Threat description


Category: Malware
Type: Trojan
Platform: W32


Windows components that have been 'patched' by a malicious application, usually to facilitate the malware's operations. The affected component and the purpose of the patching may vary depending on the malware in question.



It is not advisable to delete, rename or quarantine patched Windows components as doing so may affect system stability. Even though Windows locks its main files while they are active, modifications to the patched components may still affect them.

Disinfection using F-Secure Anti-Virus

If your F-Secure Anti-Virus (FSAV) detected a certain file as 'patch', please first select the "Disinfect" action. FSAV will then create a copy of the patched file and attempt to restore its contents; it will then add a renaming command into the Windows Registry in order to replace the patched file with a cleaned one during the next Windows startup.

Windows-based Disinfection

If disinfection using FSAV fails, you may attempt to restore a recent System Restore point. In many cases, the patched system component will be replaced with clean version from the backup. Before restoring a System Restore point, it is advisable to backup all personal data to avoid possible losses when Windows rolls back to a previously saved state.

If the System Restore option fails, you may attempt to repair the component using the 'repair' option included on Windows installation discs. To do so, boot the computer from the CD and select the option to repair. Again, it is advisable to backup your personal data before doing so.

Manual Repair

Caution: Manual repair is a risky process; it is recommended only for advanced users.

The last resort is to attach a hard drive with a patched file as slave to a similar Windows-based system. You can then boot up and replace the patched file with a replacement taken from a clean system. Note: the file used for replacement must be the same version as a patched file.

Technical Details

A malware may patch a Windows system component for a variety of purposes - for example, in order to disable security; or to add malicious code to the component that can be executed when the component is run.

The most frequently patched components are:

  • winlogon.exe
  • wininet.dll
  • kernel32.dll
  • iexplore.exe

26 July 2012: The detectionTrojan.patched.sirefef.[variant] identifies the Zaccess rootkit, which patches the legitimate 'services.exe' Windows component.

Manual Repair for Sirefef/ZeroAccess infections

The following manual removal instructions apply to Windows 7 systems with a service.exe file infected by Trojan.patched.sirefef.[variant], and with F-Secure Internet Security 2012 (FSIS 2012) installed.

  • Turn off real-time scanning to prevent interference with the removal process.
  • Boot to safe mode
  • search for the backup copy of services.exe; this copy will usually be:
    • C:\Windows\Winsxs\[directory path]\services.exe
    Go to C:\windows\system32\ folder and rename the infected copy of the services.exe file to 'services.exe.vir' (use cmd.exe if necessary) Copy the backup services.exe file from the Winsxs folder to C:\Windows\system32\ After reboot, open the FSIS 2012 product and uncheck the "scan only known file types" setting under manual scanning. Next, run a full system scan. The product should detect items in the following locations:
    • C:\Users\[user]\appdata\local\{[numbers]}\n
    • C:\Windows\Installer\{[numbers]}\n
    • C:\Windows\Assembly\gac\desktop.ini OR \gac_32\desktop.ini
    The product should then prompt for reboot to remove one of the n files listed above. Note: if the n files are not detected by the product:
    • Please send a copy to the Submit A Sample (SAS) for a Labs Analyst to create the necessary detection.
    • Then boot to Safe Mode to manually locate the n files at the locations listed above. Rename the files to "n.vir", then restart in normal mode and delete the entire folder with those files.
    • If any file is locked by services.exe, first fix services.exe as above.
    After reboot, manually delete all remaining traces of the malware by deleting the {[numbers]} folders Finally, re-enable real-time scanning, reboot and run another full scan.

Many users will also find files in the Java cache being detected for Blackhole exploits; this is the most commonly dropped on the computer on visits to compromised/malicious sites silently serving the exploits. The detected files may be removed.


Suspect a file or URL was wrongly detected? Submit a sample to our Labs for analysis

Submit Sample

Give And Get Advice

Give advice. Get advice. Share the knowledge on our free discussion forum.

Learn More