Am I infecting metafilter with a virus by just asking this question??
October 3, 2011 6:43 AM

Virus removal help! I seem to have a katusha.a infection on our laptop. AVG said it removed it, it came back, now AVG won't run correctly. MalWarebytes doesn't seem to run at all. All the instructions I can find online seem to be "Download OUR awesome virus cleaner!" Can you hope me? Please explain everything to me as if I am a cavewoman. I am considering hitting it with a hammer.

I have Windows XP, and can use the kids' laptop to download stuff if that helps. Do I need to change all my passwords in the world using the other computer?
posted by artychoke to Computers & Internet (16 answers total) 2 users marked this as a favorite
Best answer: People are going to recommend deezil's profile, and it is good. I recommend bleepingcomputer, although individual posts are tailored for individuals. People there will walk you through removal step by step if you post a new thread.

From what I'm seeing looking at that thread, you're going to be way, way ahead if you just nuke it from orbit and reinstall. Use a life-disc to backup any files you need, and format/reinstall.

I say that assuming you aren't really experienced with this kind of thing.

If you want to quickly see if you can be rid of it, get RKill, and run it, then try MalwareBytes or SuperAntiSpyware Portable. If you can complete the scans at that point, it's probably removable---however please note that just running the scans and "fixing" will almost certainly NOT remove the infection completely.
posted by TomMelee at 6:52 AM on October 3, 2011

Pretty much everything that TomMelee said, try bleepingcomputer & rkill first, but yes, you may have to format & reinstall. Good luck!
posted by kellyblah at 7:29 AM on October 3, 2011

I would run a system restore to a date before the virus took effect.
posted by JohnE at 7:45 AM on October 3, 2011

Best answer: Hit up deezil's profile, and drop AVG, they're not as good as they used to be.
posted by Sphinx at 8:09 AM on October 3, 2011

Response by poster: Rkill ran, but it didn't say it'd terminated anything.

Processes terminated by Rkill or while it was running:

Rkill completed on 10/03/2011 at 9:28:11.

AVG still won't run. I redownloaded and repaired and it started the scan then failed. It was saying that Anti-Virus and Identity Protection were disabled. Now only Identity Protection is off, but the Anti-Virus still won't work. It starts to scan and then immediately finishes and says "No Threats." (Sometimes it scans 222 files and then stops.)

I ran rkill another time (a file with a different name from bleeping computer) and it now says it closed the following:
C:\Program Files\AVG\AVG2012\avgdiagex.exe
That looks like it just terminated AVG, right?

If I back up things and then nuke everything, will I be putting the virus back on the clean computer from the backup drive? Bleeping computer gives me instructions to back up everything, but it seems like it's too late to clone the hard drive, right? We have a backup drive, so I know most of the pictures and music will be on there, but I'm not sure if it'll restore the programs. Is it safe to copy files off of the infected computer and then copy them back on after I reformat?

JohnE, I did a system restore last week, which seemed to fix a lot, but it came back. The last few times I tried to system restore, it said that there were no changes to my computer and that the restore failed.

Last week, before all of this started, we had decided to dump AVG and download Windows Security. That seems to be where all the trouble started. MalWareBytes won't even open.
posted by artychoke at 8:14 AM on October 3, 2011

Response by poster: Ahh, and now I'm reading deezil's profile. I think it is answering a bunch of my questions of a moment ago. I will continue reading over there first before updating again.
posted by artychoke at 8:18 AM on October 3, 2011

Best answer: On the bleepingcomputer site they have a tool called combofix. It works wonders and I've cleaned many a system with it.
posted by dgran at 8:19 AM on October 3, 2011

Best answer: System restore is a bad idea. Most modern trojans will infect restore files as well.

Yes, it's too late to clone. Not sure what your "backup drive" system is; is it just copying your documents and music? In that case, you should be fine. You want a full system recovery if you decide to nuke, with either the recovery disc or the recovery partition, making sure to not select repair and to format the existing partition before you install.

That bleeping computer thread I linked to covers some issues w/ permissions---it would seem that you've got no permissions on several files, which could mean system files have been replaced with infected versions. It could also just be an effective trojan locking you out. There are instructions in that thread to regain permissions.

If someone brought this system to me for repair (and yes, I have a small business), I believe I would boot into admin account from safe mode w/ networking. Run RKill then ComboFix. Run CCleaner to nuke all temp files and recycle bin. Using CCleaner or Revo Uninstaller, I would check my startup entries (In Revo, that's TOOLS then Startup) and uncheck everything that wasn't important. Then I would run MalwareBytes. Then depending on what the results of that was, I'd reboot into normal mode, and run rkill and MalwareBytes again.
posted by TomMelee at 8:42 AM on October 3, 2011
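The question of whether files copied off the infected laptop can safely go back onto the reformatted one, and the answer that plain documents and music are fine, come down to not restoring anything Windows can execute. The following is an added example, not code from this thread: a small Python script that walks a backup tree and separates files safe to restore from files to leave behind, using both the file extension and the "MZ" program header (so a program renamed to .jpg is still caught, which goes a step beyond the thread's advice). The sample backup set it builds is constructed for the demonstration.

```python
import os
import tempfile

# Extensions Windows will run directly or that carry active content. Plain
# documents, pictures and music never need these, so they are excluded from
# the restore set rather than copied back onto a freshly formatted machine.
# (This list is the example's own choice, not taken from the thread.)
RISKY_EXTENSIONS = {
    ".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".vbe", ".js",
    ".jse", ".wsf", ".hta", ".cpl", ".dll", ".sys", ".lnk", ".msi", ".reg",
}


def looks_like_pe(path):
    """True if the file starts with the 'MZ' DOS/PE header, whatever its name."""
    with open(path, "rb") as fh:
        return fh.read(2) == b"MZ"


def triage(root):
    """Walk a backup tree and split it into files safe to restore and files to skip.

    Returns {"safe": [relpath, ...], "risky": [(relpath, reason), ...]}, both sorted.
    """
    safe, risky = [], []
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            ext = os.path.splitext(name)[1].lower()
            if ext in RISKY_EXTENSIONS:
                risky.append((rel, "executable or script extension " + ext))
            elif looks_like_pe(full):
                # A renamed program: malware likes to hide behind .jpg or .pdf names.
                risky.append((rel, "PE header despite extension " + (ext or "(none)")))
            else:
                safe.append(rel)
    return {"safe": sorted(safe), "risky": sorted(risky)}


def build_sample_tree():
    """Create a constructed backup set in a temp directory and return its path."""
    root = tempfile.mkdtemp(prefix="backup_triage_")
    files = {
        "Pictures/vacation.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,  # real JPEG header
        "Pictures/funny.jpg": b"MZ\x90\x00\x03\x00" + b"\x00" * 16,    # PE renamed to .jpg
        "Music/song.mp3": b"ID3\x03\x00" + b"\x00" * 16,               # MP3 with ID3 tag
        "Documents/letter.doc": b"\xd0\xcf\x11\xe0" + b"\x00" * 16,    # OLE2 compound file
        "Documents/notes.txt": b"shopping list\n",
        "Documents/invoice.pdf.exe": b"MZ\x90\x00" + b"\x00" * 16,     # double extension
    }
    for rel, data in files.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    report = triage(build_sample_tree())
    for rel, reason in report["risky"]:
        print("LEAVE BEHIND", rel, "-", reason)
    for rel in report["safe"]:
        print("restore", rel)
```

Point it at the backup drive instead of the sample tree to get a list of what to copy back and what to leave on the old disk; documents that embed macros are not caught by this check, so the extension list is a floor, not a guarantee.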

And for the record, no antivirus that doesn't nag you to DEATH can prevent infections you willingly click on, which typically come in the shape of illicit flash, java, or nasty PDF's. 9 times out of 10, someone's been looking at porn on unreputable websites or clicking stupid crap out of someone else's facebook, e.g. "See who is viewing your profile!" Microsoft Security Essentials should not be the problem, you may have downloaded it from the wrong place though. More likely though, it's not the issue.

You can protect yourself, a few minutes in the beginning will save you a lot of headaches down the road.
posted by TomMelee at 8:45 AM on October 3, 2011

If Malwarebytes won't run, try renaming the .exe to .com and try it.
posted by Obscure Reference at 9:08 AM on October 3, 2011

One thing you need to understand is that most of these virus and malware programs tend to set themselves up to load every time you restart Windows. One way to avoid this is to start Windows in Safe Mode with Network Support, which only loads the bare essentials to run Windows and lets you get out on the Internet.

You can boot to safe mode usually by hitting the F8 key during the time that your monitor first starts displaying words and/or images during the start or boot up process.

Your computer may also tell you how to get to safe mode on the boot up screen.

Once you get started in safe mode, you can usually run your antivirus program or redownload Malwarebytes and run that to fix the problem.

This would be a good place to start the process of getting things right on your computer. If this doesn't work, let us know and let us know what is happening when you attempt to fix the problem.
posted by mygoditsbob at 11:49 AM on October 3, 2011

Try this free antivirus:

Another option is booting another OS from CD like Knoppix

posted by yoyo_nyc at 12:10 PM on October 3, 2011 [1 favorite]

Response by poster: YAAAAAAYYYY!! Thank you everyone! ComboFix + Malwarebytes worked. I ran the Combofix, then Malwarebytes. MWB didn't find anything, so I restarted and ran a complete MWB scan again and it still didn't find anything new. I'll keep checking, but everything seems to be working now.

Do I need to change my online passwords? I've entered some passwords lately because I kept thinking AVG had gotten rid of the virus and then it would return. I will keep checking, but it seems better now.
posted by artychoke at 3:11 PM on October 3, 2011

Response by poster: 9 times out of 10, someone's been looking at porn on unreputable websites

Oh, and erm, no porn, but someone MAY have been watching old episodes of Friends on some sketchy websites. Which may be more embarrassing than porn...
posted by artychoke at 3:26 PM on October 3, 2011 [1 favorite]

Best answer: It wouldn't hurt to change them, it never does. Invest the 30 minutes it takes to get LastPass working perfectly for you and never look back.

Be on the lookout for any browser redirects or funny popups or surprise slowdowns.

Also, consider Adblock Plus + Flashblock while you run Chrome or Firefox. Just my 2c.
posted by TomMelee at 4:19 PM on October 3, 2011

PreventionFilter: Run NoScript with Firefox. It's a very minor pain to have to enable a script (or 2 or 3...) the first time you visit a website, but I don't know how people sleep at night without it.
posted by Xoebe at 4:39 PM on October 4, 2011
