SFC Warning

tom982

٩(͡๏̯͡๏)۶
Guru
VIP
Messages
2,582
Location
England
Hi guys,

As we commonly use SFC to troubleshoot problems across the board, I think it's best that you're aware of how the latest variant of the ZeroAccess malware interferes with SFC.

If SFC fails (and not just says it found corrupt files, it has to fail), ask for the full CBS log, not sfcdetails.txt! Scroll to the bottom and at the end of the SFC log, you should see why it failed. If you see something like this:

Code:
2013-05-18 16:51:23, Info                  CSI    000001ee [SR] Verifying 100 (0x00000064) components
2013-05-18 16:51:23, Info                  CSI    000001ef [SR] Beginning Verify and Repair transaction
2013-05-18 16:51:39, Error                 CSI    000001f0 (F) STATUS_FILE_IS_A_DIRECTORY #4676410# from Windows::Rtl::SystemImplementation::DirectFileSystemProvider::SysCreateFile(flags = (AllowFileNotFound|AllowSharingViolation|AllowAccessDenied), handle = {provider=NULL, handle=0}, da = (SYNCHRONIZE|FILE_READ_ATTRIBUTES|FILE_READ_DATA), oa = @0xe6ea1c->OBJECT_ATTRIBUTES {s:24; rd:NULL; on:[129]"\SystemRoot\WinSxS\x86_security-malware-windows-defender-events_31bf3856ad364e35_6.0.6000.16386_none_b3613e39beae266f\MpEvMsg.dll"; a:(OBJ_CASE_INSENSITIVE)}, iosb = @0xe6e9d4, as = (null), fa = 0, sa = (FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE), cd = FILE_OPEN, co = (FILE_NON_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT), eab = NULL, eal = 0, disp = Invalid)
[gle=0xd00000ba]
2013-05-18 16:51:39, Error                 CSI    000001f1@2013/5/18:15:51:39.437 (F) d:\longhorn\base\wcp\sil\merged\ntu\ntsystem.cpp(1849): Error STATUS_FILE_IS_A_DIRECTORY originated in function Windows::Rtl::SystemImplementation::DirectFileSystemProvider::SysCreateFile expression: (null)
[gle=0x80004005]
2013-05-18 16:51:48, Error                 CSI    000001f2 (F) STATUS_FILE_IS_A_DIRECTORY #4676409# from Windows::Rtl::SystemImplementation::CDirectory::OpenExistingFile(...)[gle=0xd00000ba]
2013-05-18 16:51:48, Error                 CSI    000001f3 (F) STATUS_FILE_IS_A_DIRECTORY #4676408# from Windows::Rtl::SystemImplementation::CDirectory_IRtlDirectoryTearoff::OpenExistingFile(flags = (MissingFileIsOk|SharingViolationIsOk|AccessDeniedIsOk), da = (SYNCHRONIZE|FILE_READ_DATA), oa = @0xe6ebc4->SIL_OBJECT_ATTRIBUTES {s:20; on:"MpEvMsg.dll"; a:(OBJ_CASE_INSENSITIVE)}, sa = (FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE), oo = (FILE_SYNCHRONOUS_IO_NONALERT|FILE_NON_DIRECTORY_FILE), file = NULL, disp = Invalid)
[gle=0xd00000ba]
In particular the STATUS_FILE_IS_A_DIRECTORY error: if that is present, then it is almost a certainty that the user is infected with ZeroAccess.

For those of you who are interested, it has symbolically linked many files associated with Windows Defender and/or MSE to a completely different folder, hence blocking access:

Code:
Microsoft Windows [Version 6.0.6002]
Copyright © 2006 Microsoft Corporation. All rights reserved.

C:\Windows\system32>dir C:\Windows\WinSxS\x86_security-malware-windows-defender-
events_31bf3856ad364e35_6.0.6000.16386_none_b3613e39beae266f\
Volume in drive C has no label.
Volume Serial Number is 7378-680D

Directory of C:\Windows\WinSxS\x86_security-malware-windows-defender-events_31b
f3856ad364e35_6.0.6000.16386_none_b3613e39beae266f

02/11/2006 13:35 <DIR> .
02/11/2006 13:35 <DIR> ..
02/11/2006 13:35 <SYMLINK> MpEvMsg.dll [c:\windows\system32\config]
1 File(s) 65,640 bytes
2 Dir(s) 20,953,784,320 bytes free

C:\Windows\system32>

So any calls to C:\Windows\WinSxS\x86_security-malware-windows-defender-events_31bf3856ad364e35_6.0.6000.16386_none_b3613e39beae266f\MpEvMsg.dll are being redirected to c:\windows\system32\config, which is why SFC is returning a STATUS_FILE_IS_A_DIRECTORY error.

Tom
 

My Computer

Computer type
PC/Desktop
Computer Manufacturer/Model Number
Build #1
OS
Windows 8.1 Pro x64
CPU
Intel i7 3770K @4.5GHz
Motherboard
ASUS P8Z77-V PRO
Memory
Corsair Vengeance 2x4GB DDR3 1600MHz Low Profile (White)
Graphics Card(s)
Gigabyte Radeon HD 7850 (2GB GDDR5)
Sound Card
Integrated on motherboard
Monitor(s) Displays
23" LG LCD/LED IPS
Screen Resolution
1920*1080
Hard Drives
Samsung EVO 128GB SSD
Seagate Barracuda 2GB 7200rpm
2x Seagate FreeAgent [500gb]
PSU
Corsair TX650W V2 (80+ Bronze)
Case
NZXT Phantom 410 White
Cooling
Corsair H100 Water Cooler
Keyboard
Microsoft Desktop 2000 Wireless Keyboard
Mouse
Microsoft Desktop 2000 Wireless Mouse
Internet Speed
95 Mb/s Download 70 Mb/s Upload
Antivirus
MSE + MBAM Pro
Browser
Firefox
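The triage tom describes (scroll to the end of the CBS log, look for the status that made SFC fail, and pull out the path it choked on) can be scripted. The following is an added example written for this thread, not code from the original post or from Microsoft: it parses CBS-style lines, records every NTSTATUS/HRESULT name it finds, extracts the object name from the `on:[n]"..."` field, and flags STATUS_FILE_IS_A_DIRECTORY paths as candidates for a reparse-point check while treating the missing-object statuses (STATUS_OBJECT_NAME_NOT_FOUND, ERROR_FILE_NOT_FOUND) as ordinary SFC failures. The sample log text is constructed from abridged copies of the lines quoted above; `REDIRECT_STATUSES`, `BENIGN_STATUSES`, `parse_cbs_errors` and `triage` are names chosen here, and the classification is the thread's rule of thumb, not a Microsoft definition.

```python
import re
from collections import Counter

# Constructed sample: abridged tail of a CBS.log showing the STATUS_FILE_IS_A_DIRECTORY
# signature described in the post, followed by ordinary "not found" failures for contrast.
SAMPLE_CBS_TAIL = r"""
2013-05-18 16:51:23, Info                  CSI    000001ef [SR] Beginning Verify and Repair transaction
2013-05-18 16:51:39, Error                 CSI    000001f0 (F) STATUS_FILE_IS_A_DIRECTORY #4676410# from Windows::Rtl::SystemImplementation::DirectFileSystemProvider::SysCreateFile(flags = (AllowFileNotFound|AllowSharingViolation|AllowAccessDenied), oa = @0xe6ea1c->OBJECT_ATTRIBUTES {s:24; rd:NULL; on:[129]"\SystemRoot\WinSxS\x86_security-malware-windows-defender-events_31bf3856ad364e35_6.0.6000.16386_none_b3613e39beae266f\MpEvMsg.dll"; a:(OBJ_CASE_INSENSITIVE)}, disp = Invalid)
[gle=0xd00000ba]
2013-05-18 16:51:39, Error                 CSI    000001f1@2013/5/18:15:51:39.437 (F) d:\longhorn\base\wcp\sil\merged\ntu\ntsystem.cpp(1849): Error STATUS_FILE_IS_A_DIRECTORY originated in function Windows::Rtl::SystemImplementation::DirectFileSystemProvider::SysCreateFile expression: (null)
[gle=0x80004005]
2013-01-28 12:44:48, Info                  CBS    Failed to get CSI store. [HRESULT = 0x80070002 - ERROR_FILE_NOT_FOUND]
2013-01-28 12:44:51, Error                 CSI    00000ec5 (F) STATUS_OBJECT_NAME_NOT_FOUND #46850890# from Windows::Rtl::SystemImplementation::CKey::OpenExistingKey(f = 2, da = (KEY_READ|DELETE), oa = @0x290d2b0, key = NULL, disp = (null))[gle=0xd0000034]
"""

# "<date> <time>, <Level>   <CBS|CSI>   <message>"; [gle=...] continuation lines do not match.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}), (?P<level>\w+)\s+(?P<src>CBS|CSI)\s+(?P<msg>.*)$"
)
STATUS_RE = re.compile(r"\b((?:STATUS|ERROR)_[A-Z0-9_]+)\b")
PATH_RE = re.compile(r'on:\[\d+\]"([^"]+)"')  # object name inside OBJECT_ATTRIBUTES

# Thread rule of thumb (assumption, not a Microsoft definition): a file path that turns
# out to be a directory points at a redirected file; missing objects are routine.
REDIRECT_STATUSES = {"STATUS_FILE_IS_A_DIRECTORY"}
BENIGN_STATUSES = {"STATUS_OBJECT_NAME_NOT_FOUND", "ERROR_FILE_NOT_FOUND"}


def parse_cbs_errors(text):
    """Return one record per log line that names an NTSTATUS/HRESULT value."""
    records = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        status = STATUS_RE.search(m.group("msg"))
        if not status:
            continue
        path = PATH_RE.search(m.group("msg"))
        records.append({
            "time": m.group("ts"),
            "level": m.group("level"),
            "source": m.group("src"),
            "status": status.group(1),
            "path": path.group(1) if path else None,
        })
    return records


def triage(text):
    """Summarise why the run failed and which paths deserve a symlink/reparse-point look."""
    records = parse_cbs_errors(text)
    counts = Counter(r["status"] for r in records)
    suspicious = sorted({r["path"] for r in records
                         if r["status"] in REDIRECT_STATUSES and r["path"]})
    return {
        "status_counts": dict(counts),
        "suspicious_paths": suspicious,
        "benign_only": bool(records) and all(r["status"] in BENIGN_STATUSES for r in records),
    }


if __name__ == "__main__":
    import json
    import sys
    # Usage: python cbs_triage.py C:\Windows\Logs\CBS\CBS.log  (falls back to the sample)
    text = open(sys.argv[1], errors="replace").read() if len(sys.argv) > 1 else SAMPLE_CBS_TAIL
    print(json.dumps(triage(text), indent=2))
```

Run against a real CBS.log the script reports the status counts and the WinSxS path(s) to inspect; a result whose only statuses are the "not found" ones means the failure is the ordinary kind and needs no malware suspicion on this evidence alone.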
Thanks Tom.

Does MB or MSE detect it yet, or does MSE get compromised too as per Defender?
 

My Computer

2013-05-18 16:51:39, Error CSI 000001f1@2013/5/18:15:51:39.437 (F) d:\longhorn\base\wcp\sil\merged\ntu\ntsystem.cpp(1849): Error STATUS_FILE_IS_A_DIRECTORY originated in function Windows::Rtl::SystemImplementation::DirectFileSystemProvider::SysCreateFile expression: (null)
[gle=0x80004005]
"Longhorn" was the code name of Vista before the real name was announced, is that significant?

What is the log in your 2nd code box?

Thanks for the heads up mate! :D
 

My Computer

Computer type
PC/Desktop
Computer Manufacturer/Model Number
Home Built Desktop By DataTech
OS
Windows 7 Ultimate X64 SP1
CPU
Intel i5-2550K, Differing ~4.4-4.8GHz No built in GPU
Motherboard
ASUS P8Z68-V PRO/GEN3
Memory
16GB G.Skill Sniper 1866MHz @ 2133MHz 2x8GB
Graphics Card(s)
ASUS GTX650TIB-DC2OC-2GD5, (650TI Boost)
Sound Card
Onboard Realtek 5-1
Monitor(s) Displays
Samsung P2570HD
Screen Resolution
1920x1080
Hard Drives
Samsung 840 Pro 256GB SSD for OS, 500GB Seagate Constellation (Enterprise drive) for Data
PSU
Corsair HX650W
Case
Inwin Dragon Rider
Cooling
Hyper 212 EVO w/two Noctua fans, push-pull, @1300 RPM
Keyboard
E-Z Eyes, bright yellow keys with large characters
Mouse
steelseries SENSEI Laser Pro Gaming
Internet Speed
48-51Mbs Mbs down, 11 Mbs up Xfinity Cable
Antivirus
Norton Internet Security 2013
Browser
IE 10, Opera, Pale Moon if needed
Other Info
4 case fans, LG BluRay-RE, ASUS DVD-RW, Mr. Fusion power supply, 1.21 gigawatts.
My pleasure, Harry.


2013-05-18 16:51:39, Error CSI 000001f1@2013/5/18:15:51:39.437 (F) d:\longhorn\base\wcp\sil\merged\ntu\ntsystem.cpp(1849): Error STATUS_FILE_IS_A_DIRECTORY originated in function Windows::Rtl::SystemImplementation::DirectFileSystemProvider::SysCreateFile expression: (null)
[gle=0x80004005]
"Longhorn" was the code name of Vista before the real name was announced, is that significant?

What is the log in your 2nd code box?

Thanks for the heads up mate! :D

When SFC fails to complete, it writes errors very similar to that to the CBS log. Here's a common one:


Code:
2013-01-28 12:44:48, Info                  CBS    Failed to get CSI store. [HRESULT = 0x80070002 - ERROR_FILE_NOT_FOUND]
2013-01-28 12:44:48, Error                 CBS    Failed to initialize store parameters with boot drive:  and windows directory:  [HRESULT = 0x80070002 - ERROR_FILE_NOT_FOUND]
2013-01-28 12:44:51, Error                 CSI    00000ec1 (F) STATUS_OBJECT_NAME_NOT_FOUND #46850892# from Windows::Rtl::SystemImplementation::DirectRegistryProvider::SysOpenKey(flg = (AllowAccessDenied), key = {provider=NULL, handle=0}, da = (KEY_READ|DELETE|KEY_WOW64_64KEY), oa = @0x290ce50->OBJECT_ATTRIBUTES {s:48; rd:NULL; on:[217]"\Registry\Machine\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft-windows-g..ebuild-search-index_31bf3856ad364e35_none_6bd558451d4e7a1e\v!6.1.7601.21720"; a:(OBJ_CASE_INSENSITIVE)}, disp = Unmapped disposition: 43044336 (0x0290cdf0))[gle=0xd0000034]
2013-01-28 12:44:51, Error                 CSI    00000ec2@2013/1/28:12:44:51.279 (F) d:\win7sp1_gdr\base\wcp\sil\merged\ntu\ntsystem.cpp(3676): Error STATUS_OBJECT_NAME_NOT_FOUND originated in function Windows::Rtl::SystemImplementation::DirectRegistryProvider::SysOpenKey expression: (null)
[gle=0x80004005]
2013-01-28 12:44:51, Error                 CSI    00000ec3 (F) STATUS_OBJECT_NAME_NOT_FOUND #46850891# from Windows::Rtl::SystemImplementation::DirectRegistryProvider::SysOpenKey(flg = 0, key = {provider=NULL, handle=0}, da = (KEY_READ|DELETE|KEY_WOW64_64KEY), oa = @0x290ce50->OBJECT_ATTRIBUTES {s:48; rd:NULL; on:[217]"\Registry\Machine\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft-windows-g..ebuild-search-index_31bf3856ad364e35_none_6bd558451d4e7a1e\v!6.1.7601.21720"; a:(OBJ_CASE_INSENSITIVE)}, disp = Unmapped disposition: 43045400 (0x0290d218))[gle=0xd0000034]
2013-01-28 12:44:51, Error                 CSI    00000ec4@2013/1/28:12:44:51.319 (F) d:\win7sp1_gdr\base\wcp\sil\merged\ntu\ntsystem.cpp(3676): Error STATUS_OBJECT_NAME_NOT_FOUND originated in function Windows::Rtl::SystemImplementation::DirectRegistryProvider::SysOpenKey expression: (null)
[gle=0x80004005]
2013-01-28 12:44:51, Error                 CSI    00000ec5 (F) STATUS_OBJECT_NAME_NOT_FOUND #46850890# from Windows::Rtl::SystemImplementation::CKey::OpenExistingKey(f = 2, da = (KEY_READ|DELETE), oa = @0x290d2b0, key = NULL, disp = (null))[gle=0xd0000034]
2013-01-28 12:44:51, Error                 CSI    00000ec6 (F) STATUS_OBJECT_NAME_NOT_FOUND #46850864# from Windows::Rtl::SystemImplementation::CKey::DeleteRecursively(...)[gle=0xd0000034]
2013-01-28 12:44:51, Error                 CSI    00000ec7 (F) STATUS_OBJECT_NAME_NOT_FOUND #46775063# from Windows::Rtl::SystemImplementation::CKey::DeleteRecursively(...)[gle=0xd0000034]
2013-01-28 12:44:51, Info                  CBS    Failed to get CSI store. [HRESULT = 0x80070002 - ERROR_FILE_NOT_FOUND]
2013-01-28 12:44:51, Error                 CBS    Failed to initialize store parameters with boot drive:  and windows directory:  [HRESULT = 0x80070002 - ERROR_FILE_NOT_FOUND]


But notice this is failing with ERROR_FILE_NOT_FOUND, which is a perfectly acceptable reason for SFC to fail.


I've never understood what it means when it references these C++ definitions but Vista and 7 are so similar internally that it wouldn't surprise me if this is just a leftover from Vista that they didn't need to change :)


d:\longhorn\base\wcp\sil\merged\ntu\ntsystem.cpp
d:\win7sp1_gdr\base\wcp\sil\merged\ntu\ntsystem.cpp


The second codebox shows that a hardlink exists on that file, confirming that's why SFC failed:


Code:
Microsoft Windows [Version 6.0.6002]
Copyright © 2006 Microsoft Corporation. All rights reserved.


C:\Windows\system32>dir C:\Windows\WinSxS\x86_security-malware-windows-defender-
events_31bf3856ad364e35_6.0.6000.16386_none_b3613e39beae266f\
Volume in drive C has no label.
Volume Serial Number is 7378-680D


Directory of C:\Windows\WinSxS\x86_security-malware-windows-defender-events_31b
f3856ad364e35_6.0.6000.16386_none_b3613e39beae266f


02/11/2006 13:35 <DIR> .
02/11/2006 13:35 <DIR> ..
02/11/2006 13:35 <SYMLINK> MpEvMsg.dll [c:\windows\system32\config]
1 File(s) 65,640 bytes
2 Dir(s) 20,953,784,320 bytes free


C:\Windows\system32>


The <SYMLINK> represents a symbolic link which essentially redirects calls to this file to another location - in this case C:\Windows\system32\config :)


Tom
 

My Computer

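To make the `<SYMLINK>` redirect concrete, here is an added example (written for this thread, not code from the post or from Microsoft) that reproduces the condition in a throwaway temp directory: a component folder with one genuine DLL-named file and one DLL name that is really a symbolic link to a directory called `config`. A scanner walks the folder without following links and reports any entry that is a symlink resolving to a directory, and a second helper opens each entry the way a verifier would. On Linux the redirected name fails with `EISDIR`, the POSIX counterpart of STATUS_FILE_IS_A_DIRECTORY; Windows reports the same condition as access denied. All names (`x86_demo-component_constructed`, `Good.dll`, the `config` target) are constructed, and creating the toy symlink on Windows needs Developer Mode or an elevated prompt. On a real machine the native equivalents are the `dir` listing above or `fsutil reparsepoint query <file>`.

```python
import errno
import os
import stat
import tempfile


def symlinks_to_directories(root):
    """Walk root without following links and return (path, target) for every entry
    that is a symbolic link whose target is a directory, i.e. a file name that
    really resolves to a folder, as the MpEvMsg.dll listing in the post shows."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        # os.walk lists a symlink-to-directory under dirnames but does not descend it.
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            if stat.S_ISLNK(os.lstat(full).st_mode) and os.path.isdir(full):
                findings.append((full, os.readlink(full)))
    return findings


def open_as_file(path):
    """Open path for reading as a verifier would; None on success, else the errno name.
    A symlink to a directory gives EISDIR on Linux (STATUS_FILE_IS_A_DIRECTORY's
    POSIX counterpart) and access denied (EACCES) on Windows."""
    try:
        with open(path, "rb") as fh:
            fh.read(16)
        return None
    except OSError as exc:
        return errno.errorcode.get(exc.errno, str(exc.errno))


def build_demo(base):
    """Constructed toy layout, no real component store involved: one DLL-like file
    and one DLL name that is a symlink to a sibling directory named 'config'."""
    component = os.path.join(base, "x86_demo-component_constructed")
    config_dir = os.path.join(base, "config")
    os.makedirs(component)
    os.makedirs(config_dir)
    with open(os.path.join(component, "Good.dll"), "wb") as fh:
        fh.write(b"MZ" + b"\x00" * 14)  # placeholder header bytes, not a real PE image
    os.symlink(config_dir, os.path.join(component, "MpEvMsg.dll"), target_is_directory=True)
    return component


def run_demo():
    """Build the toy layout, scan it, and try to open both entries."""
    with tempfile.TemporaryDirectory() as base:
        component = build_demo(base)
        found = symlinks_to_directories(component)
        return {
            "redirected": [os.path.basename(p) for p, _ in found],
            "good_open": open_as_file(os.path.join(component, "Good.dll")),
            "bad_open": open_as_file(os.path.join(component, "MpEvMsg.dll")),
        }


if __name__ == "__main__":
    # Point symlinks_to_directories() at a real component folder to inventory it; run_demo()
    # only exercises the constructed layout.
    print(run_demo())
```

The scanner deliberately uses `os.lstat` rather than `os.stat`: following the link first would just report a directory and hide the fact that the name was supposed to be a file.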
I reckon I need a lot more background to understand all of that Tom. :o
 

My Computer

Thanks tom982!

This stuff is spreading like wildfire. There is work being done on it, but not sure as to whether a solution is yet found.

Like you mentioned, it symbolically links files associated with Windows Defender and/or MSE, and there are a couple of tools being used to detect and remove the junctions, but have not seen the final solution. Have you?
 

My Computer

Computer type
PC/Desktop
Computer Manufacturer/Model Number
An ol' eMachines
OS
Windows 7 Home Premium
Internet Speed
Fine for me...I'm retired!
Thanks for the heads-up, Tom!

I've never liked just looking at the SFCDETAILS output - because it misses an awful lot of diagnostics stuff which is necessary, and you almost always have to ask for the full log anyhow.
At least now I have a technical reason to get shirty if the CBS.log isn't forthcoming :)
 

My Computer

Computer type
Laptop
Computer Manufacturer/Model Number
Asus K52F or Lenovo B51-80
OS
Win 7 x64 Home Premium (and x86 VirtualBox VM)/Win10
CPU
i3 370M/i7 6500U
Motherboard
Asus/Lenovo
Memory
8GB - finally :)/8GB
Graphics Card(s)
it's an i3, dude!/dual Intel&nVidia
Sound Card
onboard
Monitor(s) Displays
15.6" built-in
Screen Resolution
1366x768/1920x1080
Hard Drives
750GB Seagate internal
Sundry external drives attached to other computers on the local network
1TB SSD on the Lenovo
PSU
n/a
Internet Speed
as much as I can get - usually on a dongle/phone, so <1MB/s
Antivirus
MSE/Defender
Browser
IE11/12/Edge/Chrome/FF(if I must)
tom982,

Looks like working with the "junction disfunction" and permissions takes care of this variant of ZeroAccess, as well as restores the ability to download files.
 

My Computer

Thanks tom982!

This stuff is spreading like wildfire. There is work being done on it, but not sure as to whether a solution is yet found.

Like you mentioned, it symbolically links files associated with Windows Defender and/or MSE, and there are a couple of tools being used to detect and remove the junctions, but have not seen the final solution. Have you?

Nope, it's above my pay grade I'm afraid :(
 

My Computer



Your pay grade and mine = 0!!!

Fortunately, some with higher paygrades solved the issue.
 

My Computer

Thanks for telling. My laptop was hit by ZeroAccess. MSE failed to scan when a hidden folder was scanned and scanning stopped as Not Responding. SFC reported Windows Resource Protection at 21% then 19%. Elevated to run as administrator it still failed, and using the startup repair command prompt gave the same result. No choice but to reformat and execute a clean installation of Windows 7 again.
 

My Computer

Computer type
Laptop
Computer Manufacturer/Model Number
Acer Aspire 4736G
OS
Windows 7 Home Premium 64bit
CPU
Intel Core 2 Duo T6600 2.2 GHz 800MHz
Motherboard
Intel PM65
Memory
4GB
Graphics Card(s)
Nvidia Geforce G105M
Hard Drives
Toshiba MK5055GSX 99FKS993S LBAS 976773167
Antivirus
AVG Free AV 2015
Browser
IE & Chrome
So in a 'nutshell' C++ fails on MpEvMsg.dll > Client Security kernel-mode mini-filter, which gives/allows buffer overflows and exploitation... this would be a 'pointer' not a 'reference'.

References cannot be null, whereas pointers can; every reference refers to some object, although it may or may not be valid

Just trying to get the basic understanding of this too. It all goes back to inadequate security, not updating Windows (and other vulnerable programs, such as Java and Adobe) and taking chances with file sharing (P2P).
 

My Computer

Computer type
PC/Desktop
Computer Manufacturer/Model Number
Bruce ... somewhere in his 40's
OS
Windows 7 Ultimate 32bit SP1
CPU
Intel(R) Core(TM)2 Quad CPU @ 2.40GHz, 2400 MHz
Motherboard
INTEL/D975XBX2
Memory
4 GB
Graphics Card(s)
ATI Radeon HD 2600 Pro
Monitor(s) Displays
Samsung SyncMaster 914v
Screen Resolution
1280 x 1024
Hard Drives
2/500GB each ... ST3500630AS ATA Device.
One is not connected
PSU
Rocketfish 700 W
Case
G.Skill Gigabyte Chassis
Keyboard
Standard PS/2 Keyboard
Mouse
Microsoft PS/2 Mouse
Internet Speed
DSL
Antivirus
Avira Internet Security
Browser
IE 11
Other Info
ATI HDMI Audio
So in a 'nutshell' C++ fails on MpEvMsg.dll > Client Security kernel-mode mini-filter, which gives/allows buffer overflows and exploitation... this would be a 'pointer' not a 'reference'.

References cannot be null, whereas pointers can; every reference refers to some object, although it may or may not be valid
Just trying to get the basic understanding of this too. It all goes back to inadequate security, not updating Windows (and other vulnerable programs, such as Java and Adobe) and taking chances with file sharing (P2P).

Thanks for the update, Jacee :)


Whilst the security software plays a large part in this, quite a lot of the onus is on the user in the first place. As far as I know this variant doesn't come with any form of exploit and requires the user to elevate the program by accepting the UAC prompt - but they've disguised this by loading their dodgy dll under an installer for Adobe Flash Player so the UAC prompt says that Flash wants to elevate, not the ZeroAccess dropper.


If a website ever says you have outdated software, be sure to check this yourself from the vendors website and don't download the file they are offering!
 

My Computer

I found this thread very interesting as I'm not as savvy when it comes to the inner workings of Windows. As someone mentioned, this is above my pay grade (for now). But it is a fascinating read, and something to learn about.

That said, this caught my attention...

If a website ever says you have outdated software, be sure to check this yourself from the vendors website and don't download the file they are offering!

I was doing a Google search for something and ran across a site that piqued my interest. Normally I watch what site I enter, but the article got the better of me. Anyway I clicked the link, and was greeted with a "Your Flash isn't working, click here to update". Well me being the suspicious type, and knowing my Flash was working, I ignored it. A few hours later I'm looking at this thread and see the above quote :shock:

Thank god for my intuition, and knowing my system!

So yes, keeping your programs, including Windows, updated can avoid such problems. I get in arguments about this all the time, but some have the attitude of "if it ain't broke, don't fix it."

Anyway thanks for the info.
 

My Computer

Computer type
PC/Desktop
Computer Manufacturer/Model Number
Custom built by me.
OS
Windows 10 Pro
CPU
Intel Core i7-4770K (3.5Ghz)
Motherboard
Gigabyte G1 Sniper 5 (F10 Bios)
Memory
32 gig Corsair Dominator Platinum (4x8Gig)
Graphics Card(s)
Sapphire Tri-X R9 Fury
Sound Card
Soundblaster ZXR
Monitor(s) Displays
NEC PA242W 24" LCD Monitor
Screen Resolution
1920 x 1200
Hard Drives
Primary - Samsung 850 Pro (512gig), Samsung 840 Pro (256gig), 2TB WD Caviar Black.
PSU
EVGA Supernova 1000 G2
Case
Cooler Master HAF X
Cooling
Corsair H100i with Corsair Air Series SP120 Quiet Fans
Keyboard
Logitech Wireless Wave
Mouse
Logitech Performance MX
Internet Speed
High Speed Cable
Antivirus
Norton Security
Browser
IE11
Other Info
Memory Timings - 1866MHz @ 9-9-9-27-1T @ 1.5 volts
Sygnus, I have found lately there are a lot of sites which pop up a window saying my Flash Player is out of date. I always ignore them too.
 

My Computer

Sygnus, I have found lately there are a lot of sites which pop up a window saying my Flash Player is out of date. I always ignore them too.

Some could be legit, but this is where knowing your PC and your (updating) habits comes into play. I'm pretty obsessive about keeping my stuff updated so when that one popped up it just made me think.

Anyway I don't want to hijack the thread, I just wanted to add that little tid-bit.

Peace :cool:
 

My Computer

So in a 'nutshell' C++ fails on MpEvMsg.dll > Client Security kernel-mode mini-filter, which gives/allows buffer overflows and exploitation... this would be a 'pointer' not a 'reference'.

References cannot be null, whereas pointers can; every reference refers to some object, although it may or may not be valid

Couldn't this BSOD potentially also occur from stack buffer overruns?

STOP 0x000000F7: DRIVER_OVERRAN_STACK_BUFFER ~ BSOD Index
 

My Computer

Computer type
Laptop
Is the faulty symlink always MpEvMsg.dll, or is this just an example?

In case it's always MpEvMsg.dll:
  1. delete the symlink
  2. reinstall microsoft security essentials
Of course this doesn't remove ZeroAccess, but does it fix the SFC problem? Or is this not the whole story?
 

My Computer

Computer type
Laptop
Computer Manufacturer/Model Number
ACER ASPIRE 5742G
OS
Microsoft Windows 7 Home Premium 64-bits 7601 Multiprocessor Free Service Pack 1
CPU
Intel(R) Core(TM) i3 CPU M 370 @ 2.40GHz
Motherboard
Acer Aspire 5742G
Memory
4,00 GB
Graphics Card(s)
ATI Mobility Radeon HD 5400 Series
Sound Card
(1) AMD High Definition Audio Device (2) Realtek High Defi
Screen Resolution
1366 x 768 x 32 bits (4294967296 colors) @ 60 Hz
Hard Drives
WDC WD5000BEVT-22ZAT0