May 1st, 2017 07:00

Area 51 R2 - Windows update / other issues.

Re: attached picture - anyone any ideas why this is happening day after day?

I don't know how long this has been going on, but I've been having a few issues seemingly since Creators update was installed.

I've had 2 blue screens (never happened before) and from cold 50% of the time the machine doesn't boot and the monitor goes into power save mode (it always boots the second time).

1 Attachment

3 Apprentice • 4.4K Posts

May 2nd, 2017 09:00

Hi RTID75,

Do you see any exclamation marks on device manager? It looks like the driver is not installing correctly, you can uninstall the driver and reinstall it manually here.

Also, make sure the BIOS is up to date. 

87 Posts

May 4th, 2017 12:00

Nothing amiss on device manager.

Yesterday I uninstalled, used CCleaner then reinstalled from your link, but I've just gone into Windows Update again and it's re-installed again since I switched it on 30 minutes ago...

9 Legend • 47K Posts

May 8th, 2017 09:00

You have USB-based malware that is being overwritten by a WHQL "update" based on a deprecated Realtek certificate.

Microsoft Safety Scanner - Free Virus Scan with the Microsoft Safety Scanner 

Lethic botnet malware has been discovered with signed digital certificates from a Taiwanese company, Realtek Semiconductor Corp. The certificates are similar to those that accompanied the Stuxnet virus that had been targeting SCADA systems, most notably power and centrifuge facilities in Iran and India. There is no evidence that Realtek is authorizing the use of the certificates, and researchers speculate that the criminal cyber gangs responsible for the Lethic malware are simply using unverified forgeries. The presence of verified and forged signed digital certificates is a problem with all versions of Windows, as it undermines TRUST in systems designed to prevent the spread of malicious code.


Also detected as: Packed.Win32.Krap.x (Kaspersky), Trojan.Lethic.B (VirusBuster), Win32/Lethic.AA (ESET), Trj/Zlob.KH (Panda), Trojan.CryptRedol.Gen.2 (BitDefender)

The following system changes may indicate the presence of this malware:
  • The presence of the following files:
    \ shelldm.exe
    \ xcllsx.exe
  • The presence of the following registry modifications:
    Adds value: "zmmclr"
    With data: " \xcllsx.exe"
    To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    Adds value: "wesspell"
    With data: " \shelldm.exe"
    To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run

Description:
Published Date: Feb 13, 2017
Alert level: severe

https://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Trojan:Win32/LethicVirTool:Win32/Lethic 

C:\Program Files\Realtek\Realtek USB 2.0 Card Reader\RIconMan.exe

C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe

C:\Program Files\Realtek\Audio\HDA\RtHDVBg.exe

mRun: [RtHDVCpl] c:\program files\realtek\audio\hda\RtHDVCpl.exe -s

mRun: [RtHDVBg] c:\program files\realtek\audio\hda\RtHDVBg.exe /FORPCEE3

R2 IconMan_R;IconMan_R;c:\program files\realtek\realtek usb 2.0 card reader\RIconMan.exe

S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RtsUStor.sys

I would uninstall anything that says Realtek and then scan any USB flash drives for the malware PE dropper in autorun.

They show up in add remove programs as

Realtek Ethernet Controller Driver
Realtek High Definition Audio Driver
Realtek USB 2.0 Card Reader
Realtek WLAN Driver

May 31st, 2017 16:00

I have the same issue. Windows downloads the driver but it gets rejected (probably by Secure Boot). Windows downloads the driver again and the cycle repeats. A fresh install of Win 10 version 1703 didn't help. All you can do is block this RT Card Reader driver. You will need to download and run the tool provided by Microsoft here:

https://support.microsoft.com/en-us/help/3073930/how-to-temporarily-prevent-a-driver-update-from-reinstalling-in-windows… 

8 Wizard • 17K Posts

May 31st, 2017 18:00

Carbon Based Lifeform wrote:

I have the same issue. Windows downloads the driver but it gets rejected (probably by Secure Boot). Windows downloads the driver again and the cycle repeats. A fresh install of Win 10 version 1703 didn't help. All you can do is block this RT Card Reader driver. You will need to download and run the tool provided by Microsoft here:

https://support.microsoft.com/en-us/help/3073930/how-to-temporarily-prevent-a-driver-update-from-reinstalling-in-windows… 

Good troubleshooting trying a clean install. Also, thanks for supplying your current work-around.
 
I suggest you start a new thread, with as much detail as possible. Should act as a report to Dell (for this Dell unique device) and should be sufficient for forwarding to Microsoft. I'm not really aware of whole proper procedure to getting this resolved, but seems like notifying Alienware Engineering would be a good start.

9 Legend • 47K Posts

June 2nd, 2017 11:00

USB-based malware that is being overwritten by a WHQL "update" based on a deprecated Realtek certificate. This is very specific. Malware, which spreads by exploiting an unpatched Windows vulnerability, signed using a valid Realtek Semiconductor signature. Secondly, the payload: two rootkit components that get installed as system drivers. Patching afterwards does nothing because it's closing the barn door after the cows get out. SFC /SCANNOW may help but ultimately it's a scorched-earth reinstall because you are infected.

9 Legend • 47K Posts

June 2nd, 2017 11:00

USB-based malware is reinfected in seconds when the offending flash drive is re-inserted.

This is precisely why Realtek is involved. Windows Defender and other antivirus solutions are fooled by the valid signature on the malware.

Microsoft Malware Protection Center - Help 

Drive-By Download - YouTube 

8 Wizard • 17K Posts

June 2nd, 2017 11:00

speedstep wrote:

USB-based malware that is being overwritten by a WHQL "update" based on a deprecated Realtek certificate.

This is very specific.

It is strange they are both Realtek or RT related.

So, you think the problem is malware also, even though he clean-installed Windows?

8 Wizard • 17K Posts

June 2nd, 2017 15:00

Ok, first some history. I'm a big believer in Nuke-and-Pave (Fdisk-Cleaned followed by clean Windows install from pristine genuine Windows media). Many years ago, Microsoft had it very clear to us Partners that the only way to return a virus or spyware infected system to a guaranteed working state was to clean install Windows to a blank disk .... therefore, returning the installed Windows to an un-compromised state. 

 

When at all possible, I have been doing initial FDisk on systems for a long time now (even on non-UEFI conventional-BIOS machines). This is the reason I now support using SecureBoot on UEFI systems. I understand the push-back in certain circles, but the ability to prevent RootKits outweighs it, IMO. 
 
Not on my systems, but I have seen RansomWare infections in the field. Sometimes, even tasked with "cleaning it up" for clients (either with my company doing the work or in a consulting or advisory capacity). I also recall a couple of "man-in-the-middle" compromises of secure browser connections (they were to popular banks). I'm sure we have all had a brush with a virus or spyware over the years, but after you experience these newer threats, you will likely have a whole different outlook on things. These new threats are pretty scary stuff (even for me).
 
So, my first questions are:
 
1. Would a Lethic (or similar) infected system prevent the creation of a perfect/genuine copy of Windows-10 with the Media Creation Tool onto a USB Flash drive?
 
2. If a perfect Windows-10 Flash drive was simply inserted into the USB port of a system infected with Lethic (or similar), would it then contaminate or compromise that copy of the Windows Installer on that flash drive?

2a. If so, could that contamination spread to a completely different system if used to install Windows with it later?

 

9 Legend • 47K Posts

June 6th, 2017 14:00

Microsoft Malware Protection Center - Help 

1. Would a Lethic (or similar) infected system prevent the creation of a perfect/genuine copy of Windows-10 with the Media Creation Tool onto a USB Flash drive?

It would infect any NON WRITE PROTECTED media.

2. If a perfect Windows-10 Flash drive was simply inserted into the USB port of a system infected with Lethic (or similar), would it then contaminate or compromise that copy of the Windows Installer on that flash drive?

This spreads like a conventional human virus. Insert into infected and become infected. Insert clean, non-write-protected and become infected. Bi-directional transmission.

2a. If so, could that contamination spread to a completely different system if used to install Windows with it later?

Spreading from flash drive to hard drive and the other way round is the vector for infection and re-infection. That's why DVD, non-burned, non-infected media is required.

Infection, re-infection and spread take seconds. No amount of nuke and pave prevents immediate RE-infection on reboot after insertion of the infected media. USB flash drives are not the only infection vector. Once they get on they spread via the internet and via NON WRITE PROTECTED flash media. There will be no spoon-fed step-by-step remote psychic friends network removal instructions.

There are 12,674 variants of this issue and more every 6 hours. This is not 1 malware with 1 name.

P2P-Worm.Win32.Palevo.rmm
Win32/DelfInject.gen!BH
Generic.dx!nns.trojan

  • The presence of the following files:
    \shelldm.exe
    \xcllsx.exe
  • The presence of the following registry modifications:
    Adds value: "zmmclr"
    With data: " \xcllsx.exe"
    To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    Adds value: "wesspell"
    With data: " \shelldm.exe"
    To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run

c:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-1413\syitm.exe
c:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-1413\Desktop.ini

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
Taskman = "C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-1413\syitm.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
Shell = "explorer.exe,C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-1413\syitm.exe"
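An added example, not from any post in this thread: a read-only PowerShell check for the indicators quoted in the two encyclopedia excerpts above (the Run values zmmclr/wesspell, the Winlogon Taskman/Shell entries, and executables under a RECYCLER folder). Path and value names come from the posts; the script reports and changes nothing.

```powershell
# Added example (not from the thread): report-only check for the indicators listed above.
# Run in the context of the user profile being examined; nothing is modified.
$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding([string]$Location, [string]$Data) {
    $findings.Add([pscustomobject]@{ Location = $Location; Data = $Data })
}

# 1. HKCU Run values named in the excerpt (zmmclr -> xcllsx.exe, wesspell -> shelldm.exe),
#    plus any Run value whose command points at those file names or into a RECYCLER folder.
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run) {
    foreach ($p in $run.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip the provider's own PSPath/PSChildName fields
        $byName = $p.Name -in 'zmmclr', 'wesspell'
        $byData = "$($p.Value)" -match '(?i)\\(xcllsx|shelldm)\.exe|\\RECYCLER\\'
        if ($byName -or $byData) { Add-Finding "$runKey\$($p.Name)" "$($p.Value)" }
    }
}

# 2. Winlogon entries from the excerpt: Taskman does not exist on a stock system, and Shell
#    should be exactly "explorer.exe" (the sample appends a second executable after a comma).
$hklmWl = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$hkcuWl = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
$taskman = (Get-ItemProperty -Path $hklmWl -Name Taskman -ErrorAction SilentlyContinue).Taskman
if ($taskman) { Add-Finding "$hklmWl\Taskman" $taskman }
foreach ($k in $hklmWl, $hkcuWl) {
    $shell = (Get-ItemProperty -Path $k -Name Shell -ErrorAction SilentlyContinue).Shell
    if ($shell -and $shell.Trim() -ne 'explorer.exe') { Add-Finding "$k\Shell" $shell }
}

# 3. Executables under a RECYCLER folder on any file-system drive. Windows 10 uses $Recycle.Bin,
#    so a RECYCLER directory (the XP-era name the sample used) is itself worth a look.
foreach ($d in Get-PSDrive -PSProvider FileSystem) {
    $rec = Join-Path $d.Root 'RECYCLER'
    if (Test-Path $rec) {
        Get-ChildItem -Path $rec -Recurse -Filter *.exe -Force -ErrorAction SilentlyContinue |
            ForEach-Object { Add-Finding $_.FullName ('{0} bytes' -f $_.Length) }
    }
}

if ($findings.Count -gt 0) { $findings | Format-Table -AutoSize -Wrap }
else { 'None of the listed indicators were found.' }
```

A hit on the Run or Winlogon checks is a reason to look at the referenced file, not proof of this particular family; the excerpt itself notes the file names vary across variants.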

 

June 7th, 2017 08:00

This is not a virus! It happens only with Windows version 1703. It happened after upgrading from version 1607 and it happens after a fresh install. I installed Win 10 from a USB stick which I'm usually using at work. If it was infected, I would have noticed it a long time ago. Usually I'm installing Win 10 without an internet connection. The faulty driver comes with the first Windows Update as soon as I enable the WIFI connection. There is nothing magic about it. Microsoft is pushing a faulty driver. It happened before and it will happen again. With Nvidia's new "break it first, fix it later" strategy it will happen sooner rather than later. Just block the update, guys, and forget it. BTW, the Card Reader driver provided by Dell works perfectly fine.

8 Wizard • 17K Posts

June 7th, 2017 12:00

speedstep,

Thanks for taking the time to answer my questions. I find this topic very interesting.
 
I sure would like to know where Microsoft stands on this issue. Mainly because Internet downloaded ISO (usually written to USB-Flash) is their adopted distribution method. This not only includes Consumer and Business Windows-10 installs, but also Servers and programs like TechNet, and MAPS.

Based on your answers, here are my next questions:

 

1. When Windows-10 Media Creation Tool is used on a clean system, do you think a flash drive with a physical "write protect switch" would be able to keep it protected and clean ... if eventually used on an infected system?

2. When Windows-10 Media Creation Tool is used on a clean system, do you think using fdisk to write protect the flash drive would be able to keep it protected and clean ... if eventually used on an infected system?

3. Do you agree that this procedure below would work 100% on a RootKit or otherwise infected system? Also, the created media would be 100% safe (prevent contamination of media and forever prevent spreading of infections)? 

Create Windows-10 Disc (Write-Once, then forever Read-Only).
- Download Windows-10 ISO.
  - Checksum should be verified (either manually or by Microsoft downloader).
- Write ISO to single-sided DVD-R (with Verify on).

Nuke and Pave the target system
- Fdisk/clean to initialize boot disk (HDD/SSD is now as clean as possible).
- Be sure UEFI and SecureBoot are on in BIOS.
- Boot and install Windows-10 from this DVD-R (GPT and NTFS will be used).
  - If the machine has no DVD-ROM drive, a USB external drive MUST be used.
- After First-Time-Setup, run msinfo32, and verify SecureBoot state is reporting as ON.

 

Finally, can you think of any other 100% guaranteed way?
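An added example, not from any post in this thread: a PowerShell script covering the verifiable steps of the procedure in the post above, the ISO checksum before burning and, after the rebuild, the Secure Boot state that msinfo32 shows plus the partition style of the boot disk. $IsoPath and $ExpectedSha256 are assumed inputs (the hash must be copied from Microsoft's download page; the value here is a placeholder). The destructive disk-cleaning step is deliberately not scripted.

```powershell
# Added example (not from the thread). Assumed inputs: the ISO path and the SHA-256 that
# Microsoft publishes for that exact ISO. Run the post-install checks from an elevated prompt.
param(
    [string]$IsoPath        = "$env:USERPROFILE\Downloads\Win10.iso",
    [string]$ExpectedSha256 = 'PLACEHOLDER_SHA256_FROM_MICROSOFT_DOWNLOAD_PAGE'
)

function Test-IsoHash([string]$Path, [string]$Expected) {
    # Get-FileHash reads the whole image; a mismatch means the download is not the published ISO.
    $actual = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    $verdict = if ($actual -ieq $Expected) { 'MATCH' } else { 'MISMATCH - do not burn' }
    [pscustomobject]@{ Check = 'ISO SHA-256'; Result = $verdict; Detail = $actual }
}

function Test-SecureBootState {
    # Confirm-SecureBootUEFI needs elevation and throws on legacy-BIOS firmware.
    # This is the same state msinfo32 reports under "Secure Boot State".
    try {
        $on = Confirm-SecureBootUEFI
        $state = if ($on) { 'On' } else { 'Off' }
        [pscustomobject]@{ Check = 'Secure Boot'; Result = $state; Detail = 'UEFI firmware' }
    } catch {
        [pscustomobject]@{ Check = 'Secure Boot'; Result = 'Unsupported'; Detail = $_.Exception.Message }
    }
}

function Test-BootDiskPartitionStyle {
    # The procedure expects GPT; MBR on the boot disk means the install did not run in UEFI mode.
    $boot = Get-Disk | Where-Object { $_.IsBoot }
    [pscustomobject]@{ Check = 'Boot disk style'; Result = $boot.PartitionStyle; Detail = $boot.FriendlyName }
}

$results = @()
if (Test-Path $IsoPath) { $results += Test-IsoHash -Path $IsoPath -Expected $ExpectedSha256 }
$results += Test-SecureBootState
$results += Test-BootDiskPartitionStyle
$results | Format-Table -AutoSize -Wrap
```

Before the rebuild only the hash line is meaningful; after First-Time-Setup the expected output is Secure Boot "On" and a GPT boot disk, which is what the procedure's last step asks to confirm.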
 
