Windows 7: SFC Warning

22 May 2013   #21
tom982
Microsoft Community Contributor Award Recipient
Windows 8.1 Pro x64

Quote: Originally Posted by Kaktussoft
Is the faulty symlink always MpEvMsg.dll, or is this just an example?

In case it's always MpEvMsg.dll:
  1. delete the symlink
  2. reinstall Microsoft Security Essentials
Of course this doesn't remove ZeroAccess, but fixes the SFC problem(?) Or is this not the whole story?
It's always on MpEvMsg.dll, but there are many other files. I can't go into any details on the security side of things I'm afraid, as I haven't finished my training yet. I just wanted to give you guys a heads up if you see SFC failing with this error.


23 May 2013   #22
tiberriver256
Windows Vista 32 bit

ESET Removal Tool

Hey guys, I hardly ever post but I thought this may help others with this particular problem. The ESET Sirefef removal tool does find and fix these symbolic links. You may have to run it with the /r switch to get it to repair the files if the main zaccess infection has already been removed.
23 May 2013   #23
cottonball
Windows 7 Home Premium

@Kaktussoft

Never thought of ZeroAccess as a story, but, your comment made me laugh. It is a story, and a long one!!


From what I have read...

The new ZeroAccess Rootkit variant can get in the system, make a mess of some services, and then go after the Microsoft Security Client and Windows Defender to set symbolic links.

If I understand correctly, looking into these gives a clue:
C:\Program Files\Microsoft Security Client\MpEvMsg.dll
C:\Program Files\Windows Defender\MpSvc.dll

Unfortunately, the above is "not the whole story"...

...the story continues, and using WD as an example, you need to find and remove the symbolic links on the files of Windows Defender. Then, turn the page of the storybook, for the previous is not enough. The files' altered permissions need to be reset!



There are now some tools that will take care of the problem, either entirely, or to some extent.

We can be sure tool developers are working incessantly to give this new ZeroAccess story, like many times before, a good ending.
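A read-only check that an administrator could run before and after a cleanup, added here as an example (it is not part of the thread or of any of the tools mentioned): it walks the two directories named above and reports any DLL that is a reparse point, fails Authenticode verification, or carries a Deny entry in its ACL. It assumes PowerShell 5.1 or later for the link .Target property and the default Program Files paths.

```powershell
# Added example, not from the thread or from any vendor tool.
# Looks for the symptoms described in the thread: a Defender / Security Client
# DLL that has become a reparse point (symbolic link), whose Authenticode
# signature therefore no longer verifies, or whose ACL has been altered.
# Run from an elevated PowerShell prompt (5.1+ for the .Target property).
# It only reports; it does not delete links or change permissions.

$dirs = @(
    "$env:ProgramFiles\Windows Defender",            # MpSvc.dll lives here
    "$env:ProgramFiles\Microsoft Security Client"    # MpEvMsg.dll lives here
)

function Test-SecurityClientFile {
    param([Parameter(Mandatory)][string]$Path)
    $item   = Get-Item -LiteralPath $Path -Force
    $isLink = [bool]($item.Attributes -band [IO.FileAttributes]::ReparsePoint)
    $sig    = Get-AuthenticodeSignature -LiteralPath $Path
    $acl    = Get-Acl -LiteralPath $Path -ErrorAction SilentlyContinue
    [PSCustomObject]@{
        Path      = $Path
        IsLink    = $isLink
        Target    = if ($isLink) { $item.Target } else { $null }
        Signature = $sig.Status        # 'Valid' is expected for a genuine Microsoft DLL
        Owner     = $acl.Owner
        Deny      = ($acl.Access |
                     Where-Object { $_.AccessControlType -eq 'Deny' } |
                     ForEach-Object { $_.IdentityReference }) -join ', '
    }
}

$results = foreach ($dir in $dirs) {
    if (-not (Test-Path -LiteralPath $dir)) { continue }
    Get-ChildItem -LiteralPath $dir -Recurse -Force -File -Filter *.dll |
        ForEach-Object { Test-SecurityClientFile -Path $_.FullName }
}

# Anything that is a link, is not validly signed, or carries a Deny ACE deserves a look.
$results |
    Where-Object { $_.IsLink -or $_.Signature -ne 'Valid' -or $_.Deny } |
    Format-Table -AutoSize
```

An empty table after the cleanup tool has run is the result you want; a row with IsLink set to True is the same condition that makes SFC fail on these files.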

23 May 2013   #24
tom982
Microsoft Community Contributor Award Recipient
Windows 8.1 Pro x64

Quote: Originally Posted by tiberriver256
Hey guys, I hardly ever post but I thought this may help others with this particular problem. The ESET Sirefef removal tool does find and fix these symbolic links. You may have to run it with the /r switch to get it to repair the files if the main zaccess infection has already been removed.
Hi tiberriver256,

Thank you so much for taking the time to sign up here to let me know about this tool! I really appreciate your efforts. I have passed this information on, including the logs of it purging ZeroAccess from my VM, to the security community, and this should really aid us in the fight.

Thanks again,

Tom
23 May 2013   #25
Britton30
Microsoft MVP
Windows 7 Ultimate X64 SP1

Quote: Originally Posted by tom982
Quote: Originally Posted by tiberriver256
Hey guys, I hardly ever post but I thought this may help others with this particular problem. The ESET Sirefef removal tool does find and fix these symbolic links. You may have to run it with the /r switch to get it to repair the files if the main zaccess infection has already been removed.
Hi tiberriver256,

Thank you so much for taking the time to sign up here to let me know about this tool! I really appreciate your efforts. I have passed this information on, including the logs of it purging ZeroAccess from my VM, to the security community, and this should really aid us in the fight.

Thanks again,

Tom
How does this work? Is the Sirefef removal tool a command line tool?
23 May 2013   #26
cottonball
Windows 7 Home Premium

Britton30,

Quote:
Is the Sirefef removal tool a command line tool?
The answer is No and Yes!! Not trying to confuse you!!

The ESETSirefefCleaner tool is run like any other tool, double-click, and follow a certain routine, etc.

However, once done, if the system still has problems, you go to an elevated command prompt, and run the tool in manual repair mode: /r

I have not used this tool, and do not know whether it addresses MSE, or whether it resets the permissions of all the files affected in WD and MSE.

Tom might give it a whirl in his VM...
23 May 2013   #27
Britton30
Microsoft MVP
Windows 7 Ultimate X64 SP1

Thanks, I'm totally unfamiliar with running stuff from the command line.
23 May 2013   #28
cottonball
Windows 7 Home Premium

If you keep it kind of basic, it's not difficult, once you get the hang of it. Bet you could do it if you wanted to.

If it goes beyond some basics, it is not for me either.

Messing with rootkits is kind of a post and pray deal. There are no guarantees.
24 May 2013   #29
tom982
Microsoft Community Contributor Award Recipient
Windows 8.1 Pro x64

Quote: Originally Posted by cottonball
If you keep it kind of basic, it's not difficult, once you get the hang of it. Bet you could do it if you wanted to.

If it goes beyond some basics, it is not for me either.

Messing with rootkits is kind of a post and pray deal. There are no guarantees.
I thought ZeroAccess wasn't a rootkit any more? I suppose it depends how you define a rootkit, but I don't think user mode 'rootkits' are real rootkits. It switched to user mode in the last variant, and I'm pretty sure this is the same because I can't see a driver anywhere.


Major shift in strategy for ZeroAccess rootkit malware, as it shifts to user-mode | Naked Security
24 May 2013   #30
Fett
Windows 7 Pro 32

Hey guys, I created an account on here just to post to this thread. I was having this same problem: SFC would not complete due to these Windows Defender/MSE files having an issue. I ran the ESET Sirefef remover tool with the /r option and it was able to fix the issue with these files. SFC now completes (it actually didn't even need to complete to fix my overall issue; once these files were repaired, my main issue was resolved).

Just wanted to say thanks, I've been working this for hours.