How to find what program is using a particular file? (fidbox.dat, fidbox.idx)

Discussion in 'Software' started by On edge, Jan 31, 2009.

  1. On edge

    On edge Corporal

    How can I find out what's using these two hidden files:

    C:\WINDOWS\system32\drivers\fidbox.dat
    C:\WINDOWS\system32\drivers\fidbox.idx

    They are always in use. If I delete them, they come back automatically after reboot, and fidbox.dat keeps growing; I think it was 5GB at one point. I managed to constrain them earlier by deleting them from Recovery Console, and replacing them with empty files with equivalent names and attributes set to hidden, system, and read-only. That way they remained at 0 size, and I experienced no errors or any problems.

    However, recently I tried to run Raxco PerfectDisk 10, but it crashed. I set it to run on boot, which appeared to work (not sure what it actually did). However, in the log files it said (fuller log attached):
    I'm not sure if that error report was from a regular PD10 analysis attempt resulting in a crash, or from the boot-time defrag. In any case, I deleted size-0 dummy fidbox files, but new ones appeared on reboot, fidbox.dat is growing again, and PD10 still doesn't work. Unlocker just says those files are being used by System, but no details as to which system process is behind them.

    I've googled the topic, and came up with something about ZoneAlarm and Kaspersky. I've used freeware products from both companies in the past, but they are long gone; uninstalled and I manually cleaned up all the leftovers I could find.

    How can I find out what program or process is behind these files? Is there a program that can be set to listen in on an active dat-file to find out what processes modify it, read it, use it, ... ?
     


  2. dlb

    dlb MajorGeek

    http://www.majorgeeks.com/Process_Explorer_d4566.html
    http://technet.microsoft.com/en-us/sysinternals/bb896642.aspx
    http://technet.microsoft.com/en-us/sysinternals/bb896652.aspx

    By using a righteous combination of these 3 programs you can track (in real time) which files are doing what, where they write to the registry and hard drive, and the parent processes and programs responsible.... good luck!

    (EDIT- a little research shows that the fidbox files are Kaspersky related; several other security programs use the Kaspersky engine so if you don't use Kaspersky antivirus, it may be one of these other programs using it; I also found references to fidbox and Zone Alarm and the two may be related)
     
  3. On edge

    On edge Corporal

    I ran Process Monitor, which the above links suggested. It gives a lot of info, so I searched for fidbox.dat, and the only process I've caught accessing it so far has been svchost.exe -k netsvcs [PID=1608 yesterday (iirc), and 1504 right now].

    It performed the following operations on fidbox.dat around 2:10pm my time:

    FASTIO_NETWORK_QUERY_OPEN
    IRP_MJ_CREATE
    IRP_MJ_QUERY_INFORMATION
    IRP_MJ_CLEANUP
    IRP_MJ_CLOSE

    Each successful, and taking ~0.00005 seconds on average.

    The same svchost.exe went to perform the same operations on fltmgr.sys, ftdisk.sys, hdaudio.sys, ... all in the drivers folder.

    5 min later I opened Firefox, and svchost again performed a FASTIO_NETWORK_QUERY_OPEN, but nothing else. Last write time is ~2:10pm, so I assume svchost.exe is adding things to fidbox.dat.

    I also ran "svchost viewer," which provided the following (additional?) info:

    The svchost with PID 1504 is using ~14MB of memory (memory use varies; only 6MB when I reloaded svchost viewer).
    Data written = ~7MB
    Data read is = ~15MB
    Active threads = 76
    Running services:
    AudioSrv, Browser, CryptSvc, Dhcp, dmserver, EventSystem, lanmanserver, lanmanworkstation, Netman, Nla, RasMan, Schedule, seclogon, SENS, SharedAccess, ShellHWDetection, TapiSrv, Themes, W32Time, winmgmt, wscsvc, wuauserv, WZCSVC

    Note: I assume the 7MB, for example, is the amount this svchost has written so far this session, and the services are ones that it is responsible for - they are all basic and necessary system services by the way.

    I'm pretty sure that svchost.exe -k netsvcs is not malicious, and all the services seem legit. But fidbox.dat, which started growing from scratch yesterday, is now up to 10MB. Even fidbox.idx has gone up from 6KB to 100KB. (The files accessed by svchost do not appear to be ballooning up.)

    Also worth a note: I've had procmon on while typing this, and I just noticed that svchost had last accessed fidbox.dat at 3:03:09 PM (another FASTIO_NETWORK_QUERY_OPEN). However, the last write time on fidbox.dat is 3:03:03 PM, so I'm wondering whether there was a delay/error in procmon's activity log, or whether it was another process that wrote to fidbox and was not recorded by procmon. fwiw, per procmon's display record, my anti-virus (ravmond.exe) was accessing C:\WINDOWS\system32\wbem\Logs\FrameWork.log from 3:03:02 PM to 3:03:08 PM, so the timing is there, but no mention of fidbox.

    I also noticed that fidbox.dat and fidbox.idx are the only files of their type in my system32\drivers folder. It contains mostly .sys files (about 360 of them) and some .dll, although there are other exceptions too.
     
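    The operations Process Monitor caught above (create, query information, cleanup, close, with no write) are what a scanner does when it stats every file in the drivers folder, and Unlocker attributing the lock to "System" points at kernel-mode code rather than a user-mode process. The PowerShell below is an added example and not code from the thread or from the Sysinternals tools linked above: it lists the services hosted in the svchost PID from Process Monitor (the same view svchost viewer gives), confirms the file is really held open, and then lists running kernel drivers whose binary is not Microsoft's or is named with digits only. The PID, the file path and those two heuristics are assumptions; run it elevated.

```powershell
# Added example, not from the thread: correlate the svchost PID seen in Process Monitor
# with the services it hosts, check the lock on fidbox.dat, and list running kernel
# drivers that are not Microsoft's. PID, path and heuristics are assumptions. Run elevated.
param(
    [int]$SvcHostPid = 1504,
    [string]$File = "$env:SystemRoot\System32\drivers\fidbox.dat"
)

# 1. Which services live in that svchost (the same view svchost viewer / tasklist /svc give).
"Services hosted by PID ${SvcHostPid}:"
Get-CimInstance Win32_Service -Filter "ProcessId = $SvcHostPid" |
    Select-Object Name, DisplayName, State | Format-Table -AutoSize

# 2. Is the file really held open? An exclusive open (FileShare.None) fails with a sharing
#    violation when any process or driver has it open; it confirms "in use", not by whom.
try {
    $fs = [System.IO.File]::Open($File, 'Open', 'Read', 'None')
    $fs.Close()
    "$File is not locked"
} catch [System.IO.IOException] {
    "$File is locked: $($_.Exception.Message)"
}
Get-Item $File -Force | Select-Object Length, LastWriteTime, Attributes | Format-List

# 3. Running kernel drivers. A file only "System" (PID 4) holds open is normally written by
#    kernel code, so flag drivers whose binary is not Microsoft's or is named with digits
#    only (the pattern the thread later found for the leftover Kaspersky driver).
Get-CimInstance Win32_SystemDriver -Filter "State = 'Running'" | ForEach-Object {
    # PathName may be "\??\C:\...", "\SystemRoot\system32\..." or "system32\drivers\x.sys"
    $path = $_.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    if ($path -and -not [System.IO.Path]::IsPathRooted($path)) {
        $path = Join-Path $env:SystemRoot $path
    }
    $vi = if ($path -and (Test-Path $path)) { (Get-Item $path -Force).VersionInfo } else { $null }
    [pscustomobject]@{
        Service     = $_.Name
        File        = $path
        Company     = $vi.CompanyName
        Description = $vi.FileDescription
        NumericName = [System.IO.Path]::GetFileNameWithoutExtension($path) -match '^\d+$'
    }
} | Where-Object { $_.NumericName -or $_.Company -notmatch 'Microsoft' } |
    Sort-Object Company | Format-Table -AutoSize
```

    A driver with no version information at all, or one whose file is missing from disk, is deliberately kept in the third table, since a leftover filter driver is exactly the kind of thing that carries no useful metadata.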
  4. On edge

    On edge Corporal

    I've used Kaspersky's free AVP tool several times, but I never kept it long - just downloaded, installed, ran, and then uninstalled... I'll install it on another computer I have to see if it adds (and leaves behind) fidbox.dat.

    And I previously used ZoneAlarm Firewall (free version 7 or 7.5), but switched to Online Armor about 6 months ago.

    I'm wondering if some program put fidbox.dat in the drivers folder and integrated it into an important system routine to act as a sort of sponge (can .dat files do that?), but then failed to remove it... In any case, I still need to find out how to get rid of it completely since it seems to perform no useful function.
     
  5. On edge

    On edge Corporal

    SOLVED! (i think)

    Turns out I did have some Kaspersky leftovers remaining in the drivers folder and registry. I assume they were pumping up fidbox.

    More details for those interested:

    I originally ran one of those removal tools for Kaspersky Antivirus after a regular uninstall. It didn't find anything, so I thought I was clear. But while looking at the system32\drivers folder, I noticed these entries with names consisting of numbers only, 3782369712.sys or 2327123.dll (not the real names, and there's a legit MS file like that too, so careful). Anyway, these ones were marked (file description) as Kaspersky driver files, so I deleted them.

    My other computer also had fidbox files, but they hadn't been active for a long time. Since they weren't locked, I was able to look at fidbox.dat on that machine. Turns out it contained "FIDD L_; ÀH @ " followed by 5MB worth of space (as viewed by notepad). I guess each time the svchost or something else hit it, it grew by another dot or space, or such... I did a search for the date/time of their creation on that machine and found another leftover file; oem13.inf. It had something to do with FltMgr, "FSFilter Activity Monitor", and "is-U4LEVdrv"... Those terms pop up within legitimate reg keys, but they also led me to a number of leftover Kaspersky entries:

    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\KLIF

    and various LEGACY_is-[8 character] entries across different ControlSets. Values like these:

    LEGACY_KLIF
    LEGACY_IS-M7DMUDRV
    LEGACY_IS-NCT5ODRV
    LEGACY_IS-OLH9UDRV
    LEGACY_IS-5OAF0DRV
    LEGACY_IS-77J93DRV
    LEGACY_IS-223MUDRV

    I deleted the legacy values without a problem, but I had to boot to safe mode before I could delete HKLM\SYSTEM\ControlSet001\Services\KLIF and its subkeys and values.

    Following that I deleted fidbox.dat and fidbox.idx, booted to normal mode, and so far so good. No boot problems, no error messages, and the fidbox files have not reappeared.

    Note: I won't be using Kaspersky AVP Tool again, but apparently (per google findings) there are other anti-malware and firewall utilities that may add fidbox to the drivers folder. Also, I may have messed up the removal myself originally - maybe something went wrong and I used a registry restore (ERUNT) that returned previously cleared values, or maybe I wasn't careful enough regarding potential conflicts with other anti-malware programs I had installed.
     
  6. dallas7

    dallas7 Private E-2

    Here's my experience...

    I had at one point in time used Kaspersky's stand-alone Virus Removal Tool and then uninstalled it.

    I was having all sorts of problems and eventually I traced the issue to an almost 6 gigabyte (!) fidbox.dat file. I could not rename or delete it as it was in use. By that "another application" of course.

    There were no references to Kaspersky or KLIF in my registry.

    I ran Autoruns and under the Everything tab I did a search for Kaspersky and sure enough there was a service running! On my system it was named "is-8E4BRdrv" using 25421555.sys, the latter being found in the drivers folder.

    I deleted the sys file and removed the is-8E4BRdrv key from the registry, rebooted and I was able to delete the two fidbox files! And they haven't been back since.

    BTW, I did look at that .dat file and it was nothing but 6 gigs of ZEROs!!! One huge zero padded text file!!!

    Thanks Kaspersky!! Your products ain't never coming near my systems again.
     
    Last edited: Sep 12, 2009
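    The two posts above found the same leftovers by hand: a kernel service named KLIF or is-XXXXXdrv in Services, a LEGACY_* device entry for it under each ControlSet, a digit-only .sys in the drivers folder, and an oem*.inf that registered an "FSFilter Activity Monitor" filter. The PowerShell below is an added example, not code from the thread, from Kaspersky or from Autoruns: it audits every ControlSet for services matching those patterns or that filter group, resolves the driver binary each points at and reads its company name, checks for the matching Enum\Root\LEGACY_ key, and lists digit-only driver files and oem*.inf files mentioning the group. It only reports; the name patterns are assumptions modelled on the names quoted above, and removal is left to the operator because Enum\Root\LEGACY_* keys are owned by SYSTEM and, as noted above, Services\KLIF needed Safe Mode to delete.

```powershell
# Added example, not from the thread: audit all ControlSets for leftover file-system filter
# services of the kind found above (KLIF, is-XXXXXdrv, group "FSFilter Activity Monitor"),
# their LEGACY_* device entries, the driver binaries they point at, digit-only driver files,
# and oem*.inf files that installed such a filter. Report only. Patterns are assumptions.
param(
    [string[]]$NamePatterns = @('^KLIF$', '^is-[0-9A-Z]{5}drv$'),
    [string]$FilterGroup = 'FSFilter Activity Monitor'
)
$driversDir = Join-Path $env:SystemRoot 'System32\drivers'

function Resolve-ImagePath([string]$p) {
    # ImagePath may be "\??\C:\...", "\SystemRoot\system32\..." or "system32\drivers\x.sys"
    if (-not $p) { return $null }
    $p = $p -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    if (-not [System.IO.Path]::IsPathRooted($p)) { $p = Join-Path $env:SystemRoot $p }
    return $p
}

$findings = foreach ($cs in Get-ChildItem 'HKLM:\SYSTEM' | Where-Object { $_.PSChildName -match '^ControlSet\d{3}$' }) {
    $services = Get-ChildItem (Join-Path $cs.PSPath 'Services') -ErrorAction SilentlyContinue
    foreach ($svc in $services) {
        $p = Get-ItemProperty $svc.PSPath -ErrorAction SilentlyContinue
        $nameHit  = $NamePatterns | Where-Object { $svc.PSChildName -match $_ }
        $groupHit = ($p.Group -eq $FilterGroup)
        if (-not ($nameHit -or $groupHit)) { continue }

        $img = Resolve-ImagePath $p.ImagePath
        $vi  = if ($img -and (Test-Path $img)) { (Get-Item $img -Force).VersionInfo } else { $null }
        # Every kernel service also gets a device instance under Enum\Root\LEGACY_<NAME>
        $legacy = Join-Path $cs.PSPath ('Enum\Root\LEGACY_' + $svc.PSChildName.ToUpper())
        [pscustomobject]@{
            ControlSet = $cs.PSChildName
            Service    = $svc.PSChildName
            Group      = $p.Group
            Start      = $p.Start              # 0 boot, 1 system, 2 auto, 3 manual, 4 disabled
            ImagePath  = $img
            FileExists = [bool]($img -and (Test-Path $img))
            Company    = $vi.CompanyName
            LegacyKey  = if (Test-Path $legacy -ErrorAction SilentlyContinue) { $legacy } else { $null }
        }
    }
}
"Filter-driver services matching the patterns:"
$findings | Format-List

"Digit-only driver binaries in ${driversDir}:"
Get-ChildItem "$driversDir\*" -Force -Include *.sys,*.dll |
    Where-Object { $_.BaseName -match '^\d+$' } |
    Select-Object Name, Length, LastWriteTime,
        @{ n = 'Company'; e = { $_.VersionInfo.CompanyName } },
        @{ n = 'Description'; e = { $_.VersionInfo.FileDescription } } | Format-Table -AutoSize

"oem*.inf files that install a '$FilterGroup' filter:"
Select-String -Path "$env:SystemRoot\inf\oem*.inf" -Pattern $FilterGroup -SimpleMatch -ErrorAction SilentlyContinue |
    Select-Object Path, LineNumber, Line | Format-Table -AutoSize
```

    Treat a hit as a lead, not a verdict: Microsoft's own drivers can belong to the same filter group, and there is a legitimate Microsoft file with a numeric-looking name in the drivers folder, so check the Company and Description columns before deleting anything, and keep a registry backup as the first post describes.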
  7. ~Q~

    ~Q~ Command Sergeant Major

    It is not really fair to blame Kaspersky when it comes to the virus removal tools, as you're either already infected when you use it or you're using a tool you shouldn't be.

    Q
     
  8. dallas7

    dallas7 Private E-2

    This thread isn't about an infected system or the use of an appropriate tool. It's about the Kaspersky uninstaller failing to remove a hidden driver and a hidden cryptic system file that continues to write a hidden zero padded file (fidbox.dat) with no size limitation deep in the Windows system file structure. A simple google search of "fidbox" reveals this is a major issue affecting a wide spectrum of users to this day for years. Darn straight I can blame Kaspersky!

    I posted up my fix here so as to juxtapose it against On edge's experience in the hopes it will help some one else whose system got hosed - as The Major ranks high in google hits.
     
  9. ~Q~

    ~Q~ Command Sergeant Major

    No, but my post, where I used it as an example, is.

    Yes, it is a known problem and ideally it would not happen at all, but the point I made is that to be in a situation where you need to use those virus-removal-tools means that your system is already infected and probably damaged. It's hard to program for every possibility in every set-up, let alone when you throw in the variables of a malware damaged OS.

    So there are always going to be bugs and casualties of malware removal, but it is not really fair to blame Kaspersky; they are trying to help you fix the damage that another piece of code caused.


    I'm sure it will help and I'm sure it is appreciated, the more opinions the better IMO :)


    Q
     
