D5 2.6.1 - virus/malware/ransomware & encrypting of data/system almost compromised

**D5 Render Version:** 2.6.1
**Graphics Card:** NVIDIA 4090 24GB
**Driver Version:** latest
**Issue Description:**
**Screenshots/Videos Description:**
**Steps to Reproduce (optional):**

Dear All,

So recently I received a new PC from my organization: i9 13th gen + 4090. I updated everything and installed D5 2.6.1.0423. After some time I had a TDR delay issue, which is usually the case with large files (which wasn't the case here; I wasn't working on a large file).

Let me also give you some background on where I work. We are a closed system, with an IT organization that has systems in place against cyber threats to safeguard our data. Coming to the issue at hand.

After running the PC in admin mode to fix the TDR delay, D5 started misbehaving. Every time, it started asking for admin mode to start and run, which it never did before. Next, after giving it admin access, the file wouldn't open but would be stuck at 0%. After half an hour of constantly trying to make the file open, run a new file, or open from the SketchUp plugin sync, it didn't budge and kept being stuck at 0%. While running the app after closing it in Task Manager, I found that there was a -command being run each time D5 was run. Due to the command added after the shortcut/exe, it always asked for admin rights to run, which it never did before.

It looked like this when I clicked "more properties" in the admin rights box, trying to understand why it would need admin access when it never used to before:

“C:\Program Files\D5 Render\D5.exe” -(somecommand)

Then suddenly I got a call from my IT dept. saying that something had been trying to encrypt the files on my computer and that my system had been compromised.
He also sent me this after the entire process of cleaning and formatting the computer; the PC is up and running now. Maybe it can help you figure it out.


We also tried doing the same installation on the system beside me. It turns out the same executable came from the GitHub file that your website download redirects to (below is a screenshot of the website redirecting to the GitHub link).

Because our firewall blocks websites like GitHub, we had to give the system open internet access to download the file again and install the new version on the new system. This didn't take much time, and it installed 2.6.1.0423 after downloading from your servers.

In the screenshot above, it redirects to the GitHub link and downloads the latest installer files.


After the installation finished on my associate's system, the first time we ran D5 it mysteriously asked us for ADMIN ACCESS. D5 never did that previously. We got suspicious and immediately tried to uninstall the software, and it didn't let us. It removed the files in the Program Files location etc.


But the name D5 was still present in the Apps location, and it kept saying you don't have admin rights to do so.
We tried logging in with the local admin account on the PC, and apparently it had removed the admin account completely or locked us out, as it just wouldn't let us log in, showing some error. So we knew it was compromised again
and sent it for a reformat. If we had given it admin access, we might have had another, even more seriously compromised system on our hands.

Now, after 2 systems being compromised, we have decided not to use the app until things are fixed, including installing any previous versions, until we know it's safe to do so. We are lucky that the older D5 versions on other systems are not hit by this and are working fine. I completed the work at hand on another system yesterday as I had a deadline, but reluctantly we will not be using it until we are sure that everything's in the clear.

It's time we had some checks and stringent policies in place to check for these kinds of attacks, so systems are not compromised like this. I have lost almost 2 whole days and 2 systems in the process.
I have narrated all of this from my recollection, and I couldn't get all the proof you need either. So please bear with me.

PLEASE DO SOMETHING ASAP!!

Hello, if you downloaded the installation package from our official website, there should be no virus problem. D5 Render | Real-Time Ray Tracing 3D Rendering Software

I think this may be caused by your firewall recognising D5 as a virus. You could try asking IT to whitelist D5.

Hi LunaLang,

It's already whitelisted. Why is D5 misbehaving and asking for admin rights and permissions each time? I have given you a full rundown of my issues. Please read carefully and try to recreate it from your GitHub website. My 2 systems have been compromised in the process of the new update installation. My data would have been encrypted and locked by the ransomware, and your response is to let it happen??!!

It's not a firewall issue, Ma'am. Please take this seriously.

Sorry for this. We will check this issue.


Hello, do you remember which of these two options you chose when you installed D5?

Did you make any changes to your software or hardware before the TDR error?
Is your newly downloaded D5 installed in the same path as the previous old version? You can check whether it's because of path permissions. Did you install it under the C drive? (C:\Program Files\D5 Render)

Hi Luna,

None of these options were given to me when I installed it. Only "I agree" and the install folder were shown as options (maybe; I can't recollect exactly now). Because we didn't click on custom install, we directly installed as it asked… After which it would do some downloading and install within say 2 minutes, and done. All issues for me started after the TDR delay, with it asking for admin rights. After that something was amiss, and every time it kept asking for admin rights. I checked "more options" in the admin privileges window and found that the software was running with something like (-somethingcommand) each time, and because of that command it would always ask for admin privileges. I even checked the properties of the shortcut as well as the main app for that sub-command (-somethingcommand), but there was none anywhere. It ran only when I ran the program, asking for admin rights… And every time I ran it, it would ask to run D5 with a command. That being said, even if I had issues on my current PC, how come it misbehaved on the second PC with a fresh download and install as well?! That's when my IT manager and I got very suspicious.

Did you make any changes to your software or hardware before the TDR error?
No, because it was a fresh installation there were no changes.
Is your newly downloaded D5 installed in the same path as the previous old version?
This was a fresh system install and had nothing to do with any previous old versions on it.

Did you install it under the C drive? (C:\Program Files\D5 Render)
Yes, the default folder that was given.

Hello. I think your problem is caused by the fact that you installed it in the default location, which may have caused the software to ask for admin rights. You can contact your IT and ask them to allow you to customise the installation to a path other than the C drive, and then check whether it still asks for admin rights.

As a user of D5, I am very concerned about this.

D5 employees appear not to have understood his issue.

After re-reading it seems a hacked website redirecting to github could explain the issue.

I would like someone from D5 to explain the following so that I can make sure this does not happen to me.

  1. Do you host files on Github?
  2. Does your download page redirect to Github?

I download from Downloading

  1. Is the download which starts when visiting the above link coming from Github?

Thanks!


Thanks, this is exactly what I have been trying to explain here, but I am guessing they still don't get it. Somewhere in the process they are still thinking the package they are sending out is reaching us safely.
And if it's "unsafe", what can we check, or how can we check it?

@LunaLang You are still replying telling me the issue is about where I installed the software to, but totally missing the fact about the critical RANSOMWARE attack that I might have had if I had run the program with a faulty installation coming from YOUR WEBSITE. The issue here is not where it's installed. The issue is that we are getting faulty malware/ransomware installation files from your website. Please, this is a concern and you need to dig deeper.

I don't mean to be rude, but please TAKE THIS SERIOUSLY AND READ THE FIRST POST AND UNDERSTAND THE PROBLEM. This is not just an installation issue.

Hi Luna,

Previously we had installed it multiple times in the default folder. Our systems have 2 users: 1. Local Admin and 2. User (me/employee). We installed it under the user account. It never asked for ADMIN privileges before, not even once, neither for running nor for installing the software.

If I install or run with admin rights, I lose all the previous recent work and it looks like a brand new install. Also, the software behaves very sluggishly and is unresponsive at best. Except for the TDR delay issue, we never needed to run D5 with admin privileges.

Just for your info: we have a total of 10 systems here still using D5 in different capacities. And only the 2 NEW FRESH WINDOWS INSTALLED PCs, which were trying to install the new version 2.6.1, have been compromised with this RANSOMWARE ATTACK; the installation was provided from your website. We need to re-look at how we are delivering the product to the customer safely, Luna. This is the task at hand right now. The PCs that already have running D5 versions seem fine and run without any problems.

Thanks for the feedback and explanation. I understand now. We will check this issue.


Please revert back, as days have gone by and we need to start our work. Please provide a safe solution to install D5. I don't trust the GitHub link/new version anymore. Can I go ahead and install the previous version?

Hi! We are still checking the issue. This is a link to the full installer, it’s the latest version and you can install with it. WeTransfer - Send Large Files & Share Photos Online - Up to 2GB Free

I have installed the previous version for now, but I'm afraid of updating to the latest versions. Once you give me a clear sign, I will update it within the app itself, and not via the installer.
Thanks

This installer does not lead to other links to download new content again during the installation process.
The online installer needs to download a portion of the content during the installation process, which does come from GitHub, but we checked the GitHub link and it is currently safe and risk-free.
If possible, you can send us your logs and we'll check them. This post shows how to collect logs. D5 Support Tool - Get Help / Tech Support - D5 RENDER FORUM
You can share a link here or send your log to our email. (support@d5techs.com, please describe the problem and attach the link of this post to your mail)
Also, can you tell me how you ran it in admin mode? Did you right-click to run in admin mode, or did you set the software's properties to run it in admin mode? If you make changes in the properties, it may cause you to have to use admin mode every time you run D5.
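The checks the support reply hints at (whether the exe is configured to always run elevated, what the shortcut really launches, and whether the installer and binary carry a valid signature) can be done read-only before anyone clicks "Yes" on the UAC prompt. The following PowerShell is an added example written for this thread, not code from D5 or from any poster here. It assumes the install path named above; the shortcut and installer paths are assumptions and should be adjusted. It only reads the registry, the shortcut, file signatures and the process list, and changes nothing.

```powershell
# Added example (not from the thread or from D5): read-only checks for a D5.exe
# that has started asking for elevation. Run from a normal, non-elevated prompt.
$ExePath       = 'C:\Program Files\D5 Render\D5.exe'                 # path named in the thread
$ShortcutPath  = "$env:USERPROFILE\Desktop\D5 Render.lnk"            # assumed shortcut location
$InstallerPath = "$env:USERPROFILE\Downloads\D5_Render_Setup.exe"   # assumed installer file name

# 1. "Run this program as an administrator" from the file's Properties > Compatibility tab
#    is stored under AppCompatFlags\Layers (per user and per machine) as a value whose name
#    is the full exe path and whose data contains RUNASADMIN. That setting alone explains a
#    UAC prompt on every launch, so it is the first thing to rule out.
$layerKeys = @(
    'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers',
    'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers'
)
foreach ($key in $layerKeys) {
    if (Test-Path $key) {
        $entry = (Get-ItemProperty -Path $key).PSObject.Properties[$ExePath]
        if ($entry) { "Compatibility layer for D5.exe in ${key}: $($entry.Value)" }
        else        { "No compatibility layer for D5.exe in $key" }
    }
}

# 2. What does the shortcut actually launch? The thread describes an extra argument after
#    the exe path; a normal shortcut for this application is expected to carry none.
if (Test-Path $ShortcutPath) {
    $shell = New-Object -ComObject WScript.Shell
    $lnk   = $shell.CreateShortcut($ShortcutPath)
    "Shortcut target   : $($lnk.TargetPath)"
    "Shortcut arguments: '$($lnk.Arguments)'"
    if ($lnk.Arguments.Trim()) {
        'WARNING: shortcut passes extra arguments; have IT review it before launching.'
    }
}

# 3. Who signed the installer and the installed binary, and what are their hashes?
#    A vendor build should report Status = Valid. NotSigned or HashMismatch means stop,
#    keep the file for IT, and ask the vendor for a signed full installer.
foreach ($file in @($InstallerPath, $ExePath)) {
    if (Test-Path $file) {
        $sig  = Get-AuthenticodeSignature -FilePath $file
        $hash = (Get-FileHash -Path $file -Algorithm SHA256).Hash
        "{0}`n  signature: {1}`n  signer   : {2}`n  sha256   : {3}" -f `
            $file, $sig.Status, $sig.SignerCertificate.Subject, $hash
    }
}

# 4. If D5.exe is already running, record its real command line so it can be compared
#    with the shortcut target; any unexpected switch goes in the ticket to IT.
Get-CimInstance Win32_Process -Filter "Name = 'D5.exe'" |
    Select-Object ProcessId, ParentProcessId, CommandLine
```

Nothing here needs elevation, which is the point: the user can collect the registry value, the shortcut arguments, the signature status and the SHA-256 hashes for IT without granting the prompt the program keeps raising. A vendor can then compare the reported hashes against the build it published.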

We earlier tried to install on two systems from the main website on your page (FRESH DOWNLOADS & INSTALLS), and I feel something goes wrong in the middle. For me to download from GitHub I need to ask the admin to give me full internet access, as our organization is behind a firewall that blocks sites, like any other secure company; GitHub is locked here. And I faced the issues with it that I reported to you in the previous post.

How can I take a log file when, after I install the application, my PC gets compromised? I would think that the program would generate a LOG, which would be created after the application was allowed to run. In this case it keeps asking me to run the application in ADMIN mode the first time it's installed… It's not supposed to run in admin mode, like I reported earlier. When clicked to run, the application kept asking for the admin mode password. When clicking "more options" in the password window, the app was running with a -command which looks like “C:\Program Files\D5 Render\D5.exe” -(somecommand)

I installed it to the default folder, not in the admin folder etc. All of that is said in the original post.
The first time, on the first PC, I ran it with admin privileges after installation, worked on projects for some time, and then had a TDR issue, which needed admin privileges to fix. The program ran fine after fixing the TDR; I did some minor work too. But then the PC got messed up and felt sluggish and unresponsive, so I restarted. After the restart, each run of D5 kept asking for admin rights. I didn't give it any; then D5 would open to the splash screen and, upon opening a file, get stuck at 0% loading of the file. Force-closing from Task Manager, same issue. Admin rights > didn't give > splash screen > 0% stuck.
I thought, let's give it admin rights and see what happens. So we did. Then it behaves as if it's a clean install: it has no recent projects in the Recent tab. But it would still get stuck at 0% progress, for 15 min on a NEW FILE, not even on an existing heavy project. That's when I realized something was wrong. Think of it: 128GB RAM, 13th gen i9, 4090 Ti 24GB card, and to top it off a FRESH WINDOWS install. And the program is acting like it's in the 1990s. After giving it admin rights and running it for the first time, immediately, within 5 minutes, my IT ADMIN phoned me asking what I had DONE, and informed me that my PC had been compromised: something was encrypting my data, and if we let it continue we might lose all of it and might even compromise our servers. Screenshot of it above. Now that it's compromised I need to work somewhere else.

So we then tried installing D5 on the PC next to me, so I could continue work and meet my deadlines. This time it resulted in asking for admin rights to run the program the FIRST TIME running the app after installation. On PC-2 we didn't give it admin access to run the program at all. Mind you, all of this was from the MAIN website downloads section (going into GITHUB).

Next we thought we were safe, as we didn't give any admin rights to the program, so I thought let's remove the program and uninstall it completely (on PC-2), via Control Panel > Apps > Uninstall etc. The program "would" delete the files in the default folder but not remove itself from the Control Panel > Apps location. D5 still remained and refused to be removed, asking for admin rights. So we tried to log in to the local admin account to uninstall D5. The local ADMIN account on the computer was just completely removed; the password was not working, and it removed any trace of a local admin. The IT guy checked USER permissions at that time and found no trace of an ADMIN account.

I didn't need to right-click > Run as Administrator. It automatically pulled up the UAC dialogue box for ADMIN RIGHTS (example screenshot below) and always kept asking for admin rights to run the program after the first installation during that time. I am thinking that there was something wrong during that time I was doing the installation that compromised my 2 PC installations.


I'm thinking the EXE came bundled with some worm/trojan/virus during that time.

When clicking on "more info", it showed that the program was running with an additional clause: “C:\Program Files\D5 Render\D5.exe” -(somecommand)
I don't remember the command, so I'm sorry I can't help you or recollect it, but each time it kept asking for that.

I have re-created everything and explained everything again for you to understand. And I'm right now taking a hit of 10 days, because some of my projects are in the new version. While the earlier version allows me to open the new-version file, the video clips made in v2.6.1 are lost in v2.5. Even though the thumbnails show up at the correct location, on clicking the captured thumbnail the location data of the clicked images and each camera shows up as 0,0,0. All the thumbnails. So I have to redo all the clip locations again to make all the movies/clips again. So yeah, that's a drag, but it's OK, I will manage.
I will remain on this version for now until 2.7 comes, which seems around the corner, as videos have already come out on YT for it. I understand that updating breaks some stuff, but I guess it shouldn't break it so badly that we lose work done.
(Humble feedback): I think the DEVS need to take more care in their process of updates, rather than just adding more features in, with broken links between the updates of the software, so that we can revert back to earlier versions in case an issue like this ever occurs.

I am writing here time and again because:
1. For you to understand what I have gone through; maybe you can help, and better the system of management/deployment. I, or anyone, would prefer the EXE come directly from the host website, like all other software, rather than linking to a GitHub page download.
2. For others who might go through this issue, so they do not do the same thing I did.
DO NOT GIVE IT ADMIN RIGHTS WHEN THE PROGRAM ASKS FOR IT. REVERT BACK TO THE PREVIOUS VERSION.

Thanks
Monks

Alright, UPDATE:

Just updated to 2.7.0.0443 from the base app on PC-1 without a problem. And because it's working fine now, I am installing 2.5.0 on my PC-2 and then will update to 2.7 on PC-2, like I did with PC-1, using the same exe I had earlier.
And now this:
It's going to 500% plus and just keeps downloading something or some file. Let's see how far it reaches, or whether it even downloads the file correctly. I'm guessing it's going to the SUN!! :rofl:

Feels like there is something wrong during this downloading of files, or with the source it downloads from.

Hello, thanks for the feedback. The previous 2.5 online installer is no longer being maintained at this time. I can send you a full 2.5 installer if you need it.


Please do, thanks.

WeTransfer - Send Large Files & Share Photos Online - Up to 2GB Free Hope this can help you.