0

In response to having this question marked as a duplicate, I added at the end a section explaining why this is not a generic malware removal question.

Today, I got a popup saying that I would be logged off in 1 minute. Sure enough, it happened.

I updated the malware definitions of MSE, Malwarebytes Free, and Spybot S&D free, then ran full scans in sequence. The latter two came up with nothing concerning, but MSE reported Nemucod, and cited c:\ProgramData\Microsoft\Search\Data\Applications\Windows\tmp.edb. I made the GUI selections to remove that, and was prompted to reboot. Upon logging in again, MSE displays a message saying that it was cleaning the malware, and that nothing need be done. Minutes later, MSE displays a warning again, and the details refer to Nemucod again. So I go through the removal routine again, but this seems to go in and "endless" loop (by which I mean iterations so far). The time stamp of tmp.edb always seems about as recent as the most recent reboot.

I used an admin account and tried manually deleting tmp.edb, but am told that the resource is busy. I booted in safe mode, but tmp.edb was nowhere to be found. Only when I booted in normal mode again did tmp.edb gets recreated.

Web browsing indicates that tmp.edb is a database file used by Windows, though I'm not sure if it is exactly the same path as above.

I am afraid that the malware isn't truly gone, and that MSE will pop up the warning again.

What should I do? I am using Windows 7 Professional 64-bit. enter image description here

Why this is not a generic malware removal question

One reader marked this question as a duplicating a generic best practice and recovery thread, but if it is accepted as a duplicate, then it means that the generic original precludes any further question on malware. The specificness of this question includes the fact that it isn't necessarily asking how to remove a virus. It doesn't even presume that there is an infection. I describe how two other AVs do not flag the problem that MSE does, and the fact that the cited file is a Windows file. One that goes away when I boot in safe mode. Some new details that make this even harder to assess is the fact that the indicators of Nemucod's presence is highly varied (e.g. here and here), which makes it hard to check whether this is a false positive.

UPDATE

To see if new MSE definitions might now exclude this trigger, I updated definitions at 2am 2018-12-16 EST and ran a full scan. The trigger recurs. Since the definitions were still those created on 2018-12-15, however, this should not be a suprise. As the tmp.edb is a Windows Search file, I disabled Windows Search as suggested by Jatmin and confirmed the absence of tmp.edb after rebooting. As a further measure, I downloaded new MSE definitions created 2018-12-16 07:44 EST and did a full scan, which came up clean. I find Windows Search useful, however, so I re-enabled it, which caused the MSE alarms after reboot (and tmp.edb was present again). I was hopeful that new definitions created 12:47 EST would not generate the alarm, but they still did. On a positive front, I updated MalwareBytes Free definitions, and enabled rootkit detection -- the scan came up clean.

UPDATE

I can't believe that this problem persists with virus definitions dated 2018-12-25. Why does no one else encounter this?

I have posted this to the Microsoft forum and reported this to Microsoft.

user2153235
  • 1,543

2 Answers2

1

You have a couple of options to confirm or refute the claim by a particular security product that a file is infected. Note that both of these methods require you to share the file with a third party*:

  1. Scan the suspect file with security products from several other vendors. Because most security products should not be installed side-by-side on the same machine, the simplest way I know to do this is by using the site VirusTotal.com. According to their How it works page:

    VirusTotal inspects items with over 70 antivirus scanners and URL/domain blacklisting services, in addition to a myriad of tools to extract signals from the studied content....Malware signatures are updated frequently by VirusTotal as they are distributed by antivirus companies, this ensures that our service uses the latest signature sets.

    However, if you don't want to use this (or a similar) site, you could uninstall your existing antivirus software and install another one, though that seems painful to do. Another option would be to take the file to another computer, but that risks spreading the threat if it's legitimate.

  2. Submit a false-positive report to the antivirus vendor. Each vendor's process for this is different and if you actually need to hear back from them as to whether the threat is real or not, it may be necessary to open a technical support request rather than simply use their false-positive reporting process. You will be asked to send them a copy of the file as part of this.

*In the comments you've shared your concern about sharing the potentially infected file with a third party. While this is understandable, you must realize that unless you are able to analyze the file yourself, you will have no choice but to involve a third party. And since no one can tell you whether the file is infected without inspecting it, the obvious conclusion is that you will necessarily have to share the file with whomever you ask to determine if it's infected or not.

I say Reinstate Monica
  • 26,651
-3

Just a stupid thing to suggest here. Temporarily disable windows search and see if tmp.edb goes away after reboot. If it does (it should) just add the .edb extension to MSE exclusions, or at least THAT tmp.edb file to exclusions. It seems winblows is detecting itself as a virus....which means it is FINALLY doing something right!! (giggle, I like winblows in actuality-it runs games far better than my linux boxes:-).

https://community.sophos.com/kb/en-us/118310

https://answers.microsoft.com/en-us/protect/forum/all/is-tmpedb-a-threat/f219d7aa-3368-4d51-b4df-53400e3cbb96

Jatmin
  • 9