Running WinXP Pro, English version, SP3, all updates; and McAfee Internet Security.
McAfee keeps telling me that I have an infection with "PatchedSFC". McA cannot remove it, so I went for help on mcafee.com - Virus-info. There it says that PatchedSFC is the same as "PWS-Satiloler.d", a password stealer, and that it "covers a modified (or patched) Windows File Protection component."
(This makes sense as Windows File Protection came up with a message yesterday saying to put in the WinXP installation CD, as some files had been replaced by fake ones. But whichever CD I used, I got the message that it is not the right one (I think the computer came installed, without CD but with license, but I have used my XP CDs before to fix/install other components))
Furthermore, the McA-virus-info says that if McA cannot remove it, to replace the MBR and describes the standard method (Boot XP-cd, R, fixmbr). That's when I get the message that the Master Boot Record is a "Non-standard MBR", "If you replace it you lose all your partitions", etc.
On other sites I've found that you can get this message if you are running a boot manager or if you have a virus, in which case you would lose the partitions because the partition table is moved. Some poster on one discussion says "Just do it - I've done this many times. Just a standard message"
So, do I or don't I? What's the solution? How to get rid of PatchedSFC? Is reformatting the only way?
Not running any boot manager or anything. Just a plain simple XP install on a Lenovo laptop.
Is there no experience with PatchedSFC among McA users?
There is now.
According to McAfee's threat database at http://vil.nai.com/vil/content/v_249816.htm this is a PUP (Potentially Unwanted Program). I say it's a bit worse than that.
The "PatchedSFC" is intended to disable Windows File Protection (WFP).
Windows File Protection is a mechanism used to protect the Windows system files and to prevent users/attackers from modifying/deleting system files.
Also, WFP uses the System File Checker DLL (sfc_os.dll) to replace system files when they are missing/damaged.
This binary is created by patching two bytes of the legitimate file (sfc_os.dll). Thus it provides access to attackers/users to replace/delete system files.
The following registry value has been modified
There was a spate of questions about this a couple of years ago. The best thread I've seen so far is this one.
Best advice appears to be: if McAfee can't/won't clean it properly, run Malwarebytes free version (from HERE).
Then check the registry key in regedit and, if it's set to ffffff9d, reset that value to 0.
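As an added example (my own script, not something from this thread, McAfee or Malwarebytes), here is a PowerShell audit of the two things the reply points at: the WFP registry value, and whether the live sfc_os.dll differs from a reference copy by a handful of bytes, which is what the "two patched bytes" description predicts. Two assumptions: the thread never names the registry value, so the script checks SFCDisable under the Winlogon key, the WFP setting whose "disabled" value is 0xffffff9d; and the reference copy defaults to the dllcache copy of sfc_os.dll, which may itself have been tampered with, so pass a copy taken from installation media or a clean machine at the same service pack level if you have one. The script only reports unless you add -Fix.

```powershell
# Added example: audit WFP state after a PatchedSFC report (PowerShell 2.0 compatible).
# ASSUMPTION: SFCDisable under Winlogon is the value the reply means (not named in the thread).
# ASSUMPTION: the dllcache copy is a usable reference; prefer a copy from clean install media.
param(
    [string]$ReferenceDll = "$env:SystemRoot\system32\dllcache\sfc_os.dll",
    [switch]$Fix    # reset SFCDisable to 0 only when explicitly asked
)

$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$liveDll  = "$env:SystemRoot\system32\sfc_os.dll"

# Read SFCDisable; a REG_DWORD comes back as a signed Int32, so 0xffffff9d appears as -99.
function Get-SfcDisableHex {
    $item = Get-ItemProperty -Path $winlogon -Name SFCDisable -ErrorAction SilentlyContinue
    if ($item -eq $null) { return $null }
    return ('{0:x8}' -f [int]$item.SFCDisable)   # two's-complement hex, e.g. "ffffff9d"
}

# Byte-for-byte comparison of the live DLL against the reference copy.
# Returns the differing offsets; a patched file shows a few offsets, a replaced file many.
function Compare-FileBytes([string]$Live, [string]$Reference) {
    $a = [System.IO.File]::ReadAllBytes($Live)
    $b = [System.IO.File]::ReadAllBytes($Reference)
    $result = @{ SizeMismatch = ($a.Length -ne $b.Length); Offsets = @() }
    if ($result.SizeMismatch) { return $result }
    for ($i = 0; $i -lt $a.Length; $i++) {
        if ($a[$i] -ne $b[$i]) {
            $result.Offsets += ('0x{0:x} (live {1:x2}, ref {2:x2})' -f $i, $a[$i], $b[$i])
        }
    }
    return $result
}

# --- 1. Registry value ---
$hex = Get-SfcDisableHex
if ($hex -eq $null) {
    Write-Host 'SFCDisable: not present (default; WFP enabled)'
} elseif ($hex -eq 'ffffff9d') {
    Write-Host 'SFCDisable: ffffff9d -> WFP is switched off (matches the PatchedSFC symptom)'
    if ($Fix) {
        Set-ItemProperty -Path $winlogon -Name SFCDisable -Value 0 -Type DWord
        Write-Host 'SFCDisable reset to 0'
    }
} else {
    Write-Host "SFCDisable: $hex (non-default value, review manually)"
}

# --- 2. File integrity of sfc_os.dll ---
if (-not (Test-Path $ReferenceDll)) {
    Write-Host "Reference copy $ReferenceDll not found; skipping byte comparison"
} else {
    $cmp = Compare-FileBytes $liveDll $ReferenceDll
    if ($cmp.SizeMismatch) {
        Write-Host 'sfc_os.dll: size differs from reference (file replaced, or reference is a different build)'
    } elseif ($cmp.Offsets.Count -eq 0) {
        Write-Host 'sfc_os.dll: identical to reference'
    } else {
        Write-Host ("sfc_os.dll: {0} differing byte(s): {1}" -f $cmp.Offsets.Count, ($cmp.Offsets -join ', '))
    }
}
```

Run it from an administrator PowerShell prompt, first without -Fix to see the report, then with -Fix only after the malware itself has been removed as the reply advises; resetting the value while the infection is still active just invites it to be set again. A small number of differing offsets in sfc_os.dll together with SFCDisable at ffffff9d is the picture the reply describes, and a file that differs in size or at many offsets means the DLL was swapped rather than patched, or the reference copy is not from the same build.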