10 Replies, latest reply on Mar 31, 2010 9:11 PM by cdiazborda

SFCPatched

In the last few days I have seen a massive outbreak of SFCPatched in C:\Windows\system32\sfc_os.dll. According to the virus database this means the file has been patched to disable Windows File Protection. However, a full scan does not show any other virus or cause for this change to the operating system. Anyone else seeing this, or had experience dealing with a threat that is 0day?

• 1. Re: SFCPatched

I am seeing the same. OAS detects the following files as PatchedSFC:

C:\WINDOWS\system32\sfc_os.dll.exe
C:\WINDOWS\system32\sfc_os.dll
C:\WINDOWS\system32\zfcxx.tmp
C:\WINDOWS\system32\dllcache\zfcxx.tmp

Here is a log file from one system:

3/23/2010	7:55:11 AM	Engine version	=	5400.1158
3/23/2010	7:55:11 AM	AntiVirus DAT version	=	5928.0
3/23/2010	7:55:11 AM	Number of detection signatures in EXTRA.DAT	=	None
3/23/2010	7:55:11 AM	Names of detection signatures in EXTRA.DAT	=	None
3/23/2010	7:55:24 AM	Will be deleted after the next reboot (Clean failed)	NT AUTHORITY\SYSTEM	C:\WINDOWS\system32\spoolsv.exe	C:\WINDOWS\system32\sfc_os.dll	PatchedSFC (Potentially Unwanted Program)
3/23/2010	8:21:37 AM	Deleted	NT AUTHORITY\NETWORK SERVICE	C:\WINDOWS\system32\wbem\wmiprvse.exe	C:\WINDOWS\system32\zfcxx.tmp	PatchedSFC (Potentially Unwanted Program)
3/23/2010	8:21:38 AM	Will be deleted after the next reboot (Clean failed)	NT AUTHORITY\NETWORK SERVICE	C:\WINDOWS\system32\wbem\wmiprvse.exe	C:\WINDOWS\system32\sfc_os.dll.exe	PatchedSFC (Potentially Unwanted Program)

• 2. Re: SFCPatched

I too have been fighting this thing for the past week with little progress other than replacing the DLLs. The infection vector seems not to be user-driven but associated with some auto-update process. My logs are practically identical to yours.

Message was edited by: nebuli on 3/24/10 8:03:37 AM CDT

Message was edited by: nebuli on 3/24/10 8:04:42 AM CDT
• 3. Re: SFCPatched
dmeier

Don't stress too much; this is a result of an updated driver that was recently added to the DAT files. This driver better detects system components that are representative of Windows "System File Checker" being disabled. Typically, unless you have explicitly disabled this component of Windows, it's enabled by default. So this "Potentially Unwanted Program (PUP)" is there to make you aware, and then re-enable SFC.

The only time it is usually disabled is by malware (outside of system admins disabling it), so we have added (more recently, improved) detection for this setting.

This would only be a problem if you run a full system scan and reboot, and it actually comes back again. That would then imply that something on your system is re-disabling the feature.

Should that be the case, you will need to go down the road of finding a currently undetected file. Otherwise, if the detection doesn't come back, you should be in good shape.

Keep in mind, you could have been infected in the past, and this system change has gone undetected until our DAT update.

Post back with any questions,

- David

• 4. Re: SFCPatched
dwarren

We ran into this problem and have been working on a fix for nearly a week. I'm not sure it would be reasonable to infer a link between a disabled SFC and a PUP warning. Checking for a disabled/enabled component like SFC/WFP should be a function of Access Protection.

• 5. Re: SFCPatched

Hi all,

Since the SFCPatched issue was highlighted here, I would like to escalate the problem I encountered recently.

My printer setup has gone, and when I try to add a new printer the error message shows "Operation could not be completed" after the McAfee alert message shown below:

3/22/2010 Move failed (Clean failed) spoolsv.exe C:\WINDOWS\system32\sfc_os.dll PatchedSFC (Potentially Unwanted Program)

I had tried to enable the print spooler service via the command "net start spooler" but it doesn't work.

Is the print spooler service corrupted? How do I resolve the problem?

Please advise.

• 6. Re: SFCPatched

Patched_SFC found on my machine. When I try to update to Service Pack 3 I am unable to.

I likewise have found that my printer setup has gone, and when I try to add a new printer the error message shows "Operation could not be completed".

I've tried to enable the print spooler service via the command "net start spooler" but it doesn't work.

I think this may be more of a threat than originally thought?

• 7. Re: SFCPatched

To re-enable the printer you can edit this registry key to be like below and restart.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"SFCDisable"=dword:00000000

That gets the printer back. The value, if affected, is a hex value that I don't have handy, sorry. But the file will still be detected if you scan the DLL file.

This is a massively annoying problem. Is there a fix yet from McAfee? Our guy that builds our images used nLite, which appears to modify this file, so now we are spammed with 'virus' reports for pretty much every single one of our 200 PCs in the building. Very, very annoyed.

I've just been searching and don't find any other threads on this issue. Is there any more information anywhere about this problem and possible solutions? We're getting around 40 reports per day logged to our helpdesk for this issue.

Message was edited by: c@tfish on 3/31/10 2:47:23 AM CDT
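A triage check for the state this thread is about, added here as an example (it is not from the thread, McAfee, or Microsoft): it reads the SFCDisable value that post 7 restores, compares the live sfc_os.dll against the dllcache copy, and looks for the leftover files named in post 1. Paths assume the Windows XP layout the posters show; run it in an elevated PowerShell session.

```powershell
# Added example, not from the thread: report the Windows File Protection (WFP) state
# that the PatchedSFC detection flags. Paths follow the Windows XP layout in the posts.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$sys32    = Join-Path $env:SystemRoot 'system32'
$files    = @{
    'system32' = Join-Path $sys32 'sfc_os.dll'
    'dllcache' = Join-Path $sys32 'dllcache\sfc_os.dll'
}

function Get-FileSha256 {
    param([string]$Path)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try { $bytes = $sha.ComputeHash($stream) } finally { $stream.Close() }
    return ([System.BitConverter]::ToString($bytes)).Replace('-', '')
}

# 1. Registry: SFCDisable = 0 is the enabled state post 7 restores; anything else means
#    WFP was switched off by an admin, an image-building tool, or malware.
$props = Get-ItemProperty -Path $winlogon -ErrorAction SilentlyContinue
$sfcDisable = 0
if ($props -and $props.PSObject.Properties['SFCDisable']) { $sfcDisable = $props.SFCDisable }
if ($sfcDisable -eq 0) { 'SFCDisable = 0x00000000 (WFP enabled)' }
else { 'SFCDisable = 0x{0:X8} (WFP disabled - find out why before re-enabling)' -f $sfcDisable }

# 2. Files: the live DLL should be byte-identical to the protected copy in dllcache.
$hashes = @{}
foreach ($name in @($files.Keys)) {
    $path = $files[$name]
    if (Test-Path $path) {
        $hashes[$name] = Get-FileSha256 $path
        '{0,-9} {1}  {2}' -f $name, $hashes[$name], $path
    } else {
        '{0,-9} MISSING  {1}' -f $name, $path
    }
}
if ($hashes.Count -eq 2 -and $hashes['system32'] -ne $hashes['dllcache']) {
    'sfc_os.dll differs from its dllcache copy: treat it as patched until checked against install media.'
}

# 3. Leftovers named in post 1 that a clean system should not have.
foreach ($stray in 'sfc_os.dll.exe', 'zfcxx.tmp', 'dllcache\zfcxx.tmp') {
    $p = Join-Path $sys32 $stray
    if (Test-Path $p) { "Unexpected file present: $p" }
}
```

Because post 1 shows a dropped file inside dllcache as well, matching hashes only prove the two copies are consistent, not that either is original; the copy on the install media is the reference.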
• 8. Re: SFCPatched

It also makes Windows Update unusable. Any fixes for that?

• 9. Re: SFCPatched

That I'm not sure of... I didn't think Windows Update became unusable at our organisation (we use WSUS) but will have to check; maybe the reports just are not alerting us much yet.

Have you tried the reg key I pasted earlier? I'm not sure if everyone's behaviour is the same, but I think what happened in our case is somebody disabled Windows File Protection, perhaps in our images, and the reg disable triggers this event. I'm not sure if it's a combination of the reg file and the file itself, or just the file?

If it's on one machine you can replace the DLL from the Windows CD, but for that you need to use a tool to have it replace after rename. I'm surprised this forum isn't full of complaints; this really hit us quickly and is extremely annoying.
