This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(16, 83%, 11%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ENC%3C/text%3E%3C/svg%3E)
A couple of days ago, I was watching YouTube when a “Do you want to allow this app to make changes to your computer” window popped up. It was onedrivepatcher.exe
As I was not installing or updating anything, I found it suspicious and did not click on either yes or no. The window disappeared on its own after a while. I assumed that means no access is allowed, please correct me if I’m wrong.
After a quick google search indicated onedrivepatcher.exe is a malware.
Norton and nordVPN threat protection both failed to catch it.
Under task manager -
In the meantime, Norton was being manually updated which triggered a restart.
After the restart, the weird program was gone from details. I assumed it was the malware and it was a temp file that was purged with the restart. Assumed is playing a big part here as I’m pretty much a computer idiot.
Did the following scans
All came back ok apart from the event id 1001 issue mentioned above
I assumed with all these checks that the malware had not successfully installed/infected my pc but want some professional opinion.
I am making this post as I read a Reddit post saying that it is a DLL sideloading malware and assume compromised and to reinstall Windows
I want some suggestions if it is really necessary to reinstall window as I do not have a recent backup and is it just better to reinstall to be on the safe side? Also, if I do go down this route, will a factory reset enough as I don’t have a usb drive to download window on?
Is there any other check I do to confirm?
Also, just curious, what does onedrivepatcher.exe do?
Thanks in advance
I posted this on Tom’s hardware and the respond is really making me scared. Is my pc done?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(265.6, 28.999999999999996%, 35%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ENC%3C/text%3E%3C/svg%3E)
Hello,
Since multiple security tools have already scanned your system and found nothing else, the chance of an actual infection seems low. There is also a possibility that the UAC prompt you saw was just an advertisement made to look like a real UAC window.
One thing I’d like to confirm:
When the UAC prompt appeared, did the background screen turn dark (as it normally does with a genuine UAC prompt).
I can’t remember exactly as it has been a few days but I think it looks like a genuine UAC prompt
Thanks for the update.
Even if it looked like a genuine UAC prompt, it can still be difficult to judge based on appearance alone, since some ads or pop‑ups can imitate the UAC style.
To understand the situation more clearly, could you recall one thing:
when the UAC prompt appeared, did the background screen dim or fade out?
A real UAC prompt normally forces the entire screen to dim and prevents any interaction with the browser or other apps.
Thanks for the help. Honestly, I can’t remember and have nothing to refer to as it disappeared just as I was going to take a picture of it.
However, going by just memory which is definitely not reliable in this case. It did not dimmed or at least not as much as normal.
One thing that I do remember almost to 100% is the publisher was Microsoft Corporation which is probably why it slipped through Norton firewall.
Do you think it can hide itself from the scans and also did the reboot actually got rid of it although I did not delete the file itself? These are currently what I worry about the most.
Based on everything you’ve described, there is no evidence that your system is infected.
All your scans came back clean, the file disappeared immediately, nothing returned after reboot, and there is no actual onedrivepatcher.exe on your system.
So the chance of a real infection is extremely low, even though we can never say “100% guaranteed” in these situations.
If you still feel uneasy, you can do the following:
Back up your important files
Use System Restore to roll your PC back to a point before this happened
System Restore
– This does not delete your personal data
– It removes anything that might have been installed
If you still worry after that, use your manufacturer’s factory reset option
– This returns the system to a completely clean state
For future protection, I strongly recommend enabling:
Windows Security → Ransomware Protection (Controlled Folder Access)
This blocks untrusted apps from modifying your personal files.
Smart App Control (SAC)
If your system supports it, SAC blocks unknown or suspicious apps before they can run.
With these features enabled, even if something similar appears again, Windows will block it automatically.
The behavior described matches a likely malware or deceptive software attempt, and the safest assumption is that the system may have been exposed even if no file named onedrivepatcher.exe is currently visible.
Because malware and deceptive software can hide, rename themselves, or make changes that are not obvious, there is no supported way in the provided context to definitively prove that the system is clean just by checking Task Manager, Task Scheduler, or a few scans.
When there is a credible suspicion of malware infection and uncertainty about whether it was fully removed, the documented guidance is:
For this scenario, that means:
If malware has caused irreversible or uncertain changes, the context explicitly recommends reset/restore/reinstall as the remediation path rather than trying to chase individual suspicious processes.
The context does not provide specific information on what onedrivepatcher.exe does, so no supported description of that executable’s behavior can be given here.
References:
