I'm reporting these sites:

Sites hosting DNSChanger/Zlob Malware.

Cernel.net

Thanks to Intercage!
They took down all the sites I reported to them. 13 total!
Even though they haven't sent me a reply yet all these sites are all dead as of today (July 2nd).

Not to be a wet blanket, but I wouldn't extend any credit to Intercage for that. Glancing down the list, those were the actively-used sites some months ago. I haven't seen any of the "end-user" sites sending visitors to any of those for months.

The plus-codec.com and useticket.com sites have already been abandoned by the places I've found that had been using them, too.

http://www.siteadvisor.com/sites/plus-codec.com/summary/

If you check the club-adult.net reference site listed at the very bottom, you can see they're not suffering one bit from the takedown of plus-codec.com because now they're using net-codec.com. In two more days they might be using nasty-sex-codec.com or uber-neato-codec.com, and in six days they'll be on to yet another one.

In the bigger picture, clearly the whole scheme must make boatloads of money I guess there's no shortage of people who'll run these Trojans and then fall for the OMG YOUR COMPUTER IS INFECTED, GIVE US $50 TO FIX IT (LOL) song and dance.

Yeah, I realize that Mech.
Atleast Intercage seems to read their abuse tickets unlike some.
I take my little victories where I can get them.

If you know of new zlob sites hosted on Intercage, let me know.

I'll try to post new actively-used Zlob/DNSChanger domains in the sticky thread as I find them. Some mornings, time might be scarce... I get up, make coffee, log onto Malware Research and AIEEEE there's SIX new ones overnight!! There's barely time (or no time) to get VT results and report them all to SiteAdvisor without being late for work.

_________________
Vista x64 · non-Admin account + Software Restriction Policy · Kaspersky AntiVirus 7 · Windows Firewall · full hardware DEP · 64-bit IE7 PM

Since Inhoster and Cernel are both in Intercage's IP range I am reporting
it all to Intercage now.

Just reported:

getiax.com can be added to the hit list. freeimageheaven.com has reverted to them. Current detection is better than average (although still not great), and it's encouraging to see more heuristic/generic detections.

Oh, and if anyone wants some comic relief, read this: "McAfee continues to be on the lookout for new versions of such threats." Given their dismal detection rates and steadfast ignoring of my WebImmune.net submissions, I'm afraid I don't believe that.

Anyway...

Complete scanning result of "getiaxDOTcom.exe", received in VirusTotal at 07.06.2007, 19:57:57 (CET).

Antivirus Version Update Result
AhnLab-V3 2007.7.7.0 07.06.2007 no virus found
AntiVir 7.4.0.39 07.06.2007 DR/Zlob.Gen
Authentium 4.93.8 07.06.2007 no virus found
Avast 4.7.997.0 07.06.2007 no virus found
AVG 7.5.0.476 07.06.2007 no virus found
BitDefender 7.2 07.06.2007 DeepScan:Generic.Zlob.7.8964AA09
CAT-QuickHeal 9.00 07.06.2007 no virus found
ClamAV devel-20070416 07.06.2007 no virus found
DrWeb 4.33 07.06.2007 Trojan.Popuper
eSafe 7.0.15.0 07.05.2007 no virus found
eTrust-Vet 30.8.3767 07.06.2007 no virus found
Ewido 4.0 07.06.2007 no virus found
FileAdvisor 1 07.06.2007 no virus found
Fortinet 2.91.0.0 07.06.2007 no virus found
F-Prot 4.3.2.48 07.06.2007 no virus found
F-Secure 6.70.13260.0 07.06.2007 DNSChanger.gen11
Ikarus T3.1.1.8 07.06.2007 no virus found
Kaspersky 4.0.2.24 07.06.2007 Trojan-Downloader.Win32.Zlob.btc
McAfee 5069 07.06.2007 no virus found
Microsoft 1.2704 07.06.2007 TrojanDownloader:Win32/Zlob
NOD32v2 2382 07.06.2007 Win32/TrojanDownloader.Zlob.AYP
Norman 5.80.02 07.06.2007 no virus found
Panda 9.0.0.4 07.06.2007 no virus found
Sophos 4.19.0 07.06.2007 Mal/Zlob-A
Sunbelt 2.2.907.0 07.06.2007 no virus found
Symantec 10 07.06.2007 Trojan.Zlob
TheHacker 6.1.6.143 07.05.2007 no virus found
VBA32 3.12.0.2 07.06.2007 Trojan.Win32.TrojanDownloader.Zlob.AYP
VirusBuster 4.3.23:9 07.06.2007 no virus found
Webwasher-Gateway 6.0.1 07.06.2007 Trojan.Zlob.Gen


Aditional Information
File size: 70801 bytes
MD5: 0b67a2ea9a1095cf1425bac34979a847
SHA1: 991e8e22759f53b362965acc6efbbdd4f76884ce
packers: BINARYRES, BINARYRES

Here's my latest run, including three more new ones that weren't in use this morning:

axvideosetup.com
basic-codec.com
getiax.com
iaxdownload.com (links are out there, but not working)
iaxobjectdownload.com (new)
installvaxobject.com (new)
popular-ticket.com
videoaxdownload.com (new)

If you'd like a copy of my "patrol route" (URLs I check for live links) I can PM one as a Zip file.

Just had some interesting developments.
I got this message from Intercage / Esthost, in response to my reporting the latest batch of Zlob hosting sites.

I got a reply from the Video Activex Access / Object people on the Intercage ticket system, but I cannot post it
because there was a confidentiality statement attached to the message.

I will however post my reply, which I release without any restrictions.


--------------------------------------------------------

To the Video Activex Object(zlob) people, and whomever else it concerns,

I'm not going to argue with you, whoever you are, about whether or not your
video activex object does what you says it does.
The point is that it is detected as malware by a multitude of antivirus companies.
If it is detected as malware, I learn about it and report it.

If you don't like the fact that it is classified as malware, then you should change your
practices and take up the issue with the antivirus companies themselves.

As you can see, more companies detect your installer from yesterday once I reported it
to them:

Complete scanning result of "setup.exe", received in VirusTotal at 07.10.2007, 02:24:00 (CET).
Antivirus Version Update Result
AntiVir 7.4.0.39 07.09.2007 DR/Dldr.Zlob.bwr
BitDefender 7.2 07.10.2007 Trojan.Downloader.Zlob.AABE
DrWeb 4.33 07.09.2007 Trojan.Popuper
Kaspersky 4.0.2.24 07.10.2007 Trojan-Downloader.Win32.Zlob.bwr
Microsoft 1.2704 07.10.2007 TrojanDownloader:Win32/Zlob
NOD32v2 2386 07.09.2007 Win32/TrojanDownloader.Zlob.AZB
Norman 5.80.02 07.09.2007 DNSChanger.gen10
Sophos 4.19.0 07.06.2007 Mal/Zlob-A
Webwasher-Gateway 6.0.1 07.10.2007 Trojan.Dldr.Zlob.bwr

File size: 70714 bytes
MD5: 242fc1e42b2462000f3cd17ca2aea516


I notice you neglect to mention any of my other assertions about how your software
is detected as malware and the screenshots of the hijackings your software does.
Edit: Screenshots of hijackings I saw.
http://img2.freeimagehosting.net/uploads/06ff74994a.jpg
http://img2.freeimagehosting.net/uploads/44105aae18.jpg
http://img2.freeimagehosting.net/uploads/e9cdf41218.jpg
http://img2.freeimagehosting.net/uploads/711b5db3b0.jpg
http://img2.freeimagehosting.net/uploads/fb04ca3a8e.jpg

Also the fact that your software is extremely hard to remove manually without
assistance from anti-spyware or antivirus software.
A quick search turns of plenty of people pleading for help to remove Video Activex Access.

http://forums.tomcoyote.org/Video_Activex_Access_t80730.html
http://forums.spybot.info/showthread.php?t=15048
http://forums.techguy.org/security/587379-need-some-help-some-viruses.html
http://www.bleepingcomputer.com/forums/topic92282.html

As far as EULA, the FTC has determined that it is not enough to bury the real purpose and activities of your program into pages of EULA text like you have done.
I suggest you read here:
http://www.ftc.gov/opa/2005/10/odysseus.shtm
I quote:
------
The FTC charged that the defendants have an obligation to disclose that their “free” software download caused spyware and adware to be installed on consumers’ computers. But instead, the FTC alleges, they hide their disclosure in the middle of a two-page end-user licensing agreement buried in the “Terms and Conditions” section of their Web site. In addition, the FTC alleges that the defendants deliberately make their software difficult to detect and impossible to remove using standard software utilities. Although the defendants purport to offer their own “uninstall” tool, it does not work. In fact, it installs additional software, according to the FTC’s complaint.
-------


If you want to be taken seriously and have your software seen as legitimate, you need
to
1) stop hiding your identity
2) stop changing your software constantly to avoid detection
3) stop registering multiple domains constantly and changing your links
4) stop using your software to hijack a users computer in many ways
5) provide clear and detailed disclosure in plain language in your installer about what your software does. (not buried in a EULA)
6) allow your software to be easily and completely uninstalled with ONE entry in the Add/Remove Programs
7) Brand your software clearly with a company name and permanent Website
Distribute your software solely from one website, that has a clear description about
your company and your software, along with instructions on how to remove it.

I challenge you to reply to this on the castlecops website forum thread instead of through
this ISP ticket system. I think the good people of Intercage/Esthost have better things to do than convey this discussion.
The forum thread link is here:
/postitle193662-0-0-.html

Thank you,
Mark
Castlecops MIRT
/c55-MIRT.html

That was a good one!!!!!!

Absolutely Brilliant!
All my support...

GREAT Job!!!!!

Fax

Hello Mark
My name in Anthony and I am project manager for the team, who created this software.
First of all, noone is hiding. That’s why I am here. I will be glad to explain everything and make some changes to our software.
Lets start with EULA. Ok, we will modify it and provide clear and detailed disclosure about what software does and how to uninstall it. Then, we will modify the uninstaller and make it much simpler and easier. Everything will be removable from Add/Remove Programs in Windows.
As for multiple domain names, believe me, we do not own ALL of domain names listed in this topic. They are usually associated with us by mistake. Yes, we do change our links, but this is something we have to do. There are multiple reasons for that. As an example, I can say that sometimes our adware products are used by our affiliates in unfair tactics such as exploits and stuff. We strongly prohibit this and we block any webmaster’s account found breaking our rules. However we can not predict everything and sometimes we have to deal with dumb webmasters that simply cause us some troubles. That is why we have to change our domains and kill old ones with traffic on them, and believe me, this is not something we like to do. Same thing about modifying files. We have to do this for multiple reasons too.
I will ask our team webmaster to create a website with information about our product and we will use that name.

Hope this helps.
I will update you in 1-2 days about changes made.

Thanks for your attention.

Hi Anthony,
I am encouraged to see you post here.
You say that you are not hiding, so I have a few questions for you.

Is there a business entity and name that you and your team work under?
Are you located in the US?
How do your affiliates connect with and correspond with you?

As you say you are not responsible for all the domains listed here, I am curious as to which ones you do own or are connected with.
(Current Live domains)

Are these yours?