Level 7
Message 1 of 11


In the last few days I have seen a massive outbreak of SFCPatched in C:\Windows\system32\sfc_os.dll. According to the virus database this means the file has been patched to disable Windows File Protection. However a full scan does not show any other virus or cause for this change to the operating system. Anyone else seeing this or had an experience with dealing with a threat that is 0day?

10 Replies
Level 7
Message 2 of 11

Re: SFCPatched

I am seeing the same.  OAS detects the following files as PatchedSFC:





Here is a log file from one system:

3/23/2010                7:55:11 AM                              Engine version                          =          5400.1158

3/23/2010                7:55:11 AM                              AntiVirus   DAT version                 =     5928.0

3/23/2010                7:55:11 AM                              Number of detection signatures in EXTRA.DAT =              None

3/23/2010                7:55:11 AM                              Names of detection signatures in EXTRA.DAT  =              None

3/23/2010                7:55:24 AM              Will be deleted after the next reboot (Clean failed)            NT AUTHORITY\SYSTEM                C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\sfc_os.dll      PatchedSFC (Potentially Unwanted Program)

3/23/2010                8:21:37 AM              Deleted   NT AUTHORITY\NETWORK SERVICE                C:\WINDOWS\system32\wbem\wmiprvse.exe                C:\WINDOWS\system32\zfcxx.tmp      PatchedSFC (Potentially Unwanted Program)

3/23/2010                8:21:38 AM              Will be deleted after the next reboot (Clean failed)            NT AUTHORITY\NETWORK SERVICE                C:\WINDOWS\system32\wbem\wmiprvse.exe    C:\WINDOWS\system32\sfc_os.dll.exe               PatchedSFC (Potentially Unwanted Program)

Level 7
Message 3 of 11

Re: SFCPatched

I too have been fighting this thing for the past week with little progress other than replacing the dlls.  Infection vector seems to not be user driven but associated with some auto update process.  My logs are practically identical to yours.

Message was edited by: nebuli on 3/24/10 8:03:37 AM CDT

Message was edited by: nebuli on 3/24/10 8:04:42 AM CDT
McAfee Employee dmeier
Message 4 of 11

Re: SFCPatched

Don't stress too much; this is a result of an updated driver that was recently added to the dat files. This driver better detects system components that are representative of Windows "System File Checker" being disabled. Typically, unless you have explicitly disabled this component of Windows, it's enabled by default. So this "Potentially Unwanted Program (PUP)" is there to make you aware, and then re-enable SFC.

The only time it is usually disabled, is by malware (outside of system admins disabling it), so we have added (more recently, improved) detection for this setting.

This would only be a problem if you run a full system scan, and reboot, and it actually comes back again. That would then imply that something on your system is re-disabling the feature.

Should that be the case, you will need to go down the road of finding a currently undetected file.  Otherwise, if the detection doesn't come back, you should be in good shape.

Keep in mind, you could have been infected in the past, and this system change has gone undetected, until our dat update.

Post back with any questions,

- David
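
Added example, not part of the original thread and not McAfee tooling: one way to check the "comes back again" condition described above from collected on-access scan logs. It assumes the log is tab-delimited in the column order of the log posted in Message 2, and that the host was scanned and rebooted between calendar days; the 3/25/2010 entry is constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the layout of the log posted in this thread. Assumed
# tab-delimited: date, time, action, user, process, target, detection.
# The 3/25/2010 entry is invented to show a detection returning after a reboot.
SYS32 = "C:\\WINDOWS\\system32\\"
PUP = "PatchedSFC (Potentially Unwanted Program)"
PENDING = "Will be deleted after the next reboot (Clean failed)"
SAMPLE_LOG = "\n".join("\t".join(f) for f in [
    ("3/23/2010", "7:55:11 AM", "Engine version", "=", "5400.1158"),
    ("3/23/2010", "7:55:24 AM", PENDING, "NT AUTHORITY\\SYSTEM",
     SYS32 + "spoolsv.exe", SYS32 + "sfc_os.dll", PUP),
    ("3/23/2010", "8:21:37 AM", "Deleted", "NT AUTHORITY\\NETWORK SERVICE",
     SYS32 + "wbem\\wmiprvse.exe", SYS32 + "zfcxx.tmp", PUP),
    ("3/23/2010", "8:21:38 AM", PENDING, "NT AUTHORITY\\NETWORK SERVICE",
     SYS32 + "wbem\\wmiprvse.exe", SYS32 + "sfc_os.dll.exe", PUP),
    ("3/25/2010", "9:02:10 AM", PENDING, "NT AUTHORITY\\SYSTEM",
     SYS32 + "spoolsv.exe", SYS32 + "SFC_OS.DLL", PUP),
])

def parse_detections(text, name="PatchedSFC"):
    """Return (timestamp, action, process, target) for each detection of `name`."""
    rows = []
    for line in text.splitlines():
        fields = [f.strip() for f in re.split(r"\t+", line.strip()) if f.strip()]
        if len(fields) != 7 or not fields[6].startswith(name):
            continue  # engine/DAT header lines and unrelated detections
        when = datetime.strptime(f"{fields[0]} {fields[1]}", "%m/%d/%Y %I:%M:%S %p")
        rows.append((when, fields[2], fields[4], fields[5].lower()))
    return rows

def recurring_targets(rows):
    """Map each target detected on more than one calendar day to those days.

    Assumption: a scan and reboot happened between days, so a later-day hit on
    the same path means something re-created or re-patched the file."""
    days = defaultdict(set)
    for when, _action, _process, target in rows:
        days[target].add(when.date())
    return {t: sorted(d) for t, d in days.items() if len(d) > 1}

if __name__ == "__main__":
    for target, seen in recurring_targets(parse_detections(SAMPLE_LOG)).items():
        print(target, "detected on", ", ".join(d.isoformat() for d in seen))
```

Paths are compared case-insensitively, and `sfc_os.dll.exe` is treated as a separate file from `sfc_os.dll`.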

Level 7
Message 5 of 11

Re: SFCPatched

We ran into this problem and have been working on a fix for nearly a week. I'm not sure it would be reasonable to infer a link between a disabled SFC and a PUP warning. Checking for a disabled/enabled component like SFC/WFP should be a function of Access Protection.

Level 7
Message 6 of 11

Re: SFCPatched

Hi all,

Since the SFCPatched issue was highlighted here, I would like to escalate the problem I encountered recently.

My printer setup has gone, and when I try to add a new printer, the error message "Operation could not be completed" is shown after the McAfee alert message shown below:

3/22/2010 Move failed (Clean failed) spoolsv.exe C:\WINDOWS\system32\sfc_os.dll PatchedSFC (Potentially Unwanted Program)

I tried to enable the print spooler service via the command "net start spooler" but it doesn't work.

Is the print spooler service corrupted? How do I resolve the problem?

Please advise.

Re: SFCPatched

Patched_SFC found on my machine. When I try to update to Service Pack 3 I am unable to.

I have likewise found that my printer setup has gone, and when I try to add a new printer, the error message "Operation could not be completed" is shown.

I've tried to enable the print spooler service via the command "net start spooler" but it doesn't work.

I think this may be more of a threat than originally thought?

Level 7
Message 8 of 11

Re: SFCPatched

To re-enable the printer you can edit this registry key to be like below and restart.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]

That gets the printer back; the value, if affected, is a hex value that I don't have handy, sorry. But the file will still be detected if you scan the DLL file.

This is a massively annoying problem. Is there a fix yet from McAfee? Our guy that builds our images used nLite, which appears to modify this file, so now we are spammed with 'virus' reports for pretty much every single one of our 200 PCs in the building. Very, very annoyed.

I've just been searching and don't find any other threads on this issue. Is there any more information anywhere about this problem and possible solutions? We're getting around 40 reports per day logged to our helpdesk for this issue.

Message was edited by: c@tfish on 3/31/10 2:47:23 AM CDT

Re: SFCPatched

It also makes Windows Update unusable. Any fixes for that?

Re: SFCPatched

That I'm not sure of. I didn't think Windows Update became unusable at our organisation (we use WSUS) but will have to check; maybe the reports just are not alerting us much yet.

Have you tried the reg key I pasted earlier? I'm not sure if everyone's behaviour is the same, but I think what happened in our case is somebody disabled Windows File Protection, perhaps in our images, and the reg disable triggers this event. I'm not sure if it's a combination of the reg file and the file itself or just the file?

If it's on one machine you can replace the DLL from the Windows CD, but for that you need to use a tool to have it replaced after rename. I'm surprised this forum isn't full of complaints; this really hit us quickly and is extremely annoying.
