Comments on: W32.BAGLE virus – wintems.exe hldrrr.exe srosa.sys http://www.kreslavsky.com/2008/02/wintermsexe-hldrrrexe.html News, guides, and tips to antivirus programmes, scripts, and security Sat, 04 Feb 2012 01:39:11 +0000 hourly 1 http://wordpress.org/?v=3.3.1 By: Udi http://www.kreslavsky.com/2008/02/wintermsexe-hldrrrexe.html#comment-48 Udi Wed, 23 Jun 2010 20:44:00 +0000 http://www.kreslavsky.com/2008/02/wintemsexe-hldrrrexe-srosasys/#comment-48 Thanks so much for your help - it worked for me Thanks so much for your help – it worked for me

]]> By: jan colen http://www.kreslavsky.com/2008/02/wintermsexe-hldrrrexe.html#comment-47 jan colen Sun, 14 Feb 2010 18:43:02 +0000 http://www.kreslavsky.com/2008/02/wintemsexe-hldrrrexe-srosasys/#comment-47 Thanks, it works for me as well. .-= jan colen´s last blog ..<a href="http://virusverwijderen.hildiid.com/9/virus-verwijderen/" rel="nofollow">Virus Verwijderen – Met De Juist Gereedschap Gaat Het Makkelijker</a> =-. Thanks, it works for me as well.
.-= jan colen´s last blog ..Virus Verwijderen – Met De Juist Gereedschap Gaat Het Makkelijker =-.

]]> By: Dj http://www.kreslavsky.com/2008/02/wintermsexe-hldrrrexe.html#comment-46 Dj Tue, 06 Jan 2009 06:11:14 +0000 http://www.kreslavsky.com/2008/02/wintemsexe-hldrrrexe-srosasys/#comment-46 To remove shity virus.. Its simple.. download combofix and just click the exe. It will clean everything all unknown virus other than this.. After testing all others instructions seen in the net.. This made it so simple in 12 mins. Download it from here... http://www.bleepingcomputer.com/combofix/how-to-use-combofix To remove shity virus..

Its simple.. download combofix and just click the exe.

It will clean everything all unknown virus other than this..

After testing all others instructions seen in the net..

This made it so simple in 12 mins.

Download it from here…
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

]]> By: nigel http://www.kreslavsky.com/2008/02/wintermsexe-hldrrrexe.html#comment-45 nigel Wed, 26 Nov 2008 15:08:28 +0000 http://www.kreslavsky.com/2008/02/wintemsexe-hldrrrexe-srosasys/#comment-45 Just to clarify the thing with ComboFix - follow these instructions and you should be sorted: 1) download ComboFix to a DIFFERENT COMPUTER if poss 2) rename it to, say, lkjhlkhjlhjk.exe, or you may prefer yteyteryt.exe (i.e. any old name) 3) copy it to the DESKTOP of the affected computer It SHOULD work like that - I had the same trouble as others in getting it to run, the rootkit kept killing it, but this worked, though it's very slow and looks like it's crashed, but wait for the blue console to finish its job. Nasty little rootkit - I bet the "author" gets a nice little jolly, perhaps even of a sexual nature, reading all this and seeing how much time we have wasted eliminating his "work". I suppose about $200-worth, I'll take a check, thanks. Yes, if you are reading this, you are VERY VERY CLEVER, congratulations. Just to clarify the thing with ComboFix – follow these instructions and you should be sorted:

1) download ComboFix to a DIFFERENT COMPUTER if poss
2) rename it to, say, lkjhlkhjlhjk.exe, or you may prefer yteyteryt.exe (i.e. any old name)
3) copy it to the DESKTOP of the affected computer

It SHOULD work like that – I had the same trouble as others in getting it to run, the rootkit kept killing it, but this worked, though it’s very slow and looks like it’s crashed, but wait for the blue console to finish its job.

Nasty little rootkit – I bet the “author” gets a nice little jolly, perhaps even of a sexual nature, reading all this and seeing how much time we have wasted eliminating his “work”. I suppose about $200-worth, I’ll take a check, thanks. Yes, if you are reading this, you are VERY VERY CLEVER, congratulations.

]]> By: Stu http://www.kreslavsky.com/2008/02/wintermsexe-hldrrrexe.html#comment-44 Stu Thu, 20 Nov 2008 22:08:57 +0000 http://www.kreslavsky.com/2008/02/wintemsexe-hldrrrexe-srosasys/#comment-44 Hi guys, excellent work, thanks you life savers!!!!! I've used combo fix - all good, my question is, now what?? Can I have step by step guide to really kill this thing, its all a bit confusing, should i now run that gmr thing or manually delete wintems files?? any file saying wintem?? Confused!! :) Hi guys, excellent work, thanks you life savers!!!!!
I’ve used combo fix – all good, my question is, now what?? Can I have step by step guide to really kill this thing, its all a bit confusing, should i now run that gmr thing or manually delete wintems files?? any file saying wintem??
Confused!! :)

]]> By: Alfred R. Baudisch http://www.kreslavsky.com/2008/02/wintermsexe-hldrrrexe.html#comment-43 Alfred R. Baudisch Tue, 28 Oct 2008 18:36:12 +0000 http://www.kreslavsky.com/2008/02/wintemsexe-hldrrrexe-srosasys/#comment-43 Note: Windows XP 64 bits users, the viruses exe's are in folder: windows/SysWOW64 and windows/SysWOW64/Drivers. I just removed them. For all users: after deleting, create empty files named wintems.exe hldrrr.exe srosa.sys and change permissions "DENY for All Users", also set Read Only. To create the blank files: (right click inside the folder, New, text document and type the names (blah.exe). make sure you can edit file extensions, otherwise the files will be wintems.exe.txt) Make folder drivers/down or drivers/downld (was in my case) the same. This way if there stills some stuff from the virus, you will fake the files, and they wont be accessible by the little evil. :) Note: Windows XP 64 bits users, the viruses exe’s are in folder: windows/SysWOW64 and windows/SysWOW64/Drivers. I just removed them.

For all users: after deleting, create empty files named wintems.exe hldrrr.exe srosa.sys and change permissions “DENY for All Users”, also set Read Only.
To create the blank files: (right click inside the folder, New, text document and type the names (blah.exe). make sure you can edit file extensions, otherwise the files will be wintems.exe.txt)

Make folder drivers/down or drivers/downld (was in my case) the same.

This way if there stills some stuff from the virus, you will fake the files, and they wont be accessible by the little evil. :)

]]> By: virginia http://www.kreslavsky.com/2008/02/wintermsexe-hldrrrexe.html#comment-42 virginia Tue, 21 Oct 2008 10:37:19 +0000 http://www.kreslavsky.com/2008/02/wintemsexe-hldrrrexe-srosasys/#comment-42 I am having the same problem as you nightshade, a black box pops up with administrator saying there is already a program of that name there please please please help! I am having the same problem as you nightshade, a black box pops up with administrator saying there is already a program of that name there please please please help!

]]> By: nightshade http://www.kreslavsky.com/2008/02/wintermsexe-hldrrrexe.html#comment-41 nightshade Tue, 09 Sep 2008 15:13:14 +0000 http://www.kreslavsky.com/2008/02/wintemsexe-hldrrrexe-srosasys/#comment-41 guys i tried downloading combofix...after it downloads....it doesnt open.....it says no permission to access or something like that...plz help.....:( guys i tried downloading combofix…after it downloads….it doesnt open…..it says no permission to access or something like that…plz help…..:(

]]> By: Mike http://www.kreslavsky.com/2008/02/wintermsexe-hldrrrexe.html#comment-40 Mike Tue, 19 Aug 2008 16:31:02 +0000 http://www.kreslavsky.com/2008/02/wintemsexe-hldrrrexe-srosasys/#comment-40 Thanks Eran, that did the trick for me on a Vaio, but I had to boot Knoppix with a few cheatcodes. Thanks Eran, that did the trick for me on a Vaio, but I had to boot Knoppix with a few cheatcodes.

]]> By: Eran Amir http://www.kreslavsky.com/2008/02/wintermsexe-hldrrrexe.html#comment-39 Eran Amir Tue, 22 Jul 2008 09:26:09 +0000 http://www.kreslavsky.com/2008/02/wintemsexe-hldrrrexe-srosasys/#comment-39 this is one of the hardest i have ever tried to scrub off my hard drive this is something i have tried from this forums responses at and modified it slightly. this method removes the wintems.exe trojan virus from your computer. this first part is done using linux. if you have a dual boot machine (Ubuntu and Windows Xp), use linux. otherwise download knoppix live cd. here goes: 1) start you computer in linux using Ubuntu or knoppix live CD. 2) mount your ntfs file system using something like: mount /dev/sdaX /media (x is your ntfs partition) and delete wintems.exe from c:windowssystem32wintems.exe (mine was in /media/sda1) also delete: rm -f /media/WINDOWNS/system32/drivers/hldrrr.exe and rm -f /media/WINDOWNS/system32/drivers/srosa.sys. (it might be slightly different path or case-sensitive) 3. Then I delete the directory c:windowssystemdriversdown or downld 4. reboot and start Windowx XP 5. I delete the registry key: # Run regedit go to: HKEY_CURRENT_USERSoftwareMicrosoftWindowsShellNoRoamMUICache and see all entries regarding "C:WINDOWSsystem32drivers" . # In Explorer window Go to> tools>folder options>view and select show hidden files # Browse to your C:WINDOWSsystem32drivers .. find drivers folder and try to delete all files listed in: HKEY_CURRENT_USERSoftwareMicrosoftWindowsShellNoRoamMUICache 7. install Avast or AVG and make a full scan without problem good luck! Eran this is one of the hardest i have ever tried to scrub off my hard drive
this is something i have tried from this forums responses at and modified it slightly.
this method removes the wintems.exe trojan virus from your computer.

this first part is done using linux.
if you have a dual boot machine (Ubuntu and Windows Xp), use linux.
otherwise download knoppix live cd.

here goes:

1) start you computer in linux using Ubuntu or knoppix live CD.
2) mount your ntfs file system using something like:
mount /dev/sdaX /media (x is your ntfs partition)
and delete wintems.exe from c:windowssystem32wintems.exe (mine was in /media/sda1)
also delete:
rm -f /media/WINDOWNS/system32/drivers/hldrrr.exe
and rm -f /media/WINDOWNS/system32/drivers/srosa.sys.
(it might be slightly different path or case-sensitive)
3. Then I delete the directory c:windowssystemdriversdown or downld

4. reboot and start Windowx XP
5. I delete the registry key:

# Run regedit go to:

HKEY_CURRENT_USERSoftwareMicrosoftWindowsShellNoRoamMUICache

and see all entries regarding “C:WINDOWSsystem32drivers” .
# In Explorer window Go to> tools>folder options>view and select show hidden files
# Browse to your C:WINDOWSsystem32drivers ..
find drivers folder and try to delete all files listed in:

HKEY_CURRENT_USERSoftwareMicrosoftWindowsShellNoRoamMUICache

7. install Avast or AVG and make a full scan without problem

good luck!

Eran

]]>