Hi there (I had Put this in a different forum section as well not sure which one fits its criteria appropriately)

Well I accidentally clicked on a link and it installed a worm or something onto my system and it is constantly sending out links to all my contacts on msn messenger.

the link that my friends are receiving is "h t tp://img..image-bucket.us/imgs/DCSwhd...jpg"

(Made it so you cant click on it)

Can anyone please help me with this, I have used spy-bot search and destroy as well as ESET Nod 32 and they have not detected the virus!

Any help is greatly appreciated!!
Thanks.

Do the links get sent out when you're signed in?  Or when you're offline?

I'm only aware of whilst signed in.
Thanks

Go to Start > (in XP click Run) > Type msconfig and press enter. Click the Startup tab.
These are some of the basic processes that run when Windows starts.
Look for any startup items that look suspicious, uncheck them and click OK. Restart your PC when asked.

Once restarted, run Windows Live Messenger and see if the problem continues.

If it does, download AutoRuns. This is a more advanced list and includes everything which runs at startup.
Again, look for anything suspicious which you don't recognise, uncheck them, save, and restart.

If you're unsure about the startup items, you can screenshot[?] them and post it here, we'll take a look.

Here's what I would do (I know you've done a few).

Start your computer and scan it for Viruses. Please make sure your Anti-Virus software is up to date.

Now scan for malware. (Use: http://www.malwarebytes.org - Free.)
> Make sure you clean all infections.

Change your Windows Live Password & Secret question. (Live Password Change.

Then make sure Windows Live Messenger is set not remember your password.

Restart & Sign-In.

---

Avoid clicking on dodgy link sent by contacts, don't give any personal details to websites that are not live.com. Block checkers and smiley websites than want your password are fake.

Always scan all files received by your contacts, even if your close to them. You can tell if they're telling you about something you did and your WLM ID is in the link.

---

Good Luck

Thanks for the replies!
Chrissy - I've already run malwarebytes and it was also unsuccessful. I also changed my password and I think it is still sending (Not exactly sure yet). Edit: It is continually sending out said link.

Chris- went into the msconfig startup menu and there were no out of the ordinary autoruns there. So I downloaded the reccomended and theres so much stuff on there that I have no Idea about, so I posted some screenshots here (Sorry if they are too small or too big, tell me and i will host it at photobucket, but this was quicker)













Ok That is all the of the stuff that is in autorun!
Thanks again your help has been very great!

In the first and the last screenshot there is an application from "Malware Farms" which looks suspicious. Make sure you don't just disable the startup entry, but browse to the folder where it's located and delete the file and everything associated with it.

Ok will do this, I will keep you all informed of my progress!

Thanks!

I Cannot seem to locate the file within the appdata\roaming, however when I type in hvex.exe into search, it comes up with the file, and I click open file location and it isn't in there. So I attempted to delete the file through the searcher, and it says that it cannot be deleted due to it being used elsewhere. I have closed every application and ended every proccess possible (without affecting windows) and it still doesn't let me delete it. Any suggestions?
Thanks

quote:

---

Originally posted by lavey92
it says that it cannot be deleted due to it being used elsewhere

---

Hi there again
I have run into another problem. I have followed your directions Chris and cmd just can't find the file. Here I'll put up some screen shots up of what I had put in, maybe someone can find an error or something!





Thanks a lot for all your help so far, It's greatly appreciated!
And hopefully we can get rid of this little bugger.

You need to type:
cd C:\Users\David\AppData\Roaming\
then
del hvex.exe

cd only opens folders/directories. You was trying to open the .exe file with the cd command, which you can't do.

You may also need to end the hvex.exe process if that's in Task Manager.

It Is continuing to tell me that it is invalid:



Sorry if I'm causing you a headache!
And Chris thanks for the quick replies!

After you move into C:\Users\David\AppData\Roaming\, enter dir which will list the files in that folder.

It must exist because it's in the folder when you tried to delete it using search, before...

You can also try in Task Manager: File > New Task > Enter C:\Users\David\AppData\Roaming\ and click OK, which will bring up that folder in Windows Explorer. Attempt to delete the file.

If no luck, just untick it from AutoRuns, click the save button, close it and restart your computer; see if the virus continues. Run Anti-Malware to double-check.

quote:

---

Originally posted by CookieRevised
All in all, using the CMD prompt isn't the best way to tackly this (unless you're fluent in DOS).

---

There are many reasons why the cmd method will not work

quote:

---

Originally posted by Chris4
After you move into C:\Users\David\AppData\Roaming\, enter dir which will list the files in that folder.

---

Thanks Cookie
I Deleted them from the registry, and when I type hvex.exe into the search bar, nothing comes up. However, approximatley a couple minutes later, I did searched it again and they came up. Although this type they didn't have a little picture next to it only a blank sheet (don't know if it matters). Additionally, they could not be right-clicked on, only left clicked.

I went back into the registry editor and the hvex.exe was back in there, so I deleted it and then they were gone from the search bar. I tried this about 3 times and the same thing happened everytime.

It appears to me that it is replicating itself every time it is deleted?
Thanks.

This could mean a few things:

A) There is another process monitoring the hvex.exe process. You need to find this other process and kill it first using all the same steps as before.

B) Hvex.exe itself has a way to detect when it gets killed and places a copy of itself somewhere else or starts another process when it is closed.

C) Windows does his (in such cases crappy) method of preserving accidental file removals. I'm no expert in Vista, so I can't help you with that. But it involves turning this auto-backup/restore thing off.

---------

For A and B: you could also try to log in to Windows with an account which is not infected (I hope you can sign in as Administrator) and proceed with all the steps as before. So, reboot your computer and try to log in as Admin.

Or you could use MSCONFIG:

1) In MSCONFIG, go to the 'General' tab and choose 'Selective startup'.

2) Untick 'Load startup items'

3) Click 'OK' and reboot

4) execute all the steps listed in previous post.

5) Make sure you also identify that second monitoring process!! And execute the steps listed in previous post for that process too...

6) Reboot

7) Open MSCONFIG, go to the 'General' tab and choose 'Normal startup'.

8) Click 'OK' and reboot

--

The bottom line is that you need to boot up Windows without starting the hvex.exe process (or that other process).

In fact, this should _always_ be done when you're trying to remove malware though. You should _always_ boot up Windows in such a way that only the essential Windows processes are running and nothing, absolutely nothing, else... In Windows XP for example, you can do this by booting up in Safe Mode.

This is an extremely important step which most people forget to take. Even when scanning for malware it is best to take this step because quite a lot of malware has ways to hide themself from anti-virus programs. But they can't hide themselfs if they are not running.....

Thanks for the help.
Just to clarify things up, the hvex.exe process isn't listed in the processes tab of the task manager. So if something else is monitoring it, is there something to look out for? Should I post a screen-shot of all my processes?

Thanks

quote:

---

Originally posted by lavey92
Should I post a screen-shot of all my processes?

---

Thanks for that.
I was fiddling around with unlocker and the registry and I managed to get it to delete. So I will just wait until someone tells me I have sent them a link.

I will keep you guys updated!
And everyone has been a great tonne of help!
xx for you all whether or not its deleted or not!

Well that was unsuccessfull! Still sending out links.......

Here is a screenshot of my processes:



Also you mentioned deleting that file, I cannot locate it anywhere. Could you perhaps make a guess as to where it could be located?
Thanks!

EDIT: Will perhaps deleting and reinstalling windows live messenger help with the problem?

quote:

---

Originally posted by lavey92
EDIT: Will perhaps deleting and reinstalling windows live messenger help with the problem?

---

The 1st rundll32.exe seems a bit suspect. No description or path like the other one has... It's also not something that should just be running in the background.

quote:

---

Originally posted by lavey92
Here is a screenshot of my processes:

---

quote:

---

Originally posted by lavey92
Also you mentioned deleting that file, I cannot locate it anywhere. Could you perhaps make a guess as to where it could be located?

---

quote:

---

Originally posted by lavey92
EDIT: Will perhaps deleting and reinstalling windows live messenger help with the problem?

---

Hi, I googled the virus and found this forum so thought it best to join. I'm also having the same problem with the image-bucket issue and I'm really concerned by it - the concept of some hacker having my password(s). I'm not ususally stupid when it comes to these links but I had a dumb moment.

Today, I even passed it onto another contact because while talking to a mate on msn, obviously, I sent him a youtube link and said something like "check out this song" so he assumed the link was safe but the image-bucket link actually fucking took over my youtube link and put its own in! The weird thing was, it still showed up as the normal link on my computer so it took us a minute to realise the problem.

The other thing I noticed is that it only happened with the first link I sent, after that, when I tried to send the link again, it worked fine (When I tried sending it again, I didn't know the previous one had been the ib link). I don't mean to waste your time but I just felt the need to put that story out there as it's probably something msn needs to take care of.

Basically I just joined up in the hope that someone has/will soon work out how to fix it. Sending annoying links to friends on msn is bad enough as it is but the thought of my whole online set-up now being at risk is really concerning me. From what you guys know, does this sound like a proper virus, or malware? Which do you reckon is more serious?

Hope someone can help me clear this up. Cheers.

Edit: I also scanned my machine with McAfee security scan and it found no threats to my computer but obviously something isn't write if links are being tampered with on msn and that sort of thing. Advice much welcomed and much needed. Thanks.

Follow all the advise given in this thread from the top.

quote:

---

Originally posted by Gooner Mark
as it's probably something msn needs to take care of.

---

Hi There
Thanks for the replies, sorry I haven't been in touch I have been away for the weekend

Here are all of the processes from all users.





currently making a thorough search for that .log file
will update when it finishes!

Images aren't working, lavey92. Please upload to a reliable image hosting website such as imgur or imageshack.

Edit: They're working now.

sorry didnt realise you replied! Here it is!

http://img824.imageshack.us/i/taskman1.jpg/

http://img517.imageshack.us/i/taskman2.jpg/

I havent had much news from my friends via msn about this virus spreading, none of them have said they have recieved it since i got back from my weekend trip.
However, in the search the hvex.exe doesn't come up anymore but when i type in its full previous direction in appdata and roaming, and press enter, the .exe runs itself. So this means it is still there! haha damn thing.

Furthermore, I did thorough searches to find that .log file however no results were found!
Thanks
Dave

The ThreatExpert report for hvex.exe can be found here:

http://www.threatexpert.com/report.aspx?md5=75049...a68cd607615ff12095

If you've unselected it from startup, checked for the log file and keep trying to use Unlocker and remove the exe, you should be fine for now.

Like I suggested before, Anti-Malware should remove this for you if you're unable to do it manually.

quote:

---

Originally posted by lavey92
However, in the search the hvex.exe doesn't come up anymore but when i type in its full previous direction in appdata and roaming, and press enter, the .exe runs itself.

---

It gives me a warning before running it.

I got a full version of malware bytes and it picked it up quickly and it deleted it, now it says that the file does not exist and I havent been sending any links to anybody for the past few days!

So thanks to everybody for your help!
It was greatly Appreciated!

Glad to hear you removed it finally.

lavy .. i got this fucken virus so tell me step by step what i have to do to get rid of it its makes my messenger crazy
plz help

Get the full version of malware bytes. Scan, and remove all threats

Please would be nice

Yeah what chrissy said, in the end thats what removed the virus for me completely!

However, after using allot of the stuff that other people posted on this thread managed to stop it from sending links, but the executable still stayed in my system!

So get malwarebytes full version.