Tips on dealing with the Bagle rootkit
Normally I don't concern myself with Windows-related matters. However, the infamous Bagle rootkit and its numerous variants deserve some attention even from Unix sysadmins. Bagle annoyed me and my customers long enough. Essentially, Bagle turns your PC into someone's personal mail server for sending out spam. It also gives that someone remote access to your PC, so whichever removal route you take, change every password that was used on the machine once it is clean. The exact procedure for removing this virus varies depending on the Bagle variant you have. How do you know you have it?
Bagle is able to kill and delete most antivirus scanners before they ever get a chance to catch it, and once it is on your system it will not let you install or run any antivirus application. You can still run online scanners, but those will accomplish exactly nothing: they run through Internet Explorer on the infected machine, where Bagle is already in control, and the 127.0.0.1 entries Bagle writes into the hosts file (see below) typically point at antivirus vendors' sites, so the scanner and its updates cannot be reached anyway.
So the first sign of trouble is when your antivirus application suddenly quits and disappears. You can't start it and you can't reinstall it. You've definitely been Bagled. Another symptom: your wireless card will no longer connect to the network, and Windows says that something else is trying to manage it. Scroll down to the end of this page to see notes on dealing with the wireless problem, but only after you have got rid of the virus!
Do CTRL-ALT-DEL to bring up the Task Manager and take a look at the running processes. If you see hldrrr.exe or wintems.exe running, you've been Bagled. If you don't see these processes, that doesn't mean you are in the clear. Many viruses can hide from the Task Manager, and Bagle's kernel-mode driver component (srosa.sys, listed below) can hide its processes and files from user-mode tools such as Task Manager and Explorer; that is exactly what makes it a rootkit rather than an ordinary virus.
So how do you get rid of Bagle? To be perfectly honest with you, the best way to go is to reformat your drive and reinstall Windows. Sure, you will need to reinstall your apps and rebuild your settings, but you will get rid of Bagle, guaranteed, provided you restore only your data files from backup and not old executables. The alternatives are time-consuming, extremely convoluted and not always effective. But if you are willing to give it a shot, below are some tips that you may find useful. And keep in mind that much of the Bagle removal advice you find online will not work, either because it is written for a different variant or because whoever posted it is trying to sell you something.
So here’s the action plan:
- Before you take any drastic measures, log out of your PC and try to log back in as Administrator. To do this, at the login screen hit CTRL-ALT-DEL twice and a login window will appear. If you don't know your Administrator password, find somebody who does. Alternatively, try to log in as another user (if you have another user configured on your PC): there is a slight chance that Bagle only infected your account. When you log in as Administrator or another user, check the Task Manager to see if hldrrr.exe or wintems.exe are running. If they are not, you're in luck.
- Get Spybot Search & Destroy and see if you can install it. If you can, you're definitely one lucky SOB. Run a full system scan and see if Spybot finds your Bagle. Then see if you can reinstall your antivirus and do a full system scan.
- If this approach fails, then make yourself some coffee: this will take time. The basic steps for removing Bagle from your system are the same as for removing any other virus: 1) kill any processes infected by the virus; 2) delete any infected files from your drive; 3) delete any registry entries that start the virus. Easier said than done. With Bagle the problem starts with #1: there is no simple way of killing infected processes. And, as long as they are running, they will not let you delete anything and any registry changes you make will be promptly overwritten. So you need to access your Windows filesystem without starting Windows.
- Download a Knoppix bootable image and burn it to CD.
- Boot from the Knoppix CD (without installing it).
- Knoppix mounts your Windows drive "C" read-only. You need to remount it read-write; for NTFS use ntfs-3g, which gives full write access (the old kernel NTFS driver does not write safely).
- Go to "C:\WINDOWS\system32\drivers" and remove "hldrrr.exe".
- Go to "C:\WINDOWS\system32" and remove "wintems.exe" and "mdelk.exe".
- Remove "srosa.sys" from "C:\WINDOWS\system32\drivers".
- Remove the "C:\WINDOWS\system32\drivers\down" directory and everything in it.
- Not all of the mentioned files and directories will exist on your system, so delete what you find.
- You can also edit the Windows registry from Knoppix with an offline hive editor such as chntpw's reged (if your Knoppix image includes it). Note that the HKEY_CURRENT_USER keys below live in the NTUSER.DAT file of each user's profile, so check every account on the PC. Delete the following values:
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
  "drvsyskit"="C:\WINDOWS\system32\drivers\hldrrr.exe"
  "german.exe"="C:\WINDOWS\system32\wintems.exe"
- Just in case, search the whole registry for "hldrrr" and "wintems" as well, in case you missed something. Delete what you find.
- Install Spybot and do a full scan. Let it fix whatever it finds.
- Reinstall your antivirus and do another system scan. It did not stop the infection, but it may well find leftovers now that the virus is not running.
- Use Notepad to open C:\WINDOWS\system32\drivers\etc\hosts. If you see many lines of the form 127.0.0.1 followed by some unknown host name, select all, delete it and save the empty file (the only entry Windows actually needs is "127.0.0.1 localhost"). When trying to save you may get an "Access Denied" error. Download KillBox, run it, point it to the C:\WINDOWS\system32\drivers\etc\hosts file and tell it to delete the file. Then use Notepad to create an empty "hosts" file in its place (no .txt extension, please). If you are still booted into Knoppix with the drive mounted read-write, it is easier to fix the hosts file there, before Windows has a chance to lock it. Next time you reboot, check this file one more time: if it's full of garbage as before, then you still have a virus that keeps repopulating the hosts file.
- It would be ideal if you could scan your Windows drive by connecting it to another computer via an external USB enclosure or something like that. This way the antivirus can do its job unhindered by the virus. This is really the best way to get rid of a virus. Get an external disk enclosure and find a good friend with an up-to-date antivirus and Spybot; just don't run anything from the infected drive on the clean machine.
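The offline part of the procedure above (mounting the drive from Knoppix, deleting the listed Bagle components, and emptying the hijacked hosts file) as one script. This is an added example, not from the original post, and it is not a vendor tool. It assumes the Windows partition is /dev/sda1, that it is mounted at /mnt/windows, that the Windows directory is named WINDOWS, and that the Knoppix image includes ntfs-3g; the hosts lines referred to in the comments are constructed for illustration, not captured from a real infection.

```shell
#!/bin/sh
# Added example, not from the original post: offline Bagle cleanup run from a
# Knoppix live CD with the Windows volume mounted read-write through ntfs-3g.
# Assumptions (change for your machine): the Windows partition is /dev/sda1,
# it is mounted at /mnt/windows, and the Windows directory is named WINDOWS.

# Components the post tells you to delete, relative to the mount point.
# Not every infected system has all of them.
BAGLE_PATHS="WINDOWS/system32/drivers/hldrrr.exe
WINDOWS/system32/wintems.exe
WINDOWS/system32/mdelk.exe
WINDOWS/system32/drivers/srosa.sys
WINDOWS/system32/drivers/down"

# mount_windows DEVICE MOUNTPOINT: mount the NTFS volume read-write.
# Knoppix mounts NTFS read-only by default; ntfs-3g gives safe write access.
mount_windows() {
  mkdir -p "$2" && ntfs-3g "$1" "$2" -o rw
}

# remove_bagle_files ROOT: delete each known component found under ROOT and
# print how many were removed. Nothing is executing from the disk at this
# point, so the files cannot defend themselves the way they do under Windows.
remove_bagle_files() {
  root="$1"; count=0
  for p in $BAGLE_PATHS; do
    if [ -e "$root/$p" ]; then
      rm -rf "$root/$p"
      echo "removed $p" >&2
      count=$((count + 1))
    fi
  done
  echo "$count"
}

# clean_hosts FILE: rewrite the hosts file in place, keeping comments, blank
# lines, genuine localhost entries and any non-loopback lines, and dropping
# every other line that points a name at 127.0.0.1, 0.0.0.0 or ::1 (the
# pattern the post describes, e.g. "127.0.0.1 www.example-av-vendor.test",
# a constructed sample). Prints the number of lines dropped. Windows CRLF
# line endings are preserved on the lines that are kept.
clean_hosts() {
  hosts="$1"; tmp="$hosts.clean"; dropped=0
  : >"$tmp"
  set -f                                  # no globbing while splitting fields
  while IFS= read -r line || [ -n "$line" ]; do
    stripped=$(printf '%s' "$line" | tr -d '\r')
    set -- $stripped                      # $1 = address, $2 = first host name
    addr=${1:-}; name=${2:-}
    case "$addr" in
      ''|'#'*) printf '%s\n' "$line" >>"$tmp"; continue ;;
    esac
    case "$addr" in
      127.0.0.1|0.0.0.0|::1)
        case "$name" in
          localhost|localhost.localdomain) ;;
          *) dropped=$((dropped + 1)); continue ;;
        esac ;;
    esac
    printf '%s\n' "$line" >>"$tmp"
  done <"$hosts"
  set +f
  mv "$tmp" "$hosts"
  echo "$dropped"
}

# Usage from a Knoppix root shell:  sh bagle-clean.sh /dev/sda1 /mnt/windows
# With no arguments the functions are only defined, so the file can be sourced.
if [ "$#" -eq 2 ]; then
  mount_windows "$1" "$2" || exit 1
  echo "components removed: $(remove_bagle_files "$2")"
  echo "hosts lines dropped: $(clean_hosts "$2/WINDOWS/system32/drivers/etc/hosts")"
  umount "$2"
fi
```

Check the result with cat before unmounting: anything that survived in hosts is either a comment, a localhost entry, or a non-loopback line you presumably added yourself. Registry values still have to be removed separately, as described in the list above.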
Wireless card not working
It is true: Bagle takes control of your wireless card away from Windows. It does so by disabling the NDISUIO protocol driver (NDIS User Mode I/O), which the WZC (Wireless Zero Configuration) service depends on, so WZC can no longer start.
- To fix this little problem, go to Start –> Run –> services.msc –> try to start WZC.
- If it fails to start with error 1068 ("the dependency service or group failed to start"), go to Start –> Run –> regedit –> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Ndisuio –> make sure the Start value is set to 1, 2, or 3 (3, manual start, is the default); it doesn't matter which as long as it is not 4, which means disabled.
- Reboot your PC, go to services.msc again and check if WZC is running.
- If it isn't, try to start it manually. If it is, but you still can't see any available wireless networks, you will need to reinstall your wireless card driver.
- Make sure you have the original manufacturer driver or setup file for your network card. Go to Control Panel –> System –> Hardware –> Device Manager and under Network Adapters delete your wireless device.
- Reinstall the device using the original driver. Reboot your PC and recreate network configuration (if you are not using DHCP).
How antivirus makers rip you off
Bagle is usually labelled a "trojan". Strictly speaking the two terms are not the same thing: a virus or worm self-replicates, while a trojan poses as something harmless and does not spread on its own. Bagle does both, mass-mailing itself and dropping a hidden backdoor payload. From the point of view of the person whose PC is infected, though, the distinction makes no difference whatsoever, and the antivirus industry has found a convenient use for it. Why? It's really simple.
Say you parted with fifty hard-earned bucks and purchased antivirus software. A week later your computer got infected with Bagle, even though your AV program was installed, updated and fully functional. So you get understandably annoyed and call the antivirus maker. Once they get a general idea of what happened to your PC, they tell you: "Oh, well, this is not a virus, it is a trojan! That's why our software didn't catch it." Unfortunately this bogus excuse is enough to convince most users.
Antivirus makers make much more money than all virus creators put together. So on one side you are being robbed by the hackers and on the other – by the antivirus industry. The antivirus makers don’t really lie to you: they will never tell you that their software will keep your computer 100% secure. They will readily admit that some viruses may slip through. This is like buying an umbrella full of holes: it will block some of the rain, but what’s the point if you are going to get wet anyway?
The sad truth is that the hackers who write these viruses are far more experienced and more talented than the programmers who write antivirus applications. Hackers do this for fun and for good money. For them it's a form of self-expression, a way to show off their skills. The antivirus industry, on the other hand, attracts mediocre programmers with average salaries and the boring job of tracking down and cataloguing code written by someone much more talented.
Very talented; the best article concerning "hldrrr.exe" problems, as far as I could find.
I had managed to un-Bagle myself, but was still suffering from lack of wireless on my laptop. Thank you for the concise and accurate instructions for altering the registry key to allow WZC to restart. Very helpful page; my thanks to you.
Thanks for the well-written and useful post. The best article about the issue, by far. How come it's so far back in the "bagle" search in Google? The world is full of idiots… BTW, SUPERantiSpyware seems the best tool for dealing with this; just uncheck the direct kernel file access, or it will bagle-crash.
Interesting research! But I used to apply reliable anti-virus software, http://www.search-and-destroy.com. It fights computer viruses and spyware approaches.
Choosing antivirus software is such a difficult job. I have a suggestion for you guys: use http://www.search-and-destroy.com and see the result; you will find it the best software. Thank You
Thanks for this posting. It describes exactly my struggle to get rid of BAGLE. Extra inconveniences on my PC were: the McAfee virus scanner is still not installable (framework errors), System Recovery was disabled, booting in Safe Mode gave a BSOD with 0x..7b, and system/hidden files could not be seen. Greatis freeware rootkit killer and Google helped me solve everything.
Reinstalling XP doesn't give me satisfaction.
Thank You
I suggest you use reginout to have this issue sorted out… reginout is one of the best registry cleaners that take care of rootkit problems: http://www.reginout.com. Also make sure you have your system tuned up by computer experts; consider using Geeks Mobile USA services, they are quite reasonable: http://www.losangeles-computer-repair.net/
This is a simple one step solution that Bagle didn’t know about when I had it:
http://www.zonavirus.com/descargas/elibagla.asp
(It's in Spanish; have Google Translate on the go!)
Thanks for this. The Bagle rootkit is a pretty big problem which even the most advanced of systems might struggle to protect themselves against.
I suggest you use regtweaker to have this issue sorted out… regtweaker is one of the best registry cleaners that take care of rootkit problems and clean junk files, optimize the internet and optimize the system: http://www.regtweaker.com/download.php. Also make sure you have your system tuned up by computer experts.
Very, very nice post; keep them coming~
Bagle and the Vundos are some of the most common viruses I run across. Thanks for the helpful tips on dealing with them. The level of sophistication of some of these viruses is astonishing compared to just a few years ago. Here’s to eradicating (or at least limiting) them!
I have recently become aware of a software called combofix which seems to do a fairly good job of removing rootkits. I don’t think it is a very feasible program to run remotely, although I have had good success with using while onsite at my client’s offices.
The registry cleaner tool will scan the Windows registry for various invalid entries. Each entry is shown after the scan with the possibility to clean it up. By default a backup of the Registry will be created before any cleaning takes place. It is furthermore possible to schedule regular Registry cleanups or restore a previously created Registry backup.
The disk cleaner is a basic tool that will scan the hard drives of the computer for temporary or duplicate entries giving the user the options to delete those files from the disk. It is nowhere as extensive as tools like CCleaner offer but it covers the most widely used temporary locations.
4 days ago my computer became slower and I have not been able to stay connected to the applications server on facebook. What is the problem?
I need an antivirus application which must be effective, especially for viruses… so give me the name of an app that can delete my phone's viruses.
I have the Free Personal Edition of Avira as my antivirus software and another piece of software for spyware, so I'm sure that I'm not just safe from viruses but also from other threats. Is there any problem that I might encounter in having parallel antivirus software? I just found there's a winsock32.dll running, which, as I researched, is a virus, so I deleted it. I was wondering if having 2 antivirus programs caused this virus to be undetected. Thanks to anyone who answers!
So I am getting a new MacBook pro for college and my school requires that I run an antivirus program. They supply a program called McAfee virusscan for Mac 9.0 or you can get your own program. I was curious if this is a good program or not as I currently use McAfee for windows (which I find to be decent). If this program isn’t that good does anyone have a recommendation for a better program. Thanks!
I have already downloaded Norton Antivirus, but now whenever I try and open Norton, it just fades away and never opens. I have Windows 7, and I had a downloadable version, not by the cd. So anyone that knows how to fix this, please help.