How to eliminate Valak malware from your computer
Written by Tomas Meskauskas on (updated)
What is Valak?
Valak is malicious software that downloads JScript files and executes them. What happens next depends on the actions performed by the executed JScript files. It is very likely that cyber criminals behind Valak attempt to use this malware to cause chain infections (i.e., using Valak to distribute other malware).
Research shows that Valak is distributed through spam campaigns, however, in some cases, it infiltrates systems when they are already infected with malicious program such as Ursnif (also known as Gozi).
JScript files that are executed on infected machines through Valak might install other malicious (or even legitimate) software. Cyber criminals often use malware like Valak to infect systems with ransomware, cryptocurrency miners, remote access Trojans (RATs) or other Trojans (e.g. information stealers), etc.
Ransomware encrypts files and generates ransom messages. This malware prevents victims from accessing their files and forces them to purchase decryption software and/or keys. Cryptocurrency miners are programs that use computer hardware (such as the CPU, GPU) to mine cryptocurrency by solving mathematical problems.
In summary, cyber criminals employ infected computers to mine cryptocurrency for their own benefit. Infected computers consume more electricity and operate at reduced capacity (or do not respond at all). Mining processes can also cause hardware overheating, unexpected shutdowns (that could lead to loss of unsaved data), and other issues.
RATs are programs that allow cyber criminals to control infected machines remotely. Usually, software of this type is used to download and execute other (often malicious) files, access the microphone and webcam, log keystrokes, take screenshots, record the screen, and perform other such tasks.
In most cases, RATs are used to infect systems with other malware or steal sensitive information, which can then be misused to generate revenue. Information stealers are malicious programs that collect personal, confidential data. For example, login credentials, credit card details, data from various messaging apps, and other information of this kind.
A computer infected with Valak is therefore likely to become infected with other malware, thereby leading to other serious problems. For example, users might become victims of identity theft, suffer monetary loss, lose important data, lose access to personal accounts, experience problems relating browsing safety, online privacy, etc.
| Name | Valak virus |
| Threat Type | Trojan, password-stealing virus, banking malware, spyware. |
| Detection Names (Si.exe) | AVG (FileRepMalware), BitDefender (Trojan.GenericKD.32840092), ESET-NOD32 (A Variant Of Win32/GenKryptik.EARL), Kaspersky (Trojan.MSIL.VBSMeter.c), Full List (VirusTotal). |
| Malicious Process Name(s) | Rreedid Evenin (its name might vary). |
| Payload | Valak downloads and executes JScript, which can then distribute/install other malware. |
| Symptoms | Trojans are designed to stealthily infiltrate the victim's computer and remain silent, and thus no particular symptoms are clearly visible on an infected machine. |
| Distribution methods | Ursnif (also known as Gozi), Infected email attachments, malicious online advertisements, social engineering, software 'cracks'. |
| Damage | Stolen passwords and banking information, identity theft, the victim's computer added to a botnet. |
| Malware Removal (Windows) | To eliminate possible malware infections, scan your computer with legitimate antivirus software. Our security researchers recommend using Combo Cleaner. |
More examples of malware that share similarities with Valak include HimeraLoader, AbSent-Loader and sLoad. Commonly, programs of this type are used to spread other malware. As mentioned, Valak can achieve this by executing downloaded JScript files.
Typically, users install malicious software inadvertently when they are deceived. In any case, if Valak or other malware is installed on the computer, eliminate it immediately.
How did Valak infiltrate my computer?
Research shows that cyber criminals attempt to infect computers with Valak through spam campaigns. They send emails that contain malicious Microsoft Office documents and try to deceive recipients into opening them. When opened with MS Office version 2010 or later, the documents demand permission to enable content (macros commands).
If allowed, they then infiltrate Valak malware. Note that MS Office versions developed before 2010 do not include this 'Protected View' mode, and thus malicious documents opened with them infect systems immediately without asking any permissions.
Additionally, in some cases, Valak is installed on computers through Gozi (a.k.a. Ursnif ), other malicious program, however, this happens only when the computer is already infected with another malicious program.
How to avoid installation of malware
Do not download or install software through third party downloaders, installers, from unofficial web sites, Peer-to-Peer networks (e.g., torrent clients, eMule), free file hosting pages, or other channels of this kind. Commonly, such channels are used to distribute malware.
All software should be downloaded from official websites and via direct download links. Furthermore, installed software must be updated via implemented functions/tools that are designed by official developers. Do not open attachments or web links in irrelevant emails that are received from unknown, suspicious addresses.
Software should NEVER be activated through unofficial activation ('cracking') tools - this is illegal and often causes installation of high-risk malware. Regularly scan the computer for threats with reputable anti-spyware or antivirus software and keep the program up to date.
If you believe that your computer is already infected, we recommend running a scan with Combo Cleaner Antivirus for Windows to automatically eliminate infiltrated malware.
Malicious attachment distributing Valak ("NISSAN.doc"):
Another attachment distributing Valak ("files 04.28.2020.doc"):
Malicious Valak process running in Task Manager as "Treedid Evenin" (its name might vary):
Yet another malicious MS Word document ("Datei_05.26.2020.doc") designed to spread Valak Trojan:
Update 10 June 2020 - Cyber criminals have recently updated Valak malware, which is now capable of stealing Microsoft Outlook login credentials. Being able to gain access to victims' emails, cyber criminals can easily steal many accounts on various websites, social networks, and so on using the 'password recovery' feature.
This can eventually lead to actual identity theft, since criminals can easily misuse the account(s) to generate revenue by purchasing items, asking colleagues/friends to lend money, stealing business emails, etc.
Instant automatic malware removal:
Manual threat removal might be a lengthy and complicated process that requires advanced IT skills. Combo Cleaner is a professional automatic malware removal tool that is recommended to get rid of malware. Download it by clicking the button below:
▼ DOWNLOAD Combo Cleaner
By downloading any software listed on this website you agree to our Privacy Policy and Terms of Use. To use full-featured product, you have to purchase a license for Combo Cleaner. 7 days free trial available. Combo Cleaner is owned and operated by Rcs Lt, the parent company of PCRisk.com read more.
Quick menu:
How to remove malware manually?
Manual malware removal is a complicated task - usually it is best to allow antivirus or anti-malware programs to do this automatically.
To remove this malware we recommend using Combo Cleaner Antivirus for Windows. If you wish to remove malware manually, the first step is to identify the name of the malware that you are trying to remove. Here is an example of a suspicious program running on a user's computer:
If you checked the list of programs running on your computer, for example, using task manager, and identified a program that looks suspicious, you should continue with these steps:
Download a program called Autoruns. This program shows auto-start applications, Registry, and file system locations:
Restart your computer into Safe Mode:
Windows XP and Windows 7 users: Start your computer in Safe Mode. Click Start, click Shut Down, click Restart, click OK. During your computer start process, press the F8 key on your keyboard multiple times until you see the Windows Advanced Option menu, and then select Safe Mode with Networking from the list.
Video showing how to start Windows 7 in "Safe Mode with Networking":
Windows 8 users: Start Windows 8 is Safe Mode with Networking - Go to Windows 8 Start Screen, type Advanced, in the search results select Settings. Click Advanced startup options, in the opened "General PC Settings" window, select Advanced startup.
Click the "Restart now" button. Your computer will now restart into the "Advanced Startup options menu". Click the "Troubleshoot" button, and then click the "Advanced options" button. In the advanced option screen, click "Startup settings". Click the "Restart" button. Your PC will restart into the Startup Settings screen. Press F5 to boot in Safe Mode with Networking.
Video showing how to start Windows 8 in "Safe Mode with Networking":
Windows 10 users: Click the Windows logo and select the Power icon. In the opened menu click "Restart" while holding "Shift" button on your keyboard. In the "choose an option" window click on the "Troubleshoot", next select "Advanced options". In the advanced options menu select "Startup Settings" and click on the "Restart" button.
In the following window you should click the "F5" button on your keyboard. This will restart your operating system in safe mode with networking.
Video showing how to start Windows 10 in "Safe Mode with Networking":
Extract the downloaded archive and run the Autoruns.exe file.
In the Autoruns application, click "Options" at the top and uncheck "Hide Empty Locations" and "Hide Windows Entries" options. After this procedure, click the "Refresh" icon.
Check the list provided by the Autoruns application and locate the malware file that you want to eliminate.
You should write down its full path and name. Note that some malware hides process names under legitimate Windows process names. At this stage, it is very important to avoid removing system files. After you locate the suspicious program you wish to remove, right click your mouse over its name and choose "Delete".
After removing the malware through the Autoruns application (this ensures that the malware will not run automatically on the next system startup), you should search for the malware name on your computer. Be sure to enable hidden files and folders before proceeding. If you find the filename of the malware, be sure to remove it.
Reboot your computer in normal mode. Following these steps should remove any malware from your computer. Note that manual threat removal requires advanced computer skills. If you do not have these skills, leave malware removal to antivirus and anti-malware programs.
These steps might not work with advanced malware infections. As always it is best to prevent infection than try to remove malware later. To keep your computer safe, install the latest operating system updates and use antivirus software.
To be sure your computer is free of malware infections, we recommend scanning it with Combo Cleaner Antivirus for Windows.
Outstanding!
▼ Show Discussion