

patch.exe wants permission to run on startup. 1771.EXE ?

2 replies to this topic

#1 abssorb


  • Members
  • 2 posts
  • Local time:07:28 PM

Posted 15 January 2009 - 05:38 AM


Great forum!!

I recently had a laptop meltdown on virtumonde through firefox, despite having AVG Network 8 running. I got all the data off, spent about 3hrs trying to remove virtumonde, but decided to flatten and rebuild as I need it for my work.

But, whilst researching the removal, I think my desktop picked up an infection. :thumbsup: But I might be being paranoid. I'd welcome some advice.
Desktop is running Vista Ultimate 64 with AVG Network 8. As AVG failed to find the virtumonde on the laptop, I don't trust it any more.

My first suspicion:

On reboot -
Windows alerts me that C:\Program Files (x86)\Media\Poker\Patch.exe is requesting permission to run

Now around the same time I did download some Windows Vista Ultimate Extras from

Including Hold 'em poker. So it might be legitimate. But, I couldn't see Microsoft having their own install need permission and them having a file simply called patch.exe.

Paranoia from the laptop maybe. But, searching revealed that it could be 1771.EXE
I found :http ://www.prevx.com/filenames/1164652541085110274-0/17712EEXE.html
(Edited: You have to cut paste to do the link, because clicking starts a new session on the prevx site)

Folder C:\Program Files (x86)\Media\Poker\ contains:
msinet.ocx (130k)
mswinsck.ocx (122k)
Patch.exe (36k)

adaware, AVG, PrevX, Malwarebytes and avast can't find anything wrong with these files.

Following advice here: http://www.bleepingcomputer.com/forums/ind...l=unknown+owner
I went through a few steps.

Malwarebytes came up with:

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> No action taken.

But nothing else. That removed OK, but on reboot, patch.exe wanted to run again.

Is this an infection?

Edited by abssorb, 15 January 2009 - 05:59 AM.



#2 buddy215


  • Moderator
  • 13,503 posts
  • Gender:Male
  • Location:West Tennessee
  • Local time:01:28 PM

Posted 15 January 2009 - 11:05 AM

Probably legit, but you can get the file "patch.exe" scanned by multiple scanners by submitting to one of the sites in the links below.
“Every atom in your body came from a star that exploded and the atoms in your left hand probably came from a different star than your right hand. It really is the most poetic thing I know about physics...you are all stardust.” Lawrence M. Krauss
A 1792 U.S. penny, designed in part by Thomas Jefferson and George Washington, reads “Liberty Parent of Science & Industry.”

#3 abssorb

  • Topic Starter

  • Members
  • 2 posts
  • Local time:07:28 PM

Posted 16 January 2009 - 03:11 AM

Those are really useful - thanks.

I tried the upload in both and they were all clean except for one - Panda.

I was sceptical, but paranoia won out. So, I deleted the directory. I then re-downloaded hold em from microsoft, and it went into a different folder! :thumbsup:

Hope this post works out useful for others too, as google didn't give very much back. For google's benefit, the path again:
C:\Program Files (x86)\Media\Poker\Patch.exe
C:\Program Files\Media\Poker\Patch.exe

