steve53

windows kernel file infected

Steve,

Can you send the log showing the original detection?

Copy the below code to Notepad; Save As fixlist.txt to your Desktop.

Task: {111B3FD5-DB2C-41A1-BBA7-5E68DDAD6EA2} - \Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B -> No File <==== ATTENTION
Task: {2D6F776E-5840-402A-9F17-BF3BEF5CC2D4} - \Microsoft\Windows\Setup\gwx\refreshgwxcontent -> No File <==== ATTENTION
Task: {95D733CF-1B06-4738-864D-7A497285CCB6} - \Microsoft\Windows\Setup\gwx\launchtrayprocess -> No File <==== ATTENTION
Task: {B7F769C1-D083-49C4-8EC9-FF3BF53B0A06} - \Microsoft\Windows\Setup\gwx\refreshgwxconfig -> No File <==== ATTENTION
Task: {D4B1F9F9-A010-47C9-A195-2F179FE7E16C} - \Microsoft\Windows\Setup\gwx\refreshgwxconfigandcontent -> No File <==== ATTENTION
Close Notepad.

NOTE: It's important that both files, FRST64 and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Run FRST64 and press the Fix button just once and wait.

If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.

The tool will make a log on the Desktop (Fixlog.txt). Attach it to your reply.

Note: If the tool warns you about an outdated version please download and run the updated version.

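The fixlist above deletes five scheduled tasks that FRST flags as "No File": the task registrations survived under \Microsoft\Windows\Setup\gwx\ but the executable each one points at is gone (GWX was the "Get Windows 10" upgrade advisor). The following PowerShell is an added example, not part of the original post and not code from FRST or Emsisoft; it reproduces that check on any Windows 8/10 machine by walking the Task Scheduler and reporting every Exec action whose target does not exist. The function names are mine, and nothing is deleted unless you uncomment the last line.

```powershell
# Added example (not from the original thread or the FRST tool): list scheduled
# tasks whose action points at an executable that no longer exists, which is the
# condition FRST reports as "-> No File". Run in an elevated PowerShell.

# Expand %SystemRoot%-style variables and strip surrounding quotes from a task action.
function Resolve-TaskExecutable {
    param([string]$Execute)
    if ([string]::IsNullOrWhiteSpace($Execute)) { return $null }
    $path = [Environment]::ExpandEnvironmentVariables($Execute.Trim().Trim('"'))
    # A bare name such as "cmd.exe" is looked up on PATH, as the Task Scheduler does.
    if (-not [IO.Path]::IsPathRooted($path)) {
        $hit = Get-Command $path -ErrorAction SilentlyContinue
        if ($hit) { $path = $hit.Source }
    }
    return $path
}

# Emit one record per (task, action) whose executable cannot be found on disk.
function Get-OrphanedScheduledTask {
    param([string]$TaskPath = '\')   # e.g. '\Microsoft\Windows\Setup\'
    Get-ScheduledTask -TaskPath "$TaskPath*" -ErrorAction SilentlyContinue |
      ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            # Only Exec actions carry an executable; COM-handler actions are skipped.
            if (-not $action.Execute) { continue }
            $exe = Resolve-TaskExecutable $action.Execute
            if (-not (Test-Path -LiteralPath $exe)) {
                [pscustomobject]@{
                    TaskPath = $task.TaskPath
                    TaskName = $task.TaskName
                    Execute  = $action.Execute
                    Resolved = $exe
                }
            }
        }
      }
}

# Report the tree the fixlist's GWX tasks live in; nothing is deleted here.
$orphans = Get-OrphanedScheduledTask -TaskPath '\Microsoft\Windows\Setup\'
$orphans | Format-Table -AutoSize

# After reviewing the output, remove each one with an interactive confirmation:
# $orphans | ForEach-Object { Unregister-ScheduledTask -TaskPath $_.TaskPath -TaskName $_.TaskName -Confirm }
```

An orphaned task is harmless on its own, but the same "registration without a file" pattern is also what a cleaned-up malware persistence entry looks like, so review the Execute column rather than deleting blindly: a task whose missing target sits under a user profile or %TEMP% deserves more attention than one under Windows\Setup.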

Hi Kevin,

It wasn't found during a scan. I was moving an icon in the start menu of Windows 10 and a warning flashed up. The only reference to it I can find now is:

Behaviour Blocker Log/05-10-2015/3600(PID)/C:\windows32\system32\DataExchangeHost.exe(Application)/Undefined event(0)(event)/Behaviour.RemoteControl

Please excuse my ignorance, but when you say:

"NOTE: It's important that both files, FRST64 and fixlist.txt are in the same location or the fix will not work."

I am unsure what you mean. I have saved fixlist.txt to the desktop. What is the file FRST64? Do you mean the log of the FRST scan result?


Hello,

My apologies for the delay, Kevin is currently away and I'll work with you on this problem until he gets back.

For the FRST fix, the FRST64.exe executable has been saved in your Downloads folder (it's the tool that generated the log in your first post). Just make sure that fixlist.txt is saved there as well before running it and all will be fine. :)

Could you please visit http://www.virustotal.com and upload the file mentioned in your first post there? Please post me the link to the scan results. Most likely this is a false-positive detection and based on these results I can whitelist this.

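Before uploading a flagged system binary, a practitioner usually hashes it and checks its Authenticode status locally: a valid Microsoft signature on a file under System32 is strong evidence for a false positive, and the SHA-256 lets you look the file up on VirusTotal without uploading it at all. The script below is an added example, not from the original thread and not Emsisoft's or VirusTotal's code. It assumes the reported path maps to the real %SystemRoot%\System32 (the log line in the thread spells it "windows32", which I treat as a typo), and the function name is mine. It also handles one common cause of "the file isn't there": a 32-bit process sees SysWOW64 in place of System32, so a 32-bit PowerShell or file dialog can make a 64-bit system binary appear missing.

```powershell
# Added example (not from the original thread): verify a flagged system binary
# locally, and build a VirusTotal lookup URL from its SHA-256 so no upload is needed.

function Get-BinaryReport {
    param([Parameter(Mandatory)][string]$Path)
    $hash = Get-FileHash -LiteralPath $Path -Algorithm SHA256
    $sig  = Get-AuthenticodeSignature -LiteralPath $Path
    $ver  = (Get-Item -LiteralPath $Path).VersionInfo
    [pscustomobject]@{
        Path        = $Path
        SHA256      = $hash.Hash
        SigStatus   = $sig.Status                      # 'Valid' for an intact Microsoft binary
        Signer      = $sig.SignerCertificate.Subject   # $null when the file is unsigned
        Product     = $ver.ProductName
        FileVersion = $ver.FileVersion
        # Hash lookup needs no upload; VirusTotal only has a report if someone submitted it before.
        VTLookup    = "https://www.virustotal.com/gui/file/$($hash.Hash.ToLower())"
    }
}

# Path assumed from the thread's Behaviour Blocker log entry (corrected to the real System32).
$path = "$env:SystemRoot\System32\DataExchangeHost.exe"

# Under WOW64 a 32-bit process is redirected from System32 to SysWOW64; the Sysnative
# alias reaches the real 64-bit System32 from such a process.
if (-not (Test-Path -LiteralPath $path) -and
    [Environment]::Is64BitOperatingSystem -and -not [Environment]::Is64BitProcess) {
    $path = "$env:SystemRoot\Sysnative\DataExchangeHost.exe"
}

if (Test-Path -LiteralPath $path) {
    Get-BinaryReport -Path $path | Format-List
} else {
    Write-Warning "Not found: $path (check the exact path in the Behaviour Blocker log)"
}
```

Windows system files are usually catalog-signed rather than carrying an embedded signature; on Windows 8 and later Get-AuthenticodeSignature consults the system catalogs, so they still report Valid. A status of HashMismatch or NotSigned on a file under System32 is the result that would justify escalating rather than whitelisting.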

Hi Elise,

As requested I went to VirusTotal.

I clicked on 'load file'. Navigated to c:\windows\system32\ but 'dataexchangeHost.exe' was not there. I tried putting 'data' in the filename box but the only entries that came up were 'dataclen.dll' and 'data exchange.dll'. I can find it in the location on my PC. <confused>

Re: "NOTE: It's important that both files, FRST64 and fixlist.txt are in the same location or the fix will not work."

I followed your instruction to put fixlist.txt in Downloads. Kevin had asked me to save it to the desktop, so I have just moved it to Downloads - is that ok?

Since you can see the file, please right-click it and select "Send to >> Compressed (zipped) folder". Please attach the zipped file to your next reply.


Steve,

The file appears to be clean. This appears to be a false positive detection by our Behavior Blocker.


Thread Closed

Reason: Resolved

The procedures contained in this thread are for this user and this user only. Attempting to use the instructions in this thread on your system could result in damaging the Operating System beyond repair. Do Not use any of the tools mentioned in this thread without the supervision of a Malware Removal Specialist.

All posters requesting Malware Removal assistance are required to follow all procedures in the thread titled START HERE, if you don't we are just going to send you back to this thread.
