Windows 7: SFC Warning

20 May 2013   #1
tom982

Hi guys,

As we commonly use SFC to troubleshoot problems across the board, I think it's best that you're aware of how the latest variant of the ZeroAccess malware interferes with SFC.

If SFC fails (and not just says it found corrupt files, it has to fail), ask for the full CBS log, not sfcdetails.txt! Scroll to the bottom and at the end of the SFC log, you should see why it failed. If you see something like this:

Code:
2013-05-18 16:51:23, Info                  CSI    000001ee [SR] Verifying 100 (0x00000064) components
2013-05-18 16:51:23, Info                  CSI    000001ef [SR] Beginning Verify and Repair transaction
2013-05-18 16:51:39, Error                 CSI    000001f0 (F) STATUS_FILE_IS_A_DIRECTORY #4676410# from Windows::Rtl::SystemImplementation::DirectFileSystemProvider::SysCreateFile(flags = (AllowFileNotFound|AllowSharingViolation|AllowAccessDenied), handle = {provider=NULL, handle=0}, da = (SYNCHRONIZE|FILE_READ_ATTRIBUTES|FILE_READ_DATA), oa = @0xe6ea1c->OBJECT_ATTRIBUTES {s:24; rd:NULL; on:[129]"\SystemRoot\WinSxS\x86_security-malware-windows-defender-events_31bf3856ad364e35_6.0.6000.16386_none_b3613e39beae266f\MpEvMsg.dll"; a:(OBJ_CASE_INSENSITIVE)}, iosb = @0xe6e9d4, as = (null), fa = 0, sa = (FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE), cd = FILE_OPEN, co = (FILE_NON_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT), eab = NULL, eal = 0, disp = Invalid)
[gle=0xd00000ba]
2013-05-18 16:51:39, Error                 CSI    000001f1@2013/5/18:15:51:39.437 (F) d:\longhorn\base\wcp\sil\merged\ntu\ntsystem.cpp(1849): Error STATUS_FILE_IS_A_DIRECTORY originated in function Windows::Rtl::SystemImplementation::DirectFileSystemProvider::SysCreateFile expression: (null)
[gle=0x80004005]
2013-05-18 16:51:48, Error                 CSI    000001f2 (F) STATUS_FILE_IS_A_DIRECTORY #4676409# from Windows::Rtl::SystemImplementation::CDirectory::OpenExistingFile(...)[gle=0xd00000ba]
2013-05-18 16:51:48, Error                 CSI    000001f3 (F) STATUS_FILE_IS_A_DIRECTORY #4676408# from Windows::Rtl::SystemImplementation::CDirectory_IRtlDirectoryTearoff::OpenExistingFile(flags = (MissingFileIsOk|SharingViolationIsOk|AccessDeniedIsOk), da = (SYNCHRONIZE|FILE_READ_DATA), oa = @0xe6ebc4->SIL_OBJECT_ATTRIBUTES {s:20; on:"MpEvMsg.dll"; a:(OBJ_CASE_INSENSITIVE)}, sa = (FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE), oo = (FILE_SYNCHRONOUS_IO_NONALERT|FILE_NON_DIRECTORY_FILE), file = NULL, disp = Invalid)
[gle=0xd00000ba]
in particular the STATUS_FILE_IS_A_DIRECTORY error, then it is almost a certainty that the user is infected with ZeroAccess.

For those of you who are interested, it has symbolically linked many files associated with Windows Defender and/or MSE to a completely different folder, hence blocking access:

Code:
Microsoft Windows [Version 6.0.6002]
Copyright © 2006 Microsoft Corporation. All rights reserved.

C:\Windows\system32>dir C:\Windows\WinSxS\x86_security-malware-windows-defender-
events_31bf3856ad364e35_6.0.6000.16386_none_b3613e39beae266f\
Volume in drive C has no label.
Volume Serial Number is 7378-680D

Directory of C:\Windows\WinSxS\x86_security-malware-windows-defender-events_31b
f3856ad364e35_6.0.6000.16386_none_b3613e39beae266f

02/11/2006 13:35 <DIR> .
02/11/2006 13:35 <DIR> ..
02/11/2006 13:35 <SYMLINK> MpEvMsg.dll [c:\windows\system32\config]
1 File(s) 65,640 bytes
2 Dir(s) 20,953,784,320 bytes free

C:\Windows\system32>
So any calls to C:\Windows\WinSxS\x86_security-malware-windows-defender-events_31bf3856ad364e35_6.0.6000.16386_none_b3613e39beae266f\MpEvMsg.dll are being redirected to c:\windows\system32\config, which is why SFC is returning a STATUS_FILE_IS_A_DIRECTORY error.

Tom


20 May 2013   #2
gregrocker

Thanks Tom.

Does MB or MSE detect it yet, or does MSE get compromised too as per Defender?
20 May 2013   #3
tom982

I'm not sure, but the dropper does get detected by MSE:

SFC Warning-mse.png

Encyclopedia entry: TrojanDropper:Win32/Sirefef.gen!E - Learn more about malware - Microsoft Malware Protection Center


The dropper is very sneaky actually. I'll post a video of it after lunch.



20 May 2013   #4
x BlueRobot


Thanks Tom, will be useful
20 May 2013   #5
Britton30

Quote:
2013-05-18 16:51:39, Error CSI 000001f1@2013/5/18:15:51:39.437 (F) d:\longhorn\base\wcp\sil\merged\ntu\ntsystem.cpp(1849): Error STATUS_FILE_IS_A_DIRECTORY originated in function Windows::Rtl::SystemImplementation::DirectFileSystemProvider::SysCreateFile expression: (null)
[gle=0x80004005]
"Longhorn" was the code name of Vista before the real name was announced, is that significant?

What is the log in your 2nd code box?

Thanks for the heads up mate!
20 May 2013   #6
tom982

My pleasure, Harry.


Quote: Originally Posted by Britton30
2013-05-18 16:51:39, Error CSI 000001f1@2013/5/18:15:51:39.437 (F) d:\longhorn\base\wcp\sil\merged\ntu\ntsystem.cpp(1849): Error STATUS_FILE_IS_A_DIRECTORY originated in function Windows::Rtl::SystemImplementation::DirectFileSystemProvider::SysCreateFile expression: (null)
[gle=0x80004005]
"Longhorn" was the code name of Vista before the real name was announced, is that significant?

What is the log in your 2nd code box?

Thanks for the heads up mate!
When SFC fails to complete, it writes errors very similar to that to the CBS log. Here's a common one:


Code:
2013-01-28 12:44:48, Info                  CBS    Failed to get CSI store. [HRESULT = 0x80070002 - ERROR_FILE_NOT_FOUND]
2013-01-28 12:44:48, Error                 CBS    Failed to initialize store parameters with boot drive:  and windows directory:  [HRESULT = 0x80070002 - ERROR_FILE_NOT_FOUND]
2013-01-28 12:44:51, Error                 CSI    00000ec1 (F) STATUS_OBJECT_NAME_NOT_FOUND #46850892# from Windows::Rtl::SystemImplementation::DirectRegistryProvider::SysOpenKey(flg = (AllowAccessDenied), key = {provider=NULL, handle=0}, da = (KEY_READ|DELETE|KEY_WOW64_64KEY), oa = @0x290ce50->OBJECT_ATTRIBUTES {s:48; rd:NULL; on:[217]"\Registry\Machine\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft-windows-g..ebuild-search-index_31bf3856ad364e35_none_6bd558451d4e7a1e\v!6.1.7601.21720"; a:(OBJ_CASE_INSENSITIVE)}, disp = Unmapped disposition: 43044336 (0x0290cdf0))[gle=0xd0000034]
2013-01-28 12:44:51, Error                 CSI    00000ec2@2013/1/28:12:44:51.279 (F) d:\win7sp1_gdr\base\wcp\sil\merged\ntu\ntsystem.cpp(3676): Error STATUS_OBJECT_NAME_NOT_FOUND originated in function Windows::Rtl::SystemImplementation::DirectRegistryProvider::SysOpenKey expression: (null)
[gle=0x80004005]
2013-01-28 12:44:51, Error                 CSI    00000ec3 (F) STATUS_OBJECT_NAME_NOT_FOUND #46850891# from Windows::Rtl::SystemImplementation::DirectRegistryProvider::SysOpenKey(flg = 0, key = {provider=NULL, handle=0}, da = (KEY_READ|DELETE|KEY_WOW64_64KEY), oa = @0x290ce50->OBJECT_ATTRIBUTES {s:48; rd:NULL; on:[217]"\Registry\Machine\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft-windows-g..ebuild-search-index_31bf3856ad364e35_none_6bd558451d4e7a1e\v!6.1.7601.21720"; a:(OBJ_CASE_INSENSITIVE)}, disp = Unmapped disposition: 43045400 (0x0290d218))[gle=0xd0000034]
2013-01-28 12:44:51, Error                 CSI    00000ec4@2013/1/28:12:44:51.319 (F) d:\win7sp1_gdr\base\wcp\sil\merged\ntu\ntsystem.cpp(3676): Error STATUS_OBJECT_NAME_NOT_FOUND originated in function Windows::Rtl::SystemImplementation::DirectRegistryProvider::SysOpenKey expression: (null)
[gle=0x80004005]
2013-01-28 12:44:51, Error                 CSI    00000ec5 (F) STATUS_OBJECT_NAME_NOT_FOUND #46850890# from Windows::Rtl::SystemImplementation::CKey::OpenExistingKey(f = 2, da = (KEY_READ|DELETE), oa = @0x290d2b0, key = NULL, disp = (null))[gle=0xd0000034]
2013-01-28 12:44:51, Error                 CSI    00000ec6 (F) STATUS_OBJECT_NAME_NOT_FOUND #46850864# from Windows::Rtl::SystemImplementation::CKey::DeleteRecursively(...)[gle=0xd0000034]
2013-01-28 12:44:51, Error                 CSI    00000ec7 (F) STATUS_OBJECT_NAME_NOT_FOUND #46775063# from Windows::Rtl::SystemImplementation::CKey::DeleteRecursively(...)[gle=0xd0000034]
2013-01-28 12:44:51, Info                  CBS    Failed to get CSI store. [HRESULT = 0x80070002 - ERROR_FILE_NOT_FOUND]
2013-01-28 12:44:51, Error                 CBS    Failed to initialize store parameters with boot drive:  and windows directory:  [HRESULT = 0x80070002 - ERROR_FILE_NOT_FOUND]

But notice this is failing with ERROR_FILE_NOT_FOUND, which is a perfectly acceptable reason for SFC to fail.


I've never understood what it means when it references these C++ definitions, but Vista and 7 are so similar internally that it wouldn't surprise me if this is just a leftover from Vista that they didn't need to change.


d:\longhorn\base\wcp\sil\merged\ntu\ntsystem.cpp
d:\win7sp1_gdr\base\wcp\sil\merged\ntu\ntsystem.cpp


The second codebox shows that a hardlink exists on that file, confirming that's why SFC failed:


Code:
Microsoft Windows [Version 6.0.6002]
Copyright © 2006 Microsoft Corporation. All rights reserved.


C:\Windows\system32>dir C:\Windows\WinSxS\x86_security-malware-windows-defender-
events_31bf3856ad364e35_6.0.6000.16386_none_b3613e39beae266f\
Volume in drive C has no label.
Volume Serial Number is 7378-680D


Directory of C:\Windows\WinSxS\x86_security-malware-windows-defender-events_31b
f3856ad364e35_6.0.6000.16386_none_b3613e39beae266f


02/11/2006 13:35 <DIR> .
02/11/2006 13:35 <DIR> ..
02/11/2006 13:35 <SYMLINK> MpEvMsg.dll [c:\windows\system32\config]
1 File(s) 65,640 bytes
2 Dir(s) 20,953,784,320 bytes free


C:\Windows\system32>

The <SYMLINK> represents a symbolic link, which essentially redirects calls to this file to another location - in this case C:\Windows\system32\config.


Tom
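As an added example (not code from this thread or from any tool it mentions), a small Python triage script that applies the rule from Tom's two posts: it parses CBS.log lines, pulls out the NT status or HRESULT name and the object path, flags STATUS_FILE_IS_A_DIRECTORY on a path under WinSxS as the redirected-DLL pattern, and treats the file-not-found failures as the ordinary kind. The sample log is constructed from trimmed copies of the lines quoted above.

```python
import re
# Constructed sample: trimmed copies of the CBS.log lines quoted in this thread.
SAMPLE_CBS_LOG = r"""2013-05-18 16:51:23, Info                  CSI    000001ef [SR] Beginning Verify and Repair transaction
2013-05-18 16:51:39, Error                 CSI    000001f0 (F) STATUS_FILE_IS_A_DIRECTORY #4676410# from Windows::Rtl::SystemImplementation::DirectFileSystemProvider::SysCreateFile(oa = @0xe6ea1c->OBJECT_ATTRIBUTES {s:24; rd:NULL; on:[129]"\SystemRoot\WinSxS\x86_security-malware-windows-defender-events_31bf3856ad364e35_6.0.6000.16386_none_b3613e39beae266f\MpEvMsg.dll"; a:(OBJ_CASE_INSENSITIVE)}, disp = Invalid)
[gle=0xd00000ba]
2013-01-28 12:44:48, Error                 CBS    Failed to initialize store parameters with boot drive:  and windows directory:  [HRESULT = 0x80070002 - ERROR_FILE_NOT_FOUND]
2013-01-28 12:44:51, Error                 CSI    00000ec1 (F) STATUS_OBJECT_NAME_NOT_FOUND #46850892# from Windows::Rtl::SystemImplementation::DirectRegistryProvider::SysOpenKey(...)[gle=0xd0000034]
"""

LINE_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d), (\w+)\s+(CSI|CBS)\s+(.*)$")
STATUS_RE = re.compile(r"\(F\) (STATUS_\w+)|- (ERROR_\w+)\]")   # NT status or HRESULT name
PATH_RE = re.compile(r'on:\[\d+\]"([^"]+)"')                       # object name inside OBJECT_ATTRIBUTES

# Failure reasons the thread treats as ordinary (missing file/key), not as a sign of tampering.
BENIGN = {"ERROR_FILE_NOT_FOUND", "STATUS_OBJECT_NAME_NOT_FOUND"}

def parse_cbs_log(text):
    """One record per CBS/CSI line; '[gle=...]' continuation lines carry no new fields and are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, level, src, rest = m.groups()
        sm = STATUS_RE.search(rest)
        pm = PATH_RE.search(rest)
        records.append({"ts": ts, "level": level, "src": src,
                        "status": (sm.group(1) or sm.group(2)) if sm else None,
                        "path": pm.group(1) if pm else None})
    return records

def triage(text):
    """Classify each Error line: 'suspect' (file in WinSxS resolving to a directory), 'benign' or 'other'."""
    out = []
    for r in parse_cbs_log(text):
        if r["level"] != "Error" or r["status"] is None:
            continue
        in_store = r["path"] is not None and "\\winsxs\\" in r["path"].lower()
        if r["status"] == "STATUS_FILE_IS_A_DIRECTORY" and in_store:
            verdict = "suspect"   # matches the redirected-DLL pattern: inspect the path for a reparse point
        elif r["status"] in BENIGN:
            verdict = "benign"
        else:
            verdict = "other"
        out.append((verdict, r["status"], r["path"]))
    return out

def suspect_paths(text):
    """Component-store paths worth checking with 'dir' for a <SYMLINK> entry, as in the thread."""
    return [path for verdict, _, path in triage(text) if verdict == "suspect"]
```

Each path returned by suspect_paths is one to list with dir, as in the second code box, to see whether the entry shows as <SYMLINK> rather than a plain file.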
20 May 2013   #7
Britton30

I reckon I need a lot more background to understand all of that Tom.
20 May 2013   #8
cottonball

Thanks tom982!

This stuff is spreading like wildfire. There is work being done on it, but not sure as to whether a solution is yet found.

Like you mentioned, it symbolically links files associated with Windows Defender and/or MSE, and there are a couple of tools being used to detect and remove the junctions, but have not seen the final solution. Have you?
20 May 2013   #9
NoelDP

Thanks for the heads-up, Tom!

I've never liked just looking at the SFCDETAILS output - because it misses an awful lot of diagnostics stuff which is necessary, and you almost always have to ask for the full log anyhow.
At least now I have a technical reason to get shirty if the CBS.log isn't forthcoming.
20 May 2013   #10
cottonball

tom982,

Looks like working with the "junction disfunction" and permissions takes care of this variant of ZeroAccess, as well as restores the ability to download files.