Windows XP forum - Discuss the Microsoft Windows XP Operating System
#16
Re: NTVDM and error C0H

ppp64 - Thanks for helping out. I tried everything you suggested, but none of the files you named (rg4sfay, ydf8dk or xsw2) were in the Windows temp files to delete (and yes, I did look in hidden files as well). Still getting the same error message:

Under 16bit windows subsystem: NTVDM has encountered a System Error
NTVDM has encountered a system error at c0h. Choose close to terminate the application.

Here is what the MBR program came up with:

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.6 by Gmer, 'GMER - Rootkit Detector and Remover' (http://www.gmer.net)
device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
copy of MBR has been found in sector 0x04A7D57E
malicious code @ sector 0x04A7D581 !
PE file found in sector at 0x04A7D597 !
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.

A couple of comments:
1- I'm a bit concerned because a bunch of websites say this mbr.exe is a virus or threat of some kind all on its own (great, what have I done?)
2- Assuming it's not, it says that it did detect an infection and to use mbr.exe -f to fix. How does one do that? Is that another program somewhere to download? Is it already in mbr.exe?
3- Thanks for your patience... I'm starting to go crazy with this error. Anything you can do to help would be greatly appreciated... Thanks!
Howardo
|
#17
Re: NTVDM and error C0H

ppp64 - I finally figured out how to use MBR and fixed the error message. I also used the "notebook rg4sfay" look up and saw all of my passwords (also found junk doing this for the other two files) - SHOCKING! I still can't find the darn files to delete them! They don't come up on searches, manual or automated, or in hidden files. Where/how can I locate the darn things to delete them? Thanks
HO
|
#18
Re: NTVDM and error C0H

Hi, sorry for the delay. Glad to hear you are making progress!! I confirm that if you downloaded MBR from their site it is safe. Many people say that xyz file or program is a virus without any knowledge, so do not worry. Also, some anti-virus programs give a false positive reading on MBR and GMER, so do not worry.

I have one question for you: did the error messages appear when you tried to run "command" or "cmd"?

The files containing your passwords should be in C:\WINDOWS\Temp\, but maybe you have a different version of the trojan. In any case they should definitely come out with a search in hidden files; maybe you did not activate the right option. Now that you have stopped the trojan, those files can (MUST!) be cancelled, so make another search in C: (just right click on the C: icon if you have it on the desktop, or use the search option on top if you are in Explorer) and be SURE that you activate all the "more advanced options" like search in system folders, in subfolders and search for hidden files!! Let me know.
|
#19
Re: NTVDM and error C0H

I am having the very same problems but I cannot locate these files. I've checked to make sure that I can see the hidden files and I have done several searches and still nothing. What should I do?
|
#20
Re: NTVDM and error C0H

Hi! My best guess is that you have a newer version of the trojan which may use different file names. Close all your applications and go check the C:\WINDOWS\Temp\ directory again, try to clean it, and if any file(s) refuses to be cancelled that could be it. This is just a first step because I do NOT know if newer versions use other directories. Let me know your results.
|
#21
Re: NTVDM and error C0H

I don't know how to clean it. I'm not bad with computers but there's a lot I don't know. So how do I clean it?
|
#22
Re: NTVDM and error C0H

You just have to exit all applications (like browser, messenger, Skype...) and delete all files in C:\WINDOWS\Temp\. If any file refuses to be deleted because it is "in use by another person or program", report its name here.
|
#23
Re: NTVDM and error C0H

OMG, I have to delete every single file that I can? What if it says it's a system file? Should I delete that also?
|
#24
Re: NTVDM and error C0H

1) delete files ONLY in directory C:\WINDOWS\Temp\ !!!!!!!
2) this is a temporary directory, no system files in it.
3) to do this just highlight all filenames in the directory and delete. It's a 10 seconds job.

If any file(s) refuses to be cancelled, skip it and proceed to cancel the remaining, until only files that refuse to be cancelled remain. Then report their names here.
|
#25
Re: NTVDM and error C0H

Files that were system files in the temp folder:
$67we.$
$$$dqse
$$yt7$$
xsw2

Files that could not be deleted:
msmsc_cLrHULm37faJYsA
msmsc_idsRxUnf7xhuf3
Peflib_Perfada ta_42c.dat
macfee_MV88XuDDC8x5gc2
macfee_ne0vyLumt9ieGIQ

Now I don't know if this affects anything, but I have two accounts on my computer. One is my mom's and the other is mine. Also macfee is the name of my virus scanner. Everything else I have no clue about.
|
#26
Re: NTVDM and error C0H

Yes, I can confirm you got the latest version of a very nasty trojan. Read this very recent article for more details: TrustDefender Labs - The nastiest ebanking trojan mebroot just got nastier.

First we must know how you got it, because if we clean it but leave the door open you may get it again. The "old" version came through Acrobat Reader, but the updated versions of the reader do not allow the trojan to work. You must open Acrobat Reader and then look in Help-About and read which version you have. I suspect you have version 7.x or 8.x. Please post it here ASAP!! In any case update immediately to Reader version 9.0 or following.

By the way, how did you realize you got the trojan? How did the error message come on your screen the first time? Were you trying to use a 16 bit game, or a command screen? Please tell us.

Now, the real problem is that your passwords are now encrypted in the $$$dq3e (not dqse as you wrote) and $$yt7$$ files. These are the files you should delete. You should also delete $67we.$ and xsw2. The msmsc, macafee and perflib_perfdata files should be ok.

Later, of course, you should eradicate the trojan. Unfortunately, at this moment I only know how to cancel the files but NOT how to eradicate the trojan. It seems that this new version is so smart it makes all known solutions obsolete. I will research the web for you and let you know ASAP. I also asked TrustDefender Labs to help me.

Meanwhile do NOT use ebanking or brokerage accounts on that PC if you can. You should also go on another PC and change the ebanking passwords (and maybe email/messenger/whatever passwords) you have typed on the infected PC since you discovered the trojan. Do all this ASAP and report back what I asked you please!!

Last edited by ppp64; 07-28-2009 at 05:07 AM.
|
#27
Re: NTVDM and error C0H

Well, I deleted the xsw2 but the other three couldn't be deleted. As for the Acrobat, I couldn't find out where to download the latest version, so if you could provide a link that would be much appreciated. I think I had version 7.

As for how I found out about all this: I just turned on my computer and while it was loading the error message popped up saying NTVDM could not run subsystem c0h. That's not the exact message but that's what it was basically saying. Ever since then my IE has been shutting down for no reason at random times. So I researched it and found this. I had most of the symptoms but none of the files. Until now of course.

Now for the ebanking, my mom controls all of that so it can't be done until she gets home, and I don't know another computer we can change the passwords from. So that might be trouble. Also my IE has this feature called InPrivate browsing. It doesn't save passwords, login names, or even the URLs that you type in. So I was wondering if using that would help.

Last edited by Joseph225; 07-28-2009 at 12:50 PM.
|
#28
Re: NTVDM and error C0H

If you have an old Acrobat Reader then almost certainly that is where the problem came from. Download it here: Adobe - Adobe Reader download - All versions if you have XP, otherwise here: Adobe - Adobe Reader download - All versions.

About the ebanking, my advice is to change access passwords immediately. This could be a very serious threat to your security and your money. If your mom has a system where a one-time password is needed (like a small gizmo the size of a pendrive that generates codes for your access) you are in better shape, but it depends very much on the quality of access codes and algorithm implemented by your bank, so you are never 100% safe.

About IE, I am afraid that feature does not help because the trojan records everything you type in a browser window on the fly, just as you type it, so it does not use other software's archive. In fact it records also the text of your outgoing emails.

In order to clean your PC, as a first step update Acrobat Reader. Then we can try to remove the trojan with some software, but I am not sure it will work.

1) disable system restore: Right click on the "My computer" icon, choose "properties", choose the tab "system restore" and click on "disable it on all drives"
2) go to Stealth MBR rootkit, go straight down to the end of the page and click on the link "mbr.exe" to download it; save it on the disk in the root directory (that is in C:\)
3) change its name from mbr.exe to mtest.exe because some versions of the trojan recognize mbr and stop it immediately
4) click Start / Run and type "cmd" (without quotes) in the input line, then click ok
5) a black window appears; type "cd .." (no quotes again) until it shows you are in C:\> then type "mtest" (no quotes) and enter
6) you will get some message saying you are infected; write it down.
7) Switch off the PC.
8) Switch your PC on and press the key F8 almost immediately, while a black screen appears. You will be shown different boot options, and safe mode is one of them.
9) once in safe mode, click Start / Run and type "cmd" in the input line, then click "ok"
10) a black window appears; type "cd .." (no quotes again) until it shows you are in C:\> then type "mtest -f" (no quotes) and enter
11) write down whatever message appears.
12) switch off the PC
13) switch on the PC in the normal way.
14) click Start / Run and type "cmd" in the input line, then click "ok"
15) a black window appears; type "cd .." (no quotes again) until it shows you are in C:\> then type "mtest" (no quotes) and enter
16) write down whatever message appears.
17) go to C:\WINDOWS\Temp\ and try to cancel those $67we.$, $$$dqse, $$yt7$$ files.
18) re-enable system restore: Right click on the "My computer" icon, choose "properties", choose the tab "system restore" and click on "enable it on all drives"

Please report here the messages you got and whether you were able to cancel the files in the end.
|
#29
Re: NTVDM and error C0H

Here are the messages I got:

1st message:
device: opened successfully
user: MBR read successfully
Kernel: MBR read successfully
copy of MBR has been found in sector 0x06FBFEFE
malicious code @ sector 0x06FBFF01
PE file found in sector at 0x06FBFF17
use mbr.exe -f to fix

2nd message: this was all the same except at the end, after "use mbr.exe -f to fix", it also said:
Original MBR restored

3rd message:
device: opened successfully
user: MBR read successfully
Kernel: MBR read successfully
user & kernel MBR OK
copy of MBR has been found in sector 0x06FBFEFE
malicious code @ sector 0x06FBFF01
PE file found in sector at 0x06FBFF17

These are the messages I got. I was able to delete those three files $67we.$, $$$dq3e, and $$yt7$$. I really do hope this is the end of it, but those last three lines of the 3rd message tell me it might not be.
|
#30
Re: NTVDM and error C0H

Great news!! If you were able to cancel those nasty files it means the trojan is no longer active! Moreover, if you updated Acrobat Reader you should not get it again. The fact that mbr keeps giving you a warning signal may happen sometimes. It happened to me as well. What is really important is that those files are GONE. Now change your passwords and you have closed any possible access to people who might have received your old passwords through the trojan. Congratulations, I think you're ok now!!!

Just as a matter of precaution, in the coming days check that those files are NOT there again. It may happen that these trojans stay silent for a while and then try to install themselves. So if you got it once, you may well have gotten it two or three times, and other copies are still sleeping on your disk. It is a very low chance, and if you do not see those files appear again in the next 1 or 2 weeks you are definitely out of trouble. Good job!
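The three mbr.exe runs quoted in #29 (and the one in #16) differ only in a few lines, and reading them by eye is error-prone for someone new to the tool. The script below is an added example written for this thread; it is not code from the posters or from GMER. It parses the report lines exactly as quoted above (the sample inputs are constructed to match those posts), extracts the sector numbers, and reduces each run to one status: still infected, MBR just restored by -f, or live MBR verified OK with only the stale on-disk copy left behind (the "keeps giving you a warning" case described in #30). The sector-offset helper simply computes how far the flagged code and PE image sit from the stashed MBR copy; both reports on this page happen to give the same offsets, but the example makes no claim beyond that.

```python
"""Classify GMER mbr.exe (Stealth MBR rootkit detector) console output.

Added example for this thread, not part of the original posts and not GMER's
own code. Sample runs are constructed from the lines quoted in posts #16/#29.
"""
import re

# Constructed sample: the "1st message" in #29 (normal boot, before -f).
RUN_BEFORE_FIX = """\
device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
copy of MBR has been found in sector 0x06FBFEFE
malicious code @ sector 0x06FBFF01 !
PE file found in sector at 0x06FBFF17 !
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.
"""

# Constructed sample: the "2nd message" (mbr.exe -f run from safe mode).
RUN_FIX = RUN_BEFORE_FIX + "Original MBR restored\n"

# Constructed sample: the "3rd message" (normal boot after the fix).
RUN_AFTER_FIX = """\
device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
copy of MBR has been found in sector 0x06FBFEFE
malicious code @ sector 0x06FBFF01 !
PE file found in sector at 0x06FBFF17 !
"""

# Matches "sector 0x..." and "sector at 0x..." as printed by the tool.
_SECTOR = re.compile(r"sector(?:\s+at)?\s+(0x[0-9a-f]+)", re.IGNORECASE)


def parse_mbr_report(text):
    """Extract facts from one mbr.exe run, one report line at a time."""
    facts = {
        "device_opened": False,
        "user_read": False,           # MBR as seen through the user-mode API
        "kernel_read": False,         # MBR as seen from the kernel driver
        "mbr_ok": False,              # "user & kernel MBR OK": both views agree
        "infection_flagged": False,   # tool told us to run -f
        "restored": False,            # "Original MBR restored": -f rewrote sector 0
        "mbr_copy_sector": None,      # where the rootkit stashed the original MBR
        "malicious_code_sector": None,
        "pe_file_sector": None,
    }
    for raw in text.splitlines():
        line = raw.strip().lower()
        match = _SECTOR.search(line)
        sector = int(match.group(1), 16) if match else None
        if line.startswith("device:") and "opened successfully" in line:
            facts["device_opened"] = True
        elif line.startswith("user:") and "read successfully" in line:
            facts["user_read"] = True
        elif line.startswith("kernel:") and "read successfully" in line:
            facts["kernel_read"] = True
        elif "user & kernel mbr ok" in line:
            facts["mbr_ok"] = True
        elif "original mbr restored" in line:
            facts["restored"] = True
        elif "copy of mbr has been found" in line:
            facts["mbr_copy_sector"] = sector
        elif "malicious code" in line:
            facts["malicious_code_sector"] = sector
        elif "pe file found" in line:
            facts["pe_file_sector"] = sector
        elif "infection detected" in line or "to fix" in line:
            facts["infection_flagged"] = True
    return facts


def classify_report(text):
    """Reduce one run to a single status string."""
    f = parse_mbr_report(text)
    if not (f["device_opened"] and f["user_read"] and f["kernel_read"]):
        return "inconclusive"      # tool could not read both MBR views
    if f["restored"]:
        return "restored"          # -f succeeded: reboot normally and rescan
    residue = any(f[k] is not None for k in
                  ("mbr_copy_sector", "malicious_code_sector", "pe_file_sector"))
    if f["mbr_ok"]:
        # Live MBR verified; leftover sectors are the stale copy, not an active hook.
        return "clean_with_residue" if residue else "clean"
    if f["infection_flagged"] or f["malicious_code_sector"] is not None:
        return "infected"
    return "inconclusive"


def residue_offsets(facts):
    """Distance in sectors from the stashed MBR copy to the flagged code and
    PE image, or None when the run reported no copy. Purely descriptive."""
    base = facts["mbr_copy_sector"]
    if base is None or facts["malicious_code_sector"] is None \
            or facts["pe_file_sector"] is None:
        return None
    return (facts["malicious_code_sector"] - base, facts["pe_file_sector"] - base)


if __name__ == "__main__":
    for name, run in (("before -f", RUN_BEFORE_FIX), ("-f run", RUN_FIX),
                      ("after -f", RUN_AFTER_FIX)):
        facts = parse_mbr_report(run)
        print(f"{name:10s} -> {classify_report(run):20s} offsets={residue_offsets(facts)}")
```

Paste any future mbr.exe output into one of the string constants and run the script; "clean_with_residue" is the state #30 describes (live MBR fine, stale copy still on disk), whereas "infected" without a following "restored" means the -f step did not take and the safe-mode run should be repeated.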