<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	>

<channel>
	<title>Kakkoi &#187; Virus</title>
	<atom:link href="http://42.kaizeku.com/topics/security/virus/feed/" rel="self" type="application/rss+xml" />
	<link>http://42.kaizeku.com</link>
	<description>web development, software, windows tips and trick</description>
	<pubDate>Sat, 12 Jul 2008 15:10:01 +0000</pubDate>
	<generator>http://wordpress.org/?v=2.6</generator>
	<language>en</language>
	<xhtml:meta xmlns:xhtml="http://www.w3.org/1999/xhtml" name="robots" content="noindex" />
		<item>
		<title>Beware of this site</title>
		<link>http://42.kaizeku.com/security/virus/js-exploit-adodb-stream-nap-rojan/</link>
		<comments>http://42.kaizeku.com/security/virus/js-exploit-adodb-stream-nap-rojan/#comments</comments>
		<pubDate>Sat, 24 Nov 2007 03:03:05 +0000</pubDate>
		<dc:creator>Nick B</dc:creator>
		
		<category><![CDATA[Exploit]]></category>

		<category><![CDATA[Virus]]></category>

		<category><![CDATA[Windows]]></category>

		<category><![CDATA[JS/Exploit.ADODB.Stream NAP Trojan warez streaming]]></category>

		<guid isPermaLink="false">http://blog.kakkoi.net/virus/js-exploit-adodb-stream-nap-rojan/</guid>
		<description><![CDATA[

It&#8217;s quite rare to see a website attacking its visitors, but the following site is an exception.

girlhell.org
66.79.184.58
Apr 27 08 - usawarez.net

There are a few known threats from the above website:

JS/Exploit.ADODB.Stream NAP Trojan
Hidden download.
usawarez - False Image Checksum/corrupted 

François Paget from McAfee explains this ADODB.Stream attack and its complete method in great detail. I&#8217;m quite amazed with the [...]]]></description>
			<content:encoded><![CDATA[
<!-- google_ad_section_start -->
<p>It&#8217;s quite rare to see a website attacking its visitors, but the following site is an exception.</p>
<ol>
<li><code>girlhell.org</code></li>
<li><code>66.79.184.58</code></li>
<li><small>Apr 27 08</small> - <code>usawarez.net</code></li>
</ol>
<p>There are a few known threats from the above website:</p>
<ol>
<li><strong>JS/Exploit.ADODB.Stream NAP Trojan</strong></li>
<li>Hidden download.</li>
<li>usawarez - False Image Checksum/corrupted </li>
</ol>
<p>François Paget from McAfee explains this ADODB.Stream attack and its complete method in great detail. I&#8217;m quite amazed with the analysis; read it all <a href="http://blog.kakkoi.net/uri/d3d3LmF2ZXJ0bGFicy5jb20vcmVzZWFyY2gvYmxvZy9pbmRleC5waHAvMjAwNy8wNS8yNS9hbm90aGVyLWlkZW50aXR5LXRoZWZ0LXN0b3J5LTIv.curie,80,302" title="McAfee Blog" rel="external">here</a>.</p>
<!-- google_ad_section_end -->
]]></content:encoded>
			<wfw:commentRss>http://42.kaizeku.com/security/virus/js-exploit-adodb-stream-nap-rojan/feed/</wfw:commentRss>
		</item>
		<item>
		<title>w32.virut.w, PE_VIRUT.A</title>
		<link>http://42.kaizeku.com/security/virus/w32virutw/</link>
		<comments>http://42.kaizeku.com/security/virus/w32virutw/#comments</comments>
		<pubDate>Sun, 11 Nov 2007 11:44:42 +0000</pubDate>
		<dc:creator>Nick B</dc:creator>
		
		<category><![CDATA[Virus]]></category>

		<category><![CDATA[Windows]]></category>

		<category><![CDATA[anti virus]]></category>

		<category><![CDATA[norton]]></category>

		<category><![CDATA[PE_VIRUT.A]]></category>

		<category><![CDATA[svntortoise]]></category>

		<category><![CDATA[w32.virut.w]]></category>

		<category><![CDATA[winlogon]]></category>

		<guid isPermaLink="false">http://blog.kakkoi.net/?p=3</guid>
		<description><![CDATA[

I just downloaded Google Pack with Norton and the first scan hooked my fav svn tortoise with w32.virut.w.
Excerpt from Symantec
W32.Virut.A is a virus that infects executable files and opens a back door on TCP port 65520 by connecting to a predefined IRC server.
Netstats
netstat -aob &#62; netstat.log

 TCP USER:1028 78.109.19.140.in.hosting.ua:65520 ESTABLISHED 936
 [winlogon.exe]
The free version [...]]]></description>
			<content:encoded><![CDATA[
<!-- google_ad_section_start -->
<p>I just downloaded Google Pack with Norton and the first scan hooked my fav <strong>svn tortoise</strong> with w32.virut.w.</p>
<p>Excerpt from <a href="http://www.symantec.com/security_response/writeup.jsp?docid=2006-051402-1930-99" rel="nofollow">Symantec</a></p>
<blockquote cite="http://www.symantec.com/security_response/writeup.jsp?docid=2006-051402-1930-99"><p>W32.Virut.A is a virus that infects executable files and opens a back door on TCP port 65520 by connecting to a predefined IRC server.</p></blockquote>
<h3>Netstats</h3>
<p><tt>netstat -aob &gt; netstat.log</tt></p>
<pre>
 TCP USER:1028 78.109.19.140.in.hosting.ua:65520 ESTABLISHED 936
 [winlogon.exe]</pre>
<p>The free version of Norton Internet Scan failed to fix the virus. :(<br />
<span id="more-3"></span></p>
<h3>Norton Logs</h3>
<pre>
Process:
 c:\windows\system32\ctfmon.exe
 c:\program files\tortoisesvn\bin\tsvncache.exe
Infection:
 c:\windows\system32\ctfmon.exe
 c:\program files\tortoisesvn\bin\tsvncache.exe
 c:\windows\system32\spoolsv.exe
 c:\windows\system32\locator.exe
 c:\windows\system32\alg.exe
 c:\windows\system32\sessmgr.exe
 c:\windows\system32\dllhost.exe
 c:\windows\system32\rsvp.exe
 c:\windows\system32\dmadmin.exe
 c:\windows\system32\msdtc.exe
 c:\windows\system32\cisvc.exe
 c:\windows\system32\wbem\wmiapsrv.exe
 c:\windows\system32\ups.exe
 c:\windows\system32\msiexec.exe
 c:\windows\system32\netdde.exe
 c:\windows\system32\vssvc.exe
 c:\windows\system32\mnmsrvc.exe
 c:\windows\system32\mshta.exe
 c:\windows\system32\userinit.exe
 c:\windows\system32\ieudinit.exe
 c:\windows\inf\unregmp2.exe
 c:\windows\system32\ie4uinit.exe
 c:\windows\system32\rundll32.exe
 c:\windows\system32\regsvr32.exe
 c:\windows\system32\ntsd.exe
 c:\program files\wakoopa\wakoopa.exe
 c:\program files\7-zip\7zfm.exe
 c:\program files\acd systems\acdsee\6.0\acdsee6.exe
 c:\program files\adobe\adobe help center\ahc.exe
 c:\program files\netmeeting\conf.exe
 c:\program files\common files\acd systems\en\devdetect.exe
 c:\program files\windows nt\dialer.exe
 c:\program files\acd systems\fotocanvas\3.0\fotocanvas3.exe
 c:\program files\acd systems\fotoslate\3.0\fotoslate3.exe
 c:\windows\pchealth\helpctr\binaries\helpctr.exe
 c:\program files\hp\digital imaging\unload\hpqapkil.exe
 c:\program files\hp\digital imaging\unload\hpqdia.exe
 c:\program files\hp\digital imaging\unload\hpqdias.exe
 c:\program files\hp\digital imaging\unload\hpqphunl.exe
 c:\program files\hp\digital imaging\unload\hpqpsmon.exe
 c:\program files\hp\digital imaging\unload\hpqunset.exe
 c:\program files\hp\digital imaging\bin\hpqvpswp.exe
 c:\program files\windows nt\hypertrm.exe
 c:\program files\internet explorer\connection wizard\icwconn1.exe
 c:\program files\internet explorer\connection wizard\icwconn2.exe
 c:\program files\internet explorer\iexplore.exe
 c:\program files\adobe\adobe photoshop cs2\imageready.exe
 c:\program files\internet explorer\connection wizard\inetwiz.exe
 c:\program files\internet explorer\connection wizard\isignup.exe
 c:\program files\java\jre1.6.0_02\bin\javaws.exe
 c:\windows\system32\usmt\migwiz.exe
 c:\program files\movie maker\moviemk.exe
 c:\program files\windows media player\mplayer2.exe
 c:\program files\combined community codec pack\mpc\mplayerc.exe
 c:\windows\pchealth\helpctr\binaries\msconfig.exe
 c:\program files\outlook express\msimn.exe
 c:\program files\common files\microsoft shared\msinfo\msinfo32.exe
 c:\program files\messenger\msmsgs.exe
 c:\program files\notepad++\notepad++.exe
 c:\windows\system32\mspaint.exe
 c:\program files\adobe\adobe photoshop cs2\photoshop.exe
 c:\program files\quicktime\pictureviewer.exe
 c:\python25\python.exe
 c:\program files\real\realplayer\realplay.exe
 c:\program files\common files\real\update_ob\rnxproc.exe
 c:\windows\soundman.exe
 c:\program files\tortoisesvn\bin\subwcrev.exe
 c:\program files\outlook express\wab.exe
 c:\program files\outlook express\wabmig.exe
 c:\program files\winrar\winrar.exe
 c:\program files\windows media player\wmplayer.exe
 c:\program files\windows nt\accessories\wordpad.exe
 c:\program files\combined community codec pack\zoom player\zplayer.exe
 c:\windows\system32\logon.scr
Service:
 RpcLocator
 ALG
 RDSessMgr
 COMSysApp
 RSVP
 dmadmin
 MSDTC
 CiSvc
 WmiApSrv
 UPS
 SwPrv
 MSIServer
 NetDDE
 VSS
 mnmsrvc
Browser Cache
Registry:
 HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon-&gt;Userinit</pre>
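<p>As an added example (my own code, not from the post), here is a Python triage helper that reads <tt>netstat -aob</tt> output the way the excerpt above is read: it pairs each connection row with the bracketed process name that follows it and flags any TCP connection whose remote port is 65520, the back door port Symantec names for W32.Virut, so the owning process (here <tt>winlogon.exe</tt>) stands out. It also compares the Winlogon <tt>Userinit</tt> value that the Norton log lists against the Windows XP default. The netstat text embedded in it is a constructed sample modelled on the excerpt, and the function names and the <tt>winreg</tt> lookup are mine.</p>

```python
"""Added triage helper (not from the original post): parse `netstat -aob` output,
flag connections to the W32.Virut back door port, and sanity-check the Winlogon
Userinit value that the Norton log lists."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Symantec's writeup quoted in the post: W32.Virut connects out to an IRC server on TCP 65520.
VIRUT_BACKDOOR_PORT = 65520

# Constructed sample modelled on the post's excerpt; not a capture from a live host.
# `netstat -b` prints the owning module in brackets on the line after each row.
SAMPLE_NETSTAT = r"""
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    USER:135               USER:0                 LISTENING       1024
  c:\windows\system32\WS2_32.dll
  [svchost.exe]
  TCP    USER:1028              78.109.19.140.in.hosting.ua:65520  ESTABLISHED     936
  [winlogon.exe]
  TCP    USER:1031              64.233.187.99:80       ESTABLISHED     1504
  [iexplore.exe]
  UDP    USER:123               *:*                                    1020
  [svchost.exe]
"""

# proto, local, remote, optional state (UDP rows have none), pid
ROW = re.compile(r"^(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+([A-Z_]+))?\s+(\d+)$")


@dataclass
class Conn:
    proto: str
    local: str
    remote: str
    state: str            # empty for UDP rows, which have no State column
    pid: int
    process: Optional[str] = None


def split_host_port(addr: str) -> Tuple[str, Optional[int]]:
    """'host:port' -> (host, port); the port is None for '*' or a missing port."""
    host, _, port = addr.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def parse_netstat_aob(text: str) -> List[Conn]:
    """Turn the netstat dump into Conn records, attaching each bracketed
    process line to the connection row printed just before it."""
    conns: List[Conn] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = ROW.match(line)
        if m:
            proto, local, remote, state, pid = m.groups()
            conns.append(Conn(proto, local, remote, state or "", int(pid)))
        elif line.startswith("[") and line.endswith("]") and conns:
            conns[-1].process = line[1:-1]   # owning process of the previous row
    return conns


def find_backdoor_connections(conns: List[Conn], port: int = VIRUT_BACKDOOR_PORT) -> List[Conn]:
    """Any TCP row whose remote port is the back door port, regardless of state
    (a SYN_SENT to it is as interesting as an ESTABLISHED one)."""
    return [c for c in conns if c.proto == "TCP" and split_host_port(c.remote)[1] == port]


# Default data of HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
# on Windows XP; note the trailing comma. Anything else (a second path after the
# comma, a path outside system32) deserves a look. Assumed default, compared case-insensitively.
EXPECTED_USERINIT = r"C:\WINDOWS\system32\userinit.exe,"


def userinit_is_clean(value: str) -> bool:
    return value.strip().lower() == EXPECTED_USERINIT.lower()


def read_userinit_from_registry() -> Optional[str]:
    """Live value on Windows; None elsewhere (winreg is Windows-only)."""
    try:
        import winreg
    except ImportError:
        return None
    key = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key) as k:
        return winreg.QueryValueEx(k, "Userinit")[0]


if __name__ == "__main__":
    for c in find_backdoor_connections(parse_netstat_aob(SAMPLE_NETSTAT)):
        print(f"{c.process} (pid {c.pid}) -> {c.remote} [{c.state}]")
    live = read_userinit_from_registry()
    if live is not None:
        print("Userinit:", live, "OK" if userinit_is_clean(live) else "MODIFIED")
```

<p>On a real machine, redirect <tt>netstat -aob</tt> into a file and hand that text to <tt>parse_netstat_aob</tt>; a hit owned by a process that has no business talking to the Internet, like <tt>winlogon.exe</tt> above, is the tell. The registry lookup only runs on Windows, so do it on the suspect box before wiping it.</p>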
<p>Had to reinstall my Windows XP because there were so many hooks. I had sent a support email to hosting.ua but still got no reply from them. Need to reboot now.</p>
<h3>Nov 17 07, Update</h3>
<p>I got a reply back from hosting.ua support. Below is part of the email:</p>
<pre>
from	abuse@hosting.ua
to	nospam@gmail.com,
date	Nov 13, 2007 5:00 PM
subject	Reply: trojan 78.109.19.140.in.hosting.ua #48879

======== CUT HERE =========
Your support request was answered:

Created: 11.11.2007 1:28:38
Last Mod: 12.11.2007 1:41:30

Assigned To:
admin(Hosting.UA)

[11.11.2007 1:28:38]
Q: hi,
This is for your attention. I got a trojan in pc it routed back to one of
your hosting at *78.109.19.140.in.hosting.ua *

I hope you can do something about it.

Thank you
-------------------------------------------------------

[13.11.2007 11:00:08]
A: Fixed!

thx
www.Hosting.UA

-------------------------------------------------------
Hosting.UA Administration</pre>
<p>Well, there is no explanation about the issue from the support staff. Hope this site will be closed down for good. Google has already blocked it and places a warning when you search for the infected URI.</p>
<!-- google_ad_section_end -->
]]></content:encoded>
			<wfw:commentRss>http://42.kaizeku.com/security/virus/w32virutw/feed/</wfw:commentRss>
		</item>
		<item>
		<title>How to safeguard your Windows when cleaning files infected by win32 virus.</title>
		<link>http://42.kaizeku.com/security/virus/how-to-safeguard-your-windows-when-cleaning-files-infected-by-win32-virus/</link>
		<comments>http://42.kaizeku.com/security/virus/how-to-safeguard-your-windows-when-cleaning-files-infected-by-win32-virus/#comments</comments>
		<pubDate>Fri, 26 Oct 2007 10:59:01 +0000</pubDate>
		<dc:creator>Noah Ark</dc:creator>
		
		<category><![CDATA[Debian]]></category>

		<category><![CDATA[Linux]]></category>

		<category><![CDATA[Ubuntu]]></category>

		<category><![CDATA[Virus]]></category>

		<category><![CDATA[Windows]]></category>

		<category><![CDATA[wine]]></category>

		<category><![CDATA[wubi]]></category>

		<guid isPermaLink="false">http://blog.kakkoi.net/virus/how-to-safeguard-your-windows-when-cleaning-files-infected-by-win32-virus/</guid>
		<description><![CDATA[The safest way to clean any kind of Windows virus is to work from a different environment than the operating system it infects: boot into Ubuntu (Debian-based Linux) installed alongside Windows with the Wubi installer. A Win32 file infector cannot run under Linux, so it cannot re-infect files while you inspect or replace them (as long as you don't run the infected executables under Wine).
<em>Here's what wubi-installer.org has to say</em>
<blockquote cite="http://wubi-installer.org" style="color:#666 !important">
<p>Wubi is an unofficial Ubuntu installer for Windows users that will bring you into the Linux world with a single click. Wubi allows you to install and uninstall Ubuntu as any other application. If you heard about Linux and Ubuntu, if you wanted to try them but you were afraid, this is for you.</p>
<ul>
<li>Wubi is safe - It does not require you to modify the partitions of your PC, or to use a different bootloader.</li>
<li>Wubi is Simple - Just run the installer, no need to burn a CD.</li>
<li>Wubi is Discreet - Wubi keeps most of the files in one folder, and if you do not like it, you can simply uninstall it.</li>
<li>Wubi is Free - Wubi (like Ubuntu) is free as in beer and as in freedom. You will get this part later on, the important thing now is that it cost absolutely nothing, it is our gift to you...</li>
</ul></blockquote>]]></description>
			<content:encoded><![CDATA[
<!-- google_ad_section_start -->
<p>The safest way to clean any kind of Windows virus is to work from a different environment than the operating system it infects: boot into Ubuntu (Debian-based Linux) installed alongside Windows with the Wubi installer. A Win32 file infector cannot run under Linux, so it cannot re-infect files while you inspect or replace them (as long as you don&#8217;t run the infected executables under Wine).<br />
<em>Here&#8217;s what wubi-installer.org has to say</em></p>
<blockquote cite="http://wubi-installer.org" style="color:#666 !important">
<p>Wubi is an unofficial Ubuntu installer for Windows users that will bring you into the Linux world with a single click. Wubi allows you to install and uninstall Ubuntu as any other application. If you heard about Linux and Ubuntu, if you wanted to try them but you were afraid, this is for you.</p>
<ul>
<li>Wubi is safe - It does not require you to modify the partitions of your PC, or to use a different bootloader.</li>
<li>Wubi is Simple - Just run the installer, no need to burn a CD.</li>
<li>Wubi is Discreet - Wubi keeps most of the files in one folder, and if you do not like it, you can simply uninstall it.</li>
<li>Wubi is Free - Wubi (like Ubuntu) is free as in beer and as in freedom. You will get this part later on, the important thing now is that it cost absolutely nothing, it is our gift to you&#8230;</li>
</ul>
</blockquote>
<h5>Wubi installer.</h5>
<p style="margin: 18px;text-align:center"><a href="http://blog.kakkoi.net/uri/aHR0cDovL3d3dy5zaGFyZWFwaWMubmV0L2NvbnRlbnQucGhwP2lkPTQ2NzExMDY.curie,80,302" rel="nofollow external"><img src='http://gmodules.com/ig/proxy?url=http://www.shareapic.net/preview2/004671106.png' alt='wubi debian ubuntu installer screenshot' width="130" height="102" /></a></p>
<p>Wubi won&#8217;t break your system partition or replace your Windows. You can also install Wubi on any drive, and it comes with a clean Windows uninstaller. You can download Wubi at <a href="http://wubi-installer.org/latest.php" rel="nofollow">wubi-installer.org</a> or <a href="http://sourceforge.net/project/showfiles.php?group_id=198355" rel="nofollow">Sourceforge</a>. <small class="vcard">~ suggested by <a class="url fn" href="https://launchpad.org/~chaoskaizer" title="Wubi, Lupin Team members">ChaosKaizer</a> </small></p>
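<p>As an added example (my own code, not from the post or the Wubi project), here is a Python script to run from the Ubuntu side once you have booted into it. It hashes every executable under a known-good Windows tree into a SHA-256 manifest and then compares the suspect Windows tree against it, reporting modified, missing and unknown files, which is the check you want when an antivirus log lists dozens of infected system32 binaries. It assumes a Wubi install exposes the Windows drive at <tt>/host</tt> and that you have a clean reference tree to hash (another clean machine or extracted install media); the file names and contents in the embedded demo are constructed placeholders, not real PE files.</p>

```python
"""Added example (not from the original post): check Windows executables from the
Linux side against a SHA-256 manifest built from a known-good tree, so the
infected OS is never running while it is inspected. Assumptions: the Windows
drive is reachable from Ubuntu (a Wubi install mounts it at /host) and you have
a clean reference tree (another clean machine or extracted install media)."""
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Dict, Iterator, List, Tuple, Union

# File types a PE infector like Virut targets (the Norton log in the earlier post
# lists .exe and .scr files); extend to taste.
CHECKED_SUFFIXES = {".exe", ".dll", ".scr", ".sys"}


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def _executables(root: Union[str, Path]) -> Iterator[Tuple[str, Path]]:
    """Yield (key, path) for every checked file under root. Keys are lower-cased
    POSIX-style relative paths because NTFS is case-insensitive."""
    root = Path(root)
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.suffix.lower() in CHECKED_SUFFIXES:
                yield p.relative_to(root).as_posix().lower(), p


def build_manifest(clean_root: Union[str, Path]) -> Dict[str, str]:
    """Relative path -> sha256 for the reference tree. Store the result somewhere
    the suspect machine cannot write to."""
    return {rel: sha256_of(p) for rel, p in _executables(clean_root)}


def check_tree(manifest: Dict[str, str], suspect_root: Union[str, Path]) -> List[Tuple[str, str]]:
    """Compare a suspect tree with the manifest. Reports MODIFIED (hash differs),
    MISSING (in manifest, not on disk) and UNKNOWN (on disk, not in manifest: the
    reference cannot vouch for it, e.g. a dropped file)."""
    findings: List[Tuple[str, str]] = []
    seen = set()
    for rel, p in _executables(suspect_root):
        seen.add(rel)
        want = manifest.get(rel)
        if want is None:
            findings.append(("UNKNOWN", rel))
        elif sha256_of(p) != want:
            findings.append(("MODIFIED", rel))
    findings.extend(("MISSING", rel) for rel in manifest if rel not in seen)
    return sorted(findings)


def demo() -> List[Tuple[str, str]]:
    """Constructed sample: two tiny trees standing in for a clean and an infected
    WINDOWS folder (contents are placeholders, not real PE files)."""
    root = Path(tempfile.mkdtemp())
    files = {
        "clean/system32/userinit.exe": b"MZ clean userinit",
        "clean/system32/alg.exe": b"MZ clean alg",
        "clean/readme.txt": b"not checked",
        "suspect/system32/USERINIT.EXE": b"MZ userinit with something appended",
        "suspect/system32/dropped.exe": b"MZ something new",
    }
    for rel, data in files.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_bytes(data)
    return check_tree(build_manifest(root / "clean"), root / "suspect")


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:   # real use: python check_tree.py <clean WINDOWS dir> /host/WINDOWS
        findings = check_tree(build_manifest(sys.argv[1]), sys.argv[2])
    else:
        findings = demo()
    for status, rel in findings:
        print(status, rel)
```

<p>With two directory arguments it compares real trees; with none it runs the constructed demo. Because the comparison runs under Linux, the infected executables are never loaded, and the manifest is the thing to keep on read-only media so a reinfected machine cannot quietly rewrite it.</p>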
<!-- google_ad_section_end -->
]]></content:encoded>
			<wfw:commentRss>http://42.kaizeku.com/security/virus/how-to-safeguard-your-windows-when-cleaning-files-infected-by-win32-virus/feed/</wfw:commentRss>
		</item>
	</channel>
</rss>
