How to remove VVS from infected systems

What kind of malware is VVS?

VVS is a Python‑based information‑stealing malware. It primarily targets Discord data and information saved in web browsers. The VVS stealer utilizes PyArmor to obfuscate its code, making analysis more difficult and enabling it to evade detection by security tools. If VVS is noticed on a device, it should be eliminated immediately.

More about VVS

VVS has been observed being sold as malware‑as‑a‑service (MaaS). Pricing is advertised at €10 for a week, €20 for a month, €40 for three months, €90 for one year, and €199 for a lifetime subscription. The developers promote and distribute the malware primarily through Telegram.

One of the main targets of VVS is the Discord application, which is commonly used for messaging and communities. The malware can steal Discord tokens, which act like keys that keep a user logged in without needing a password. By obtaining these tokens, attackers can take over accounts and access messages, servers, and private information.

Also, the malware uses stolen Discord login tokens to ask Discord's systems for detailed account information. Once it has access, it can find out whether the user has Discord Nitro and if any payment methods are linked to the account. It can also collect personal details like the username, email address, phone number, and user ID.

Additionally, it gathers information about friends, servers (guilds), security settings, such as MFA, and even technical details, including the user's IP address and computer name. Also, VVS allows threat actors to hijack active sessions. It first closes Discord, then adds a hidden malicious script inside Discord's files.

This script enables the attacker to remain in the app even after restarts and observe the user's actions, such as changing passwords or adding payment details. Furthermore, VVS can steal information from web browsers.

Browser Information Harvesting

The targeted web browsers are 7Star, Amigo, Brave, CentBrowser, Chrome, Discord, Edge, Epic Privacy Browser, Iridium, Kometa, Lightcord, Mozilla Firefox, Opera, Orbitum, Sputnik, Torch, Uran, Vivaldi, and Yandex. VVS steals cookies, passwords, autofill data, and browsing history from these browsers.

With this information, attackers can access online accounts, impersonate the victim, gather personal details, and more. It is important to note that hijacked accounts can also be used to make fraudulent purchases and transactions, spread malware (and scams), and for other malicious purposes.

Additional capabilities

Moreover, VVS is designed to run automatically every time the computer starts. It does this by placing a copy of itself in the Windows Startup folder, which is designed to launch programs when the system boots. As a result, the malware remains active even after reboots.

It is also known that VVS utilizes a built-in Windows function to display a pop-up claiming a serious error has occurred and that the computer needs to be restarted. The pop‑up forces the user to interact with it before continuing, making it seem legitimate. The fake error is likely used to distract the user and make the malware's activity seem like a normal system issue. Lastly, VVS can take screenshots of the infected device's desktop.

Conclusion

In conclusion, VVS is an information‑stealing malware designed for long‑term access. It focuses on Discord and web browsers to steal account credentials, personal data, and financial information while remaining hidden from the user. Its presence on the system can lead to identity theft, monetary loss, account hijacking, and other negative outcomes.

More examples of stealers are SantaStealer, Eternidade, and PhantomStealer.

How did VVS infiltrate my computer?

Cybercriminals often distribute malware by tricking users into opening infected files, including malicious executables, scripts, or documents such as Word, Excel, and PDF files. They utilize various channels to deliver malware, including peer-to-peer networks, infected USB drives, third-party downloaders, and fraudulent or compromised websites.

Additionally, infections may happen through deceptive emails with malicious links or attachments, deceptive advertisements (or similar content on unreliable or compromised sites), tech support scams, or vulnerabilities in outdated and unpatched software.

How to avoid installation of malware?

Always keep your operating system and applications up to date. Run regular scans using trusted security software. Download programs from official websites or reliable app stores, and avoid pirated software, cracks, or keygens.

Be cautious with unexpected or suspicious emails and messages from unknown sources, and never open attachments or click on links found in them. Avoid interacting with pop-ups, ads, buttons, or links on untrustworthy websites, and do not allow such sites to send notifications. If you believe that your computer is already infected, we recommend running a scan with Combo Cleaner Antivirus for Windows to automatically eliminate infiltrated malware.

VVS promoted on Telegram:

Instant automatic malware removal:

Manual threat removal might be a lengthy and complicated process that requires advanced IT skills. Combo Cleaner is a professional automatic malware removal tool that is recommended to get rid of malware. Download it by clicking the button below:

By downloading any software listed on this website you agree to our Privacy Policy and Terms of Use. To use full-featured product, you have to purchase a license for Combo Cleaner. 7 days free trial available. Combo Cleaner is owned and operated by RCS LT, the parent company of PCRisk.com.

Quick menu:

• What is VVS?
• STEP 1. Manual removal of VVS malware.
• STEP 2. Check if your computer is clean.

How to remove malware manually?

Manual malware removal is a complicated task - usually it is best to allow antivirus or anti-malware programs to do this automatically. To remove this malware we recommend using Combo Cleaner Antivirus for Windows.

If you wish to remove malware manually, the first step is to identify the name of the malware that you are trying to remove. Here is an example of a suspicious program running on a user's computer:

If you checked the list of programs running on your computer, for example, using task manager, and identified a program that looks suspicious, you should continue with these steps:

Download a program called Autoruns. This program shows auto-start applications, Registry, and file system locations:

Restart your computer into Safe Mode:

Windows XP and Windows 7 users: Start your computer in Safe Mode. Click Start, click Shut Down, click Restart, click OK. During your computer start process, press the F8 key on your keyboard multiple times until you see the Windows Advanced Option menu, and then select Safe Mode with Networking from the list.

Video showing how to start Windows 7 in "Safe Mode with Networking":

Windows 8 users: Start Windows 8 is Safe Mode with Networking - Go to Windows 8 Start Screen, type Advanced, in the search results select Settings. Click Advanced startup options, in the opened "General PC Settings" window, select Advanced startup.

Click the "Restart now" button. Your computer will now restart into the "Advanced Startup options menu". Click the "Troubleshoot" button, and then click the "Advanced options" button. In the advanced option screen, click "Startup settings".

Click the "Restart" button. Your PC will restart into the Startup Settings screen. Press F5 to boot in Safe Mode with Networking.

Video showing how to start Windows 8 in "Safe Mode with Networking":

Windows 10 users: Click the Windows logo and select the Power icon. In the opened menu click "Restart" while holding "Shift" button on your keyboard. In the "choose an option" window click on the "Troubleshoot", next select "Advanced options".

In the advanced options menu select "Startup Settings" and click on the "Restart" button. In the following window you should click the "F5" button on your keyboard. This will restart your operating system in safe mode with networking.

Video showing how to start Windows 10 in "Safe Mode with Networking":

Extract the downloaded archive and run the Autoruns.exe file.

In the Autoruns application, click "Options" at the top and uncheck "Hide Empty Locations" and "Hide Windows Entries" options. After this procedure, click the "Refresh" icon.

Check the list provided by the Autoruns application and locate the malware file that you want to eliminate.

You should write down its full path and name. Note that some malware hides process names under legitimate Windows process names. At this stage, it is very important to avoid removing system files. After you locate the suspicious program you wish to remove, right click your mouse over its name and choose "Delete".

After removing the malware through the Autoruns application (this ensures that the malware will not run automatically on the next system startup), you should search for the malware name on your computer. Be sure to enable hidden files and folders before proceeding. If you find the filename of the malware, be sure to remove it.

Reboot your computer in normal mode. Following these steps should remove any malware from your computer. Note that manual threat removal requires advanced computer skills. If you do not have these skills, leave malware removal to antivirus and anti-malware programs.

These steps might not work with advanced malware infections. As always it is best to prevent infection than try to remove malware later. To keep your computer safe, install the latest operating system updates and use antivirus software. To be sure your computer is free of malware infections, we recommend scanning it with Combo Cleaner Antivirus for Windows.

Frequently Asked Questions (FAQ)

My computer is infected with VVS malware, should I format my storage device to get rid of it?

Typically, formatting is not required, as malware such as VVS can be safely removed through proper cleanup using a tool like Combo Cleaner.

What are the biggest issues that malware can cause?

Malware infiltration can lead to stolen personal data, financial loss, account hijacking, system crashes, and additional infections.

What is the purpose of VVS malware?

The purpose of VVS malware is to steal sensitive information from Discord and web browsers. It can also capture screenshots.

How did a malware infiltrate my computer?

Cybercriminals spread malware by tricking users into opening infected files or clicking malicious links. Common delivery methods include USB drives, P2P networks, fake websites, phishing emails, deceptive ads, tech support scams, and exploiting unpatched software vulnerabilities.

Will Combo Cleaner protect me from malware?

Yes, Combo Cleaner can detect and remove nearly all known malware. However, advanced malware often hides deep within the system, so performing a full system scan is essential.