ErnieSiteList and ErnieUserList

Microsoft Security - Privacy Concerns

I found two unknown directories on my PC in my user profile.  I have, so far, been unable to identify what put them there, which process owns them, and when I delete them (using Admin escalated privileges) they come back after a few minutes or immediately after reboot.

     C:\Users\username\AppData\Local\EmieSiteList\container.dat
     C:\Users\username\AppData\Local\EmieUserList\container.dat
     C:\Users\username\AppData\LocalLow\EmieSiteList\container.dat
     C:\Users\username\AppData\LocalLow\EmieUserList\container.dat

It was time, anyway, so I wiped the drive using factory low-level overwriting and performed a clean install of Windows 8.1 Pro using a freshly downloaded ISO from Microsoft; one with an ESD distribution, written to a new just-out-of-the-bedamned-hardshell-plastic flash drive.

I just completed the clean install, in this sequence:

  1. Boot to flash drive and let Windows create partitions, then install. Reboot. Check AppData; no folders found.
  2. Activate. Check AppData; no folders found.
  3. Run first Update; install everything except Bing Bar and Desktop. Check AppData; no folders found. Reboot. Check AppData; no folders found.
  4. Add Feature Windows Media Center. Check AppData; no folders found. Reboot. Check AppData; no folders found.
  5. Run Updates a second time. Check AppData; no folders found. Reboot. Check AppData; no folders found.
  6. Remove MS C++ v12 x86 and x64 installed during Update. Check AppData; no folders found. Reboot. Check AppData; no folders found.
  7. Download from MSDN (http://msdn.microsoft.com/en-us/vstudio/default) Redistributables MS C++ x86 and x64, 2005, 2008, 2010, and 2012.4 versions, and install in sequence. Check AppData after each install; no folders found. Reboot after each install and check AppData; no folders found.
  8. Run Updates a third time. Response was No Updates Available. Check AppData; no folders found.
  9. Reboot. Check AppData; all four sub-directories are now present.

These sub-directories and dat-files are not, so far, present in the AppData\Roaming directory.

There is nothing except Microsoft Windows 8.1 Pro WMC and the 10 MS C++ packages installed; and MS Silverlight and AMD (videocard) Catalyst Control Center on the machine. Windows Defender is present but is installed as part of Windows 8 and 8.1, and its updates are provided via the MS Update process. All - repeat ALL of these items are provided by Microsoft.

My questions are: What are the ERNIE directories for; what program created them, and what do the various container.dat files "contain"? And . . . if not absolutely necessary, how do I get rid of them and keep them from coming back?

First attempt at Solution:

Permissions are Full for System, UserName, and group Administrators.  The UserName is the Owner, and Effective Permissions for each of the 3 is Full.

Open Command Prompt (Admin):

     C:\Windows\system32>cd\
     C:\>attrib -r -h +s C:\Users\Carl\AppData\Local\EmieSiteList\container.dat
     C:\>attrib -r -h +s C:\Users\Carl\AppData\Local\EmieSiteList
     C:\>attrib -r -h +s C:\Users\Carl\AppData\Local\EmieUserList
     C:\>attrib -r -h +s C:\Users\Carl\AppData\Local\EmieUserList\container.dat
     C:\>attrib -r -h +s C:\Users\Carl\AppData\LocalLow\EmieUserList\container.dat
     C:\>attrib -r -h +s C:\Users\Carl\AppData\LocalLow\EmieUserList
     C:\>attrib -r -h +s C:\Users\Carl\AppData\LocalLow\EmieSiteList
     C:\>attrib -r -h +s C:\Users\Carl\AppData\LocalLow\EmieSiteList\container.dat
     C:\>

BOTH Files and Directories are no longer Hidden.  The Directories still show that the files within are READ-Only, but checking the actual file shows that it is no longer R-O.

I then deleted each of the 4 directories and closed Windows (File) Explorer.

After less than 3 minutes reading pages on the internet (at Microsoft's Ask Windows Community), I opened Windows Explorer to check and found that the sub-directories had re-created themselves in both the Local and LocalLow directories.

The container.dat files were back in the Local sub-dir and after another few minutes, also back in the LocalLow sub-dir.

Both the sub-directories and the container.dat files are once again Super-Hidden.

Analysis using Windows utilities and SysInternals and NirSoft tools has not identified which object or process or service owns these objects.
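As an added example (not part of the original post), a PowerShell check that lists every super-hidden (Hidden + System) folder directly under the profile's AppData\Local and AppData\LocalLow, with attributes, NTFS owner, timestamps and the files inside; it assumes it runs as the affected user so the environment variables resolve to that profile.

```powershell
# Added example (not part of the original post): list every super-hidden
# (Hidden + System) folder directly under AppData\Local and AppData\LocalLow,
# with attributes, NTFS owner, timestamps and the files inside. Assumes it runs
# as the affected user, so $env:LOCALAPPDATA and $env:USERPROFILE point at the
# right profile.
function Find-SuperHiddenAppData {
    param(
        [string[]]$Roots = @($env:LOCALAPPDATA, (Join-Path $env:USERPROFILE 'AppData\LocalLow'))
    )
    # attrib +h +s on a folder sets both bits; require both so ordinary hidden
    # folders are not reported.
    $mask = [IO.FileAttributes]::Hidden -bor [IO.FileAttributes]::System
    foreach ($root in $Roots) {
        # -Force is required: without it Get-ChildItem skips Hidden/System entries.
        Get-ChildItem -LiteralPath $root -Force -Directory -ErrorAction SilentlyContinue |
            Where-Object { ($_.Attributes -band $mask) -eq $mask } |
            ForEach-Object {
                $dir   = $_
                $owner = (Get-Acl -LiteralPath $dir.FullName).Owner
                $files = Get-ChildItem -LiteralPath $dir.FullName -Force -File -ErrorAction SilentlyContinue |
                    ForEach-Object { "$($_.Name) $($_.Length)B attrs=$($_.Attributes) written=$($_.LastWriteTime)" }
                [pscustomobject]@{
                    Path       = $dir.FullName
                    Attributes = $dir.Attributes.ToString()
                    Owner      = $owner
                    Created    = $dir.CreationTime
                    LastWrite  = $dir.LastWriteTime
                    Files      = $files -join '; '
                }
            }
    }
}

Find-SuperHiddenAppData | Format-List
```

The Created timestamp gives the window to watch: a Process Monitor trace filtered on Path contains EmieSiteList, left running across the re-creation, names the process behind the CreateFile that brings the folder back.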

Answer

Hi,

There are many different malware detection and cleaning applications, including Microsoft’s own Malicious Software Removal Tool (MSRT), which is a free download here. The problem with most anti-malware tools is that they rely on malware signatures also known as malware definition updates to detect the malicious code. Whenever a new piece of malware is discovered, the vendor of any Antivirus software has to update the database that is the algorithm to recognize the new malware. Malware authors are prolific, though, and new malware is discovered on a daily basis, so the anti-malware vendors are always one step behind.

That means users are left unprotected against the new threats for some amount of time, depending on how rapidly the vendors can create, test and deploy updates. This is the reason why often one tool will find malware that another misses, and when a threat is brand new, none of the tools may find it. That’s the basis of the “Zero Day” concept – a threat that’s so new there are no protections against it yet in place.

Thus the need for manual malware cleaning methods. Although it’s much more convenient to just run an anti-malware application and hope for the best, if you notice suspicious behavior occurring on your system and those programs can’t find anything wrong, you can delve deeper to find it yourself instead of waiting for the vendors to get the tools updated. You can do that with Sysinternals utilities such as Process Monitor,

Manually Identifying and Cleaning Malware

The steps involved in the manual malware detection and cleaning process are as follows:

  1. Disconnect the machine from the network.
  2. Identify the malicious processes and drivers.
  3. Suspend and terminate the identified processes.
  4. Identify and delete any malware autostarts.
  5. Delete the malware files.
  6. Reboot and repeat.

This can be a multi-step process because malware writers often create very robust software. It’s designed to withstand your efforts to kill it or even morph itself into something entirely different (like a polymorphic virus that changes its virus signature, i.e., its binary pattern, every time it replicates and infects a new file in order to keep from being detected by an antivirus program).

Step one is a precautionary one. Disconnecting from the network prevents your infected machine from infecting others on the network; being disconnected from the network will also enable you to fully observe the malware’s normal actions and completely understand how it works and all that it does.

How do you identify processes that are suspicious? Look for those processes that have no icon, have no descriptive or company name, or that are unsigned Microsoft images. Also focus on those processes that live in the Windows directory, that include strange URLs in their strings, that have open TCP/IP endpoints or that host suspicious DLLs or services (hiding as a DLL instead of a process). Many are packed – compressed or encrypted – and many malware authors write their own packers so you don’t find the common packer signatures. Most malicious software will have some or all of these characteristics.

So how do you go about examining the processes in the first place? Many IT pros would start with the obvious: Task Manager’s Processes tab. Task Manager has been improved in Vista and Windows 7, in comparison to Windows XP. The Description column, which gives you information about what application is using each process, is a welcome feature that’s shown in Figure 1.


Figure 1

You can get additional information in Task Manager by going to the View menu and clicking Select Columns, then checking the boxes you want, as shown in Figure 2.


Figure 2

For example, you can display the image path name to show the full path to the file that’s connected to the process. Or you can check the Command Line box to show the command, with any parameters or switches that was used to launch the process (malware often has strange looking command lines). You can see this additional information in Figure 3.


Figure 3

Another way to get more info about a process in Task Manager is to right click it and select Properties, which will open its Properties dialog box. Here you can see information regarding its file type, location and size, digital signature, copyright information, versioning (most malware doesn’t have version information), permissions, etc. All of this is a good start, but Task Manager still doesn’t give you quite the in-depth look at a process that you can get with a tool such as the Sysinternals Process Explorer.

Using Process Explorer to Identify Malware

Process Explorer is a free 1.47 MB download from the Windows Sysinternals web page on the TechNet site. It runs on Windows XP and above. Current version is 14.1 and you can get it here. You can also run it from this link 

As you can see in Figure 4, it gives you a different view of your processes than what you get with Task Manager.


Figure 4

You’ll notice that in Process Explorer, the process tree in the left column shows parent-child relationships. If one process looks suspicious, related processes may also be. An extremely handy feature is the ability to right click a process and select “Search online” to do a web search for information about the process, as shown in Figure 5.


Figure 5

One thing to keep in mind, though, is that some malware will use pseudo-randomly generated process names, in order to prevent you from finding any information in a search.

To know more about Process Monitor and how to use it to sniff out malware, I suggest you follow this link:

http://blogs.technet.com/b/askperf/archive/2007/06/01/troubleshooting-with-process-monitor.aspx

Remember, though, that malware authors can also get digital certificates for their software, so the existence of a valid certificate does not guarantee that the process isn’t malicious.

Lastly, I would request you to take a look into this link regarding EMIEsitelist and EMIEuserlist hidden directories and dat files:

Hope this information was helpful.

Regards.

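As an added example (not code from the answer above or from Sysinternals), the process heuristics the answer lists, scored in PowerShell: missing description, company or version resource, an Authenticode signature that is not valid or not Microsoft's, and open TCP endpoints; it assumes an elevated prompt on Windows 8 or later so image paths are readable and Get-NetTCPConnection is available.

```powershell
# Added example (not from the original answer): score every running process
# against the heuristics listed above. Run it elevated so image paths are
# readable. The score is a triage aid that sorts odd processes to the top,
# not a verdict.
function Get-ProcessTriage {
    # Command lines come from CIM; Get-Process does not expose them.
    # ProcessId arrives as UInt32, so cast to [int] to match Get-Process Ids as keys.
    $cmdLines = @{}
    Get-CimInstance Win32_Process | ForEach-Object { $cmdLines[[int]$_.ProcessId] = $_.CommandLine }
    # Established TCP connections per owning PID (NetTCPIP module, Windows 8+).
    $tcp = @{}
    Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
        ForEach-Object { $tcp[[int]$_.OwningProcess] = 1 + $tcp[[int]$_.OwningProcess] }

    Get-Process | ForEach-Object {
        $p = $_; $path = $p.Path; $reasons = @()
        if (-not $path) {
            $reasons += 'no readable image path (protected process or access denied)'
        } else {
            # Read the version resource from the file on disk rather than the live module.
            $fvi = [System.Diagnostics.FileVersionInfo]::GetVersionInfo($path)
            if (-not $fvi.FileDescription) { $reasons += 'no description' }
            if (-not $fvi.CompanyName)     { $reasons += 'no company name' }
            if (-not $fvi.FileVersion)     { $reasons += 'no version info' }
            # Files signed only through a catalog can show as NotSigned on older
            # Windows; Sysinternals Sigcheck confirms catalog signatures.
            $sig = Get-AuthenticodeSignature -LiteralPath $path
            if ($sig.Status -ne 'Valid') {
                $reasons += "signature $($sig.Status)"
            } elseif ($sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') {
                # A valid signature only says who signed it, not that it is benign.
                $reasons += "signed by $($sig.SignerCertificate.Subject)"
            }
        }
        if ($tcp[$p.Id]) { $reasons += "$($tcp[$p.Id]) established TCP connection(s)" }
        [pscustomobject]@{
            Score       = $reasons.Count
            PID         = $p.Id
            Name        = $p.ProcessName
            Path        = $path
            CommandLine = $cmdLines[$p.Id]
            Reasons     = $reasons -join '; '
        }
    } | Sort-Object Score -Descending
}

# Show only processes that tripped at least one heuristic.
Get-ProcessTriage | Where-Object { $_.Score -gt 0 } | Format-Table -AutoSize -Wrap
```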

Question Info

Last updated April 19, 2020