What is CPUID CPU-Z?
The Malwarebytes research team has determined that CPUID CPU-Z is a trojan.
This particular one injects downloaded JavaScript (JS) files into browser sessions and sets a proxy accompanied with a false SSL certificate to perform a man-in-the-middle (MITM) attack.
How do I know if my computer is affected by CPUID CPU-Z?
You may see this entry in your list of installed software:
and this icon in your startmenu and on your desktop:
How did CPUID CPU-Z get on my computer?
Trojans use different methods for distributing themselves. This particular one was bundled with other software.
How do I remove CPUID CPU-Z?
Our program Malwarebytes can detect and remove this malware.
- Please download Malwarebytes to your desktop.
- Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program.
- Then click Finish.
- Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu.
- If another update of the definitions is available, it will be implemented before the rest of the scanning procedure.
- When the scan is complete, make sure that all Threats are selected, and click Remove Selected.
- Restart your computer when prompted to do so.
- No, Malwarebytes removes CPUID CPU-Z completely.
We hope our application and this guide have helped you eradicate this hijacker.
As you can see below the full version of Malwarebytes would have protected you against the CPUID CPU-Z hijacker. It would have warned you before the application could install itself, giving you a chance to stop it before it became too late.
and it blocks the domains where the trojn was downloaded from by the bundler:
and even if you should get infected it blocks the exploit that the trojan uses to perform the man-in-the-middle attack:
Technical details for experts
Possible signs in FRST logs:
(Microsoft Corporation) C:\ProgramData\Microsoft\Windows\Audio\winamgr.exe.bak
(Microsoft Corporation) C:\ProgramData\Microsoft\Windows\GPR\network\svcnetwk.exe
(Microsoft Corporation) C:\ProgramData\Microsoft\Windows\GPR\browser\svchostctl.exe
ProxyEnable: [S-1-5-21-{user GUID}] => Proxy is enabled.
ProxyServer: [S-1-5-21-{user GUID}] => http=127.0.0.1:8080;https=127.0.0.1:8080
R2 winamgr; C:\ProgramData\Microsoft\Windows\Audio\winamgr.exe [9875968 2018-04-10] (Microsoft Corporation) [File not signed]
C:\Users\Public\Desktop\CPUID CPU-Z.lnk
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CPUID
C:\Program Files\CPUID
CPUID CPU-Z 1.82.1 (HKLM\...\CPUID CPU-Z_is1) (Version: 1.82.1 - )
FirewallRules: [TCP Query User{D3E7F7AC-72C7-4000-8B93-DD0DA199AD56}C:\programdata\microsoft\windows\gpr\network\svcnetwk.exe] => (Allow) C:\programdata\microsoft\windows\gpr\network\svcnetwk.exe
FirewallRules: [UDP Query User{79ED0071-EA4B-4214-BD80-E472E1505F7A}C:\programdata\microsoft\windows\gpr\network\svcnetwk.exe] => (Allow) C:\programdata\microsoft\windows\gpr\network\svcnetwk.exe
Alterations made by the installer:File system details [View: All details] (Selection)
---------------------------------------------------
Adds the folder C:\Program Files\CPUID\CPU-Z
Adds the file cpuz.exe"="12/20/2017 1:10 PM, 3517688 bytes, A
Adds the file cpuz.ini"="12/20/2017 1:15 PM, 594 bytes, A
Adds the file cpuz_eula.txt"="8/12/2015 8:57 PM, 7651 bytes, A
Adds the file cpuz_readme.txt"="12/20/2017 1:14 PM, 26325 bytes, A
Adds the file unins000.dat"="4/10/2018 8:40 AM, 3245 bytes, A
Adds the file unins000.exe"="4/10/2018 8:40 AM, 725157 bytes, A
Adds the folder C:\ProgramData\Microsoft\Windows\Audio
Adds the file winamgr.exe"="4/10/2018 8:40 AM, 9875968 bytes, A
Adds the file winamgr.exe.bak"="1/29/2018 2:03 PM, 9342976 bytes, A
Adds the folder C:\ProgramData\Microsoft\Windows\GPR\browser
Adds the file svchostctl.exe"="4/10/2018 8:40 AM, 216576 bytes, A
Adds the folder C:\ProgramData\Microsoft\Windows\GPR\func
Adds the file ca.crt"="4/10/2018 8:40 AM, 1094 bytes, A
Adds the file ca.key"="4/10/2018 8:40 AM, 887 bytes, A
Adds the file cert8.db"="4/10/2018 8:40 AM, 65536 bytes, A
Adds the file certutil.exe"="4/10/2018 8:40 AM, 103936 bytes, A
Adds the file chrome.exe"="4/10/2018 8:40 AM, 140736 bytes, A
Adds the file freebl3.dll"="4/10/2018 8:40 AM, 222208 bytes, A
Adds the file key3.db"="4/10/2018 8:40 AM, 16384 bytes, A
Adds the file libnspr4.dll"="4/10/2018 8:40 AM, 199680 bytes, A
Adds the file libplc4.dll"="4/10/2018 8:40 AM, 14336 bytes, A
Adds the file libplds4.dll"="4/10/2018 8:40 AM, 12288 bytes, A
Adds the file libvlc.dll"="4/10/2018 8:40 AM, 87040 bytes, A
Adds the file libvlcwk.dll"="4/10/2018 8:40 AM, 195072 bytes, A
Adds the file msvcr100.dll"="4/10/2018 8:40 AM, 773968 bytes, A
Adds the file nss3.dll"="4/10/2018 8:40 AM, 798720 bytes, A
Adds the file nssckbi.dll"="4/10/2018 8:40 AM, 370176 bytes, A
Adds the file nssdbm3.dll"="4/10/2018 8:40 AM, 108544 bytes, A
Adds the file nssutil3.dll"="4/10/2018 8:40 AM, 93696 bytes, A
Adds the file secmod.db"="4/10/2018 8:40 AM, 16384 bytes, A
Adds the file smime3.dll"="4/10/2018 8:40 AM, 97792 bytes, A
Adds the file softokn3.dll"="4/10/2018 8:40 AM, 172544 bytes, A
Adds the file sqlite3.dll"="4/10/2018 8:40 AM, 423936 bytes, A
Adds the file ssl3.dll"="4/10/2018 8:40 AM, 190976 bytes, A
Adds the folder C:\ProgramData\Microsoft\Windows\GPR\network
Adds the file default_cse.js"="4/10/2018 8:40 AM, 5900 bytes, A
Adds the file general.js"="4/10/2018 8:40 AM, 2252 bytes, A
Adds the file svcnetwk.exe"="4/10/2018 8:40 AM, 11952128 bytes, A
Adds the folder C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CPUID\CPU-Z
Adds the file CPU-Z.lnk"="4/10/2018 8:40 AM, 893 bytes, A
Adds the file Edit CPU-Z Config File.lnk"="4/10/2018 8:40 AM, 893 bytes, A
Adds the file Uninstall CPU-Z.lnk"="4/10/2018 8:40 AM, 917 bytes, A
In the existing folder C:\Users\Public\Desktop
Adds the file CPUID CPU-Z.lnk"="4/10/2018 8:40 AM, 869 bytes, A
In the existing folder C:\Users\Public\Documents
Adds the file {DE764086-1C0A-4DD3-90BA-0B93BDD794BE}"="4/10/2018 8:41 AM, 34 bytes, A
Registry details [View: All details] (Selection)
------------------------------------------------
[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\Mail]
"ChannelId"="REG_SZ", "icbusa20"
[HKEY_LOCAL_MACHINE\SOFTWARE\CPUID\CPU-Z]
"PATH"="REG_SZ", "C:\Program Files\CPUID\CPU-Z"
"PRODUCT_NAME"="REG_SZ", "CPUID CPU-Z"
"VERSION"="REG_SZ", "1.82.1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\483A0ECB697A7E8FE5FB5DBCA52C7F82D70D8239]
"Blob"="REG_BINARY, ................ ...........................................................................................................................................................................................................K........................................................................................................................................................................................
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\CPUID CPU-Z_is1]
"DisplayIcon"="REG_SZ", "C:\Program Files\CPUID\CPU-Z\cpuz.exe"
"DisplayName"="REG_SZ", "CPUID CPU-Z 1.82.1"
"DisplayVersion"="REG_SZ", "1.82.1"
"EstimatedSize"="REG_DWORD", 4166
"Inno Setup: App Path"="REG_SZ", "C:\Program Files\CPUID\CPU-Z"
"Inno Setup: Deselected Tasks"="REG_SZ", ""
"Inno Setup: Icon Group"="REG_SZ", "CPUID\CPU-Z"
"Inno Setup: Language"="REG_SZ", "default"
"Inno Setup: Selected Tasks"="REG_SZ", "desktopicon"
"Inno Setup: Setup Version"="REG_SZ", "5.5.9 (a)"
"Inno Setup: User"="REG_SZ", "{username}"
"InstallDate"="REG_SZ", "20180410"
"InstallLocation"="REG_SZ", "C:\Program Files\CPUID\CPU-Z\"
"MajorVersion"="REG_DWORD", 1
"MinorVersion"="REG_DWORD", 82
"NoModify"="REG_DWORD", 1
"NoRepair"="REG_DWORD", 1
"QuietUninstallString"="REG_SZ", ""C:\Program Files\CPUID\CPU-Z\unins000.exe" /SILENT"
"UninstallString"="REG_SZ", ""C:\Program Files\CPUID\CPU-Z\unins000.exe""
"VersionMajor"="REG_DWORD", 1
"VersionMinor"="REG_DWORD", 82
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\CPUZ]
"(Default)"="REG_SZ", ""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\winamgr]
"Description"="REG_SZ", "Windows Audio Manager"
"Display"="REG_SZ", "Windows Audio Manager"
"DisplayName"="REG_SZ", "Windows Audio Manager"
"ErrorControl"="REG_DWORD", 0
"ImagePath"="REG_EXPAND_SZ, ""C:\ProgramData\Microsoft\Windows\Audio\winamgr.exe" -s"
"ObjectName"="REG_SZ", "LocalSystem"
"Start"="REG_DWORD", 2
"Type"="REG_DWORD", 16
"WOW64"="REG_DWORD", 1
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable"= REG_DWORD, 1
"ProxyServer"="REG_SZ", "http=127.0.0.1:8080;https=127.0.0.1:8080"
Malwarebytes log:Malwarebytes
www.malwarebytes.com
-Log Details-
Scan Date: 4/10/18
Scan Time: 8:54 AM
Log File: fdd2c3b4-3c8b-11e8-87ee-080027235d76.json
Administrator: Yes
-Software Information-
Version: 3.3.1.2183
Components Version: 1.0.262
Update Package Version: 1.0.4674
License: Premium
-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: {computername}\{username}
-Scan Summary-
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 245556
Threats Detected: 46
Threats Quarantined: 46
Time Elapsed: 2 min, 43 sec
-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Detect
PUM: Detect
-Scan Details-
Process: 2
Trojan.Egguard.PrxySvrRST, C:\ProgramData\Microsoft\Windows\GPR\browser\svchostctl.exe, Quarantined, [1117], [505207],1.0.4674
Trojan.Egguard.PrxySvrRST, C:\ProgramData\Microsoft\Windows\GPR\network\svcnetwk.exe, Quarantined, [1117], [505207],1.0.4674
Module: 3
Trojan.Egguard.PrxySvrRST, C:\ProgramData\Microsoft\Windows\GPR\browser\svchostctl.exe, Quarantined, [1117], [505207],1.0.4674
Trojan.Egguard.PrxySvrRST, C:\ProgramData\Microsoft\Windows\GPR\network\svcnetwk.exe, Quarantined, [1117], [505207],1.0.4674
Trojan.Agent, C:\PROGRAMDATA\MICROSOFT\WINDOWS\AUDIO\WINAMGR.EXE, Quarantined, [383], [489320],1.0.4674
Registry Key: 2
Trojan.Egguard.PrxySvrRST, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\NLASVC\PARAMETERS\INTERNET\MANUALPROXIES, Quarantined, [1117], [-1],0.0.0
Trojan.Agent, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\winamgr, Quarantined, [383], [489320],1.0.4674
Registry Value: 6
Trojan.Egguard.PrxySvrRST, HKU\S-1-5-18\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS|PROXYENABLE, Quarantined, [1117], [-1],0.0.0
Trojan.Egguard.PrxySvrRST, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS|PROXYENABLE, Quarantined, [1117], [-1],0.0.0
Trojan.Egguard.PrxySvrRST, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS|PROXYENABLE, Quarantined, [1117], [-1],0.0.0
Trojan.Egguard.PrxySvrRST, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS|PROXYSERVER, Quarantined, [1117], [-1],0.0.0
Trojan.Egguard.PrxySvrRST, HKU\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS|PROXYENABLE, Quarantined, [1117], [-1],0.0.0
Trojan.FakeMS, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\WINAMGR|IMAGEPATH, Quarantined, [3025], [506363],1.0.4674
Registry Data: 0
(No malicious items detected)
Data Stream: 0
(No malicious items detected)
Folder: 4
Trojan.Egguard.PrxySvrRST, C:\ProgramData\Microsoft\Windows\GPR\browser, Quarantined, [1117], [505207],1.0.4674
Trojan.Egguard.PrxySvrRST, C:\ProgramData\Microsoft\Windows\GPR\network, Quarantined, [1117], [505207],1.0.4674
Trojan.Egguard.PrxySvrRST, C:\ProgramData\Microsoft\Windows\GPR\func, Quarantined, [1117], [505207],1.0.4674
Trojan.Egguard.PrxySvrRST, C:\PROGRAMDATA\MICROSOFT\WINDOWS\GPR, Quarantined, [1117], [505207],1.0.4674
File: 29
Trojan.Egguard.PrxySvrRST, C:\PROGRAMDATA\MICROSOFT\WINDOWS\GPR\NETWORK\GENERAL.JS, Quarantined, [1117], [505207],1.0.4674
Trojan.Egguard.PrxySvrRST, C:\ProgramData\Microsoft\Windows\GPR\browser\svchostctl.exe, Quarantined, [1117], [505207],1.0.4674
Trojan.Egguard.PrxySvrRST, C:\ProgramData\Microsoft\Windows\GPR\func\ca.crt, Quarantined, [1117], [505207],1.0.4674
Trojan.Egguard.PrxySvrRST, C:\ProgramData\Microsoft\Windows\GPR\func\ca.key, Quarantined, [1117], [505207],1.0.4674
Trojan.Egguard.PrxySvrRST, C:\ProgramData\Microsoft\Windows\GPR\func\cert8.db, Quarantined, [1117], [505207],1.0.4674
Trojan.Egguard.PrxySvrRST, C:\ProgramData\Microsoft\Windows\GPR\func\certutil.exe, Quarantined, [1117], [505207],1.0.4674
Trojan.Egguard.PrxySvrRST, C:\ProgramData\Microsoft\Windows\GPR\func\chrome.exe, Quarantined, [1117], [505207],1.0.4674
Trojan.Egguard.PrxySvrRST, C:\ProgramData\Microsoft\Windows\GPR\func\freebl3.dll, Quarantined, [1117], [505207],1.0.4674
Trojan.Egguard.PrxySvrRST, C:\ProgramData\Microsoft\Windows\GPR\func\key3.db, Quarantined, [1117], [505207],1.0.4674
Trojan.Egguard.PrxySvrRST, C:\ProgramData\Microsoft\Windows\GPR\func\libnspr4.dll, Quarantined, [1117], [505207],1.0.4674
Trojan.Egguard.PrxySvrRST, C:\ProgramData\Microsoft\Windows\GPR\func\libplc4.dll, Quarantined, [1117], [505207],1.0.4674
Trojan.Egguard.PrxySvrRST, C:\ProgramData\Microsoft\Windows\GPR\func\libplds4.dll, Quarantined, [1117], [505207],1.0.4674
Trojan.Egguard.PrxySvrRST, C:\ProgramData\Microsoft\Windows\GPR\func\libvlc.dll, Quarantined, [1117], [505207],1.0.4674
Trojan.Egguard.PrxySvrRST, C:\ProgramData\Microsoft\Windows\GPR\func\libvlcwk.dll, Quarantined, [1117], [505207],1.0.4674
Trojan.Egguard.PrxySvrRST, C:\ProgramData\Microsoft\Windows\GPR\func\msvcr100.dll, Quarantined, [1117], [505207],1.0.4674
Trojan.Egguard.PrxySvrRST, C:\ProgramData\Microsoft\Windows\GPR\func\nss3.dll, Quarantined, [1117], [505207],1.0.4674
Trojan.Egguard.PrxySvrRST, C:\ProgramData\Microsoft\Windows\GPR\func\nssckbi.dll, Quarantined, [1117], [505207],1.0.4674
Trojan.Egguard.PrxySvrRST, C:\ProgramData\Microsoft\Windows\GPR\func\nssdbm3.dll, Quarantined, [1117], [505207],1.0.4674
Trojan.Egguard.PrxySvrRST, C:\ProgramData\Microsoft\Windows\GPR\func\nssutil3.dll, Quarantined, [1117], [505207],1.0.4674
Trojan.Egguard.PrxySvrRST, C:\ProgramData\Microsoft\Windows\GPR\func\secmod.db, Quarantined, [1117], [505207],1.0.4674
Trojan.Egguard.PrxySvrRST, C:\ProgramData\Microsoft\Windows\GPR\func\smime3.dll, Quarantined, [1117], [505207],1.0.4674
Trojan.Egguard.PrxySvrRST, C:\ProgramData\Microsoft\Windows\GPR\func\softokn3.dll, Quarantined, [1117], [505207],1.0.4674
Trojan.Egguard.PrxySvrRST, C:\ProgramData\Microsoft\Windows\GPR\func\sqlite3.dll, Quarantined, [1117], [505207],1.0.4674
Trojan.Egguard.PrxySvrRST, C:\ProgramData\Microsoft\Windows\GPR\func\ssl3.dll, Quarantined, [1117], [505207],1.0.4674
Trojan.Egguard.PrxySvrRST, C:\ProgramData\Microsoft\Windows\GPR\network\default_cse.js, Quarantined, [1117], [505207],1.0.4674
Trojan.Egguard.PrxySvrRST, C:\ProgramData\Microsoft\Windows\GPR\network\svcnetwk.exe, Quarantined, [1117], [505207],1.0.4674
Trojan.Agent, C:\PROGRAMDATA\MICROSOFT\WINDOWS\AUDIO\WINAMGR.EXE, Quarantined, [383], [489320],1.0.4674
Trojan.Egguard.PrxySvrRST, C:\USERS\{username}\DESKTOP\CPU-Z.EXE, Quarantined, [1117], [505199],1.0.4674
Trojan.Egguard.PrxySvrRST, C:\DOWNLOADS\CPU-Z.EXE, Quarantined, [1117], [505199],1.0.4674
Physical Sector: 0
(No malicious items detected)
(end)As mentioned before the full version of Malwarebytes could have protected your computer against this threat.We use different ways of protecting your computer(s):
- Dynamically Blocks Malware Sites & Servers
- Malware Execution Prevention
Back to top
Sign In
Create Account
