SFC Scannow
It's Borked!!
Hey guys, anyone ever have SFC Scannow fail?
I had a virus yesterday, got it fixed, but now I get this error when I try to run SFC Scannow on Windows 8 Pro MCE.
It always fails at 64%.

Maybe the virus changed something in the registry or you didn't get all of the virus removed? I'm just guessing here.
1. Are you running it as an Administrator? And, did you do it in "Safe Mode"? If not, do so.
2. Did you put in any MS 'Fixits' regarding the font exploit? http://technet.microsoft.com/en-us/security/bulletin/ms11-087
Deny access to T2EMBED.DLL. That might be preventing SFC /scannow, although I remember that as failing at 15%, so I doubt it.
You could try booting to the installation dvd, select repair options. From there choose command prompt and run sfc.
3. You might also try to run chkdsk /f /r as an admin....again, from safe mode.
4. Is this an HDD or SSD? If it's an HDD, can you check for 'imminent failure'?
5. You might check this: http://social.technet.microsoft.com/Forums/windows/en-US/52834d80-f863-43ac-8b65-fc71bd173f5e/sfc-scannow-fails-at-15?forum=w7itprogeneral
Did you do any of the things recommended in my article http://drjbhl.joeuser.com/article/448314/Some_Useful_Links_For_Windows_8_Users ?
Look at the screenshot.
2. No.
3. Done
4. SSD
5. I'll check.
I made the recovery drive flash drive.
2. Isn't for Windows 8.
So you have the recovery flash drive...have you used it?
What virus did you have and how did you fix it?
Can you try after C:\Windows\system32> enter c: and then 'enter'
You should get
C:\>
Now enter (immediately after the C:\>) attrib -s -h *.* /S /D. There's a space between attrib and -s and -h and *.* and /S and /D.
Which will unhide files which shouldn't have been hidden (and might have been by the virus) and make them readable and fixable.
Then try sfc /scannow in admin mode.
No, I don't want to do a recovery. I don't want to lose all my programs, etc.
No, I get C:\Windows\system32> again
I'll probably do a repair install. But I had hoped for an easier fix.
There's little question that you had a virus that reset things.
Did you look this virus up...and what it does, exactly - i.e. which settings it changes?
Which virus was it, Jim?
You can try this software to fix the effects of the virus [review of it] : http://www.ghacks.net/2010/02/09/recover-operating-system-after-virus-attack/
download here: http://sourceforge.net/projects/viruseffectremo/
No Doc, all I know was it was a trojan and it resided in C:\Program Files (x86)\Google\Desktop.
Malwarebytes, and ASC Ultimate's Bit Defender A/V both claimed to quarantine it, but it kept coming back.
I had to boot into Win7, then browse to Win8 C:\Program Files (x86)\Google\Desktop and delete it.
Actually, I am having a few other problems as well, like my mouse double clicking when it should be single clicking, and my PC runs a disk check at every reboot.
Considering a clean reinstall, if the repair install doesn't work.
[quote who="DrJBHL" reply="9" id="3402280"]download here: http://sourceforge.net/projects/viruseffectremo/[/quote]
Trying this now.
You have to make sure it's gone, Jim. Don't you remember the name of the Trojan?
Once you have the name of the Trojan, you look it up on the net...especially at ESET and the antiviral software sites.
They generally have exact instructions as to how to remove it.
Do what they say before trying to repair effects.
Too late.
OK, after looking up the virus, which was trojan.sirefef.gy, it said to run Kaspersky TDSSKiller, then ComboFix. I did those, and cleaned what was found, then ran SFC scannow and it ran 100%. Found some stuff, and fixed them!
Seems all is well, at the moment.
Thanks for the help, Doc.
/me crosses fingers...;)
Thanks Jafo. Now, if only I knew where I got the virus....
I'm guessing an infected site, maybe even Facebook. It settled in the Google folder, so I was probably using Chrome at the time?
I've been to FB on and off. Do you have the HTTPS installed?
In Windows you use:
cd c:\
You're welcome Jim.
The folder ( C:\Program Files (x86)\Google\Desktop ) doesn't even exist as standard. If it was created by a trojan, your AV must be out of date, lame, or the attack above low budget... In this last case I would not just sit back and cross my fingers that everything is fine.
Not to mention that this is a very strange place for a trojan to settle...
All I read was that the problem is fixed, but could you provide a bit more info on how you fixed it and what was found?
If you do not know the name, I have one for you that is related to that folder. It's called Tr.Zaccess/Zeroaccess
...could be a trojan / or a rootkit
Edit just read more about it:
https://forums.malwarebytes.org/index.php?showtopic=133003
before you look through the log
make a search on the page if you like ( CTRL + F ) not type systemroot\system32
something like that should be highlighted as text
[ZeroAccess][Junction] en-US : C:\Program Files\Windows Defender\en-US >> \systemroot\system32\config [-] --> FOUND
That is BAD!
If you'll read further, you see I did say what it was and how I fixed it.
No A/V catches everything.
Well, all scans show I'm now clean, but it looks like maybe a format and reinstall may be in order.
Could blow in a backup, but I'm also having a disk check every boot.

trojan.sirefef.gy is packed with Zeroaccess !!!
It's just a different name used by the AV company of your AV.
http://malwaretips.com/Thread-How-to-completely-remove-ZeroAccess-Sirefef-rootkit-Removal-Guide
http://en.wikipedia.org/wiki/ZeroAccess_botnet
http://www.trojaner-board.de/119680-trojan-sirefef-gy-eingefangen-tun.html
It's in German. They point out that you should stay offline and change online banking passwords on a different computer. Even if it looks clean, they recommend a clean install.
Sorry RND, I must have been blind...
Didn't see trojan.sirefef.gy, but then I wasn't too far off, since both are the same with a different name.
I normally do not make postings to "BUMP", but in this case I think it is wise because I don't know if MR. RND/JIM uses online banking.
If someone has his contact, inform him kindly. TY
OH and BUMP!
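
Added example (not part of any post in the thread): a small triage script for the kind of scanner log line quoted above, flagging junctions that redirect a folder into the system32 tree. The line format is assumed from the single line quoted in the thread; the other sample lines and all function names are constructed for illustration.

```python
import re

# Shape of the single scanner line quoted in the thread (assumed, not a vendor spec):
#   [Family][Type] name : source >> target [flag] --> STATUS
ENTRY = re.compile(
    r"^\[(?P<family>[^\]]+)\]\[(?P<kind>[^\]]+)\]\s+(?P<name>.+?)\s+:\s+"
    r"(?P<source>.+?)\s+>>\s+(?P<target>.+?)\s+\[(?P<flag>[^\]]*)\]"
    r"\s+-->\s+(?P<status>\S+)\s*$"
)
# Targets inside the Windows system directory, in the spellings a log may use.
SYSTEM32 = re.compile(r"^(\\systemroot|%systemroot%|[a-z]:\\windows)\\system32(\\|$)")

# First line is the one quoted in the thread; the others are constructed.
SAMPLE_LOG = r"""
[ZeroAccess][Junction] en-US : C:\Program Files\Windows Defender\en-US >> \systemroot\system32\config [-] --> FOUND
[Example][Junction] Docs : C:\Users\Public\Docs >> D:\Archive\Docs [-] --> FOUND
[Example][File] sample.tmp : C:\Temp\sample.tmp >> - [-] --> FOUND
Scan finished
"""

def parse_entry(line):
    """Return the fields of one log line, or None if it is not an entry."""
    m = ENTRY.match(line.strip())
    return m.groupdict() if m else None

def redirects_into_system32(entry):
    """True for a FOUND junction whose target lies under system32."""
    if entry["kind"].lower() != "junction" or entry["status"].upper() != "FOUND":
        return False
    target = entry["target"].lower().replace("/", "\\")
    if target.startswith("\\??\\"):      # strip NT object-namespace prefix
        target = target[4:]
    return bool(SYSTEM32.match(target))

def triage(log_text):
    """List (family, source, target) for every suspicious junction."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_entry(line)
        if entry and redirects_into_system32(entry):
            hits.append((entry["family"], entry["source"], entry["target"]))
    return hits

if __name__ == "__main__":
    for family, source, target in triage(SAMPLE_LOG):
        print(f"{family}: {source} -> {target}")
```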