DNForum - Domain Sales, Domain Forum, Domain Appraisals, Domain Registrars
Closed Thread
Old 03-11-2008, 01:54 PM   #641 (permalink)
Never Sleep™
 
pcproffenno's Avatar
 
Name: Stian
Last Online: Today 02:02 PM
iTrader: (131)
Join Date: Jan 2007
Posts: 5,809
DNF$: 3,807
Location: EHOT.net
Country:



Quote:
Originally Posted by liberator
Adaware, and other spyware detectors, will not remove keyloggers unless they are very obvious.

I can guarantee you that both Ad-Aware and SpyBot are updated daily with information on all thinkable versions of different keyloggers and how to detect them. If your (updated) AdAware/SpyBot application can't detect the keylogger, neither can Symantec products or any other antivirus application. Removing virii/spyware/malware/trojans is part of what I do for a living.
__________________
EHOT.net | Twitter | Skype ID: ehot.net

IDNO.com - 11+ mill. Google results - Auction here!
pcproffenno is online now  
Old 03-11-2008, 01:56 PM   #642 (permalink)
Wordpress Guru
 
tonyfloyd's Avatar
 
Name: Tony
Last Online: Today 07:41 AM
iTrader: (58)
Join Date: Apr 2007
Posts: 3,499
DNF$: 10,787
Location: New York
Country:


so....Stian...we are ok if we run Ad-Aware from time to time?
__________________

Web Design | Italian Recipes | Keyword Links
tonyfloyd is offline  
Old 03-11-2008, 02:00 PM   #643 (permalink)
pcproffenno
Quote:
Originally Posted by tonyfloyd
so....Stian...we are ok if we run Ad-Aware from time to time?

First run AdAware in safe mode without networking (Full System Scan, not "Smart Scan"), remove any malware if detected. Restart in safe mode, run SpyBot and let it scan through. Remove any malware detected, if any.

This should keep this shit off your computers. Of course there is no guarantee, but if you at the same time have a good firewall and live antivirus-service running, then you should be pretty safe.
pcproffenno is online now  
Old 03-11-2008, 02:01 PM   #644 (permalink)
DNF Addict
No Avatar
 
Last Online: 11-05-2009 11:40 AM
iTrader: (34)
Join Date: Jun 2004
Posts: 1,636
DNF$: 5,995
Location: Jaipur
Country:


@kamloops - I removed your live link. However, what language is the above content in?
FuseFX is offline  
Old 03-11-2008, 02:03 PM   #645 (permalink)
JMJ
DNF Addict
No Avatar
 
Name: John J.
Last Online: Today 05:59 AM
iTrader: (74)
Join Date: Feb 2003
Posts: 3,314
DNF$: 4,372
Location: Neither here nor there
Country:


Luckily I have been out of the game while a lot of this was going on and it appears that it has been going on since '06. I'm sure that all of you have realized that this guy isn't 16 years old. If he was that would have made him 14 when he started. Anyway just a tad bit of input. I think there is an issue with this using someone else's whois info. In the past couple of months I've received transfer requests myself on names I've never owned. And I might add they were pretty decent names. I've likely dumped the emails by now but going to look back through them and do a little digging if I can.

Also as far as package drop-off. It is very common in these types of scams to have packages dropped off at locations that aren't associated with the scammer. It's assumed this is an apartment complex. Well if you think about it many apartment complexes have empty apartments. The delivery guy isn't likely to know this so he/she just drops the package off. Scammer knows the delivery time so he/she just sits and waits. This sort of thing also happens at empty houses.

And like others have stated we need to consider what we are doing when making transactions. There have been several people that have stated they "thought" it seemed fishy but went ahead anyway. Maybe it's just because I'm not big on fish but when something smells fishy to me I don't eat it. There should be no reason why someone can't divulge their information.

And last but not least and I hate to be the one to say this. But how long have the appraisal scams been going on? As long as I can remember. The "feds" have done nothing as far as I can tell about that. Or maybe appraisal scams and domain scam are one and the same? Either way this person is very domain savvy and it wouldn't surprise me in the least if it turns out to be someone among us and like someone else said maybe even here at this very moment under another name. From my experience with a crooked individual in the past. He portrayed himself as an upstanding citizen but he did what he had to do to support his lavish and drug addicted lifestyle and that generally involved screwing people over. Funny thing about this fact is he was involved with one of these names.
__________________
"No tyranny is so irksome as petty tyranny: the officious demands of policemen, government clerks, and electromechanical gadgets." - Edward Abbey
JMJ is offline  
Old 03-11-2008, 02:26 PM   #646 (permalink)
Platinum Lifetime Member
No Avatar
 
Last Online: 11-06-2009 12:30 PM
iTrader: (6)
Join Date: Mar 2006
Posts: 495
DNF$: 1,261
Location: Kamloops


I don't know what language it is, wish I did, one of the files is in English.

And there is some very private info in there logged, IDs and passwords for web based email accounts on Yahoo and AOL.

I tried one and it worked. Plus there was enough info to steal domains.
It's easy to see how these guys are stealing them now!

Not sure what I should do with this info, wish I could figure out how I got into the root to get those files as there was so much more there as well. Maybe enough to nail these guys!

I think it is Turkish, using the whois info for the site I found this about the guy

xremotex@hotmail.com

Age: 22
Gender: Male
Location: istanbul, Turkey

Last edited by Kamloops; 03-11-2008 at 02:31 PM.. Reason: Automerged Doublepost
Kamloops is offline  
Old 03-11-2008, 02:32 PM   #647 (permalink)
 
TheLegendaryJP's Avatar
 
Last Online: Today 01:40 PM
iTrader: (35)
Join Date: Jul 2005
Posts: 3,113
DNF$: 7,120
Country:




From what I have been told there are sites that have a main goal of hacking and selling yahoo/hotmail etc accounts. Almost a game to them but when they couple it with domaining we see the results. Can they target an email? They must, and so where there is a will there is a way. Someone told me they find old files on an old email and use that info? I am not the best tech guy so it is all mumbo jumbo to me.
TheLegendaryJP is online now  
Old 03-11-2008, 02:36 PM   #648 (permalink)
Platinum Lifetime Member
 
theinvestor's Avatar
 
Last Online: Today 12:20 PM
iTrader: (34)
Join Date: Nov 2007
Posts: 3,273
DNF$: 0
Location: Toronto, Canada
Country:


Quote:
Originally Posted by TheLegendaryJP
From what I have been told there are sites that have a main goal of hacking and selling yahoo/hotmail etc accounts. Almost a game to them but when they couple it with domaining we see the results. Can they target an email? They must, and so where there is a will there is a way. Someone told me they find old files on an old email and use that info? I am not the best tech guy so it is all mumbo jumbo to me.

The most common way I know of, JP, is usually by phishing. They send you an email and try to get you to login with your username and password. If you do so it is forwarded to their address. If you fall for it, there goes your email account.
theinvestor is offline  
Old 03-11-2008, 02:42 PM   #649 (permalink)
pcproffenno
Quote:
Originally Posted by Kamloops
I don't know what language it is, wish I did, one of the files is in English.

And there is some very private info in there logged, IDs and passwords for web based email accounts on Yahoo and AOL.

I tried one and it worked. Plus there was enough info to steal domains.
It's easy to see how these guys are stealing them now!

Not sure what I should do with this info, wish I could figure out how I got into the root to get those files as there was so much more there as well. Maybe enough to nail these guys!

I think it is Turkish, using the whois info for the site I found this about the guy

xremotex@hotmail.com

Age: 22
Gender: Male
Location: istanbul, Turkey

Dude, be careful. What you are reading is keylogs from other victims' computers.
pcproffenno is online now  
Old 03-11-2008, 02:45 PM   #650 (permalink)
Platinum Lifetime Member
 
liberator's Avatar
 
Name: Jason
Last Online: Yesterday 08:37 PM
iTrader: (12)
Join Date: Jan 2007
Posts: 529
DNF$: 257
Location: Canada
Country:


I was unaware of that, pcproffenno, thanks for the info.

Anyone who visited the link: I'm in the middle of decrypting the JavaScript (visited with a secure browser, no JS, no Flash, no ActionScript). Search for a file named jpeg.exe. Not sure if there are valid exes with this name, that's just what he's named one file, that is one mentioned earlier. I'll update you as I get more decrypted.

Cheers,

Jay
__________________
Gorillas.ca - Lions.ca - Swans.ca

PM me for .CA Drop Catching Services (Include Price & Names)
liberator is offline  
Old 03-11-2008, 02:46 PM   #651 (permalink)
Kamloops
Quote:
Originally Posted by pcproffenno
Dude, be careful. What you are reading is keylogs from other victims' computers.

I just want to do the right thing. If it can help nail these guys or save someone else from being a victim I will do what I can.

I am not the type to just sit back and do nothing.

Quote:
Originally Posted by liberator
I was unaware of that, pcproffenno, thanks for the info.

Anyone who visited the link: I'm in the middle of decrypting the JavaScript (visited with a secure browser, no JS, no Flash, no ActionScript). Search for a file named jpeg.exe. Not sure if there are valid exes with this name, that's just what he's named one file, that is one mentioned earlier. I'll update you as I get more decrypted.

Cheers,

Jay

Hey, when I was in the root I saw that file jpeg.exe and others. Kool, I hope you find out more, I really want to know what it did or tried to do.

Last edited by Kamloops; 03-11-2008 at 02:48 PM.. Reason: Automerged Doublepost
Kamloops is offline  
Old 03-11-2008, 02:57 PM   #652 (permalink)
liberator
Looks like it uses ActiveX to download jpeg.exe to your computer. It uses GetSpecialFolder(2) which points to a temporary internet folder. Then uses ShellExecute to execute the file!

If you viewed the page with JavaScript, most likely need ActiveX on as well, search for jpeg.exe located in a temp internet folder. I don't know what happens after it is executed as I'm not downloading the file.

Hope that helps

Jay
liberator is offline  
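
The check suggested in the post above (search the temp and temporary-internet folders for jpeg.exe), as an added example that is not part of the original thread. It goes slightly beyond the name search: it also flags files with an image extension that begin with the "MZ" executable header, and it only reads and hashes files, never runs them. The folder locations, the extension list and the function names are assumptions; only the file name jpeg.exe comes from the thread.

```python
import hashlib
import os

SUSPECT_NAME = "jpeg.exe"  # file name reported in the thread
IMAGE_EXTS = (".jpg", ".jpeg", ".gif", ".png", ".bmp")  # assumed list

def default_temp_roots():
    """Likely Windows temp / IE cache folders (assumed paths, adjust per host)."""
    env = os.environ
    roots = [env.get("TEMP"), env.get("TMP")]
    if env.get("USERPROFILE"):  # Windows XP layout
        roots.append(os.path.join(env["USERPROFILE"], "Local Settings",
                                  "Temporary Internet Files"))
    if env.get("LOCALAPPDATA"):  # Windows Vista and later
        roots.append(os.path.join(env["LOCALAPPDATA"], "Microsoft", "Windows",
                                  "Temporary Internet Files"))
    return [r for r in roots if r and os.path.isdir(r)]

def is_pe(path):
    """True if the file starts with the 'MZ' header, whatever its name says."""
    try:
        with open(path, "rb") as fh:
            return fh.read(2) == b"MZ"
    except OSError:
        return False

def sha256_of(path):
    """Hash the file in chunks so it can be looked up without executing it."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def triage(roots):
    """Return sorted (path, reason, sha256) tuples for suspect files."""
    findings = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                path = os.path.join(dirpath, name)
                lower = name.lower()
                if lower == SUSPECT_NAME:
                    reason = "name-match"
                elif lower.endswith(IMAGE_EXTS) and is_pe(path):
                    reason = "pe-with-image-extension"
                else:
                    continue
                try:
                    digest = sha256_of(path)
                except OSError:
                    digest = None  # locked or unreadable; still report the path
                findings.append((path, reason, digest))
    return sorted(findings)

if __name__ == "__main__":
    for path, reason, digest in triage(default_temp_roots()):
        print(reason, digest, path)
```

A hit is a lead for further scanning, not proof of infection, and an empty result does not rule one out if the file was renamed or removed.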
Old 03-11-2008, 03:13 PM   #653 (permalink)
CrossLogix.com
 
copper's Avatar
 
Last Online: Today 11:11 AM
iTrader: (65)
Join Date: Mar 2006
Posts: 2,238
DNF$: 2,167
Location: Matthews, NC. U


Damn, that's exact same pm I got.
Guess I wasn't the only one.

Quote:
Originally Posted by Kamloops
Not sure where to post this -

I received a PM over at the other Forum and it wants you to go to a site, DO NOT GO THERE

Do not go to hxxp://www.istnight.com.

I believe it will install a keylogger on your machine! I somehow got into the root of the site and was able to look at all the files, I downloaded a couple of TXT files named MK-keylog.txt and REG-160-keylog.txt. The contents of those files are information logged which looks like conversations with Tech Support at Register.com.
They may have installed a keylogger there?

This is really bad, I am not sure if I have it installed on my machine but as soon as I went to that site I knew something was not right as it just says wait 10 seconds, I stopped it right away and then somehow got into the root, so I snooped around there.

This must be how the domains are being stolen! If anyone wants the TXT files let me know.

And if you have an idea on how I can check to see if I have a keylogger installed please PM me.

I see the member is Banned now.

This is the PM from a Member -

Atech
Banned
Trader Rating: (0)
Join Date: Mar 2008

domains about
your domains with 450$ for me
okay ?
my list hxxp://www.istnight.com look at , 16k$ ..
__________________

Domain Names For Sale
copper is offline  
Old 03-11-2008, 03:22 PM   #654 (permalink)
Kamloops
Quote:
Originally Posted by copper
Damn, that's exact same pm I got.
Guess I wasn't the only one.

Did you get that PM here? Or over on the other domain forum.

Who was it from? Did you go to the site?
Kamloops is offline  
Old 03-11-2008, 03:22 PM   #655 (permalink)
Platinum Lifetime Member
 
calif.bob's Avatar
 
Name: Bob
Last Online: 08-11-2009 09:28 PM
iTrader: (0)
Join Date: Sep 2007
Posts: 74
DNF$: 0
Location: New Ganada, CA
Country:


Quote:
Originally Posted by tekz999
We are making this part of history!
This has to be one of the biggest flame wars on the dnf!
610 replies and 17,025 views!

This isn't a "flame war" -- this is a community coming together to expose a domain scammer as well as the other conspirators in this fraud.

All the information on this thread has been indexed by Google and will more than likely reside there for generations to come.

It's amazing what the Internet can do. It's even more amazing what a misguided 16-year-old could do with a little help from his friends.
__________________
Calif.Bob @ Gmail.com
www.LockOurRate.com
.net .org also available. PM Serious Offers Only
calif.bob is offline  
Old 03-11-2008, 03:23 PM   #656 (permalink)
Kamloops
I don't think I got infected. I did install this which the reviews seem good
http://www.snoopfree.com/PrivacyShield.htm

Will detect any keyloggers
Kamloops is offline  
Old 03-11-2008, 03:27 PM   #657 (permalink)
copper
Quote:
Originally Posted by Kamloops
Did you get that PM here? Or over on the other domain forum.

Who was it from? Did you go to the site?

On other forum.
Sent from Atech.
I did go to the site.
I got off the site as soon as I saw "loading" or whatever it said.

I am going to have to scan my notebook.
copper is offline  
Old 03-11-2008, 03:30 PM   #658 (permalink)
Kamloops
Quote:
Originally Posted by copper
On other forum.
Sent from Atech.
I did go to the site.
I got off the site as soon as I saw "loading" or whatever it said.

I am going to have to scan my notebook.

Look for that jpeg.exe file
Kamloops is offline  
Old 03-11-2008, 03:39 PM   #659 (permalink)
Platinum Lifetime Member
 
Downloads's Avatar
 
Name: Gareth
Last Online: 09-12-2009 09:37 AM
iTrader: (54)
Join Date: Oct 2007
Posts: 494
DNF$: 710
Location: United Kingdom
Country:


Quote:
Originally Posted by pcproffenno
I can guarantee you that both Ad-Aware and SpyBot are updated daily with information on all thinkable versions of different keyloggers and how to detect them. If your (updated) AdAware/SpyBot application can't detect the keylogger, neither can Symantec products or any other antivirus application. Removing virii/spyware/malware/trojans is part of what I do for a living.

Agree, my only other tip would be that if you suspect a virus and it hasn't been detected, some trojans will attack the anti-virus software and disable it so to speak. Thus when running it, it will appear that your system has no virus.

You can always uninstall your anti-virus software and reinstall it to avoid these issues. Just depends how intelligent the virus is that you have.

Always disconnect from source like someone else said and then start installing and running checks.

I personally like Zone Alarm (seems to use less system resources than Norton), Firewall, Antivirus, Spyware protection, email protection, instant messenger protection. You get what you pay for really.
Downloads is offline  
Old 03-11-2008, 03:43 PM   #660 (permalink)
calif.bob

Quote:
Originally Posted by Kamloops
I don't know what language it is, wish I did, one of the files is in English.

And there is some very private info in there logged, IDs and passwords for web based email accounts on Yahoo and AOL.

I tried one and it worked. Plus there was enough info to steal domains.
It's easy to see how these guys are stealing them now!

Not sure what I should do with this info, wish I could figure out how I got into the root to get those files as there was so much more there as well. Maybe enough to nail these guys!

I think it is Turkish, using the whois info for the site I found this about the guy

xremotex@hotmail.com

Age: 22
Gender: Male
Location: istanbul, Turkey

I ran the email address, xremotex@hotmail.com, through RapLeaf.com and found a photo of the user whose online identity is OGUZHAN at Hi5. He is a 22 year old male, which we knew, with a birthday of March 16th.

Up until this huge thread, I had never heard of Hi5.com; however, several of the known alleged conspirators have accounts there. I will look into this further to see if they are at all linked together.

CB
calif.bob is offline  
All times are GMT -5. The time now is 02:03 PM.
Copyright @2001-2009 DNForum.com