AVG Forums » Other topics » Virus Removal, Tools for Removing » Katusha.a & Associated Trojan
Page 1 of 5
October 15, 2011 20:06 Katusha.a & Associated Trojan #176967
heresiarchs
Novice
Join Date: 15.10.2011
Posts: 2
I am running AVG version 10.0.1410, Virus DB 1522/3951 on Windows XP. A scan turned up 9 copies of Win32/Katusha.A and 20 copies of BackDoor.Generic14.AVBQ (list of Trojan horse paths is below). All copies of Katusha.A have been moved to the Virus Vault, but the copies of the Trojan horse are still showing as "Infected". When I try to remove the unhealed items, a popup displays the warning, "Do you want to force the threat removal? Forced removal can cause system instability or even crash." I have not yet attempted to force the threat removal; should I?

After the initial scan that turned up these threats, all further scans have been automatically aborted seconds in. I have also tried to run scans with Malwarebytes' Anti-Malware and SUPERAntiSpyware free edition, program version 4.54.1000; those scans also aborted and the programs became corrupted such that they would no longer open.

How can I safely remove this malware? Thank you in advance.

Paths for Trojan horse BackDoor.Generic14.AVBQ:
C:\WINDOWS\system32\svchost.exe (1804)
C:\WINDOWS\system32\svchost.exe (1308)
C:\WINDOWS\system32\spoolsv.exe (1680)
C:\WINDOWS\system32\lsass.exe (972)
C:\WINDOWS\assembly\GAC_MSIL\Desktop.ini
C:\WINDOWS\assembly\GAC_MSIL\Desktop.ini
C:\WINDOWS\assembly\GAC_MSIL\Desktop.ini
C:\WINDOWS\assembly\GAC_MSIL\Desktop.ini
C:\WINDOWS\assembly\GAC_MSIL\Desktop.ini
C:\WINDOWS\assembly\GAC_MSIL\Desktop.ini
C:\WINDOWS\assembly\GAC_MSIL\Desktop.ini
C:\WINDOWS\assembly\GAC_MSIL\Desktop.ini
C:\WINDOWS\assembly\GAC_MSIL\Desktop.ini
C:\WINDOWS\assembly\GAC_MSIL\Desktop.ini
C:\Program Files\Java\jre6\bin\jqs.exe (248)
C:\Program Files\iTunes\iTunesHelper.exe (3992)
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe (1820)
C:\Program Files\Bonjour\mDNSResponder.exe (1972)
C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe (668)
C:\Program Files\AVG\AVG10\avgwdsvc.exe (1940)
October 16, 2011 00:24 Re: Katusha.a & Associated Trojan #177007
BIG AL 43
Moderator
Join Date: 19.6.2014
Posts: 0
@ heresiarchs

As a first step, scan your computer with updated AVG Rescue CD. To update the AVG Rescue CD have a look @ this link http://forums.avg.com/ww-en/avg-free-forum?sec=thread&act=show&id=170938#post_170938. You can also update from within the program http://www.avg.com/ww-en/226386#net_update.

Afterwards, update your AVG, perform full system scan and provide us with results if there is still anything detected.

We will also need both GMER outputs.


AVG Free Volunteer Moderator
AVG Free Forum member since - Nov. 27, 2004
My total posts on the Old AVG Free Forum - 27,063
Alan
How-To Articles | FAQ | Free Support
October 21, 2011 12:44 Re: Katusha.a & Associated Trojan #177947
f3promo
Novice
Join Date: 21.10.2011
Posts: 11
BACKDOOR.GENERIC14.AVBQ & WIN32/KATUSHA.A..

Hi!
On 20 October 2011, while on the Internet, I received from AVG a warning message of a virus attack. The virus having been automatically sent to the Vault, I started a complete scan that lasted nearly two hours, identifying 14 occurrences of "Win32/Katusha.A", and 2 of "BackDoor.Generic14.AVBQ".

All applications affected by Win32/Katusha.A had been automatically sent to the Vault, the Backdoor trojans remaining apparently unaffected. I tried to modify them manually through a slight name alteration. This worked as far as "WINDOWS\system32\services.exe", but I could not find "assembly\GAC_MSIL\Desktop.ini", which might have moved somewhere else...

As happened to all victims who reported in a forum, my AVG 10 program stopped functioning at that stage, and so did other tools installed (Malwarebytes, IObit ASC); as to Spybot, it seems to have remained operational, yet ineffective. Likewise, all attempts to uninstall/reinstall or to update AVG were unsuccessful, leaving my computer totally unprotected.

Having experienced some booting difficulty, an alteration of the work capacity of my computer due to memory overload, plus an unstable connection on LAN, I can only confirm all warnings: that sort of attack should be taken most seriously, with immediate security measures, such as limiting to a minimum the connections on Internet, and beforehand transferring all sensitive files on an external device (bank information, privacy, classified work files, etc.). If it is not already too late, since it seems that in my case there had been an abnormal activity on LAN, at once...

Since the rescue and recovery program is neutralized as well, the radical solution would be to reformat the hard disk, then reinstall all necessary software. Probably my option for the future, but beforehand I am determined to better understand how so many people could have been affected, in spite of regular maintenance and protective tools. My reason for following your informative advice and trying to prompt an AVG scan with an external support (I tried a USB flash but it kept booting on Windows; I shall try with a booting CD next).

It would indeed be most interesting to get a report on what happened since the original attack. I suspect that such a report should trace the intruder's reaction to my vain attempt to check further with Spybot, and my abortive attempt to clean with Malwarebyte. Also, it should be interesting to know whether the application "WINDOWS\system32\services.exe", which regenerates a clone each time I rename it, is still infected...

On first analysis, Win32/Katusha.A attacks all identifiable protective programs (see my AVG report hereunder), to the effect that they are neutralized (essential applications put to Vault) and cannot be uninstalled properly. Likewise, it affects various tools installed, as well as online applications that could help cure the problem (search device, CD burning, rescue & recovery, online update services, etc.)

As to BackDoor.Generic14.AVBQ, all I can say is that it resulted in some overloading LAN activity in the early stage of the infection. Which prompted me to back up all personal files offline... and to modify the BIOS setup so as to block the "boot on LAN" priority feature (an irresponsible Lenovo preset!) As it stands today, the swap file is at more or less 550 Mo, with 800 Mo of memory load, while I keep my laptop idle! Another feature which I noticed is that Internet addresses tend now to be redirected to interface websites.

By the way, does anyone know where the infected "assembly\GAC_MSIL\Desktop.ini" might have migrated, and what its original purpose is? Thanks.

C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe_Virus identified Win32/Katusha.A
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe_Virus identified Win32/Katusha.A
C:\Program Files\Lenovo\System Update\SUService.exe_Virus identified Win32/Katusha.A
C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe_Virus identified Win32/Katusha.A
C:\Program Files\Lenovo\Rescue and Recovery\ADM\IUService.exe_Virus identified Win32/Katusha.A
C:\Program Files\Java\jre6\bin\jqs.exe_Virus identified Win32/Katusha.A
C:\Program Files\IObit\Advanced SystemCare 4\ASCService.exe_Virus identified Win32/Katusha.A
C:\Program Files\Fichiers communs\Lenovo\tvt_reg_monitor_svc.exe_Virus identified Win32/Katusha.A
C:\Program Files\Fichiers communs\Lenovo\Scheduler\tvtsched.exe_Virus identified Win32/Katusha.A
C:\Program Files\Fichiers communs\Lenovo\Logger\logmon.exe_Virus identified Win32/Katusha.A
C:\Program Files\CDBurnerXP\NMSAccessU.exe_Virus identified Win32/Katusha.A
C:\Program Files\Canon\CAL\CALMAIN.exe_Virus identified Win32/Katusha.A
C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe_Virus identified Win32/Katusha.A
C:\Program Files\AVG\AVG10\avgchsvx.exe_Virus identified Win32/Katusha.A
C:\WINDOWS\system32\services.exe (1672)_Trojan horse BackDoor.Generic14.AVBQ
C:\WINDOWS\assembly\GAC_MSIL\Desktop.ini_Trojan horse BackDoor.Generic14.AVBQ
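The listing above and the one in heresiarchs's first post use the same two line shapes: a bare path (sometimes followed by a PID in parentheses for a running process) and, in the report format, the path followed by "_Virus identified NAME" or "_Trojan horse NAME". The following is an added example, not AVG's tooling and not code from any poster: it parses that report format, re-joins the wrapped last line the way it appears on the page, groups hits by detection name, separates process hits (those with a PID) from on-disk files, and flags the patterns both posters describe, namely security products being hit and a trojan verdict on a non-executable file such as Desktop.ini. The list of security-product directories is an assumption drawn from the tools named in this thread; the sample report is constructed from the 16 entries above.

```python
"""Triage an AVG scan listing of the kind pasted in this thread (added example)."""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: the 16 entries from f3promo's post above, with the last
# entry wrapped onto two lines exactly as it is on the page.
SAMPLE_REPORT = r"""
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe_Virus identified Win32/Katusha.A
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe_Virus identified Win32/Katusha.A
C:\Program Files\Lenovo\System Update\SUService.exe_Virus identified Win32/Katusha.A
C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe_Virus identified Win32/Katusha.A
C:\Program Files\Lenovo\Rescue and Recovery\ADM\IUService.exe_Virus identified Win32/Katusha.A
C:\Program Files\Java\jre6\bin\jqs.exe_Virus identified Win32/Katusha.A
C:\Program Files\IObit\Advanced SystemCare 4\ASCService.exe_Virus identified Win32/Katusha.A
C:\Program Files\Fichiers communs\Lenovo\tvt_reg_monitor_svc.exe_Virus identified Win32/Katusha.A
C:\Program Files\Fichiers communs\Lenovo\Scheduler\tvtsched.exe_Virus identified Win32/Katusha.A
C:\Program Files\Fichiers communs\Lenovo\Logger\logmon.exe_Virus identified Win32/Katusha.A
C:\Program Files\CDBurnerXP\NMSAccessU.exe_Virus identified Win32/Katusha.A
C:\Program Files\Canon\CAL\CALMAIN.exe_Virus identified Win32/Katusha.A
C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe_Virus identified Win32/Katusha.A
C:\Program Files\AVG\AVG10\avgchsvx.exe_Virus identified Win32/Katusha.A
C:\WINDOWS\system32\services.exe (1672)_Trojan horse BackDoor.Generic14.AVBQ
C:\WINDOWS\assembly\GAC_MSIL\Desktop.ini_Trojan horse BackDoor.Generic14.
AVBQ
"""

# One report line: drive-letter path (shortest match, so underscores inside the
# path are fine), an optional " (PID)" for process hits, then the verdict.
LINE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?)"
    r"(?: \((?P<pid>\d+)\))?"
    r"_(?P<verdict>Virus identified|Trojan horse) "
    r"(?P<name>\S+)$"
)

# Assumption: install directories of the protection tools named in this thread.
SECURITY_DIRS = ("\\AVG\\", "\\IObit\\", "\\Malwarebytes", "\\SUPERAntiSpyware",
                 "\\Rescue and Recovery\\", "\\Spybot")
EXECUTABLE_EXT = (".exe", ".dll", ".sys", ".scr", ".com")


@dataclass
class Detection:
    path: str
    name: str
    verdict: str
    pid: Optional[int] = None
    flags: List[str] = field(default_factory=list)


def _join_wrapped(lines):
    """Re-attach continuation lines (ones not starting with a drive letter)."""
    out = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if re.match(r"^[A-Za-z]:\\", line) or not out:
            out.append(line)
        else:
            out[-1] += line
    return out


def parse_report(text):
    """Parse report text into Detection records with triage flags attached."""
    hits = []
    for line in _join_wrapped(text.splitlines()):
        m = LINE_RE.match(line)
        if not m:
            continue  # not a detection line (headers, chatter)
        d = Detection(path=m["path"], name=m["name"], verdict=m["verdict"],
                      pid=int(m["pid"]) if m["pid"] else None)
        low = d.path.lower()
        if d.pid is not None:
            d.flags.append("in-memory")       # reported against a running process
        if any(s.lower() in low for s in SECURITY_DIRS):
            d.flags.append("security-tool")   # the protection software itself was hit
        if not low.endswith(EXECUTABLE_EXT):
            d.flags.append("non-executable")  # e.g. Desktop.ini with a trojan verdict
        if "\\windows\\system32\\" in low:
            d.flags.append("system32")        # core OS component involved
        hits.append(d)
    return hits


def summarize(hits):
    """Count hits per detection name and list paths per triage flag."""
    by_flag = defaultdict(list)
    for h in hits:
        for f in h.flags:
            by_flag[f].append(h.path)
    return {"total": len(hits),
            "by_name": dict(Counter(h.name for h in hits)),
            "by_flag": dict(by_flag)}


if __name__ == "__main__":
    summary = summarize(parse_report(SAMPLE_REPORT))
    print(summary["by_name"])
    for flag, paths in summary["by_flag"].items():
        print(f"{flag}: {len(paths)}", *paths, sep="\n  ")
```

Running it on the sample separates the single process hit (services.exe, PID 1672) from the 15 on-disk files, and shows five of the Katusha hits landing inside security or recovery tooling, which matches the posters' observation that every cleanup tool stopped working once the infection took hold.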
October 21, 2011 14:46 Re: Katusha.a & Associated Trojan #177968
Dusan Obert
Administrator
Join Date: 12.8.2009
Posts: 1595
Hello f3promo,

Please try to download and run the specialized remover tool.
The tool should reboot the computer and attempt to remove the infection prior to OS boot.

Afterwards, attempt to fully reinstall AVG. If you're not sure about 32 or 64 bit on your system have a look @ this link http://forums.avg.com/ww-en/avg-free-forum?sec=thread&act=show&id=140471#post_140471.

If the AVG still does not work, scan your computer with updated Rescue CD as described above.
Then provide us with both GMER outputs.

Thank you

EDIT by BIG AL 43: 32/64-bit info added.
AVG Team
How-To articles | FAQ | Free Support
October 22, 2011 11:07 Re: Katusha.a & Associated Trojan #178042
f3promo
Novice
Join Date: 21.10.2011
Posts: 11
BackDoor.Generic unequal battle..

Hi!

Thank you so much for your prompt reply.
I shall proceed as you advised, then will communicate all possible feedback.
Although not familiar with programming, I hope this dreadful experience may help understand the behaviour of the beast.

It seems the attack is spreading very rapidly on my system (on a Windows Explorer or a browser prompt, for instance), affecting the Google search engine on Internet, to the extent of substituting the requested page for another one, working as an interface.

In the past hours, I tried many tools, every one crashing after a while, although I could collect minimal indications (on a casual DOS boot, for instance, until it crashed when asked to delete a BackDoor.Generic...)

Although renamed, Hijackthis was soon recognized when asked to run a scan. I deleted it and reinstalled it time and again, hoping to read anything from its logging, but had no time to do so.

So far, 3 viruses have been identified:
BackDoor.Generic14, the core of the conspiracy;
Win32:Katusha.A
Win32:Tiny-AMB [Rtk]

There may be more, since a similar attack was reported on a forum, with a 4th virus involved. So far, the recognized infections on my system concern over 40 applications, all being exe or ini.

Thanks!
October 22, 2011 11:12 Re: Katusha.a & Associated Trojan #178043
f3promo
Novice
Join Date: 21.10.2011
Posts: 11
... I made a mistake, as far as the title of my previous post.
Sorry for that!
October 22, 2011 11:38 Re: Katusha.a & Associated Trojan #178045
f3promo
Novice
Join Date: 21.10.2011
Posts: 11
Just a warning to forum members:

So far 3 web-search pages substituted themselves in the process of my Google searches on virus definitions. The latest occurrence may be indicative:
"spywareremove.com", which has the worst possible WOT reputation (tens of complaints from people, some reporting that they had been offered to buy a removal tool that turned out to be a rogue/spyware...)
October 22, 2011 13:13 Re: Katusha.a & Associated Trojan #178053
Jimboat
Novice
Join Date: 25.10.2010
Posts: 15
AVG Didn't Prevent Backdoor.Generic14 Trojan..

I have AVG Free 9.0, currently updated. It identified the Backdoor.Generic14.avbq trojan, but did not prevent it. Unfortunately it also could not remove the virus, since it had already infected system files.

Is this normal functionality? If so, what is the point of having virus protection software if it can't detect the virus until it's already too late?

This trojan is sufficiently serious that only a complete OS replacement and full disk restore was a satisfactory fix.
October 22, 2011 13:30 Re: Katusha.a & Associated Trojan #178055
Jimboat
Novice
Join Date: 25.10.2010
Posts: 15
Backdoor.Generic14.avbq trojan..

I have exactly same problems. I am anxious to hear of your solution, if possible.
October 23, 2011 22:02 Re: Katusha.a & Associated Trojan #178204
f3promo
Novice
Join Date: 21.10.2011
Posts: 11
@ Jimboat: compassion, mate!
Having run through a number of forums where people reported similar - if not identical - attacks, and considering that most of those computers were duly protected with regularly updated programs (including paid ones, with high reputation), one should be fair with AVG Free...
In my case, AVG 10 properly gave me a warning sign while I was doing some Google search on the net, but was not able to prevent the intrusion. I have been using AVG Free for years in risky out-of-home environments, and it for sure prevented me from a number of catastrophes.
That particular cocktail of viruses is thoroughly programmed so as to get control with as little notice as possible:
opened on booting, Spybot Search & Destroy did not react (in fact, when prompted to scan, it ended up with the "congratulations" page...)
a file of IObit Advanced SystemCare was infected, so that it ignores the malware
all rescue & recovery points were altered, so as to reproduce the infection
so were the manufacturer's specific files for online system recovery
moreover, AVG found similar infections in both CD burning programs on my computer, with an evident purpose
although originally untouched, Malwarebytes' Anti-Malware collapsed at the start of the scanning process, which indicates a very responsive pest
so did HijackThis, totally neutralized
As to AVG Free, it worked perfectly, yet just once, since it ironically put to the Vault two of its essential files reported as infected (maybe just a virus signature)...
As soon as I was warned, I had started an AVG scan. And that is where I made a mistake, for not having anticipated the seriousness of the intrusion: I should have modified the parameters so as to have a log report without any action. Instead, all "Katusha" infections were sent to the Vault, whereas both Windows system files with the "Backdoor" infection could not be cured nor deleted.

@ Dusan Obert
Unfortunately, the light AVG tool failed to prompt a reboot. Instead, it started a scan and soon collapsed, leaving a neutralized file which cannot be deleted, just like for HijackThis and the presumably Vaulted file of AVG when it collapsed.
I managed to get both GMER logs, revealing a number of inaccuracies in the registry, which I shall attempt to cure manually, as well as much rootkit activity. So I shall next try to remove two identified threats (with TDSSKiller):
C:\WINDOWS\4034094749:1654230031.exe (Rootkit.Win32.PMax.gen)
C:\WINDOWS\system32\DRIVERS\avgtdix.sys (Rootkit.Win32.ZAccess.g)
Thank you so much for your attention!