Comments on: W32.BAGLE virus – wintems.exe hldrrr.exe srosa.sys http://www.kreslavsky.com/2008/02/wintermsexe-hldrrrexe.html Common IT solutions. AD | Messaging | Virtualization | Storage | Security Tue, 23 Feb 2010 19:52:58 +0000 http://wordpress.org/?v=2.9.1 hourly 1 By: jan colen http://www.kreslavsky.com/2008/02/wintermsexe-hldrrrexe.html/comment-page-1#comment-17396 jan colen Sun, 14 Feb 2010 18:43:02 +0000 http://www.kreslavsky.com/2008/02/wintemsexe-hldrrrexe-srosasys/#comment-17396 Thanks, it works for me as well. .-= jan colen´s last blog ..<a href="http://virusverwijderen.hildiid.com/9/virus-verwijderen/" rel="nofollow">Virus Verwijderen – Met De Juist Gereedschap Gaat Het Makkelijker</a> =-. Thanks, it works for me as well.
jan colen´s last blog ..Virus Verwijderen – Met De Juist Gereedschap Gaat Het Makkelijker My ComLuv Profile

]]> By: Dj http://www.kreslavsky.com/2008/02/wintermsexe-hldrrrexe.html/comment-page-1#comment-2200 Dj Tue, 06 Jan 2009 06:11:14 +0000 http://www.kreslavsky.com/2008/02/wintemsexe-hldrrrexe-srosasys/#comment-2200 To remove shity virus.. Its simple.. download combofix and just click the exe. It will clean everything all unknown virus other than this.. After testing all others instructions seen in the net.. This made it so simple in 12 mins. Download it from here... http://www.bleepingcomputer.com/combofix/how-to-use-combofix To remove shity virus..

Its simple.. download combofix and just click the exe.

It will clean everything all unknown virus other than this..

After testing all others instructions seen in the net..

This made it so simple in 12 mins.

Download it from here…
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

]]> By: nigel http://www.kreslavsky.com/2008/02/wintermsexe-hldrrrexe.html/comment-page-1#comment-1974 nigel Wed, 26 Nov 2008 15:08:28 +0000 http://www.kreslavsky.com/2008/02/wintemsexe-hldrrrexe-srosasys/#comment-1974 Just to clarify the thing with ComboFix - follow these instructions and you should be sorted: 1) download ComboFix to a DIFFERENT COMPUTER if poss 2) rename it to, say, lkjhlkhjlhjk.exe, or you may prefer yteyteryt.exe (i.e. any old name) 3) copy it to the DESKTOP of the affected computer It SHOULD work like that - I had the same trouble as others in getting it to run, the rootkit kept killing it, but this worked, though it's very slow and looks like it's crashed, but wait for the blue console to finish its job. Nasty little rootkit - I bet the "author" gets a nice little jolly, perhaps even of a sexual nature, reading all this and seeing how much time we have wasted eliminating his "work". I suppose about $200-worth, I'll take a check, thanks. Yes, if you are reading this, you are VERY VERY CLEVER, congratulations. Just to clarify the thing with ComboFix – follow these instructions and you should be sorted:

1) download ComboFix to a DIFFERENT COMPUTER if poss
2) rename it to, say, lkjhlkhjlhjk.exe, or you may prefer yteyteryt.exe (i.e. any old name)
3) copy it to the DESKTOP of the affected computer

It SHOULD work like that – I had the same trouble as others in getting it to run, the rootkit kept killing it, but this worked, though it’s very slow and looks like it’s crashed, but wait for the blue console to finish its job.

Nasty little rootkit – I bet the “author” gets a nice little jolly, perhaps even of a sexual nature, reading all this and seeing how much time we have wasted eliminating his “work”. I suppose about $200-worth, I’ll take a check, thanks. Yes, if you are reading this, you are VERY VERY CLEVER, congratulations.

]]> By: Stu http://www.kreslavsky.com/2008/02/wintermsexe-hldrrrexe.html/comment-page-1#comment-1927 Stu Thu, 20 Nov 2008 22:08:57 +0000 http://www.kreslavsky.com/2008/02/wintemsexe-hldrrrexe-srosasys/#comment-1927 Hi guys, excellent work, thanks you life savers!!!!! I've used combo fix - all good, my question is, now what?? Can I have step by step guide to really kill this thing, its all a bit confusing, should i now run that gmr thing or manually delete wintems files?? any file saying wintem?? Confused!! :) Hi guys, excellent work, thanks you life savers!!!!!
I’ve used combo fix – all good, my question is, now what?? Can I have step by step guide to really kill this thing, its all a bit confusing, should i now run that gmr thing or manually delete wintems files?? any file saying wintem??
Confused!! :)

]]> By: Alfred R. Baudisch http://www.kreslavsky.com/2008/02/wintermsexe-hldrrrexe.html/comment-page-1#comment-1571 Alfred R. Baudisch Tue, 28 Oct 2008 18:36:12 +0000 http://www.kreslavsky.com/2008/02/wintemsexe-hldrrrexe-srosasys/#comment-1571 Note: Windows XP 64 bits users, the viruses exe's are in folder: windows/SysWOW64 and windows/SysWOW64/Drivers. I just removed them. For all users: after deleting, create empty files named wintems.exe hldrrr.exe srosa.sys and change permissions "DENY for All Users", also set Read Only. To create the blank files: (right click inside the folder, New, text document and type the names (blah.exe). make sure you can edit file extensions, otherwise the files will be wintems.exe.txt) Make folder drivers/down or drivers/downld (was in my case) the same. This way if there stills some stuff from the virus, you will fake the files, and they wont be accessible by the little evil. :) Note: Windows XP 64 bits users, the viruses exe’s are in folder: windows/SysWOW64 and windows/SysWOW64/Drivers. I just removed them.

For all users: after deleting, create empty files named wintems.exe hldrrr.exe srosa.sys and change permissions “DENY for All Users”, also set Read Only.
To create the blank files: (right click inside the folder, New, text document and type the names (blah.exe). make sure you can edit file extensions, otherwise the files will be wintems.exe.txt)

Make folder drivers/down or drivers/downld (was in my case) the same.

This way if there stills some stuff from the virus, you will fake the files, and they wont be accessible by the little evil. :)

]]> By: virginia http://www.kreslavsky.com/2008/02/wintermsexe-hldrrrexe.html/comment-page-1#comment-1382 virginia Tue, 21 Oct 2008 10:37:19 +0000 http://www.kreslavsky.com/2008/02/wintemsexe-hldrrrexe-srosasys/#comment-1382 I am having the same problem as you nightshade, a black box pops up with administrator saying there is already a program of that name there please please please help! I am having the same problem as you nightshade, a black box pops up with administrator saying there is already a program of that name there please please please help!

]]> By: nightshade http://www.kreslavsky.com/2008/02/wintermsexe-hldrrrexe.html/comment-page-1#comment-582 nightshade Tue, 09 Sep 2008 15:13:14 +0000 http://www.kreslavsky.com/2008/02/wintemsexe-hldrrrexe-srosasys/#comment-582 guys i tried downloading combofix...after it downloads....it doesnt open.....it says no permission to access or something like that...plz help.....:( guys i tried downloading combofix…after it downloads….it doesnt open…..it says no permission to access or something like that…plz help…..:(

]]> By: Mike http://www.kreslavsky.com/2008/02/wintermsexe-hldrrrexe.html/comment-page-1#comment-114 Mike Tue, 19 Aug 2008 16:31:02 +0000 http://www.kreslavsky.com/2008/02/wintemsexe-hldrrrexe-srosasys/#comment-114 Thanks Eran, that did the trick for me on a Vaio, but I had to boot Knoppix with a few cheatcodes. Thanks Eran, that did the trick for me on a Vaio, but I had to boot Knoppix with a few cheatcodes.

]]> By: Eran Amir http://www.kreslavsky.com/2008/02/wintermsexe-hldrrrexe.html/comment-page-1#comment-63 Eran Amir Tue, 22 Jul 2008 09:26:09 +0000 http://www.kreslavsky.com/2008/02/wintemsexe-hldrrrexe-srosasys/#comment-63 this is one of the hardest i have ever tried to scrub off my hard drive this is something i have tried from this forums responses at and modified it slightly. this method removes the wintems.exe trojan virus from your computer. this first part is done using linux. if you have a dual boot machine (Ubuntu and Windows Xp), use linux. otherwise download knoppix live cd. here goes: 1) start you computer in linux using Ubuntu or knoppix live CD. 2) mount your ntfs file system using something like: mount /dev/sdaX /media (x is your ntfs partition) and delete wintems.exe from c:\windows\system32\wintems.exe (mine was in /media/sda1) also delete: rm -f /media/WINDOWNS/system32/drivers/hldrrr.exe and rm -f /media/WINDOWNS/system32/drivers/srosa.sys. (it might be slightly different path or case-sensitive) 3. Then I delete the directory c:\windows\system\drivers\down or downld 4. reboot and start Windowx XP 5. I delete the registry key: # Run regedit go to: HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache and see all entries regarding "C:\WINDOWS\system32\drivers" . # In Explorer window Go to> tools>folder options>view and select show hidden files # Browse to your C:\WINDOWS\system32\drivers .. find drivers folder and try to delete all files listed in: HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache 7. install Avast or AVG and make a full scan without problem good luck! Eran this is one of the hardest i have ever tried to scrub off my hard drive
this is something i have tried from this forums responses at and modified it slightly.
this method removes the wintems.exe trojan virus from your computer.

this first part is done using linux.
if you have a dual boot machine (Ubuntu and Windows Xp), use linux.
otherwise download knoppix live cd.

here goes:

1) start you computer in linux using Ubuntu or knoppix live CD.
2) mount your ntfs file system using something like:
mount /dev/sdaX /media (x is your ntfs partition)
and delete wintems.exe from c:\windows\system32\wintems.exe (mine was in /media/sda1)
also delete:
rm -f /media/WINDOWNS/system32/drivers/hldrrr.exe
and rm -f /media/WINDOWNS/system32/drivers/srosa.sys.
(it might be slightly different path or case-sensitive)
3. Then I delete the directory c:\windows\system\drivers\down or downld

4. reboot and start Windowx XP
5. I delete the registry key:

# Run regedit go to:

HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache

and see all entries regarding “C:\WINDOWS\system32\drivers” .
# In Explorer window Go to> tools>folder options>view and select show hidden files
# Browse to your C:\WINDOWS\system32\drivers ..
find drivers folder and try to delete all files listed in:

HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache

7. install Avast or AVG and make a full scan without problem

good luck!

Eran

]]> By: Serge http://www.kreslavsky.com/2008/02/wintermsexe-hldrrrexe.html/comment-page-1#comment-37 Serge Wed, 25 Jun 2008 07:44:00 +0000 http://www.kreslavsky.com/2008/02/wintemsexe-hldrrrexe-srosasys/#comment-37 Thank you guys so much. You were really very helpful. In my case, I had VirusScan, AnVir and ThreatFire installed, but only the latter noticed the virus, though it couldn't fully block it. <br/><br/>The virus rebooted the PC, then infected a couple of service programs to load with Windows. <br/><br/>The thing that worked, was <b>Combofix</b>, when renamed on downloading. Then everything (almost) got cured by Gmer and manually in Regedit - all the keys related to the filenames of the virus files. Then I used Panda to clear the traces. <br/><br/>It won't show after reboot, but I am not sure as to what it has done and what information destructed or stole. Are there any ideas on that point? Thank you guys so much. You were really very helpful. In my case, I had VirusScan, AnVir and ThreatFire installed, but only the latter noticed the virus, though it couldn’t fully block it.

The virus rebooted the PC, then infected a couple of service programs to load with Windows.

The thing that worked, was Combofix, when renamed on downloading. Then everything (almost) got cured by Gmer and manually in Regedit – all the keys related to the filenames of the virus files. Then I used Panda to clear the traces.

It won’t show after reboot, but I am not sure as to what it has done and what information destructed or stole. Are there any ideas on that point?

]]>