SFC Warning


  1. Posts : 2,663
    Windows 8.1 Pro x64
       #1

    SFC Warning


    Hi guys,

    As we commonly use SFC to troubleshoot problems across the board, I think it's best that you're aware of how the latest variant of the ZeroAccess malware interferes with SFC.

    If SFC fails (and not just says it found corrupt files, it has to fail), ask for the full CBS log, not sfcdetails.txt! Scroll to the bottom and at the end of the SFC log, you should see why it failed. If you see something like this:

    Code:
    2013-05-18 16:51:23, Info                  CSI    000001ee [SR] Verifying 100 (0x00000064) components
    2013-05-18 16:51:23, Info                  CSI    000001ef [SR] Beginning Verify and Repair transaction
    2013-05-18 16:51:39, Error                 CSI    000001f0 (F) STATUS_FILE_IS_A_DIRECTORY #4676410# from Windows::Rtl::SystemImplementation::DirectFileSystemProvider::SysCreateFile(flags = (AllowFileNotFound|AllowSharingViolation|AllowAccessDenied), handle = {provider=NULL, handle=0}, da = (SYNCHRONIZE|FILE_READ_ATTRIBUTES|FILE_READ_DATA), oa = @0xe6ea1c->OBJECT_ATTRIBUTES {s:24; rd:NULL; on:[129]"\SystemRoot\WinSxS\x86_security-malware-windows-defender-events_31bf3856ad364e35_6.0.6000.16386_none_b3613e39beae266f\MpEvMsg.dll"; a:(OBJ_CASE_INSENSITIVE)}, iosb = @0xe6e9d4, as = (null), fa = 0, sa = (FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE), cd = FILE_OPEN, co = (FILE_NON_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT), eab = NULL, eal = 0, disp = Invalid)
    [gle=0xd00000ba]
    2013-05-18 16:51:39, Error                 CSI    000001f1@2013/5/18:15:51:39.437 (F) d:\longhorn\base\wcp\sil\merged\ntu\ntsystem.cpp(1849): Error STATUS_FILE_IS_A_DIRECTORY originated in function Windows::Rtl::SystemImplementation::DirectFileSystemProvider::SysCreateFile expression: (null)
    [gle=0x80004005]
    2013-05-18 16:51:48, Error                 CSI    000001f2 (F) STATUS_FILE_IS_A_DIRECTORY #4676409# from Windows::Rtl::SystemImplementation::CDirectory::OpenExistingFile(...)[gle=0xd00000ba]
    2013-05-18 16:51:48, Error                 CSI    000001f3 (F) STATUS_FILE_IS_A_DIRECTORY #4676408# from Windows::Rtl::SystemImplementation::CDirectory_IRtlDirectoryTearoff::OpenExistingFile(flags = (MissingFileIsOk|SharingViolationIsOk|AccessDeniedIsOk), da = (SYNCHRONIZE|FILE_READ_DATA), oa = @0xe6ebc4->SIL_OBJECT_ATTRIBUTES {s:20; on:"MpEvMsg.dll"; a:(OBJ_CASE_INSENSITIVE)}, sa = (FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE), oo = (FILE_SYNCHRONOUS_IO_NONALERT|FILE_NON_DIRECTORY_FILE), file = NULL, disp = Invalid)
    [gle=0xd00000ba]
    In particular the STATUS_FILE_IS_A_DIRECTORY error - if that is present, then it is almost a certainty that the user is infected with ZeroAccess.

    For those of you who are interested, it has symbolically linked many files associated with Windows Defender and/or MSE to a completely different folder, hence blocking access:

    Code:
    Microsoft Windows [Version 6.0.6002]
    Copyright © 2006 Microsoft Corporation. All rights reserved.
    
    C:\Windows\system32>dir C:\Windows\WinSxS\x86_security-malware-windows-defender-
    events_31bf3856ad364e35_6.0.6000.16386_none_b3613e39beae266f\
    Volume in drive C has no label.
    Volume Serial Number is 7378-680D
    
    Directory of C:\Windows\WinSxS\x86_security-malware-windows-defender-events_31b
    f3856ad364e35_6.0.6000.16386_none_b3613e39beae266f
    
    02/11/2006 13:35 <DIR> .
    02/11/2006 13:35 <DIR> ..
    02/11/2006 13:35 <SYMLINK> MpEvMsg.dll [c:\windows\system32\config]
    1 File(s) 65,640 bytes
    2 Dir(s) 20,953,784,320 bytes free
    
    C:\Windows\system32>
    So any calls to C:\Windows\WinSxS\x86_security-malware-windows-defender-events_31bf3856ad364e35_6.0.6000.16386_none_b3613e39beae266f\MpEvMsg.dll are being redirected to c:\windows\system32\config hence why SFC is returning a STATUS_FILE_IS_A_DIRECTORY error.

    Tom
    Last edited by tom982; 20 May 2013 at 09:07.
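    An added example (not a tool from this thread, nor anything Tom posted): a small Python audit that walks each component directory under a WinSxS-style root and reports entries that are symbolic links (or junctions, where `os.path.isjunction` exists, Python 3.12+) whose target escapes the component directory or resolves to a directory rather than a file, which is exactly the condition behind the <SYMLINK> MpEvMsg.dll [c:\windows\system32\config] listing above. It builds a constructed temporary tree containing one clean component and one with that redirect; `find_redirected_entries`, `build_sample_store` and `demo` are names I chose. On a real machine, point `find_redirected_entries` at C:\Windows\WinSxS from an elevated prompt.

```python
import os
import tempfile
from pathlib import Path


def find_redirected_entries(store_root):
    """Report link entries in each component directory directly under store_root
    whose target leaves that component directory or resolves to a directory."""
    # os.path.isjunction exists on Python 3.12+; older versions only see symlinks.
    isjunction = getattr(os.path, "isjunction", lambda p: False)
    findings = []
    for component in sorted(os.scandir(store_root), key=lambda e: e.name):
        if not component.is_dir(follow_symlinks=False):
            continue
        comp_real = os.path.realpath(component.path)
        for entry in sorted(os.scandir(component.path), key=lambda e: e.name):
            if not (entry.is_symlink() or isjunction(entry.path)):
                continue
            target = os.readlink(entry.path)
            resolved = os.path.realpath(entry.path)
            reasons = []
            try:
                inside = os.path.commonpath([comp_real, resolved]) == comp_real
            except ValueError:  # different drives on Windows: certainly outside
                inside = False
            if not inside:
                reasons.append("target outside component directory")
            if os.path.isdir(resolved):
                # A file name that opens as a directory is what SFC reports as
                # STATUS_FILE_IS_A_DIRECTORY in the CBS log.
                reasons.append("file name resolves to a directory")
            elif not os.path.exists(resolved):
                reasons.append("dangling link")
            if reasons:
                findings.append({"component": component.name, "name": entry.name,
                                 "target": target, "reasons": reasons})
    return findings


def build_sample_store(base):
    """Constructed sample tree: one clean component holding a real file, and one
    whose DLL has been replaced by a link into a system32\\config-style directory,
    mirroring the dir listing quoted in the thread."""
    base = Path(base)
    config_dir = base / "system32" / "config"
    config_dir.mkdir(parents=True)
    store = base / "WinSxS"
    clean = store / "x86_clean-component_31bf3856ad364e35_6.0.6000.16386_none_0000000000000000"
    clean.mkdir(parents=True)
    (clean / "clean.dll").write_bytes(b"MZ" + b"\0" * 62)  # constructed stand-in for a DLL
    infected = store / ("x86_security-malware-windows-defender-events_31bf3856ad364e35"
                        "_6.0.6000.16386_none_b3613e39beae266f")
    infected.mkdir()
    os.symlink(config_dir, infected / "MpEvMsg.dll", target_is_directory=True)
    return store


def demo():
    """Build the sample store in a temporary directory and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        return find_redirected_entries(build_sample_store(tmp))


if __name__ == "__main__":
    for f in demo():
        print(f"{f['component']}\\{f['name']} -> {f['target']}: {', '.join(f['reasons'])}")
```

The audit deliberately does not touch or remove anything it finds: confirming that a component's file is a link into a directory like system32\config is the evidence, and the repair is a separate, deliberate step once the infection has been dealt with.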

  2.    #2

    Thanks Tom.

    Does MB or MSE detect it yet, or does MSE get compromised too as per Defender?


  3. Posts : 2,663
    Windows 8.1 Pro x64
    Thread Starter
       #3

    I'm not sure, but the dropper does get detected by MSE:

    [Attachment: SFC Warning-mse.png]

    Encyclopedia entry: TrojanDropper:Win32/Sirefef.gen!E - Learn more about malware - Microsoft Malware Protection Center


    The dropper is very sneaky actually. I'll post a video of it after lunch :)

  4.    #4

    Thanks Tom, will be useful :)


  5. Posts : 24,479
    Windows 7 Ultimate X64 SP1
       #5

    2013-05-18 16:51:39, Error CSI 000001f1@2013/5/18:15:51:39.437 (F) d:\longhorn\base\wcp\sil\merged\ntu\ntsystem.cpp(1849): Error STATUS_FILE_IS_A_DIRECTORY originated in function Windows::Rtl::SystemImplementation::DirectFileSystemProvider::SysCreateFile expression: (null)
    [gle=0x80004005]
    "Longhorn" was the code name of Vista before the real name was announced, is that significant?

    What is the log in your 2nd code box?

    Thanks for the heads up mate!


  6. Posts : 2,663
    Windows 8.1 Pro x64
    Thread Starter
       #6

    My pleasure, Harry.


    Britton30 said:
    2013-05-18 16:51:39, Error CSI 000001f1@2013/5/18:15:51:39.437 (F) d:\longhorn\base\wcp\sil\merged\ntu\ntsystem.cpp(1849): Error STATUS_FILE_IS_A_DIRECTORY originated in function Windows::Rtl::SystemImplementation::DirectFileSystemProvider::SysCreateFile expression: (null)
    [gle=0x80004005]
    "Longhorn" was the code name of Vista before the real name was announced, is that significant?

    What is the log in your 2nd code box?

    Thanks for the heads up mate!
    When SFC fails to complete, it writes errors very similar to that to the CBS log. Here's a common one:


    Code:
    2013-01-28 12:44:48, Info                  CBS    Failed to get CSI store. [HRESULT = 0x80070002 - ERROR_FILE_NOT_FOUND]
    2013-01-28 12:44:48, Error                 CBS    Failed to initialize store parameters with boot drive:  and windows directory:  [HRESULT = 0x80070002 - ERROR_FILE_NOT_FOUND]
    2013-01-28 12:44:51, Error                 CSI    00000ec1 (F) STATUS_OBJECT_NAME_NOT_FOUND #46850892# from Windows::Rtl::SystemImplementation::DirectRegistryProvider::SysOpenKey(flg = (AllowAccessDenied), key = {provider=NULL, handle=0}, da = (KEY_READ|DELETE|KEY_WOW64_64KEY), oa = @0x290ce50->OBJECT_ATTRIBUTES {s:48; rd:NULL; on:[217]"\Registry\Machine\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft-windows-g..ebuild-search-index_31bf3856ad364e35_none_6bd558451d4e7a1e\v!6.1.7601.21720"; a:(OBJ_CASE_INSENSITIVE)}, disp = Unmapped disposition: 43044336 (0x0290cdf0))[gle=0xd0000034]
    2013-01-28 12:44:51, Error                 CSI    00000ec2@2013/1/28:12:44:51.279 (F) d:\win7sp1_gdr\base\wcp\sil\merged\ntu\ntsystem.cpp(3676): Error STATUS_OBJECT_NAME_NOT_FOUND originated in function Windows::Rtl::SystemImplementation::DirectRegistryProvider::SysOpenKey expression: (null)
    [gle=0x80004005]
    2013-01-28 12:44:51, Error                 CSI    00000ec3 (F) STATUS_OBJECT_NAME_NOT_FOUND #46850891# from Windows::Rtl::SystemImplementation::DirectRegistryProvider::SysOpenKey(flg = 0, key = {provider=NULL, handle=0}, da = (KEY_READ|DELETE|KEY_WOW64_64KEY), oa = @0x290ce50->OBJECT_ATTRIBUTES {s:48; rd:NULL; on:[217]"\Registry\Machine\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft-windows-g..ebuild-search-index_31bf3856ad364e35_none_6bd558451d4e7a1e\v!6.1.7601.21720"; a:(OBJ_CASE_INSENSITIVE)}, disp = Unmapped disposition: 43045400 (0x0290d218))[gle=0xd0000034]
    2013-01-28 12:44:51, Error                 CSI    00000ec4@2013/1/28:12:44:51.319 (F) d:\win7sp1_gdr\base\wcp\sil\merged\ntu\ntsystem.cpp(3676): Error STATUS_OBJECT_NAME_NOT_FOUND originated in function Windows::Rtl::SystemImplementation::DirectRegistryProvider::SysOpenKey expression: (null)
    [gle=0x80004005]
    2013-01-28 12:44:51, Error                 CSI    00000ec5 (F) STATUS_OBJECT_NAME_NOT_FOUND #46850890# from Windows::Rtl::SystemImplementation::CKey::OpenExistingKey(f = 2, da = (KEY_READ|DELETE), oa = @0x290d2b0, key = NULL, disp = (null))[gle=0xd0000034]
    2013-01-28 12:44:51, Error                 CSI    00000ec6 (F) STATUS_OBJECT_NAME_NOT_FOUND #46850864# from Windows::Rtl::SystemImplementation::CKey::DeleteRecursively(...)[gle=0xd0000034]
    2013-01-28 12:44:51, Error                 CSI    00000ec7 (F) STATUS_OBJECT_NAME_NOT_FOUND #46775063# from Windows::Rtl::SystemImplementation::CKey::DeleteRecursively(...)[gle=0xd0000034]
    2013-01-28 12:44:51, Info                  CBS    Failed to get CSI store. [HRESULT = 0x80070002 - ERROR_FILE_NOT_FOUND]
    2013-01-28 12:44:51, Error                 CBS    Failed to initialize store parameters with boot drive:  and windows directory:  [HRESULT = 0x80070002 - ERROR_FILE_NOT_FOUND]

    But notice this is failing with ERROR_FILE_NOT_FOUND which is a perfectly acceptable reason for SFC to fail.


    I've never understood what it means when it references these C++ definitions but Vista and 7 are so similar internally that it wouldn't surprise me if this is just a leftover from Vista that they didn't need to change :)


    d:\longhorn\base\wcp\sil\merged\ntu\ntsystem.cpp
    d:\win7sp1_gdr\base\wcp\sil\merged\ntu\ntsystem.cpp


    The second codebox shows that a hardlink exists on that file, confirming that's why SFC failed:


    Code:
    Microsoft Windows [Version 6.0.6002]
    Copyright © 2006 Microsoft Corporation. All rights reserved.
    
    
    C:\Windows\system32>dir C:\Windows\WinSxS\x86_security-malware-windows-defender-
    events_31bf3856ad364e35_6.0.6000.16386_none_b3613e39beae266f\
    Volume in drive C has no label.
    Volume Serial Number is 7378-680D
    
    
    Directory of C:\Windows\WinSxS\x86_security-malware-windows-defender-events_31b
    f3856ad364e35_6.0.6000.16386_none_b3613e39beae266f
    
    
    02/11/2006 13:35 <DIR> .
    02/11/2006 13:35 <DIR> ..
    02/11/2006 13:35 <SYMLINK> MpEvMsg.dll [c:\windows\system32\config]
    1 File(s) 65,640 bytes
    2 Dir(s) 20,953,784,320 bytes free
    
    
    C:\Windows\system32>

    The <SYMLINK> represents a symbolic link which essentially redirects calls to this file to another location - in this case C:\Windows\system32\config :)


    Tom
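    As an added example that is not part of this thread (the triage rule is Tom's; the script and the names `parse_errors`, `triage`, `summarize` and `suspicious_paths` are my own), here is a Python scanner that applies the rule from post #1 together with the contrast drawn in this post: it reads the Error lines of a CBS.log, pulls out the NT status or Win32 error name and the object path where one is logged, flags STATUS_FILE_IS_A_DIRECTORY as a likely link redirect to investigate, and treats the ERROR_FILE_NOT_FOUND / STATUS_OBJECT_NAME_NOT_FOUND family as an ordinary store failure. The embedded log excerpt is constructed from the lines quoted in this thread, abridged to those that carry a status code.

```python
import re
from collections import Counter

# Constructed sample: CBS.log lines quoted in this thread (post #1 and post #6).
SAMPLE_CBS_LOG = r"""
2013-05-18 16:51:23, Info                  CSI    000001ef [SR] Beginning Verify and Repair transaction
2013-05-18 16:51:39, Error                 CSI    000001f0 (F) STATUS_FILE_IS_A_DIRECTORY #4676410# from Windows::Rtl::SystemImplementation::DirectFileSystemProvider::SysCreateFile(flags = (AllowFileNotFound|AllowSharingViolation|AllowAccessDenied), handle = {provider=NULL, handle=0}, da = (SYNCHRONIZE|FILE_READ_ATTRIBUTES|FILE_READ_DATA), oa = @0xe6ea1c->OBJECT_ATTRIBUTES {s:24; rd:NULL; on:[129]"\SystemRoot\WinSxS\x86_security-malware-windows-defender-events_31bf3856ad364e35_6.0.6000.16386_none_b3613e39beae266f\MpEvMsg.dll"; a:(OBJ_CASE_INSENSITIVE)}, iosb = @0xe6e9d4, as = (null), fa = 0, sa = (FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE), cd = FILE_OPEN, co = (FILE_NON_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT), eab = NULL, eal = 0, disp = Invalid)
[gle=0xd00000ba]
2013-05-18 16:51:39, Error                 CSI    000001f1@2013/5/18:15:51:39.437 (F) d:\longhorn\base\wcp\sil\merged\ntu\ntsystem.cpp(1849): Error STATUS_FILE_IS_A_DIRECTORY originated in function Windows::Rtl::SystemImplementation::DirectFileSystemProvider::SysCreateFile expression: (null)
[gle=0x80004005]
2013-01-28 12:44:48, Error                 CBS    Failed to initialize store parameters with boot drive:  and windows directory:  [HRESULT = 0x80070002 - ERROR_FILE_NOT_FOUND]
2013-01-28 12:44:51, Error                 CSI    00000ec1 (F) STATUS_OBJECT_NAME_NOT_FOUND #46850892# from Windows::Rtl::SystemImplementation::DirectRegistryProvider::SysOpenKey(flg = (AllowAccessDenied), key = {provider=NULL, handle=0}, da = (KEY_READ|DELETE|KEY_WOW64_64KEY), oa = @0x290ce50->OBJECT_ATTRIBUTES {s:48; rd:NULL; on:[217]"\Registry\Machine\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft-windows-g..ebuild-search-index_31bf3856ad364e35_none_6bd558451d4e7a1e\v!6.1.7601.21720"; a:(OBJ_CASE_INSENSITIVE)}, disp = Unmapped disposition: 43044336 (0x0290cdf0))[gle=0xd0000034]
"""

# "timestamp, Level   Component   message" as written by CBS/CSI.
LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}), (?P<level>\w+)\s+(?P<comp>\w+)\s+(?P<msg>.*)$")
STATUS_RE = re.compile(r"\b(STATUS_[A-Z_]+|ERROR_[A-Z_]+)\b")   # NT status / Win32 error name
PATH_RE = re.compile(r'on:\[\d+\]"([^"]+)"')                    # object name inside OBJECT_ATTRIBUTES

# The rule from this thread: a file opening as a directory points at a link redirect;
# "not found" failures are ordinary reasons for SFC to fail.
SUSPICIOUS = {"STATUS_FILE_IS_A_DIRECTORY": "file path opens as a directory: check the component for a symbolic link or junction"}
EXPECTED = {"STATUS_OBJECT_NAME_NOT_FOUND": "object missing from the component store",
            "ERROR_FILE_NOT_FOUND": "store file missing"}


def parse_errors(log_text):
    """Yield (timestamp, component, status, path) for each Error line naming a status code."""
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m or m.group("level") != "Error":
            continue
        s = STATUS_RE.search(m.group("msg"))
        if not s:
            continue
        p = PATH_RE.search(m.group("msg"))
        yield m.group("ts"), m.group("comp"), s.group(1), (p.group(1) if p else None)


def triage(log_text):
    """Return one finding per error line, each with a verdict and a short note."""
    findings = []
    for ts, comp, status, path in parse_errors(log_text):
        if status in SUSPICIOUS:
            verdict, note = "suspicious", SUSPICIOUS[status]
        elif status in EXPECTED:
            verdict, note = "expected", EXPECTED[status]
        else:
            verdict, note = "unknown", "status not classified; read the surrounding lines"
        findings.append({"time": ts, "component": comp, "status": status,
                         "path": path, "verdict": verdict, "note": note})
    return findings


def summarize(findings):
    """Count findings per verdict."""
    return Counter(f["verdict"] for f in findings)


def suspicious_paths(findings):
    """Distinct object paths behind suspicious findings, i.e. what to inspect on disk."""
    return sorted({f["path"] for f in findings if f["verdict"] == "suspicious" and f["path"]})


if __name__ == "__main__":
    results = triage(SAMPLE_CBS_LOG)
    for f in results:
        print(f"{f['time']} {f['component']} {f['status']:<30} {f['verdict']:<10} {f['path'] or ''}")
    print(dict(summarize(results)))
    print("inspect:", suspicious_paths(results))
```

Run it over a real log with `triage(open(r"C:\Windows\Logs\CBS\CBS.log", encoding="utf-8", errors="replace").read())`; a suspicious finding that names a WinSxS component path is the cue to list that component directory and look for a <SYMLINK> entry, as in the dir output above, rather than to treat the SFC failure as store corruption.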


  7. Posts : 24,479
    Windows 7 Ultimate X64 SP1
       #7

    I reckon I need a lot more background to understand all of that Tom.


  8. Posts : 2,470
    Windows 7 Home Premium
       #8

    Thanks tom982!

    This stuff is spreading like wildfire. There is work being done on it, but not sure as to whether a solution is yet found.

    Like you mentioned, it symbolically links files associated with Windows Defender and/or MSE, and there are a couple of tools being used to detect and remove the junctions, but have not seen the final solution. Have you?


  9. Posts : 21,482
    Win 7 x64 Home Premium (and x86 VirtualBox VM)/Win10
       #9

    Thanks for the heads-up, Tom!

    I've never liked just looking at the SFCDETAILS output - because it misses an awful lot of diagnostics stuff which is necessary, and you almost always have to ask for the full log anyhow.
    At least now I have a technical reason to get shirty if the CBS.log isn't forthcoming :)


  10. Posts : 2,470
    Windows 7 Home Premium
       #10

    tom982,

    Looks like working with the "junction disfunction" and permissions takes care of this variant of ZeroAccess, as well as restores the ability to download files.

