Probably those files are attached to the WinLogon process, so they can't be killed by your AV. I'd suggest the following: - Download, update and run SUPERAntiSpyware Free Edition. If it detects the threats, it will kill them. - Contact the tech support of your AV vendor or go to a site specialized in malware cleaning.
Big thanks. After running SUPERAntiSpyware Free Edition and rebooting, the problem was solved. I no longer get that annoying alert. What a relief. Unfortunately there's another alert that keeps appearing in my taskbar. Most times when I have just switched on or restarted. Most times it's something to do with my pc having spyware and I should clear here to get software or about errors on my pc which need fixing... I think it's something to do with this file C:\WINDOWS\SYSTEM32\SOL852.TXT and I'd appreciate it if someone took a look at my thread Here
I suggest you use Nod32 v2.70.39, since the latest is not yet stable (for some). Before scanning see these threads first, Installing NOD32 with Blackspears Extra settings - in no time Infected ~ Virus / Trojan Detection ~ Dealing with New Samples Then scan with Rogue Remover Free and Prevx. I suspect you have a rogueware infection. It is responsible for the other nasties. If you still have issues/problems, I suggest you post a hijackthis log here. thanatos
Hi Kazek Yep that's the culprit (here's a manual killshot for it). If you manually navigate to system32 folder and locate the file SOL852.TXT Highlight the file and open it. Delete the lines of code inside and replace with a few letters such as QWERTY. Close the file and allow the changes to the file to be saved. Next reboot the computer, you will receive a lot of system error reports, don't panic as this is expected but just keep closing them as they appear. Locate SOL852.TXT file again and this time manually delete the file. Next up use HJT to fix check only the corresponding O20 entry with SOL852.TXT listed. Reboot and then SOL852.TXT+ error messages are RIP
Had the same problem yesterday on my father-in-law's computer. But there was a very nice additional collection of malware. I'll follow these steps, cause I couldn't clean it 100% yesterday. (at least it's usable now) I'll keep the malware evidence, if anyone is interested, PM me. Malware present: kernelw.sys rootkit, A LOT of trojans, sol852.txt, bravesentry rogue AS, and some other I don't remember now.
Hi HURST Have you run SAS free from safemode? SOL852.TXT will need a manual hack (as in my last post) as I only submitted that file to SAS HQ yesterday and there hasn't been a defs update yet
I highlight the file but when I try opening it there's an error message "Access Denied" and Notepad opens a new blank document. Where do I go from here ?
Hi Kazek This has not occurred in my experience before with this file. So next option is a forced delete. Download Icesword** from here>>> http://www.majorgeeks.com/Icesword_d5199.html ** Use only as directed as this is a very powerful tool and if misused can cause severe damage to a PC** Open (Unzip) IceSword. Look to the lower left of IceSword main gui for file option. Use the explorer tree generated by Icesword to get to System32 folder. Now on the right is a list of files in system32 folder. Locate SOL852.TXT, highlight by clicking on that line. Right click and select *Forced delete*. Reboot immediately.
I did as you said and deleted the file. It's gone now. Before I deleted the file I was warned to reboot immediately which I did of course. Any particular reason for this? And IceSword came with the warning: Use at your own Risk. Should I delete it since it doesn't sound so safe? Thanks a lot by the way. You've really pulled me out of a jam. And much thanks to lucas who really took interest in my case and helped me out big time.
No it's not spoofed IMO but it is quirky for sure. Once it is loaded into memory it has a few self defence tricks going down. You can delete its load value but it will replace it back again within seconds. O20 - AppInit_DLLs: C:\WINDOWS\System32\sol852.txt Every time I have encountered this file (& its previous incarnations) it has been manually deletable but then again it writes itself back to disk in seconds again. If you isolate the file from the principal infection (AVP) that it travels with then it still has the capacity to act as trojanDownloader or at least this is my experience with this file in the past. Yet if you can open the .txt file this is what you see Code: [binary file contents] The self defence of the file till now was easily bypassed by editing (corrupting) the malware file on the HD and rebooting the machine. In the following session both its load value and corrupted file could be manually removed to complete the cosmetic kill
So the file loaded in memory does not have a chance to rewrite itself to the HD. IceSword is an advanced ARK forensic tool. It has some pretty powerful tricks up its sleeves but should only be used by folks that know how to use it or under direction of such folks. It can do some pretty cool stuff but if misused it can also do some severe damage to an operating system. I would uninstall now that it has worked its magic for us
Hi, I have the same issue with that sol852.txt file. I also could not view it. I tried using the Ice program to delete it, but after deletion and boot up, it'd be there again. But, in SafeMode, I was able to view the txt file and replace its content. After that, I rebooted into Normal mode and used the ice program to delete it. That seemed to remove it. The laptop is still running screwy, so I'm sure I have more malware to find. But wanted to give you guys a heads up on another possible method. Thanks
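An added example, not code from any poster or from HijackThis: a Python script that pulls the paths out of `O20 - AppInit_DLLs` lines in a HijackThis log and judges each file by its MZ/PE header instead of its extension, which is the check that exposes a loadable image named like sol852.txt. The log excerpt, the `example.dll` name and the 68-byte stub are constructed sample data; pass no `reader` to check real files on disk.

```python
import re
import struct

# Constructed HijackThis log excerpt (sample data); example.dll is a made-up name.
SAMPLE_LOG = r"""O4 - HKLM\..\Run: [Example] C:\Example\app.exe
O20 - AppInit_DLLs: C:\WINDOWS\System32\sol852.txt C:\WINDOWS\System32\example.dll
"""
O20_RE = re.compile(r"^O20 - AppInit_DLLs:[ \t]*(.+)$", re.MULTILINE)

def appinit_entries(log_text):
    """Paths from O20 lines; the registry value is space- or comma-delimited."""
    values = O20_RE.findall(log_text)
    return [p for v in values for p in re.split(r"[,\s]+", v.strip()) if p]

def is_pe(data):
    """True if the bytes are an MZ stub whose e_lfanew (offset 0x3C) points at 'PE'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def read_head(path, size=4096):
    """Read the start of a file from disk; None if it cannot be opened."""
    try:
        with open(path, "rb") as handle:
            return handle.read(size)
    except OSError:
        return None

def classify(path, data):
    """Verdict from the file content, not from the file name."""
    if data is None:
        return "unreadable or missing"
    if not is_pe(data):
        return "not a PE image"
    if path.lower().endswith(".dll"):
        return "PE image"
    return "PE image behind a non-.dll name"

def audit(log_text, reader=read_head):
    """(path, verdict) for every AppInit_DLLs entry in the log."""
    return [(p, classify(p, reader(p))) for p in appinit_entries(log_text)]

# Constructed stand-in for the disk: a 68-byte MZ/PE stub under the .txt name.
FAKE_PE = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40) + b"PE\x00\x00"
SAMPLE_FILES = {r"C:\WINDOWS\System32\sol852.txt": FAKE_PE}

if __name__ == "__main__":
    print(audit(SAMPLE_LOG, SAMPLE_FILES.get))
```

Any entry reported as a PE image under AppInit_DLLs deserves review, and one with a non-.dll name is the pattern seen in this thread.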
Maybe you could PM fcukdat, he helped me A LOT with a malware infection, which among others had this sol825. I hope he's not too busy.... Then again, posting a HJT log in a specialized forum would be the best move.
Thanks for the response guys. I replied to whom you advised. My original post was meant as a heads up to anyone who was passing by these forums, as I was, for a possible solution to editing the content of the sol852.txt file. At the end of it all, after successfully removing all the malware (Winter.exe was there too), I somehow managed to remove something by mistake, and locked myself out with a lsass error. So I re-installed windows, retained ownership of the original data files, cleaned up the mess, and the laptop is as good as it used to be, without the viruses. So thanks guys, the information here, coupled with bits and pieces of other forums, helped a great deal.