I recently had a laptop meltdown on virtumonde through firefox, despite having AVG Network 8 running. I got all the data off, spent about 3hrs trying to remove virtumonde, but decided to flatten and rebuild as I need it for my work.
But, whilst researching the removal, I think my desktop picked up an infection. But I might be being paranoid. I'd welcome some advice.
Desktop is running Vista Ultimate 64 with AVG Network 8. As AVG failed to find the virtumonde on the laptop, I don't trust it any more.
My first suspicion:
On reboot -
Windows alerts me that C:\Program Files (x86)\Media\Poker\Patch.exe is requesting permission to run
Now around the same time I did download some Windows Vista Ultimate Extras from
Including Hold 'em poker. So it might be legitimate. But, I couldn't see Microsoft having their own install need permission and them having a file simply called patch.exe.
Paranoia from the laptop maybe. But, searching revealed that it could be 1771.EXE
I found: http ://www.prevx.com/filenames/1164652541085110274-0/17712EEXE.html
(Edited: You have to cut paste to do the link, because clicking starts a new session on the prevx site)
Folder C:\Program Files (x86)\Media\Poker\ contains:
adaware, AVG, PrevX, Malwarebytes and avast can't find anything wrong with these files.
Following advice here: http://www.bleepingcomputer.com/forums/ind...l=unknown+owner
I went through a few steps.
Malwarebytes came up with:
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> No action taken.
But nothing else. That removed OK, but on reboot, patch.exe wanted to run again.
Is this an infection?
Edited by abssorb, 15 January 2009 - 05:59 AM.
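The post's question (is a file that asks to run at every boot legitimate?) can be narrowed down with a few local checks before trusting any one scanner's verdict: the file's Authenticode signature and publisher, its hash and version metadata, the Explorer policy value Malwarebytes reported, and which autostart registry entry is launching it. The script below is an added example, not code from the original post or from any of the tools named in it. It assumes Windows PowerShell 5.1 or later (for Get-FileHash), an elevated prompt so HKLM policy keys are readable, and uses the file path from the post as its default; the list of Run keys inspected is the common set, not an exhaustive one.

```powershell
# Added example (not from the original post): triage checks for a file that
# prompts to run at boot, plus the Explorer policy value Malwarebytes flagged.
# Assumes Windows PowerShell 5.1+ (Get-FileHash, Get-AuthenticodeSignature)
# and an elevated prompt so HKLM policy keys can be read.

param(
    # Path taken from the post; any executable path can be substituted.
    [string]$Path = 'C:\Program Files (x86)\Media\Poker\Patch.exe'
)

function Get-ExeTriage {
    param([string]$File)
    if (-not (Test-Path -LiteralPath $File)) {
        Write-Warning "File not found: $File"
        return
    }
    $item = Get-Item -LiteralPath $File
    $sig  = Get-AuthenticodeSignature -FilePath $File
    [pscustomobject]@{
        Path            = $File
        SizeBytes       = $item.Length
        Created         = $item.CreationTime
        Modified        = $item.LastWriteTime
        SHA256          = (Get-FileHash -LiteralPath $File -Algorithm SHA256).Hash
        # 'Valid' with a recognisable publisher is what a genuine vendor patch
        # should show; 'NotSigned' or 'HashMismatch' deserves a closer look.
        SigStatus       = $sig.Status
        Signer          = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<none>' }
        CompanyName     = $item.VersionInfo.CompanyName
        ProductName     = $item.VersionInfo.ProductName
        FileDescription = $item.VersionInfo.FileDescription
    }
}

function Get-ExplorerPolicyValue {
    # The value Malwarebytes reported: 1 blocks changes to the Active Desktop.
    $key  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $name = 'NoActiveDesktopChanges'
    $prop = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
    if ($null -eq $prop) { return "$name is not set (the usual state on a clean machine)" }
    return "$name = $($prop.$name)"
}

# Where does the prompt at boot come from? Look through the common autostart
# registry locations for any entry that references the file in question.
function Find-RunEntriesFor {
    param([string]$File)
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    $leaf = Split-Path -Leaf $File
    foreach ($k in $runKeys) {
        $props = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
        if ($null -eq $props) { continue }
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own metadata properties
            if ("$($p.Value)" -like "*$leaf*") {
                [pscustomobject]@{ Key = $k; ValueName = $p.Name; Command = $p.Value }
            }
        }
    }
}

Get-ExeTriage -File $Path | Format-List
Get-ExplorerPolicyValue
Find-RunEntriesFor -File $Path | Format-Table -AutoSize
```

A signed file whose signer matches the product's publisher and whose version metadata names that product is consistent with the legitimate-install explanation; an unsigned file with empty version fields, or a Run entry pointing at it that the installer would not normally create, is the kind of evidence worth taking back to the forum thread. The SHA256 output also gives a stable identifier to look up, instead of a bare filename that many unrelated programs may share.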