Trojan:Win32/Patch.EP is a malicious executable detected by Microsoft Defender and other antivirus engines as a generic trojan that modifies or "patches" legitimate system files or running processes to inject malicious code. This threat belongs to a broader category of file-patching trojans designed to bypass security software, enable backdoor access, or prepare infected systems for additional malware payloads. While the ".EP" suffix indicates a specific variant classification by Microsoft's detection heuristics, many samples in this family share core behavior: they hook into Windows processes, modify executable code in memory, and establish persistence through multiple redundant mechanisms.

Trojan:Win32/Patch.EP — cybersecurity illustration
Photo by Tima Miroshnichenko on Pexels

Infections typically surface when users notice unusual system slowdowns, unexpected network traffic, or antivirus alerts that trigger repeatedly even after apparent removal. The trojan's ability to modify running processes makes it particularly stubborn—traditional quick scans often fail because the malware re-injects itself into memory from hidden persistence points before the scanner completes its work.

If you suspect your computer is infected right now: Disconnect from the internet immediately (unplug ethernet or disable Wi-Fi) to prevent data exfiltration and stop the trojan from downloading additional malware. Do not enter passwords or access financial accounts until the infection is confirmed removed. If the infection persists after following the removal steps below, call us at (770) 554-0571 or bring your machine to our Roswell location—we can typically eliminate stubborn trojans same-day.

Threat Profile

Attribute Details
Threat Family Trojan:Win32/Patch (file-patching trojan family)
Detection Aliases Trojan.Generic, Gen:Variant.Patch, Trojan/Win32.Agent, HEUR:Trojan.Win32.Generic (varies by vendor)
Platform Windows XP through Windows 11 (32-bit and 64-bit variants)
First Observed Variants in this family documented since early 2010s; specific .EP variant classification established mid-2010s
Distribution Methods Software bundling, fake codec installers, malicious Office macros, drive-by downloads, exploit kit payloads
Persistence Mechanisms Registry Run keys, scheduled tasks, service creation, DLL sideloading, process injection into explorer.exe or svchost.exe
Primary Capabilities Code injection, process patching, security software evasion, backdoor functionality, downloader for secondary payloads
Common File Locations %APPDATA%\[random], %LOCALAPPDATA%\[GUID folders], %TEMP%, System32 (disguised as legitimate files)
Network Behavior Connects to command-and-control servers (typically HTTP/HTTPS on ports 80/443), downloads encrypted payloads, exfiltrates system information
Registry Artifacts HKCU\Software\Microsoft\Windows\CurrentVersion\Run, HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce, AppInit_DLLs modifications (typical for family)
Data at Risk Browser credentials, cryptocurrency wallets, session cookies, system fingerprinting data, potentially keylogged input
Removal Difficulty Moderate to High (due to process injection and multi-layered persistence)

How It Spreads

Trojan:Win32/Patch.EP rarely arrives alone. Most infections trace back to bundled software installers—particularly free utilities downloaded from third-party hosting sites rather than official vendor pages. Users searching for "free PDF converter" or "video codec pack" often land on download portals that wrap legitimate software in an installer packed with unwanted programs. The trojan embeds itself in these bundles, typically requiring users to skip past or ignore pre-checked installation options during setup.

Another common vector involves fake software updates or browser plugin prompts displayed on compromised websites. A user visits what appears to be a normal site, then sees a convincing popup claiming their Flash Player or Java is outdated. Clicking "Update Now" downloads a trojan dropper disguised as a legitimate installer. Email campaigns distributing malicious Office documents also serve as delivery mechanisms—the document contains macros that, when enabled, download and execute the trojan payload from a remote server.

The malware also spreads through exploitation of unpatched software vulnerabilities. Exploit kits like RIG or Fallout scan visitors for outdated browser plugins, Java versions, or Windows components, then silently deliver the trojan without any user interaction beyond visiting an infected page.

  • Software bundles: Free download sites packaging trojans with legitimate freeware
  • Fake updates: Fraudulent codec, Flash Player, or browser extension prompts on compromised sites
  • Malicious email attachments: Office documents with macro-based downloaders
  • Exploit kits: Drive-by downloads targeting unpatched browser or plugin vulnerabilities
  • Torrent/piracy sites: Cracked software installers containing embedded trojans
  • Malvertising: Malicious advertisements on legitimate sites redirecting to exploit landing pages
  • USB/removable media: Autorun-enabled trojans spreading from infected flash drives

What It Does On Your Machine

Once executed, Trojan:Win32/Patch.EP immediately attempts to inject code into running Windows processes—most commonly explorer.exe (the desktop shell) or svchost.exe instances (generic service host processes that won't raise immediate suspicion). This injection allows the trojan to operate with the permissions of legitimate system processes, making it harder for security software to identify the malicious activity. The patching happens in memory rather than on disk, meaning the original files remain unmodified while the running code is compromised.

The trojan establishes multiple persistence points simultaneously. It creates registry entries in the Run and RunOnce keys to ensure it launches at every system startup, often using randomized executable names to avoid pattern-based detection. Some variants also create scheduled tasks set to trigger at user login or at specific intervals throughout the day. More sophisticated samples install themselves as Windows services with innocuous-sounding names like "Windows Update Assistant" or "Security Center Support Service."

After securing its foothold, the trojan typically contacts a command-and-control server to report the successful infection and receive instructions. During this beacon process, it transmits basic system information: Windows version, installed antivirus software, IP address, and sometimes a list of installed applications. The C&C server may respond with commands to download additional malware—ransomware, cryptocurrency miners, information stealers, or remote access tools. This modular approach allows attackers to customize the infection based on the victim's profile. A home user might receive adware and browser hijackers; a business workstation might receive data-stealing tools targeting corporate credentials.

The performance impact varies widely. Some infections cause obvious symptoms: constant hard drive activity, sluggish response times, browsers redirecting to unwanted sites, or the computer fan running constantly due to cryptocurrency mining activity. Others operate almost invisibly, collecting data quietly and maintaining backdoor access for months without obvious signs. Users often first notice the infection when their antivirus flags it during a scan, or when they observe unexplained network traffic in their router logs.

Typical Filesystem and Registry Artifacts
C:\Users\[Username]\AppData\Local\{A7B3C9D2-4E5F-1234-5678-9ABCDEF01234}\svchost.exe C:\Users\[Username]\AppData\Roaming\Microsoft\Windows\winlogon.exe C:\Windows\Temp\tmp[random].exe ; Registry persistence keys HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ "SecurityUpdate" = "C:\Users\[User]\AppData\Local\{GUID}\svchost.exe" HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ "SystemCheck" = "C:\Windows\Temp\tmp4F3A.exe" ; Scheduled task (view with: schtasks /query /fo LIST /v) Task Name: \Microsoft\Windows\UpdateOrchestrator\Security Update Task Task To Run: C:\Users\[User]\AppData\Local\{GUID}\svchost.exe

Manual Removal — Step by Step

01

Disconnect From Network

Immediately disconnect your computer from the internet by unplugging the ethernet cable or disabling Wi-Fi. This prevents the trojan from communicating with its command server, downloading additional malware, or exfiltrating collected data. Keep the computer offline throughout the entire removal process.

02

Boot Into Safe Mode with Networking

Restart your computer and press F8 repeatedly during boot (or Shift+F8 on newer systems) to access Advanced Boot Options. Select "Safe Mode with Networking." This loads Windows with only essential drivers and services, preventing most malware from auto-starting while still allowing you to download scanning tools if needed. On Windows 10/11, you can also access this through Settings → Update & Security → Recovery → Advanced Startup → Restart Now, then Troubleshoot → Advanced Options → Startup Settings → Restart → Press 4 for Safe Mode with Networking.

03

End Malicious Processes

Open Task Manager (Ctrl+Shift+Esc) and examine running processes carefully. Look for suspicious entries: executable names that mimic legitimate Windows processes but are located in user folders rather than System32, or processes with random character names running from AppData or Temp directories. Right-click suspicious processes, select "Open File Location" to verify the path, then end the process. Note that the trojan may hide by injecting into legitimate processes like explorer.exe—you may need to restart explorer.exe after removal to clear the injection.

04

Remove Startup Persistence Entries

Press Win+R, type "msconfig" and hit Enter. Go to the Startup tab (or "Open Task Manager" on Windows 10/11, then the Startup tab there). Disable any suspicious entries with random names or pointing to executables in AppData folders. Next, open Registry Editor (Win+R, type "regedit") and navigate to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run and HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. Delete any entries pointing to the trojan's executable paths you identified earlier. Check RunOnce keys in the same locations as well.

05

Delete Scheduled Tasks

Open Task Scheduler (search for it in the Start menu or type "taskschd.msc" in Run dialog). Expand Task Scheduler Library and review all tasks, especially those under Microsoft\Windows folders. Look for recently created tasks with suspicious names or actions pointing to executables in user directories. Right-click and delete any tasks associated with the trojan. You can also use Command Prompt (run as administrator) and type "schtasks /query /fo LIST /v" to view all tasks, then "schtasks /delete /tn [TaskName]" to remove specific ones.

06

Delete Malware Files and Folders

Navigate to the file locations you identified earlier (commonly C:\Users\[Username]\AppData\Local, AppData\Roaming, or Windows\Temp). Delete the entire GUID-named folders or any suspicious executables. You may need to show hidden files first: in File Explorer, click View → Options → Change folder and search options → View tab → Show hidden files, folders, and drives. If Windows prevents deletion claiming the file is in use, you're either still in normal mode (go back to Safe Mode) or the process is still running (return to step 3).

07

Run Malwarebytes Anti-Malware

Download and install Malwarebytes (from malwarebytes.com using a clean computer or smartphone, transferred via USB if your infected machine is offline). Run a full Threat Scan—this typically takes 30-90 minutes depending on drive size. Malwarebytes excels at detecting trojan remnants and related PUPs that might have installed alongside Patch.EP. Quarantine all detected items. Note that the free version provides excellent scanning; the premium version adds real-time protection.

08

Scan with Windows Defender Offline

After Malwarebytes completes, run Windows Defender Offline scan for a second opinion. Open Windows Security → Virus & threat protection → Scan options → Microsoft Defender Offline scan → Scan now. This will restart your computer into a pre-boot environment where the trojan cannot interfere with the scan. The scan takes about 15 minutes and automatically removes threats it finds. This step catches rootkit-level persistence that might survive normal-mode scans.

09

Reset Browser Settings

If you use Chrome, Edge, or Firefox, reset your browsers to default settings to remove any unwanted extensions or homepage changes the trojan installed. In Chrome/Edge: Settings → Reset settings → Restore settings to their original defaults. In Firefox: Help → More Troubleshooting Information → Refresh Firefox. This preserves bookmarks and passwords while removing extensions and resetting search engines. After resetting, manually review installed extensions and remove any you don't recognize.

10

Change Critical Passwords

Once you've confirmed the trojan is removed and you've reconnected to the internet, immediately change passwords for sensitive accounts—email, banking, Amazon, PayPal, etc. Do this from the cleaned computer or, preferably, from a known-clean device like your phone. Use strong, unique passwords for each account. Enable two-factor authentication wherever available, as this protects accounts even if the trojan captured your password before removal.

11

Reboot and Monitor

Restart your computer normally (exit Safe Mode) and monitor behavior for 24-48 hours. Watch for signs of reinfection: unexpected CPU usage, unknown processes in Task Manager, antivirus alerts, or browser redirects. Run quick scans with both Malwarebytes and Windows Defender daily for the first week. If symptoms return, the infection was more deeply rooted than manual removal could address—bring the machine to our shop for professional cleaning.

Prevention

  1. Download software only from official sources. Avoid third-party download sites like Download.com, Softonic, or CNET Downloads. Go directly to the developer's website. When searching Google for software, the official site should be the first non-ad result. If you see multiple "Download" buttons or the URL doesn't match the software name, you're likely on a bundling site.
  2. Pay attention during installation. Never click "Next" repeatedly without reading. Choose "Custom" or "Advanced" installation options, which reveal bundled software that "Express" installs hide. Uncheck any pre-selected optional offers. Legitimate software doesn't require you to install unrelated toolbars or system utilities.
  3. Keep Windows and all software updated. Enable automatic updates for Windows, browsers, and commonly exploited plugins (Java, Adobe Reader). Most infections through exploit kits target vulnerabilities patched months or years earlier. The May 2024 "Update Tuesday" patches closed dozens of holes that trojans still actively exploit on unpatched systems.
  4. Use a reputable real-time antivirus. Windows Defender (built into Windows 10/11) provides solid baseline protection if kept updated. For additional security, consider Malwarebytes Premium, ESET, or Bitdefender. Free antivirus is better than none, but paid versions typically offer superior detection rates and real-time behavioral monitoring that catches threats before they execute.
  5. Enable User Account Control and don't run as administrator daily. UAC prompts asking permission before programs make system changes aren't just annoyances—they're a critical defense layer. If you see a UAC prompt when you didn't intentionally install something, click "No." Running with standard user privileges rather than administrator rights limits the damage malware can do even if it executes.
  6. Be skeptical of email attachments and links. Don't enable macros in Office documents from unknown senders. Legitimate businesses don't send invoices or shipping notices as .docm or .xlsm files. When in doubt, contact the supposed sender through a verified channel (look up their phone number independently, don't call numbers in the email) to confirm they sent the attachment.
  7. Use an ad blocker. Extensions like uBlock Origin prevent malvertising—malicious advertisements on otherwise legitimate sites that redirect to exploit kits. This adds a layer of protection even when visiting trusted news sites or forums that might unknowingly serve compromised ads.
  8. Back up important files regularly. While not prevention, automated backups to an external drive or cloud service (OneDrive, Backblaze, etc.) ensure you can recover if you suffer a severe infection requiring a full Windows reinstall. Keep at least one backup copy disconnected from your computer so ransomware can't encrypt it.
Our Guarantee: When we remove malware at Computer Repair Roswell, the work comes with a 90-day warranty. If the same infection returns within three months (and you haven't introduced new risk factors like disabling your antivirus or installing pirated software), we'll re-clean the system at no additional charge. We stand behind our work because we take the time to verify complete removal—not just eliminate symptoms.

Bring It In

Trojan infections like Patch.EP can be frustrating to remove completely, especially when they've established multiple persistence mechanisms or downloaded additional malware before you caught them. If you've followed the steps above and still see suspicious behavior—or if you'd rather have professionals handle it from the start—bring your computer to our Roswell shop. We'll run a comprehensive diagnostic, remove the infection and any related threats, verify your system is clean, and optimize performance to get you back to normal operation. Most malware removals are completed same-day or within 24 hours.

We're located on Alpharetta Street in Roswell, open Monday through Saturday. Call us at (770) 554-0571 to check current wait times or schedule a drop-off. No appointment necessary—just bring the machine in and we'll get started. Our flat-rate malware removal service includes thorough cleaning, security recommendations specific to your usage patterns, and that 90-day reinfection warranty for your peace of mind.