F-Secure
Tools
Trojan:W32/Trojan.Win32.Patched
| Name : | Trojan:W32/Trojan.Win32.Patched |
| Category: | Malware |
| Type: | Trojan |
| Platform: | W32 |
Summary
Files detected as "Trojan.Win32.Patched" are usually Windows components that are patched by a malicious application. The purpose of patching varies. For example, certain malware patches system components in order to disable security, such as the Windows Safe File Check feature. Other malware can add parts of its code to a system component and then patch certain functions of the original file to point to an appended code. The most frequently patched components are:
winlogon.exe
wininet.dll
kernel32.dll
iexplore.exe
winlogon.exe
wininet.dll
kernel32.dll
iexplore.exe
Disinfection
It is not advised to delete, rename or quarantine patched Windows components because it may affect system stability. Even though Windows locks its main files while it is active, it might be still possible to affect them.
If your F-Secure Anti-Virus detected a certain file as Trojan.Win32.Patched, please first try to select the "Disinfect" action. In this case, F-Secure Anti-Virus will create a copy of a patched file, try to restore its contents, and then it will add a renaming command into the Windows Registry in order to replace the patched file with a cleaned one during the next Windows startup.
In case the approach described above fails, try to restore one of the recent System Restore points. In many cases a patched system component will be replaced with a clean one. Before restoring a System Restore point it is advised to backup all personal data to avoid loosing it when Windows rolls back to a previously saved state.
Windows Installation discs contain a repair option. Boot from the CD and select the option to repair. Again, it is advised to backup your personal data.
If nothing helps to clean an patched system component, the last resort is to attach a hard drive with a patched file as slave to a similar Windows-based system, boot up and to replace a patched file with a file taken from a clean system. Note that a file used for replacement must be the same version as a patched file! This operation should be done by an experienced computer technician only.
If your F-Secure Anti-Virus detected a certain file as Trojan.Win32.Patched, please first try to select the "Disinfect" action. In this case, F-Secure Anti-Virus will create a copy of a patched file, try to restore its contents, and then it will add a renaming command into the Windows Registry in order to replace the patched file with a cleaned one during the next Windows startup.
In case the approach described above fails, try to restore one of the recent System Restore points. In many cases a patched system component will be replaced with a clean one. Before restoring a System Restore point it is advised to backup all personal data to avoid loosing it when Windows rolls back to a previously saved state.
Windows Installation discs contain a repair option. Boot from the CD and select the option to repair. Again, it is advised to backup your personal data.
If nothing helps to clean an patched system component, the last resort is to attach a hard drive with a patched file as slave to a similar Windows-based system, boot up and to replace a patched file with a file taken from a clean system. Note that a file used for replacement must be the same version as a patched file! This operation should be done by an experienced computer technician only.
Additional Details
Achtung: False Positive Notification
The 2008-11-04_04 database contained a false positive on a German language Windows XP Service Pack 2 file called User32.dll.
The detection was named Trojan.Win32.Patched.dn and is resolved in the 2008-11-04_06 update.
If you were alerted to Trojan.Win32.Patched.dn, please make sure that you have the most current update, and that User32.dll has not been renamed.
The User32.dll is located in the C:\WINDOWS\system32 folder.
The 2008-11-04_04 database contained a false positive on a German language Windows XP Service Pack 2 file called User32.dll.
The detection was named Trojan.Win32.Patched.dn and is resolved in the 2008-11-04_06 update.
If you were alerted to Trojan.Win32.Patched.dn, please make sure that you have the most current update, and that User32.dll has not been renamed.
The User32.dll is located in the C:\WINDOWS\system32 folder.