101 replies to this topic

[nosirrah]

EstMate has joined malwarebytes.org and it appears that he has the ability to either directly or indirectly have rogue domains registered with Estdomains taken down .

Place all requests for rogue domain takedowns here and he should have them taken care of promptly .

[nosirrah]

These two are current major problems and will cause serious problems for the zlob gang if they were to be taken down .

http://www.antispychecker.com/ <- directly installed by zlob trojan
http://scan.secure-online-antivirus.com/ <- fake scan site that zlob redirectls infected users to

[tashi]

MS AntiVirus Rogue.

Trail:
nine4teen.com
Host: ferlin.ifrance.com
Host: js-perso.ifrance.com
Host: web.ifrance.com
Host: ad.ieurop.net
Host: sfttraff.com
www.Nineteen.com
Host: scanner.msscanneronline.com

Registration Service Provided By: ESTDOMAINS INC
Contact: +1.3027224217
Website: http://www.estdomains.com

Domain Name: SFTTRAFF.COM

Registrant:
Sawert Alliance ltd.
Peltonen Martti **********@gmail.com)
Jeledoroznaya str. 14
Volovoso
Leningradskaya oblast,188410
RU
Tel. +7.9218901266

Creation Date: 01-Sep-2008
Expiration Date: 01-Sep-2009

Domain servers in listed order:
ns2.sfttraff.com
ns1.sfttraff.com

-----------------------------------------------------------------
-----------------------------------------------------------------
Registration Service Provided By: VIVIDS MEDIA GMBH
Contact: +49.3094413291

Domain Name: MSSCANNERONLINE.COM

Registrant:
Sawert Alliance ltd.
Peltonen Martti **********@gmail.com)
Jeledoroznaya str. 14
Volovoso
Leningradskaya oblast,188410
RU
Tel. +7.9218901266

Creation Date: 01-Sep-2008
Expiration Date: 01-Sep-2009

[Tigger93]

ANTIVIRUS2008PROXP.COM <- Rogue

[1972vet]

This one is still active:

antivirus777.com = [ 67.228.120.3 ]

(Asked whois.estdomains.com:43 about antivirus777.com)

Registration Service Provided By: ESTDOMAINS INC
Contact: 1.3027224217
Website: http://www.estdomains.com
Domain Name: ANTIVIRUS777.COM
Registrant:
Technocoil
Valeriy Liahov anatolij.ljahov@gmail.com

st. Dimitrova 7/43
Dimitrovgrad
Uljanovskaya oblast 33401
RU
Tel. 790.96581533
Creation Date: 20-Aug-2008
Expiration Date: 20-Aug-2009
Domain servers in listed order:
ns18.zoneedit.com
ns16.zoneedit.com
Administrative Contact:
Technocoil
Valeriy Liahov anatolij.ljahov@gmail.com

st. Dimitrova 7/43
Dimitrovgrad
Uljanovskaya oblast 33401
RU
Tel. 790.96581533
Technical Contact:
Technocoil
Valeriy Liahov anatolij.ljahov@gmail.com

st. Dimitrova 7/43
Dimitrovgrad
Uljanovskaya oblast 33401
RU
Tel. 790.96581533
Billing Contact:
Technocoil
Valeriy Liahov anatolij.ljahov@gmail.com

st. Dimitrova 7/43
Dimitrovgrad
Uljanovskaya oblast 33401
RU
Tel. 790.96581533
Status: ACTIVE

[Suzi]

All the domains listed in this thread:

http://www.malwareby...?showtopic=6136

1. Antispyware2008b.com
2. Antivir--2008.com
3. Antivirus2008proxp.com
4. Directnameservice2008.com
5. Mediatubeforme1.com
6. Onsafepro2008.com
7. Smart-antivirus-2009-buy.com
8. Smart-antivirus-2009.com
9. Smart-antivirus-2009buy.com
10. Smart-antivirus2009-buy.com
11. Smart-antivirus2009.com
12. Smart-antivirus2009buy.com
13. Smartantivirus-2009-buy.com
14. Smartantivirus-2009.com
15. Smartantivirus-2009buy.com
16. Smartantivirus2009-buy.com
17. Smartantivirus2009.com
18. Smartantivirus2009buy.com
19. Traff-drive.com
20. Viruswebprotect2008.com

[estMate]

We've suspended all the domains listed in this topic. But please don't make posting these domains on this forum a habit. We have a 24/7 online tech support which can be contacted at https://support.estdomains.com or you can contact me via e-mail: webcontact_at_estdomains.com

Best regards,
EstDomains Team

[nosirrah]

We will be doing both as it allows people to see that work is (or is not) being done .

Making this public is the point .

EDIT TO ADD :

Case in in point here :

http://www.antispychecker.com/ <- this is a true problem , not just a puff ball rogue site and as I expected still fully functional .

If you want to change people's minds you need to hurt some black hats (their $) , so do have what it takes ?

[estMate]

The fact is that posting in the forum isn't as reasonable because it only takes more time to find and suspend any domains so it'd be much better if everyone just used the ticket system. We can't always monitor forums for such posts. antispychecker.com has already been suspended with us.

[1972vet]

@estMate,
Now that you've posted in this thread, you'll not need to monitor this forum...you'll receive email notifications that something new has been posted here. Does that help?...or should we just abandon this idea?

[nosirrah]

I agree and as I said in my PM to you , this can be your main stop for domains that need to be removed .

I have spread this link around and people will be dumping many problem domains here .

[estMate]

I still prefer tickets, as in this case our 24/7 support deals with them, but in case of a notification the only person who gets an email is me, but anyway, guys, if you want it so much I can't resist =)

[nosirrah]

If you pull the Zlob dll up in memory you can see that its downloader has moved to :

http://ihatemondayand.com/get.php?partner= <- estdomains

which in turn points to :

http://download8.antispycheck.com/downloads/1/asc_2_setup.exe (and many other sub domains of antispycheck.com)

I would like to see a real attack on zlob today , I can feed you domains all day long .


Ihatemondayand.com and antispycheck.com need to be removed .

I will be back with current ZLob start points in a few minutes .

[estMate]

Ihatemondayand.com and antispycheck.com - both suspended

[nosirrah]

estMate, on Sep 8 2008, 09:46 AM, said:

Ihatemondayand.com and antispycheck.com - both suspended

You are going to have to do better than that , I want an ETA and/or proof that the following downloads will stop working :

http://ihatemondayand.com/get.php?partner=
http://download8.antispycheck.com/downloads/1/asc_2_setup.exe

Please feel free to confirm for yourself that these are live still . BTW this is why we are doing this here in public , no one can see a ticket , everyone can try a download and see for themselves .

[GT500]

nosirrah said:

http://ihatemondayand.com/get.php?partner=
http://download8.antispycheck.com/downloads/1/asc_2_setup.exe

I can no longer access either domain.

[nosirrah]

Perfect time for a test , zlob hunting time .

I wonder if its moved or actually killed , place your bets .

[nosirrah]

http://www.intervidd.com/download.php?id=1091


oooooooo , new domain , strike 1

[nosirrah]

While we wait for the next new zlob system32 dll to show up here is the current zlob zones domians export .

1st-tube.com
about-adult.net
antispyware2008a.com
antivirus-scanner.com
antivirus-scanonline.com
best-porncollection.com
bestporntgp.org
bestsoftware.cc
clickruntostartshow.com
codechost.com
codecsystem.com
comeforvidsoft.com
csoftddl.com
downloaditrightnow.com
etds0.net
favoredtube.com
fullscanner.com
getadultaccess.com
getavideonow.com
getqtysoftware.com
ieantivirus.com
malwarebell.com
malwscan.com
maxi-software.com
mega-soft-2008.com
mooncodec.com
movsonline.com
myflydirect.com
onlinevideosoftex.com
opaadownload.com
porntubev20.com
powerantivirus-2009.com
powerantivirus2009.com
pro-scanner.com
ruler-cash.com
s-freeware.com
sex18tube2008.com
sexysoftwaredom.com
shredderscan.com
soft-upgrade-network.com
softbestfree2008.com
software-portal2008
spywareisolator.com
supersoft21freeware.com
surf-scanner.com
the-programsportal.com
tube-viewer.com
veryhodownload.com
virusisolator.com
vsvs6.info
vwwredtube.com
wetsoftwares.com
youjizsite.com
youpornztube.com

[hedgehog]

another one:
totsec2009.com