Wudfhost.exe

  • Thread starter Harry Bloomfield

Harry Bloomfield

Hi,

I'm no expert on viruses and recently my system was badly infected. By default
I have Avira AV running, so I have no idea how it got past that - but it
managed to disable Avira. In fact it was my attempts to get that back into
operation which led me to suspect a possible virus.

I could not get that going again, so I tried a fresh download and the
install failed with errors. I downloaded numerous other free AV software and
all failed to install. I then used one of the online scanners which
confirmed the problem - I could not even manage a safe boot into XP, it just
blue screened. Checking what processes were running I found Wudfhost.exe
which was one I didn't recognise, plus a file with what seemed to be a
random number.exe - I could stop the processes, but they would reappear
within seconds.

I could not find any information about solving it on the Internet so in
desperation I ran a search for Wudfhost in my registry, finding it in a
section called Wudf. I deleted the complete section, after which I could
once again install AV software and check for anything else which might be
lurking on my system - it found lots more and managed to clear it all.
 

Gabriele Neukam

I could not get that going again, so I tried a fresh download and the install
failed with errors. I downloaded numerous other free AV software and all
failed to install. I then used one of the online scanners which confirmed the
problem - I could not even manage a safe boot into XP, it just blue screened.

Sounds very familiar, look here:

http://isc.sans.org/diary.html?storyid=3807
http://isc.sans.org/diary.html?storyid=3817

Did you by chance recently buy anything that counts as a "drive" (USB
stick, MP3 player, photo frame, whatever), that hosts an "autorun.inf"?


Gabriele Neukam

(e-mail address removed)

--
If everybody started to do what they think should be done for the common
good, democracy would not exist anymore.
-
Guillermito in alt.comp.virus
 

Harry Bloomfield

Gabriele Neukam said:
Sounds very familiar, look here:

http://isc.sans.org/diary.html?storyid=3807
http://isc.sans.org/diary.html?storyid=3817

Did you by chance recently buy anything that counts as a "drive" (USB
stick, MP3 player, photo frame, whatever), that hosts an "autorun.inf"?


Gabriele Neukam

(e-mail address removed)

--
If everybody started to do what they think should be done for the common
good, democracy would not exist anymore.
-
Guillermito in alt.comp.virus

The symptoms were very similar, but no I have not bought or added any new
devices recently. I don't remember whether msconfig was disabled or not and
rather than not be able to browse AV sites - I was able to download them,
but nothing I downloaded would successfully install.
 

James Egan

blue screened. Checking what processes were running I found Wudfhost.exe
which was one I didn't recognise, plus a file with what seemed to be a
random number.exe - I could stop the processes, but they would reappear
within seconds.

When this happens, close down the first process (wudfhost.exe) and
when it restarts it will be as a child of the process which restarted
it (strange number.exe) so you then need to kill the process *tree* of
the second process. This is a right-click option of the Windows Task
Manager or preferably use Process Explorer which shows the parent-child
relationship more clearly.

http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx



Jim.
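
The parent/child lookup described in the post above, as an added example that is not part of any post in this thread: given a process snapshot, it finds which process restarted wudfhost.exe and lists that process's whole tree. The snapshot, PIDs, start times and the name `83726451.exe` are constructed; the start-time check is there because Windows records a parent PID once at creation and PIDs are later reused.

```python
from collections import namedtuple

Proc = namedtuple("Proc", "pid ppid name started")

# Constructed snapshot taken after wudfhost.exe was killed once and came back.
# PIDs, start times and the name "83726451.exe" are made up for illustration.
SNAPSHOT = [
    Proc(4, 0, "System", 0),
    Proc(1480, 1432, "explorer.exe", 50),    # recorded parent 1432 has exited
    Proc(2216, 1480, "83726451.exe", 900),   # the "random number" process
    Proc(3044, 2216, "wudfhost.exe", 960),   # restarted copy, child of 2216
    Proc(3100, 1480, "procexp.exe", 940),
    Proc(3312, 3044, "notepad.exe", 700),    # older than 3044: PID 3044 was reused
]

def real_parent(procs, p):
    """Parent of p, or None if the recorded parent PID is gone or was reused."""
    parent = procs.get(p.ppid)
    if parent is None or parent.pid == p.pid or parent.started > p.started:
        return None
    return parent

def restarters_of(snapshot, image_name):
    """Live parents of every process whose image name matches image_name."""
    procs = {p.pid: p for p in snapshot}
    matches = [p for p in snapshot if p.name.lower() == image_name.lower()]
    return [par for p in matches if (par := real_parent(procs, p))]

def process_tree(snapshot, root_pid):
    """PIDs in root_pid's tree, parents listed before their children."""
    procs = {p.pid: p for p in snapshot}
    order, queue = [], [root_pid]
    while queue:
        pid = queue.pop(0)
        if pid in order or pid not in procs:
            continue
        order.append(pid)
        for child in snapshot:
            parent = real_parent(procs, child)
            if parent is not None and parent.pid == pid:
                queue.append(child.pid)
    return order

if __name__ == "__main__":
    for parent in restarters_of(SNAPSHOT, "wudfhost.exe"):
        print(parent.name, process_tree(SNAPSHOT, parent.pid))
```

On a live system the same tree is what Process Explorer's "Kill Process Tree" or `taskkill /PID <pid> /T /F` acts on.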
 
