Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Do You Recognize This File, Please?


  • Please log in to reply
23 replies to this topic

#1 Reena

Reena

  • Members
  • 391 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:UK
  • Local time:02:25 PM

Posted 19 February 2008 - 07:59 AM

I use WinPatrol Plus, a programme I like. It gives me information, or a link to information, about most of the files on my system..
Whilst glancing through my hidden files this morning I came across this one.

ebcaeb1_r.dll

WinPatrol admitted it was not known to them. Google returned not a single answer, unless I mis-typed the file name. I did check carefully.

Do you know what it is and does, please? It is in C:\Windows \ System 32.

Windows XP
IE7 and Firefox
ZoneAlarm Pro
AVG

My thanks.

Edited by Reena, 19 February 2008 - 02:45 PM.


BC AdBot (Login to Remove)

 


#2 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 36,962 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:10:25 AM

Posted 19 February 2008 - 12:18 PM

Hello Reena,

When you have a file that you don't recognize, it's a good idea to submit it to JottiScan and VirusTotal for additional analysis. Please post the results from the scans in your next reply and indicate which is from Jotti and which from VirusTotal.

Orange Blossom :thumbsup:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#3 Reena

Reena
  • Topic Starter

  • Members
  • 391 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:UK
  • Local time:02:25 PM

Posted 19 February 2008 - 03:28 PM

Thank you, I tried that but as it is a hidden file I could not find how to get it to these two programmes.

I have found the following:

ebcaeb1_r
ebcaeb1_r.dll
Path: C:\WINDOWS\system32\ebcaeb1_r.dll
First Detected by WinPatrol: 01/17/2008 21:29
Click for Plus Info

The latter is no help as nothing is known. However it does say in the Information section:

QUOTE If the program you're looking at doesn't include a company name or version number we recommend caution.
If the filename is made up of random characters like PDQDLIXKF.DLL or WINKaghye.exe we recommend you disable this program and rebootUNQUOTE.

It also warns :

The program you requested was not found in our database.
This doesn't necessarily mean you should remove this program.

I did checkout Properties . It said : Application Extension
Opens with Unknown Application
Size : 23 bytes
Size on Disk : 4.00 KB

Created 4th Jan 2008


To be honest, I am tempted to "delete" this file and hope for the best. If something doesn't work as a result at least I'll know it's needed!!

Edited by Reena, 19 February 2008 - 03:37 PM.


#4 OleGreyGhost

OleGreyGhost

  • Members
  • 22 posts
  • OFFLINE
  •  
  • Local time:09:25 AM

Posted 20 February 2008 - 02:57 AM

Hi Reena,

Concerning your mysterious file " ebcaeb1_r.dll "

Thank you, I tried that but as it is a hidden file I could not find how to get it to these two programmes.


You can unhide the file.
Open up a DOS window with the command prompt.
Navigate to the C:\WINDOWS\system32 directory.
Type in the command: Attrib -s -h ebcaeb_r.dll.
Then exit back to windows.

This should make the file visible to windows expolrer. You will be able to ship the file to he two locations suggested by Orange Blossom and report back the findings as suggested.

Regards, OleGreyGhost
IntelŪ PentiumŪ 4 CPU 3.20GHz (2 CPUs) ^ Memory: 2048MB RAM Kingston PC 3200 CL3
Epox 4PLAI (Rev 1.3) Breeds Hill Chipset ^ AwardBIOS v6.00PG ^ 2x200Gig HD(4 logical drives)
eVga GeForce 7800 GS (AGP) Mem: 256 MB GDDR3 DirectX 9.0c (4.09.0000.0904)
Operating Windows XP Professional (5.1, Build 2600) Service Pack 2 (Oem)
ZA Security Suite^Spyware Detector^Max Reg Cleaner^Ad Aware 2007^Spybot S&D and CCleaner.

#5 Reena

Reena
  • Topic Starter

  • Members
  • 391 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:UK
  • Local time:02:25 PM

Posted 22 February 2008 - 10:50 AM

OleGreyGhost, I know you open up DOS with the cmd prompt but I don't know what to do next and I am reluctant to just go ahead and guess!

#6 garmanma

garmanma

    Computer Masochist


  • Members
  • 27,809 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Cleveland, Ohio
  • Local time:10:25 AM

Posted 22 February 2008 - 01:54 PM

OleGreyGhost, I know you open up DOS with the cmd prompt but I don't know what to do next and I am reluctant to just go ahead and guess!

Show hidden files:
http://www.bleepingcomputer.com/tutorials
Mark
Posted Image
why won't my laptop work?

Having grandkids is God's way of giving you a 2nd chance because you were too busy working your butt off the 1st time around
Do not send me PMs with problems that should be posted in the forums. Keep it in the forums, so everyone benefits
Become a BleepingComputer fan: Facebook and Twitter

#7 Reena

Reena
  • Topic Starter

  • Members
  • 391 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:UK
  • Local time:02:25 PM

Posted 22 February 2008 - 03:38 PM

Thank you, Garmanma. It doesn't show up, strangely, so I can't understand why Winpatrol listed it.

#8 usasma

usasma

    Still visually handicapped (avatar is memory developed by my Dad


  • BSOD Kernel Dump Expert
  • 25,091 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Southeastern CT, USA
  • Local time:10:25 AM

Posted 22 February 2008 - 03:44 PM

While I'm not familiar with WinPatrol, some programs will reflect things that are located in "Quarantine". Could this be the case with your system?
My browser caused a flood of traffic, sio my IP address was banned. Hope to fix it soon. Will get back to posting as soon as Im able.

- John  (my website: http://www.carrona.org/ )**If you need a more detailed explanation, please ask for it. I have the Knack. **  If I haven't replied in 48 hours, please send me a message. My eye problems have recently increased and I'm having difficult reading posts. (23 Nov 2017)FYI - I am completely blind in the right eye and ~30% blind in the left eye.<p>If the eye problems get worse suddenly, I may not be able to respond.If that's the case and help is needed, please PM a staff member for assistance.

#9 Reena

Reena
  • Topic Starter

  • Members
  • 391 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:UK
  • Local time:02:25 PM

Posted 22 February 2008 - 06:16 PM

Hello, John.

I will check more thoroughly tomorrow. I am in the UK and it is late here!

#10 OleGreyGhost

OleGreyGhost

  • Members
  • 22 posts
  • OFFLINE
  •  
  • Local time:09:25 AM

Posted 23 February 2008 - 02:40 AM

Hi Reena,

Sorry I am so slow to respond.

If you followed Garmanmas' suggestion and it is not showing up, the question becomes does Winpatrol have a quarantine feature? Or did you use any other security program to check for malware. Did that program have a quarantine feature? If the answer is yes, then un-quarantine the dll to return it to its' directory (in this case system32).
If you still cannot locate the file then try my method below:

What i mean by navigate is to change directories.
Usually when entering a dos window, you will find yourself at C:\ Documents and Settings\your computer name.
Return to the root directory by typing in what is between the quotes "cd \", make sure you put in the space before the back slash.
You should be at the C: prompt.
Then type in "cd \windows\system32", but not the quotes.
You should now see your blinking cursor after C:\windows\system32.
At this point you would use the attrib command by typing what is between the quotes. 'Attrib -s -h -r ebcaeb_r.dll".
(I added the -r parameter so you would be able to delete the file, when you determine the appropriate action to take).
Then type in "dir /p". This will give you a listing of all the files in the system32 directory, one page at a time, pausing after each page. Just hit any key to bring up the next page.

Hope this works for you.

Regards, OleGreyGhost
IntelŪ PentiumŪ 4 CPU 3.20GHz (2 CPUs) ^ Memory: 2048MB RAM Kingston PC 3200 CL3
Epox 4PLAI (Rev 1.3) Breeds Hill Chipset ^ AwardBIOS v6.00PG ^ 2x200Gig HD(4 logical drives)
eVga GeForce 7800 GS (AGP) Mem: 256 MB GDDR3 DirectX 9.0c (4.09.0000.0904)
Operating Windows XP Professional (5.1, Build 2600) Service Pack 2 (Oem)
ZA Security Suite^Spyware Detector^Max Reg Cleaner^Ad Aware 2007^Spybot S&D and CCleaner.

#11 Reena

Reena
  • Topic Starter

  • Members
  • 391 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:UK
  • Local time:02:25 PM

Posted 23 February 2008 - 06:38 AM

Thank you. This worked as far as the 'Attrib -s -h -r ebcaeb_r.dll entry. Then I got "Cannot find the path specified".

Will check the Quarantine suggestion.

#12 Reena

Reena
  • Topic Starter

  • Members
  • 391 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:UK
  • Local time:02:25 PM

Posted 24 February 2008 - 07:45 AM

No, nothing in Quarantine!

#13 M...

M...

  • Members
  • 386 posts
  • OFFLINE
  •  
  • Local time:06:25 AM

Posted 24 February 2008 - 08:57 AM

Hello Reena,

In your earlier posts, you said the file was named ebcaeb1_r.dll, located at C:\WINDOWS\system32\ebcaeb1_r.dll

In later posts, where you used the attrib command, you attempted to manipulate a file called ebcaeb_r.dll, as in Attrib -s -h -r ebcaeb_r.dll

Try the attrib command again (using the process described above), but this time specify Attrib -s -h -r ebcaeb1_r.dll (i.e., don't forget the 1 following the b in the file name).

#14 usasma

usasma

    Still visually handicapped (avatar is memory developed by my Dad


  • BSOD Kernel Dump Expert
  • 25,091 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Southeastern CT, USA
  • Local time:10:25 AM

Posted 24 February 2008 - 09:32 AM

Nice catch M...! :thumbsup:
My browser caused a flood of traffic, sio my IP address was banned. Hope to fix it soon. Will get back to posting as soon as Im able.

- John  (my website: http://www.carrona.org/ )**If you need a more detailed explanation, please ask for it. I have the Knack. **  If I haven't replied in 48 hours, please send me a message. My eye problems have recently increased and I'm having difficult reading posts. (23 Nov 2017)FYI - I am completely blind in the right eye and ~30% blind in the left eye.<p>If the eye problems get worse suddenly, I may not be able to respond.If that's the case and help is needed, please PM a staff member for assistance.

#15 Reena

Reena
  • Topic Starter

  • Members
  • 391 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:UK
  • Local time:02:25 PM

Posted 24 February 2008 - 10:59 AM

John commented : Nice catch M...!
Thanks, M.




I copied and pasted and so left out the 1 in my posting.However, I did use the correct format when I followed the directions. I checked again to be sure and the official comment is:

"Not recognised as an internal or external command, operable programme or batch file".




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users