SFC Scannow

It's Borked!!

By RedneckDude on October 8, 2013 2:07:25 PM from WinCustomize Forums

Hey guys, anyone ever have SFC Scannow fail?

 

I had a virus yesterday, got it fixed, but now I get this error when I try to run SFC Scannow on Windows 8 Pro MCE.

 

It always fails at 64%.

 

 

October 8, 2013 2:14:16 PM from WinCustomize Forums

Maybe the virus changed something in the registry or you didn't get all of the virus removed?   I'm just guessing here. 

October 8, 2013 2:19:35 PM from WinCustomize Forums

1. Are you running it as an Administrator? And, did you do it in "Safe Mode"? If not, do so.

2. Did you put in any MS 'Fixits' regarding the font exploit? http://technet.microsoft.com/en-us/security/bulletin/ms11-087

Deny access to T2EMBED.DLL. That might be preventing SFC /scannow, although I remember that's failing at 15%, so I doubt it.

You could try booting to the installation dvd, select repair options. From there choose command prompt and run sfc.

3. You might also try to run chkdsk /f /r as an admin....again, from safe mode.

4. Is this an HDD or SSD? If it's an HDD can you check for 'imminent failure'?

5. You might check this: http://social.technet.microsoft.com/Forums/windows/en-US/52834d80-f863-43ac-8b65-fc71bd173f5e/sfc-scannow-fails-at-15?forum=w7itprogeneral


Did you do any of the things recommended in my article http://drjbhl.joeuser.com/article/448314/Some_Useful_Links_For_Windows_8_Users ?

 

October 8, 2013 2:49:43 PM from WinCustomize Forums

Quoting DrJBHL,
1. Are you running it as an Administrator?

Look at the screenshot.

 

2. No.

 

3. Done

4. SSD

5. I'll check.

 

I made the recovery drive flash drive.

October 8, 2013 2:54:41 PM from WinCustomize Forums

2. Isn't for Windows 8.

October 8, 2013 3:43:40 PM from WinCustomize Forums

Quoting RedneckDude,
I made the recovery drive flash drive.

So you have the recovery flash drive...have you used it?

What virus did you have and how did you fix it?

Can you try after C:\Windows\system32> enter c: and then 'enter'

You should get 

C:\>

now enter (immediately after the C:\>) attrib -s -h *.* /S /D    There's a space between attrib and -s and -h and *.* and /S and /D

Which will unhide files which shouldn't have been hidden (and might have been by the virus) and make them readable and fixable.

Then try sfc /scannow in admin mode.

 

October 8, 2013 4:32:39 PM from WinCustomize Forums

Quoting DrJBHL,
So you have the recovery flash drive...have you used it?

No, I don't want to do a recovery. I don't want to lose all my programs, etc.

October 8, 2013 4:34:37 PM from WinCustomize Forums

Quoting DrJBHL,
Can you try after C:\Windows\system32> enter c: and then 'enter'
You should get
C:\>

 

No, I get C:\Windows\system32> again

 

October 8, 2013 4:37:35 PM from WinCustomize Forums

I'll probably do a repair install. But I had hoped for an easier fix.

October 8, 2013 5:32:35 PM from WinCustomize Forums

There's little question that you had a virus that reset things.

Did you look this virus up...and what it does, exactly - i.e. which settings it changes?

Which virus was it, Jim?

You can try this software to fix the effects of the virus [review of it] : http://www.ghacks.net/2010/02/09/recover-operating-system-after-virus-attack/

 

download here: http://sourceforge.net/projects/viruseffectremo/

 

October 8, 2013 5:46:21 PM from WinCustomize Forums

Quoting DrJBHL,
Did you look this virus up...and what it does, exactly - i.e. which settings it changes?
Which virus was it, Jim?

No Doc, all I know was it was a trojan and it resided in C:\Program Files (x86)\Google\Desktop.

 

Malwarebytes, and ASC Ultimate's Bit Defender A/V both claimed to quarantine it, but it kept coming back.

 

I had to boot into Win7, then browse to Win8  C:\Program Files (x86)\Google\Desktop and delete it.

October 8, 2013 5:52:10 PM from WinCustomize Forums

Actually, I am having a few other problems as well, like my mouse double clicking when it should be single clicking, and my PC runs a disk check at every reboot.

 

Considering a clean reinstall, if the repair install doesn't work. 

October 8, 2013 5:52:41 PM from WinCustomize Forums

Quoting DrJBHL,
download here: http://sourceforge.net/projects/viruseffectremo/

Trying this now.

 

October 8, 2013 6:05:54 PM from WinCustomize Forums

You have to make sure it's gone, Jim. Don't you remember the name of the Trojan?

Once you have the name of the Trojan, you look it up on the net...especially at ESET and the antiviral software sites.

They generally have exact instructions as to how to remove it.

Do what they say before trying to repair effects.

October 8, 2013 6:41:19 PM from WinCustomize Forums

Quoting DrJBHL,
Do what they say before trying to repair effects.

Too late.

October 8, 2013 9:13:56 PM from WinCustomize Forums

OK, after looking up the virus, which was trojan.sirefef.gy, it said to run Kaspersky TDSSKiller, then ComboFix. I did those, and cleaned what was found, then ran SFC scannow and it ran 100%. Found some stuff, and fixed them!

 

Seems all is well, at the moment.

 

Thanks for the help, Doc.

October 8, 2013 9:37:25 PM from WinCustomize Forums

Quoting RedneckDude,
Seems all is well, at the moment.

Jafo crosses fingers...

October 8, 2013 9:47:20 PM from WinCustomize Forums

Thanks Jafo. Now, if only I knew where I got the virus....

 

I'm guessing an infected site, maybe even Facebook. It settled in the Google folder, so I was probably using Chrome at the time?

October 9, 2013 5:56:10 AM from WinCustomize Forums

I've been to FB on and off. Do you have the HTTPS installed?

October 9, 2013 7:22:26 AM from WinCustomize Forums

Quoting RedneckDude,


Quoting DrJBHL, reply 5
Can you try after C:\Windows\system32> enter c: and then 'enter'
You should get
C:\>

 

No, I get C:\Windows\system32> again

 

 

 in Windows you use:

cd c:\

 

 

October 9, 2013 7:25:39 AM from WinCustomize Forums

Quoting RedneckDude,
Thanks for the help, Doc.

You're welcome Jim.

October 9, 2013 8:34:13 AM from WinCustomize Forums

The folder ( C:\Program Files (x86)\Google\Desktop ) doesn't even exist on standard, if created by a trojan your AV must be out of date, lame or the attack above low budget... in this last case I would not just sit back and cross my fingers that everything is fine
Not to mention that this is a very strange place for a trojan to settle...

All I read was that the problem is fixed but could you provide a bit more info on how you fixed it and what was found?

If you do not know the name I have one for you that is related to that folder, it's called Tr.Zaccess/Zeroaccess
...could be a trojan / or a rootkit

Edit just read more about it:
https://forums.malwarebytes.org/index.php?showtopic=133003

before you look through the log
make a search on the page if you like ( CTRL + F ) not type systemroot\system32

something like that should be highlighted as text 
[ZeroAccess][Junction] en-US : C:\Program Files\Windows Defender\en-US >> \systemroot\system32\config [-] --> FOUND

That is BAD! 
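
A read-only way to look on the live system for the kind of junction shown in the log line above, as an added PowerShell example that is not part of any poster's reply. The `Find-ReparsePoint` name and the choice of folders to inspect are assumptions, and the `LinkType` and `Target` properties need PowerShell 5 or later.

```powershell
# Added example, not from the thread. Read-only: it lists links and changes nothing.
# Assumption: which folders to inspect. The Windows Defender path is taken from
# the log line quoted in the post above.
$roots = @(
    (Join-Path $env:ProgramFiles 'Windows Defender')
) | Where-Object { Test-Path -LiteralPath $_ }

function Find-ReparsePoint {   # hypothetical helper name
    param([string[]]$Root)

    $stack = New-Object System.Collections.Stack
    foreach ($r in $Root) { $stack.Push((Get-Item -LiteralPath $r -Force)) }

    while ($stack.Count -gt 0) {
        $dir = $stack.Pop()
        if ($dir.Attributes -band [IO.FileAttributes]::ReparsePoint) {
            # Report the link and do not descend, so the walk never follows
            # a junction into whatever it points at.
            $target = @($dir.Target) -join ';'
            [pscustomobject]@{
                Path         = $dir.FullName
                LinkType     = $dir.LinkType
                Target       = $target
                # Same pattern the post says to search the log for.
                IntoSystem32 = $target -match '\\system32(\\|$)'
            }
            continue
        }
        # Unreadable folders are skipped silently; run elevated to reduce gaps.
        Get-ChildItem -LiteralPath $dir.FullName -Directory -Force -ErrorAction SilentlyContinue |
            ForEach-Object { $stack.Push($_) }
    }
}

Find-ReparsePoint -Root $roots | Format-Table -AutoSize
```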

 

October 9, 2013 12:20:51 PM from WinCustomize Forums

Quoting Roloccolor,
All I read was that the problem is fixed but could you provide a bit more info on how you fixed it and what was found?

 

If you'll read further, you see I did say what it was and how I fixed it.

 

 

Quoting Roloccolor,
the folder ( C:\Program Files (x86)\Google\Desktop ) doesn't even exist on standard, if created by a trojan your AV must be out of date, lame or the attack above low budget...

No A/V catches everything.

October 9, 2013 12:24:50 PM from WinCustomize Forums

 

 

 

Well, all scans show I'm now clean, but it looks like maybe a format and reinstall may be in order.

 

 

Could blow in a backup, but I'm also having a disk check every boot.

October 9, 2013 5:14:41 PM from WinCustomize Forums

trojan.sirefef.gy is packed with Zeroaccess !!!  

It's just a different name used by the AV company of your AV
http://malwaretips.com/Thread-How-to-completely-remove-ZeroAccess-Sirefef-rootkit-Removal-Guide
http://en.wikipedia.org/wiki/ZeroAccess_botnet

http://www.trojaner-board.de/119680-trojan-sirefef-gy-eingefangen-tun.html
It's in German; they point out that you should stay offline and change online banking passwords on a different computer; even if it looks clean they recommend a clean install.
 

Sorry RND, I must have been blind...    didn't see trojan.sirefef.gy, but then I wasn't too far off since both are the same with a different name

Quoting RedneckDude,
Quoting Roloccolor, reply 21
the folder ( C:\Program Files (x86)\Google\Desktop ) doesn't even exist on standard, if created by a trojan your AV must be out of date, lame or the attack above low budget...
No A/V catches everything.

What I meant with that is that if a "trojan" manages to create a folder without being detected it isn't average class "medium"; normally these things get stopped right away. I know that no AV catches every intruder, no offense meant...


Quoting RedneckDude,
Well, all scan show I'm now clean, but it looks like maybe a format and reinstall may be in order.  

I would do the same
This is a backdoor trojan with rootkit functionality RND.. no matter how hard you clean you will break stuff or have dirty little remnants on your system
+ the danger of being ripped off and keylogged in the worst case..

 

October 9, 2013 6:02:48 PM from WinCustomize Forums

I normally do not make postings to "BUMP" but in this case I think it is wise because I don't know if MR. RND/JIM uses online banking
IF someone has his contact, inform him kindly TY
OH and BUMP!
