Today when I started my PC I did my weekly Avast scan. At the end of it, I had one infected object:
C:\Users\Name\AppData\Local\Temp\cpuz135\cpuz135_x64.sys (Avast telling me it is a Rootkit-Hidden service).
I tried deleting it, but when I try to do so it gives me an error: Error 0xA0000101 (-1610612479).
I cannot put it into quarantine either; it tells me the object can't be moved. I checked the temp folder and I can't find it in there.
I do indeed have CPUID Hardware Monitor (Does it use the same files as CPU-Z?). As you said, it was in the temp folder, hence why I am worrying. I do not have it open except when I check temps/voltages etc… (so it was closed).
I do my scans manually, so I just ran a quick scan and got it as a result (I can screenshot the scan result/removal menu if you need it). How do I clean the temp folder? I am always suspicious when touching the AppData folder, since I am not really skilled in software, etc…
A screenshot of the scan result would help clarify which scan, etc.
I assume that you are using win7, since this is the 64-bit version of cpuz?
You can use something like CCleaner, a general cr4p cleaner (hence its name), which clears temp files, not just in the temp folder. CCLEANER - CCleaner - Temp File Cleaner, etc.
You could also check the offending/suspect file at VirusTotal - Multi engine on-line virus scanner and report the findings here; post the URL in the Address bar of the VT results page. You can't do this with the file securely in the chest; you need to open the chest, right click on the file and select 'Extract' it to a temporary (not original) location first, see below.
Create a folder called Suspect in the C: drive. Now exclude that folder in the File System Shield, Expert Settings, Exclusions, Add, type (or copy and paste) C:\Suspect*
That will stop the File System Shield scanning any file you put in that folder.
I use CCleaner daily already, I didn’t know the registry/net scan/clean worked on temp files too, good to know!
Problem is, I can't find the file in the path shown in the scan result. I never could, actually. I had an error when trying to delete it. I don't know if it means the suspected file was just temporarily there and vanished, or if the file got removed, or if the file decided to walk to another folder and hide there (for all I know lol, sorry for my basic knowledge of viruses/malware).
Here is the result of the scan, hoping it will help. There are two screenshots:
This is what happens when I try to delete the file (the error on the right).
This is what happens when I try to put the file into the vault/chest (The message on the right means literally “This demand isn’t supported/This demand can’t be taken into account”)
In both cases, AVAST asks me to reboot when I close the menu.
Edit: I am not the most skilled Paint user either.
Edit2: Also adding the fact that Avast doesn't find any threat anymore. It was only in the scan of which I sent the results.
I have HWMonitor, but I don't know if it uses the CPU-Z files for the CPU monitoring in its monitoring of the hardware (since they are from the same company it is possible it installs that also). Again I don't use the install version but the stand alone version, so no registry entries or any processes running in the background.
The AppData area may be hidden in win7. I'm not a great fan of win7 on my Acer netbook, and there is a padlock over that Users\UserName\ folder (but I have access to mine; I have made many changes under win7 so that I'm the one in charge and not MS).
I have done a quick test and ran my standalone copy of CPU-Z and whilst it creates a cpuz_driver_5196.log file there is no cpuz driver file created in the C:\Users\UserName\AppData\Local\Temp\ folder. Closing CPU-Z clears the log from that Temp folder. Running the same test with my stand alone version of HWMonitor doesn't create a cpuz folder or the cpuz driver file.
My recommendation (as I believe you have the installed version of both these utilities) is to uninstall them and use the stand alone version (doesn't require installation), which comes as a .zip file and not a setup.exe file. I have a folder for all of my stand alone utilities that don't require registry installation, etc. called Utilities-Non-Registry with sub-folders for the different utilities.
This is easy to keep track of and I have a shortcut to view the Utilities-Non-Registry folder (as a toolbar in XP and win7), this makes them easy to manage.
I uninstalled HWmonitor just before you answered. I got an error with that SAME file (except it wasn’t from the temp folder, but from the sys32/drivers folder). It asked me if I wanted to delete it, I just clicked yes and it worked. I will now install the stand alone version of HWmonitor.
Does it mean the problem is fixed (or was it just a FP)? Is there a way to check if there is any rootkit left on my PC? Thanks for the precious help.
Well, the problem with drivers is that if they aren't signed, are in a weird location (like this temp folder) and aren't reasonably well known, they look very suspicious, and I think that this is what was going on.
As I mentioned earlier avast does an anti-rootkit scan 8 minutes after boot, and assuming there was a rootkit present it should have found it.
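The post above lists the warning signs for a driver (unsigned, loaded from an odd location such as a user's Temp folder). The following read-only triage script, an added example that is not from this thread or from avast, enumerates the kernel driver services Windows knows about and flags those traits; it assumes an elevated PowerShell prompt on Windows 7 or later.

```powershell
# Added example: list kernel driver services and flag unsigned drivers or
# drivers loaded from outside the normal driver folders (e.g. AppData\Local\Temp).
# Read-only; run from an elevated PowerShell prompt.
$systemRoot = $env:SystemRoot
$expectedRoots = @("$systemRoot\System32\drivers", "$systemRoot\System32\DriverStore")

# Win32_SystemDriver covers every kernel driver service; PathName is the image path.
$drivers = Get-CimInstance -ClassName Win32_SystemDriver | Where-Object { $_.PathName }

$findings = foreach ($d in $drivers) {
    # PathName may be \??\C:\..., \SystemRoot\..., or a path relative to %SystemRoot%.
    $path = $d.PathName -replace '^\\\?\?\\', ''
    $path = $path -replace '^\\SystemRoot\\', "$systemRoot\"
    if ($path -notmatch '^[A-Za-z]:\\') { $path = Join-Path $systemRoot $path }

    $outsideNormal = -not ($expectedRoots | Where-Object { $path -like "$_\*" })
    $inTemp = ($path -match '\\AppData\\Local\\Temp\\') -or ($path -match '\\Windows\\Temp\\')

    if (Test-Path -LiteralPath $path) {
        $sig = Get-AuthenticodeSignature -FilePath $path
        $sigStatus = $sig.Status.ToString()
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    } else {
        # Service entry still registered but the file is gone: the "can't delete it,
        # can't find it" situation described in the thread.
        $sigStatus = 'FileMissing'
        $signer = ''
    }

    [pscustomobject]@{
        Name          = $d.Name
        State         = $d.State
        Path          = $path
        Signature     = $sigStatus   # Valid / NotSigned / HashMismatch / FileMissing ...
        Signer        = $signer
        OutsideNormal = $outsideNormal
        InTemp        = $inTemp
    }
}

# Show only entries matching the thread's warning signs. Note: catalog-signed inbox
# drivers can report NotSigned on older systems, so treat a hit as a prompt to
# check the file on VirusTotal, not as proof of malware.
$findings |
    Where-Object { $_.InTemp -or $_.OutsideNormal -or $_.Signature -ne 'Valid' } |
    Sort-Object InTemp, OutsideNormal -Descending |
    Format-Table Name, State, Signature, InTemp, Path -AutoSize
```

A driver whose service is still registered but whose file no longer exists shows up as FileMissing, which matches the situation in the thread where Avast reports the path but nothing is left to delete.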
Hmmm, is there a way to do that rootkit scan manually? Or is it just some automatic scan made in the background?
I did some tests with Kaspersky Online Scan, Malwarebytes, SUPERAntiSpyware and nothing was found (I kinda want to try with GMER too, if you know it). I guess the file is gone or it was just a False Positive. I am still wondering what this file was doing in this temp folder, lol ;D (not to mention I still don't know if the file was really removed; as shown in the screenshots, I got an error every time I try... maybe just a bug).
It is the same scan whether initiated manually or booting and waiting 8 minutes, in the avastUI, Scan Computer, you can create a custom scan and only select the anti-rootkit scan, there are different levels of sensitivity (Quick or Full anti-rootkit scan).
The avast anti-rootkit scanner is based on GMER and by the same guy who designed that (he now works for avast ;D). The major difference being the avast scanner is more user friendly where the GMER scan needs to be analysed and the avast scan tries to make the decisions.
The other point I’m trying to make is that this detection wasn’t made by the anti-rootkit scan, but the standard on-demand scan, but that doesn’t really coincide with this in your first post:
“C:\Users\Name\AppData\Local\Temp\cpuz135\cpuz135_x64.sys (Avast telling me it is a Rootkit-Hidden service).”
That is why I felt it was the anti-rootkit scan and asked if it were, so I’m somewhat confused as the results image doesn’t really match what I would expect from the anti-rootkit scan alert, see image example of an anti-rootkit detection, this is from avast6 but will be similar to avast7.
The scan was launched manually (it was a "quick scan", one of the scans premade with Avast, not a customised scan, which normally includes the Rootkit scan (quick)). Now for the Avast version... mine is the free version and is in French (I am not sure if any of those variables change the font/page of the program itself?). I will try to find where the rootkit-only scan is, thank you.
Also, I did another scan today (a full/precise scan this time) and it told me that:
Some files couldn’t be scanned (error: the path specified doesn’t exist).
Not sure what it exactly means, and I am not sure if it's related to the first problem either.
Edit: It could simply be because of some update... The number in the path is "12070701", and when I check in the Avast folder the number in the path is "12070800". Is that maybe related to the version/update of the program?
Nothing to worry about, those are files in old virus definitions folders and avast is doing some housecleaning to keep the size used on the hard disk to a minimum. This just happens to have occurred between the time you started the scan and it reaching that old defs folder.
Thank you very much for all the time spent helping me.
I found out how to do a customised scan. I've put Rootkit (complete) only and ran it. Nothing was found. Let's just assume it was a false positive, not like I can do much more.
I checked my net, it isn't slower than usual. The rest seems fine, nothing suspect found either.