Microsoft Security Essentials repeatedly detects Nemucod in recreated tmp.edb

Today, I got a popup saying that I would be logged off in 1 minute.  Sure enough, it happened.

I updated the malware definitions of MSE, Malwarebytes Free, and Spybot S&D free, then ran full scans in sequence.  The latter two came up with nothing concerning, but MSE reported Nemucod, and cited c:\ProgramData\Microsoft\Search\Data\Applications\Windows\tmp.edb.  I made the GUI selections to remove that, and was prompted to reboot.  Upon logging in again, MSE displays a message saying that it was cleaning the malware, and that nothing need be done.  Minutes later, MSE displays a warning again, and the details refer to Nemucod again.  So I go through the removal routine again, but this seems to go in an "endless" loop (by which I mean  iterations so far).  The time stamp of tmp.edb always seems about as recent as the most recent reboot.

I used an admin account and tried manually deleting tmp.edb, but am told that the resource is busy.  I booted in safe mode, but tmp.edb was nowhere to be found.  Only when I booted in normal mode again did tmp.edb get recreated.

Web browsing indicates that tmp.edb is a database file used by Windows, though I'm not sure if it is exactly the same path as above.

I am afraid that the malware isn't truly gone, and that MSE will pop up the warning again.  What should I do?  I am using Windows 7.

AFTERNOTE: This is an acknowledgment of the suggestions that the MSE report might be a false positive.  Two other AVs do not flag the problem that MSE does, and the cited file is a Windows file, one that goes away when I boot in safe mode.  A new detail that makes this even harder to assess is the fact that the indicators of Nemucod's presence are highly varied (e.g. https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=TrojanDownloader:JS/Nemucod and https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=JS/Nemucod), which makes it hard to check whether this is a false positive.

UPDATE: To see if new MSE definitions might now exclude this trigger, I updated definitions at 2am 2018-12-16 EST and ran a full scan. The trigger recurs. Since the definitions were still those created on 2018-12-15, however, this should not be a surprise. As the tmp.edb is a Windows Search file, I disabled Windows Search as suggested on Stack Exchange and confirmed the absence of tmp.edb after rebooting. As a further measure, I downloaded new MSE definitions created 2018-12-16 07:44 EST and did a full scan, which came up clean. I find Windows Search useful, however, so I re-enabled it, which caused the MSE alarms after reboot (and tmp.edb was present again). I was hopeful that new definitions created 12:47 EST would not generate the alarm, but they still did. On a positive front, I updated MalwareBytes Free definitions, and enabled rootkit detection -- the scan came up clean.

UPDATE: I can't believe that this problem persists with virus definitions dated 2018-12-25. Why does no one else encounter this?

I have posted this to Stack Exchange at https://superuser.com/questions/1384963/microsoft-security-essentials-repeatedly-detects-nemucod-in-recreated-tmp-edb.

Question Info

Last updated March 16, 2019. Views: 458.

Best answer is: reinstall / format your hard drive.

There is no way to be 100% sure that you remove everything with your antivirus!

Also, my recommendation is to stop using Windows 7 and buy/install Windows 10.


My guess is that it is a false positive. I would instruct MSE to ignore this particular file.


MSE is probably missing a deeper infection that is replacing the file.

Download the free version of Malwarebytes and make sure Settings > Protection > Scan Options > Scan for rootkits is turned on.

The scan can take a while but you may be surprised with the results.


@Frederik Long: Thanks, I was wondering about the false positive.  But it's Windows's own file, so that would be odd.  The evidence is mounting, however.

@Texas Techsys: The evidence is mounting that it is a false positive, but I am curious about what MalwareBytes's rootkit scan will uncover. Will follow up after completing current troubleshooting: (i) full scan using new MSE definitions from this morning, *after* disabling Windows Search and confirming the absence of tmp.edb; (ii) re-enabling Windows Search and checking whether tmp.edb trips up the new MSE definitions.


In addition to running Malwarebytes (a good recommendation) I suggest you also do an online scan of the file in question here -

https://www.virustotal.com/en/

Technician / Consultant


I am hesitant to submit files off-site for scanning.
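One way to carry out the check the question's update describes (stop Windows Search, confirm whether tmp.edb is still present and locked) and to act on the VirusTotal suggestion without sending the file off-site, as an added example written for this thread and not code posted by any participant: the script hashes the file and, only if an API key is supplied, queries VirusTotal by hash alone. It assumes an elevated PowerShell 3 or later prompt on Windows 7, the path cited in the question, and a placeholder VT_API_KEY environment variable.

```powershell
# Added example: inspect the Windows Search index file cited in the question
# without uploading it anywhere. Run from an elevated PowerShell prompt.
$edb = 'C:\ProgramData\Microsoft\Search\Data\Applications\Windows\tmp.edb'
$vtApiKey = $env:VT_API_KEY   # assumed placeholder; leave unset to skip the lookup

function Get-EdbState {
    # Report whether the file exists, when it was last written, and whether
    # another process (normally SearchIndexer.exe) still holds it open.
    if (-not (Test-Path -LiteralPath $edb)) { return 'absent' }
    $item = Get-Item -LiteralPath $edb
    try {
        $fs = [System.IO.File]::Open($edb, 'Open', 'Read', 'None')
        $fs.Close(); $locked = $false
    } catch [System.IO.IOException] { $locked = $true }
    return ('present, last written {0}, locked={1}' -f $item.LastWriteTime, $locked)
}

function Get-Sha256 ($path) {
    # Hash the file locally; only this digest ever leaves the machine.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs = [System.IO.File]::OpenRead($path)
    try { return ([BitConverter]::ToString($sha.ComputeHash($fs))).Replace('-', '').ToLower() }
    finally { $fs.Close() }
}

Write-Host "Before stopping WSearch: $(Get-EdbState)"

# Stop the indexer so the file is released; the question reports that the
# file vanishes in safe mode, where WSearch does not run.
Stop-Service -Name WSearch -Force
Write-Host "After stopping WSearch:  $(Get-EdbState)"

if (Test-Path -LiteralPath $edb) {
    $hash = Get-Sha256 $edb
    Write-Host "SHA-256: $hash  (this digest can be searched on VirusTotal; no upload needed)"
    if ($vtApiKey) {
        # Hash-only lookup against VirusTotal API v3. A 404 means the hash is
        # unknown, which is the expected result for a machine-local index file.
        try {
            $r = Invoke-RestMethod -Uri "https://www.virustotal.com/api/v3/files/$hash" `
                                   -Headers @{ 'x-apikey' = $vtApiKey }
            $stats = $r.data.attributes.last_analysis_stats
            Write-Host ('VirusTotal: {0} malicious / {1} undetected' -f $stats.malicious, $stats.undetected)
        } catch { Write-Host "VirusTotal has no record of this hash (or the request failed): $_" }
    }
}

# Restore the service, since the question notes Windows Search is wanted.
Start-Service -Name WSearch
```

A locally rebuilt index file will normally be unknown to VirusTotal, so a 404 on the hash lookup supports the false-positive reading rather than contradicting it.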
