Continued Win32/trickbot.ak and Win32/Kryptik.GJRP activity

[Arthur 1]

Hello. We have continued activity on different systems from these two trojans showing up on our ESET Remote Administrator. What is odd (to me) is that activity is showing up on systems that never so much as opened a web browser. ESET is terminating connections and deleting, but the logs are full of this over and over.

 

I've done some searching, but I do not know why systems continue to get reinfected, especially ones that are never logged on or use email / web browser.

 

What is the next step with this? I am not sure if getting boot logs and such from these will do anything, since its various systems doing it, so there has to be something that continues to infect them? Much help would be appreciated. Should we reach out to support?

[Marcos 5,072]

Please provide me with logs as per the instructions that I will send you momentarily via a personal message.

[itman 1,659]

In another recent posting on Win32/Kryptik, he had it on his server. From there it could spread to network devices. So I would concentrate on making sure your server is not infected with it.

[Marcos 5,072]

This is a good example of how disabling the LiveGrid feedback system can negatively affect cleaning capabilities. I've requested a suspicious file from the user's machine and recommended to enable submission of suspicious files. With that enabled, the suspicious file would have already been submitted through LiveGrid and a detection would have been added for proper recognition and cleaning.

[Arthur 1]

To follow up, I ran Windows Update on the infected systems (and all the systems, afterwards) to bring everything up to date, and it appears to have resolved the reinfection issue. Thank you.