Script not detected

Hi Avasters,

I’m running Windows 7 with Avast (Free) 8.0.1497 and latest definitions.

I found something strange on my external USB flash drive that has been used in various PCs (trusted and non-trusted). With the option to view hidden files on, I can see all my 1st level directories (folders) on the flash were hidden and ‘something’ had created a shortcut to each of them that was visible.

The folder shortcut executed the following code:
C:\windows\system32\cmd.exe /c start zdlgyuuxzz.vbs&start explorer brochure&exit (WHERE my folder name was brochure)

The flash drive has the zdlgyuuxzz.vbs file stored in the root. I couldn’t find any info about the file / virus (or other) that put it there via web search etc. I can only assume the file name is randomly generated.

I have attached the file, but renamed it to be a text file so I can upload it here. I’m no coder, so can’t make sense of it, beyond the fact that it may have done some basic encryption that is undone and then the script executed.

Anyway, to the point - Avast did not detect any problems with my flash drive after doing a scan. Nor did Malwarebytes for that matter. Is this something that could / should be picked up? I get that the script could have been something intentional that I or someone else may have created to achieve something, thus may be nowhere near the ‘it is a virus’ definition.

I’m just wondering if anyone has any clues what the script does AND where I might have picked it up (e.g. there is a virus or malware that creates the script & infects the drive). I’m yet to do a full virus scan on my PC, but perhaps that is the next step for me (after deleting the shortcuts and unhiding the hidden directories).

Thanks
Martin

Edit: removed attached malware
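
Added example, not part of the original thread: a small Python check for the shortcut pattern described in the post above, where a shortcut named after a hidden folder runs a script from the drive root and then opens the real folder. The function names and the directory listing are hypothetical; only the command line is taken from the post, and reading the target out of a real .lnk file is assumed to be done separately.

```python
import re

SCRIPT_EXTS = (".vbs", ".vbe", ".js", ".jse", ".wsf")

def parse_cmd_chain(command):
    """Split a 'cmd.exe /c a&b&c' shortcut target into its chained sub-commands."""
    m = re.search(r"cmd(?:\.exe)?\s+/c\s+(.*)$", command, re.IGNORECASE)
    if not m:
        return []
    return [part.strip() for part in m.group(1).split("&") if part.strip()]

def analyze_shortcut(lnk_name, command, hidden_dirs, root_files):
    """Return the reasons a shortcut looks like a decoy for a hidden folder."""
    reasons = []
    hidden = {d.lower() for d in hidden_dirs}
    files = {f.lower() for f in root_files}
    folder = re.sub(r"\.lnk$", "", lnk_name, flags=re.IGNORECASE).lower()
    for part in parse_cmd_chain(command):
        tokens = part.split()
        if len(tokens) < 2 or tokens[0].lower() != "start":
            continue
        arg = tokens[1].lower()
        if arg.endswith(SCRIPT_EXTS):
            reasons.append("runs script " + tokens[1])
            if arg in files:
                reasons.append("script is in drive root")
        elif arg == "explorer" and len(tokens) > 2:
            opened = " ".join(tokens[2:]).lower()
            if opened == folder and opened in hidden:
                reasons.append("opens hidden folder of the same name")
    return reasons

# Constructed sample: the command is the one quoted in the post; the listing is made up.
SAMPLE_CMD = r"C:\windows\system32\cmd.exe /c start zdlgyuuxzz.vbs&start explorer brochure&exit"
HIDDEN_DIRS = ["brochure", "photos"]
ROOT_FILES = ["zdlgyuuxzz.vbs", "brochure.lnk", "photos.lnk"]

if __name__ == "__main__":
    for reason in analyze_shortcut("brochure.lnk", SAMPLE_CMD, HIDDEN_DIRS, ROOT_FILES):
        print(reason)
```

A shortcut that returns all three reasons matches the behaviour described in the post; an ordinary shortcut to a program returns an empty list.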

Hello,
In this file is the start of a malicious Visual Basic script obfuscated with Base64 encoding.
However, this script is not complete and it doesn’t do anything.

Other versions of this script infect the computer, create shortcuts and download other malware from the internet, so a virus scan would be a wise step.

Thank you for this file.

Hi @pritchardmartin

Check USB storage devices / removable drives

Download MCShield from one of the following links:

MyCity - Official download link
Softpedija - Mirror download link

- Double click MCShield-Setup to install the application.
- Wait a few seconds for MCShield to finish the initial scan.
  Recommendation: under the General and Scanner tabs, click the Defaults button to choose the recommended options.
- Connect your USB storage devices to the computer one at a time. Scanning will be done automatically.

When all scanning is done, you need to attach the log report that MCShield has created.

Start → All Programs → MCShield → Logs

Attach here → AllScans.txt

Explanation: USB storage devices are all the USB devices that get their own partition letter when connected to the PC,
e.g. flash drives (thumb/pen drives, USB sticks), external HDDs, MP3/MP4 players, digital cameras,
memory cards (SD cards, Sony Memory Stick, MultiMedia Cards etc.), some mobile phones, some GPS navigation devices etc.

script scan …

VirusTotal
https://www.virustotal.com/nb/file/f2927021674fb41909b7acf74cf2f35e911b7b6778bf184591eaf6843a41a879/analysis/1379058543/

Thank you so much everyone.
It’s great that there is an active community of gurus out there to help out.
I’ll download the suggested software and scan and clean-up the mess.

Cheers
Martin

Hi! I have the same issue but I’m using Windows 8.

I’ve read your conversation and followed the instructions.

As you’ve said that allscan.txt should be attached, I’m attaching my allscan.txt.

I’m hoping that this issue will be resolved soon coz I’m tired of searching things on the internet how to resolve this.

Here’s my attachment. Thank YOU! :slight_smile:

What you should do is start your own topic (next time :wink:) … as helping multiple users in the same topic is chaos.
Removal experts are notified.

It may take some hours before the removers arrive, depending on time zone…and they are volunteers so are not online 24/7

While waiting, attach an OTL diagnostic log: http://forum.avast.com/index.php?topic=53253.0

Thank you very much Argus! You helped me a lot with the suggestion to use MCShield! All items that were transformed into shortcuts returned to normal. :slight_smile: