I was working with a customer for whom SEP flagged malware located on a week-old PC. Upon investigation, I found that the malware was named MicTray64. A quick bit of research showed this to be a keylogger. So we took care of it and changed her passwords. The customer asked where the malware had come from.

I investigated a little further, and that's when I discovered that HP has been shipping PCs with a keylogger preinstalled in their Conexant audio drivers. The keylogger is included in a service called MicTray64 that is meant to check keyboard shortcuts for microphone usage. It launches at logon, records every keystroke, and saves it to a log file, C:\Users\Public\MicTray.log, so anyone on that PC has access to the log.

Supposedly the log deletes itself when the user logs off, but the file can be easily accessed and it stores everything, including credentials, in plain text.

The issue originated because a debugging feature for testing should have been disabled prior to deployment, but that obviously didn't happen. This issue has been found to go back as far as 2015.

To resolve this, the user needs the most up-to-date driver, which HP released on May 24, 2017. Any driver version prior to this (8.65.186.53 Rev.A) may contain the keylogger feature.
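
A quick way to check other machines for the same exposure, as an added example that is not part of the original post or any HP/Conexant tooling. The process name, log path and version number come from the post; the function name, the "*Conexant*" match pattern and the use of the PnP driver version as the version to compare are assumptions.

```powershell
# Added triage example. Values from the post: MicTray64, the log path, 8.65.186.53.
$LogPath      = 'C:\Users\Public\MicTray.log'
$FixedVersion = [version]'8.65.186.53'   # per the post, earlier versions may log keystrokes

function Test-MicTrayExposure {          # hypothetical helper name
    [CmdletBinding()]
    param(
        # Assumption: the audio driver's manufacturer or device name contains "Conexant".
        [string]$DriverPattern = '*Conexant*'
    )

    # 1. Is the MicTray64 process currently running?
    $proc = Get-Process -Name 'MicTray64' -ErrorAction SilentlyContinue

    # 2. Does the shared log exist? Collect metadata only, never read its contents.
    $log = Get-Item -LiteralPath $LogPath -Force -ErrorAction SilentlyContinue

    # 3. Which matching drivers are installed, and are they older than the fixed version?
    #    Assumption: Win32_PnPSignedDriver.DriverVersion is the version the post refers to.
    $drivers = @(Get-CimInstance -ClassName Win32_PnPSignedDriver |
        Where-Object { $_.Manufacturer -like $DriverPattern -or $_.DeviceName -like $DriverPattern } |
        ForEach-Object {
            $v = $null
            $parsed = [version]::TryParse($_.DriverVersion, [ref]$v)
            [pscustomobject]@{
                Device       = $_.DeviceName
                Version      = $_.DriverVersion
                # $null means the version string could not be parsed: review by hand.
                OlderThanFix = if ($parsed) { $v -lt $FixedVersion } else { $null }
            }
        })
    $old = @($drivers | Where-Object { $_.OlderThanFix })

    [pscustomobject]@{
        Computer       = $env:COMPUTERNAME
        ProcessRunning = [bool]$proc
        LogPresent     = [bool]$log
        LogBytes       = if ($log) { $log.Length } else { 0 }
        LogLastWrite   = if ($log) { $log.LastWriteTime } else { $null }
        Drivers        = $drivers
        NeedsAction    = [bool]$proc -or [bool]$log -or ($old.Count -gt 0)
    }
}

Test-MicTrayExposure | Format-List
```

If LogPresent is true, treat anything typed on that machine during the session as exposed and rotate those credentials after updating the driver.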