WUDFHost.exe in the wrong folder: Is it a disguised infection?

[ajfudge]

Yesterday, WinPatrol detected that a process has enlisted itself on my Scheduled Tasks startup items. It was called WUDFHost.exe. I viewed the details and it said it was a component from Microsoft. So I dismissed it.

Some hours later, I rebooted. I noticed that my C:\ drive space usage have added about 2Gb Gb, which was odd because I haven't installed anything (in fact, I was trying to remove Java) and all my file operations were currently being held on D:\. I remembered to check out WUDFHost.exe and found that it was indeed an MS file and that it normally resides on C:\Windows\system32. I checked my C:\Windows\system32 and there was indeed my WUDFHost.exe. Then I checked the file that WinPatrol detected and it was placed in C:\Program Files (x86)\Common Files\Windows Driver Foundation. I immediately scanned that file with Norton 2012 and Malwarebytes (not at the same time, of course). They didn't think it was a threat. I then sandboxed my system just to see if any significant change will occur. There was none. So I rebooted my computer again, renamed the WUDFHost.exe in C:\Program Files (x86)\Common Files\Windows Driver Foundation and somehow I got back about 1GB of my C:\ disk space.

It's probably just nothing, but I can't leave it alone as I am getting paranoid now. What is it doing on my C:\Program Files (x86)\Common Files\Windows Driver Foundation folder? Is it safe? I can't delete it because it might actually turn out to be important. So I'll wait for some answers. For now, I'll leave under a different name.

NOTE: The WUDFHost.exe in C:\Windows\system32 and the one from C:\Program Files (x86)\Common Files\Windows Driver Foundation have different file sizes.

 

[DavidE]

I don't see a "Windows Driver Foundation" folder on a couple of PC's I looked at.

Did you by any chance install the "Windows Driver Kit (WDK)" on your PC?

 

[Jacee]

Do you have Logitech Software?

Wudfhost.exe

with description Windows Driver Foundation - User-mode Driver Framework Host Process is a process file from company Microsoft Corporation belonging to product Microsoft® Windows® Operating System.
The file is digitally signed from Microsoft Windows - Microsoft Time-Stamp Service
We do not recommend removing digitally signed files from Microsoft Windows

Wudfhost.exe process | What is Wudfhost.exe file?

Also, wudfhost.exe - PC Pitstop Process Library

 

[ajfudge]

@David, no I did not install Windows Driver Kit.

@Jacee, I don't have Logitech software.

 

[DavidE]

OK
i google'd "Windows Driver Foundation" and it led me down that path...
WDK is for driver developers, so that seemed odd to me.

I'm not sure why you have the "Windows Driver Foundation" folder...
maybe someone else will know what/when/why it's created.

 

[ajfudge]

David, thank you for looking into this. It's also very odd to me, especially because it just popped up all of a sudden (the fact that WinPatrol detected it all of a sudden).
I am not sure if this is relevant, but since you mentioned WDK, I remember that I installed ASUS Control Deck (a program that sets up screen brightness, volume, power plan). I can't say it's connected to WUDFHost.exe because I didn't pay attention to the time between its installation and the WUDFHost.exe detection. Any thoughts?

 

[DavidE]

Can you look in the "Windows Driver Foundation" folder and see if anything looks like something you know about to try and figure out where this folder came from?

i.e. Maybe you'll see something for "ASUS" .

Can you post a screen print of that folder showing what's in there?
Especially Application and Application extension files (.exe and .dll)?

You can look at datetime in explorer for this folder and see if that rings a bell for something you installed, but datetime can be "misleading".

 

[A Guy]

Do you have a restore point from just before this problem appeared? That may be an easy way to undo this issue. You can also upload the C:\Program Files (x86)\Common Files\Windows Driver Foundation\WUDFHost.exe to Virus Total and see if anything alerts on it.

http://www.blackviper.com/windows-s...ndation-user-mode-driver-framework/#Windows_7

In reading, this often seems to be connected to external USB connected devices.

A Guy

 

[ajfudge]

@David,
WUDFHost.exe is the only item inside that folder. There's no hidden dll or any other files. Its Date Modified, Date Created and Date Accessed all point to the same date: Mar. 4, 2012 (the same date WipPatrol has detected it).
I also uninsttalled ASUS Control Deck to test if it ill remove that WUDFHost.exe but it did not.


@A Guy,
Unfortunately, all of my restore points before Mar. 4, 2012 are now overwritten by new ones.
I submitted the file to Virus Total and here's the result: https://www.virustotal.com/file/556...00e8e14cd11ffc7e32c1d7f2dd6e36edffd/analysis/

I have an external hard drive connected all the time. I never plugged it on a different computer, so I can't think of a way it can get infected.



Here's an interesting bit though: When I scanned my system using Microsoft Security Essentials (with Norton and Malwarebytes disabled of course) it detected a file called KBDSMMSFI.dll which is a trojan Win32/Orsam!rts
I also scanned the suspicious WUDFHost.exe with MSE and it didn't think it's dangerous.
Since I'm running out of options and I am lost retracing my steps before the infection, I'll just revert to a backup I made last month. I'm very sure my system was clean then. I was hoping never to do it as I made a significant amount of configuration on my PC, but it's the only way to cure my paranoia.

Thanks to all who gave their time to help me out.

 

[A Guy]

I don't think you are infected. Both Emsisoft, and Ikarus use the same engine, so they will hit on the same thing. It's more a mystery how you got it rather than a concern IMHO. A Guy

 

[ajfudge]

@A Guy,
that's a mystery to me too. My mistake was I did not pay enough attention.
PS: What are these (screenshot below). Those files with lots of letters and numbers. They showed up on my drive C:\ this morning.

 

[A Guy]

Hmmm, right click one and choose Properties, see if you can get any clue. Did you get any windows updates today? A Guy

 

[ajfudge]

Nope. Didn't get Windows Update. Files like that used to appear occasionally on my drive C:\ last year, but since I don't know what it's called so I can't research it. Is it related to Norton antivirus? Because I let Norton do a full scan before I slept and I assume it just finished scanning when these weird files appeared. Norton was the only active process when I slept.

Below is a Properties screenshot of one:

 

[DavidE]

Maybe try to rename and/or delete WUDFHost.exe ?
If it is malware it probably would not let you, or it would "rebuild" it after a re-boot...
If you can rename it and some legitimate program did put it there, maybe you'll get an error message when it looks for it so you would know where it came from.

As far as the new files in question, maybe post the screenshot and ask if Norton might have created them on the Norton forum.

 

[ajfudge]

@David,
I already renamed WUDFHost.exe to WUDFHost.exe.BAK (I think I mentioned this on my first post) and like what you anticipate, I am also waiting for a program to have an error related to this WUDFHost.exe
If after a week and my laptop seems unaffected, then I will delete it.

I postponed restoring my backup because A.Guy don't think I have an infection.
So right now, all I have to do is monitor my laptop's behavior if there are any significant changes, etc.

I will do what you say and post those weird files to Norton. But if anyone has any idea what it is, please share what you know.

ADDITIONAL INFO: Last year, whenever those weird files appear, I move them to a different folder and see if it affects my system or produce any errors. Then I delete it when I'm sure it's safe to be removed. I'm just curious what they are, what they do, what produced them, why they appear in the first place.

 

[DavidE]

Ah, i apologize - i didn't re-read the whole thread...

It sounds like you're doing pretty much the same things i would do to figure this out.

I agree with A Guy, it doesn't sound like an infection, but i would still be concerned/curious as you are...

 

[ajfudge]

@David,
It's just weird how these things happen. And I don't always pay attention to them because I'm busy doing something else on my PC. It just freaks me out when something's being quirky and I want to figure it out so I'd know how to prevent/fix it.

Thank you for your time, David.

 

[A Guy]

Would you believe...

Popped up a minute ago. Only thing just added was a giveaway of Ashampoo Burning Studio 2012. I forgot to hit the Plus info and see what Winpatrol had to say about it. I blocked it and deleted the folder from common files. I was surprised to say the least having followed this thread

A Guy

 

[ajfudge]

@A Guy,
what a weird coincidence. But I don't have Ashampoo or any product related to it, so I still don't know where mine came from. I'm starting tot believe that mine came from a portable software. Hmmm.

 

[alacarre]

Response to "All of my restore points before [date] are gone"

This is the most effective way that I know of to protect your restore points. It is not 100% bullet proof as I had all of mine wiped out by "something" a few weeks ago, but prior to that my restore points never disappeared on me. Not one. This method, I guess you could say, is the most difficult one to defeat by Malware or Microsoft, the two major threats whose purpose is to cut you off from the past.

Step 1. Create a restore point if you don't already have one.
Step 2. Go to Control Panel / Administrative Tools / Services
Step 3. Locate the service called "Microsoft Software Shadow Copy Provider"
Step 4. Stop the service if it is currently running.
Step 5. Set the service's Startup Type to "disabled"

Following this point no more restore points can be made by any software. The only way for you to lose them would be for "something" to completely wipe out all of your restore points (which happened to me so I had to go back to my "hard restore point" which is the installation disk for Windows 7).

Now whenever you want to restore your system, or create a new restore point you have to re-enable that service and set its startup type to "Manual", and then take whatever action you wanted to do, and then repeat the above steps to lock your restore points once again.

Prior to me losing all of my restore points I had never lost a single one. The event log is filled with the thousands and thousands of failures to create restore points (99% of which come from Microsoft). Allowing Microsoft to make restore points is tantamount to discarding all of your restore points as the daily (multiple) restore point creation does not care if there are any restore points already existing, it simply tosses them out in order to make space for a new one, even the ones that you explicitly made which the operating system has no right to destroy.

- Alan