Recurring Detection - infection or part of a Windows update?


shruiken15

My computer is suddenly reporting detections; as far as I am aware, I have not done anything out of the ordinary to cause it. I quarantine and delete what Malwarebytes finds and subsequent scans come up clean, but upon restarting my computer it finds the same files again. Upon the first detection I was informed by Windows Defender that my 'app and browser control' function was turned off, but upon reactivating it it has remained active through multiple restarts. The detections in question are:

C:\Windows\system32\TASKS\microsoft\windows\application experience\pcapatchdbtask
hklm\software\microsoft\windows nt\currentversion\schedule\taskcache\tree\microsoft\windows\application experience\pcapatchdbtask
hklm\software\microsoft\windows nt\currentversion\schedule\taskcache\tasks\{a0dab0dd-267d-4c7d-bd14-d879c849f76f}
hklm\software\microsoft\windows nt\currentversion\schedule\taskcache\tasks\{a0dab0dd-267d-4c7d-bd14-d879c849f76f}

The heading on the detection is 'Riskware/Generic.' Can someone tell me what this is? Is this an infection, or a disagreeable Windows update?


I'm getting the same exact things, except I have 47 detected items. Considering it's suddenly happening to multiple people, my guess is it has something to do with Windows updates.

Here's a list of mine:

Registry Key: 37
RiskWare.Injector.Generic, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\Microsoft\Windows\Application Experience\PcaPatchDbTask, Quarantined
RiskWare.Injector.Generic, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{FAC7C6DC-F680-4965-BF86-2AB1AF07F46D}, Quarantined
RiskWare.Injector.Generic, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\PLAIN\{FAC7C6DC-F680-4965-BF86-2AB1AF07F46D}, Quarantined
RiskWare.Injector.Generic, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\Microsoft\Windows\Application Experience\StartupAppTask, Quarantined
RiskWare.Injector.Generic, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{3D363385-64B8-4207-AC46-3EE180DD87F2}, Quarantined
RiskWare.Injector.Generic, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\PLAIN\{3D363385-64B8-4207-AC46-3EE180DD87F2}, Quarantined
RiskWare.Injector.Generic, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\MAINTENANCE\{3D363385-64B8-4207-AC46-3EE180DD87F2}, Quarantined
RiskWare.Injector.Generic, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\Microsoft\Windows\applicationdata\CleanupTemporaryState, Quarantined
RiskWare.Injector.Generic, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{E003BEA4-7D11-4522-9834-25C3F9F93F53}, Quarantined
RiskWare.Injector.Generic, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\PLAIN\{E003BEA4-7D11-4522-9834-25C3F9F93F53}, Quarantined
RiskWare.Injector.Generic, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\MAINTENANCE\{E003BEA4-7D11-4522-9834-25C3F9F93F53}, Quarantined
RiskWare.Injector.Generic, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\Microsoft\Windows\AppxDeploymentClient\Pre-staged app cleanup, Quarantined
RiskWare.Injector.Generic, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{C9ABE41C-5E65-4E52-8BAD-4F1BCA3B5715}, Quarantined
RiskWare.Injector.Generic, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\LOGON\{C9ABE41C-5E65-4E52-8BAD-4F1BCA3B5715}, Quarantined
RiskWare.Injector.Generic, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\MAINTENANCE\{C9ABE41C-5E65-4E52-8BAD-4F1BCA3B5715}, Quarantined
RiskWare.Injector.Generic, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\Microsoft\Windows\Autochk\Proxy, Quarantined
RiskWare.Injector.Generic, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{36A78C3E-A142-4F86-903E-AE26291F646C}, Quarantined
RiskWare.Injector.Generic, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\BOOT\{36A78C3E-A142-4F86-903E-AE26291F646C}, Quarantined
RiskWare.Injector.Generic, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticDataCollector, Quarantined
RiskWare.Injector.Generic, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{B97C7632-DD50-4F07-8E4E-F1450795BF78}, Quarantined
RiskWare.Injector.Generic, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\PLAIN\{B97C7632-DD50-4F07-8E4E-F1450795BF78}, Quarantined
RiskWare.Injector.Generic, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\MAINTENANCE\{B97C7632-DD50-4F07-8E4E-F1450795BF78}, Quarantined
RiskWare.Injector.Generic, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\Microsoft\Windows\SharedPC\Account Cleanup, Quarantined
RiskWare.Injector.Generic, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{8DB27523-093D-4B93-A00B-68F6317DFAE1}, Quarantined
RiskWare.Injector.Generic, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\PLAIN\{8DB27523-093D-4B93-A00B-68F6317DFAE1}, Quarantined
RiskWare.Injector.Generic, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\MAINTENANCE\{8DB27523-093D-4B93-A00B-68F6317DFAE1}, Quarantined,
RiskWare.Injector.Generic, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\Microsoft\Windows\StateRepository\MaintenanceTasks, Quarantined
RiskWare.Injector.Generic, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{58CCC4DA-C86D-4E3D-8FAF-A7B24D8F3950}, Quarantined
RiskWare.Injector.Generic, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\PLAIN\{58CCC4DA-C86D-4E3D-8FAF-A7B24D8F3950}, Quarantined
RiskWare.Injector.Generic, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\MAINTENANCE\{58CCC4DA-C86D-4E3D-8FAF-A7B24D8F3950}, Quarantined
RiskWare.Injector.Generic, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\Microsoft\Windows\Sysmain\WsSwapAssessmentTask, Quarantined
RiskWare.Injector.Generic, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{638672E6-20F1-499D-BFCC-9EA7935257C4}, Quarantined
RiskWare.Injector.Generic, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\PLAIN\{638672E6-20F1-499D-BFCC-9EA7935257C4}, Quarantined
RiskWare.Injector.Generic, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\MAINTENANCE\{638672E6-20F1-499D-BFCC-9EA7935257C4}, Quarantined
RiskWare.Injector.Generic, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\Microsoft\Windows\Windows Filtering Platform\BfeOnServiceStartTypeChange, Quarantined
RiskWare.Injector.Generic, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{86158314-60CF-4F3F-85B5-2399327EA496}, Quarantined
RiskWare.Injector.Generic, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\PLAIN\{86158314-60CF-4F3F-85B5-2399327EA496}, Quarantined

File: 10
RiskWare.Injector.Generic, C:\WINDOWS\SYSTEM32\TASKS\Microsoft\Windows\Application Experience\PcaPatchDbTask, Quarantined
RiskWare.Injector.Generic, C:\WINDOWS\SYSTEM32\TASKS\Microsoft\Windows\Application Experience\StartupAppTask, Quarantined
RiskWare.Injector.Generic, C:\WINDOWS\SYSTEM32\TASKS\Microsoft\Windows\ApplicationData\CleanupTemporaryState, Quarantined
RiskWare.Injector.Generic, C:\WINDOWS\SYSTEM32\TASKS\Microsoft\Windows\AppxDeploymentClient\Pre-staged app cleanup, Quarantined
RiskWare.Injector.Generic, C:\WINDOWS\SYSTEM32\TASKS\Microsoft\Windows\Autochk\Proxy, Quarantined
RiskWare.Injector.Generic, C:\WINDOWS\SYSTEM32\TASKS\Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticDataCollector, Quarantined
RiskWare.Injector.Generic, C:\WINDOWS\SYSTEM32\TASKS\Microsoft\Windows\SharedPC\Account Cleanup, Quarantined
RiskWare.Injector.Generic, C:\WINDOWS\SYSTEM32\TASKS\Microsoft\Windows\StateRepository\MaintenanceTasks, Quarantined
RiskWare.Injector.Generic, C:\WINDOWS\SYSTEM32\TASKS\Microsoft\Windows\Sysmain\WsSwapAssessmentTask, Quarantined
RiskWare.Injector.Generic, C:\WINDOWS\SYSTEM32\TASKS\Microsoft\Windows\Windows Filtering Platform\BfeOnServiceStartTypeChange, Quarantined

Yes - I'm seeing many posts all of a sudden with the same thing. It looks like this was a false positive and will be patched; many people are being chided for immediately deleting the files (like I have). Since I don't have an active system restore point, I hope I have not deleted anything critical.


  • Staff

Quarantining is understandable. It's the deletion/emptying from the quarantine tab which is not necessary. The quarantine folder disables the files and stores them there. They can't possibly run anymore. It's always recommended to leave anything in quarantine at least 3 days in case you have to restore. Once you delete them from the quarantine tab there is no way to get them back anymore.


4 minutes ago, Porthos said:

Reappear as detections? If so please post a new log.

I stated in my initial post that upon restarting, these four files appear as detections:

C:\Windows\system32\TASKS\microsoft\windows\application experience\pcapatchdbtask
hklm\software\microsoft\windows nt\currentversion\schedule\taskcache\tree\microsoft\windows\application experience\pcapatchdbtask
hklm\software\microsoft\windows nt\currentversion\schedule\taskcache\tasks\{a0dab0dd-267d-4c7d-bd14-d879c849f76f}
hklm\software\microsoft\windows nt\currentversion\schedule\taskcache\tasks\{a0dab0dd-267d-4c7d-bd14-d879c849f76f}


I believe they are the False Positives and Malwarebytes says it is up to date. I was not trying to say that this was a separate event! Rather, that:

  • I received the 47 FPs
  • Quarantined and deleted them
  • Re-scanned; Malwarebytes came up clean
  • Restarted my computer
  • Re-scanned; Malwarebytes listed the 4 FPs I mentioned in my initial post.

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 5/19/21
Scan Time: 10:40 AM
Log File: 1b0d3376-b8b0-11eb-9054-08626637055e.json

-Software Information-
Version: 4.3.0.98
Components Version: 1.0.1292
Update Package Version: 1.0.40646
License: Premium

-System Information-
OS: Windows 10 (Build 19042.985)
CPU: x64
File System: NTFS
User: DESKTOP-ON8A8PN\Owner

-Scan Summary-
Scan Type: Threat Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 273713
Threats Detected: 4
Threats Quarantined: 4
Time Elapsed: 0 min, 26 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 3
RiskWare.Injector.Generic, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\Microsoft\Windows\Application Experience\PcaPatchDbTask, Quarantined, 11812, 941491, , , , , , 
RiskWare.Injector.Generic, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{A0DAB0DD-267D-4C7D-BD14-D879C849F76F}, Quarantined, 11812, 941491, , , , , , 
RiskWare.Injector.Generic, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\PLAIN\{A0DAB0DD-267D-4C7D-BD14-D879C849F76F}, Quarantined, 11812, 941491, , , , , , 

Registry Value: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 1
RiskWare.Injector.Generic, C:\WINDOWS\SYSTEM32\TASKS\Microsoft\Windows\Application Experience\PcaPatchDbTask, Quarantined, 11812, 941491, 1.0.40646, , ame, , 9F0ACCD368DEBDA3AA6D8B29423CF3EE, 2E45B19A08F38A948D25B4F8A8459770531DF09A185633D61AE7B9DAC986A1A9

Physical Sector: 0
(No malicious items detected)

WMI: 0
(No malicious items detected)


(end)

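The log above names three artefacts for the recurring PcaPatchDbTask detection: the TaskCache\Tree key, the TaskCache\Tasks\{GUID} record (plus the Plain/Maintenance/Logon/Boot index keys in the longer list) and the XML file under System32\Tasks. The PowerShell below is an added example, not code from the thread or from Malwarebytes; it walks those artefacts for one task and checks the Authenticode signature of whatever the task actually runs, which is how a reader can judge for themselves whether a flagged task is a stock Windows maintenance job. It assumes the standard Task Scheduler registry layout (Tree entries carry an `Id` GUID, Tasks records carry `Path` and `Author`) and an elevated prompt.

```powershell
# Added example, not code from the thread or from Malwarebytes.
# Cross-checks the three artefacts the log lists for one scheduled task:
# TaskCache\Tree\<path> -> TaskCache\Tasks\{GUID} -> System32\Tasks\<path> (XML),
# then verifies the Authenticode signature of what the task actually runs.
# Run from an elevated PowerShell prompt; the default path is the one in the log.
param(
    [string]$TaskPath = 'Microsoft\Windows\Application Experience\PcaPatchDbTask'
)

$cache = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache'

# 1. Tree entry: its "Id" value is the GUID that names the Tasks\{GUID} record
$id = (Get-ItemProperty -LiteralPath "$cache\Tree\$TaskPath" -ErrorAction Stop).Id
"Tree Id      : $id"

# 2. Tasks\{GUID} record: "Path" must point back at the same task
$rec = Get-ItemProperty -LiteralPath "$cache\Tasks\$id" -ErrorAction Stop
"Record Path  : $($rec.Path)   Author: $($rec.Author)"
if ($rec.Path.TrimStart('\') -ne $TaskPath) { Write-Warning 'Tree/Tasks path mismatch' }

# 3. Trigger index keys (Plain, Maintenance, Logon, Boot) that also name this GUID;
#    these are the extra keys the scan reported alongside Tree and Tasks.
$indexed = foreach ($idx in 'Plain', 'Maintenance', 'Logon', 'Boot') {
    if (Test-Path -LiteralPath "$cache\$idx\$id") { $idx }
}
"Indexed under: $($indexed -join ', ')"

# 4. On-disk definition: the file under System32\Tasks is the task's XML
$xmlPath = Join-Path $env:SystemRoot "System32\Tasks\$TaskPath"
[xml]$task = Get-Content -LiteralPath $xmlPath -Raw
$actions = $task.Task.Actions

# 5. Resolve what gets executed: an Exec action names a binary directly, a
#    ComHandler action names a CLSID whose InProcServer32 key gives the DLL.
if ($actions.Exec) {
    $target = [Environment]::ExpandEnvironmentVariables($actions.Exec.Command).Trim('"')
    "Exec         : $target $($actions.Exec.Arguments)"
} elseif ($actions.ComHandler) {
    $clsid  = $actions.ComHandler.ClassId
    $srv    = Get-ItemProperty -LiteralPath "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InProcServer32"
    $target = [Environment]::ExpandEnvironmentVariables($srv.'(default)').Trim('"')
    "ComHandler   : $clsid -> $target"
} else {
    throw "No Exec or ComHandler action found in $xmlPath"
}
# 6. Signature check: a genuine OS maintenance task runs a Microsoft-signed
#    binary under %SystemRoot%; anything else deserves a closer look.
$sig = Get-AuthenticodeSignature -FilePath $target
"Signature    : $($sig.Status)   Signer: $($sig.SignerCertificate.Subject)"
```

If the scanner has already quarantined the task, the Tree key or XML file will be missing and the script stops at that step, which itself tells you which artefact Windows has or has not recreated after a restart.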

My current version is 1.0.40660. The scan results in my previous response are from earlier today, before I first made my post. I have not restarted my computer since making this forum post, as I was waiting to hear back for a response. I don't think there is currently an issue.


My current scan is clean. When I first received the detection alert, I quarantined and deleted the files; I now since know better, but the files are gone. I made the posting here after noticing that, upon quarantining and deletion, Malwarebytes would scan clean; but after restarting, Malwarebytes would detect the four files I mentioned in the scan and would not scan clean. So I would quarantine, delete, scan, restart...and scan again, with the same results. Now I know my Malwarebytes database is up to date; it scans clean; and I expect it to scan clean the next time I restart.


2 minutes ago, shruiken15 said:

I made the posting here after noticing that, upon quarantining and deletion, Malwarebytes would scan clean; but after restarting, Malwarebytes would detect the four files I mentioned in the scan and would not scan clean.

I guess Windows was kind enough to at least replace those 4.

Thanks for your report.
