Hi, we are seeing lots of infections of Tupym.A and Tupym.A! at our company. The two identified files that Forefront Client Security detects and cleans are system_3.exe and autorun.ini, located on the user desktop. These are not removed by FCS, despite them being detected and receiving a 'successfully cleaned' message. Definitions are up to date.
The only way I am able to remove this is to use Malwarebytes Anti-Malware, which detects the same two files and also a registry key at HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|Yahoo Messengger (Forefront is not detecting this). Unfortunately, because so many machines are infected, as soon as a machine connects again to an infected share, it is infected again.
I have submitted the malicious files to Microsoft already in case they have evolved or changed but have been told the latest definitions will remove these files. Is anyone else seeing this issue? At the moment it is a big problem for us, as it is infecting and spreading via NTFS shares, and we are unable to manually clean the machines quickly enough.
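An added example, not from the original post and not Forefront's or Malwarebytes' own code: a PowerShell sweep that reports, and with -Remove deletes, the two desktop files and the Run value named above across every profile on a machine, so re-cleaning can be scripted instead of done by hand. It assumes PowerShell 3.0 or later run elevated, and that the Malwarebytes entry "Run|Yahoo Messengger" denotes a value named "Yahoo Messengger" under the Run key.

```powershell
# Added example (not from the original post). Reports the Tupym indicators
# described above on this machine; -Remove deletes them and re-checks.
param([switch]$Remove)

$FileNames = @('system_3.exe', 'autorun.ini')   # files named in the post
$RunValue  = 'Yahoo Messengger'                  # Run value name (assumed from "Run|Yahoo Messengger")
$RunSubKey = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Run'

function Find-TupymIndicators {
    $found = @()
    # Desktop of every profile (Vista+ and XP layouts)
    $profileRoots = Get-ChildItem -Path 'C:\Users', 'C:\Documents and Settings' -Directory -ErrorAction SilentlyContinue
    foreach ($p in $profileRoots) {
        foreach ($n in $FileNames) {
            $path = Join-Path $p.FullName "Desktop\$n"
            if (Test-Path -LiteralPath $path) {
                $found += [pscustomobject]@{ Type = 'File'; Key = $null; Target = $path }
            }
        }
    }
    # Run key of the current user plus every loaded user hive under HKEY_USERS
    $keys = @("HKCU:\$RunSubKey")
    $keys += Get-ChildItem Registry::HKEY_USERS | ForEach-Object { "Registry::$($_.Name)\$RunSubKey" }
    foreach ($k in $keys) {
        $v = Get-ItemProperty -Path $k -Name $RunValue -ErrorAction SilentlyContinue
        if ($v) {
            $found += [pscustomobject]@{ Type = 'RunValue'; Key = $k; Target = $v.$RunValue }
        }
    }
    return $found
}

$findings = Find-TupymIndicators
if (-not $findings) { Write-Output "No Tupym indicators found on $env:COMPUTERNAME"; return }
$findings | Format-Table -AutoSize

if ($Remove) {
    foreach ($f in $findings) {
        if ($f.Type -eq 'File') {
            Remove-Item -LiteralPath $f.Target -Force
        } else {
            Remove-ItemProperty -Path $f.Key -Name $RunValue
        }
    }
    # Verify, since FCS reported "successfully cleaned" while the files stayed
    $left = Find-TupymIndicators
    if ($left) { Write-Warning "Indicators still present:"; $left | Format-Table -AutoSize }
    else { Write-Output "All listed indicators removed from $env:COMPUTERNAME" }
}
```

Run it per machine (or via a logon script or remote session) and keep the infected shares offline until every client reports clean, otherwise the reinfection loop described above continues.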