Problem in browser: cannot go to http://scanner.novirusthanks.org/

Hi folks,

Trying to start the URL multi-virus scan at novirusthanks.org. Cannot connect there. Fiddler says: [Fiddler] Connection to scanner.novirusthanks.org failed.
Exception Text: Een verbindingspoging is mislukt omdat de verbonden party niet correct heeft geantwoord na een bepaalde tijd, of de gemaakte verbinding is mislukt omdat de verbonden host niet heeft geantwoord 91.121.223.25:80
Translated, this means: a connection attempt failed because the connected party did not respond correctly within a given time, or an established connection failed because the connected host did not respond, etc.
What is the right IP address there? I have checked the proxy settings; there were none for the browser. This is annoying, can somebody assist? If I try to load http://94.23.35.159/ I get: No vhost detected in our web server!

If you see this page this mean you have come here from fraudolent domains that are nothing to do with us and that are not present in the web server configuration of our server. For contact us you can send a mail to webmaster@novirusthanks.org or visit our contacts page.

(C) NoVirusThanks Company Srl

Weird, because fraudulent is misspelled. Is this a hack? How to check this in Vista?
Could it be this rogue? http://www.threatexpert.com/report.aspx?md5=9bd3817fa818ed96bddbe8bdf8d8aa40
How to cleanse this… I have attached a FreeFixer logfile with recent changes included…

polonus

No problems here connecting to novirusthanks.org from work with 3G

Same here…!
asyn

Edit: Some info…

Abfrageergebnisse für scanner.novirusthanks.org:
Typ Daten
A name: scanner.novirusthanks.org
adresse: 91.121.223.25
ttl: 21547

Abfrageergebnisse für 94.23.35.159:
Typ Daten
PTR name: 159.35.23.94.in-addr.arpa
ptrdname: ns205950.ovh.net
ttl: 86154

I can go to novirusthanks no problem, but if I copied the URL number you put in your OP, get the same message.
Time to flush the DNS cache?

Yep, same here…

Hi Tarq57,

Ran the command prompt as admin and flushed the DNS cache, but to no avail. This is a DynDNS.com hostname, probably registered for a dynamic IP address, currently 91.121.223.25, located in France. Just by chance, are you using software from http://www.novirusthanks.org/ ? It may be that they use the domain novirusthanks.ath.cx as a blackhole or similar. The blackhole French address is also spreading Koobface. The problem is described here; maybe Logos can have a look: http://www.siteduzero.com/forum-83-520900-p1-impossible-d-aller-sur-certains-sites-depuis-ma-ligne.html#r4997115

polonus

Using server whois.ripe.net.
Query string: “-V Md4.7 94.23.35.159”

% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See http://www.ripe.net/db/support/db-terms-conditions.pdf

% Note: This output has been filtered.
% To receive output for a database update, use the “-B” flag.

% Information related to ‘94.23.0.0 - 94.23.63.255’

inetnum: 94.23.0.0 - 94.23.63.255
netname: OVH
descr: OVH SAS
descr: Dedicated Servers
descr: http://www.ovh.com
country: FR
admin-c: OK217-RIPE
tech-c: OTC2-RIPE
status: ASSIGNED PA
mnt-by: OVH-MNT
source: RIPE # Filtered

role: OVH Technical Contact
address: OVH SAS
address: 140, Quai du Sartel
address: 59100 Roubaix
address: France
admin-c: OK217-RIPE
tech-c: GM84-RIPE
nic-hdl: OTC2-RIPE
remarks: ========================================
remarks: support : support@ovh.com
remarks: 0 899 701 761 (france only)
remarks: ========================================
remarks: troubles:
remarks: + network : abuse@ovh.net
remarks: + spam : http://www.spam-rbl.com
remarks: ========================================
remarks: peering : noc@ovh.net
remarks: prefix 213.186.32.0/19
remarks: prefix 213.251.128.0/18
remarks: - FreeIX (1Gbs) 213.228.3.244
remarks: - PariX (1Gbs) 198.32.247.104
remarks: - SfinX (1Gbs) 194.68.129.144
remarks: ========================================
abuse-mailbox: abuse@ovh.net
mnt-by: OVH-MNT
source: RIPE # Filtered

person: Octave Klaba
address: OVH SAS
address: 140, quai du sartel
address: 59100 Roubaix
address: France
phone: +33 3 20 20 09 57
fax-no: +33 3 20 20 09 58
nic-hdl: OK217-RIPE
abuse-mailbox: abuse@ovh.net
mnt-by: OVH-MNT
source: RIPE # Filtered

% Information related to ‘94.23.0.0/16AS16276’

route: 94.23.0.0/16
descr: OVH ISP
descr: Paris, France
origin: AS16276
mnt-by: OVH-MNT
source: RIPE # Filtered

Just by chance, are you using software from http://www.novirusthanks.org/
No, never even heard of them till now.

Hi forum friends,

Host: scanner.novirusthanks.org
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.0.16) Gecko/2010010414 Firefox/3.0.16 Flock/2.5.6
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
Referer: http://webcache.googleusercontent.com/search?q=cache:KjeZ27j0yrUJ:www.hackforums.net/showthread.php%3Ftid%3D48979+&cd=6&hl=en&ct=clnk
Cookie: __utma=257451540.1929276595.1275515018.1275515018.1275515018.1; __utmz=257451540.1275515018.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)

Fiddler gets: HTTP/1.1 502 Fiddler - Connection Failed
Content-Type: text/html
Connection: close
Timestamp: 15:18:05.531

polonus
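The thread so far has two separate facts that are easy to conflate: DNS resolves scanner.novirusthanks.org to 91.121.223.25 for everyone, yet only one client's TCP connection to port 80 times out (Fiddler reports that as a 502). A hosts-file override, a wrong DNS answer and a dropped SYN all look like "cannot connect" in the browser but point at different causes. The script below is an added illustration, not code from the forum or from NoVirusThanks: it separates those cases. The expected address 91.121.223.25 is the one quoted in the thread; the function names, the sample hosts-file text and the verdict labels are constructed for this example. The resolver and connector are injectable so the classification logic can be exercised offline.

```python
"""Triage 'cannot connect': hosts override vs DNS answer vs TCP reachability.

Added illustration for the thread above; not from the forum or from
NoVirusThanks. Only 91.121.223.25 comes from the thread; all other names
and sample data are constructed.
"""
import socket
import sys

# Address the thread's DNS lookups returned for the scanner host.
EXPECTED_IPS = {"scanner.novirusthanks.org": {"91.121.223.25"}}

# Constructed hosts-file text showing what a tampered entry would look like.
SAMPLE_HOSTS = (
    "127.0.0.1 localhost\n"
    "# comment line\n"
    "94.23.35.159 scanner.novirusthanks.org other.example\n"
)


def hosts_overrides(hosts_text, host):
    """IPs that a hosts file maps `host` to; these win over DNS, so a
    tampered entry looks like a DNS problem from the browser's side."""
    found = set()
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # strip comments and whitespace
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        if host.lower() in (n.lower() for n in names):
            found.add(ip)
    return found


def resolve_live(host):
    """All A records the system resolver returns, or an empty set on NXDOMAIN."""
    try:
        return set(socket.gethostbyname_ex(host)[2])
    except socket.gaierror:
        return set()


def connect_live(ip, port=80, timeout=5.0):
    """Plain TCP connect, classified the way a proxy's 502 would hide it."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return "ok"
    except socket.timeout:
        return "timeout"       # SYN silently dropped: filter, IPS ban, blackhole
    except ConnectionRefusedError:
        return "refused"       # host reached, nothing listening on the port
    except OSError:
        return "unreachable"   # no route, network down, etc.


def triage(host, expected_ips, hosts_text="", resolve=resolve_live, connect=connect_live):
    """Return a dict with a verdict and the evidence behind it."""
    overrides = hosts_overrides(hosts_text, host)
    if overrides:
        return {"verdict": "hosts_override", "ips": overrides}
    ips = resolve(host)
    if not ips:
        return {"verdict": "dns_failed", "ips": ips}
    if expected_ips and not ips <= set(expected_ips):
        return {"verdict": "dns_unexpected", "ips": ips}
    results = {ip: connect(ip) for ip in sorted(ips)}
    if all(r == "ok" for r in results.values()):
        verdict = "ok"
    elif all(r == "timeout" for r in results.values()):
        verdict = "tcp_timeout"   # the pattern in this thread
    else:
        verdict = "tcp_error"
    return {"verdict": verdict, "ips": ips, "tcp": results}


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "scanner.novirusthanks.org"
    path = r"C:\Windows\System32\drivers\etc\hosts" if sys.platform.startswith("win") else "/etc/hosts"
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            hosts_text = fh.read()
    except OSError:
        hosts_text = ""
    print(triage(host, EXPECTED_IPS.get(host, set()), hosts_text=hosts_text))
```

A `tcp_timeout` verdict with a correct DNS answer is the signature of filtering on the path or at the destination; a `dns_unexpected` or `hosts_override` verdict is what the original poster was worried about and what the later OTL `[resethosts]` step addresses.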

I checked with DrWeb where I was going in the browser:

Checking: htxp://scanner.novirusthanks.org/js/prototype.js
File size: 123.18 KB
File MD5: 95e19b059e209ecf7467d34508f4fdae

htxp://scanner.novirusthanks.org/js/prototype.js - Ok

Checking: htxp://scanner.novirusthanks.org/js/scriptaculous.js?load=effects,builder
File size: 2654 bytes
File MD5: 75d1aca2ecf6b32922afd4eb9a146558

htxp://scanner.novirusthanks.org/js/scriptaculous.js?load=effects,builder - Ok

Checking: htxp://scanner.novirusthanks.org/js/jquery-1.3.2.min.js
File size: 55.91 KB
File MD5: bb381e2d19d8eace86b34d20759491a5

htxp://scanner.novirusthanks.org/js/jquery-1.3.2.min.js - Ok

Checking: htxp://pagead2.googlesyndication.com/pagead/show_ads.js
File size: 40.16 KB
File MD5: 431f2c0214820a467f7bba7814f4cbeb

htxp://pagead2.googlesyndication.com/pagead/show_ads.js - Ok

Checking: htxp://scanner.novirusthanks.org/js/tabcontent.js
File size: 8081 bytes
File MD5: 9d39d27fc812403f70908b2dc8389219

htxp://scanner.novirusthanks.org/js/tabcontent.js - Ok

Checking: htxp://scanner.novirusthanks.org/#
Engine version: 5.0.2.3300
Total virus-finding records: 1415478
File size: 8564 bytes
File MD5: df11b73365930757468e4e04ea2f0cff

htxp://scanner.novirusthanks.org/# - archive HTML

htxp://scanner.novirusthanks.org/#/Script.0 - Ok
htxp://scanner.novirusthanks.org/#/Script.1 - Ok
htxp://scanner.novirusthanks.org/#/Script.2 - Ok
htxp://scanner.novirusthanks.org/#/Script.3 - Ok
htxp://scanner.novirusthanks.org/#/Script.4 - Ok
htxp://scanner.novirusthanks.org/# - Ok

Still not sure what is the matter here?

polonus

Hope you can isolate it anyway…
asyn

Hi Asyn,

There is a report here:
14 * * * 99999 ms [+99999ms]

[Unknown] [Unknown - Firewall did not respond] -1 miles [+0] 0 miles [+0]

15 * * * 99999 ms [+0ms]

[Unknown] [Unknown - Firewall did not respond] -1 miles [+0] 0 miles [+0]

16 * * * 99999 ms [+0ms]

[Unknown] [Unknown - Firewall did not respond] -1 miles [+0] 0 miles [+0]

17 * * * 99999 ms [+0ms]

[Unknown] [Unknown - Firewall did not respond]

[4 hops with no response:
assuming we hit a firewall
that blocks pings] -1 miles [+0]
18
19
20

Analysis:
Number of hops: 17

Last hop responding to ICMP: 13, UDP: 13, TCP: 0.

There appears to be a firewall at (hop 14) that blocks ICMP (ping) packets.

There appears to be a firewall at (hop 14) that blocks unwanted UDP packets.

There appears to be a firewall at 174.133.202.225 (hop 1) that blocks unwanted TCP packets.

polonus

Hi malware fighters,
was reported:

WARNING: One or more of your mailservers is claiming to be a host other than what it really is (the SMTP greeting should be a 3-digit code, followed by a space or a dash, then the host name). If your mailserver sends out E-mail using this domain in its EHLO or HELO, your E-mail might get blocked by anti-spam software. This is also a technical violation of RFC821 4.3 (and RFC2821 4.3.1). Note that the hostname given in the SMTP greeting should have an A record pointing back to the same server. Note that this one test may use a cached DNS record.

google.com.s9a1.psmtp.com claims to be invalid hostname ‘Postini’:
220 Postini ESMTP 226 y6_27_0c6 ready. CA Business and Professions Code Section 17538.45 forbids use of this system for unsolicited electronic mail advertisements.
google.com.s9b1.psmtp.com claims to be invalid hostname ‘Postini’:
220 Postini ESMTP 252 y6_27_0c6 ready. CA Business and Professions Code Section 17538.45 forbids use of this system for unsolicited electronic mail advertisements.
google.com.s9b2.psmtp.com claims to be invalid hostname ‘Postini’:
220 Postini ESMTP 214 y6_27_0c6 ready. CA Business and Professions Code Section 17538.45 forbids use of this system for unsolicited electronic mail advertisements.
google.com.s9a2.psmtp.com claims to be invalid hostname ‘Postini’:
220 Postini ESMTP 166 y6_27_0c6 ready. CA Business and Professions Code Section 17538.45 forbids use of this system for unsolicited electronic mail advertisements.

polonus
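The warning quoted above is mechanical: RFC 2821 section 4.3.1 expects the server's greeting to be a 3-digit code (220 for "service ready"), a space or a dash, and then the server's own domain name, and the reporting tool additionally wants that name to resolve back to the server. The following is an added example and not code from the forum or from the report tool: it applies those two checks to greeting banners, using the four Postini lines from the post plus constructed ones. Function names and the sample addresses (192.0.2.x, example.org) are assumptions made for this illustration.

```python
"""Check an SMTP greeting against RFC 2821 4.3.1 (reply code, separator,
hostname) and whether the announced host resolves to the server.

Added illustration; not from the forum, from the report tool, or from Postini.
Banners marked 'from the thread' are quoted from the post above; the rest
are constructed.
"""
import ipaddress
import re
import socket

GREETING_RE = re.compile(r"^(?P<code>\d{3})(?P<sep>[ -])(?P<host>\S+)(?P<rest>.*)$")
# One DNS label: 1-63 chars, letters/digits/hyphen, no leading or trailing hyphen.
LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

# From the thread (one per Postini MX); constructed samples follow.
THREAD_BANNERS = [
    "220 Postini ESMTP 226 y6_27_0c6 ready. CA Business and Professions Code Section 17538.45 forbids use of this system for unsolicited electronic mail advertisements.",
    "220 Postini ESMTP 252 y6_27_0c6 ready. CA Business and Professions Code Section 17538.45 forbids use of this system for unsolicited electronic mail advertisements.",
    "220 Postini ESMTP 214 y6_27_0c6 ready. CA Business and Professions Code Section 17538.45 forbids use of this system for unsolicited electronic mail advertisements.",
    "220 Postini ESMTP 166 y6_27_0c6 ready. CA Business and Professions Code Section 17538.45 forbids use of this system for unsolicited electronic mail advertisements.",
]


def is_fqdn(name):
    """True for a multi-label domain name made of valid labels (constructed rule,
    stricter than the RFC: a bare word such as 'Postini' is rejected)."""
    name = name.rstrip(".")
    if len(name) > 253:
        return False
    labels = name.split(".")
    return len(labels) >= 2 and all(LABEL_RE.match(lab) for lab in labels)


def is_address_literal(token):
    """RFC 2821 4.1.3 address literal: '[192.0.2.1]' or '[IPv6:...]'."""
    if not (token.startswith("[") and token.endswith("]")):
        return False
    inner = token[1:-1]
    if inner.upper().startswith("IPV6:"):
        inner = inner[5:]
    try:
        ipaddress.ip_address(inner)
        return True
    except ValueError:
        return False


def check_greeting(banner):
    """Return (ok, detail): detail is the announced host when ok, else the reason."""
    m = GREETING_RE.match(banner.rstrip("\r\n"))
    if not m:
        return (False, "no 3-digit reply code followed by a space or dash")
    if m["code"] != "220":
        return (False, "reply code %s is not 220 (service ready)" % m["code"])
    host = m["host"]
    if is_fqdn(host) or is_address_literal(host):
        return (True, host)
    return (False, "'%s' is not a fully qualified hostname" % host)


def resolve_live(host):
    try:
        return set(socket.gethostbyname_ex(host)[2])
    except socket.gaierror:
        return set()


def greeting_matches_server(host, server_ip, resolve=resolve_live):
    """The tool's second rule: the announced name should have an A record
    pointing back at the server that sent the greeting."""
    return server_ip in resolve(host)


def audit(banners):
    """Map each banner's first token to its check result."""
    return {b.split(None, 2)[1]: check_greeting(b) for b in banners}


if __name__ == "__main__":
    for banner, (ok, detail) in zip(THREAD_BANNERS, (check_greeting(b) for b in THREAD_BANNERS)):
        print("OK " if ok else "BAD", detail)
```

Note that a rejected banner is a hygiene finding, not proof of compromise; the thread's own examples are a large mail-filtering provider's front ends, which is exactly the kind of legitimate case where this warning fires.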

Trying to go to the real IP:
Traceroute to 94.23.35.159
Hop T1 T2 T3 Best Graph IP Hostname Dist TTL Ctry Time
1 4 1 * 0.7 ms

70.86.70.33 AS21844

THEPLANET-AS 21.46.5646.static.theplanet.com. 255 US Unknown: 832a447f
2 0 0 * 0.7 ms [+0ms]

70.87.254.25 AS21844

THEPLANET-AS po104.dsr01.dllstx5.theplanet.com. 0 miles [+0] 254 US Unix: 14:54:37. 64
3 1 1 * 0.7 ms [+0ms]

70.85.127.105 AS21844

THEPLANET-AS po51.dsr01.dllstx3.theplanet.com. 0 miles [+0] 250 US Unix: 14:54:37. 95
4 0 0 * 0.7 ms [+0ms]

70.87.255.33 AS21844

THEPLANET-AS 21.ff.5746.static.theplanet.com. 0 miles [+0] 61 US [Router did not respond]
5 1 1 * 1.0 ms [+0ms]

4.71.122.1 AS3356

Level3 te-3-4.car4.Dallas1.Level3.net. 0 miles [+0] 251 US Unix: 14:54:37.156
6 1 1 * 1.0 ms [+0ms]

4.68.111.166 AS3356

Level3 opentransit-level3-te3-1-dallas1.level3.net. 0 miles [+0] 250 US [Router did not respond]
7 * * * 99999 ms [+99999ms]

[Unknown] [Unknown - Firewall did not respond] 0 miles [+0]

8 * * * 99999 ms [+0ms]

[Unknown] [Unknown - Firewall did not respond] 0 miles [+0]

9 * * * 99999 ms [+0ms]

[Unknown] [Unknown - Firewall did not respond] 0 miles [+0]

10 * * * 99999 ms [+0ms]

[Unknown] [Unknown - Firewall did not respond]

[4 hops with no response:
assuming we hit a firewall
that blocks pings] 0 miles [+0]
11
12
13
14
15

polonus

Huh…!!? What a mess… :(
asyn

Hi essexboy,

Well, I could solve the issue myself: by going to google.fr, I entered the main site there, and from there the link brought me back to the scanner, and all works fine. It took me some while to find this solution. It can be a lesson for others,

Damian

I can remove the remainder of the ask bar if you wish - but I can see nothing untoward there

Run OTL

- Under the Custom Scans/Fixes box at the bottom, paste in the following

:OTL
[2010-02-06 01:47:34 | 000,000,000 | ---D | M] (No name found) -- C:\Users\mysz\AppData\Roaming\mozilla\Firefox\Profiles\syue97pt.default\extensions\{E9A1DEE0-C623-4439-8932-001E7D17607D}
O3 - HKLM\..\Toolbar: (Foxit Toolbar) - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll (Ask.com)
O3 - HKCU\..\Toolbar\WebBrowser: (Foxit Toolbar) - {3041D03E-FD4B-44E0-B742-2D9B88305F98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll (Ask.com)

:Commands
[resethosts]
[purity]
[emptytemp]
[EMPTYFLASH]
[CLEARALLRESTOREPOINTS] 
[Reboot]

- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done

Hi essexboy,

You are an eminent eliminator. Good that I could solve the blackhole URL issue me, myself and I, with the help of Google.fr.
“‘Black holing’ in France is not that easy…”
I consider the case now as resolved; I gained some new insights here. Re: http://spoofer.csail.mit.edu/summary.php
Thanks for the assist, my good friend; good hunting, and may your online time be safe and secure, is the wish of,

polonus

Hi polonus,

Just received your email now; thank you for reporting the problem in the service. Due to some recent attacks on this service, we had to set a stricter rule in the IPS, and this could generate some false positives that could have caused the ban of IP addresses of legit users. This is the possible cause of your connection problem with the service scanner.novirusthanks.org. If this problem happens again, send us an email and I will fix the problem :)

91.121.223.25 is the IP address of one of our servers, where scanner.novirusthanks.org is hosted.