WORD macro virus - help & advice please [Solved]


  • This topic is locked

#31
trampas

  • Topic Starter
  • Member
  • 99 posts
I presume this zip file is intentionally unopenable ...

Attached Files


  • 0


#32
maliprog

    Trusted Helper

  • Malware Removal
  • 6,172 posts

I presume this zip file is intentionally unopenable ...


You are right. We don't want to infect other users :)

All three are clean and I had no problems opening them. You can check every file you like, like this.

Please go to: VirusTotal
  • Click the Choose File button and search for the file you want to upload
  • Click Open
  • Then click the Scan it! button
  • Please be patient while the file is scanned.
  • Once the scan results appear, please provide them in your next reply.

NOTE: If it says already scanned -- click the Reanalyze now button

I'll do some research and see what we can do next.
  • 0

#33
maliprog

    Trusted Helper

  • Malware Removal
  • 6,172 posts
I asked for tech assistance here. Here is what we need to do.

Step 1

You have 512MB of RAM on your system. It's the bare minimum for XP SP3. Running it with RAID could cause you a lot of problems.

If there is a possibility, you need to upgrade the RAM.

Step 2

Please uninstall ZoneAlarm from your system. From the ZA website, these are the minimum requirements:

Microsoft Windows, XP SP2 or SP3 Home / Professional
  • 32-bit, 1GB RAM
  • 1 GHz or faster processor
  • 100MB of available hard-disk space

Step 3

We need to check your second hard drive for errors too.

  • Go to Start -> My Computer
  • Right click on the E: disk and click on Properties
  • Click on the Tools tab and click on the Check now... button
  • Check Automatically fix system errors and Scan for and attempt recovery of bad sectors
  • Click the Start button
  • Confirm scheduling the disk check for the next time the computer starts with the Yes button
  • Restart your system and wait while the system checks your disk for errors

Step 4

Can you please download VEW and save it to your Desktop: http://images.malwar...om/vino/VEW.exe

Double-click VEW.exe, then under 'Select log to query' select:
  • Application
  • System

Under 'Select type to list' select:
  • Error
  • Information
  • Warning

  • Click the radio button for 'Number of events'
  • Type 20 in the 1 to 20 box
  • Then click the Run button.
  • Notepad will open with the output log.

In Notepad, click Edit > Select all then Edit > Copy
Reply to this post, click in the reply window and press Ctrl+V on your keyboard to paste the log.

Step 5

Please don't forget to include these items in your reply:

  • VEW log

It would be helpful if you could post each log in a separate post
  • 0

#34
trampas

  • Topic Starter
  • Member
  • 99 posts
Hi maliprog

There's an issue with WORD 2002 (which is the version I have) where smart tags modify a document as soon as it's opened. It only happens if smart tags have been turned on :
http://support.microsoft.com/kb/816473
My guess is that the hacker turned this on in one of my documents. I'm not sure if this is a setting for a single document or a global setting held in Normal.dot.

If you read the posts of musicat in this thread the implication is that the setting is held in Normal.dot :
http://boards.straig...p/t-423686.html
If that's true then I ought not to have the issue when I open one of my dozen 'infected' files.

But at least I have a partial explanation. And a fix.

If you're ready to do this I can open those files and check if smart tags is set to ON. Maybe you can see this feature is turned on in the 3 samples that you have ?

If someone ever posts a HELP topic on WORD macro viruses, maybe a link to this Knowledge Base article could be included. That might help quite a few folks...

Comments on the 4 new steps to follow.

trampas
  • 0

#35
trampas

  • Topic Starter
  • Member
  • 99 posts
I recall that TDSSkiller said my RAID driver is not digitally signed.

Something that I spotted when I last built this PC was Windows complained that the RAID driver had not been Logo tested. This copy of the driver had come off the original CD that was supplied with the PC. I used the CD as the source *this* time to ensure that the driver was clean. I haven't used it before.

So I decided to check which version of the RAID driver is on a 'manufacturer disk' that I created manually in 2005. The copy on the manufacturer disk is very probably the one that was supplied live on the PC when I bought it.

What I found was that the version on floppy disk was dated April 2003 and has size 73,856 bytes.

On CD (and currently active) is a driver dated Dec 2002 and size 61,408 bytes.

This is the first time I've noticed that the driver on CD is different to the one that was originally live.

Could be relevant. What do you think I should do next ?

t.

Edited by trampas, 11 April 2012 - 06:38 PM.

  • 0

#36
trampas

  • Topic Starter
  • Member
  • 99 posts
Some comments on the new steps :
1. Increase system memory to 1MB. I'd like to have a think before doing this one because I've never noticed performance issues on this PC before. From 5 to 10 March it was running sweet as a nut. And I suspect that I'm unlikely to push it to the limit in the future.

2. I will happily uninstall ZoneAlarm, no problem and go back to using Comodo. Thanks for bringing this mismatch to my attention !

3. The E drive that you've seen in logs is a USB memory stick - plugged in some of the time. The RAID controller on the motherboard hides the two mirrored disks from the operating system, so what that actually means when testing for bad sectors I'm not absolutely certain.

I know that you've had OTL or Combofix do things with the E drive - maybe you want to review those results in the light of this comment. Was it to do with autorun.inf ?

4. I did a casual search on VEW.exe just to learn more about it but I saw a few things that seemed alarming. There's probably some confusion on my part but here's one example:
http://www.pcmaxutil...-fix-guide.html
I want to do this step but I'm just a bit concerned :(

Given the new information about my RAID driver maybe that needs to be updated first.

I plan to install Comodo anyway.

t
  • 0

#37
trampas

  • Topic Starter
  • Member
  • 99 posts
Hi maliprog

After further consideration I went ahead with updating the RAID driver. I took the version from my manufacturer disk as I'm pretty sure this is a credible release and not infected. (It still has no digital signature and no Logo testing).

I then uninstalled ZoneAlarm. This required a reboot and as part of that time there was a File System Check. The log of this, which is quite long, is attached. When I logged in as admin-su a program called CPES_cleaner ran in a command window. I think this is normal for ZoneAlarm uninstall.

You may wish to comment on the FSC log !

I then installed Comodo firewall and configured it using this very useful article (which is bang up to date) :
http://www.techsuppo...do-firewall.htm

I've done nothing at all with WORD or WORD docs. No further File System Checks so far.

trampas


Checking file system on C:
The type of the file system is NTFS.


One of your disks needs to be checked for consistency. You
may cancel the disk check, but it is strongly recommended
that you continue.
Windows will now check the disk.
The multi-sector header signature for VCN 0x0 of index $I30
in file 0x1e5b is incorrect.
49 6d 61 67 65 50 61 74 68 19 2f 00 20 ce 2f 00 ImagePath./. ./.
e0 ff ff ff e0 5d 22 00 58 bf 22 00 40 dc 22 00 .....]".X.".@.".
Correcting error in index $I30 for file 7771.
The index bitmap $I30 in file 0x1e5b is incorrect.
Correcting error in index $I30 for file 7771.
The down pointer of current index entry with length 0x18 is invalid.
00 00 00 00 00 00 00 00 18 00 00 00 03 00 00 00 ................
ff ff ff ff ff ff ff ff 84 5e 8d 7c 69 fe cc 01 .........^.|i...
bc fa a9 7c 69 fe cc 01 bc fa a9 7c 69 fe cc 01 ...|i......|i...
Sorting index $I30 in file 7771.
The multi-sector header signature for VCN 0x0 of index $I30
in file 0x1e6e is incorrect.
a0 ff ff ff 6e 6b 20 00 00 d5 27 1b b6 fe cc 01 ....nk ...'.....
00 00 00 00 e8 02 00 00 00 00 00 00 00 00 00 00 ................
The multi-sector header signature for VCN 0x1 of index $I30
in file 0x1e6e is incorrect.
68 62 69 6e 00 00 7b 00 00 10 00 00 00 00 00 00 hbin..{.........
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
Correcting error in index $I30 for file 7790.
The index bitmap $I30 in file 0x1e6e is incorrect.
Correcting error in index $I30 for file 7790.
The down pointer of current index entry with length 0x98 is invalid.
Sorting index $I30 in file 7790.
Cleaning up minor inconsistencies on the drive.
CHKDSK is recovering lost files.
Recovering orphaned file CHANGE~1.2 (7182) into directory file 7771.
Recovering orphaned file change.log.2 (7182) into directory file 7771.
Recovering orphaned file A0020629.lnk (7436) into directory file 7771.
Recovering orphaned file A0020621.ini (7572) into directory file 7771.
Recovering orphaned file A0020622.ini (7670) into directory file 7771.
Recovering orphaned file A0020623.RDB (7728) into directory file 7771.
Recovering orphaned file A0020624.RDB (7730) into directory file 7771.
Recovering orphaned file rp.log (7783) into directory file 7771.
Recovering orphaned file snapshot (7790) into directory file 7771.
Recovering orphaned file _REGIS~1 (7801) into directory file 7790.
Recovering orphaned file _REGISTRY_USER_NTUSER_S-1-5-18 (7801) into directory file 7790.
Recovering orphaned file _REGIS~2 (7802) into directory file 7790.
Recovering orphaned file _REGISTRY_USER_NTUSER_S-1-5-19 (7802) into directory file 7790.
Recovering orphaned file _REGIS~3 (7843) into directory file 7790.
Recovering orphaned file _REGISTRY_USER_USRCLASS_S-1-5-19 (7843) into directory file 7790.
Recovering orphaned file _REGIS~4 (7864) into directory file 7790.
Recovering orphaned file _RF17F~1 (7865) into directory file 7790.
Recovering orphaned file _REGISTRY_USER_USRCLASS_S-1-5-20 (7865) into directory file 7790.
Recovering orphaned file _R717A~1 (7870) into directory file 7790.
Recovering orphaned file _REGISTRY_USER_NTUSER_S-1-5-21-1957994488-1715567821-725345543-1004 (7870) into directory file 7790.
Recovering orphaned file _R3ABC~1 (7975) into directory file 7790.
Recovering orphaned file _REGISTRY_USER_USRCLASS_S-1-5-21-1957994488-1715567821-725345543-1004 (7975) into directory file 7790.
Recovering orphaned file _R718A~1 (7976) into directory file 7790.
Recovering orphaned file _REGISTRY_USER_NTUSER_S-1-5-21-1957994488-1715567821-725345543-1005 (7976) into directory file 7790.
Recovering orphaned file _R3ACC~1 (8054) into directory file 7790.
Recovering orphaned file _REGISTRY_USER_USRCLASS_S-1-5-21-1957994488-1715567821-725345543-1005 (8054) into directory file 7790.
Recovering orphaned file _REGIS~1.DE~ (8125) into directory file 7790.
Recovering orphaned file _REGISTRY_USER_.DEFAULT (8125) into directory file 7790.
Recovering orphaned file _R7E5D~1 (8186) into directory file 7790.
Recovering orphaned file _REGISTRY_MACHINE_SECURITY (8186) into directory file 7790.
Recovering orphaned file _R017D~1 (8187) into directory file 7790.
Recovering orphaned file _REGISTRY_MACHINE_SOFTWARE (8187) into directory file 7790.
Recovering orphaned file _R62E7~1 (8222) into directory file 7790.
Recovering orphaned file _REGISTRY_MACHINE_SYSTEM (8222) into directory file 7790.
Recovering orphaned file _R25B6~1 (8257) into directory file 7790.
Recovering orphaned file _REGISTRY_MACHINE_SAM (8257) into directory file 7790.
Recovering orphaned file ComDb.Dat (8259) into directory file 7790.
Recovering orphaned file domain.txt (8309) into directory file 7790.
Recovering orphaned file REPOSI~1 (8359) into directory file 7790.
Recovering orphaned file Repository (8359) into directory file 7790.
Recovering orphaned file RESTOR~1 (8453) into directory file 7771.
Recovering orphaned file RestorePointSize (8453) into directory file 7771.
Recovering orphaned file CHANGE~1.1 (8454) into directory file 7771.
Recovering orphaned file change.log.1 (8454) into directory file 7771.
Recovering orphaned file A0020616.RDB (8457) into directory file 7771.
Recovering orphaned file A0020617.RDB (8460) into directory file 7771.
Recovering orphaned file A0020619.RDB (8590) into directory file 7771.
Recovering orphaned file A0020620.ini (8677) into directory file 7771.
Recovering orphaned file A0020630.sys (8712) into directory file 7771.
Recovering orphaned file A0020614.lnk (9224) into directory file 7771.
Recovering orphaned file A0020615.lnk (9315) into directory file 7771.
Recovering orphaned file A0020625.ini (9812) into directory file 7771.
Recovering orphaned file A0020626.RDB (17114) into directory file 7771.
Recovering orphaned file A0020627.RDB (17115) into directory file 7771.
Recovering orphaned file A0020628.RDB (17116) into directory file 7771.
Recovering orphaned file A0020631.RDB (17127) into directory file 7771.
Recovering orphaned file A0020632.RDB (17129) into directory file 7771.
Recovering orphaned file A0020633.RDB (17130) into directory file 7771.
Recovering orphaned file A0020634.RDB (17131) into directory file 7771.
Recovering orphaned file A0020635.RDB (17132) into directory file 7771.
Recovering orphaned file A0020636.RDB (17133) into directory file 7771.
Recovering orphaned file A0020637.RDB (17134) into directory file 7771.
Recovering orphaned file DRIVET~1.TXT (17184) into directory file 7771.
Recovering orphaned file drivetable.txt (17184) into directory file 7771.
Recovering orphaned file A0020618.lnk (22674) into directory file 7771.
Cleaning up 9 unused index entries from index $SII of file 0x9.
Cleaning up 9 unused index entries from index $SDH of file 0x9.
Cleaning up 9 unused security descriptors.
Correcting errors in the Volume Bitmap.
Windows has made corrections to the file system.

78140128 KB total disk space.
22982808 KB in 64293 files.
19940 KB in 4224 indexes.
0 KB in bad sectors.
138228 KB in use by the system.
65536 KB occupied by the log file.
54999152 KB available on disk.

4096 bytes in each allocation unit.
19535032 total allocation units on disk.
13749788 allocation units available on disk.

Internal Info:

Windows has finished checking your disk.
Please wait while your computer restarts.

Edited by trampas, 11 April 2012 - 08:59 PM.

  • 0
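
A triage sketch for a CHKDSK log like the one in the post above, added here as an example and not part of the thread: it collapses the 8.3/long-name pairs into distinct files, ties each orphan back to the directory whose $I30 index was repaired (CHKDSK prints it in hex in the error lines and in decimal in the recovery lines), and labels names that follow Windows XP System Restore conventions. The sample log is a constructed excerpt (the notes.doc entry and directory 4242 are invented), and the name patterns and labels are assumptions of this example.

```python
import re
from collections import Counter

# Constructed excerpt in the format of the CHKDSK log above; notes.doc and
# directory 4242 are invented so the "needs a look" paths are exercised.
SAMPLE_LOG = """\
Checking file system on C:
The type of the file system is NTFS.
The multi-sector header signature for VCN 0x0 of index $I30
in file 0x1e5b is incorrect.
Correcting error in index $I30 for file 7771.
The index bitmap $I30 in file 0x1e6e is incorrect.
Correcting error in index $I30 for file 7790.
Recovering orphaned file CHANGE~1.2 (7182) into directory file 7771.
Recovering orphaned file change.log.2 (7182) into directory file 7771.
Recovering orphaned file A0020630.sys (8712) into directory file 7771.
Recovering orphaned file _REGIS~1 (7801) into directory file 7790.
Recovering orphaned file _REGISTRY_USER_NTUSER_S-1-5-18 (7801) into directory file 7790.
Recovering orphaned file _R62E7~1 (8222) into directory file 7790.
Recovering orphaned file _REGISTRY_MACHINE_SYSTEM (8222) into directory file 7790.
Recovering orphaned file notes.doc (9001) into directory file 4242.
Windows has made corrections to the file system.
0 KB in bad sectors.
"""

ORPHAN_RE = re.compile(
    r"^Recovering orphaned file (?P<name>.+) \((?P<rec>\d+)\) "
    r"into directory file (?P<dir>\d+)\.$"
)
BAD_INDEX_RE = re.compile(r"in file (0x[0-9a-fA-F]+) is incorrect\.$")
BAD_SECTORS_RE = re.compile(r"^(\d+) KB in bad sectors\.$")

# Assumption of this example: names Windows XP System Restore uses inside a
# restore point (file copies, registry hive snapshots, bookkeeping files).
RESTORE_BOOKKEEPING = {"rp.log", "snapshot", "restorepointsize", "drivetable.txt"}


def classify(name):
    """Label an orphan's name; anything not recognised is 'unclassified'."""
    if re.fullmatch(r"A\d{7}\.\w+", name):
        return "restore-point file copy"
    if name.startswith("_REGISTRY_"):
        return "registry hive snapshot"
    if re.fullmatch(r"change\.log(\.\d+)?", name) or name.lower() in RESTORE_BOOKKEEPING:
        return "restore-point bookkeeping"
    return "unclassified"


def summarize(log_text):
    damaged_dirs = set()   # directories whose $I30 index was reported as bad
    orphans = {}           # file record number -> (name, parent directory)
    bad_sectors_kb = None

    for raw in log_text.splitlines():
        line = raw.strip()
        m = BAD_INDEX_RE.search(line)
        if m:
            # Hex here, decimal in the "Recovering" lines: normalise to int.
            damaged_dirs.add(int(m.group(1), 16))
            continue
        m = ORPHAN_RE.match(line)
        if m:
            rec, name, parent = int(m["rec"]), m["name"], int(m["dir"])
            # A file is listed once per name (8.3 alias, then long name) under
            # the same record number: keep one entry, preferring the long name.
            if rec not in orphans or "~" in orphans[rec][0]:
                orphans[rec] = (name, parent)
            continue
        m = BAD_SECTORS_RE.match(line)
        if m:
            bad_sectors_kb = int(m.group(1))

    entries = list(orphans.values())
    return {
        "damaged_dirs": damaged_dirs,
        "distinct_orphans": len(entries),
        "per_directory": Counter(parent for _, parent in entries),
        "kinds": Counter(classify(name) for name, _ in entries),
        # Names that do not look like restore-point content.
        "unclassified": sorted(n for n, _ in entries if classify(n) == "unclassified"),
        # Orphans reattached somewhere other than a repaired directory index.
        "outside_damaged_dirs": sorted(n for n, p in entries if p not in damaged_dirs),
        "bad_sectors_kb": bad_sectors_kb,
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```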

#38
maliprog

    Trusted Helper

  • Malware Removal
  • 6,172 posts

I did a casual search on VEW.exe just to learn more about it but I saw a few things that seemed alarming. There's probably some confusion on my part but here's one example:
http://www.pcmaxutil...-fix-guide.html
I want to do this step but I'm just a bit concerned :(


Don't worry. You must download VEW.exe from the location that I gave you and you'll be safe. Please do the step and post the log for me. I just downloaded it and checked it myself.

Can you do Check disk again for me?

  • Go to Start -> My Computer
  • Right click on the C: disk and click on Properties
  • Click on the Tools tab and click on the Check now... button
  • Check Automatically fix system errors and Scan for and attempt recovery of bad sectors
  • Click the Start button
  • Confirm scheduling the disk check for the next time the computer starts with the Yes button
  • Restart your system and wait while the system checks your disk for errors

  • 0

#39
trampas

  • Topic Starter
  • Member
  • 99 posts
OK, ran the disk check again. It was clean. I can't quote the exact message because I can't see it in event viewer. It was something like :
"Checking the file system on C:
The type of file system is NTFS.

Check finished
... system is clean"

I'll do vew.exe next.

t.
  • 0

#40
trampas

  • Topic Starter
  • Member
  • 99 posts
Now I see what VEW.exe does, that saves me a lot of effort !


Vino's Event Viewer v01c run on Windows XP in English
Report run at 12/04/2012 5:01:28 PM

Note: All dates below are in the format dd/mm/yyyy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'Application' Log - error Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'Application' Date/Time: 11/04/2012 7:21:06 AM
Type: error Category: 3
Event: 454 Source: ESENT
wuauclt (1584) Database recovery/restore failed with unexpected error -501.

Log: 'Application' Date/Time: 11/04/2012 7:21:06 AM
Type: error Category: 3
Event: 465 Source: ESENT
wuauclt (1584) Corruption was detected during soft recovery in logfile C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.log. The failing checksum record is located at position END. Data not matching the log-file fill pattern first appeared in sector 92 (0x0000005C). This logfile has been damaged and is unusable.

Log: 'Application' Date/Time: 11/04/2012 7:21:06 AM
Type: error Category: 3
Event: 465 Source: ESENT
wuauclt (1584) Corruption was detected during soft recovery in logfile C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.log. The failing checksum record is located at position END. Data not matching the log-file fill pattern first appeared in sector 92 (0x0000005C). This logfile has been damaged and is unusable.

Log: 'Application' Date/Time: 11/04/2012 7:21:06 AM
Type: error Category: 3
Event: 465 Source: ESENT
wuauclt (1584) Corruption was detected during soft recovery in logfile C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.log. The failing checksum record is located at position END. Data not matching the log-file fill pattern first appeared in sector 92 (0x0000005C). This logfile has been damaged and is unusable.

Log: 'Application' Date/Time: 06/04/2012 2:42:51 PM
Type: error Category: 0
Event: 3001 Source: LoadPerf
The performance counter name string value in the registry is incorrectly formatted. The bogus string is 2338, the bogus index value is the first DWORD in Data section while the last valid index values are the second and third DWORD in Data section.

Log: 'Application' Date/Time: 06/04/2012 2:42:48 PM
Type: error Category: 0
Event: 3011 Source: LoadPerf
Unloading the performance counter strings for service WmiApRpl (WmiApRpl) failed. The Error code is the first DWORD in Data section.

Log: 'Application' Date/Time: 06/04/2012 2:42:48 PM
Type: error Category: 0
Event: 3001 Source: LoadPerf
The performance counter name string value in the registry is incorrectly formatted. The bogus string is 2338, the bogus index value is the first DWORD in Data section while the last valid index values are the second and third DWORD in Data section.

Log: 'Application' Date/Time: 05/04/2012 2:47:50 PM
Type: error Category: 0
Event: 3001 Source: LoadPerf
The performance counter name string value in the registry is incorrectly formatted. The bogus string is 2278, the bogus index value is the first DWORD in Data section while the last valid index values are the second and third DWORD in Data section.

Log: 'Application' Date/Time: 05/04/2012 2:47:47 PM
Type: error Category: 0
Event: 3011 Source: LoadPerf
Unloading the performance counter strings for service WmiApRpl (WmiApRpl) failed. The Error code is the first DWORD in Data section.

Log: 'Application' Date/Time: 05/04/2012 2:47:47 PM
Type: error Category: 0
Event: 3001 Source: LoadPerf
The performance counter name string value in the registry is incorrectly formatted. The bogus string is 2278, the bogus index value is the first DWORD in Data section while the last valid index values are the second and third DWORD in Data section.

Log: 'Application' Date/Time: 05/04/2012 2:47:15 PM
Type: error Category: 0
Event: 2002 Source: PerfNet
Unable to open the Redirector service. Redirector performance data will not be returned. Error code returned is in data DWORD 0.

Log: 'Application' Date/Time: 05/04/2012 2:47:15 PM
Type: error Category: 0
Event: 2004 Source: PerfNet
Unable to open the Server service. Server performance data will not be returned. Error code returned is in data DWORD 0.

Log: 'Application' Date/Time: 02/04/2012 4:28:33 PM
Type: error Category: 3
Event: 439 Source: ESENT
Catalog Database (840) Unable to write a shadowed header for file C:\WINDOWS\system32\CatRoot2\tmp.edb. Error -1022.

Log: 'Application' Date/Time: 02/04/2012 4:28:33 PM
Type: error Category: 1
Event: 490 Source: ESENT
svchost (840) An attempt to open the file "C:\WINDOWS\system32\CatRoot2\tmp.edb" for read / write access failed with system error 1392 (0x00000570): "The file or directory is corrupted and unreadable. ". The open file operation will fail with error -1022 (0xfffffc02).

Log: 'Application' Date/Time: 02/04/2012 4:28:33 PM
Type: error Category: 1
Event: 485 Source: ESENT
svchost (840) An attempt to delete the file "C:\WINDOWS\system32\CatRoot2\tmp.edb" failed with system error 1392 (0x00000570): "The file or directory is corrupted and unreadable. ". The delete file operation will fail with error -1022 (0xfffffc02).

Log: 'Application' Date/Time: 02/04/2012 4:28:33 PM
Type: error Category: 1
Event: 485 Source: ESENT
svchost (840) An attempt to delete the file "C:\WINDOWS\system32\CatRoot2\tmp.edb" failed with system error 1392 (0x00000570): "The file or directory is corrupted and unreadable. ". The delete file operation will fail with error -1022 (0xfffffc02).

Log: 'Application' Date/Time: 02/04/2012 4:28:33 PM
Type: error Category: 1
Event: 485 Source: ESENT
svchost (840) An attempt to delete the file "C:\WINDOWS\system32\CatRoot2\tmp.edb" failed with system error 1392 (0x00000570): "The file or directory is corrupted and unreadable. ". The delete file operation will fail with error -1022 (0xfffffc02).

Log: 'Application' Date/Time: 02/04/2012 4:28:33 PM
Type: error Category: 1
Event: 485 Source: ESENT
svchost (840) An attempt to delete the file "C:\WINDOWS\system32\CatRoot2\tmp.edb" failed with system error 1392 (0x00000570): "The file or directory is corrupted and unreadable. ". The delete file operation will fail with error -1022 (0xfffffc02).

Log: 'Application' Date/Time: 02/04/2012 4:28:33 PM
Type: error Category: 1
Event: 485 Source: ESENT
svchost (840) An attempt to delete the file "C:\WINDOWS\system32\CatRoot2\tmp.edb" failed with system error 1392 (0x00000570): "The file or directory is corrupted and unreadable. ". The delete file operation will fail with error -1022 (0xfffffc02).

Log: 'Application' Date/Time: 02/04/2012 4:28:33 PM
Type: error Category: 1
Event: 485 Source: ESENT
svchost (840) An attempt to delete the file "C:\WINDOWS\system32\CatRoot2\tmp.edb" failed with system error 1392 (0x00000570): "The file or directory is corrupted and unreadable. ". The delete file operation will fail with error -1022 (0xfffffc02).

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'Application' Log - information Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'Application' Date/Time: 12/04/2012 4:44:27 PM
Type: information Category: 0
Event: 1800 Source: SecurityCenter
The Windows Security Center Service has started.

Log: 'Application' Date/Time: 12/04/2012 4:44:24 PM
Type: information Category: 1
Event: 4096 Source: Avira Antivirus
The AntiVir service has been started successfully!

Log: 'Application' Date/Time: 12/04/2012 4:43:19 PM
Type: information Category: 0
Event: 1516 Source: Userenv
Windows unloaded user S-1-5-21-1957994488-1715567821-725345543-1004_Classes registry when it received a notification that no other applications or services were using the profile.

Log: 'Application' Date/Time: 12/04/2012 4:43:19 PM
Type: information Category: 0
Event: 1516 Source: Userenv
Windows unloaded user S-1-5-21-1957994488-1715567821-725345543-1004 registry when it received a notification that no other applications or services were using the profile.

Log: 'Application' Date/Time: 12/04/2012 12:03:57 PM
Type: information Category: 0
Event: 1800 Source: SecurityCenter
The Windows Security Center Service has started.

Log: 'Application' Date/Time: 12/04/2012 12:03:57 PM
Type: information Category: 1
Event: 4096 Source: Avira Antivirus
The AntiVir service has been started successfully!

Log: 'Application' Date/Time: 12/04/2012 12:03:08 PM
Type: information Category: 0
Event: 1516 Source: Userenv
Windows unloaded user SERVER\admin-su registry when it received a notification that no other applications or services were using the profile.

Log: 'Application' Date/Time: 12/04/2012 12:03:08 PM
Type: information Category: 0
Event: 1516 Source: Userenv
Windows unloaded user SERVER\admin-su registry when it received a notification that no other applications or services were using the profile.

Log: 'Application' Date/Time: 12/04/2012 12:01:15 PM
Type: information Category: 0
Event: 1800 Source: SecurityCenter
The Windows Security Center Service has started.

Log: 'Application' Date/Time: 12/04/2012 12:01:15 PM
Type: information Category: 1
Event: 4096 Source: Avira Antivirus
The AntiVir service has been started successfully!

Log: 'Application' Date/Time: 12/04/2012 12:00:24 PM
Type: information Category: 0
Event: 1516 Source: Userenv
Windows unloaded user S-1-5-21-1957994488-1715567821-725345543-1005_Classes registry when it received a notification that no other applications or services were using the profile.

Log: 'Application' Date/Time: 12/04/2012 12:00:24 PM
Type: information Category: 0
Event: 1516 Source: Userenv
Windows unloaded user SERVER\serf registry when it received a notification that no other applications or services were using the profile.

Log: 'Application' Date/Time: 12/04/2012 11:37:38 AM
Type: information Category: 0
Event: 1800 Source: SecurityCenter
The Windows Security Center Service has started.

Log: 'Application' Date/Time: 12/04/2012 11:37:38 AM
Type: information Category: 1
Event: 4096 Source: Avira Antivirus
The AntiVir service has been started successfully!

Log: 'Application' Date/Time: 12/04/2012 11:36:51 AM
Type: information Category: 0
Event: 1516 Source: Userenv
Windows unloaded user S-1-5-21-1957994488-1715567821-725345543-1004_Classes registry when it received a notification that no other applications or services were using the profile.

Log: 'Application' Date/Time: 12/04/2012 11:36:51 AM
Type: information Category: 0
Event: 1516 Source: Userenv
Windows unloaded user S-1-5-21-1957994488-1715567821-725345543-1004 registry when it received a notification that no other applications or services were using the profile.

Log: 'Application' Date/Time: 12/04/2012 11:31:27 AM
Type: information Category: 0
Event: 1800 Source: SecurityCenter
The Windows Security Center Service has started.

Log: 'Application' Date/Time: 12/04/2012 11:31:27 AM
Type: information Category: 1
Event: 4096 Source: Avira Antivirus
The AntiVir service has been started successfully!

Log: 'Application' Date/Time: 12/04/2012 11:30:36 AM
Type: information Category: 0
Event: 1516 Source: Userenv
Windows unloaded user SERVER\admin-su registry when it received a notification that no other applications or services were using the profile.

Log: 'Application' Date/Time: 12/04/2012 11:30:36 AM
Type: information Category: 0
Event: 1516 Source: Userenv
Windows unloaded user SERVER\admin-su registry when it received a notification that no other applications or services were using the profile.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'Application' Log - warning Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'Application' Date/Time: 12/04/2012 4:43:17 PM
Type: warning Category: 0
Event: 1517 Source: Userenv
Windows saved user SERVER\admin-su registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use. This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.

Log: 'Application' Date/Time: 12/04/2012 4:43:13 PM
Type: warning Category: 0
Event: 1524 Source: Userenv
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.

Log: 'Application' Date/Time: 12/04/2012 12:03:07 PM
Type: warning Category: 0
Event: 1517 Source: Userenv
Windows saved user SERVER\admin-su registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use. This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.

Log: 'Application' Date/Time: 12/04/2012 12:03:03 PM
Type: warning Category: 0
Event: 1524 Source: Userenv
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.

Log: 'Application' Date/Time: 12/04/2012 12:00:22 PM
Type: warning Category: 0
Event: 1517 Source: Userenv
Windows saved user SERVER\serf registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use. This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.

Log: 'Application' Date/Time: 12/04/2012 12:00:22 PM
Type: warning Category: 0
Event: 1524 Source: Userenv
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.

Log: 'Application' Date/Time: 12/04/2012 11:36:50 AM
Type: warning Category: 0
Event: 1517 Source: Userenv
Windows saved user SERVER\admin-su registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use. This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.

Log: 'Application' Date/Time: 12/04/2012 11:36:47 AM
Type: warning Category: 0
Event: 1524 Source: Userenv
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.

Log: 'Application' Date/Time: 12/04/2012 11:30:34 AM
Type: warning Category: 0
Event: 1517 Source: Userenv
Windows saved user SERVER\admin-su registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use. This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.

Log: 'Application' Date/Time: 12/04/2012 11:30:30 AM
Type: warning Category: 0
Event: 1524 Source: Userenv
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.

Log: 'Application' Date/Time: 12/04/2012 11:28:51 AM
Type: warning Category: 0
Event: 1015 Source: MsiInstaller
Failed to connect to server. Error: 0x800401F0

Log: 'Application' Date/Time: 12/04/2012 11:20:15 AM
Type: warning Category: 0
Event: 1517 Source: Userenv
Windows saved user SERVER\admin-su registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use. This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.

Log: 'Application' Date/Time: 12/04/2012 11:20:11 AM
Type: warning Category: 0
Event: 1524 Source: Userenv
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.

Log: 'Application' Date/Time: 12/04/2012 11:08:17 AM
Type: warning Category: 0
Event: 1517 Source: Userenv
Windows saved user SERVER\admin-su registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use. This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.

Log: 'Application' Date/Time: 12/04/2012 11:08:12 AM
Type: warning Category: 0
Event: 1524 Source: Userenv
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.

Log: 'Application' Date/Time: 12/04/2012 11:00:32 AM
Type: warning Category: 0
Event: 1517 Source: Userenv
Windows saved user SERVER\admin-su registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use. This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.

Log: 'Application' Date/Time: 12/04/2012 11:00:28 AM
Type: warning Category: 0
Event: 1524 Source: Userenv
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.

Log: 'Application' Date/Time: 12/04/2012 10:07:37 AM
Type: warning Category: 0
Event: 1517 Source: Userenv
Windows saved user SERVER\serf registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use. This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.

Log: 'Application' Date/Time: 12/04/2012 10:07:36 AM
Type: warning Category: 0
Event: 1524 Source: Userenv
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.

Log: 'Application' Date/Time: 11/04/2012 9:11:14 PM
Type: warning Category: 0
Event: 1517 Source: Userenv
Windows saved user SERVER\admin-su registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use. This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - error Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'System' Date/Time: 12/04/2012 2:42:09 PM
Type: error Category: 6
Event: 16 Source: Windows Update Agent
The event description cannot be found.

Log: 'System' Date/Time: 12/04/2012 11:02:53 AM
Type: error Category: 2
Event: 55 Source: Ntfs
The file system structure on the disk is corrupt and unusable. Please run the chkdsk utility on the volume C:.

Log: 'System' Date/Time: 11/04/2012 8:34:26 PM
Type: error Category: 0
Event: 29 Source: W32Time
The time provider NtpClient is configured to acquire time from one or more time sources, however none of the sources are currently accessible. No attempt to contact a source will be made for 14 minutes. NtpClient has no source of accurate time.

Log: 'System' Date/Time: 11/04/2012 8:34:26 PM
Type: error Category: 0
Event: 17 Source: W32Time
Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)

Log: 'System' Date/Time: 11/04/2012 8:28:53 PM
Type: error Category: 0
Event: 29 Source: W32Time
The time provider NtpClient is configured to acquire time from one or more time sources, however none of the sources are currently accessible. No attempt to contact a source will be made for 14 minutes. NtpClient has no source of accurate time.

Log: 'System' Date/Time: 11/04/2012 8:28:53 PM
Type: error Category: 0
Event: 17 Source: W32Time
Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)

Log: 'System' Date/Time: 10/04/2012 2:42:08 PM
Type: error Category: 6
Event: 16 Source: Windows Update Agent
The event description cannot be found.

Log: 'System' Date/Time: 08/04/2012 2:42:07 PM
Type: error Category: 6
Event: 16 Source: Windows Update Agent
The event description cannot be found.

Log: 'System' Date/Time: 08/04/2012 7:47:26 AM
Type: error Category: 0
Event: 7034 Source: Service Control Manager
The TrueVector Internet Monitor service terminated unexpectedly. It has done this 1 time(s).

Log: 'System' Date/Time: 07/04/2012 5:16:51 PM
Type: error Category: 102
Event: 1003 Source: System Error
Error code 100000d1, parameter1 00000008, parameter2 00000006, parameter3 00000000, parameter4 f848d01a.

Log: 'System' Date/Time: 07/04/2012 5:10:02 PM
Type: error Category: 0
Event: 9 Source: viaraid
The device, \Device\Scsi\viaraid1, did not respond within the timeout period.

Log: 'System' Date/Time: 07/04/2012 5:03:59 PM
Type: error Category: 0
Event: 9 Source: viaraid
The device, \Device\Scsi\viaraid1, did not respond within the timeout period.

Log: 'System' Date/Time: 07/04/2012 4:59:27 PM
Type: error Category: 102
Event: 1003 Source: System Error
Error code 100000d1, parameter1 00020038, parameter2 00000002, parameter3 00000000, parameter4 f8489d8f.

Log: 'System' Date/Time: 07/04/2012 4:58:13 PM
Type: error Category: 0
Event: 9 Source: viaraid
The device, \Device\Scsi\viaraid1, did not respond within the timeout period.

Log: 'System' Date/Time: 07/04/2012 4:46:57 PM
Type: error Category: 0
Event: 9 Source: viaraid
The device, \Device\Scsi\viaraid1, did not respond within the timeout period.

Log: 'System' Date/Time: 07/04/2012 4:38:40 PM
Type: error Category: 102
Event: 1003 Source: System Error
Error code 100000d1, parameter1 0a050038, parameter2 00000002, parameter3 00000000, parameter4 f8489d8f.

Log: 'System' Date/Time: 07/04/2012 4:31:17 PM
Type: error Category: 0
Event: 9 Source: viaraid
The device, \Device\Scsi\viaraid1, did not respond within the timeout period.

Log: 'System' Date/Time: 07/04/2012 3:15:18 PM
Type: error Category: 102
Event: 1003 Source: System Error
Error code 100000d1, parameter1 00000097, parameter2 00000006, parameter3 00000000, parameter4 f84899bd.

Log: 'System' Date/Time: 07/04/2012 3:14:00 PM
Type: error Category: 0
Event: 9 Source: viaraid
The device, \Device\Scsi\viaraid1, did not respond within the timeout period.

Log: 'System' Date/Time: 07/04/2012 3:09:49 PM
Type: error Category: 0
Event: 9 Source: viaraid
The device, \Device\Scsi\viaraid1, did not respond within the timeout period.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - information Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'System' Date/Time: 12/04/2012 4:45:22 PM
Type: information Category: 0
Event: 7036 Source: Service Control Manager
The IMAPI CD-Burning COM Service service entered the stopped state.

Log: 'System' Date/Time: 12/04/2012 4:45:21 PM
Type: information Category: 0
Event: 7036 Source: Service Control Manager
The Application Layer Gateway Service service entered the running state.

Log: 'System' Date/Time: 12/04/2012 4:45:21 PM
Type: information Category: 0
Event: 7035 Source: Service Control Manager
The Application Layer Gateway Service service was successfully sent a start control.

Log: 'System' Date/Time: 12/04/2012 4:45:14 PM
Type: information Category: 0
Event: 7036 Source: Service Control Manager
The IMAPI CD-Burning COM Service service entered the running state.

Log: 'System' Date/Time: 12/04/2012 4:45:14 PM
Type: information Category: 0
Event: 7035 Source: Service Control Manager
The IMAPI CD-Burning COM Service service was successfully sent a start control.

Log: 'System' Date/Time: 12/04/2012 4:45:11 PM
Type: information Category: 0
Event: 7036 Source: Service Control Manager
The Remote Access Connection Manager service entered the running state.

Log: 'System' Date/Time: 12/04/2012 4:45:10 PM
Type: information Category: 0
Event: 7036 Source: Service Control Manager
The SSDP Discovery Service service entered the running state.

Log: 'System' Date/Time: 12/04/2012 4:45:07 PM
Type: information Category: 0
Event: 7035 Source: Service Control Manager
The Remote Access Connection Manager service was successfully sent a start control.

Log: 'System' Date/Time: 12/04/2012 4:45:07 PM
Type: information Category: 0
Event: 7036 Source: Service Control Manager
The Telephony service entered the running state.

Log: 'System' Date/Time: 12/04/2012 4:45:05 PM
Type: information Category: 0
Event: 7035 Source: Service Control Manager
The SSDP Discovery Service service was successfully sent a start control.

Log: 'System' Date/Time: 12/04/2012 4:45:05 PM
Type: information Category: 0
Event: 7036 Source: Service Control Manager
The Fast User Switching Compatibility service entered the running state.

Log: 'System' Date/Time: 12/04/2012 4:45:05 PM
Type: information Category: 0
Event: 7035 Source: Service Control Manager
The Fast User Switching Compatibility service was successfully sent a start control.

Log: 'System' Date/Time: 12/04/2012 4:45:05 PM
Type: information Category: 0
Event: 7036 Source: Service Control Manager
The Terminal Services service entered the running state.

Log: 'System' Date/Time: 12/04/2012 4:45:04 PM
Type: information Category: 0
Event: 7036 Source: Service Control Manager
The Network Location Awareness (NLA) service entered the running state.

Log: 'System' Date/Time: 12/04/2012 4:45:04 PM
Type: information Category: 0
Event: 7035 Source: Service Control Manager
The Network Location Awareness (NLA) service was successfully sent a start control.

Log: 'System' Date/Time: 12/04/2012 4:44:30 PM
Type: information Category: 0
Event: 17 Source: avgntflt
avgntflt.sys version 12.0.21.4 successfully loaded

Log: 'System' Date/Time: 12/04/2012 4:44:30 PM
Type: information Category: 0
Event: 17 Source: avipbb
avipbb.sys version 12.0.50.27 successfully loaded

Log: 'System' Date/Time: 12/04/2012 4:44:30 PM
Type: information Category: 0
Event: 17 Source: avkmgr
avkmgr.sys version 12.0.20.2 successfully loaded

Log: 'System' Date/Time: 12/04/2012 4:44:17 PM
Type: information Category: 0
Event: 6005 Source: EventLog
The Event log service was started.

Log: 'System' Date/Time: 12/04/2012 4:44:17 PM
Type: information Category: 0
Event: 6009 Source: EventLog
Microsoft ® Windows ® 5.01. 2600 Service Pack 3 Multiprocessor Free.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - warning Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'System' Date/Time: 10/04/2012 5:50:48 PM
Type: warning Category: 0
Event: 256 Source: PlugPlayManager
Timed out sending notification of device interface change to window of "SAS window"

Log: 'System' Date/Time: 08/04/2012 8:26:52 PM
Type: warning Category: 0
Event: 36 Source: W32Time
The time service has not been able to synchronize the system time for 49152 seconds because none of the time providers has been able to provide a usable time stamp. The system clock is unsynchronized.

Log: 'System' Date/Time: 06/04/2012 10:58:39 AM
Type: warning Category: 0
Event: 51 Source: Disk
An error was detected on device \Device\Harddisk1\D during a paging operation.

Log: 'System' Date/Time: 06/04/2012 10:58:39 AM
Type: warning Category: 0
Event: 51 Source: Disk
An error was detected on device \Device\Harddisk1\D during a paging operation.

Log: 'System' Date/Time: 06/04/2012 10:55:03 AM
Type: warning Category: 0
Event: 51 Source: Disk
An error was detected on device \Device\Harddisk1\D during a paging operation.

Log: 'System' Date/Time: 06/04/2012 10:55:03 AM
Type: warning Category: 0
Event: 51 Source: Disk
An error was detected on device \Device\Harddisk1\D during a paging operation.

Log: 'System' Date/Time: 06/04/2012 10:33:57 AM
Type: warning Category: 0
Event: 51 Source: Disk
An error was detected on device \Device\Harddisk1\D during a paging operation.

Log: 'System' Date/Time: 06/04/2012 10:33:57 AM
Type: warning Category: 0
Event: 51 Source: Disk
An error was detected on device \Device\Harddisk1\D during a paging operation.

Log: 'System' Date/Time: 02/04/2012 11:10:02 PM
Type: warning Category: 0
Event: 36 Source: W32Time
The time service has not been able to synchronize the system time for 49152 seconds because none of the time providers has been able to provide a usable time stamp. The system clock is unsynchronized.

Log: 'System' Date/Time: 01/04/2012 12:30:49 AM
Type: warning Category: 0
Event: 36 Source: W32Time
The time service has not been able to synchronize the system time for 49152 seconds because none of the time providers has been able to provide a usable time stamp. The system clock is unsynchronized.

Log: 'System' Date/Time: 30/03/2012 8:25:43 PM
Type: warning Category: 0
Event: 36 Source: W32Time
The time service has not been able to synchronize the system time for 49152 seconds because none of the time providers has been able to provide a usable time stamp. The system clock is unsynchronized.

Log: 'System' Date/Time: 29/03/2012 8:20:06 PM
Type: warning Category: 0
Event: 36 Source: W32Time
The time service has not been able to synchronize the system time for 49152 seconds because none of the time providers has been able to provide a usable time stamp. The system clock is unsynchronized.

Log: 'System' Date/Time: 29/03/2012 4:55:57 AM
Type: warning Category: 0
Event: 36 Source: W32Time
The time service has not been able to synchronize the system time for 49152 seconds because none of the time providers has been able to provide a usable time stamp. The system clock is unsynchronized.

Log: 'System' Date/Time: 27/03/2012 8:26:36 PM
Type: warning Category: 0
Event: 36 Source: W32Time
The time service has not been able to synchronize the system time for 49152 seconds because none of the time providers has been able to provide a usable time stamp. The system clock is unsynchronized.

Log: 'System' Date/Time: 26/03/2012 9:06:55 PM
Type: warning Category: 0
Event: 36 Source: W32Time
The time service has not been able to synchronize the system time for 49152 seconds because none of the time providers has been able to provide a usable time stamp. The system clock is unsynchronized.

Log: 'System' Date/Time: 24/03/2012 7:10:17 PM
Type: warning Category: 0
Event: 36 Source: W32Time
The time service has not been able to synchronize the system time for 49152 seconds because none of the time providers has been able to provide a usable time stamp. The system clock is unsynchronized.

Log: 'System' Date/Time: 20/03/2012 9:45:37 PM
Type: warning Category: 0
Event: 36 Source: W32Time
The time service has not been able to synchronize the system time for 49152 seconds because none of the time providers has been able to provide a usable time stamp. The system clock is unsynchronized.

Log: 'System' Date/Time: 17/03/2012 10:59:15 PM
Type: warning Category: 0
Event: 36 Source: W32Time
The time service has not been able to synchronize the system time for 49152 seconds because none of the time providers has been able to provide a usable time stamp. The system clock is unsynchronized.

Log: 'System' Date/Time: 15/03/2012 9:01:43 PM
Type: warning Category: 0
Event: 36 Source: W32Time
The time service has not been able to synchronize the system time for 49152 seconds because none of the time providers has been able to provide a usable time stamp. The system clock is unsynchronized.

Log: 'System' Date/Time: 13/03/2012 10:56:21 PM
Type: warning Category: 0
Event: 36 Source: W32Time
The time service has not been able to synchronize the system time for 49152 seconds because none of the time providers has been able to provide a usable time stamp. The system clock is unsynchronized.
  • 0


#41
maliprog

    Trusted Helper

  • Malware Removal
  • 6,172 posts
We tried to be specific about steps but this is old Word.

Step 1

First make sure Word is closed.
Go to Start then Search
Click on All files and folders
Click on More advanced options and select System and Hidden files
Search for normal.dot
Rename all normal.dot to anormal.dot

Please copy and paste anormal.dot to C:\ so I can take a sample of it and check it for any macros. Let me know when you do so.

Step 2

Start Word by clicking on the Word icon
Do not start it by double-clicking .doc files

On the Tools menu, click Options.
Click the Save tab.
Click the Prompt to save Normal template check box.


Next...

On the Tools menu, click Options.
Click the Security tab.
Under Macro Security, click Macro Security.
Click the Security Level tab, and then select the highest security level.

Then close Word and save the normal template.

Step 3

Time to open documents.

Now open a Word doc that had problems. Does Word complain about macros? Does it open the document?
  • 0
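One way a renamed template sample such as anormal.dot can be checked for macros offline, as an added example that is not part of the original post or any tool used in this thread: Word 97-2003 files are OLE2 compound files, and a VBA project shows up as a `Macros` storage holding a `VBA` storage with a `_VBA_PROJECT` stream. The function names and the two sample files are constructed for this illustration.

```python
import struct

OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")
FATSECT, ENDOFCHAIN, FREESECT = 0xFFFFFFFD, 0xFFFFFFFE, 0xFFFFFFFF
KINDS = {1: "storage", 2: "stream", 5: "root"}


def list_ole_entries(data):
    """Return [(name, kind)] for each directory entry of an OLE2 file."""
    if len(data) < 512 or data[:8] != OLE_MAGIC:
        raise ValueError("not an OLE2 compound file")
    shift, = struct.unpack_from("<H", data, 30)
    if shift not in (9, 12):
        raise ValueError("unexpected sector size")
    ssz = 1 << shift
    first_dir, = struct.unpack_from("<I", data, 48)
    first_difat, n_difat = struct.unpack_from("<II", data, 68)

    def sector(n):
        off = (n + 1) * ssz          # sector 0 starts right after the header
        if off >= len(data):
            raise ValueError("sector %#x lies outside the file" % n)
        return data[off:off + ssz].ljust(ssz, b"\0")

    # FAT sector numbers: 109 in the header, the rest in chained DIFAT sectors.
    difat, nxt = list(struct.unpack_from("<109I", data, 76)), first_difat
    for _ in range(min(n_difat, len(data) // ssz)):
        ext = struct.unpack("<%dI" % (ssz // 4), sector(nxt))
        difat, nxt = difat + list(ext[:-1]), ext[-1]
    fat = []
    for s in difat:
        if s != FREESECT:
            fat += struct.unpack("<%dI" % (ssz // 4), sector(s))
    # Walk the directory chain; each 128-byte entry holds a UTF-16 name,
    # its length in bytes (offset 64) and the object type (offset 66).
    entries, sect, seen = [], first_dir, set()
    while sect != ENDOFCHAIN:
        if sect in seen or sect >= len(fat):
            raise ValueError("corrupt directory chain")
        seen.add(sect)
        raw = sector(sect)
        for i in range(0, ssz, 128):
            name_len, kind = struct.unpack_from("<HB", raw, i + 64)
            if kind in KINDS and 2 <= name_len <= 64:
                name = raw[i:i + name_len - 2].decode("utf-16-le", "replace")
                entries.append((name, KINDS[kind]))
        sect = fat[sect]
    return entries


def vba_indicators(data):
    """Entry names showing that a VBA project is stored in the file."""
    return [name for name, kind in list_ole_entries(data)
            if (kind == "storage" and name.lower() in ("macros", "vba"))
            or (kind == "stream" and name.lower() == "_vba_project")]


def build_sample(entries):
    """Constructed input: header, one FAT sector, one directory sector."""
    hdr = bytearray(512)
    hdr[:8] = OLE_MAGIC
    struct.pack_into("<5H", hdr, 24, 0x3E, 3, 0xFFFE, 9, 6)
    struct.pack_into("<II", hdr, 44, 1, 1)    # 1 FAT sector, directory in sector 1
    struct.pack_into("<II", hdr, 68, ENDOFCHAIN, 0)           # no DIFAT chain
    struct.pack_into("<109I", hdr, 76, 0, *[FREESECT] * 108)  # FAT = sector 0
    directory = bytearray(512)
    for i, (name, kind) in enumerate(entries):                # at most 4 fit
        raw = name.encode("utf-16-le") + b"\0\0"
        directory[i * 128:i * 128 + len(raw)] = raw
        struct.pack_into("<HB", directory, i * 128 + 64, len(raw), kind)
    fat = struct.pack("<128I", FATSECT, ENDOFCHAIN, *[FREESECT] * 126)
    return bytes(hdr) + fat + bytes(directory)


SAMPLE_WITH_MACROS = build_sample(
    [("Root Entry", 5), ("Macros", 1), ("VBA", 1), ("_VBA_PROJECT", 2)])
SAMPLE_CLEAN = build_sample(
    [("Root Entry", 5), ("WordDocument", 2), ("1Table", 2)])
```

For a real file, pass `open(path, "rb").read()` to `vba_indicators`. A hit only means a VBA project is present in the template; it says nothing about what the code does.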

#42
trampas

    Member

  • Topic Starter
  • Member
  • 99 posts
Hi maliprog

Thanks for the last post. I already renamed Normal.dot for both users and allowed WORD to create a new file called Normal.dot in each case. The first Normal.dot is the one that seemed to be spreading the WORD virus/feature from one DOC file to another. The second one I made read-only very soon after it was generated. So I don't think it could have been modified by any actions after that.

I'm thinking that you'll be interested in the first Normal.dot for testing. If you could confirm I'll make that file available in c:\.

I still need to perform step 2b and 3.

trampas

Edited by trampas, 12 April 2012 - 07:16 AM.

  • 0

#43
trampas

    Member

  • Topic Starter
  • Member
  • 99 posts
Hi maliprog

I have interesting news on file corruptions and also on WORD 'save changes'.

I had some more file corruptions which prompted me to load the RAID Tool utility. It was back in 2005 when I last ran this and, in fact, whenever I've rebuilt my PC over the last 2 or 3 years I'd never reloaded this tool. So I loaded it from the CD.

When I ran it I checked the mirror disk and found it was not synchronised with the source. So I synchronised it. I thought it would be a good idea to search for bad sectors on each disk individually. I'd been prompted to try this, having found this comment on a forum :

"When working with arrays it is better to use the array controller (or SAN) to check for bad sectors as the controller has access to the physical disks and can check them one at a time."

However, I've not found any way to do this using the VIA RAID Tool. Having said that I've not noticed any further file corruption issues. I may need to come back to this but the unanswered questions are :
- How did the mirror come to be unsynchronised ?
- Does synchronising the mirror provide relief to the corruption issues ? If so, why ?
- How can I perform a chkdsk or equivalent on each disk ?

I performed steps 1-3 in your last post. Although there was no active Normal.dot file (as per step 1) when I came to step 2 I found that 'prompt to save normal template' was already checked. This is different to what I've found in the past and I can't explain it.

In step 2B the Security Level was already set to the highest level. This was not a surprise. I exited WORD and saved the new Normal.dot.

After that when I opened any WORD doc there were no messages about macros and every file opened without issue. Those which were displaying the 'save changes' issue before still were and those which weren't, still weren't.

Here's the new bit. If you tell WORD not to label text with smart tags the 'save changes' issue disappears ! It's documented in the MS article and in several forums (Tools> AutoCorrect Options> Smart Tags). If you know that you need to search for 'smart tags' it's quite easy to find (Thanks Microsoft!!!!)
http://support.microsoft.com/kb/816473

Some curiosities :
- the 'label text with smart tags' setting just mentioned is not stored in Normal.dot but it does affect every DOC on my PC as soon as the setting is changed.
- if I turn smart tags back on the problem that I used to have doesn't return (not so far)
- if a file is passed from one PC to another and opened in WORD, then saved, can that action alter the 'label text with smart tags' setting on the second PC ?

Maybe the configuration for smart tags is in another global WORD file or maybe it's in the registry. On another matter I've read that RTF files don't support smart tags so that could explain how I got my interim fix.

Possibly good news all round :))

I wondered what your thoughts were on these findings but more so regarding checking the RAID mirror disk for bad sectors. On the CD I also found this utility :
Mass_Tool\DIG6410.EXE

This is a VIA VT6410 RAID Controller Testing Program but I've little information on how to use it. I don't actually believe it would help with what I'd like to do but thought I'd just mention it.

trampas

Edited by trampas, 12 April 2012 - 06:51 PM.

  • 0

#44
trampas

    Member

  • Topic Starter
  • Member
  • 99 posts
Hmmmm

Connected the PC to the internet. Took some MS and Avira updates. The MS updates required a reboot after their download so I did that. Then ran Avira scan ....

Virus detected 13 April 2012
File C:\System Volume Information ... \A0019439.com
TR/Crypt.PEPM.Gen

This virus could've been downloaded whilst the PC was connected to the internet, but by what ?

The virus has been quarantined.

t.

Edited by trampas, 13 April 2012 - 03:18 AM.

  • 0

#45
maliprog

    Trusted Helper

  • Malware Removal
  • 6,172 posts
That malware is in System Restore and it can't harm you now. We will remove it from there at the end of this fix.

Please stay tuned while I check something and get back to you soon.
  • 0





