Fake Alerts

Discussion in 'malware problems & news' started by kazek, Dec 9, 2007.

Thread Status:
Not open for further replies.
  1. kazek

    kazek Registered Member

    Joined:
    Oct 2, 2007
    Posts:
    14
    How do I fix that? I should also add that my antivirus finds the following...

     
  2. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Probably those files are attached to the WinLogon process, so they can't be killed by your AV.
    I'd suggest the following:
    - Download, update and run SUPERAntiSpyware Free Edition. If it detects the threats, it will kill them.
    - Contact the tech support of your AV vendor or go to a site specialized in malware cleaning.
     
  3. kazek

    kazek Registered Member

    Joined:
    Oct 2, 2007
    Posts:
    14
    Thanks for taking interest. I'll try that.
     
  4. kazek

    kazek Registered Member

    Joined:
    Oct 2, 2007
    Posts:
    14
    Big thanks. After running SUPERAntiSpyware Free Edition and rebooting, the problem was solved. I no longer get that annoying alert. What a relief.

    Unfortunately there's another alert that keeps appearing in my taskbar. Most times it appears when I have just switched on or restarted.

    Most times it's something to do with my PC having spyware and I should click here to get software, or about errors on my PC which need fixing...

    I think it's something to do with this file C:\WINDOWS\SYSTEM32\SOL852.TXT and I'd appreciate it if someone took a look at my thread Here
     
  5. thanatos_theos

    thanatos_theos Registered Member

    Joined:
    Apr 28, 2007
    Posts:
    540
  6. fcukdat

    fcukdat Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    569
    Location:
    England,UK
    Hi Kazek

    Yep, that's the culprit (here's a manual killshot for it).

    If you manually navigate to the system32 folder and locate the file SOL852.TXT

    Highlight the file and open it. Delete the lines of code inside and replace them with a few letters such as QWERTY. Close the file and allow the changes to the file to be saved.

    Next reboot the computer; you will receive a lot of system error reports. Don't panic, as this is expected, but just keep closing them as they appear.

    Locate the SOL852.TXT file again and this time manually delete the file.
    Next up, use HJT to fix, checking only the corresponding O20 entry with SOL852.TXT listed.

    Reboot and then SOL852.TXT + error messages are RIP :thumb:
     
  7. HURST

    HURST Registered Member

    Joined:
    Jul 20, 2007
    Posts:
    1,419
    Had the same problem yesterday on my father-in-law's computer. But there was a very nice additional collection of malware. I'll follow these steps, cause I couldn't clean it 100% yesterday. (at least it's usable now)
    I'll keep the malware evidence, if anyone is interested, PM me.

    Malware present:
    kernelw.sys rootkit
    A LOT of trojans
    sol852.txt
    bravesentry rogue AS
    and some other I don't remember now.
     
  8. fcukdat

    fcukdat Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    569
    Location:
    England,UK
    Hi HURST

    Have you run SAS Free from safe mode?

    SOL852.TXT will need a manual hack (as in my last post) as I only submitted that file to SAS HQ yesterday and there hasn't been a defs update yet ;)
     
    Last edited: Dec 9, 2007
  9. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    What is this? A spoofed executable?
     
  10. kazek

    kazek Registered Member

    Joined:
    Oct 2, 2007
    Posts:
    14
    I highlight the file but when I try opening it there's an error message "Access Denied" and Notepad opens a new blank document.

    Where do I go from here ?
     
  11. fcukdat

    fcukdat Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    569
    Location:
    England,UK
    Hi Kazek

    This has not occurred in my experience before with this file o_O

    So next option is a forced delete.

    Download Icesword** from here>>>
    http://www.majorgeeks.com/Icesword_d5199.html

    ** Use only as directed, as this is a very powerful tool and if misused can cause severe damage to a PC **

    Open (unzip) IceSword

    Look to the lower left of the IceSword main GUI for the file option. Use the explorer tree generated by IceSword to get to the System32 folder. Now on the right is a list of files in the system32 folder. Locate SOL852.TXT and highlight it by clicking on that line. Right click and select *Forced delete*. Reboot immediately.
     
    Last edited: Dec 9, 2007
  12. kazek

    kazek Registered Member

    Joined:
    Oct 2, 2007
    Posts:
    14
    I did as you said and deleted the file. It's gone now.
    Before I deleted the file I was warned to reboot immediately, which I did of course. Any particular reason for this?

    And IceSword came with the warning: Use at your own Risk. Should I delete it, since it doesn't sound so safe?

    Thanks a lot by the way. You've really pulled me out of a jam.

    And much thanks to lucas who really took interest in my case and helped me out big time.
     
  13. fcukdat

    fcukdat Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    569
    Location:
    England,UK
    No, it's not spoofed IMO, but it is quirky for sure. Once it is loaded into memory it has a few self defence tricks going down.

    You can delete its load value but it will replace it back again within seconds.
    O20 - AppInit_DLLs: C:\WINDOWS\System32\sol852.txt

    Every time I have encountered this file (& its previous incarnations) it has been manually deletable, but then again it writes itself back to disk in seconds.

    If you isolate the file from the principal infection (AVP) that it travels with, then it still has the capacity to act as a trojan downloader, or at least this is my experience with this file in the past.

    Yet if you can open the .txt file, this is what you see

    Code:
    MZ€      ÿÿ  @      @                                   @   PE  L             à !C                         @               
         d:                                       ü+  ¸                                                                                                                  .flat   d*    ´                 `  à                                                                                                                                                                Sh4  [WƒÇf3ûORï#  º‰  Vê   f3þU‹ÕRU_‹É3σljËÿó3Ïó[‹¿»&  f3Òÿ2X3í‹ó‰É‰Ùf=MZtê   ëç‹é‰Þ3Ý3ØhA  XúR‹éVN^¯ÉPWRXº@-  Ðh    XP‹î3ô3Ü3èPPPÿ‹Àº¼† Ð_XW‹É‰Ë3ë‹ÛÁ1ƒÇƒè…Àñ_ÿç¾èPöbù™Üô,&$œví
    }9œÃQàq.&	ÙR´³t?‚›Á›6‘ºCŽ¢ø¼’s-ò·½âŒBŒf€Jë³ÜôoXZãåî\§wÓ–m†ú',/ÐñĈո=J‘:ï“ÕwHö‡S§9„©«‡4û¯âeমͤ肼/%ÒóÆ`‚È™g2£ÅV&´§U°¥möÚÕ+Ø’?ªÚêzéò´0›>^뇤藮žÐ«çËù»çõ¡>˜ßKˆ ø#—ØØ*¼Iï†äc4wkMo’˜[f{ö×DKÍ-•ÚŽÂ‡´nˆ¦ÕÎ[@nn ÁöñHÜÿØÒKæùÿèy¯@rC„ëm’Ð}O¤×ù%À_&ÂA&zm{qÇËcêÀ ‚§ŸqÎÞ©;ÿ§æH‚µJB¼5û±™N¹ÿ¦øØ0Cù›M]=îØÛ,Oª Ùqz¦(É›ñþêÁtSi*HAÖð¾=袙ºIײGR²M?!ûFµIˆ³s,AÙg”Ýe~S[vzK
    ±Kã@Â*j{>I,RŽ_Ø{ê§ÍÑ+U±)6–Rt6ÛŽ¤„²H¸«Æÿ–
    `Ó2¾¡•{¥Õ‡ÈànP÷˜â\C
    ¾"# öf>vWý-ò9Çn‰.ºw£ÑYñyäÙ-\íOú\Å0ÛB}åp*ïgÜ»³(›îÚê±Â¦†Ô*˜Ém£éË
    'iÜ\ý2hÃó’/ø÷ÔM
    žƒeb§Vg‘oD{qóØ~lÇ›p’¥üÜ÷9?P“Kþ%U}5ñ¯fk$åós~ïã¸$é*eO<ãì1íÿYQ¨ ø@ÿ3ì¶ãÆöMBY4ù·iÒ%¸N%¶ÀÚŽJû¯ø
    £©O¢Øß뇮IDJÆZ4‡í_¬Í¿H8³â1(üB‰IþÏy«&;hC}¡@I(5PnŽ_ú\˜;ïGsáZü‚@¯—ó¼õßqZIXÐÌ;‰Mu"L¼årÛ»jÎä_pÕd[dÖBë½wžÙ‘&,Jûg-:Þ÷½”4Š'ËÅ»º¨µÍ”D
    á
    ,g@T+ãJAà³Ò¼?ýÊ{ñŽš5ê*ñaô²[06=ì_*ðÖÃ…Þh6J*þÛ-EÛe¸æ@6 d<LÚÞæyÄ_©´SN•«/ÉÁ±4áòÊdÈS³n®“ŸÙc•êH'WTööÁ7Í—¢½ˆECsq“‚:HT‘xÜ ¶¤ýÌ”›¾*&ÇkKËj‰\‹<Íßmj!m”ŒzËÈzšŽ’ˆÙŒÀý><ÍK$à+CÛc£‚ùãñ9r‚Y¸¸×%Bu¸Ûž
    ¨t?…£ÉD6J’ë¿®âÀî'U̱.á¾ðžÒÞ²¸04;ç£xË1È+e¥‘ÂIØøKÈ¢©$/sOÎRÿ'ÕVAVx®]x2ÈVyF?‘Ä"û°ywôëÀKeËòüS¼Þf$¼3óçA®¨G£+œCï*ÃK¬d±~ÓG5¢ì!R†0hS
    Ij\ÎsÐYÔÿbôG©ZÎN{NšŠ`?¸?9´4(¬Š’Tß‹›Œ°©WhK,ç”[ýîEj±
    ·þæ	Gƒ¾M@ì>÷¬îÜA'Çeˆ=Žo«dâúN†NòÚ	aG…#S§Æ`Ü©„Á!-࢛3)Û͵è-³›¦®!eU¢	v!ê? ÒºZ(ºõ±h•bÔSB,6 ÊXøPc6øn™¤…ùÇ1¡Ÿ€ñQó8÷n…‡3XAÃ*
    º_ˆºß\B†ùžÆãJ燇ÙÖ‚½ÀÕ—²?''éªIëìˆß/‘‚Ыz»•=²Í`™:(¹§íø~—蝥©Ë9y÷í|w€òedH‹4ò…ÄÀ¿¢˜G_¨pÊÖ©4LU	Ñüæë'1b‘ê«ï_k·|L–ôò<ïQ¿˜ˆ`
    ÍHXþkZÞ¦[	*¤›iºaÏë%Â.F¤dþ*@¢Ð|þ2ào#\
    Ș¥Îá§ûò± ò`Ž÷ºÓY“p,¨080f¿ª*>"K“Îc<ƒ·°©$ÏDý5Z¢ïðW¯ø)fƒ¸š÷{£r“²|çYùHÏïø4f=û
    Œý•¶Dò©ËB-?ï?%ÙÖ<>=èWKeDÚ•dò±Î4%
    !u]vvŠ³Ñjõ“û;þ;%óäs»¦`½o“zJ—Üÿow¾ôs-ÿÑæ:…£]– ´ üKSVë~¥»ß‘´Ã’þ~¤¡_Qv¾>&xÝï#\ˆ(n£†#o‡_gwqOéS¦ëY*XÀi2—í™0×vrÒ«Û‚=]ìfÂõ*6jš·“;Ýâ_§¢^ã}k´W؈>ÅrRH|9ÜéoÖ ‘À‚äQ–KNÙLvƒ7eË<8X*J~|Zá
    #†àÕ!ÛäN–àZAg¯³*=ËI´f0µƒ`5X½&{e¸HÏ‰Ø lïÑ2ü@RìáxúzçáXö	ꕯ‰
    µàcù‚aãGûÎóÐ'ägHd§+íšÐéhO‹š¨~ô[ì”TbϤ«‰ö€+·Fî–Ž(ð7ÉnBçúž…L°?ùóµ-@GZ¹Âb?=ìB©¹]*TT¶áJÒá	jã>o)Òvü'BáÙ/0ç@ ©}l“”¸8 …Àý!¢S"«RLOvåTÄÍ°ÝãÄ°g¨O5jiuFˆÑ
    4ó7Zñ^…쥞+9„u—C“|y3*.-Þ´õ¥R%Ò£Ô.iÿƒøZD‡J“r¤—^Ñ~¹ïp1*µPŒ:$Ô
    Æhöa¸Ÿ¾Iì¾ã.Œ8ÚŠqã/ƒ»Áû'#®†ØÈu
    Ø7”ÿ	YדŽ÷ü	{e_WoÌ6R⩝£~«Ë‹‰¬£¶béÂ~Ò2/ã…½•V”¨ìÌ‚Ñ‚c7ŠFV½Í«§üš3€@tLä4=^ƒfë¢ñóÍrt°T!WoÁÛO Þ}m´¥ž¹õ	Ù°Wkyºglê†H&“™4!·äPé¸à؈\M4›ô
    Ö?Ü¿á1Í<I&M_ôíÛ^-û<¯M’ø³ãoækÓBË™ˆš¾Ni©®QK›Òu¾hÓC{ÖK_â^Å"ÒŠçå6Y¦löHúßØt³$¼M)4#—‰NA%<S™\æšaPÅvkh/ZMàh8ižR#¬ž={¹ÒiVì6´åÌ€q©h¤ÌDÅð4Q¦•ks&=ÊŠÐÇIC4’äA%¢3cfм—Ïϳ„åêk§‘ï §Œ-àÍ`ÊCüØ–€?ãI‘ ²ãâ^®—ù$h4²)íüÿ—<À§ÎÕ¿MêW‰
    ø?Yu¡’Ñ9ØQЇZþFcKߌBüõ‘×Ìå-“êÙ*¢Ü'.§8¾7Þ6šÛó†õÙ‚FÖükÔÓŽúù”`TÁ›X¶»‚œûq=îŒ_—kú!Z°lËý׌Ü^ŠÔR]²Ap“²híÁݝ2N¦vô‘‚¹!{.RoYÖÝÈ'Çö=q´·dêèïpÊ2|XÍ4ò*	TÞ‘ãÊèÕ«U	£uÎ} ø]yNâC=1}$ß!k\³{>²Mg„[xµdxë{ÿ¯<¡*Ïs	ßÄÁÊs_éLåPÑ#j{^„Úwøa^axÚ³V*FKÓçó±vêѧ*7<*‚é¨Ão ÁÁ“`^IévÞ©³¥ž
    R£kE×tAâNÐb¶}W¸³/|5l¼³µyõ
    *©²æÈa"Ÿ qˆZŸÛÝ«4ÂB•_ë)y“dÓ˜’È—kÑ3UÉòL¢§„öæ[´GÜÿ!äÍ㟠‘{Ó‘Tˆ¦-9`ú7
    )uå‚Y"èPª‚s3rzJÑÙÙ’‘†š_ò†¥·ìdæÔÀŠº¢EA=3Dt
    ·%Aùo11|Ðïå#Ë2ž¡å'—‡F
    ÅÇ¢-«Ä>II¯`p‡ÍtgÀqå--˜«Áæçû%Vò´¸ûÒª”¸8žwèì]Â5u`n¸qòM;#!+TÜ?æZÊ6†bSÖïxaÚÖª5r9\&jcÓH.‹Ò¢'*œ0ö²æ°¡íf>‹5ëðhlù¥od{ÏEŒ|ò˜‡wr9Š½¯%`õç¡Ýÿ™”1¹ªÃªU-Q©Íe¹Îc©´o¹Ü“!u˜3;7¦&mñRŸ”S¾ýËržf¬Ñ›ÆL[Y¨‹¦ÀÑ?*q2âÒÔ@ÃúÝÐW¿-N¼³*X¿ÇiíNá$&rì`C’ºFu´‡€Þ·R¦µ,
    ltèŸò…×¹ÙcÕs>{.Ws ’àC½kWPôë"¯Ú…¹hh
    *´¢êh¨¡ƒöyÈÿ¨G×›rð€üÞ$ö¿Y‚Á¶7ùÀFçåÚÖHLM¤ÖSܦk'z1ŽkœÒKÖMñݯ¿<õü-ââ´½hq‚Â‡(£‰¿/_“ÿ£@j g>¥qÔ0isšˆ~?3þbPm&™Upå?ôô„®@ej,tz·ƒ„
    gdaê"2©³°Î-5InÜ7¼isì×2Ò›¶žûºÕ˜L¢ôûÙ H*éa%
    óÓ»™fí06Ê;£–ÌŠ…Þ‹³çeƒŠˆ¼ß5s80
    ö”ô]váq*tÖŽV3ü#Ê{oʼn…PÀ*Ó5Ü£oƘ—Æek¡höJÈ.Ÿ,*Ÿá
    ÷B
    ¡ŸªéåÔ+ÿ¸ôGª(Œ´®XF··Ú£¸®¦ÏQteʉ!ôµ*ÝTŸ8~T'š¿ÿŠ°!âÞ©kZ}¾Ã(y+ñNm«µžºJDvðP×ï*×Ôž2„ M±«"lR,CGÊÕk$¢Â¨&÷2#Qì¾d^ç<èÓIV0zËÓ½©·Ç~:ú|®1ÖÊè׉©Ýc¤ßÑÞ
    äº2°ˆàêðWwÕ‡†¤!‡7ª”?JX€Ž^ò\ä´UÃ(ôw—ù
    e»Nµ(ËÄ'kÅ(2è½£qéJ‹É°)ÝQÜ"·|xª¬rm©`µh\îiøgt;·X¸Y¸ºNØI„ß½²F*2ÈÙíRÌLWÓÐz¿èDÀ±Ûe¯Ã`Q‰JFL”,x#W«K¸ØmîWè[EºâçÇ]-7¼«‡‚óÛ—¹…üdÒzÓ-dÂ?Ñ•rÅVªúñobÒ2á2Ö ] E8þr²¸ä,}&QƒÅ?z—¦T÷ ,é¢ØKýF‰]ßþRÇÑTiÇèRÏßí:	…àGe9±)7(çJ¹¢ë(ñ" ŽÌ?£@›Emþ‹S>Ú3X'N\¬æ”ÆuGJz cAî“Ù‹öà"§¤‰‘Ôæjí<6U1Žq„'ìý±·¼ÁÀ`Ýø¿¡ƒÂ“ƒ8&ÜÌÛÆ‡ Cvò®…m´Y„zÑgVšÁ.ÑáÅiñóoOàd8W
    G ‚¯`”ÚIRaÞs? ÒÙpÑ›cþžA¥‡CM=t£âŒcJkÊtÕÄêŒ9s)FÆ÷3*4€óâ©k7Ф"Α1*§£àZÑ|Ü®†¢
    þ!aØÅ0lxuáÆKZûƒó‰eïk+Q4Œ*Ô*5:íK{š´ðQÍìgkmƸ{e¬<v~<›þo#•R&òÌ/gÿ*»n	&‚šõ<cØdz!Äû(õÛ¹$Îj—`5š;Yó©9ã‚c}ÌO3Å$8Ý
    ‰8žyQ&YWÞˆ£÷zÛXÍ(Íu–LhSÞ(¶*¥âç†÷ÌP#éÄ#y·À¿`³¡»œ :5G¾~}…]ï³5Àµòšò±[¸¦˜)bu÷dÃO
    {‘Àñ—B6ê6é2âz¬ÁÎr˜i½qISÇ®!ÌjÒÎÅDhqq?9«9ÉBW|Õzo‡ãi‰£¨YpxXÚÄ"'¨²‚áÖQ×Å]—Ô8Õ¡2ßpÆpó
    ސԡ¡á†·¿j=¹j*E–¡þ+OÓù±rVØWqÌÿ–ßÝÒ*#GÁo!Øñ&¬gP꺳 ⓐ4ôƒz5O½2u:À]>,*a‚Eä† CôV_ë9\nZ©g©~ÚSŽYÐ|Ô׳c'Ç‘Mÿ2œ‡ãìÁŸlžÐ=€NZj/rW¦ Jeáh€kÅ‘ÕŽ^Rƒe$%yŸcöMEùÇðJ±ñ»Ä uMßݨ–G»°dŠÆòÙX*@CŸ+èsÌ2G‚Ÿ>ã©=`M˜i²$´?Ê-¥²,Ýn§Á«jíœ\¿&Š^ŒIÔ.€ˆ˜úø'È¢	J¿¸ÜH)DU*e-Gn,:<áhücfü}€›ãØm5Ž²æñ\lJ=&@üý8a°"ò¢
    @âüVÊøUE–Y|ÀÜê%ÎH‰æ¨~P¯)¥ÉC»&Ô-ø˜gäî¼;*m·‰3Ëú]*DEVK¦F¥ÜjmM+Œ‰{ž(pµL 2‹ƒôU	8*WÙÐOqgÕ°»ï^5#ÍA¡íî¦J8`Px…Ç*ܾ@=‚&°YFe¬bÝbbXЀì@š”&æ$
    'QCP±ìahIÇ~üà‹~x<þ1
    Å¢qµf¥û½Hô1¢D5¯ÈXƒè*Ê…¦º9±v¤‘Ý c>"Ñöñ’6€iã“ŸOÙÖTæ¶ÿ{èÖ*n'D@\±òN³ˆ°†ÁJ¨p»«7*ÀÒ]Sñî|½¥ì¢Ú6Å}*±_î¬ø”+¯£iéÐxÄïí&åYF¾/¿Hùt1*§u¹õWv„@*—ûÀi3bÆ'×\[æƒejR¾Lò>§Wƒ ÉQ9=*ÏÝ+é~²¢·Ùž¦ªðn±åVxÀžBAÐøy-ÎÎ’¦cÝ„¥ê•ŠÛ?Íñ`sèÚ5å)flŸBáÎ¥3¤uû)P*ht¡VzmÙ
    [Xà"¢~œ¬œ-|ãR½í&ýÂiÉá6“BwfNÑ y[6äˆtBæcG	)*Ç|û$S”6^¢°wcü³^•[| E¿	J”SÅ¡À×wo¬œ«T©,ì_¦ÌZf(,îO«Íg_£#ŠÇËŒŠ`ƒ·÷ç¦oç07´»33|➽Ɠ^JsŠ©cìxø†¿´^l‘‡ËìKðMO§u^¼¡“{åÔW·O4A¦'c2Ο݂—ôt
    æ³nÂÓ´)4	«æ 4RûAQ0‘Æ×KÝ#SE…¨3…ŠÇ!u´³3‡;OÒD‹*c‹ ¢Gž¬ÃEú®Ôõ¤‹(HO0ÊðJµ€·§€×p€×!€wxËúÑ‚,3§£\åÆT”#Š°þcä×°€×°ˆw[i‘Yг)÷p=‘¨PÇ&¿'à*»¿w×°Bª†ˆÓº½pŒG¿Íë7Îó©µA‰&º&àéð|ñ÷°<Ê&ȡƉ	½á°`Ç‚îÖ-9 ×ПWžc½µÁ"*ÉÚ_à°*·Á"€ÉÚr˜·àš kèiË<ÚHjjª€7z(‘¨Pç&¿'ଌ`˳©·.Ö‹üa½q]ѳ(÷°¼^‘=§°€F9áf»gñ_8Ù±h
    Ý
    {*×ði‹¼aÏÓ©¶€ ¹œ"ýZ]Ú¼aÂ÷³©ö‹€½Š€ÆÑ2ÿWþãžÏ°*g¾cÖÛÒxµÍ=ºèÁáÏ?a÷¯IªÝ3o7ºèßí뜻hqß‘!f¸cðO³ˆ¶Š€Ç("ñ_°i="Úâo°AÀ°€÷A
    À°€÷AŠü¼«œ[iKè(q« #o8ßjš>ì¸ß,,ÚZº‰^\º(¨<̘Ÿ¯,f9Ÿ?Z}ºfØ=±èaÝê†Î®°a
    ½Z¨ÑÜÍH-?ú蟽Oi+ÛÂÎð–Ûy"ðϯ@÷Ay€X‘S_&ËÓ¯•ÚèŠf»?*½êê=hß<ÛI«¨Güìœ{šØ‘ꦻá¢Ï?c‘_ÑŽtŶc‘_ˆ¸¡ŠœÛzJà°€·A!(Žî}¾a‘\r9Ý.ÈyÑó+öÀŒ›®·
    ××°€¼È÷×°*&“rÿ>ŽùÍó+÷À	šü¬®¬A	A§N®øL*j°à×°b‹Ï°à×°€×°€×°€×°€×°€×°€×°€×°€×°€×°€×°€×°€×°€×°€×°€×°€×°€×°€×°€×°€×°€×°€×°€×°€×°€×°€×°€×°€×°€×°€×°€×°€×°€×°€×°€×°€×°€×°€×°€×°€×°€×°€×°€×°€×°€×°€×°€×°€×°€×°€×°€×°€×°€×°€×°€×°€×°€×°€×°€×°€×°€×°€×°€×°€×°€×°€×°€×°€wš³œýúèê}Ú³O¶ŒfŠ²¸œ° ñ©“©Ö*0(¯*ß<˜ª0ÌF¯"*×p*€À@÷–;†ì¡;æ
    \ÜÞWS@Ñ{± ‹!ªã×!ª×!®ƒ÷˜2ŸÈ°`¸ÉKœ›ikŽ¨*ý~0J°nØ‘ó:'(I*א³è¶:îöx§^í$i*°+¯@—!↗蓃Õ!áfFP €Œ!â€Ü6âa½¿-8¬Ž¨*ý~0J°.©pŒç¡à×Љñ‹ñin±ÒXÈ°€ÝÚ2¿Wþb½öAyàX‘_æÈ¡&˯¶ap?î•½aÑß±=Oý¿=º¿«(Ok¼`¥ˆ.ÙO°¢Êf¬n±Ýѳ(öõšù¡8¥ì¨âf¾`àÙÑÒ'W^i‘^Ð2]öŠ‘°
    A¨Ãì“zý¶À= ÙÒrWþaШ0Œä§+ì%ŠunñôÀþ_Ö°ÂlWPa½ÜÓã§Lý¡×p.€5ÓŸ»a!P+Oà÷0àƒè"éç	l6Jƒ.ùO±ÒÅN,          8,  j,  ,-          -  @-                      KERNEL32.DLL          †,  ž,  ¶,  Î,  æ,  þ,      †,  ž,  ¶,  Î,  æ,  þ,        TransactNamedPipe       GetMailslotInfo         GetConsoleMode          SetFileApisToOEM        VDMConsoleOperation     lstrcatA              GDI32.DLL             T-  l-  „-  œ-      T-  l-  „-  œ-        UpdateICMRegKeyA        SetViewportExtEx        OffsetWindowOrgEx       CreateColorSpaceA     
    The self defence of the file til now was easily bypassed by editing (corrupting) the malware file on the HD and rebooting the machine. In the following session both its load value and the corrupted file could be manually removed to complete the cosmetic kill :thumb:
     
    Last edited: Dec 9, 2007
  14. fcukdat

    fcukdat Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    569
    Location:
    England,UK
    So the file loaded in memory does not have a chance to rewrite itself to the HD.

    IceSword is an advanced ARK forensic tool. It has some pretty powerful tricks up its sleeve, but should only be used by folks that know how to use it or under the direction of such folks. It can do some pretty cool stuff, but if misused it can also do some severe damage to an operating system.

    I would uninstall now that it has worked its magic for us:thumb:
     
  15. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    I see the MZ magic string, so it's an executable with .txt extension.
    Thanks :)
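A defender-side check tying together the O20 AppInit_DLLs load value fcukdat quotes in post 13 and the MZ magic string lucas1985 spots in post 15. This is an added example, not code from the thread: `looks_like_pe`, `audit_appinit`, the sample bytes and the fake file system are constructed assumptions, and the real sol852.txt is not reproduced.

```python
import re
import struct

# AppInit_DLLs load value quoted in the thread (HijackThis O20 line).
APPINIT_VALUE = r"C:\WINDOWS\System32\sol852.txt"

def looks_like_pe(data: bytes) -> bool:
    """Return True if data carries a DOS 'MZ' stub whose e_lfanew field
    (offset 0x3C) points at a 'PE\\0\\0' signature, i.e. it is a Windows
    executable image regardless of the extension on the file name."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 4 > len(data):
        return False
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"

def audit_appinit(value: str, read_file) -> list:
    """Split an AppInit_DLLs value (comma/space separated paths) and report
    each entry that is unreadable or is a PE image without a .dll extension.
    read_file(path) returns the file bytes, or None if it cannot be read."""
    findings = []
    for path in re.split(r"[,\s]+", value.strip()):
        if not path:
            continue
        ext = path.rsplit(".", 1)[-1].lower() if "." in path else ""
        data = read_file(path)
        if data is None:
            findings.append((path, "unreadable"))
        elif looks_like_pe(data) and ext != "dll":
            findings.append((path, "PE image with ." + ext + " extension"))
    return findings

# Constructed sample: a minimal MZ stub with e_lfanew = 0x40, followed by the
# PE signature and padding. It is not the real sol852.txt and cannot execute.
SAMPLE_PE = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40) + b"PE\0\0" + b"\0" * 20
SAMPLE_TXT = b"QWERTY\r\n"

# Constructed fake file system standing in for reads from System32.
FAKE_FS = {
    APPINIT_VALUE: SAMPLE_PE,
    r"C:\WINDOWS\System32\notes.txt": SAMPLE_TXT,
}

def demo() -> list:
    value = APPINIT_VALUE + r",C:\WINDOWS\System32\notes.txt"
    return audit_appinit(value, lambda p: FAKE_FS.get(p))

if __name__ == "__main__":
    for path, why in demo():
        print(path, "->", why)
```

On a live system the same check reads the AppInit_DLLs value from HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows and opens each listed path in binary mode; an entry that resists opening in normal mode (as kazek saw) shows up as "unreadable".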
     
  16. Vmscon

    Vmscon Registered Member

    Joined:
    Dec 10, 2007
    Posts:
    2
    Hi,

    I have the same issue with that sol852.txt file. I also could not view it. I tried using the Ice program to delete it, but after deletion and boot up, it'd be there again.

    But, in Safe Mode, I was able to view the txt file and replace its content. After that, I rebooted into Normal mode and used the Ice program to delete it. That seemed to remove it.

    The laptop is still running screwy, so I'm sure I have more malware to find. But wanted to give you guys a heads up on another possible method.

    Thanks
     
  17. thanatos_theos

    thanatos_theos Registered Member

    Joined:
    Apr 28, 2007
    Posts:
    540
    Post a hijackthis log in one of the forums listed here.

    thanatos
     
  18. HURST

    HURST Registered Member

    Joined:
    Jul 20, 2007
    Posts:
    1,419
    Maybe you could PM fcukdat, he helped me A LOT with a malware infection, which among others had this sol852. I hope he's not too busy....:D
    Then again, posting a HJT log in a specialized forum would be the best move.
     
  19. Vmscon

    Vmscon Registered Member

    Joined:
    Dec 10, 2007
    Posts:
    2
    Thanks for the response guys. I replied to whom you advised.

    My original post was meant as a heads up to anyone who was passing by this forum, as I was, for a possible solution to editing the content of the sol852.txt file.

    At the end of it all, after successfully removing all the malware (Winter.exe was there too), I somehow managed to remove something by mistake, and locked myself out with a lsass error. So I re-installed windows, retained ownership of the original data files, cleaned up the mess, and the laptop is as good as it used to be, without the viruses.

    So thanks guys, the information here, coupled with bits and pieces of other forums, helped a great deal.
     