videosfarmer.com now launches a trojan
Protect-X Forum >> Cheaters & Shitlist
Verbal



Joined: 30 May 2007
Posts: 22


Posted: 25 Jul 2007 14:57    Post subject: videosfarmer.com now launches a trojan

Hi,

Look out, the domain videosfarmer.com is now launching a trojan "tidy_last_validated.html" detected as VBS/Psyme.

Today the page layout has totally changed to just a bunch of big thumbs that all link to nimbleguide.com and launches a trojan when the page loads.

I've been trading w/ him for about a week since he signed up, and he was consistently sending me double the traffic back (my return stayed around 46%), which should have been my first clue. I thought he must've just been a nice guy, since he checked out here and on cheater hell... nope.

Plus, he is using Joker as a registrar - which is now becoming a big red flag for me.

Verbal



Joined: 30 May 2007
Posts: 22


Posted: 25 Jul 2007 15:59    Post subject: wickedthumbs.com

Looks like the same guy runs wickedthumbs.com, which is also registered at Joker.

I just went to wickedthumbs.com and it looks identical to videosfarmer.com and also launches the same virus.
Verbal



Joined: 30 May 2007
Posts: 22


Posted: 25 Jul 2007 16:04    Post subject:

Wait.. hang on.

Now they both have reverted back to showing their clean TGP pages like before with no trojans.

Something weird is going on here.

Good thing I took screenshots of both domains how they looked before when they popped up the trojan virus alert.
rhino



Joined: 23 Dec 2006
Posts: 70
Rank: 12

Posted: 25 Jul 2007 19:01    Post subject:

Pretty sure you're seeing a rather creative use of .htaccess... & mod_rewrite

Type-ins get one presentation, trades get another

Had the same issues with several trades that all had the joker.com registration, looked good in trade stats & weren't in any blacklists or marked as bad trades... end result got burnt pretty badly, so now their IP range is in my firewall iptable.

Protect-X's new reverse DNS will help while checking trades, maybe could be extended to report NS info as well? (Unfortunately it's still somewhat easy to get 1 IP per domain from some underused ISP that's willing to offer it at a premium price... and some cheat networks have deep pockets with lots of $.)

Rhino
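
The referrer-based cloaking rhino describes can be checked for by requesting the same page as a type-in (no Referer) and as a trade hit (with a Referer) and comparing where the links point. This is an added example, not part of the original thread; the `.example` hosts, the `PROFILES` table and the `fake_fetch` stand-in server are assumptions made up for illustration.

```python
import re
import urllib.request
from urllib.parse import urlparse

# A type-in visit carries no Referer; a trade hit carries the partner's URL.
# "my-tgp.example" is a placeholder for the checker's own site (assumption).
PROFILES = {
    "type-in": {},
    "trade": {"Referer": "http://my-tgp.example/"},
}

def http_fetch(url, headers):
    """Real fetcher: GET url with the given extra headers, return the body text."""
    req = urllib.request.Request(url, headers={"User-Agent": "Mozilla/5.0", **headers})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8", "replace")

def link_hosts(html):
    """Hosts that the page's href attributes point at (relative links are skipped)."""
    hosts = set()
    for href in re.findall(r'href=["\']([^"\']+)', html, re.I):
        host = urlparse(href).hostname
        if host:
            hosts.add(host.lower())
    return hosts

def check_cloaking(url, fetch=http_fetch):
    """Fetch url under each profile and report link hosts seen under only one of them."""
    seen = {name: link_hosts(fetch(url, hdrs)) for name, hdrs in PROFILES.items()}
    common = set.intersection(*seen.values())
    diffs = {name: sorted(hosts - common) for name, hosts in seen.items()}
    return {"cloaked": any(diffs.values()), "only_in": diffs}

# Constructed stand-in for a server that switches pages on the Referer header
# (sample data written for this example, not captured traffic).
def fake_fetch(url, headers):
    if "Referer" in headers:
        return '<a href="http://redirect-target.example/x.html?1"><img src="t.jpg"></a>'
    return ('<a href="http://gallery-one.example/a/">1</a>'
            '<a href="http://gallery-two.example/b/">2</a>')

if __name__ == "__main__":
    print(check_cloaking("http://suspect-tgp.example/", fetch=fake_fetch))
```

Normal gallery rotation also changes link hosts between requests, so repeat the fetches and treat only hosts that consistently appear under one profile as a sign of cloaking.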
max



Joined: 18 Oct 2006
Posts: 538
Rank: 38

Posted: 26 Jul 2007 10:50    Post subject:

Verbal wrote:
Good thing I took screenshots of both domains how they looked before when they popped up the trojan virus alert.


Would be great to look into these screenshots.
Both sites look like normal TGPs to me now. I've tried to reach them via trade - no success. The second trade in wickedthumbs's top doesn't even have wickedthumbs.com in his top (while having 80 spots), and neither does the 4th. Isn't that strange?
Verbal



Joined: 30 May 2007
Posts: 22


Posted: 26 Jul 2007 20:51    Post subject:

Hi max, I'll upload screenshots in a minute since I don't think I can attach them to my post.

You are right that both TGP's look normal right now, however, videosfarmer.com has still been sending me (apparently legit) hits for the last 24 hours even though I have blacklisted and removed his trade.

I also still appear in his toplist at the bottom (#15 - CuddleBunny) though I've sent him zero traffic for the last 24-32 odd hours.

Finally, I have spoken with one of my good traders, and he confirmed he was receiving extremely great prod from this guy too (he was trading with wickedthumbs.com and I was trading with videosfarmer.com). This guy was consistently sending me back double the traffic I was sending him no matter how much I forced.

As they say... if it sounds too good to be true....
Verbal



Joined: 30 May 2007
Posts: 22


Posted: 26 Jul 2007 21:07    Post subject: screenshots

Here are screenshots I took on the morning of 7/25/07.

On the wickedthumbs.com one I actually had just closed my virus alert pop-up window, but you can see the two domains look(ed) the same.


videosfarmer.com screenshot
All these thumbnails linked to nimbleguide.com
ie: http:// nimbleguide.com/gangbang.html?6278


wickedthumbs.com screenshot
All these thumbnails linked to adsnavigator.com
ie: http:// adsnavigator.com/gangbang.html?6278 (<- possibly an affiliate ref code?)
xwild



Joined: 01 Nov 2006
Posts: 576
Rank: 35

Posted: 27 Jul 2007 00:20    Post subject:

This is good news! I do not need to be mean, just that I've been telling Protect-X for a couple of days about that site/registrar.

Please review all the sites he has and post them here so he can be exposed.

What is the DNS number where he is mainly located so we can ban it?

Please advise and thank you!

Your Amigo Xwild.
max



Joined: 18 Oct 2006
Posts: 538
Rank: 38

Posted: 27 Jul 2007 08:29    Post subject:

Just noticed
nimbleguide.com
adsnavigator.com
have the same template and thumbs like videosfarmer.com and wickedthumbs.com on your screenshots.
Moved to ban list.
Verbal



Joined: 30 May 2007
Posts: 22


Posted: 27 Jul 2007 15:31    Post subject:

Yeah xwild, I'm no longer going to trade with sites using the Joker registrar.

Also, not sure if this guy uses the same name for all his trades, but he signed up under me under the username "rowan".

Those are the only two domains I know of at the moment, so keep an eye out for this guy!

Peace,

Verbal
http://www.cuddlebunny.net/
Verbal



Joined: 30 May 2007
Posts: 22


Posted: 28 Jul 2007 16:14    Post subject: Found another one - hornymaniac.com

Hi guys,

I was just checking trades and found another TGP pulling the same bullshit (it's probably the same guy):

hornymaniac.com screenshot
all links go to nimbleguide.com as well

Has anyone else seen the template in the screenshot anywhere? I'm on my home computer now so I'm pretty sure it's not just my work machine being corrupt or something.


hornymaniac.com whois info:

domain: hornymaniac.com
owner: Peter Fischer
email: Whois Privacy and Spam Prevention by DomainTools.com
address: Dr. Otto Neuratgasse 1/7
city: Wien
state: --
postal-code: A-1220
country: AU
phone: +431.984838350
admin-c: CCOM-1070508 Whois Privacy and Spam Prevention by DomainTools.com
tech-c: CCOM-1070508 Whois Privacy and Spam Prevention by DomainTools.com
billing-c: CCOM-1070508 Whois Privacy and Spam Prevention by DomainTools.com
nserver: a.ns.joker.com 69.39.224.27
nserver: b.ns.joker.com 159.25.97.69
nserver: c.ns.joker.com 207.44.185.10
status: lock
created: 2007-07-05 10:49:56 UTC
modified: 2007-07-05 10:59:58 UTC
expires: 2008-07-05 10:49:56 UTC

contact-hdl: CCOM-1070508
person: Peter Fischer
email: Whois Privacy and Spam Prevention by DomainTools.com
address: Dr. Otto Neuratgasse 1/7
city: Wien
state: --
postal-code: A-1220
country: AU
phone: +431.984838350

source: joker.com live whois service
query-time: 0.040968
db-updated: 2007-07-28 16:12:08
xwild



Joined: 01 Nov 2006
Posts: 576
Rank: 35

Posted: 29 Jul 2007 15:38    Post subject:

That is good news, Verbal.
Unfortunately, a lot of bad webmasters change their identity to start trading again.
Just keep an eye out for bad websites.

I used McAfee in all my PCs to detect bad sites with trojans and spyware.

It does an excellent job for me.
max



Joined: 18 Oct 2006
Posts: 538
Rank: 38

Posted: 30 Jul 2007 09:54    Post subject:

another joker site in a basket.
Verbal



Joined: 30 May 2007
Posts: 22


Posted: 30 Jul 2007 17:05    Post subject: Re: videosfarmer.com now launches a trojan

Found another one.. this is getting ridiculous.

nudeswishes.com screenshot

Can anyone confirm?


EDIT: I just refreshed that domain and it looks like a normal TGP again... very sneaky.
Verbal



Joined: 30 May 2007
Posts: 22


Posted: 30 Jul 2007 17:20    Post subject:

more:
mpegsarena.com screenshot

and

reallycurves.com

I'm just going to stop taking screenshots now. The point is beware of TGPs on Joker registrar.