C:\Windows\Windows Driver Foundation (WDF).exe Riskware, I'm infected?


Malwarebytes
www.malwarebytes.com

-Detalles del registro-
Fecha del evento de protección: 29/8/23
Hora del evento de protección: 16:30
Archivo de registro: 79e85646-46a2-11ee-8cc8-f02f7414c4fa.json

-Información del software-
Versión: 4.5.33.272
Versión de los componentes: 1.0.2069
Versión del paquete de actualización: 1.0.74583
Licencia: Premium

-Información del sistema-
SO: Windows 10 (Build 19045.2604)
CPU: x64
Sistema de archivos: NTFS
Usuario: System

-Detalles del sitio web bloqueado-
Sitio web malicioso: 1
, C:\Windows\Windows Driver Foundation (WDF).exe, Bloqueado, -1, -1, 0.0.0, , 

-Datos de sitio web-
Categoría: Riskware
Dominio: api.packetshare.io
Dirección IP: 128.14.116.216
Puerto: 80
Tipo: Saliente
Archivo: C:\Windows\Windows Driver Foundation (WDF).exe



(end)


Hello @ZeroCool22. My name is Maurice. I will guide you.

Let's keep these principles as we go along.

  • Removing pesky malware can be an involved set of tasks over separate runs. Have much patience. Follow my directions.
  • Please don't run any other scans, download, install or uninstall any programs while I'm working with you.
  • Only run the tools I guide you to.
  • Do not run online games while the case is on-going. Do not do any free-wheeling web-surfing.
  • The removal of malware isn't instantaneous, please be patient.
  • Cracked or hacked or pirated programs are not only illegal, but also will make a computer a malware victim. Having such programs installed is the easiest way to get infected. It is the leading cause of ransomware encryptions. It is at times also a big source of current trojan infections. Please uninstall them now, if any are here, before we start the cleaning procedure.
  • Please stick with me until I give you the "all clear".
  • If your system is running Discord, please be sure to Exit out of it while this case is on-going.

I would like a report set for review. This is a report only.

Please download MALWAREBYTES MBST Support Tool

Do a RIGHT click on mb-support-1.9.1.977.exe & select "Run as Administrator" & reply YES & allow it to proceed forward.

Next click Advanced >>> then Gather Logs

Have patience till the run has finished.
Attach the mbst-grab-results.zip from the Desktop to your reply. This is a first step so that I can "see" what all is involved on this case.


4 hours ago, Maurice Naggar said:

Hello @ZeroCool22. My name is Maurice. I will guide you.

Let's keep these principles as we go along.

  • Removing pesky malware can be an involved set of tasks over separate runs. Have much patience. Follow my directions.
  • Please don't run any other scans, download, install or uninstall any programs while I'm working with you.
  • Only run the tools I guide you to.
  • Do not run online games while the case is on-going. Do not do any free-wheeling web-surfing.
  • The removal of malware isn't instantaneous, please be patient.
  • Cracked or hacked or pirated programs are not only illegal, but also will make a computer a malware victim. Having such programs installed is the easiest way to get infected. It is the leading cause of ransomware encryptions. It is at times also a big source of current trojan infections. Please uninstall them now, if any are here, before we start the cleaning procedure.
  • Please stick with me until I give you the "all clear".
  • If your system is running Discord, please be sure to Exit out of it while this case is on-going.

I would like a report set for review. This is a report only.

Please download MALWAREBYTES MBST Support Tool

Do a RIGHT click on mb-support-1.9.1.977.exe & select "Run as Administrator" & reply YES & allow it to proceed forward.

Next click Advanced >>> then Gather Logs

Have patience till the run has finished.
Attach the mbst-grab-results.zip from the Desktop to your reply. This is a first step so that I can "see" what all is involved on this case.

I know what I have installed (if you know what I mean). I only want to know about the specific reported file "Windows Driver Foundation (WDF).exe".

mbst-grab-results.zip


Hello. Thank you for the reports. The Block notice means that Malwarebytes is keeping your Windows system safe from potential harm. What is being blocked are Outbound attempts to reach the IP address 128.14.116(.)216, which appears to belong to the domain api(.)packetshare(.)io
I will be sending you a later reply with a special script to run.

Please set File Explorer to SHOW ALL folders, all files, including Hidden ones. Use OPTION ONE or TWO of this article
Please use this Guide

Start Malwarebytes. Click the Settings (gear) icon. Next, let's make sure that Malwarebytes does NOT register with Windows Security Center.

Click the Security Tab. Scroll down to

"Windows Security Center"

Click the selection to the left  for the line "Always register Malwarebytes in the Windows Security Center".
{ We want that to be set as Off   .... be sure that line's  radio-button selection is all the way to the Left.  thanks. }

This will not affect any real-time protection of the Malwarebytes for Windows    😃.

Close Malwarebytes.


Next action step:
Disable ( turn OFF ) Fast Startup
https://www.windowscentral.com/how-disable-windows-10-fast-startup

Then restart the computer

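The step above points to an article for turning Fast Startup off through the Control Panel. As an added example that is not part of this thread's instructions, the same change can be verified and made from an elevated PowerShell prompt: Fast Startup is governed by the HiberbootEnabled value under the Session Manager\Power key, where 0 means disabled. The script reads the current state, sets it to 0 only when needed, and reads it back so the change is confirmed before the restart the thread asks for. It assumes it is run as Administrator.

```powershell
# Added example, not from the thread: check and disable Windows Fast Startup.
# Assumes an elevated (Administrator) PowerShell session.
$PowerKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Power'
$ValueName = 'HiberbootEnabled'   # 1 = Fast Startup on, 0 = off

function Get-FastStartupState {
    $item = Get-ItemProperty -Path $PowerKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'NotConfigured' }   # value absent: Windows default applies
    if ($item.$ValueName -eq 0) { return 'Disabled' } else { return 'Enabled' }
}

$before = Get-FastStartupState
Write-Output "Fast Startup before: $before"

if ($before -ne 'Disabled') {
    # DWORD 0 turns Fast Startup off; the setting takes effect at the next full shutdown/restart.
    Set-ItemProperty -Path $PowerKey -Name $ValueName -Value 0 -Type DWord
}

$after = Get-FastStartupState
Write-Output "Fast Startup after:  $after"
if ($after -ne 'Disabled') {
    Write-Warning 'Fast Startup is still enabled; confirm the session is elevated and re-run.'
}
```

After the value reads Disabled, restart the machine as the post instructs; a plain shutdown with Fast Startup on would otherwise keep the kernel session hibernated rather than performing a clean boot.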

I need you to look in this folder D:\Descargas to see if it has the file named FRST64.exe

IF it does not show there, then I need you to Download and be sure to SAVE a new copy of the tool FRST64.exe from this link https://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/82/

Do not click on any display ads when on that link-page. Understand that knowing where FRST64 is saved is very very important.

My guidance relies on that file being in the folder D:\Descargas

Please run the following custom script. Read all of this before you start. 

NOTE-1:  This fix will run a scan to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files.  There are several bad settings on the system, such as disabling Windows Updates & preventing Operating system Updates from Microsoft. It will attempt to run some scans with Microsoft Defender antivirus. It will attempt to clear Cache files of web browsers. It will attempt to clear temporary file areas. Depending on the speed of your computer this fix may take 50-55 minutes or more.

Please Close all open work before you actually do begin this run.

Please download the attached fixlist.txt file and save it to D:\Descargas

Fixlist.txt (attached)

NOTE. It's important that both files, FRST64, and fixlist.txt are in the same location or the fix will not work.

Right-click with your mouse on FRST64 and select "Run as Administrator" and reply Yes and allow it to proceed when prompted. That is important.

next, press the Fix button just once and wait.

You will see a green-color scroll display while FRST is running.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the D:\Descargas folder (Fixlog.txt) . Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

The system will be rebooted after the fix has run. Attach FIXLOG.txt with next reply.

NOTICE: For potential outside readers,  This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause harm.

  • I would highly suggest to ensure that this PC is all up-to-date with security updates & cumulative updates on Windows. Select the Windows Start button, and then go to Settings > Update & Security > Windows Update, and click Check for Updates.

Have much patience.


8 hours ago, Maurice Naggar said:

I need you to look in this folder D:\Descargas to see if it has the file named FRST64.exe

IF it does not show there, then I need you to Download and be sure to SAVE a new copy of the tool FRST64.exe from this link https://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/82/

Do not click on any display ads when on that link-page. Understand that knowing where FRST64 is saved is very very important.

My guidance relies on that file being in the folder D:\Descargas

Please run the following custom script. Read all of this before you start. 

NOTE-1:  This fix will run a scan to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files.  There are several bad settings on the system, such as disabling Windows Updates & preventing Operating system Updates from Microsoft. It will attempt to run some scans with Microsoft Defender antivirus. It will attempt to clear Cache files of web browsers. It will attempt to clear temporary file areas. Depending on the speed of your computer this fix may take 50-55 minutes or more.

Please Close all open work before you actually do begin this run.

Please download the attached fixlist.txt file and save it to D:\Descargas

Fixlist.txt (attached, 16.2 kB)

NOTE. It's important that both files, FRST64, and fixlist.txt are in the same location or the fix will not work.

Right-click with your mouse on FRST64 and select "Run as Administrator" and reply Yes and allow it to proceed when prompted. That is important.

next, press the Fix button just once and wait.

You will see a green-color scroll display while FRST is running.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the D:\Descargas folder (Fixlog.txt) . Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

The system will be rebooted after the fix has run. Attach FIXLOG.txt with next reply.

NOTICE: For potential outside readers,  This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause harm.

  • I would highly suggest to ensure that this PC is all up-to-date with security updates & cumulative updates on Windows. Select the Windows Start button, and then go to Settings > Update & Security > Windows Update, and click Check for Updates.

Have much patience.

This program almost left me with my Windows installation unusable. After the reboot of my PC, it goes into a "DIAGNOSTIC" infinite loop; I didn't have any option other than to use a Restore Point to get access to my Windows again. I will leave the Fixlog attached, but I will not run it again.

Also, the pop-up is still showing up.


Fixlog.txt


10 hours ago, Maurice Naggar said:

Hello. Thank you for the reports. The Block notice means that Malwarebytes is keeping your Windows system safe from potential harm. What is being blocked are Outbound attempts to reach the IP address 128.14.116(.)216, which appears to belong to the domain api(.)packetshare(.)io

I understand, but why is this file Windows Driver Foundation (WDF).exe (it's located in the C:\Windows folder), which is supposed to be from Windows, trying to connect to a URL?
Is this file legit, or should I delete it?

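The question above, whether the file is legitimate, is the right one to settle before deleting anything. As an added triage example that is not part of the thread's advice, the following PowerShell collects the evidence a responder would want without modifying the system: the Authenticode signature status and signer, the SHA256 hash, any scheduled task, service or Run key that references the file, the live outbound connections of any process running from that path, and what the blocked hostname currently resolves to. The file path and the hostname come from the Malwarebytes block entry posted at the top of the thread; everything else (running as Administrator, the search pattern for persistence entries) is an assumption of this example. A file sitting directly in C:\Windows with a display-style name, no valid Microsoft signature, and outbound traffic to a third-party host is what a defender would escalate rather than trust.

```powershell
# Added triage example, not from the thread. Read-only: gathers evidence, changes nothing.
# Path and hostname are taken from the Malwarebytes block entry quoted in the thread.
# Assumes an elevated PowerShell session on the affected machine.
$Target      = 'C:\Windows\Windows Driver Foundation (WDF).exe'
$BlockedHost = 'api.packetshare.io'
$Pattern     = 'Windows Driver Foundation'   # assumed search string for persistence references

if (-not (Test-Path -LiteralPath $Target)) {
    Write-Output "Not present on disk: $Target"
    return
}

# 1. File identity: genuine Microsoft binaries under C:\Windows carry a valid Microsoft signature.
$file = Get-Item -LiteralPath $Target
$sig  = Get-AuthenticodeSignature -LiteralPath $Target
[PSCustomObject]@{
    Path         = $Target
    SigStatus    = $sig.Status                       # Valid, NotSigned, HashMismatch, ...
    Signer       = $sig.SignerCertificate.Subject    # empty when unsigned
    SHA256       = (Get-FileHash -LiteralPath $Target -Algorithm SHA256).Hash
    CompanyName  = $file.VersionInfo.CompanyName
    Description  = $file.VersionInfo.FileDescription
    Created      = $file.CreationTime
    SizeBytes    = $file.Length
} | Format-List

# 2. Persistence: scheduled tasks, services and Run keys that reference the file.
Write-Output '--- Scheduled tasks referencing the file ---'
Get-ScheduledTask |
    Where-Object { ($_.Actions | ForEach-Object Execute) -match $Pattern } |
    Select-Object TaskName, TaskPath, State

Write-Output '--- Services referencing the file ---'
Get-CimInstance Win32_Service |
    Where-Object PathName -match $Pattern |
    Select-Object Name, PathName, StartMode, State

Write-Output '--- Run keys referencing the file ---'
foreach ($key in 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
                 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run') {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($null -ne $props) {
        $props.PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' -and $_.Value -match $Pattern } |
            ForEach-Object { [PSCustomObject]@{ Key = $key; Name = $_.Name; Command = $_.Value } }
    }
}

# 3. Live activity: processes running from this path and their established TCP connections.
Write-Output '--- Running instances and their connections ---'
Get-CimInstance Win32_Process |
    Where-Object ExecutablePath -eq $Target |
    ForEach-Object {
        $pid_ = $_.ProcessId
        Get-NetTCPConnection -OwningProcess $pid_ -State Established -ErrorAction SilentlyContinue |
            Select-Object @{n='PID';e={$pid_}}, LocalAddress, RemoteAddress, RemotePort
    }

# 4. Does the blocked hostname still resolve to the address Malwarebytes logged?
Write-Output "--- DNS for $BlockedHost ---"
Resolve-DnsName -Name $BlockedHost -Type A -ErrorAction SilentlyContinue |
    Select-Object Name, IPAddress
```

Keep the hash and the persistence findings with the case notes: the hash lets the file be checked against the vendor's own detection later, and the persistence entries are what a cleanup (such as the FRST fix the helper prepares) has to address, otherwise the block notices return after a reboot.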

The Microsoft Safety Scanner is a free Microsoft stand-alone virus scanner that can be used to scan for & remove malware or potentially unwanted items from a system. This tool does not install. It is run on-demand.

This link is for the 64-bit version of MSERT.exe . Be sure you save the file first
https://definitionupdates.microsoft.com/download/DefinitionUpdates/safetyscanner/amd64/MSERT.exe

Upon completion of the save, Please make sure you Exit out of any other program you might have open so that the sole task is to run the following scan.
That goes especially for web browsers, make sure all are fully exited out of and messenger programs are exited and closed as well

Launch MSERT.exe
Accept the agreement terms of Microsoft
Select CUSTOM scan
Look on Scan Options & select CUSTOM scan & then select the C drive to be scanned.

Then start the scan. Have lots of patience. Once you start the scan & you see it started, then leave it be.

Once you see it has started, take a long long break; walk away. Do not pay credence if you see some intermediate early flash messages on screen display. The only things that count are the End result at the end of the run.
Again, any on-screen display about repeat 'infection' is not to be relied on. Ignore those.
We only rely on the end result that is on the log-report-file.


This is likely to run for many hours ( depending on number of files on your machine & the speed of hardware.)

The log is named MSERT.log

the log will be at

Windows\debug\msert.log
Please attach that log with your reply

It is normal for the Microsoft Safety Scanner to show 'detections' during the scan process on the screen itself.

It is scanning for basically all bread crumbs or traces of files and registry entries that "might" be or have been part of some infection or previous infection.

That DOES NOT mean the computer is infected. Once the scan has been completed it uploads the log to their Cloud service which then uses Artificial Intelligence to determine if in fact any of the traces are an infection or not.


Anyone other than the Original Poster ZeroCool22 start your own New help-request-Topic. See https://forums.malwarebytes.com/topic/9573-im-infected-what-do-i-do-now/

On the malware-removal-sub forum we do NOT do group participation. This Topic is ONLY for ZeroCool22


2 weeks later, Root Admin:

Due to the lack of feedback, this topic is closed to prevent others from posting here.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this topic. Other members who need assistance please start your own topic in a new thread.

Tips to help protect from infection

Thanks
