What is CPUID CPU-Z?
The Malwarebytes research team has determined that CPUID CPU-Z is a trojan.
This particular one injects downloaded JavaScript (JS) files into browser sessions and sets a proxy, accompanied by a false SSL certificate, to perform a man-in-the-middle (MITM) attack.
How do I know if my computer is affected by CPUID CPU-Z?
You may see this entry in your list of installed software:
and this icon in your start menu and on your desktop:
How did CPUID CPU-Z get on my computer?
Trojans use different methods for distributing themselves. This particular one was bundled with other software.
How do I remove CPUID CPU-Z?
Our program Malwarebytes can detect and remove this malware.
- Please download Malwarebytes to your desktop.
- Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program.
- Then click Finish.
- Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu.
- If another update of the definitions is available, it will be implemented before the rest of the scanning procedure.
- When the scan is complete, make sure that all Threats are selected, and click Remove Selected.
- Restart your computer when prompted to do so.
Is there anything else I need to do to get rid of CPUID CPU-Z?
No, Malwarebytes removes CPUID CPU-Z completely.
We hope our application and this guide have helped you eradicate this hijacker.
As you can see below, the full version of Malwarebytes would have protected you against the CPUID CPU-Z hijacker. It would have warned you before the application could install itself, giving you a chance to stop it before it was too late.
and it blocks the domains from which the bundler downloaded the trojan:
and even if you do get infected, it blocks the exploit that the trojan uses to perform the man-in-the-middle attack:
Technical details for experts
Possible signs in FRST logs:
(Microsoft Corporation) C:\ProgramData\Microsoft\Windows\Audio\winamgr.exe.bak
(Microsoft Corporation) C:\ProgramData\Microsoft\Windows\GPR\network\svcnetwk.exe
(Microsoft Corporation) C:\ProgramData\Microsoft\Windows\GPR\browser\svchostctl.exe
ProxyEnable: [S-1-5-21-{user GUID}] => Proxy is enabled.
ProxyServer: [S-1-5-21-{user GUID}] => http=127.0.0.1:8080;https=127.0.0.1:8080
R2 winamgr; C:\ProgramData\Microsoft\Windows\Audio\winamgr.exe [9875968 2018-04-10] (Microsoft Corporation) [File not signed]
C:\Users\Public\Desktop\CPUID CPU-Z.lnk
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CPUID
C:\Program Files\CPUID
CPUID CPU-Z 1.82.1 (HKLM\...\CPUID CPU-Z_is1) (Version: 1.82.1 - )
FirewallRules: [TCP Query User{D3E7F7AC-72C7-4000-8B93-DD0DA199AD56}C:\programdata\microsoft\windows\gpr\network\svcnetwk.exe] => (Allow) C:\programdata\microsoft\windows\gpr\network\svcnetwk.exe
FirewallRules: [UDP Query User{79ED0071-EA4B-4214-BD80-E472E1505F7A}C:\programdata\microsoft\windows\gpr\network\svcnetwk.exe] => (Allow) C:\programdata\microsoft\windows\gpr\network\svcnetwk.exe

Alterations made by the installer:
File system details [View: All details] (Selection)
---------------------------------------------------
Adds the folder C:\Program Files\CPUID\CPU-Z
Adds the file cpuz.exe"="12/20/2017 1:10 PM, 3517688 bytes, A
Adds the file cpuz.ini"="12/20/2017 1:15 PM, 594 bytes, A
Adds the file cpuz_eula.txt"="8/12/2015 8:57 PM, 7651 bytes, A
Adds the file cpuz_readme.txt"="12/20/2017 1:14 PM, 26325 bytes, A
Adds the file unins000.dat"="4/10/2018 8:40 AM, 3245 bytes, A
Adds the file unins000.exe"="4/10/2018 8:40 AM, 725157 bytes, A
Adds the folder C:\ProgramData\Microsoft\Windows\Audio
Adds the file winamgr.exe"="4/10/2018 8:40 AM, 9875968 bytes, A
Adds the file winamgr.exe.bak"="1/29/2018 2:03 PM, 9342976 bytes, A
Adds the folder C:\ProgramData\Microsoft\Windows\GPR\browser
Adds the file svchostctl.exe"="4/10/2018 8:40 AM, 216576 bytes, A
Adds the folder C:\ProgramData\Microsoft\Windows\GPR\func
Adds the file ca.crt"="4/10/2018 8:40 AM, 1094 bytes, A
Adds the file ca.key"="4/10/2018 8:40 AM, 887 bytes, A
Adds the file cert8.db"="4/10/2018 8:40 AM, 65536 bytes, A
Adds the file certutil.exe"="4/10/2018 8:40 AM, 103936 bytes, A
Adds the file chrome.exe"="4/10/2018 8:40 AM, 140736 bytes, A
Adds the file freebl3.dll"="4/10/2018 8:40 AM, 222208 bytes, A
Adds the file key3.db"="4/10/2018 8:40 AM, 16384 bytes, A
Adds the file libnspr4.dll"="4/10/2018 8:40 AM, 199680 bytes, A
Adds the file libplc4.dll"="4/10/2018 8:40 AM, 14336 bytes, A
Adds the file libplds4.dll"="4/10/2018 8:40 AM, 12288 bytes, A
Adds the file libvlc.dll"="4/10/2018 8:40 AM, 87040 bytes, A
Adds the file libvlcwk.dll"="4/10/2018 8:40 AM, 195072 bytes, A
Adds the file msvcr100.dll"="4/10/2018 8:40 AM, 773968 bytes, A
Adds the file nss3.dll"="4/10/2018 8:40 AM, 798720 bytes, A
Adds the file nssckbi.dll"="4/10/2018 8:40 AM, 370176 bytes, A
Adds the file nssdbm3.dll"="4/10/2018 8:40 AM, 108544 bytes, A
Adds the file nssutil3.dll"="4/10/2018 8:40 AM, 93696 bytes, A
Adds the file secmod.db"="4/10/2018 8:40 AM, 16384 bytes, A
Adds the file smime3.dll"="4/10/2018 8:40 AM, 97792 bytes, A
Adds the file softokn3.dll"="4/10/2018 8:40 AM, 172544 bytes, A
Adds the file sqlite3.dll"="4/10/2018 8:40 AM, 423936 bytes, A
Adds the file ssl3.dll"="4/10/2018 8:40 AM, 190976 bytes, A
Adds the folder C:\ProgramData\Microsoft\Windows\GPR\network
Adds the file default_cse.js"="4/10/2018 8:40 AM, 5900 bytes, A
Adds the file general.js"="4/10/2018 8:40 AM, 2252 bytes, A
Adds the file svcnetwk.exe"="4/10/2018 8:40 AM, 11952128 bytes, A
Adds the folder C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CPUID\CPU-Z
Adds the file CPU-Z.lnk"="4/10/2018 8:40 AM, 893 bytes, A
Adds the file Edit CPU-Z Config File.lnk"="4/10/2018 8:40 AM, 893 bytes, A
Adds the file Uninstall CPU-Z.lnk"="4/10/2018 8:40 AM, 917 bytes, A
In the existing folder C:\Users\Public\Desktop
Adds the file CPUID CPU-Z.lnk"="4/10/2018 8:40 AM, 869 bytes, A
In the existing folder C:\Users\Public\Documents
Adds the file {DE764086-1C0A-4DD3-90BA-0B93BDD794BE}"="4/10/2018 8:41 AM, 34 bytes, A

Registry details [View: All details] (Selection)
------------------------------------------------
[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\Mail]
"ChannelId"="REG_SZ", "icbusa20"
[HKEY_LOCAL_MACHINE\SOFTWARE\CPUID\CPU-Z]
"PATH"="REG_SZ", "C:\Program Files\CPUID\CPU-Z"
"PRODUCT_NAME"="REG_SZ", "CPUID CPU-Z"
"VERSION"="REG_SZ", "1.82.1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\483A0ECB697A7E8FE5FB5DBCA52C7F82D70D8239]
"Blob"="REG_BINARY, (binary certificate data not reproduced here)"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\CPUID CPU-Z_is1]
"DisplayIcon"="REG_SZ", "C:\Program Files\CPUID\CPU-Z\cpuz.exe"
"DisplayName"="REG_SZ", "CPUID CPU-Z 1.82.1"
"DisplayVersion"="REG_SZ", "1.82.1"
"EstimatedSize"="REG_DWORD", 4166
"Inno Setup: App Path"="REG_SZ", "C:\Program Files\CPUID\CPU-Z"
"Inno Setup: Deselected Tasks"="REG_SZ", ""
"Inno Setup: Icon Group"="REG_SZ", "CPUID\CPU-Z"
"Inno Setup: Language"="REG_SZ", "default"
"Inno Setup: Selected Tasks"="REG_SZ", "desktopicon"
"Inno Setup: Setup Version"="REG_SZ", "5.5.9 (a)"
"Inno Setup: User"="REG_SZ", "{username}"
"InstallDate"="REG_SZ", "20180410"
"InstallLocation"="REG_SZ", "C:\Program Files\CPUID\CPU-Z\"
"MajorVersion"="REG_DWORD", 1
"MinorVersion"="REG_DWORD", 82
"NoModify"="REG_DWORD", 1
"NoRepair"="REG_DWORD", 1
"QuietUninstallString"="REG_SZ", ""C:\Program Files\CPUID\CPU-Z\unins000.exe" /SILENT"
"UninstallString"="REG_SZ", ""C:\Program Files\CPUID\CPU-Z\unins000.exe""
"VersionMajor"="REG_DWORD", 1
"VersionMinor"="REG_DWORD", 82
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\CPUZ]
"(Default)"="REG_SZ", ""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\winamgr]
"Description"="REG_SZ", "Windows Audio Manager"
"Display"="REG_SZ", "Windows Audio Manager"
"DisplayName"="REG_SZ", "Windows Audio Manager"
"ErrorControl"="REG_DWORD", 0
"ImagePath"="REG_EXPAND_SZ, ""C:\ProgramData\Microsoft\Windows\Audio\winamgr.exe" -s"
"ObjectName"="REG_SZ", "LocalSystem"
"Start"="REG_DWORD", 2
"Type"="REG_DWORD", 16
"WOW64"="REG_DWORD", 1
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable"= REG_DWORD, 1
"ProxyServer"="REG_SZ", "http=127.0.0.1:8080;https=127.0.0.1:8080"

Malwarebytes log:
Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 4/10/18
Scan Time: 8:54 AM
Log File: fdd2c3b4-3c8b-11e8-87ee-080027235d76.json
Administrator: Yes

-Software Information-
Version: 3.3.1.2183
Components Version: 1.0.262
Update Package Version: 1.0.4674
License: Premium

-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: {computername}\{username}

-Scan Summary-
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 245556
Threats Detected: 46
Threats Quarantined: 46
Time Elapsed: 2 min, 43 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 2
Trojan.Egguard.PrxySvrRST, C:\ProgramData\Microsoft\Windows\GPR\browser\svchostctl.exe, Quarantined, [1117], [505207],1.0.4674
Trojan.Egguard.PrxySvrRST, C:\ProgramData\Microsoft\Windows\GPR\network\svcnetwk.exe, Quarantined, [1117], [505207],1.0.4674

Module: 3
Trojan.Egguard.PrxySvrRST, C:\ProgramData\Microsoft\Windows\GPR\browser\svchostctl.exe, Quarantined, [1117], [505207],1.0.4674
Trojan.Egguard.PrxySvrRST, C:\ProgramData\Microsoft\Windows\GPR\network\svcnetwk.exe, Quarantined, [1117], [505207],1.0.4674
Trojan.Agent, C:\PROGRAMDATA\MICROSOFT\WINDOWS\AUDIO\WINAMGR.EXE, Quarantined, [383], [489320],1.0.4674

Registry Key: 2
Trojan.Egguard.PrxySvrRST, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\NLASVC\PARAMETERS\INTERNET\MANUALPROXIES, Quarantined, [1117], [-1],0.0.0
Trojan.Agent, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\winamgr, Quarantined, [383], [489320],1.0.4674

Registry Value: 6
Trojan.Egguard.PrxySvrRST, HKU\S-1-5-18\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS|PROXYENABLE, Quarantined, [1117], [-1],0.0.0
Trojan.Egguard.PrxySvrRST, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS|PROXYENABLE, Quarantined, [1117], [-1],0.0.0
Trojan.Egguard.PrxySvrRST, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS|PROXYENABLE, Quarantined, [1117], [-1],0.0.0
Trojan.Egguard.PrxySvrRST, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS|PROXYSERVER, Quarantined, [1117], [-1],0.0.0
Trojan.Egguard.PrxySvrRST, HKU\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS|PROXYENABLE, Quarantined, [1117], [-1],0.0.0
Trojan.FakeMS, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\WINAMGR|IMAGEPATH, Quarantined, [3025], [506363],1.0.4674

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 4
Trojan.Egguard.PrxySvrRST, C:\ProgramData\Microsoft\Windows\GPR\browser, Quarantined, [1117], [505207],1.0.4674
Trojan.Egguard.PrxySvrRST, C:\ProgramData\Microsoft\Windows\GPR\network, Quarantined, [1117], [505207],1.0.4674
Trojan.Egguard.PrxySvrRST, C:\ProgramData\Microsoft\Windows\GPR\func, Quarantined, [1117], [505207],1.0.4674
Trojan.Egguard.PrxySvrRST, C:\PROGRAMDATA\MICROSOFT\WINDOWS\GPR, Quarantined, [1117], [505207],1.0.4674

File: 29
Trojan.Egguard.PrxySvrRST, C:\PROGRAMDATA\MICROSOFT\WINDOWS\GPR\NETWORK\GENERAL.JS, Quarantined, [1117], [505207],1.0.4674
Trojan.Egguard.PrxySvrRST, C:\ProgramData\Microsoft\Windows\GPR\browser\svchostctl.exe, Quarantined, [1117], [505207],1.0.4674
Trojan.Egguard.PrxySvrRST, C:\ProgramData\Microsoft\Windows\GPR\func\ca.crt, Quarantined, [1117], [505207],1.0.4674
Trojan.Egguard.PrxySvrRST, C:\ProgramData\Microsoft\Windows\GPR\func\ca.key, Quarantined, [1117], [505207],1.0.4674
Trojan.Egguard.PrxySvrRST, C:\ProgramData\Microsoft\Windows\GPR\func\cert8.db, Quarantined, [1117], [505207],1.0.4674
Trojan.Egguard.PrxySvrRST, C:\ProgramData\Microsoft\Windows\GPR\func\certutil.exe, Quarantined, [1117], [505207],1.0.4674
Trojan.Egguard.PrxySvrRST, C:\ProgramData\Microsoft\Windows\GPR\func\chrome.exe, Quarantined, [1117], [505207],1.0.4674
Trojan.Egguard.PrxySvrRST, C:\ProgramData\Microsoft\Windows\GPR\func\freebl3.dll, Quarantined, [1117], [505207],1.0.4674
Trojan.Egguard.PrxySvrRST, C:\ProgramData\Microsoft\Windows\GPR\func\key3.db, Quarantined, [1117], [505207],1.0.4674
Trojan.Egguard.PrxySvrRST, C:\ProgramData\Microsoft\Windows\GPR\func\libnspr4.dll, Quarantined, [1117], [505207],1.0.4674
Trojan.Egguard.PrxySvrRST, C:\ProgramData\Microsoft\Windows\GPR\func\libplc4.dll, Quarantined, [1117], [505207],1.0.4674
Trojan.Egguard.PrxySvrRST, C:\ProgramData\Microsoft\Windows\GPR\func\libplds4.dll, Quarantined, [1117], [505207],1.0.4674
Trojan.Egguard.PrxySvrRST, C:\ProgramData\Microsoft\Windows\GPR\func\libvlc.dll, Quarantined, [1117], [505207],1.0.4674
Trojan.Egguard.PrxySvrRST, C:\ProgramData\Microsoft\Windows\GPR\func\libvlcwk.dll, Quarantined, [1117], [505207],1.0.4674
Trojan.Egguard.PrxySvrRST, C:\ProgramData\Microsoft\Windows\GPR\func\msvcr100.dll, Quarantined, [1117], [505207],1.0.4674
Trojan.Egguard.PrxySvrRST, C:\ProgramData\Microsoft\Windows\GPR\func\nss3.dll, Quarantined, [1117], [505207],1.0.4674
Trojan.Egguard.PrxySvrRST, C:\ProgramData\Microsoft\Windows\GPR\func\nssckbi.dll, Quarantined, [1117], [505207],1.0.4674
Trojan.Egguard.PrxySvrRST, C:\ProgramData\Microsoft\Windows\GPR\func\nssdbm3.dll, Quarantined, [1117], [505207],1.0.4674
Trojan.Egguard.PrxySvrRST, C:\ProgramData\Microsoft\Windows\GPR\func\nssutil3.dll, Quarantined, [1117], [505207],1.0.4674
Trojan.Egguard.PrxySvrRST, C:\ProgramData\Microsoft\Windows\GPR\func\secmod.db, Quarantined, [1117], [505207],1.0.4674
Trojan.Egguard.PrxySvrRST, C:\ProgramData\Microsoft\Windows\GPR\func\smime3.dll, Quarantined, [1117], [505207],1.0.4674
Trojan.Egguard.PrxySvrRST, C:\ProgramData\Microsoft\Windows\GPR\func\softokn3.dll, Quarantined, [1117], [505207],1.0.4674
Trojan.Egguard.PrxySvrRST, C:\ProgramData\Microsoft\Windows\GPR\func\sqlite3.dll, Quarantined, [1117], [505207],1.0.4674
Trojan.Egguard.PrxySvrRST, C:\ProgramData\Microsoft\Windows\GPR\func\ssl3.dll, Quarantined, [1117], [505207],1.0.4674
Trojan.Egguard.PrxySvrRST, C:\ProgramData\Microsoft\Windows\GPR\network\default_cse.js, Quarantined, [1117], [505207],1.0.4674
Trojan.Egguard.PrxySvrRST, C:\ProgramData\Microsoft\Windows\GPR\network\svcnetwk.exe, Quarantined, [1117], [505207],1.0.4674
Trojan.Agent, C:\PROGRAMDATA\MICROSOFT\WINDOWS\AUDIO\WINAMGR.EXE, Quarantined, [383], [489320],1.0.4674
Trojan.Egguard.PrxySvrRST, C:\USERS\{username}\DESKTOP\CPU-Z.EXE, Quarantined, [1117], [505199],1.0.4674
Trojan.Egguard.PrxySvrRST, C:\DOWNLOADS\CPU-Z.EXE, Quarantined, [1117], [505199],1.0.4674

Physical Sector: 0
(No malicious items detected)

(end)

As mentioned before, the full version of Malwarebytes could have protected your computer against this threat.
We use different ways of protecting your computer(s):
- Dynamically Blocks Malware Sites & Servers
- Malware Execution Prevention
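The indicators listed under Technical details above (the loopback proxy on port 8080, the injected root certificate, the fake "Windows Audio Manager" service and the GPR folder) can be checked on a live host with the PowerShell below. It is an added example, not part of the Malwarebytes guide; the thumbprint, registry paths and file paths are the ones listed above, and it assumes it is run from an elevated shell.

```powershell
# Added example (not from the Malwarebytes guide): check a Windows host for the
# CPUID CPU-Z trojan indicators shown in the FRST log and registry details above.
$Thumbprint = '483A0ECB697A7E8FE5FB5DBCA52C7F82D70D8239'   # root cert from the registry details
$Findings   = @()

# 1. Proxy forced to the loopback listener on 8080. The Malwarebytes log shows this
#    set for the current user, for SYSTEM (S-1-5-18) and for .DEFAULT, so check all three.
if (-not (Get-PSDrive HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}
foreach ($h in 'HKCU:', 'HKU:\S-1-5-18', 'HKU:\.DEFAULT') {
    $ie = Get-ItemProperty "$h\Software\Microsoft\Windows\CurrentVersion\Internet Settings" -ErrorAction SilentlyContinue
    if ($ie -and $ie.ProxyEnable -eq 1 -and $ie.ProxyServer -match '127\.0\.0\.1:8080') {
        $Findings += "$h proxy enabled and pointed at loopback: $($ie.ProxyServer)"
    }
}

# 2. The injected root CA in the machine ROOT store (this is what lets the local
#    proxy present a "valid" certificate for HTTPS sites).
$ca = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $Thumbprint }
if ($ca) { $Findings += "Rogue root CA present: $($ca.Subject) [$Thumbprint]" }

# 3. The fake 'Windows Audio Manager' service running an unsigned binary from ProgramData.
#    ImagePath is '"...\winamgr.exe" -s'; strip the quotes and argument before checking it.
$svc = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\winamgr' -ErrorAction SilentlyContinue
if ($svc) {
    $exe    = $svc.ImagePath -replace '^"([^"]+)".*$', '$1'
    $status = (Get-AuthenticodeSignature -FilePath $exe -ErrorAction SilentlyContinue).Status
    $Findings += "Service winamgr -> $exe (Authenticode status: $status)"
}

# 4. Dropped components on disk.
foreach ($p in 'C:\ProgramData\Microsoft\Windows\GPR', 'C:\ProgramData\Microsoft\Windows\Audio\winamgr.exe') {
    if (Test-Path -LiteralPath $p) { $Findings += "Artifact present: $p" }
}

if ($Findings) { $Findings | ForEach-Object { Write-Warning $_ } }
else           { Write-Output 'No CPUID CPU-Z indicators found.' }
```

A hit on the proxy or the root certificate alone is worth investigating even if the service and folders are gone, since those settings survive a partial clean-up and keep browser traffic exposed.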