Thanks for the follow up. Users with many affected machines should keep
in mind that they can save the necessary commands as .txt files on a
floppy diskette and that they can then use the BATCH command in the
recovery console to process the .txt files on the floppy. It will save
lots of keystrokes and repetitive work! Example:
Save as undokb.txt
==============================================
cd %systemroot%\$NtUninstallkb931768-IE6SP1-2007... \spuninst
=================================================
At the Recovery console you can then issue:
batch a:\undokb.txt
and it will process the command and go to the directory, and save some
keystrokes. In the Recovery Console I don't think that you can run a
batch command inside another batch command so once at the directory you
can issue the uninstall batch command:
batch spuninst.txt
On the floppy you can save another text file:
Save as fixsfc.txt
======================================================
expand d:\i386\sfc.dl_ c:\winnt\system32\
=======================================================
You could then issue:
batch a:\fixsfc.txt
and the command to replace the sfc.dll will be processed.
Users should verify that the proper paths are entered in the commands,
the path in the first example is not complete.
John
- Show quoted text -
Hey guys,
Here is the email that Microsoft sent me today regarding the problem:
Hi Jared,
I got an update from the security team and I'm forwarding that along
to you.
Problem:
--------------
May 2007 Security Updates are installed and we are in a reboot loop
with the following bugcheck:
STOP: 0xc000021a (Fatal System Error)
The Windows Logon Process System process terminated unexpectedly
with a status of 0xC0000080 (0x0000000 0x00000000).
This only applies to Windows 2000.
Cause:
-----------
Contrary to what I said on Friday, the Malicious Software Removal Tool
(MSRT) actually finds (and not mistakenly thinks) that SFC.dll is
infected but MSRT instead of repairing the SFC.dll file, deletes it.
Resolution:
=================
1. Boot to Recovery Console using a Windows 2000 CD.
229716 Description of the Windows 2000 Recovery Console
http://support.microsoft.com/default.aspx?scid=kb;EN-US;229716
3. Copy the file SFC.DLL from the Windows 2000 CDROM or another
computer running Windows 2000 to %systemroot%\SYSTEM32. Here is an
example of copying the file from a Windows 2000 CD in recovery
console:
COPY d:\i386\sfc.dl_ c:\winnt\system32\sfc.dll
However since we copied the sfc.dll from the CD, we probably have an
older version so I'm sending you hot fix 836726 which you will need to
install to update the version currently installed.
According to the security team, not everyone that deployed this patch
MS07-27 ran into this issue with sfc.dll being deleted. If you ran
into this issue, it means that there is most likely a virus on your
system and they recommend that you run an AV scan before re-installing
the hotfix.
The hotfix has since been modified to repair the sfc.dll file if it
find corruption there rather than delete it.
3. Once you've completed the above steps you can reinstall MS07-027
and it should install successfully with no problems.
I'll send you the hotfix in a different email. Let me know if you have
any other questions.
836726 Windows component files are not removed in Microsoft
Windows 2000 Server
http://support.microsoft.com/default.aspx?scid=kb;EN-US;836726
Regards,
Funmi.
They also sent me another email with a link to the hotfix, although
apparantly they are monitoring the downloads because it is password
protected and will expire after 7 days. Microsoft said this is because
"WARNING: This fix is not publicly available through the Microsoft
website as it has not gone through full Microsoft regression testing",
otherwise I would post it here. However, the update is numbered
178695.
Of course, my question is if you can install the update if your
machine has already been affected?
We just restored the sfc file and disabled automatic updates for the
time being.
Good luck to all...
Jared
