
ALERT virus 'intervalhehehe' urgent help needed

Discussion in 'Windows - Virus and spyware problems' started by sadfart, Nov 29, 2008.

  1. cdavfrew

    cdavfrew Regular member

    Hey sadfart

    Yes, bertumx's instructions were what I was leading up to. You shouldn't need winzip or jzip to unzip a zip file; windows has it naturally.

    Here are the instructions:

    Go to C:\Windows\system32\drivers\etc\, and find a file called hosts. Open this file in notepad, and delete everything under "127.0.0.1 localhost". Save this file, and restart your computer.

    Is your problem fixed now?

    Best Regards :D
  2. Lisha

    Lisha Member

    Hi,

    I had the same intervalhehehe virus and I have followed the steps on a few forums on how to resolve the issue.

    Some people are saying they can't delete the host websites because it says it's an invalid path. I had the same problem and I found a way of fixing it. I don't know whether it is a good way, but it worked for me.

    Copy the host file and paste it onto the desktop. Then delete everything in the desktop file (the infected host names). Once the desktop file is blank save it. You can then cut the file from the desktop and paste it into the original folder so it overwrites the unable to delete file.

    You should now be able to access websites. I would recommend still checking for viruses though.

    (I hope this made sense)
  3. sadfart

    sadfart Member

    Thanks Cdav and other contributors,
    Really appreciated all your help, I owe you all a big pint of Guinness.
    I believe the matter is resolved, although just curious do you think it is safe to do my online banking or buy online with my credit card using this computer?

    I have copied below the latest path I used which has hopefully sorted me out, or at least my computer.

    Keep up the good work Cdav and let's hope I don't have to contact you in the near future.

    POST
    Got this in the same way as everyone else. I am an IT professional but that doesn't mean this will be perfect since it isn't quite my domain!

    Anyway, I'll try to explain in as simple terms as I know how.

    Good news is that I think I am all fixed now.

    Most importantly, you should fix this asap. Don't go to your banking sites or use Outlook or anything like that until you are fixed. If you are paranoid then re-install Windows. If like me you want to do a DIY fix then here's how I did it.

    First I uninstalled WinRar and deleted the folders. You still get the annoying messages.

    Then I downloaded a bunch of anti-malware, making sure that in every instance it came from a pukka site. This means ignoring the "megafilesharezone" type sites offered by Google and going to the vendor's site and following only their instructions to valid "mirrors" or download servers. If you are having trouble getting Google to work then this takes you direct to SpyBot S&D:

    http://www.safer-networking.org/en/downl...

    You can trust me and go straight there (!); use another PC and use a USB key to transfer them to the infected machine (safe to do in this case as far as I can tell), or if you know another language then my guess is a foreign Google such as www.google.fr should bypass the problem (the malware only affects the UK and US Google addresses, I think).

    Rule 1 is to run these in Safe Mode (reboot, press F8 and then boot windows in "Safe Mode with Networking"). Can't be sure, but the socially inept, friendless, tiny mahood person who designed intervalhehehe seems to have got it to avoid detection in normal Windows mode.

    This will take up to an hour or so depending on your machine and the amount of files you have.

    For reference, the anti-malware that actually got the stuff was Spybot S&D updated with the latest files. I also ran CCleaner, MV RegClean and Malwarebytes - all of them spotted some things but not necessarily this. I had Trend anti-virus installed but this didn't spot anything.

    Run these until the scans come back clean, then reboot into normal mode. You should have no annoying messages now. If you do, then my answer hasn't worked for you.

    Once that was done, some smart cookie on the net suggested that if you are still getting Chinese Google / fake Microsoft site syndrome then your hosts file has been tampered with. If you're interested (which you certainly don't have to be to solve this!), the hosts file tells your machine that certain requests for URLs by any of your browsers should ignore the real site (to do with a service called DNS) and go to wherever the file tells it to - in this case, requests for Google and a few other sites are being sent to a malware site or Chinese Google. For me, this was absolutely the case.

    For those not familiar with this it is perfectly safe and easy to repair:

    Go to C:/Windows/system32/drivers/etc/hosts

    Open this in notepad (ignoring system messages telling you that you ought not to play with these files) and delete everything. Then to return to the windows original add this single line and then save:

    127.0.0.1 localhost

    If you don't trust my reply here check on the web for "windows host file" example and you should find that's OK!

    If you see another version of this with lots of text in it don't worry that the descriptive text above the line above isn't there; windows will ignore that since it was for your benefit only. Or add it in, it really doesn't matter.

    Note: If you are using a PC which has IIS or Apache or some other reason to have a special hosts file then you may need to reconstruct your host file a little more carefully but then if you are doing that, refer to the documentation for that!

    That should return you back to normal.
  4. jeedai555

    jeedai555 Member

    Malwarebytes' Anti-Malware 1.31
    Database version: 1482
    Windows 5.1.2600 Service Pack 1

    12/10/2008 5:09:45 AM
    mbam-log-2008-12-10 (05-09-45).txt

    Scan type: Full Scan (C:\|)
    Objects scanned: 99061
    Time elapsed: 25 minute(s), 49 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 9
    Registry Values Infected: 9
    Registry Data Items Infected: 0
    Folders Infected: 3
    Files Infected: 8

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CLASSES_ROOT\cdmyidd.securitytoolbar (Trojan.BHO) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\TypeLib\{cd24eb02-9831-4838-99d0-726d411b1328} (Trojan.BHO) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{f20da564-9254-49fe-a678-cc3cef172252} (Trojan.BHO) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{a26503fe-b3b8-4910-a9dc-9cbd25c6b8d6} (Trojan.BHO) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{a26503fe-b3b8-4910-a9dc-9cbd25c6b8d6} (Trojan.BHO) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\cdmyidd.securitytoolbar.1 (Trojan.BHO) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8c875948-9c60-4381-9248-0df180542d53} (Adware.Hotbar) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{37b85a2b-692b-4205-9cad-2626e4993404} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Outlook\Addins\SbHostOL.MailAnim (Adware.Hotbar) -> Quarantined and deleted successfully.

    Registry Values Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{a26503fe-b3b8-4910-a9dc-9cbd25c6b8d6} (Trojan.BHO) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\{a26503fe-b3b8-4910-a9dc-9cbd25c6b8d6} (Trojan.BHO) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{a26503fe-b3b8-4910-a9dc-9cbd25c6b8d6} (Trojan.BHO) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{37b85a29-692b-4205-9cad-2626e4993404} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{37b85a29-692b-4205-9cad-2626e4993404} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\{37b85a29-692b-4205-9cad-2626e4993404} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vrmon (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform\spamblockerutility 4.7.1 (Adware.Hotbar) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Exchange\Client\Extensions\spam blocker for ms outlook (Adware.Hotbar) -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    C:\Program Files\MyGlobalSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyGlobalSearch\bar (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyGlobalSearch\bar\1.bin (Adware.MyWebSearch) -> Quarantined and deleted successfully.

    Files Infected:
    C:\Documents and Settings\Chris Natividad\Local Settings\Application Data\CyberDefender\cdmyidd.dll (Trojan.BHO) -> Quarantined and deleted successfully.
    C:\Program Files\MyGlobalSearch\bar\1.bin\M9FFXTBR.MANIFEST (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyGlobalSearch\bar\1.bin\M9NTSTBR.MANIFEST (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyGlobalSearch\bar\1.bin\M9PLUGIN.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyGlobalSearch\bar\1.bin\MGSBAR.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyGlobalSearch\bar\1.bin\NPMYGLSH.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\WINDOWS\Downloaded Program Files\SpamBlockerUtility.inf (Adware.Hotbar) -> Quarantined and deleted successfully.
    C:\WINDOWS\smdat32m.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
  5. jeedai555

    jeedai555 Member

    Hello, I am still having issues trying to get rid of that virus. Can someone please help me? I am not very tech savvy and I have done my best to follow everyone's instructions.

    Thank you for your time and help
  6. sadfart

    sadfart Member

    Hi jeedai555,
    I know how you feel; I have copied below the instructions that even I could follow. In order to find the C/Windows file, right click on the Start button and then open the Windows box from the drop-down list of files, then look for the system32 folder, open it, then look for the drivers folder, open it and then open the etc folder and you will see the hosts folder on the right hand side of the screen. Right click on the hosts folder and press on the Notepad option; you will then get a list of files including yahoo, google etc. Select all and delete them, then paste the following: 127.0.0.1 localhost
    The above is only a summary of the post below, but it is important that before you do the above you start at rule 1 below.

    It worked for me and I have to say I was looking for a number of days for a solution I could follow.

    Good luck

    Sadfart


    POST
    Rule 1 is to run these in Safe Mode (reboot, press F8 and then boot windows in "Safe Mode with Networking"). Can't be sure, but the socially inept, friendless, tiny mahood person who designed intervalhehehe seems to have got it to avoid detection in normal Windows mode.

    This will take up to an hour or so depending on your machine and the amount of files you have.

    For reference, the anti-malware that I used was Spybot S&D updated with the latest files. I also ran Avast anti virus (free Download from internet) and Malwarebytes - all of them spotted some things but not necessarily this.
    Run these until the scans come back clean, then reboot into normal mode. You should have no annoying messages now. If you do, then my answer hasn't worked for you.

    Once that was done, some smart cookie on the net suggested that if you are still getting Chinese Google / fake Microsoft site syndrome then your hosts file has been tampered with. If you're interested (which you certainly don't have to be to solve this!), the hosts file tells your machine that certain requests for URLs by any of your browsers should ignore the real site (to do with a service called DNS) and go to wherever the file tells it to - in this case, requests for Google and a few other sites are being sent to a malware site or Chinese Google. For me, this was absolutely the case.

    For those not familiar with this it is perfectly safe and easy to repair:

    Go to C:/Windows/system32/drivers/etc/hosts

    Open this in notepad (ignoring system messages telling you that you ought not to play with these files) and delete everything. Then to return to the windows original add this single line and then save:

    127.0.0.1 localhost

    If you don't trust my reply here check on the web for "windows host file" example and you should find that's OK!

    If you see another version of this with lots of text in it don't worry that the descriptive text above the line above isn't there; windows will ignore that since it was for your benefit only. Or add it in, it really doesn't matter.
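The hosts-file redirection described in this post (and in the same text quoted earlier in the thread) can be checked and cleaned with a small script rather than by eye. This is an added example, not code from the thread; the sample file contents and the 203.0.113.x addresses are constructed, and the checker treats any non-localhost name mapped to a routable address as a redirect of the kind described above, while names mapped to a loopback address are reported separately because they block a site rather than redirect it.

```python
import ipaddress

# Constructed sample of a tampered Windows hosts file (not taken from the thread).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
203.0.113.10    www.google.com google.com   # redirect: search traffic sent elsewhere
203.0.113.11    www.microsoft.com update.microsoft.com
127.0.0.1       ad.doubleclick.net          # sinkhole: blocks rather than redirects
"""

LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

def parse_hosts(text):
    """Return (line_no, ip, [hostnames]) for every active mapping; comments are dropped."""
    entries = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()       # strip full-line and inline comments
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                              # malformed line, not a valid address
        entries.append((n, ip, [h.lower() for h in parts[1:]]))
    return entries

def find_hijacks(text):
    """Split mappings into redirects (name -> routable address, the pattern in the thread)
    and sinkholes (name -> loopback, which only blocks the site)."""
    hijacks, sinkholes = [], []
    for n, ip, names in parse_hosts(text):
        real = [h for h in names if h not in LOOPBACK_NAMES]
        if not real:
            continue                              # the stock '127.0.0.1 localhost' line
        (sinkholes if ip.is_loopback else hijacks).append((n, str(ip), real))
    return hijacks, sinkholes

def rebuild_hosts(text, keep_sinkholes=False):
    """Cleaned file: comments and loopback-only lines survive, redirects are dropped,
    and the default '127.0.0.1 localhost' line is always present."""
    kept = [raw for raw in text.splitlines() if raw.lstrip().startswith("#")]
    for _, ip, names in parse_hosts(text):
        real = [h for h in names if h not in LOOPBACK_NAMES]
        if not real or (keep_sinkholes and ip.is_loopback):
            kept.append(f"{ip}\t{' '.join(names)}")
    if not any(l.split()[:2] == ["127.0.0.1", "localhost"] for l in kept):
        kept.append("127.0.0.1\tlocalhost")
    return "\n".join(kept) + "\n"
```

Run `find_hijacks` on the real file's contents before editing it, so that a legitimate entry (a local web server or an ad-blocking list) is not thrown away along with the redirects.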
  7. jamiegren

    jamiegren Guest

    hey sadfart

    I just followed everything to get out of this annoying situation, but when I get to the part where I delete everything in the HOSTS file and paste the localhost in the file and save, it will not let me save it. Why is this? It's the last step and it's frustrating me. Hope to hear from you very soon.

    cheers

    jamiegren
  8. Madscrill

    Madscrill Member

    Hey, not sure if you're still checking this but maybe this will help somebody... I got the same thing about an hour ago the same way you did. Here's what you do.

    Ctrl-Alt-Del and get your Task Manager running.

    End this process "explore"
    NOT "explorer".

    From there you can scan and more than likely find the file and have it quarantined or deleted. If not, it's in your temp folder.

    c:\documents and settings\%username(you)%\local settings\temp\(the culprit file should be something along the lines of IX00 something or another..Delete this file)

    Once deleted you can go about fixing the hosts entries intervalhehehe has jacked with.

    Easiest way is to just search your computer for "hosts" and you will come up with 2 or 3 results (if you don't wanna search for it then here is the path C:\WINDOWS\system32\drivers\etc )

    Hosts
    lmhosts
    and such

    Right click the "hosts" file and open with Notepad.

    Select all of the text in there and delete it, then save the file.

    This last step will fix Internet Explorer to where you can access all your websites now.

    NOTE: If you use Firefox, open it and clear all of your private/saved data and your cookies. (This one took me a while to figure out.)

    After which restart your computer. You should be good to go.

    I'll try to check back and see how you fare. Hope this helps others as well.
  9. h2lickwid

    h2lickwid Guest

    If you can't save over the "hosts" file because it is read-only, right click it, press Properties, uncheck Read-only, then save over it. Good luck