<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	>
<channel>
	<title>Comments on: Hard to Kill Malware: Wintems.exe, Hldrrr.exe and Random Number.exe</title>
	<atom:link href="http://www.siusic.com/wphchen/hard-to-kill-malware-wintems-exe-and-hldrrr-exe-random-number-exe-143.html/feed" rel="self" type="application/rss+xml" />
	<link>http://www.siusic.com/wphchen/hard-to-kill-malware-wintems-exe-and-hldrrr-exe-random-number-exe-143.html</link>
	<description>Random thoughts and news by Andrew Chen and friends</description>
	<pubDate>Thu, 11 Mar 2010 17:48:56 +0000</pubDate>
	<generator>http://wordpress.org/?v=2.5</generator>
		<item>
		<title>By: Compalusa.com Has The Best Financial Crisis Proof Business: TDSS Malware &#187; Siusic Dot Com</title>
		<link>http://www.siusic.com/wphchen/hard-to-kill-malware-wintems-exe-and-hldrrr-exe-random-number-exe-143.html#comment-53557</link>
		<dc:creator>Compalusa.com Has The Best Financial Crisis Proof Business: TDSS Malware &#187; Siusic Dot Com</dc:creator>
		<pubDate>Thu, 05 Mar 2009 08:18:50 +0000</pubDate>
		<guid isPermaLink="false">http://www.siusic.com/wphchen/hard-to-kill-malware-wintemsexe-and-random-number-executables-143.html#comment-53557</guid>
		<description>[...] in the following registry keys so that they could be launched at boot time. I went ahead and used rootkit-detecting tools. But nothing was [...]</description>
		<content:encoded><![CDATA[<p>[&#8230;] in the following registry keys so that they could be launched at boot time. I went ahead and used rootkit-detecting tools. But nothing was [&#8230;]</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: kostas</title>
		<link>http://www.siusic.com/wphchen/hard-to-kill-malware-wintems-exe-and-hldrrr-exe-random-number-exe-143.html#comment-38475</link>
		<dc:creator>kostas</dc:creator>
		<pubDate>Wed, 24 Sep 2008 22:01:23 +0000</pubDate>
		<guid isPermaLink="false">http://www.siusic.com/wphchen/hard-to-kill-malware-wintemsexe-and-random-number-executables-143.html#comment-38475</guid>
		<description>Hi everyone

I had the same problem, and this blog was of great help.

I tested everything; the solution that worked for me was:
1. Use RootKit Revealer to stop all services and clear the infected files.
2. Use EliBagla afterwards and, after rebooting, clean the rest of the files.

Everything is OK now!!! Boy, this virus was a nightmare!!!</description>
		<content:encoded><![CDATA[<p>Hi everyone</p>
<p>I had the same problem, and this blog was of great help.</p>
<p>I tested everything; the solution that worked for me was:<br />
1. Use RootKit Revealer to stop all services and clear the infected files.<br />
2. Use EliBagla afterwards and, after rebooting, clean the rest of the files.</p>
<p>Everything is OK now!!! Boy, this virus was a nightmare!!!</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Jonathan</title>
		<link>http://www.siusic.com/wphchen/hard-to-kill-malware-wintems-exe-and-hldrrr-exe-random-number-exe-143.html#comment-35846</link>
		<dc:creator>Jonathan</dc:creator>
		<pubDate>Wed, 03 Sep 2008 15:27:14 +0000</pubDate>
		<guid isPermaLink="false">http://www.siusic.com/wphchen/hard-to-kill-malware-wintemsexe-and-random-number-executables-143.html#comment-35846</guid>
		<description>I wish I had known about this blog 2 weeks ago. I did the removal myself and thoroughly cursed the villains who created this nasty bug. Comodo Pro tipped me off because it showed (briefly) the hldrrr.exe executable name before my AV was disabled. I hacked the registry to remove all instances of hldrrr. Finally (after more cursing and exploring) my AV came back, but all of it was disabled. Once I enabled it again I ran a full scan, which turned up 36 infected files. Almost all were numbered, like A0***** something. All seems to be well now.
I will print this blog and review it carefully in case there was something I missed. This bug is really horrible!</description>
		<content:encoded><![CDATA[<p>I wish I had known about this blog 2 weeks ago. I did the removal myself and thoroughly cursed the villains who created this nasty bug. Comodo Pro tipped me off because it showed (briefly) the hldrrr.exe executable name before my AV was disabled. I hacked the registry to remove all instances of hldrrr. Finally (after more cursing and exploring) my AV came back, but all of it was disabled. Once I enabled it again I ran a full scan, which turned up 36 infected files. Almost all were numbered, like A0***** something. All seems to be well now.<br />
I will print this blog and review it carefully in case there was something I missed. This bug is really horrible!</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Puschel</title>
		<link>http://www.siusic.com/wphchen/hard-to-kill-malware-wintems-exe-and-hldrrr-exe-random-number-exe-143.html#comment-35352</link>
		<dc:creator>Puschel</dc:creator>
		<pubDate>Sat, 16 Aug 2008 20:54:47 +0000</pubDate>
		<guid isPermaLink="false">http://www.siusic.com/wphchen/hard-to-kill-malware-wintemsexe-and-random-number-executables-143.html#comment-35352</guid>
		<description>Thanks to all the tips here!
The only thing that worked for me was first running ComboFix and then the Spanish EliBagla. After that the last of it was removed by my antivirus program, which is running again :smile:
Bloody damn thing, I never had anything like it before on my computer.</description>
		<content:encoded><![CDATA[<p>Thanks to all the tips here!<br />
The only thing that worked for me was first running ComboFix and then the Spanish EliBagla. After that the last of it was removed by my antivirus program, which is running again <img src='http://www.siusic.com/wphchen/wp-includes/images/smilies/icon_smile.gif' alt=':smile:' class='wp-smiley' /><br />
Bloody damn thing, I never had anything like it before on my computer.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: trojansthatrocks</title>
		<link>http://www.siusic.com/wphchen/hard-to-kill-malware-wintems-exe-and-hldrrr-exe-random-number-exe-143.html#comment-34364</link>
		<dc:creator>trojansthatrocks</dc:creator>
		<pubDate>Wed, 06 Aug 2008 11:32:45 +0000</pubDate>
		<guid isPermaLink="false">http://www.siusic.com/wphchen/hard-to-kill-malware-wintemsexe-and-random-number-executables-143.html#comment-34364</guid>
		<description>OK, I only roughly read the posts above (not having much time), and want to share my experience with these nasty viruses/trojans:

At first, after downloading a fake dictionary search engine and rebooting my system, my NOD32 began to have trouble loading at system startup and forced me to uninstall it. I then reinstalled NOD32, which gave a "failed to start the ESET (ekrn) service" prompt; starting it manually was no use.

Like the situations most people here encountered, all the famous anti-virus software suddenly fails to work; when you try to install an AV or anti-rootkit program such as Sophos or Antivir, the system just says it is not a valid Win32 program, apparently because it has been modified by Wintems.exe or its friends; even if you already have one on your system, it is immediately modified into a useless state once you double-click the file in its folder.

There seems to be no way to delete them and no tools for recovery with the existing resources, especially when you encounter the mixed attack by the strong Bagle trojan family (usually they come grouped and will download a folder full of viruses (named ldown in my case) into your system with various family members); you have nowhere to go, not to mention crying for help on the internet or trying to get some remedy. They are efficient and powerful indeed, even against systems with the reputable NOD32 and routine anti-rootkit checks.

While the trojan was active, my CPU usage was above 50% on the Performance tab of Windows Task Manager, but there were no processes shown on the Processes tab with similar usage, because the trojan process "wintems.exe" hid itself in Task Manager and in the folders; even using the search function to search hidden files, you can only see the normal hidden files but not it. Of course, the above was under the condition that hidden files could not be set to show in the Folder Options.

I didn't know my computer was infected by Wintems, but I knew it was infected from the failure to show hidden files through the Windows folder settings and the abnormal CPU usage. With previous experience of the Kavo virus, I assumed they were somehow related.

I downloaded the following zip file, which is specially designed to kill USB viruses:

http://moscps.myweb.hinet.net/tools/OverUSBWorm.zip

Don't worry about the log or txt files if you cannot read them correctly. Just run OverUSBWorm_v1.1.bat; the hidden files and folders will be visible afterwards. However, you still won't find the hidden trojan files at this point, and a reboot is required; you have to do it again, since the trojans are still there, but this time do it with no reboot.

After that, the bastard Wintems.exe showed up in Windows Task Manager, so I could know what was attacking and found my way to this blog.

Maybe this helps some people who don't know the type of trojan they have; restoring the hidden-file settings can also help delete some less dangerous viruses like kavo or kav1.exe, since they will show after you run this program to reset the folder settings.

In my case, the trojans also prevented me from accessing Windows Safe Mode.

Here are the steps I took to get my system back:

1. Uninstall the existing anti-virus software, reboot.

2. Find a clean Windows XP install CD (of course find a copy if needed in this emergency), boot your computer from the CD, then enter the recovery mode (press R) with your administrator password. (In some cases, a system with FAT and an updated XP without SP2/3 can just recover the whole system without losing any data by using the recovery mode.)

Go to the following paths, find the main Bagle trojan files and delete them (using "del virusname.exe"):

\WINDOWS\system32\wintems.exe
\WINDOWS\system32\drivers\hidrrr.exe
\WINDOWS\system32\drivers\srora.sys
\WINDOWS\Prefetch\hiddrrr.exe.pf
\WINDOWS\Prefetch\srora.exe.pf
\WINDOWS\Prefetch\wintems.exe.pf
\WINDOWS\system32\drivers\down (delete whole folder)
\WINDOWS\system32\drivers\ldown (delete whole folder)

Reboot; it should be recovered.

3. Install anti-virus and anti-rootkit software and run a scan to find the remaining trojans.

So, when facing this kind of trojan, trying to find the names and paths with some pre-saved tools that can uncover hidden files, like OverUSBWorm, may be the fastest way to clean them, compared to searching for those so-called remedies and procedures on the internet.</description>
		<content:encoded><![CDATA[<p>OK, I only roughly read the posts above (not having much time), and want to share my experience with these nasty viruses/trojans:</p>
<p>At first, after downloading a fake dictionary search engine and rebooting my system, my NOD32 began to have trouble loading at system startup and forced me to uninstall it. I then reinstalled NOD32, which gave a &#8220;failed to start the ESET (ekrn) service&#8221; prompt; starting it manually was no use.</p>
<p>Like the situations most people here encountered, all the famous anti-virus software suddenly fails to work; when you try to install an AV or anti-rootkit program such as Sophos or Antivir, the system just says it is not a valid Win32 program, apparently because it has been modified by Wintems.exe or its friends; even if you already have one on your system, it is immediately modified into a useless state once you double-click the file in its folder.</p>
<p>There seems to be no way to delete them and no tools for recovery with the existing resources, especially when you encounter the mixed attack by the strong Bagle trojan family (usually they come grouped and will download a folder full of viruses (named ldown in my case) into your system with various family members); you have nowhere to go, not to mention crying for help on the internet or trying to get some remedy. They are efficient and powerful indeed, even against systems with the reputable NOD32 and routine anti-rootkit checks.</p>
<p>While the trojan was active, my CPU usage was above 50% on the Performance tab of Windows Task Manager, but there were no processes shown on the Processes tab with similar usage, because the trojan process &#8220;wintems.exe&#8221; hid itself in Task Manager and in the folders; even using the search function to search hidden files, you can only see the normal hidden files but not it. Of course, the above was under the condition that hidden files could not be set to show in the Folder Options.</p>
<p>I didn&#8217;t know my computer was infected by Wintems, but I knew it was infected from the failure to show hidden files through the Windows folder settings and the abnormal CPU usage. With previous experience of the Kavo virus, I assumed they were somehow related.</p>
<p>I downloaded the following zip file, which is specially designed to kill USB viruses:</p>
<p><a href="http://moscps.myweb.hinet.net/tools/OverUSBWorm.zip" rel="nofollow">http://moscps.myweb.hinet.net/tools/OverUSBWorm.zip</a></p>
<p>Don&#8217;t worry about the log or txt files if you cannot read them correctly. Just run OverUSBWorm_v1.1.bat; the hidden files and folders will be visible afterwards. However, you still won&#8217;t find the hidden trojan files at this point, and a reboot is required; you have to do it again, since the trojans are still there, but this time do it with no reboot.</p>
<p>After that, the bastard Wintems.exe showed up in Windows Task Manager, so I could know what was attacking and found my way to this blog.</p>
<p>Maybe this helps some people who don&#8217;t know the type of trojan they have; restoring the hidden-file settings can also help delete some less dangerous viruses like kavo or kav1.exe, since they will show after you run this program to reset the folder settings.</p>
<p>In my case, the trojans also prevented me from accessing Windows Safe Mode.</p>
<p>Here are the steps I took to get my system back:</p>
<p>1. Uninstall the existing anti-virus software, reboot.</p>
<p>2. Find a clean Windows XP install CD (of course find a copy if needed in this emergency), boot your computer from the CD, then enter the recovery mode (press R) with your administrator password. (In some cases, a system with FAT and an updated XP without SP2/3 can just recover the whole system without losing any data by using the recovery mode.)</p>
<p>Go to the following paths, find the main Bagle trojan files and delete them (using &#8220;del virusname.exe&#8221;):</p>
<p>\WINDOWS\system32\wintems.exe<br />
\WINDOWS\system32\drivers\hidrrr.exe<br />
\WINDOWS\system32\drivers\srora.sys<br />
\WINDOWS\Prefetch\hiddrrr.exe.pf<br />
\WINDOWS\Prefetch\srora.exe.pf<br />
\WINDOWS\Prefetch\wintems.exe.pf<br />
\WINDOWS\system32\drivers\down (delete whole folder)<br />
\WINDOWS\system32\drivers\ldown (delete whole folder)</p>
<p>Reboot; it should be recovered.</p>
<p>3. Install anti-virus and anti-rootkit software and run a scan to find the remaining trojans.</p>
<p>So, when facing this kind of trojan, trying to find the names and paths with some pre-saved tools that can uncover hidden files, like OverUSBWorm, may be the fastest way to clean them, compared to searching for those so-called remedies and procedures on the internet.</p>
]]></content:encoded>
	</item>
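Added example, not code from the blog post or from any commenter: a read-only PowerShell triage script that checks a Windows machine for the things the comments above describe. It looks for the file paths the last comment lists under \WINDOWS, for the Explorer hidden-file settings (including the SHOWALL CheckedValue that USB worms of the Kavo kind clobber so "Show hidden files" will not stick), for the SafeBoot registry keys that Safe Mode depends on (one common way malware blocks Safe Mode is deleting them), and for Run-key and Services entries whose command line names wintems, hldrrr/hidrrr or srora. The parameter name -Root, the function names, the name regex and the Run-key/Services checks are my own choices; the page does not name the persistence keys the pingback refers to. It reports only and deletes nothing.

```powershell
# Triage script added for this page; it is not the blog's or a commenter's code.
# Assumptions: run from an elevated PowerShell on the affected host, or point
# -Root at a Windows directory on a volume mounted from a clean boot (the file
# checks then bypass any rootkit hiding files on the live system). The artifact
# paths are the ones quoted in the comment above; everything else is assumed.
param(
    [string]$Root = $env:SystemRoot   # e.g. 'E:\WINDOWS' for an offline disk
)

# Paths quoted in the comment, relative to the Windows directory.
$ArtifactPaths = @(
    'system32\wintems.exe',
    'system32\drivers\hidrrr.exe',
    'system32\drivers\srora.sys',
    'Prefetch\hiddrrr.exe.pf',
    'Prefetch\srora.exe.pf',
    'Prefetch\wintems.exe.pf',
    'system32\drivers\down',
    'system32\drivers\ldown'
)
# Name fragments from the thread (wintems, hldrrr/hidrrr, srora); my own regex.
$NamePattern = 'wintems|h[il]d+rrr|srora'

function Find-ArtifactFiles {
    param([string]$SystemRoot)
    $hits = @()
    foreach ($rel in $ArtifactPaths) {
        $full = Join-Path -Path $SystemRoot -ChildPath $rel
        # -Force so hidden/system attributes do not hide the item from Get-Item.
        $item = Get-Item -LiteralPath $full -Force -ErrorAction SilentlyContinue
        if ($null -ne $item) { $hits += $item.FullName }
    }
    return $hits
}

function Get-HiddenFileSettings {
    # Explorer Folder Options: Hidden = 1 shows hidden files, 2 hides them;
    # ShowSuperHidden = 1 shows protected OS files. Those two are user choices.
    # CheckedValue under SHOWALL is normally 1; when it is missing or 0 the
    # "Show hidden files" radio button silently reverts, which is the lockout
    # the comment describes.
    $advPath  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
    $showPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL'
    $adv  = Get-ItemProperty -Path $advPath  -ErrorAction SilentlyContinue
    $show = Get-ItemProperty -Path $showPath -ErrorAction SilentlyContinue
    return [pscustomobject]@{
        Hidden          = $adv.Hidden
        ShowSuperHidden = $adv.ShowSuperHidden
        ShowAllChecked  = $show.CheckedValue
        LockedOut       = ($show.CheckedValue -ne 1)
    }
}

function Test-SafeBootKeys {
    # Safe Mode boots need both keys; if either is gone, Safe Mode will not start.
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot'
    return [pscustomobject]@{
        Minimal = Test-Path -Path (Join-Path $base 'Minimal')
        Network = Test-Path -Path (Join-Path $base 'Network')
    }
}

function Find-RunKeyEntries {
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    $hits = @()
    foreach ($key in $keys) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if ($null -eq $props) { continue }
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }      # skip PSPath, PSParentPath, ...
            if ("$($p.Value)" -match $NamePattern) { $hits += "$key\$($p.Name) = $($p.Value)" }
        }
    }
    return $hits
}

function Find-ServiceEntries {
    # A driver such as srora.sys loads through a Services subkey; match ImagePath.
    $hits = @()
    $services = Get-ChildItem -Path 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue
    foreach ($svc in $services) {
        $img = $svc.GetValue('ImagePath')
        if ("$img" -match $NamePattern) { $hits += "$($svc.PSChildName): $img" }
    }
    return $hits
}

$files = @(Find-ArtifactFiles -SystemRoot $Root)
Write-Output "Artifact files present ($($files.Count)):"
foreach ($f in $files) { Write-Output "  $f" }
Write-Output 'Hidden-file settings:'
Write-Output (Get-HiddenFileSettings)
Write-Output 'SafeBoot keys present:'
Write-Output (Test-SafeBootKeys)
Write-Output 'Run-key entries naming the samples:'
foreach ($r in @(Find-RunKeyEntries)) { Write-Output "  $r" }
Write-Output 'Services whose ImagePath names the samples:'
foreach ($s in @(Find-ServiceEntries)) { Write-Output "  $s" }
```

The registry functions read the live hives, so on a still-running infected host they can be lied to by the same rootkit that hid wintems.exe from Task Manager; the file check is the part that benefits from pointing -Root at a disk mounted from a clean boot, which is the offline approach the comment took with the XP CD. A SafeBoot key that is missing or a LockedOut value of True are the two findings worth acting on before any removal attempt, because both have to be restored before Safe Mode or Explorer can help.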
</channel>
</rss>
