Unknown Cause and Cure?

Old 03-02-2009, 05:01 AM   #1
ColTom2

Hi:

I have a Sony Desktop running XP MCE(2005) SP3 and a Toshiba laptop
running XP Home Edition SP3 and both have the latest Windows Updates.

Yesterday the same thing below happened to both computers:

Apparently something has caused the following file to be created:

C:\WINDOWS\System32\CatRoot2\tmp.edb (file size 1,032kb)

The applicable associated Process is svchost.exe, Path Locked, PID 1388,
Handle 2616, and Process Path C:\WINDOWS\System32\svchost.exe.

The way that I found this file was that I ran a regular Windows Defrag and
afterwards it said that this file could not be defragged because it was in
use. As far as I know I never had this file before and for sure if it did it
never appeared as not being able to be defragged.

I have tried repeatedly to delete the file, but cannot and get the following
Error Deleting File: Cannot delete tmp: It is being used by another process
or program etc.

I suspended svchost.exe PID3188 with Sysinternals Process Explorer and tried
to delete this file, but got the same error deletion notice.

In addition, I scanned the entire CatRoot2 folder with both AV and 4
spyware applications and the results were negative. HijackThis also did not
indicate any abnormalities.

I would be most appreciative if anyone can tell me what caused the creation
of this file and how do I remove it and prevent it from reoccurring. I have
tried everything that I could think of.... Hopefully there is some expert
out there who has the answer!

Thanks,

ColTom2



Old 03-02-2009, 05:01 AM   #2
Pegasus (MVP)


Why do you actually want to delete this file? Just because you can't defrag
it? Remember the old saying - "If it ain't broke, don't fix it!"


Old 03-02-2009, 05:01 AM   #3
ColTom2

I would like to know the background of what caused the creation of this
file, as well as the fix if possible. There has to be a reason and I am
hoping that someone knows.

Thanks



Old 03-02-2009, 05:01 AM   #4
DL

http://support.microsoft.com/kb/822798



Old 03-02-2009, 05:01 AM   #5
PA Bear [MS MVP]

Reboot then try again.



Old 03-02-2009, 05:01 AM   #6
ColTom2

I have rebooted many times, as I have been trying to resolve this for two
days.

Thanks



Old 03-02-2009, 05:01 AM   #7
ColTom2

I have not encountered any program installations or updates that I could not
install so this KB Article I do not think would apply.

Thanks




Old 03-02-2009, 05:01 AM   #8
beamish

Hello,
Found this, http://technet.microsoft.com/en-us/l...EXCHG.65).aspx
take care.
beamish.

Old 03-02-2009, 05:01 AM   #9
Twayne



Well, if you look up temp.edb on Google, you'll find an interesting
range of uses for such a file, all either database or trojan related.
It's possible it's legit if you're using Exchange Server, for instance,
and just wasn't deleted as it was supposed to be. I'll leave it to you
to peruse the many hits for it though, not knowing anything about your
machine.

From the trojan side of things, since one of the Google hits hinted at a
trojan, I looked it up at Bill P Studios and got this:
=========
tmp.edb

Company:
Copyright:
Version:
Path: tmp.edb

Created
First Detected
File Size



Virus Alert – TMP0267.EXE

TMP.0267.exe may have installed on your system as part of the
Trojan.Spabot virus. You'll probably find this in your Windows folder
and may see it associated with "mdetect". This virus spreads via email
and the main function of it seems to be a mail relay used by spammers.
This virus writes a file with the name tmp.***x where the x's are a
series of random numbers.

We'd recommend removing this file using WinPatrol. First, go to your
Active Tasks and kill the file there. Next, go to your Startup Programs
and remove the file there.

Additional background information on this virus can be found at
http://securityresponse.symantec.com...an.spabot.html.

Virus
Remove
=================
It recommends using WinPatrol because Bill P Studios IS WinPatrol, so
.... that's logical. Apparently Norton AV would remove it too, from the
sound of it. IF it's the trojan, etc..

So, that tells me that Symantec/Norton knows about the trojan and it's
probably worth visiting the URL above to see what it says there.
Symantec is always good about having Manual Removal instructions too if
it turns out you actually have the trojan in question.
Actually I probably should have searched there first, since there may
have been a lot more information and more hits about it. Often these
things have a lot of variants to go along with them and if that's known
it'll be detailed there. I'll leave that part of the research to you<g>.

Best of luck, and here's hoping it's not actually a trojan,

Twayne
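
An added example, not part of any post in this thread: a file-name search alone cannot settle whether a locked file is benign, so this Python example gathers the other facts the thread mentions (the file's directory, the image path of the process holding it, and the services sharing that svchost PID). The `tasklist /svc /fo csv` sample is constructed, the regex is one reading of the name pattern in the quoted write-up, and the association of CatRoot2 with the Cryptographic Services service (CryptSvc) is background knowledge rather than something stated in the thread.

```python
import csv
import io
import ntpath
import re

# Constructed sample of `tasklist /svc /fo csv` output; not taken from the thread.
SAMPLE_TASKLIST = (
    '"Image Name","PID","Services"\n'
    '"svchost.exe","1100","DcomLaunch,TermService"\n'
    '"svchost.exe","1388","AudioSrv,CryptSvc,Dhcp,Schedule,wuauserv"\n'
    '"explorer.exe","2020","N/A"\n'
)

# Assumption: the quoted write-up's pattern read as "tmp" + digits + ".exe" (e.g. TMP0267.EXE).
QUOTED_TROJAN_NAME = re.compile(r"^tmp\.?\d+\.exe$", re.IGNORECASE)
SYSTEM_SVCHOST = r"c:\windows\system32\svchost.exe"
CATROOT2_DIR = r"c:\windows\system32\catroot2"


def services_by_pid(tasklist_csv):
    """Map each PID to the list of services hosted in that process."""
    result = {}
    for row in csv.DictReader(io.StringIO(tasklist_csv)):
        names = [s.strip() for s in row["Services"].split(",")]
        result[int(row["PID"])] = [s for s in names if s and s != "N/A"]
    return result


def triage_locked_file(file_path, holder_image, holder_pid, tasklist_csv):
    """Collect the facts that matter more than the file name alone."""
    norm_file = ntpath.normcase(ntpath.normpath(file_path))
    norm_image = ntpath.normcase(ntpath.normpath(holder_image))
    hosted = services_by_pid(tasklist_csv).get(holder_pid, [])
    return {
        # Does the name fit the pattern from the quoted trojan write-up?
        "name_matches_quoted_pattern": bool(
            QUOTED_TROJAN_NAME.match(ntpath.basename(norm_file))
        ),
        # Is the holder the svchost.exe in System32, not a look-alike elsewhere?
        "holder_is_system_svchost": norm_image == SYSTEM_SVCHOST,
        # Is the file directly inside the CatRoot2 directory?
        "in_catroot2": ntpath.dirname(norm_file) == CATROOT2_DIR,
        "hosted_services": hosted,
        "cryptsvc_in_holder": "CryptSvc" in hosted,
    }


if __name__ == "__main__":
    report = triage_locked_file(
        r"C:\WINDOWS\System32\CatRoot2\tmp.edb",
        r"C:\WINDOWS\System32\svchost.exe",
        1388,
        SAMPLE_TASKLIST,
    )
    for key, value in report.items():
        print(f"{key}: {value}")
```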



Old 03-02-2009, 05:01 AM   #10
Twayne

Pegasus (MVP) wrote:
> Why do you actually want to delete this file? Just because you can't
> defrag it? Remember the old saying - "If it ain't broke, don't fix
> it!"


But ... you don't know it ain't broke. If he's been zombie'd or is
being used as a bot of some sort, his machine might not be "broke" from
a user standpoint, but whenever anything isn't "right" in a machine, it
bears investigation. Literally millions of computers are being used as
bots in DOS and DDOS attacks and their users never even have a hint of
anything being wrong. Besides, he stated right up front that he wanted
to know more about it.
Sheesh.

Twayne



Copyright © 2005-2008, TechTalkz.com. All Rights Reserved - Privacy Policy