Panda Cloud false positive? WUDFHost.exe

Discussion in 'other anti-virus software' started by AlexC, Feb 24, 2012.

Thread Status:
Not open for further replies.
  1. AlexC

    AlexC Registered Member

    Joined:
    Apr 4, 2009
    Posts:
    1,280
    Hey guys,

    I've just downloaded WinRAR from Softpedia (x32, Softpedia secure download), and while installing it Panda Cloud detected a virus. It turns out to be WUDFHost.exe, located in C:\Program Files\Common Files\Windows Driver Foundation\WUDFHost.exe. I entered shadow mode and tried to recover the file from quarantine to send it to VirusTotal, but the file wasn't there, nor in that location. In the report the detection is shown as a "suspect item".

    After googling a bit it seems that WUDFHost.exe is a Microsoft file, so I'm wondering if the removal of that file will cause problems for my Windows installation...
     
  2. Ibrad

    Ibrad Registered Member

    Joined:
    Dec 8, 2009
    Posts:
    1,949
    Nothing is being detected on my end, and no one has reported it on the Panda Cloud forums yet either. Will you post your event log please?
     
  3. AlexC

    AlexC Registered Member

    Joined:
    Apr 4, 2009
    Posts:
    1,280
    Here it goes:
     

    Attached Files:

  4. Ibrad

    Ibrad Registered Member

    Joined:
    Dec 8, 2009
    Posts:
    1,949
    Interesting, since that's a Windows file; I always thought that OS files were whitelisted in the cloud. Were you able to restore the file? I will see if I can find someone to look into it.

    By the way, I just checked and my WUDFHost.exe is located in the Windows System32 folder on the machine.
     
    Last edited: Feb 24, 2012
  5. The Hammer

    The Hammer Registered Member

    Joined:
    May 12, 2005
    Posts:
    5,619
    Location:
    Toronto Canada
    I have Panda Cloud and WinRAR on my netbook and no such problem. o_O
     
  6. AlexC

    AlexC Registered Member

    Joined:
    Apr 4, 2009
    Posts:
    1,280
    No, Panda "says" that there's something in quarantine but there's nothing there:
     

    Attached Files:

  7. Ibrad

    Ibrad Registered Member

    Joined:
    Dec 8, 2009
    Posts:
    1,949
    You said you have ShadowDefender? I wonder if this has something to do with Shadowmode.
     
  8. AlexC

    AlexC Registered Member

    Joined:
    Apr 4, 2009
    Posts:
    1,280
    I have Shadow Defender but I only use it on-demand, when I want to test software. When Panda detected the file, shadow mode was off.
     
  9. The Shadow

    The Shadow Registered Member

    Joined:
    Jan 24, 2012
    Posts:
    814
    Location:
    USA
    No problems whatsoever here running SD with PCAV. :thumb:
     
  10. Ibrad

    Ibrad Registered Member

    Joined:
    Dec 8, 2009
    Posts:
    1,949
    Just checked my other computers and none of them have had a detection like this.
     
  11. carat

    carat Guest

    +1 :)
     
  12. JoeBlack40

    JoeBlack40 Registered Member

    Joined:
    Apr 1, 2009
    Posts:
    1,572
    Location:
    Romania
    Way to go Panda..... it seems they MUST DESPERATELY IMPLEMENT that "ask before any option" sooner than anything else, before destroying someone's PC :thumbd:
     
    Last edited: Feb 25, 2012
  13. DavidCo

    DavidCo Registered Member

    Joined:
    Jul 9, 2005
    Posts:
    503
    Location:
    UK
    Looks like an 'oddball' for sure.
    What has WUDFHost.exe got to do with WinRAR?

    Can anyone with Win7 confirm the location of WUDFHost.exe like yours?
    Perhaps it is a rogue or a ghost!
     
  14. AlexC

    AlexC Registered Member

    Joined:
    Apr 4, 2009
    Posts:
    1,280
    My computer now only boots in safe mode lol. According to what I've read, the original location of WUDFHost.exe is the system32 folder, so maybe it is a virus?

    That's not the computer I have in my signature; on this one I only have Panda Cloud AV and Shadow Defender (on-demand), and I use it mostly to test software.

    It would be interesting to know if the problem is a malware infection and from where (maybe the Softpedia WinRAR installer is compromised? a drive-by? for anyone brave who wants to test it, here's the link -http://www.softpedia.com/dyn-postdownload.php?p=2461&t=0&i=1- :p) or a problem with Panda.

    Anyway it's cool to have the opportunity to fix my own computer :D
     
  15. Ibrad

    Ibrad Registered Member

    Joined:
    Dec 8, 2009
    Posts:
    1,949
    That's the weird thing: I have yet to see any other cases of this happening.
     
  16. The Hammer

    The Hammer Registered Member

    Joined:
    May 12, 2005
    Posts:
    5,619
    Location:
    Toronto Canada
    Do you use it for malware testing?
     
  17. dansorin

    dansorin Registered Member

    Joined:
    Feb 27, 2009
    Posts:
    233
    Location:
    EU
    The WUDFHost.exe is in the system32 directory; no detection by PCAV here.
     
  18. AlexC

    AlexC Registered Member

    Joined:
    Apr 4, 2009
    Posts:
    1,280
    I was able to restore the normal startup using "startup repair".

    @The Hammer
    No, I don't use it for malware testing.

    @dansorin
    The detection occurred in C:\Program Files\Common Files\Windows Driver Foundation\WUDFHost.exe

    I did a full scan with Emsisoft Emergency Kit that came up with this:

    I uploaded the file to VirusTotal and AntiVir, Ikarus and Emsisoft identify the file as malware. I strongly suspect that the WinRAR installer was infected, since the Panda detection happened while installing that program. I'll try to access the quarantine folder (from Panda Cloud) through Windows Explorer to see if I can recover the file.
     

    Attached Files:
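    The triage described in this thread (is the copy of WUDFHost.exe at the reported path the legitimate System32 binary, or something else?) can be scripted. The following is an added example, not code from the thread or from any of the products mentioned; it assumes PowerShell 4.0 or later (for Get-FileHash) and an elevated prompt so Program Files is readable.

```powershell
# Added example: enumerate copies of WUDFHost.exe, check location, Authenticode
# signature and SHA256, and flag anything outside the expected locations.
# Assumption: the genuine User-Mode Driver Framework host lives in System32;
# extra copies under WinSxS are the servicing store and are also normal.

$expectedDirs = @(
    (Join-Path $env:SystemRoot 'System32'),
    (Join-Path $env:SystemRoot 'WinSxS')
)

$searchRoots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ -and (Test-Path $_) }

$hits = foreach ($root in $searchRoots) {
    Get-ChildItem -Path $root -Filter 'WUDFHost.exe' -Recurse -File `
        -ErrorAction SilentlyContinue
}

$report = foreach ($file in $hits) {
    $sig  = Get-AuthenticodeSignature -FilePath $file.FullName
    $hash = (Get-FileHash -Path $file.FullName -Algorithm SHA256).Hash

    # Expected if it sits directly in System32 or anywhere under WinSxS.
    $inExpectedDir = $file.DirectoryName -ieq $expectedDirs[0] -or
                     $file.FullName.StartsWith($expectedDirs[1], 'OrdinalIgnoreCase')

    # OS binaries are usually catalog-signed, so an older PowerShell may report
    # NotSigned for the real System32 copy; only an embedded signature that is
    # present but invalid, or one not issued to Microsoft, counts against a file.
    $badEmbeddedSig = $sig.SignerCertificate -and (
        $sig.Status -ne 'Valid' -or
        $sig.SignerCertificate.Subject -notmatch 'Microsoft')

    [pscustomobject]@{
        Path       = $file.FullName
        Expected   = $inExpectedDir
        SigStatus  = $sig.Status
        Signer     = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
        SHA256     = $hash            # look this up on VirusTotal, as the thread did
        Suspicious = (-not $inExpectedDir) -or $badEmbeddedSig
    }
}

$report | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

    A copy reported at C:\Program Files\Common Files\Windows Driver Foundation\ would come out as Suspicious = True on location alone, which is the cue to submit its hash rather than restore it.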

  19. AlexC

    AlexC Registered Member

    Joined:
    Apr 4, 2009
    Posts:
    1,280
    Ibrad,

    Can i PM you the file i recovered from the quarantine folder?
     
  20. Ibrad

    Ibrad Registered Member

    Joined:
    Dec 8, 2009
    Posts:
    1,949
    If you PM a download link to the file that caused the issue I will send the link out to someone on the malware research team and see what they think of the file, if you would like.
     
  21. AlexC

    AlexC Registered Member

    Joined:
    Apr 4, 2009
    Posts:
    1,280
    PM sent :thumb:
     
  22. Ibrad

    Ibrad Registered Member

    Joined:
    Dec 8, 2009
    Posts:
    1,949
    Now that I think of it, does Softpedia still work off mirrors provided on different companies' servers? All it would take is one of these mirrors being hacked to provide a fake version of WinRAR that would only infect some.
     