Blog for hpHosts, and whatever else I feel like writing about ....

Tuesday 28 February 2012

Performersoft.com: Downright scareware

It would seem Performersoft.com yet again want to join the scareware group; this time, it seems, they're not content with their software doing it - they want their adverts to do it too.


This one popped up whilst I was investigating a site earlier, yet again like the rest, going through ad.yieldmanager.com;

GET /clk?3,eAGdTdtugkAQ.RreqNmLCIT0Yey6jSnYNmJTfMNlAQGlwlouXy8V.IFOZubMnDM5g6kjkYXsUEhiLwyK5dzB1BCL2EQICx05jkNMik1CsGHpYvNlA2Pwlixf3TqAe.DfrTdOf10ATDzkAAmswGT0c9K.uVqO44uVrlYT-x9g-aV9uK4BmtEj.TBJm-2mHwPH1n2QCewRr3P9oNuQnfJ8XnhbnL4z0bs-z4Ke53sf0MZft.uHJcCzrqdK.WgUNMKHjKWMnio1O4RVea7LOJZVPRPlaZDuy3QywGWoUKH2HEmjSE.2uT.OZZQ3RTK3w6bvugYXGuX19XCMNMoiGYfXQt0A3.h0nw==,http%3A%2F%2Fwww.cni67.com%2Fv5%2Flive%2Fias5%2Fe.php%3Fid%3D22269x1942x101%26cb%3D740592 HTTP/1.1
Host: ad.yieldmanager.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:10.0) Gecko/20120131 Firefox/10.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-gb,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Referer: http://www.cni67.com/v5/live/ias5/1942.php?VURL=8246640&PriceC=29&PriceT=DYNAMIC&bu=1330482970&CC=http%3A%2F%2Fad%2Eyieldmanager%2Ecom%2Fclk%3F3%2CeAGdTdtugkAQ%2ERreqNmLCIT0Yey6jSnYNmJTfMNlAQGlwlouXy8V%2EIFOZubMnDM5g6kjkYXsUEhiLwyK5dzB1BCL2EQICx05jkNMik1CsGHpYvNlA2Pwlixf3TqAe%2EDfrTdOf10ATDzkAAmswGT0c9K%2EuVqO44uVrlYT%2Dx9g%2DaV9uK4BmtEj%2ETBJm%2D2mHwPH1n2QCewRr3P9oNuQnfJ8XnhbnL4z0bs%2Dz4Ke53sf0MZft%2EuHJcCzrqdK%2EWgUNMKHjKWMnio1O4RVea7LOJZVPRPlaZDuy3QywGWoUKH2HEmjSE%2E2uT%2EOZZQ3RTK3w6bvugYXGuX19XCMNMoiGYfXQt0A3%2Eh0nw%3D%3D%2C
Cookie: pv1="[REMOVED]"

HTTP/1.1 302 Found
Date: Wed, 29 Feb 2012 02:38:03 GMT
Server: YTS/1.19.8
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Set-Cookie: BX=257b3jp7hhglq&b=3&s=91&t=19; path=/; expires=Tue, 19-Jan-2038 03:14:07 GMT
Location: http://www.cni67.com/v5/live/ias5/e.php?id=22269x1942x101&cb=740592
Cache-Control: no-store
Last-Modified: Wed, 29 Feb 2012 02:38:03 GMT
Pragma: no-cache
Age: 0
Connection: keep-alive
Content-Length: 0

------------------------------------------------------------------
GET /v5/live/ias5/e.php?id=22269x1942x101&cb=740592 HTTP/1.1
Host: www.cni67.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:10.0) Gecko/20120131 Firefox/10.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-gb,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Referer: http://www.cni67.com/v5/live/ias5/1942.php?VURL=8246640&PriceC=29&PriceT=DYNAMIC&bu=1330482970&CC=http%3A%2F%2Fad%2Eyieldmanager%2Ecom%2Fclk%3F3%2CeAGdTdtugkAQ%2ERreqNmLCIT0Yey6jSnYNmJTfMNlAQGlwlouXy8V%2EIFOZubMnDM5g6kjkYXsUEhiLwyK5dzB1BCL2EQICx05jkNMik1CsGHpYvNlA2Pwlixf3TqAe%2EDfrTdOf10ATDzkAAmswGT0c9K%2EuVqO44uVrlYT%2Dx9g%2DaV9uK4BmtEj%2ETBJm%2D2mHwPH1n2QCewRr3P9oNuQnfJ8XnhbnL4z0bs%2Dz4Ke53sf0MZft%2EuHJcCzrqdK%2EWgUNMKHjKWMnio1O4RVea7LOJZVPRPlaZDuy3QywGWoUKH2HEmjSE%2E2uT%2EOZZQ3RTK3w6bvugYXGuX19XCMNMoiGYfXQt0A3%2Eh0nw%3D%3D%2C
Cookie: InCauda=[REMOVED]1330481825372245; haproxy-production=ad-srv5; lcc=22269x1942x101; IID=22269x1942x101_1330482052-3628391-[REMOVED]; CPSs=1330482052D3251%2B

HTTP/1.1 302 Found
Date: Wed, 29 Feb 2012 02:38:03 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.3.3
Set-Cookie: IID=22269x1942x101_1330483083-740592-[REMOVED]; expires=Fri, 30-Mar-2012 02:38:03 GMT; path=/
Set-Cookie: CPSs=1330483083D3251%2B; expires=Wed, 15-Aug-2012 02:38:03 GMT; path=/
Expires: 0
Pragma: no-cache
Cache-Control: no-cache,no-store,max-age=0,s-maxage=0,must-revalidate
Location: http://www.performersoft.com/pcperformer/pprmx-uk.php?dp=22269x1942x101&nbc=1a4fa5-bd2beba2-6e234f8b
Content-Length: 0
Content-Type: text/html; charset=UTF-8

------------------------------------------------------------------
GET /pcperformer/pprmx-uk.php?dp=22269x1942x101&nbc=1a4fa5-bd2beba2-6e234f8b HTTP/1.1
Host: www.performersoft.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:10.0) Gecko/20120131 Firefox/10.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-gb,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Referer: http://www.cni67.com/v5/live/ias5/1942.php?VURL=8246640&PriceC=29&PriceT=DYNAMIC&bu=1330482970&CC=http%3A%2F%2Fad%2Eyieldmanager%2Ecom%2Fclk%3F3%2CeAGdTdtugkAQ%2ERreqNmLCIT0Yey6jSnYNmJTfMNlAQGlwlouXy8V%2EIFOZubMnDM5g6kjkYXsUEhiLwyK5dzB1BCL2EQICx05jkNMik1CsGHpYvNlA2Pwlixf3TqAe%2EDfrTdOf10ATDzkAAmswGT0c9K%2EuVqO44uVrlYT%2Dx9g%2DaV9uK4BmtEj%2ETBJm%2D2mHwPH1n2QCewRr3P9oNuQnfJ8XnhbnL4z0bs%2Dz4Ke53sf0MZft%2EuHJcCzrqdK%2EWgUNMKHjKWMnio1O4RVea7LOJZVPRPlaZDuy3QywGWoUKH2HEmjSE%2E2uT%2EOZZQ3RTK3w6bvugYXGuX19XCMNMoiGYfXQt0A3%2Eh0nw%3D%3D%2C
Cookie: VSPUser=1

HTTP/1.1 200 OK
Server: nginx/0.8.54
Date: Wed, 29 Feb 2012 02:38:03 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Keep-Alive: timeout=5
X-Powered-By: PHP/5.2.8
Content-Encoding: gzip

------------------------------------------------------------------
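As an added example (not part of the original post), here is a small Python script that reconstructs the redirect chain from a trace like the one above and flags any hop on an hpHosts-style blocklist; the trace and blocklist embedded in it are constructed, shortened versions of the page's own.

```python
# Added example (not from the hpHosts post): rebuild a redirect chain from a trace.
import re
from urllib.parse import urlsplit
# Constructed, shortened trace mirroring the post's three hops
# (ad.yieldmanager.com -> www.cni67.com -> www.performersoft.com).
SAMPLE_TRACE = """GET /clk?3,opaque-token HTTP/1.1
Host: ad.yieldmanager.com
HTTP/1.1 302 Found
Location: http://www.cni67.com/v5/live/ias5/e.php?id=22269x1942x101
------------------------------------------------------------------
GET /v5/live/ias5/e.php?id=22269x1942x101 HTTP/1.1
Host: www.cni67.com
HTTP/1.1 302 Found
Location: http://www.performersoft.com/pcperformer/pprmx-uk.php?dp=22269x1942x101
------------------------------------------------------------------
GET /pcperformer/pprmx-uk.php?dp=22269x1942x101 HTTP/1.1
Host: www.performersoft.com
HTTP/1.1 200 OK
"""
# Constructed hpHosts-style blocklist (hosts-file entries are exact hostnames).
BLOCKLIST = {"ad.yieldmanager.com", "www.cni67.com", "www.performersoft.com"}

def parse_hops(trace):
    """One (host, status, location) tuple per dashed-line-separated transaction."""
    hops = []
    for block in re.split(r"^-{10,}\s*$", trace, flags=re.M):
        host = re.search(r"^Host:\s*(\S+)", block, re.M)
        status = re.search(r"^HTTP/\d\.\d\s+(\d{3})", block, re.M)
        loc = re.search(r"^Location:\s*(\S+)", block, re.M)
        if host and status:
            hops.append((host.group(1).lower(), int(status.group(1)),
                         loc.group(1) if loc else None))
    return hops

def redirect_chain(trace):
    """Hosts visited in order; the last entry is the page the user finally lands on."""
    return [host for host, _, _ in parse_hops(trace)]

def chain_is_consistent(trace):
    """True if every 3xx Location points at the host the following request went to."""
    hops = parse_hops(trace)
    for (_, status, loc), (next_host, _, _) in zip(hops, hops[1:]):
        if 300 <= status < 400 and (not loc or urlsplit(loc).hostname != next_host):
            return False
    return True

def flagged_hops(trace, blocklist=BLOCKLIST):
    """Hops in the chain that an hpHosts-style hosts file would have blocked."""
    return [host for host in redirect_chain(trace) if host in blocklist]
```

Blocking the first hop in the chain (the ad server) is enough to stop the user ever reaching the landing page, which is the point of listing yieldmanager.com in hpHosts.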


With the advert itself being served from;

Host: www.cni67.com
IP: 184.173.254.61
IP PTR: 184.173.254.61-static.reverse.softlayer.com
ASN: 36351 184.173.192.0/18 SOFTLAYER - SoftLayer Technologies Inc.

There doesn't appear to be anything other than this rubbish on the IP, and they clearly don't want it easily found - the homepage returns nothing but an HTTP 403.


Registrant:
Multi-Player Laboratory
Katzenelson 3 Givataim Israel
Givataim ,
IL

Domain name: CNI67.COM

Administrative Contact:
User, Master sharon.hefet@incauda.com
Katzenelson 3 Givataim Israel
Givataim ,
IL
972-54-239027
Technical Contact:
User, Master sharon.hefet@incauda.com
Katzenelson 3 Givataim Israel
Givataim ,
IL
972-54-239027

Registrar of Record: The Planet Internet Services, Inc.
Record last updated on 12-May-2011.
Record expires on 12-May-2012.
Record created on 12-May-2011.

Domain servers in listed order:
NS2.SOFTLAYER.COM 66.228.119.9
NS1.SOFTLAYER.COM 66.228.118.8

Domain status: clientTransferProhibited
clientUpdateProhibited


Registrant:
Avi Cahlon
Arlozorov 21
Ramat Gan, 12345
Israel

Registered through: Go Daddy
Domain Name: INCAUDA.COM
Created on: 09-Dec-06
Expires on: 09-Dec-16
Last Updated on: 03-Apr-11

Administrative Contact:
Cahlon, Avi avicahlon12@yahoo.com
Koresh 11
Tel Aviv, 12345
Israel
+97235608391

Technical Contact:
Cahlon, Avi avicahlon12@yahoo.com
Koresh 11
Tel Aviv, 12345
Israel
+97235608391

Domain servers in listed order:
NS783.WEBSITEWELCOME.COM
NS784.WEBSITEWELCOME.COM


First and foremost, let's make this clear - DO NOT CLICK ON THESE ADVERTS - THERE IS NOTHING WRONG WITH YOUR COMPUTER. If you're actually having problems with your computer, there are plenty of forums that will assist you for free;

Alliance of Security Analysis Professionals
http://asap.maddoktor2.com/

As for performersoft.com, all you've done is get yourselves blacklisted - again.

And as for yieldmanager.com, given they've apparently got something of an obsession with not properly checking who they're serving adverts for, or indeed what adverts they're serving, you can quite safely blacklist them if you've not already (those using hpHosts will notice they're already blocked).
