
GPU-Z v2.57.0 trojan alert

GD83 (New Member, joined Jan 25, 2024, 3 messages)
Hello, I am French, forgive me for the poor writing of my post, it is probably not serious but the latest version of GPU-Z causes problems with Windows 11.

It's in French but experts will understand the Windows protection history screens.

It is not possible to install GPU-Z without removing the threat, I don't know why my Windows detects this and not others, otherwise there would be many messages here.

Simple reporting of the problem.

[Attachment: Capture d'écran 2024-01-25 010339.png]

What it says in summary:

Serious threat blocked, malicious act/malware, removed and quarantined (another related alert indicates quarantine).
 
What's the MD5 of the exe you have on your computer? It should be DB28131D2F25B980553974A6399E639D.

You can calculate it by opening powershell and running
Get-FileHash .\Downloads\GPU-Z.2.57.0.exe -Algorithm MD5

where the part in bold is the location of your GPU-Z executable


Edit: Disregard this. You're using an installer? Not sure what the checksum should be for that.
Download the exe from the TechPowerUp main page and verify it doesn't have the same detection.
 
Basic installation of the GPU-Z .exe available here, as usual.

There's definitely nothing dangerous here, I don't know why windows gets angry o_O

Downloading the same .exe (already taken from the main page) gives the same result.
 
Where did you download it from? If it was somewhere other than this site, they might have infected it.
 
Went ahead and ran the installer (downloaded from TPU) to get the hash. SHA256 is cff3be1e0f885dab1998e00d041abbaf8d9a521b818bcd73ea4c38a858638bc6

I've attached the file in question. It appears in <boot drive>\Users\<username>\AppData\Local\Temp when you install GPU-Z.

Interestingly, on VT


Twelve detections, including Windows Security detecting as Trojan:Win32/AgentTesla!ml (though my AV doesn't detect it). The detection was different before I refreshed VT.

I trust TPU, so I'm assuming it's a false positive/heuristic match.

EDIT: I went ahead and checked an older version of GPU-Z (2.55.0). Looks like it used a different installer program

SHA256: 6cdfac9a6fd83d7a0b652bd8d5a971a753704302e697c3129dcaa5f2de465a44


I've attached that one too, but I renamed it to differentiate them.

EDIT 2: 2.57.0 uses Inno Setup 6.1.0 while 2.55.0 uses 6.0.0

[Attachment: gpu-z-installer-compare.png]
 
It's probably a false positive, probably a good idea to let @W1zzard know though

Cheers
 
It's probably a false positive, probably a good idea to let @W1zzard know though

Cheers

Hmm I am wondering if OP has updated his Windows 11 and defender because my server is on Windows 11 Pro 22H2 Build 22621.3007 and mine doesn't find anything with the installer I just downloaded.

[Attachment: W11Pro.GPUZ.png]

Windows Defender scanning GPUZ-.exe, unins000.dat and unins000.exe, nothing found:
[Attachment: GPUZ.MD.png]
 
You are right, for some reason the installer gets a lot of detections now

I'm using regular Innosetup.. not sure why this is happening

Edit: next version of GPU-Z will use an installer that's digitally signed with our EV signature. Seems this helps a little bit

 
Downloaded GPU-Z-2.56.0 from techpowerup on Jan 19. Ran it again on Jan 22 and got an update notification. Clicked through to get the update, as I figured there was no reason to worry since I got the app from the horse's mouth.

[Attachment: 1706219560595.png]

Google searched within the past month for gpuz and a few malware keywords and came up with:


and


Going back farther in the archives, there seem to have been many such reports of malware coming via Techpowerup's GPUz, as well as CPUID's CPUz. What could be in GPUz and CPUz that looks so much like either of these keylogger and/or RAT malwares? Something to do with the required low level hardware access? Also, what are the odds of the latest version being flagged for 3 different keylogger/RAT malwares?

edit:

Just looked at the Virustotal results above (as I didn't think to click them earlier). Should have asked the odds of the latest version getting flagged for 3 or more different keylogger/RAT malwares.

Sure these COULD all be false positives, but even the most likely possibility it is not a certainty. I don't feel like putting any more thought into this. Mine is a brand new PC -- the first I've assembled in over a decade and it's only been used over the past couple weeks. The simplest and most effective solution for me, which coincidentally is also the only guarantee of no positives at all, is to repartition the hard drive and reinstall Winblows like it's 1998, avoiding the install of anything questionable until a proper backup has been made. I didn't like how the SSD was partitioned anyhow.
 
Sure these COULD all be false positives,
They are certainly false positives. Techpowerup is an identifiable business with a US HQ that would be gone pretty quick if peddling malware.

If it bothers you though, you can wait for the next release that w1zzard will sign with his business code signing cert, that will certainly clear it up.

FYI some of my original mods I do for ksp get multiple flags so this is not unheard of, just overeager AV at work.
 
I wonder if antivirus engines just don't like Inno Setup installers.

I've made installers in Inno Setup before, so out of curiosity, I submitted one of mine to VT.


Five AV engines detected it.

For those who are curious, it's the setup executable from a repack I made of Skyrim for personal use. I wanted to back the game up to DVDs, and I also wanted to learn how installers work.

[Attachment: my-setup-file.png]

All this setup file does is ask for an install location and ask you to select what is installed. Then, it simply unpacks an archive into the target location and then offers to install DirectX and VC runtimes.

It just uses standard LZMA2 compression for the files.

I even still have the source file for this installer. I don't really want to share it as text, but I'll show a screenshot.

[Attachment: my-setup-file-source.png]
 
I wonder if antivirus engines just don't like Inno Setup installers.
that, and the lower quality AV engines are way too sensitive and will flag virtually everything.

If you create an empty program that does nothing it will get flagged by those, too.

Sure these COULD all be false positives, but even the most likely possibility it is not a certainty
It is a certainty, look at Virustotal, reputable antivirus engines. These don't flag GPU-Z

What could be in GPUz and CPUz that looks so much like either of these keylogger and/or RAT malwares? Something to do with the required low level hardware access?
Correct, a .sys driver gets extracted to %TEMP% and loaded, requires admin privileges to run, accesses hardware in various ways

Five AV engines detected it.
Yeah.. it's always the same guys .. CrowdStrike, SecureAge, MaxSecure etc
 
I also have a problem, regardless of which server I download from.
[Attachment: Zrzut ekranu 2024-01-26 091835.png]
 
I also have a problem, regardless of which server I download from.
Yeah, this is not a server issue on our end, but an antivirus false positive. Running GPU-Z without installation works fine though, right?

You can submit it here for analysis, to help improve Defender:
 
Wait a minute... "gpuz_installer.exe"? Shouldn't it be called "GPU-Z.2.57.0.exe"? Are you sure you downloaded it from this site, and not a fake one that looks like it, but isn't? :wtf:
 
Wait a minute... "gpuz_installer.exe"? Shouldn't it be called "GPU-Z.2.57.0.exe"? Are you sure you downloaded it from this site, and not a fake one that looks like it, but isn't? :wtf:
He downloaded GPU-Z.2.57.0.exe correctly. When you click on "start installer" within GPU-Z, it will extract "gpuz_installer.exe" to %TEMP% and run it
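As an added example (not code from this thread or from TechPowerUp), a PowerShell check that ties together the hash verification suggested earlier in the thread and the %TEMP% extraction described in this reply: it hashes the download, compares the extracted gpuz_installer.exe against the SHA256 values members posted above (forum-posted values, not an official TechPowerUp reference), reports the Authenticode status that an EV-signed installer would change from NotSigned to Valid, and lists what Defender actually quarantined so a submission to Microsoft names the right file. The Downloads path and the function name are assumptions.

```powershell
# Added example, not from the thread or from TechPowerUp.
# Expected SHA256 values are the ones forum members posted in this thread
# for the gpuz_installer.exe that GPU-Z extracts to %TEMP%; treat them as
# member-reported, not as an official reference.
$Expected = @{
    '2.57.0' = 'cff3be1e0f885dab1998e00d041abbaf8d9a521b818bcd73ea4c38a858638bc6'
    '2.55.0' = '6cdfac9a6fd83d7a0b652bd8d5a971a753704302e697c3129dcaa5f2de465a44'
}

# Hypothetical helper name: hash a file, compare to a known value, and
# report its Authenticode status (NotSigned for the current unsigned build).
function Test-GpuzInstaller {
    param(
        [Parameter(Mandatory)] [string] $Path,   # file to check
        [string] $ExpectedSha256                 # optional known-good hash
    )
    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Exists = $false }
    }
    $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash.ToLower()
    $sig  = Get-AuthenticodeSignature -LiteralPath $Path
    [pscustomobject]@{
        Path        = $Path
        Exists      = $true
        Sha256      = $hash
        HashMatches = if ($ExpectedSha256) { $hash -eq $ExpectedSha256.ToLower() } else { $null }
        Signature   = $sig.Status.ToString()   # Valid / NotSigned / HashMismatch ...
        Signer      = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    }
}

# 1. The download itself (path is an assumption; adjust to where you saved it).
Test-GpuzInstaller -Path "$env:USERPROFILE\Downloads\GPU-Z.2.57.0.exe"

# 2. The installer GPU-Z drops into %TEMP% when you click "start installer".
Test-GpuzInstaller -Path "$env:TEMP\gpuz_installer.exe" -ExpectedSha256 $Expected['2.57.0']

# 3. What Defender quarantined, filtered to anything with "gpuz" in the path,
#    so the false-positive report to Microsoft references the right file.
Get-MpThreatDetection |
    Where-Object { $_.Resources -match 'gpuz' } |
    Select-Object InitialDetectionTime, ThreatID, Resources
```

A HashMatches of False on the %TEMP% copy is not by itself proof of tampering, since the thread shows the installer changes between GPU-Z versions; compare against the hash for the version you actually ran.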
 
He downloaded GPU-Z.2.57.0.exe correctly. When you click on "start installer" within GPU-Z, it will extract "gpuz_installer.exe" to %TEMP% and run it
Ah, I see! :ohwell:

By the way, I've just downloaded and updated to the latest version without any issues. It did ask for a system restart, though, which it hasn't before. I'm on Windows 10, using only Defender as AV.
 
By the way, I've just downloaded and updated to the latest version without any issues. It did ask for a system restart, though, which it hasn't before. I'm on Windows 10, using only Defender as AV.
Interesting .. so maybe the definitions have already been updated
 
Interesting .. so maybe the definitions have already been updated
Maybe. Or maybe the definitions on my PC are out of date. :ohwell: :D
 
Downloaded GPU-Z-2.56.0 from techpowerup on Jan 19. Ran it again on Jan 22 and got an update notification. Clicked through to get the update, as I figured there was no reason to worry since I got the app from the horse's mouth.

View attachment 331443

Google searched within the past month for gpuz and a few malware keywords and came up with:


and


Going back farther in the archives, there seem to have been many such reports of malware coming via Techpowerup's GPUz, as well as CPUID's CPUz. What could be in GPUz and CPUz that looks so much like either of these keylogger and/or RAT malwares? Something to do with the required low level hardware access? Also, what are the odds of the latest version being flagged for 3 different keylogger/RAT malwares?

edit:

Just looked at the Virustotal results above (as I didn't think to click them earlier). Should have asked the odds of the latest version getting flagged for 3 or more different keylogger/RAT malwares.

Sure these COULD all be false positives, but even the most likely possibility it is not a certainty. I don't feel like putting any more thought into this. Mine is a brand new PC -- the first I've assembled in over a decade and it's only been used over the past couple weeks. The simplest and most effective solution for me, which coincidentally is also the only guarantee of no positives at all, is to repartition the hard drive and reinstall Winblows like it's 1998, avoiding the install of anything questionable until a proper backup has been made. I didn't like how the SSD was partitioned anyhow.
You should educate yourself before making such uninformed and alarmist posts.
 
You should educate yourself before making such uninformed and alarmist posts.
He has every right to come here and be worried. Actually I appreciate learning about this, so I can do something about it (vs not knowing about it in the first place)
 
[Attachment: 1706271100103.png]

So it's just a question of getting the signatures updated now.

Their internal tool did confirm the detection when I submitted it
[Attachment: 1706271154807.png]
 