HTFC Forums (How To Fix Computers) - Windows XP
Thread: NTVDM and error C0H
#21  07-27-2009, 03:11 AM
Joseph225 (Guest)
Re: NTVDM and error C0H


I don't know how to clean it. I'm not bad with computers but there's a lot I
don't know. So how do I clean it?


--
Joseph225
#22  07-27-2009, 09:25 AM
ppp64 (Guest)
Re: NTVDM and error C0H


You just have to exit all applications (like browser, messenger,
Skype...) and delete all files in C:\WINDOWS\Temp\
If any files refuse to be deleted because they are "in use by another
person or program", report their names here.


--
ppp64
#23  07-28-2009, 02:25 AM
Joseph225 (Guest)
Re: NTVDM and error C0H



OMG, I have to delete every single file that I can. What if it says it's a
system file? Should I delete that also?


--
Joseph225
#24  07-28-2009, 07:42 AM
ppp64 (Guest)
Re: NTVDM and error C0H



1) Delete files ONLY in the directory C:\WINDOWS\Temp\ !!!!!!!
2) This is a temporary directory; there are no system files in it.
3) To do this, just highlight all filenames in the directory and delete.
It's a 10-second job. If any file(s) refuse to be deleted, skip them
and proceed to delete the remaining ones, until only files that refuse to be
deleted remain. Then report their names here.


--
ppp64
#25  07-28-2009, 08:46 AM
Joseph225 (Guest)
Re: NTVDM and error C0H



Files that were system files in the temp folder:
$67we.$
$$$dqse
$$yt7$$
xsw2


Files that could not be deleted:
msmsc_cLrHULm37faJYsA
msmsc_idsRxUnf7xhuf3
Peflib_Perfada ta_42c.dat
macfee_MV88XuDDC8x5gc2
macfee_ne0vyLumt9ieGIQ

Now, I don't know if this affects anything, but I have two accounts
on my computer. One is my mom's and the other is mine.
Also, macfee is the name of my virus scanner. Everything else I have no
clue about.


--
Joseph225
#26  07-28-2009, 01:57 PM
ppp64 (Guest)
Re: NTVDM and error C0H


Yes, I can confirm you got the latest version of a very nasty trojan.
Read this very recent article for more details.

'TrustDefender Labs The nastiest ebanking trojan mebroot just got
nastier' (http://tinyurl.com/n87eq3)

First we must know how you got it, because if we clean it but leave
the door open you may catch it again. The "old" version came through
Acrobat Reader, but the updated versions of the reader do not allow the
trojan to work. You must open Acrobat Reader and then look in Help > About
and read which version you have. I suspect you have version 7.x or 8.x.
Please post it here ASAP!! In any case, update immediately to Reader
version 9.0 or later.
By the way, how did you realize you got the trojan? How did the error
message come up on your screen the first time? Were you trying to use a
16-bit game, or a command screen? Please tell us.

Now, the real problem is that your passwords are now encrypted in the

$$$dqse
$$yt7$$

files. These are the files you should delete.
You should also delete

$67we.$
xsw2

The msmsc, macfee and perflib_perfdata files should be OK.

Later, of course, you should eradicate the trojan.

Unfortunately, at this moment I only know how to delete the files but
NOT how to eradicate the trojan. It seems that this new version is so
smart it makes all known solutions obsolete.
I will research the web for you and let you know ASAP.
I also asked TrustDefender Labs to help me.
Meanwhile, do NOT use e-banking or brokerage accounts on that PC if you
can.
You should also go on another PC and change the e-banking passwords (and
maybe email/messenger/whatever passwords) you have typed on the infected
PC since you discovered the trojan.
Do all this ASAP and report back what I asked you, please!!


--
ppp64
#27  07-28-2009, 09:41 PM
Joseph225 (Guest)
Re: NTVDM and error C0H


Well, I deleted the xsw2 but the other three couldn't be deleted.

As for Acrobat, I couldn't find out where to download the latest
version, so if you could provide a link that would be much appreciated. I
think I had version 7.

As for how I found out about all this: I just turned on my computer and
while it was loading the error message popped up saying NTVDM could not
run subsystem c0h. That's not the exact message but that's what it was
basically saying. Ever since then my IE has been shutting down for no
reason at random times. So I researched it and found this. I had most of
the symptoms but none of the files. Until now, of course.

Now, for the e-banking, my mom controls all of that so it can't be done
until she gets home, and I don't know another computer we can change the
passwords from. So that might be trouble.

Also, my IE has this feature called InPrivate Browsing. It doesn't save
passwords, login names, or even the URLs that you type in. So I was
wondering if using that would help.


--
Joseph225
#28  07-29-2009, 09:07 AM
ppp64 (Guest)
Re: NTVDM and error C0H


If you have an old Acrobat Reader then almost certainly that is where the
problem came from. Download it here

'Adobe - Adobe Reader download - All versions'
(http://get.adobe.com/reader/)

if you have XP, otherwise here

'Adobe - Adobe Reader download - All versions'
(http://get.adobe.com/reader/otherversions/)

About the e-banking, my advice is to change access passwords immediately.
This could be a very serious threat to your security and your money. If
your mom has a system where a one-time password is needed (like a small
gizmo the size of a pendrive that generates codes for your access) you
are in better shape, but it depends very much on the quality of the access
codes and algorithm implemented by your bank, so you are never 100% safe.

About IE, I am afraid that feature does not help because the trojan
records everything you type in a browser window on the fly, just as you
type it, so it does not use other software's archive. In fact it also
records the text of your outgoing emails.

In order to clean your PC, as a first step update Acrobat Reader. Then
we can try to remove the trojan with some software, but I am not sure it
will work.

1) Disable System Restore: right-click on the "My Computer" icon, choose
"Properties", choose the "System Restore" tab and click on "Disable it
on all drives".
2) Go to 'Stealth MBR rootkit' (http://www2.gmer.net/mbr/),
go straight down to the end of the page and click on the link "mbr.exe" to
download it; save it on the disk in the root directory (that is, in C:\).
3) Change its name from mbr.exe to mtest.exe, because some versions of
the trojan recognize mbr and stop it immediately.
4) Click Start / Run and type "cmd" (without quotes) in the input line,
then click OK.
5) A black window appears; type "cd .." (no quotes again) until it
shows you are in C:\>, then type "mtest" (no quotes) and press Enter.
6) You will get some message saying you are infected; write it down.
7) Switch off the PC.
8) Switch your PC on and press the F8 key almost immediately, while a
black screen appears. You will be shown different boot options, and Safe
Mode is one of them.
9) Once in Safe Mode, click Start / Run and type "cmd" in the input
line, then click "OK".
10) A black window appears; type "cd .." (no quotes again) until it
shows you are in C:\>, then type "mtest -f" (no quotes) and press Enter.
11) Write down whatever message appears.
12) Switch off the PC.
13) Switch on the PC in the normal way.
14) Click Start / Run and type "cmd" in the input line, then click "OK".
15) A black window appears; type "cd .." (no quotes again) until it
shows you are in C:\>, then type "mtest" (no quotes) and press Enter.
16) Write down whatever message appears.
17) Go to C:\WINDOWS\Temp\ and try to delete those $67we.$, $$$dqse,
$$yt7$$ files.
18) Re-enable System Restore: right-click on the "My Computer" icon,
choose "Properties", choose the "System Restore" tab and click on
"Enable it on all drives".


Please report here the messages you got and whether you were able to delete
the files in the end.


--
ppp64
#29  07-29-2009, 08:51 PM
Joseph225 (Guest)
Re: NTVDM and error C0H


Here are the messages I got:
1st message:
device: opened successfully
user: MBR read successfully
Kernel: MBR read successfully
copy of MBR has been found in sector 0x06FBFEFE
malicious code @ sector 0x06FBFF01
PE file found in sector at 0x06FBFF17
use mbr.exe -f to fix

2nd message:

This was all the same, except at the end, after "use mbr.exe -f to
fix", it also said "Original MBR restored".

3rd message:
device: opened successfully
user: MBR read successfully
Kernel: MBR read successfully
user & kernel MBR OK
copy of MBR has been found in sector 0x06FBFEFE
malicious code @ sector 0x06FBFF01
PE file found in sector at 0x06FBFF17

These are the messages I got.

I was able to delete those three files $67we.$, $$$dq3e, and
$$yt7$$.

I really do hope this is the end of it, but those last three
lines of the 3rd message tell me it might not be.


--
Joseph225
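As an added example (not from the thread, and not part of GMER's mbr.exe), a small Python parser for the mbr.exe reports quoted above, which makes explicit the decision the thread reaches by hand: "use mbr.exe -f to fix" means the MBR is hooked, "Original MBR restored" means the -f run in safe mode worked, and "user & kernel MBR OK" together with remaining "malicious code" sectors means the boot code is clean but the bootkit's body is still parked on disk. The sample lines are constructed from the 1st and 3rd runs posted above; 512-byte sectors are an assumption, under which the flagged sectors convert to an offset of roughly 60 GB, i.e. the tail end of the disk where Mebroot is known to store its body.

```python
import re
SECTOR_BYTES = 512  # assumption: classic 512-byte sectors
# Constructed samples: the 1st and 3rd mbr.exe runs quoted in the thread, with
# the three "opened/read successfully" banner lines left out.
RUN_BEFORE_FIX = """\
copy of MBR has been found in sector 0x06FBFEFE
malicious code @ sector 0x06FBFF01
PE file found in sector at 0x06FBFF17
use mbr.exe -f to fix
"""
RUN_AFTER_FIX = """\
user & kernel MBR OK
copy of MBR has been found in sector 0x06FBFEFE
malicious code @ sector 0x06FBFF01
PE file found in sector at 0x06FBFF17
"""
_SECTOR = re.compile(r"sector(?: at)? (0x[0-9A-Fa-f]+)")
def parse_mbr_report(text):
    """Extract hook status, the stashed MBR backup and the sectors with foreign code."""
    r = {"hooked": False, "mbr_ok": False, "restored": False,
         "mbr_copy": None, "malicious": [], "pe_files": []}
    for line in text.splitlines():
        m = _SECTOR.search(line)
        sector = int(m.group(1), 16) if m else None
        if line.startswith("use mbr.exe -f"):
            r["hooked"] = True       # tool saw a tampered MBR and wants to fix it
        elif line.startswith("user & kernel MBR OK"):
            r["mbr_ok"] = True       # user-mode and kernel-mode reads agree and are clean
        elif line.startswith("Original MBR restored"):
            r["restored"] = True     # the -f run wrote the saved original back
        elif line.startswith("copy of MBR"):
            r["mbr_copy"] = sector   # where the bootkit parked the original MBR
        elif line.startswith("malicious code"):
            r["malicious"].append(sector)
        elif line.startswith("PE file"):
            r["pe_files"].append(sector)
    return r
def verdict(report):
    """The decision the thread reaches by hand, made explicit."""
    leftovers = report["malicious"] + report["pe_files"]
    if report["restored"]:
        return "restored: re-run in normal mode to confirm the MBR stays clean"
    if report["hooked"]:
        return "infected: MBR hooked, boot code under attacker control"
    if report["mbr_ok"] and leftovers:  # inert without the hook, but wipe and keep re-checking
        return "MBR clean, bootkit body still on disk at sectors %s" % leftovers
    return "clean" if report["mbr_ok"] else "inconclusive"
def sector_offset_gb(sector):
    """Byte offset of a sector in GB: ~60 GB here, i.e. the tail end of the disk."""
    return sector * SECTOR_BYTES / 1e9
```

The 3rd run in the thread lands in the "MBR clean, bootkit body still on disk" branch, which is exactly why the poster's worry about those last three lines was justified even after the hook was removed.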
#30  07-29-2009, 09:48 PM
ppp64 (Guest)
Re: NTVDM and error C0H


Great news!!
If you were able to delete those nasty files, it means the trojan is no
longer active!
Moreover, if you updated Acrobat Reader you should not get it again.
The fact that mbr keeps giving you a warning signal may happen
sometimes. It happened to me as well. What is really important is that
those files are GONE.
Now change your passwords and you will have closed any possible access to
people who might have received your old passwords through the trojan.
Congratulations, I think you're OK now!!!
Just as a matter of precaution, in the coming days check that those
files are NOT there again. It may happen that these trojans stay silent
for a while and then try to install themselves. So if you got it once,
you may well have gotten it two or three times, and other copies are still
sleeping on your disk. It is a very low chance, and if you do not see
those files appear again in the next 1 or 2 weeks you are definitely out
of trouble.
Good job!


--
ppp64