False Positive - HxTsr.exe quarantined & cannot restore

Please download the attached fixlist.txt file and save it to the Desktop.
NOTE: It's important that both files, FRST or FRST64 and fixlist.txt, are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.

Run FRST or FRST64 and press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop (Fixlog.txt). Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

 

fixlist.txt


Okay, it looks like you're going to have to do a repair on it then. We could go through some longer steps to change permissions, etc., to get the file back in place, but a repair is probably the better option here.

Please review these 2 links on how to repair the system. Both provide the same basic information but written a bit differently.

http://answers.microsoft.com/en-us/windows/wiki/windows_10-update/system-file-check-sfc-scan-and-repair-system-files/bc609315-da1f-4775-812c-695b60477a93

http://www.tenforums.com/tutorials/2895-sfc-command-run-windows-10-a.html


Let me know how that goes.

Thank you

Ron

 

Edited by AdvancedSetup


No luck:

_________________________________________

Microsoft Windows [Version 10.0.10586]
(c) 2015 Microsoft Corporation. All rights reserved.

C:\WINDOWS\system32>sfc /scannow

Beginning system scan.  This process will take some time.

Beginning verification phase of system scan.
Verification 100% complete.

Windows Resource Protection did not find any integrity violations.

C:\WINDOWS\system32>

________________________________________

Although Windows 10 standard install includes the "Mail" client, I am not sure that it is considered part of the OS and SFC would be part of its scan.

Thanks


Please start an elevated Admin command prompt and go ahead and run the following.

 

DISM /Online /Cleanup-Image /RestoreHealth

See if that makes any changes

 


No luck - file still missing after running DISM (see attached DISM-Results_File-List.jpg):

______________________________________

C:\Users\Administrator>DISM /Online /Cleanup-Image /RestoreHealth

Deployment Image Servicing and Management tool
Version: 10.0.10586.0

Image Version: 10.0.10586.0

[==========================100.0%==========================]
The restore operation completed successfully.
The operation completed successfully.

C:\Users\Administrator>

______________________________________

Thanks


Okay, so have you ever modified permissions before on the system? I'd rather not have to write up an article on this so let me see if I can find a decent article that explains how to change the permissions to put the file back in place.

 


Please follow the articles here. You may need to take ownership of the folder if it's blocked at that level. Then copy the file in place, then restore the original permissions back to the TrustedInstaller account.

Let me know if you need further help with this.

How to take ownership and get full access to files and folders in Windows 10
http://winaero.com/blog/how-to-take-ownership-and-get-full-access-to-files-and-folders-in-windows-10/

How to restore the TrustedInstaller ownership in Windows 10
http://winaero.com/blog/how-to-restore-the-trustedinstaller-ownership-in-windows-10/
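
The sequence described in the post above (take ownership, copy the file, put ownership back), scripted as an added example that is not part of the original post or the linked articles. It records the folder's current owner first instead of assuming TrustedInstaller; the source and target paths are the ones quoted later in this thread, and the backup file name is an assumption.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell session.
# Paths are the ones quoted later in this thread; the backup file name is assumed.
$source    = 'C:\Users\Russ\Desktop\HxTsr.exe'
$target    = 'C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.6868.40731.0._x64__8wekyb3d8bbwe'
$aclBackup = Join-Path $env:TEMP 'windowscommunicationsapps-acl.txt'

function Invoke-Native {
    # Run a native tool and stop the script on a non-zero exit code.
    param([string]$Exe, [string[]]$Arguments)
    & $Exe @Arguments
    if ($LASTEXITCODE -ne 0) { throw "$Exe failed with exit code $LASTEXITCODE" }
}

# 1. Record who owns the folder now (SYSTEM or TrustedInstaller) and save its DACL.
#    If this read is denied, note the owner from the Security tab before going on.
$originalOwner = (Get-Acl -LiteralPath $target -ErrorAction Stop).Owner
Invoke-Native icacls @($target, '/save', $aclBackup)
Write-Host "Original owner: $originalOwner"

try {
    # 2. Take ownership for the Administrators group (SID S-1-5-32-544)
    #    and grant that group full control of the folder.
    Invoke-Native takeown @('/F', $target, '/A')
    Invoke-Native icacls @($target, '/grant', '*S-1-5-32-544:(F)')

    # 3. Copy the file back into place; a denied copy throws and skips to step 4.
    Copy-Item -LiteralPath $source -Destination $target -ErrorAction Stop
}
finally {
    # 4. Put the saved DACL and the recorded owner back, even if the copy failed.
    #    icacls /save does not store the owner, so the owner is set separately.
    #    /restore takes the parent folder; the saved file holds the relative name.
    $parent = Split-Path -Parent $target
    foreach ($step in @(@($parent, '/restore', $aclBackup), @($target, '/setowner', $originalOwner))) {
        & icacls @step
        if ($LASTEXITCODE -ne 0) { Write-Warning "icacls $($step[1]) failed; fix this by hand" }
    }
}
```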

 


Also the original Owner was displayed as System rather than TrustedInstaller.  When I restore should I use System?

 


Sorry for the delay. This is actually taking longer than expected. I've taken full ownership of all folders and files under the C:\Program Files\WindowsApps folders. I can delete files and I can move files but I cannot add files. Monitoring under Process Monitor is not showing why it's blocked, only that it gets an access denied message. I'm still looking at seeing if I can find out what is causing that. We may have to resort to a Linux USB boot disk to try to fix this. Will check back in again hopefully tomorrow.

Do you have a USB thumb drive to format and set up as a bootable disk to use, or do you already have some type of boot repair type disk?

 

 

Edited by AdvancedSetup


Hi Ron,

I hope there is an easier solution, but if it is the only way, I can buy a USB drive to use. What size would be needed? Also, what should I do about the ownership change I made: change it back to System, which was the original owner, or TrustedInstaller, shown in the instructions you provided earlier? It is looking like HxTsr.exe was a very unfortunate false positive; I have been without the email and calendar client since May 5th.

Thanks.


All you need is a USB Flash thumb drive. I'd say 8GB just in case you wanted to install an OS on it.

http://www.bestbuy.com/site/pny-attache-8gb-usb-2-0-flash-drive-black/9737178.p?id=1218164033407&skuId=9737178

http://www.newegg.com/Product/Product.aspx?Item=N82E16820171497

Then we can install a Linux OS on it for now and boot from that to replace the file.

Just a reminder though that we did post that this beta should not be tested on a production system.

As this is the very first beta we do encourage beta users to install the product in non-production environments for testing purposes.

https://forums.malwarebytes.org/topic/177751-introducing-malwarebytes-anti-ransomware-beta/?do=findComment&comment=1014661

Typically these USB Flash drives are plentiful nowadays and I'm surprised you don't have one, but perhaps even a friend or neighbor might have one you can borrow (as long as it's blank with no data on it) as we will need to format the drive.

Let me know when ready.

I'm going to write up an article today or tonight on how to create the bootable Linux USB disk.

 


STEP A
Download Rufus to a location you can easily find after closing your browser.

Rufus is a utility that helps format and create bootable USB flash drives, such as USB keys/pendrives, memory sticks, etc.
https://rufus.akeo.ie/
https://rufus.akeo.ie/downloads/rufus-2.9.exe

STEP B
Download the Ubuntu Desktop .iso image to a location you can easily find after closing your browser.

http://www.ubuntu.com/download/desktop
http://releases.ubuntu.com/16.04/ubuntu-16.04-desktop-amd64.iso

STEP C
Follow the instructions from this article starting at STEP 1
(make sure the USB disk does not have any data on it that you want as it will be deleted)

How to create a bootable USB stick on Windows
http://www.ubuntu.com/download/desktop/create-a-usb-stick-on-windows

STEP D
After restarting your computer you may need to press one of the Function keys such as F2 or F12 to choose to boot from the USB Flash drive.
When it starts from the USB Flash drive choose the option "Try Ubuntu without installing" and press the Enter key.

STEP E
Open the Files application from the toolbar. Then browse to your file located on your original disk. It will probably have a label of the drive. It should not be too difficult to determine which drive it is.
C:\Users\Russ\Desktop\HxTsr.exe

STEP F
Select your file and click COPY. Then browse to the following location and click PASTE

C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.6868.40731.0._x64__8wekyb3d8bbwe

The file should copy there without any issues. Wait a few seconds for the caching of the file to complete the copy. Then click on the top right little gear icon and choose Shut Down for the computer.

STEP G
Remove the USB Flash drive from the computer and power the computer back on. The file HxTsr.exe should now be in place where it belongs. Open My Computer and browse to that location again and verify the file is there.

C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.6868.40731.0._x64__8wekyb3d8bbwe\HxTsr.exe

STEP H
Now test the mail program and verify if it works now and let me know.

Thanks

 

Edited by AdvancedSetup


I went back and reread your posts from the beginning and I did not see anyone suggest that you perform a System Restore.

Did you try a System Restore? If not then I would try that and find a Restore Point from before this file was removed.

How to Do a System Restore of Windows 10
http://www.tenforums.com/tutorials/4588-system-restore-windows-10-a.html

If System Restore does not work or does not fix the issue then you can use the Linux method above but a System Restore should fix it too.

 


Hi Ron,

Does System Restore save files like HxTsr.exe that are from Win10 apps like the Mail client and not part of the OS?

Thanks


Difficult to say as it is in a "controlled" area of the system. Certainly no harm in running a restore. It either works or it does not. Just create a new one now before running the restore and see how it goes. If it does not give the results you're looking for then restore it back to the one you just now created.

Thanks again

 


There must have been a Microsoft update that restored the hxtsr.exe; the file is back in the folder and the Win 10 Mail client is working again.

My only remaining concern is that MBARW still crashes when trying to add the file to exclusions to prevent its future quarantine (see attached).  I have completely uninstalled MBARW per the instructions provided in this post and confirmed that all identified folders were removed and reinstalled from the Admin account and still get the same crash.

Thanks

MBARW_Exclusions_Error.jpg


Please run the following for me.

 

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system.
You can check here if you're not sure if your computer is 32-bit or 64-bit

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Copy and paste or type in the following into the Search box:  HxTsr*
  • It will make a log (Search.txt) in the same directory the tool is run. Please attach it to your reply.

 

Thanks

 

 

 

Edited by AdvancedSetup

