#1
SFC Warning
Hi guys,
As we commonly use SFC to troubleshoot problems across the board, I think it's best that you're aware of how the latest variant of the ZeroAccess malware interferes with SFC.
If SFC fails (and not just says it found corrupt files, it has to fail), ask for the full CBS log, not sfcdetails.txt! Scroll to the bottom and at the end of the SFC log, you should see why it failed. If you see something like this:
Code:
2013-05-18 16:51:23, Info CSI 000001ee [SR] Verifying 100 (0x00000064) components
2013-05-18 16:51:23, Info CSI 000001ef [SR] Beginning Verify and Repair transaction
2013-05-18 16:51:39, Error CSI 000001f0 (F) STATUS_FILE_IS_A_DIRECTORY #4676410# from Windows::Rtl::SystemImplementation::DirectFileSystemProvider::SysCreateFile(flags = (AllowFileNotFound|AllowSharingViolation|AllowAccessDenied), handle = {provider=NULL, handle=0}, da = (SYNCHRONIZE|FILE_READ_ATTRIBUTES|FILE_READ_DATA), oa = @0xe6ea1c->OBJECT_ATTRIBUTES {s:24; rd:NULL; on:[129]"\SystemRoot\WinSxS\x86_security-malware-windows-defender-events_31bf3856ad364e35_6.0.6000.16386_none_b3613e39beae266f\MpEvMsg.dll"; a:(OBJ_CASE_INSENSITIVE)}, iosb = @0xe6e9d4, as = (null), fa = 0, sa = (FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE), cd = FILE_OPEN, co = (FILE_NON_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT), eab = NULL, eal = 0, disp = Invalid) [gle=0xd00000ba]
2013-05-18 16:51:39, Error CSI 000001f1@2013/5/18:15:51:39.437 (F) d:\longhorn\base\wcp\sil\merged\ntu\ntsystem.cpp(1849): Error STATUS_FILE_IS_A_DIRECTORY originated in function Windows::Rtl::SystemImplementation::DirectFileSystemProvider::SysCreateFile expression: (null) [gle=0x80004005]
2013-05-18 16:51:48, Error CSI 000001f2 (F) STATUS_FILE_IS_A_DIRECTORY #4676409# from Windows::Rtl::SystemImplementation::CDirectory::OpenExistingFile(...)[gle=0xd00000ba]
2013-05-18 16:51:48, Error CSI 000001f3 (F) STATUS_FILE_IS_A_DIRECTORY #4676408# from Windows::Rtl::SystemImplementation::CDirectory_IRtlDirectoryTearoff::OpenExistingFile(flags = (MissingFileIsOk|SharingViolationIsOk|AccessDeniedIsOk), da = (SYNCHRONIZE|FILE_READ_DATA), oa = @0xe6ebc4->SIL_OBJECT_ATTRIBUTES {s:20; on:"MpEvMsg.dll"; a:(OBJ_CASE_INSENSITIVE)}, sa = (FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE), oo = (FILE_SYNCHRONOUS_IO_NONALERT|FILE_NON_DIRECTORY_FILE), file = NULL, disp = Invalid) [gle=0xd00000ba]
In particular, if you see the STATUS_FILE_IS_A_DIRECTORY error, then it is almost a certainty that the user is infected with ZeroAccess.
For those of you who are interested, it has symbolically linked many files associated with Windows Defender and/or MSE to a completely different folder, hence blocking access:
Code:
Microsoft Windows [Version 6.0.6002]
Copyright © 2006 Microsoft Corporation.  All rights reserved.

C:\Windows\system32>dir C:\Windows\WinSxS\x86_security-malware-windows-defender-events_31bf3856ad364e35_6.0.6000.16386_none_b3613e39beae266f\
 Volume in drive C has no label.
 Volume Serial Number is 7378-680D

 Directory of C:\Windows\WinSxS\x86_security-malware-windows-defender-events_31bf3856ad364e35_6.0.6000.16386_none_b3613e39beae266f

02/11/2006  13:35    <DIR>          .
02/11/2006  13:35    <DIR>          ..
02/11/2006  13:35    <SYMLINK>      MpEvMsg.dll [c:\windows\system32\config]
               1 File(s)         65,640 bytes
               2 Dir(s)  20,953,784,320 bytes free

C:\Windows\system32>
So any calls to C:\Windows\WinSxS\x86_security-malware-windows-defender-events_31bf3856ad364e35_6.0.6000.16386_none_b3613e39beae266f\MpEvMsg.dll are being redirected to c:\windows\system32\config, which is why SFC is returning a STATUS_FILE_IS_A_DIRECTORY error.
Tom
Last edited by tom982; 20 May 2013 at 09:07.
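As an added example (this is not code from the original post, just a script written to automate the two checks Tom describes): it reads the tail of CBS.log for the STATUS_FILE_IS_A_DIRECTORY failures SFC logs, maps the NT path CSI reports (the \SystemRoot\... form) back to a Win32 path, and then checks whether that path is a symlink whose target is a directory, which is exactly what made CreateFile with FILE_NON_DIRECTORY_FILE fail. It assumes CBS.log lives at C:\Windows\Logs\CBS\CBS.log (the usual location); the sample log lines embedded in the script are a constructed, shortened version of the excerpt above so that it can run offline. The directory scan at the end generalises the dir listing in the post: it reports every entry in a component folder that is a symlink resolving to a directory, not just MpEvMsg.dll.

```python
# Added example, not from the original post: SFC / CBS.log triage helper for the
# "file is really a symlink to a directory" condition described above.
import os
import re
import sys
from dataclasses import dataclass
from typing import List, Optional

# CSI "(F)" error line written when a CreateFile call fails. The object name is
# logged as on:[len]"path" (full NT path) or on:"name" (relative to a directory
# handle), so the [len] part is optional.
_CSI_ERROR = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}), Error\s+CSI\s+\w+\s+\(F\)\s+'
    r'(?P<status>STATUS_[A-Z_]+)\s+#\d+#\s+from\s+(?P<function>[\w:]+)\('
    r'.*?on:(?:\[\d+\])?"(?P<path>[^"]+)"'
)

# Constructed sample, trimmed from the kind of CBS.log tail shown in the post.
SAMPLE_CBS_LOG = r"""2013-05-18 16:51:23, Info CSI 000001ee [SR] Verifying 100 (0x00000064) components
2013-05-18 16:51:23, Info CSI 000001ef [SR] Beginning Verify and Repair transaction
2013-05-18 16:51:39, Error CSI 000001f0 (F) STATUS_FILE_IS_A_DIRECTORY #4676410# from Windows::Rtl::SystemImplementation::DirectFileSystemProvider::SysCreateFile(flags = (AllowFileNotFound|AllowSharingViolation|AllowAccessDenied), handle = {provider=NULL, handle=0}, da = (SYNCHRONIZE|FILE_READ_DATA), oa = @0xe6ea1c->OBJECT_ATTRIBUTES {s:24; rd:NULL; on:[129]"\SystemRoot\WinSxS\x86_security-malware-windows-defender-events_31bf3856ad364e35_6.0.6000.16386_none_b3613e39beae266f\MpEvMsg.dll"; a:(OBJ_CASE_INSENSITIVE)}, co = (FILE_NON_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT), disp = Invalid) [gle=0xd00000ba]
2013-05-18 16:51:39, Error CSI 000001f1@2013/5/18:15:51:39.437 (F) d:\longhorn\base\wcp\sil\merged\ntu\ntsystem.cpp(1849): Error STATUS_FILE_IS_A_DIRECTORY originated in function Windows::Rtl::SystemImplementation::DirectFileSystemProvider::SysCreateFile expression: (null) [gle=0x80004005]
2013-05-18 16:51:48, Error CSI 000001f3 (F) STATUS_FILE_IS_A_DIRECTORY #4676408# from Windows::Rtl::SystemImplementation::CDirectory_IRtlDirectoryTearoff::OpenExistingFile(flags = (MissingFileIsOk), oa = @0xe6ebc4->SIL_OBJECT_ATTRIBUTES {s:20; on:"MpEvMsg.dll"; a:(OBJ_CASE_INSENSITIVE)}, file = NULL, disp = Invalid) [gle=0xd00000ba]
"""


@dataclass
class FailedOpen:
    timestamp: str
    status: str
    function: str   # CSI function that failed, e.g. ...::SysCreateFile
    nt_path: str    # object name exactly as logged


def parse_cbs_log(text: str, status: str = "STATUS_FILE_IS_A_DIRECTORY") -> List[FailedOpen]:
    """Return every CSI open failure carrying the given NT status, in log order."""
    hits = []
    for line in text.splitlines():
        m = _CSI_ERROR.match(line.strip())
        if m and m.group("status") == status:
            hits.append(FailedOpen(m.group("ts"), m.group("status"),
                                   m.group("function"), m.group("path")))
    return hits


def nt_to_win32(nt_path: str, system_root: Optional[str] = None) -> str:
    """Translate the \\SystemRoot\\... form CSI logs into a Win32 path.
    Relative names such as "MpEvMsg.dll" are returned unchanged."""
    root = (system_root or os.environ.get("SystemRoot", r"C:\Windows")).rstrip("\\")
    prefix = "\\SystemRoot\\"
    if nt_path.lower().startswith(prefix.lower()):
        return root + "\\" + nt_path[len(prefix):]
    return nt_path


@dataclass
class PathReport:
    path: str
    exists: bool
    is_symlink: bool
    target: Optional[str]
    resolves_to_directory: bool

    @property
    def hijacked(self) -> bool:
        # A name SFC expects to be a DLL that resolves to a directory is the
        # condition that makes CreateFile(FILE_NON_DIRECTORY_FILE) return
        # STATUS_FILE_IS_A_DIRECTORY.
        return self.exists and self.resolves_to_directory


def inspect_path(path: str) -> PathReport:
    """Look at the link itself (lstat) and at what it resolves to (stat)."""
    exists = os.path.lexists(path)
    is_link = exists and os.path.islink(path)
    target = os.readlink(path) if is_link else None
    return PathReport(path, exists, is_link, target, exists and os.path.isdir(path))


def find_links_to_directories(directory: str) -> List[PathReport]:
    """Entries directly under `directory` that are symlinks resolving to a directory.
    Run it over the WinSxS component folders SFC complained about."""
    found = []
    for name in sorted(os.listdir(directory)):
        report = inspect_path(os.path.join(directory, name))
        if report.is_symlink and report.resolves_to_directory:
            found.append(report)
    return found


def main(argv: List[str]) -> int:
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8", errors="replace") as f:
            text = f.read()
    else:
        text = SAMPLE_CBS_LOG  # offline demo on the constructed excerpt
    hits = parse_cbs_log(text)
    if not hits:
        print("no STATUS_FILE_IS_A_DIRECTORY failures in the log")
        return 0
    for h in hits:
        win = nt_to_win32(h.nt_path)
        print(f"{h.timestamp} {h.status} in {h.function.rsplit('::', 1)[-1]}: {win}")
        if not os.path.isabs(win):
            print("   (relative name; use the full path logged by SysCreateFile)")
            continue
        r = inspect_path(win)
        print(f"   exists={r.exists} symlink={r.is_symlink} target={r.target} "
              f"resolves_to_directory={r.resolves_to_directory} hijacked={r.hijacked}")
    return 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it on the affected machine as `python sfc_triage.py C:\Windows\Logs\CBS\CBS.log`; with no argument it only parses the constructed sample. A non-zero exit means at least one STATUS_FILE_IS_A_DIRECTORY failure was found, and the `hijacked=True` line is the one to act on.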