info on vrvagld*.*

rookieatit

Hello

After looking at my system I have found a file in c:\windows\system32 called vrvagldjay.exe.
I have searched the internet and have not been able to find any information on this file.
I have removed it from the registry by searching the whole registry and deleting the key,
also removed it from the startup config utility (msconfig), and manually deleted the file from the directory.
Restarted the computer and now I have a new file called vrvagldajey.exe.
Has anyone heard of the file before?
My concern is that around the same time this file was loaded, when I open Live Messenger it sends a pic file in a zip format.
Please do not insult my intelligence by sending me to spyware sites like RegCleaner and the lot.
If you have a valid idea of what this file is, please let me know.

R. McCarty

Right-click the file, select Properties, and from the details box click
(if it exists) the Version tab and examine the information it
provides.
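The same check done from PowerShell, so the result can be saved and compared with the file that reappears after a reboot. This is an added example and not code from the thread; it assumes the path from the original post and only standard Windows locations (the Run/RunOnce keys and the Winlogon key), nothing the thread itself names.

```powershell
# Added example (not from the thread): triage a suspicious executable the way
# the reply above suggests, but from PowerShell so the output can be kept.
# Assumption: $Path is the file named in the original post; the registry
# locations below are the standard Windows autostart keys.
param(
    [string]$Path = 'C:\Windows\System32\vrvagldjay.exe'
)

if (-not (Test-Path -LiteralPath $Path)) {
    Write-Warning "File not found: $Path (it may already have been renamed)"
    return
}

$item = Get-Item -LiteralPath $Path -Force

# 1. Version resource: what the Properties > Version/Details tab shows.
#    Microsoft's own System32 binaries carry company, product and description
#    strings; a random-named file with all of them blank is a red flag.
$vi = $item.VersionInfo
[pscustomobject]@{
    Name            = $item.Name
    SizeBytes       = $item.Length
    Created         = $item.CreationTime
    LastWritten     = $item.LastWriteTime
    CompanyName     = $vi.CompanyName
    ProductName     = $vi.ProductName
    FileDescription = $vi.FileDescription
    FileVersion     = $vi.FileVersion
    OriginalName    = $vi.OriginalFilename
} | Format-List

# 2. Authenticode signature: genuine System32 files are signed by Microsoft.
$sig = Get-AuthenticodeSignature -LiteralPath $Path
"Signature status : $($sig.Status)"
"Signer           : $($sig.SignerCertificate.Subject)"

# 3. SHA-256 hash, to look the file up with a multi-engine scanner and to
#    compare against the replacement file that appears after a reboot.
$hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
"SHA256           : $hash"

# 4. Where is it started from? The poster found and deleted one key by hand;
#    list every autostart value that still references the file name.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Value -is [string] -and $p.Value -like "*$($item.Name)*") {
            "Autostart reference: $key\$($p.Name) = $($p.Value)"
        }
    }
}

# 5. The file came back under a slightly different name, so also list other
#    recently created executables in the same folder that have no company name.
Get-ChildItem -LiteralPath $item.DirectoryName -Filter '*.exe' -Force |
    Where-Object { $_.CreationTime -gt (Get-Date).AddDays(-7) -and
                   [string]::IsNullOrEmpty($_.VersionInfo.CompanyName) } |
    Select-Object Name, Length, CreationTime |
    Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt; step 5 is the part worth repeating after each reboot, since a file that is recreated under a new random name will still show up there while the old name will not.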

David H. Lipman

From: <[email protected]>

| Hello
|
| After looking at my system I have found a file in c:\windows\system32 called vrvagldjay.exe.
| I have searched the internet and have not been able to find any information on this file.
| I have removed it from the registry by searching the whole registry and deleting the key,
| also removed it from the startup config utility (msconfig), and manually deleted the file from the directory.
| Restarted the computer and now I have a new file called vrvagldajey.exe.
| Has anyone heard of the file before?
| My concern is that around the same time this file was loaded, when I open Live Messenger it sends a pic file in a zip format.
| Please do not insult my intelligence by sending me to spyware sites like RegCleaner and the lot.
| If you have a valid idea of what this file is, please let me know.

Sounds like malware...


Download MULTI_AV.EXE from the URL --
http://www.pctipp.ch/ds/28400/28470/Multi_AV.exe

http://www.pctipp.ch/downloads/dl/35905.asp

English:
http://www.raymond.cc/blog/archives/2008/01/09/scan-your-computer-with-multiple-anti-virus-for-free/

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software firewall or allow WGET.EXE through your
firewall so it can download the needed AV vendor related files.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode.
This way all the components can be downloaded from each AV vendor's web site.
The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file.

Additional Instructions:
http://pcdid.com/Multi_AV.htm


* * * Please report back your results * * *

David H. Lipman

From: "V Green" <[email protected]>


|
| I accept that, but -
|
| it's fairly pointless nit picking. The "victim" won't
| care one way or the other.
|

That doesn't matter. Calling it a virus elevates its significance.
Vundo doesn't self-replicate and thus should not be called a virus.

V Green

David H. Lipman said:
From: "V Green" <[email protected]>


|
| I accept that, but -
|
| it's fairly pointless nit picking. The "victim" won't
| care one way or the other.
|

That doesn't matter. Calling it a virus elevates its significance.
Vundo doesn't self-replicate and thus should not be called a virus.

Oh, my. More nit picking.

Have you ever actually experienced this miserable SOB?

I have, and I can tell you that it is FAR more invasive and
difficult to remove than any virus I have encountered. A/V packages
all SAW it, but did little to stop it, simply informing me that it
was there. Even VundoFix didn't get it all, but the forum board
there contained enough info for me to remove it manually.

It came in via a Java applet that's used by almost everybody on
eBay to do a "slide show" of images of the stuff they're selling.
Sun has since patched the JVM to fix this but the sheer numbers
of folk who use eBay would cause this "insignificant" (in your opinion)
thing to spread in such a manner that it likely wound up on as many machines
(or more) as any self-respecting "significant" virus.

David H. Lipman

From: "V Green" <[email protected]>

< snip >

|
| Oh, my. More nit picking.
|
| Have you ever actually experienced this miserable SOB?

Since it first came out. I even wrote a utility for it, but Atri's utility is better.
I have been watching this Trojan and its morphed versions for quite some time.


|
| I have, and I can tell you that it is FAR more invasive and
| difficult to remove than any virus I have encountered. A/V packages
| all SAW it, but did little to stop it, simply informing me that it
| was there. Even VundoFix didn't get it all, but the forum board
| there contained enough info for me to remove it manually.

You got a newer variant. It now can use rootkit and other techniques to hide, as well as
peer utilities to keep itself on the OS as a self-preservation technique.

| It came in via a Java applet that's used by almost everybody on
| eBay to do a "slide show" of images of the stuff they're selling.
| Sun has since patched the JVM to fix this but the sheer numbers
| of folk who use eBay would cause this "insignificant" (in your opinion)
| thing to spread in such a manner that it likely wound up on as many machines
| (or more) as any self-respecting "significant" virus.
|

Yeah. I know all about the infection vector using Java exploitation.