Level 7

PatchedSFC - Non-standard MBR

Running WinXP Pro, English version, SP3, all updates; and McAfee Internet Security.

McAfee keeps telling me that I have an infection with "PatchedSFC". McA can not remove it, so I went for help on - Virus-info. There it says that PatchedSFC is the same as "PWS-Satiloler.d", a password stealer, and that it "covers a modified (or patched) Windows File Protection component."

(This makes sense as Windows File Protection came up with a message yesterday saying to put in the WinXP installation CD, as some files had been replaced by fake ones. But whichever CD I used, I got the message that it is not the right one (I think the computer came installed, without CD but with license, but I have used my XP CDs before to fix/install other components))

Furthermore, the McA-virus-info says that if McA cannot remove it, to replace the MBR and describes the standard method (Boot XP-cd, R, fixmbr). That's when I get the message that the Master Boot Record is a "Non-standard MBR", "If you replace it you lose all your partitions", etc.

On other sites I've found that you can get this message if you are running a boot manager or if you have a virus, in which case you would lose the partitions because the partition table is moved. Some poster on one discussion says "Just do it - I've done this many times. Just a standard message".

So, do I or don't I? What's the solution? How to get rid of PatchedSFC? Is reformatting the only way?

Not running any boot manager or anything. Just a plain simple XP install on a Lenovo laptop.

0 Kudos
2 Replies
Level 7

Re: PatchedSFC - Non-standard MBR

Is there no experience with PatchedSFC among McA users?

0 Kudos
Level 18

Re: PatchedSFC - Non-standard MBR

uhu wrote:

Is there no experience with PatchedSFC among McA users?

There is now

According to McAfee's threat database at  this is a PUP (Potentially Unwanted Program). I say it's a bit worse than that.

The "PatchedSFC" is intended to disable Windows File Protection (WFP).

Windows File Protection is a mechanism used to protect the Windows system files and to prevent users/attackers from modifying/deleting system files.

Also, WFP uses the System File Check DLL (sfc_os.dll) to replace system files when they are missing/damaged.

This binary is created by patching two bytes of the legitimate file (sfc_os.dll). Thus it provides access to attackers/users to replace/delete system files.

The following registry value has been modified:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "SFCDisable" = "ffffff9d"

There was a spate of questions about this a couple of years ago. The best thread I've seen so far is this one

Best advice appears to be: if McAfee can't/won't clean it properly, run Malwarebytes free version (from HERE).

Then check the registry key in regedit and, if it's set to ffffff9d, reset that value to 0.

0 Kudos
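The two checks described in the last reply, as an added example that is not part of the original thread: it reads the SFCDisable value from saved `reg query` output or a .reg export, and byte-compares a suspect sfc_os.dll against a known-good copy. The known-good copy (assumed here to come from matching install media at the same service pack level), the function names and all sample data are assumptions constructed for illustration.

```python
import re

# Value the thread reports as the sign of disabled Windows File Protection.
SUSPECT_SFCDISABLE = 0xFFFFFF9D

def parse_sfcdisable(reg_text):
    """Return SFCDisable as an int from `reg query` output or a .reg export, else None."""
    # reg query format:  SFCDisable    REG_DWORD    0xffffff9d
    m = re.search(r'SFCDisable\s+REG_DWORD\s+0x([0-9a-fA-F]+)', reg_text)
    if not m:
        # .reg export format:  "SFCDisable"=dword:ffffff9d
        m = re.search(r'"SFCDisable"\s*=\s*dword:([0-9a-fA-F]{1,8})', reg_text)
    return int(m.group(1), 16) if m else None

def diff_offsets(suspect, known_good):
    """Offsets where two same-length images differ; None if the lengths differ."""
    if len(suspect) != len(known_good):
        return None
    return [i for i, (a, b) in enumerate(zip(suspect, known_good)) if a != b]

def assess(reg_text, suspect, known_good):
    """Collect findings from the registry text and the DLL comparison."""
    findings = []
    value = parse_sfcdisable(reg_text)
    if value == SUSPECT_SFCDISABLE:
        findings.append("SFCDisable is 0xffffff9d: reset to 0 after cleaning")
    elif value not in (None, 0):
        findings.append(f"SFCDisable is non-zero ({value:#x}): review")
    offsets = diff_offsets(suspect, known_good)
    if offsets is None:
        findings.append("sfc_os.dll size differs from the known-good copy")
    elif offsets:
        where = ", ".join(hex(o) for o in offsets[:8])
        findings.append(f"sfc_os.dll differs in {len(offsets)} byte(s) at {where}")
    return findings

# Constructed sample input (not taken from a real system).
REG_QUERY_SAMPLE = (
    "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\n"
    "    SFCDisable\tREG_DWORD\t0xffffff9d\n"
)
GOOD_DLL = bytes(range(64))      # stand-in for a known-good sfc_os.dll
_patched = bytearray(GOOD_DLL)
_patched[10] ^= 0xFF             # two arbitrary bytes changed, mirroring
_patched[11] ^= 0xFF             # the "two bytes patched" description
SUSPECT_DLL = bytes(_patched)

if __name__ == "__main__":
    for line in assess(REG_QUERY_SAMPLE, SUSPECT_DLL, GOOD_DLL):
        print(line)
```

A copy of sfc_os.dll from a different service pack level will differ in far more than two bytes, so a long offset list points to a version mismatch rather than this patch.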