Spreading Virus
lavey92
Junior Member
Posts: 16
Joined: Jun 2010
O.P. RE: Spreading Virus
Well that was unsuccessful! Still sending out links.......
Here is a screenshot of my processes:
Also you mentioned deleting that file, I cannot locate it anywhere. Could you perhaps make a guess as to where it could be located?
Thanks!
EDIT: Will perhaps deleting and reinstalling windows live messenger help with the problem?
This post was edited on 07-01-2010 at 11:55 AM by lavey92.
07-01-2010 11:49 AM

Chris4
Elite Member
Posts: 4461 Reputation: 84
33 / /
Joined: Dec 2004
RE: Spreading Virus
quote: Originally posted by lavey92
EDIT: Will perhaps deleting and reinstalling windows live messenger help with the problem?
Sure, worth a try. Thought there might be a chance the virus was inside Messenger's program files, or modified an existing program file, but probably unlikely.
I can't really see anything out of the ordinary, possibly apart from taskeng.exe which is the Task Scheduler. It may be worth going to Start > typing Task Scheduler > enter. See if there are any suspicious tasks.
Process Explorer can be used as an advanced Task Manager, which may help.
Also try my suggestion before of Anti-Malware.
This post was edited on 07-02-2010 at 03:53 AM by Chris4.
07-01-2010 03:48 PM

Spunky
Former Super Mod
Posts: 3658 Reputation: 61
36 / /
Joined: Aug 2006
RE: Spreading Virus
The 1st rundll32.exe seems a bit suspect. No description or path like the other one has... It's also not something that should just be running in the background.
<Eljay> "Problems encountered: shit blew up"
07-01-2010 10:02 PM

CookieRevised
Elite Member
Posts: 15517 Reputation: 173
– / /
Joined: Jul 2003
Status: Away
RE: Spreading Virus
quote: Originally posted by lavey92
Here is a screenshot of my processes:
You're not showing all processes. Click on "Show processes for all users"
quote: Originally posted by lavey92
Also you mentioned deleting that file, I cannot locate it anywhere. Could you perhaps make a guess as to where it could be located?
Search for it using Windows Search...
Note on using search for stuff like this: make absolutely sure you are searching "all files" and including "system and hidden" files. These settings are _not_ enabled by default. So make sure they are enabled first.
quote: Originally posted by lavey92
EDIT: Will perhaps deleting and reinstalling windows live messenger help with the problem?
No, it won't help at all.
The malware and WLM are two different programs/processes. The malware probably doesn't care what Messenger is installed either. And by uninstalling WLM you don't uninstall or remove the malware; you wouldn't even touch it. So:
1) You would still be infected if you uninstall WLM. Even though the malware might (note: 'might' - because it could be using other ways to send links) stop sending links to your contacts.
Note: since you are infected with this malware on your computer, it might be possible that this malware now also knows your login and password, and even has sent it to some unknown 'hacker'. And because you are infected, it is dead easy for the malware to detect if you have changed your password; it would simply take your latest used login and password you use for signing in to Messenger....
2) As soon as you install WLM again, everything will be back like it was before... aka: malware sending links.
This post was edited on 07-03-2010 at 05:39 AM by CookieRevised.
.-= A 'frrrrrrrituurrr' for Wacky =-.
07-02-2010 01:59 AM

Gooner Mark
New Member
Posts: 1
Joined: Jul 2010
RE: Spreading Virus
Hi, I googled the virus and found this forum so thought it best to join. I'm also having the same problem with the image-bucket issue and I'm really concerned by it - the concept of some hacker having my password(s). I'm not usually stupid when it comes to these links but I had a dumb moment.
Today, I even passed it onto another contact because while talking to a mate on msn, obviously, I sent him a youtube link and said something like "check out this song" so he assumed the link was safe but the image-bucket link actually fucking took over my youtube link and put its own in! The weird thing was, it still showed up as the normal link on my computer so it took us a minute to realise the problem.
The other thing I noticed is that it only happened with the first link I sent, after that, when I tried to send the link again, it worked fine (When I tried sending it again, I didn't know the previous one had been the ib link). I don't mean to waste your time but I just felt the need to put that story out there as it's probably something msn needs to take care of.
Basically I just joined up in the hope that someone has/will soon work out how to fix it. Sending annoying links to friends on msn is bad enough as it is but the thought of my whole online set-up now being at risk is really concerning me. From what you guys know, does this sound like a proper virus, or malware? Which do you reckon is more serious?
Hope someone can help me clear this up. Cheers.
Edit: I also scanned my machine with McAfee security scan and it found no threats to my computer but obviously something isn't right if links are being tampered with on msn and that sort of thing. Advice much welcomed and much needed. Thanks.
This post was edited on 07-02-2010 at 10:59 PM by Gooner Mark.
07-02-2010 10:57 PM

CookieRevised
Elite Member
Posts: 15517 Reputation: 173
– / /
Joined: Jul 2003
Status: Away
RE: Spreading Virus
Follow all the advice given in this thread from the top.
quote: Originally posted by Gooner Mark
as it's probably something msn needs to take care of.
MS can't do much about this sort of thing other than blocking all outgoing image-bucket links (which many other people might not like). But this doesn't prevent malware from infecting you and doesn't prevent malware using other kinds of free image services or URL services.
Bottom line is to never download/install stuff you don't know, certainly not stuff you find on random sites or even stuff sent by known people via email or IMs.
Configuring your browser correctly and understanding how things work might also help a great deal. eg: a properly configured browser shows you an "execute this file Y/N?" confirmation dialog prior to executing a so-called "image". This should alarm you that something isn't right. If the file was truly an image, the image would simply show in your browser, without a "file will be executed" dialog.
This post was edited on 07-03-2010 at 05:47 AM by CookieRevised.
.-= A 'frrrrrrrituurrr' for Wacky =-.
07-03-2010 05:46 AM

lavey92
Junior Member
Posts: 16
Joined: Jun 2010
O.P. RE: Spreading Virus
Hi There
Thanks for the replies, sorry I haven't been in touch, I have been away for the weekend.
Here are all of the processes from all users.
currently making a thorough search for that .log file
will update when it finishes!
07-04-2010 10:51 AM

Chris4
Elite Member
Posts: 4461 Reputation: 84
33 / /
Joined: Dec 2004
RE: Spreading Virus
Images aren't working, lavey92. Please upload to a reliable image hosting website such as imgur or imageshack.
Edit: They're working now.
This post was edited on 07-06-2010 at 12:48 PM by Chris4.
07-04-2010 11:45 AM

lavey92
Junior Member
Posts: 16
Joined: Jun 2010
O.P. RE: Spreading Virus
Sorry, didn't realise you replied! Here it is!
http://img824.imageshack.us/i/taskman1.jpg/
http://img517.imageshack.us/i/taskman2.jpg/
I haven't had much news from my friends via msn about this virus spreading, none of them have said they have received it since I got back from my weekend trip.
However, in the search the hvex.exe doesn't come up anymore but when I type in its full previous direction in appdata and roaming, and press enter, the .exe runs itself. So this means it is still there! haha damn thing.
Furthermore, I did thorough searches to find that .log file however no results were found!
Thanks
Dave
07-06-2010 12:37 PM

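A read-only way to run the checks suggested in this thread (searching with hidden and system files included, looking at the rundll32.exe instances, and reviewing scheduled tasks), as an added example that is not part of any post above. It assumes PowerShell 3.0 or later and an English-language Windows install (the `schtasks` column names are localized); `hvex.exe` is the file name from lavey92's post.

```powershell
# Added example (not from the thread): read-only triage; nothing is deleted or changed.
# Assumes PowerShell 3.0+ and English-language schtasks column names.

# 1) Executables and .log files under the roaming profile. -Force includes
#    hidden and system files, which a default Windows Search leaves out.
$files = Get-ChildItem -Path $env:APPDATA -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer -and ('.exe', '.log' -contains $_.Extension) }

$files | Sort-Object LastWriteTime -Descending |
    Select-Object FullName, Attributes, LastWriteTime,
        @{ Name = 'Signature'; Expression = {
            # Authenticode status only makes sense for executables
            if ($_.Extension -eq '.exe') {
                (Get-AuthenticodeSignature -FilePath $_.FullName).Status
            }
        } } |
    Format-List

# The file named in the thread, matched by name wherever it sits in the profile
$files | Where-Object { $_.Name -eq 'hvex.exe' } | Select-Object FullName, Attributes

# 2) Every rundll32.exe instance together with the command line it was started with.
#    An empty ExecutablePath or CommandLine can also mean this window is not
#    elevated, so run this from an elevated prompt before drawing conclusions.
Get-CimInstance -ClassName Win32_Process -Filter "Name = 'rundll32.exe'" |
    Select-Object ProcessId, ParentProcessId, ExecutablePath, CommandLine |
    Format-List

# 3) Scheduled tasks whose action starts something out of a user's AppData folder.
schtasks.exe /query /fo csv /v | ConvertFrom-Csv |
    Where-Object { $_.'Task To Run' -like '*\AppData\*' } |
    Select-Object TaskName, 'Task To Run', 'Run As User' |
    Format-List
```

A file that shows up in step 1 with `Hidden` or `System` in its `Attributes` column is one that a default search would not list even though typing its full path still runs it.
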
Chris4
Elite Member
Posts: 4461 Reputation: 84
33 / /
Joined: Dec 2004
07-06-2010 12:57 PM