Jump to content

Recommended Posts

Posted

Posted this to MSFN, but after a week I've still gotten no responses, hopefully I can get a better turnout here:

I've done some slipstream work with XP, Vista, and 7, and working in a computer shop I'm finding that a lot of recent viruses are permanently infecting system files, making them impossible to remove without reinstalling or doing major internal work on the OS. Obviously this is where SFC comes in, however, I've had some issues with it, and I'm wondering if you guys have any resolutions for me:

1. SFC won't work properly in XP using my slipstreamed discs. I've read that updating IE and other changes causes issues with being able to use the disc for the files, so my question is if there's any way for me to fix my discs so they work with SFC again, while still containing all the updates.

2. I couldn't manage to use the purgecache parameter in 7, has it changed or something?

3. Vista and 7's SFC is a joke. They pull data from WinSxS, the replacement for the dllcache folder, but disabling Windows File Protection is fairly straight forward, and from what I've seen viruses have had no difficulty doing so. I've tried running SFC from the install disc using the /offbootdir and /offwindir parameters, but it doesn't seem to make a difference, and typically I get the "SFC found problems but was unable to fix them" at the end, which is extremely frustrating to see, is there a method of using SFC in Vista/7 that makes it nearly as effective as XP's?

4. In Windows XP, the repair installation feature was godsend, I can't even begin to recall how many times I've fixed major XP issues using that option, unfortunately, MS decided to opt out of that feature in Vista/7, so instead I'm left with attempting an in-place upgrade, which is running the installer off the disc from inside the broken Windows (already a problem, if the system won't boot), and selecting the Upgrade option, which essentially reinstalls the OS, however, it's not nearly as effective as XP's repair install, and it requires their OS to at least boot correctly. Has anyone looked into creating essentially a repair install utility for Vista/7? My idea is that you'd mount the WIM files, select the right image, and expand all its files over the top of their OS, while simultaneously purging and recreating the WinSxS folder. The main issue I see with this is the registry related changes that would need to be made and updates newer than your disc. Will this ever be possible or is there a good workaround?

Any answers to any of these questions would be greatly appreciated!

Posted

While I cannot give good answers for the rest of your listed problems, I see the only way to make sure and remove your virus problem is to add that hdd to an already working system and scan the drive for viruses. First, this prevents the viruses from auto loading in the OS. Second, it stops any root kits from hiding themselves. Only when you have the virus(es) removed would I then say try to work with the hdd to get it working again.

Of course, the above is only applicable if you have access to another system that you can perfom said actions on. Otherwise, you are going to be fighting a losing battle to those virii you want to remove from the system.

Posted

I actually already do that, I typically boot into MiniXP or some other PE environment and begin by using D7 on the offline OS to clean out bad startup entries, BHOs, services, and anything else I can manually detect. From there I run RKill, TDSS Killer, ComboFix, Tweaking.com's All-In-One Windows Repair, Malwarebytes', and SUPER Antispyware.

TDSS Killer generally knocks out any rootkits, and is able to run since the offline cleanup typically fixes broken EXE attributes and removes the majority of the malware, the other tools are mostly to finish the job and repair the damage done. The problem is that recently I've found that the viruses are directly infecting system files, including the backups, and as a result my only option is to get fresh ones from the install disc, a task I'd obviously prefer not to do manually. Offline scanners either fail to remove the viruses or they permanently damage the OS by removing the infected system files altogether.

Posted (edited)

Luckily, there is a way to fix your problems. In doing a little research I came across the following. Assuming you are in a Windows 7 PE, you can use the program "sfc" to scan your directory. Likely you will need your original installation media. Here is the command line help for the file:

Microsoft ® Windows ® Resource Checker Version 6.0

Copyright © 2006 Microsoft Corporation. All rights reserved.

Scans the integrity of all protected system files and replaces incorrect version

s with correct Microsoft versions.

SFC [/sCANNOW] [/VERIFYONLY] [/sCANFILE=<file>] [/VERIFYFILE=<file>]

[/OFFWINDIR=<offline windows directory> /OFFBOOTDIR=<offline boot directory>]

/SCANNOW Scans integrity of all protected system files and repairs files with problems when possible.

/VERIFYONLY Scans integrity of all protected system files. No repair operation is performed.

/SCANFILE Scans integrity of the referenced file, repairs file if problems are identified. Specify full path <file>

/VERIFYFILE Verifies the integrity of the file with full path <file>. No repair operation is performed.

/OFFBOOTDIR For offline repair specify the location of the offline boot directory

/OFFWINDIR For offline repair specify the location of the offline windows directory

e.g.

sfc /SCANNOW

sfc /VERIFYFILE=c:\windows\system32\kernel32.dll

sfc /SCANFILE=d:\windows\system32\kernel32.dll /OFFBOOTDIR=d:\ /OFFWINDIR=d:\windows

sfc /VERIFYONLY

Even if you are not using a Win7 PE, you can do something similar from the "install" command line. Boot from your CD as if you were going to install it. Press <Shift>+<F10>. That should bring up a command prompt for you to work with.

Edited by crashfly

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...