The IPs in this case are;
209.126.131.87
ASN: 10439 209.126.128.0/17 CARINET - CariNet, Inc.
7install.com - marianog61@gmail.com GODADDY.COM, LLC
7install.info - marianog61@gmail.com GODADDY.COM, LLC
7searchbox.com - marianog61@gmail.com GODADDY.COM, LLC
analytic-login.com - marianog61@gmail.com GODADDY.COM, LLC
cerberav.us - marianog61@gmail.com GODADDY.COM, LLC
freedownlodenow.com - marianog61@gmail.com GODADDY.COM, LLC
incomeinstall.net - marianog61@gmail.com GODADDY.COM, LLC
installmonster.com - marianog61@gmail.com GODADDY.COM, LLC
megafreedownload.com - marianog61@gmail.com GODADDY.COM, LLC
91.214.201.126
ASN: 49527 91.214.200.0/22 ROXNET-COM-AS SRL ROXNET-COM
unsecuredconnection.com - Henry Nguyen Gong contact@privacy-protect.cn BIZCN.COM, INC
updatedflashplayer.com - Henry Nguyen Gong contact@privacy-protect.cn BIZCN.COM, INC
updflashplayer.com - Henry Nguyen Gong contact@privacy-protect.cn BIZCN.COM, INC
91.214.201.148
ASN: 49527 91.214.200.0/22 ROXNET-COM-AS SRL ROXNET-COM
brosertie.us - Repossessed by Go Daddy / - Repossesseddomain@godaddy.com GoDaddy.com, Inc.
fenretosit.us - Repossessed by Go Daddy / - Repossesseddomain@godaddy.com GODADDY.COM, INC.
forentor.biz - Repossessed by Go Daddy / - Repossesseddomain@godaddy.com GODADDY.COM, INC.
forentor.us - Repossessed by Go Daddy / - Repossesseddomain@godaddy.com GoDaddy.com, Inc.
forotesit.us - Repossessed by Go Daddy / - Repossesseddomain@godaddy.com GODADDY.COM, INC.
jaterisok.us - Repossessed by Go Daddy / - Repossesseddomain@godaddy.com GODADDY.COM, INC.
jerenkoli.biz - Repossessed by Go Daddy / - Repossesseddomain@godaddy.com GODADDY.COM, INC.
jerenkoli.us - Repossessed by Go Daddy / - Repossesseddomain@godaddy.com GODADDY.COM, INC.
jonteoli.biz - Repossessed by Go Daddy / - Repossesseddomain@godaddy.com GODADDY.COM, INC.
jonteoli.us - Repossessed by Go Daddy / - Repossesseddomain@godaddy.com GODADDY.COM, INC.
moguleroc.us - Repossessed by Go Daddy / - Repossesseddomain@godaddy.com GODADDY.COM, INC.
mongolero.us - Repossessed by Go Daddy / - Repossesseddomain@godaddy.com GODADDY.COM, INC.
ventupri.biz - Repossessed by Go Daddy / - Repossesseddomain@godaddy.com GODADDY.COM, INC.
ventupri.us - Repossessed by Go Daddy / - Repossesseddomain@godaddy.com GoDaddy.com, Inc.
brosertie.net - Repossessed / - Repossesseddomain@godaddy.com GODADDY.COM, LLC
fenretosit.net - Repossessed / - Repossesseddomain@godaddy.com GODADDY.COM, LLC
forotesit.net - Repossessed by Go Daddy / - Repossesseddomain@godaddy.com GODADDY.COM, LLC
jaterisok.net - Repossessed by Go Daddy / - Repossesseddomain@godaddy.com GODADDY.COM, LLC
moguleroc.net - Repossessed by Go Daddy / - Repossesseddomain@godaddy.com GODADDY.COM, LLC
mongolero.net - Repossessed by Go Daddy / - Repossesseddomain@godaddy.com GODADDY.COM, LLC
jaterisok.net - Repossessed / - Repossesseddomain@godaddy.com GODADDY.COM, LLC
moguleroc.net - Repossessed / - Repossesseddomain@godaddy.com GODADDY.COM, LLC
brosertie.info - Repossessed by Go Daddy / - Repossesseddomain@godaddy.com GoDaddy.com, LLC (R171-LRMS)
fenretosit.info - Repossessed by Go Daddy / - Repossesseddomain@godaddy.com GoDaddy.com, LLC (R171-LRMS)
forentor.info - Repossessed by Go Daddy / - Repossesseddomain@godaddy.com GoDaddy.com, LLC (R171-LRMS)
forotesit.info - Repossessed by Go Daddy / - Repossesseddomain@godaddy.com GoDaddy.com, LLC (R171-LRMS)
jaterisok.info - Repossessed by Go Daddy / - Repossesseddomain@godaddy.com GoDaddy.com, LLC (R171-LRMS)
moguleroc.info - Repossessed by Go Daddy / - Repossesseddomain@godaddy.com GoDaddy.com, LLC (R171-LRMS)
mongolero.info - Repossessed by Go Daddy / - Repossesseddomain@godaddy.com GoDaddy.com, LLC (R171-LRMS)
ventupri.info - Repossessed by Go Daddy / - Repossesseddomain@godaddy.com GoDaddy.com, LLC (R171-LRMS)
forentor.org - Repossessed by Go Daddy / - Repossesseddomain@godaddy.com GoDaddy.com, LLC (R91-LROR)
brosertie.org - Repossessed by Go Daddy / - Repossesseddomain@godaddy.com GoDaddy.com, LLC (R91-LROR)
fenretosit.org - Repossessed by Go Daddy / - Repossesseddomain@godaddy.com GoDaddy.com, LLC (R91-LROR)
forentor.org - Repossessed by Go Daddy / - Repossesseddomain@godaddy.com GoDaddy.com, LLC (R91-LROR)
forotesit.org - Repossessed by Go Daddy / - Repossesseddomain@godaddy.com Public Interest Registry
jaterisok.org - Repossessed by Go Daddy / - Repossesseddomain@godaddy.com Public Interest Registry
jerenkoli.org - Repossessed by Go Daddy / - Repossesseddomain@godaddy.com Public Interest Registry
moguleroc.org - Repossessed by Go Daddy / - Repossesseddomain@godaddy.com Public Interest Registry
mongolero.org - Repossessed by Go Daddy / - Repossesseddomain@godaddy.com Public Interest Registry
ventupri.org - Repossessed by Go Daddy / - Repossesseddomain@godaddy.com Public Interest Registry
forentor.org - Repossessed by Go Daddy / - Repossesseddomain@godaddy.com Public Interest Registry
198.199.65.137
ASN: 46652 198.199.64.0/20 SERVERSTACK-ASN - ServerStack, Inc.
alwaysdownloads.com - Admin / 14E08F8D78D1412A945F67F34DC204D5.PROTECT@WHOISGUARD.COM ENOM, INC.
8.29.133.130
ASN: 30152 8.29.128.0/21 BEYOND-HOSTING - Beyond Hosting, LLC
freegiveawayoffers.com - Admin / ADMIN@SLHOST.COM ENOM, INC.
8.29.133.189
ASN: 30152 8.29.128.0/21 BEYOND-HOSTING - Beyond Hosting, LLC
javainstalls.com - Admin / ADMIN@SLHOST.COM ENOM, INC.
184.105.178.69
ASN: 6939 184.104.0.0/15 HURRICANE - Hurricane Electric, Inc
yesdownloads.com - Admin / support@383media.com GODADDY.COM, LLC
dl.yesdownloads.com
adobeflashfreedownload.com - Admin / support@383media.com GODADDY.COM, LLC
avgantivirusforfree.com - Admin / support@383media.com GODADDY.COM, LLC
downloadmessengerfree.com - Admin / DOWNLOADMESSENGERFREE.COM@domainsbyproxy.com GODADDY.COM, LLC
installjavafree.com - Admin / support@383media.com GODADDY.COM, LLC
yahoomessengerforfree.com - Domain Administrator / domainadmin@yahoo-inc.com Markmonitor.com
141.101.125.155
ASN: 13335 141.101.125.0/24 CLOUDFLARENET - CloudFlare, Inc.
getsoftfree.com - Admin / 806AB1DA379142F7A89D556D1FB6E33E.PROTECT@WHOISGUARD.COM ENOM, INC.
If you have a gander through the domains, you'll no doubt notice the likes of "AVG" being impersonated, but there's also another one - cerberav.us, impersonating cerberav.com (a Spanish AV company).
Funny thing is, the companies involved in the fake Flash/Java etc deception are still trying to convince me that they're not doing anything wrong. On that subject, iLivid are STILL not responding, and are still using things like this;
As you've no doubt already guessed, AirInstaller, who I wrote about previously, are still using the very same tactics. For example;
hxxp://trkur.com/trk?o=7945&p=71676
-> hxxp://globalpromotions.kidsclothingstore.org/?sov=226078602&hid=fvjnhjjfnffphfhr&noflu=noflu&id=XNSX.71676%3A%3APEERFLY%3A%3AUK%3A%3A29%3A%3A7945
--> hxxp://globalpromotions.kidsclothingstore.org/AIRAdobeRS2filenameGB.html
globalpromotions.kidsclothingstore.org in case you're wondering, is housed at;
208.87.34.151 - 208-87-34-151.securehost.com - 15146 - 15146 208.87.32.0/21 CABLEBAHAMAS - Cable Bahamas
23.20.106.130 - ec2-23-20-106-130.compute-1.amazonaws.com - 14618 - 14618 23.20.0.0/15 AMAZON-AES - Amazon.com, Inc.
5.199.171.205 - hst-171-205.digital-forex.net - 16125 - 16125 5.199.168.0/22 DC-AS UAB Duomenu Centras
75.101.216.99 - ec2-75-101-216-99.compute-1.amazonaws.com - 14618 - 14618 75.101.128.0/17 AMAZON-AES - Amazon.com, Inc.
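The listing above (IP, "ASN:" line, then one "domain - registrant" line per domain) and the defanged "hxxp://" redirect chain are the two formats a defender has to work with when turning a post like this into block rules. The following is an added example, not code from the post or from hpHosts: it parses the listing format into structured records, deduplicates repeated domain lines, groups domains by the registrant contact address (a shared address across many look-alike domains is the pivot the post itself relies on), emits hpHosts-style hosts-file entries, and extracts the hop hostnames from the "->" chain notation. The sample input is constructed from entries that appear on this page; the function names and the 127.0.0.1 sink are assumptions of this example.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Constructed sample in the listing format used above: an IPv4 line, an
# "ASN:" line, then domain lines (one is repeated on purpose, as in the post).
SAMPLE_LISTING = """\
209.126.131.87
ASN: 10439 209.126.128.0/17 CARINET - CariNet, Inc.
7install.com - marianog61@gmail.com GODADDY.COM, LLC
cerberav.us - marianog61@gmail.com GODADDY.COM, LLC
91.214.201.126
ASN: 49527 91.214.200.0/22 ROXNET-COM-AS SRL ROXNET-COM
updatedflashplayer.com - Henry Nguyen Gong contact@privacy-protect.cn BIZCN.COM, INC
updatedflashplayer.com - Henry Nguyen Gong contact@privacy-protect.cn BIZCN.COM, INC
184.105.178.69
ASN: 6939 184.104.0.0/15 HURRICANE - Hurricane Electric, Inc
yesdownloads.com - Admin / support@383media.com GODADDY.COM, LLC
dl.yesdownloads.com
"""

# The AirInstaller chain quoted in the post, in the same "->" / "-->" notation.
SAMPLE_CHAIN = [
    "hxxp://trkur.com/trk?o=7945&p=71676",
    "-> hxxp://globalpromotions.kidsclothingstore.org/?sov=226078602&hid=fvjnhjjfnffphfhr&noflu=noflu&id=XNSX.71676%3A%3APEERFLY%3A%3AUK%3A%3A29%3A%3A7945",
    "--> hxxp://globalpromotions.kidsclothingstore.org/AIRAdobeRS2filenameGB.html",
]

IPV4_RE = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$")
ASN_RE = re.compile(r"^ASN:\s+(\d+)\s+(\S+/\d{1,2})\s+(.*)$")
# domain, then an optional " - " (or just whitespace) and free-text registrant info
DOMAIN_RE = re.compile(r"^([a-z0-9-]+(?:\.[a-z0-9-]+)+)(?:\s+-?\s*(.*))?$", re.I)
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
HXXP_RE = re.compile(r"\bhxxp(s?)://", re.I)


def is_ipv4(s: str) -> bool:
    m = IPV4_RE.match(s)
    return bool(m) and all(0 <= int(octet) <= 255 for octet in m.groups())


def parse_listing(text: str) -> List[Dict]:
    """Turn the IP / ASN / domain listing into one record per hosting IP.
    Domain lines are attached to the most recent IP; exact repeats are dropped."""
    records: List[Dict] = []
    current: Optional[Dict] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if is_ipv4(line):
            current = {"ip": line, "asn": None, "prefix": None, "asn_name": None, "domains": []}
            records.append(current)
            continue
        m = ASN_RE.match(line)
        if m and current is not None:
            current["asn"] = int(m.group(1))
            current["prefix"] = m.group(2)
            current["asn_name"] = m.group(3).strip()
            continue
        m = DOMAIN_RE.match(line)
        if m and current is not None:
            domain = m.group(1).lower()
            registrant = (m.group(2) or "").strip() or None
            if domain not in {d["domain"] for d in current["domains"]}:
                current["domains"].append({"domain": domain, "registrant": registrant})
    return records


def hosts_file_lines(records: List[Dict], sink: str = "127.0.0.1") -> List[str]:
    """Emit hpHosts-style hosts-file entries, deduplicated across IPs and sorted."""
    names = sorted({d["domain"] for r in records for d in r["domains"]})
    return [f"{sink} {name}" for name in names]


def by_registrant_contact(records: List[Dict]) -> Dict[str, List[str]]:
    """Group domains by the first e-mail address in their registrant field."""
    groups: Dict[str, List[str]] = {}
    for r in records:
        for d in r["domains"]:
            m = EMAIL_RE.search(d["registrant"] or "")
            if m:
                groups.setdefault(m.group(0).lower(), []).append(d["domain"])
    return groups


def refang(url: str) -> str:
    """hxxp:// -> http:// so the URL can be parsed (never fetched here)."""
    return HXXP_RE.sub(lambda m: "http" + m.group(1) + "://", url)


def chain_hosts(lines: List[str]) -> List[str]:
    """Hostnames visited along a '->' chain, collapsing consecutive repeats."""
    hops: List[str] = []
    for line in lines:
        host = urlparse(refang(line.lstrip("-> ").strip())).hostname
        if host and (not hops or hops[-1] != host):
            hops.append(host)
    return hops


if __name__ == "__main__":
    recs = parse_listing(SAMPLE_LISTING)
    print("\n".join(hosts_file_lines(recs)))
    print(by_registrant_contact(recs))
    print(" -> ".join(chain_hosts(SAMPLE_CHAIN)))
```

Feeding the full listing from the post into `parse_listing` gives one record per IP with its ASN and prefix, which is what you need to block by network rather than by name once a campaign starts rotating domains; `by_registrant_contact` surfaces the same registrant clusters the post points out by eye.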
Not surprisingly, some of the companies have resorted to trying to block me from seeing the sites on their IPs (they're about as successful at this as the skiddies and a few hosts/ASNs have been, not realising I've got far more than one or two IPs at my disposal - woops!).
If you see any more fake Flash, Java, Chrome, Firefox, Windows, Skype etc etc etc sites, please do feel free to either drop me an email, or drop by the hpHosts forums.
Uch, I can't believe I left my last name on my previous comment.
It was the automatic pilot, in the modus that I was writing a personal message.
Could you please remove it? :)
Marsha,
Happy to help, thanks for stopping by.
Given the way it works, it's likely you've got it loading with the browser itself.
You can use the following to get rid of it;
http://malwarebytes.org
You'll find me there as well if you need assistance (username: MysteryFCM)
I can remove the entire comment, but unfortunately, Blogger doesn't allow us to edit user comments.
Thanks for your fast response :)
I hope you don't mind I deleted the comment, since it wasn't editable.
I have scanned with Malwarebytes, but it hasn't found anything either.
I did find something interesting though.
I thought it was a response only in the instant key, but what happens is that instant key reforms the URL to http://https://icloud.com, probably because you can't bind secure sites to it.
When I open this exact address in any browser (IE, Chrome) on different computers here (Win7/Win8), even on old ones that haven't been used since last year, AND my iPhone, this URL redirects to the mentioned website.
These computers/iPhone are not all on the same DNS.
This makes me think that the infection might not be on my particular system, but that this is some 'hijack' online.
It shows a partially Dutch website so I'm not sure if you would have the same results on that URL (but maybe you do if it's altered based on where you come from), but I am gonna ask around on local forums if they experience the same.
Thanks again and keep up the good work!
Thanks for letting me know.
Please also consider dropping by the helpdesk (tell them I sent you), and they'll identify and assist in removal;
support AT malwarebytes DOT co DOT uk