Author Topic: cpuz135_x64.sys (temp folder) - False positive?  (Read 31816 times)


Lava_sc

  • Guest
cpuz135_x64.sys (temp folder) - False positive?
« on: July 07, 2012, 05:42:41 PM »
Hello,

Today when I started my PC I did my weekly Avast scan. At the end of it, I had one infected object:

C:\Users\Name\AppData\Local\Temp\cpuz135\cpuz135_x64.sys (Avast telling me it is a Rootkit-Hidden service).

I tried deleting it, but when I try to do so it gives me an error: Error 0xA0000101 (-1610612479).
I cannot put it into quarantine either; it tells me the object can't be moved. I checked in the temp folder and I can't find it in there.

Any help?

Thank you in advance :B

adotd

  • Guest
Re: cpuz135_x64.sys (temp folder) - False positive?
« Reply #1 on: July 07, 2012, 06:02:05 PM »
I think this is a FP

http://www.cpuid.com/

That driver is part of CPUID

You may want a malware specialist verification. 8)

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88895
  • No support PMs thanks
Re: cpuz135_x64.sys (temp folder) - False positive?
« Reply #2 on: July 07, 2012, 06:06:33 PM »
Do you actually have CPUZ?
If so, is it the installed version or the stand alone version?

It is strange to see it in a Temp location to start with, especially if it were running. Were you using it?

It is also an old version, latest is 1.61, so I would suggest clearing your temp files/folder and using the latest version.

What detected it in avast: on-demand scan, file system shield or rootkit scan (8 minutes after boot)?
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.2.6105 (build 24.2.8918.824) UI 1.0.799/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Lava_sc

  • Guest
Re: cpuz135_x64.sys (temp folder) - False positive?
« Reply #3 on: July 07, 2012, 06:19:39 PM »
Thanks for the very fast answers!

I do indeed have CPUID Hardware Monitor (does it use the same files as CPU-Z?). As you said, it was in the temp folder, hence my worrying. I do not have it open except when I check temps/voltages etc. (so it was closed).

I do my scans manually, so I just ran a quick scan and got it as a result (I can screenshot the scan result/removal menu if you need it). How do I clean the temp folder? I am always suspicious when touching the AppData folder, since I am not really skilled in software, etc...


Offline DavidR

Re: cpuz135_x64.sys (temp folder) - False positive?
« Reply #4 on: July 07, 2012, 06:32:08 PM »
A screenshot of the scan result would help clarify which scan, etc.

I assume that you are using win7, since this is the 64bit version of cpuz?
You can use something like CCleaner, a general cr4p cleaner (hence its name), which clears temp files, not just in the temp folder. CCLEANER - CCleaner - Temp File Cleaner, etc.

You could also check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner and report the findings here; post the URL from the Address bar of the VT results page. You can't do this with the file securely in the chest: you need to open the chest, right click on the file and select 'Extract' to a temporary (not original) location first, see below.

Create a folder called Suspect in the C:\ drive. Now exclude that folder in the File System Shield: Expert Settings, Exclusions, Add, type (or copy and paste) C:\Suspect\*
That will stop the File System Shield scanning any file you put in that folder.

Lava_sc

  • Guest
Re: cpuz135_x64.sys (temp folder) - False positive?
« Reply #5 on: July 07, 2012, 06:49:02 PM »
I use w7 64, indeed.

I use CCleaner daily already, I didn't know the registry/net scan/clean worked on temp files too, good to know!

Problem is, I can't find the file in the path shown in the scan result. I never could, actually. I had an error when trying to delete it. I don't know if it means the suspected file was just temporarily there and vanished, or if the file got removed, or if the file decided to walk to another folder and hide there (for all I know lol, sorry for my basic knowledge of viruses/malware).

Here is the result of the scan, hoping it will help. There are two screenshots:

1. This is what happens when I try to delete the file (the error on the right)
2. This is what happens when I try to put the file into the vault/chest (The message on the right means literally "This demand isn't supported/This demand can't be taken into account")

In both cases, AVAST asks me to reboot when I close the menu.

Edit: I am not the most skilled Paint user either :D
Edit2: Also adding the fact that Avast doesn't find any threat anymore. It was only in the scan whose results I sent.
« Last Edit: July 07, 2012, 07:50:26 PM by Lava_sc »

Offline DavidR

Re: cpuz135_x64.sys (temp folder) - False positive?
« Reply #6 on: July 07, 2012, 07:55:01 PM »
I have HWMonitor, but I don't know if it uses the CPU-Z files for the CPU monitoring in its monitoring of the hardware; since they are from the same company it is possible it installs that also. Again I don't use the install version but the stand alone version, so no registry entries or any processes running in the background.

The AppData area may be hidden in win7. I'm not a great fan of win7 on my Acer netbook, and there is a padlock over that Users\UserName\ folder (but I have access to mine, as I have made many changes under win7 so that I'm the one in charge and not MS).

I have done a quick test and ran my standalone copy of CPU-Z, and whilst it creates a cpuz_driver_5196.log file there is no cpuz driver file created in the C:\Users\UserName\AppData\Local\Temp\ folder. Closing CPU-Z clears the log from that Temp folder. Running the same test with my stand alone version of HWMonitor doesn't create a cpuz folder or the cpuz driver file.

My recommendation (as I believe you have the installed version of both these utilities) is to uninstall them and use the stand alone version (doesn't require installation), which comes as a .zip file and not a setup.exe file. I have a folder for all of my stand alone utilities that don't require registry installation, etc. called Utilities-Non-Registry with sub-folders for the different utilities.

This is easy to keep track of and I have a shortcut to view the Utilities-Non-Registry folder (as a toolbar in XP and win7), this makes them easy to manage.

Lava_sc

  • Guest
Re: cpuz135_x64.sys (temp folder) - False positive?
« Reply #7 on: July 07, 2012, 08:04:41 PM »
Very cool tips

I uninstalled HWmonitor just before you answered. I got an error with that SAME file (except it wasn't from the temp folder, but from the sys32/drivers folder). It asked me if I wanted to delete it, I just clicked yes and it worked. I will now install the stand alone version of HWmonitor.

Does it mean the problem is fixed (or was it just a FP)? Is there a way to check if there is any rootkit left on my PC? Thanks for the precious help.
« Last Edit: July 07, 2012, 08:07:47 PM by Lava_sc »

Offline DavidR

Re: cpuz135_x64.sys (temp folder) - False positive?
« Reply #8 on: July 07, 2012, 09:16:58 PM »
Well, the problem with drivers is that if they aren't signed, are in a weird location (like this temp folder) and reasonably well known, they look very suspicious, and I think that this is what was going on.

As I mentioned earlier avast does an anti-rootkit scan 8 minutes after boot, and assuming there was a rootkit present it should have found it.
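The two signals DavidR lists above (a driver that is not signed, and one loaded from a Temp location) plus the hash lookup suggested in reply #4 can be checked in one pass. The PowerShell script below is an added example, not code from this thread, from Avast or from CPUID; it assumes an elevated prompt and uses only the Win32_SystemDriver WMI class, Get-AuthenticodeSignature and the .NET SHA-256 class, so it also runs on the PowerShell 2.0 that shipped with Windows 7.

```powershell
# Added triage example (not from this thread, Avast or CPUID): list the kernel
# drivers registered on the machine, flag the indicators discussed above (image in
# a Temp folder, missing/invalid Authenticode signature, file no longer present),
# and print a SHA-256 that can be searched on VirusTotal without uploading the file.
# Assumes an elevated PowerShell prompt.

function Get-FileSha256 {
    param([string]$Path)
    # PowerShell 2.0 has no Get-FileHash, so use the .NET hasher directly.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        ($sha.ComputeHash($stream) | ForEach-Object { $_.ToString('x2') }) -join ''
    } finally {
        $stream.Close()
    }
}

function Test-DriverIndicators {
    param([string]$Name, [string]$State, [string]$ImagePath)
    # Win32_SystemDriver reports paths like \??\C:\...\x.sys; strip the NT prefix.
    $clean = if ($ImagePath) { $ImagePath -replace '^\\\?\?\\', '' } else { '' }
    $info = New-Object PSObject -Property @{
        Name = $Name; State = $State; Path = $clean
        Exists = $false; InTemp = $false; Signature = 'n/a'; Sha256 = ''
        Suspicious = $false
    }
    # Indicator 1: driver image under a Temp directory (the situation in this thread).
    $info.InTemp = $clean -match '\\Temp\\'
    if ($clean -and (Test-Path -LiteralPath $clean)) {
        $info.Exists = $true
        # Indicator 2: Authenticode status. Catalog-signed inbox drivers report 'Valid'.
        $info.Signature = (Get-AuthenticodeSignature -FilePath $clean).Status.ToString()
        $info.Sha256 = Get-FileSha256 -Path $clean
    }
    # A registered driver whose file is gone also deserves a look; it matches the
    # thread's symptom of a detection at a path that cannot be found afterwards.
    $info.Suspicious = $info.InTemp -or (-not $info.Exists) -or ($info.Signature -ne 'Valid')
    $info
}

$report = Get-WmiObject -Class Win32_SystemDriver | ForEach-Object {
    Test-DriverIndicators -Name $_.Name -State $_.State -ImagePath $_.PathName
}

# Flagged drivers first, Temp-located ones at the top.
$report | Where-Object { $_.Suspicious } |
    Sort-Object InTemp -Descending |
    Format-Table Name, State, Signature, InTemp, Exists, Path -AutoSize

# Hashes of the flagged files that still exist: paste one into the VirusTotal
# search box to find existing reports instead of extracting and uploading the file.
$report | Where-Object { $_.Suspicious -and $_.Exists } |
    ForEach-Object { '{0}  {1}' -f $_.Sha256, $_.Path }
```

Expect some noise: third-party drivers from small vendors are often unsigned or signed with an expired certificate and will show up as `NotSigned` or `UnknownError` without being malicious, so the list is a starting point for the VirusTotal check, not a verdict. Drivers that show `Exists = False` are the ones to compare against the path Avast reported.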

Lava_sc

  • Guest
Re: cpuz135_x64.sys (temp folder) - False positive?
« Reply #9 on: July 07, 2012, 09:24:19 PM »
Hmmm, is there a way to do that rootkit scan manually? Or is it just some automatic scan made in the background?

I did some tests with Kaspersky online scan, Malwarebytes, SUPERAntiSpyware and nothing was found (I kinda want to try with GMER too, if you know it). I guess the file is gone or it was just a false positive. I am still wondering what this file was doing in this temp folder, lol ;D (not to mention I still don't know if the file was really removed; as shown in the screenshots, I got an error every time I tried... maybe just a bug).
« Last Edit: July 07, 2012, 09:32:34 PM by Lava_sc »

Offline DavidR

Re: cpuz135_x64.sys (temp folder) - False positive?
« Reply #10 on: July 07, 2012, 11:50:59 PM »
It is the same scan whether initiated manually or by booting and waiting 8 minutes. In the avastUI, Scan Computer, you can create a custom scan and select only the anti-rootkit scan; there are different levels of sensitivity (Quick or Full anti-rootkit scan).

The avast anti-rootkit scanner is based on GMER and by the same guy who designed that (he now works for avast ;D). The major difference is that the avast scanner is more user friendly: the GMER scan needs to be analysed, whereas the avast scan tries to make the decisions.

The other point I'm trying to make is that this detection wasn't made by the anti-rootkit scan, but the standard on-demand scan, but that doesn't really coincide with this in your first post:
"C:\Users\Name\AppData\Local\Temp\cpuz135\cpuz135_x64.sys (Avast telling me it is a Rootkit-Hidden service)."

That is why I felt it was the anti-rootkit scan and asked if it were, so I'm somewhat confused as the results image doesn't really match what I would expect from the anti-rootkit scan alert, see image example of an anti-rootkit detection, this is from avast6 but will be similar to avast7.

Lava_sc

  • Guest
Re: cpuz135_x64.sys (temp folder) - False positive?
« Reply #11 on: July 08, 2012, 01:55:00 PM »
Hello :D

The scan was launched manually (it was a "quick scan", one of the scans premade with Avast, not a customised scan, which normally includes the rootkit scan (quick)). Now for the Avast version... mine is the free version and is in French (I am not sure if any of those variables change the font/page of the program itself?). I will try to find where the rootkit-only scan is, thank you :D

Also, I did another scan today (a full/precise scan this time) and it told me that:
Some files couldn't be scanned (error: the path specified doesn't exist).

Not sure what it exactly means, and I am not sure if it's related to the first problem either :P

Edit: It could simply be because of some update... The number in the path is "12070701", and when I check in the Avast folder the number in the path is "12070800". Is that maybe related to the version/update of the program?
« Last Edit: July 08, 2012, 02:07:51 PM by Lava_sc »

Offline DavidR

Re: cpuz135_x64.sys (temp folder) - False positive?
« Reply #12 on: July 08, 2012, 03:42:59 PM »
Nothing to worry about, those are files in old virus definitions folders and avast is doing some housecleaning to keep the size used on the hard disk to a minimum. This just happens to have occurred between the time you started the scan and it reaching that old defs folder.

Lava_sc

  • Guest
Re: cpuz135_x64.sys (temp folder) - False positive?
« Reply #13 on: July 08, 2012, 04:02:37 PM »
Fair enough.

Thank you very much for all the time spent helping me :)

I found out how to do a customised scan. I've put Rootkit (complete) only and ran it. Nothing was found. Let's just assume it was a false positive, not like I can do much more :P

I checked my net, it isn't slower than usual. The rest seems fine, nothing suspect found either.

Offline DavidR

Re: cpuz135_x64.sys (temp folder) - False positive?
« Reply #14 on: July 08, 2012, 04:18:12 PM »
You're welcome.