1166 replies to this topic

[allanf]

http://joshua.w07.net/Projects/

this is a bad website

delete the whole server

[Lancelot]

so when, Lancelot was the ".htm" or Word document re-uploaded to replace the infected page mentioned in "Post #1"?

I guess you mean, opening topic's first page ( http://www.boot-land...?showtopic=8774 ) to see post #1 is not available due to some viru problems. If it is what you mean, I can quickly open a new topic with post #1 ??

and is there any problem about **downloading (not building) project with winbuilder by using joshua.winbuilder.net/projects (or joshua.w07.net/Projects ) ??

[allanf]

A tutorial also available at joshua.w07.net
written at post 1

can someone confirm if it is clean or not ?

You think that by renaming the site you can fool everyone including google and all the protectors.

Well you fooled me.. I thought you might have actually cleaned it up.

http://www.google.co...s...ects/&hl=en

Advisory provided by
Safe Browsing
Diagnostic page for joshua.winbuilder.net/projects
What is the current listing status for joshua.winbuilder.net/projects?

Site is listed as suspicious - visiting this web site may harm your computer.

Part of this site was listed for suspicious activity 4 time(s) over the past 90 days.

What happened when Google visited this site?

Of the 90 pages we tested on the site over the past 90 days, 2 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2009-12-01, and the last time suspicious content was found on this site was on 2009-12-01.
Malicious software includes 2 scripting exploit(s), 1 trojan(s), 1 exploit(s). Successful infection resulted in an average of 1 new process(es) on the target machine.

Malicious software is hosted on 6 domain(s), including domoktov.com/, d-mediagroup.com/, check-your-iq.ru/.

1 domain(s) appear to be functioning as intermediaries for distributing malware to visitors of this site, including aweleon.com/.

This site was hosted on 1 network(s) including AS30083 (SERVER4YOU).

Has this site acted as an intermediary resulting in further distribution of malware?

Over the past 90 days, joshua.winbuilder.net/projects did not appear to function as an intermediary for the infection of any sites.

Has this site hosted malware?

No, this site has not hosted malicious software over the past 90 days.

How did this happen?

In some cases, third parties can add malicious code to legitimate sites, which would cause us to show the warning message.

Next steps:

Return to the previous page.
If you are the owner of this web site, you can request a review of your site using Google Webmaster Tools. More information about the review process is available in Google's Webmaster Help Center.
Updated 24 hours ago©2008 Google - Google Home

[dera]

yes, seems both address
joshua.winbuilder.net /Projects
or
joshua.w07.net /Projects
are very problematic

[allanf]

yes, seems both address
joshua.winbuilder.net /Projects
or
joshua.w07.net /Projects
are very problematic

dera

I don't know Kaspersky. Is that a scan of the website, or a scan of your computer?

BTW, I edited some of my language in previous posts. Sorry if it offended anyone.

Regards

[Lancelot]

You think that by renaming the site you can fool everyone including google and all the protectors.

Well you fooled me.. I thought you might have actually cleaned it up.

Link provided by joshua not me....

[Lancelot]

Thanks a lot dera

so I guess best possible way to avoid is providing files from another server.

I create a temporary server for winbuilder here:
apps.winbuilder.net/Win7Rescue_Joshua
http://apps.winbuild...shua/index.html
also added doc file Peter provided
http://apps.winbuild...in7RescuePE.doc

Can you check if they are clean, so we can add a service note to post 1.

[pscEx]

Can you check if they are clean, so we can add a service note to post 1.

Before I uploaded, I checked with virustotal.com:

40 scanners think that the file is clean.

Peter

[Brito]

Hi,

Yesterday I created the http://joshua.w07.net subdomain and moved all files from http://joshua.winbuilder.net to over there.

I was hoping to talk with Joshua but he seems unavailable at the moment.

The web page was infected with some sort of virus, I tried to clean it up as much as possible.

One advice: Please use Kompozer or some other clean HTML editor instead of frontpage or Word for this task.

-------------------

Can someone volunteer to get this server back on shape?

Can we have a new subdomain called http://rescuepe.w07.net with a clean set of files to properly allow this project to work for everyone?

If I don't reply back, please email me (been too busy to follow the forum lately.. )

[dera]

Is that a scan of the website

i don't know either exactly how its web traffic filter works

[Lancelot]

Hi psc,

Sorry for misunderstanding Peter, I was not referring your doc file, It seems this is all about a virus activity on htm files. Since I just updated better to ask virus experts if new server is okey. with doc link i wanted to inform that i updated doc file you provided instead of htm file.


Hi Nuno,

Can someone volunteer to get this server back on shape?

what i tried to do is exactly same with apps.winbuilder.net/Win7Rescue_Joshua

I guess If you can copy all files from apps.winbuilder.net/Win7Rescue_Joshua/ to rescuepe.w07.net/ I feel issue will be totally gone.

[allanf]

@Lancelot

I resented the way you shrugged off the legitimate concerns of a new member corelogic and the concerns of others that corelogic went to the trouble of listing.

I hadn't really been following this thread since a virus/trojan attack from the Win7RescuePE website some time ago. At that time I noted other reports and have been bewildered why they had been ignored.

You were discussing the link to the tutorial on winbuilder.net. Then your buddy comes up with a new "clean" tutorial, and you suddenly announce that the first post had been changed with a link to a tutorial on a completely different server. Why you would suddenly refer back to the first post in a 70+ page thread makes me wonder. I mistakenly assumed you had something to do with it.

Turns out it was Nuno! ... ...

Please accept my apologies.


@dera

That scan showed a pdf in "C:\Documents and Settings....". I thought you might have gone into the website with a clean unprotected computer just to see what you could catch! I've spent most of the day trying to clean mine... 2 files infected so far.

Regards

[Brito]

Sorry for this confusion that I caused last night!

I wanted to get in contact with Joshua but he hasn't replied back yet.

If anyone wants the original HTML file with virus for analysis please do let me know.

-----------------------------

We will create a new subdomain open to a few trusted members on boot land to ensure that we can provide a good project for everyone.

[corelogic]

One advice: Please use Kompozer or some other clean HTML editor instead of frontpage or Word for this task.

I personally used to use MS Notepad, but recently switched to Notepad++. The WYSIWYG editors just leave too much crap in an HTML file.
Link = http://notepad-plus....net/uk/site.htm

[corelogic]

I create a temporary server for winbuilder here:
apps.winbuilder.net/Win7Rescue_Joshua
http://apps.winbuild...shua/index.html
also added doc file Peter provided
http://apps.winbuild...in7RescuePE.doc

Can you check if they are clean, so we can add a service note to post 1.

I downloaded each file from here: http://apps.winbuild...shua/index.html
The files are all clean as of now.

For those investing so much time on the Win7RescuePE build - could I recommend creating MD5 hashes for your files, so we can all see if a file has been tampered?

Free MD5 hash creator (I cannot vouch for the app) here: http://www.pc-tools.net/win32/md5sums/

Then, only allow maintainers to upload the files to the server after scanning the files via VirusTotal. Just a couple suggestions.

[was_jaclaz]

Free MD5 hash creator (I cannot vouch for the app) here: http://www.pc-tools.net/win32/md5sums/

Just for the record, in-house Free MD5 hash creator :
http://www.boot-land...p?showtopic=130
http://nunobrito.eu/...load.php?view.4

jaclaz

[Brito]

I personally used to use MS Notepad, but recently switched to Notepad++. The WYSIWYG editors just leave too much crap in an HTML file.

Anything is better than FrontPage..

[ReD]

To answer to someone about the possibly infected url i gave (http://www.4shared.c...n7RescuePE.html), it's just a word (doc file) i've done that contains the tutorial.

i installed the latest antivirpe then just downloaded it and: it did not said anything about a virus ...

[dera]

That scan showed a pdf in "C:\Documents and Settings...."

yes, that file was downloaded while i tried to access
joshua.winbuilder.net /Projects
or
joshua.w07.net /Projects
don't remember (both address were problematic)
but before this file was downloaded silently the av asked many times to block or not the site
then asked for delete that file

do not know what is the situation now
(now i gave up and don't try anymore)

[corelogic]

To answer to someone about the possibly infected url i gave (http://www.4shared.c...n7RescuePE.html), it's just a word (doc file) i've done that contains the tutorial.

i installed the latest antivirpe then just downloaded it and: it did not said anything about a virus ...

ReD, that was me, corelogic. The infection looked like it was coming from an ad or something else. I just tried again, no problems with the link or downloaded file.

[dera]

currently
apps.winbuilder.net /Win7Rescue_Joshua /index.html
seems ok

(at least currently it does not contain that ominous script code and that link to emilsburger to that php)

[Lancelot]

Hi all,

following Nuno's advice and keeping Joshua's folder structure (and removing suspicious html files), now we have a new Win7RescuePE server (previous one introduced by me on previous post now cancelled).

rescue.w07.net/Projects

also minor modification made on the tutorial document (server name changed to rescue.w07.net/Projects , minor picture fixes)
http://rescue.w07.ne...escuePE_psc.doc
ps: http://rescue.w07.ne...ects/index.html also available , please use winbuilder to download.

I guess everything now clean on rescue.w07.net , I need a last verification by our V-Hunters before putting service note to post #1




@corelogic

I downloaded each file from here: http://apps.winbuild...shua/index.html
The files are all clean as of now.

Thanks for checking

For those investing so much time on the Win7RescuePE build - could I recommend creating MD5 hashes for your files, so we can all see if a file has been tampered?

Free MD5 hash creator (I cannot vouch for the app) here: http://www.pc-tools.net/win32/md5sums/

Then, only allow maintainers to upload the files to the server after scanning the files via VirusTotal. Just a couple suggestions.

When you add rescue.w07.net/Projects to the winbuilder server list (as introduced in tutorial) and download with winbuilder, winbuilder download mechanism checks md5 of files to avoid things, If md5 do not match than winbuilder shows you an error screen and do not download.
the index.html for files on server mostly helps to see what is on server and for pointing specific scripts. It is more proper to download with winbuilder.

[corelogic]

...I need a last verification by our V-Hunters...

I think you just created a new "Group" of members under Boot-Land.net.

[Brito]

What's a v-hunter?

[Lancelot]

Please accept my apologies.

Accepting but in fact accepting is not important. Please keep in mind all we are trying to is helping eachother, being polite with some jokes is better for boot-land spirit.
At old times of "virus" reports, this was all about some new thingies at boot-land which still effects other pages (ex: forum rules), that is the reason I believe joshua ignored the reports. I guess after some time joshua's pages infected by other things too but mixed with the existant problem and than joshua was away for a long while. etc. etc. etc......

Anyway, better to keep a peacefull environment

I think you just created a new "Group" of members under Boot-Land.net.

We have wodoo hunters, We have boxers (and a fight club) , we have American Gladiators, now we have V-Hunter

What's a v-hunter?

Virus Hunter



@all
Since bad news comes very faster than good news, I feel rescue.w07.net is clean
post #1 also modified to avoid av warnings (I guess some members can not read post #1 because of the links to original page, now all changed (original post #1 saved))
A service post added to the end of the post #1

Further:
Well, Win7Rescue users already knows that I am not a Win7RescuePE fan and I do not know Win7RescuePE project very well. In fact I do not have anytime or will to continue joshua's work.
All I am trying to do is helping Joshua, Win7Rescue, Win7Rescue users & fans & newusers .... with getting rid of this annoying virus reports which I hope we now burry to the history.
What I can do more is:
**I can help any trusted (well known) member if s(h)e decides to be an admin of rescue.w07.net server about maintance.
**If no volunteer to be an admin, I can update fixed/updated scripts If they are posted here by well known members (or after their confirmation) (so joshua can follow up what is going on) ps: current project already packed to freeze current state. (please be carelful about selected=false/true state of the script since i would directly upload with incrementing version)

Well that is all I can do for Win7Rescue