
I think my system still infected after clean install



I recently noticed a Trojan on my computer and have clean installed Windows. After 2 weeks it seems some sort of virus has returned. I noticed that at startup a command prompt opens and closes very fast.

I ran Malwarebytes and a few others that did not find anything bad; however, I found a few weird entries in my Autoruns.

File not found: cpuz155_x64.sys - (image path) -> \??\C:\Windows\temp\cpuz155\cpuz155_x64.sys
File not found: C:\Windows\temp\cpuz158\cpuz158_x64.sys

When I run autoruns as an Admin, these entries go away and cannot be located. 

I tried researching these and it appears they could be related to Lian Li software, which I use. 

However, I have also found that these cpuz entries can be malware and related to a Trojan. 

I will attach my FRST log files, thank you for your help! 

FRST.txt Addition.txt


Welcome
 
I'll be helping you with your computer.
 
Please read this post completely before beginning. If there's anything that you do not understand, please don't hesitate to ask before proceeding.
 
Please take note of the guidelines for this fix:

  • Please note that I am a volunteer. I do have a family, a career, and other endeavors that may prevent immediate responses that meet your schedule. Do note that the differences in time zones could present a problem as well. Your patience and understanding will be greatly appreciated.
  • First of all, the procedures we are about to perform are specific to your problem and should only be used on this specific computer.
  • Do not make any changes to your computer that include installing/uninstalling programs, deleting files, modifying the registry, nor running scanners or tools of any kind unless specifically requested by me.
  • Please read ALL instructions carefully and perform the steps fully and in the order they are written.
  • If things appear to be better, let me know. Just because the symptoms no longer exist as before, does not mean that you are clean.
  • Continue to read and follow my instructions until I tell you that your machine is clean.
  • If you have any questions at all, please do not hesitate to ask before performing the task that I ask of you, and please wait for my reply before you proceed.
  • Scanning with programs and reading the logs do take a fair amount of time. Again, your patience will be necessary.

Let's begin... 

The following Fix will empty these folders:

  • Windows Temp
  • Users' Temp folders
  • Edge, IE, FF, Chrome, and Opera caches, HTML5 storages, Cookies and History
  • Recently opened files cache
  • Discord cache
  • Java cache
  • Steam HTML cache
  • Explorer thumbnail and icon cache
  • BITS transfer queue (qmgr*.dat files)
  • Recycle Bin
  • HOSTS file

Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns, please ask before running this fix.

The system will be rebooted after the fix has run.

FRST64 was saved as C:\Users\SKII\Downloads\FRST64.exe

  • Download the enclosed file Fixlist.txt
  • Save it in the same location FRST64 is saved.
  • Start FRST (FRST64) with Administrator privileges
  • This time around, press the Fix button and wait
  • When finished, a log file (Fixlog.txt) will pop up and be saved in the same location the tool was run from.

Please attach this file in your next reply.

Dr.Web CureIt!

Please download the Dr.Web CureIt! anti-virus utility
https://free.drweb.com/

You will need to send them an email to obtain a link to download the scanner, please do so

  • The downloaded file will normally have a unique name such as: q7a9tr4p.exe
  • Close all open applications and locate the downloaded file and double-click to run it
  • The program will take a moment to launch and bring up the License and Update screen
  • Place a check mark to agree to the terms and then click on the Continue button
  • Click the underlined link Select objects for scanning
  • On the top left click the Scanning objects that should automatically check all objects
  • Click the small wrench and make sure there is a check on Automatically apply actions to threats
  • Then click the large button on bottom right Start scanning
  • Once the scan has completed, there will be a link named Open report; click that and a log named cureit.log should open in Notepad
  • The log is saved in the folder named Doctor Web in the top of your user profile folders
  • Please attach that log on your next reply

Wonder why they survived. Sense is a legit service. The uhssvc service seems to be part of Microsoft Update Health Tools (HKLM\...\{C6FD611E-7EFE-488C-A0E0-974C09EF6473}) (Version: 5.72.0.0 - Microsoft Corporation), so it is whitelisted.


Here are some applications that need an update:

Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 v.14.36.32532.0 Warning! Download Update
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 v.14.36.32532.0 Warning! Download Update
Google Chrome v.129.0.6668.60 Warning! Download Update
 
Security Task Manager 2.4 v.2.4 Warning! Suspected demo version of anti-spyware, driver updater or optimizer. If this program is not familiar to you it is recommended to uninstall it.

FRST64 was saved as C:\Users\SKII\Downloads\FRST64.exe

  • Download the enclosed file Fixlist.txt
  • Save it in the same location FRST64 is saved.
  • Start FRST (FRST64) with Administrator privileges
  • This time around, press the Fix button and wait
  • When finished, a log file (Fixlog.txt) will pop up and be saved in the same location the tool was run from.

Please attach this file in your next reply.


Great, I have updated these applications. 

Here is the new fixlog as well. 

I tried uninstalling Hwinfo and they even came back. 

Upon more research, I did see cpuz55 could be related to Lian Li software, and I do have that downloaded. 

But I also have read a lot about cpuz55 being a trojan such as this - https://vms.drweb.com/virus/?i=25785159

Fixlog.txt


  • Root Admin

cpuz155 is not the issue. It's where it's being saved and then run as a service.

NO program should permanently run from any TEMP folder as a service.

  • S3 cpuz155; C:\Windows\temp\cpuz155\cpuz155_x64.sys [41480 2024-09-30] (Microsoft Windows Hardware Compatibility Publisher -> CPUID) <==== ATTENTION

If you want the program, install it into its own folder, not located in any temp folder.


I use Hwinfo to check temps, etc.

Unfortunately, I was affected by the Intel processor issue. My 13900k degraded and I just installed a new 14900k. 

I have used Hwinfo for years and never noticed the Cpuz55.

I found a comment on reddit claiming the Cpuz55 leads to LianLi Software which manages my fans. 
 

“I contacted Lian Li support but I don't see this being resolved until a patch removes the old "CPUZ155" drivers.

I get weekly BSOD from a file in my minidump called

"cpuz155_x64". I also found out its storing it in the C: (windows|temp\cpuz155\ folder which you can't deleted.

After disabling/uninstalling L-connect I was able to successfully stop CPUZ155 from running. i.e: "SC stop cpuz155" in the CMD panel would just keep running until L-Connect is terminated.

Lian Li really needs to stop being lazy and using 3rd party drivers "CPUID" to monitor thermal controls Just build your own like everyone else, otherwise there's vulnerabilities and crashing with old code.

guess I can't run L-Connect until its patched.”

I will attach new logs as soon as possible, thanks again!


L-Connect 3 1.7.4 (HKLM\...\9924ffa3-83bc-5a34-8cf3-c3a0a9f4d038) (Version: 1.7.4 - Lian-Li)

Still installed.

Update your Intel Graphics. See if the automatic update tools may be able to detect your version against the latest.

Download Intel Drivers and Software

FRST64 was saved as C:\Users\SKII\Downloads\FRST64.exe

  • Download the enclosed file Fixlist.txt
  • Save it in the same location FRST64 is saved.
  • Start FRST (FRST64) with Administrator privileges
  • This time around, press the Fix button and wait
  • When finished, a log file (Fixlog.txt) will pop up and be saved in the same location the tool was run from.

Please attach this file in your next reply.


Okay, I will make sure the integrated graphics are up to date on my 14900k.

I'm not sure if I should be trying to remove the Lian Li software.

At the moment, it controls 9 fans inside my PC case.

I did have to install an old version of the LianLi software due to issues with their new version. The new version kept ramping my fan speeds up. 

I am just unsure how the previous Redditor associated Cpuz155 with the Lian Li software. 


So it does look like the cpuz155 ended up coming back. 

I am guessing it shows up after the L-Connect-3 Lian Li software is opened. 

Windows 24h2 is available now and I think I am going to do another clean install in a few days. 

After the next clean install, I'm going to try not installing the Lian Li software at first.

Here is another scan I ran just in case! Thanks again


Addition.txt FRST.txt


I guess it is a temporary file created by the application:

R3 cpuz155; C:\Windows\temp\cpuz155\cpuz155_x64.sys [41480 2024-10-01] (Microsoft Windows Hardware Compatibility Publisher -> CPUID) <==== ATTENTION
R3 GPUZ-v2; C:\Users\SKII\AppData\Local\Temp\GPUZ-v2.sys [52008 2024-10-01] (TechPowerUp LLC -> ) <==== ATTENTION
 

I wouldn't worry about it. I will contact the developer to remove the detection as malware.

How is the computer otherwise?


  • Root Admin
44 minutes ago, JSntgRvr said:

I wouldn't worry about. Will contact the developer to remove the detection as malware.

It's not listed as malware. It is not malware. It is listed because it is WRONG to install ANY software permanently as a Service in any TEMP folder.

The real fix is to contact the vendor, Lian Li, and let them know what they're doing is against the recommendations of any security expert.

Ask them to create their own folder and install there if they want to do that.

 

Edited by AdvancedSetup
Updated information
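The rule both Root Admin replies state, that no service or driver should load from a Temp folder, can be checked mechanically. This added example (not part of this thread, FRST or Autoruns) parses FRST-style driver lines, strips the \??\ prefix Autoruns shows, and flags any entry whose image path sits under Windows\Temp or a user's AppData\Local\Temp; the TEMP_DIR_PATTERNS list and the sample log lines (the two entries quoted above plus a constructed System32 driver) are assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional
# One FRST "Drivers" line, e.g.
# R3 cpuz155; C:\Windows\temp\cpuz155\cpuz155_x64.sys [41480 2024-10-01] (Signer -> Company) <==== ATTENTION
FRST_LINE = re.compile(
    r"^(?P<state>[A-Z]\d)\s+(?P<name>[^;]+);\s+(?P<path>.+?\.(?:sys|exe|dll))"
    r"(?:\s+\[[^\]]*\])?(?:\s+\((?P<signer>[^)]*)\))?",
    re.IGNORECASE,
)
# Assumed temp locations a service or driver binary should never load from.
TEMP_DIR_PATTERNS = [
    re.compile(r"^[a-z]:\\windows\\temp\\", re.IGNORECASE),
    re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\", re.IGNORECASE),
]
@dataclass
class ServiceEntry:
    state: str   # R = running, S = stopped, as FRST reports it
    name: str
    path: str
    signer: str

def normalize_path(path: str) -> str:
    # Strip quotes and the NT prefix Autoruns shows on kernel paths (\??\C:\...).
    path = path.strip().strip('"')
    for prefix in ("\\??\\", "\\\\?\\"):
        if path.startswith(prefix):
            path = path[len(prefix):]
    return path

def runs_from_temp(path: str) -> bool:
    return any(pat.match(normalize_path(path)) for pat in TEMP_DIR_PATTERNS)

def parse_frst_line(line: str) -> Optional[ServiceEntry]:
    m = FRST_LINE.match(line.strip())
    if not m:
        return None
    return ServiceEntry(m["state"], m["name"].strip(),
                        normalize_path(m["path"]), (m["signer"] or "").strip())

def flag_temp_services(lines: List[str]) -> List[ServiceEntry]:
    # Every parsable entry whose binary loads from a temp folder.
    return [e for e in map(parse_frst_line, lines) if e and runs_from_temp(e.path)]

# Constructed sample: the two entries quoted in this thread plus one normal driver.
SAMPLE_LOG = [
    r"R3 cpuz155; C:\Windows\temp\cpuz155\cpuz155_x64.sys [41480 2024-10-01] (Microsoft Windows Hardware Compatibility Publisher -> CPUID) <==== ATTENTION",
    r"R3 GPUZ-v2; C:\Users\SKII\AppData\Local\Temp\GPUZ-v2.sys [52008 2024-10-01] (TechPowerUp LLC -> ) <==== ATTENTION",
    r"R0 examplefs; C:\WINDOWS\System32\drivers\examplefs.sys [100000 2024-01-01] (Microsoft Windows -> Microsoft Corporation)",
]
```

Running flag_temp_services(SAMPLE_LOG) returns the cpuz155 and GPUZ-v2 entries and leaves the System32 driver alone, regardless of whether the binary is signed.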

1 hour ago, AdvancedSetup said:

How is the computer running otherwise at this time @SKII

Do you still need further assistance?

 

The computer is running fine, minus a system wide font issue I have been trying to troubleshoot. 

However I still experience a prompt opening and closing very quickly at the desktop. 

After booting and 1-2 minutes of sitting at the desktop doing nothing, it will pop-up and flash quickly. 

Is there any way to determine what is opening at that exact time frame? I could try to do a bit more testing. 


  • Root Admin

Please RESTART the computer and run the following

 

Scan with Farbar Recovery Scan Tool
https://forums.malwarebytes.com/topic/306601-scan-with-farbar-recovery-scan-tool/


Scan with FSS Farbar Service Scanner
https://forums.malwarebytes.com/topic/306736-scan-with-fss-farbar-service-scanner/


Scan with SecurityCheck by glax24
https://forums.malwarebytes.com/topic/307301-scan-with-securitycheck-by-glax24/

 

Create an Autoruns Log:

  • Please download Sysinternals Autoruns from here: https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns
  • Save Autoruns.zip to your computer. Then locate it and extract it to a new folder where you can find and run it.
  • Once it starts you may not be able to easily stop the scan but you can try to press the Escape key on your keyboard.
  • Once scanning is stopped, click on the Options menu at the top of the program and select Scan Options...
  • Then place a check mark on the following items Verify Code Signatures, Check VirusTotal.com, and Submit Unknown Images
  • Then click the Rescan button. Agree to the VirusTotal EULA
  • NOTE: You must allow AutoRuns to run for at least 20 minutes to complete the VirusTotal scan. If you attempt to save the file sooner it will not be complete
  • Once the new scan has been completed, please click on the File button at the top of the program and select Save, or use the Save icon, and save the Autoruns.arn file to your desktop and close Autoruns.
  • Right-click on the Autoruns.arn file (it will typically be the name of your computer) on your desktop or where you save it, and hover your mouse over Send To and select Compressed (zipped) Folder
  • Attach the Autoruns.zip folder (your computer name.zip) you just created to your next reply.


Thank you


Hi, here are the logs for the new tests. 

Concerning the autoruns file, my scan looks like it completes very quickly. 

It will finish the scan in just a few seconds and then say 'Ready' in the bottom left corner. 

Should I still let it sit for 20 minutes? Sorry if I misunderstood. 

Thanks! 

FSS.txt Addition.txt FRST.txt
