Intervalheheheh - Virus, Please Help

totalsolutions

Extract from http://forums.vnunet.com, Andy Greenwood

"Windows defender picked this up and located a file in the following location:
C:\Windows\System32\

appropriately named: intervalhehehe.rar deleting this stopped the popups. A couple of mins later, I wanted to do a search on google.com and a fake Microsoft site popped up asking me to download some dodgy antivirus software.

At this point I realised the !!!!!!s had changed my host file too. So, popular sites I wanted to visit such as MSN.com, Google, Facebook etc.... The page which would popup would be the dodgy microsoft page.

I run Vista on my laptop, so to XP users and mac I appologise as I dont know how to resolve on these platforms. But if you are on vista, you need to delete all dodgy IP's from this host file. To do this follow this route to your 'hosts' file:

C:\Windows\System32\drivers\etc\

Opening this file with notepad, you will see a list of website addresses and IP addresses too this is what you need to delete as these are the IP addresses your browser defaults to if you type in one of those URL's.

If your pc does not allow you to delete the text in this file and save, this is probably because you need administrator access to the file. To do this, follow the following instruction:

Click: start menu > all programs > accessories > (rightclick) notepad > run as administrator.

Then locate the hosts file again - C:\Windows\System32\drivers\etc\hosts
If no files appear there will be a drop down box, select "All files (*.*)" and 'hosts' will appear in a list.

Open 'hosts' with a double click and you should then be able to delete and save the text in the 'hosts' folder.

Now you should be back to normal!"

wallbash

Better posting than mine:beer:

But the info also works with XP

lucygotit

Cheers I shall try it when I get home from work this evening and post back

lucygotit

Do I just need to clear my host file and then the virus will have gone?
At the moment everything is in English!

lucygotit

How do I delete the host file??? Sorry Im not very computer minded

MikeWhitehead

Ummmm...don't delete the host file lol. Easier just:

Open hosts in notepad. It's located in %systemdrive%\Windows\drivers\etc
Delete all lines other than "127.0.0.1 localhost" and any that you have added personally. If you aren't sure which to delete, post them here (it's ok to post host entries, right?)

All of this is off the top of my head while I watch TV, but there shouldn't be any errors.

Reluctant_spender

Try this host manager, it will allow you to reset your host file to the windows default;

Download HostsXpert.zip

• Extract (unzip) HostsXpert.zip to a a permanent folder on your hard drive such as C:\HostsXpert
• Double-click HostsXpert.exe to run the program.
• Click "Make Hosts Writable?" in the upper left corner (Only If available).
• Click "Restore Microsoft's Hosts file" and then click "OK".
• Click the X to exit the program.

Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.

When that is done try this online scanner;

Please go to Eset Onlinescan (NOD32)
(You need to use InternetExplorer or enable IEView in Firefox)

• You will then see the Terms of Use, tick the check-box infront of YES, I accept the Terms of Use
• Now click Start
• Should you face a Security Warning that asks if you want to install and run a file called "OnlineScanner.cab", click Yes
• Click Start (the Onlinescanner will now prepare itself for running on your pc)
• To do a full-scan, tick: "Remove found threats" and "Scan potentially unwanted applications"
• Press Scan
  The Onlinescan will now start and scan your pc (please let it run to completion)
• When the scan has finished, it will show a screen with two tabs "overview" and "details" and the option to get information or buy software, just close the window
• Click Start >> Run... >> type: C:\Program Files\EsetOnlineScanner\log.txt
  The Scan results will now open in Notepad
• Click into the text area, right-click and chose "select all"
• Right-click again and chose "copy"
• Close Notepad

Note for Vista Users: Eset is compatible but Internet Explorer must be run as Administrator. To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select "Run as Administrator" from the context menu.)

Include this log in your reply by right-clicking and "paste" in the text area of the reply post you just created.

lucygotit

Reluctant_spender wrote: »

Try this host manager, it will allow you to reset your host file to the windows default;

Download HostsXpert.zip

• Extract (unzip) HostsXpert.zip to a a permanent folder on your hard drive such as C:\HostsXpert
• Double-click HostsXpert.exe to run the program.
• Click "Make Hosts Writable?" in the upper left corner (Only If available).
• Click "Restore Microsoft's Hosts file" and then click "OK".
• Click the X to exit the program.

Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.

When that is done try this online scanner;

Please go to Eset Onlinescan (NOD32)
(You need to use InternetExplorer or enable IEView in Firefox)

• You will then see the Terms of Use, tick the check-box infront of YES, I accept the Terms of Use
• Now click Start
• Should you face a Security Warning that asks if you want to install and run a file called "OnlineScanner.cab", click Yes
• Click Start (the Onlinescanner will now prepare itself for running on your pc)
• To do a full-scan, tick: "Remove found threats" and "Scan potentially unwanted applications"
• Press Scan
  The Onlinescan will now start and scan your pc (please let it run to completion)
• When the scan has finished, it will show a screen with two tabs "overview" and "details" and the option to get information or buy software, just close the window
• Click Start >> Run... >> type: C:\Program Files\EsetOnlineScanner\log.txt
  The Scan results will now open in Notepad
• Click into the text area, right-click and chose "select all"
• Right-click again and chose "copy"
• Close Notepad

Note for Vista Users: Eset is compatible but Internet Explorer must be run as Administrator. To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select "Run as Administrator" from the context menu.)

Include this log in your reply by right-clicking and "paste" in the text area of the reply post you just created.

I followed the above and this is what it says, don't understand it myself but I'm sure it does to Reluctant_spender


# version=4
# OnlineScanner.ocx=1.0.0.635
# OnlineScannerDLLA.dll=1, 0, 0, 79
# OnlineScannerDLLW.dll=1, 0, 0, 78
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3679 (20081209)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.064 (20070717)
# EOSSerial=f6618989fe116e49940b4d11681da110
# end=finished
# remove_checked=true
# unwanted_checked=true
# utc_time=2008-12-09 11:53:12
# local_time=2008-12-09 11:53:12 (+0000, GMT Standard Time)
# country="United Kingdom"
# osver=5.1.2600 NT Service Pack 2
# scanned=297528
# found=59
# scan_time=3518
C:\WINDOWS\system32\explore.exe probably unknown NewHeur_PE virus (unable to clean - deleted (after the next restart)) 00000000000000000000000000000000
C:\WINDOWS\system32\f3PSSavr.scr Win32/Toolbar.MyWebSearch application (unable to clean - deleted) 00000000000000000000000000000000
C:\Documents and Settings\ruth eyre\My Documents\limey\DJ Q feat MC Bonez - You Wot.wma a variant of WMA/TrojanDownloader.GetCodec.gen trojan (cleaned) 62E2764753C197596C82552893A0DB35
C:\Program Files\Internet Explorer\msimg32.dll Win32/Toolbar.MyWebSearch application (unable to clean - deleted) 00000000000000000000000000000000
C:\Program Files\MyWebSearch\bar\1.bin\F3CJPEG.DLL Win32/Toolbar.MyWebSearch application (unable to clean - deleted) 00000000000000000000000000000000
C:\Program Files\MyWebSearch\bar\1.bin\F3IMSTUB.DLL Win32/Toolbar.MyWebSearch application (unable to clean - deleted) 00000000000000000000000000000000
C:\Program Files\MyWebSearch\bar\1.bin\F3PSSAVR.SCR Win32/Toolbar.MyWebSearch application (unable to clean - deleted) 00000000000000000000000000000000
C:\Program Files\MyWebSearch\bar\1.bin\F3RESTUB.DLL Win32/Toolbar.MyWebSearch application (unable to clean - deleted) 00000000000000000000000000000000
C:\Program Files\MyWebSearch\bar\1.bin\F3SCHMON.EXE Win32/Adware.FunWeb application (unable to clean - deleted) 00000000000000000000000000000000
C:\Program Files\MyWebSearch\bar\1.bin\F3SCRCTR.DLL Win32/Toolbar.MyWebSearch application (unable to clean - deleted) 00000000000000000000000000000000
C:\Program Files\MyWebSearch\bar\1.bin\M3FFXTBR.JAR Win32/Toolbar.MyWebSearch application (unable to clean - deleted) 00000000000000000000000000000000
C:\Program Files\MyWebSearch\bar\1.bin\M3HIGHIN.EXE Win32/Toolbar.MyWebSearch application (unable to clean - deleted) 00000000000000000000000000000000
C:\Program Files\MyWebSearch\bar\1.bin\M3HTML.DLL Win32/Toolbar.MyWebSearch application (unable to clean - deleted) 00000000000000000000000000000000
C:\Program Files\MyWebSearch\bar\1.bin\M3IDLE.DLL Win32/Toolbar.MyWebSearch application (unable to clean - deleted) 00000000000000000000000000000000
C:\Program Files\MyWebSearch\bar\1.bin\M3MEDINT.EXE Win32/Toolbar.MyWebSearch application (unable to clean - deleted) 00000000000000000000000000000000
C:\Program Files\MyWebSearch\bar\1.bin\M3MSG.DLL Win32/Toolbar.MyWebSearch application (unable to clean - deleted) 00000000000000000000000000000000
C:\Program Files\MyWebSearch\bar\1.bin\M3NTSTBR.JAR Win32/Toolbar.MyWebSearch application (unable to clean - deleted) 00000000000000000000000000000000
C:\Program Files\MyWebSearch\bar\1.bin\M3OUTLCN.DLL Win32/Toolbar.MyWebSearch application (unable to clean - deleted) 00000000000000000000000000000000
C:\Program Files\MyWebSearch\bar\1.bin\M3PLUGIN.DLL Win32/Toolbar.MyWebSearch application (unable to clean - deleted) 00000000000000000000000000000000
C:\Program Files\MyWebSearch\bar\1.bin\M3SKIN.DLL Win32/Toolbar.MyWebSearch application (unable to clean - deleted) 00000000000000000000000000000000
C:\Program Files\MyWebSearch\bar\1.bin\M3SLSRCH.EXE Win32/Toolbar.MyWebSearch application (unable to clean - deleted) 00000000000000000000000000000000
C:\Program Files\MyWebSearch\bar\1.bin\M3SRCHMN.EXE Win32/Toolbar.MyWebSearch application (unable to clean - deleted) 00000000000000000000000000000000
C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE Win32/Toolbar.MyWebSearch application (unable to clean - deleted (after the next restart)) 00000000000000000000000000000000
C:\Program Files\MyWebSearch\bar\1.bin\MWSOESTB.DLL Win32/Toolbar.MyWebSearch application (unable to clean - deleted (after the next restart)) 00000000000000000000000000000000
C:\Program Files\MyWebSearch\bar\1.bin\MWSSVC.EXE Win32/Toolbar.MyWebSearch application (unable to clean - deleted) 00000000000000000000000000000000
C:\Program Files\MyWebSearch\bar\1.bin\NPMYWEBS.DLL Win32/Toolbar.MyWebSearch application (unable to clean - deleted) 00000000000000000000000000000000
C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL Win32/Toolbar.MyWebSearch application (unable to clean - deleted (after the next restart)) 00000000000000000000000000000000
C:\Program Files\Mozilla Firefox\chrome\m3ffxtbr.jar Win32/Toolbar.MyWebSearch application (unable to clean - deleted) 00000000000000000000000000000000
C:\Program Files\Mozilla Firefox\plugins\NPMyWebS.dll Win32/Toolbar.MyWebSearch application (unable to clean - deleted) 00000000000000000000000000000000
C:\Program Files\MSN Messenger\riched20.dll Win32/Toolbar.MyWebSearch application (unable to clean - deleted) 00000000000000000000000000000000
C:\Program Files\MSN Messenger\msimg32.dll Win32/Toolbar.MyWebSearch application (unable to clean - deleted (after the next restart)) 00000000000000000000000000000000
C:\System Volume Information\_restore{9B7BB700-9269-4E60-AD1A-F3FF79A0262A}\RP474\A0169333.exe Win32/Adware.Trymedia application (unable to clean - deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{9B7BB700-9269-4E60-AD1A-F3FF79A0262A}\RP474\A0169402.exe probably unknown NewHeur_PE virus (unable to clean - deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{9B7BB700-9269-4E60-AD1A-F3FF79A0262A}\RP474\A0169403.scr Win32/Toolbar.MyWebSearch application (unable to clean - deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{9B7BB700-9269-4E60-AD1A-F3FF79A0262A}\RP474\A0169404.dll Win32/Toolbar.MyWebSearch application (unable to clean - deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{9B7BB700-9269-4E60-AD1A-F3FF79A0262A}\RP474\A0169405.DLL Win32/Toolbar.MyWebSearch application (unable to clean - deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{9B7BB700-9269-4E60-AD1A-F3FF79A0262A}\RP474\A0169406.DLL Win32/Toolbar.MyWebSearch application (unable to clean - deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{9B7BB700-9269-4E60-AD1A-F3FF79A0262A}\RP474\A0169407.SCR Win32/Toolbar.MyWebSearch application (unable to clean - deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{9B7BB700-9269-4E60-AD1A-F3FF79A0262A}\RP474\A0169408.DLL Win32/Toolbar.MyWebSearch application (unable to clean - deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{9B7BB700-9269-4E60-AD1A-F3FF79A0262A}\RP474\A0169409.EXE Win32/Adware.FunWeb application (unable to clean - deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{9B7BB700-9269-4E60-AD1A-F3FF79A0262A}\RP474\A0169410.DLL Win32/Toolbar.MyWebSearch application (unable to clean - deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{9B7BB700-9269-4E60-AD1A-F3FF79A0262A}\RP474\A0169411.EXE Win32/Toolbar.MyWebSearch application (unable to clean - deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{9B7BB700-9269-4E60-AD1A-F3FF79A0262A}\RP474\A0169412.DLL Win32/Toolbar.MyWebSearch application (unable to clean - deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{9B7BB700-9269-4E60-AD1A-F3FF79A0262A}\RP474\A0169413.DLL Win32/Toolbar.MyWebSearch application (unable to clean - deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{9B7BB700-9269-4E60-AD1A-F3FF79A0262A}\RP474\A0169414.EXE Win32/Toolbar.MyWebSearch application (unable to clean - deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{9B7BB700-9269-4E60-AD1A-F3FF79A0262A}\RP474\A0169415.DLL Win32/Toolbar.MyWebSearch application (unable to clean - deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{9B7BB700-9269-4E60-AD1A-F3FF79A0262A}\RP474\A0169416.DLL Win32/Toolbar.MyWebSearch application (unable to clean - deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{9B7BB700-9269-4E60-AD1A-F3FF79A0262A}\RP474\A0169417.DLL Win32/Toolbar.MyWebSearch application (unable to clean - deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{9B7BB700-9269-4E60-AD1A-F3FF79A0262A}\RP474\A0169418.DLL Win32/Toolbar.MyWebSearch application (unable to clean - deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{9B7BB700-9269-4E60-AD1A-F3FF79A0262A}\RP474\A0169419.EXE Win32/Toolbar.MyWebSearch application (unable to clean - deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{9B7BB700-9269-4E60-AD1A-F3FF79A0262A}\RP474\A0169420.EXE Win32/Toolbar.MyWebSearch application (unable to clean - deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{9B7BB700-9269-4E60-AD1A-F3FF79A0262A}\RP474\A0169421.EXE Win32/Toolbar.MyWebSearch application (unable to clean - deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{9B7BB700-9269-4E60-AD1A-F3FF79A0262A}\RP474\A0169422.DLL Win32/Toolbar.MyWebSearch application (unable to clean - deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{9B7BB700-9269-4E60-AD1A-F3FF79A0262A}\RP474\A0169423.EXE Win32/Toolbar.MyWebSearch application (unable to clean - deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{9B7BB700-9269-4E60-AD1A-F3FF79A0262A}\RP474\A0169424.DLL Win32/Toolbar.MyWebSearch application (unable to clean - deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{9B7BB700-9269-4E60-AD1A-F3FF79A0262A}\RP474\A0169425.DLL Win32/Toolbar.MyWebSearch application (unable to clean - deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{9B7BB700-9269-4E60-AD1A-F3FF79A0262A}\RP474\A0169426.dll Win32/Toolbar.MyWebSearch application (unable to clean - deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{9B7BB700-9269-4E60-AD1A-F3FF79A0262A}\RP474\A0169427.dll Win32/Toolbar.MyWebSearch application (unable to clean - deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{9B7BB700-9269-4E60-AD1A-F3FF79A0262A}\RP474\A0169428.DLL Win32/Toolbar.MyWebSearch application (unable to clean - deleted) 00000000000000000000000000000000

~Chameleon~

globalds wrote: »

Kaspersky is a very reliable anti virus software.
If you aren't running any anti virus software I would recomend this one ..It is very cheap at the moment.
http://www.hotukdeals.com/item/288910/kaspersky-internet-security-2009-1u/

It's also FREE if you bank with Barclays :T

http://www.personal.barclays.co.uk/BRC1/jsp/brccontrol?site=pfs&task=homefreegroup&value=10662&target=_self&WT.ac=coukinfvirus

lucygotit

I run the above Eset Onlinescan in Internet explorer and now when I have clicked on Internet Explorer I get a message page from Microsoft Security saying "Alert: Your computer have been attacked by spyware or viruses!
Please download Antispyware to fix and button for me to click
I haven't clicked anything - seems dodgy with how its worded (your computer have!)
What does anyone suggest now??