Solved

Help disinfecting a trojan (Trojan.Win32.Genome.yucx)

Posted on 2012-04-03
974 Views
Last Modified: 2013-11-22
As of last night the computers on my network all seem to be infected with Trojan.Win32.Genome.yucx.

Nothing I'm finding online via Google searches is giving me any information.  I have Kaspersky Enterprise Space Security and it is detecting and notifying us of Trojan.Win32.Genome.yucx, but it's not disinfecting/quarantining/deleting it.

It appears this trojan is downloading other viruses (for example in this screenshot there's a file c:\windows\system32\qjtgicnv.t).
A few other alerts we've been getting related to this same trojan are:
Event Infected objects detected happened on computer xxxxxxxxx in the domain xxxxxxx on Tuesday, April 03, 2012 2:15:17 PM (GMT-05:00)
file C:\WINDOWS\system32\rhmpa.w: detected Trojan program 'Trojan.Win32.Genome.yucx'.

Event Infected objects detected happened on computer xxxxxxxxx in the domain xxxxxxx on Tuesday, April 03, 2012 2:23:51 PM (GMT-05:00)
file C:\WINDOWS\system32\qjtgicnv.t: detected Trojan program 'Trojan.Win32.Genome.yucx'.

and on and on.

The root cause appears to be the trojan, but we're not finding any steps on removing it.  Any help would be greatly appreciated.

Question by:matpancha
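The two alert lines quoted in the question have a fixed shape, so the stream of notifications can be parsed instead of read by hand. The script below is an added example, not something posted in this thread or shipped with Kaspersky: it pairs each "Event ..." header with the "file ..." line that follows it and then, per host, counts detections, distinct dropped files and the shortest interval between hits. Several different files caught under the same detection name on one machine within minutes points at a dropper that is still running, not at a cleaned file being re-flagged, which is the distinction the rest of the thread turns on. The hostnames, the domain name, the third event and the SAMPLE_ALERTS list itself are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Shape of the two event lines quoted in the question (hostname/domain were x'd out there).
EVENT_RE = re.compile(
    r"^Event Infected objects detected happened on computer (?P<host>\S+) "
    r"in the domain (?P<domain>\S+) on (?P<when>.+?) \((?P<tz>GMT[+-]\d\d:\d\d)\)\s*$"
)
FILE_RE = re.compile(r"^file (?P<path>.+?): detected Trojan program '(?P<name>[^']+)'\.?\s*$")
TIME_FMT = "%A, %B %d, %Y %I:%M:%S %p"   # "Tuesday, April 03, 2012 2:15:17 PM"

# Constructed sample: the first two events mirror the question, WS01/WS02/CORP and
# the third event are invented for the example.
SAMPLE_ALERTS = [
    "Event Infected objects detected happened on computer WS01 in the domain CORP on Tuesday, April 03, 2012 2:15:17 PM (GMT-05:00)",
    r"file C:\WINDOWS\system32\rhmpa.w: detected Trojan program 'Trojan.Win32.Genome.yucx'.",
    "",
    "Event Infected objects detected happened on computer WS01 in the domain CORP on Tuesday, April 03, 2012 2:23:51 PM (GMT-05:00)",
    r"file C:\WINDOWS\system32\qjtgicnv.t: detected Trojan program 'Trojan.Win32.Genome.yucx'.",
    "",
    "Event Infected objects detected happened on computer WS02 in the domain CORP on Tuesday, April 03, 2012 3:40:05 PM (GMT-05:00)",
    r"file C:\WINDOWS\system32\ebxkqo.f: detected Trojan program 'Trojan.Win32.Genome.yucx'.",
    "and on and on.",
]


def parse_alerts(lines):
    """Pair each 'Event ...' header with the 'file ...' line that follows it.
    Lines matching neither pattern (blank lines, free text) are skipped."""
    records, pending = [], None
    for line in lines:
        m = EVENT_RE.match(line)
        if m:
            pending = {
                "host": m["host"],
                "domain": m["domain"],
                "when": datetime.strptime(m["when"], TIME_FMT),
                "tz": m["tz"],
            }
            continue
        m = FILE_RE.match(line)
        if m and pending is not None:
            records.append({**pending, "path": m["path"], "detection": m["name"]})
            pending = None
    return records


def summarize(records):
    """Per host: number of detections, distinct dropped files and the shortest gap
    (minutes) between consecutive detections. Two or more *different* files hit
    by the same detection name on one host is the signature of a dropper that is
    still running; one file flagged again and again is more likely a repeat hit."""
    by_host = defaultdict(list)
    for r in records:
        by_host[r["host"]].append(r)
    summary = {}
    for host, recs in by_host.items():
        recs.sort(key=lambda r: r["when"])
        gaps = [(b["when"] - a["when"]).total_seconds() / 60 for a, b in zip(recs, recs[1:])]
        paths = {r["path"].lower() for r in recs}
        summary[host] = {
            "detections": len(recs),
            "distinct_files": len(paths),
            "min_gap_minutes": min(gaps) if gaps else None,
            "active_dropper_suspected": len(paths) >= 2,
        }
    return summary


if __name__ == "__main__":
    for host, s in sorted(summarize(parse_alerts(SAMPLE_ALERTS)).items()):
        print(host, s)
```

Feed it the exported Kaspersky event log instead of SAMPLE_ALERTS and the hosts with `active_dropper_suspected` set are the ones to isolate first; the `min_gap_minutes` value gives the re-infection cadence the question describes ("minutes to a couple of hours") as a number you can watch go up after each cleanup attempt.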
13 Comments
 
LVL 17

Expert Comment

by:pjam
ID: 37803044
Looks to me like Kaspersky wants you to click on OK, so it can reboot and disinfect the active threats.

Author Comment

by:matpancha
ID: 37803083
Clicking okay disinfects the latest virus which the trojan appears to be downloading - but doesn't disinfect the active trojan.

The infected file (the actual virus) is different in each scan Kaspersky does but still no disinfection of the trojan itself.

Guess I should have mentioned we are continually having end users click 'ok' to go through disinfection - BUT this is only disinfecting the latest virus that the trojan is putting on the end user system - in time (ranging from minutes to a couple of hours) the same end users will have a different virus get picked up by the Trojan Program (see screenshot and list of virus notifications - just a sampling).
LVL 32

Expert Comment

by:willcomp
ID: 37803172
Try the instructions here for malware removal on one of your client PCs. It does appear to be more of a spyware type infection. http://www.experts-exchange.com/Software/Internet_Email/Anti_Spyware/A_6550-2012-Malware-Variants.html

 
LVL 15

Expert Comment

by:Perarduaadastra
ID: 37803368
I've found that using a range of different tools from different vendors is often the only way of nailing this kind of problem (short of a format and a Windows re-install).

Eventually the malware that is actually spawning the threats being picked up by your virus scanner will be caught, but it may take so long that the aforesaid format and re-install would take much less time.

As every computer on your network is infected, the re-install option is impractical unless, quite literally, all else fails.

Have you tried Combofix from sUBs? It doesn't fix everything, but it is a very effective tool against quite a number of threats, and on XP installations it runs a rootkit check as well.
LVL 32

Expert Comment

by:willcomp
ID: 37803448
ComboFix is an excellent tool; however, I recommend using it only if the steps in my link are not completely successful. That's especially true on a networked PC.

Author Comment

by:matpancha
ID: 37803893
Thanks for all your suggestions - I'm working with Kaspersky support now, fingers crossed.
LVL 38

Expert Comment

by:younghv
ID: 37805697
Unless your systems are pretty badly out of date on OS and application patches and MS updates, I would be surprised if this is a valid infection.
It is a pretty old variant and any anti-malware protection should have blocked it.

Can you check to see if these reports started happening shortly after a Kaspersky update? There are (too) often false positives on old malware signatures following a new dat file update.

Since you can see the actual file being targeted, upload it to one of the on-line virus scanners and have it scanned.

My personal favorite is "Jotti":
http://virusscan.jotti.org/en

The site is fairly self-explanatory, but let me know if you need more help.
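Before uploading anything to Jotti or a similar multi-engine scanner, it helps to gather every file of the shape the alerts show (short random lowercase name, one-letter extension, under system32, written recently) and record a SHA-256 for each, so the same hash can be checked once and compared across machines. The script below is an added example, not part of this thread or of any Kaspersky tool. The name pattern DROPPED_NAME_RE is an assumption drawn from the two paths quoted in the question (rhmpa.w, qjtgicnv.t), the 48-hour default is arbitrary, and build_sample_tree() creates a constructed stand-in directory so the script runs offline; the file contents in it are made up.

```python
r"""Find and hash recently written files that look like the trojan's drops.

Real use (Windows, elevated prompt):  python hunt_dropped.py C:\Windows\System32 --hours 48
With no argument it scans a constructed demo tree instead of a real system32.
"""
import argparse
import hashlib
import os
import re
import tempfile
import time

# ASSUMPTION: drops look like rhmpa.w / qjtgicnv.t - 4..12 lowercase letters, one-letter extension.
DROPPED_NAME_RE = re.compile(r"^[a-z]{4,12}\.[a-z]$")


def sha256_file(path, chunk=1 << 16):
    """Streamed SHA-256 so large files do not need to be read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def find_candidates(root, max_age_hours=48, now=None):
    """Return a sorted list of (path, size, sha256) for files under root whose
    name matches DROPPED_NAME_RE and whose mtime is within max_age_hours.
    The age filter keeps old legitimate oddly named files out; a dropper that is
    still running keeps writing new files, so a recent mtime is the stronger signal."""
    now = time.time() if now is None else now
    cutoff = now - max_age_hours * 3600
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not DROPPED_NAME_RE.match(name):
                continue
            full = os.path.join(dirpath, name)
            try:
                st = os.stat(full)
            except OSError:
                continue  # locked or already removed; droppers delete files too
            if st.st_mtime < cutoff:
                continue
            found.append((full, st.st_size, sha256_file(full)))
    return sorted(found)


def build_sample_tree():
    """Constructed stand-in for system32: two fresh 'drops', one month-old file
    with a matching name, and two legitimately named files that must not match."""
    root = tempfile.mkdtemp(prefix="sys32_")

    def put(name, data, age_hours=0):
        p = os.path.join(root, name)
        with open(p, "wb") as f:
            f.write(data)
        t = time.time() - age_hours * 3600
        os.utime(p, (t, t))  # back-date mtime for the "old" case

    put("rhmpa.w", b"MZ\x90\x00dropped-1")                 # constructed content
    put("qjtgicnv.t", b"MZ\x90\x00dropped-2")              # constructed content
    put("oldleft.q", b"MZ\x90\x00old", age_hours=24 * 30)  # matches the name shape, too old
    put("kernel32.dll", b"MZ\x90\x00legit")                # digits in name: no match
    put("drivers.ini", b"[drivers]")                       # 3-letter extension: no match
    return root


if __name__ == "__main__":
    ap = argparse.ArgumentParser()
    ap.add_argument("root", nargs="?", help="directory to scan (default: constructed demo tree)")
    ap.add_argument("--hours", type=int, default=48, help="only files modified this recently")
    args = ap.parse_args()
    root = args.root or build_sample_tree()
    for path, size, digest in find_candidates(root, args.hours):
        print(f"{digest}  {size:>8}  {path}")
```

The output is one line per candidate with its hash, which is what you paste into the online scanner (or upload the file itself, as younghv suggests). If every infected box reports the same hash you have one dropped payload to identify; different hashes per box, as the author's "different in each scan" remark suggests, mean the dropper is generating fresh files and the thing to hunt is whatever keeps writing them, not the files themselves.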

Author Comment

by:matpancha
ID: 37805771
younghv - that is what I'm thinking as well.

We have everything updated on schedule via WSUS and I've confirmed that systems are up to date.

AV is through Kaspersky and managed via Kaspersky Server which is up to date.  I haven't checked to see if there was an update coinciding with the alert notification spike but will look into this.

I've also run a scan using GMER (suggestion on a few sites) and its scan is returning:


GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-04-03 18:19:53
Windows 6.1.7601 Service Pack 1
Running: gmer.exe


---- Registry - GMER 1.0.15 ----

Reg   HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\ec55f9f2c9ff                      
Reg   HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\ec55f9f2c9ff (not active ControlSet)  

From what I'm reading the BTHPORT is related to Bluetooth.
I've checked this on 2 systems I know are infected but given it's BTHPORT I'm not sure that this is related to the problem I'm having.
LVL 38

Expert Comment

by:younghv
ID: 37805829
matpancha,
A couple of our top experts use GMER and I know it is an excellent product, but I do not use it myself.

In the comment at http:#a37803172 willcomp links to an EE Article that discusses (among other things) using TDSSKILLER.
If you will go through that article and post the logs from all of the scanners/tools mentioned, I am sure that willcomp can get you squared away.

It will probably be best if you isolate any boxes showing as infected and run through all of the steps on one system, just to see the results.

I am going to be off-line for a few hours, but you are in good hands with willcomp.

Accepted Solution

by:matpancha (earned 0 total points)
ID: 37829014
Seems to be contained by doing the following (with help from Kaspersky support - specifically one rep - Bill Konner)

1) upgrade to Kaspersky System Center instead of Admin Kit.
2) upgrade all AV on all machines to KAV 8.0, and Kaspersky Endpoint Security on servers.
3) run kido killer (http://support.kaspersky.com/faq?chapter=207803878&print=true&qid=208282686)
4) run MS patches (listed on URL above)

repeat on all machines on network (workstation and server).
LVL 32

Expert Comment

by:willcomp
ID: 37830019
"no one else provided the solution" -- I didn't see any indication that you even tried what we suggested. Glad that you got it resolved, but don't label proposed solutions as ineffective if they were not tried.

Author Closing Comment

by:matpancha
ID: 37848002
No one else provided the solution.  We ended up with it after stumbling upon the rep at Kaspersky who knew the fix - and after sifting through a week's worth of reps who kept us running in circles.
