Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Installed WINRAR now infected w/ intervalhehehe

  • This topic is locked This topic is locked
2 replies to this topic

#1 Jeff C

Jeff C

  • Members
  • 1 posts
  • Local time:06:44 AM

Posted 26 December 2008 - 12:02 AM


I installed winrar from cnet and now I am infected with intervalhehehe. Any help would be much appreciated. BTW i canot attach the attach.txt no browse button.


DDS (Version 1.1.0) - NTFSx86
Run by Jeff at 23:52:20.81 on 25/12/2008
Internet Explorer: 8.0.6001.18241
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.510.74 [GMT -5:00]

AV: Norton Security Online *On-access scanning enabled* (Updated)
FW: Norton Security Online *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Creative\Shared Files\CIDS\CTStray.exe
C:\Program Files\Creative\Input Devices\MOUSE\CTPoint.exe
C:\Program Files\Creative\Input Devices\Keyboard\CTType.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Symantec Shared\SecurityStatusSDK\SSDK02.exe
C:\Documents and Settings\Jeff\Local Settings\Temporary Internet Files\Content.IE5\GPM8LDB0\WinRAR[1].exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\Program Files\Crawler\Toolbar\CToolbar.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Jeff\Local Settings\Temporary Internet Files\Content.IE5\KEGCGPFS\dds[1].scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: : {1cb20bf0-bbae-40a7-93f4-6435ff3d0411} - c:\progra~1\crawler\toolbar\ctbr.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\progra~1\common~1\symant~1\ids\IPSBHO.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Crawler Toolbar: {4b3803ea-5230-4dc3-a7fc-33638f3d3542} - c:\progra~1\crawler\toolbar\ctbr.dll
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [YOP] c:\progra~1\yahoo!\yop\yop.exe /autostart
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [osCheck] "c:\program files\norton internet security\osCheck.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
mRun: [Creative Mouse Software] c:\program files\creative\shared files\cids\CTStray.exe
mRun: [Creative Mouse Software 1] c:\program files\creative\input devices\mouse\CTPoint.exe
mRun: [Creative Keyboard Software 1] c:\program files\creative\input devices\keyboard\CTType.exe
mRun: [explore] c:\windows\system32\explore.exe
mRunOnce: [wextract_cleanup0] rundll32.exe c:\windows\system32\advpack.dll,delnoderundll32 "c:\docume~1\jeff\locals~1\temp\ixp000.tmp\"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
IE: Crawler Search - tbr:iemenu
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
TCP: {11E32533-5778-44A0-B79A-5A7D7D13811A} =
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - c:\progra~1\crawler\toolbar\ctbr.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

============= SERVICES / DRIVERS ===============

R Iprip;Iprip; []
R2 ccEvtMgr;Symantec Event Manager;"c:\program files\common files\symantec shared\ccSvcHst.exe" /h ccCommon [2007-8-28 149352]
R2 ccSetMgr;Symantec Settings Manager;"c:\program files\common files\symantec shared\ccSvcHst.exe" /h ccCommon [2007-8-28 149352]
R2 LiveUpdate Notice;LiveUpdate Notice;"c:\program files\common files\symantec shared\ccSvcHst.exe" /h ccCommon [2007-8-28 149352]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2008-10-28 99376]
R3 NAVENG;NAVENG;\??\c:\progra~1\common~1\symant~1\virusd~1\20081225.024\NAVENG.SYS [2008-12-25 89104]
R3 NAVEX15;NAVEX15;\??\c:\progra~1\common~1\symant~1\virusd~1\20081225.024\NAVEX15.SYS [2008-12-25 876112]
R3 Symantec Core LC;Symantec Core LC;c:\progra~1\common~1\symant~1\ccpd-lc\symlcsvc.exe [2008-10-28 1251720]
S3 COH_Mon;COH_Mon;\??\c:\windows\system32\drivers\COH_Mon.sys [2007-8-28 23888]

=============== Created Last 30 ================

2008-12-25 23:39 <DIR> --d----- c:\program files\Trend Micro
2008-12-25 23:06 <DIR> --d----- c:\program files\Crawler
2008-12-25 23:06 141,312 a------- c:\windows\system32\drivers\sp_rsdrv2.sys
2008-12-25 23:06 <DIR> --d----- c:\docume~1\jeff\applic~1\Spyware Terminator
2008-12-25 23:05 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spyware Terminator
2008-12-25 23:05 <DIR> --d----- c:\program files\Spyware Terminator
2008-12-22 22:28 41,984 -------- c:\windows\Ctregrun.exe
2008-12-22 22:06 <DIR> --d----- c:\program files\Creative
2008-12-18 21:41 61,440 a------- c:\windows\system32\explore.exe
2008-12-14 15:47 410,984 a------- c:\windows\system32\deploytk.dll
2008-12-04 15:12 267,112 a------- c:\windows\system32\xactengine2_9.dll
2008-12-04 15:10 <DIR> --d----- c:\windows\Logs
2008-12-04 15:09 <DIR> --d-h--- c:\windows\msdownld.tmp
2008-12-04 15:09 547 a------- c:\windows\system32\ff_vfw.dll.manifest
2008-12-04 15:09 7,680 a------- c:\windows\system32\ff_vfw.dll
2008-12-04 15:09 60,273 a------- c:\windows\system32\pthreadGC2.dll
2008-12-04 15:09 <DIR> --d----- c:\program files\ffdshow
2008-12-04 14:44 <DIR> --d----- c:\program files\Utherverse Digital Inc

==================== Find3M ====================

2008-10-28 14:45 123,952 a------- c:\windows\system32\drivers\SYMEVENT.SYS
2008-10-28 14:45 60,800 a------- c:\windows\system32\S32EVNT1.DLL
2008-10-28 14:45 10,671 a------- c:\windows\system32\drivers\SYMEVENT.CAT
2008-10-28 14:45 805 a------- c:\windows\system32\drivers\SYMEVENT.INF
2008-10-27 10:04 514,384 a------- c:\windows\system32\XAudio2_3.dll
2008-10-27 10:04 235,856 a------- c:\windows\system32\xactengine3_3.dll
2008-10-27 10:04 23,376 a------- c:\windows\system32\X3DAudio1_5.dll
2008-10-27 10:04 70,992 a------- c:\windows\system32\XAPOFX1_2.dll
2008-10-23 08:01 283,648 a------- c:\windows\system32\gdi32.dll
2008-10-16 14:06 268,648 a------- c:\windows\system32\mucltui.dll
2008-10-16 14:06 208,744 a------- c:\windows\system32\muweb.dll
2008-10-10 04:52 4,379,984 a------- c:\windows\system32\D3DX9_40.dll
2008-10-10 04:52 2,036,576 a------- c:\windows\system32\D3DCompiler_40.dll
2008-10-10 04:52 452,440 a------- c:\windows\system32\d3dx10_40.dll
2008-10-03 05:15 247,326 a------- c:\windows\system32\strmdll.dll
2008-09-30 16:43 1,286,152 a------- c:\windows\system32\msxml4.dll
2008-06-04 12:35 256 a------- c:\documents and settings\jeff\pool.bin

============= FINISH: 23:53:02.87 ===============

BC AdBot (Login to Remove)


#2 teacup61


    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:06:44 AM

Posted 06 January 2009 - 05:57 PM

Hello Jeff C,

Posted Image

Sorry about the delay.:thumbsup: If you still need help, please post a new HijackThis log to make sure nothing has changed, and I'll be happy to look at it for you.

Please do this:
1. Download HijackThis™ here:

2. Click 'Do a System Scan and Save log'.
The HJT log will open in notepad.

Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image

Error reading poptart in Drive A: Delete kids y/n?

#3 teacup61


    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:06:44 AM

Posted 23 January 2009 - 04:51 AM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image

Error reading poptart in Drive A: Delete kids y/n?

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users