> > The worst part is: if a 2008 virus can enter a fully protected, fully
> > patched windows xp... there should be some other 0-day exploit in the
> > wild.
>
> Actually, the real "worst" part is that you thought your system was
> "fully protected" when it very clearly wasn't even marginally protected.
There have been several computers (mine 2 were fully patched and with
1 or 2 anti-malware) that were infected at about the same time in
Italy with the same malware (symptoms are the same).
Of course they were SUPPOSED to be protected... and in fact I'm
cooperating with my av vendor to try to understand HOW they got
infected, if by a 0-day exploit or by a "hole" in my setup....
I am afraid we have a very serious threat developing.
My configuration: XP (english) with SP3 and many security patches, no
automatic update.
Firefox 3.0.7, english.
NO peer-to-peer or ftp done ever.
HP Compaq nx7400, laptop october 2006.
Windows firewall: off
Hardware firewall : US Robotics wireless maxg router: ON.
Wired connection, cable.
Antivirus/protection software : None. I never download anything from
unknown sources and/or open spam. Only open attachments from known
senders. NEVER got a virus or malware in 15 years of internet. I have
been working in the pc business for 20+years, do all checking/cleaning
myself.
I usually shop on ebay, use yahoo mail and hotmail and have a couple of
bank e-accounts with one time password generator.
Location : Italy and Eastern Europe.
Symptoms: Around April 1st my pc froze a couple of times. Not unusual
with XP.
Around April 16th a blue screen of death. Unusual, so I reset and
decided to investigate.
Tried to open command. Got the following "ntvdm has encountered a
system error c0h. Choose 'Close' to terminate the application Close or
Ignore".
Could not type in the "command" window.
Tried to open cmd instead, worked fine.
Search on web, found VERY FEW links to c0h error, mostly from Italy and
Czech republic. Now I am close to Czech and open a lot of Italian
webpages (I am Italian), especially news AND banking. Scary.
Checked unusual activities on Task Manager. None.
Checked Services.msc. Nothing.
Checked Control Panel/ Add-remove programs. Nothing.
Checked unusual network traffic. None.
Checked msconfig. Nothing unusual.
Checked C:\WINDOWS\Temp\
Found following files (HIDDEN!): rg4sfay, ydf8dk, xsw2.
You can open these with notepad only, not cancel or rename because they
are "in use by another person or program".
Downloaded process explorer from microsoft
'Process Explorer'
(http://technet.microsoft.com/en-us/s.../bb896653.aspx)
checked for open file handles (in the listbox below), found
file references to \WINDOWS\TEMP\rg4sfay and ydf8dk, NOT xsw2.
found strange file references to \Device\NamedPipe\!win$ .
I disconnected immediately and used another pc.
Now the scary part.
Opened rg4sfay (approx 224kbytes): it contained ALL password I used and
all form input I made in the last 2 weeks, including ALL my sent email
messages and one time passwords for e-banking.
NOTE: Although it contained data until April 16th, the file shows to
have been last modified on April 1st.
Opened ydf8dk, could not identify anything.
Looks like it is a Mebroot/Sinowal/MBR/Torpig variant SO FAR UNDETECTED
and very difficult to find for non-experts!! Please check your PCs!
Found this article
'TrustDefender Labs New Mebroot/Sinowal/MBR/Torpig variant in the wild
- virtually undetected and more dangerous than ever'
(http://tinyurl.com/dhgvu2)
where it is said that
"In fact I haven’t seen a single Antivirus Engine so far that can
detect that Torpig is active." as of April 4th.
Some people say it may come through browser when you open an acrobat
file.
Found 2 possible solutions today but I am so scared I did not use them
yet.
'|MG| Dr.Web CureIT 5.00.2 (4.16..2009)'
(http://www.majorgeeks.com/Dr.Web_CureIT_d4783.html)
'Boot.Mebroot : Virus Solution and Removal'
(http://www.precisesecurity.com/threats/bootmebroot/)
Has anyone already tried the previous solutions? Any more ideas?
Ok tried Dr.Web CureIT, worked 30 minutes, quarantined 2 files, problem
persisted.
BUT!!!
Solution is very easy!!
1) disable system restore (just in case)
2) clean up c:/windows/prefetch (just in case again)
3) go to 'Stealth MBR rootkit' (http://www2.gmer.net/mbr/) , download
the .exe at bottom of page and run it 3 times as described FROM SAFE
MODE of course.
4) restart and enable system restore.
now you can delete the 2 files and process explorer shows nothing
suspicious!!!
As a bonus, after deleting prefetch my pc starts faster, in half the time
as before!!!!
Found the mbr solution in an Italian forum
'Guida alla rimozione MASTER BOOT RECORD ROOTKIT - MBR ROOTKIT -
Hardware Upgrade Forum'
(http://www.hwupgrade.it/forum/showthread.php?t=1715546)
looks like in Italy there are many similar cases.
Bye all! I am very happy!
Sorry to trouble you on this but I'm a bit of a layman when it comes to working with computers....(I know enough to get into trouble). I've had the exact same problems you describe (just started around 5/19) and would like to fix....tried all virus scans including McAfee & Spybot, but nothing is found/fixed that I can understand-problem persists-can't run any older 16bit ms dos programs.
I just need a bit more step by step instructions in response to the last posting (below)- if someone can answer my questions, that would be great and Thanks for this! (underline & bolded below):
Ok tried Dr.Web CureIT, worked 30 minutes, quarantined 2 files, problem
persisted. - What is this? Do I need to run this first?
BUT!!!
Solution is very easy!!
1) disable system restore (just in case) - where is the easiest place to go to do this?
2) clean up c:/windows/prefetch (just in case again)
3) go to 'Stealth MBR rootkit' (Stealth MBR rootkit) , download
the .exe at bottom of page and run it 3 times as described FROM SAFE
MODE of course. What is the easiest way to get into "safe mode?"
4) restart and enable system restore.
now you can delete the 2 files and process explorer shows nothing
suspicious!!! How do I find the 2 files to delete - is that from the scan in step 1? Would my Spybot have already isolated??
As a bonus, after deleting prefetch my pc starts faster, in half time
as before!!!!
Hi Howardo
____________________
Ok tried Dr.Web CureIT, worked 30 minutes, quarantined 2 files, problem
persisted. - What is this? Do I need to run this first?
NO, skip it
____________________
1) disable system restore (just in case) - where is the easiest place
to go to do this?
Right click on "My computer" icon, choose "properties", choose the tab
"system restore" and click on "disable it on all drives"
____________________
What is the easiest way to get into "safe mode"?
Switch off pc.
Switch your pc on and press the key f8 almost immediately, while a
black screen appears. You will be shown different boot options, and safe
mode is one of them.
____________________
How do I find the 2 files to delete - is that from the scan in step 1? Would my Spybot
have already isolated??
No, just go to C:\WINDOWS\Temp\
Delete following files rg4sfay, ydf8dk, xsw2.
If you do not see them it may be because they are "hidden"
While in C:\WINDOWS\Temp\ open "Tools", "Folder Options", click on
the tab View and click on "Show hidden files and folders".
_____________________
At the end, enable system restore using the same procedure as before.
Let me know if ok
good luck
ppp64-
Thanks for helping out. I tried everything you suggested, but none of the files you named (rg4sfay, ydf8dk or xsw2) were in the windows temp files to delete (and yes, I did look in hidden files as well). Still getting the same error message:
Under 16bit windows subsystem:
NTVDM has encountered a System Error
NTVD has encountered a system error at c0h. Choose close to terminate the application.
device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
copy of MBR has been found in sector 0x04A7D57E
malicious code @ sector 0x04A7D581 !
PE file found in sector at 0x04A7D597 !
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.
A couple of comments:
1- I'm a bit concerned because a bunch of websites say this mbr.exe is a virus or threat of some kind all on its own (great, what have I done?)
2- Assuming it's not, it says that it did detect an infection and to use mbr.exe -f to fix. How does one do that? Is that another program somewhere to download?? Is it already in mbr.exe?
3- Thanks for your patience.....I'm starting to go crazy with this error
Anything you can do to help would be greatly appreciated...Thanks!
Howardo
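The mbr.exe output above reports a relocated copy of the original MBR at one sector and malicious code at another. As an added illustration (not code from this thread or from GMER's mbr.exe), here is a Python check of the same idea: compare sector 0 of a raw disk image against a trusted MBR backup and, if the boot code differs, search the image for the displaced original. The image and the "clean" MBR are constructed inline; a real run would read an image acquired from the suspect disk while booted from clean media.

```python
SECTOR = 512
MBR_CODE_LEN = 440  # boot code; the disk signature and partition table follow it


def read_sector(image: bytes, lba: int) -> bytes:
    return image[lba * SECTOR:(lba + 1) * SECTOR]


def check_mbr(image: bytes, known_good: bytes) -> dict:
    """Compare sector 0 of `image` with a trusted MBR backup. If the boot code
    differs, scan the rest of the image for a sector whose boot code matches the
    backup: MBR rootkits keep the original MBR elsewhere so they can chain-load it."""
    mbr = read_sector(image, 0)
    result = {
        "signature_ok": mbr[510:512] == b"\x55\xAA",
        "code_modified": mbr[:MBR_CODE_LEN] != known_good[:MBR_CODE_LEN],
        "original_copy_lba": None,
    }
    if result["code_modified"]:
        needle = known_good[:MBR_CODE_LEN]
        for lba in range(1, len(image) // SECTOR):
            if read_sector(image, lba)[:MBR_CODE_LEN] == needle:
                result["original_copy_lba"] = lba
                break
    return result


def build_sample_image(total_sectors: int = 64, hide_at: int = 40):
    """Constructed sample data (not a real disk): returns (clean_mbr, image) where
    sector 0 of `image` has its boot code replaced by filler bytes and the clean
    MBR has been copied to sector `hide_at`, mimicking the layout mbr.exe reports."""
    clean = bytes([0xFA, 0x33, 0xC0, 0x8E, 0xD0]) + b"\x90" * (MBR_CODE_LEN - 5)
    clean += b"\x00" * (510 - MBR_CODE_LEN) + b"\x55\xAA"
    sectors = [bytearray(SECTOR) for _ in range(total_sectors)]
    sectors[hide_at][:] = clean                        # displaced original MBR
    tampered = bytearray(clean)
    tampered[:MBR_CODE_LEN] = b"\xCC" * MBR_CODE_LEN   # placeholder for foreign boot code
    sectors[0][:] = tampered
    return clean, bytes(b"".join(sectors))


def report(result: dict) -> str:
    """Render the findings in the same hex-sector style as the mbr.exe output."""
    if not result["code_modified"]:
        return "MBR boot code matches backup; no rootkit indicators found."
    line = "MBR boot code differs from backup!"
    if result["original_copy_lba"] is not None:
        line += f" copy of MBR has been found in sector 0x{result['original_copy_lba']:08X}"
    return line


if __name__ == "__main__":
    clean_mbr, disk = build_sample_image()
    print(report(check_mbr(disk, clean_mbr)))
```

Reading through a live, infected Windows is unreliable because the rootkit can hand back a clean-looking sector 0 (mbr.exe's separate "user" and "kernel" reads exist for exactly that reason), so take the image offline.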
PPR64-
I finally figured out how to use MBR and fixed the error message. I also used the "notebook rg4sfay" look up and saw all of my passwords (also found junk doing this for the other two files)-SHOCKING! I still can't find the darn files to delete them! They don't come up on searches, manual or automated, or in hidden files. Where/how can I locate the darn things to delete them?
Thanks
HO
Hi,
sorry for the delay.
Glad to hear you are making progress!!
I confirm that if you downloaded MBR from their site it is safe. Many
people say that xyz file or program is a virus without any knowledge, so
do not worry. Also, some anti-virus programs give a false positive
reading on MBR and GMER so do not worry.
I have one question for you: error messages appeared when you tried to
run "command" or "cmd"??
The files containing your passwords should be in C:\WINDOWS\Temp\, but
maybe you have a different version of the trojan.
In any case they should definitely come out with a search in hidden
files, maybe you did not activate the right option. Now that you have
stopped the trojan, those files can (MUST!) be cancelled so make another
search in C: (just right click on the C: icon if you have it on desktop
or use the search option on top if you are in explorer) and be SURE that
you activate all the "more advanced options" like search in system
folders, in subfolders and search for hidden files!!
Let me know.
I am having the very same problems but I can not locate these files.
I've checked to make sure that I can see the hidden files and I have
done several searches and still nothing. What should I do??
Hi!
My best guess is that you have a newer version of the trojan which may
use different file names. Close all your applications and go check the
C:\WINDOWS\Temp\ directory again, try to clean it, and if any file(s)
refuses to be cancelled that could be it.
This is just a first step because I do NOT know if newer versions use
other directories.
Let me know your results.