Removing the Interval hehehe Virus

I couldn’t find any posts that gave a solution but this seemed to work for a friend.

  1. Reboot Windows into Safe Mode and perform a virus scan.
  2. Make sure you have a clean Windows hosts file, located in C:\WINDOWS\system32\drivers\etc. Open the hosts file with Notepad (or some other text editor) and replace all the text in hosts with the text below. Be sure to save the hosts file without an extension. In Notepad this is done by selecting File -> Save As and setting “Save as type” to “All Files.”
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host

127.0.0.1       localhost
  3. Run Spybot – Search & Destroy and Ad-Aware to get rid of any other malware.
  4. Clear your internet browser’s cache.
  5. Don’t download and install files from warez sites!
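To check step 2, the following added example (not part of the original post) parses a hosts file and reports every active mapping other than the stock localhost entry. The names `audit_hosts`, `EXPECTED` and `SAMPLE` are hypothetical, the sample entries are constructed, and accepting `::1 localhost` is an assumption covering later Windows defaults.

```python
import ipaddress
import sys

# Mappings a stock file contains. The IPv4 line is the page's clean file;
# the IPv6 line is an assumption covering later Windows defaults.
EXPECTED = {("127.0.0.1", "localhost"), ("::1", "localhost")}

# Constructed sample: example.* names and a documentation-range address.
SAMPLE = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       update.example.com      # constructed entry
203.0.113.7     www.example.org search.example.org
not-an-ip       example.net
"""


def audit_hosts(text):
    """Return (line_no, address, hostname, reason) for each non-default entry."""
    findings = []
    for line_no, raw in enumerate(text.lstrip("\ufeff").splitlines(), start=1):
        entry = raw.split("#", 1)[0].strip()  # comments start at '#'
        if not entry:
            continue
        ip, *names = entry.split()
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((line_no, ip, " ".join(names), "malformed address"))
            continue
        for name in (n.lower() for n in names):
            if (ip, name) in EXPECTED:
                continue
            if addr.is_loopback or addr.is_unspecified:
                reason = "hostname blocked (points at local machine)"
            else:
                reason = "hostname redirected to another address"
            findings.append((line_no, ip, name, reason))
    return findings


if __name__ == "__main__":
    # Pass a hosts file path to audit it; with no argument the sample is used.
    source = SAMPLE
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            source = fh.read()
    for line_no, ip, name, reason in audit_hosts(source):
        print(f"line {line_no}: {ip} -> {name}: {reason}")
```

A freshly replaced hosts file should produce no findings. Blocklist entries written by tools such as Spybot show up under the "blocked" reason, so review those rather than treating them as infection.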
Written on: 12-02-08

33 Responses to “Removing the Interval hehehe Virus”

  1. Michael wrote:

    Thanks a lot!!! Trying to help a friend who installed Winrar from download.com and got this. Trying to help over the internet but will let you know if it helps us too.

    December 4th, 2008 at 2:11 pm
  2. johncare wrote:

    THIS solved it

    AS above step 2
    OPEN notepad & delete all that JUNK in the HOST file

    SAVE as

    THis GUY solution WORKED

    RUN SPYWARE 2

    BUT that did it AS ABOVE

    THANK Q i had wasted a DAY

    JDC

    December 4th, 2008 at 3:48 pm
  3. tash wrote:

    Hi, I have the same virus, but if I follow your steps, when I click on save as as all file types, it says ‘file already exists, do you want to overwrite’
    I click yes.
    Then it says ‘cannot create the C:\WINDOWS\system32\drivers\etc\hosts file. Make sure the path and file name are correct’

    Do you have any ideas of what I could do?
    Thanks.

    December 4th, 2008 at 7:59 pm
  4. yes wrote:

    yes…when you click “save as” you (now) will have 2 hosts files…you did not need to create the .txt file instead:

    1. Save As
    2. now….CLICK on the original ‘Hosts’ file
    3. Click Save

    …now you have replaced the original and NOT made a .txt file that has no effect

    December 4th, 2008 at 8:38 pm
  5. JAyden wrote:

    I just got the virus from dl winrar and I’m not sure this is an old post or what but I’m using windows vista and I used restore point and that seems to have worked because nothing has popped up and the browsers seem to work. I’ve checked the host file and it seems normal.

    December 5th, 2008 at 6:28 am
  6. JAyden wrote:

    I’ll run my anti-virus in safe mode as mentioned earlier just as a precaution ;)

    December 5th, 2008 at 6:29 am
  7. Xm wrote:

    I have a problem: when I try to replace the old file it asks this confirmation message, then when I click yes… it says

    “Cannot create the C:\WINDOWS\system32\drivers\etc\hosts file. Make sure the path and file name are correct.”

    Please help (detailed help)

    December 5th, 2008 at 7:21 pm
  8. Humam wrote:

    Thank you, it worked

    December 6th, 2008 at 2:11 pm
  9. G Andrews wrote:

    XP Solution for Intermediate / Advanced Users:
    ________________________________________________________

    1. Restore to last date possible before download of Zipped File

    2. Run Anti-Virus in Safe Mode

    3. Copy this into Notepad:

    ************************************
    # Copyright (c) 1993-1999 Microsoft Corp.
    #
    # This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
    #
    # This file contains the mappings of IP addresses to host names. Each
    # entry should be kept on an individual line. The IP address should
    # be placed in the first column followed by the corresponding host name.
    # The IP address and the host name should be separated by at least one
    # space.
    #
    # Additionally, comments (such as these) may be inserted on individual
    # lines or following the machine name denoted by a '#' symbol.
    #
    # For example:
    #
    # 102.54.94.97 rhino.acme.com # source server
    # 38.25.63.10 x.acme.com # x client host

    127.0.0.1 localhost

    ******************************************************
    4. Save this file as an “All Files” file (not a .txt file)
    on your desktop

    5. Delete the following file:

    C:\WINDOWS\system32\drivers\etc\host.***

    6. Copy the host file you saved onto the desktop into

    C:\WINDOWS\system32\drivers\etc

    [this is easier for beginners than the first suggestion at the top of the page, but is essentially the same solution]

    7. Reboot

    _____________________________________________________

    As an FYI Spy Bot Search and Destroy will populate and update the host.*** file with known malicious sites. The issue I have with Spybot is that when installing known good applications (***.exe), every time a Registry change is required it has a pop-up that asks for user acknowledgment. Annoying.

    December 6th, 2008 at 4:28 pm
  10. Jim wrote:

    You only get those messages if you run the resident TeaTimer in Spybot S&D. It never hurts to be too safe :]

    December 6th, 2008 at 7:32 pm
  11. help please with (Interval hehehe) - Digital World wrote:

    [...] File -> Save As and choosing the “Save as type” to be “All Files.” # Copyright (c) 1993-1999 Microsoft [...]

    December 7th, 2008 at 10:46 am
  12. Mr Bomby wrote:

    So I think I beat it, cause every time I start up Firefox it doesn’t have that crazy Chinese lettering, but when I run Spybot S&D, it says it’s still there, but when I look for it in the system32 folder, I can’t find it, and every time I try to delete it from Spybot, it says the admin has to do it, but I am the admin and only user on this comp, can someone please give me some advice :( thanks.

    December 7th, 2008 at 4:04 pm
  13. CA Girl wrote:

    Hi Bomby

    I am having this same problem, but if you want to run Spybot and have “administrative” rights under Windows Vista, go ahead and go to where the Spybot S&D file is located at in Programs (start window). Instead of clicking through, right (or left click if you set your mouse function that way) and there should be options including “administrative rights” and by doing so you can have administrative rights for running Spybot S&D.

    I seem to have resolved the annoying pop up problem, but cannot get onto the Internet and NOT have it direct me to Microsoft Help Center and the fake any spy software website. Does anyone know what is the best way to resolve this? This specifically came up on my virus scan and after I deleted it “fixed it”, it still comes up. Please help. I used Spybot S&D along with aVS.

    December 8th, 2008 at 2:23 pm
  14. Adamski wrote:

    I have been infected by the same virus for the same reason as anyone else, I had Norton Protection running and it does not pick it up – they won’t be getting my subscription.

    Is it me or has anyone else noticed that this infection forces your browser to point to a site labelled as Microsoft Security Center. Isn’t it funny that this site purporting to be from MS suggests you download anti malware products from a site called Antispy.com? A little fishy don’t you think? Or is it just me?

    I ran a whois on antyspy.com but I don’t have a subscription for whois services so I cannot see it, so if anyone out there does have, can you have a look and see who it belongs to and report them to Bill, I reckon they will be mighty peeved about this.

    Or am I just a little cynical?

    Adamski

    December 8th, 2008 at 7:26 pm
  15. orb699 wrote:

    Hello,

    when I try to change the “Save as Type” to be “All Files” it isn’t there… I don’t know why.

    Please Help!

    December 8th, 2008 at 9:00 pm
  16. Ben Moore wrote:

    Hi All

    I have found an effective way to get rid of this virus that has been fraudulently attached to an otherwise trustworthy program.

    This will work for Windows Vista users with system restore only

    Go to start and type in the search box “system restore”, if a security window pops up just click continue.

    Select the recommended restore radio button and then click next. Then confirm by clicking finish.

    Then wait for your computer to go through the restore process.

    As soon as it restarts boot up your favourite antivirus and scan for any leftover files, remove them and enjoy a working pc

    Hope this helps.
    cheers
    Ben

    December 9th, 2008 at 6:45 pm
  17. Vincent wrote:

    Thank You

    December 10th, 2008 at 1:22 am
  18. Jimbo wrote:

    Adamski, this is definitely not a coincidence, it’s retarded isnt it? antispyware definitely seems to be a scam that probably hacked into the microsoft site somehow and planted an ad in the middle of a page to make it official. it’s annoying, but this helped. thank you!

    December 10th, 2008 at 4:56 pm
  19. Matthew Seville wrote:

    Follow these steps and you will rid your computer of this basic virus. People are deleting drives, cleans are going on. It just is not needed – do this and thank me later!

    1: DO NOT download what it says to download on the internet explorer.

    2: Uninstall the fake winrar
    3: In system32 folder there’s an exe labeled explore.exe, and has a winrar file icon. If you try to delete it it won’t let you, so open task manager and go to “Processes” and end the process tree for “explore.exe”
    DO NOT CONFUSE WITH “explorer.exe”, which has an “r”

    As soon as you’ve ended the process tree delete the “explore.exe” from system32.

    4: Empty the recycle bin or shred it if you can

    5: Now go to system32/drivers/etc/host
    open the host file with notepad
    delete everything and save.
    6: Reboot, open iexplorer and you’re done. It should be back to normal

    I got rid of it without use of antivirus.

    Note: If it doesn’t work, do a file search for HOSTS, there may be up to 3 or 4. Look in them all with notepad, and delete the ones with tons of websites listed. Save as under *all files*.

    Reboot: Hey Presto!

    December 11th, 2008 at 4:53 pm
  20. Manoj wrote:

    Thanks a ton Matthew…
    I was able to get rid of it finally

    December 12th, 2008 at 12:33 am
  21. Amir wrote:

    Viva Matthew!!!!!!!!!!
    U kick their ass

    December 12th, 2008 at 11:58 pm
  22. dhruv wrote:

    Thanks. U finally solved the problem. It still would have been easier to download 7zip ahh if only I could

    December 13th, 2008 at 10:33 am
  23. cheba wrote:

    I think I still have the interval hehehe virus, Internet Explorer going nuts, Chinese writing etc. I can’t see an explore.exe but there is iexplore.exe, is that dodgy? Can anyone help?
    cheers

    December 14th, 2008 at 6:37 am
  24. gbouchrs wrote:

    It will not let me save in the host text. It keeps saying make sure path and filename is correct.

    December 14th, 2008 at 9:58 am
  25. wacocrimatty wrote:

    Thanks so much, as I could not get rid of that rotten thing until I was given your solution in the Windows subdirectory. Worked like a charm. This one got past Norton 360…something I will be chatting with them about.

    December 14th, 2008 at 7:40 pm
  26. pinkangel wrote:

    thanks sooo much matthew! got rid of the virus in no time!!

    December 23rd, 2008 at 4:12 pm
  27. phallpdx wrote:

    Thanks for the help. I needed it.

    January 4th, 2009 at 10:07 pm
  28. Steve wrote:

    Thanks. Worked a treat. Now all I have to do is wrap the laptop round the users head until he understands the last point!!!

    :-)

    January 5th, 2009 at 9:27 am
  29. Ed wrote:

    Thanks Matt,

    Your advice written in the NOTE worked perfectly.
    Thanks a lot.

    E

    January 8th, 2009 at 4:36 pm
  30. Roger Murray wrote:

    For those of you with the Interval hehe and winrar virus

    January 28th, 2009 at 6:55 pm
  31. Roger Murray wrote:

    Sorry you only got the 1st bit of this – hope this works -

    For those of you with the Interval hehe and winrar virus –
    The method described does work (Windows /System32 etc. etc.)
    However, I also advise editing all references to winrar from the registry. If you are not too sure how to do this, get someone who does, as you can crash your PC if you get it wrong
    You will find loads of Refs to it !
    When you have completed this and also the Windows /System32 etc. etc -
    Shut down the PC and then – either leave it for an hour or so or Pull the power supply lead for 30secs or so – or even do both.
    If you just restart immediately you may find that nothing has changed. Leaving you with the impression that all your efforts have been in vain !
    Hope this helps —
    Roge.

    January 28th, 2009 at 7:57 pm
  32. soyoung wrote:

    Hi. I got rid of the interval hehehe about a month ago by rewriting the host file.
    winrar was gone as well at that time but I could see it coming back after a few days.
    I tried to delete it by changing the permission, but it’s still there. Also tried to find explore.exe as well but it’s not there. I think the virus is not there anymore but I really wanna get rid of winrar as it’s the one that gave me interval hehe. Please help.
    If I try to delete it it keeps saying you need permission to use. Right clicked and changed the security as well but somehow I can’t click on “special permission” if it’s what gives me permission to delete a file.. as an administrator.
    Also changed in control panel as well but doesn’t seem to work..

    February 18th, 2009 at 8:12 am
  33. neji wrote:

    for those who tried to save it and it did not allow you to, that happened to me too so what I did was make a copy of the host file and put it in there then take the original host file to my documents and delete all the crap in it then save it and I was able to save it then I put it back to the etc folder then deleted I made earlier :)

    June 30th, 2009 at 5:10 pm
