  1. #1
    New Lounger
    Join Date
    May 2011
    Location
    Liberty Hill, TX
    Posts
    8
    Thanks
    0
    Thanked 2 Times in 2 Posts

    Hard Drive Failures Vista/7 - .NET Issues

    Discovered a fun little problem while working on an alleged hard drive failure, thought I would share:

    When a computer running Windows Vista or 7 crashes with hard-drive failure (in this particular case due to a virus), the first step in the recovery console or in a system restore is to unregister the .NET 2.0 Framework. Apparently, it’s a feature that is supposed to prevent .NET-enabled viral code from using the existing libraries. However, the unregister is faulty in the Vista/7 recovery console and trashes the mscorlibs dll, or at least damages it. When the dll is re-registered, it’s in a broken state. Anything that depends on the 2.0 libraries, then, will fail to work. This includes Visual Studio 2008/2010, MS Powerpoint 2010, advanced parts of MS Word 2010 and MS Excel 2010 (such as data-driven pivot tables) and SQL Server 2008. What you see is a window stating that mscorlibs.dll or one of its dependencies failed to load.

    Fun.

    As 2.0 and 3.5 are embedded in Windows 7 (and removing them would toast the OS entirely), it’s not possible to reinstall them directly. Repair won’t work either, since the problem is that the OS thinks the damaged version of the dll is actually correct.

    Solution:
    Click Start/All Programs/Accessories, right click on Command prompt and select “Run as Administrator”
    At the command prompt type sfc /scannow
    Wait about 20 minutes for the scan to complete.
    You should see either that all problems are fixed or that the scan didn’t find anything to do (this is actually a flaw in the reporting; it did find and correct the problem).

    Reboot the computer. Everything should be working now.

    For additional steps should the SFC fail, consult Jedi Master Aaron Stebner
    http://blogs.msdn.com/b/astebner/arc...ows-vista.aspx

  2. The Following User Says Thank You to korollyn For This Useful Post:

    Medico (2011-06-08)
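
Post #1 says the on-screen SFC result may not show what was actually done. SFC also records each action in `%windir%\Logs\CBS\CBS.log`, tagged `[SR]`, so the outcome can be checked there. The following is an added example, not code from the thread: the function name `Get-SfcSummary` is hypothetical, the sample log lines are constructed, and the patterns assume the `[SR]` line shapes SFC normally writes on Vista/7.

```powershell
# Added example (not from the thread): summarise what sfc /scannow recorded.
# SFC tags its entries in CBS.log with [SR]. The sample lines are constructed.
$sample = @(
  '2011-06-08 09:14:02, Info  CSI  00000007 [SR] Beginning Verify and Repair transaction',
  '2011-06-08 09:21:47, Info  CSI  0000012a [SR] Repairing corrupted file [ml:520{260},l:98{49}]"\??\C:\Windows\Microsoft.NET\Framework\v2.0.50727"\[l:24{12}]"mscorlib.dll" from store',
  '2011-06-08 09:21:47, Info  CSI  0000012b [SR] Repairing corrupted file [ml:520{260},l:98{49}]"\??\C:\Windows\Microsoft.NET\Framework\v2.0.50727"\[l:24{12}]"mscorlib.dll" from store',
  '2011-06-08 09:25:10, Info  CSI  00000150 [SR] Cannot repair member file [l:22{11}]"example.dll" of Example-Component, Version = 6.1.7600.16385',
  '2011-06-08 09:30:00, Info  CSI  00000200 [SR] Verify complete'
)

function Get-SfcSummary {
    param([string[]]$Lines)

    $repaired = @()
    $failed   = @()
    foreach ($line in $Lines) {
        # The file name is the quoted string after the last [l:n{m}] length tag.
        if ($line -match '\[SR\] Repairing corrupted file .*\[l:\d+\{\d+\}\]"([^"]+)" from store') {
            $repaired += $Matches[1]
        }
        elseif ($line -match '\[SR\] Cannot repair member file \[l:\d+\{\d+\}\]"([^"]+)"') {
            $failed += $Matches[1]
        }
    }

    # SFC usually logs the same file more than once, so de-duplicate.
    $repaired = @($repaired | Sort-Object -Unique)
    $failed   = @($failed   | Sort-Object -Unique)

    if ($failed.Count -gt 0)       { $verdict = 'Unrepaired files remain' }
    elseif ($repaired.Count -gt 0) { $verdict = 'SFC repaired files' }
    else                           { $verdict = 'No [SR] repair entries found' }

    # New-Object -Property keeps this usable on the PowerShell 2.0 shipped with Windows 7.
    New-Object PSObject -Property @{
        Verdict    = $verdict
        Repaired   = $repaired
        Unrepaired = $failed
    }
}

# On the affected machine, pass the real log instead of the sample (elevated prompt):
#   Get-SfcSummary -Lines (Get-Content "$env:windir\Logs\CBS\CBS.log")
Get-SfcSummary -Lines $sample | Format-List
```

A non-empty `Unrepaired` list is the case where the additional steps linked in the post would apply.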

  3. #2
    Lounge VIP
    Join Date
    Apr 2011
    Location
    Scotland
    Posts
    1,168
    Thanks
    44
    Thanked 134 Times in 115 Posts
    System File Checker is definitely one of the first places to go after a viral clean up if there are system stability issues being reported on a Win7 or Vista machine. It's a powerful addition to your tool box.

    By the way, what virus was it that attacked the hard drive? It's rare these days for a piece of malware to trash the drive - mostly they are after user credentials, banking details, ID theft and the like.....unless of course you run embedded Siemens kit

  4. #3
    New Lounger
    Join Date
    May 2011
    Location
    Liberty Hill, TX
    Posts
    8
    Thanks
    0
    Thanked 2 Times in 2 Posts
    Sophos identified the virus as Mal/FakeAvCn-A and as CXMal/FakeAV-F

    This particular variant has been managing to go right past Sophos scanning, but gets caught while trying to do registry modifications. I’m not sure whether the Sophos interrupt or the virus itself is responsible for the trashing of the drive.

  5. #4
    Lounge VIP
    Join Date
    Apr 2011
    Location
    Scotland
    Posts
    1,168
    Thanks
    44
    Thanked 134 Times in 115 Posts
    So, it's a scareware trojan. Unless it's a very poorly crafted one, it will not attack the drive.

    Its purpose in life is to convince the victim that they are infected by various items of malware and encourage them to go to a compromised website to pay for the privilege of cleaning up the machine. Only of course it doesn't clean it up and the victim's bank details are likely stolen in the process.

    Causing the drive to fail would be self-defeating for it. However, writing registry values may make the target machine unstable.

    A system restore might have recovered the machine after the AV software reacted, but it rather depends on the nature of the registry corruption. Therefore, a system file check is a good bet before progressing to recovering via a system image if required.

    The drive should be perfectly serviceable.

  6. #5
    New Lounger
    Join Date
    May 2011
    Location
    Liberty Hill, TX
    Posts
    8
    Thanks
    0
    Thanked 2 Times in 2 Posts
    Nope, infected the machine of one of our developers and, like I said before, slid right through Sophos. However, it was stopped when it attempted to make a registry change. Again, the issue was an alleged hard drive failure, wasn't an actual failure. System Restore fixed the virus, but as part of the process corrupted the .NET 2.0.

    So just to be clear, the System Restore was the fix to the virus, but it killed .NET 2.0. SFC was the fix for the built-in Windows 7 issue that affected .NET 2.0.

  7. #6
    Lounge VIP
    Join Date
    Apr 2011
    Location
    Scotland
    Posts
    1,168
    Thanks
    44
    Thanked 134 Times in 115 Posts
    Oops, I thought you said that the machine had crashed with a hard drive failure due to a virus infection?......

    Anyway, not to worry. As you note, the system file checker is a useful tool, especially if there is a weakness in the Win 7 system restore as reported.

    I haven't experienced that hazard myself, but definitely one to watch out for. In fact, I think I might have a play with that inside a VM, so I can be pre-armed next time I need to do a system restore.

  8. #7
    New Lounger
    Join Date
    May 2011
    Location
    Liberty Hill, TX
    Posts
    8
    Thanks
    0
    Thanked 2 Times in 2 Posts
    Oops is right...re-read my original post and I see where the misunderstanding landed. What I meant was that the system appeared to have suffered a hard drive failure but in actuality just had some corrupted registry areas that threw an error saying hard drive failure. More than likely, when Sophos saw the registry modification, it went after the virus with a big axe and chopped up stuff that it perhaps shouldn't have. (Either that or the virus was designed just to trash things rather than steal money or bank info.)
