

Help disinfecting a trojan (Trojan.Win32.Genome.yucx)

Posted on 2012-04-03
Medium Priority
Last Modified: 2013-11-22
As of last night the computers on my network all seem to be infected with Trojan.Win32.Genome.yucx.

Nothing I'm finding online via Google searches is giving me any information.  I have Kaspersky Enterprise Space Security and it is detecting and notifying us of Trojan.Win32.Genome.yucx, but it's not disinfecting/quarantining/deleting it.

It appears this trojan is downloading other viruses (for example in this screenshot there's a file c:\windows\system32\qjtgicnv.t).
A few other alerts we've been getting related to this same trojan are:
Event Infected objects detected happened on computer xxxxxxxxx in the domain xxxxxxx on Tuesday, April 03, 2012 2:15:17 PM (GMT-05:00)
file C:\WINDOWS\system32\rhmpa.w: detected Trojan program 'Trojan.Win32.Genome.yucx'.

Event Infected objects detected happened on computer xxxxxxxxx in the domain xxxxxxx on Tuesday, April 03, 2012 2:23:51 PM (GMT-05:00)
file C:\WINDOWS\system32\qjtgicnv.t: detected Trojan program 'Trojan.Win32.Genome.yucx'.

and on and on.

The root cause appears to be the trojan, but we're not finding any steps on removing it.  Any help would be greatly appreciated.

Question by:matpancha
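The notifications quoted above have a fixed layout, so they can be parsed into a per-host timeline and checked for the two things the thread goes on to argue about: whether the detected file really is a different one each time, and whether the alerts only began after a given point in time (for instance a signature update). The script below is an added example, not code from the original thread or from Kaspersky; the hostnames, domain, third event and the update timestamp used with it are constructed, and only the two notification formats shown in the question are assumed.

```python
"""
Added example (not from the original thread): parse Kaspersky Administration Kit
"Infected objects detected" notifications into structured records, build a
per-host timeline, and apply two checks the thread's discussion turns on:

  1. repeated_files(): is the same file name reported on more than one host,
     or is every detected file different?
  2. alerts_after_update(): does every alert postdate a given signature-update
     time (the "false positive after a new dat file" hypothesis)?

Hostnames, domain and the third event are constructed to match the format
quoted on the page; they are not real data.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample input, same layout as the notifications in the question.
SAMPLE_ALERTS = """\
Event Infected objects detected happened on computer WS-ACCT-01 in the domain CORP on Tuesday, April 03, 2012 2:15:17 PM (GMT-05:00)
file C:\\WINDOWS\\system32\\rhmpa.w: detected Trojan program 'Trojan.Win32.Genome.yucx'.

Event Infected objects detected happened on computer WS-ACCT-01 in the domain CORP on Tuesday, April 03, 2012 2:23:51 PM (GMT-05:00)
file C:\\WINDOWS\\system32\\qjtgicnv.t: detected Trojan program 'Trojan.Win32.Genome.yucx'.

Event Infected objects detected happened on computer WS-HR-07 in the domain CORP on Tuesday, April 03, 2012 3:02:09 PM (GMT-05:00)
file C:\\WINDOWS\\system32\\rhmpa.w: detected Trojan program 'Trojan.Win32.Genome.yucx'.
"""

EVENT_RE = re.compile(
    r"happened on computer (?P<host>\S+) in the domain (?P<domain>\S+) on "
    r"(?P<date>\w+, \w+ \d{2}, \d{4} \d{1,2}:\d{2}:\d{2} [AP]M) "
    r"\(GMT(?P<tz>[+-]\d{2}):(?P<tzmin>\d{2})\)"
)
FILE_RE = re.compile(r"^file (?P<path>.+?): detected (?P<kind>.+?) '(?P<name>[^']+)'\.$")
# Naming pattern observed in the alerts: short lowercase name, 1-2 letter extension.
SUSPECT_NAME_RE = re.compile(r"^[a-z]{4,12}\.[a-z]{1,2}$")


def parse_alerts(text):
    """Pair each 'Event ...' line with the 'file ...' line that follows it."""
    records, pending = [], None
    for line in text.splitlines():
        line = line.strip()
        m = EVENT_RE.search(line)
        if m:
            naive = datetime.strptime(m.group("date"), "%A, %B %d, %Y %I:%M:%S %p")
            sign = -1 if m.group("tz").startswith("-") else 1
            minutes = sign * (abs(int(m.group("tz"))) * 60 + int(m.group("tzmin")))
            pending = {"host": m.group("host"), "domain": m.group("domain"),
                       "time": naive.replace(tzinfo=timezone(timedelta(minutes=minutes)))}
            continue
        m = FILE_RE.match(line)
        if m and pending is not None:
            rec = dict(pending)
            rec["path"], rec["detection"] = m.group("path"), m.group("name")
            rec["basename"] = rec["path"].rsplit("\\", 1)[-1]
            rec["suspect_name"] = bool(SUSPECT_NAME_RE.match(rec["basename"]))
            records.append(rec)
            pending = None
    return records


def timeline_by_host(records):
    """Per-host alert list in time order, with the gap to the previous alert in minutes."""
    by_host = defaultdict(list)
    for r in sorted(records, key=lambda r: r["time"]):
        prev = by_host[r["host"]][-1]["time"] if by_host[r["host"]] else None
        gap = (r["time"] - prev).total_seconds() / 60 if prev else None
        by_host[r["host"]].append({**r, "gap_min": gap})
    return dict(by_host)


def repeated_files(records):
    """File names reported on more than one host, mapped to those hosts."""
    seen = defaultdict(set)
    for r in records:
        seen[r["basename"]].add(r["host"])
    return {name: hosts for name, hosts in seen.items() if len(hosts) > 1}


def alerts_after_update(records, update_time):
    """True if every alert is later than update_time (an aware datetime)."""
    return all(r["time"] > update_time for r in records)


if __name__ == "__main__":
    recs = parse_alerts(SAMPLE_ALERTS)
    for host, events in timeline_by_host(recs).items():
        print(host)
        for e in events:
            print(f"  {e['time'].isoformat()}  gap={e['gap_min']}  {e['basename']}  suspect={e['suspect_name']}")
    print("names seen on several hosts:", repeated_files(recs))
    # Constructed update time for the check; replace with the real dat-update time.
    update = datetime(2012, 4, 3, 14, 0, tzinfo=timezone(timedelta(hours=-5)))
    print("all alerts after update:", alerts_after_update(recs, update))
```

Feed it the full export of notifications from the Kaspersky console; a first alert on every host within minutes of one signature update, and no alert before it, is the pattern that supports the false-positive reading, whereas alerts spread over hours with steadily changing file names on a few hosts first is what a spreading infection looks like.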
LVL 17

Expert Comment

ID: 37803044
Looks to me like Kaspersky wants you to click on OK, so it can reboot and disinfect the active threats.

Author Comment

ID: 37803083
Clicking okay disinfects the latest virus which the trojan appears to be downloading - but doesn't disinfect the active trojan.

The infected file (the actual virus) is different in each scan Kaspersky does but still no disinfection of the trojan itself.

Guess I should have mentioned we are continually having end users click 'OK' to go through disinfection - BUT this is only disinfecting the latest virus that the trojan is putting on the end user system. In time (ranging from minutes to a couple of hours) the same end users will have a different virus get picked up by the Trojan Program (see screenshot and list of virus notifications - just a sampling).
LVL 32

Expert Comment

ID: 37803172
Try the instructions here for malware removal on one of your client PCs. It does appear to be more of a spyware type infection. http://www.experts-exchange.com/Software/Internet_Email/Anti_Spyware/A_6550-2012-Malware-Variants.html

LVL 15

Expert Comment

ID: 37803368
I've found that using a range of different tools from different vendors is often the only way of nailing this kind of problem (short of a format and a Windows re-install).

Eventually the malware that is actually spawning the threats being picked up by your virus scanner will be caught, but it may take so long that the aforesaid format and re-install would take much less time.

As every computer on your network is infected, the re-install option is impractical unless, quite literally, all else fails.

Have you tried Combofix from sUBs? It doesn't fix everything, but it is a very effective tool against quite a number of threats, and on XP installations it runs a rootkit check as well.
LVL 32

Expert Comment

ID: 37803448
ComboFix is an excellent tool; however, I recommend using it only if the steps in my link are not completely successful. That's especially true on a networked PC.

Author Comment

ID: 37803893
Thanks for all your suggestions - I'm working with Kaspersky support now, fingers crossed.
LVL 38

Expert Comment

ID: 37805697
Unless your systems are pretty badly out of date on OS and application patches and MS updates, I would be surprised if this is a valid infection.
It is a pretty old variant and any anti-malware protection should have blocked it.

Can you check to see if these reports started happening shortly after a Kaspersky update? There are (too) often false positives on old malware signatures following a new dat file update.

Since you can see the actual file being targeted, upload it to one of the on-line virus scanners and have it scanned.

My personal favorite is "Jotti":

The site is fairly self-explanatory, but let me know if you need more help.
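Before uploading a file to an online scanner it is worth collecting its hash, size and timestamp, partly so it can be looked up by hash where the scanner supports that, and partly because comparing hashes across the differently named files tells you whether you are looking at one payload under many names or at genuinely different files. The script below is an added example, not from the thread or from Kaspersky; the file-name pattern it searches for is the one visible in the alerts above (short lowercase name, one- or two-letter extension), and the sample directory and file contents are constructed so it runs offline. On a real host you would point it at C:\Windows\System32.

```python
"""
Added example (not from the original thread): triage candidate files in a
directory by name pattern, record SHA-256 / size / mtime for each, and group
them by hash so renamed copies of one payload stand out.

build_sample_dir() creates constructed files in a temp directory so the script
runs anywhere; the names mirror the ones in the alerts, the contents are fake.
"""
import hashlib
import os
import re
import tempfile
from datetime import datetime, timezone

# Naming pattern observed in the alerts: short lowercase name, 1-2 letter extension.
SUSPECT_NAME_RE = re.compile(r"^[a-z]{4,12}\.[a-z]{1,2}$")


def sha256_of(path, chunk=1 << 20):
    """Stream the file through SHA-256 so large files do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def triage(directory):
    """Return matching regular files, newest first, with hash, size and UTC mtime."""
    findings = []
    for name in os.listdir(directory):
        if not SUSPECT_NAME_RE.match(name):
            continue
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            continue
        st = os.stat(path)
        findings.append({
            "name": name,
            "size": st.st_size,
            "sha256": sha256_of(path),
            "mtime": datetime.fromtimestamp(st.st_mtime, tz=timezone.utc),
        })
    findings.sort(key=lambda f: f["mtime"], reverse=True)
    return findings


def group_by_hash(findings):
    """Map each SHA-256 to the file names carrying it; >1 name means a renamed copy."""
    groups = {}
    for f in findings:
        groups.setdefault(f["sha256"], []).append(f["name"])
    return groups


def build_sample_dir():
    """Constructed sample: one fake payload under two names, a second fake payload,
    and a legitimately named DLL that the name filter must leave alone."""
    d = tempfile.mkdtemp(prefix="triage_")
    payload_a = b"MZ" + bytes(range(256)) * 4   # fake content, not a real PE
    payload_b = b"MZ" + b"\x90" * 300           # fake content, not a real PE
    for name, data in [("rhmpa.w", payload_a), ("qjtgicnv.t", payload_a),
                       ("zkfwhe.cf", payload_b), ("kernel32.dll", b"not real")]:
        with open(os.path.join(d, name), "wb") as fh:
            fh.write(data)
    return d


if __name__ == "__main__":
    sample = build_sample_dir()
    results = triage(sample)
    for f in results:
        print(f"{f['mtime'].isoformat()}  {f['size']:>8}  {f['sha256'][:16]}...  {f['name']}")
    for digest, names in group_by_hash(results).items():
        if len(names) > 1:
            print(f"same content under {len(names)} names: {names}")
```

Keep the hash list per host; if the same SHA-256 turns up across hosts under different names, one sample is enough to submit, and the hash alone is what you search for on the scanner first.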

Author Comment

ID: 37805771
youngv - that is what I'm thinking as well.

We have everything updated on schedule via WSUS and I've confirmed that systems are up to date.

AV is through Kaspersky and managed via Kaspersky Server, which is up to date.  I haven't checked to see if there was an update coinciding with the alert notification spike but will look into this.

I've also run a scan using GMER (suggested on a few sites) and its scan is returning:

GMER - http://www.gmer.net
Rootkit scan 2012-04-03 18:19:53
Windows 6.1.7601 Service Pack 1
Running: gmer.exe

---- Registry - GMER 1.0.15 ----

Reg   HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\ec55f9f2c9ff
Reg   HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\ec55f9f2c9ff (not active ControlSet)

From what I'm reading the BTHPORT is related to Bluetooth.
I've checked this on 2 systems I know are infected, but given it's BTHPORT I'm not sure that this is related to the problem I'm having.
LVL 38

Expert Comment

ID: 37805829
A couple of our top experts use GMER and I know it is an excellent product, but I do not use it myself.

In the comment at http:#a37803172 willcomp links to an EE Article that discusses (among other things) using TDSSKILLER.
If you will go through that article and post the logs from all of the scanners/tools mentioned, I am sure that willcomp can get you squared away.

It will probably be best if you isolate any boxes showing as infected and run through all of the steps on one system, just to see the results.

I am going to be off-line for a few hours, but you are in good hands with willcomp.

Accepted Solution

matpancha earned 0 total points
ID: 37829014
Seems to be contained by doing the following (with help from Kaspersky support - specifically one rep - Bill Konner)

1) upgrade to Kaspersky System Center instead of Admin Kit.
2) upgrade all AV on all machines to KAV 8.0, and Kaspersky Endpoint Security on servers.
3) run Kido Killer (http://support.kaspersky.com/faq?chapter=207803878&print=true&qid=208282686)
4) run MS patches (listed on URL above)

repeat on all machines on network (workstation and server).
LVL 32

Expert Comment

ID: 37830019
"no one else provided the solution" -- I didn't see any indication that you even tried what we suggested. Glad that you got it resolved, but don't label proposed solutions as ineffective if they were not tried.

Author Closing Comment

ID: 37848002
No one else provided the solution.  We ended up with it after stumbling upon the rep at Kaspersky who knew the fix - and after sifting through a week's worth of reps who kept us running in circles.
