The trick to that program is that it links to a different IP address from where the hacked banner ad resides, so that the signature of the hack is reduced. If they copied the whole program to the hacked banner ad source, it would be easier to detect. (I have been dealing with this for a very long time.) It used to be under xpantivirus.com, but that got changed. I also know that multiple domains reference that same address. I just need one and I can get what I need. I know there are multiple IPs associated with the domain, but I can resolve it and block all those addresses at the router.
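The resolve-and-block step described above, as an added example that is not part of the original post: it resolves each domain, groups the answers so addresses shared by several domains show up once, and prints one drop rule per address. The domain names, the documentation-range addresses and the `iptables` FORWARD-chain rule format are assumptions; substitute your router's own syntax.

```python
import ipaddress
import socket
from collections import defaultdict

# Constructed sample answers (documentation ranges), standing in for live DNS.
SAMPLE_DNS = {
    "ads-one.example": ["192.0.2.10", "192.0.2.11"],
    "ads-two.example": ["192.0.2.10"],
    "sinkholed.example": ["127.0.0.1"],  # e.g. already redirected in a hosts file
}


def resolve_ipv4(domain):
    """Return every IPv4 address the local resolver gives for a domain."""
    try:
        infos = socket.getaddrinfo(domain, None, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return []  # NXDOMAIN or resolver failure: nothing to block
    return [info[4][0] for info in infos]


def map_addresses(domains, resolver=resolve_ipv4):
    """Map each resolved address to the set of domains that point at it."""
    shared = defaultdict(set)
    for domain in domains:
        for addr in resolver(domain):
            ip = ipaddress.ip_address(addr)
            # A sinkholed name answers with loopback or 0.0.0.0; blocking
            # that at the router would only break local traffic.
            if ip.is_loopback or ip.is_unspecified:
                continue
            shared[str(ip)].add(domain)
    return dict(shared)


def block_rules(shared):
    """One drop rule per address, annotated with the domains that use it."""
    rules = []
    for ip in sorted(shared, key=ipaddress.ip_address):
        names = ",".join(sorted(shared[ip]))
        rules.append(f"iptables -A FORWARD -d {ip} -j DROP  # {names}")
    return rules


if __name__ == "__main__":
    # Offline demo; drop the resolver argument to query real DNS instead.
    table = map_addresses(SAMPLE_DNS, resolver=lambda d: SAMPLE_DNS.get(d, []))
    print("\n".join(block_rules(table)))
```

DNS answers for such domains can change between lookups, so the rule set reflects only the addresses returned at the time it was generated.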