Help disinfecting a trojan (Trojan.Win32.Genome.yucx)

As of last night the computers on my network all seem to be infected with Trojan.Win32.Genome.yucx.

Nothing I'm finding online via Google searches is giving me any information. I have Kaspersky Enterprise Space Security and it is detecting and notifying us of Trojan.Win32.Genome.yucx, but it's not disinfecting/quarantining/deleting it.

It appears this trojan is downloading other viruses (for example in this screenshot there's a file c:\windows\system32\qjtgicnv.t).
A few other alerts we've been getting related to this same trojan are:
Event Infected objects detected happened on computer xxxxxxxxx in the domain xxxxxxx on Tuesday, April 03, 2012 2:15:17 PM (GMT-05:00)
file C:\WINDOWS\system32\rhmpa.w: detected Trojan program 'Trojan.Win32.Genome.yucx'.

Event Infected objects detected happened on computer xxxxxxxxx in the domain xxxxxxx on Tuesday, April 03, 2012 2:23:51 PM (GMT-05:00)
file C:\WINDOWS\system32\qjtgicnv.t: detected Trojan program 'Trojan.Win32.Genome.yucx'.

and on and on.

The root cause appears to be the trojan, but we're not finding any steps on removing it. Any help would be greatly appreciated.

matpanchaAsked:
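The alert notifications quoted in the question come in two-line records (an "Event ... happened on computer ..." line followed by a "file ...: detected ..." line). The following is an added example, not code from the question or from Kaspersky: a Python script that parses such records, groups them per host, measures how quickly detections recur on each machine, and flags the pattern the question describes, namely a stream of differently named short-lived files appearing under system32. Host names, the domain name and the third and fourth records are constructed for the example; the filename pattern used for "dropper-like" is an assumption drawn from the two paths quoted above, not a published indicator.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample alerts in the same shape as the notifications quoted in
# the question. Host names (WS-01, WS-02), the domain (CORP) and the file
# kqzvlm.d are made up for illustration.
SAMPLE_ALERTS = """\
Event Infected objects detected happened on computer WS-01 in the domain CORP on Tuesday, April 03, 2012 2:15:17 PM (GMT-05:00)
file C:\\WINDOWS\\system32\\rhmpa.w: detected Trojan program 'Trojan.Win32.Genome.yucx'.

Event Infected objects detected happened on computer WS-01 in the domain CORP on Tuesday, April 03, 2012 2:23:51 PM (GMT-05:00)
file C:\\WINDOWS\\system32\\qjtgicnv.t: detected Trojan program 'Trojan.Win32.Genome.yucx'.

Event Infected objects detected happened on computer WS-02 in the domain CORP on Tuesday, April 03, 2012 3:02:10 PM (GMT-05:00)
file C:\\WINDOWS\\system32\\kqzvlm.d: detected Trojan program 'Trojan.Win32.Genome.yucx'.

Event Infected objects detected happened on computer WS-02 in the domain CORP on Tuesday, April 03, 2012 3:05:44 PM (GMT-05:00)
file C:\\WINDOWS\\system32\\kqzvlm.d: detected Trojan program 'Trojan.Win32.Genome.yucx'.
"""

# First line of a record: who, where and when.
EVENT_RE = re.compile(
    r"^Event (?P<event>.+?) happened on computer (?P<host>\S+) in the domain (?P<domain>\S+) "
    r"on (?P<when>.+?) \((?P<tz>GMT[+-]\d{2}:\d{2})\)$"
)
# Second line of a record: the object and the detection name.
FILE_RE = re.compile(r"^file (?P<path>.+?): detected (?P<kind>.+?) '(?P<name>[^']+)'\.$")
TIME_FMT = "%A, %B %d, %Y %I:%M:%S %p"

# Assumed heuristic: a short all-letter basename with a one- or two-letter
# extension, as in rhmpa.w and qjtgicnv.t. Legitimate system32 files rarely
# look like this, so it is a useful triage signal, not a proof of infection.
DROPPER_NAME_RE = re.compile(r"^[a-z]{4,12}\.[a-z]{1,2}$")


def dropper_like(path):
    """True if the path is a randomly-named-looking file directly in system32."""
    p = path.replace("/", "\\").lower()
    directory, _, name = p.rpartition("\\")
    return directory.endswith("\\system32") and bool(DROPPER_NAME_RE.match(name))


def parse_alerts(text):
    """Pair each Event line with the file line that follows it."""
    alerts = []
    pending = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = EVENT_RE.match(line)
        if m:
            pending = m.groupdict()
            pending["time"] = datetime.strptime(pending["when"], TIME_FMT)
            continue
        m = FILE_RE.match(line)
        if m and pending is not None:
            alerts.append({**pending, **m.groupdict()})
            pending = None
    return alerts


def summarize(alerts):
    """Per-host view: how often detections recur and whether the files keep changing."""
    by_host = defaultdict(list)
    for a in alerts:
        by_host[a["host"]].append(a)
    report = {}
    for host, items in by_host.items():
        items.sort(key=lambda a: a["time"])
        times = [a["time"] for a in items]
        gaps = [(later - earlier).total_seconds() for earlier, later in zip(times, times[1:])]
        paths = {a["path"].lower() for a in items}
        report[host] = {
            "detections": len(items),
            "distinct_files": len(paths),
            "dropper_like": sum(dropper_like(p) for p in paths),
            "min_gap_seconds": min(gaps) if gaps else None,
            # Different dropper-like names on the same host over a short span
            # is the "something keeps writing new files" pattern from the question.
            "recurring_dropper": len(paths) > 1 and all(dropper_like(p) for p in paths),
        }
    return report


if __name__ == "__main__":
    for host, row in sorted(summarize(parse_alerts(SAMPLE_ALERTS)).items()):
        print(host, row)
```

With the constructed input, WS-01 shows two different dropper-like files eight and a half minutes apart (the case in the question, where cleaning each new file does not stop the next one), while WS-02 shows the same file flagged twice, which points at a file that is being re-detected rather than replaced. Feeding the real notification export through the same parser gives a per-host re-infection cadence that is easier to compare against the timing of signature updates than scrolling through individual alerts.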
matpanchaAuthor Commented:
Seems to be contained by doing the following (with help from Kaspersky support - specifically one rep - Bill Konner)

1) upgrade to Kaspersky System Center instead of Admin Kit.
2) upgrade all AV on all machines to KAV 8.0, and Kaspersky Endpoint Security on servers.
3) run kido killer (http://support.kaspersky.com/faq?chapter=207803878&print=true&qid=208282686)
4) run MS patches (listed on URL above)

repeat on all machines on network (workstation and server).
pjamCommented:
Looks to me like Kaspersky wants you to click on OK, so it can reboot and disinfect the active threats.
matpanchaAuthor Commented:
Clicking okay disinfects the latest virus which the trojan appears to be downloading - but doesn't disinfect the active trojan.

The infected file (the actual virus) is different in each scan Kaspersky does but still no disinfection of the trojan itself.

Guess I should have mentioned we are continually having end users click 'OK' to go through disinfection, BUT this is only disinfecting the latest virus that the trojan is putting on the end user system. In time (ranging from minutes to a couple of hours) the same end users will have a different virus get picked up by the Trojan Program (see screenshot and list of virus notifications, just a sampling).
willcompCommented:
Try the instructions here for malware removal on one of your client PCs. It does appear to be more of a spyware type infection. http://www.experts-exchange.com/Software/Internet_Email/Anti_Spyware/A_6550-2012-Malware-Variants.html
PerarduaadastraCommented:
I've found that using a range of different tools from different vendors is often the only way of nailing this kind of problem (short of a format and a Windows re-install).

Eventually the malware that is actually spawning the threats being picked up by your virus scanner will be caught, but it may take so long that the aforesaid format and re-install would take much less time.

As every computer on your network is infected, the re-install option is impractical unless, quite literally, all else fails.

Have you tried Combofix from sUBs? It doesn't fix everything, but it is a very effective tool against quite a number of threats, and on XP installations it runs a rootkit check as well.
willcompCommented:
ComboFix is an excellent tool; however, I recommend using it only if the steps in my link are not completely successful. That's especially true on a networked PC.
matpanchaAuthor Commented:
Thanks for all your suggestions - I'm working with Kaspersky support now, fingers crossed.
younghvCommented:
Unless your systems are pretty badly out of date on OS and application patches and MS updates, I would be surprised if this is a valid infection.
It is a pretty old variant and any anti-malware protection should have blocked it.

Can you check to see if these reports started happening shortly after a Kaspersky update? There are (too) often false positives on old malware signatures following a new dat file update.

Since you can see the actual file being targeted, upload it to one of the on-line virus scanners and have it scanned.

My personal favorite is "Jotti":
http://virusscan.jotti.org/en

The site is fairly self-explanatory, but let me know if you need more help.
matpanchaAuthor Commented:
younghv - that is what I'm thinking as well.

We have everything updated on schedule via WSUS and I've confirmed that systems are up to date.

AV is through Kaspersky and managed via Kaspersky Server which is up to date. I haven't checked to see if there was an update coinciding with the alert notification spike but will look into this.

I've also run a scan using GMER (suggested on a few sites) and its scan returns:

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-04-03 18:19:53
Windows 6.1.7601 Service Pack 1
Running: gmer.exe

---- Registry - GMER 1.0.15 ----

Reg   HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\ec55f9f2c9ff
Reg   HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\ec55f9f2c9ff (not active ControlSet)

From what I'm reading the BTHPORT is related to Bluetooth.
I've checked this on 2 systems I know are infected, but given it's BTHPORT I'm not sure that this is related to the problem I'm having.
younghvCommented:
matpancha,
A couple of our top experts use GMER and I know it is an excellent product, but I do not use it myself.

In the comment at http:#a37803172 willcomp links to an EE Article that discusses (among other things) using TDSSKILLER.
If you will go through that article and post the logs from all of the scanners/tools mentioned, I am sure that willcomp can get you squared away.

It will probably be best if you isolate any boxes showing as infected and run through all of the steps on one system, just to see the results.

I am going to be off-line for a few hours, but you are in good hands with willcomp.
willcompCommented:
"no one else provided the solution" -- I didn't see any indication that you even tried what we suggested. Glad that you got it resolved, but don't label proposed solutions as ineffective if they were not tried.
matpanchaAuthor Commented:
No one else provided the solution. We ended up with it after stumbling upon the rep at Kaspersky who knew the fix, and after sifting through a week's worth of reps who kept us running in circles.