CPU-Z and HWMonitor Malware Download: What to Check After the CPUID Compromise

Stephanie Adlam
CPUID download check poster for CPU-Z and HWMonitor users reviewing the April 2026 compromise.

If you downloaded CPU-Z, HWMonitor, HWMonitor Pro, or PerfMonitor from cpuid.com during the April 9-10, 2026 compromise window, treat that download as suspicious until you check the exact file, folder, and account exposure. The original signed CPUID files were reportedly not modified, but the site briefly showed malicious download links that could deliver a legitimate-looking utility together with a malicious CRYPTBASE.dll loader.

This guide is for home users and PC builders who installed, updated, or almost installed CPU-Z or HWMonitor around that incident and now need practical cleanup steps instead of another news recap.

What happened to the CPUID downloads?

Researchers reported that the CPUID website was compromised and that download URLs for CPU-Z, HWMonitor, HWMonitor Pro, and PerfMonitor were replaced with links to malicious files. Securelist observed a longer window, from about April 9, 15:00 UTC to April 10, 10:00 UTC, while CPUID’s public statement to security press described a shorter, roughly six-hour side-API compromise and said the original signed files were not affected [1] [2].

The important user-facing point is simple: the danger was the download path, not ordinary CPU temperature monitoring. If your browser, updater, or download history shows a strange installer from that window, check it before trusting the system.

| Reportedly affected tool | Version or file family to check | Why it matters |
|---|---|---|
| CPU-Z | CPU-Z 2.19 / cpuz_x64.exe | Trojanized packages could pair the legitimate executable with a malicious DLL. |
| HWMonitor | HWMonitor 1.63 / HWMonitor_x64.exe | Some users saw unexpected names such as HWiNFO_Monitor_Setup.exe. |
| HWMonitor Pro | HWMonitor Pro 1.57 | Included in the reported affected CPUID tool list. |
| PerfMonitor 2 | PerfMonitor 2.04 | Also listed among the affected CPUID downloads. |

How to tell whether you were exposed

Start with the timeline. If you downloaded after CPUID fixed the site and you used a normal CPUID download page, the risk is lower. If the download happened on April 9 or April 10, 2026, check the file and behavior more carefully.

  • Open your browser downloads list and look for CPU-Z, HWMonitor, HWMonitor Pro, PerfMonitor, or HWiNFO_Monitor_Setup.exe around April 9-10.
  • Check whether the installer came from a CPUID page but redirected to a non-CPUID host, a Cloudflare R2 bucket, or an unfamiliar domain.
  • Look in the extracted or installed folder for CRYPTBASE.dll sitting next to cpuz_x64.exe, HWMonitor_x64.exe, or another CPUID executable.
  • Treat a Russian-language installer, a mismatched filename, or a security-tool alert during the download as a strong warning sign.
  • If you only downloaded the file and never opened it, delete it and scan the system anyway. If you ran it, continue with the deeper cleanup steps below.
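
The download-history and redirect checks above can be scripted. The following PowerShell is an added example, not code from CPUID or the cited reports: it lists matching files created on April 9-10, 2026 (UTC) and reads each file's Mark-of-the-Web stream to show which host served it. The Downloads path, the filename pattern, and the rule that any host outside cpuid.com needs review are assumptions of this example.

```powershell
# Added example: list CPUID-related downloads from the reported window
# and show the host each one came from.
# Assumptions: files are still under the default Downloads folder and the browser
# wrote a Zone.Identifier (Mark-of-the-Web) stream. Change $Root to scan elsewhere.
$Root        = Join-Path $env:USERPROFILE 'Downloads'
$WindowStart = [datetime]::new(2026, 4, 9, 0, 0, 0, [DateTimeKind]::Utc)
$WindowEnd   = [datetime]::new(2026, 4, 11, 0, 0, 0, [DateTimeKind]::Utc)
$NamePattern = 'cpu-?z|hwmonitor|perfmonitor|hwinfo_monitor_setup'   # assumed pattern

Get-ChildItem -LiteralPath $Root -File -Recurse -ErrorAction SilentlyContinue |
    Where-Object {
        $_.Name -match $NamePattern -and
        $_.CreationTimeUtc -ge $WindowStart -and
        $_.CreationTimeUtc -lt $WindowEnd
    } |
    ForEach-Object {
        $file = $_
        # Mark-of-the-Web lines look like "HostUrl=https://..." and "ReferrerUrl=https://..."
        $motw = Get-Content -LiteralPath $file.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue
        $hostUrl  = ($motw | Where-Object { $_ -like 'HostUrl=*' } | Select-Object -First 1) -replace '^HostUrl=', ''
        $referrer = ($motw | Where-Object { $_ -like 'ReferrerUrl=*' } | Select-Object -First 1) -replace '^ReferrerUrl=', ''
        $uri      = $hostUrl -as [uri]
        $dlHost   = if ($uri -and $uri.IsAbsoluteUri) { $uri.Host } else { '' }

        [pscustomobject]@{
            File        = $file.FullName
            CreatedUtc  = $file.CreationTimeUtc
            Referrer    = $referrer
            HostUrl     = $hostUrl
            # Review flag: served by a host outside cpuid.com, or no provenance recorded
            NeedsReview = (-not $dlHost) -or ($dlHost -notmatch '(^|\.)cpuid\.com$')
            Signature   = (Get-AuthenticodeSignature -LiteralPath $file.FullName).Status
        }
    } | Format-List
```

A file whose Referrer is a cpuid.com page but whose HostUrl points elsewhere matches the redirect pattern described in the list above.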

Cleanup steps if you ran the installer

  1. Disconnect from sensitive accounts first. Close browsers, password managers, crypto wallets, FTP clients, and remote-access tools until the machine is checked.
  2. Remove the suspicious package. Uninstall the CPUID tool from Apps & Features if it was installed, then delete the downloaded archive or installer from Downloads, Desktop, and any build/utility folders.
  3. Search for the sideloading clue. Use File Explorer search for CRYPTBASE.dll. The normal Windows copy belongs under C:\Windows\System32 or C:\Windows\SysWOW64; a copy next to a downloaded CPU-Z or HWMonitor executable is suspicious.
  4. Check startup persistence. Review Task Manager startup apps, Task Scheduler, shell:startup, and recently created services for unfamiliar entries created after the download time.
  5. Run a full malware scan. Use your installed security tool, then run a second-opinion scan with Gridinsoft Anti-Malware to check loaders, staged payloads, and leftover persistence that a quick browser-download warning may not cover.
  6. Rotate exposed credentials from a clean device. If you ran the suspicious installer, change browser-saved passwords, email passwords, game/store accounts, crypto-wallet credentials where applicable, FTP credentials, and any admin or remote-access passwords. Revoke old sessions where the account provider allows it.
  7. Reinstall only after cleanup. Download CPU-Z or HWMonitor again from the official CPUID pages after the system is clean. As of May 27, 2026, CPUID lists CPU-Z 2.20.1 and HWMonitor 1.63 on its official software pages [3] [4].
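
Steps 3 and 4 as a script. This PowerShell is an added example, not part of the original guide or of CPUID's or the researchers' material. It assumes an elevated prompt, scans only the system drive, uses April 9, 2026 as the cut-off date, and uses its own filename pattern for CPUID executables.

```powershell
# Added example. Run from an elevated PowerShell prompt.
# Assumption: $Since is the day of the suspicious download; set it to your own date.
$Since  = [datetime]::new(2026, 4, 9)
$WinDir = $env:windir.TrimEnd('\') + '\'

# Step 3: CRYPTBASE.dll outside %windir% (System32, SysWOW64 and WinSxS are skipped).
Get-ChildItem -Path "$env:SystemDrive\" -Filter 'CRYPTBASE.dll' -File -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object { -not $_.FullName.StartsWith($WinDir, [StringComparison]::OrdinalIgnoreCase) } |
    ForEach-Object {
        $exes = @(Get-ChildItem -LiteralPath $_.DirectoryName -Filter '*.exe' -File -ErrorAction SilentlyContinue)
        [pscustomobject]@{
            Path           = $_.FullName
            Created        = $_.CreationTime
            Signature      = (Get-AuthenticodeSignature -LiteralPath $_.FullName).Status
            # Assumed name pattern for CPUID executables sitting in the same folder
            BesideCpuidExe = [bool]($exes.Name -match 'cpuz|hwmonitor|perfmonitor')
            SiblingExes    = $exes.Name -join ', '
        }
    } | Format-List

# Step 4a: items dropped into the per-user and all-users Startup folders since $Since.
$startup = [Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup')
Get-ChildItem -LiteralPath $startup -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.CreationTime -ge $Since } |
    Format-Table FullName, CreationTime -AutoSize

# Step 4b: scheduled-task definition files created since $Since.
Get-ChildItem -LiteralPath "$env:windir\System32\Tasks" -File -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.CreationTime -ge $Since } |
    Format-Table FullName, CreationTime -AutoSize

# Step 4c: services installed since $Since (System log, event ID 7045).
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Service Control Manager'
                                 Id = 7045; StartTime = $Since } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated,
        @{ n = 'Service';   e = { $_.Properties[0].Value } },
        @{ n = 'ImagePath'; e = { $_.Properties[1].Value } } |
    Format-Table -AutoSize -Wrap

# Step 4d: Run-key autostarts (no per-value timestamps, so review every entry).
'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run', 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run' |
    ForEach-Object { Get-ItemProperty -Path $_ -ErrorAction SilentlyContinue } |
    Select-Object * -ExcludeProperty PS* | Format-List
```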

Do you need to reinstall Windows?

Do not jump straight to a Windows reinstall just because you visited the CPUID website. A reinstall becomes reasonable when you executed the suspicious installer and then find persistence, unexpected remote access, account theft, cryptocurrency-wallet access, or repeated detections after cleanup.

If Defender or another security tool blocked the download before execution, the safer path is to delete the file, run a full scan, review browser/download history, and monitor important accounts. If you bypassed warnings or ran the installer, assume stored browser credentials may be exposed until you rotate them from a clean device.

How Gridinsoft helps in this case

Gridinsoft Anti-Malware is useful here because the problem is not just “is CPU-Z safe?” The practical question is whether a malicious companion file, loader, scheduled task, or staged payload remained after a poisoned download. Run a full scan after removing the suspicious installer, then review detections by path and creation time so you can separate normal CPUID files from files that arrived through the compromised download flow.

FAQ

Is CPU-Z malware now?

No. CPU-Z itself is a legitimate CPUID system information tool. The reported incident involved malicious download links shown by the CPUID website during a short compromise window, not a permanent change that makes every CPU-Z copy malicious.

Is HWMonitor safe to download now?

CPUID and security reporting say the compromise was fixed. Download only from the official CPUID page, avoid mirrored installers, and scan any file if the filename, language, or source host looks wrong.

What is CRYPTBASE.dll in this incident?

Researchers reported a malicious file named CRYPTBASE.dll bundled beside legitimate CPUID executables. That location matters: Windows has legitimate CRYPTBASE libraries in Windows system folders, but a copy next to a downloaded CPU-Z or HWMonitor executable is a red flag.

I downloaded the file but did not run it. Am I infected?

Usually not, but delete the installer or archive and run a scan. The higher-risk scenario is executing the trojanized package, because that can load the malicious DLL and fetch or run additional payloads.

Related cleanup: if the suspicious download involves a legitimate-looking executable loading an unexpected DLL, use our nethost.dll and ProtonVPN.exe malware cleanup guide to check side-loading, persistence, and account recovery steps.

References

  1. Securelist Threat Response. “CPU-Z / HWMonitor watering hole infection – a copy-pasted attack.” Securelist, posted April 10, 2026, updated April 16, 2026, accessed May 27, 2026. https://securelist.com/tr/cpu-z/119365/
  2. Eduard Kovacs. “CPUID Hacked to Serve Trojanized CPU-Z and HWMonitor Downloads.” SecurityWeek, April 13, 2026, accessed May 27, 2026. https://www.securityweek.com/cpuid-hacked-to-serve-trojanized-cpu-z-and-hwmonitor-downloads/
  3. CPUID. “CPU-Z.” CPUID official software page, accessed May 27, 2026. https://www.cpuid.com/softwares/cpu-z.html
  4. CPUID. “HWMonitor.” CPUID official software page, accessed May 27, 2026. https://www.cpuid.com/softwares/hwmonitor.html