GPU-Z v2.57.0 trojan alert

[GD83]

Hello, I am French, forgive me for the poor writing of my post, it is probably not serious but the latest version of GPU-Z causes problems with Windows 11.

It's in French but experts will understand the Windows protection history screens.

It is not possible to install GPU-Z without removing the threat, I don't know why my Windows detects this and not others, otherwise there would be many messages here.

Simple reporting of the problem.

What it says in summary:

Serious threat blocked, malicious act/malware, removed and quarantined (another related alert indicates quarantine).

 

[JohH]

What's the MD5 of the exe you have on your computer? It should be DB28131D2F25B980553974A6399E639D.

You can calculate it by opening powershell and running
Get-FileHash .\Downloads\GPU-Z.2.57.0.exe -Algorithm MD5

where the part in bold is the location of your GPU-Z executable

Edit: Disregard this. You're using an installer? Not sure what the checksum should be for that.
Download the exe from the TechPowerUp main page and verify it doesn't have the same detection.

 

[GD83]

Basic installation of the GPU-Z .exe available here, as usual.

There's definitely nothing dangerous here, I don't know why windows gets angry

Downloading the same .exe (already taken from the main page) gives the same result.

 

[arbiter]

where did you download it from if it was somewhere other then this site they might infected it

 

[ir_cow]

where did you download it from if it was somewhere other then this site they might infected it

Agree. get it from TPU.

 

[sam_86314]

Went ahead and ran the installer (downloaded from TPU) to get the hash. SHA256 is cff3be1e0f885dab1998e00d041abbaf8d9a521b818bcd73ea4c38a858638bc6

I've attached the file in question. It appears in <boot drive>\Users\<username>\AppData\Local\Temp when you install GPU-Z.

Interestingly, on VT

VirusTotal

VirusTotal

www.virustotal.com

Twelve detections, including Windows Security detecting as Trojan:Win32/AgentTesla!ml (though my AV doesn't detect it). The detection was different before I refreshed VT.

I trust TPU, so I'm assuming it's a false positive/heuristic match.

EDIT: I went ahead and checked an older version of GPU-Z (2.55.0). Looks like it used a different installer program

SHA256: 6cdfac9a6fd83d7a0b652bd8d5a971a753704302e697c3129dcaa5f2de465a44

VirusTotal

VirusTotal

www.virustotal.com

I've attached that one too, but I renamed it to differentiate them.

EDIT 2: 2.57.0 uses Inno Setup 6.1.0 while 2.55.0 uses 6.0.0

 

[Dr. Dro]

It's probably a false positive, probably a good idea to let @W1zzard know though

Cheers

 

[Shou Miko]

It's probably a false positive, probably a good idea to let @W1zzard know though

Cheers

Hmm I am wondering if OP has updated his Windows 11 and defender because my server is on Windows 11 Pro 22H2 Build 22621.3007 and mine doesn't find anything with the installer I just downloaded.

Windows Defender scanning GPUZ-.exe, unins000.dat and unins000.exe nothing found:

 

[W1zzard]

You are right, for some reason the installer gets a lot of detections now

I'm using regular Innosetup.. not sure why this is happening

Edit: next version of GPU-Z will use an installer that's digitally signed with our EV signature. Seems this helps a little bit

VirusTotal

VirusTotal

www.virustotal.com

 

[8up]

Downloaded GPU-Z-2.56.0 from techpowerup on Jan 19. Ran it again on Jan 22 and got an update notification. Clicked through to get the update, as I figured there was no reason to worry since I got the app from the horse's mouth.

Google searched within the past month for gpuz and a few malware keywords and came up with:

https://www.reddit.com/r/techsupport/comments/19d79ck
and

https://twitter.com/i/web/status/1749979028877095298

Going back farther in the archives, there seem to have been many such reports of malware coming via Techpowerup's GPUz, as well as CPUID's CPUz. What could be in GPUz and CPUz that looks so much like either of these keylogger and/or RAT malwares? Something to do with the required low level hardware access? Also, what are the odds of the latest version being flagged for 3 different keylogger/RAT malwares?

edit:

Just looked at the Virustotal results above (as I didn't think to click them earlier). Should have asked the odds of the latest version getting flagged for 3 or more different keylogger/RAT malwares.

Sure these COULD all be false positives, but even the most likely possibility it is not a certainty. I don't feel like putting any more thought into this. Mine is a brand new PC -- the first I've assembled in over a decade and it's only been used over the past couple weeks. The simplest and most effective solution for me, which coincidentally is also the only guaranty of no positives at all, is to repartition the hard drive and reinstall Winblows like it's 1998, avoiding the install of anything questionable until a proper backup has been made. I didn't like how the SSD was partitioned anyhow.

 

[R-T-B]

Sure these COULD all be false positives,

They are certainly false positives. Techpowerup is a identifiable business with a US HQ that would be gone pretty quick if peddling malware.

If it bothers you though, you can wait for the next release that w1zzard will sign with his business code signing cert, that will certainly clear it up.

FYI some of my original mods I do for ksp get multiple flags so this is not unheard of, just overeager AV at work.

 

[sam_86314]

I wonder if antivirus engines just don't like Inno Setup installers.

I've made installers in Inno Setup before, so out of curiosity, I submitted one of mine to VT.

VirusTotal

VirusTotal

www.virustotal.com

Five AV engines detected it.

Spoiler: Boring Technical Stuff

For those who are curious, it's the setup executable from a repack I made of Skyrim for personal use. I wanted to back the game up to DVDs, and I also wanted to learn how installers work.

All this setup file does is ask for an install location and ask you to select what is installed. Then, it simply unpacks an archive into the target location and then offers to install DirectX and VC runtimes.

It just uses standard LZMA2 compression for the files.

I even still have the source file for this installer. I don't really want to share it as text, but I'll show a screenshot.

 

[W1zzard]

I wonder if antivirus engines just don't like Inno Setup installers.

that, and the lower quality AV engines are way too sensitive and will flag virtually everything.

If you create an empty program that does nothing it will get flagged by those, too.

Sure these COULD all be false positives, but even the most likely possibility it is not a certainty

It is a certainty, look at Virustotal, reputable antivirus engines. These don't flag GPU-Z

What could be in GPUz and CPUz that looks so much like either of these keylogger and/or RAT malwares? Something to do with the required low level hardware access?

Correct, a .sys driver gets extracted to %TEMP% and loaded, requires admin privileges to run, accesses hardware in various ways

Five AV engines detected it.

Yeah.. it's always the same guys .. CrowdStrike, SecureAge, MaxSecure etc

 

[Teddy1983]

I also have a problem, regardless of which server I download from.

 

[W1zzard]

I also have a problem, regardless of which server I download from.

Yeah, this is not a server issue on our end, but an antivirus false positive. Running GPU-Z without installation works fine though, right?

You can submit it here for analysis, to help improve Defender:

Submit a file for malware analysis - Microsoft Security Intelligence

Submit suspected malware or incorrectly detected files for analysis. Submitted files will be added to or removed from antimalware definitions based on the analysis results.

www.microsoft.com

 

[AusWolf]

Wait a minute... "gpuz_installer.exe"? Shouldn't it be called "GPU-Z.2.57.0.exe"? Are you sure you downloaded it from this site, and not a fake one that looks like it, but isn't?

 

[W1zzard]

Wait a minute... "gpuz_installer.exe"? Shouldn't it be called "GPU-Z.2.57.0.exe"? Are you sure you downloaded it from this site, and not a fake one that looks like it, but isn't?

He downloaded GPU-Z.2.57.0.exe correctly. When you click on "start installer" within GPU-Z, it will extract "gpuz_installer.exe" to %TEMP% and run it

 

[AusWolf]

He downloaded GPU-Z.2.57.0.exe correctly. When you click on "start installer" within GPU-Z, it will extract "gpuz_installer.exe" to %TEMP% and run it

Ah, I see!

By the way, I've just downloaded and updated to the latest version without any issues. It did ask for a system restart, though, which it hasn't before. I'm on Windows 10, using only Defender as AV.

 

[W1zzard]

By the way, I've just downloaded and updated to the latest version without any issues. It did ask for a system restart, though, which it hasn't before. I'm on Windows 10, using only Defender as AV.

Interesting .. so maybe the definitions have already been updated

 

[AusWolf]

Interesting .. so maybe the definitions have already been updated

Maybe. Or maybe the definitions on my PC are out of date.

 

[Count von Schwalbe]

I had downloaded it yesterday, and installed it today. Defender, SentinelOne, and ESET all gave it a pass.

 

[Assimilator]

Downloaded GPU-Z-2.56.0 from techpowerup on Jan 19. Ran it again on Jan 22 and got an update notification. Clicked through to get the update, as I figured there was no reason to worry since I got the app from the horse's mouth.

View attachment 331443

Google searched within the past month for gpuz and a few malware keywords and came up with:

https://www.reddit.com/r/techsupport/comments/19d79ck
and

https://twitter.com/i/web/status/1749979028877095298

Going back farther in the archives, there seem to have been many such reports of malware coming via Techpowerup's GPUz, as well as CPUID's CPUz. What could be in GPUz and CPUz that looks so much like either of these keylogger and/or RAT malwares? Something to do with the required low level hardware access? Also, what are the odds of the latest version being flagged for 3 different keylogger/RAT malwares?

edit:

Just looked at the Virustotal results above (as I didn't think to click them earlier). Should have asked the odds of the latest version getting flagged for 3 or more different keylogger/RAT malwares.

Sure these COULD all be false positives, but even the most likely possibility it is not a certainty. I don't feel like putting any more thought into this. Mine is a brand new PC -- the first I've assembled in over a decade and it's only been used over the past couple weeks. The simplest and most effective solution for me, which coincidentally is also the only guaranty of no positives at all, is to repartition the hard drive and reinstall Winblows like it's 1998, avoiding the install of anything questionable until a proper backup has been made. I didn't like how the SSD was partitioned anyhow.

You should educate yourself before making such uninformed and alarmist posts.

 

[W1zzard]

You should educate yourself before making such uninformed and alarmist posts.

He has every right to come here and be worried. Actually I appreciate learning about this, so I can do something about it (vs not knowing about it in the first place)

 

[Teddy1983]

I've sent the file for analysis. Yes I'm sure I downloaded from a reliable source, hence from the forum. I have the latest definitions of wondows defender window 11 and nadl message. I've downloaded from here
Pobierz za darmo TechPowerUp GPU-Z w wersji 2.57.0 | TechPowerUp

 

[W1zzard]

So it's just a question of getting the signatures updated now.

Their internal tool did confirm the detection when I submitted it