Windows 7: "Resource protection found corrupt files..."

"but was unable to fix some of them."

Ok, I have a machine that was hit by a root kit, that's all removed now, but it will not boot...gets a 0000007B BSD error so I start in repair mode which creates an X: ram disk to operate from. When I get to a command propmt and run the SFC with OFFLINE options I get the above message which tells me to look in the Windows/LOGS/CBS/CBS.log file. The one on the C: was HUGE so I renamed it and ran SFC again. Hmmm no CBS.log was created this time either. I check the value of %windir% and it pointed to X:/Windows nope no CBS.log there either. Set the %windir varible to c:\windows and ran SFC AGAIN and guess what.... nothing.

WTH is going on here? If I knew what files were corrupted I could replace them manually but by not having a verbose mode in SFC I am lost.

HELLPPPPPP!

One thread I found says the cbs.log file is hidden so you need to remove the hidden attribute before you can see it.

cd \windows\logs
attrib -h cbs.log
notepad cbs.log


Another way is to redirect the log to a different location:

set WINDOWS_TRACING_LOGFILE=C:\TEMP\CBS.log
run sfc
Log will be in C:\TEMP\CBS.log

Above from this thread: SFC logs when running from a repair disk

Thanks that worked, now I have to find the find command that just displays failed files.
FIND "[SR]" CBS.LOG returns a lot of lines so I tried searching for "FAILED", "ERROR" and anything else I could think of to not avail.

I have not found a string to search for to find out what failed to be replaced but there are these entries...but they don't look like failed replacements either.


0000b7db [SR] Verify complete
0000b7dc [SR] Verifying 1 components
0000b7dd [SR] Beginning Verify and Repair transaction
0000b7de Repair results created:
POQ 11699 starts:
0: Move File: Source = [l:192{96}]"\SystemRoot\WinSxS\Temp\PendingRenames\892a58685213cd01db3c000058035003._0000000000000000.cdf-ms", Destination = [l:110{55}]"\??\C:\Windows\WinSxS\FileMaps\_0000000000000000.cdf-ms"
1: Move File: Source = [l:228{114}]"\SystemRoot\WinSxS\Temp\PendingRenames\49ed5c685213cd01dc3c000058035003.program_files_x86__676bbe2c 7241b694.cdf-ms", Destination = [l:146{73}]"\??\C:\Windows\WinSxS\FileMaps\program_files_x86__676bbe2c7241b694.cdf-ms"
2: Move File: Source = [l:252{126}]"\SystemRoot\WinSxS\Temp\PendingRenames\a94e5f685213cd01dd3c000058035003.program_files_x86_common_fi les_dfa3680ec228c528.cdf-ms", Destination = [l:170{85}]"\??\C:\Windows\WinSxS\FileMaps\program_files_x86_common_files_dfa3680ec228c528.cdf-ms"
3: Move File: Source = [l:286{143}]"\SystemRoot\WinSxS\Temp\PendingRenames\a94e5f685213cd01de3c000058035003.program_files_x86_common_fi les_microsoft_shared_635c287ec97ec0a5.cdf-ms", Destination = [l:204{102}]"\??\C:\Windows\WinSxS\FileMaps\program_files_x86_common_files_microsoft_shared_635c287ec97ec0a5 .cdf-ms"
4: Move File: Source = [l:294{147}]"\SystemRoot\WinSxS\Temp\PendingRenames\a94e5f685213cd01df3c000058035003.program_files_x86_common_fi les_microsoft_shared_ink_9d0caff456d5ade1.cdf-ms", Destination = [l:212{106}]"\??\C:\Windows\WinSxS\FileMaps\program_files_x86_common_files_microsoft_shared_ink_9d0caff456d5ade1 .cdf-ms"
5: Move File: Source = [l:302{151}]"\SystemRoot\WinSxS\Temp\PendingRenames\a94e5f685213cd01e03c000058035003.program_files_x86_common_fi les_microsoft_shared_ink_1.0_5645a6a00c765d40.cdf-ms", Destination = [l:220{110}]"\??\C:\Windows\WinSxS\FileMaps\program_files_x86_common_files_microsoft_shared_ink_1.0_5645a6a00c76 5d40.cdf-ms"
6: Set File Information: File = [l:128{64}]"\??\C:\Program Files (x86)\Common Files\Microsoft Shared\Ink\1.0", Attributes = 00000080
POQ 11699 ends.

The strings you would look for is "corrupted" and "repairing" it appears I have only two files that failed
mfplay.dll
MxdwGc.exe
Here is what the log looks like for mfplay.dll

00003e17 Hashes for file member \??\C:\Windows\WinSxS\amd64_microsoft-windows-mfplay_31bf3856ad364e35_6.1.7600.16385_none_529f186c6d26d7ee\MFPlay.dll do not match actual file [l:20{10}]"MFPlay.dll" :
Found: {l:32 b:OrV3sP+tcU4j+PWipVCkifAmEDOWO20oMGEIl0B4xfk=} Expected: {l:32 b:UbkrU7hv7h02FMBf6tImB1QVRaoysQsJA8uboNmHhDI=}
00003e18 [SR] Cannot repair member file [l:20{10}]"MFPlay.dll" of Microsoft-Windows-MFPlay, Version = 6.1.7600.16385, pA = PROCESSOR_ARCHITECTURE_AMD64 (9), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, hash mismatch
00003e19 Hashes for file member \??\C:\Windows\WinSxS\amd64_microsoft-windows-mfplay_31bf3856ad364e35_6.1.7600.16385_none_529f186c6d26d7ee\MFPlay.dll do not match actual file [l:20{10}]"MFPlay.dll" :
Found: {l:32 b:OrV3sP+tcU4j+PWipVCkifAmEDOWO20oMGEIl0B4xfk=} Expected: {l:32 b:UbkrU7hv7h02FMBf6tImB1QVRaoysQsJA8uboNmHhDI=}
00003e1a [SR] Cannot repair member file [l:20{10}]"MFPlay.dll" of Microsoft-Windows-MFPlay, Version = 6.1.7600.16385, pA = PROCESSOR_ARCHITECTURE_AMD64 (9), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, hash mismatch
00003e1b [SR] This component was referenced by [l:178{89}]"Microsoft-Media-Foundation-Package~31bf3856ad364e35~amd64~~6.1.7600.16385.MediaFoundation"
00003e1c Hashes for file member \??\C:\Windows\System32\MFPlay.dll do not match actual file [l:20{10}]"MFPlay.dll" :
Found: {l:32 b:OrV3sP+tcU4j+PWipVCkifAmEDOWO20oMGEIl0B4xfk=} Expected: {l:32 b:UbkrU7hv7h02FMBf6tImB1QVRaoysQsJA8uboNmHhDI=}
00003e1d Hashes for file member \??\C:\Windows\WinSxS\amd64_microsoft-windows-mfplay_31bf3856ad364e35_6.1.7600.16385_none_529f186c6d26d7ee\MFPlay.dll do not match actual file [l:20{10}]"MFPlay.dll" :
Found: {l:32 b:OrV3sP+tcU4j+PWipVCkifAmEDOWO20oMGEIl0B4xfk=} Expected: {l:32 b:UbkrU7hv7h02FMBf6tImB1QVRaoysQsJA8uboNmHhDI=}
00003e1e [SR] Could not reproject corrupted file [ml:520{260},l:46{23}]"\??\C:\Windows\System32"\[l:20{10}]"MFPlay.dll"; source file in store is also corrupted
00003e1f Repair results created:

Work through these steps to confirm infection is gone (unlikely) and run SFC from Command Line repeatedly, then attempt to repair boot if necessary: Troubleshooting Windows 7 Failure to Boot - Windows 7 Forums

But even if it starts a rootkit often cannot be cleaned up and requires running Factory Recovery or Recov disks or getting a superior Clean Reinstall - Factory OEM.
HP Recover Windows 7 Operating System Using HP Recovery - HP Customer Care (United States - English) Windows 7

There are steps in first blue link to copy out any stranded files, but keep in mind these need to be quarantined until scanned repeatedly by Malwarebytes and your AV.