Category: developers journal

Biohazard outbreak of wintems.exe – 28 hours later (how to get rid of a virus if you can’t boot to safe mode and your computer keeps deleting anti virus software)

Author: seven January 13, 2008

mutated alien virus

Winter season is among other things, also well known for flues, colds, sore throats and people being sick in general. Some of my team members have been struck down by some nasty mutated flue and are now on antibiotics. I was successfully winning the fight with alien mutation by eating abnormal quantities of vitamin C…. and until yesterday I though I got away!

Yesterday I came to the office around 4pm, and it was like any other Saturday in the office. Everybody was here – working as usual. :) I booted up my xp and started to checkout latest version of project on which I had to work. While I was reading my emails I noticed that half of my programs didn’t start up normally (chameleon clock, NOD32, SpyBot…). I thought this was pretty strange because I tend to keep my xp in good condition (or at least better than what rest of my crew does). I tried starting nod32 manually, but… nod32.exe was gone. The same was with the SpybotSD.exe. Strange shit… I don’t remember uninstalling them, and especially not deleting just exe files. So that got me little worried, because everybody knows that running xp without antivirus is like keeping your front door open and leaving for long vacation.

First thing I tried was starting CCleaner (which luckily didn’t get deleted), and to my big surprise – upon starting CCleaner just exited. Then I tried reinstalling Nod32 and SpyBot, but no luck aether. Setup in both cases went 95% of its way, and just when setup needed to copy .exe’s, I got error stating that “setup was unable to write to file…” program executable files (!?). I tried deleting unknown running processes, and one process got my immediate attention – I couldn’t delete process wintems.exe – Access denied! BAH!! It sounded like I got infected big time. I deleted all processes (my xp was running using 120 mb of ram) but I still couldn’t install any anti virus. To make things worse I was unable to find any reference to wintems.exe nor in my file system nor my registry. Weird shit! Next stop – safe mode!

As you could foresee from this post subject, my trip to safe mode land didn’t last long. I was unable to boot to any kind of safe mode. BOSD just keep blowing in my face (without any explanation, dysfunctional dll names etc.). OMG!! WHY ME?! OH, WHHHY! Anyways, when I got back to “normal mode”, I tried installing every single freeware antivirus and trojan hunter I could get my hands on. Every single one of them got deleted momentarily by this strange phenomenon. Everyone except Spyware Nuker XP which helped me to put some light on this conundrum.

As it turned out by Spyware Nuker scan, I was infected with Trojan.Mitglieder also known as: W32.Beagle.DP, Trojan.Mitglieder.Q, Trojan-Downloader.Win32.Bagle.aj. The reference to stated names and technical reference, I found several hours later. Nuker told me only that it’s Mitglieder and that he is being started from HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run:german.exe . However, I couldn’t see that registry entry from regedit, so I couldn’t do anything about it. Other references also stated the exact location of wintems.exe, but I couldn’t see that file, nor delete it (delete however gave some bizarre error message, and not – file not found.).

Since I was unable to boot to safe mode to get rid of the bastard from there, I used only option available – boot from xp boot disc and repair from command line. From there I was able to delete wintems.exe conveniently located at %system% folder. I rebooted and tried reinstalling antivirus. The same error as before popped up. The wintems.exe was gone from process list, but as I suspected, virus was buried somewhere between drivers and system services.

Luck has left the guycalledseven’s town. I had tons of work to do for our project, I couldn’t boot to safe mode, I was unable to install anything that could locate infected files… I was near the point of no return – xp reinstall.

Luckily, one of trial anti virus software I tried was BitDefender, whose installer (after he detected error while writting to bdagent.exe) suggested me to run free online antivirus scan (IE ActiveX). Virus I had was unable to detect online virus scanners!! Woohoo! :) Scan lasted for several hours and after it completed I got exact locations and virus names of infected files. Just to be on the safe side, I also ran Kaspersky online virus scanner too. I got tons of different viruses inside “%system%\drivers\down\” folder (101343.exe – Trojan-Downloader.Win32.Bagle.ho, 104937.exe – Email-Worm.Win32.Bagle.of, 4858953.exe – Trojan.Win32.Pakes.bwy). Then I realized what am I fighting against – a root kit. Bastard originally came to my system packed into JPG files (I found them inside Internet Explorer cache folders), after installing him self deep into the system he replaced NTXXX functions with pointers to his evil root kit code (NTCreateFile, NTEnumerateKey, NTEnumerateValueKey, NTQueryKey, NTQueryDirectoryFile, NTQuerySystemInformation). Pretty ingenious piece of work if I might say.

By time I found out what I had on my system, I already left office. Thank God to Remote Terminal Client, otherwise I would lost and Sunday too. As I said I was connected remotely from my home to my xp in the office, so booting from xp boot cd was not an option (although I know you can do that with Ubuntu). Instead I tried downloading few anti root kit software’s (which were luckily free). Since they all had shitty installers many of them failed, and their exe’s got deleted. Cmon, how hard can it be to detect if another process is messing with anti root kit installer?? However, guys from AVG know their viruses. AVG Anti-Rootkit Free was able to install, and upon rebooting he installed him self before the virus could get control over the system again. Around 3am I finally got rid of wintems.exe for good. Now when my system was clean, I could again install anti virus. But, which one? NOD32 again? I don’t think so. :)

I don’t believe much to antivirus reviews found on the net, and so far I was pretty unhappy with everyone I tried. That would be: NOD32 (far the worst, didn’t detected anything, and I already god infected couple of times this year), Symantec (bah), McAffee, AVG, Kaspersky (when I was running Kaspersky I got infected with something that has forbidden me to log in to the system – luckily I left Remote Registry service running so I could connect from remote computer and fix this), and last but not least – BlackIce Defender + Trend Micro. Some years ago, when I had those two installed, I barely survived that virus outbreak. The virus was actually exploit for BlackIce which randomly screwed with sectors on my HDD’s so I lost almost 50% of all my files.

All that being said, I didn’t want to go back to any of those I got screwed with once. Since online BitDefender helped me to identify problem this time (and NOD32 didn’t warn me at all), I decided to go for 30 day trial of BitDefender Antivirus 2008 (not so long ago, he got some good ratings – no matter because I don’t believe them). I left it to run over night and this morning (9 hours and 5.000.000 files later), he found and removed cca 50 viruses (from emails mostly). BitDefender is now running on highest security setting, and he is really processor hungry. I don’t know if I will be able to live with that on day to day basis, but 10 hours I spent removing W32.Beagle is something I don’t want to repeat any time soon. :)

A friendly word of advice for all of you running web servers (especially Windows IIS), and running sites with user uploadable content – INSTALL ANTI VIRUS SOFTWARE! We have it on our unix machines, and they alone can’t get infected, but can detect if malicious user uploaded avatar picture containing a virus inside.

update: it seems that somebody else got infected with the same disease. I hear you bro. :)

update (19-02-2008): Would you believe me if I would tell you that I got infected again??? :) Well I did. This Tuesday. Again. This time, I got BitDefender running on maximum settings, and he only warned me when he detected that wintems.exe want to write him self to the registry. I didn’t allow him, but it was already too late. Bagle installed him self as a hidden service, as a driver, put stuff in registry, copied 100 viruses in /system32/drivers/down/ folder (various versions of Bagle), and he also infected some of my programs that I had in usual windows startup (lexmark printer driver). I think I could outsmart him this time, and just run AVG Root Kit, but that didn’t help. I had to install Spyware Killer again (he delted hidden registry keys) and I had to start online virus scanner (bitdefender again), and 10 hours later, after bitdefender deleted all infected files (printer driver), only then I could start AVG Root Kit. The virus was gone again… But for how long? :)

Author
seven
CEO/CTO at Nivas®
Neven Jacmenović has been passionately involved with computers since late 80s, the age of Atari and Commodore Amiga. As one of internet industry pioneers in Croatia, since 90s, he has been involved in making of many award winning, innovative and successful online projects. He is an experienced full stack web developer, analyst and system engineer. In his spare time, Neven is transforming retro-futuristic passion into various golang, Adobe Flash and JavaScript/WebGL projects.

    17 thoughts on “Biohazard outbreak of wintems.exe – 28 hours later (how to get rid of a virus if you can’t boot to safe mode and your computer keeps deleting anti virus software)”

  • Quote: “I tend to keep my xp in good condition (or at least better than what rest of my crew does)”

    LIES!! Mine works like Swiss clockwork!

  • Just finished cleaning my hard drive from yet another bagle spawn. My aproach was to unhook my HD and scan it as slave from another system. And yes, NOD32 was the tool of trade.
    Usually, when someone gets infected running nod32 its because they didnt configure it right. I was infected not because nod32 is a bad antivirus, but because I ran the damn trojan. Yes, I double clicked it.

  • Nope, it wasn’t nods config fault. As I said, nod already ignored couple of viruses on my system last year and he allowed them to get installed. When this shit happened, I was running nod32 daily and realtime scanning was on for everything.

    Anyways…Few days later after uninstalling nod32 and testing BitDefender, I can tell you how bad nod32 email scanner is. I thought that my outlook is dying because of my 5 gb inbox, but it was nod32s fault. He was freezing my whole system while he was scanning emails. Although, now with BitDefender, I noticed radical slowdown of application startup time.

  • Man you saved my life (and a lot of time)!

    I’ve tried a lot of things before reading your post (killing process, booting on linux… removing that one thousand *** .exe files, …).

    I’ve create a batch file like this:

    :@loop
    taskkill /IM wintems.exe
    goto @loop

    And so…

    Then I take notice here about the Root Kit…

    Thanx a LOT! =)

    Today I swear that I will put my wireless card to work on *linux*… then ALL my problems will stop.

  • I’m having the exact same problem! Following your outline for repair. Running Bitdefender online scan right now

  • I’ve got same problem, however, i managed to remove the rootkit first (or i’ve just thought I did :( ).
    The malware prevent most of anti virus/rootkit running. So I had to use tool that don’t need install.
    I download some tool from this site _http://antirootkit.com/software/index.htm (those with five star ;) )

    BEFORE extract the packages, I renamed the extention of .exe file to .exe.bak (so it can’t get infected), renamed the file name (so the malware can’t close the sofware by it name).
    AFTER extracted, I set those *.exe.bak file to READONLY, and rename to *.exe to start using them.

    First I used Panda Anti-Rootkit to detect rootkit, and it found several interesting things, but I noticed those :

    C:\WINDOWS\system32\drivers\hldrrr.exe;;”TRUE”;”FALSE”;”FALSE”;”SOFTWARE\Microsoft\Windows\CurrentVersion\Run”;”drvsyskit”;”TRUE”;” “;” “;” “;” “;” “;” “;” “;” “;
    C:\WINDOWS\system32\wintems.exe;;”FALSE”;”FALSE”;”FALSE”;”SOFTWARE\Microsoft\Windows\CurrentVersion\Run”;”german.exe”;”TRUE”;” “;” “;” “;” “;” “;” “;” “;” “;
    C:\WINDOWS\system32\drivers\srosa.sys;;”TRUE”;”FALSE”;”FALSE”;”SYSTEM\CurrentControlSet\Services\srosa”;”ImagePath”;”FALSE”;” “;” “;” “;” “;” “;” “;” “;” “;

    but unfortunately, It can’t remove them. I can’t use explorer and regedit neither.
    But with Rootkit UnHooker, I killed and erase hldrrr.exe, wintems.exe, and IceSword to delete registry entries, srosa.sys file.
    After reboot, I check the system again with Panda Anti-Rootkit, IceSword, Rootkit Unhooker and look like everything is clean (with rootkit :) ). Now I can running antivirus software, hope it’ll clean the system (although so many services, software was broken :( )

    Sorry about my English, but I hope I can give your guy some issues to solve this problem, so maybe you will not suffer as I did.

  • This is insane. I live in fear of infection day by day… running nightly virus scans… my workstation is operating at 50% of cpus (since other 50% is taken by ativirus scanners)…

    Some of my friends suggested running virtual pc and browsing the internet on completely separate os installation. Well, that would be a great idea if surfing the net wouldn’t be may day job. :)

  • I can’t believe how bad trhis virus really is.. I’d like to hang the bastard who created this, by his balls.
    Shamless people.

  • I think that we have the same thing here. Thanks for posting all this information you have saved me a lot of money. We outsource most of this stuff so hopefully we can correct it.

  • Thanks man.
    I had the same fucking problem. (I had AntiVir Anti-virus)
    I solved the problem by running into Safe-Mode, and luckily, the SpyBot
    was able to run, and clean it.

  • Had this for a while now, cannot get rid of it!! I also would like to hang the dick who created it, gives me a thought though, if everyone donated a dollar who got stung with this it might be enough to pay a guy to break their legs

  • I find it ridiculous that many PC owners prefer installing all kinds of trials and demos and

  • 7even my friend you could’ve just ask, and i would told you that new Nod32 has Sysrescue option that boots and cleans your system when there is no other option. Got the cd right here.

  • Interessanter Beitrag, danke.

  • i am only using free virus scanners like avast and avira but they seem to be great tools though,`,

  • Bitdefender! That was the name I was trying to remember. I’ve been looking for something to supplement NOD32.

  • for me, the best scanner is avast antivirus and kaspersky. they can really find those annoying malwares:’*

  • Leave a Reply to Josiah Russell Cancel reply

    Your email address will not be published. Required fields are marked *