Windows components that have been 'patched' by a malicious application, usually to facilitate the malware's operations. The affected component and the purpose of the patching may vary depending on the malware in question.
It is not advisable to delete, rename or quarantine patched Windows components, as doing so may affect system stability. Even though Windows locks its core files while they are in use, the modifications made to a patched component can still affect the system.
Disinfection using F-Secure Anti-Virus
If your F-Secure Anti-Virus (FSAV) has detected a file as 'Patched', first select the "Disinfect" action. FSAV will then create a copy of the patched file and attempt to restore its contents; it will then add a renaming command to the Windows Registry so that the patched file is replaced with the cleaned one during the next Windows startup.
If disinfection using FSAV fails, you may attempt to restore a recent System Restore point. In many cases, the patched system component will be replaced with a clean version from the backup. Before restoring a System Restore point, it is advisable to back up all personal data to avoid possible losses when Windows rolls back to a previously saved state.
If the System Restore option fails, you may attempt to repair the component using the 'repair' option included on Windows installation discs. To do so, boot the computer from the CD and select the option to repair. Again, it is advisable to back up your personal data before doing so.
Caution: Manual repair is a risky process; it is recommended only for advanced users.
The last resort is to attach the hard drive containing the patched file as a slave drive to a similar Windows-based system. You can then boot up and replace the patched file with a copy taken from a clean system. Note: the file used for replacement must be the same version as the patched file.
Malware may patch a Windows system component for a variety of purposes: for example, to disable security, or to add malicious code to the component that is executed whenever the component runs.
The most frequently patched components are:
26 July 2012: The detection Trojan.patched.sirefef.[variant] identifies the Zaccess rootkit, which patches the legitimate 'services.exe' Windows component.
Manual Repair for Sirefef/ZeroAccess infections
The following manual removal instructions apply to Windows 7 systems with a services.exe file infected by Trojan.patched.sirefef.[variant], and with F-Secure Internet Security 2012 (FSIS 2012) installed.
- Turn off real-time scanning to prevent interference with the removal process.
- Boot to Safe Mode.
- Search for the backup copy of services.exe; this copy will usually be at:
  - C:\Windows\Winsxs\[directory path]\services.exe
  - C:\Windows\Assembly\gac\desktop.ini OR \gac_32\desktop.ini
- Please send a copy to Submit A Sample (SAS) so that a Labs Analyst can create the necessary detection.
- Then boot to Safe Mode to manually locate the files named "n" at the locations listed above. Rename the files to "n.vir", then restart in normal mode and delete the entire folder containing those files.
- If any file is locked by services.exe, first fix services.exe as described above.
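As an added check for the two procedures above (replacing the patched file with a same-version copy from WinSxS, and the manual Sirefef/ZeroAccess repair), the following PowerShell script is an example written for this page; it is not F-Secure's tooling or code. It compares the live services.exe against every same-version copy under WinSxS by SHA-256, reports Authenticode status, flags WinSxS entries that are merely hard links to the live file (so they share its data and are not an independent backup), and lists any reboot-time renames queued in the registry. The paths, the PendingFileRenameOperations mechanism (the page says FSAV schedules a rename in the registry but does not name the value) and the `fsutil hardlink list` output format are assumptions, not facts stated on the page.

```powershell
# Added example, not part of the F-Secure description or its products.
# Integrity check of services.exe against its WinSxS backup copies before a
# manual replacement. Assumptions: elevated PowerShell 2.0+ on the affected
# machine (ideally in Safe Mode, as the procedure says), default %SystemRoot%,
# and that the WinSxS copies themselves have not been tampered with.

param(
    [string]$Target = (Join-Path $env:SystemRoot 'System32\services.exe'),
    [string]$WinSxS = (Join-Path $env:SystemRoot 'WinSxS')
)

# SHA-256 via .NET so the script does not depend on Get-FileHash (PowerShell 4.0+).
function Get-Sha256Hex {
    param([string]$Path)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try {
        ($sha.ComputeHash($fs) | ForEach-Object { $_.ToString('x2') }) -join ''
    } finally {
        $fs.Close()
    }
}

# Version, hash and Authenticode status for one file.
# Caveat: on Windows 7 most system binaries are catalog-signed, so
# Get-AuthenticodeSignature may report 'NotSigned' for a clean file there.
# Treat the hash comparison against WinSxS as the deciding check and use
# 'sfc /verifyonly' as a second opinion.
function Get-FileIntegrityInfo {
    param([string]$Path)
    $sig    = Get-AuthenticodeSignature -FilePath $Path
    $signer = '<none>'
    if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
    New-Object PSObject -Property @{
        Path      = $Path
        Version   = (Get-Item $Path).VersionInfo.FileVersion
        Sha256    = Get-Sha256Hex $Path
        Signature = $sig.Status
        Signer    = $signer
    }
}

# WinSxS copies whose FileVersion matches the live file: a replacement must be
# the same version as the patched file.
function Find-BackupCopies {
    param([string]$Root, [string]$Name, [string]$Version)
    Get-ChildItem -Path $Root -Recurse -Filter $Name -ErrorAction SilentlyContinue |
        Where-Object { $_.VersionInfo.FileVersion -eq $Version } |
        ForEach-Object { Get-FileIntegrityInfo $_.FullName }
}

# Reboot-time file replacement on Windows is queued in this REG_MULTI_SZ value
# (source/destination path pairs consumed by Session Manager at boot). Whether
# FSAV uses exactly this value is not stated on the page; this is an assumption.
function Get-PendingRenames {
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    $prop = Get-ItemProperty -Path $key -Name PendingFileRenameOperations -ErrorAction SilentlyContinue
    if ($prop) { $prop.PendingFileRenameOperations } else { @() }
}

$live = Get-FileIntegrityInfo $Target
'Live file:'
$live | Format-List Path, Version, Sha256, Signature, Signer

# On Vista/7 the System32 file is often a hard link into WinSxS, so an
# IDENTICAL hash can mean shared data rather than an independent backup.
# fsutil prints drive-relative paths such as \Windows\WinSxS\...\services.exe
# (assumed format).
$links = @(& fsutil hardlink list $Target 2>$null)

$name    = Split-Path $Target -Leaf
$backups = @(Find-BackupCopies -Root $WinSxS -Name $name -Version $live.Version)
if ($backups.Count -eq 0) {
    Write-Warning "No WinSxS copy of $name with version $($live.Version) found."
}
foreach ($b in $backups) {
    $verdict = 'IDENTICAL to live file'
    if ($b.Sha256 -ne $live.Sha256) {
        $verdict = 'DIFFERS from live file (live copy may be patched)'
    } elseif ($links -contains $b.Path.Substring(2)) {
        $verdict = 'hard link to live file (same data, not an independent backup)'
    }
    "{0}`n    {1}; signature={2}" -f $b.Path, $verdict, $b.Signature
}

'Pending reboot-time renames:'
Get-PendingRenames
```

A WinSxS copy that differs from the live file by hash while carrying the same FileVersion is the candidate replacement the procedure calls for; run the script again after the reboot that completes the rename to confirm the live hash now matches that copy. Because a kernel-mode rootkit can lie to user-mode tools about file contents, a result taken in normal mode is only suggestive; the Safe Mode or offline (slave drive) readings described above are the ones to trust.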
Many users will also find files in the Java cache being detected as Blackhole exploits; these are most commonly dropped on the computer during visits to compromised or malicious sites that silently serve the exploits. The detected files may be removed.