Biohazard outbreak of wintems.exe – 28 hours later (how to get rid of a virus if you can’t boot to safe mode and your computer keeps deleting anti virus software)
Winter season is among other things, also well known for flues, colds, sore throats and people being sick in general. Some of my team members have been struck down by some nasty mutated flue and are now on antibiotics. I was successfully winning the fight with alien mutation by eating abnormal quantities of vitamin C.... and until yesterday I though I got away!
Yesterday I came to the office around 4pm, and it was like any other Saturday in the office. Everybody was here - working as usual. :) I booted up my xp and started to checkout latest version of project on which I had to work. While I was reading my emails I noticed that half of my programs didn't start up normally (chameleon clock, NOD32, SpyBot...). I thought this was pretty strange because I tend to keep my xp in good condition (or at least better than what rest of my crew does). I tried starting nod32 manually, but... nod32.exe was gone. The same was with the SpybotSD.exe. Strange shit... I don't remember uninstalling them, and especially not deleting just exe files. So that got me little worried, because everybody knows that running xp without antivirus is like keeping your front door open and leaving for long vacation.
First thing I tried was starting CCleaner (which luckily didn't get deleted), and to my big surprise - upon starting CCleaner just exited. Then I tried reinstalling Nod32 and SpyBot, but no luck aether. Setup in both cases went 95% of its way, and just when setup needed to copy .exe's, I got error stating that "setup was unable to write to file..." program executable files (!?). I tried deleting unknown running processes, and one process got my immediate attention - I couldn't delete process wintems.exe - Access denied! BAH!! It sounded like I got infected big time. I deleted all processes (my xp was running using 120 mb of ram) but I still couldn't install any anti virus. To make things worse I was unable to find any reference to wintems.exe nor in my file system nor my registry. Weird shit! Next stop - safe mode!
As you could foresee from this post subject, my trip to safe mode land didn't last long. I was unable to boot to any kind of safe mode. BOSD just keep blowing in my face (without any explanation, dysfunctional dll names etc.). OMG!! WHY ME?! OH, WHHHY! Anyways, when I got back to "normal mode", I tried installing every single freeware antivirus and trojan hunter I could get my hands on. Every single one of them got deleted momentarily by this strange phenomenon. Everyone except Spyware Nuker XP which helped me to put some light on this conundrum.
As it turned out by Spyware Nuker scan, I was infected with Trojan.Mitglieder also known as: W32.Beagle.DP, Trojan.Mitglieder.Q, Trojan-Downloader.Win32.Bagle.aj. The reference to stated names and technical reference, I found several hours later. Nuker told me only that it's Mitglieder and that he is being started from HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run:german.exe . However, I couldn't see that registry entry from regedit, so I couldn't do anything about it. Other references also stated the exact location of wintems.exe, but I couldn't see that file, nor delete it (delete however gave some bizarre error message, and not - file not found.).
Since I was unable to boot to safe mode to get rid of the bastard from there, I used only option available - boot from xp boot disc and repair from command line. From there I was able to delete wintems.exe conveniently located at %system% folder. I rebooted and tried reinstalling antivirus. The same error as before popped up. The wintems.exe was gone from process list, but as I suspected, virus was buried somewhere between drivers and system services.
Luck has left the guycalledseven's town. I had tons of work to do for our project, I couldn't boot to safe mode, I was unable to install anything that could locate infected files... I was near the point of no return - xp reinstall.
Luckily, one of trial anti virus software I tried was BitDefender, whose installer (after he detected error while writting to bdagent.exe) suggested me to run free online antivirus scan (IE ActiveX). Virus I had was unable to detect online virus scanners!! Woohoo! :) Scan lasted for several hours and after it completed I got exact locations and virus names of infected files. Just to be on the safe side, I also ran Kaspersky online virus scanner too. I got tons of different viruses inside "%system%\drivers\down\" folder (101343.exe - Trojan-Downloader.Win32.Bagle.ho, 104937.exe - Email-Worm.Win32.Bagle.of, 4858953.exe - Trojan.Win32.Pakes.bwy). Then I realized what am I fighting against - a root kit. Bastard originally came to my system packed into JPG files (I found them inside Internet Explorer cache folders), after installing him self deep into the system he replaced NTXXX functions with pointers to his evil root kit code (NTCreateFile, NTEnumerateKey, NTEnumerateValueKey, NTQueryKey, NTQueryDirectoryFile, NTQuerySystemInformation). Pretty ingenious piece of work if I might say.
By time I found out what I had on my system, I already left office. Thank God to Remote Terminal Client, otherwise I would lost and Sunday too. As I said I was connected remotely from my home to my xp in the office, so booting from xp boot cd was not an option (although I know you can do that with Ubuntu). Instead I tried downloading few anti root kit software’s (which were luckily free). Since they all had shitty installers many of them failed, and their exe's got deleted. Cmon, how hard can it be to detect if another process is messing with anti root kit installer?? However, guys from AVG know their viruses. AVG Anti-Rootkit Free was able to install, and upon rebooting he installed him self before the virus could get control over the system again. Around 3am I finally got rid of wintems.exe for good. Now when my system was clean, I could again install anti virus. But, which one? NOD32 again? I don't think so. :)
I don't believe much to antivirus reviews found on the net, and so far I was pretty unhappy with everyone I tried. That would be: NOD32 (far the worst, didn't detected anything, and I already god infected couple of times this year), Symantec (bah), McAffee, AVG, Kaspersky (when I was running Kaspersky I got infected with something that has forbidden me to log in to the system - luckily I left Remote Registry service running so I could connect from remote computer and fix this), and last but not least - BlackIce Defender + Trend Micro. Some years ago, when I had those two installed, I barely survived that virus outbreak. The virus was actually exploit for BlackIce which randomly screwed with sectors on my HDD's so I lost almost 50% of all my files.
All that being said, I didn't want to go back to any of those I got screwed with once. Since online BitDefender helped me to identify problem this time (and NOD32 didn't warn me at all), I decided to go for 30 day trial of BitDefender Antivirus 2008 (not so long ago, he got some good ratings - no matter because I don't believe them). I left it to run over night and this morning (9 hours and 5.000.000 files later), he found and removed cca 50 viruses (from emails mostly). BitDefender is now running on highest security setting, and he is really processor hungry. I don't know if I will be able to live with that on day to day basis, but 10 hours I spent removing W32.Beagle is something I don't want to repeat any time soon. :)
A friendly word of advice for all of you running web servers (especially Windows IIS), and running sites with user uploadable content - INSTALL ANTI VIRUS SOFTWARE! We have it on our unix machines, and they alone can't get infected, but can detect if malicious user uploaded avatar picture containing a virus inside.
update: it seems that somebody else got infected with the same disease. I hear you bro. :)
update (19-02-2008): Would you believe me if I would tell you that I got infected again??? :) Well I did. This Tuesday. Again. This time, I got BitDefender running on maximum settings, and he only warned me when he detected that wintems.exe want to write him self to the registry. I didn't allow him, but it was already too late. Bagle installed him self as a hidden service, as a driver, put stuff in registry, copied 100 viruses in /system32/drivers/down/ folder (various versions of Bagle), and he also infected some of my programs that I had in usual windows startup (lexmark printer driver). I think I could outsmart him this time, and just run AVG Root Kit, but that didn't help. I had to install Spyware Killer again (he delted hidden registry keys) and I had to start online virus scanner (bitdefender again), and 10 hours later, after bitdefender deleted all infected files (printer driver), only then I could start AVG Root Kit. The virus was gone again... But for how long? :)