[SOLVED] SFC (cbs) help

[Mr. Yanl]

Hello,

I'm working on a coworkers computer and need a little assistance. I've removed 2 rootkits, and a spattering of adware, and programs that seemed to not actually exist on the pc, but listed in the programs and features list (assuming due to the rootkits). I used malwarebytes, Avast, and Ccleaner, to clean up, and fix/repair thus far.

Anyway, with those removed, I found integrity issues with system files. You'll have to forgive my lack of details please, as this has been an ongoing battle since Friday night (that I never thought was going to become this involved) and my brain hurts. I've been all over every forum I can think of reading SFC issues, and if you've done that before, you know there's a lot (a lot that go nowhere too). From this point on I'll be sure to pass the messages along verbatim.

Typically sfc would stop scan at 9% and "windows resource protection could not perform the requested operation". I made it to 11% once. Other times, I would receive "windows resource protection could not start the requested operation", and when trying to use an installation disc to sfc offline, I would receive the "could not perform the requested operation" or "could not start". When receiving the unable to start error, I rebooted, logged into pc, and changed WMI from disabled, to enabled and automatic. Then reboot, to disc again to try sfc offline only to receive the same errors. I logged back into the pc and ran sfc /scannow from elevated cmd prompt, and am consistently getting the "found errors, but cant fix them" message.

I've attached the cbs log, and hopefully someone can tell me what's going on there, as I'm not sure how exactly to read it yet. Thank you in advance for any help or suggestions.

-Mr. Yanl

 

[tom982]

Hello Mr Yanl, welcome to Sysnative!

As you found out, there are lots of forums around, but I'll let you in on a little secret: we're the best!

This portion of your CBS log shows SFC failing, but doesn't give many details on why:

2014-02-11 21:04:30, Error                 CSI    00000042 (F) STATUS_OBJECT_NAME_NOT_FOUND #974166# from Windows::Rtl::SystemImplementation::DirectFileSystemProvider::SysCreateFile(flags = (AllowSharingViolation), handle = {provider=NULL, handle=0}, da = (SYNCHRONIZE|FILE_READ_ATTRIBUTES), oa = @0xf4c8e0->OBJECT_ATTRIBUTES {s:48; rd:NULL; on:[122]"\??\C:\Windows\WinSxS\amd64_microsoft-windows-b..environment-windows_31bf3856ad364e35_6.1.7601.17556_none_c7355d7da388cacc"; a:(OBJ_CASE_INSENSITIVE)}, iosb = @0xf4c8c0, as = (null), fa = 0, sa = (FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE), cd = FILE_OPEN, co = (FILE_SYNCHRONOUS_IO_NONALERT|0x00004000), eab = NULL, eal = 0, disp = Invalid)
[gle=0xd0000034]
2014-02-11 21:04:30, Error                 CSI    00000043@2014/2/12:02:04:30.747 (F) d:\win7sp1_gdr\base\wcp\sil\merged\ntu\ntsystem.cpp(2057): Error STATUS_OBJECT_NAME_NOT_FOUND originated in function Windows::Rtl::SystemImplementation::DirectFileSystemProvider::SysCreateFile expression: (null)
[gle=0x80004005]
2014-02-11 21:04:31, Error                 CSI    00000044 (F) STATUS_OBJECT_NAME_NOT_FOUND #974165# from Windows::Rtl::SystemImplementation::CDirectory::OpenExistingDirectory(...)[gle=0xd0000034]
2014-02-11 21:04:31, Error                 CSI    00000045 (F) STATUS_OBJECT_NAME_NOT_FOUND #974164# from Windows::Rtl::SystemImplementation::CDirectory_IRtlDirectoryTearoff::OpenExistingDirectory(flags = 0, da = (SYNCHRONIZE), oa = @0xf4d1d8->SIL_OBJECT_ATTRIBUTES {s:40; on:"amd64_microsoft-windows-b..environment-windows_31bf3856ad364e35_6.1.7601.17556_none_c7355d7da388cacc"; a:(OBJ_CASE_INSENSITIVE)}, sa = (FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE), oo = (FILE_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT|FILE_OPEN_FOR_BACKUP_INTENT), dir = NULL, disp = Invalid)
[gle=0xd0000034]

To find out more, we're going to have to use another tool. Can you download and install the System Update Readiness Tool please?

Download System Update Readiness Tool for Windows 7 for x64-based Systems (KB947821) [November 2013] from Official Microsoft Download Centre

Post the log when it finishes:

C:\Windows\Logs\CBS\CheckSUR.persist.log

Tom

 

[Mr. Yanl]

Tom,

Thank you for the reply. Just finished what you said to do. here is the log. Again, thanks for the help.

 

[tom982]

Hi Mr Yanl,

Thanks, that's great. Would you mind running it one more time please, then posting the log again?

Tom

 

[Mr. Yanl]

Thanks again

 

[Mr. Yanl]

I was able to run sfc /scannow 100%, however still received the found errors but unable to repair them error. Ran the readiness tool once more, just to see, and the same 7 errors (or missing files) from the last CheckSUR.persist.log file are reported.

 

[tom982]

Hi Mr. Yanl,

SFC will be reporting the same errors in your CheckSUR log as it will be trying to check the files which are in fact missing. Let's replace them.

=================================
Checking System Update Readiness.
Binary Version 6.1.7601.22471
Package Version 22.0
2014-02-13 18:27

Checking Windows Servicing Packages

Checking Package Manifests and Catalogs

Checking Package Watchlist

Checking Component Watchlist

Checking Packages

Checking Component Store
(f)	CSI Manifest Missing	0x00000002	x86_microsoft-windows-js-debuggeride_31bf3856ad364e35_10.2.9200.20794_none_45d6aca6d07c99d7.manifest	x86_microsoft-windows-js-debuggeride_31bf3856ad364e35_10.2.9200.20794_none_45d6aca6d07c99d7	
(f)	CSI Payload File Missing	0x00000000	Amd64\hpoa440t.exp	amd64_prnhp003.inf_31bf3856ad364e35_6.1.7600.16385_none_2fd781a76c9dcc13	
(f)	CSI Payload File Missing	0x00000000	Amd64\hpoa320t.gpd	amd64_prnhp003.inf_31bf3856ad364e35_6.1.7600.16385_none_2fd781a76c9dcc13	
(f)	CSI Payload File Missing	0x00000000	winload.efi	amd64_microsoft-windows-b..environment-windows_31bf3856ad364e35_6.1.7601.21655_none_c7bdf9febca7513f	
(f)	CSI Payload File Missing	0x00000000	winload.exe	amd64_microsoft-windows-b..environment-windows_31bf3856ad364e35_6.1.7601.21655_none_c7bdf9febca7513f	
(f)	CSI Payload File Missing	0x00000000	winresume.efi	amd64_microsoft-windows-b..environment-windows_31bf3856ad364e35_6.1.7601.21655_none_c7bdf9febca7513f	
(f)	CSI Payload File Missing	0x00000000	winresume.exe	amd64_microsoft-windows-b..environment-windows_31bf3856ad364e35_6.1.7601.21655_none_c7bdf9febca7513f	

Summary:
Seconds executed: 402
 Found 7 errors
  CSI Manifest Missing Total count: 1
  CSI Payload File Missing Total count: 6

Unavailable repair files:
	winsxs\manifests\x86_microsoft-windows-js-debuggeride_31bf3856ad364e35_10.2.9200.20794_none_45d6aca6d07c99d7.manifest

SFCFix Script

Warning: this fix is specific to the user in this thread. No one else should follow these instructions as it may cause more harm than good. If you are after assistance, please start a thread of your own.

1. Download SFCFix.exe (by niemiro) and save this to your Desktop.
2. Download the file below, SFCFix.zip, and save this to your Desktop. Ensure that this file is named SFCFix.zip - do not rename it.
3. Save any open documents and close all open windows.
4. On your Desktop, you should see two files: SFCFix.exe and SFCFix.zip.
5. Drag the file SFCFix.zip onto the file SFCFix.exe and release it.
6. SFCFix will now process the script.
7. Upon completion, a file should be created on your Desktop: SFCFix.txt.
8. Copy (Ctrl+C) and Paste (Ctrl+V) the contents of this file into your next post for me to analyse please - put [CODE][/CODE] tags around the log to break up the text.

https://dl.dropboxusercontent.com/u/16537616/Fixes/SFCFix/Scripts/MrYanl/SFCFix.zip

SFC Scan

1. Click on the Start
   
   button and in the search box, type Command Prompt
2. When you see Command Prompt on the list, right-click on it and select Run as administrator
3. When command prompt opens, copy and paste the following commands into it, press enter after each
   
   sfc /scannow
   
   Wait for this to finish before you continue
   
   copy %windir%\logs\cbs\cbs.log %userprofile%\Desktop\cbs.txt
   
   
4. This will create a file, cbs.txt on your Desktop. Please attach this to your next post.

I'm having difficulty tracing the missing manifest, so could you upload your components hive please so I can trace it myself?

Upload a file to Dropbox

Note: If you prefer, the same techniques can be applied to your Skydrive however these instructions may not necessarily work for Skydrive.

1. If you haven't already created a Dropbox account, please do so Here
2. Although this procedure can be done directly through the website, it is much easier to do so via the Windows client which can be downloaded from the Dropbox website:
   
   https://www.dropbox.com/install
   
3. After you have downloaded and installed that, you should now see Dropbox in your Favourites box in Windows Explorer. This is the folder that will be synchronised with the Dropbox servers, anything that you wish to back up online can be put in here, but today we will be using it to transfer files.
   
   
   
   
   
   
4. To access your Dropbox folder, just click on the link in the top left hand corner of Windows Explorer (accessible from any location - Documents etc.). Alternatively, you can double click on the icon
   
   found in your system tray (next to the time). If you are still having issues locating this folder, unless otherwise specified, it can be found under this location: C:\Users\{Your username}\Dropbox
5. Copy all of the following files to the Public folder in your Dropbox:
   
   • C:\Windows\system32\config\components (it has no file extension)
     
     
6. Select all files by pressing Ctrl+A then right-click and select Send to > Compressed (zipped) folder
7. This will create a .zip
   
   file in your Public folder.
8. Right-click on this file and select
   
   Copy Public Link then Paste (Ctrl+V) this link into your next post for me please

Tom

 

[Mr. Yanl]

Hi Tom,

Thanks for the help. Sorry took a couple to get back to you. The text file you requested was pretty long, so I've uploaded as attachment for viewing.

 

[Mr. Yanl]

https://www.dropbox.com/s/3hfiio4n0v8do1m/COMPONENTS.zip

 

[Mr. Yanl]

and here is the cbs.txt file.... I ran the steps you suggested last on 2-17-2014. Actually, it was too large for the forum limits to upload. I've placed that in dropbox as well.

https://www.dropbox.com/s/wd4osauqqiu7257/cbs.txt

 

[Mr. Yanl]

Tom,

I sincerely want to thank you for your help with this issue, however, my coworker has requested to have her pc back in it's current state. Now that it's working well enough to log in and she can backup her files, she has decided to reinstall windows once she saves everything she wants. Again, thank you for your expertise in this area.

-Mr. Yanl

 

[tom982]

Hi Mr. Yanl,

I'm so sorry for taking so long to get back to you! Things have been really busy for me recently and I've got so, so much to reply to here.

I'm glad to hear you've managed to get the computer up and running again, even if Windows had to be reinstalled. Feel free to post back if you ever need any more help!

Tom