Solved

Help disinfecting a trojan (Trojan.Win32.Genome.yucx)

Posted on 2012-04-03
Last Modified: 2013-11-22
As of last night the computers on my network all seem to be infected with Trojan.Win32.Genome.yucx.

Nothing I'm finding online via Google searches is giving me any information. I have Kaspersky Enterprise Space Security and it is detecting and notifying us of Trojan.Win32.Genome.yucx, but it's not disinfecting/quarantining/deleting it.

It appears this trojan is downloading other viruses (for example in this screenshot there's a file c:\windows\system32\qjtgicnv.t).
A few other alerts we've been getting related to this same trojan are:
Event Infected objects detected happened on computer xxxxxxxxx in the domain xxxxxxx on Tuesday, April 03, 2012 2:15:17 PM (GMT-05:00)
file C:\WINDOWS\system32\rhmpa.w: detected Trojan program 'Trojan.Win32.Genome.yucx'.

Event Infected objects detected happened on computer xxxxxxxxx in the domain xxxxxxx on Tuesday, April 03, 2012 2:23:51 PM (GMT-05:00)
file C:\WINDOWS\system32\qjtgicnv.t: detected Trojan program 'Trojan.Win32.Genome.yucx'.

and on and on.

The root cause appears to be the trojan, but we're not finding any steps on removing it.  Any help would be greatly appreciated.

Question by:matpancha
13 Comments
 
LVL 17

Expert Comment

by:pjam
Looks to me like Kaspersky wants you to click on OK so it can reboot and disinfect the active threats.

Author Comment

by:matpancha
Clicking okay disinfects the latest virus which the trojan appears to be downloading - but doesn't disinfect the active trojan.

The infected file (the actual virus) is different in each scan Kaspersky does but still no disinfection of the trojan itself.

Guess I should have mentioned that we are continually having end users click 'OK' to go through disinfection, BUT this is only disinfecting the latest virus that the trojan is putting on the end user's system; in time (ranging from minutes to a couple of hours) the same end users will have a different virus get picked up by the Trojan Program (see screenshot and list of virus notifications, just a sampling).
LVL 32

Expert Comment

by:willcomp
Try the instructions here for malware removal on one of your client PCs. It does appear to be more of a spyware type infection. http://www.experts-exchange.com/Software/Internet_Email/Anti_Spyware/A_6550-2012-Malware-Variants.html
LVL 15

Expert Comment

by:Perarduaadastra
I've found that using a range of different tools from different vendors is often the only way of nailing this kind of problem (short of a format and a Windows re-install).

Eventually the malware that is actually spawning the threats being picked up by your virus scanner will be caught, but it may take so long that the aforesaid format and re-install would take much less time.

As every computer on your network is infected, the re-install option is impractical unless, quite literally, all else fails.

Have you tried Combofix from sUBs? It doesn't fix everything, but it is a very effective tool against quite a number of threats, and on XP installations it runs a rootkit check as well.
LVL 32

Expert Comment

by:willcomp
ComboFix is an excellent tool; however, I recommend using it only if the steps in my link are not completely successful. That's especially true on a networked PC.

Author Comment

by:matpancha
Thanks for all your suggestions - I'm working with Kaspersky support now, fingers crossed.
LVL 38

Expert Comment

by:younghv
Unless your systems are pretty badly out of date on OS and application patches and MS updates, I would be surprised if this is a valid infection.
It is a pretty old variant and any anti-malware protection should have blocked it.

Can you check to see if these reports started happening shortly after a Kaspersky update? There are (too) often false positives on old malware signatures following a new dat file update.

Since you can see the actual file being targeted, upload it to one of the on-line virus scanners and have it scanned.

My personal favorite is "Jotti":
http://virusscan.jotti.org/en

The site is fairly self-explanatory, but let me know if you need more help.
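Added example, not part of the thread: a small Python triage script over the two-line Kaspersky alert format quoted in the question. It answers the two questions raised above in code: whether a host keeps producing detections on different freshly dropped files (the pattern matpancha describes, which means the dropper itself is still running even though each payload gets cleaned) and whether the alerts line up with a signature-database update (the false-positive check younghv suggests). The alert lines in it are constructed to match the format on this page; the hostnames, domain name and database-update time are assumptions, since the real ones are redacted or not given here.

```python
"""Triage Kaspersky 'Infected objects detected' alerts (added example).

Parses the two-line alert text quoted in the question and reports:
  * hosts whose detections are on different files each time (the dropper
    is still running even though each payload gets cleaned), and
  * how the alerts sit relative to a signature-database update (all of
    them in a short burst right after it, none before or after, is the
    false-positive pattern).
Hostnames, domain and the update time below are assumptions: the real
values are redacted on the page or not stated.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample: file names and detection string are the ones from the
# question, everything else is made up for the example.
SAMPLE = r"""
Event Infected objects detected happened on computer WS-ACCT01 in the domain CORP on Tuesday, April 03, 2012 2:15:17 PM (GMT-05:00)
file C:\WINDOWS\system32\rhmpa.w: detected Trojan program 'Trojan.Win32.Genome.yucx'.

Event Infected objects detected happened on computer WS-ACCT01 in the domain CORP on Tuesday, April 03, 2012 2:23:51 PM (GMT-05:00)
file C:\WINDOWS\system32\qjtgicnv.t: detected Trojan program 'Trojan.Win32.Genome.yucx'.

Event Infected objects detected happened on computer WS-SALES07 in the domain CORP on Tuesday, April 03, 2012 4:02:09 PM (GMT-05:00)
file C:\WINDOWS\system32\rhmpa.w: detected Trojan program 'Trojan.Win32.Genome.yucx'.
"""

# Assumed time the Kaspersky database update landed on the clients.
ASSUMED_UPDATE_TIME = datetime(2012, 4, 3, 14, 0, tzinfo=timezone(timedelta(hours=-5)))

EVENT_RE = re.compile(
    r"^Event Infected objects detected happened on computer (?P<host>\S+) "
    r"in the domain (?P<domain>\S+) on (?P<when>.+?) "
    r"\(GMT(?P<sign>[+-])(?P<hh>\d\d):(?P<mm>\d\d)\)$"
)
FILE_RE = re.compile(r"^file (?P<path>.+?): detected .*?'(?P<name>[^']+)'\.$")


@dataclass(frozen=True)
class Alert:
    host: str
    domain: str
    when: datetime  # timezone-aware, using the GMT offset from the alert
    path: str
    detection: str


def _parse_when(m: re.Match) -> datetime:
    """'Tuesday, April 03, 2012 2:15:17 PM' + '(GMT-05:00)' -> aware datetime."""
    offset = timedelta(hours=int(m["hh"]), minutes=int(m["mm"]))
    if m["sign"] == "-":
        offset = -offset
    naive = datetime.strptime(m["when"], "%A, %B %d, %Y %I:%M:%S %p")
    return naive.replace(tzinfo=timezone(offset))


def parse_alerts(text: str) -> list[Alert]:
    """Pair each 'Event ...' line with the 'file ...' line that follows it."""
    alerts, pending = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        ev = EVENT_RE.match(line)
        if ev:
            pending = ev
            continue
        f = FILE_RE.match(line)
        if f and pending is not None:
            alerts.append(Alert(pending["host"], pending["domain"],
                                _parse_when(pending), f["path"], f["name"]))
            pending = None
    return alerts


def hosts_still_dropping(alerts: list[Alert], min_files: int = 2) -> dict[str, list[str]]:
    """Hosts with at least min_files distinct detected paths. A new file on
    every scan means the cleaning is hitting payloads, not the dropper."""
    by_host: dict[str, set[str]] = defaultdict(set)
    for a in alerts:
        by_host[a.host].add(a.path.lower())
    return {h: sorted(p) for h, p in by_host.items() if len(p) >= min_files}


def update_correlation(alerts: list[Alert], update_time: datetime,
                       window: timedelta = timedelta(hours=1)) -> dict:
    """Count alerts before the database update, in the burst window right
    after it, and later. Everything in the burst and nothing before or after
    is what a bad signature looks like; detections that keep coming for hours
    afterwards (as in this thread) point to a live infection instead."""
    before = sum(1 for a in alerts if a.when < update_time)
    burst = sum(1 for a in alerts if update_time <= a.when < update_time + window)
    later = len(alerts) - before - burst
    return {"before": before, "burst": burst, "later": later,
            "looks_like_fp": before == 0 and later == 0 and burst > 0}


if __name__ == "__main__":
    found = parse_alerts(SAMPLE)
    print(f"{len(found)} alerts parsed")
    for host, paths in hosts_still_dropping(found).items():
        print(f"{host}: dropper still active, {len(paths)} distinct payloads: {paths}")
    print(update_correlation(found, ASSUMED_UPDATE_TIME))
```

Feed it the exported event log from the Kaspersky administration console instead of SAMPLE and set ASSUMED_UPDATE_TIME from the console's database-update task history; a host that shows up in hosts_still_dropping is the one to isolate and work through the removal steps on first, as suggested further down the thread.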

Author Comment

by:matpancha
younghv - that is what I'm thinking as well.

We have everything updated on schedule via WSUS and I've confirmed that systems are up to date.

AV is through Kaspersky and managed via Kaspersky Server, which is up to date. I haven't checked to see if there was an update coinciding with the alert notification spike but will look into this.

I've also run a scan using GMER (suggested on a few sites) and its scan is returning:


GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-04-03 18:19:53
Windows 6.1.7601 Service Pack 1
Running: gmer.exe


---- Registry - GMER 1.0.15 ----

Reg   HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\ec55f9f2c9ff                      
Reg   HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\ec55f9f2c9ff (not active ControlSet)  

From what I'm reading, BTHPORT is related to Bluetooth.
I've checked this on 2 systems I know are infected, but given it's BTHPORT I'm not sure that this is related to the problem I'm having.
LVL 38

Expert Comment

by:younghv
matpancha,
A couple of our top experts use GMER and I know it is an excellent product, but I do not use it myself.

In the comment at http:#a37803172 willcomp links to an EE Article that discusses (among other things) using TDSSKILLER.
If you will go through that article and post the logs from all of the scanners/tools mentioned, I am sure that willcomp can get you squared away.

It will probably be best if you isolate any boxes showing as infected and run through all of the steps on one system, just to see the results.

I am going to be off-line for a few hours, but you are in good hands with willcomp.

Accepted Solution

by:
matpancha earned 0 total points
Seems to be contained by doing the following (with help from Kaspersky support, specifically one rep, Bill Konner):

1) upgrade to Kaspersky System Center instead of Admin Kit.
2) upgrade all AV on all machines to KAV 8.0, and Kaspersky Endpoint Security on servers.
3) run kido killer (http://support.kaspersky.com/faq?chapter=207803878&print=true&qid=208282686)
4) run MS patches (listed on URL above)

Repeat on all machines on the network (workstations and servers).
LVL 32

Expert Comment

by:willcomp
"no one else provided the solution" -- I didn't see any indication that you even tried what we suggested. Glad that you got it resolved, but don't label proposed solutions as ineffective if they were not tried.

Author Closing Comment

by:matpancha
No one else provided the solution. We ended up with it after stumbling upon the rep at Kaspersky who knew the fix, and after sifting through a week's worth of reps who kept us running in circles.