SORRY - Patched.A issue with logs attached this time

Okay, here goes. I have a legitimately purchased, expensive software pack called Native Instruments Komplete 5 (studio software), and I went to install it on my new computer last night but could not find the serial number anywhere in my files. Making what in retrospect was a terrible decision, I decided to see if anyone had posted a working serial for this program online, and when I downloaded what I thought was going to be that serial number, I appear to have contracted the patched.a virus. My AVG software keeps warning me about (and proving unable to fix) the following files:

1. Virus identified Win64/Patched.A - object is c:\Windows\System32\services.exe (AVG says it's white-listed)

2. Trojan horse BackDoor.Generic15.CGSY - obhect is c:\Windows\assembly\GAC_32\Desktop.ini (AVG says "infected")

3. Trojan horse Generic29.ANPX - object is c:\Windows\assembly\GAC_64\Desktop.ini (AVG says "infected")

In addition to AVG's warnings, I'm also periodically getting random windows/sites opening in Chrome when I'm trying to go somewhere else. Good times.

Can someone please help? I'm desperate. Many, many thanks.

LOGS IN TWO POSTS, ONE HERE, ONE BELOW. THANKS.

 

jedodes - Patched.A problem -SECOND SET OF LOGS

Second set of logs for problem mentioned in my first post. Please note: for some reason, TDSSkiller kept running and coming back with a result of something like "There is still undetected malware," so, thinking this was part of the process, I his Scan again (the only option it gave me) a couple more times. Finally, when nothing changed, I simply rebooted the computer the way the post said it should ask me to. I ended up with two logs. One is attached, but the other is too big (635 KB) to attach. Not sure whether this matter.

Again, thanks so much for any help you can provide.

 

Re: jedodes - Patched.A problem -SECOND SET OF LOGS

Hmm, looks like this post went up right away, but my first post (with the first several logs and a longish explanation of the problem) hasn't. I'll wait to see if it just takes a few minutes, but if not, I'll repost all of that as a reply to this as well. Thanks.

 

Re: jedodes - Patched.A problem -SECOND SET OF LOGS

TRYING THIS AGAIN - FIRST SET OF LOGS AND EXPLANATION.

Okay, here goes. I have a legitimately purchased, expensive software pack called Native Instruments Komplete 5 (studio software), and I went to install it on my new computer last night but could not find the serial number anywhere in my files. Making what in retrospect was a terrible decision, I decided to see if anyone had posted a working serial for this program online, and when I downloaded what I thought was going to be that serial number, I appear to have contracted the patched.a virus. My AVG software keeps warning me about (and proving unable to fix) the following files:

1. Virus identified Win64/Patched.A - object is c:\Windows\System32\services.exe (AVG says it's white-listed)

2. Trojan horse BackDoor.Generic15.CGSY - obhect is c:\Windows\assembly\GAC_32\Desktop.ini (AVG says "infected")

3. Trojan horse Generic29.ANPX - object is c:\Windows\assembly\GAC_64\Desktop.ini (AVG says "infected")

In addition to AVG's warnings, I'm also periodically getting random windows/sites opening in Chrome when I'm trying to go somewhere else. Good times.

Can someone please help? I'm desperate. Many, many thanks.

LOGS IN TWO POSTS, ONE HERE, ONE BELOW. THANKS.

 

Thanks so much for your help. Quick question: Hitman Pro found C:\Windows\system32\services.exe (which I am to delete, right?), but not anything called "services.exe - Virus". Should I proceed with deleting the regular services.exe file mentioned above? And does it matter if it has next to it the notations "WRP" and "952"?

I will await your reply before I go ahead and delete anything.

Many thanks,
J.

 

Sorry for the delay! Okay, so first and most important, my machine appears to be running without problems right now, at least so far.

1. Hitman Pro is finding no threats at all.

2. I had to run Rogue Killer a couple of times, because I appear to have stopped it prematurely at one point, and I'm attaching the logs below. The results were a little odd:

a. Did not find [HJ] HKLM\[...]\Wow6432Node\System : ConsentPromptBehaviorAdmin (0) -> FOUND

b. Found 2 copies of [HJ] HKLM\[...]\System : EnableLUA (0) -> FOUND ---- I wasn't sure if they were both to be deleted, so I deleted neither for the moment. Should I?

c. Did not find [HJ] HKLM\[...]\Wow6432Node\System : EnableLUA (0) -> FOUND

d. Did not find [HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND

e. Did not find [HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

f. Under Files, I found only one file, but it says "REMOVED" -- I'm attaching a picture -- should I also delete?

3. I'm attaching the MGlogs result.

Again, I think my system's working all right, but I'd love to get your opinion about what else I might need to do.

Many thanks.

 

Hi, I have attached a .txt of the command prompt results. Even though the first command failed, it looks like the second succeeded. Is that right?

If so, three final things:

1) Thank you so much. I'm amazed and grateful that you volunteer your time and expertise to help people in what seem to them like maddening and impossible jams.

2) For the first time in this process, my AVG shield has detected a threat related to MGtools.exe. I've attached a picture of the threat alert. I've had AVG remove it, which it says it did successfully. But should I still be concerned about it, and if so, what do you recommend?

3) Finally, any sense of what the virus I got actually does? In particular, should I worry about it having harvested any personal data, passwords, etc.?

Again, thanks a million, and I'll await your reply.