Hard to Kill Malware: Wintems.exe, Hldrrr.exe and Random Number.exe
January 3rd, 2008 by Andrew Chen
My laptop was infected with a vicious piece of malware recently. The first symptom I saw of the infection was that my anti-virus software became disabled. I was using Spybot and Norton on my laptop, and some of their executable files were deleted without my knowledge. I tried to reinstall Spybot and Norton but could not.
I was thinking that probably the only way to get rid of the malware was a clean installation of the whole system, but I decided to spend some time looking into it first. I thought there must be something running on the system that deletes the anti-virus programs. I checked Windows Task Manager and did find some weird processes. Wintems.exe was one of them, and there was a process with a random-number name like 2348787.exe. I did a search and found 2348787.exe in a folder in the system directory, "c:\windows\system32\drivers\down". In fact I found tens of random-number .exe executables under that folder. The malware kept cloning itself. Really scary!!
I killed the two processes in Task Manager and deleted that directory and wintems.exe, but I still could not install the anti-virus software. When I repeated the experiment the result was the same. I ran a process scanner and all running processes looked good. I was not the only one experiencing this: I found on the internet that if malware uses a rootkit to hook into the system, it gets notified whenever a file is created. The malware can then look at the name of the created file and, if that name is in its database of anti-virus executables, delete it. Really scary!!!
I downloaded a rootkit detection tool and found that hldrrr.exe was the process deleting my anti-virus executables, and that it uses a driver, srosa.sys. This process can somehow hide itself from Task Manager. Even more vicious: after you delete hldrrr.exe and srosa.sys they re-appear. I spent a long time finding the pattern of how they re-appear. It turns out that whenever I opened Internet Explorer these two files were created, and then wintems.exe and the random-number executable were re-created as well.
To find which process creates hldrrr.exe and srosa.sys I used a process monitor, but whenever I opened Internet Explorer I got a pop-up box saying I had monitoring software running and needed to close it for the program to continue. The pop-up box's title was "Themida". I ran the process monitor on a clean system and IE did not give me that pop-up. So I Googled "Themida" and found it is a company providing anti-cracking technology. However, its technology is used by malware writers to package malware so that it can bypass analysis and anti-virus programs.
Finally I decided to uninstall all the IE toolbars, because they may be the only components IE initializes at start. That worked: after I removed all the IE toolbars I did not see hldrrr.exe and srosa.sys again. Hopefully they will not come back.


Hello,
I have the same problem, but even worse:
srosa.sys even crashes my W2K3 box with a bluescreen after logging in.
But I don't have ANY toolbars or the like installed?!
Any ideas? Thanks in advance!
regards,
Mark
Were you able to restart the server? Were you able to delete srosa.sys in safe mode and all related registry keys?
Safe Mode = blue screen
With BartPE and a lot of trying around & cleaning up the registry I deleted srosa.sys & hldrrr.exe & C:\windows\system32\drivers\down with loads of .exe files. But now I have a messy server... with a lot of services not starting and straaange errors.
Hi, I have the same issue that Mark has and I spent 19 (nineteen) hours with Symantec tech support and no resolution. I even showed your page but they dismissed it. If you don’t mind can you keep me in the loop if you find a solution?
I am heading towards rebooting the system…
I have read all previous comments
Thanks all
This is my way to get rid of evil:
1. Turn off system restore.
2. Delete all startup entries, including your antivirus and security software, with a registry startup manager or directly from the registry itself.
3. Delete the registry entries of the virus: hkcu/software/FirstRRRun, and the other keys mentioned above.
4. Go to Control Panel > System > Hardware tab > Device Manager, then click "View" then "Show hidden devices", go to Non-plug and play drivers, right-click on Megadrv3 and uninstall it.
5. Restart Windows but boot from CD with the Command Prompt recovery console (you can use a bootable Microsoft Windows XP CD).
6. Delete hldrrr.exe, hidr.exe, srosa.sys and the down folder from the command prompt in the directory system32\drivers.
7. Boot Windows normally, don't start any program and don't waste time: go to system32\drivers and create blank files named hldrrr.exe, hidr.exe, srosa.sys and change their attribute to "Read Only".
8. Go to Control Panel > Folder Options > click the "View" tab, uncheck "Use simple file sharing", then return to the drivers folder, right-click your own created blank files, select Properties, Security tab, check Deny access for all users, then OK, OK.
That is all!
You can also create an inaccessible “down” folder in drivers directory and similar fake registry keys using properties > security > deny permission
Uninstall your unnecessary junk security software, update or re-install antivirus and firewall and ENJOY LIVING!
As Alireza Peyman said here, I got rid of the virus.
But instead of turning on the PC in safe mode I used UBCD for Win XP for making the files and deleting the registry entries.
After I rebooted my PC in normal mode I uninstalled my AV software and after that I reinstalled it.
Some of the Win XP services like Automatic Updates, Windows Defender, Firewall, Security Center and others (you will see them disabled in Computer Management -> Services) must be set to Automatic and Started.
To be sure, rescan the registry to find any of these keys: hldrrr.exe, hidr.exe, srosa.sys and delete them all.
I no longer have the virus.
Thanks !
My computer got infected two days ago and I started searching info. This thread helped me to understand what was going on, but I believe I found what caused it in my case. Hope it helps somebody else.
I am 99% sure that I got it from a free version of a rootkit eliminator called “Reg Run Reanimator” from Greatis Software. (Note that a couple people in this page mention this program as a remedy rather than a cause).
I was cleaning up my registry and came upon Reg Run. I installed and ran it and it told me there were four virus files: hldrrr.exe, srosa.sys, wintems.exe and mdelk.exe; of which it killed srosa and wintems but could not eliminate hldrrr and mdelk. It did, however, tell me that I could do it with the "Reg Run Startup Optimizer", which was not part of the program I was using.
My computer behaved as many in this page have stated:
antivirus disabled, not being able to delete the virus files, not being able to boot in safe mode, etc.
Apparently there is evidence that the executable file of Reg Run, partizan.exe, has been used to spread malware by third parties. See the following link in the Symantec forum:
https://forums.symantec.com/syment/board/message?board.id=endpoint_protection11&message.id=4559&jump=true#M4559.
I can not say that Greatis has intentionally included malware in their application, but I find it coincidental that the last three letters of “hldrrr” may be construed to stand for “Reg Run Reanimator”. I urge anyone with this problem to be careful if they have used it.
I did solve the problem by restoring to an earlier point, using a CD to boot Windows to delete any of the files mentioned above, plus partizan.*, which I found in Prefetch, c:\windows\system32 and c:\windows\system32\drivers. Also searching the registry and deleting any references to them.
Are you guys able to boot your computer normally?
If you always boot to a blue screen then you are experiencing something different than I did. What does it say in the blue screen? Hopefully I can help.
If you are able to boot normally and hldrrr.exe and srosa.sys keep re-appearing, then try to find the pattern of how they re-appear. If they appear after your computer is booted up, then most likely one of your startup programs creates them. If they re-appear after you run a certain program, then most likely the program or one of its components creates them.
In my case IE was starting very slowly and every time I started IE they re-appeared. I was using the Google toolbar at the time. Deleting those malware exes and registry keys and uninstalling the Google toolbar got my computer back to normal.
At first afd.sys crashed, so I just renamed the file to afd.sys and then the real trouble maker came through: srosa.sys.
You can find my efforts over here:
http://forums.spybot.info/showthread.php?t=22550
srosa.sys & hldrrr.exe work together with the files in C:\windows\system32\drivers\down and some other files.
After a lot of fiddling with BartPE I managed to clean the registry manually -> virus is gone buuuuuuuuuuuut:
I still haven't found a resolution for the errors due to netlogon (and with that a load of others, Exchange e.g.) not starting:
Error 10050: a socket operation encountered a dead network.
I found in some forums that this indicates that your whole dll stuff regarding network is messed up totally.
netsh winsock reset
netsh int ip reset log.txt
didn’t help either.
I tried installing SP2 over again, which helped a bit; now at least I can ping my router (and outside again).
I will try to reinstall all patches after SP2 (this helped with a dead Exchange server once). The problem is I can't use Windows Update, so this will take a while.
I REALLY hate this virus and will NEVER EVER open ANY file again on my server…….
The malware also prevents Windows Automatic Update from running. Are you sure your computer is clean and those troublesome malware exes are not re-appearing? Are you able to install your anti-virus software?
I think the malware may delete some Windows Update executables also. I forgot to mention that I installed Service Pack 3. I think that also helped in correcting the problems.
I reinstalled SP2 which made it better (there is no SP3 for w2k3 yet!), but even DNS lookups are not possible. I can ping to the outside though!
The malware is NOT reappearing, 100% sure.
I reinstalled AV software already.
Further investigation this evening….
You are right, Win2k service pack 2. I have also installed Office 2003 service pack 3 since I have Word and Excel.
When you say you can ping outside, do you ping the IP or the domain name? If DNS lookup has a problem then you probably need to check your DNS settings and make sure your DNS server is working.
You can display your DNS settings by running "ipconfig /all" in a cmd window.
One thing I tried to do was delete all the files in that stupid down directory - but it said one of the files was currently being used. I could however, go to CMD and delete it that way.
I know in system monitor I can see the PID of everything “normal” running, too bad when it says file is being used it can’t tell you by what. That is what I love about UNIX - you have Child and Parent PID you can look at. Really wish there was a way to know what program created or deleted what!
I still have not been able to delete this virus but will try again after reading all your comments.
Ugh! Wish I knew how I got it.
Thanks,
Markis
In my case the files in the down directory are "number.exe" files. They can be viewed in Task Manager and I can kill the number.exe process in Task Manager. It can be deleted after you kill the process.
But the number.exe files will re-appear. In my case they are created by hldrrr.exe. It is located in the c:\windows\system32\drivers directory. It may be located in another directory though.
I have pretty much the same symptoms as the rest of you.
My infection came from a folder called Network Surveilance Tools
And I tried booting to safe mode to delete the files under cmd, and it would cause my system to reboot every time I tried to log into safe mode.
I must have had a different variety; this is one of the nastiest I've come across.
I wiped my drive and re-installed.
Problem solved.
I forgot to mention, it wouldn't let me install HijackThis or scan remotely from any of the free remote public AV scanning services. Nasty, nasty.
I found an EASY way to kill it. I searched for hldrrr.exe in the registry. It was in the startup - found lots of other files there too. Take each name and search on google - it will tell you if good or not.
Then go to your system startup and take out anything that doesn’t belong.
Delete all those number files (if you have to go to dos).
Then I was able to reinstall the virus scanner, then everything fine.
Still hated it. Had to research so many files.
Good luck everyone!
Hope they shoot these virus makers!
@Andrew:
I can ping to an IP only ! Almost ALL network related services are NOT starting on my windows 2003 server ! No AD, DNS & DHCP (client or server), netlogon and so on. All with the same failure:
a dead network encountered…..
I will try again tonight..
I had the same virus and I couldn't kill it until the guys over at Spybot helped me out. I downloaded GMER, booted into safe mode via GMER, and deleted hldrrr.exe/wintems.exe/srosa.sys.
I have read all previous comments for info… but I’m still screwed…
This thing has munged my wireless access as well as all else.
I tried the most recent suggestion of using GMER to no avail, even in GMER ’safe mode’ I cannot delete these files. I get an error message.
I can’t boot into ‘Windows Safe Mode’ either. Any attempt throws a BSOD.
Obviously some critical system files are messed up… what a nightmare…. This is the worst virus catastrophe I’ve ever had. I guess I’ve been pretty lucky over the 25+ years of computing… I guess it had to happen some time… yeeesh!
Any advice or ideas would be TREMENDOUSLY appreciated….
later…
Hello d,
Create a Bart PE boot cd, boot from that cd and delete the files mentioned.
Then repair safe mode by importing/exporting the deleted registry hive HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot
Or try safebootkeyrepair.exe
Follow the articles on the safernetworking site (SpyBot)
regards,
Mark
One hint that might help.
1 - You can connect your HD to another PC and run your A/V to clean it up (it's a start) or create a live CD of some kind in case you just have a laptop.
Delete the files mentioned above but create fake copies of them in the same location and change the file permissions so they can't be accessed, deleted or modified in any way.
This helps so the infected files can't be recreated. Apply the same restrictions to the "down" folder as well.
(Once the system is clean you can change all this)
If you have XP home, there is an add on from MS (not supported)(made for Windows NT) that adds the security tabs for changing files permissions.
2 - This "bug" modifies lots of known exes for A/V and clean-up utilities like HijackThis. The file date on the modified files will be the same as the infection date. Search and replace those files with good ones (or at least you will know what to uninstall/reinstall).
PS: I am right in the middle of this too. I will post more details later…
Thanks all for your suggestions. With this info from here and other places I managed to get rid of this...
the ‘wintems’ and ’srosa’ are gone. Rootkit removed.
Ongoing…
Windows Zero Config (for wireless access) couldn't get working, so I installed the Intel version of the same for my hardware and that works. It's not the WZC service, but another service that it is dependent on.
Also, IE won’t process any javascript…. bizarre virus. Re-installing Anti-virus and the like is no problem, but all these other ‘changes’ made to system files is a pain. Not sure of what all is damaged yet. I might try to ‘re-do’ SP2 as suggested above. If not, I might just go ahead and do a re-install of Windows. It’s long overdue anyway, but what a pain as I have many, many software packages to re-install as well if that happens….. sigh.
But anyway, thanks all for info. It is appreciated.
ciao
Hello,
My beloved system recently got infected with these nasty little bastards. I found that I had: Hldrrr.exe, Wintems.exe, and Srosa.sys. One of these also liked to make a system32/drivers/down/ folder filled with ######.exe files.
The symptoms I had included all of my anti-virus software suddenly becoming unusable, lock-ups during any of the re-installs, and blue screens when I attempted to boot to Safe Mode. Basically, everything I've been reading about in the above posts.
My online scans showed that i had W32/Sdbot.worm, New Poly Win32, Bbeagle, and some other ones I think.
Anyway. I think I may have gotten rid of them. During my searches, I stumbled on the following link:
http://www.symantec.com/security_response/writeup.jsp?docid=2006-061613-2224-99&tabid=3
that mentions deleting the following line from your registry:
HKEY_CURRENT_USER\Software\FirstRRRun
I did this and
- deleted everything from Window’s Prefetch
- deleted all the files under System32/drivers/down
- ran RegRun's Reanimator, which found hldrrr.exe and srosa.sys
This also has an AntiSpyware dropdown that listed red Reg entries that happened to show "prohibited" websites, including McAfee and other anti-virus sites. Deleting these entries allowed me to access the sites again.
After rebooting, RegRun claimed to have deleted the viruses but they were still there. But get this, I could now delete them myself... which I did. No more numbered .exe's appeared in the down folder either, which would normally fill up on startup.
Now McAfee installed and I’m currently running a complete virus scan. I think I may have killed it.
I'll keep you posted. Thanks for all the help in the previous posts. I wouldn't mind getting my hands on the people that created this crap. I've been battling viruses for the past 3 days.
-E
Hi,
I had problems with deleting srosa.sys, wintems.exe, mdelk.exe and the down folder. Every time I deleted them they got recreated. So I found a workaround: instead of deleting them again and again - and at one point deleting became impossible ("File in use" error) - I just changed their security settings, by disallowing all Users, Administrators (incl. my own system account) and the System to do anything with these files (including running, deleting, reading the contents of a folder, etc.).
This is done by going to Tools -> Folder options -> View -> Untick: Use simple file sharing -> OK. Then when you right-click a file or folder you get to Security (and then, if you like, Advanced). There you can set the permissions to use the files/folders.
Watch out, this is a very powerful tool, you can e.g. deny permissions to your Windows folder or entire C: drive which will inevitably make your hard drive usable only as an external storage…
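The placeholder trick from Alireza's steps 7 and 8 and from the permission change described in the comment just above, as an added PowerShell script that is not from the post or any commenter: it creates empty files and an empty "down" folder with the names the thread mentions, marks the files read-only and denies Everyone (the well-known SID S-1-1-0) all access, so the dropper cannot recreate them. The file names and the drivers path are assumptions to adjust for your variant, and it is meant to run elevated after the real files have been removed.

```powershell
# Added example, not from the original post or its commenters.
# Creates empty placeholder files/folders under system32\drivers, marks them
# read-only and denies Everyone all access, so the dropper cannot recreate them.
# Run from an elevated PowerShell after removing the real files; -WhatIf previews.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$DriversDir = (Join-Path $env:SystemRoot 'system32\drivers'),
    # Names mentioned in the thread (assumed; adjust for your variant).
    [string[]]$PlaceholderFiles = @('hldrrr.exe', 'hidr.exe', 'srosa.sys'),
    [string[]]$PlaceholderDirs  = @('down')
)

function Deny-EveryoneAccess {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [switch]$IsDirectory
    )
    # S-1-1-0 is the well-known SID for Everyone.
    $everyone = New-Object System.Security.Principal.SecurityIdentifier('S-1-1-0')
    # Files must not carry inheritance flags; folders propagate the deny to children.
    if ($IsDirectory) {
        $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    } else {
        $inherit = [System.Security.AccessControl.InheritanceFlags]::None
    }
    $ruleArgs = @(
        $everyone,
        [System.Security.AccessControl.FileSystemRights]::FullControl,
        $inherit,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Deny
    )
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $ruleArgs
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $false)   # drop inherited Allow entries
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

foreach ($name in $PlaceholderFiles) {
    $path = Join-Path $DriversDir $name
    if (Test-Path -Path $path -PathType Leaf) {
        # A non-empty file here is the real thing, not a placeholder: do not "protect" it.
        if ((Get-Item -Path $path -Force).Length -gt 0) {
            Write-Warning "$path exists and is not empty; remove the real file first."
            continue
        }
    } elseif ($PSCmdlet.ShouldProcess($path, 'create empty placeholder file')) {
        New-Item -Path $path -ItemType File | Out-Null
    }
    if ($PSCmdlet.ShouldProcess($path, 'set read-only and deny Everyone')) {
        # Read-only first: once the deny ACE is in place nobody can change attributes.
        Set-ItemProperty -Path $path -Name IsReadOnly -Value $true
        Deny-EveryoneAccess -Path $path
    }
}

foreach ($name in $PlaceholderDirs) {
    $path = Join-Path $DriversDir $name
    if (Test-Path -Path $path -PathType Container) {
        if (@(Get-ChildItem -Path $path -Force -ErrorAction SilentlyContinue).Count -gt 0) {
            Write-Warning "$path is not empty; remove the dropped files first."
            continue
        }
    } elseif ($PSCmdlet.ShouldProcess($path, 'create empty placeholder folder')) {
        New-Item -Path $path -ItemType Directory | Out-Null
    }
    if ($PSCmdlet.ShouldProcess($path, 'deny Everyone')) {
        Deny-EveryoneAccess -Path $path -IsDirectory
    }
}
```

Once the system is confirmed clean, undo it by taking ownership of the placeholders (takeown) and resetting their ACLs (icacls /reset) before deleting them.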
Hi all,
First I would like to thank all of you for your advice and solutions. I now have my computer running normally (as far as I can tell at this stage). After going in circles for a long time I found this site and read all the comments and they helped a lot, so I thought I would add my experience.
To remove most of the shite (not being able to use any anti-virus software or Spybot) I downloaded F-Secure BlackLight from their site and ran it, removing references to srosa.sys, wintems.exe, and mdelk.exe. I then rebooted into another OS on my system and deleted the previously mentioned EXEs as well as the entire drivers\down folder and cleared the prefetch.
Seemed to work for me!
Cheers again.
another solution :
Download the Windows Malicious Software Removal Tool available at
support.microsoft.com/kb/890830
It worked on mine
Yes, the Windows Malicious software tool worked for me too, but I had to run it in Safe Mode (it would freeze up normally). To be able to get into Safe Mode, I had to use SafeBootKeyRepair. After I cleared the worms with the MS tool, I was then able to run Spybot Search and Destroy to get rid of a few more things, and then reinstall Avast.
What an ordeal! I don’t even want to say how many hours I sunk into cleaning up this mess.
I spent two of my Thanksgiving holidays on it. Thanks to all who left their input, and hopefully it can save time for many people.
Here is a tip to find all the related files and registry key.
Start - Run - Regedit
Edit - Search - (Type) HLDRRR
That should take you to the search assistant or in other words:
HKEY_USERS\S-1-5-21-(xxxxxxxxxxxxxxxxx)\software\Microsoft\Search Assistant\Acmru\5603
HKEY_USERS\S-1-5-21-(xxxxxxxxxxxxxxxxx)\software\Microsoft\Search Assistant\Acmru\5604
There you’ll find the following
000 REG_SZ HLDRRR
001 REG_SZ SROSA.SYS
002 REG_SZ EXEFLD
003 REG_SZ *.EXE
004 REG_SZ EXE
005 REG_SZ I1RU74N4
006 REG_SZ GODO
007 REG_SZ FOR?
008 REG_SZ NOAT
009 REG_SZ BAN
010 REG_SZ SSGRATE.EXE
011 REG_SZ BAN_LIST.TXT
012 REG_SZ 1234XXX.EXE
The virus has corrupted the Windows Search Assistant.
I hope this helps.
Moin!
Thank you all for your helpful comments. I’ve the problem that I cannot boot anymore, so I’m forced to seek and delete the files using Knoppix and DOS-Shell.
Hi there!
It’s almost (not anymore) 5 in the morning but it seems, I finally have prevailed over this indeed vicious hell of a nuisance - following the steps of Alireza Peyman.
I encountered a slight difference though: there was no Megadrv3 driver, but I encountered and uninstalled an srosa one (shown with a yellow exclamation mark).
I hope, this is finally over - and still as good after rebooting again. (I only got a blue screen when trying to boot into safe mode before.)
I only have the Home Edition, so I used the software FJXPFileSecExt (just google the name) to enable the more sophisticated folder filesharing settings of Win XP Pro.
I denied every access to the dummy files and now I can’t even open a rightclick menu on them anymore… but as long as that damn malware can’t, that should be okay.
Thanks again!
Hi,
I'm not sure if I was infected with the same variant (srosa.sys, wintems.exe and MegaDrv3) but I fixed it this way:
1. It disables safe mode boot , so you should fix it first,
get SafeBootKeyRepair.exe to fix it
http://www.techsupportforum.com/sectools/sUBs/SafeBootKeyRepair.exe
2. Download GMER and SDFix and ComboFix
http://www.gmer.net/gmer.zip
http://downloads.andymanchesta.com/RemovalTools/SDFix.exe
http://download.bleepingcomputer.com/sUBs/Beta/ComboFix.exe
3.reboot system into safe mode.
4. run GMER and delete this file if you find them :
system32\drivers\SROSA.SYS.del
system32\wintems.exe
windows\svchost_.exe
system32\drivers\hldrrr.exe
system32\drivers\down\*.exe
5. Run SDFix.exe, extract it to c:\sdfix and run
RunThis.bat from c:\sdfix
6. run ComboFix.exe
HTH ,
Mehdy Mohajery
–
Hi all, I’ve just escaped from the misery of suffering this annoying trojan. Still shaking
In my case, solution from Mr E. works for me and I myself think that using RegRun is a smart way to protect our computer from virus. Thanks to RegRun.
To Keith Shepherd: I don't think those values were generated by the virus. I'm sure that was what you had input in the Search field.
I am in the middle of an epic struggle with this virus. It is definitely the worst yet.
Using UnHackMe I managed to remove srosa.sys, hldrrr.exe etc., but then I couldn't install anything. Everything was either not a Win32 application, or I didn't have permission to install stuff, or installations uninstalled themselves because services wouldn't start.
I went into the registry and got rid of FirstRRRun and everything with srosa in it, including all the versions in the Control Point (nnn) folders. To do this you need to change the permissions on each item.
This gave me some time to discover all manner of deviltry in the System32 folder: BmxControlState - {00000007-00000002 etc..).gfx, DVCs, and some other crap. Deleting them helped a bit but then they kept coming back.
I went into Device Manager and deleted an unnamed device (probably MegaDrv3 [showed up as a registry value under LEGACY-SROSA]).
Couldn’t get in on safemode - kept crashing while loading alcxmntr.exe or sys or whatever. Safebootkey didn’t work.
In the end I simply installed a second version of XP on another partition (on the same physical disk), went in in safe mode, installed everything, AVG, Webroot, F-Fprot, and wiped out every little **** I could find. Also created dummy folders and placed a note: “You can’t touch this” inside before sealing them by denying permissions to everything.
But still — the infected XP instance will not open in safe mode!!!
Can anyone tell me how to finish this thing?
Hi
I got infected by and cleaned this rootkit three times. I have never seen a file named hidir.exe though. I have a hidir.sys and don’t know if it’s one of those suckers but so far no problem.
I also realized that no matter what you do to clean this, you need to restore safebootkey as well. Otherwise, you are not able to go on into SM. It will come down to a line and reboot there. So, I always use a file called SafeBootKeyRepair-CF.exe. I’m sure you can find it on the net. It’s a very very small file but solves the problem.
I believe this sucker will keep coming. So, I put all the relevant files in a folder and now can quickly get rid of it. The first time it lasted 3-4 days. Now, the third lasted 10 mins. Hope this helps…
The virus was removed from my laptop by following the instructions below easily:
http://forums.pcpitstop.com/index.php?showtopic=154765
Good luck.
Hi again!
One month after applying your solution, I found something that may be linked to this virus.
This thread addresses the issue:
http://forums.techguy.org/networking/630190-solved-windows-wireless-service-cant-2.html
A Windows service which the WLAN config is dependent on is turned off, so that the implemented WLAN configuration doesn’t work anymore. (I have not needed a WLAN connection since then, so I did not notice before.)
In my case, when I tried to switch that service (NDIS usermode I/O) back on, I only got a bluescreen - even when booting into safe mode.
So, I refrained from trying to repair the damaged system and - after 14 months without - did a “format c:”. That way, system integrity should be restored as well.
I am one of the moderators at wilders security.
Get yourself a safeboot.reg key on the web.
Find a new version of Combofix.
You do not have to run this in safe mode; it will do it in normal mode. Combo WILL run in normal mode and delete these.
THEN because of the critters hldrrr, wintems, and srosa carry with them, then run an online scanner from KAV or Panda or TrendMicro.
or find a free copy of ewido_micro.exe online, look for the url for download in search at Yahoo or google, and run it, normal or safe mode either way.
Look at this:
http://newbie-marketing.info/protecting-your-pc-is-a-must-for-affiliate-marketers/
Cite:
…Then I found Eset NOD32 Antivirus. It’s made by little known company called Eset. It comes with a 30-day full working trial and an online scanner. Using the online scanner, I was able to get rid of “wintems.exe” and all related viruses and registry files that it created…
Ehhh, wrong: wintems denies system privileges to this program.
I’d like to thank the posters on this forum for helping me rid myself of this virus. For the record (and from memory), these are the steps that worked on my XP SP2 setup:
1) run RegRuns Reanimator to delete hldrrr.exe and srosa.sys
2) run SafeBootKeyRepair.exe to then enable safe boot
3) run Combofix, Avast Cleaner, Spybot S&D in safe mode
4) run Windows Malicious software tool in safe mode (this took hours)
I could then boot up normally and everything seemed to be OK apart from my internet connection, which kept failing after 4 or 5 minutes. After reinstalling AVG antivirus, and performing 5 or 6 different virus scans from other manufacturers, my connection is now working fine, and I'm virus-free.
Many thanks especially to Mehdy, Alireza and Aadarsh.
It's funny that almost ALL these progs require you to buy them online... which is exactly the type of info you DON'T want to transmit over the interbutt with a virus of this type lurking on your comp... yeah, this is great help...
Hello everyone,
could you please help me?
When I try to open ComboFix I get a message that it is not a Win32 application.
I also can't find SafeBootKeyRepair.exe.
Can anyone send it to me via e-mail?
What should I do?
And one more thing:
I don't have the "down" folder.
Instead I have a "downld" folder in which all those exe files with numbers appear. Is that somehow different?
Please help.
Where can I get a copy of SafeBootKeyRepair.exe - none of the links above work?
It appears SafeBootKeyRepair.exe is done by the people who do ComboFix and ComboFix is broken, so presumably SafeBootKeyRepair died with it?
It appears I have gotten rid of it (after several reboots no sign of it so far) by:
1. Using the recover option on the WinXP install disk
2. Straight after the recovery of Windows, before rebooting (the virus is still loaded after recovery), I was able to run AVG antivirus, Spybot S&D, and the Windows Malicious Software Removal Tool, and I updated my Windows at the same time.
3. Then I rebooted and appears to be gone.
I’ve rebooted a few times since, fingers crossed. If this hadn’t worked I was just going to reinstall windows as all my data is on separate drives and it appears this virus evolves with the fixes - just not worth spending days trying to remove it when you can just spend a few hours reinstalling windows.
I have the same problem, and am on the phone telling Time Warner that CA software sucks.
After you load it, it reboots and a box pops up saying allow or deny c:system 32 dllrrr.exe
Why is CA asking me that question if dllrr.exe is a virus?
Wouldn’t you think they would know at least as much about this stuff as we do?
When I tell the clerk at Roadrunner about it and that I can’t access the Internet to see if I should accept or deny, she says, “Well, that’s the way the software is, sir.”
When I ask to speak to her supervisor she puts me on hold and I eventually get disconnected.
Great service for $40 a month.
Anyway, thanks to you guys, hopefully I will fix this thing tonight.
Tomorrow is a new month.
Jim
I also have got this virus :evil:. I analyzed the C:\WINDOWS\system32\drivers\down folder with KNOPPIX.
Luckily Linux doesn’t pay attention to the file ending, but to the content. Most of the number.exe are html files which have been renamed to exe.
Went through and documented the steps I took to remove the nasty bugger, may not be the quickest way but it worked for me:
1) Disable system restore
You should get a new drive letter relating to the hard-disk, change to that drive
2) To reinstate the folder-show hidden files and folders do a google search for foldersettings.reg.
Download and install to infected computer
3) Create a boot CD for Windows 98 with CDROM support (can find at http://www.allbootdisks.com)
4) download and install ntfs4dos to a non infected computer (find at http://www.avira.com, downloads)
5) Burn the installed files to CD (find in c:\program files\avira\ntfs4dos)
Note: you can skip step 3 if you make the NTFS4DOS CD bootable
6) Boot the infected computer with the windows 98 boot CD
7) Insert the NTFS disk and run NTFS4dos
9) goto \windows\system32\drivers
10) delete hdrrr.exe
11) delete srosa.sys
12) use the command copy con hdrrr.exe, press enter twice, press -
13) use the command copy con srosa.sys, press enter twice, press -
14) use the command copy con mdelk.exe, press enter twice, press - (it will ask to overwrite, say yes)
(this will create dummy files with the same name as the virus)
15) goto c:\windows\prefetch, delete all files here
16) reboot into windows, normal mode
Note: I find a blank window opens with the title c:\windows\system32\drivers\hldrrr.exe - leave it open for now
17) run regedit, perform a find for hldrrr
18) Delete entry under HKCU_Software_Microsoft_Windows_Currentversion_Run called
18) Delete entries under HKCU_Software_Microsoft_Windows_ShellNoRoam_MUICache called and
19) another find on srosa - when you find legacy_srosa, right click, go to permissions and tick allow on full control
19a) delete legacy_srosa
20) do the same for srosa
21) same for the next legacy_srosa but delete the subfolder 0000 first (you can’t delete the main folder while 0000 exists)
22) delete the next srosa entry
23) search for rrr (from the beginning, press home to get to the top)
24) delete entry HKCU_Software (delete entire FirstRRRun folder)
25) use mycomputer and navigate to c:\windows\system32\drivers, find srosa.sys (make sure it’s about 4kb or less)
26) goto tools, folder options, view, untick use simple file sharing
27) right click srosa.sys, properties, security(tab)
28) click on each user listed and tick top right box (full control - deny), apply.
*Note: this will lock the file from being overwritten by the virus
29) Force a power off of the computer (don’t use restart/shutdown)
30) power-up PC, boot into windows, normal mode.
31) The virus should now be rooted (unlike the virgin who created it)
32) open command prompt ( cmd )
33) goto c:\windows\system32\drivers
34) delete hldrrr.exe
35) use command attrib -r -s -h mdelk.exe
36) delete mdelk.exe
36) use the command copy con hdrrr.exe, press enter twice, press -
37) use the command copy con mdelk.exe, press enter twice, press -
38) use mycomputer and navigate to c:\windows\system32\drivers, find hdrrr.exe (make sure it’s about 8kb or less)
39) right click hdrrr.exe, properties, security(tab)
40) click on each user listed and tick top right box (full control - deny), apply.
41) find mdelk.exe (make sure it’s about 8kb or less)
42) right click mdelk.exe, properties, security(tab)
43) click on each user listed and tick top right box (full control - deny), apply.
44) Load antivirus software
45) perform a full scan and hopefully all existing infected files should be picked up and cleaned
46) reboot computer
Note: when I find out how to fix the Windows wireless and safe mode I will add to the forum.
Ooops,
step 12, 13 and 14 should read press ctrl then z
18A) Delete entry under HKCU_Software_Microsoft_Windows_Currentversion_Run called drvsyskit
18B) Delete entries under HKCU_Software_Microsoft_Windows_ShellNoRoam_MUICache called c:\windows\system32\drivers\hldrrr.exe and
c:\windows\system32\drivers\mdelk.exe
DO NOT DELETE HKCU_Software,
delete HKCU_SOFTWARE_FirstRRRun
Try again with no punctuation:
1) Disable system restore
You should get a new drive letter relating to the hard-disk, change to that drive
2) To reinstate the folder-show hidden files and folders do a google search for foldersettings.reg.
Download and install to infected computer
3) Create a boot CD for Windows 98 with CDROM support (can find at http://www.allbootdisks.com)
4) download and install ntfs4dos to a non infected computer (find at http://www.avira.com, downloads)
5) Burn the installed files to CD (find in c:\program files\avira\ntfs4dos)
Note: you can skip step 3 if you make the NTFS4DOS CD bootable
6) Boot the infected computer with the windows 98 boot CD
7) Insert the NTFS disk and run NTFS4dos
9) goto \windows\system32\drivers
10) delete hdrrr.exe
11) delete srosa.sys
12) use the command copy con hdrrr.exe, press enter twice, press ctrl-z
13) use the command copy con srosa.sys, press enter twice, press ctrl-z
14) use the command copy con mdelk.exe, press enter twice, press ctrl-z (it will ask to overwrite, say yes)
(this will create dummy files with the same name as the virus)
15) goto c:\windows\prefetch, delete all files here
16) reboot into windows, normal mode
Note: I find a blank window opens with the title c:\windows\system32\drivers\hldrrr.exe - leave it open for now
17) run regedit, perform a find for hldrrr
18A) Delete entry under HKCU_Software_Microsoft_Windows_Currentversion_Run called drvsyskit
18B) Delete entries under HKCU_Software_Microsoft_Windows_ShellNoRoam_MUICache called c:\windows\system32\drivers\hldrrr.exe and
c:\windows\system32\drivers\mdelk.exe
19) another find on srosa - when you find legacy_srosa, right click on permissions and tick allow on full control
19a) delete legacy_srosa
20) do the same for srosa
21) same for the next legacy_srosa but delete the subfolder 0000 first (you can’t delete the main folder while 0000 exists)
22) delete the next srosa entry
23) search for rrr (from the beginning, press home to get to the top)
24) delete entry HKCU_Software FirstRRRun (delete entire FirstRRRun folder)
25) use mycomputer and navigate to c:\windows\system32\drivers, find srosa.sys (make sure it’s about 4kb or less)
26) goto tools, folder options, view, untick use simple file sharing
27) right click srosa.sys, properties, security(tab)
28) click on each user listed and tick top right box (full control - deny), apply.
*Note: this will lock the file from being overwritten by the virus
29) Force a power off of the computer (don’t use restart/shutdown)
30) power-up PC, boot into windows, normal mode.
31) The virus should now be rooted (unlike the virgin who created it)
32) open command prompt (start run cmd enter)
33) goto c:\windows\system32\drivers
34) delete hldrrr.exe
35) use command attrib -r -s -h mdelk.exe
37) delete mdelk.exe
38) use the command copy con hdrrr.exe, press enter twice, press ctrl-z
39) use the command copy con mdelk.exe, press enter twice, press ctrl-z
40) use mycomputer and navigate to c:\windows\system32\drivers, find hdrrr.exe (make sure it’s about 8kb or less)
41) right click hdrrr.exe, properties, security(tab)
42) click on each user listed and tick top right box (full control - deny), apply.
43) find mdelk.exe (make sure it’s about 8kb or less)
44) right click mdelk.exe, properties, security(tab)
45) click on each user listed and tick top right box (full control - deny), apply.
46) Load antivirus software
47) perform a full scan and hopefully all existing infected files should be picked up and cleaned
48) reboot computer
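The KNOPPIX observation earlier in the thread (judge files by their content, not their .exe name) and the indicator files named throughout the removal steps above can be checked together from a read-only mount of the infected volume. This is an added example, not code from the thread or from any tool it mentions; the relative paths are the ones quoted in the comments, and the sample tree it builds is constructed and harmless.

```python
"""Offline triage of a Windows volume mounted read-only (for example under
KNOPPIX) for the Bagle indicators named in this thread. Added example, not code
from the thread or from any tool it mentions; the relative paths come from the
comments above and the tree built by make_constructed_sample() is fake."""
import os
import re
import tempfile

# Paths relative to the Windows directory, as reported in the thread.
INDICATOR_FILES = [
    "system32/wintems.exe", "system32/drivers/hldrrr.exe",
    "system32/drivers/srosa.sys", "system32/drivers/mdelk.exe",
    "Prefetch/hldrrr.exe.pf", "Prefetch/wintems.exe.pf",
]
DROP_FOLDERS = ["system32/drivers/down", "system32/drivers/downld",
                "system32/drivers/ldown"]
NUMBERED_EXE = re.compile(r"^\d+\.exe$", re.IGNORECASE)


def sniff(path):
    """Classify a file by content, not extension (the KNOPPIX observation)."""
    with open(path, "rb") as fh:
        head = fh.read(512)
    if head[:2] == b"MZ":
        return "pe"        # DOS/PE executable header
    if head.lstrip().lower().startswith((b"<!doctype", b"<html")):
        return "html"      # web page renamed to .exe
    return "empty" if not head else "unknown"   # empty: e.g. a placeholder


def find_ci(root, rel):
    """Resolve a relative path case-insensitively; '' if any part is missing."""
    cur = root
    for part in rel.split("/"):
        names = os.listdir(cur) if os.path.isdir(cur) else []
        match = [n for n in names if n.lower() == part.lower()]
        if not match:
            return ""
        cur = os.path.join(cur, match[0])
    return cur


def triage(windows_dir):
    """Report indicator files present (size, type) and classify numbered .exe files."""
    present = {}
    for rel in INDICATOR_FILES:
        p = find_ci(windows_dir, rel)
        if p and os.path.isfile(p):
            present[rel] = {"size": os.path.getsize(p), "type": sniff(p)}
    dropped = []
    for rel in DROP_FOLDERS:
        d = find_ci(windows_dir, rel)
        if d and os.path.isdir(d):
            for name in sorted(os.listdir(d)):
                full = os.path.join(d, name)
                if os.path.isfile(full) and NUMBERED_EXE.match(name):
                    dropped.append((rel, name, sniff(full)))
    return {"indicators": present, "dropped": dropped}


def make_constructed_sample():
    """Write a fake, harmless tree in a temp dir mimicking the layout described above."""
    root = tempfile.mkdtemp(prefix="bagle_triage_")
    down = os.path.join(root, "system32", "drivers", "down")
    os.makedirs(down)
    files = {                       # MZ stub, empty stand-in, HTML, MZ stub
        os.path.join(root, "system32", "WINTEMS.EXE"): b"MZ" + b"\0" * 62,
        os.path.join(root, "system32", "drivers", "srosa.sys"): b"",
        os.path.join(down, "1108812.EXE"): b"<html><body>not a program</body></html>",
        os.path.join(down, "1135937.EXE"): b"MZ" + b"\0" * 62,
    }
    for path, data in files.items():
        with open(path, "wb") as fh:
            fh.write(data)
    return root
```

Point triage() at the mounted WINDOWS directory (e.g. /media/sda1/WINDOWS) to get the same report for a real volume.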
I’m so happy.
I haven’t got this nasty virus anymore. Do you know the solution? It’s ridiculously easy…
Now I’ll also tell it to you:
Go to zonavirus.com and download the newest EliBaglA (Descargar EliBagla 11.xx) (I write xx because a few days later there will be a newer version, the development is very active) (it’s Spanish). (PS: This virus/trojan is named Bagle)
Run EliBaglA.
Check whether your system drive is entered in “Unidad”. If not, change it to your system drive.
If it isn’t already there, check “Eliminar Ficheros Automaticamente”.
To start click “Explorar”. The program will scan your drive. There will be some error notes that say Bagle is denying the access. Just click them away. When the program has finished, click “Salir” to leave the program.
Now reboot the computer.
EliBaglA will start as the first program after the system itself, just before Windows Explorer and also before Bagle.
Run the program a second time with the same parameters.
It will kill Bagle.
I’m angry at myself that I thought it didn’t work because I forgot to reboot…
However, this is the easiest and most efficient way to remove Bagle.
Sorry, I’ll correct it:
Go to http://www.zonavirus.com/datos/descargas/95/elibagla.asp and download the newest EliBaglA (Descargar EliBagla 11.xx) (I write xx because a few days later there will be a newer version, the development is very active) (it’s Spanish). (PS: This virus/trojan is named Bagle)
Run EliBaglA.
Check whether your system drive is entered in “Unidad”. If not, change it to your system drive.
If it isn’t already there, check “Eliminar Ficheros Automaticamente”.
To start click “Explorar”. The program will scan your drive. There will be some error notes that say Bagle is denying the access. Just click them away. When the program has finished, click “Salir” to leave the program.
Now reboot the computer.
EliBaglA will start as the first program after the system itself, just before Windows Explorer and also before Bagle.
Run the program a second time with the same parameters.
It will kill Bagle.
PS: This is how the log should look (C:\InfoSat.txt)
EliBagle v11.36 (c)2008 S.G.H. / Satinfo S.L. (Modificado el 15 de Mayo del 2008)
———————————————-
Lista de Acciones (por Acción Directa):
C:\WINDOWS\SYSTEM32\WINTEMS.EXE –> Eliminado Bagle
C:\WINDOWS\SYSTEM32\BAN_LIST.TXT –> Eliminado Bagle
C:\WINDOWS\SYSTEM32\DRIVERS\SROSA.SYS –> Eliminado Bagle (rootkit)
C:\WINDOWS\SYSTEM32\DRIVERS\HLDRRR.EXE –> Eliminado Bagle.dldr
C:\DOKUMENTE UND EINSTELLUNGEN\JUTTA\ANWENDUNGSDATEN\M\FLEC006.EXE –> Eliminado Bagle
C:\DOKUMENTE UND EINSTELLUNGEN\JUTTA\ANWENDUNGSDATEN\M\LIST.OCT –> Eliminado Bagle
Tue May 20 19:08:28 2008
EliBagle v11.36 (c)2008 S.G.H. / Satinfo S.L. (Modificado el 15 de Mayo del 2008)
———————————————-
Lista de Acciones (por Exploración):
Explorando Unidad C:\
C:\WINDOWS\system32\MDELK.EXE –> Eliminado Bagle
C:\WINDOWS\system32\drivers\down\107194781.EXE –> Eliminado Bagle
C:\WINDOWS\system32\drivers\down\1108812.EXE –> Eliminado Bagle
C:\WINDOWS\system32\drivers\down\1135937.EXE –> Eliminado Bagle
C:\WINDOWS\system32\drivers\down\1331109.EXE –> Eliminado Bagle
C:\WINDOWS\system32\drivers\down\15126984.EXE –> Eliminado Bagle
C:\WINDOWS\system32\drivers\down\155631578.EXE –> Eliminado Bagle.dldr
C:\WINDOWS\system32\drivers\down\155643921.EXE –> Eliminado Bagle.dldr
C:\WINDOWS\system32\drivers\down\170215250.EXE –> Eliminado Bagle.dldr
C:\WINDOWS\system32\drivers\down\170221656.EXE –> Eliminado Bagle
C:\WINDOWS\system32\drivers\down\259031468.EXE –> Eliminado Bagle
C:\WINDOWS\system32\drivers\down\348944140.EXE –> Eliminado Bagle.dldr
C:\WINDOWS\system32\drivers\down\348961718.EXE –> Eliminado Bagle.dldr
C:\WINDOWS\system32\drivers\down\393984109.EXE –> Eliminado Bagle.dldr
C:\WINDOWS\system32\drivers\down\393993750.EXE –> Eliminado Bagle.dldr
C:\WINDOWS\system32\drivers\down\423140109.EXE –> Eliminado Bagle.dldr
C:\WINDOWS\system32\drivers\down\437735281.EXE –> Eliminado Bagle.dldr
C:\WINDOWS\system32\drivers\down\437749390.EXE –> Eliminado Bagle.dldr
C:\WINDOWS\system32\drivers\down\587393218.EXE –> Eliminado Bagle
C:\WINDOWS\system32\drivers\down\587414093.EXE –> Eliminado Bagle
C:\WINDOWS\system32\drivers\down\602117859.EXE –> Eliminado Bagle
C:\WINDOWS\system32\drivers\down\679859437.EXE –> Eliminado Bagle
C:\WINDOWS\system32\drivers\down\679873796.EXE –> Eliminado Bagle
C:\WINDOWS\system32\drivers\down\694541390.EXE –> Eliminado Bagle
C:\WINDOWS\system32\drivers\down\756689968.EXE –> Eliminado Bagle
C:\WINDOWS\system32\drivers\down\771352500.EXE –> Eliminado Bagle
C:\WINDOWS\system32\drivers\down\771370671.EXE –> Eliminado Bagle
C:\WINDOWS\system32\drivers\down\92630343.EXE –> Eliminado Bagle
Nº Total de Directorios: 15567
Nº Total de Ficheros: 236486
Nº de Ficheros Analizados: 14957
Nº de Ficheros Infectados: 28
Nº de Ficheros Limpiados: 28
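The InfoSat.txt log above has a regular shape (path, arrow, action, then totals), so it can be checked mechanically, for instance to confirm that the number of removed entries matches the declared total and that the rootkit driver was among them. Added example, not part of EliBagla or of this comment; SAMPLE_LOG is a constructed excerpt in the same format, not the real file.

```python
"""Parse an EliBagla InfoSat.txt log like the one quoted above and tally what was
removed, per label, checking the tally against the declared totals. Added example,
not part of EliBagla or of the comment; SAMPLE_LOG is a constructed excerpt."""
import re
from collections import Counter

# EliBagla writes "-->" between path and action; the blog rendering above turned
# it into an en dash ("–>"), so accept either form.
ACTION = re.compile(r"^(?P<path>.+?)\s+[-\u2013]+>\s+Eliminado\s+(?P<label>.+?)\s*$")
TOTAL = re.compile(r"^N[º°o]\s+de\s+Ficheros\s+Infectados:\s*(\d+)\s*$")

SAMPLE_LOG = """EliBagle v11.36 (c)2008 S.G.H. / Satinfo S.L. (Modificado el 15 de Mayo del 2008)
----------------------------------------------
Lista de Acciones (por Exploración):
Explorando Unidad C:\\
C:\\WINDOWS\\system32\\MDELK.EXE --> Eliminado Bagle
C:\\WINDOWS\\system32\\drivers\\SROSA.SYS –> Eliminado Bagle (rootkit)
C:\\WINDOWS\\system32\\drivers\\down\\1108812.EXE --> Eliminado Bagle
C:\\WINDOWS\\system32\\drivers\\down\\155631578.EXE --> Eliminado Bagle.dldr
Nº Total de Directorios: 15567
Nº de Ficheros Infectados: 4
Nº de Ficheros Limpiados: 4
"""


def parse_log(text):
    """Return (path -> label, Counter of labels, declared infected count or -1)."""
    actions = {}
    labels = Counter()
    declared = -1
    for line in text.splitlines():
        m = ACTION.match(line)
        if m:
            actions[m.group("path")] = m.group("label")
            labels[m.group("label")] += 1
            continue
        t = TOTAL.match(line)
        if t:
            declared = int(t.group(1))
    return actions, labels, declared


def check_log(text):
    """Summarise a log: counts, consistency with the declared total, and whether
    the rootkit driver and the numbered drop-folder files were handled."""
    actions, labels, declared = parse_log(text)
    drop_folder = sum(1 for p in actions if "\\drivers\\down\\" in p.lower())
    return {
        "removed": len(actions),
        "declared": declared,
        "consistent": declared == len(actions),
        "rootkit_driver": any("rootkit" in v for v in actions.values()),
        "downloader_components": labels["Bagle.dldr"],
        "drop_folder_files": drop_folder,
    }
```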
Hello to all the people sharing one and the same Trojan destiny
First, I’d like to send many thanks to all forum-people that helped me to bring my computer back to life.
Second, I’d like to summarize the curing technology:
- Run the Panda on-line scanner (registration is needed) to clean the computer for the first time
- Run EliBaglA on all possible drives (incl. flash drives!!!)
- Run ComboFix
- Reinstall old or install new Antivirus Software.
- Check the system again (especially the System Restore!!!)
Good luck!
Sashu.
Hi guys,
I went through hell because of this virus, trojan, whatever….
I solved the problem because of your posts here, so thanx very much.
In short lines it went like this:
I got infected by downloading some free software. Being stupid, I was doing this while I was re-installing my antivirus software. I was lucky enough to have NetLimiter installed so I could limit outgoing and incoming connections of hldrrr and wintems. I couldn’t finish the antivirus re-install, I couldn’t install any antivirus nor Spybot or similar; even some new Microsoft update for removal of malicious software didn’t work. Then, after I had read your posts, I tried with combofix which at first didn’t work. But ELIBAGLA.BHFBH did work. First I cleaned the virus with ELIBAGLA.BHFBH and then combofix finished the job. Thanks guys, one very frustrating day has passed…
My dad went to go print some photos at Harvey Norman from his thumbdrive and came back with the virus, which put itself on my dad’s laptop and traveled over the network to the main computer.
HATE YOU HARVEY NORMAN!
I was infected by srosa.sys and hldrr. Tried all sorts, then the following, which worked flawlessly:
1. Uninstalled all antivirus software.
2. Took out the OS hard drive and hooked it up to another pc.
3. From the other pc, ran antivirus software (Comodo, free) and SpySweeper and deleted the srosa.sys which was found by Comodo.
4. Searched for hldrr*.* and deleted it (it was in the windows/prefetch folder).
5. Deleted the rest of the contents of the windows\prefetch folder after backing up its contents to another folder.
6. Put hard drive back into original pc. Everything OK, installed antivirus and all back to normal.
OK, I roughly read the posts above (not having so much time), and want to share my experience with these sucking viruses/trojans:
At first, after downloading a fake dictionary search engine and rebooting my system, my NOD32 began to have trouble loading at system startup, and forced me to uninstall it. Then I reinstalled NOD32 with a “fail in start the ESET (ekrn) service” prompt; no use starting it manually.
Like the situations most people here encountered, all the famous anti-virus software suddenly fails to work; when you’re trying to install an AV or anti-rootkit software such as Sophos or Antivir, the system just says they’re not correct win32 programs, which apparently have been revised by Wintems.exe or its foes; even if you already have one in your system, it is immediately revised to a useless state once you double-click the file in its folder.
It seems there is no way to delete it and no tools for recovery with the existing resources, especially when you encounter the mixed attack by the strong Bagle trojan family (usually they are grouped and will download a virus tank folder (named ldown in my case) into your system with various family members); you have nowhere to go, not to mention crying for help on the internet or trying to get some remedy. They’re efficient and powerful indeed, even for systems with the reputable NOD32 and routine anti-rootkit checking.
While the trojan was active, my CPU usage was above 50% on the efficiency tab in the Windows task manager, but there were no processes shown on the process tab with similar usage, because the trojan process “wintems.exe” hid itself in task manager and in the folders; even using the search function to search hidden files, you can only see the normal hidden files but not it. Of course, the above was given the condition that hidden files cannot be set to show in the Folder Settings.
I didn’t know my computer was infected by Wintems, but I knew it was infected from its failing to show hidden files through the Windows folder settings and the abnormal CPU usage. With previous experience of the Kavo virus, I assumed they’re somehow related.
I downloaded the following zip file which is specially designed to kill the USB virus:
http://moscps.myweb.hinet.net/tools/OverUSBWorm.zip
Don’t care about the log or txt file if you cannot read them correctly. Just run the OverUSBWorm_v1.1.bat, then the hidden files and folders will be visible afterwards; however, you still won’t find the hidden trojan files at this time and will be required to reboot. You have to do it again since the trojans are still there, but this time do it with no reboot.
After that, the bastard Wintems.exe showed in the Windows task manager, so that I could know what was attacking and find the way to this blog.
Maybe this one helps some people who don’t know the type of the trojans, and recovering the hidden file settings can help delete some less dangerous viruses like kavo or kav1.exe, since they will show after you run this program to reset the folder settings.
In my case, the trojans also prevent users from accessing Windows Safe mode.
Here are the steps for me to get back my system:
1. Uninstall the existing anti-virus software, reboot.
2. Find a clean Windows XP install CD (of course find a clone if needed in this emergency), reboot your computer from the CD, then enter the Recovery mode (press R) with your administrator password. (In some cases, a system with FAT and an updated XP without SP2/3 can just recover the whole system without losing any data by using the recovery mode.)
Go to the following paths
Find and delete (using “del virusname.exe”) the main Bagle trojan files:
\WINDOWS\system32\wintems.exe
\WINDOWS\system32\drivers\hidrrr.exe
\WINDOWS\system32\drivers\srora.sys
\WINDOWS\Prefetch\hiddrrr.exe.pf
\WINDOWS\Prefetch\srora.exe.pf
\WINDOWS\Prefetch\wintems.exe.pf
\WINDOWS\system32\drivers\down (delete whole folder)
\WINDOWS\system32\drivers\ldown (delete whole folder)
Reboot; it should be recovered.
3. Install anti-virus and anti-rootkit software, do the scan to find the remaining trojans.
So, when facing this kind of trojan, trying to find the names and paths with some pre-saved tools that can uncover the hidden files, like OverUSBworm, may be the fastest way to clean them compared to searching for those so-called remedies and procedures on the internet.
Thanks to all the tips here!
Only thing that worked for me was first running Combofix and then the Spanish Elibagla. After that the last stuff was removed by my anti virus program, which is running again.
Bloody damn thing, never had such a thing before on my computer.
I wish I had known about this blog 2 weeks ago. I did the removal myself and thoroughly cursed the villains who created this nasty bug. Comodo Pro tipped me off because it showed (briefly) the hldrrr.exe executable name before my AV was disabled. I hacked the registry to remove all instances of hldrrr. Finally (after more cursing and exploring) my AV came back but all was disabled. Once I enabled it again I ran a full scan which turned up 36 infected files. Almost all were numbered, like A0***** something. All seems to be well now.
I will print this blog and review it carefully in case there was something I missed. This bug is really horrible!
Hi everyone
I had the same problem, and this blog was of great help.
I tested everything; the solution that worked for me was:
1. to use RootKit Revealer so as to stop all services and clear files infected
2. use EliBagla afterwards and after rebooting clean the rest of the files.
Everything is OK now!!! Boy, this virus was a nightmare!!!