It is not advisable to delete, rename or quarantine patched Windows components as doing so may affect system stability. Even though Windows locks its main files while they are active, modifications to the patched components may still affect them.
Disinfection using F-Secure Anti-Virus
If your F-Secure Anti-Virus (FSAV) detected a certain file as 'patch', please first select the "Disinfect" action. FSAV will then create a copy of the patched file and attempt to restore its contents; it will then add a renaming command into the Windows Registry in order to replace the patched file with a cleaned one during the next Windows startup.
Windows-based DisinfectionIf disinfection using FSAV fails, you may attempt to restore a recent System Restore point. In many cases, the patched system component will be replaced with clean version from the backup. Before restoring a System Restore point, it is advisable to backup all personal data to avoid possible losses when Windows rolls back to a previously saved state.
Caution: Manual repair is a risky process; it is recommended only for advanced users.
The last resort is to attach a hard drive with a patched file as slave to a similar Windows-based system. You can then boot up and replace the patched file with a replacement taken from a clean system. Note: the file used for replacement must be the same version as a patched file.
A malware may patch a Windows system component for a variety of purposes - for example, in order to disable security; or to add malicious code to the component that can be executed when the component is run.
The most frequently patched components are:
26 July 2012: The detection Trojan.patched.sirefef.<variant> identifies the Zaccess rootkit, which patches the legitimate 'services.exe' Windows component.
Manual Repair for Sirefef/ZeroAccess infections
The following manual removal instructions apply to Windows 7 systems with a service.exe file infected by Trojan.patched.sirefef.<variant>, and with F-Secure Internet Security 2012 (FSIS 2012) installed.
Many users will also find files in the Java cache being detected for Blackhole exploits; this is the most commonly dropped on the computer on visits to compromised/malicious sites silently serving the exploits. The detected files may be removed.