Intro
This is a list of some of the sites that claim to offer malware scanners, registry fixers, or antivirus software but in fact install malware on your system, or that advertise their services through popup messages and ask for money to stop them from popping up. (Sounds like a protection scheme used by the mafia.)
How to avoid
Make sure to read Disabling Messenger Service in Windows XP from the Microsoft website if you run XP and get popup messages. (If you get them while running a firewall you did NOT configure your firewall correctly!)
Do not install any software from these sites! If you installed software from these sites then make sure you get a respectable tool kit and start cleaning your system as soon as possible.
Make sure you install some sort of firewall and stop anything but the real network traffic you need. Anyone installing a network firewall should make it very restrictive, including a restrictive policy on outbound traffic! (Just because it comes from your network does not make it safe.)
Do not buy or install software you cannot find in comparative charts on test/magazine sites. If in doubt: Go out and verify the makers are respectable first. (Do not follow their links but use a common search engine instead to find online reviews.) But never buy or try software unless you can be 200% sure of the source.
Samples
I studied one of these sites and disarmed it. It will perform a complete show pushing their product based on a scare tactic. Are you willing to trust online scanners after this?
- Fake online spyware scanner: Just a nice show with annoying popups.
- Fake result: This image is shown as a popup of the results of the scan.
- Fake shopping cart: Here is a shopping cart if you continue on the site. But wait. It is not a form of any sort. Just an image to make it look trustworthy.
The list of malware related domains
WARNING: This list is neither authoritative nor complete! Use with common sense.
- 32sys.com ==> revenuedirect.com (formerly: redirects to buylicensekey.com)
- alertmonitor.org ==> MALWARE software with totally fake scanner online.
- buylicensekey.com == Obscure site only used to push malware (It runs some sort of affiliation program hidden on the server)
- cardquery.com == Listed broker for scanandrepair.com (They may very well be legitimate!)
- clean32.com ==> MALWARE software (formerly: redirects to buylicensekey.com)
- cleanregpro.com ==> redirects to registrycleaner.basicurl.com (formerly: redirects to registryrinse.com)
- cleanthepc.com == portal site pushed in popup message
- cleanthepc.net ==> redirects to thespywaredetective.com
- cleanthispc.com ==> redirects to regfresh.com
- clearthispc.com == portal site pushed in popup messages (Site is now taken down)
- correctreg.com ==> redirected to registrydoc.com (Site is now taken down)
- criticalregistryfix.com ==> redirects to registrydoc.com
- data32.com ==> redirects to buylicensekey.com
- dlpatch.com ==> points to msoftware.info
- doctorcleaner.com == MALWARE software
- drivecleaner.com == MALWARE software
- dvdaccess.net == MALWARE codec
- dvdsmovies.net == MALWARE codec
- edit32.com ==> redirects via clickbank.net to doctorcleaner.com
- evidenceeraser.com == MALWARE software
- findadultsex.com ==> redirects to dvdaccess.net
- fix64.com ==> redirects to buylicensekey.com
- fixingreg.com ==> redirects to registryupdate.com
- fixms.net ==> redirects to registryupdate.com
- fixpcreg.com ==> redirects to registrydoc.com
- fixpcregistry.com ==> redirects to registrydoc.com
- fixreg32.com ==> redirects to registryupdate.com
- fixreg32.net ==> redirects to registryupdate.com
- fixregnow.net ==> redirected to registryupdate.com (Domain is now for sale)
- fixregs.com ==> redirects to registrydoc.com (previously: registryrinse.com)
- fixthereg.net ==> redirected to registryupdate.com (Domain is now for sale)
- fixwin32.com ==> redirects to buylicensekey.com (previously: doctorcleaner.com)
- freshreg.com == MALWARE software
- funpornsite.com ==> redirects to dvdaccess.net (previously: playercodec.net)
- guardregistry.com ==> redirects to registrydoc.com
- helpfixpc.com ==> redirects to registryupdate.com
- intcodec.com == portal site, was: MALWARE codec
- key32.com ==> redirects to buylicensekey.com
- liveregupdate.com ==> redirects to registrydoc.com
- microregistrycleaner.com ==> redirects via branchsoftware.com to registrycleanerxp.com
- movscodec.com == portal site, was: MALWARE codec
- msdow.com ==> redirects to buylicensekey.com
- msoftware.info == Extortion software. Anyone can fix their machine by following the Microsoft advisory.
- msreg.com ==> redirects to registryupdate.com
- msregistryupdate.com ==> redirects via branchsoftware.com to registrycleanerxp.com
- msrepair.net ==> redirects to registrytuner.net
- mswinload.com == Website removed
- myregfixer.com ==> domain for sale, redirected to registryupdate.com
- patchreg.com ==> redirects to registrydoc.com
- pcodec.com == no website, was: MALWARE codec
- pcregistryfix.com == domain registration expired!
- playercodec.com == portal site, was: MALWARE codec
- playercodec.net == MALWARE codec
- pornissex.com ==> redirects to dvdaccess.net
- powerof3x.com ==> redirects to wmvassistant.com
- protectionupdate.com ==> redirects to evidenceeraser.com
- refhesxp.com ==> redirects to freshreg.com
- reg2k.com ==> empty site, redirected to doctorcleaner.com
- reg64.com ==> redirects to buylicensekey.com
- regdoc32.com == taken down
- regdocpro.com ==> redirects to registrysweeper.net
- regdoctor32.com ==> redirects to registryrinse.com
- regdoctorpro.com ==> redirects to registrydoc.com
- regfix.info ==> redirects to registrycare.com
- regfix2k.com ==> redirects to doctorcleaner.com
- regfixed.net ==> redirects to registryupdate.com
- regfixit.com ==> redirects to registryupdate.com
- registryalert.com ==> redirects to registryupdate.com
- registryalert.net ==> redirects to registryupdate.com
- registrycare.com == MALWARE software
- registrycleanerxp.com == MALWARE software (Claiming a response on 2005-09-03 while the domain was only given out on 2005-09-12!)
- registrydoc.com == MALWARE software
- registryhelpdesk.com == no website, just a domain used by registryupdate.com
- registryrepairxp.com ==> redirects to registrycleanerxp.com
- registryrinse.com == MALWARE software
- registrysweeper.net ==> download from filekicker.net
- registrytuner.net == MALWARE software
- registryupdate.com == MALWARE software
- regpro32.com ==> redirects to registryrinse.com
- regproscan.com ==> redirects to registryupdate.com
- regproscan.net ==> redirects to registryupdate.com
- regrinsepro.com ==> redirects to registryrinse.com
- regscan32.com ==> redirects to doctorcleaner.com
- regscanpro.com ==> redirects to registrydoc.com
- regscans.com ==> redirects to registryrinse.com
- regsys32.com ==> redirects to buylicensekey.com
- regsupdate.com ==> redirects to registrydoc.com
- regupdate.net ==> redirects to registryupdate.com
- regupdating.com ==> redirects to registryupdate.com
- regwinclean.com ==> redirects to registryrinse.com (used to be: registrydoc.com)
- regwinpro.com ==> redirects to registryrinse.com
- regxp.net ==> redirects to registryupdate.com
- repairmyxp.com ==> redirects to evidenceeraser.com
- saferegclean.com ==> redirects to registryrinse.com
- scan32.com ==> redirects to doctorcleaner.com
- scanandrepair.com == MALWARE software
- scanpcnow.com ==> redirects to registryrinse.com
- scanregnow.net ==> redirects to registrydoc.com
- set32.com ==> redirects to buylicensekey.com
- stopsign2.com ==> redirects to registrydoc.com
- sys32.com ==> Suspicious portal site! (Did you notice the pop-under screen?)
- sys32win.com ==> redirects via clickbank.net to doctorcleaner.com
- sysdow.com ==> redirects to buylicensekey.com
- systemscan.org ==> redirects to scanandrepair.com
- teenporntop.com ==> redirects to dvdaccess.net
- the32fix.com ==> redirects to doctorcleaner.com
- thespywaredetective.com == MALWARE software
- tocleanpc.com ==> redirects to tofixreg.com
- tofixreg.com == MALWARE software
- updateregistry.com ==> redirects to registrydoc.com
- updatethereg.com ==> redirects to registryupdate.com
- updatewinreg.com ==> redirects to registrydoc.com
- vcodecdownload.com == domain does not exist
- vcodecget.com == apache server on windows
- vcodec.com == removed
- vids-access.com == MALWARE codec
- videosaccess.net == MALWARE codec
- videosgalleries.com ==> redirects to pcodec.com
- virus-scanonline.net == Advertisement through SPAM
- viruscleanser.com ==> parked domain (formerly: redirects via clickbank.net to noadware.net)
- wfix32.com ==> redirects to doctorcleaner.com
- winantivirus.com == MALWARE software
- win32fix.com ==> redirects to buylicensekey.com (previously: doctorcleaner.com)
- win32win.com ==> redirects to doctorcleaner.com
- wincleaner32.com ==> redirects to doctorcleaner.com
- windowspopupcleaner.com ==> redirects via branchsoftware.com to registrycleanerxp.com
- windowspopuprepair.com ==> redirects to registrycleanerxp.com
- windowsregistrypatch.com ==> redirects via branchsoftware.com to registrycleanerxp.com
- winmediacodec.com == MALWARE codec
- winregistrycleaner.com ==> redirects to registrycleanerxp.com
- winregsite.com ==> redirects to freshreg.com
- winscan32.com ==> redirects to doctorcleaner.com
- wmvassistant.com == MALWARE codec
- wreg32.com ==> redirects to doctorcleaner.com
- xpreg32.com ==> redirects to buylicensekey.com
- xpsysfix.com ==> redirects to doctorcleaner.com
- xxxadultgold.com ==> redirects to playercodec.net
The list of suspicious domains
The list below contains entries that have not been investigated properly. We advise some caution here.
- amaena.com == empty now
- errordoctor.com ? It looks legit but needs further investigation
- filekicker.net ? It looks legit but needs further investigation
- fixregnow.com ? It looks like a portal but needs further investigation
- patchupdate.info ==> redirects to techsoftware.org
- pccleaner32.com == domain not found
- regfresh.com ? suspect under investigation
- registryalert.com ? It looks legit but needs further investigation
- techsoftware.org ? It looks legit but selling software to install Microsoft patches is questionable at best.
The list of cleared domains
The list below contains investigated entries that seem to be genuine. They may have been reported initially as malware suspects but all research seems to indicate these are in effect genuine software.
- noadware.net == After some serious fact finding there seems to be no evidence this party is spreading malware. Some troublesome partners have spoilt their name in the past and it remains hard to get rid of a bad reputation.
- pctools.com == They seem to use the Kaspersky AV engine from what I can test. I find it unlikely at this moment they are involved in malware spreading.
- vicodec.com == Seems to be pointing to a regular CODEC site.
This list is gathered from reports by visitors and some honeypots I have out there. It does not involve any rocket science. Just a netcat (nc) listening on UDP/1026 writing to a daily file will catch plenty of these fake sites.
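The UDP/1026 listener described above, as an added example in Python (not the author's own setup): it appends one line per datagram to a daily file and pulls out candidate site names for review. The file naming, the regular expression and the sample datagrams are assumptions constructed for illustration.

```python
import re
import socket
from datetime import datetime, timezone
from pathlib import Path

# Assumption: the advertised site name appears as plain ASCII in the payload.
# Matches are only candidates for manual review (a string like "setup.exe" also fits).
DOMAIN_RE = re.compile(
    rb"\b((?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z]{2,})\b", re.IGNORECASE)

# Constructed sample datagrams (not real captures); addresses are documentation ranges.
SAMPLES = [
    ("192.0.2.10", b"\x04\x00\x28\x00SYSTEM ALERT\x00Registry errors found. "
                   b"Visit www.fake-regfix.example now!\x00"),
    ("198.51.100.7", b"\x04\x00\x28\x00STOP!\x00Download the fix at "
                     b"http://FAKE-REGFIX.example/scan or fake-scan.example\x00"),
]

def extract_domains(payload: bytes) -> list[str]:
    """Return unique lower-cased host names in a datagram, without a leading www."""
    found = []
    for match in DOMAIN_RE.finditer(payload):
        name = match.group(1).decode("ascii").lower().removeprefix("www.")
        if name not in found:
            found.append(name)
    return found

def daily_path(log_dir: Path, when: datetime) -> Path:
    """One log file per UTC day, matching the daily file the text mentions."""
    return log_dir / f"udp1026-{when:%Y-%m-%d}.log"

def log_datagram(log_dir: Path, when: datetime, src: str, payload: bytes) -> list[str]:
    """Append one line per datagram; src is logged but is trivially spoofable."""
    domains = extract_domains(payload)
    with daily_path(log_dir, when).open("a", encoding="ascii") as fh:
        fh.write(f"{when.isoformat()} src={src} len={len(payload)} "
                 f"domains={','.join(domains) or '-'}\n")
    return domains

def serve(log_dir: Path, port: int = 1026) -> None:
    """Listen on the UDP port (as nc would) and log every datagram received."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind(("0.0.0.0", port))
        while True:
            payload, (src, _sport) = sock.recvfrom(65535)
            log_datagram(log_dir, datetime.now(timezone.utc), src, payload)

if __name__ == "__main__":
    serve(Path("."))
```

Run it on a host that has nothing else bound to UDP/1026, and review the extracted names by hand before adding any of them to a blocklist.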
If you notice an unlisted site with malware claiming to be a scanner or cleaner feel free to drop me a note.
All sites will be fed to the URL blocking list of 
(And all sites are in my googleads blacklist.)
DNS blacklisting is done by feeding the domain names into the URI Blacklist.
If we take into account that these messages can be spoofed very easily, we cannot trust the source address too much. But present sources seem to indicate that most sources converge to a single network operator: CNCGroup [AS4837]
The following networks are implied:
- 60.11.0.0/16 [AS4837] (CNC Group CHINA169 Heilongjiang Province Network)
- 61.138.128.0/18 [AS4837] (CNC Group CHINA169 Jilin Province Network)
- 202.97.192.0/18 [AS4837] (CNC Group CHINA169 Heilongjiang Province Network)
- 218.10.0.0/16 [AS4837] (CNC Group CHINA169 Heilongjiang Province Network)
- 221.6.0.0/16 [AS4837] (CNC Group CHINA169 Jiangsu Province Network)
- 221.208.0.0/14 [AS4837] (CNC Group CHINA169 Heilongjiang Province Network)
Another source which has been on and off for the past months is FAST COLOCATION SERVICES (204.16.208.0/22). You may also have seen them in the top 10 networks on SANS.