
vvk virus appears in safe mode can't remove

Yoda123
Light Poster
29 posts since Dec 2008

Hey guys, there is some kind of Greek virus named vvk that says any website I visit is dangerous and keeps on asking me to give private information, saying I have 56 infections.

I can't follow any of the Read Me First guidelines because the virus appears in safe mode also and I can't get to any website to download anything. It won't even let me run Malwarebytes. I can update Malwarebytes but it never restarts after the update. I tried canceling the process in the manager but it starts up automatically.

I used Task Manager to discover that vvk is located in my temporary folder and it even has its own special icon. I am not sure how this happened.

Please help me with this problem. Thank you very much.

PhilliePhan
Central Scrutinizer
1,667 posts since Dec 2006
Team Colleague

> Please help me with this problem. Thank you very much.

What is your OS?

-- Can you open a command prompt and do this:
Type or copy and paste

    tasklist >> %systemdrive%\peek.txt

ENTER

Please post the peek.txt - it should be C:\peek.txt.

We'll see if there are other running processes we need to shut down.

Cheers :)
PP

Yoda123

Thank you. Vista 64.

I will try this when I get home. The infected computer is the only one I have so I can only read/reply here when I am using someone else's computer. Because of this please feel free to post further steps in case I can or can't because I have to go to someone else's house to read/reply to the forum.

PhilliePhan

> Thank you. Vista 64.
>
> I will try this when I get home. The infected computer is the only one I have so I can only read/reply here when I am using someone else's computer. Because of this please feel free to post further steps in case I can or can't because I have to go to someone else's house to read/reply to the forum.

Ideally, we'd like to get MBAM to run and see where that leaves us. Even if you cannot update it, run it anyway. If it won't run, we can try to remove the processes that are blocking it.

You should also try running rkill to see if that will then allow MBAM to run.

Let us know where you stand. I'll try to check back as time permits.

PP:)

Yoda123

Okay, great. Quick question: how can I send the peek.txt to you guys if it always blocks my internet? Is it safe to put it on a keydrive and transfer it to another computer and post it here, or will it infect the keydrive and the other computer as well?

Yoda123

Oh, and one more thing: I already know that MBAM is being blocked, and how would I get rkill on the computer... I would have to transfer it via a USB drive, huh?

PhilliePhan

> Oh, and one more thing: I already know that MBAM is being blocked, and how would I get rkill on the computer... I would have to transfer it via a USB drive, huh?

Flashdrive is best for the logs - you could burn any tools onto a CD, if necessary.
But for now, a flashdrive will suffice for RKILL and the process list.

PP:)

Yoda123

Okay. We have some huge problems. I tried running Rkill from the thumbdrive and when I do it just pops up with a Vista Home Security 2012 firewall alert. It does the same thing if I try to install MBAM from the thumbdrive or run MBAM from the hard drive. I also pressed Windows + R to bring up the cmd and I put in the script you gave me for the peek.txt and the same thing happens: a window that says "vista home security 2012 firewall alert" comes up with the option to activate or continue without it.

More bad news. I couldn't get the comp to run safe mode. I select safe mode and it never comes up. It will say safe mode in all 4 corners after loading processes, then it just asks me which version of Vista to run again. (For some reason, when you start this comp up it always asks you if you want to launch Windows Vista or Windows Vista Ultimate.)

Yoda123

Okay, this is really strange. I couldn't run anything, but I tried a second time. It's like the virus gave up; I was able to run rkill and Malwarebytes. I accidentally ran rkill twice and it found nothing. I ran the old version of Malwarebytes by accident and it found a problem and killed it. I updated Malwarebytes to the current version and it found a rootkit problem or something and killed it. The virus appears gone. The rkill log and both MBAM logs are below.

This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.

Rkill was run on 12/09/2011 at 17:05:43.
Operating System: Windows (TM) Vista Ultimate


Processes terminated by Rkill or while it was running:

Processes terminated by Rkill or while it was running:

Rkill completed on 12/09/2011 at 17:05:45.


Rkill completed on 12/09/2011 at 17:05:52.


Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 7622

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.19154

12/9/2011 5:20:13 PM
mbam-log-2011-12-09 (17-20-13).txt

Scan type: Quick scan
Objects scanned: 268995
Time elapsed: 10 minute(s), 44 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Users\Joshua Sykora\AppData\Local\vvk.exe" -a "C:\Program Files (x86)\Internet Explorer\iexplore.exe") Good: (iexplore.exe) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 8344

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.19154

12/9/2011 5:35:34 PM
mbam-log-2011-12-09 (17-35-29).txt

Scan type: Quick scan
Objects scanned: 273643
Time elapsed: 7 minute(s), 12 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Users\joshua sykora\AppData\Local\Temp\msimg32.dll (Rootkit.0Access) -> No action taken.

Yoda123

I think it's gone. Thanks so much. I have no clue why safe mode wouldn't start and why I had to run rkill like 5 times to get it to work or why Malwarebytes took like 3 tries before it even ran.

PhilliePhan

> I think it's gone. Thanks so much. I have no clue why safe mode wouldn't start and why I had to run rkill like 5 times to get it to work or why Malwarebytes took like 3 tries before it even ran.

Could be a combination of factors, not the least being the malware involved did not want you to be able to run the tools. Sometimes rkill needs to be run multiple times.
Back 6-7 years ago when we didn't have all these nifty tools to work with, we'd have users killing running processes manually and then racing to get the malware removed before the processes could start again... Fun times :)

-- You should remove that last detection by MBAM or just flush your temp files. (use ATF-Cleaner from the Read Me First Sticky) Flush your system restore points while you are at it.

I strongly suggest you run an online scan:

http://www.eset.com/us/online-scanner/

Make sure that comes back clean as well.

Let us know if you have any further issues.

Cheers :)
PP
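
An added example, not part of the original thread and not Malwarebytes' own code: a small Python triage of the detail lines in the two MBAM logs posted above, showing which detections point at a user-writable directory (AppData or Temp) and which ones the scanner left in place, such as the last detection mentioned in the reply above. The line layout and the action wording are assumed from the logs in this thread; `triage` and `needs_followup` are hypothetical names.

```python
import re

# Detail lines copied from the two MBAM logs posted in this thread.
SAMPLE_LOG = r'''Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Users\Joshua Sykora\AppData\Local\vvk.exe" -a "C:\Program Files (x86)\Internet Explorer\iexplore.exe") Good: (iexplore.exe) -> Quarantined and deleted successfully.
Folders Infected:
(No malicious items detected)
Files Infected:
c:\Users\joshua sykora\AppData\Local\Temp\msimg32.dll (Rootkit.0Access) -> No action taken.
'''

# "<object> (<Detection.Name>) -> <details>"; layout assumed from the logs above.
DETAIL = re.compile(r'^(?P<obj>.+?) \((?P<name>[A-Za-z]+\.[\w.]+)\) -> (?P<rest>.+)$')
BAD_GOOD = re.compile(r'Bad: \((?P<bad>.*)\) Good: \((?P<good>.*?)\)')
USER_WRITABLE = re.compile(r'\\AppData\\|\\Temp\\', re.IGNORECASE)

def triage(log_text):
    """Return one record per detection line found in an MBAM 1.x text log."""
    findings = []
    for line in log_text.splitlines():
        m = DETAIL.match(line.strip())
        if not m:
            continue  # section headers, counters, "(No malicious items detected)"
        rest = m.group('rest')
        action = rest.rsplit(' -> ', 1)[-1].rstrip('.')
        hijack = BAD_GOOD.search(rest)
        # Registry hijack: first quoted program in "Bad"; file: the object itself.
        target = m.group('obj')
        if hijack:
            quoted = re.match(r'"([^"]+)"', hijack.group('bad'))
            target = quoted.group(1) if quoted else hijack.group('bad')
        findings.append({
            'object': m.group('obj'),
            'detection': m.group('name'),
            'target': target,
            'user_writable': bool(USER_WRITABLE.search(target)),
            'expected': hijack.group('good') if hijack else None,
            'resolved': 'successfully' in action.lower(),
            'action': action,
        })
    return findings

def needs_followup(findings):
    """Detections the scanner reported but did not remove."""
    return [f for f in findings if not f['resolved']]

if __name__ == '__main__':
    for f in needs_followup(triage(SAMPLE_LOG)):
        print(f['detection'], f['target'], f['action'], sep=' | ')
```
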
