Trojan:Win32/Patched.L Can't be Removed

  • Question

  • Forefront is reporting Trojan:Win32/Patched.L on a computer.  Pressing Clean or Apply Action seems to have no effect - the warning re-appears.  How do I remove this trojan?

    Wednesday, August 5, 2009 4:14 PM

Answers

  • Hi,

    Thank you for your post.

    I think you should update the FCS and then run a full scan. The infected files may be quarantined. Also, you can upload the source file to the Malware Protection Portal https://www.microsoft.com/security

    Regards,


    Nick Gu - MSFT
    • Marked as answer by Nick Gu - MSFT Thursday, August 13, 2009 7:32 AM
    Tuesday, August 11, 2009 5:52 AM

All replies

  • In these cases what you need to do is call Microsoft support and say you have a security issue. They will help you for free, if I'm not misinformed.

    Also, if you have the source file, you can upload it to the new Malware Protection Portal https://www.microsoft.com/security

    Good Luck!
    /Johan
    MCSE, forefront spec | www.msforefront.com
    Wednesday, August 5, 2009 7:55 PM
  • Forefront is indicating that the infected file is ws2_32.dll.  Because that dll is used for windows sockets, I can't get to the internet on that machine & can't upload the file.

    However, I found a copy of the dll.  I cut the infected file from windows/system32 & pasted it into a folder that I created just to hold it.  Then, I copied the good dll to system32.  I was surprised when a dialog asked if I wanted to replace the file.  An infected file had been added back to system32.

    Replacing the infected file with the good one seemed to work.  The good file has not been replaced by an infected file, so far.  I'm running a full scan on the computer, & once that's finished, I'll reconnect to the internet & upload the infected file.

    I am concerned that a process may be monitoring system32 to replace ws2_32.dll if it gets deleted.  If there is such a process, I don't know how to identify it & remove it.

    Thanks,
    John
    Thursday, August 6, 2009 4:23 PM
  • Hi!

    There is a native Windows service that monitors changes to system32: "Windows File Protection". If any changes (even delete/cut) are made to protected files in system32, a fresh copy of the file will overwrite the changed one in system32 (I forget the name of the repository, but it's a folder on your drive). I suspect that this is what you are experiencing.


    Read more here:

    http://support.microsoft.com/kb/222193

    /Johan


    MCSE, forefront spec | www.msforefront.com
    Friday, August 7, 2009 7:34 AM
  • Hi Johan,

    When properties are displayed for the infected file, the Version tab is missing.  (The Version tab for the good file shows File Version, Description, etc...)

    From the kb, if the file is deleted from windows\system32, it is restored from a backup copy at WINDOWS\system32\dllcache.  When I look at the properties of the backup copy, I see the Version tab.  So, the current backup copy looks fine. 

    If the backup copy is good, why was the infected copy restored after I deleted it & after Forefront deleted it? One explanation might be that when the file is replaced in system32, the backup in dllcache is also replaced.  So, when Forefront & I deleted the file from system32, the infected backup was restored, but when I replaced the infected file, a copy of the replacement was placed in dllcache.  Do you know if that is how Windows file protection works?

    As you suggested, I tried to submit the infected file through the Malware Protection Portal, but the submission failed, with this error "Your request could not be processed, please try again. If the problem persists please contact Customer support ".

    I contacted customer support through online chat & was asked to run Windows Live OneCare Protection scan.  The protection scan found the infected file, but cleaning the file failed with "1 issue not able to be cleaned" & the file still appears in the folder I moved it to from system32.

    Customer support also suggested zipping the infected file before sending it, but winzip failed to zip it.

    John

    Friday, August 7, 2009 11:46 AM
  • Although the protection scan failed to clean the file, I ran a full scan with Forefront, & it no longer detects the virus.

    Friday, August 7, 2009 7:03 PM
  • Hello:

    I faced this problem before:

    First disable Windows File Protection, then scan the infected folder; you must be a local admin.

    To disable WFP:

    Set the value SFCDisable (REG_DWORD) in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon. By default, SFCDisable is set to 0, which means WFP is active. Setting SFCDisable to 1 will disable WFP. Setting SFCDisable to 2 will disable WFP for the next system restart only (without a prompt to re-enable).

    Please update me on whether it worked or not.

    Sunday, August 16, 2009 8:43 AM
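The check John was looking for earlier in the thread (is the dllcache backup of ws2_32.dll the same file as the one in system32, and does either copy lack its version resource?) together with a read-out of the SFCDisable value from the last post, as an added PowerShell example. This is not code from any of the posters. It assumes the 32-bit XP/2003-era layout the thread describes (%windir%\system32 with its WFP backup store in %windir%\system32\dllcache), the file name ws2_32.dll from the thread, and an elevated local-admin prompt; the function names are the example's own. Two caveats a practitioner should know: system DLLs of that era are catalog-signed rather than carrying an embedded Authenticode signature, so a status of NotSigned by itself proves nothing, which is why the hash comparison and the version-resource check carry the weight here; and on Windows 2000 SP1 and later a SFCDisable value of 1 is honoured only while a kernel debugger is attached, so 2 (off until the next restart only) is the value that actually does what the last post wants on a normal machine.

```powershell
# Added example for this thread, not code from any of the posters. Assumes the
# 32-bit XP/2003 layout the thread describes: %windir%\system32 and its WFP
# backup store %windir%\system32\dllcache. Run from an elevated (local admin) prompt.

$FileName    = 'ws2_32.dll'                                  # the DLL Forefront flagged
$LivePath    = Join-Path $env:windir "system32\$FileName"
$CachePath   = Join-Path $env:windir "system32\dllcache\$FileName"
$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Get-Sha256Hex([string]$Path) {
    # .NET hashing so this also runs on PowerShell 2.0, which has no Get-FileHash
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try     { ($sha.ComputeHash($fs) | ForEach-Object { $_.ToString('x2') }) -join '' }
    finally { $fs.Close() }
}

function Get-DllCopyInfo([string]$Path) {
    # One record per copy: size, version resource, Authenticode status, SHA-256.
    if (-not (Test-Path -LiteralPath $Path)) {
        return New-Object PSObject -Property @{ Path = $Path; Exists = $false }
    }
    $item = Get-Item -LiteralPath $Path
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    New-Object PSObject -Property @{
        Path        = $Path
        Exists      = $true
        Size        = $item.Length
        # Empty when the PE version resource is gone (no Version tab in Properties)
        FileVersion = $item.VersionInfo.FileVersion
        # XP-era system DLLs are catalog-signed: NotSigned alone is not proof of tampering
        Signature   = $sig.Status
        Sha256      = Get-Sha256Hex $Path
    }
}

$live  = Get-DllCopyInfo $LivePath
$cache = Get-DllCopyInfo $CachePath
$live, $cache | Format-List Path, Exists, Size, FileVersion, Signature, Sha256

if ($live.Exists -and $cache.Exists) {
    if ($live.Sha256 -ne $cache.Sha256) {
        Write-Warning 'system32 and dllcache copies differ; WFP restores the dllcache copy, good or bad'
    } else {
        Write-Host 'system32 and dllcache copies are byte-identical'
    }
    foreach ($copy in @($live, $cache)) {
        if (-not $copy.FileVersion) {
            Write-Warning ("{0}: no version resource, the same symptom as the file Forefront flagged" -f $copy.Path)
        }
        if ($copy.Signature -eq 'HashMismatch') {
            Write-Warning ("{0}: embedded signature does not match the file contents" -f $copy.Path)
        }
    }
}

# WFP state: missing or 0 = active (the default). 2 = off until the next restart only,
# which is the reversible choice if you need to scan or replace the file.
$sfc = (Get-ItemProperty -Path $WinlogonKey -Name SFCDisable -ErrorAction SilentlyContinue).SFCDisable
if ($null -eq $sfc) { $sfc = 0 }
Write-Host ("SFCDisable = {0}" -f $sfc)

# To turn WFP off for the next boot only, uncomment the line below, reboot, do the
# scan or replacement, and confirm afterwards that the value has gone back to 0:
# Set-ItemProperty -Path $WinlogonKey -Name SFCDisable -Value 2 -Type DWord
```

If the two hashes differ and the dllcache copy is the one without a version resource, that is the situation John suspected: every delete from system32 would just bring the bad copy back, and the cure is to get a known-good copy into both locations (or disable WFP for one boot as above) rather than to keep deleting the live file.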