SBMongoos
[H]ard|Gawd, Joined Jul 22, 2001, Messages 1,134

Sophos Anti-Rootkit found the following: C:\ProgramData\Microsoft\Search\Data\Applications\Windows\tmp.edb

But it says:

Area: Local hard drives
Description: Unknown hidden file
Location: C:\ProgramData\Microsoft\Search\Data\Applications\Windows\tmp.edb
Removable: Yes (but clean up not recommended for this file)
Notes: (no more detail available)


I'm running Windows 7 Pro 64-bit. Anyone seen this, or is this nothing to worry about? Sometimes these apps get things right and sometimes not. I feel like this is too vague.
 
tmp.edb is a temp database for Exchange transaction processing; no clue why it would be in that location though. It should be in the Mdbdata or Dsadata folders.

Another thing is, you probably do not even have anything Exchange-related on that machine. Strange indeed; get Sophos support on the horn and ask them.
 
tmp.edb is a temp database for Exchange transaction processing; no clue why it would be in that location though.

It's in the same location as the OP's on my Win7 x64 install.
 
I have a file named tmp.edb in the same location on my Win7 x64 install as well.

SBMongoos, is it named "tm p.edb" or "tmp.edb"? If it's named "tm p.edb", is there also a "tmp.edb" in the same folder? If it has somehow been renamed with the space in the name, that could be why Sophos is freaking out - and both files should be considered suspicious until proven otherwise, because it seems unlikely that the user would have done that accidentally.
 
I have a file named tmp.edb in the same location on my Win7 x64 install as well.

SBMongoos, is it named "tm p.edb" or "tmp.edb"? If it's named "tm p.edb", is there also a "tmp.edb" in the same folder? If it has somehow been renamed with the space in the name, that could be why Sophos is freaking out - and both files should be considered suspicious until proven otherwise, because it seems unlikely that the user would have done that accidentally.

No, I copy/pasted that message right from Sophos. But I see your point. I went right to the directory and it is "tmp.edb". And it's the only one; there is no other file with a similar name.
 
That's the temp database for the Windows Search service. I'd imagine that you can probably delete it without anything too bad happening (maybe lose your search history or similar). If it does blow up, restore your backup of the file.

I'm guessing it's a false positive since it's inside a database related to searching. If you did get something on your system earlier, it's possible that it cached some part of the bad file, similar to how System Restore backups can contain bad files. However, I'm not sure exactly what Search caches, and if there's any real danger from part of an infection getting cached.
 
I have the same file, tmp.edb, at 8.06 MB.

If it's picked up "tm p.edb", then unhide and show system files, as it might be hidden.
 
I ganked all these files last night and saw no ill effects.

You'll have to kill search and indexing in order to release the file lock on a couple of the files in the folder so you can delete them but there is no ill effect from doing so.
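The steps discussed in this thread (look in the Search data folder for hidden or oddly named files such as "tm p.edb", keep a copy of tmp.edb before touching it, stop the indexer to release the file lock, delete, restart) as one PowerShell sequence. This is an added example and not something any poster supplied; it assumes an elevated PowerShell 4 or later session on the Windows 7 x64 box (Get-FileHash needs 4+), the Windows Search service name WSearch, and a quarantine folder C:\Quarantine that you choose yourself.

```powershell
# Added example, not from the thread. Run from an elevated PowerShell 4+ prompt.
$dir        = 'C:\ProgramData\Microsoft\Search\Data\Applications\Windows'
$target     = Join-Path $dir 'tmp.edb'
$quarantine = 'C:\Quarantine'   # assumed path; pick your own

# 1. List everything in the folder, including Hidden/System files, and flag
#    names with embedded whitespace ("tm p.edb") that a glance would miss.
Get-ChildItem -LiteralPath $dir -Force | ForEach-Object {
    [pscustomobject]@{
        Name       = $_.Name
        Bytes      = $_.Length
        Attributes = $_.Attributes        # look for Hidden / System here
        LastWrite  = $_.LastWriteTime
        Flag       = if ($_.Name -match '\s') { 'WHITESPACE IN NAME' } else { '' }
    }
} | Format-Table -AutoSize

# 2. Stop the indexer so it releases its exclusive lock on the .edb files.
Stop-Service -Name WSearch -Force

if (Test-Path -LiteralPath $target) {
    # 3. Hash and copy the file before deleting it, so it can still be sent
    #    to Sophos or another scanner afterwards ("restore your backup" above).
    Get-FileHash -LiteralPath $target -Algorithm SHA256 | Format-List
    New-Item -ItemType Directory -Path $quarantine -Force | Out-Null
    Copy-Item -LiteralPath $target -Destination $quarantine -Force

    # 4. Sanity check that it is an ESE (Jet Blue) database at all: the ESE
    #    header stores the signature 0x89ABCDEF at offset 4, i.e. the
    #    little-endian byte sequence EF CD AB 89.
    function Test-EseHeader([string]$Path) {
        $fs = [System.IO.File]::Open($Path, 'Open', 'Read', 'ReadWrite')
        try {
            $buf = New-Object byte[] 8
            $n = $fs.Read($buf, 0, 8)
            return ($n -eq 8 -and $buf[4] -eq 0xEF -and $buf[5] -eq 0xCD -and
                    $buf[6] -eq 0xAB -and $buf[7] -eq 0x89)
        } finally { $fs.Dispose() }
    }
    "ESE header present in tmp.edb: $(Test-EseHeader $target)"

    # 5. Delete it. The indexer recreates its temp database and rebuilds the
    #    index on restart; only the search index is affected.
    Remove-Item -LiteralPath $target -Force
}

Start-Service -Name WSearch
```

If step 4 reports that the header signature is absent, the file is not an ESE database at all and the quarantined copy is what you hand to Sophos support; if the signature is present, you are most likely looking at the indexer's own temp database, which is the false-positive case the later posts describe.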
 
Hmm..

I've just been noticing a couple of apps lately that crash when closing. One of which is Outlook 2007, half of the time. I scanned the .pst file with scanpst and that helped for maybe two days. Annoying as hell. Seems my PC is running a little slower than usual.

I see Eset has a small update that "might" help with Outlook. Not confident though.
 
If we all have it in exactly the same place, I somehow doubt it's anything bad, especially since none of my AV and security apps detect it.

Using ESET Smart Security and Malwarebytes Anti-Malware, also scanned for rootkits, and ran some online AV scans, and nothing is showing it as something bad, so carry on with life, people.
 