DataExchangeHost.exe running on my pc but I don’t have a Virtual Machine

[TheLobster123]

Hello,

 

About a month ago I noticed that I had a service called DataExchangeHost.exe running on my task manager. I did some searching and found out that some virtual machines use the program. I decided to restart my pc to see if that would fix things and it certainly did. After the restart I didn’t see DataExchangeHost. I also did some antivirus scans using Malwarebytes, McAfe and Windows Defender to see if anything was wrong and all scans came out good. 
 

Skip forward to today and I noticed that the service was up and running again. I decided to stop the process and come here to see if it could be malware or if it’s just part of windows. 
 

I’m running Windows 10 home, the latest version and I have a HP Pavillion 15 eg0073cl. 
 

Any help would be appreciated.
 

Note: I don’t use virtual machines not have any installed 

[AdvancedSetup]

Hello @TheLobster123

 

Please run the following steps and post back the logs as an attachment when ready.
Temporarily disable your antivirus or other security software first. Make sure to turn it back on once the scans are completed.
Temporarily disable Microsoft SmartScreen to download software below if needed. Make sure to turn it back on once the scans are completed.
If you still have trouble downloading the software please click on Reveal Hidden Contents below for examples of how to allow the download.
 

Spoiler

 

 

 

 

 

Spoiler

 

When downloading with some browsers you may see a different style of screens that may block FRST from downloading. The program is safe and used hundreds of times a week by many users.

Example of Microsoft Edge blocking the download

 

 

STEP 01

• If you already have Malwarebytes installed then open Malwarebytes and click on the Scan button. It will automatically check for updates and run a Threat Scan.
• If you don't have Malwarebytes installed yet please download it from here and install it.
• Once installed then open Malwarebytes and select Scan and let it run.
• Once the scan is completed make sure you have it quarantine any detections it finds.
• If no detections were found click on the Save results drop-down, then the Export to TXT  button, and save the file as a Text file to your desktop or other location you can find and attach that log on your next reply.
• If there were detections then once the quarantine has completed click on the View report button, Then click the Export drop-down, then the Export to TXT  button, and save the file as a Text file to your desktop or other location you can find and attach that log on your next reply.
• If the computer restarted to quarantine you can access the logs from the Detection History, then the History tab. Highlight the most recent scan and double-click to open it. Then click the Export drop-down, then the Export to TXT  button, and save the file as a Text file to your desktop or other location you can find and attach that log on your next reply.
• If Malwarebytes won't run then please skip to the next step and let me know in your next reply that the scanner would not run.

STEP 02

Please download AdwCleaner by Malwarebytes and save the file to your Desktop.

• Double-click to run the program
• Accept the End User License Agreement.
• Wait until the database is updated.
• Click Scan Now.
• When finished, if items are found please click Quarantine.
• Your PC should reboot now if any items were found.
• After reboot, a log file will be opened. Attach or Copy its content into your next reply.

RESTART THE COMPUTER Before running Step 3

STEP 03
Please download the Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. You can check here if you're not sure if your computer is 32-bit or 64-bit

• Double-click to run it. When the tool opens, click Yes to disclaimer.
• Press the Scan button.
• It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
• The first time the tool is run, it also makes another log (Addition.txt). If you've, run the tool before you need to place a check mark here each time
• Please attach the Additions.txt log to your reply as well.
• On your next reply, you should be attaching frst.txt and additions.txt to your post, every time.

 

Thanks

[TheLobster123]

Hello,

These are the logs.

Addition.txt AdwCleaner[S00].txt FRST.txt Malwarebytes Scan.txt

[AdvancedSetup]

I don't see that process running in the logs. DataExchangeHost.exe

 

I do see that the computer appears to possibly be a business machine? It's trying to connect and authorize with a Microsoft Azure Cloud service.

 

Application errors:
==================
Error: (01/20/2021 07:57:06 PM) (Source: CertEnroll) (EventID: 86) (User: NT AUTHORITY)
Description: SCEP Certificate enrollment initialization for WORKGROUP\LAPTOP-NHHH2TI2$ via https://INTC-KeyId-xxxxxx.microsoftaik.azure.net/templates/Aik/scep failed:

 

Is this a work computer you've taken home?

 

 

[TheLobster123]

Hello,

Nope this is a home computer.

 

What can this mean?

[TheLobster123]

I would like to also mention I have Java Development Kit and Python installed on my pc. Also I use my college email which is based on outlook.

[AdvancedSetup]

None of those rely on Azure

We could change the workgroup and see if that resets anything that may have been associated.

Review the following and change the Workgroup to something else. The name doesn't really matter all that much.

 

https://www.tenforums.com/tutorials/36133-change-workgroup-windows-10-a.html

Then restart the computer a couple of times and then get me new FRST logs

 

[TheLobster123]

Will do

What can cause this to happen? Do i have malware?

[TheLobster123]

FRST.txtAddition.txt

Here are the new logs

[AdvancedSetup]

As you can see, these are the only accounts on the system.

==================== Accounts: =============================

Administrator (S-1-5-21-3251781293-701323939-3677769584-500 - Administrator - Disabled)
DefaultAccount (S-1-5-21-3251781293-701323939-3677769584-503 - Limited - Disabled)
Guest (S-1-5-21-3251781293-701323939-3677769584-501 - Limited - Disabled)
WDAGUtilityAccount (S-1-5-21-3251781293-701323939-3677769584-504 - Limited - Disabled)
znath (S-1-5-21-3251781293-701323939-3677769584-1001 - Administrator - Enabled) => C:\Users\znath

 

So, only your own znath account is enabled and available and does have Administrator rights. There are no other accounts logging into the computer without your password.

 

Please click on Start and type in Reliability and run that and check on any issues the computer has been having

 

 

[TheLobster123]

Hello, so I opened reliability monitor and the only error that shows is that sysInfoCap stopped working. Apart from that I can’t see anything else. 

[TheLobster123]

The other things that show are just successful updates. 

[AdvancedSetup]

Please download MiniToolBox save it to your desktop and run it.

Checkmark the following check-boxes:

• Flush DNS
• Report IE Proxy Settings
• Reset IE Proxy Settings
• Report FF Proxy Settings
• Reset FF Proxy Settings
• List content of Hosts
• List IP configuration
• List Winsock Entries
• List last 10 Event Viewer log
• List Installed Programs
• List Devices
• List Users, Partitions and Memory size.
• List Minidump Files

Click Go and post the result (Result.txt). A copy of Result.txt will be saved in the same directory the tool is run.

Note: When using Reset FF Proxy Settings option Firefox should be closed.

 

[TheLobster123]

Hello, here is the log:

MTB.txt

[AdvancedSetup]

No new, unknown accounts on Windows
No new, unknown networks on the route for networking

Let me have you run a Microsoft Safety Scanner

 

 

The Microsoft Safety Scanner is a free Microsoft stand-alone virus scanner that can be used to scan for & remove malware or potentially unwanted software from a system.

The download links & the how-to-run-the tool are at this link at Microsoft

https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download

Please let me know the results of this scan.

The log is named MSERT.log 

the log will be at  %SYSTEMROOT%\debug\msert.log   which in most cases is

C:\Windows\debug\msert.log

Please attach that log with your next reply.

 

 

[AdvancedSetup]

Afterwards, give me a list of Folders you want to forcefully remove. NOTE: Folders forcefully removed cannot be restored so make sure you really want to remove them.

 

[TheLobster123]

Hello, I’m currently doing a full scan using the indicated software. Will let you know the result. I don’t have any folders I want to remove. Do you suggest any? 

[AdvancedSetup]

Sorry, I was helping someone else that was wanting to remove some folders.

Let me know if you're still seeing this exchange process show up again once done.

 

[TheLobster123]

Hello,

I ran the program three times.

The first time it froze up

The second time i did a quick scan and it found something

The third time I did a full scan and it didn't find anything.

Here are the logs:

 

 

Full Scan.txt Quick Scan.txt

[TheLobster123]

I would like to mention DataExchangeHost.exe stopped showing up after stopping it earlier today before I posted here.

[AdvancedSetup]

The logs looks good. I don't see any obvious signs of something trying to load that shouldn't be.

Keep an eye out and if you see anything let me know.

 

[TheLobster123]

Hello, thanks for the help. I have three questions before we end.  Any that you can answer will be appreciated 

1. Did my computer have malware? 
 

2. You mentioned that my computer was trying to reach Azure servers. Where we able to fix that? 
 

3. What could’ve caused DataExchangeHost to show up? 
 

Again thanks for all the help. 

[AdvancedSetup]

1. I did not see anything obvious and using various scanners they did not either
2. We would have to double check by restarting the computer and seeing if a new entry in the Event Logs shows up for it. Basically open Event Viewer and look for a new entry. You can filter for EventID: 86
3. Difficult to say for sure as it was not there in the logs to try to track down. It appears you were able to remove it already so it was not there for me to track down.

 

[TheLobster123]

Hello @AdvancedSetup,

Ill do what you mentioned in step 2 as soon as I get home. I did a quick google search and it said that event EventID: 86 was an error that occurred when pinging a server. My concern is that I’m not trying to ping a server. I mainly use the computer for gaming and for college work. So I don’t know why my computer would be pinging an Azure server.
 

I’m not good with network stuff so forgive me if this sounds dumb, I’m just concerned about my computer sharing data with an unknown Server. 

[AdvancedSetup]

Okay, so.. finding nothing on this for malware I decided to review the "dataexchangehost.exe" file a bit more.

This is a digitally signed file from Microsoft and is included with Windows core operating system files.

The following key
HKEY_CLASSES_ROOT\AppID\{C2E9756F-8155-4EAC-9ED5-0B690169D412}
(DataExchangeHost)

Leads to this next key
HKEY_CLASSES_ROOT\AppID\DataExchangeHost.exe

Which has an appID of
{C2E9756F-8155-4EAC-9ED5-0B690169D412}

Which leads to
HKEY_CLASSES_ROOT\CLSID\{9FC8E510-A27C-4B3B-B9A3-BF65F00256A8}\InProcServer32
(default) %SystemRoot%\system32\dataexchange.dll

So: {9FC8E510-A27C-4B3B-B9A3-BF65F00256A8} leads to Drag and Drop for work on WinPE work here
http://mistyprojects.co.uk/documents/winpe_tweaks/readme.files/DragNDrop.htm

HKEY_CLASSES_ROOT\CLSID\{CC07F1AC-9ADD-4DEF-93DF-6F755F2A88A1}
AppID {C2E9756F-8155-4EAC-9ED5-0B690169D412}
(default) C:\Windows\System32\DataExchangeHost.exe

Then DatExchangeHost leads to
HKEY_CLASSES_ROOT\OneCoreContracts\Windows.Internal.PlatformExtensions.DragDropExperience\Desktop

Which then leads to
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.ApplicationModel.DataTransfer.DragDrop.Core.CoreDragDropManager
(DllPath) %SystemRoot%\system32\DataExchange.dll

Then you can also see that OLE here also has the same key name that points back to %SystemRoot%\system32\dataexchange.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\Extensions
DragDropExtension: {9FC8E510-A27C-4B3B-B9A3-BF65F00256A8}

Then DragDropHost entry has: {228826af-02e1-4226-a9e0-99a855e455a6}
(default) ImmersiveShellBroker
(AppID) {2fd08a73-d1f1-43eb-b888-24c2496f95fd}

 

Also, here are some ASCII strings from within the file that also backs up this is used for Drag and Drop

onecore\internal\sdk\inc\wil\opensource\wil\resource.h
WilError_03
RtlNtStatusToDosErrorNoTeb
RtlDllShutdownInProgress
RtlDisownModuleHeapAllocation
pcshell\shell\dataexchange\host\exe\dataexchangehost.cpp
pcshell\shell\dataexchange\host\lib\dragdropbroker.cpp
pcshell\shell\dataexchange\host\lib\olebroker.cpp
Ubad locale name
generic
unknown error
iostream
iostream stream error
system
ios_base::badbit set
ios_base::failbit set
ios_base::eofbit set
pcshell\shell\dataexchange\host\lib\dragwindow.cpp
invalid string position
string too long
bad cast
UXpcshell\shell\dataexchange\host\lib\DragVisual.h
pcshell\shell\dataexchange\host\lib\dragvisual.cpp
$}Npcshell\shell\dataexchange\host\lib\inputcapture.cpp
RtlQueryFeatureConfiguration
RtlRegisterFeatureConfigurationChangeNotification
RtlUnregisterFeatureConfigurationChangeNotification
RtlNotifyFeatureUsage
NtQueryWnfStateData
NtUpdateWnfStateData
RtlSubscribeWnfStateChangeNotification
RtlUnsubscribeWnfNotificationWaitForCompletion
onecore\internal\sdk\inc\wil\Staging.h
WilStaging_02
pcshell\shell\dataexchange\host\lib\dragdropoperationinternal.cpp
vector<T> too long
Immersive
DragDropSession
onecore\internal\sdk\inc\wil\opensource/wil/result.h
pcshell\shell\dataexchange\host\lib\oleinteroptarget.cpp
Bmap/set<T> too long
iV2
_pcshell\shell\dataexchange\host\lib\edp.cpp
_WT
pcshell\shell\dataexchange\host\lib\shelldroptargetmediator.cpp
Fapcshell\shell\dataexchange\host\lib\droptargetmediator.cpp
Fpcshell\shell\dataexchange\host\lib\dragdropargs.cpp
bad allocation
onecore\shell\lib\calleridentity\calleridentity.cpp
onecore\shell\lib\calleridentity\calleridentity_window.cpp
onecore\shell\lib\calleridentity\calleridentity_capability.cpp
R~A
onecoreuap\shell\dataexchange\common\lib\winrtexclusiontoken.cpp
LXaK
onecoreuap\shell\dataexchange\common\lib\edp.cpp

 

So, in a nutshell that file (dataexchangehost.exe) is for Drag and Drop operations and exchanging the data between apps

 

 

 

 

Edited January 25, 2021 by AdvancedSetup
updated information