The Ethical Hacker Network - Latest posts of: putosusio

kaizen:

I didn't mean to suggest that the Chinese government are responsible. I mentioned the chinese because most of the domains that were resolved were .cn domains.

The webistes I visited were from well know companies, i.e. Microsoft, VMware, Citrix, etc. If I was infected by malware it had to have come from such a website. I would just think that they would know it malware was being served from their website.

I have not googled for the domains that were resolved for fear that the links would take me to their websites and load even more malware onto my system.

tturner:

Really? Who would of thought. You sir, are a genius.

... back to my original topic. I did some more searching on my system and found a suspicious ini file. From the little I can read of the code, it appears to be a config file for a fake anti-virus/malware program. Here is the code in hopes someone here can read it and help me understand more about it:

[Main]
formCaption=Application
MainTB=0=Security status,1=System scan,2=Check for updates,3=Settings,
lStatusHeader=Security status
lStatusL2=Runtime system protection status monitoring. Be sure all the tools marked ON.
lStatusSummary=Security summary:
lStatusL3=Running insecure state, several vulnerabilities are detected
lStatusL4=Last virus scan:
Label7=Last update:
lStatusL5=Last scan results:
lStatusLastUpdate=never
btStatusFirewall=Disable
btStatusAntivirus=Disable
btStatusSpyware=Disable
btStatusAutoUpdate=Enable
btStatusScheduleScan=Enable
btStatusRAM=Enable
labelSSCaption=System scan
labelSS_2=Scan && fix Your computer
labelSS_ScanType=Scan type:
gbScanStat= Last scan summary
gbActiveScan= Scan process
rbQuick=Quick
rbDeep=Deep
rbSelectFolder=Select Folder
rbMemoryScan=Memory Scan
btStart=Start
btStop=Stop
lvFoundItems=0=Threat Name,1=Type,2=Description,3=Threat Level,
btRemoveThreads=Remove Threats
stScanStats1=Objects scanned:
stScanStats3=Threats detected:
stScanStats5=Removed/healed:
stScanStats_eliminate=0
stActiveScan1=Currently scanning:
stActiveScan3=Current object:
stActiveScan2=File System
bSelDir=..
lUpdateInfo0=Please, get {APPNAME} updates from the Internet automatically. To ensure the maximum antivirus protection it is important to keep virus database on your PC up-to-date.
lUpdateHeader=Software update
GroupBox1= Settings
cbUpdate1=Update upon next system start
cbUpdate2=Update immediately
cbUpdate3=Require confirmation
GroupBox2= Database information
stUpdate1=Database version:
stUpdate2=Virus signatures:
cbUpdate4=Restart immediately
cbUpdate5=Complete at next system start
bUpdateSave=Save settings
bUpdateCheck=Check for updates
lSettingsHeader=Settings
lSettingsInfo0=You can customize Your preferences here.
LSettingsInfo1=Changes on this settings will take effect after system restart
GroupBox5= Threats Warning
cbSettings1=Enable
GroupBox6= Additional
cbSettings2=Start with Windows startup
cbSettings3=Disable scheduled scans while running on battery power
bSettingsSave=Save settings
GroupBox3= Compatibility
cbSettings4=Compatibility with self-defense applications
Button1=start
Button2=stop
Button3=blcat
ShowGui=Show {APPNAME} main window
Activatenow1=Activate now
Update1=Update
Options1=Settings
Help1=Help
Contactcustomsupport1=Contact Customer Support
N2=Close
[BrowserDlg]
formCaption={APPNAME} Activation
WebBrowser=TWebBrowser
[CancelScan]
formCaption={APPNAME} - System scan not completed
lInfo=You have not completed Your system analysis. {APPNAME} has detected threats in Your system during the scan. You need to complete System scan and eliminate threats it finds.
bContinue=Continue scan
bRemindLater=Remind Later
[RegistrationWindow]
formCaption={APPNAME} activation
lHeader=Activate {APPNAME}
lHeader2=Make Your PC free from all kinds of threats
lInfo1=Award-winning scan technology
lInfo2=Free updates without limitations
lInfo3=User-friendly complete GUI
lInfo4=24 h / 7 d full support
lInfo5=Full moneyback guarantee
lInfo0=Please, click ìActivate nowî button to proceed with secure purchase of the license for {APPNAME}. As soon as you end activation youíll receive:
lHeader3=Activation is highly recommended:
lHeader4=Registration key:
lHeader6=Visit our website if any problems occur
bConfirmActivation=Confirm Activation
bActivateLater=Activate Later
bActivateNow=Activate Now
[AfterScan]
formCaption={APPNAME}
lHeader=Warning!
lHeader2=Infections on your PC can cause:
lInfo1=Applications wonít start
lInfo2=Unwanted advertising displaying
lInfo3=Loss of Internet communication
lInfo4=Lost documents and settings
lInfo5=Important files have disappeared from Your computer
lInfo6=You need registered version of {APPNAME} to remove these infections.%NEWLINE%Click ìRemove threatsî to activate protection and eliminate these security hazards.
lContinueUnprotected=Continue unprotected
lvFoundItems=0=Threat Name,1=Type,2=Level,3=Description,
bRegisterNow=Remove Threats
[RESOURCESTR]
0=Firewall protection
1=Antivirus protection
2=Spyware protection
3=Scheduled scans
4=Automatic updates
5=RAM protection
6={cnt} infected objects found, {cnt_removed} removed
7=Your system is infected! {cnt} dangerous objects have been found during last system scan. It is strongly recommended to remove them immediately.
8=Donít leave! You may have potentially harmful threats%NEWLINE%on Your computer. Please, register Your copy of product%NEWLINE%and get up-to-date protection against latest spyware.
9=This functional is disabled in the unregistered version.%NEWLINE%To use all the features of the product, You must register now.
10=Are you sure? Without activation Your PC will not be protected against intruders.
11=Are you sure? Your PC will not be protected against intruders
12=Congratulation!%NEWLINE%{APPNAME} completed elimination for dangerous objects from Your computer.
13={APPNAME} Update
14=Virus database is up-to-date
15=Memory / Processes
16=Registration key is invalid
17=File system
18=Now Your system under full protection
19=Show Your order details
20=Your computer might be at risk
21=- {APPNAME} is turned off%NEWLINE%Click this baloon to fix this problem.
22={THREAT} threat has been detected. This threat module advertises websites with explicit content. Be advised of such content being possibly illegal. Please click button below to locate and remove this threat now.
23=Start
24=Pause
25=Warning! Removed attack detected!
26={APPNAME} has detected that somebody is trying to stole Your private data remotely via Trojan.Win32.Generic!BT.%NEWLINE%Transfer for Your private data via internet will start in: {SECOND}%NEWLINE%We strongly recommend You to block attack immediately.
27=System Security Pack 2010.78.932 ({APPNAME} Upgrade; KB{KB})
[SecCenter]
formCaption={APPNAME} Protection Center
lRes1=Get latest security information
lRes2=Check for latest updates
lRes3=Get support for security-related issue
lRes4=Get help about security center
lRes5=Change they way Security Center alerts me
Label1=What's new in System to help protect my computer?
Label2=Click "Activate Now" button for suggested actions You can take.
Label3=Internet Options
Label4=Windows Firewall
Label5=Automatic Updates
Label6=Protection Center helps You manage your PC security settings. To help protect Your computer, make sure the all security essentials are marked ON. If the settings are not ON, follow the recommendations.
lVirusProtectionInfo={APPNAME} reports that it is not activated.%NEWLINE%Antivirus software helps protect your computer against viruses and other security thearts.
lVirusProtectionInfo2=We strongly recommend to activate {APPNAME} and get full protection.
Button1=Activate Now
OpenProtectionCenter1=Open Protection Center
ActivateProtection1=Activate Protection
[StartUp_v2]
formCaption={APPNAME}
lHeader=Warning!
lInfo={APPNAME} has detected {cnt} infected objects on your computer during the last system scan.%NEWLINE%The threats found on your computer are very likely to create further problems if not fixed immediately, such as:
lInfo1=System slowdown, crashes and freeze
lInfo2=Hackers can steal your Credit Card details
lInfo3=Your local and online passwords can be stolen
lInfo4=Slow web pages loading and attacks from outside
lInfo5=Privacy violations during Web surfing
lInfo6=You need registered version of {APPNAME} to remove these infections.%NEWLINE%Click ìRemove Nowî to activate protection and eliminate these security hazards.
lContinueUnprotected=continue unprotected
lInfo7=Infecting other computers on your network
bRegisterNow=Remove Now
[InstallNow]
formCaption=Automatic Updates
Label1=System Security Pack Upgrade
Label2=Update
Label3=Details
Button1=Remind Later
Button2=Install
lvUpdItems=0=,
reUpdDetails=TRichEdit

[ThankYouPage]
formCaption={APPNAME}
lHeader={APPNAME} has been successfully activated!
bContinue=OK
mInfo=Thanks for purchasing and registration {APPNAME}.%NEWLINE%%NEWLINE%All the neccessary information will be send to Your email. %NEWLINE%Please, SAVE them into secure location in case you need to reinstall the software.%NEWLINE%Feel free to contact Customer Support Service if You have any questions.%NEWLINE%%NEWLINE%Useful advices from {APPNAME} Team:%NEWLINE%%NEWLINE%- Scan your computer once ot twice a day and remove all the viruses and security threats.%NEWLINE%- Maximal protection of your computer is enabled ONLY if You turn ON all the Security Status services.%NEWLINE%- Do not use {APPNAME} together with other antivirus softwares.%NEWLINE% It may result some software conflicts between them.%NEWLINE%- If you have any question, please, contact Customer Support Service.%NEWLINE%%NEWLINE%Please, press "OK" button and wait while {APPNAME} will eliminate threats. Please, be patient.%NEWLINE%

[UpdateReminder]
formCaption={APPNAME} Critical Update Notification
lHeader=Warning!
lInfo1=Use database version: {db_old}
lHeader2=The {APPNAME} database is out of date
lInfo2=New version available database: {db_new}
lInfo3=Automatic {APPNAME} updates are necessary to protect your computer against viruses, spyware and known system vulnerabilities.
lInfo4=Malicious software is detected on your PC!
bUpdateNow=Update Now
bLater=Remind Me Later
[ActivateReminder]
formCaption={APPNAME}
lHeader=Your still haven't activated {APPNAME}
lInfo1=Choose as option:
lInfo6=If you havenít done this yet we advise you to do it as soon as possible.
bRegisterNow=OK
rbActivation=Activate the product
rbLater=Remind me later
[AttackDetected]
formCaption={APPNAME} - Hacker attack detected
lInfo=Your computer is subjected to hacker attack. {APPNAME} has detected that somebody is trying to transfer Your private data via internet. We strongly recommend you to block attack immediately.
bContinue=Register and prevent theft
bRemindLater=No, thanks
[FirewallWarning]
formCaption=Firewall file transfer detected
lHeader=Warning!
lHeader2=Hidden file transfer to remote host was detected
lInfo1={APPNAME} has detected that somebody is trying to transfer Your private data via internet. We strongly recommend you to block attack immediately.
bUpdateNow=Block attack
bLater=Allow
GroupBox1= Details of the attack
Label1=Remote host transfer IP:
Label2=Remote user computer name:
Label3=User:
Label4=IP-address:
[ThreatDetectWarning]
formCaption=Warning! Threat detected!
lHeader=Warning!
lHeader2=Threat module detected on your PC!
lInfo={THREAT} threat has been detected. This threat module advertises websites with explicit content. Be advised of such content being possibly illegal. Please click button below to locate and remove this threat now.
lContinueUnprotected=You are using a trial version.
lRecomPurchase=It is recommended to purchase a commercial version.
bRemoveThreat=Remove Threat
bLater=Ignore
GroupBox1= Details
Label1=Threat name:
Label2=Infected files:
Label3=Alert level:
Label4=Suggestion:
lSuggestion=It is highly recommended to remove this threat from your PC
lAlertLevel=High
lThreatName=Zlob.Porn.Ad
lInfectedFile=1
[NetworkIntrusion]
formCaption=Network intrusion detected!
lHeader=Warning! Network attack detected!
lInfo=Process is trying to steal your passwords listed below. It is highly recommended to block this threat now.
lInfo1=Your computer is being attacked from a remote PC.
lInfo2=Attack from:
lRemoteIP=145.7.151.43:34630
lContinueUnprotected=continue unprotected
Label1=You are using a trial version.
lRecomPurchase=It is recommended to purchase a commercial version.
lvFoundItems=0=Login,1=Password,2=Website URL,
bRegisterNow=Prevent Identity Theft
[BlockAttack]
formCaption=Protection Center Alert
lHeader=To help protect your computer, {APPNAME} has blocked some features of this program
lInfo={APPNAME} has detected unauthorized activity, but unfortunately trial version cannot remove viruses, keyloggers and other treats. Your personal data under serious risk. It is strongly recommended to register Your copy of {APPNAME} and prevent intrusion for future.
lInfo0=Do You want to block this suspicious software?
Label1=Name:
lThreatName=Trojan.Win32.Autoit.agg
Label3=Alert level:
lAlertLevel=High
Label4=Description:
lDescription=It is highly recommended to remove this threat from your PC
bUnblock=Unblock
bLater=Ignore
bRemoveThreat=Remove Threat
[StartUp_v2_1]
formCaption={APPNAME}
lHeader=Warning!
lInfo={APPNAME} has detected {cnt} infected objects on your computer during the last system scan. The threats found on your computer are very likely to create further problems if not fixed immediately, such as:
lInfo1=System slowdown and crash
lInfo2=Hackers can steal your Credit Card details
lInfo3=Your local and online password stolen
lInfo4=Slow web pages loading and browser crashes
lInfo5=Privacy violations during Web surfing
lInfo6=You need registered version of {APPNAME} to remove these infections. Click ìRegister Nowî to activate protection and eliminate these security hazards.
lContinueUnprotected=continue unprotected
lInfo7=Infecting other computers on your network
bRegisterNow=Remove