Windows 7: WUDFHost.exe in the wrong folder: Is it a disguised infection?

05 Mar 2012   #1
ajfudge

Windows 7 Professional x64 | Windows ME | Windows 8 Dev Preview
 
 

Yesterday, WinPatrol detected that a process has enlisted itself on my Scheduled Tasks startup items. It was called WUDFHost.exe. I viewed the details and it said it was a component from Microsoft. So I dismissed it.

Some hours later, I rebooted. I noticed that my C:\ drive space usage had increased by about 2Gb, which was odd because I haven't installed anything (in fact, I was trying to remove Java) and all my file operations were currently being held on D:\. I remembered to check out WUDFHost.exe and found that it was indeed an MS file and that it normally resides in C:\Windows\system32. I checked my C:\Windows\system32 and there was indeed my WUDFHost.exe. Then I checked the file that WinPatrol detected and it was placed in C:\Program Files (x86)\Common Files\Windows Driver Foundation. I immediately scanned that file with Norton 2012 and Malwarebytes (not at the same time, of course). They didn't think it was a threat. I then sandboxed my system just to see if any significant change would occur. There was none. So I rebooted my computer again, renamed the WUDFHost.exe in C:\Program Files (x86)\Common Files\Windows Driver Foundation and somehow I got back about 1GB of my C:\ disk space.

It's probably just nothing, but I can't leave it alone as I am getting paranoid now. What is it doing in my C:\Program Files (x86)\Common Files\Windows Driver Foundation folder? Is it safe? I can't delete it because it might actually turn out to be important. So I'll wait for some answers. For now, I'll leave it under a different name.

NOTE: The WUDFHost.exe in C:\Windows\system32 and the one from C:\Program Files (x86)\Common Files\Windows Driver Foundation have different file sizes.


05 Mar 2012   #2
DavidE

Multi-Boot W7_Pro_x64 W8.1_Pro_x64 W10_Pro_x64
 
 

I don't see a "Windows Driver Foundation" folder on a couple of PCs I looked at.

Did you by any chance install the "Windows Driver Kit (WDK)" on your PC?
05 Mar 2012   #3
Jacee
Microsoft MVP

Windows 7 Ultimate 32bit SP1
 
 

Do you have Logitech Software?

Quote:
Wudfhost.exe with description Windows Driver Foundation - User-mode Driver Framework Host Process is a process file from company Microsoft Corporation belonging to product Microsoft® Windows® Operating System.
The file is digitally signed from Microsoft Windows - Microsoft Time-Stamp Service
We do not recommend removing digitally signed files from Microsoft Windows
Wudfhost.exe process | What is Wudfhost.exe file?

Also, wudfhost.exe - PC Pitstop Process Library

05 Mar 2012   #4
ajfudge

Windows 7 Professional x64 | Windows ME | Windows 8 Dev Preview
 
 

@David, no I did not install Windows Driver Kit.

@Jacee, I don't have Logitech software.
05 Mar 2012   #5
DavidE

Multi-Boot W7_Pro_x64 W8.1_Pro_x64 W10_Pro_x64
 
 

OK
I googled "Windows Driver Foundation" and it led me down that path...
WDK is for driver developers, so that seemed odd to me.

I'm not sure why you have the "Windows Driver Foundation" folder...
maybe someone else will know what/when/why it's created.
05 Mar 2012   #6
ajfudge

Windows 7 Professional x64 | Windows ME | Windows 8 Dev Preview
 
 

David, thank you for looking into this. It's also very odd to me, especially because it just popped up all of a sudden (the fact that WinPatrol detected it all of a sudden).
I am not sure if this is relevant, but since you mentioned WDK, I remember that I installed ASUS Control Deck (a program that sets up screen brightness, volume, power plan). I can't say it's connected to WUDFHost.exe because I didn't pay attention to the time between its installation and the WUDFHost.exe detection. Any thoughts?
05 Mar 2012   #7
DavidE

Multi-Boot W7_Pro_x64 W8.1_Pro_x64 W10_Pro_x64
 
 

Can you look in the "Windows Driver Foundation" folder and see if anything looks like something you know about to try and figure out where this folder came from?

i.e. maybe you'll see something for "ASUS".

Can you post a screen print of that folder showing what's in there?
Especially Application and Application extension files (.exe and .dll)?

You can look at datetime in explorer for this folder and see if that rings a bell for something you installed, but datetime can be "misleading".
06 Mar 2012   #8
A Guy

Microsoft Community Contributor Award Recipient

Windows 7 Home Premium x64 SP1
 
 

Do you have a restore point from just before this problem appeared? That may be an easy way to undo this issue. You can also upload the C:\Program Files (x86)\Common Files\Windows Driver Foundation\WUDFHost.exe to Virus Total and see if anything alerts on it.

http://www.blackviper.com/windows-se...ork/#Windows_7

In reading, this often seems to be connected to external USB connected devices.

A Guy
07 Mar 2012   #9
ajfudge

Windows 7 Professional x64 | Windows ME | Windows 8 Dev Preview
 
 

@David,
WUDFHost.exe is the only item inside that folder. There's no hidden dll or any other files. Its Date Modified, Date Created and Date Accessed all point to the same date: Mar. 4, 2012 (the same date WinPatrol has detected it).
I also uninstalled ASUS Control Deck to test if it would remove that WUDFHost.exe but it did not.


@A Guy,
Unfortunately, all of my restore points before Mar. 4, 2012 are now overwritten by new ones.
I submitted the file to Virus Total and here's the result: https://www.virustotal.com/file/5564...dffd/analysis/

I have an external hard drive connected all the time. I never plugged it into a different computer, so I can't think of a way it can get infected.



Here's an interesting bit though: When I scanned my system using Microsoft Security Essentials (with Norton and Malwarebytes disabled of course) it detected a file called KBDSMMSFI.dll which is a trojan Win32/Orsam!rts.
I also scanned the suspicious WUDFHost.exe with MSE and it didn't think it's dangerous.
Since I'm running out of options and I am lost retracing my steps before the infection, I'll just revert to a backup I made last month. I'm very sure my system was clean then. I was hoping never to do it as I made a significant amount of configuration on my PC, but it's the only way to cure my paranoia.

Thanks to all who gave their time to help me out.
07 Mar 2012   #10
A Guy

Microsoft Community Contributor Award Recipient

Windows 7 Home Premium x64 SP1
 
 

I don't think you are infected. Both Emsisoft and Ikarus use the same engine, so they will hit on the same thing. It's more a mystery how you got it rather than a concern IMHO. A Guy
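
Added example (not part of the original thread and not any poster's code): a local triage check that complements the AV and VirusTotal scans discussed above by comparing the two WUDFHost.exe copies (hash, size, creation time, Authenticode signer, version resource) and listing any scheduled task that launches the binary. It assumes PowerShell 4.0 or later for Get-FileHash, a 64-bit PowerShell session, and an English-language Windows for the schtasks column names; the helper name Get-BinaryFacts is hypothetical.

```powershell
# Added example, not from the thread. Assumes PowerShell 4.0+ (Get-FileHash),
# a 64-bit session (no System32 redirection) and English schtasks column names.
$paths = @(
    (Join-Path $env:WINDIR 'System32\WUDFHost.exe'),
    (Join-Path ${env:CommonProgramFiles(x86)} 'Windows Driver Foundation\WUDFHost.exe')
)

# Hypothetical helper: collects the facts worth comparing for one binary.
function Get-BinaryFacts {
    param([Parameter(Mandatory = $true)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        # The file may have been renamed or removed, as in the thread.
        return [pscustomobject]@{ Path = $Path; Present = $false }
    }
    $item   = Get-Item -LiteralPath $Path -Force
    $sig    = Get-AuthenticodeSignature -LiteralPath $Path
    $signer = $null
    if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
    [pscustomobject]@{
        Path            = $Path
        Present         = $true
        Size            = $item.Length
        Created         = $item.CreationTime
        SHA256          = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        SignatureStatus = $sig.Status
        Signer          = $signer
        OriginalName    = $item.VersionInfo.OriginalFilename
        FileVersion     = $item.VersionInfo.FileVersion
    }
}

# Side-by-side facts for the expected copy and the copy in the unexpected folder.
$facts = $paths | ForEach-Object { Get-BinaryFacts -Path $_ }
$facts | Format-List

# Scheduled tasks whose action references the binary (what WinPatrol flagged).
$tasks = schtasks.exe /query /fo CSV /v | ConvertFrom-Csv |
    Where-Object { $_.'Task To Run' -like '*WUDFHost.exe*' } |
    Select-Object TaskName, 'Task To Run', 'Run As User', Author
$tasks | Format-List
```

A NotSigned status on the System32 copy is not by itself evidence of tampering: many Windows components are catalog-signed, and older PowerShell versions do not check catalogs. Differing hashes between the two copies can also simply mean different builds, so compare FileVersion and Signer before drawing conclusions.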