Rootkit / hidden file ??
Author Topic: Rootkit / hidden file ??  (Read 891 times)
tmy
« on: March 26, 2011, 01:46:42 AM »

 Azn everyone,
I know Britec did a great tutorial on rootkit removal with "Icesword", but my question is: I have done a scan with Sophos Anti-Rootkit and it shows up a "Hidden file" in C:\ProgramData\Microsoft\search\data\Application\Windows\tmp.edb, Removable: YES (but clean up not recommended for this file). So could someone advise whether I should remove it or not, because it is unnerving? Also, why is it not recommended? Thank you for reading my post / problem, take care


tmy


 Bye
 
« Last Edit: March 26, 2011, 03:38:03 AM by Britec »

www.stannic.com.au  Home Computing Services And Repairs
BJseal91
« Reply #1 on: March 26, 2011, 02:27:32 AM »

.edb is a database file.

Read more about it here:

http://www.fileinfo.com/extension/edb

Do you have any database files set up on your computer / server machine?

Have you opened up the location and run a virus check on the database file?

Hope this helps a little bit more about the file.

If you need to know more let me know and I will help you along the way.

BJseal91
tmy
« Reply #2 on: March 26, 2011, 02:39:17 AM »

 Azn Bradley,
well it's a client and friend's PC. By the looks of things it could be related to the emails, if I'm thinking right from the link you gave me. I did a Dr Web boot scan, fully updated, and it found zero infections. If it turns out to be safe to remove I guess it will only be possible in a live CD environment, as it's hidden and when Windows has booted it is safe from detection and removal. Do you agree with my logic Bradley?

I have some tools like MSDart for Windows 7, which the PC has installed as its O/S. Do you think that will do it? I'm very reluctant to remove as it could, being my luck, stuff up the emails. I don't know what to do?

What do you think Bradley? Hey please take care now



tmy



 Bye
BJseal91
« Reply #3 on: March 26, 2011, 03:20:52 AM »

Tmy, if you have MSDart 6.5 for Windows 7 do a scan with the built-in scanner; that finds a hell of a lot, to be fair. If you are still unsure scan it with Avast temporarily, or whatever scanner they have. And yes, it could be linked to their email, so if it is safe I would leave it where it is.

Hope this helps

Bradley
tmy
« Reply #4 on: March 26, 2011, 03:27:11 AM »

 Azn Bradley,
thank you for taking time to explain what you think in this case. I have done a scan already with the Dr Web, which is able to update itself, and read what Brian put up on the forum, and as I say it's a case of leave it alone or remove it? Let's see if anyone has any more to add to this and then I will make a decision.

You should really get some sleep Bradley, hee hee, you can't operate day and night. Hey take care and thank you for your help, I really appreciate your time and advice.



tmy



 Bye
BJseal91
« Reply #5 on: March 26, 2011, 03:29:03 AM »

no worries
I did get a couple of hours' sleep.
tmy
« Reply #6 on: March 26, 2011, 09:20:08 PM »

 Azn Bradley,
how are you today? I found more info on the so-called rootkit on the system. This is what I have found, and I might leave it alone; maybe yourself or Brian could have a look and see what you think: Protect Software GmbH, related to this, found by AVG that says it's a rootkit: Acedrv11.sys with description ProtectDISC x64/x86 Hybrid Driver is a driver file from company Protect Software GmbH belonging to product ProtectDISC x64/x86 Hybrid Driver.
In total there are 1 launchpoints for this file.
There are 8 different variations of the file in our database and the file is digitally signed from Protect Software GmbH - VeriSign Time Stamping Services Signer - G2.
We do not recommend removing digitally signed files from Protect Software GmbH - so it could be some software copy protection??

I have tried all ways to back up the .edb file but no matter how I try, even with PE disks, it will not allow access or is not shown. Any ideas guys? By the way I went to bed at 4:30 AM and when I got up at around 11:00 AM I looked at the time in right side up land and found it to be 4:30 AM, hope you were in the land of nod. Take care, speak soon


tmy



 Bye
« Last Edit: March 26, 2011, 09:22:18 PM by tmy »
tmy
« Reply #7 on: March 26, 2011, 10:29:04 PM »

 Azn guys
just to make things a bit more difficult, the O/S Windows 7 Prem is 64 bit, limited with the software written for 64 bit. I love this work. I don't know, getting buggered, can't think. Any ideas let me know, always open to suggestions, take care


tmy



 Bye
tmy
« Reply #8 on: March 26, 2011, 11:08:33 PM »

 Azn guys,
more info: Sophos found hidden files unknown C:\programdata\microsoft\crypto\rsa\s-1-5-18, Removable: Yes but clean up not recommended for this file. What to do? Getting more confused. Managed to back up the \tmp.edb file to my removable so that is a start. Wondering if they are one and the same file: AVG finds rootkits called Acedrv11.sys with description ProtectDISC x64/x86 Hybrid Driver is a driver file from company Protect Software GmbH belonging to product ProtectDISC x64/x86 Hybrid Driver.
In total there are 1 launchpoints for this file.
There are 8 different variations of the file in our database and the file is digitally signed from Protect Software GmbH - VeriSign Time Stamping Services Signer - G2.
We do not recommend removing digitally signed files from Protect Software GmbH - so it could be some software copy protection??

Sophos finds the C:\programdata\microsoft\crypto\rsa\s-1-5-18. Can you think of what I should do, and if you agree it could be the same file described in a different way, and could it be copy protection and ignore it?


Take care lads


tmy



 Bye
tmy
« Reply #9 on: March 28, 2011, 07:59:44 AM »

 Azn everyone, Bradley and Brian (when you're feeling better mate),

I want to give this post a conclusion of what I have found, in my opinion the most logical answer to the problem of the hidden file I have been pulling my hair out over the last few days.

The .EDB file extension identifies an Exchange Information Store Database file which belongs to the Microsoft Exchange mail server product. This file type stores information relating to the e-mail databases created by Microsoft Exchange.

C:\ProgramData\Microsoft\Search\Data\Applications\Windows\tmp.edb is a system file and can be excluded from scans. These files should not be scanned because antivirus software may not correctly treat them as proprietary database files.

So as of now you can ignore this warning.

To make sure that your system is not affected by any virus, you can run a scan using Microsoft Security Essentials.

Now I did not write all the above; that credit goes to some Microsoft expert, Thahaseena M, Microsoft Answers Support Engineer.

Thanks goes to everyone who helped out on this, Brian and Bradley for their input, in fact those are the only two. I will now slowly recover my head and rest till the next problem comes along and then it's into it again. You see we learn every day in the problems we come up against, take care


tmy




 Bye
« Last Edit: March 28, 2011, 09:33:20 AM by tmy »
Britec
Administrator
« Reply #10 on: March 28, 2011, 11:27:52 AM »

Microsoft Security Essentials reports finding a virus Exploit:JS/MS09002.C with the details:
Category: Exploit

Description: This program is dangerous and exploits the computer on which it is run.

Recommendation: Remove this software immediately.

Microsoft Security Essentials detected programs that may compromise your privacy or damage your computer. You can still access the files that these programs use without removing them (not recommended). To access these files, select the 'Allow' action and click 'Apply actions'. If this option is not available, log on as administrator or ask the local administrator for help.

Items:
file:C:\ProgramData\Microsoft\Search\Data\Applications\Windows\tmp.edb

This is a JavaScript exploit, which means this is a vulnerability: if you visit a website that contains this code then it could damage you or someone could gain access to your PC. The vulnerability has been resolved in Windows Update, look at this http://www.microsoft.com/technet/security/Bulletin/MS09-002.mspx

As you said, after you remove this it will come up. I guess that you might have a dropper in your PC or a downloader that checks the location and, if the threat is not there, then it will put it there. In this case, try to upgrade MSE, then update MSE and run a full system scan and remove everything.

If the problem is still happening contact the support team at the following link: https://support.microsoftsecurityessentials.com/
and click "I think my computer is infected".

https://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Exploit:JS/MS09002.C

I would remove it. Done a bit of hunting around for you tmy and it seems to be a nasty... just remove it to be on the safe side.
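A defender's triage pass over the three items named in this thread (tmp.edb, the hidden Crypto\RSA\S-1-5-18 folder, and Acedrv11.sys), added here as an example script that is not code from the thread or from Sophos, AVG or MSE. It assumes an elevated PowerShell on the affected Windows 7 machine, that Acedrv11.sys sits under System32\drivers, and that its driver service shares the file's base name.

```powershell
# Added triage script; not code from the thread or from Sophos, AVG or MSE.
# Assumptions: run in an elevated PowerShell on the affected Windows 7 box;
# Acedrv11.sys is assumed to live under System32\drivers, and its driver
# service is assumed to share the file's base name. Reports only; deletes nothing.

$edb    = "$env:ProgramData\Microsoft\Search\Data\Applications\Windows\tmp.edb"
$rsaDir = "$env:ProgramData\Microsoft\Crypto\RSA\S-1-5-18"

# 1. tmp.edb is the Windows Search indexer's working database. Expected picture:
#    WSearch running, file hidden/system, owned by SYSTEM, recently written.
$ws = Get-Service -Name WSearch -ErrorAction SilentlyContinue
"WSearch service: " + $(if ($ws) { $ws.Status } else { "not installed" })
if (Test-Path -LiteralPath $edb) {
    $f = Get-Item -LiteralPath $edb -Force      # -Force also returns hidden items
    "tmp.edb: {0} bytes, attrs={1}, owner={2}, written={3}" -f `
        $f.Length, $f.Attributes, (Get-Acl -Path $edb).Owner, $f.LastWriteTime
} else { "tmp.edb not present" }

# 2. S-1-5-18 under Crypto\RSA is the CAPI private-key store for the Local
#    System account, so "hidden" on its own is not a finding. Report owner/count.
if (Test-Path -LiteralPath $rsaDir) {
    $d = Get-Item -LiteralPath $rsaDir -Force
    $n = @(Get-ChildItem -LiteralPath $rsaDir -Force -ErrorAction SilentlyContinue).Count
    "S-1-5-18: attrs={0}, owner={1}, {2} key containers" -f `
        $d.Attributes, (Get-Acl -Path $rsaDir).Owner, $n
}

# 3. Acedrv11.sys: verify the Authenticode chain instead of trusting a vendor
#    string, then see whether it is actually registered and running as a driver.
$drv = Get-ChildItem -Path "$env:SystemRoot\System32\drivers" -Filter Acedrv11.sys `
           -Recurse -Force -ErrorAction SilentlyContinue
if (-not $drv) { "Acedrv11.sys not found under System32\drivers" }
foreach ($file in $drv) {
    $sig = Get-AuthenticodeSignature -FilePath $file.FullName
    "{0}: status={1} signer={2}" -f $file.FullName, $sig.Status, `
        $(if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { "none" })
}
Get-WmiObject -Class Win32_SystemDriver -Filter "Name='Acedrv11'" |
    Select-Object Name, State, StartMode, PathName
```

A signature status other than Valid on the driver, or a tmp.edb owned by something other than SYSTEM while WSearch is stopped, is what would justify escalating beyond "leave it alone".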
tmy
« Reply #11 on: March 28, 2011, 11:57:22 AM »

 Azn Brian,
thanks a lot for that info! What are you doing up and around? You're supposed to be resting, getting better. I don't know how to fix this; you see since we spoke the PC has gotten progressively worse and worse. I now find services have been stopped. I can use the PC in safe mode but once I reboot to normal, after one or two clicks it freezes up and you can't do anything at all.

I'm knackered and don't know what to do next. If you're feeling up to it please share your wisdom my mate, much appreciated, but only if you're feeling better ok?

Take care and get well soon hey?



tmy


 Bye
Britec
Administrator
« Reply #12 on: March 28, 2011, 12:02:50 PM »

There are a lot of people who have had that infection; it's hard to remove in some cases.