AVG detects Win64/Patched.A.Gen trojan

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by CPham, Dec 28, 2012.

  1. CPham

    CPham Private E-2

    I have had AVG alerting me about the following for months now:

    My computer seems to be running fine, but the alert has been worrying me. I have read other posts from people who have encountered this issue, but I do not know how to proceed. I need an expert to guide me in a step-by-step removal procedure.

    Please help. Thank you in advance!
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    Sounds like you have a ZeroAccess infection. Not sure why you would wait so long to fix this. This is a dangerous infection which may have been stealing personal information. See the below link for a quick summary on ZeroAccess:

    http://www.symantec.com/security_response/writeup.jsp?docid=2011-071314-0410-99


    To properly remove this infection, we will need to run our standard cleaning procedure to collect a bunch of logs. Then additional manual steps will be necessary.

    Please follow the instructions in the below link:

    READ & RUN ME FIRST. Malware Removal Guide

    and attach the requested logs when you finish these instructions.
    • **** If something does not run, write down the info to explain to us later but keep on going. ****
    • Do not assume that because one step does not work that they all will not. MGtools will frequently run even when all other tools will not.

    • After completing the READ & RUN ME and attaching your logs, make sure that you tell us what problems still remain ( if any still do )!
    Helpful Notes:

    1. If you run into problems trying to run the READ & RUN ME or any of the scans in normal boot mode, you can run the steps in safe boot mode but make sure you tell us what you did later when you post logs. See the below if you do not know how to boot in safe mode:
2. If you have problems downloading on the problem PC, download the tools and the manual update for Malwarebytes (links are given in the READ & RUN ME) onto another PC and then burn them to a CD. Then copy them to the problem PC. You will have to skip getting updates if (and only if) your internet connection does not work. Yes, you could use a flash drive too, but flash drives are writeable and infections can spread to them.
    3. If you cannot seem to login to an infected user account, try using a different user account (if you have one) in either normal or safe boot mode and running only RogueKiller and Malwarebytes while logged into this other user account. Then reboot and see if you can log into the problem user account. If you can then run the rest of the READ & RUN ME FIRST instructions on the infected account.
    4. To avoid additional delay in getting a response, it is strongly advised that after completing the READ & RUN ME you also read this sticky:
    Any additional post is a bump which will add more delay. Once you attach the logs, your thread will be in the work queue and as stated our system works the oldest threads FIRST.
     
  3. CPham

    CPham Private E-2

    Thank you for your reply! Attached are the requested logs.

    I encountered a minor error while MGtools was scanning.

     


  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay I was correct that you have a ZeroAccess infection. It has infected your C:\Windows\system32\services.exe system files and we need to replace it. In order to do this, we will first need to run a scan with another special tool named FRST which will provide an additional log. Then after I have this new log, I will start your actual fix which will again make use of FRST.

    Please do the below so that we can boot to System Recovery Options to run a scan.

    For 32-bit (x86) systems download Farbar Recovery Scan Tool and save it to a flash drive.
    For 64-bit (x64) systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

    Plug the flashdrive into the infected PC.

    Enter System Recovery Options from the Advanced Boot Options:
    • Restart the computer.
    • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
    • Use the arrow keys to select the Repair your computer menu item.
    • Select US as the keyboard language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.

    On the System Recovery Options menu you will get the following options:
    • Select Command Prompt
    • In the command window type in notepad and press Enter.
    • The notepad opens. Under File menu select Open.
    • Select "Computer" and find your flash drive letter and close the notepad.
    • In the command window type e:\frst.exe (for the x64 version type e:\frst64) and press Enter
      Note: Replace letter e with the drive letter of your flash drive.
    • The tool will start to run.
    • When the tool opens click Yes to disclaimer.
    • Press Scan button.
    • It will make a log (FRST.txt) on the flash drive. Please attach this file to your next reply. (See: How to attach)
     
  5. CPham

    CPham Private E-2

    I put FRST on a flash drive.

    Pressing F8 does not load the Advanced Boot Options for me. I have a HP Pavilion desktop.
     
  6. CPham

    CPham Private E-2

    Got it.

    See attachment for FRST log.
     


  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Nope! You cannot run it from Windows.
    It must be run from the Recovery Environment as requested. So you are saying your PC manufacturer did not install Windows with this feature as it should have? Especially if not providing a Windows system boot DVD!


    See the below for additional help in getting to Advanced Boot Options:

    http://www.sevenforums.com/tutorials/666-advanced-boot-options.html
     
  8. CPham

    CPham Private E-2

    The bootup process does not like me!

    I saved "FRST64.exe" to my flash drive (see attachment). I restarted my computer, and read the splash screen (see attachment), and pressed Esc for the Boot Menu since F8 never worked after numerous tries and F11 did not prompt me with anything.

    I was prompted to select a boot device... the following were listed:

    I selected USB Flash Memory6.50, and I get an error stating the following (see attachment):

    Am I doing this correctly?
     


  9. CPham

    CPham Private E-2

    F11 led me to the Recovery Manager (see attachment).

    I am worried that if I continued it would do a full wipe of my system.
     


  10. CPham

    CPham Private E-2

    The issue has been resolved!

    I downloaded Norton Power Eraser, performed a scan, and removed "services.exe".

    Windows Update now functions properly. Thank you for your efforts in assisting me with this issue.

    Hopefully others who have the same issue will give this a try! :)
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.
    Most likely not completely.

    If you deleted the services.exe file, you would have major problems running Windows. Thus it could not have deleted it. What we were going to be doing was to replace the file with a clean backup copy hidden in another folder on your PC.

    However, there were other components of this infection besides the services.exe file that have to be removed, and there could be additional damage to Windows that needs to be repaired. I advise you to run the below now so that a full checkup and complete fix (if necessary) can be performed:


    READ & RUN ME FIRST. Malware Removal Guide


    Strongly not recommended. Consider yourself the lucky one of hundreds who have run Norton Power Eraser and then had a totally unusable PC. Norton Power Eraser (NPE) is known to delete required and necessary Windows files, which then breaks the operating system completely. Since Windows is not running when you run NPE, the operating system files are not protected and you are not blocked from removing them, which can have seriously bad side effects. So unless NPE has made a lot of changes to how their program works to avoid deleting required system files and has made it possible for the program to search for any replacements on a PC to use to repair the problem, I would not recommend using it to fix problems like this.

    So while I'm happy to hear it seems to have worked for you and has not broken your PC, I recommend against it except as a last resort.
     
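The fix chaslang describes in posts 4 and 11 (boot to the Recovery Environment, then replace the patched C:\Windows\system32\services.exe with a clean copy kept elsewhere on the disk) hinges on two checks: is the live file still Microsoft-signed, and is there a signed copy of the same binary to swap in. The PowerShell below is an added example for doing those two checks; it is not FRST, not MajorGeeks' procedure, and not part of the original thread. It assumes an administrator session, that the Windows folder of the system under test is at `$WinDir` (the default is the running system; point it at e.g. D:\Windows when the infected disk is attached to another Windows installation), and it only reports. It does not replace anything.

```powershell
# Added example, not from the original thread. Reports whether services.exe
# still carries a valid Microsoft Authenticode signature and lists signed
# copies in the WinSxS component store that could serve as a replacement.
# Assumptions: run as administrator; $WinDir is the Windows folder to check
# (change it, e.g. to D:\Windows, when the disk is mounted from another OS).
param([string]$WinDir = $env:SystemRoot)

function Get-Sha256Hex([string]$Path) {
    # .NET hashing so this also works on PowerShell 2.0 (Windows 7 default),
    # which has Get-AuthenticodeSignature but not Get-FileHash.
    $sha   = [System.Security.Cryptography.SHA256]::Create()
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    ($sha.ComputeHash($bytes) | ForEach-Object { $_.ToString('x2') }) -join ''
}

function Test-SystemFileSignature([string]$Path) {
    # Status is 'Valid' for an untouched Microsoft binary; a file patched
    # in place fails the embedded hash check ('HashMismatch') or has had
    # its signature stripped ('NotSigned').
    $sig = Get-AuthenticodeSignature -FilePath $Path
    New-Object PSObject -Property @{
        Path    = $Path
        Version = (Get-Item $Path).VersionInfo.FileVersion
        Signer  = $(if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' })
        Status  = $sig.Status
        Sha256  = Get-Sha256Hex $Path
    } | Select-Object Path, Version, Signer, Status, Sha256
}

$target = Join-Path $WinDir 'System32\services.exe'
$live   = Test-SystemFileSignature $target
$live | Format-List

if ($live.Status -ne 'Valid') {
    Write-Warning "$target does not carry a valid signature; this is what a patched system file looks like."
}

# The component store keeps a copy of services.exe for each servicing level
# installed; only a copy whose own signature is 'Valid' is a replacement candidate.
$candidates = Get-ChildItem -Path (Join-Path $WinDir 'WinSxS') -Recurse -Filter 'services.exe' -ErrorAction SilentlyContinue |
    ForEach-Object { Test-SystemFileSignature $_.FullName } |
    Where-Object { $_.Status -eq 'Valid' }

'Signed copies in WinSxS:'
$candidates | Format-Table Version, Sha256, Path -AutoSize

if ($candidates | Where-Object { $_.Sha256 -eq $live.Sha256 }) {
    'Live services.exe is byte-identical to a signed copy in WinSxS.'
} else {
    'Live services.exe does not match any signed copy in WinSxS.'
}
```

Two caveats follow directly from the thread. First, a result of 'Valid' obtained from inside the running, infected system is only as trustworthy as that system: a rootkit that is already loaded can hide or substitute what a file read returns, which is exactly why chaslang insists the scan and the swap be done from the Recovery Environment rather than from Windows. Second, the script deliberately stops at reporting; copying a WinSxS file over a live services.exe is the step the thread reserves for the offline fix, and doing it blindly (or deleting the file, as post 11 explains) leaves Windows unable to boot.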
