
Pages: (4): « First « 1 [ 2 ] 3 4 » Last »
Spreading Virus
lavey92
Junior Member
Posts: 16
Joined: Jun 2010
O.P. RE: Spreading Virus
Hi there again
I have run into another problem. I have followed your directions, Chris, and cmd just can't find the file. Here I'll put up some screenshots of what I had put in; maybe someone can find an error or something!

[Image: pLDubGst.jpeg]

[Image: 85wvqSmW.jpeg]

Thanks a lot for all your help so far, it's greatly appreciated!
And hopefully we can get rid of this little bugger.

This post was edited on 07-01-2010 at 08:14 AM by lavey92.
07-01-2010 08:14 AM
Chris4
Elite Member
Posts: 4461
Reputation: 84
Joined: Dec 2004
RE: Spreading Virus
You need to type:
cd C:\Users\David\AppData\Roaming\
then
del hvex.exe

cd only opens folders/directories. You were trying to open the .exe file with the cd command, which you can't do.

You may also need to end the hvex.exe process if that's in Task Manager.

This post was edited on 07-01-2010 at 08:23 AM by Chris4.
Twitter: @ChrisLozeau
07-01-2010 08:20 AM
lavey92
Junior Member
Posts: 16
Joined: Jun 2010
O.P. RE: Spreading Virus
It is continuing to tell me that it is invalid:

[Image: PUA34dLV.jpeg]

Sorry if I'm causing you a headache!
And Chris thanks for the quick replies!
07-01-2010 08:29 AM
Chris4
Elite Member
Posts: 4461
Reputation: 84
Joined: Dec 2004
RE: Spreading Virus
After you move into C:\Users\David\AppData\Roaming\, enter dir which will list the files in that folder.

It must exist because it was in the folder when you tried to delete it using search, before...

You can also try in Task Manager: File > New Task > Enter C:\Users\David\AppData\Roaming\ and click OK, which will bring up that folder in Windows Explorer. Attempt to delete the file.

If no luck, just untick it from AutoRuns, click the save button, close it and restart your computer; see if the virus continues. Run Anti-Malware to double-check.

quote:
Originally posted by CookieRevised
All in all, using the CMD prompt isn't the best way to tackle this (unless you're fluent in DOS).
Fair enough, it was just a method which worked fine for me recently to delete a file which was "being used by another process", so I thought I'd give it a try here. Unlocker does the same thing, like you mentioned.

This post was edited on 07-01-2010 at 08:59 AM by Chris4.
Twitter: @ChrisLozeau
07-01-2010 08:34 AM
CookieRevised
Elite Member
Posts: 15519
Reputation: 173
Joined: Jul 2003
Status: Away
RE: Spreading Virus
There are many reasons why the cmd method will not work.
quote:
Originally posted by Chris4
After you move into C:\Users\David\AppData\Roaming\, enter dir which will list the files in that folder.
If del said the file can't be found then dir will certainly not do any good.

The file might be hidden for starters (although in that case del should have worked if it was just hidden, though there are other file attributes which might prevent the file from being deleted)...

All in all, using the CMD prompt isn't the best way to tackle this (unless you're fluent in DOS).

----------

Note about AutoRuns:

1) Don't untick an entry if you want to permanently remove it. Instead choose "Delete" from the right-click context menu.
Unticking an entry will simply remove the entry from that registry key, but a backup will still be saved by AutoRuns.

2) "Save" will export the current list, it will not remove any entries at all.

3) AutoRuns will only show the entries for the currently logged-in user. There are also entries for the Administrator, for example. You can switch between users by going to the User menu and selecting the appropriate user. What you remove in one user account might still exist in another user account (e.g. the admin account).

----------

Note about hvex.exe:

Judging from your screenshots, the hvex.exe tool was made in Visual Basic (it has that typical default VB form icon). This is a very big indicator of something fishy.

If it is indeed some malware made in VB, chances are very high that it won't be detected by any anti-malware program.

This is because such malware is typically made by so-called script kiddies and there are 1001 variations of such stuff (and anybody can make it). In fact, it probably doesn't do anything out of the ordinary, code-wise that is. In comparison: WLM itself does far more "dangerous" and "suspicious" coding stuff. The difference is that WLM doesn't do things you do not want and doesn't try to hide it (ok, bugs set aside :p). Hvex.exe probably also doesn't have any virus-like behaviour, which is spreading and infecting other files and people. It simply spams your contacts with links (and tries to infect them indirectly in that way). It is unfortunately a very common IM-malware method these days...

All in all, it is "normal" that it won't be detected by any anti-malware or anti-virus tools, unfortunately.

----------

What you can try instead:

1) Go to your Task Manager and kill every hvex.exe process

2) Open AutoRuns and find that hvex.exe entry again.

3) Right click on that entry and choose "Jump to"

4) In the Registry Editor which popped up, delete the hvex.exe entry which is shown (right click on it and choose "Delete" or "Remove".)

5) Click on the very top of the registry tree (you can quickly go there by pressing the 'Home' button on your keyboard)

6) Search for any other hvex.exe string in your registry (Press 'CTRL'+'F' to open the Search dialog) and remove every entry you've found.

7) Download and install the tool called Unlocker

8) Open your Windows Search and enter hvex.exe (just like you did here).

9) Right click on the found entries and choose "Unlocker"

10) In the Unlocker dialog, choose "Unlock all" if you can

11) Attempt to remove the files directly from the Windows Search dialog (just like you did here)

12) Uninstall Unlocker again. Or at least, remove the UnlockerAssistant from your Run registry key (you could again use AutoRuns for this) as this is not really needed.

This post was edited on 07-01-2010 at 09:15 AM by CookieRevised.
.-= A 'frrrrrrrituurrr' for Wacky =-.
07-01-2010 08:52 AM
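An added example for the AutoRuns note above (this is not code from the thread or from the AutoRuns tool): a PowerShell script that walks the Run and RunOnce keys of HKLM and of every user hive currently loaded under HKEY_USERS, resolves the executable each entry launches and prints that file's attributes, so a Hidden or System file that del or Windows Search did not show still appears in the listing. Only hives of accounts that are logged on (plus the service accounts) are loaded under HKEY_USERS, so an account that has not signed in since boot still has to be checked from its own session, which is the per-user point the post makes. The default search string hvex.exe is the file name from this thread; the parameter name Needle and the helper Get-CommandImage are this example's own.

```powershell
# Added example, not code from the thread or from AutoRuns.
# Lists Run/RunOnce autostart entries for the machine and for every loaded
# user hive, resolves the image each entry launches and shows its attributes.
param(
    [string]$Needle = 'hvex.exe'   # substring to flag in autostart command lines (thread's file name)
)

$runSubKeys = @(
    'Software\Microsoft\Windows\CurrentVersion\Run',
    'Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Machine-wide hive first, then each loaded user hive. The *_Classes hives hold
# file associations, not Run keys, so they are skipped.
$roots = @('HKLM:')
$roots += Get-ChildItem 'Registry::HKEY_USERS' |
    Where-Object { $_.PSChildName -notlike '*_Classes' } |
    ForEach-Object { "Registry::HKEY_USERS\$($_.PSChildName)" }

# Properties Get-ItemProperty adds to every result; they are not registry values.
$psNoise = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Get-CommandImage {
    # Pull the executable path out of an autostart command line: the first
    # double-quoted token, or else the first whitespace-delimited token, with
    # %VARIABLES% expanded so entries such as %APPDATA%\x.exe resolve.
    param([string]$CommandLine)
    if ($CommandLine -match '^\s*"([^"]+)"') { $image = $Matches[1] }
    elseif ($CommandLine -match '^\s*(\S+)') { $image = $Matches[1] }
    else { return $null }
    return [Environment]::ExpandEnvironmentVariables($image)
}

$results = foreach ($root in $roots) {
    foreach ($sub in $runSubKeys) {
        $key = "$root\$sub"
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $props = Get-ItemProperty -LiteralPath $key
        foreach ($p in $props.PSObject.Properties) {
            if ($psNoise -contains $p.Name) { continue }
            $cmd   = [string]$p.Value
            $image = Get-CommandImage $cmd
            # -Force makes Get-Item return Hidden and System files as well.
            $file  = $null
            if ($image) {
                $file = Get-Item -LiteralPath $image -Force -ErrorAction SilentlyContinue
            }
            $attrs = '(not found)'
            if ($file) { $attrs = $file.Attributes.ToString() }
            [pscustomobject]@{
                Hive       = $root
                Key        = $sub.Split('\')[-1]
                Name       = $p.Name
                Flagged    = ($cmd -match [regex]::Escape($Needle))
                FileExists = [bool]$file
                Attributes = $attrs
                Command    = $cmd
            }
        }
    }
}

# Flagged entries first; the Attributes column shows Hidden/System/ReadOnly
# flags that would stop a plain del, and '(not found)' when the image is gone.
$results | Sort-Object -Property Flagged -Descending |
    Format-Table -AutoSize Hive, Key, Name, Flagged, FileExists, Attributes, Command
```

Run it from an elevated prompt so the HKEY_USERS hives of other logged-on accounts are readable; the Hive column then shows which account an entry belongs to, which is what AutoRuns' User menu switches between.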
lavey92
Junior Member
Posts: 16
Joined: Jun 2010
O.P. RE: Spreading Virus
Thanks Cookie
I deleted them from the registry, and when I type hvex.exe into the search bar, nothing comes up. However, approximately a couple of minutes later, I searched it again and they came up. Although this time they didn't have a little picture next to it, only a blank sheet (don't know if it matters). Additionally, they could not be right-clicked on, only left-clicked.

I went back into the registry editor and the hvex.exe was back in there, so I deleted it and then they were gone from the search bar. I tried this about 3 times and the same thing happened every time.

It appears to me that it is replicating itself every time it is deleted?
Thanks.
07-01-2010 09:15 AM
CookieRevised
Elite Member
Posts: 15519
Reputation: 173
Joined: Jul 2003
Status: Away
RE: Spreading Virus
This could mean a few things:

A) There is another process monitoring the hvex.exe process. You need to find this other process and kill it first using all the same steps as before.

B) Hvex.exe itself has a way to detect when it gets killed and places a copy of itself somewhere else or starts another process when it is closed.

C) Windows does its (in such cases crappy) method of preserving accidental file removals. I'm no expert in Vista, so I can't help you with that. But it involves turning this auto-backup/restore thing off.

---------

For A and B: you could also try to log in to Windows with an account which is not infected (I hope you can sign in as Administrator) and proceed with all the steps as before. So, reboot your computer and try to log in as Admin.

Or you could use MSCONFIG:

1) In MSCONFIG, go to the 'General' tab and choose 'Selective startup'.

2) Untick 'Load startup items'

3) Click 'OK' and reboot

4) execute all the steps listed in previous post.

5) Make sure you also identify that second monitoring process!! And execute the steps listed in previous post for that process too...

6) Reboot

7) Open MSCONFIG, go to the 'General' tab and choose 'Normal startup'.

8) Click 'OK' and reboot

--

The bottom line is that you need to boot up Windows without starting the hvex.exe process (or that other process).

In fact, this should _always_ be done when you're trying to remove malware. You should _always_ boot up Windows in such a way that only the essential Windows processes are running and nothing, absolutely nothing, else... In Windows XP for example, you can do this by booting up in Safe Mode.

This is an extremely important step which most people forget to take. Even when scanning for malware it is best to take this step because quite a lot of malware has ways to hide itself from anti-virus programs. But it can't hide itself if it is not running.....
.-= A 'frrrrrrrituurrr' for Wacky =-.
07-01-2010 09:33 AM
lavey92
Junior Member
Posts: 16
Joined: Jun 2010
O.P. RE: Spreading Virus
Thanks for the help.
Just to clarify things up, the hvex.exe process isn't listed in the processes tab of the task manager. So if something else is monitoring it, is there something to look out for? Should I post a screen-shot of all my processes?

Thanks
07-01-2010 09:51 AM
CookieRevised
Elite Member
Posts: 15519
Reputation: 173
Joined: Jul 2003
Status: Away
RE: RE: Spreading Virus
quote:
Originally posted by lavey92
Should I post a screen-shot of all my processes?
Absolutely.

But

1) Make sure you enlarge the columns widths so the entire entry names can be seen!!

2) Also enable the columns 'Username' and 'Image Path Name'. You can do this in the menu 'View' > 'Select columns...' (or see here for instructions)

3) Sort the list on 'Username' (click on its column header)

----------

In regards to hvex.exe:

After some quick checking I can say that hvex.exe is malware for sure. It was created in Visual Basic 6, as I suspected before.

It probably copies itself with random names. But there is one file which it uses which is always the same name: Bff17DCdk0.log

This is one of the files created by hvex.exe. However, it is not a textual log file as the name might lead you to think; it is actually a DLL file used by hvex.exe (maybe a copy of itself?). So, remove this file too.

hvex.exe also does some things in your Temporary Windows Files (TEMP). Probably copying itself to here in order to monitor itself.

This post was edited on 07-01-2010 at 10:12 AM by CookieRevised.
.-= A 'frrrrrrrituurrr' for Wacky =-.
07-01-2010 10:04 AM
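An added example covering the two CookieRevised posts above (the possible second process that monitors and respawns the malware, and the Task Manager list with the Username and Image Path columns); it is not code from the thread. This PowerShell script builds that process list from Win32_Process, and for a named process prints its parent chain and children, which is where a monitoring/respawning pair shows up. It then lists every process whose image runs from %TEMP%, %APPDATA% or %LOCALAPPDATA%, the user-writable locations the posts say the malware copies itself to. hvex.exe is the process name from this thread; the parameter name Suspect and the helper Get-ParentChain are this example's own.

```powershell
# Added example, not code from the thread.
# Process inventory with owner, image path and parent links, plus a view of
# processes running from user-writable folders.
param(
    [string]$Suspect = 'hvex.exe'   # process name to trace (thread's file name)
)

# Win32_Process carries ParentProcessId and ExecutablePath; GetOwner() yields
# the account the process runs as (Task Manager's 'Username' column).
$procs = Get-CimInstance Win32_Process | ForEach-Object {
    $owner = Invoke-CimMethod -InputObject $_ -MethodName GetOwner -ErrorAction SilentlyContinue
    $user = '(n/a)'
    if ($owner -and $owner.User) { $user = "$($owner.Domain)\$($owner.User)" }
    [pscustomobject]@{
        Pid       = [int]$_.ProcessId
        ParentPid = [int]$_.ParentProcessId
        Name      = $_.Name
        User      = $user
        Path      = $_.ExecutablePath
        Started   = $_.CreationDate
    }
}
$byPid = @{}
foreach ($p in $procs) { $byPid[$p.Pid] = $p }

# Folders a standard user can write to without elevation. Legitimate software
# normally installs elsewhere, so executables running from here deserve a look.
$userWritable = @($env:TEMP, $env:APPDATA, $env:LOCALAPPDATA) |
    Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') + '\' }

function Get-ParentChain {
    # Walk ParentProcessId upward until the chain ends or repeats (PID 0 is
    # its own parent, so a loop guard is needed).
    param([int]$StartPid)
    $chain = @(); $seen = @{}
    $cur = $byPid[$StartPid]
    while ($cur -and -not $seen.ContainsKey($cur.Pid)) {
        $seen[$cur.Pid] = $true
        $chain += $cur
        $cur = $byPid[$cur.ParentPid]
    }
    return $chain
}

Write-Host "=== Processes named '$Suspect': parent chain and children ==="
$hits = $procs | Where-Object { $_.Name -ieq $Suspect }
if (-not $hits) { Write-Host "(no running process named $Suspect)" }
foreach ($h in $hits) {
    Write-Host "`n$($h.Name) PID $($h.Pid) as $($h.User) from $($h.Path)"
    Write-Host "  parent chain:"
    Get-ParentChain $h.Pid | Select-Object -Skip 1 |
        ForEach-Object { Write-Host "    <- $($_.Name) PID $($_.Pid) ($($_.Path))" }
    Write-Host "  children:"
    $procs | Where-Object { $_.ParentPid -eq $h.Pid } |
        ForEach-Object { Write-Host "    -> $($_.Name) PID $($_.Pid) ($($_.Path))" }
}

Write-Host "`n=== Processes running from user-writable locations ==="
$procs | Where-Object {
    $path = $_.Path
    $path -and ($userWritable | Where-Object { $path.StartsWith($_, 'OrdinalIgnoreCase') })
} | Sort-Object User, Name | Format-Table -AutoSize Pid, ParentPid, User, Name, Path

Write-Host "`n=== Full list sorted by user (the view the thread asks for) ==="
$procs | Sort-Object User, Name | Format-Table -AutoSize Pid, ParentPid, User, Name, Path
```

Run it from an elevated prompt, otherwise Path and User stay empty for processes owned by other accounts. A parent that is itself running from a user-writable folder, or a child that reappears each time the named process is ended, is the second process the post says to track down before deleting the file.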
lavey92
Junior Member
Posts: 16
Joined: Jun 2010
O.P. RE: Spreading Virus
Thanks for that.
I was fiddling around with unlocker and the registry and I managed to get it to delete. So I will just wait until someone tells me I have sent them a link.

I will keep you guys updated!
And everyone has been a great tonne of help! :)
xx for you all whether or not it's deleted!
07-01-2010 11:28 AM