2 Replies Latest reply on May 25, 2012 8:03 AM by Hayton

    PatchedSFC - Non-standard MBR

      Running WinXP Pro, English version, SP3, all updates; and McAfee Internet Security.

      McAfee keeps telling me that I have an infection with "PatchedSFC". McA cannot remove it, so I went for help on mcafee.com - Virus-info. There it says that PatchedSFC is the same as "PWS-Satiloler.d", a password stealer, and that it "covers a modified (or patched) Windows File Protection component."

      (This makes sense, as Windows File Protection came up with a message yesterday saying to put in the WinXP installation CD, as some files had been replaced by fake ones. But whichever CD I used, I got the message that it is not the right one. (I think the computer came installed, without CD but with license, but I have used my XP CDs before to fix/install other components.))

      Furthermore, the McA virus-info says that if McA cannot remove it, to replace the MBR, and describes the standard method (boot XP CD, R, fixmbr). That's when I get the message that the Master Boot Record is a "Non-standard MBR", "If you replace it you lose all your partitions", etc.

      On other sites I've found that you can get this message if you are running a boot manager or if you have a virus, in which case you would lose the partitions because the partition table is moved. Some poster on one discussion says "Just do it - I've done this many times. Just a standard message."

      So, do I or don't I? What's the solution? How do I get rid of PatchedSFC? Is reformatting the only way?

      Not running any boot manager or anything. Just a plain simple XP install on a Lenovo laptop.

        • 1. Re: PatchedSFC - Non-standard MBR

          Is there no experience with PatchedSFC among McA users?

          • 2. Re: PatchedSFC - Non-standard MBR
            Hayton

            uhu wrote:

            Is there no experience with PatchedSFC among McA users?

            There is now.

            According to McAfee's threat database at http://vil.nai.com/vil/content/v_249816.htm this is a PUP (Potentially Unwanted Program). I say it's a bit worse than that.

            The "PatchedSFC" is intended to disable Windows File Protection (WFP).

            Windows File Protection is a mechanism used to protect the Windows system files and to prevent users/attackers from modifying/deleting system files.

            Also, WFP uses the System File Check DLL (sfc_os.dll) to replace system files when they are missing/damaged.

            This binary is created by patching two bytes of the legitimate file (sfc_os.dll). Thus it provides access to attackers/users to replace/delete system files.

            The following registry value has been modified:

            • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
              "SFCDisable" = "ffffff9d"

            There was a spate of questions about this a couple of years ago. The best thread I've seen so far is this one:

            http://forum.worldstart.com/showthread.php?t=146140#post1512437

            Best advice appears to be: if McAfee can't/won't clean it properly, run Malwarebytes free version (from HERE).

            Then check the registry key in regedit and, if it's set to ffffff9d, reset that value to 0.
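An added example, not part of Hayton's post or McAfee's guidance: a PowerShell script that reads the Winlogon SFCDisable value the reply names, reports it in the hex form the thread uses, and resets it to 0 only when run with a -Fix switch (the switch name and messages are my own choices; run it from an elevated prompt).

```powershell
# Added example (not from the thread): inspect the Winlogon SFCDisable value
# described in the reply above, and optionally reset it to 0.
param([switch]$Fix)   # -Fix is an assumed switch name chosen for this example

$key  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$name = 'SFCDisable'

$props = Get-ItemProperty -Path $key -ErrorAction Stop
if ($props.PSObject.Properties.Name -notcontains $name) {
    Write-Output "$name is not present under Winlogon; WFP default behaviour applies."
    return
}

# REG_DWORD values are returned as signed Int32, so 0xffffff9d reads back as -99.
# Formatting the Int32 as x8 yields the two's-complement hex the thread quotes.
$raw = [int]$props.$name
$hex = '{0:x8}' -f $raw
Write-Output ("{0} = 0x{1} ({2})" -f $name, $hex, $raw)

if ($hex -eq 'ffffff9d') {
    Write-Warning 'SFCDisable matches the PatchedSFC value: Windows File Protection is disabled.'
    if ($Fix) {
        Set-ItemProperty -Path $key -Name $name -Value 0 -Type DWord
        Write-Output 'SFCDisable reset to 0.'
        # Resetting the value does not replace a patched sfc_os.dll; the DLL itself
        # still has to be restored (see the cleaning steps in the thread above).
    } else {
        Write-Output 'Re-run with -Fix to reset the value to 0.'
    }
} elseif ($raw -eq 0) {
    Write-Output 'SFCDisable is 0: Windows File Protection is enabled.'
} else {
    Write-Warning 'SFCDisable has a non-default value; review it before changing anything.'
}
```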