
Topic: WinMgmt *.MOF and Catroot2\dberr errors, oem43.cat and 6 MB catdb bloat anomaly.


ALAN_BR

    I think a bit of XP Home died when Comodo Firewall 3.05 was uninstalled on 01/01/2009.

    At 16:47:31 pagefile.sys was initialised upon a reboot to complete the removal.
    From 16:48:53 to 16:49:13 there were 51 off new *.MOF files in System32\wbem\AutoRecover
    Before this incident there were only 11 files with very old time stamps.
    Of these 11 :-
    4 survived without change
    7 were updated and halved in size, and given new timestamps
    and 44 brand new files arrived from nowhere.

    At 16:49:12 Application Event log shows 4 off WinMgmt errors (while recovering repository file)
    C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V1.1.4322\ASPNET.MOF
    C:\AC30D119A40F2C8C8708A20576\I386\LICWMI.MOF
    C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V3.0\WINDOWS COMMUNICATIONFOUNDATION\SERVICEMODEL.MOF
    C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\ASPNET.MOF

    Before installing new protection I inspected the event log for errors and saw this WinMgmt stuff, and realised that, much as I feared, COMODO had hooked into the system to resist eviction by malware, and hung on too hard during removal.
    I hoped that "while recovering repository file" indicated some sort of recovery process,
    and I rebooted several times without further errors and hoped that indicated full recovery had been achieved.

    I then installed Comodo CIS v3.10 (Firewall plus Anti-virus etc.) and all seemed well.

    Several days later I compared C:\ with an image taken just before removal.
    That is when I spotted those 51 off new *.MOF files and guessed they related to 4 WinMgmt errors.
    Then horror of horrors, I saw C:\WINDOWS\system32\CatRoot2\dberr.txt going berserk.
    Suddenly, after Comodo CIS v3.10 was fully installed and rebooted, it reported, e.g.
    CatalogDB: 21:21:22 09/09/2009: File #2 at line #1236 encountered error 0x00000057
    CatalogDB: 21:51:32 09/09/2009: File #2 at line #1236 encountered error 0x00000057
    There are perhaps half a dozen such errors upon a reboot, and then at 1810 second intervals another such error is appended.

    In spite of all these errors, it still captured the normal information from a Patch Tuesday update a few weeks ago.
    I see no further system / application event log errors.

    It looks like everything sort of works, but it just isn't right, and I don't know if XP will capsize and sink.

    I think a bit of XP was torn out when Comodo 3.05 was removed, and nothing needed that bit of XP until Comodo 3.10 was installed, and then the dberr.txt errors started and continue no matter what I have done since.

    Comodo support have admitted to the "File #2 at line #1236" errors as something that has been seen with Vista, but not with XP, and advised that the subsequent v3.11 has fixed the problem.  I updated to v3.11 and this problem continues in XP.

    I was advised it could be catroot2 corruption. I learnt to delete Catroot2 and allow it to rebuild.  No real change but further anomalies arose ! !

    Catroot2 originally held
    ...\System32\CatRoot2\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}
    13/08/2009  17:05         1,056,768 catdb
    18/06/2007  19:53                 8 TimeStamp
    ...\System32\CatRoot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}
    13/08/2009  17:05         1,056,768 catdb
    19/08/2008  12:45                 8 TimeStamp
    ...\System32\CatRoot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}
    13/08/2009  17:05         7,348,224 catdb
    31/07/2009  10:53                 8 TimeStamp

    After using "net stop cryptsvc" and deleting catroot2 etc, after a reboot I had only
    ...\System32\CatRoot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}
    13/08/2009  19:06         1,056,768 catdb

    After a second reboot I had an additional
    ...\system32\CatRoot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}
    13/08/2009  21:35         1,056,768 catdb

    That seems to have removed 6 MB of bloat from ...{F750...  ! !
    Further reboots made no change - still no ...{00AA...

    C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE} holds 220 files.
    Apparently obsolete and unused and almost empty are :-
    C:\WINDOWS\system32\CatRoot\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}
    18/06/2007  19:53                 8 TimeStamp
    16/05/2007  13:49            11,418 WLSetup.cat
    C:\WINDOWS\system32\CatRoot\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}
    19/08/2008  12:45                 8 TimeStamp

    I have removed these "obsolete" folders, keeping only ...\system32\CatRoot\{F750...
    and again deleted catroot2 and rebooted, and again after the first reboot there was
    ...\System32\CatRoot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}
    which surprised me since the corresponding folder had been removed from catroot,
    and after the second reboot there was
    ...\System32\CatRoot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}.

    "File #2 at line #1236" errors continued as before.

    I restored Catroot and Catroot2 from an Acronis image taken just before anything was removed.
    "File #2 at line #1236" errors just keep on going on and on.

    Is there a quick fix to this please ?
    Should I enter a LOOP :-
    {
    Restore the system to the original image taken before the removal of the old protection;
    Remove original protection
    } REPEAT until nothing is broken in XP ?

    One long, long-standing anomaly: where on earth is "oem43.CAT" ?
    The last dberr.txt log before things went bad was
    CatalogDB: 10:49:57 31/07/2009: Adding Catalog File:  oem43.CAT
    CatalogDB: 10:49:58 31/07/2009: DONE Adding Catalog File:  oem43.CAT
    CatalogDB: 10:51:18 31/07/2009: Adding Catalog File:  oem43.CAT
    CatalogDB: 10:51:19 31/07/2009: DONE Adding Catalog File:  oem43.CAT
    CatalogDB: 10:52:40 31/07/2009: Adding Catalog File:  oem43.CAT
    CatalogDB: 10:52:40 31/07/2009: DONE Adding Catalog File:  oem43.CAT
    CatalogDB: 10:53:07 31/07/2009: Adding Catalog File:  KB972260-IE7.cat
    CatalogDB: 10:53:07 31/07/2009: DONE Adding Catalog File:  KB972260-IE7.cat

    C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE} holds :-
    oem0.cat through to oem56.cat, with a few gaps.
    it holds oem42.cat and oem44.cat  but absolutely no oem43.cat.

    These "DONE Adding Catalog File:  oem43.CAT" messages have happened for many Patch Tuesdays,
    and none of the Acronis images from this period of time have captured any oem43.cat.

    Incidentally, why did Catroot and Catroot2 start with 3 off ..\{*} folders ?
    Is it related to SP1 and SP2 and SP3 being installed at different times ?
    And why does a rebuild of Catroot2  never create ...\{00AAC56B... etc,
    but always creates the other two ?
    regardless of whether Catroot holds only the relevant ..\{F750E6C3 or all 3 of the ...\{*}

    If I ever get this fixed, and Catroot2 is as it was, will it be safe to have XP rebuild it and presumably prune the 6 MB space and time wasting bloat in 7,348,224 catdb
    and to lose the apparently redundant ...\{00AAC56B... etc. ?

    I am using XP Home edition with SP3.

    I can restore the system from various Acronis partition images, including :-
    Before removal of old protection ;
    After installing new protection and before I knew there was a problem ;
    After I knew there was a problem and before I started trying to fix it.

    I would appreciate any advice upon fixing this, or I will continue to worry about when XP will crash.

    Regards
    Alan
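
An added example, not part of the original post: a small Python parser for dberr.txt lines in the format quoted above. It measures the spacing between repeated "encountered error" entries and lists catalogs that the log reports as added but that are absent from a supplied CatRoot file listing. The function names, the sample log and the directory listing are constructed for illustration, and entries are assumed to be in chronological order.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample: line formats are those quoted in the post; the
# 20:51:12 entry is made up so that two intervals can be measured.
SAMPLE = """\
CatalogDB: 10:49:57 31/07/2009: Adding Catalog File:  oem43.CAT
CatalogDB: 10:49:58 31/07/2009: DONE Adding Catalog File:  oem43.CAT
CatalogDB: 10:53:07 31/07/2009: Adding Catalog File:  KB972260-IE7.cat
CatalogDB: 10:53:07 31/07/2009: DONE Adding Catalog File:  KB972260-IE7.cat
CatalogDB: 20:51:12 09/09/2009: File #2 at line #1236 encountered error 0x00000057
CatalogDB: 21:21:22 09/09/2009: File #2 at line #1236 encountered error 0x00000057
CatalogDB: 21:51:32 09/09/2009: File #2 at line #1236 encountered error 0x00000057
"""

LINE = re.compile(r"^CatalogDB: (\d\d:\d\d:\d\d \d\d/\d\d/\d{4}): (.*)$")
ERROR = re.compile(r"File #(\d+) at line #(\d+) encountered error (0x[0-9A-Fa-f]+)")
ADDED = re.compile(r"DONE Adding Catalog File:\s+(\S.*)")

def parse(text):
    """Yield (timestamp, message) for each well-formed CatalogDB line."""
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:  # day/month/year order, as in the quoted log
            yield datetime.strptime(m.group(1), "%H:%M:%S %d/%m/%Y"), m.group(2)

def summarize(text, catroot_files=()):
    """Return ({error signature: Counter of gaps in seconds}, missing catalogs)."""
    errors, added = {}, set()
    for ts, msg in parse(text):
        err, done = ERROR.search(msg), ADDED.match(msg)
        if err:
            errors.setdefault(err.groups(), []).append(ts)
        elif done:  # only completed ("DONE") additions count
            added.add(done.group(1).strip().lower())
    intervals = {
        sig: Counter(int((b - a).total_seconds()) for a, b in zip(ts, ts[1:]))
        for sig, ts in errors.items()
    }
    on_disk = {name.lower() for name in catroot_files}
    return intervals, sorted(added - on_disk)

if __name__ == "__main__":
    # Hypothetical directory listing standing in for the CatRoot\{F750...} folder.
    gaps, missing = summarize(SAMPLE, ["oem42.cat", "oem44.cat", "KB972260-IE7.cat"])
    for sig, counts in gaps.items():
        print("error", sig, "gaps (s):", dict(counts))
    print("logged as added but not on disk:", missing)
```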