Blog for hpHosts, and whatever else I feel like writing about ....

Tuesday 28 February 2012

Performersoft.com: Downright scareware

It would seem Performersoft.com yet again, want to join the scareware group, this time it seems they're not content with their software doing it - they want their adverts to do it too.


This one popped up whilst I was investigating a site earlier, yet again like the rest, going through ad.yieldmanager.com;

GET /clk?3,eAGdTdtugkAQ.RreqNmLCIT0Yey6jSnYNmJTfMNlAQGlwlouXy8V.IFOZubMnDM5g6kjkYXsUEhiLwyK5dzB1BCL2EQICx05jkNMik1CsGHpYvNlA2Pwlixf3TqAe.DfrTdOf10ATDzkAAmswGT0c9K.uVqO44uVrlYT-x9g-aV9uK4BmtEj.TBJm-2mHwPH1n2QCewRr3P9oNuQnfJ8XnhbnL4z0bs-z4Ke53sf0MZft.uHJcCzrqdK.WgUNMKHjKWMnio1O4RVea7LOJZVPRPlaZDuy3QywGWoUKH2HEmjSE.2uT.OZZQ3RTK3w6bvugYXGuX19XCMNMoiGYfXQt0A3.h0nw==,http%3A%2F%2Fwww.cni67.com%2Fv5%2Flive%2Fias5%2Fe.php%3Fid%3D22269x1942x101%26cb%3D740592 HTTP/1.1
Host: ad.yieldmanager.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:10.0) Gecko/20120131 Firefox/10.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-gb,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Referer: http://www.cni67.com/v5/live/ias5/1942.php?VURL=8246640&PriceC=29&PriceT=DYNAMIC&bu=1330482970&CC=http%3A%2F%2Fad%2Eyieldmanager%2Ecom%2Fclk%3F3%2CeAGdTdtugkAQ%2ERreqNmLCIT0Yey6jSnYNmJTfMNlAQGlwlouXy8V%2EIFOZubMnDM5g6kjkYXsUEhiLwyK5dzB1BCL2EQICx05jkNMik1CsGHpYvNlA2Pwlixf3TqAe%2EDfrTdOf10ATDzkAAmswGT0c9K%2EuVqO44uVrlYT%2Dx9g%2DaV9uK4BmtEj%2ETBJm%2D2mHwPH1n2QCewRr3P9oNuQnfJ8XnhbnL4z0bs%2Dz4Ke53sf0MZft%2EuHJcCzrqdK%2EWgUNMKHjKWMnio1O4RVea7LOJZVPRPlaZDuy3QywGWoUKH2HEmjSE%2E2uT%2EOZZQ3RTK3w6bvugYXGuX19XCMNMoiGYfXQt0A3%2Eh0nw%3D%3D%2C
Cookie: pv1="[REMOVED]"

HTTP/1.1 302 Found
Date: Wed, 29 Feb 2012 02:38:03 GMT
Server: YTS/1.19.8
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Set-Cookie: BX=257b3jp7hhglq&b=3&s=91&t=19; path=/; expires=Tue, 19-Jan-2038 03:14:07 GMT
Location: http://www.cni67.com/v5/live/ias5/e.php?id=22269x1942x101&cb=740592
Cache-Control: no-store
Last-Modified: Wed, 29 Feb 2012 02:38:03 GMT
Pragma: no-cache
Age: 0
Connection: keep-alive
Content-Length: 0

------------------------------------------------------------------
GET /v5/live/ias5/e.php?id=22269x1942x101&cb=740592 HTTP/1.1
Host: www.cni67.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:10.0) Gecko/20120131 Firefox/10.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-gb,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Referer: http://www.cni67.com/v5/live/ias5/1942.php?VURL=8246640&PriceC=29&PriceT=DYNAMIC&bu=1330482970&CC=http%3A%2F%2Fad%2Eyieldmanager%2Ecom%2Fclk%3F3%2CeAGdTdtugkAQ%2ERreqNmLCIT0Yey6jSnYNmJTfMNlAQGlwlouXy8V%2EIFOZubMnDM5g6kjkYXsUEhiLwyK5dzB1BCL2EQICx05jkNMik1CsGHpYvNlA2Pwlixf3TqAe%2EDfrTdOf10ATDzkAAmswGT0c9K%2EuVqO44uVrlYT%2Dx9g%2DaV9uK4BmtEj%2ETBJm%2D2mHwPH1n2QCewRr3P9oNuQnfJ8XnhbnL4z0bs%2Dz4Ke53sf0MZft%2EuHJcCzrqdK%2EWgUNMKHjKWMnio1O4RVea7LOJZVPRPlaZDuy3QywGWoUKH2HEmjSE%2E2uT%2EOZZQ3RTK3w6bvugYXGuX19XCMNMoiGYfXQt0A3%2Eh0nw%3D%3D%2C
Cookie: InCauda=[REMOVED]1330481825372245; haproxy-production=ad-srv5; lcc=22269x1942x101; IID=22269x1942x101_1330482052-3628391-[REMOVED]; CPSs=1330482052D3251%2B

HTTP/1.1 302 Found
Date: Wed, 29 Feb 2012 02:38:03 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.3.3
Set-Cookie: IID=22269x1942x101_1330483083-740592-[REMOVED]; expires=Fri, 30-Mar-2012 02:38:03 GMT; path=/
Set-Cookie: CPSs=1330483083D3251%2B; expires=Wed, 15-Aug-2012 02:38:03 GMT; path=/
Expires: 0
Pragma: no-cache
Cache-Control: no-cache,no-store,max-age=0,s-maxage=0,must-revalidate
Location: http://www.performersoft.com/pcperformer/pprmx-uk.php?dp=22269x1942x101&nbc=1a4fa5-bd2beba2-6e234f8b
Content-Length: 0
Content-Type: text/html; charset=UTF-8

------------------------------------------------------------------
GET /pcperformer/pprmx-uk.php?dp=22269x1942x101&nbc=1a4fa5-bd2beba2-6e234f8b HTTP/1.1
Host: www.performersoft.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:10.0) Gecko/20120131 Firefox/10.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-gb,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Referer: http://www.cni67.com/v5/live/ias5/1942.php?VURL=8246640&PriceC=29&PriceT=DYNAMIC&bu=1330482970&CC=http%3A%2F%2Fad%2Eyieldmanager%2Ecom%2Fclk%3F3%2CeAGdTdtugkAQ%2ERreqNmLCIT0Yey6jSnYNmJTfMNlAQGlwlouXy8V%2EIFOZubMnDM5g6kjkYXsUEhiLwyK5dzB1BCL2EQICx05jkNMik1CsGHpYvNlA2Pwlixf3TqAe%2EDfrTdOf10ATDzkAAmswGT0c9K%2EuVqO44uVrlYT%2Dx9g%2DaV9uK4BmtEj%2ETBJm%2D2mHwPH1n2QCewRr3P9oNuQnfJ8XnhbnL4z0bs%2Dz4Ke53sf0MZft%2EuHJcCzrqdK%2EWgUNMKHjKWMnio1O4RVea7LOJZVPRPlaZDuy3QywGWoUKH2HEmjSE%2E2uT%2EOZZQ3RTK3w6bvugYXGuX19XCMNMoiGYfXQt0A3%2Eh0nw%3D%3D%2C
Cookie: VSPUser=1

HTTP/1.1 200 OK
Server: nginx/0.8.54
Date: Wed, 29 Feb 2012 02:38:03 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Keep-Alive: timeout=5
X-Powered-By: PHP/5.2.8
Content-Encoding: gzip

------------------------------------------------------------------


With the advert itself being server from;

Host: www.cni67.com
IP: 184.173.254.61
IP PTR: 184.173.254.61-static.reverse.softlayer.com
ASN: 36351 184.173.192.0/18 SOFTLAYER - SoftLayer Technologies Inc.

Doesn't appear to be anything other than this rubbish on the IP, and they clearly don't want it easily found - absolutely nothing other than an HTTP 403 on the homepage.


Registrant:
Multi-Player Laboratory
Katzenelson 3 Givataim Israel
Givataim ,
IL

Domain name: CNI67.COM

Administrative Contact:
User, Master sharon.hefet@incauda.com
Katzenelson 3 Givataim Israel
Givataim ,
IL
972-54-239027
Technical Contact:
User, Master sharon.hefet@incauda.com
Katzenelson 3 Givataim Israel
Givataim ,
IL
972-54-239027

Registrar of Record: The Planet Internet Services, Inc.
Record last updated on 12-May-2011.
Record expires on 12-May-2012.
Record created on 12-May-2011.

Domain servers in listed order:
NS2.SOFTLAYER.COM 66.228.119.9
NS1.SOFTLAYER.COM 66.228.118.8

Domain status: clientTransferProhibited
clientUpdateProhibited


Registrant:
Avi Cahlon
Arlozorov 21
Ramat Gan, 12345
Israel

Registered through: Go Daddy
Domain Name: INCAUDA.COM
Created on: 09-Dec-06
Expires on: 09-Dec-16
Last Updated on: 03-Apr-11

Administrative Contact:
Cahlon, Avi avicahlon12@yahoo.com
Koresh 11
Tel Aviv, 12345
Israel
+97235608391

Technical Contact:
Cahlon, Avi avicahlon12@yahoo.com
Koresh 11
Tel Aviv, 12345
Israel
+97235608391

Domain servers in listed order:
NS783.WEBSITEWELCOME.COM
NS784.WEBSITEWELCOME.COM


First and foremost lets make this clear - DO NOT CLICK ON THESE ADVERTS - THERE IS NOTHING WRONG WITH YOUR COMPUTER. If you're actually having problems with your computer, there are plenty of forums that will assist you for free;

Alliance of Security Analysis Professionals
http://asap.maddoktor2.com/

As for performersoft.com, all you've done is get yourselves blacklisted - again.

And as for yieldmanager.com, given they've apparently got somewhat of an obsession with not properly checking who they're serving adverts for, or indeed, what adverts they're serving, you can quite safely blacklist them if you've not already (those using hpHosts will already notice they're already blocked).

Tuesday 21 February 2012

Info: Outlook Export

For those wanting to use Outlook Export on Windows 7 or other 64 bit systems, if you've got Outlook installed, you'll need this, as the other installer Microsoft provides, won't work (won't install with Outlook 2007 present);

http://www.microsoft.com/download/en/details.aspx?id=3671

I'd strongly recommend you close Outlook prior to installing this (crashes Outlook otherwise), and prepare for a patience demand - no idea why but it takes forever just for UAC to ask for consent to install it (and the installer provided is just a self-extracting cab, the actual MSI is extracted, not auto-run, so lob it in a temp folder, then you can run the MSI).

Once installed, the headers will be displayed in the exported items again.

As an aside, I've identified what caused the issue with folders failing to display - I thought it was multiple accounts that was the cause - it isn't - turns out the cause is actually the presence of the archives folder that Outlook creates when archiving is turned on.

Friday 10 February 2012

hpHosts: Updated February 10th 2012

The hpHOSTS Hosts file has been updated. There is now a total of 254,257 listed hostsnames.

If you are NOT using the installer, please read the included Readme.txt file for installation instructions. Enjoy! :)
  1. Latest Updated: 10/02/2012 17:30
  2. Last Verified: 10/02/2012 04:00
Download hpHosts now!
http://hosts-file.net/?s=Download

Wednesday 8 February 2012

R.I.P. Donna Buenaventura

I'm sorry to report, my friend Donna, MCP, MCTS and previous MVP awardee for a number of years, passed away December 13th.

Donna ran her blog at msmvps.com, and wrote for Brighthub, as well as being an administrator at Calendar of Updates, a damn good researcher, and a very good friend to alot of people, including myself.

Donna, you'll be greatly missed darlin'.

Monday 6 February 2012

ALERT: Liberty Reserve 419'er

Ever get the feeling they're not really trying any more? This one came into my inbox today, and it's a standard 419'er along the lines of "give us money and we'll give you double for doing absolutely nothing" - hint: You'll lose your money!!

============================================
Please note that in all e-mails from Liberty Reserve we will:
Always address you by your first name.
Never send you any links or attached files.
Never ask you to send us your password and/or login PIN.
============================================

Dear Members,

Liberty Reserve has made considerable progress and improvement, it has become the leading e-currency and its services are being improved continuously.

Recently we have estabilished a very important relation with leading Forex traders from Costa Rica and we decided to give a special offer to you:

GET 200% LR MONEY RETURN IN 5 DAYS !!!!

Example:

You deposit $100 we return $200

You deposit $1000 we return $2000

You deposit $5000 we return $10000

This opportunity will not last long, so you must react quickly.

Deposits are accepted until February 15.2012 00:00 (GMT).

One unit in this special program is worth 100 US dollars. The minimal deposit is 1 unit ($100), while the maximum deposit is 1000 units ($100000) per member.

You need to make a spend to: Liberty Reserve account U1209005 -https://sci.libertyreserve.com/?lr_acc=U1209005

The 200% payout will be made back to your LR account in 5 days.

The payout is AUTOMATICAL, GUARANTEED and there is NO RISK from losing your funds.

This is a TIME LIMITED ONE-TIME OFFER and you must ACT NOW!

Please DO NOT reply to this e mail.

For information and support please use our contact form in the help section of our web site.

Thank you.

2002 - 2011 Liberty Reserve S.A. All rights reserved.


Another hint if you've not worked it out - this has NOT come from Liberty Reserve. As much as I despise them (and Western Union), not even they are daft enough to engage in phishing scams such as this.

It actually originated from Iran;

Return-Path: <no_reply@libertyreserve.com>
Delivered-To: ceo@it-mate.co.uk
X-Spam-Flag: YES
X-Spam-Score: 9.71
X-Spam-Level: *********
X-Spam-Status: Yes, score=9.71 tagged_above=-9999 required=1.3
tests=[ACT_NOW_CAPS=2.211, BAYES_00=-1.9, FH_FROMEML_NOTLD=1.082,
FS_LARGE_PERCENT2=1.96, HTML_MESSAGE=0.001,
HTML_MIME_NO_HTML_TAG=0.377, MIME_HTML_ONLY=0.723,
MIME_HTML_ONLY_MULTI=0.001, MIME_QP_LONG_LINE=0.001,
MPART_ALT_DIFF=0.79, ONE_TIME=0.714, RCVD_IN_BRBL_LASTEXT=1.449,
RDNS_NONE=0.793, RISK_FREE=0.001, SPF_FAIL=0.001,
SPF_HELO_PASS=-0.001, SUBJ_ALL_CAPS=1.506, TO_NO_BRKTS_PCNT=0.001]
autolearn=no
Received: from server144.dnslake.com (unknown [62.193.15.160])
by mail4.emailconfig.com (Postfix) with ESMTP id 1711739814F
for <ceo@it-mate.co.uk>; Mon, 6 Feb 2012 22:52:19 +0000 (GMT)
Received: (qmail 32531 invoked from network); 7 Feb 2012 02:20:43 +0330
Content-Type: multipart/alternative;
boundary="===============4901855315610602507=="
MIME-Version: 1.0
Subject: [SPAM] =?iso-8859-1?q?GUARANTEED_200=25_MONEY_IN_5_DAYS_!!!?=
From: =?iso-8859-1?q?no=5Freply=40libertyreserve=2Ecom?=
Message-Id: <20120206225221.1711739814F@mail4.emailconfig.com>
Date: Mon, 6 Feb 2012 22:52:19 +0000 (GMT)
To: undisclosed-recipients:;


There's over 150 sites on the IP it originated from. Whether or not they're involved (i.e. directly or because they've been compromised), is something I'll be investigating.

In the meantime, if you receive this, or anything resembling it - delete it!

Saturday 4 February 2012

HostNOC/Burst: What do you get if you cross a researcher with a very annoying hosting company?

Answer: A very annoyed researcher.

This has been an on-going issue with HostNOC/Burst for well over a year. If you happen to find more than 10 abuse cases on HostNOC/Burst IP space, and dare to report it - you'll get this;

Hello,
Your ticket has not been entered into the ticket system due to more than 10 tickets from your email address in 24 hours have been submitted.
Please wait and try again.

Do not reply to this email.

Thanks,
BurstNet Technologies Ticket Daemon


The problem of course, is that you can't send them all in one ticket either - they'll refuse to deal with it if you do that (I know, I've tried - and argued several times with them, on the phone about this very issue).

Of course, if they didn't have so much abuse on their network - there wouldn't be so much to find and report. But alas, I digress.

References

Dear HostNOC - your servers are attacking a friend!
http://hphosts.blogspot.com/2011/12/dear-hostnoc-your-servers-are-attacking.html

Part 10: Renos on the move (previously: Interserver, malware, and the Scottish weather)
http://hphosts.blogspot.com/2011/07/part-10-renos-on-move-previously.html

When is a 24 hour warning not a 24 hour warning? (aka HostNOC/Burst finally suspend Renos server)
http://hphosts.blogspot.com/2011/07/when-is-24-hour-warning-not-24-hour.html

Info: Telephone scammers still coming to a phone near you!
http://hphosts.blogspot.com/2011/03/info-telephone-scammers-still-coming-to.html

Thursday 2 February 2012

Alert: 77.95.227.57, how do I love thee? Let me count the 754 ways

Monitoring for new badness, I came across a handful of domains housed on 77.95.227.57. A quick dig later, and I had me a list of 754 URLs, each leading to badness your machine could do without.

hxxp://hqhamstertube.biz/files/57
hxxp://hqhamstertube.co/files/57
hxxp://hqhamstertube.eu/files/57
hxxp://hqhamstertube.info/files/57
hxxp://hqhamstertube.net/files/57
hxxp://hqhamstertube.biz/files/98
hxxp://hqhamstertube.co/files/98
hxxp://hqhamstertube.eu/files/98
hxxp://hqhamstertube.info/files/98
hxxp://hqhamstertube.net/files/98
hxxp://hqhamstertube.biz/files/34
hxxp://hqhamstertube.biz/files/51
hxxp://hqhamstertube.biz/files/63
hxxp://hqhamstertube.co/files/34
hxxp://hqhamstertube.co/files/51
hxxp://hqhamstertube.co/files/63
hxxp://hqhamstertube.eu/files/34
hxxp://hqhamstertube.eu/files/51
hxxp://hqhamstertube.eu/files/63
hxxp://hqhamstertube.info/files/34
hxxp://hqhamstertube.info/files/51
hxxp://hqhamstertube.info/files/63
hxxp://hqhamstertube.net/files/34
hxxp://hqhamstertube.net/files/51
hxxp://hqhamstertube.net/files/63
hxxp://hqhamstertube.org/files/34
hxxp://hqhamstertube.org/files/43
hxxp://hqhamstertube.biz/files/26
hxxp://hqhamstertube.biz/files/30
hxxp://hqhamstertube.biz/files/32
hxxp://hqhamstertube.biz/files/43
hxxp://hqhamstertube.biz/files/50
hxxp://hqhamstertube.biz/files/52
hxxp://hqhamstertube.biz/files/53
hxxp://hqhamstertube.biz/files/59
hxxp://hqhamstertube.biz/files/62
hxxp://hqhamstertube.co/files/26
hxxp://hqhamstertube.co/files/30
hxxp://hqhamstertube.co/files/32
hxxp://hqhamstertube.co/files/43
hxxp://hqhamstertube.co/files/50
hxxp://hqhamstertube.co/files/52
hxxp://hqhamstertube.co/files/53
hxxp://hqhamstertube.co/files/59
hxxp://hqhamstertube.co/files/62
hxxp://hqhamstertube.eu/files/26
hxxp://hqhamstertube.eu/files/30
hxxp://hqhamstertube.eu/files/32
hxxp://hqhamstertube.eu/files/43
hxxp://hqhamstertube.eu/files/50
hxxp://hqhamstertube.eu/files/52
hxxp://hqhamstertube.eu/files/53
hxxp://hqhamstertube.eu/files/59
hxxp://hqhamstertube.eu/files/62
hxxp://hqhamstertube.info/files/26
hxxp://hqhamstertube.info/files/30
hxxp://hqhamstertube.info/files/32
hxxp://hqhamstertube.info/files/43
hxxp://hqhamstertube.info/files/50
hxxp://hqhamstertube.info/files/52
hxxp://hqhamstertube.info/files/53
hxxp://hqhamstertube.info/files/59
hxxp://hqhamstertube.info/files/62
hxxp://hqhamstertube.net/files/26
hxxp://hqhamstertube.net/files/30
hxxp://hqhamstertube.net/files/32
hxxp://hqhamstertube.net/files/43
hxxp://hqhamstertube.net/files/50
hxxp://hqhamstertube.net/files/52
hxxp://hqhamstertube.net/files/53
hxxp://hqhamstertube.net/files/59
hxxp://hqhamstertube.net/files/62
hxxp://hqhamstertube.org/files/26
hxxp://hqhamstertube.org/files/30
hxxp://hqhamstertube.org/files/32
hxxp://hqhamstertube.biz/files/23
hxxp://hqhamstertube.biz/files/24
hxxp://hqhamstertube.biz/files/28
hxxp://hqhamstertube.biz/files/38
hxxp://hqhamstertube.biz/files/54
hxxp://hqhamstertube.biz/files/55
hxxp://hqhamstertube.biz/files/58
hxxp://hqhamstertube.biz/files/60
hxxp://hqhamstertube.biz/files/61
hxxp://hqhamstertube.co/files/23
hxxp://hqhamstertube.co/files/24
hxxp://hqhamstertube.co/files/28
hxxp://hqhamstertube.co/files/38
hxxp://hqhamstertube.co/files/54
hxxp://hqhamstertube.co/files/55
hxxp://hqhamstertube.co/files/58
hxxp://hqhamstertube.co/files/60
hxxp://hqhamstertube.co/files/61
hxxp://hqhamstertube.eu/files/23
hxxp://hqhamstertube.eu/files/24
hxxp://hqhamstertube.eu/files/28
hxxp://hqhamstertube.eu/files/38
hxxp://hqhamstertube.eu/files/54
hxxp://hqhamstertube.eu/files/55
hxxp://hqhamstertube.eu/files/58
hxxp://hqhamstertube.eu/files/60
hxxp://hqhamstertube.eu/files/61
hxxp://hqhamstertube.info/files/23
hxxp://hqhamstertube.info/files/24
hxxp://hqhamstertube.info/files/28
hxxp://hqhamstertube.info/files/38
hxxp://hqhamstertube.info/files/54
hxxp://hqhamstertube.info/files/55
hxxp://hqhamstertube.info/files/58
hxxp://hqhamstertube.info/files/60
hxxp://hqhamstertube.info/files/61
hxxp://hqhamstertube.net/files/23
hxxp://hqhamstertube.net/files/24
hxxp://hqhamstertube.net/files/28
hxxp://hqhamstertube.net/files/38
hxxp://hqhamstertube.net/files/54
hxxp://hqhamstertube.net/files/55
hxxp://hqhamstertube.net/files/58
hxxp://hqhamstertube.net/files/60
hxxp://hqhamstertube.net/files/61
hxxp://hqhamstertube.org/files/23
hxxp://hqhamstertube.org/files/24
hxxp://hqhamstertube.org/files/28
hxxp://hqhamstertube.org/files/38
hxxp://hqhamstertube.org/files/47
hxxp://hqhamstertube.biz/files/47
hxxp://hqhamstertube.co/files/47
hxxp://hqhamstertube.eu/files/47
hxxp://hqhamstertube.info/files/47
hxxp://hqhamstertube.net/files/47
hxxp://hqhamstertube.biz/files/48
hxxp://hqhamstertube.co/files/48
hxxp://hqhamstertube.eu/files/48
hxxp://hqhamstertube.info/files/48
hxxp://hqhamstertube.net/files/48
hxxp://hqhamstertube.biz/files/27
hxxp://hqhamstertube.co/files/27
hxxp://hqhamstertube.eu/files/27
hxxp://hqhamstertube.info/files/27
hxxp://hqhamstertube.net/files/27
hxxp://hqhamstertube.org/files/27
hxxp://hqhamstertube.biz/files/35
hxxp://hqhamstertube.biz/files/64
hxxp://hqhamstertube.biz/files/68
hxxp://hqhamstertube.biz/files/70
hxxp://hqhamstertube.biz/files/72
hxxp://hqhamstertube.biz/files/74
hxxp://hqhamstertube.biz/files/76
hxxp://hqhamstertube.biz/files/78
hxxp://hqhamstertube.biz/files/82
hxxp://hqhamstertube.biz/files/83
hxxp://hqhamstertube.biz/files/86
hxxp://hqhamstertube.biz/files/88
hxxp://hqhamstertube.biz/files/90
hxxp://hqhamstertube.co/files/35
hxxp://hqhamstertube.co/files/64
hxxp://hqhamstertube.co/files/68
hxxp://hqhamstertube.co/files/70
hxxp://hqhamstertube.co/files/72
hxxp://hqhamstertube.co/files/74
hxxp://hqhamstertube.co/files/76
hxxp://hqhamstertube.co/files/78
hxxp://hqhamstertube.co/files/82
hxxp://hqhamstertube.co/files/83
hxxp://hqhamstertube.co/files/86
hxxp://hqhamstertube.co/files/88
hxxp://hqhamstertube.co/files/90
hxxp://hqhamstertube.eu/files/35
hxxp://hqhamstertube.eu/files/64
hxxp://hqhamstertube.eu/files/68
hxxp://hqhamstertube.eu/files/70
hxxp://hqhamstertube.eu/files/72
hxxp://hqhamstertube.eu/files/74
hxxp://hqhamstertube.eu/files/76
hxxp://hqhamstertube.eu/files/78
hxxp://hqhamstertube.eu/files/82
hxxp://hqhamstertube.eu/files/83
hxxp://hqhamstertube.eu/files/86
hxxp://hqhamstertube.eu/files/88
hxxp://hqhamstertube.eu/files/90
hxxp://hqhamstertube.info/files/35
hxxp://hqhamstertube.info/files/64
hxxp://hqhamstertube.info/files/68
hxxp://hqhamstertube.info/files/70
hxxp://hqhamstertube.info/files/72
hxxp://hqhamstertube.info/files/74
hxxp://hqhamstertube.info/files/76
hxxp://hqhamstertube.info/files/78
hxxp://hqhamstertube.info/files/82
hxxp://hqhamstertube.info/files/83
hxxp://hqhamstertube.info/files/86
hxxp://hqhamstertube.info/files/88
hxxp://hqhamstertube.info/files/90
hxxp://hqhamstertube.net/files/35
hxxp://hqhamstertube.net/files/64
hxxp://hqhamstertube.net/files/68
hxxp://hqhamstertube.net/files/70
hxxp://hqhamstertube.net/files/72
hxxp://hqhamstertube.net/files/74
hxxp://hqhamstertube.net/files/76
hxxp://hqhamstertube.net/files/78
hxxp://hqhamstertube.net/files/82
hxxp://hqhamstertube.net/files/83
hxxp://hqhamstertube.net/files/86
hxxp://hqhamstertube.net/files/88
hxxp://hqhamstertube.net/files/90
hxxp://hqhamstertube.org/files/35
hxxp://hqhamstertube.biz/files/18
hxxp://hqhamstertube.co/files/18
hxxp://hqhamstertube.eu/files/18
hxxp://hqhamstertube.info/files/18
hxxp://hqhamstertube.net/files/18
hxxp://hqhamstertube.org/files/18
hxxp://hqhamstertube.biz/files/19
hxxp://hqhamstertube.biz/files/36
hxxp://hqhamstertube.biz/files/65
hxxp://hqhamstertube.biz/files/69
hxxp://hqhamstertube.biz/files/71
hxxp://hqhamstertube.biz/files/73
hxxp://hqhamstertube.biz/files/75
hxxp://hqhamstertube.biz/files/77
hxxp://hqhamstertube.biz/files/79
hxxp://hqhamstertube.biz/files/84
hxxp://hqhamstertube.biz/files/85
hxxp://hqhamstertube.biz/files/87
hxxp://hqhamstertube.biz/files/89
hxxp://hqhamstertube.biz/files/91
hxxp://hqhamstertube.biz/files/99
hxxp://hqhamstertube.co/files/19
hxxp://hqhamstertube.co/files/36
hxxp://hqhamstertube.co/files/65
hxxp://hqhamstertube.co/files/69
hxxp://hqhamstertube.co/files/71
hxxp://hqhamstertube.co/files/73
hxxp://hqhamstertube.co/files/75
hxxp://hqhamstertube.co/files/77
hxxp://hqhamstertube.co/files/79
hxxp://hqhamstertube.co/files/84
hxxp://hqhamstertube.co/files/85
hxxp://hqhamstertube.co/files/87
hxxp://hqhamstertube.co/files/89
hxxp://hqhamstertube.co/files/91
hxxp://hqhamstertube.co/files/99
hxxp://hqhamstertube.eu/files/19
hxxp://hqhamstertube.eu/files/36
hxxp://hqhamstertube.eu/files/65
hxxp://hqhamstertube.eu/files/69
hxxp://hqhamstertube.eu/files/71
hxxp://hqhamstertube.eu/files/73
hxxp://hqhamstertube.eu/files/75
hxxp://hqhamstertube.eu/files/77
hxxp://hqhamstertube.eu/files/79
hxxp://hqhamstertube.eu/files/84
hxxp://hqhamstertube.eu/files/85
hxxp://hqhamstertube.eu/files/87
hxxp://hqhamstertube.eu/files/89
hxxp://hqhamstertube.eu/files/91
hxxp://hqhamstertube.eu/files/99
hxxp://hqhamstertube.info/files/19
hxxp://hqhamstertube.info/files/36
hxxp://hqhamstertube.info/files/65
hxxp://hqhamstertube.info/files/69
hxxp://hqhamstertube.info/files/71
hxxp://hqhamstertube.info/files/73
hxxp://hqhamstertube.info/files/75
hxxp://hqhamstertube.info/files/77
hxxp://hqhamstertube.info/files/79
hxxp://hqhamstertube.info/files/84
hxxp://hqhamstertube.info/files/85
hxxp://hqhamstertube.info/files/87
hxxp://hqhamstertube.info/files/89
hxxp://hqhamstertube.info/files/91
hxxp://hqhamstertube.info/files/99
hxxp://hqhamstertube.net/files/19
hxxp://hqhamstertube.net/files/36
hxxp://hqhamstertube.net/files/65
hxxp://hqhamstertube.net/files/69
hxxp://hqhamstertube.net/files/71
hxxp://hqhamstertube.net/files/73
hxxp://hqhamstertube.net/files/75
hxxp://hqhamstertube.net/files/77
hxxp://hqhamstertube.net/files/79
hxxp://hqhamstertube.net/files/84
hxxp://hqhamstertube.net/files/85
hxxp://hqhamstertube.net/files/87
hxxp://hqhamstertube.net/files/89
hxxp://hqhamstertube.net/files/91
hxxp://hqhamstertube.net/files/99
hxxp://hqhamstertube.org/files/19
hxxp://hqhamstertube.org/files/36
hxxp://hqhamstertube.biz/files/96
hxxp://hqhamstertube.co/files/96
hxxp://hqhamstertube.eu/files/96
hxxp://hqhamstertube.info/files/96
hxxp://hqhamstertube.net/files/96
hxxp://hqhamstertube.org/files/44
hxxp://hqhamstertube.biz/files/44
hxxp://hqhamstertube.co/files/44
hxxp://hqhamstertube.eu/files/44
hxxp://hqhamstertube.info/files/44
hxxp://hqhamstertube.net/files/44
hxxp://hqhamstertube.biz/files/17
hxxp://hqhamstertube.co/files/17
hxxp://hqhamstertube.eu/files/17
hxxp://hqhamstertube.info/files/17
hxxp://hqhamstertube.net/files/17
hxxp://hqhamstertube.org/files/17
hxxp://hqhamstertube.org/files/48
hxxp://hqhamstertube.org/files/50
hxxp://hqhamstertube.org/files/51
hxxp://hqhamstertube.org/files/52
hxxp://hqhamstertube.org/files/53
hxxp://hqhamstertube.org/files/54
hxxp://hqhamstertube.org/files/55
hxxp://hqhamstertube.org/files/57
hxxp://hqhamstertube.org/files/58
hxxp://hqhamstertube.org/files/59
hxxp://hqhamstertube.org/files/60
hxxp://hqhamstertube.org/files/61
hxxp://hqhamstertube.org/files/62
hxxp://hqhamstertube.org/files/63
hxxp://hqhamstertube.org/files/64
hxxp://hqhamstertube.org/files/65
hxxp://hqhamstertube.org/files/68
hxxp://hqhamstertube.org/files/69
hxxp://hqhamstertube.org/files/70
hxxp://hqhamstertube.org/files/71
hxxp://hqhamstertube.org/files/72
hxxp://hqhamstertube.org/files/73
hxxp://hqhamstertube.org/files/74
hxxp://hqhamstertube.org/files/75
hxxp://hqhamstertube.org/files/76
hxxp://hqhamstertube.org/files/77
hxxp://hqhamstertube.org/files/78
hxxp://hqhamstertube.org/files/79
hxxp://hqhamstertube.org/files/82
hxxp://hqhamstertube.org/files/83
hxxp://hqhamstertube.org/files/84
hxxp://hqhamstertube.org/files/85
hxxp://hqhamstertube.org/files/86
hxxp://hqhamstertube.org/files/87
hxxp://hqhamstertube.org/files/88
hxxp://hqhamstertube.org/files/89
hxxp://hqhamstertube.org/files/90
hxxp://hqhamstertube.org/files/91
hxxp://hqhamstertube.org/files/96
hxxp://hqhamstertube.org/files/98
hxxp://hqhamstertube.org/files/99
hxxp://mediaexeclick.biz/files/17
hxxp://mediaexeclick.biz/files/18
hxxp://mediaexeclick.biz/files/19
hxxp://mediaexeclick.biz/files/23
hxxp://mediaexeclick.biz/files/24
hxxp://mediaexeclick.biz/files/26
hxxp://mediaexeclick.biz/files/27
hxxp://mediaexeclick.biz/files/28
hxxp://mediaexeclick.biz/files/30
hxxp://mediaexeclick.biz/files/32
hxxp://mediaexeclick.biz/files/34
hxxp://mediaexeclick.biz/files/35
hxxp://mediaexeclick.biz/files/36
hxxp://mediaexeclick.biz/files/38
hxxp://mediaexeclick.biz/files/43
hxxp://mediaexeclick.biz/files/44
hxxp://mediaexeclick.biz/files/47
hxxp://mediaexeclick.biz/files/48
hxxp://mediaexeclick.biz/files/50
hxxp://mediaexeclick.biz/files/51
hxxp://mediaexeclick.biz/files/52
hxxp://mediaexeclick.biz/files/53
hxxp://mediaexeclick.biz/files/54
hxxp://mediaexeclick.biz/files/55
hxxp://mediaexeclick.biz/files/57
hxxp://mediaexeclick.biz/files/58
hxxp://mediaexeclick.biz/files/59
hxxp://mediaexeclick.biz/files/60
hxxp://mediaexeclick.biz/files/61
hxxp://mediaexeclick.biz/files/62
hxxp://mediaexeclick.biz/files/63
hxxp://mediaexeclick.biz/files/64
hxxp://mediaexeclick.biz/files/65
hxxp://mediaexeclick.biz/files/68
hxxp://mediaexeclick.biz/files/69
hxxp://mediaexeclick.biz/files/70
hxxp://mediaexeclick.biz/files/71
hxxp://mediaexeclick.biz/files/72
hxxp://mediaexeclick.biz/files/73
hxxp://mediaexeclick.biz/files/74
hxxp://mediaexeclick.biz/files/75
hxxp://mediaexeclick.biz/files/76
hxxp://mediaexeclick.biz/files/77
hxxp://mediaexeclick.biz/files/78
hxxp://mediaexeclick.biz/files/79
hxxp://mediaexeclick.biz/files/82
hxxp://mediaexeclick.biz/files/83
hxxp://mediaexeclick.biz/files/84
hxxp://mediaexeclick.biz/files/85
hxxp://mediaexeclick.biz/files/86
hxxp://mediaexeclick.biz/files/87
hxxp://mediaexeclick.biz/files/88
hxxp://mediaexeclick.biz/files/89
hxxp://mediaexeclick.biz/files/90
hxxp://mediaexeclick.biz/files/91
hxxp://mediaexeclick.biz/files/96
hxxp://mediaexeclick.biz/files/98
hxxp://mediaexeclick.biz/files/99
hxxp://mediaexeclick.com/files/17
hxxp://mediaexeclick.com/files/18
hxxp://mediaexeclick.com/files/19
hxxp://mediaexeclick.com/files/23
hxxp://mediaexeclick.com/files/24
hxxp://mediaexeclick.com/files/26
hxxp://mediaexeclick.com/files/27
hxxp://mediaexeclick.com/files/28
hxxp://mediaexeclick.com/files/30
hxxp://mediaexeclick.com/files/32
hxxp://mediaexeclick.com/files/34
hxxp://mediaexeclick.com/files/35
hxxp://mediaexeclick.com/files/36
hxxp://mediaexeclick.com/files/38
hxxp://mediaexeclick.com/files/43
hxxp://mediaexeclick.com/files/44
hxxp://mediaexeclick.com/files/47
hxxp://mediaexeclick.com/files/48
hxxp://mediaexeclick.com/files/50
hxxp://mediaexeclick.com/files/51
hxxp://mediaexeclick.com/files/52
hxxp://mediaexeclick.com/files/53
hxxp://mediaexeclick.com/files/54
hxxp://mediaexeclick.com/files/55
hxxp://mediaexeclick.com/files/57
hxxp://mediaexeclick.com/files/58
hxxp://mediaexeclick.com/files/59
hxxp://mediaexeclick.com/files/60
hxxp://mediaexeclick.com/files/61
hxxp://mediaexeclick.com/files/62
hxxp://mediaexeclick.com/files/63
hxxp://mediaexeclick.com/files/64
hxxp://mediaexeclick.com/files/65
hxxp://mediaexeclick.com/files/68
hxxp://mediaexeclick.com/files/69
hxxp://mediaexeclick.com/files/70
hxxp://mediaexeclick.com/files/71
hxxp://mediaexeclick.com/files/72
hxxp://mediaexeclick.com/files/73
hxxp://mediaexeclick.com/files/74
hxxp://mediaexeclick.com/files/75
hxxp://mediaexeclick.com/files/76
hxxp://mediaexeclick.com/files/77
hxxp://mediaexeclick.com/files/78
hxxp://mediaexeclick.com/files/79
hxxp://mediaexeclick.com/files/82
hxxp://mediaexeclick.com/files/83
hxxp://mediaexeclick.com/files/84
hxxp://mediaexeclick.com/files/85
hxxp://mediaexeclick.com/files/86
hxxp://mediaexeclick.com/files/87
hxxp://mediaexeclick.com/files/88
hxxp://mediaexeclick.com/files/89
hxxp://mediaexeclick.com/files/90
hxxp://mediaexeclick.com/files/91
hxxp://mediaexeclick.com/files/96
hxxp://mediaexeclick.com/files/98
hxxp://mediaexeclick.com/files/99
hxxp://mediaexeclick.eu/files/17
hxxp://mediaexeclick.eu/files/18
hxxp://mediaexeclick.eu/files/19
hxxp://mediaexeclick.eu/files/23
hxxp://mediaexeclick.eu/files/24
hxxp://mediaexeclick.eu/files/26
hxxp://mediaexeclick.eu/files/27
hxxp://mediaexeclick.eu/files/28
hxxp://mediaexeclick.eu/files/30
hxxp://mediaexeclick.eu/files/32
hxxp://mediaexeclick.eu/files/34
hxxp://mediaexeclick.eu/files/35
hxxp://mediaexeclick.eu/files/36
hxxp://mediaexeclick.eu/files/38
hxxp://mediaexeclick.eu/files/43
hxxp://mediaexeclick.eu/files/44
hxxp://mediaexeclick.eu/files/47
hxxp://mediaexeclick.eu/files/48
hxxp://mediaexeclick.eu/files/50
hxxp://mediaexeclick.eu/files/51
hxxp://mediaexeclick.eu/files/52
hxxp://mediaexeclick.eu/files/53
hxxp://mediaexeclick.eu/files/54
hxxp://mediaexeclick.eu/files/55
hxxp://mediaexeclick.eu/files/57
hxxp://mediaexeclick.eu/files/58
hxxp://mediaexeclick.eu/files/59
hxxp://mediaexeclick.eu/files/60
hxxp://mediaexeclick.eu/files/61
hxxp://mediaexeclick.eu/files/62
hxxp://mediaexeclick.eu/files/63
hxxp://mediaexeclick.eu/files/64
hxxp://mediaexeclick.eu/files/65
hxxp://mediaexeclick.eu/files/68
hxxp://mediaexeclick.eu/files/69
hxxp://mediaexeclick.eu/files/70
hxxp://mediaexeclick.eu/files/71
hxxp://mediaexeclick.eu/files/72
hxxp://mediaexeclick.eu/files/73
hxxp://mediaexeclick.eu/files/74
hxxp://mediaexeclick.eu/files/75
hxxp://mediaexeclick.eu/files/76
hxxp://mediaexeclick.eu/files/77
hxxp://mediaexeclick.eu/files/78
hxxp://mediaexeclick.eu/files/79
hxxp://mediaexeclick.eu/files/82
hxxp://mediaexeclick.eu/files/83
hxxp://mediaexeclick.eu/files/84
hxxp://mediaexeclick.eu/files/85
hxxp://mediaexeclick.eu/files/86
hxxp://mediaexeclick.eu/files/87
hxxp://mediaexeclick.eu/files/88
hxxp://mediaexeclick.eu/files/89
hxxp://mediaexeclick.eu/files/90
hxxp://mediaexeclick.eu/files/91
hxxp://mediaexeclick.eu/files/96
hxxp://mediaexeclick.eu/files/98
hxxp://mediaexeclick.eu/files/99
hxxp://mediaexeclick.info/files/17
hxxp://mediaexeclick.info/files/18
hxxp://mediaexeclick.info/files/19
hxxp://mediaexeclick.info/files/23
hxxp://mediaexeclick.info/files/24
hxxp://mediaexeclick.info/files/26
hxxp://mediaexeclick.info/files/27
hxxp://mediaexeclick.info/files/28
hxxp://mediaexeclick.info/files/30
hxxp://mediaexeclick.info/files/32
hxxp://mediaexeclick.info/files/34
hxxp://mediaexeclick.info/files/35
hxxp://mediaexeclick.info/files/36
hxxp://mediaexeclick.info/files/38
hxxp://mediaexeclick.info/files/43
hxxp://mediaexeclick.info/files/44
hxxp://mediaexeclick.info/files/47
hxxp://mediaexeclick.info/files/48
hxxp://mediaexeclick.info/files/50
hxxp://mediaexeclick.info/files/51
hxxp://mediaexeclick.info/files/52
hxxp://mediaexeclick.info/files/53
hxxp://mediaexeclick.info/files/54
hxxp://mediaexeclick.info/files/55
hxxp://mediaexeclick.info/files/57
hxxp://mediaexeclick.info/files/58
hxxp://mediaexeclick.info/files/59
hxxp://mediaexeclick.info/files/60
hxxp://mediaexeclick.info/files/61
hxxp://mediaexeclick.info/files/62
hxxp://mediaexeclick.info/files/63
hxxp://mediaexeclick.info/files/64
hxxp://mediaexeclick.info/files/65
hxxp://mediaexeclick.info/files/68
hxxp://mediaexeclick.info/files/69
hxxp://mediaexeclick.info/files/70
hxxp://mediaexeclick.info/files/71
hxxp://mediaexeclick.info/files/72
hxxp://mediaexeclick.info/files/73
hxxp://mediaexeclick.info/files/74
hxxp://mediaexeclick.info/files/75
hxxp://mediaexeclick.info/files/76
hxxp://mediaexeclick.info/files/77
hxxp://mediaexeclick.info/files/78
hxxp://mediaexeclick.info/files/79
hxxp://mediaexeclick.info/files/82
hxxp://mediaexeclick.info/files/83
hxxp://mediaexeclick.info/files/84
hxxp://mediaexeclick.info/files/85
hxxp://mediaexeclick.info/files/86
hxxp://mediaexeclick.info/files/87
hxxp://mediaexeclick.info/files/88
hxxp://mediaexeclick.info/files/89
hxxp://mediaexeclick.info/files/90
hxxp://mediaexeclick.info/files/91
hxxp://mediaexeclick.info/files/96
hxxp://mediaexeclick.info/files/98
hxxp://mediaexeclick.info/files/99
hxxp://mediaexeclick.net/files/17
hxxp://mediaexeclick.net/files/18
hxxp://mediaexeclick.net/files/19
hxxp://mediaexeclick.net/files/23
hxxp://mediaexeclick.net/files/24
hxxp://mediaexeclick.net/files/26
hxxp://mediaexeclick.net/files/27
hxxp://mediaexeclick.net/files/28
hxxp://mediaexeclick.net/files/30
hxxp://mediaexeclick.net/files/32
hxxp://mediaexeclick.net/files/34
hxxp://mediaexeclick.net/files/35
hxxp://mediaexeclick.net/files/36
hxxp://mediaexeclick.net/files/38
hxxp://mediaexeclick.net/files/43
hxxp://mediaexeclick.net/files/44
hxxp://mediaexeclick.net/files/47
hxxp://mediaexeclick.net/files/48
hxxp://mediaexeclick.net/files/50
hxxp://mediaexeclick.net/files/51
hxxp://mediaexeclick.net/files/52
hxxp://mediaexeclick.net/files/53
hxxp://mediaexeclick.net/files/54
hxxp://mediaexeclick.net/files/55
hxxp://mediaexeclick.net/files/57
hxxp://mediaexeclick.net/files/58
hxxp://mediaexeclick.net/files/59
hxxp://mediaexeclick.net/files/60
hxxp://mediaexeclick.net/files/61
hxxp://mediaexeclick.net/files/62
hxxp://mediaexeclick.net/files/63
hxxp://mediaexeclick.net/files/64
hxxp://mediaexeclick.net/files/65
hxxp://mediaexeclick.net/files/68
hxxp://mediaexeclick.net/files/69
hxxp://mediaexeclick.net/files/70
hxxp://mediaexeclick.net/files/71
hxxp://mediaexeclick.net/files/72
hxxp://mediaexeclick.net/files/73
hxxp://mediaexeclick.net/files/74
hxxp://mediaexeclick.net/files/75
hxxp://mediaexeclick.net/files/76
hxxp://mediaexeclick.net/files/77
hxxp://mediaexeclick.net/files/78
hxxp://mediaexeclick.net/files/79
hxxp://mediaexeclick.net/files/82
hxxp://mediaexeclick.net/files/83
hxxp://mediaexeclick.net/files/84
hxxp://mediaexeclick.net/files/85
hxxp://mediaexeclick.net/files/86
hxxp://mediaexeclick.net/files/87
hxxp://mediaexeclick.net/files/88
hxxp://mediaexeclick.net/files/89
hxxp://mediaexeclick.net/files/90
hxxp://mediaexeclick.net/files/91
hxxp://mediaexeclick.net/files/96
hxxp://mediaexeclick.net/files/98
hxxp://mediaexeclick.net/files/99
hxxp://mediaexeclick.org/files/17
hxxp://mediaexeclick.org/files/18
hxxp://mediaexeclick.org/files/19
hxxp://mediaexeclick.org/files/23
hxxp://mediaexeclick.org/files/24
hxxp://mediaexeclick.org/files/26
hxxp://mediaexeclick.org/files/27
hxxp://mediaexeclick.org/files/28
hxxp://mediaexeclick.org/files/30
hxxp://mediaexeclick.org/files/32
hxxp://mediaexeclick.org/files/34
hxxp://mediaexeclick.org/files/35
hxxp://mediaexeclick.org/files/36
hxxp://mediaexeclick.org/files/38
hxxp://mediaexeclick.org/files/43
hxxp://mediaexeclick.org/files/44
hxxp://mediaexeclick.org/files/47
hxxp://mediaexeclick.org/files/48
hxxp://mediaexeclick.org/files/50
hxxp://mediaexeclick.org/files/51
hxxp://mediaexeclick.org/files/52
hxxp://mediaexeclick.org/files/53
hxxp://mediaexeclick.org/files/54
hxxp://mediaexeclick.org/files/55
hxxp://mediaexeclick.org/files/57
hxxp://mediaexeclick.org/files/58
hxxp://mediaexeclick.org/files/59
hxxp://mediaexeclick.org/files/60
hxxp://mediaexeclick.org/files/61
hxxp://mediaexeclick.org/files/62
hxxp://mediaexeclick.org/files/63
hxxp://mediaexeclick.org/files/64
hxxp://mediaexeclick.org/files/65
hxxp://mediaexeclick.org/files/68
hxxp://mediaexeclick.org/files/69
hxxp://mediaexeclick.org/files/70
hxxp://mediaexeclick.org/files/71
hxxp://mediaexeclick.org/files/72
hxxp://mediaexeclick.org/files/73
hxxp://mediaexeclick.org/files/74
hxxp://mediaexeclick.org/files/75
hxxp://mediaexeclick.org/files/76
hxxp://mediaexeclick.org/files/77
hxxp://mediaexeclick.org/files/78
hxxp://mediaexeclick.org/files/79
hxxp://mediaexeclick.org/files/82
hxxp://mediaexeclick.org/files/83
hxxp://mediaexeclick.org/files/84
hxxp://mediaexeclick.org/files/85
hxxp://mediaexeclick.org/files/86
hxxp://mediaexeclick.org/files/87
hxxp://mediaexeclick.org/files/88
hxxp://mediaexeclick.org/files/89
hxxp://mediaexeclick.org/files/90
hxxp://mediaexeclick.org/files/91
hxxp://mediaexeclick.org/files/96
hxxp://mediaexeclick.org/files/98
hxxp://mediaexeclick.org/files/99
hxxp://mixpornotube.com/files/17
hxxp://mixpornotube.com/files/18
hxxp://mixpornotube.com/files/19
hxxp://mixpornotube.com/files/23
hxxp://mixpornotube.com/files/24
hxxp://mixpornotube.com/files/26
hxxp://mixpornotube.com/files/27
hxxp://mixpornotube.com/files/28
hxxp://mixpornotube.com/files/30
hxxp://mixpornotube.com/files/32
hxxp://mixpornotube.com/files/34
hxxp://mixpornotube.com/files/35
hxxp://mixpornotube.com/files/36
hxxp://mixpornotube.com/files/38
hxxp://mixpornotube.com/files/43
hxxp://mixpornotube.com/files/44
hxxp://mixpornotube.com/files/47
hxxp://mixpornotube.com/files/48
hxxp://mixpornotube.com/files/50
hxxp://mixpornotube.com/files/51
hxxp://mixpornotube.com/files/52
hxxp://mixpornotube.com/files/53
hxxp://mixpornotube.com/files/54
hxxp://mixpornotube.com/files/55
hxxp://mixpornotube.com/files/57
hxxp://mixpornotube.com/files/58
hxxp://mixpornotube.com/files/59
hxxp://mixpornotube.com/files/60
hxxp://mixpornotube.com/files/61
hxxp://mixpornotube.com/files/62
hxxp://mixpornotube.com/files/63
hxxp://mixpornotube.com/files/64
hxxp://mixpornotube.com/files/65
hxxp://mixpornotube.com/files/68
hxxp://mixpornotube.com/files/69
hxxp://mixpornotube.com/files/70
hxxp://mixpornotube.com/files/71
hxxp://mixpornotube.com/files/72
hxxp://mixpornotube.com/files/73
hxxp://mixpornotube.com/files/74
hxxp://mixpornotube.com/files/75
hxxp://mixpornotube.com/files/76
hxxp://mixpornotube.com/files/77
hxxp://mixpornotube.com/files/78
hxxp://mixpornotube.com/files/79
hxxp://mixpornotube.com/files/82
hxxp://mixpornotube.com/files/83
hxxp://mixpornotube.com/files/84
hxxp://mixpornotube.com/files/85
hxxp://mixpornotube.com/files/86
hxxp://mixpornotube.com/files/87
hxxp://mixpornotube.com/files/88
hxxp://mixpornotube.com/files/89
hxxp://mixpornotube.com/files/90
hxxp://mixpornotube.com/files/91
hxxp://mixpornotube.com/files/96
hxxp://mixpornotube.com/files/99
hxxp://mixpornotube.com/files/98


Though there's 754 URLs, there's actually only a handful of unique MD5s (58).

The IP itself, belongs to Netherlands based, Snel Internet Services B.V. (they're a customer of AS42267 77.95.224.0/21 SHIRYO-AS Shiryo Networks B.V., and have the entire 77.95.224.0/22).

The domains;

Domain    Registrant    Registrar
--------------------------------------------------------------------------
hqhamstertube.biz    Heinz Schneglberger / igorenko92@mail.ru    REGISTER.COM
hqhamstertube.co    Heinz Schneglberger / igorenko92@mail.ru    REGISTER.COM
hqhamstertube.eu    NOT DISCLOSED!    EURID
hqhamstertube.info    Heinz Schneglberger / igorenko92@mail.ru    Register.com, Inc. (R140-LRMS)
hqhamstertube.net    Heinz Schneglberger / igorenko92@mail.ru    Register.com
hqhamstertube.org    Heinz Schneglberger / igorenko92@mail.ru    Register.com, Inc. (R71-LROR)
mediaexeclick.biz    Domain Discreet / 39ceaceb0a16121f02a83971e9354757@domaindiscreet.com    REGISTER.COM
mediaexeclick.com    Domain Discreet Privacy Service / 39ceceb20a16121f25bf99776102faef@domaindiscreet.com    Register.com
mediaexeclick.com    Domain Discreet Privacy Service / 39ceceb20a16121f25bf99776102faef@domaindiscreet.com    Register.com
mediaexeclick.eu    NOT DISCLOSED!    EURID
mediaexeclick.info    Domain Discreet / 39cef73b0a16121e02acfbf3df45520c@domaindiscreet.com    Register.com, Inc. (R140-LRMS)
mediaexeclick.net    Domain Discreet Privacy Service / 39cf099a0a16121f10aa299aa1dfc681@domaindiscreet.com    Register.com
mediaexeclick.org    Domain Discreet / 39cf223a0a16121f19fe98cae8822fdb@domaindiscreet.com    Register.com, Inc. (R71-LROR)
mediaexeclick.org    Domain Discreet / 39cf223a0a16121f19fe98cae8822fdb@domaindiscreet.com    Register.com, Inc. (R71-LROR)
mixpornotube.com    Heinz Schneglberger / igorenko92@mail.ru    Register.com


They've been reported, but in the meantime, you'll want to put a block on the IP.

Malwarebytes users will be pleased to know, the files are already detected.

Wednesday 1 February 2012

Crimeware friendly registrars: NameCheap

Crimeware friendly has a certain connotation to it, that most registrars tend to want to avoid. In NameCheap' case however, it seems they quite like it - or at least, put money above all else, including their reputation.

I've been sending reports for years, and the majority of registrars and hosts, tend to deal with them quickly, or in some cases - eventually. Not NameCheap - all reports result in a reply along the lines of the following (the latest one to come in - I've removed the domain name and ticket ID so it doesn't tip the owner off);

Hello,

Thank you for your email regarding the domain name {REMOVED}. While the domain name does have Namecheap.com as the registrar, we do not own the domain name mentioned in your complaint. We are simply the registrar that the registrant purchased the domain name from.

Please be advised to contact company that provides hosting services for the domain and ask them to assist you with the issue. You could also contact the domain owner directly regarding the issue. Contact details assigned to the domain can be found in the Whois database.

Thank you.


------------------
Regards,
Stas T.
Customer Support

*Visit http://www.namecheap.com/status.aspx for up-to-date service status


Ticket Details

________________________________

Ticket ID: {REMOVED}
Department: Domains -- Legal and Abuse
Type: Issue
Status: Closed
Priority: High

Support Center: https://support.namecheap.com/index.php?/default_import


Other variations I've gotten include;

Hello,

Thank you for your email regarding the domain name {REMOVED}. While the domain name does have Namecheap.com as the registrar, we do not have the ability to oversee what data are being transmitted through its site. We do not own the domain name mentioned in your complaint, we are simply the registrar that the registrant purchased the domain name from.

The issue would need to be addressed through the hosting provider to see if any of their terms of service have been violated, and would need to be addressed with the domain registrant as they should be the individual that would control what particular content is being exchanged. We have no way to police these issues as we do not control the hosting company in this instance. Here are the contact details of the company that owns {REMOVED} IP Address which is currently assigned to the domain: {REMOVED}

While I understand your issue, we are not in a position where we can make determination of validity of your statements. If you believe you are the victim of an internet crime, or if you are aware of an attempted crime, you can file a complaint through Internet Crime Complaint Center at https://complaint.ic3.gov/ctf.aspx . You also may contact either your lawyer(s) or the local authorities in order get the issue resolved. We will assist them any way we can.


Funny thing is - NameCheap Hosting is completely the opposite, and do suspend accounts.

Well NameCheap, as myself and others have pointed out to you, as an ICANN accredited registrar, you have an obligation under the UDRP Policy, to take action on reports - NOT to claim your customers actions aren't your responsibility.

By refusing to suspend domains reported to you, you are in direct violation of your contractual obligation to follow ICANN’s UDRP policy, which requires you (as well as all other accredited registrars) to suspend domains housing and/or leading to, malicious/illegal content.

You can view ICANN’s UDRP Policy here:
http://www.icann.org/en/dndr/udrp/policy.htm

"By applying to register a domain name, or by asking us to maintain or renew a domain name registration, you hereby represent and warrant to us that…(c) you are not registering the domain name for an unlawful purpose; and (d) you will not knowingly use the domain name in violation of any applicable laws or regulations"

Alert: Pinball Publisher still using highly misleading marketing

This time, they're mis-using Real, makers of RealPlayer (knew the RIP thing was rubbish - made me smile, but always skeptical - Zango pulled the same trick but are still going with their ZangoCash rubbish). Wonder if the FTC are ever going to do anything about this (though they took their time dealing with Zango, so I'm not hopeful).



Domains involved this time;

dllapp.info
install.freedownloadsoft.net
cfgi.5millionfriends.com
origin-ics.5millionfriends.com

Ad servers involved:

content.yieldmanager.edgesuite.net
ad.harrenmedianetwork.com

URLs:

http://content.yieldmanager.edgesuite.net/atoms/65/b8/d1/ef/65b8d1ef656651831047915fc5e78af9.png

http://ad.harrenmedianetwork.com/clk?3,eAGlj9tOg0AQhp-GOyTsoQIhXmwFmlIOooum3BiybAERaGAj2Kfv1uLh3slMZuabP38yANk6Mi1ZJisw4ysT2QCtkIWtQ5EjVbdtG2IDAHBBKn7YNfeJP-9Kkq6HkVyj.giSZfxq-2VpCEmI69zozF-Ixyfzr.Ifc-iV31ZbQsqrU6.NfkzT9Y.v5rmJX9IpdlwY0Me3bLMXIfXewydQRaetHlCGMxrVEXXniK7b7PePO1WthDgqiCjQk5kXWpUPA-9aXtR5x8XUD43G-lbeRqEgKXgVn0euIKc-DHnLFXgr0VifLsiA5mzpEo2cibrvJIKGCTCGZ9mTbss=,

http://www.dllapp.info/RealPlayer/player/?ref=234080

http://install.freedownloadsoft.net/installer/zcdownload/f0da0f17da534f8a35f2bfeeaed18190a2864fedc3460bf9b20850d39f463d7b7e7f5a3d69:96cb91b16b82e852b58e8a0863000d85/?lp=http%3A%2F%2Fwww.dllapp.info%2FRealPlayer%2Fplayer%2F%3Fref%3D234080&ref=234080

http://cfgi.5millionfriends.com/gi.aspx?chid=234080&cid=1440500&con=n&v.method=software&ix=gplappbundler&v.installerName=RealSetup.exe

http://origin-ics.fivemillionfriends.com/IC/GPLAppBundler68/32050/0/e7d5f950-2f93-4fc0-8467-e45e7ad6a21b/RealSetup.exe


I'd say I wonder why the ad networks are allowing this, but that's an easy one - there's money involved. Seems to win over common sense.

Oh and whilst I'd never recommend it anyway (bloated pile of rubbish), RealPlayer can be found at;

http://www.real.com/realplayer

References

Be careful searching for Top Gear episodes
http://hphosts.blogspot.com/2011/07/be-careful-searching-for-top-gear.html

RIP: Zango/Pinball Publisher Corp
http://hphosts.blogspot.com/2011/05/rip-zangopinball-publisher-corp.html

Pinball Publisher Corp: Hotbar.com deceptive installation.. again
http://blog.dynamoo.com/2010/07/hotbarcom-deceptive-installation-again.html

Pinball Publisher Network: Yet more blackhat SEO goodness
http://hphosts.blogspot.com/2010/03/pinball-publisher-network-yet-more.html

Pinball Publisher Network: The ghost of Zango toolbar has a Facebook fan page
http://sunbeltblog.blogspot.com/2010/01/ghost-of-zango-toolbar-has-facebook-fan.html

Google + Blackhat SEO + "Teen Porn" = SeekMo
http://hphosts.blogspot.com/2009/12/google-blackhat-seo-teen-porn-seekmo.html