.exe implements the graphical user interface shown when a user is asked to log in to the local machine. This is a core component of Windows and should be left alone.
    Note: The LogonUI.exe file is located in the folder C:\Windows\System32. In other cases, LogonUI.exe is a virus, spyware, trojan or worm!

    Check your Startup programs in the Win10 Task Manager; disable all or just some of the programs you don't want eating your RAM, etc.
     
    Last edited: Nov 30, 2015
  3. Blackfyre

    Blackfyre Maha Guru

    Messages:
    1,099
    Likes Received:
    89
    GPU:
    RTX 2070 Super
    No I have not installed any programs over the last week or so. No Gaming Evolved is not installed (a question which was asked earlier). I scan my computer regularly (at least once a week), and I pay very close attention to what I am installing (scanned before and after installation).

    Installing AMD 15.11.1 drivers, I played about 8 different DX11 games (no issues after the scan). Installed AMD Crimson, ran RadeonMod to force Shader Cache globally (aka for all games), then ran the same 8 games, and ended up with the same "malware" detected in the same P folder (directory); which we suspect is not malware, just the stupidity of writing to the System32 folder (aka AMD assumed no one is going to be enabling shader cache globally through a 3rd party app, and did not pay attention to where the shader cache is writing to when globally forced (enabled); this is evident because copying the same files to the desktop and scanning them renders them harmless).

    By the way it was already established that it could be in 3 different directories, not necessarily the P folder.

    It's not that hard to duplicate the problem really. Just run RadeonMod, enable Shader Cache (it's under UMD --> Gaming Optimization --> Shader Cache; change the value to 0x3200), and restart your computer... play through a bunch of DX11 games (say maybe 6 to 8 games); it'll take roughly 30 minutes of running around or doing 1 mission in each one, etc... Download Malwarebytes Anti-Malware and run a custom scan on your OS drive; on the left panel, make sure all 4 options are ticked when doing the custom scan for the OS drive (usually the C drive).
     
  4. Lumaan

    Lumaan Member

    Messages:
    39
    Likes Received:
    0
    GPU:
    Asus R9 290X 4GB OC
    Hmm, thinking out loud here, but can it be something that only happens in Windows 10 TH2 (10586)?
    In that MS changed something, and the AMD drivers need an update from the AMD devs?
     

  5. PrMinisterGR

    PrMinisterGR Ancient Guru

    Messages:
    7,749
    Likes Received:
    660
    GPU:
    Inno3D RTX 3090
    I did all that, including a whole Dr. Web scan that took all night, yesterday. There is nothing. Do you have Shader Cache globally enabled like we do? In the logs I also see that there are other locations being created; it doesn't necessarily have to be a P folder. There is nothing weird in the system, and after the triple scan I ran an sfc /scannow, which only reverted the OpenCL DLL that the AMD driver installs to the default MS one (which is the expected behavior btw).

    Both me and Blackfyre have TH2 and 7970s.
     
  6. Turanis

    Turanis Ancient Guru

    Messages:
    1,778
    Likes Received:
    471
    GPU:
    Gigabyte RX500
    Why should I run that untrusted program that gives you a headache? I don't wanna test it, don't wanna run it.
    So that's the culprit, that little program named RadeonMod.

    Shader Cache is enabled globally and runs without any problem, enabled even in every game I have.
    Windows 10 (1511 update)/Win7 runs well, no trouble here.

    I don't find any other "DxCache" in Windows 10/7, except \AppData\Local\AMD\DxCache.
     
    Last edited: Nov 30, 2015
  7. PrMinisterGR

    PrMinisterGR Ancient Guru

    Messages:
    7,749
    Likes Received:
    660
    GPU:
    Inno3D RTX 3090
    RadeonMod checks clean on every scan. Furthermore, I have changed the value in the Registry manually, and I got the same.
     
  8. Turanis

    Turanis Ancient Guru

    Messages:
    1,778
    Likes Received:
    471
    GPU:
    Gigabyte RX500
    This untrusted program put that folder in Windows\System32 and made Malwarebytes sound the alarm.
    I don't trust any program downloaded from the internet. Sorry. :)
     
  9. theoneofgod

    theoneofgod Ancient Guru

    Messages:
    4,605
    Likes Received:
    249
    GPU:
    RX 580 8GB
    The drivers are creating the cache, not RadeonMod. All you're doing is forcing the driver to cache shaders for everything DX10/11. LogonUI.exe is being cached and Malwarebytes is detecting it as a false positive. It's been discussed already.
     
  10. Blackfyre

    Blackfyre Maha Guru

    Messages:
    1,099
    Likes Received:
    89
    GPU:
    RTX 2070 Super
    You were just told you could edit the registry key yourself and it will produce the same effect. You don't need the program; the only thing the program does is simplify it. And again, after explaining it multiple times for two pages, you said you have Shader Cache enabled globally. How do you have it enabled globally exactly? Because there's no way of doing it through AMD Settings. If you set it to "AMD Optimized", that does not mean it's enabled globally.

    Really, it's actually getting to the point where it's becoming really hard to decide whether you're trolling or being serious. Because your comments are not only becoming repetitive, they are borderline idiotic and rage inducing.

    The program RadeonMod is endorsed by everyone here, including Guru3D, who have it posted in the download section on the site (you think they would post it before running it multiple times through several anti-virus and anti-malware programs?). So this "untrustworthy" program is as "untrustworthy" as MSI Afterburner. The members who created it are long-standing members of our Guru3D community who are trustworthy too.

    All it does is edit registry keys for the AMD drivers; if you don't trust it, you can do it yourself.

    If you're running WINDOWS 10, fully updated, as it says in the OP, and have shader cache globally enabled, and have run a full scan with Malwarebytes Anti-Malware and haven't found anything, then please do report to us here. Otherwise, please, enough with this repetitive stupidity in the comments.

    :bang::bang::bang:
     
    Last edited: Nov 30, 2015

  11. MacT

    MacT Member Guru

    Messages:
    184
    Likes Received:
    0
    GPU:
    2 x Sapphire HD 7970 OC
    Maybe this is why the Global settings for Shader Cache INSIDE the Crimson suite is AMD optimised only.

    Maybe AMD knows that total global (like what you are enabling through RadeonMod) will fully enable Shader Cache creation for things unrelated to DX gaming. So their global 'AMD Optimised' somewhat limits Shader Cache creation to game-related DX programs.

    By setting 'Global' within RadeonMod, you are bypassing the AMD optimised (which excludes all the unnecessary Shader Cache creation for irrelevant processes).

    p.s. It's getting confusing when peeps misunderstand the 2 'Globals': the Global Settings - Shader Cache AMD Optimised within the Crimson software vs. the global enable Shader Cache within RadeonMod.
     
  12. Blackfyre

    Blackfyre Maha Guru

    Messages:
    1,099
    Likes Received:
    89
    GPU:
    RTX 2070 Super
    It's not really creating it for anything unrelated. The only thing Shader Cache works on is DX10 and DX11 applications/games (edit: correction, games & applications, thanks to @theoneofgod below). So no other programs would create Shader Cache files.

    I do agree that perhaps AMD omitted it on purpose. But they should have written code to prevent it from writing to System32... Because it just looks like carelessness to introduce a new feature that people have been looking forward to and not have the code for it written properly (or finished, rather). It ends up writing to both AppData and System32 :3eyes:

    Thanks for commenting and sharing your thoughts anyway.
     
    Last edited: Dec 1, 2015
  13. BoMbY

    BoMbY Member Guru

    Messages:
    185
    Likes Received:
    0
    GPU:
    Fury X
    MalwareBytes is ****. Uninstall it. Produces false positives like no other.
     
  14. Blackfyre

    Blackfyre Maha Guru

    Messages:
    1,099
    Likes Received:
    89
    GPU:
    RTX 2070 Super
    For the love of god and everything that is holy. We have already established that it doesn't matter whether it's actually Malware or not (and it's not Malware)... It shouldn't be writing to two different directories and it shouldn't be writing in the System32 folder. That's either a mistake, or just carelessness. And it should be fixed by AMD.
     
  15. BoMbY

    BoMbY Member Guru

    Messages:
    185
    Likes Received:
    0
    GPU:
    Fury X
    They can write to wherever they want. No other "security" software has a problem with that. Malwarebytes is oversensitive crap, and it is unnecessarily unsettling people with crap messages like this.
     

  16. PrMinisterGR

    PrMinisterGR Ancient Guru

    Messages:
    7,749
    Likes Received:
    660
    GPU:
    Inno3D RTX 3090
    Yeap. LogonUI.exe seems to be compiling shaders I guess. Maybe they should have a blacklist instead of a whitelist. That would make enabling the feature for everything easier, and keep instances like this correct.

    You are confusing things that it reports as "PUP" (Potentially Unwanted Programs), with actual detections. In this case I was actually impressed it got it. There is something feeding precompiled binaries to the Windows login process after all.
     
  17. theoneofgod

    theoneofgod Ancient Guru

    Messages:
    4,605
    Likes Received:
    249
    GPU:
    RX 580 8GB
    Any application based around DX10/11 seems to have its shaders cached when forced on. TeamViewer, Skype, Explorer, etc.
     
  18. Blackfyre

    Blackfyre Maha Guru

    Messages:
    1,099
    Likes Received:
    89
    GPU:
    RTX 2070 Super
    Exactly. Thank you.

    It actually goes to show how thorough Malwarebytes Anti-Malware is in comparison to other Anti-Malware software.
     
  19. MacT

    MacT Member Guru

    Messages:
    184
    Likes Received:
    0
    GPU:
    2 x Sapphire HD 7970 OC
    I am sorry, did AMD write the RadeonMod? It is not up to AMD to fix unintentional consequences a 3rd party program has introduced.

    In and of itself, is Shader Cache not just a function within graphics APIs? AMD don't OWN exclusive use of shader cache. They are just using the function (through their Crimson) to benefit relevant games/applications (their AMD Optimised setting). Or, if you like, you can set Shader Cache for each individual application within Crimson.

    Global enable of Shader Cache through RadeonMod could very well be turning on or injecting into any and all graphics APIs (and not just DX; OpenGL has a shader cache, Mantle, etc.). Whereas within Crimson, the Global Settings - Shader Cache - AMD Optimised is selectively controlled/limited by AMD to only apply to programs and/or games of their choosing.
     
  20. PrMinisterGR

    PrMinisterGR Ancient Guru

    Messages:
    7,749
    Likes Received:
    660
    GPU:
    Inno3D RTX 3090
    What are you even talking about? Caching Shaders is something that either the app or the GPU driver can do. It's not "there" and AMD decided to use it. The driver needs to interpret compiled shaders, store them, and then retrieve them when the app tries to compile again. It's actually quite a lot of work. There isn't really a "hack" via RadeonMod, it's a single registry switch.

    The sane option would be to have a blacklist, not a whitelist. That way we can enable and test it for everything without weird side effects like this one.
     