Trojan:W32/Patched

Classification

Category: Malware

Type: Trojan

Aliases: Trojan:W32/Patched, Trojan.Win32.Patched

Summary

Trojan:W32/Patched is a detection for files (usually Windows components) that are patched by a malicious application.

Removal

It is not advisable to delete, rename or quarantine patched Windows components because doing so may affect system stability. Even though Windows locks its main files while it is active, it might still be possible to affect them.

Disinfection

If your F-Secure Anti-Virus detected a certain file as Trojan.Win32.Patched, please first try to select the "Disinfect" action. In this case, F-Secure Anti-Virus will create a copy of the patched file, try to restore its contents, and then add a renaming command to the Windows Registry in order to replace the patched file with the cleaned one during the next Windows startup.

System Restore Points

If the approach described above fails, try to restore one of the recent System Restore points. In many cases a patched system component will be replaced with a clean one. Before restoring a System Restore point, it is advisable to back up all personal data to avoid losing it when Windows rolls back to a previously saved state.

Repair

Windows installation discs contain a repair option. Boot from the CD and select the option to repair. Again, it is advisable to back up your personal data.

If nothing helps to clean a patched system component, the last resort is to attach the hard drive containing the patched file as a slave to a similar Windows-based system, boot up, and replace the patched file with a file taken from a clean system.

Note: A file used for replacement must be the same version as the patched file. This operation should be done by an experienced computer technician only.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

The purpose of patching varies. For example, some malware will patch system components in order to disable security, such as the Windows Safe File Check feature; others will add malicious code to a system component and then patch certain functions of the original file to point to the added code.

The most frequently patched components are:

  • winlogon.exe
  • wininet.dll
  • kernel32.dll
  • iexplore.exe
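To see what such patching looks like on disk, the following added example (not F-Secure's code and not part of the original description) compares a suspect component against a clean copy of the same version and reports a moved entry point, added sections and changed bytes. The `build_pe` helper and both sample images are constructed for illustration; file alignment and data directories are ignored.

```python
import struct

def build_pe(entry_rva, sections):
    """Constructed minimal PE32 image (sample input); sections = [(name, rva, data)]."""
    opt = struct.pack("<HBBIIII", 0x10B, 0, 0, 0, 0, 0, entry_rva).ljust(224, b"\0")
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x102)
    head = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40) + b"PE\0\0" + coff + opt
    table, body, raw = b"", b"", len(head) + 40 * len(sections)
    for name, rva, data in sections:
        table += struct.pack("<8sIIIIIIHHI", name, len(data), rva, len(data),
                             raw + len(body), 0, 0, 0, 0, 0x60000020)
        body += data
    return head + table + body

def parse_pe(data):
    """Return (entry point RVA, {section name: (rva, raw bytes)})."""
    pe = int.from_bytes(data[0x3C:0x40], "little")  # e_lfanew
    if data[:2] != b"MZ" or data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsec, opt_size = struct.unpack_from("<H12xH", data, pe + 6)
    entry, = struct.unpack_from("<I", data, pe + 40)  # AddressOfEntryPoint
    sections = {}
    for i in range(nsec):
        name, _vsize, rva, rsize, rptr = struct.unpack_from(
            "<8sIIII", data, pe + 24 + opt_size + 40 * i)
        sections[name.rstrip(b"\0").decode("ascii", "replace")] = (rva, data[rptr:rptr + rsize])
    return entry, sections

def compare(clean, suspect):
    """List differences between a clean same-version copy and a suspect file."""
    (c_entry, c_secs), (s_entry, s_secs) = parse_pe(clean), parse_pe(suspect)
    findings = [f"entry point {c_entry:#x} -> {s_entry:#x}"] if c_entry != s_entry else []
    for name, (rva, raw) in s_secs.items():
        ref = c_secs.get(name, (None, None))[1]
        if ref is None:
            findings.append(f"added section {name} at RVA {rva:#x} ({len(raw)} bytes)")
        elif ref != raw:
            diffs = [i for i, (a, b) in enumerate(zip(ref, raw)) if a != b]
            where = f"first at RVA {rva + diffs[0]:#x}" if diffs else "size changed"
            findings.append(f"{name}: {len(diffs)} byte(s) changed, {where}")
    return findings

# Constructed samples: 5 placeholder bytes overwritten at .text+0x10, one section added.
CODE = bytes(range(64))
CLEAN = build_pe(0x1000, [(b".text", 0x1000, CODE)])
PATCHED = build_pe(0x1000, [(b".text", 0x1000, CODE[:0x10] + b"\xCC" * 5 + CODE[0x15:]),
                            (b".added", 0x2000, b"\xCC" * 32)])
if __name__ == "__main__":
    print("\n".join(compare(CLEAN, PATCHED)))
```

The comparison is only meaningful when the reference copy is the same version as the suspect file, as the replacement note above requires.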

Note

Achtung: False Positive Notification

The 2008-11-04_04 database contained a false positive on a German language Windows XP Service Pack 2 file called User32.dll located in the C:\WINDOWS\system32 folder. The detection was named Trojan.Win32.Patched.dn and is resolved in the 2008-11-04_06 update.

If you were alerted to Trojan.Win32.Patched.dn, please make sure that you have the most current update, and that User32.dll has not been renamed.