Problem in browser cannot go to http://scanner.novirusthanks.org/

[polonus]

Hi folks,

Try to start the url multi-virus scan at novirusthanks.org. Cannot connect there. Fiddler says: [Fiddler] Connection to scanner.novirusthanks.org failed.
Exception Text: Een verbindingspoging is mislukt omdat de verbonden party niet correct heeft geantwoord na een bepaalde tijd, of de gemaakte verbinding is mislukt omdat de verbonden host niet heeft geantwoord 91.121.223.25:80
Translated this means: A connection attempt has failed, because connected party did not respond correctly within a given time or a connection established failed because the connected host did not respond etc.
What is the right IP address there. I have checked proxy settings, there were none for the browser. This is annoying, can somebody assist? If I try to load: http://94.23.35.159/ I get: No vhost detected in our web server!

If you see this page this mean you have come here from fraudolent domains that are nothing to do with us and that are not present in the web server configuration of our server. For contact us you can send a mail to webmaster@novirusthanks.org or visit our contacts page.

(C) NoVirusThanks Company Srl  Weird because fraudulent is misspelled. Is this a hack? How check this in vista?
Could it be this rogue? http://www.threatexpert.com/report.aspx?md5=9bd3817fa818ed96bddbe8bdf8d8aa40
How to cleanse this...I have attached a freefixer logfile with recent changes included...

polonus

[Pondus]

No problems here connecting to novirusthanks.org from work with 3G

[Asyn]

No problems here connecting to novirusthanks.org from work with 3G

Same here..!
asyn

Edit: Some info...

Abfrageergebnisse für scanner.novirusthanks.org:
Typ    Daten
A    name: scanner.novirusthanks.org
adresse: 91.121.223.25
ttl: 21547

Abfrageergebnisse für 94.23.35.159:
Typ    Daten
PTR    name: 159.35.23.94.in-addr.arpa
ptrdname: ns205950.ovh.net
ttl: 86154

[Tarq57]

I can go to novirusthanks no problem, but if I copied the URL number you put in your OP, get the same message.
Time to flush the DNS cache?

[Pondus]

I can go to novirusthanks no problem, but if I copied the URL number you put in your OP, get the same message.
Time to flush the DNS cache?

jepp, same here.....

[polonus]

Hi Tarq57,

Ran the command prompt as admin, flushed the DNScache, but to no avail. This is a DynDNS.com hostname registered probably for a dynamic IP address, currently 91.121.223.25 located in France. Just by chance, are you using software from http://www.novirusthanks.org/ ? It may be that they use the domain novirusthanks.ath.cx as a blackhole or similar. The blachole French address is also spreading koobface. Here the problem is descripted, maybe Logos can have a look here: http://www.siteduzero.com/forum-83-520900-p1-impossible-d-aller-sur-certains-sites-depuis-ma-ligne.html#r4997115

polonus

[Asyn]

Using server whois.ripe.net.
Query string: "-V Md4.7 94.23.35.159"

% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See http://www.ripe.net/db/support/db-terms-conditions.pdf

% Note: This output has been filtered.
%       To receive output for a database update, use the "-B" flag.

% Information related to '94.23.0.0 - 94.23.63.255'

inetnum:        94.23.0.0 - 94.23.63.255
netname:        OVH
descr:          OVH SAS
descr:          Dedicated Servers
descr:          http://www.ovh.com
country:        FR
admin-c:        OK217-RIPE
tech-c:         OTC2-RIPE
status:         ASSIGNED PA
mnt-by:         OVH-MNT
source:         RIPE # Filtered

role:           OVH Technical Contact
address:        OVH SAS
address:        140, Quai du Sartel
address:        59100 Roubaix
address:        France
admin-c:        OK217-RIPE
tech-c:         GM84-RIPE
nic-hdl:        OTC2-RIPE
remarks:        ========================================
remarks:        support : support@ovh.com
remarks:        0 899 701 761 (france only)
remarks:        ========================================
remarks:        troubles:
remarks:        + network : abuse@ovh.net
remarks:        + spam    : http://www.spam-rbl.com
remarks:        ========================================
remarks:        peering : noc@ovh.net
remarks:        prefix 213.186.32.0/19
remarks:        prefix 213.251.128.0/18
remarks:        - FreeIX (1Gbs) 213.228.3.244
remarks:        - PariX (1Gbs) 198.32.247.104
remarks:        - SfinX (1Gbs) 194.68.129.144
remarks:        ========================================
abuse-mailbox:  abuse@ovh.net
mnt-by:         OVH-MNT
source:         RIPE # Filtered

person:         Octave Klaba
address:        OVH SAS
address:        140, quai du sartel
address:        59100 Roubaix
address:        France
phone:          +33 3 20 20 09 57
fax-no:         +33 3 20 20 09 58
nic-hdl:        OK217-RIPE
abuse-mailbox:  abuse@ovh.net
mnt-by:         OVH-MNT
source:         RIPE # Filtered

% Information related to '94.23.0.0/16AS16276'

route:          94.23.0.0/16
descr:          OVH ISP
descr:          Paris, France
origin:         AS16276
mnt-by:         OVH-MNT
source:         RIPE # Filtered

[Tarq57]

Just by chance, are you using software from http://www.novirusthanks.org/ 

No, never even heard of them till now.

[polonus]

Hi forum friends,

Host: scanner.novirusthanks.org
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.0.16) Gecko/2010010414 Firefox/3.0.16 Flock/2.5.6
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
Referer: http://webcache.googleusercontent.com/search?q=cache:KjeZ27j0yrUJ:www.hackforums.net/showthread.php%3Ftid%3D48979+&cd=6&hl=en&ct=clnk
Cookie: __utma=257451540.1929276595.1275515018.1275515018.1275515018.1; __utmz=257451540.1275515018.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)


Fiddler gets: HTTP/1.1 502 Fiddler - Connection Failed
Content-Type: text/html
Connection: close
Timestamp: 15:18:05.531

polonus

[polonus]

I checked with DrWeb where I was going in the browser:

Checking: htxp://scanner.novirusthanks.org/js/prototype.js
File size: 123.18 KB
File MD5: 95e19b059e209ecf7467d34508f4fdae

htxp://scanner.novirusthanks.org/js/prototype.js - Ok


Checking: htxp://scanner.novirusthanks.org/js/scriptaculous.js?load=effects,builder
File size: 2654 bytes
File MD5: 75d1aca2ecf6b32922afd4eb9a146558

htxp://scanner.novirusthanks.org/js/scriptaculous.js?load=effects,builder - Ok

Checking: htxp://scanner.novirusthanks.org/js/jquery-1.3.2.min.js
File size: 55.91 KB
File MD5: bb381e2d19d8eace86b34d20759491a5

htxp://scanner.novirusthanks.org/js/jquery-1.3.2.min.js - Ok

Checking: htxp://pagead2.googlesyndication.com/pagead/show_ads.js
File size: 40.16 KB
File MD5: 431f2c0214820a467f7bba7814f4cbeb

htxp://pagead2.googlesyndication.com/pagead/show_ads.js - Ok

Checking: htxp://scanner.novirusthanks.org/js/tabcontent.js
File size: 8081 bytes
File MD5: 9d39d27fc812403f70908b2dc8389219

htxp://scanner.novirusthanks.org/js/tabcontent.js - Ok

Checking: htxp://scanner.novirusthanks.org/#
Engine version: 5.0.2.3300
Total virus-finding records: 1415478
File size: 8564 bytes
File MD5: df11b73365930757468e4e04ea2f0cff

htxp://scanner.novirusthanks.org/# - archive HTML
>htxp://scanner.novirusthanks.org/#/Script.0 - Ok
>htxp://scanner.novirusthanks.org/#/Script.1 - Ok
>htxp://scanner.novirusthanks.org/#/Script.2 - Ok
>htxp://scanner.novirusthanks.org/#/Script.3 - Ok
>htxp://scanner.novirusthanks.org/#/Script.4 - Ok
htxp://scanner.novirusthanks.org/# - Ok

Still not sure what is the matter here?

polonus

[Asyn]

Still not sure what is the matter here?
polonus

Hope you can isolate it anyway...
asyn

[polonus]

Hi Asyn,

There is a report here:
14   *   *   *   99999 ms [+99999ms]   
    
   [Unknown]   [Unknown - Firewall did not respond]    -1 miles [+0] 0 miles [+0]            
15   *   *   *   99999 ms [+0ms]   
    
   [Unknown]   [Unknown - Firewall did not respond]    -1 miles [+0] 0 miles [+0]            
16   *   *   *   99999 ms [+0ms]   
    
   [Unknown]   [Unknown - Firewall did not respond]    -1 miles [+0] 0 miles [+0]            
17   *   *   *   99999 ms [+0ms]   
    
   [Unknown]   [Unknown - Firewall did not respond]
[4 hops with no response:
assuming we hit a firewall
that blocks pings]    -1 miles [+0]            
18                                           
19                                           
20                                           



Analysis:
Number of hops: 17

Last hop responding to ICMP: 13, UDP: 13, TCP: 0.

There appears to be a firewall at  (hop 14) that blocks ICMP (ping) packets.

There appears to be a firewall at  (hop 14) that blocks unwanted UDP packets.

There appears to be a firewall at 174.133.202.225 (hop 1) that blocks unwanted TCP packets.

polonus

[polonus]

Hi malware fighters,
was reported:

WARNING: One or more of your mailservers is claiming to be a host other than what it really is (the SMTP greeting should be a 3-digit code, followed by a space or a dash, then the host name). If your mailserver sends out E-mail using this domain in its EHLO or HELO, your E-mail might get blocked by anti-spam software. This is also a technical violation of RFC821 4.3 (and RFC2821 4.3.1). Note that the hostname given in the SMTP greeting should have an A record pointing back to the same server. Note that this one test may use a cached DNS record.

google.com.s9a1.psmtp.com claims to be invalid hostname 'Postini': <br />   220 Postini ESMTP 226 y6_27_0c6 ready. CA Business and Professions Code Section 17538.45 forbids use of this system for unsolicited electronic mail advertisements. <br />google.com.s9b1.psmtp.com claims to be invalid hostname 'Postini': <br />   220 Postini ESMTP 252 y6_27_0c6 ready. CA Business and Professions Code Section 17538.45 forbids use of this system for unsolicited electronic mail advertisements. <br />google.com.s9b2.psmtp.com claims to be invalid hostname 'Postini': <br />   220 Postini ESMTP 214 y6_27_0c6 ready. CA Business and Professions Code Section 17538.45 forbids use of this system for unsolicited electronic mail advertisements. <br />google.com.s9a2.psmtp.com claims to be invalid hostname 'Postini': <br />   220 Postini ESMTP 166 y6_27_0c6 ready. CA Business and Professions Code Section 17538.45 forbids use of this system for unsolicited electronic mail advertisements. <br />

polonus

[polonus]

Trying to go to the real IP:
Traceroute to 94.23.35.159
Hop   T1   T2   T3   Best   Graph   IP   Hostname   Dist   TTL   Ctry   Time
1   4   1   *   0.7 ms    
    
   70.86.70.33 AS21844
THEPLANET-AS    21.46.5646.static.theplanet.com.       255   US   Unknown: 832a447f
2   0   0   *   0.7 ms [+0ms]   
    
   70.87.254.25 AS21844
THEPLANET-AS    po104.dsr01.dllstx5.theplanet.com.    0 miles [+0]    254   US   Unix: 14:54:37. 64
3   1   1   *   0.7 ms [+0ms]   
    
   70.85.127.105 AS21844
THEPLANET-AS    po51.dsr01.dllstx3.theplanet.com.    0 miles [+0]    250   US   Unix: 14:54:37. 95
4   0   0   *   0.7 ms [+0ms]   
    
   70.87.255.33 AS21844
THEPLANET-AS    21.ff.5746.static.theplanet.com.    0 miles [+0]    61   US   [Router did not respond]
5   1   1   *   1.0 ms [+0ms]   
    
   4.71.122.1 AS3356
Level3    te-3-4.car4.Dallas1.Level3.net.    0 miles [+0]    251   US   Unix: 14:54:37.156
6   1   1   *   1.0 ms [+0ms]   
    
   4.68.111.166 AS3356
Level3    opentransit-level3-te3-1-dallas1.level3.net.    0 miles [+0]    250   US   [Router did not respond]
7   *   *   *   99999 ms [+99999ms]   
    
   [Unknown]   [Unknown - Firewall did not respond]    0 miles [+0]            
8   *   *   *   99999 ms [+0ms]   
    
   [Unknown]   [Unknown - Firewall did not respond]    0 miles [+0]            
9   *   *   *   99999 ms [+0ms]   
    
   [Unknown]   [Unknown - Firewall did not respond]    0 miles [+0]            
10   *   *   *   99999 ms [+0ms]   
    
   [Unknown]   [Unknown - Firewall did not respond]
[4 hops with no response:
assuming we hit a firewall
that blocks pings]    0 miles [+0]            
11                                           
12                                           
13                                           
14                                           
15                                           

polonus

[Asyn]

Huh..!!? What a mess..
asyn