Unknown Cause and Cure?


ColTom2

Hi:

I have a Sony Desktop running XP MCE(2005) SP3 and a Toshiba laptop
running XP Home Edition SP3 and both have the latest Windows Updates.

Yesterday the same thing below happened to both computers:

Apparently something has caused the following file to be created:

C:\WINDOWS\System32\CatRoot2\tmp.edb (file size 1,032kb)

The applicable associated Process is svchost.exe, Path Locked, PID 1388,
Handle 2616, and Process Path C:\WINDOWS\System32\svchost.exe.

The way that I found this file was that I ran a regular Windows Defrag and
afterwards it said that this file could not be defragged because it was in
use. As far as I know I never had this file before and for sure if it did it
never appeared as not being able to be defragged.

I have tried repeatedly to delete the file, but cannot and get the following
Error Deleting File: Cannot delete tmp: It is being used by another process
or program etc.

I suspended svchost.exe PID 3188 with Sysinternals Process Explorer and tried
to delete this file, but got the same error deletion notice.

In addition, I scanned the entire CatRoot2 folder with both AV and 4
spyware applications and the results were negative. HijackThis also did not
indicate any abnormalities.

I would be most appreciative if anyone can tell me what caused the creation
of this file and how I remove it and prevent it from recurring. I have
tried everything that I could think of. Hopefully there is some expert
out there who has the answer!

Thanks,

ColTom2
 
ColTom2 said:
Hi:

I have a Sony Desktop running XP MCE(2005) SP3 and a Toshiba laptop
running XP Home Edition SP3 and both have the latest Windows Updates.

Yesterday the same thing below happened to both computers:

Apparently something has caused the following file to be created:

C:\WINDOWS\System32\CatRoot2\tmp.edb (file size 1,032kb)

The applicable associated Process is svchost.exe, Path Locked, PID 1388,
Handle 2616, and Process Path C:\WINDOWS\System32\svchost.exe.

The way that I found this file was that I ran a regular Windows Defrag and
afterwards it said that this file could not be defragged because it was in
use. As far as I know I never had this file before and for sure if it did it
never appeared as not being able to be defragged.

I have tried repeatedly to delete the file, but cannot and get the following
Error Deleting File: Cannot delete tmp: It is being used by another process
or program etc.

I suspended svchost.exe PID 3188 with Sysinternals Process Explorer and tried
to delete this file, but got the same error deletion notice.

In addition, I scanned the entire CatRoot2 folder with both AV and 4
spyware applications and the results were negative. HijackThis also did not
indicate any abnormalities.

I would be most appreciative if anyone can tell me what caused the creation
of this file and how I remove it and prevent it from recurring. I have
tried everything that I could think of. Hopefully there is some expert
out there who has the answer!

Thanks,

ColTom2

Why do you actually want to delete this file? Just because you can't defrag
it? Remember the old saying: "If it ain't broke, don't fix it!"
 
I would like to know the background of what caused the creation of this
file, as well as the fix if possible. There has to be a reason and I am
hoping that someone knows.

Thanks



ColTom2 said:
Hi:

I have a Sony Desktop running XP MCE(2005) SP3 and a Toshiba laptop
running XP Home Edition SP3 and both have the latest Windows Updates.

Yesterday the same thing below happened to both computers:

Apparently something has caused the following file to be created:

C:\WINDOWS\System32\CatRoot2\tmp.edb (file size 1,032kb)

The applicable associated Process is svchost.exe, Path Locked, PID 1388,
Handle 2616, and Process Path C:\WINDOWS\System32\svchost.exe.

The way that I found this file was that I ran a regular Windows Defrag and
afterwards it said that this file could not be defragged because it was in
use. As far as I know I never had this file before and for sure if it did it
never appeared as not being able to be defragged.

I have tried repeatedly to delete the file, but cannot and get the following
Error Deleting File: Cannot delete tmp: It is being used by another process
or program etc.

I suspended svchost.exe PID 3188 with Sysinternals Process Explorer and tried
to delete this file, but got the same error deletion notice.

In addition, I scanned the entire CatRoot2 folder with both AV and 4
spyware applications and the results were negative. HijackThis also did not
indicate any abnormalities.

I would be most appreciative if anyone can tell me what caused the creation
of this file and how I remove it and prevent it from recurring. I have
tried everything that I could think of. Hopefully there is some expert
out there who has the answer!

Thanks,

ColTom2

Why do you actually want to delete this file? Just because you can't defrag
it? Remember the old saying: "If it ain't broke, don't fix it!"
 
http://support.microsoft.com/kb/822798

ColTom2 said:
I would like to know the background of what caused the creation of this
file, as well as the fix if possible. There has to be a reason and I am
hoping that someone knows.

Thanks





Why do you actually want to delete this file? Just because you can't defrag
it? Remember the old saying: "If it ain't broke, don't fix it!"
 
I have rebooted many times, as I have been trying to resolve this for two
days.

Thanks


Reboot then try again.
 
ColTom2 said:
Hi:

I have a Sony Desktop running XP MCE(2005) SP3 and a Toshiba laptop
running XP Home Edition SP3 and both have the latest Windows Updates.

Yesterday the same thing below happened to both computers:

Apparently something has caused the following file to be created:

C:\WINDOWS\System32\CatRoot2\tmp.edb (file size 1,032kb)

The applicable associated Process is svchost.exe, Path Locked, PID
1388, Handle 2616, and Process Path C:\WINDOWS\System32\svchost.exe.

The way that I found this file was that I ran a regular Windows
Defrag and afterwards it said that this file could not be defragged
because it was in use. As far as I know I never had this file before
and for sure if it did it never appeared as not being able to be
defragged.

I have tried repeatedly to delete the file, but cannot and get the
following Error Deleting File: Cannot delete tmp: It is being used by
another process or program etc.

I suspended svchost.exe PID 3188 with Sysinternals Process Explorer
and tried to delete this file, but got the same error deletion notice.

In addition, I scanned the entire CatRoot2 folder with both AV and 4
spyware applications and the results were negative. HijackThis also
did not indicate any abnormalities.

I would be most appreciative if anyone can tell me what caused the
creation of this file and how I remove it and prevent it from
recurring. I have tried everything that I could think of.
Hopefully there is some expert out there who has the answer!

Thanks,

ColTom2

Well, if you look up tmp.edb on Google, you'll find an interesting
range of uses for such a file, all either database or trojan related.
It's possible it's legit if you're using Exchange Server, for instance,
and it just wasn't deleted as it was supposed to be. I'll leave it to you
to peruse the many hits for it though, not knowing anything about your
machine.

From the trojan side of things, since one of the Google hits hinted at a
trojan, I looked it up at Bill P Studios and got this:
=========
tmp.edb

Virus Alert – TMP0267.EXE

TMP.0267.exe may have installed on your system as part of the
Trojan.Spabot virus. You'll probably find this in your Windows folder
and may see it associated with "mdetect". This virus spreads via email
and the main function of it seems to be a mail relay used by spammers.
This virus writes a file with the name tmp.xxxx where the x's are a
series of random numbers.

We'd recommend removing this file using WinPatrol. First, go to your
Active Tasks and kill the file there. Next, go to your Startup Programs
and remove the file there.

Additional background information on this virus can be found at
http://securityresponse.symantec.com/avcenter/venc/data/trojan.spabot.html.

=================
It recommends using WinPatrol because Bill P Studios IS WinPatrol, so
... that's logical. Apparently Norton AV would remove it too, from the
sound of it. IF it's the trojan, etc.

So, that tells me that Symantec/Norton knows about the trojan and it's
probably worth visiting the URL above to see what it says there.
Symantec is always good about having Manual Removal instructions too if
it turns out you actually have the trojan in question.
Actually I probably should have searched there first, since there may
have been a lot more information and more hits about it. Often these
things have a lot of variants to go along with them and if that's known
it'll be detailed there. I'll leave that part of the research to you <g>.

Best of luck, and here's hoping it's not actually a trojan,

Twayne
 
Pegasus said:
Why do you actually want to delete this file? Just because you can't
defrag it? Remember the old saying: "If it ain't broke, don't fix
it!"

But ... you don't know it ain't broke. If he's been zombie'd or is
being used as a bot of some sort, his machine might not be "broke" from
a user standpoint, but whenever anything isn't "right" in a machine, it
bears investigation. Literally millions of computers are being used as
bots in DOS and DDOS attacks and their users never even have a hint of
anything being wrong. Besides, he stated right up front that he wanted
to know more about it.
Sheesh.

Twayne
 
ColTom2 said:
I have rebooted many times, as I have been trying to resolve this for
two days.

Thanks


Reboot then try again.

It might be worth examining your firewall and router logs in the event
this does turn out to be some sort of trojan as mentioned earlier.
Often they'll show there and if you're lucky they'll show as blocked.

Twayne
 
ColTom2 said:
This appears to mainly be directed to Exchange Servers which I do not
believe is applicable in this case.

Thanks





Hello,
Found this,
http://technet.microsoft.com/en-us/library/bb124808(EXCHG.65).aspx
take care.
beamish.

Hello,
Using Windows XP Home SP3. I could not locate a tmp.edb file.
Agree, though it was of interest concerning the use of .edb.
Have you searched for .edb files?
I have found many logs with this extension, plus edb.dll and edb.chk.
Locations: CatRoot2, Software Data Base and PC Health.
This seems to be an extension that is used by Windows
for several purposes, including Windows Update installations.
The tmp.edb may be a corrupted file or some malware.
Have you unchecked "hide protected operating system files"?
Then tried a third-party utility like "Unlocker" or a
rename utility, followed by rebooting?
take care.
beamish.
 
Pursuant to that first link to the KB article you were given: the article
deals with the inability to install updates due to the corruption of the .cat
(catalog) files or the edb database that keeps track of them.

So, are you having problems installing updates?

edb is the name of the so-called "Jet" database MSFT uses for all sorts of
things: Exchange, as you noticed, but also Active Directory and others. The
edb logs are a record of changes made to one of those databases; tmp.edb
files are temporary versions of the database. For some reason, the tmp file
did not get deleted. So the question is: are you having any problems since
it showed up?

If you have scanned it and it shows clean, you can follow the procedures in the
KB article to get rid of it, or a simpler version here:
http://forums.techarena.in/windows-xp-support/338095.htm

Or, again, if scanned and no malware found, you can forget about it. I have
no way of knowing what event caused its creation. Generally, some sort of
problem, apparently minor, since you didn't notice it.

By the way, are you trying to delete it with an administrator account? If so, and
you still want to delete it, right-click the file, Properties, Security,
Advanced, Owner, and then take ownership if you do not already have it.

Mike
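Two replies above (beamish's and Mike's) make the same point from different angles: .edb is the Jet/ESE database format Windows uses for CatRoot2 and Windows Update, and a stray tmp.edb is either a leftover temporary database or something else wearing the extension. Before deleting or renaming, a practitioner would want to confirm which. The script below is an added example, not code from any poster in the thread or from Microsoft: it reads the first page of a file and decodes the ESE header fields (signature, file type, database state, page size, the Windows version that last wrote it), then flags a PE executable hiding behind the extension or a file whose size is not a whole number of pages. Field offsets follow the public libesedb description of the ESE header; the sample header and the "MZ" stub are constructed inline so the script runs offline, and the assumed 258-page length is simply a constructed value, not a measurement of the poster's file.

```python
"""Triage a file with an .edb extension by decoding its ESE (JET Blue) header.

Added example for the thread above; not code from any poster or from Microsoft.
Header field offsets follow the public libesedb format description. The header
checksum at offset 0 is deliberately not verified here.
"""
import os
import struct
from dataclasses import dataclass
from typing import List, Optional

ESE_SIGNATURE = 0x89ABCDEF  # little-endian dword at byte offset 4 of every ESE database
FILE_TYPES = {0: "database", 1: "streaming file"}
DB_STATES = {1: "just created", 2: "dirty shutdown", 3: "clean shutdown",
             4: "being converted", 5: "force detach"}
VALID_PAGE_SIZES = {2048, 4096, 8192, 16384, 32768}


@dataclass
class EdbHeader:
    format_version: int
    file_type: int
    db_state: int
    page_size: int
    windows_version: tuple  # (major, minor, build, service pack) of the last writer


def parse_header(data: bytes) -> Optional[EdbHeader]:
    """Decode the ESE header, or return None if the bytes are not an ESE database."""
    if len(data) < 240:
        return None
    signature, format_version, file_type = struct.unpack_from("<III", data, 4)
    if signature != ESE_SIGNATURE:
        return None
    (db_state,) = struct.unpack_from("<I", data, 52)
    win_version = struct.unpack_from("<IIII", data, 216)
    (page_size,) = struct.unpack_from("<I", data, 236)
    return EdbHeader(format_version, file_type, db_state, page_size, win_version)


def triage(data: bytes, file_size: int) -> List[str]:
    """Classify a file carrying the .edb extension and list anything odd about it."""
    findings: List[str] = []
    header = parse_header(data)
    if header is None:
        if data[:2] == b"MZ":
            findings.append("PE executable disguised with an .edb extension")
        else:
            findings.append("no ESE signature: not a JET Blue database")
        return findings
    findings.append(
        f"ESE {FILE_TYPES.get(header.file_type, 'unknown type')}, "
        f"format 0x{header.format_version:x}, "
        f"state: {DB_STATES.get(header.db_state, 'unknown')}"
    )
    major, minor, build, sp = header.windows_version
    findings.append(f"last written by Windows {major}.{minor} build {build} SP{sp}")
    if header.page_size not in VALID_PAGE_SIZES:
        findings.append(f"unusual page size {header.page_size}")
    elif file_size < 2 * header.page_size or file_size % header.page_size:
        # A real database is a header page, a shadow header page, then data pages.
        findings.append("file size is not a whole number of pages: truncated or corrupt")
    if header.db_state == 2:
        findings.append("dirty shutdown: the engine was still using it or crashed; not by itself malware")
    return findings


def triage_path(path: str) -> List[str]:
    """Run the triage on a real file (copy it first if the engine still holds it open)."""
    with open(path, "rb") as fh:
        head = fh.read(4096)
    return triage(head, os.path.getsize(path))


def make_sample_edb(page_size: int = 4096, db_state: int = 3) -> bytes:
    """Constructed sample: a header page shaped like an XP SP3 Jet database (assumed values)."""
    header = bytearray(page_size)
    struct.pack_into("<III", header, 4, ESE_SIGNATURE, 0x620, 0)  # signature, format, database
    struct.pack_into("<I", header, 52, db_state)
    struct.pack_into("<IIII", header, 216, 5, 1, 2600, 3)         # Windows 5.1 build 2600 SP3
    struct.pack_into("<I", header, 236, page_size)
    return bytes(header)


# Constructed inputs: a clean database of 258 assumed pages, and the first bytes of an executable.
SAMPLE_EDB = make_sample_edb()
SAMPLE_EDB_SIZE = 258 * 4096
SAMPLE_PE = b"MZ\x90\x00" + b"\x00" * 60

if __name__ == "__main__":
    for line in triage(SAMPLE_EDB, SAMPLE_EDB_SIZE) + triage(SAMPLE_PE, len(SAMPLE_PE)):
        print(line)
```

A genuine but locked tmp.edb will refuse to open for reading with a sharing violation as long as the ESE engine inside the hosting svchost.exe has it; that refusal is itself consistent with Mike's explanation, and the file can be inspected after the KB 822798 procedure releases it or from an offline copy of the disk. A header that decodes cleanly with a sane page size and a Windows 5.1 writer is the "leftover temporary database" case; an "MZ" prefix or no signature at all is the case where the antivirus rescans and the Symantec write-up linked earlier become relevant.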
 