VBS:Malware-gen ... autorun.inf keeps creating itself in USB drives..

Hey there, I’m new to these boards and I really need help getting rid of this problem. Every time I plug in a flash drive or anything in a USB slot, the file autorun.inf keeps coming up. Deleting it won’t get rid of it as the virus just makes a new autorun.inf file. I really need help, I’ve done a boot-time scan and found a few things, corrected them, but still haven’t been able to get rid of this problem.

Here are the details of the autorun.inf file from the virus chest.

Scanning of selected files

Action was completed successfully!

Virus has been detected!
File Name: autorun.inf
FileID: 20
Virus Description: VBS:Malware-gen

Can anyone help me get rid of this? Thanks

I also had a variant of this nasty one - I think it was called nhatquanlan - do a Google search, it will help in getting rid of it. It makes all files into folders, hides folder options in explorer and is particularly difficult to get rid of. I was in limited account mode so it could not alter the registry or install itself, but my/shared documents folders all got hit and I had to manually delete all the nonsense it created. A friend (from whose USB drive I got it) running in admin mode, simply could not get back and had to re-install the OS.

I am surprised that despite having avast! updated, you got this one. Use tweakxp to turn off auto play for all removable drives.

Maybe others will have more suggestions or point out if I am wrong about what you have.

Maybe this helps:

- Download Flash Drive Disinfector and save it to your desktop.
- Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
- The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
- Wait until it has finished scanning and then exit the program.
- Reboot your computer when done.
- Note: Flash Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don’t delete this folder… it will help protect your drives from future infection.

It could be a new variant of Kavo/Tavo/s00l infection… Have you noticed any warning from the antirootkit module?

The same thing keeps happening to me!

Then take the action suggested by Tech as that is a preventative measure to prevent autorun.inf files being created in the future.

Contained in the autorun.inf file are commands to run other files and this is the true payload.

Using notepad, can you post the contents of the autorun.inf file?

Then you could see if the files that it mentions are actually on your system.
Upload the file/s to VirusTotal, and send a sample to avast if there are multiple detections at VT (see below).

Check the suspect file/s at: VirusTotal - Multi engine on-line virus scanner and report the findings here in the topic, the URL in the Address bar of the VT results page. If multiple scanners find these infected send the samples to avast for analysis and inclusion in the virus database.

Send the sample to virus@avast.com zipped and password protected with the password in email body, a reference to this topic (give URL) and undetected malware in the subject.

Or you can also add the file to the User Files (File, Add) section of the avast chest (if it isn’t already there) where it can do no harm and send it from there. A copy of the file/s will remain in the original location, so you will need to take further action and can remove/rename that.

Send it from the User Files section of the chest (select the file, right click, email to Alwil Software). It will be uploaded (not actually emailed) to avast when the next avast auto (or manual) update is done.
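
The check suggested in this thread (read autorun.inf, then see whether the files it mentions are actually on the drive), as an added example that is not part of the original posts. The function names and the sample autorun.inf are constructed for illustration, and a temporary directory stands in for the USB drive; a folder named autorun.inf, as left by the disinfector tool mentioned above, is reported separately from a file.

```python
import os
import re
import tempfile

# [autorun] keys that make Windows launch something from the drive.
LAUNCH_KEY = re.compile(r"^(open|shellexecute|shell\\[^\\=]+\\command)$", re.I)
# Constructed sample; sample.vbs and missing.exe are placeholder names.
SAMPLE = ("[AutoRun]\n;padding line\nopen=wscript.exe //e:vbscript sample.vbs\n"
          "shell\\explore\\command=missing.exe\nicon=folder.ico\n")

def launch_commands(text):
    """Return (key, command) pairs from the [autorun] section."""
    found, in_autorun = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        if line.startswith("["):
            in_autorun = line.lower() == "[autorun]"
            continue
        key, sep, value = line.partition("=")
        if in_autorun and sep and LAUNCH_KEY.match(key.strip()):
            found.append((key.strip().lower(), value.strip()))
    return found

def on_drive(root, token):
    """True if a command token names an existing file relative to the drive root."""
    rel = token.replace("\\", "/").lstrip("/")
    return ":" not in rel and os.path.isfile(os.path.join(root, *rel.split("/")))

def check_drive(root):
    """Report launch commands in root/autorun.inf; a folder of that name is not a script."""
    inf = os.path.join(root, "autorun.inf")
    if not os.path.isfile(inf):
        return {"status": "folder" if os.path.isdir(inf) else "absent", "commands": []}
    with open(inf, encoding="latin-1") as fh:
        commands = launch_commands(fh.read())
    report = []
    for key, command in commands:
        tokens = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', command)]
        report.append({"key": key, "command": command,
                       "present": [t for t in tokens if on_drive(root, t)]})
    return {"status": "file", "commands": report}

def demo():
    with tempfile.TemporaryDirectory() as root:
        for name, body in (("autorun.inf", SAMPLE), ("sample.vbs", "")):
            with open(os.path.join(root, name), "w") as fh:
                fh.write(body)
        return check_drive(root)
```

Calling `check_drive` with the root of a real drive gives the same report; the files listed under `present` are the ones to upload for scanning.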