steve53 - Posted October 5, 2015
Emsisoft Anti-Malware has drawn my attention to c:\windows\system32\dataexchangeHost.exe as a Windows kernel file that is infected. I would be grateful for some help with this.
Attachments: scan_151005-222937.txt, FRST.txt, Addition.txt
Thank you, Steve.
Kevin Zoll - Posted October 6, 2015
Steve,
Can you send the log showing the original detection?
Copy the below code to Notepad; Save As fixlist.txt to your Desktop.

Task: {111B3FD5-DB2C-41A1-BBA7-5E68DDAD6EA2} - \Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B -> No File <==== ATTENTION
Task: {2D6F776E-5840-402A-9F17-BF3BEF5CC2D4} - \Microsoft\Windows\Setup\gwx\refreshgwxcontent -> No File <==== ATTENTION
Task: {95D733CF-1B06-4738-864D-7A497285CCB6} - \Microsoft\Windows\Setup\gwx\launchtrayprocess -> No File <==== ATTENTION
Task: {B7F769C1-D083-49C4-8EC9-FF3BF53B0A06} - \Microsoft\Windows\Setup\gwx\refreshgwxconfig -> No File <==== ATTENTION
Task: {D4B1F9F9-A010-47C9-A195-2F179FE7E16C} - \Microsoft\Windows\Setup\gwx\refreshgwxconfigandcontent -> No File <==== ATTENTION

Close Notepad.
NOTE: It's important that both files, FRST64 and fixlist.txt, are in the same location or the fix will not work.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.
Run FRST64 and press the Fix button just once and wait.
If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop (Fixlog.txt). Attach it to your reply.
Note: If the tool warns you about an outdated version, please download and run the updated version.
steve53 - Posted October 6, 2015
Hi Kevin,
It wasn't found during a scan. I was moving an icon in the start menu of Windows 10 and a warning flashed up. The only reference to it I can find now is:
Behaviour Blocker Log/05-10-2015/3600(PID)/C:\windows32\system32\DataExchangeHost.exe(Application)/Undefined event(0)(event)/Behaviour.RemoteControl
Please excuse my ignorance, but when you say: "NOTE: It's important that both files, FRST64 and fixlist.txt are in the same location or the fix will not work." I am unsure what you mean. I have saved fixlist.txt to the desktop. What is the file FRST64? Do you mean the log of the FRST scan result?
Elise - Posted October 8, 2015
Hello,
My apologies for the delay, Kevin is currently away and I'll work with you on this problem until he gets back.
For the FRST fix, the FRST64.exe executable has been saved in your downloads folder (it's the tool that generated the log in your first post). Just make sure that fixlist.txt is saved there as well before running it and all will be fine.
Could you please visit http://www.virustotal.com and upload the file mentioned in your first post there? Please post me the link to the scan results. Most likely this is a false-positive detection and based on these results I can whitelist this.
steve53 - Posted October 8, 2015
Hi Elise,
As requested I went to virus total. I clicked on 'load file'. Navigated to c:\windows\system32\ but 'dataexchangeHost.exe' was not there. I tried putting 'data' in the filename box but the only entries that came up were 'dataclen.dll' and 'data exchange.dll'. I can find it in the location on my PC. <confused>
Re: "NOTE: It's important that both files, FRST64 and fixlist.txt are in the same location or the fix will not work."
I followed your instruction to put fixlist.txt in downloads. Kevin had asked me to save it to the desktop so I have just moved it to downloads - that ok?
Elise - Posted October 8, 2015
Can you try copy/pasting the file name into the box?
steve53 - Posted October 8, 2015
I did try that - didn't work.
Elise - Posted October 8, 2015
Since you can see the file, please right click it and select "send to >> zipped folder". Please attach the zipped file to your next reply.
steve53 - Posted October 9, 2015
Here you go...thanks Elise
Attachment: DataExchangeHost.zip
Kevin Zoll - Posted October 9, 2015
Steve,
The file appears to be clean. This appears to be a false positive detection by our Behavior Blocker.
steve53 - Posted October 9, 2015
OK, thanks guys.
Kevin Zoll - Posted October 12, 2015
How are things running?
Kevin Zoll - Posted October 15, 2015
Thread Closed
Reason: Resolved
The procedures contained in this thread are for this user and this user only. Attempting to use the instructions in this thread on your system could result in damaging the Operating System beyond repair. Do not use any of the tools mentioned in this thread without the supervision of a Malware Removal Specialist.
All posters requesting Malware Removal assistance are required to follow all procedures in the thread titled START HERE; if you don't, we are just going to send you back to this thread.