ZeroCool22

Honorary Members · 21 posts

Posts posted by ZeroCool22

  1. 10 hours ago, Maurice Naggar said:

    Hello. Thank you for the reports. The Block notice means that Malwarebytes is keeping your Windows system safe from potential harm. What is being blocked are Outbound attempts to reach the IP address 128.14.116(.)216, which appears to be the domain api(.)packetshare(.)io

    I understand, but why is this file Windows Driver Foundаtion (WDF).exe (it's located in the C:\Windows folder), which is supposed to be from Windows, trying to connect to a URL?
    Is this file legit or should I delete it?

  2. 8 hours ago, Maurice Naggar said:

    I need you to look in this folder D:\Descargas to see if it has the file named FRST64.exe

    IF it does not show there, then I need you to Download and be sure to SAVE a new copy of the tool FRST64.exe from this link https://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/82/

    Do not click on any display ads when on that link-page. Understand that knowing where FRST64 is saved is very very important.

    My guidance relies on that file being in the folder D:\Descargas

    Please run the following custom script. Read all of this before you start. 

    NOTE-1: This fix will run a scan to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files. There are several bad settings on the system, such as disabling Windows Updates & preventing Operating system Updates from Microsoft. It will attempt to run some scans with Microsoft Defender antivirus. It will attempt to clear Cache files of web browsers. It will attempt to clear temporary file areas. Depending on the speed of your computer this fix may take 50-55 minutes or more.

    Please Close all open work before you actually do begin this run.

    Please download the attached fixlist.txt file and save it to D:\Descargas

    Fixlist.txt (16.2 kB · 2 downloads)

    NOTE. It's important that both files, FRST64, and fixlist.txt are in the same location or the fix will not work.

    Right-click with your mouse on FRST64 and select "Run as Administrator" and reply Yes and allow it to proceed when prompted. That is important.

    Next, press the Fix button just once and wait.

    You will see a green-color scroll display while FRST is running.
    If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
    The tool will make a log on the D:\Descargas folder (Fixlog.txt) . Please attach or post it to your next reply.

    Note: If the tool warned you about an outdated version please download and run the updated version.

    The system will be rebooted after the fix has run. Attach FIXLOG.txt with next reply.

    NOTICE: For potential outside readers, this script was written specifically for this user, for use on this particular machine. Running this on another machine may cause harm.

    • I would highly suggest ensuring that this PC is all up-to-date with security updates & cumulative updates on Windows. Select the Windows Start button, then go to Settings > Update & Security > Windows Update, and click Check for Updates.

    Have much patience.

    This program almost left my Windows installation unusable: after the reboot of my PC, it went into a "DIAGNOSTIC" infinite loop. I didn't have any option other than using a Restore Point to get access to my Windows again. I will leave the Fixlog attached, but I will not run it again.

    Also, the pop-up is still showing up.

    [screenshot]

    Fixlog.txt

  3. 4 hours ago, Maurice Naggar said:

    Hello @ZeroCool22. My name is Maurice. I will guide you.

    Let's keep these principles as we go along.

    • Removing pesky malware can be an involved set of tasks over separate runs. Have much patience. Follow my directions. 
    • Please don't run any other scans, download, install or uninstall any programs while I'm working with you.
    • Only run the tools I guide you to.
    • Do not run online games while case is on-going. Do not do any free-wheeling web-surfing.
    • The removal of malware isn't instantaneous, please be patient.
    • Cracked, hacked or pirated programs are not only illegal, but also will make a computer a malware victim. Having such programs installed is the easiest way to get infected. It is the leading cause of ransomware encryptions. It is at times also a big source of current trojan infections. Please uninstall them now, if any are here, before we start the cleaning procedure.
    • Please stick with me until I give you the "all clear".
    • If your system is running Discord, please be sure to Exit out of it while this case is on-going.

    I would like a report set for review. This is a report only.

    Please download MALWAREBYTES MBST Support Tool

    Do a RIGHT click on mb-support-1.9.1.977.exe & select "Run as Administrator" & reply YES & allow it to proceed forward.

    Next click Advanced >>> then Gather Logs

    Have patience till the run has finished.
    Attach the mbst-grab-results.zip from the Desktop to your reply. This is a first step so that I can "see" what all is involved on this case.

    I know what I have installed (if you know what I mean); I only want to know about the specific reported file "Windows Driver Foundation (WDF).exe"

    mbst-grab-results.zip

  4. Malwarebytes
    www.malwarebytes.com
    
    -Detalles del registro-
    Fecha del evento de protección: 29/8/23
    Hora del evento de protección: 16:30
    Archivo de registro: 79e85646-46a2-11ee-8cc8-f02f7414c4fa.json
    
    -Información del software-
    Versión: 4.5.33.272
    Versión de los componentes: 1.0.2069
    Versión del paquete de actualización: 1.0.74583
    Licencia: Premium
    
    -Información del sistema-
    SO: Windows 10 (Build 19045.2604)
    CPU: x64
    Sistema de archivos: NTFS
    Usuario: System
    
    -Detalles del sitio web bloqueado-
    Sitio web malicioso: 1
    , C:\Windows\Windows Driver Foundation (WDF).exe, Bloqueado, -1, -1, 0.0.0, , 
    
    -Datos de sitio web-
    Categoría: Riskware
    Dominio: api.packetshare.io
    Dirección IP: 128.14.116.216
    Puerto: 80
    Tipo: Saliente
    Archivo: C:\Windows\Windows Driver Foundation (WDF).exe
    
    
    
    (end)


  5. I have been using this site to host a lot of images for a long time.

    But since 2 days ago I have started getting warnings from MB when I browse websites that have images hosted on this site.

    [screenshot]

    I also have images in my forum that are hosted on imgbb (a lot of them), so now when people browse my forum they will think there is something wrong with the forum lol.

    Could you remove this warning please?

    Site:

    https://imgbb.com/

    Random image for test:

    https://ibb.co/album/LzQFj1

  6. Just now, kevinf80 said:

    Hiya ZeroCool22,

    Thanks for those logs, continue:

    Run FRST one more time:

    Type the following in the edit box after "Search:".

    Parallax

    Click Search Registry button and post the log it makes (SearchReg.txt) to your reply.


    Thank you,

    Kevin

    One question: is AdwCleaner FREE, or is there another paid version with more features?

    I ask because yesterday, when I had the infection problem, it detected and quarantined the false FF profile created by the infection. Do you think I should have both installed?

  7. Just now, kevinf80 said:

    Hiya ZeroCool22,

    Thanks for those logs, continue:

    Run FRST one more time:

    Type the following in the edit box after "Search:".

    Parallax

    Click Search Registry button and post the log it makes (SearchReg.txt) to your reply.


    Thank you,

    Kevin

    Thanks for all the help. This incident came in handy because I was going to format and upgrade my PC soon, so I did it some hours ago. It's a fresh start and I will be more careful from now on.

  8. Yesterday I had an infection problem:

    So I formatted my PC and upgraded my MB and CPU.

    So the first thing I do after formatting is download MB and activate it, but I need to deactivate other devices because it says I have reached the max number allowed or something like that. But now, for some reason, the saved login info in my backed-up FF profile didn't work; I tried various passwords and then my account got suspended or blocked temporarily.

    Can someone help me please?

    I can provide proof emails of my purchase; I purchased MB in 2017. If proof is needed, just tell me. I don't want to be without protection, even more so after what happened to me yesterday.

    Or if you guys could just deactivate all my devices so I can activate it on my new PC.

    Thanks in advance.

  9. But I really don't know what to do, or if just deleting that Parallax folder will get rid of this. I also have like another 4 extra drives connected; I don't know if some information got compromised, etc...

    I must say that every time that fake update tried to open that porn web, MB stopped it.

    Also, since the last restart after doing what you told me, the fake update.exe hasn't tried to open that web again (at least for now).

  10. Thanks for the reply @kevinf80

    I will attach all the LOGS.

    PD: I will admit I have some cracked programs, as you will see, but what I want to get rid of is that Parallax + fake Firefox update.

    PD2: ADWARE quarantined some false FF profile, but the folder Parallax in C:\Program Files (x86)\Common Files\Parallax is still there.

    Attachments: AdwCleaner[C00].txt, Scan result MB.txt, Addition.txt, FRST.txt

  11. I got infected with this trying to install a utorrent program; after the alert I cancelled the installation, but this got through.

    The false firefox update.exe is located here:

    C:\Program Files (x86)\Common Files\Parallax

    And it always tries to connect to a porn web:

    [screenshots]

    This folder was created at the exact time I cancelled the installation of utorrent:

    [screenshot]

    Malwarebytes
    www.malwarebytes.com
    
    -Detalles del registro-
    Fecha del evento de protección: 31/8/21
    Hora del evento de protección: 5:57
    Archivo de registro: 6dfd3db2-0a39-11ec-b402-18d6c702e0ef.json
    
    -Información del software-
    Versión: 4.4.4.126
    Versión de los componentes: 1.0.1413
    Versión del paquete de actualización: 1.0.44485
    Licencia: Premium
    
    -Información del sistema-
    SO: Windows 10 (Build 19043.1165)
    CPU: x64
    Sistema de archivos: NTFS
    Usuario: System
    
    -Detalles del sitio web bloqueado-
    Sitio web malicioso: 1
    , C:\Program Files (x86)\Common Files\Parallax\update.exe, Bloqueado, -1, -1, 0.0.0, , 
    
    -Datos de sitio web-
    Categoría: Troyano
    Dominio: agedporntube.com
    Dirección IP: 103.224.182.207
    Puerto: 80
    Tipo: Saliente
    Archivo: C:\Program Files (x86)\Common Files\Parallax\update.exe
    
    
    
    (end)

    Don't tell me I'm fuc*** and I will need to format my PC. Also, when I scan this fake update.exe, MB says everything is ok, but it's obviously not!

    Won't it be enough to delete this folder with IObit Uninstaller?
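As an added example (not code from the thread, from Malwarebytes or from either helper), the following Python parses web-block records in the export layout quoted above and applies the two triage questions the thread keeps coming back to: is the executable really where a Windows binary would live, and is it the one initiating an outbound connection? The sample input is constructed; record 1 reuses the values quoted on the page, record 2 keeps the page's Parallax path but its domain and IP are placeholders.

```python
import re

# Constructed sample in the layout of the Malwarebytes web-block export quoted
# in the thread (Spanish locale). Record 2's domain and IP are placeholders.
SAMPLE_EXPORT = """\
-Datos de sitio web-
Categoría: Riskware
Dominio: api.packetshare.io
Dirección IP: 128.14.116.216
Puerto: 80
Tipo: Saliente
Archivo: C:\\Windows\\Windows Driver Foundation (WDF).exe

-Datos de sitio web-
Categoría: Troyano
Dominio: placeholder.invalid
Dirección IP: 192.0.2.10
Puerto: 80
Tipo: Saliente
Archivo: C:\\Program Files (x86)\\Common Files\\Parallax\\update.exe
"""

FIELDS = {"Categoría": "category", "Dominio": "domain", "Dirección IP": "ip",
          "Puerto": "port", "Tipo": "direction", "Archivo": "path"}

def parse_block_events(export: str) -> list[dict]:
    """Turn each '-Datos de sitio web-' section into a dict of fields."""
    events = []
    for section in export.split("-Datos de sitio web-")[1:]:
        event = {}
        for line in section.splitlines():
            key, sep, value = line.partition(":")  # paths contain ':' too
            if sep and key.strip() in FIELDS:
                event[FIELDS[key.strip()]] = value.strip()
        event["port"] = int(event.get("port", "0"))
        events.append(event)
    return events

def triage(event: dict) -> list[str]:
    """Reasons a defender would escalate the block instead of dismissing it."""
    reasons = []
    path = event.get("path", "").lower()
    # A Windows-branded .exe directly in C:\Windows (not System32 etc.) is odd.
    if re.fullmatch(r"c:\\windows\\[^\\]+\.exe", path):
        reasons.append("executable directly in C:\\Windows root")
    if "\\common files\\" in path and path.endswith("\\update.exe"):
        reasons.append("update.exe under Common Files")
    if event.get("direction", "").lower() == "saliente":
        reasons.append("outbound connection initiated by the file")
    return reasons
```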

  12. I will format my PC and I would like to save/export my current MB config, so after the format I can just install MB again and import my settings and then I don't need to configure it all again.

    Something like NOD32 has:

    [screenshot]

    I searched for this option in MB but couldn't find it...
