Unknown soldier, or terrorist in my task manager

  • Thread starter Sydney Gondomer

Sydney Gondomer

Top of the day mates.

Put another Lobster on the Barbee!

I'm running Vista Ultimate with 64-bit OS, 3 GB RAM, 640 GB hard drive
and four processors.


I have three instances of this file in my task manager running their
arses off. It says they are indexers. I had to go into administrative
mode to clear them out of task manager. I can't find anything about it
online.

"bvllybx.exe"

Does anyone know what it is? And if it is safe?

Sydney Gondomer

Go to virustotal.com and submit the file in question ( bvllybx.exe ) and
let them check it out.
First do a find for that file so you know where to copy it from.
VirusTotal has a 'Browse' button next to the input blank and you can use
that to show the location and automatically have the file downloaded to
them.
The results are usually in a few minutes.
Mucho thank-yous Herr Buffalo Roger Wilco over and out!

Sydney Gondomer

S'all right!

Well,
I have two of these "bvllybx.exe" files in my task manager again after
I had deleted them four days ago.

I did a search on the entire computer and it didn't find the files
anyplace.

So I'm not sure how I can get them to the virus website for testing?
Ok, I found its location and uploaded it to virustotal.

Even though I tried to remove it I couldn't. It kept saying I needed
administrator rights. I am the administrator and only user of this
Vista Ultimate 64 bit pc?

Here is what it said. Maybe this will help?

File bvllybx.exe received on 08.10.2008 03:56:09 (CET)
Current status: finished
Result: 3/36 (8.34%)

Antivirus          Version          Last Update  Result
AhnLab-V3          2008.8.9.0       2008.08.08   -
AntiVir            7.8.1.19         2008.08.09   -
Authentium         5.1.0.4          2008.08.10   -
Avast              4.8.1195.0       2008.08.09   -
AVG                8.0.0.156        2008.08.09   -
BitDefender        7.2              2008.08.10   -
CAT-QuickHeal      9.50             2008.08.08   -
ClamAV             0.93.1           2008.08.09   PUA.Packed.Armadillo
DrWeb              4.44.0.09170     2008.08.09   -
eSafe              7.0.17.0         2008.08.07   -
eTrust-Vet         31.6.6019        2008.08.08   -
Ewido              4.0              2008.08.09   -
F-Prot             4.4.4.56         2008.08.10   -
F-Secure           7.60.13501.0     2008.08.09   Suspicious:W32/Malware!Gemini
Fortinet           3.14.0.0         2008.08.09   -
GData              2.0.7306.1023    2008.08.10   -
Ikarus             T3.1.1.34.0      2008.08.10   -
K7AntiVirus        7.10.408         2008.08.09   -
Kaspersky          7.0.0.125        2008.08.10   -
McAfee             5357             2008.08.08   -
Microsoft          1.3807           2008.08.09   -
NOD32v2            3342             2008.08.09   -
Norman             5.80.02          2008.08.08   -
Panda              9.0.0.4          2008.08.09   -
PCTools            4.4.2.0          2008.08.09   -
Prevx1             V2               2008.08.10   -
Rising             20.56.41.00      2008.08.08   -
Sophos             4.32.0           2008.08.10   -
Sunbelt            3.1.1538.1       2008.08.09   -
Symantec           10               2008.08.10   -
TheHacker          6.2.96.395       2008.08.08   -
TrendMicro         8.700.0.1004     2008.08.08   -
VBA32              3.12.8.3         2008.08.09   -
ViRobot            2008.8.8.1329    2008.08.08   -
VirusBuster        4.5.11.0         2008.08.09   -
Webwasher-Gateway  6.6.2            2008.08.09   Virus.Win32.FileInfector.gen (suspicious)
Additional information
File size: 1742468 bytes
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x66f000
timedatestamp.....: 0x4886a383 (Wed Jul 23 03:20:35 2008)
machinetype.......: 0x14c (I386)

( 7 sections )
name      viradd    virsiz    rawdsiz   ntrpy  md5
..nkobrh  0x1000    0x21e380  0x0       0.00   d41d8cd98f00b204e9800998ecf8427e
..ymeju   0x220000  0xe41c    0x0       0.00   d41d8cd98f00b204e9800998ecf8427e
..jxhly   0x22f000  0x40000   0x3e000   7.97   5d55c2346725d89275a2d1d944f7406a
..wcka    0x26f000  0x10000   0xd000    7.01   fb9534ec0fe4354b1918d013de500bc9
..njweg   0x27f000  0x20000   0xc000    4.77   0df10b7aa4c4e43b7ee5af9f715d6342
..xuzqah  0x29f000  0x150000  0x144000  8.00   b0ef4e277192ae49b6de9cc3a74f1685
..fitgbj  0x3ef000  0xcf000   0x4000    3.99   daacbfbff3c0d77fcc417087d73c1c5a

( 3 imports )

( 0 exports )
packers (F-Prot): Armadillo

Sydney Gondomer

From: "Sydney Gondomer" <[email protected]>


| Well,
| I have two of these "bvllybx.exe" files in my task manager again after
| I had deleted them four days ago.

| I did a search on the entire computer and it didn't find the files
| anyplace.

| So I'm not sure how I can get them to the virus website for testing?
| Ok, I found its location and uploaded it to virustotal.

| Even though I tried to remove it I couldn't. It kept saying I needed
| administrator rights. I am the administrator and only user of this
| Vista Ultimate 64 bit pc?

| Here is what it said. Maybe this will help?

| File bvllybx.exe received on 08.10.2008 03:56:09 (CET)

< snip >

What is the fully qualified path to bvllybx.exe ?
I'm sorry mates. After I uploaded it I went into administrator mode
and was able to delete the entire folder. I wasn't able to backtrack
and find it.

So I will have to pull up my keylogger and find it that way. Give me
about 15 minutes and I should have the path information for you, but
unless it is in the recycle bin I won't be able to zip it and send it
to you.
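On the question of the fully qualified path: the following is an added example (not posted by anyone in this thread) of a Windows PowerShell script that lists the on-disk image of every running process with a given name and computes the MD5 and SHA-256 of that file, so the result can be compared with what VirusTotal reports. The process name bvllybx is taken from the thread; the function name Get-ProcessImageHash is my own.

```powershell
# Added example, not from the thread. Locate the image file behind a running
# process by name, record its full path, and hash it for comparison with a
# VirusTotal report. Uses .NET hashing so it runs on Windows PowerShell 2.0+
# (Get-FileHash only exists from PowerShell 4). Run from an elevated session
# to see processes that belong to other users or sessions.
$ProcessName = 'bvllybx'   # assumption: the name seen in Task Manager

function Get-ProcessImageHash {
    param([string]$Name)
    $results = @()
    foreach ($proc in Get-Process -Name $Name -ErrorAction SilentlyContinue) {
        try {
            # MainModule fails for protected processes and when a 32-bit
            # shell queries a 64-bit process; fall back to WMI in that case.
            $path = $proc.MainModule.FileName
        } catch {
            $path = (Get-WmiObject Win32_Process -Filter "ProcessId = $($proc.Id)").ExecutablePath
        }
        if (-not $path -or -not (Test-Path -LiteralPath $path)) {
            # Process is running but its file is not reachable on disk
            # (deleted after launch, or access denied): report that fact.
            $results += New-Object PSObject -Property @{
                PID = $proc.Id; Path = $path; Size = $null; MD5 = $null; SHA256 = $null
            }
            continue
        }
        $bytes = [System.IO.File]::ReadAllBytes($path)
        $md5   = [System.Security.Cryptography.MD5]::Create()
        $sha   = [System.Security.Cryptography.SHA256]::Create()
        $results += New-Object PSObject -Property @{
            PID    = $proc.Id
            Path   = $path
            Size   = $bytes.Length
            MD5    = ([BitConverter]::ToString($md5.ComputeHash($bytes))) -replace '-', ''
            SHA256 = ([BitConverter]::ToString($sha.ComputeHash($bytes))) -replace '-', ''
        }
    }
    return $results
}

Get-ProcessImageHash -Name $ProcessName | Format-List PID, Path, Size, MD5, SHA256
```

A hash that matches the VirusTotal report confirms you are looking at the same file; a process whose Path comes back empty while it is still running is worth noting, since a plain file search will not find it either.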

Sydney Gondomer

From: "Sydney Gondomer" <[email protected]>


| Well,
| I have two of these "bvllybx.exe" files in my task manager again after
| I had deleted them four days ago.

| I did a search on the entire computer and it didn't find the files
| anyplace.

| So I'm not sure how I can get them to the virus website for testing?
| Ok, I found its location and uploaded it to virustotal.

| Even though I tried to remove it I couldn't. It kept saying I needed
| administrator rights. I am the administrator and only user of this
| Vista Ultimate 64 bit pc?

| Here is what it said. Maybe this will help?

| File bvllybx.exe received on 08.10.2008 03:56:09 (CET)

< snip >

What is the fully qualified path to bvllybx.exe ?

I can't get my keylogger to activate. So I won't be able to look back
and give you the path.

Now that I think about it, that file, and the folder that went
HJJKLVWEF something weird like that, might well have all been a part
of my "All in one Keylogger" that I installed last week.

When I reinstall it, I will check to see if those files come back. If
they do, then I will know that is what they are.