W32.BAGLE virus – wintems.exe hldrrr.exe srosa.sys
I must say that, with all of my experience, this one was one of the hardest to remove.
It disables your current antivirus software, prevents you from booting into Safe Mode, and changes its file names each time it starts.
So, here are the steps:
- Go to http://www.majorgeeks.com/GMER_d5198.html and download GMER.
- Run the tool and, when it finds the wintems.exe process, kill it.
- Run regedit, go to HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache and note every entry that refers to C:\WINDOWS\system32\drivers. MUICache records executables that have actually been run, so whatever names the malware has used will show up here even if the file has since been renamed.
- In an Explorer window, go to Tools > Folder Options > View and select "Show hidden files and folders".
- Browse to C:\WINDOWS\system32\drivers and delete the files listed in that MUICache key. Delete only those: legitimate drivers live in the same folder.
- Scan your system with the Panda online scanner (the only one that actually cleans rather than only detects).
- Install an antivirus program, download the latest updates and run a full scan of your system.
Of course, there is always the option to reapply the service pack or reinstall the system.
The problem is solved!
Thanks to Eran Amir
on February 29th, 2008 at 4:34 am
Miserable me. I followed your instructions but failed at the first step – killing the wintems.exe process. It seems that I am infected with a newer version of this disturbing virus. The wintems process deletes gmer.dll (extracted by GMER) so that the program cannot execute. I have also tried to use Process Explorer to kill this process but was not successful either. All I received was "Access denied". Please help (T-T)
on March 1st, 2008 at 8:20 pm
Happy news.
I have a dual-boot machine (Ubuntu and Windows XP). I boot into Ubuntu (Ubuntu can read my Windows XP partition as sda2).
I did the following:
1. I deleted wintems.exe from c:\windows\system\wintems.exe.
2. I did the same for hldrrr.exe and srosa.sys.
3. Then I deleted the directory c:\windows\system\drivers\down.
4. I restarted Windows XP.
5. I deleted the registry key.
6. Then I could install Avast and run a full scan without problems.
If you don't have a dual-boot Linux/Windows machine, you can use Knoppix.
I hope this can help.
on March 1st, 2008 at 8:22 pm
Happy news.
I have a dual-boot machine (Ubuntu and Windows XP). I boot into Ubuntu (Ubuntu can read my Windows XP partition as sda2).
I did the following:
0. I started Ubuntu.
1. I deleted wintems.exe from c:\windows\system\wintems.exe (it was in /media/sda2/windows…).
2. I did the same for hldrrr.exe and srosa.sys.
3. Then I deleted the directory c:\windows\system\drivers\down.
4. I shut down Ubuntu.
5. I started Windows XP.
6. I deleted the registry key.
7. Then I could install Avast and run a full scan without problems.
If you don't have a dual-boot Linux/Windows machine, you can use Knoppix.
I hope this can help.
on March 18th, 2008 at 8:11 am
Try renaming gmer.exe to another filename. The DLL will be created with that name instead. Maybe you'll have more luck.
on March 18th, 2008 at 2:12 pm
Richard,
I got infected with the virus too. It deletes gmer.dll. Renaming gmer.exe didn't help. I renamed it to test.exe as the GMER FAQ suggested, but GMER still expects gmer.dll.
Luckily I have an Ubuntu dual boot. I'll try the methods above.
on March 18th, 2008 at 7:19 pm
John,
Yes, you're correct.
I tried my own advice and it didn't work.
However, I have had a lot more success just now using
ComboFix.
I did rename the downloaded file, and this has removed wintems.exe, I think successfully.
on March 24th, 2008 at 3:09 am
I did everything you guys did. But I still have that shit…
Any ideas??
Thanks in advance for posting the solutions that worked for you.
pablo
on April 8th, 2008 at 3:42 pm
I downloaded GMER; at this moment it doesn't work anymore, wintems kills it at startup.
ComboFix is killed as soon as it is downloaded; it is not possible to copy it onto your own system. However, if you download it and "save as" a random name/letters, it will work and kill wintems.
After that you have to edit the registry at "HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache" and delete the things maktub says.
Hope this helps others.
Good luck with this nasty thing, haven't seen one so annoying before.
on April 13th, 2008 at 11:17 pm
I suggest downloading Slax (http://www.slax.org/), booting it from USB or CD and deleting all the mentioned files and ALSO all restore folders in the "System Volume Information" folder. Otherwise they will be loaded back…
Btw, pretty cool thing, that Slax.
on April 24th, 2008 at 2:47 am
Just wanted to say thank you guys so much! My computer was in very sad shape until I tried ComboFix, but now it's running like a dream. It actually recognizes that it has a sound card now.
Thanks again!
on May 21st, 2008 at 5:25 am
This blog link should be the following. It was wrongly typed above:
Wintems.exe and Hldrrr.exe
on May 30th, 2008 at 9:14 pm
I got infected by this, though it was somewhat stunted, as it wasn't able to disable Avast and Comodo.
However, it killed PeerGuardian 2 and replaced the executable with itself. If I had had it on auto-run, I would have kept infecting myself.
Either way, after the trojan rebooted my computer, I set a boot-time scan for Avast antivirus and rebooted again… Avast removed everything successfully, it seems… so far, saving me the hassle of manual deletion.
It found that all the volume info mentioned here was infected and killed the stuff.
on June 25th, 2008 at 7:44 am
Thank you guys so much. You were really very helpful. In my case, I had VirusScan, AnVir and ThreatFire installed, but only the latter noticed the virus, though it couldn't fully block it.
The virus rebooted the PC, then infected a couple of service programs to load with Windows.
The thing that worked was ComboFix, when renamed on downloading. Then everything (almost) got cured by GMER and manually in Regedit – all the keys related to the filenames of the virus files. Then I used Panda to clear the traces.
It won't show after reboot, but I am not sure what it has done and what information it destroyed or stole. Are there any ideas on that point?
on July 22nd, 2008 at 9:26 am
This is one of the hardest things I have ever tried to scrub off my hard drive.
This is something I have tried from the responses in this forum and modified slightly.
This method removes the wintems.exe trojan virus from your computer.
The first part is done using Linux.
If you have a dual-boot machine (Ubuntu and Windows XP), use Linux.
Otherwise download the Knoppix live CD.
Here goes:
1) Start your computer in Linux using Ubuntu or the Knoppix live CD.
2) Mount your NTFS file system using something like:
mount /dev/sdaX /media (X is your NTFS partition)
and delete wintems.exe from c:\windows\system32\wintems.exe (mine was in /media/sda1).
also delete:
rm -f /media/WINDOWS/system32/drivers/hldrrr.exe
and rm -f /media/WINDOWS/system32/drivers/srosa.sys
(it might be slightly different path or case-sensitive)
3) Then delete the directory c:\windows\system\drivers\down or downld.
4) Reboot and start Windows XP.
5) Delete the registry key:
# Run regedit and go to:
HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache
and see all entries regarding "C:\WINDOWS\system32\drivers".
# In an Explorer window go to Tools > Folder Options > View and select "Show hidden files".
# Browse to your C:\WINDOWS\system32\drivers…
find the drivers folder and try to delete all files listed in:
HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache
6) Install Avast or AVG and run a full scan without problems.
good luck!
Eran
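The removal steps in the post and Eran's Linux variant above both come down to the same thing: find and delete a handful of known file names from outside the running Windows system, where the rootkit cannot kill the tool or protect its files. The sweep script below is an added example for this page, not the blog author's or any commenter's code. It assumes the Windows partition is already mounted read-write at a path you pass as the first argument (for instance /media/sda1), uses only the file and directory names mentioned in this thread, and matches them case-insensitively because the Linux NTFS driver shows whatever case the dropper used while the comments write the paths in mixed case. It reports first and deletes only when given an explicit --delete, since system32\drivers also holds legitimate drivers.

```shell
#!/bin/sh
# Offline sweep for the W32.Bagle drop files named in this thread, meant to be
# run from a Linux live CD (Knoppix, Slax, an Ubuntu dual boot) against a
# mounted Windows partition. Added example for this page, not the blog
# author's or a commenter's script.

# File names from the post and comments.
BAGLE_FILES="wintems.exe hldrrr.exe srosa.sys"
# Payload directories under ...\drivers (both spellings appear in the thread).
BAGLE_DIRS="down downld"

# bagle_find MOUNTPOINT: print every matching path, one per line.
# -iname/-ipath match case-insensitively: NTFS is case-insensitive, but the
# Linux driver shows the exact case the dropper used (SROSA.SYS, Wintems.exe).
# Always returns 0; unreadable subtrees are skipped, not treated as errors.
bagle_find() {
    root=$1
    for f in $BAGLE_FILES; do
        find "$root" -type f -iname "$f" 2>/dev/null
    done
    for d in $BAGLE_DIRS; do
        find "$root" -type d -ipath "*/drivers/$d" 2>/dev/null
    done
    return 0
}

# bagle_count MOUNTPOINT: number of matches (what a dry run reports).
bagle_count() {
    bagle_find "$1" | awk 'END { print NR }'
}

# bagle_remove MOUNTPOINT: delete everything bagle_find reports. The list is
# collected first so deletions do not race the directory walk.
bagle_remove() {
    list=$(bagle_find "$1")
    [ -n "$list" ] || return 0
    printf '%s\n' "$list" | while IFS= read -r p; do
        if [ -d "$p" ]; then
            rm -rf -- "$p"
        else
            rm -f -- "$p"
        fi
        echo "removed: $p"
    done
}

# Usage: sh bagle_sweep.sh /media/sda1          (report only)
#        sh bagle_sweep.sh /media/sda1 --delete (remove what was reported)
if [ -n "${1:-}" ]; then
    if [ "${2:-}" = "--delete" ]; then
        bagle_remove "$1"
    else
        bagle_find "$1"
    fi
fi
```

The partition has to be mounted read-write for the delete pass to do anything (on a current live CD that is mount -t ntfs-3g /dev/sdaX /mnt); older Knoppix releases mounted NTFS read-only by default, which is one reason the "cheat codes" mentioned further down were needed. The dry run doubles as a check that the files really are where the comments say they are before anything is removed.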
on August 19th, 2008 at 4:31 pm
Thanks Eran, that did the trick for me on a Vaio, but I had to boot Knoppix with a few cheat codes.
on September 9th, 2008 at 3:13 pm
Guys, I tried downloading ComboFix… after it downloads… it doesn't open… it says no permission to access or something like that… please help… :(
on October 21st, 2008 at 10:37 am
I am having the same problem as you, Nightshade: a black box pops up with "administrator" saying there is already a program of that name there. Please please please help!
on October 28th, 2008 at 6:36 pm
Note: Windows XP 64-bit users, the virus's exes are in the folders windows/SysWOW64 and windows/SysWOW64/Drivers. I just removed them.
For all users: after deleting, create empty files named wintems.exe, hldrrr.exe and srosa.sys and change their permissions to "DENY for All Users"; also set Read Only.
To create the blank files: right-click inside the folder, New, Text Document and type the names (blah.exe). Make sure you can edit file extensions, otherwise the files will be wintems.exe.txt.
Make the folder drivers/down or drivers/downld (as it was in my case) the same.
This way, if there is still some stuff from the virus, you will have faked the files and they won't be accessible to the little evil.
on November 20th, 2008 at 10:08 pm
Hi guys, excellent work, thank you, life savers!!!!!
I've used ComboFix – all good. My question is, now what?? Can I have a step-by-step guide to really kill this thing? It's all a bit confusing; should I now run that GMER thing or manually delete the wintems files?? Any file saying wintem??
Confused!!
on November 26th, 2008 at 3:08 pm
Just to clarify the thing with ComboFix – follow these instructions and you should be sorted:
1) Download ComboFix to a DIFFERENT COMPUTER if possible.
2) Rename it to, say, lkjhlkhjlhjk.exe, or you may prefer yteyteryt.exe (i.e. any old name).
3) Copy it to the DESKTOP of the affected computer.
It SHOULD work like that – I had the same trouble as others in getting it to run, the rootkit kept killing it, but this worked, though it's very slow and looks like it's crashed; wait for the blue console to finish its job.
Nasty little rootkit – I bet the "author" gets a nice little jolly, perhaps even of a sexual nature, reading all this and seeing how much time we have wasted eliminating his "work". I suppose about $200 worth; I'll take a check, thanks. Yes, if you are reading this, you are VERY VERY CLEVER, congratulations.
on January 6th, 2009 at 6:11 am
To remove this shitty virus…
It's simple: download ComboFix and just click the exe.
It will clean everything, all unknown viruses other than this one.
After testing all the other instructions seen on the net,
this made it so simple, in 12 mins.
Download it from here:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
on February 14th, 2010 at 6:43 pm
Thanks, it works for me as well.