
patch.exe wants permission to run on startup. 1771.EXE ?


2 replies to this topic

#1 abssorb


Posted 15 January 2009 - 05:38 AM

Hi,

Great forum!!

I recently had a laptop meltdown on virtumonde through firefox, despite having AVG Network 8 running. I got all the data off, spent about 3hrs trying to remove virtumonde, but decided to flatten and rebuild as I need it for my work.

But, whilst researching the removal, I think my desktop picked up an infection. :thumbsup: But I might be being paranoid. I'd welcome some advice.
Desktop is running Vista Ultimate 64 with AVG Network 8. As AVG failed to find the virtumonde on the laptop, I don't trust it any more.

My first suspicion:

On reboot -
Windows alerts me that C:\Program Files (x86)\Media\Poker\Patch.exe is requesting permission to run


Now around the same time I did download some Windows Vista Ultimate Extras from
http://www.microsoft.com/windows/windows-v...res/extras.aspx

Including Hold 'em poker. So it might be legitimate. But, I couldn't see Microsoft having their own install need permission and them having a file simply called patch.exe.

Paranoia from the laptop maybe. But, searching revealed that it could be 1771.EXE
I found :http ://www.prevx.com/filenames/1164652541085110274-0/17712EEXE.html
(Edited: You have to cut paste to do the link, because clicking starts a new session on the prevx site)

Folder C:\Program Files (x86)\Media\Poker\ contains:
msinet.ocx (130k)
mswinsck.ocx (122k)
Patch.exe (36k)


adaware, AVG, PrevX, Malwarebytes and avast can't find anything wrong with these files.

Following advice here: http://www.bleepingcomputer.com/forums/ind...l=unknown+owner
I went through a few steps.

Malwarebytes came up with:

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> No action taken.


But nothing else. That removed OK, but on reboot, patch.exe wanted to run again.

Is this an infection?

Edited by abssorb, 15 January 2009 - 05:59 AM.




#2 buddy215


Posted 15 January 2009 - 11:05 AM

Probably legit, but you can get the file "patch.exe" scanned by multiple scanners by submitting to one of the sites in the links below.
http://virusscan.jotti.org/
http://www.virustotal.com/
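Before uploading a file to a multi-engine scanner, it helps to know exactly which auto-start entries exist and what each target's hash and signature status is; an unsigned file in an odd path like the poker one above is the kind worth checking. The script below is an added triage helper, not something posted in this thread or supplied by BleepingComputer, and it assumes Windows PowerShell 4 or later (for Get-FileHash) run as an administrator.

```powershell
# Added example: list Run-key and Startup-folder entries with SHA256 and
# Authenticode status. Both the native and Wow6432Node views are read so
# 32-bit entries on a 64-bit system (e.g. Program Files (x86)) are not missed.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
)
# Metadata properties that Get-ItemProperty adds to every registry object.
$psMeta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Get-TargetPath([string]$command) {
    # Pull the executable out of a Run value; any arguments are dropped.
    if ($command -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($command -match '^\s*(\S+\.exe)') { return $Matches[1] }
    return $command.Trim()
}

function Get-StartupReport {
    $entries = @()
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -in $psMeta) { continue }
            $entries += [pscustomobject]@{ Source = $key; Name = $p.Name; Target = Get-TargetPath $p.Value }
        }
    }
    # Per-user and all-users Startup folders.
    foreach ($f in @([Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup'))) {
        Get-ChildItem -Path $f -File -ErrorAction SilentlyContinue | ForEach-Object {
            $entries += [pscustomobject]@{ Source = $f; Name = $_.Name; Target = $_.FullName }
        }
    }
    foreach ($e in $entries) {
        $exists = Test-Path -LiteralPath $e.Target
        # Hash lets you search the scanner sites by SHA256 before uploading the file itself.
        $hash = if ($exists) { (Get-FileHash -LiteralPath $e.Target -Algorithm SHA256).Hash } else { 'missing' }
        $sig  = if ($exists) { (Get-AuthenticodeSignature -FilePath $e.Target).Status } else { 'n/a' }
        [pscustomobject]@{ Source = $e.Source; Name = $e.Name; Target = $e.Target; SHA256 = $hash; Signature = $sig }
    }
}

Get-StartupReport | Format-Table -AutoSize -Wrap
```

A Signature of NotSigned is not proof of malware (plenty of legitimate installers are unsigned), but an unsigned binary that a scanner has never seen is the one to upload.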

#3 abssorb


Posted 16 January 2009 - 03:11 AM

Those are really useful - thanks.

I tried the upload in both and they were all clean except for one - Panda.

I was sceptical, but paranoia won out. So, I deleted the directory. I then re-downloaded hold em from microsoft, and it went into a different folder! :thumbsup:

Hope this post works out useful for others too, as google didn't give very much back. For google's benefit, the path again:
C:\Program Files (x86)\Media\Poker\Patch.exe
C:\Program Files\Media\Poker\Patch.exe

:flowers:
