vvnkpp.exe issue

Discussion in 'Malware Help (A Specialist Will Reply)' started by snarfsmojo, Mar 31, 2005.

  1. snarfsmojo

    snarfsmojo Private E-2

    Hi, i am having massive problems with spyware that i just can't seem to erase. I have gone through the sticky notes at the top of this forum (and done all the steps save the Symantec security check, it wouldn't run because i am behind a corporate firewall)

    i think i have tracked it down to a specific process. the vvnkpp.exe process. the problem is, i can't find this file on the HD (and yes, i made sure i can see hidden files and system files), AND this process doesn't show up in task manager. I downloaded KillProcess and i can see the process in that, but i can't kill it. I am getting tons of popups, and it appears this process is downloading other spyware *Ezula to be specific* plus there are redirections in my host file that keep on respawning. I can post a HJT log if it would help (i didn't post it because the sticky notes said to wait until asked.) if there is anything else i can tell you to help you help me, lemme know...

    Thanks

    Snarfy
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    - Download HijackThis 1.99.1

    - Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    - Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file.

    - Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like Notepad, WordPad, MS Word etc., and any other unnecessary running programs.

    - Run HijackThis and save your log file.

    - Post your log as an ATTACHMENT to your next message. (Do NOT copy/paste the log into your post).
     
  3. snarfsmojo

    snarfsmojo Private E-2

    everything was looking great, i thought i'd gotten rid of it, and then 10 minutes later BAM! vvnkpp.exe is back as is nnti.exe (which i believe is related to this all as well) *sigh* here is my log
     

    Attached Files:

  4. snarfsmojo

    snarfsmojo Private E-2

    oh hell... i can't remember if i had majorgeeks open when i ran that scan with HJT, so here is a copy of a new scan during which i KNOW it wasn't open
     

    Attached Files:

  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Download LSP - Fix

    Now run LSP-Fix.

    Check the Box labeled "I know what I'm doing" and then click on the aklsp.dll file (in the “Keep” section) to select it.

    Then, Select the >> button to move aklsp.dll into the Remove section.

    Now, click the Finish Button. When the Repair Summary box appears, click OK.

    Now follow the steps below.

    Download but do not run yet: Pocket KillBox. Just extract it to its own folder for now. We will use it later.

    There has been an outbreak of these O4 lines with KavSvc and the associated randomly named exe file (yours is vvnkpp.exe). I think I found some possibly related (and they may also be randomly named) other associated files that respawn this process. Waiting for answers in other threads to questions I posted. For now try the below steps.
    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

    Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.
    C:\WINDOWS\System32\picsvr\picsvr.exe
    C:\WINDOWS\System32\vvnkpp.exe

    After killing all the above processes, click "Back".
    Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
    R3 - Default URLSearchHook is missing
    O4 - HKLM\..\Run: [picsvr] C:\WINDOWS\System32\picsvr\picsvr.exe
    O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\vvnkpp.exe

    After clicking Fix, exit HJT.

    Now Run Pocket KillBox

    Now, Copy and Paste C:\WINDOWS\System32\vvnkpp.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click YES. But when your system reboots, have it boot into safe mode.

    While in safe mode use Windows Explorer to delete:
    C:\WINDOWS\System32\picsvr <-- the whole folder
    C:\WINDOWS\System32\vvnkpp.exe <--- I'm just double checking. Let me know if you find it here again.

    If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if running, then delete the file.

    Now run Ccleaner (installed while running the READ ME FIRST).
    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
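
Added example (not part of the original thread, and not code from HijackThis or MajorGeeks): a small Python parser for the O4 autostart lines quoted in the post above, which flags Run values whose name differs from the executable they launch and reports entries that were selected for Fix but appear again in a later log. The later log and its `ExampleTray` entry are constructed sample data, and both checks are triage heuristics assumed here, not rules from the thread.

```python
import re

# O4 lines as quoted in the thread: "O4 - HKLM\..\Run: [Name] command"
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")

# The lines the post asks the user to select for Fix (copied from the thread).
FIXED_LINES = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [picsvr] C:\WINDOWS\System32\picsvr\picsvr.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\vvnkpp.exe
"""

# Constructed sample of a log taken after the reboot (not from the thread).
LATER_LOG = r"""
O4 - HKLM\..\Run: [ExampleTray] C:\Program Files\Example\ExampleTray.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\vvnkpp.exe
"""

def parse_o4(log_text):
    """Return {(hive, key, value_name): command} for every O4 autostart line."""
    entries = {}
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            entries[(m["hive"], m["key"], m["name"])] = m["cmd"].strip()
    return entries

def name_mismatch(entries):
    """Value names that differ from the launched file's name (KavSvc -> vvnkpp.exe).
    A mismatch is only a hint for review; plenty of legitimate entries differ too."""
    flagged = []
    for (_hive, _key, name), cmd in entries.items():
        exe_path = re.split(r"\.exe\b", cmd, flags=re.I)[0]   # drop ".exe" and any arguments
        stem = exe_path.rsplit("\\", 1)[-1].strip('"')
        if stem.lower() != name.lower():
            flagged.append(name)
    return sorted(flagged)

def respawned(fixed_log, later_log):
    """Value names that were fixed and are present again in a later log.
    Matching is on the registry value, since the exe name may be random."""
    before, after = parse_o4(fixed_log), parse_o4(later_log)
    return sorted(name for (_h, _k, name) in before.keys() & after.keys())

if __name__ == "__main__":
    print("name/file mismatch:", name_mismatch(parse_o4(FIXED_LINES)))
    print("respawned after fix:", respawned(FIXED_LINES, LATER_LOG))
```
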
     
  6. snarfsmojo

    snarfsmojo Private E-2

    ok, i did all those things, and it seems to be running fine, buuuut, as you see by the new log, vvknpp.exe is still lurkin out there :( makes me a sad snarfy... any other thoughts?

    ps - when i used killbox, vvnkpp.exe did show up in blue like you said it would, and when i rebooted, the file wasn't there, but the file is never visible when i go to try and view it :( *boggle*
     

    Attached Files:

  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Make sure you have the following set properly, let me know if any were set differently:

    Right Click Start.
    Select Explorer.
    Select the Tools menu and click Folder Options.
    Select the View Tab.
    Under the Hidden files and folders heading select Show hidden files and folders.
    Uncheck the Hide extensions for known file types option.
    Uncheck the Hide protected operating system files (recommended) option.
    Click Apply.
    Click OK.
     
  8. snarfsmojo

    snarfsmojo Private E-2

    yes, both those options are not checked.
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    1 - Please EXTRACT all files from Qoologic Tool to its own folder - C:\Program Files\QoologicFinder . Then, DoubleClick Find-Qoologic.bat to run the tool. It should produce a log - Please attach that with your next post!

    2 - Please EXTRACT all the files from RKFILES Tool.Zip Tool to its own folder - C:\Program Files\RKTOOL. Then, please boot to SAFE MODE and DoubleClick rkfiles.bat to run the tool. Let it run and then, when it finishes, look for a log at C:\Log.txt and also please attach that log.

     
