VBS:Malware-gen makes system folder

Hello,

Used a client's flash drive to load some PowerPoint files on two machines, both with Avast 4.8 Pro. On re-boot, Avast picks up Malware-gen in the user temp folder - “msupdate”. Did a few boot scans and cleaned up temp files. Seems to have gone away. Does not reappear on re-boot anymore.

However, drives C: and E: now have a hidden system folder called CCA3. These contain 2 files and 1 folder with an executable called asx3.exe. These cannot be seen, but the properties report that content.

On re-boot a personalizing settings pop-up comes up and runs that executable. I think because I have killed off the virus, this does nothing. But how can I get rid of this autorun pop-up and the hidden folders? If I am right in looking at them as part of the virus install process.

Any help will be appreciated. Thanks

Windows XP SP2, 2 GB RAM …

Welcome, Palendrome

Your client’s system is infected and now your system is as well, due mainly, I see, to the fact that you are still running Windows Service Pack 2. You should install Windows Service Pack 3, which has been available for over a year and contains several critical security updates plus performance improvements.

Also, you should enable Automatic Updates, or at least be notified that updates are available.

Go to Control Panel, then Automatic Updates, then select Automatic (recommended) or at least Notify me but don’t automatically download or install them.

Download Flash Disinfector:
http://www.precisesecurity.com/tools-resources/adware-tools/flash-disinfector

Go to Secunia Online Software Inspector then run it to see what other applications are vulnerable:
http://secunia.com/vulnerability_scanning/online

@ken

WOT scorecard for precisesecurity.com : http://www.mywot.com/en/scorecard/precisesecurity.com

nmb

Thanks for the welcome.

Oddly enough I have had this machine (1 of 6) set to notify me, against better judgement, and strangely, the file Avast picks up as a sample of malware is called msupdate. Did install SP3 on another machine a while back and immediately lost FireWire support, and Windows Installer went so bad I had to get help from an MS tech! Auto updates seem to be a good way of filling up the registry! Sure you are right though - there seems to be a horrible amount of virus activity.

The malware has returned, by the way (I have disabled System Restore) - seems it has a hook to the net, because if I disable network connections it does not seem to re-appear.

Is the Flash Disinfector tool just related to fixing the removable drive, or does it fix the infected machine?

Will check out the links.

Many thanks

Paul

Thanks for your input. I ran the stuff you suggested and seem to have killed the beast.

The system did have a couple of insecure versions of Flash Player 9, Adobe Reader and a bunch of Sun Java versions. Tried to switch those off in the Java control panel but they just came back on, so will have a go at uninstalling the older ones…

MBAM found and removed 4 Trojan infections located, as expected, in that system directory CCA3 or whatever. This contained the desktop.ini that was running the bad stuff.

Those were the only ones, it seems, which shows that Avast has been doing its job!

Thanks for your support

Paul