SFC Warning

Is the faulty symlink always MpEvMsg.dll, or is this just an example?

In case it's always MpEvMsg.dll:
  1. delete the symlink
  2. reinstall Microsoft Security Essentials
Of course this doesn't remove ZeroAccess, but does it fix the SFC problem? Or is this not the whole story?

It's always on MpEvMsg.dll, but there are many other files. I can't go into any details on the security side of things I'm afraid, as I haven't finished my training yet. I just wanted to give you guys a heads up if you see SFC failing with this error :)
ESET Removal Tool

Hey guys, I hardly ever post but I thought this may help others with this particular problem. The ESET Sirefef removal tool does find and fix these symbolic links. You may have to run it with the /r switch to get it to repair the files if the main zaccess infection has already been removed.
@Kaktussoft

Never thought of ZeroAccess as a story, but your comment made me laugh. It is a story, and a long one!!


From what I have read...

The new ZeroAccess Rootkit variant can get in the system, make a mess of some services, and then go after the Microsoft Security Client and Windows Defender to set symbolic links.

If I understand correctly, looking into these gives a clue:
C:\Program Files\Microsoft Security Client\MpEvMsg.dll
C:\Program Files\Windows Defender\MpSvc.dll

Unfortunately, the above is "not the whole story"...

...the story continues, and using WD as an example, you need to find and remove the symbolic links on the files of Windows Defender. Then, turn the page of the storybook, for the previous is not enough. The files' altered permissions need resetting!

There are now some tools that will take care of the problem, either entirely, or to some extent.

We can be sure tool developers are working incessantly to give this new ZeroAccess story, like many times before, a good ending.
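As an added, read-only check (not code from this thread or from the ESET tool), the PowerShell below looks at the two paths quoted above, reports whether either has been replaced by a reparse point (symlink/junction) or now carries the Directory attribute, and dumps the owner and DACL so altered permissions are visible before any cleanup. It assumes an elevated PowerShell on the affected machine and the default install paths given in the thread.

```powershell
# Added example: inspect the Windows Defender / MSE binaries the thread
# names and flag the symptoms it describes (symlinks and changed ACLs).
# Read-only: nothing is deleted or repaired here.
# Assumption: default install paths as quoted in the thread.
$suspects = @(
    'C:\Program Files\Microsoft Security Client\MpEvMsg.dll',
    'C:\Program Files\Windows Defender\MpSvc.dll'
)

foreach ($path in $suspects) {
    if (-not (Test-Path -LiteralPath $path)) {
        Write-Output "[missing]  $path"
        continue
    }

    # -Force so hidden/system items are returned as well.
    $item = Get-Item -LiteralPath $path -Force

    # A genuine DLL has neither attribute; a symlink or junction sets
    # ReparsePoint, and a junction to a folder also sets Directory, which
    # is consistent with the STATUS_FILE_IS_A_DIRECTORY error seen in CBS.log.
    $isReparse = ($item.Attributes -band [IO.FileAttributes]::ReparsePoint) -ne 0
    $isDir     = ($item.Attributes -band [IO.FileAttributes]::Directory) -ne 0

    if ($isReparse -or $isDir) {
        Write-Output "[SUSPECT]  $path"
        Write-Output "           attributes=$($item.Attributes)"
        if ($item.PSObject.Properties['LinkType'] -and $item.LinkType) {
            # LinkType/Target are available on PowerShell 5 and later.
            Write-Output "           linktype=$($item.LinkType) target=$($item.Target)"
        }
    } else {
        Write-Output "[ok]       $path"
    }

    # Altered permissions are the second half of the cleanup, so show the
    # current owner and each DACL entry for comparison with a clean system.
    $acl = Get-Acl -LiteralPath $path
    Write-Output "           owner=$($acl.Owner)"
    foreach ($ace in $acl.Access) {
        Write-Output ("           {0,-5} {1,-35} {2}" -f `
            $ace.AccessControlType, $ace.IdentityReference, $ace.FileSystemRights)
    }
}
```

Any path reported as [SUSPECT], or an owner/DACL that differs from a known-good machine, is what the removal tool (or a manual repair plus permission reset) has to put right.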
Hi tiberriver256,

Thank you so much for taking the time to sign up here to let me know about this tool! I really appreciate your efforts :) I have passed this information on, including the logs of it purging ZeroAccess from my VM, to the security community and this should really aid us in the fight.

Thanks again,

Tom
How does this work? Is the Sirefef removal tool a command line tool?
Britton30,

Is the Sirefef removal tool a command line tool?

The answer is No and Yes!! :D Not trying to confuse you!!

The ESETSirefefCleaner tool is run like any other tool: double-click it and follow the prompts, etc.

However, once done, if the system still has problems, you go to an elevated command prompt, and run the tool in manual repair mode: /r

Have not used this tool, and do not know whether it addresses MSE, or whether it resets the permissions of all the files affected in WD and MSE.

Tom might give it a whirl in his VM...
Thanks, I'm totally unfamiliar with running stuff from command line. :confused:
If you keep it kind of basic, it's not difficult, once you get the hang of it. Bet you could do it if you wanted to.

If it goes beyond some basics, it is not for me either. :D

Messing with rootkits is kind of a post and pray deal. There are no guarantees.
I thought ZeroAccess wasn't a rootkit any more? I suppose it depends how you define a rootkit, but I don't think user mode 'rootkits' are real rootkits :D It switched to usermode in the last variant and I'm pretty sure this is the same because I can't see a driver anywhere.


Major shift in strategy for ZeroAccess rootkit malware, as it shifts to user-mode | Naked Security
Hey guys, I created an account on here just to post to this thread. I was having this same problem, SFC would not complete due to these Windows Defender/MSE files having an issue. I ran the Eset Sirefef remover tool with the /r option and it was able to fix the issue with these files. SFC now completes (It actually didn't even need to complete to fix my overall issue, once these files were repaired, my main issue was resolved).

Just wanted to say thanks, I've been working this for hours.
Nice to know. May I ask how exactly you found this thread? What were the google search words, if you remember?

The reason I ask is it seems Google can prioritize hot threads for a certain issue in real time, even parsing the content for exactness.
 
I searched for:

STATUS_FILE_IS_A_DIRECTORY cbs.log
So Google is indexing our content in real time. Good. Many don't know that John works on this constantly and is one key to the Forums' smashing success.

This helps countless thousands who are savvy enough to type in the error text, or even deftly describe the issue.

It also causes our threads to live on forever, which is why they've never closed and deserve updating even if you come across a really old one.
 
Thx guys - ESET Sirefef Cleaner worked so SFC can run again now.

Fett: I found it with the same query ;)