In the last few days I have seen a massive outbreak of SFCPatched in C:\Windows\system32\sfc_os.dll. According to the virus database this means the file has been patched to disable Windows File Protection. However a full scan does not show any other virus or cause for this change to the operating system. Anyone else seeing this or had an experience with dealing with a threat that is 0day?
I am seeing the same. OAS detects the following files as PatchedSFC:
Here is a log file from one system:
3/23/2010 7:55:11 AM Engine version = 5400.1158
3/23/2010 7:55:11 AM AntiVirus DAT version = 5928.0
3/23/2010 7:55:11 AM Number of detection signatures in EXTRA.DAT = None
3/23/2010 7:55:11 AM Names of detection signatures in EXTRA.DAT = None
3/23/2010 7:55:24 AM Will be deleted after the next reboot (Clean failed) NT AUTHORITY\SYSTEM C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\sfc_os.dll PatchedSFC (Potentially Unwanted Program)
3/23/2010 8:21:37 AM Deleted NT AUTHORITY\NETWORK SERVICE C:\WINDOWS\system32\wbem\wmiprvse.exe C:\WINDOWS\system32\zfcxx.tmp PatchedSFC (Potentially Unwanted Program)
3/23/2010 8:21:38 AM Will be deleted after the next reboot (Clean failed) NT AUTHORITY\NETWORK SERVICE C:\WINDOWS\system32\wbem\wmiprvse.exe C:\WINDOWS\system32\sfc_os.dll.exe PatchedSFC (Potentially Unwanted Program)
I too have been fighting this thing for the past week with little progress other than replacing the dlls. Infection vector seems to not be user driven but associated with some auto update process. My logs are practically identical to yours.
Message was edited by: nebuli on 3/24/10 8:03:37 AM CDT
Message was edited by: nebuli on 3/24/10 8:04:42 AM CDT
Don't stress too much; this is a result of an updated driver that was recently added to the dat files. This driver better detects system components that are representative of the Windows "System File Checker" being disabled. Typically, unless you have explicitly disabled this component of Windows, it's enabled by default. So this "Potentially Unwanted Program (PUP)" is there to make you aware, and then re-enable SFC.
The only time it is usually disabled is by malware (outside of system admins disabling it), so we have added (more recently, improved) detection for this setting.
This would only be a problem if you run a full system scan, reboot, and it actually comes back again. That would then imply that something on your system is re-disabling the feature.
Should that be the case, you will need to go down the road of finding a currently undetected file. Otherwise, if the detection doesn't come back, you should be in good shape.
Keep in mind, you could have been infected in the past, and this system change has gone undetected, until our dat update.
Post back with any questions,
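The check described above (full scan, reboot, see whether the detection returns) is easier to apply across many machines when the OAS log lines posted earlier in the thread are parsed rather than read by hand. The following is an added example, not code from McAfee or from anyone in this thread; it parses lines in the layout shown above (date, optional time, action, optional account, process, file, detection name, category), groups PatchedSFC hits per file, and reports files that were detected on more than one day as a proxy for "it came back". The sample log below mixes lines quoted from the thread with constructed lines marked as such.

```python
"""Parse McAfee VirusScan OAS log lines of the kind posted in this thread and
summarise PatchedSFC detections per file, so an admin can tell a one-off hit
caused by the new dat from a detection that keeps returning after scan + reboot."""
import re
from collections import defaultdict

# Line layout as posted: date [time] action [account] process file name (category).
# The account may contain a space ("NT AUTHORITY\NETWORK SERVICE"); the action may
# contain a parenthesised note such as "(Clean failed)".
LINE_RE = re.compile(
    r"^(?P<date>\d{1,2}/\d{1,2}/\d{4})(?: (?P<time>\d{1,2}:\d{2}:\d{2} [AP]M))? "
    r"(?P<action>.+?) "
    r"(?:(?P<user>NT AUTHORITY\\[A-Z ]+?|\S+\\\S+) )?"
    r"(?P<process>\S+) "
    r"(?P<file>[A-Za-z]:\\\S+) "
    r"(?P<name>\S+) \((?P<category>[^)]+)\)$"
)

# Constructed sample log: the first seven lines are the ones quoted in this thread,
# the last two are constructed here to show a recurring detection on another day.
SAMPLE_LOG = r"""3/23/2010 7:55:11 AM Engine version = 5400.1158
3/23/2010 7:55:11 AM AntiVirus DAT version = 5928.0
3/23/2010 7:55:11 AM Number of detection signatures in EXTRA.DAT = None
3/23/2010 7:55:11 AM Names of detection signatures in EXTRA.DAT = None
3/23/2010 7:55:24 AM Will be deleted after the next reboot (Clean failed) NT AUTHORITY\SYSTEM C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\sfc_os.dll PatchedSFC (Potentially Unwanted Program)
3/23/2010 8:21:37 AM Deleted NT AUTHORITY\NETWORK SERVICE C:\WINDOWS\system32\wbem\wmiprvse.exe C:\WINDOWS\system32\zfcxx.tmp PatchedSFC (Potentially Unwanted Program)
3/23/2010 8:21:38 AM Will be deleted after the next reboot (Clean failed) NT AUTHORITY\NETWORK SERVICE C:\WINDOWS\system32\wbem\wmiprvse.exe C:\WINDOWS\system32\sfc_os.dll.exe PatchedSFC (Potentially Unwanted Program)
3/22/2010 Move failed (Clean failed) spoolsv.exe C:\WINDOWS\system32\sfc_os.dll PatchedSFC (Potentially Unwanted Program)
3/24/2010 8:10:02 AM Will be deleted after the next reboot (Clean failed) NT AUTHORITY\SYSTEM C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\sfc_os.dll PatchedSFC (Potentially Unwanted Program)"""
SAMPLE_LINES = SAMPLE_LOG.splitlines()


def parse_line(line):
    """Return a dict of fields for a detection line, or None for header/other lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["clean_failed"] = "Clean failed" in rec["action"]
    return rec


def summarize(lines, name="PatchedSFC"):
    """Group detections of `name` by file path (case-folded): hit count, the set of
    days it was seen, how often cleaning failed, and which processes touched it."""
    by_file = defaultdict(lambda: {"count": 0, "dates": set(),
                                   "clean_failed": 0, "processes": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["name"] != name:
            continue
        entry = by_file[rec["file"].lower()]
        entry["count"] += 1
        entry["dates"].add(rec["date"])
        entry["processes"].add(rec["process"].lower())
        if rec["clean_failed"]:
            entry["clean_failed"] += 1
    return by_file


def recurring(lines, name="PatchedSFC"):
    """Files detected on more than one day. A detection that returns after a full
    scan and reboot is the case the thread says needs further investigation."""
    return sorted(f for f, e in summarize(lines, name).items() if len(e["dates"]) > 1)


if __name__ == "__main__":
    for path, entry in summarize(SAMPLE_LINES).items():
        print(f"{path}: {entry['count']} hit(s) on {sorted(entry['dates'])}, "
              f"clean failed {entry['clean_failed']}x, via {sorted(entry['processes'])}")
    print("recurring:", recurring(SAMPLE_LINES))
```

Lines that do not fit the detection layout (engine and dat version headers) are skipped rather than mis-parsed; a file appearing in `recurring` is one to keep an eye on after the scan-and-reboot test, while a single hit on the day the new dat arrived matches the one-off case described above.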
We ran into this problem and have been working on a fix for nearly a week. I'm not sure it would be reasonable to infer a link between a disabled SFC and a PUP warning. Checking for a disable/enabled component like SFC/WFP should be a function of Access Protection.
Since the SFCPatched issue was highlighted here, I would like to escalate a problem I encountered recently.
My printer setup has gone, and when I try to add a new printer the error message shows "Operation could not be completed" after the McAfee alert message shown below:
3/22/2010 Move failed (Clean failed) spoolsv.exe C:\WINDOWS\system32\sfc_os.dll PatchedSFC (Potentially Unwanted Program)
I had tried to enable the print spooler service via the command "net start spooler" but it doesn't work.
Is the print spooler service corrupted? How do I resolve the problem?
Patched_SFC found on my machine. When I try to update to Service Pack 3 I am unable to.
I likewise have found that my printer setup has gone, and when I try to add a new printer the error message shows "Operation could not be completed".
I've tried to enable the print spooler service via the command "net start spooler" but it doesn't work.
I think this may be more of a threat than originally thought?
To re-enable the printer, you can edit this registry key to be like below and restart.
That gets the printer back; the value, if affected, is a hex value that I don't have handy, sorry. But the file will still be detected if you scan the dll file.
This is a massively annoying problem. Is there a fix yet from McAfee? Our guy that builds our images used nLite, which appears to modify this file, so now we are spammed with 'virus' reports for pretty much every single one of our 200 PCs in the building. Very, very annoyed.
I've just been searching and don't find any other threads on this issue. Is there any more information anywhere about this problem and possible solutions? We're getting around 40 reports per day logged to our helpdesk for this issue.
Message was edited by: c@tfish on 3/31/10 2:47:23 AM CDT
That I'm not sure of... I didn't think Windows Update became unusable at our organisation (we use WSUS) but will have to check; maybe the reports just are not alerting us much yet.
Have you tried the reg key I pasted earlier? I'm not sure if everyone's behaviour is the same, but I think what happened in our case is somebody disabled Windows File Protection, perhaps in our images, and the reg disable triggers this event. I'm not sure if it's a combination of the reg file and the file itself or just the file?
If it's on one machine you can replace the dll from the Windows CD, but for that you need to use a tool to have it replaced after a rename. I'm surprised this forum isn't full of complaints; this really hit us quickly and is extremely annoying.