<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	>

<channel>
	<title>Kakkoi &#187; winlogon</title>
	<atom:link href="http://42.kaizeku.com/taxonomy/winlogon//feed/" rel="self" type="application/rss+xml" />
	<link>http://42.kaizeku.com</link>
	<description>web development, software, windows tips and trick</description>
	<pubDate>Sat, 12 Jul 2008 15:10:01 +0000</pubDate>
	<generator>http://wordpress.org/?v=2.6</generator>
	<language>en</language>
	<xhtml:meta xmlns:xhtml="http://www.w3.org/1999/xhtml" name="robots" content="noindex" />
		<item>
		<title>w32.virut.w, PE_VIRUT.A</title>
		<link>http://42.kaizeku.com/security/virus/w32virutw/</link>
		<comments>http://42.kaizeku.com/security/virus/w32virutw/#comments</comments>
		<pubDate>Sun, 11 Nov 2007 11:44:42 +0000</pubDate>
		<dc:creator>Nick B</dc:creator>
		
		<category><![CDATA[Virus]]></category>

		<category><![CDATA[Windows]]></category>

		<category><![CDATA[anti virus]]></category>

		<category><![CDATA[norton]]></category>

		<category><![CDATA[PE_VIRUT.A]]></category>

		<category><![CDATA[svntortoise]]></category>

		<category><![CDATA[w32.virut.w]]></category>

		<category><![CDATA[winlogon]]></category>

		<guid isPermaLink="false">http://blog.kakkoi.net/?p=3</guid>
		<description><![CDATA[

I just downloaded Google Pack with Norton, and the first scan flagged my favourite SVN client, TortoiseSVN, as infected with w32.virut.w.
Excerpt from Symantec
W32.Virut.A is a virus that infects executable files and opens a back door on TCP port 65520 by connecting to a predefined IRC server.
Netstats
netstat -aob &#62; netstat.log

 TCP USER:1028 78.109.19.140.in.hosting.ua:65520 ESTABLISHED 936
 [winlogon.exe]
The free version [...]]]></description>
			<content:encoded><![CDATA[
<!-- google_ad_section_start -->
<p>I just downloaded Google Pack with Norton, and the first scan flagged my favourite SVN client, <strong>TortoiseSVN</strong>, as infected with w32.virut.w.</p>
<p>Excerpt from <a href="http://www.symantec.com/security_response/writeup.jsp?docid=2006-051402-1930-99" rel="nofollow">Symantec</a></p>
<blockquote cite="http://www.symantec.com/security_response/writeup.jsp?docid=2006-051402-1930-99"><p>W32.Virut.A is a virus that infects executable files and opens a back door on TCP port 65520 by connecting to a predefined IRC server.</p></blockquote>
<h3>Netstats</h3>
<p><tt>netstat -aob &gt; netstat.log</tt></p>
<pre>
 TCP USER:1028 78.109.19.140.in.hosting.ua:65520 ESTABLISHED 936
 [winlogon.exe]</pre>
<p>The free version of Norton Internet Scan failed to fix the virus. :(<br />
<span id="more-3"></span></p>
<h3>Norton Logs</h3>
<pre>
Process:
 c:\windows\system32\ctfmon.exe
 c:\program files\tortoisesvn\bin\tsvncache.exe
Infection:
 c:\windows\system32\ctfmon.exe
 c:\program files\tortoisesvn\bin\tsvncache.exe
 c:\windows\system32\spoolsv.exe
 c:\windows\system32\locator.exe
 c:\windows\system32\alg.exe
 c:\windows\system32\sessmgr.exe
 c:\windows\system32\dllhost.exe
 c:\windows\system32\rsvp.exe
 c:\windows\system32\dmadmin.exe
 c:\windows\system32\msdtc.exe
 c:\windows\system32\cisvc.exe
 c:\windows\system32\wbem\wmiapsrv.exe
 c:\windows\system32\ups.exe
 c:\windows\system32\msiexec.exe
 c:\windows\system32\netdde.exe
 c:\windows\system32\vssvc.exe
 c:\windows\system32\mnmsrvc.exe
 c:\windows\system32\mshta.exe
 c:\windows\system32\userinit.exe
 c:\windows\system32\ieudinit.exe
 c:\windows\inf\unregmp2.exe
 c:\windows\system32\ie4uinit.exe
 c:\windows\system32\rundll32.exe
 c:\windows\system32\regsvr32.exe
 c:\windows\system32\ntsd.exe
 c:\program files\wakoopa\wakoopa.exe
 c:\program files\7-zip\7zfm.exe
 c:\program files\acd systems\acdsee\6.0\acdsee6.exe
 c:\program files\adobe\adobe help center\ahc.exe
 c:\program files\netmeeting\conf.exe
 c:\program files\common files\acd systems\en\devdetect.exe
 c:\program files\windows nt\dialer.exe
 c:\program files\acd systems\fotocanvas\3.0\fotocanvas3.exe
 c:\program files\acd systems\fotoslate\3.0\fotoslate3.exe
 c:\windows\pchealth\helpctr\binaries\helpctr.exe
 c:\program files\hp\digital imaging\unload\hpqapkil.exe
 c:\program files\hp\digital imaging\unload\hpqdia.exe
 c:\program files\hp\digital imaging\unload\hpqdias.exe
 c:\program files\hp\digital imaging\unload\hpqphunl.exe
 c:\program files\hp\digital imaging\unload\hpqpsmon.exe
 c:\program files\hp\digital imaging\unload\hpqunset.exe
 c:\program files\hp\digital imaging\bin\hpqvpswp.exe
 c:\program files\windows nt\hypertrm.exe
 c:\program files\internet explorer\connection wizard\icwconn1.exe
 c:\program files\internet explorer\connection wizard\icwconn2.exe
 c:\program files\internet explorer\iexplore.exe
 c:\program files\adobe\adobe photoshop cs2\imageready.exe
 c:\program files\internet explorer\connection wizard\inetwiz.exe
 c:\program files\internet explorer\connection wizard\isignup.exe
 c:\program files\java\jre1.6.0_02\bin\javaws.exe
 c:\windows\system32\usmt\migwiz.exe
 c:\program files\movie maker\moviemk.exe
 c:\program files\windows media player\mplayer2.exe
 c:\program files\combined community codec pack\mpc\mplayerc.exe
 c:\windows\pchealth\helpctr\binaries\msconfig.exe
 c:\program files\outlook express\msimn.exe
 c:\program files\common files\microsoft shared\msinfo\msinfo32.exe
 c:\program files\messenger\msmsgs.exe
 c:\program files\notepad++\notepad++.exe
 c:\windows\system32\mspaint.exe
 c:\program files\adobe\adobe photoshop cs2\photoshop.exe
 c:\program files\quicktime\pictureviewer.exe
 c:\python25\python.exe
 c:\program files\real\realplayer\realplay.exe
 c:\program files\common files\real\update_ob\rnxproc.exe
 c:\windows\soundman.exe
 c:\program files\tortoisesvn\bin\subwcrev.exe
 c:\program files\outlook express\wab.exe
 c:\program files\outlook express\wabmig.exe
 c:\program files\winrar\winrar.exe
 c:\program files\windows media player\wmplayer.exe
 c:\program files\windows nt\accessories\wordpad.exe
 c:\program files\combined community codec pack\zoom player\zplayer.exe
 c:\windows\system32\logon.scr
Service:
 RpcLocator
 ALG
 RDSessMgr
 COMSysApp
 RSVP
 dmadmin
 MSDTC
 CiSvc
 WmiApSrv
 UPS
 SwPrv
 MSIServer
 NetDDE
 VSS
 mnmsrvc
Browser Cache
Registry:
 HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon-&gt;Userinit</pre>
<p>I had to reinstall my Windows XP because there were so many hooks. I had sent a support email to hosting.ua but still got no reply from them. Need to reboot now.</p>
<h3>Nov 17 07, Update</h3>
<p>I got a reply back from hosting.ua support. Below is part of the email:</p>
<pre>
from	abuse@hosting.ua
to	nospam@gmail.com,
date	Nov 13, 2007 5:00 PM
subject	Reply: trojan 78.109.19.140.in.hosting.ua #48879

hide details Nov 13 (3 days ago)	

Reply

======== CUT HERE =========
Your support request was answered:

Created: 11.11.2007 1:28:38
Last Mod: 12.11.2007 1:41:30

Assigned To:
admin(Hosting.UA)

[11.11.2007 1:28:38]
Q: hi,
This is for your attention. I got a trojan in pc it routed back to one of
your hosting at *78.109.19.140.in.hosting.ua *

I hope you can do something about it.

Thank you
-------------------------------------------------------

[13.11.2007 11:00:08]
A: Fixed!

thx
www.Hosting.UA

-------------------------------------------------------
Hosting.UA Administration</pre>
<p>Well, there is no explanation about the issue from the support staff. I hope this site will be closed down for good. Google has already blocked it and places a warning when you search for the infected URI.</p>
<!-- google_ad_section_end -->
]]></content:encoded>
			<wfw:commentRss>http://42.kaizeku.com/security/virus/w32virutw/feed/</wfw:commentRss>
		</item>
	</channel>
</rss>
