I am running AVG version 10.0.1410, Virus DB 1522/3951 on Windows XP. A scan turned up 9 copies of Win32/Katusha.A and 20 copies of BackDoor.Generic14.AVBQ (list of Trojan horse paths is below). All copies of Katusha.A have been moved to the Virus Vault, but the copies of the Trojan horse are still showing as "Infected". When I try to remove the unhealed items, a popup displays the warning, "Do you want to force the threat removal? Forced removal can cause system instability or even crash." I have not yet attempted to force the threat removal; should I?
After the initial scan that turned up these threats, all further scans have been automatically aborted seconds in. I have also tried to run scans with Malwarebytes' Anti-Malware and SUPERAntiSpyware free edition, program version 4.54.1000; those scans also aborted and the programs became corrupted such that they would no longer open.
How can I safely remove this malware? Thank you in advance.
On 20 October 2011, while on the Internet, I received from AVG a warning message of a virus attack. The virus having been automatically sent to the Vault, I started a complete scan that lasted nearly two hours, identifying 14 occurrences of "Win32/Katusha.A" and 2 of "BackDoor.Generic14.AVBQ".
All applications affected by Win32/Katusha.A had been automatically sent to the Vault, while the Backdoor trojans were apparently left untouched. I tried to modify them manually through a slight name alteration. This worked as far as "WINDOWS\system32\services.exe" was concerned, but I could not find "assembly\GAC_MSIL\Desktop.ini", which might have moved somewhere else...
As happened to all the victims who reported in a forum, my AVG 10 program stopped functioning at that stage, and so did the other tools installed (Malwarebytes, IObit ASC); as for Spybot, it seems to have remained operational, yet ineffective. Likewise, all attempts to uninstall/reinstall or update AVG were unsuccessful, leaving my computer totally unprotected.
Having experienced some booting difficulty, a degradation of my computer's performance due to memory overload, plus an unstable LAN connection, I can only confirm all the warnings: that sort of attack should be taken most seriously, with immediate security measures, such as limiting Internet connections to a minimum and, beforehand, transferring all sensitive files (bank information, private data, classified work files, etc.) to an external device. If it is not already too late, since it seems that in my case there had been abnormal activity on the LAN, at once...
Since the rescue and recovery program has been neutralized as well, the radical solution would be to reformat the hard disk, then reinstall all the necessary software. That is probably my option for the future, but beforehand I am determined to better understand how so many people could have been affected in spite of regular maintenance and protective tools. Hence my following your informative advice and trying to run an AVG scan from external media (I tried a USB flash drive, but it kept booting into Windows; I shall try a bootable CD next).
It would indeed be most interesting to get a report on what happened since the original attack. I suspect that such a report should trace the intruder's reaction to my vain attempt to check further with Spybot and my abortive attempt to clean with Malwarebytes. Also, it would be interesting to know whether the application "WINDOWS\system32\services.exe", which regenerates a clone each time I rename it, is still infected...
On first analysis, Win32/Katusha.A attacks all identifiable protective programs (see my AVG report hereunder), to the effect that they are neutralized (essential applications sent to the Vault) and cannot be uninstalled properly. Likewise, it affects various installed tools, as well as online applications that could help cure the problem (search tool, CD burning, rescue & recovery, online update services, etc.)
As to BackDoor.Generic14.AVBQ, all I can say is that it resulted in some overloading LAN activity in the early stage of the infection, which prompted me to back up all personal files offline... and to modify the BIOS setup so as to disable the "boot on LAN" priority feature (an irresponsible Lenovo preset!). As it stands today, the swap file is at more or less 550 MB, with 800 MB of memory in use, while I keep my laptop idle! Another feature I noticed is that Internet addresses now tend to be redirected to interface websites.
By the way, does anyone know where the infected "assembly\GAC_MSIL\Desktop.ini" might have migrated, and what its original purpose is? Thanks.
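Two offline checks a practitioner would run against the two symptoms reported in this post, as an added example that is not part of the thread, of AVG, or of any tool named here: a Desktop.ini flagged as a backdoor is a text-named file carrying executable bytes, and a services.exe that "regenerates" when renamed can be compared by hash against the Windows File Protection copy kept in system32\dllcache. The directory tree is constructed: the paths imitate those in the post, the contents are synthetic byte patterns, and the two assumptions (a genuine Desktop.ini never starts with the "MZ" stub of a PE image; the dllcache copy is a clean reference) are stated in the code.

```python
"""Two offline checks for the symptoms reported above.

Added example, not from this thread or from AVG. Everything under
build_sample_tree() is a constructed fixture whose paths imitate the ones
the poster reported (WINDOWS\\system32\\services.exe,
WINDOWS\\assembly\\GAC_MSIL\\Desktop.ini); the file contents are synthetic.
Assumptions: a genuine Desktop.ini is a short [.ShellClassInfo] text file
and never begins with the 'MZ' stub that every Windows PE image carries;
and the dllcache copy of a system binary is a clean reference for the live one.
"""
import hashlib
import os
import tempfile

PE_MAGIC = b"MZ"                              # DOS stub at offset 0 of every PE image
TEXT_EXTENSIONS = {".ini", ".txt", ".log"}    # extensions that should never hold a PE image


def sha256_of(path, chunk=65536):
    """Hex SHA-256 of a file, read in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def is_pe_image(path):
    """True if the file starts with 'MZ'. Unreadable files count as not-PE."""
    try:
        with open(path, "rb") as fh:
            return fh.read(len(PE_MAGIC)) == PE_MAGIC
    except OSError:
        return False


def relpath_posix(path, root):
    """Path relative to root with forward slashes, so results compare on any OS."""
    return os.path.relpath(path, root).replace(os.sep, "/")


def find_masquerading_text_files(root):
    """Files whose extension says text/config but whose first bytes say executable."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() in TEXT_EXTENSIONS:
                full = os.path.join(dirpath, name)
                if is_pe_image(full):
                    hits.append(relpath_posix(full, root))
    return sorted(hits)


def hash_copies(root, filename):
    """Map SHA-256 -> paths for every copy of filename under root.
    More than one key means the copies differ: one of them has been altered."""
    copies = {}
    target = filename.lower()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() == target:
                full = os.path.join(dirpath, name)
                copies.setdefault(sha256_of(full), []).append(relpath_posix(full, root))
    return copies


def build_sample_tree(root):
    """Constructed fixture; no real malware, only byte patterns."""
    clean_stub = PE_MAGIC + b"\x00" * 62 + b"CLEAN-SERVICES-STUB"
    altered_stub = PE_MAGIC + b"\x00" * 62 + b"ALTERED-SERVICES-STUB"
    planted = PE_MAGIC + b"\x90" * 62 + b"PE-IMAGE-NAMED-DESKTOP.INI"
    genuine_ini = b"[.ShellClassInfo]\r\nIconResource=%SystemRoot%\\system32\\shell32.dll,4\r\n"
    layout = {
        "WINDOWS/system32/services.exe": altered_stub,            # live copy, differs from cache
        "WINDOWS/system32/dllcache/services.exe": clean_stub,     # Windows File Protection cache
        "WINDOWS/assembly/GAC_MSIL/Desktop.ini": planted,         # PE bytes under a text name
        "Documents and Settings/user/Desktop/Desktop.ini": genuine_ini,
    }
    for rel, content in layout.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(content)
    return root


def run_demo():
    """Build the fixture in a temp dir and run both checks; returns (hits, copies)."""
    root = build_sample_tree(tempfile.mkdtemp(prefix="katusha-demo-"))
    hits = find_masquerading_text_files(root)
    copies = hash_copies(root, "services.exe")
    return hits, copies


if __name__ == "__main__":
    found, groups = run_demo()
    print("text-named files that are PE images:", found)
    print("distinct services.exe images:", len(groups))
    for digest, paths in groups.items():
        print(f"  {digest[:16]}...  {paths}")
```

On a real machine the same two functions would be pointed at the drive root from a clean boot medium rather than at the fixture, since, as the post notes, tools run from inside the infected Windows were being killed; a live services.exe whose hash differs from the dllcache copy, or any .ini that begins with "MZ", is a file worth submitting rather than renaming.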
Thank you so much for your prompt reply.
I shall proceed as you advised, then will communicate all possible feedback.
Although not familiar with programming, I hope this dreadful experience may help in understanding the behaviour of the beast.
It seems the attack is spreading very rapidly on my system (from a Windows Explorer or a browser prompt, for instance), affecting the Google search engine on the Internet, to the extent of substituting another page, working as an interface, for the requested one.
In the past hours, I tried many tools, every one crashing after a while, although I could collect minimal indications (on a casual DOS boot, for instance, until it crashed when asked to delete a BackDoor.Generic...)
Although renamed, HijackThis was soon recognized when asked to run a scan. I deleted and reinstalled it time and again, hoping to read anything from its log, but had no time to do so.
So far, 3 viruses have been identified:
BackDoor.Generic14, the core of the conspiracy;
There may be more, since a similar attack was reported on a forum with a 4th virus involved. So far, the recognized infection on my system concerns over 40 applications, all being exe or ini.
So far, 3 web-search pages have substituted themselves in the process of my Google searches on virus definitions. The latest occurrence may be indicative:
"spywareremove.com", which has the worst possible WOT reputation (tens of complaints from people, some reporting that they had been offered to buy a removal tool that turned out to be rogue/spyware...)
I have AVG Free 9.0, currently updated. It identified the Backdoor.Generic14.avbq trojan, but did not prevent it. Unfortunately it also could not remove the virus, since it had already infected system files.
Is this normal functionality? If so, what is the point of having virus protection software if it can't detect the virus until it's already too late?
This trojan is sufficiently serious that only a complete OS replacement and full disk restore was a satisfactory fix.
@ Jimboat: compassion, mate!
Having run through a number of forums where people reported similar - if not identical - attacks, and considering that most of those computers were duly protected with regularly updated programs (including paid ones, with high reputation), one should be fair with AVG Free...
In my case, AVG 10 properly gave me a warning sign while I was doing some Google searching on the net, but was not able to prevent the intrusion. I have been using AVG Free for years in risky out-of-home environments, and it has for sure saved me from a number of catastrophes.
That particular cocktail of viruses is thoroughly programmed so as to take control with as little notice as possible:
opened on booting, Spybot Search & Destroy did not react (in fact, when prompted to scan, it ended up with the "congratulations" page...)
a file of IObit Advanced SystemCare was infected, so that it ignored the malware
all rescue & recovery points were altered, so as to reproduce the infection
so were the manufacturer's specific files for online system recovery
moreover, AVG found similar infections in both CD burning programs on my computer, with an evident purpose
although originally untouched, Malwarebytes' Anti-Malware collapsed at the start of the scanning process, which indicates a very responsive pest
so did HijackThis, totally neutralized
As to AVG Free, it worked perfectly, yet just once, since it ironically sent to the Vault two of its essential files reported as infected (maybe just a virus signature)...
As soon as I was warned, I had started an AVG scan. And that is where I made a mistake, for not having anticipated the seriousness of the intrusion: I should have modified the parameters so as to have a log report without any action. Instead, all "Katusha" infections were sent to the Vault, whereas both Windows system files with the "Backdoor" infection could neither be cured nor deleted.
@ Dusan Obert
Unfortunately, the light AVG tool failed to prompt a reboot. Instead, it started a scan and soon collapsed, leaving a neutralized file which cannot be deleted, just like HijackThis and the presumably vaulted AVG file when it collapsed.
I managed to get both GMER logs, revealing a number of inaccuracies in the registry, which I shall attempt to cure manually, as well as much rootkit activity. So next I shall try to remove two identified threats (with TDSSKiller):
Thank you so much for your attention!