The following domains are currently in use:
Registrant details are familiar and fake:
JamesNorthone James Northone email@example.com +1.5168222749 fax: +1.5168222749 128 Lynn Court Plainview NY 1180
Injection attacks seem to be either trying to insert an anchor with the word "book" pointing to one of the bad sites, presumably as a "Worid of Books"-type SEO campaign, or alternatively they are using the ur.php approach the LizaMoon used.
The whole 126.96.36.199/18 block looks toxic and is worth blocking. I'll post more details on that when I get the time.