Problem... the design of these sites was stolen and served as winlock drop zone.
cf jsunpack: http://jsunpack.jeek.org/dec/getfile?hash=4ca9/03a571c56f1207e9398a0db5eb3a453b77d5
Even in one of my old 2011 post, here is a screenshots of a domain with the template of SexDerevo.
Malware domains are sometime recycled in porn and months later, exploits and fake scanners are back.
recycling domains is not a new method, example here:
Edit 12 June 2012:After a discution with the owner of PaySitesClub on ICQ, it's appear that they are not involved into these waves of malwares.
PaySiteClub is a legit service, my appologies.
Lord-Freeman showed me some proof that they was not involved but i was a little septic, after some searchs and checks i must admit that i've do a terrible mistake on this affiliate.
Malicious domains used the templates of the PaySitesClub affiliate that a fact.
Criminal used site like katalog-xxx.com and pornox-xxx.com to do malvertising and also one TDS (as far as i remember)
But after a period, the same malicious banners leaded to clean urls of this affiliate (7xtube, SexDerevo)
Now the question is why they used templates of PaySitesClub and why the malicious banners redirected later on original site of the affiliate...
Edit 16 June 2012:
Everything is now more clear, removed screeenshots and links related to the affiliate.