W32.BAGLE virus – wintems.exe hldrrr.exe srosa.sys
I must say that with all my of experience that one was one of the hardest to remove ..
It disables your current antivirus software, prohibit you from accessing system in safe mode , and changes names each time it starts.
So.. Here are the steps
Go to http://www.majorgeeks.com/GMER_d5198.html and download GMER
Run the tool and when it finds wintems.exe process kill him..
- Run regedit go to HKEY_CURRENT_USERSoftwareMicrosoftWindowsShellNoRoamMUICache and see all entries regarding “C:WINDOWSsystem32drivers” .
- In Explorer window Go to> tools>folder options>view and select show hidden files
- Browse to your C:WINDOWSsystem32drivers .. find drivers folder and try to delete all files listed in HKEY_CURRENT_USERSoftwareMicrosoftWindowsShellNoRoamMUICache
- Scan your system with panda online scanner (the only one that actually cleans , not only detects
- Install anti virus program, download last updates and do a full scan to your system
Of course there is always an option to reapply service pack or do a reinstall to your system.
The problem is solved !
Thanks to Eran Amir
You may also like -
Remove Virusheat.com trojanVirus Heat is a Trojan.Win32 . More or less, it does degrade performance of computers and generate annoying pop up witch send you to ... 
Online Virus Scan SitesList of available Online Virus Scanners. McAfee FreeScan by McAfee Symantec Security Check by Symantec Housecall by Trend Micro Trend Micro Anti-Spyware for the ... 
Fix Windows Vista Networking with netsh commandWindows Vista Winsock TCP/IP stack settings may get corrupted, causing multiple errors and questions with Internet connectivity. Winsock or Windows sockets configuration coruption can ... 
Manual Uninstall of Symantec ProductsList of all manual uninstall resources at SymantecNorton SystemWorksHow to uninstall Norton SystemWorks manuallyNorton AntiVirusHow to uninstall Norton AntiVirus 2000 manually when installed under ... 
Miserable me. I followed your instruction but failed with the first step – killing the wintems.exe process. It seems that I have infected a newer version of this disturbing virus. The wintems process deletes gmer.dll (extracted by gmer) so that this program cannot execute. I have also tried to use ProcessExplorer to kill this process but were not successful neither. All I received is “Access denied”. Please help (T-T)
Happy news.
I have a dual boot machine (Ubuntu and Windows Xp). I boot with Ubuntu (Ubuntu can read my Windows Xp Partition ad sda2).
I:
1. I delete wintems.exe from c:windowssystemwintems.exe,
2. I do the same for hldrrr.exe e srosa.sys.
3. Then I delete the directory c:windowssystemdriversdown
4. I restart Windowx XP
5. I delete the registry key
6. Then I can install Avast and make a full scan without problem
If you don’t have a dual boot linux/windows machine, you can use Knoppix.
I hope this can help.
Happy news.
I have a dual boot machine (Ubuntu and Windows Xp). I boot with Ubuntu (Ubuntu can read my Windows Xp Partition ad sda2).
I do:
o. I start Ubuntu
1. I delete wintems.exe from c:windowssystemwintems.exe (it was in /media/sda2/windows…)
2. I do the same for hldrrr.exe e srosa.sys.
3. Then I delete the directory c:windowssystemdriversdown
4. I stop Ubuntu
5. I start Windowx XP
6. I delete the registry key
7. Then I can install Avast and make a full scan without problem
If you don’t have a dual boot linux/windows machine, you can use Knoppix.
I hope this can help.
try renaming gmer.exe to another filename. the dll will create with that name instead. maybe you’ll have more luck
Richard,
I got infected with virus too. It deletes gmer.dll. renaming gmer.exe didn’t help. I renamed to test.exe as the gmer FAQ suggested. I gmer still expects gmer.dll
. Luckly I have Ubuntu dubal boot. I’ll try the methods above.
John,
Yes your correct.
I tried my own advice and it didn’t work..
However I have had a lot more success just now using
Combofix
I did rename the downloaded file and this has removed wintems.exe I think successfully
I did all of you guys did. But I still have that shit…
Any ideas??
Thx in advance for posting this solutions that worked with you.
pablo
i downloaded gmer, at this moment it doesnt work anymore, the wintems kills it at startup.
combofix is killed as soon as its downloaded, it is not possible to copy it on your own system, however if you download it and “save as” a random name/letters, it will work and kill wintems.
After that you have to edit the registry in “HKEY_CURRENT_USERSoftwareMicrosoft WindowsShellNoRoamMUICache” and delete the things maktub says.
hope this helps others
good luck with this nasty thing, havent seen one so annoying before.
I suggest download slax (http://www.slax.org/) boot it from usb or cd and delete all the mentioned files and ALSO all restore folder in “System Volume Information” folder. Otherwise they will be loaded back…
btw..pretty cool thing that slax
Just wanted to say thank you guys so much! My computer was in very sad shape until I tried ComboFix, but now it’s running like a dream. It actually recognizes that it has a sound card now
Thanks again!
This blog link should be the following. It was wrongly type above
Wintems.exe and Hldrrr.exe
I got infected by this, though it was somewhat stunted, as it wasn’t able to disable avast and commodo.
However, it killed Peerguard 2 and replaced the executable with itself. If I had had it on auto-run, I would have kept infecting myself.
either way, after the trojan rebooted my computer, I set a boot time scan for avast antivirus and rebooted again… Avast removed everything successfully, it seems …so far, saving me the hassle of manual deletion.
It found that all the volume info mentioned here was infected and killed the stuff.
Thank you guys so much. You were really very helpful. In my case, I had VirusScan, AnVir and ThreatFire installed, but only the latter noticed the virus, though it couldn’t fully block it.
The virus rebooted the PC, then infected a couple of service programs to load with Windows.
The thing that worked, was Combofix, when renamed on downloading. Then everything (almost) got cured by Gmer and manually in Regedit – all the keys related to the filenames of the virus files. Then I used Panda to clear the traces.
It won’t show after reboot, but I am not sure as to what it has done and what information destructed or stole. Are there any ideas on that point?
this is one of the hardest i have ever tried to scrub off my hard drive
this is something i have tried from this forums responses at and modified it slightly.
this method removes the wintems.exe trojan virus from your computer.
this first part is done using linux.
if you have a dual boot machine (Ubuntu and Windows Xp), use linux.
otherwise download knoppix live cd.
here goes:
1) start you computer in linux using Ubuntu or knoppix live CD.
2) mount your ntfs file system using something like:
mount /dev/sdaX /media (x is your ntfs partition)
and delete wintems.exe from c:windowssystem32wintems.exe (mine was in /media/sda1)
also delete:
rm -f /media/WINDOWNS/system32/drivers/hldrrr.exe
and rm -f /media/WINDOWNS/system32/drivers/srosa.sys.
(it might be slightly different path or case-sensitive)
3. Then I delete the directory c:windowssystemdriversdown or downld
4. reboot and start Windowx XP
5. I delete the registry key:
# Run regedit go to:
HKEY_CURRENT_USERSoftwareMicrosoftWindowsShellNoRoamMUICache
and see all entries regarding “C:WINDOWSsystem32drivers” .
# In Explorer window Go to> tools>folder options>view and select show hidden files
# Browse to your C:WINDOWSsystem32drivers ..
find drivers folder and try to delete all files listed in:
HKEY_CURRENT_USERSoftwareMicrosoftWindowsShellNoRoamMUICache
7. install Avast or AVG and make a full scan without problem
good luck!
Eran
Thanks Eran, that did the trick for me on a Vaio, but I had to boot Knoppix with a few cheatcodes.
guys i tried downloading combofix…after it downloads….it doesnt open…..it says no permission to access or something like that…plz help…..:(
I am having the same problem as you nightshade, a black box pops up with administrator saying there is already a program of that name there please please please help!
Note: Windows XP 64 bits users, the viruses exe’s are in folder: windows/SysWOW64 and windows/SysWOW64/Drivers. I just removed them.
For all users: after deleting, create empty files named wintems.exe hldrrr.exe srosa.sys and change permissions “DENY for All Users”, also set Read Only.
To create the blank files: (right click inside the folder, New, text document and type the names (blah.exe). make sure you can edit file extensions, otherwise the files will be wintems.exe.txt)
Make folder drivers/down or drivers/downld (was in my case) the same.
This way if there stills some stuff from the virus, you will fake the files, and they wont be accessible by the little evil.
Hi guys, excellent work, thanks you life savers!!!!!
I’ve used combo fix – all good, my question is, now what?? Can I have step by step guide to really kill this thing, its all a bit confusing, should i now run that gmr thing or manually delete wintems files?? any file saying wintem??
Confused!!
Just to clarify the thing with ComboFix – follow these instructions and you should be sorted:
1) download ComboFix to a DIFFERENT COMPUTER if poss
2) rename it to, say, lkjhlkhjlhjk.exe, or you may prefer yteyteryt.exe (i.e. any old name)
3) copy it to the DESKTOP of the affected computer
It SHOULD work like that – I had the same trouble as others in getting it to run, the rootkit kept killing it, but this worked, though it’s very slow and looks like it’s crashed, but wait for the blue console to finish its job.
Nasty little rootkit – I bet the “author” gets a nice little jolly, perhaps even of a sexual nature, reading all this and seeing how much time we have wasted eliminating his “work”. I suppose about $200-worth, I’ll take a check, thanks. Yes, if you are reading this, you are VERY VERY CLEVER, congratulations.
To remove shity virus..
Its simple.. download combofix and just click the exe.
It will clean everything all unknown virus other than this..
After testing all others instructions seen in the net..
This made it so simple in 12 mins.
Download it from here…
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Thanks, it works for me as well.
.-= jan colen´s last blog ..Virus Verwijderen – Met De Juist Gereedschap Gaat Het Makkelijker =-.
Thanks so much for your help – it worked for me