Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


PE_Patched.ld in explorer.exe and winlogon.exe

  • Please log in to reply
2 replies to this topic

#1 Russ (with a virus)

Russ (with a virus)

  • Members
  • 2 posts
  • Local time:02:25 AM

Posted 04 October 2010 - 05:19 PM

Hello everyone,

I've found myself with a bit of a headache... I recently (two days ago) found myself faced with a search engine redirect problem. I ran ClamWin aintivirus, and MalwareBytes (the paid version) and found nothing. I downloaded TrendMicro's House Call program, which came up with two infected files: explorer.exe and winlogon.exe -- both of which were infected with the PE_Patched.ld trojan. Neither file can be successfully "cleaned." I did some searching and found that this trojan looks a lot like some of the other Patched variants, none of which looked very pretty.

Thankfully, MalwareBytes (along with a very large hosts file) is actively blocking the redirects, and apart from explorer.exe running a high memory usage, I'm seeing no ill effects... but it's what I'm not seeing that's bugging me. Plus the fact that I've got a bug that won't die.

Any ideas on a first step?


Edited by hamluis, 04 October 2010 - 05:24 PM.
Moved from XP forum to Am I Infected ~ Hamluis.

BC AdBot (Login to Remove)


#2 Russ (with a virus)

Russ (with a virus)
  • Topic Starter

  • Members
  • 2 posts
  • Local time:02:25 AM

Posted 06 October 2010 - 08:38 PM

I fixed it. If anyone has this problem, here's what worked for me:

Using the Windows XP CD, run a repair installation. This will replace all of the system files, including the infected ones. I've run three full-system scans, and have turned up no trace of PE_Patched.ld, or any other virus/trojan, anywhere in my system.

Hope this helps to anyone else with this trojan.

#3 quietman7


    Bleepin' Janitor

  • Global Moderator
  • 51,771 posts
  • Gender:Male
  • Location:Virginia, USA
  • Local time:02:25 AM

Posted 07 October 2010 - 07:52 AM

I am glad to hear you resolved the malware problem but a Repair Install may not work for everyone as it depends on the type and extent of the infection.

In some cases a Win32.Patched threat detection can be indicative of a dangerous polymorphic file infector with IRCBot functionality such as Virut or Win32/Ramnit.A. This type of malware typically typically infects .exe, .scr files, compressed files (.zip, .cab, .rar), and script files (.php, .asp, .htm, .html, .xml) and opens a back door that compromises your computer. Using this backdoor, a remote attacker can access and instruct the infected computer to download and execute more malicious files.

With this particular infection the safest solution and only sure way to remove it effectively is to reformat and reinstall the OS.

Why? File injectors will seek out critical system files and insert its code into them. In many cases the infected files (which could number in the thousands) cannot be disinfected properly by your anti-virus. When disinfection is attempted, the files often become corrupted and the system may become unstable or irreparable. The longer this type of infection remains on a computer, the more files it infects and corrupts so the degree of infection can vary. Additionaly, the system has likely been compromised by backdoor Trojans and there is no way to be sure the computer can ever be trusted again.

Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS.

Whenever a system has been compromised by a backdoor payload, it is impossible to know if or how much the backdoor has been used to affect your system...There are only a few ways to return a compromised system to a confident security configuration. These include:
• Reimaging the system
• Restoring the entire system using a full system backup from before the backdoor infection
• Reformatting and reinstalling the system

Backdoors and What They Mean to You

This is what Jesper M. Johansson at Microsoft TechNet has to say: Help: I Got Hacked. Now What Do I Do?.

The only way to clean a compromised system is to flatten and rebuild. That’s right. If you have a system that has been completely compromised, the only thing you can do is to flatten the system (reformat the system disk) and rebuild it from scratch (reinstall Windows and your applications).

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users