Questions Regarding SFC
Posted 21 February 2012 - 11:42 PM
I've done some slipstream work with XP, Vista, and 7, and working in a computer shop I'm finding that a lot of recent viruses are permanently infecting system files, making them impossible to remove without reinstalling or doing major internal work on the OS. Obviously this is where SFC comes in, however, I've had some issues with it, and I'm wondering if you guys have any resolutions for me:
1. SFC won't work properly in XP using my slipstreamed discs. I've read that updating IE and other changes causes issues with being able to use the disc for the files, so my question is if there's any way for me to fix my discs so they work with SFC again, while still containing all the updates.
2. I couldn't manage to use the purgecache parameter in 7, has it changed or something?
3. Vista and 7's SFC is a joke. They pull data from WinSxS, the replacement for the dllcache folder, but disabling Windows File Protection is fairly straight forward, and from what I've seen viruses have had no difficulty doing so. I've tried running SFC from the install disc using the /offbootdir and /offwindir parameters, but it doesn't seem to make a difference, and typically I get the "SFC found problems but was unable to fix them" at the end, which is extremely frustrating to see, is there a method of using SFC in Vista/7 that makes it nearly as effective as XP's?
4. In Windows XP, the repair installation feature was a godsend; I can't even begin to recall how many times I've fixed major XP issues using that option. Unfortunately, MS decided to opt out of that feature in Vista/7, so instead I'm left with attempting an in-place upgrade, which is running the installer off the disc from inside the broken Windows (already a problem, if the system won't boot) and selecting the Upgrade option, which essentially reinstalls the OS. However, it's not nearly as effective as XP's repair install, and it requires their OS to at least boot correctly. Has anyone looked into creating essentially a repair install utility for Vista/7? My idea is that you'd mount the WIM files, select the right image, and expand all its files over the top of their OS, while simultaneously purging and recreating the WinSxS folder. The main issue I see with this is the registry related changes that would need to be made and updates newer than your disc. Will this ever be possible or is there a good workaround?
Any answers to any of these questions would be greatly appreciated!
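Point 3 above runs SFC against the offline installation and then gets "found problems but was unable to fix them" without saying which files. As an added example (my own script, not from the thread or from Microsoft), the following PowerShell wrapper runs the offline scan from WinRE/WinPE and then extracts the SFC-specific `[SR]` entries from CBS.log, so the unrepairable files are listed by name and can be dealt with individually instead of guessing. The drive letters `D:\` and `D:\Windows` are placeholders; in WinRE the offline system volume is frequently not `C:`.

```powershell
# Added example (not from the thread): run SFC against an OFFLINE Windows
# Vista/7 installation from WinRE/WinPE, then pull the [SR] lines out of
# CBS.log so you can see which files it repaired and which it could not.
# Assumptions (placeholders): offline system volume D:\, Windows dir D:\Windows.
param(
    [string]$OfflineBootDir = 'D:\',
    [string]$OfflineWinDir  = 'D:\Windows'
)

# 1. Offline scan. /offbootdir and /offwindir point sfc.exe at the mounted
#    installation's component store instead of the running PE/WinRE.
#    Arguments are passed as an array so PowerShell does not re-quote the
#    trailing backslash in D:\.
$sfcArgs = @('/scannow', "/offbootdir=$OfflineBootDir", "/offwindir=$OfflineWinDir")
& "$env:SystemRoot\System32\sfc.exe" @sfcArgs
"sfc.exe exit code: $LASTEXITCODE"

# 2. Locate CBS.log (<Windows>\Logs\CBS\CBS.log). Look at the offline
#    installation first, then fall back to the running environment's own log.
$logCandidates = @(
    (Join-Path $OfflineWinDir 'Logs\CBS\CBS.log'),
    (Join-Path $env:SystemRoot 'Logs\CBS\CBS.log')
)
$log = $logCandidates | Where-Object { Test-Path -LiteralPath $_ } | Select-Object -First 1
if (-not $log) { Write-Warning 'No CBS.log found in either location'; return }

# 3. Only the [SR] entries belong to SFC. Split them into files that were
#    repaired and files SFC gave up on.
$sr = Select-String -Path $log -SimpleMatch '[SR]' | ForEach-Object { $_.Line }
$unrepaired = $sr | Where-Object { $_ -match 'Cannot repair member file|Could not reproject' }
$repaired   = $sr | Where-Object { $_ -match 'Repairing corrupted file|Repaired file' }

"Repaired: {0}   Unrepaired: {1}   (log: {2})" -f @($repaired).Count, @($unrepaired).Count, $log
"--- files SFC could not repair (one line per distinct message) ---"
$unrepaired |
    ForEach-Object { ($_ -split '\[SR\]', 2)[1].Trim() } |
    Sort-Object -Unique
```

The names printed at the end are the ones to pull individually from the install media (or from a known-clean machine at the same patch level), which is far less work than expanding the whole image. A clean scan produces no "Cannot repair" lines at all, so an empty list together with a non-zero exit code points at a problem with the drive letters rather than with the files.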
Posted 22 February 2012 - 06:23 AM
With respect to the Windows XP installation disk (slipstream), if you did it the right way, you should be able to run sfc as it should be, with the same CD that you installed Windows with (your slipstream disk), but it will not work with the original/unmodified Windows XP installation disk.
Sfc has a database that is on the PC. Therefore, if you try different versions of files, sfc can't work successfully...
Anyway, when sfc repairs a file, it is infected again... (re-infected by active infected processes). For this type of infection, you have to do it externally, with a BootCD, such as Win7PE_SE.
The manual way (expand files one by one) is always better... Although it takes time... after losing a few hours, you will have learned a lot more.
It will be better if you detect the infected files or the name of the virus, even though you can't disinfect them, and then ask for help at the right forum for this virus. Otherwise, your day will be an odyssey; replacing file by file is a bit difficult to do in Windows Vista/7.
But if you want to lose hours and hours, attempt to repair this manually.
Ps: Sometimes disinfecting a PC can take 20 hours or maybe 2 days. Installing Windows takes maybe 3 or 4 hours (with updates) or 8 or 10 hours, according to the amount of software that you include. If you reinstall, you lose the Windows license unless you have the original disk of the machine owner... but the virus is cleared!
(I speak Spanish, sorry if the translation is flawed.)
Posted 22 February 2012 - 06:55 AM
I am already using a PE to begin the removal process. I typically boot into MiniXP or some other PE environment and begin by using D7 on the offline OS to clean out bad startup entries, BHOs, services, and anything else I can manually detect. From there I run RKill, TDSS Killer, ComboFix, Tweaking.com's All-In-One Windows Repair, Malwarebytes, and SUPERAntiSpyware.
TDSS Killer generally knocks out any rootkits, and is able to run since the offline cleanup typically fixes broken EXE attributes and removes the majority of the malware, the other tools are mostly to finish the job and repair the damage done. The problem is that recently I've found that the viruses are directly infecting system files, including the backups, and as a result my only option is to get fresh ones from the install disc, a task I'd obviously prefer not to do manually. Offline scanners either fail to remove the viruses or they permanently damage the OS by removing the infected system files altogether.
Now, from my experience that usually leaves the virus completely disabled or removed; the problem is that in removing the virus I also damage the system, and must now use the OS discs to repair. I know that using a slipstreamed XP disc works if the install is from the same disc; however, usually I'm working with customer machines, and they still have their OEM installation on the system. A complete reinstall can't be done because they typically have programs and data that can't be transferred easily, or at least are more work than they're worth. Will running the sfc /purgecache command first allow me to use my slipstreamed discs on computers that didn't use them for the original installation?
I don't ever plan on manually expanding and replacing all of the files, and I actually think that doing that would likely break the system worse than it already is, I was wondering whether an automated tool could possibly be capable of doing it for me.
Posted 22 February 2012 - 08:49 AM
Please read: http://msdn.microsof...rdware/gg463455
At the same time you have the problem of "OEM installations". I'm sorry, but no repair with disk... Mr. Micro$oft is an idiot!! (in this matter)...
Lately I've found extraneous files that reactivate rootkits (that redirect internet searches). These files are hidden (hidden attribute) in the following locations (XP):
%TEMP%
%USERPROFILE%\AppData\
%USERPROFILE%\Application Data\
%USERPROFILE%\Local AppData\
%USERPROFILE%\Local AppData\Application Data\
%USERPROFILE%\Local Settings\
%USERPROFILE%\Local Settings\Application Data\
C:\Windows\temp\
You should search these locations for each existing user on the machine... (and of course, delete these files from a BootCD).
Could you tell me what virus it is, the one you can't eliminate... Did some anti-virus give a virus name? Or are you in the dark?
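The search described above (hidden files in the temp and AppData locations of every user profile, done from a BootCD against the offline disk) is tedious by hand because %TEMP% and %USERPROFILE% only resolve for the user currently logged on, not for the profiles on the offline volume. As an added example (my own script, not posted by anyone in the thread), this PowerShell report walks every profile under both the XP and Vista/7 profile roots, lists the hidden files directly inside those locations, hashes them, and writes a CSV to review before anything is deleted. The offline volume letter `D:` is a placeholder; the list of sub-directories is my own mapping of the locations named above onto the actual XP and Vista/7 folder layouts.

```powershell
# Added example (not from the thread): from a BootCD/WinPE, list hidden files
# in the per-user temp/AppData locations and in Windows\Temp of an OFFLINE
# installation, for every user profile, and write a CSV report to review
# before deleting anything. Assumption (placeholder): the offline volume is D:.
param(
    [string]$Root   = 'D:',
    [string]$Report = (Join-Path $env:TEMP 'hidden-files-report.csv')
)

# XP keeps profiles under "Documents and Settings", Vista/7 under "Users".
# Vista/7 also carries junctions with the XP names; those are skipped below
# so nothing is listed twice.
$profileRoots = @("$Root\Documents and Settings", "$Root\Users")
$perUserDirs  = @(
    'Local Settings\Temp',               # XP %TEMP%
    'Local Settings\Application Data',   # XP local AppData
    'Application Data',                  # XP roaming AppData
    'AppData\Local\Temp',                # Vista/7 %TEMP%
    'AppData\Local',                     # Vista/7 local AppData
    'AppData\Roaming'                    # Vista/7 roaming AppData
)
$systemDirs = @("$Root\Windows\Temp")

# True only for a real directory, not a junction/symlink (reparse point).
function Test-RealDir([string]$Path) {
    if (-not (Test-Path -LiteralPath $Path)) { return $false }
    $item = Get-Item -LiteralPath $Path -Force
    return ($item.PSIsContainer -and
            (($item.Attributes -band [IO.FileAttributes]::ReparsePoint) -eq 0))
}

# SHA-256 of a file, so a suspicious entry can be looked up or compared
# against the same file on a known-clean machine.
function Get-Sha256([string]$Path) {
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try   { [System.BitConverter]::ToString($sha.ComputeHash($stream)).Replace('-', '') }
    finally { $stream.Close() }
}

# Build the list of (user, directory) pairs that actually exist on this disk.
$targets = New-Object System.Collections.ArrayList
foreach ($pr in $profileRoots) {
    if (-not (Test-RealDir $pr)) { continue }
    $users = Get-ChildItem -LiteralPath $pr -Force | Where-Object { $_.PSIsContainer }
    foreach ($user in $users) {
        if (-not (Test-RealDir $user.FullName)) { continue }   # e.g. "Default User" junction
        foreach ($sub in $perUserDirs) {
            $dir = Join-Path $user.FullName $sub
            if (Test-RealDir $dir) {
                [void]$targets.Add((New-Object PSObject -Property @{ User = $user.Name; Dir = $dir }))
            }
        }
    }
}
foreach ($d in $systemDirs) {
    if (Test-RealDir $d) {
        [void]$targets.Add((New-Object PSObject -Property @{ User = '(system)'; Dir = $d }))
    }
}

# Non-recursive on purpose: a hidden FILE sitting directly in one of these
# folders is the pattern described in the thread, and Temp trees can be huge.
$findings = foreach ($t in $targets) {
    Get-ChildItem -LiteralPath $t.Dir -Force -ErrorAction SilentlyContinue |
        Where-Object { (-not $_.PSIsContainer) -and
                       (($_.Attributes -band [IO.FileAttributes]::Hidden) -ne 0) } |
        ForEach-Object {
            New-Object PSObject -Property @{
                User          = $t.User
                Path          = $_.FullName
                Bytes         = $_.Length
                LastWriteTime = $_.LastWriteTime
                SHA256        = Get-Sha256 $_.FullName
            }
        }
}

$sorted = $findings | Sort-Object LastWriteTime -Descending
$sorted | Export-Csv -Path $Report -NoTypeInformation
"{0} hidden file(s) found; report written to {1}" -f @($findings).Count, $Report
$sorted | Format-Table User, LastWriteTime, Bytes, Path -AutoSize
```

Expect legitimate hidden entries such as desktop.ini and ntuser.dat.LOG* in the report; the point of the CSV is to compare write times and hashes across profiles so that the one file that only exists in two users' temp folders and was written on the day the problem started stands out, and nothing is deleted from the BootCD until it has been identified.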
Posted 22 February 2012 - 10:34 AM
Hmmm, maybe if you had posted it in the Windows 7 section instead of the XP one you might have had some replies.....
Posted this on MSFN, but after a week I've still gotten no responses, hopefully you guys can help me out:
Even now it is not clear if you have issues with XP, with 7 or with both (in which case you should really make TWO different threads, one for each OS).
For the record, it is not that you had much success on reboot.pro with this one:
maybe you could try to expand on the contents - as an example I have NO idea of what you are talking about in the above.
Very good use. Especially coming from a "professional".
I typically boot into MiniXP or some other PE environment
Can I ask you WHY THE HECK there is a link to my profile in your signature?
Posted 22 February 2012 - 12:44 PM
Posted 22 February 2012 - 11:57 PM
The problem is that when it isn't your computer, you are not sure when the computer was infected. That complicates things quite a bit, because Windows does not keep copies indefinitely, only for a certain time / certain percentage of disk space.
With Win 7 I normally resort to a system restore, which can be done from a Win 7 Recovery DVD, and roll back to an earlier point.
And every time the system is restored, he must do a scan to see if there are viruses in that copy.
One possible solution is to restore the oldest copy and see what happens, but you must do all the work he already did over again.
I think time is running out to return the machine to its customer... cleaning viruses is always the hardest part. We must take everything into account, but everything, and yet sometimes the result is: system damaged. A simple example is when the system is infected by drivers that replace the network drivers and their registry keys.
When it's a computer from a company (in these terms of infection) I make a copy of the entire disk. If something fails, at least the data is in the copy, or I can restore the copy. But this takes much longer... and it takes many GB free on an external drive to back up the entire disk.
Falkoner: Best of luck my friend! If you give more details of what virus is reinfecting the system ... or the location where it's detected ... I could help more ...
Edited by u2o, 22 February 2012 - 11:59 PM.