Gusano Bagel

It would, of course, have been far easier to reformat my hard drive.

The problem seems to be a bagel variant and has something to do with files named
C:\WINDOWS\system32\drivers\hidr.exe
C:\WINDOWS\system32\drivers\srosa.sys
and possibly an infected NETWAITING.EXE file.

I have tried multiple rootkit detection and removal programs with varying degrees of success.

McAfee Security Center says that no parts of my McAfee software are enabled. It says that parts of the software are missing and I have to reinstall.

McAfee Rootkit Detective 1.1 flagged hidr.sys and said it would remove it, but it didn’t.

F-Secure Online Virus Scanner is unable to download all its files – I suspect the bug is blocking them. Their Blacklight program has been integrated into the new scanner. Oh well.

AVG Free won’t install – it can’t find one of its installation files – I assume the malware is deleting it. AVG is my number one favorite free antivirus program.

Panda Anti-rootkit, available from Download.com, found the files and renamed one of them, but the problem came back next boot. Panda offers a number of free tools too, including an online scanner called ActiveScan and a beta online scanner named nano-scan. The big thing they offer is repair utilities for specific infections.

EliBagle v10.75 located the files and a registry entry. I rebooted in safe mode. I deleted the files. I deleted the registry entry. And just to be certain, I deleted the preload file for hidr.exe.

At this point IE is no longer going out to strange web sites. I can only hope that it was unable to download something even worse while McAfee was down.

My McAfee subscription is still active, but I haven’t decided whether to reinstall or to switch to something cheaper and just as useless.

2 Responses to Gusano Bagel

  1. Hi, I had nearly the same problem two days ago with the Bagel.ii downloader.
    It took me a whole day to figure out a solution.
    Symptoms:
    – Norton Antivirus crashes
    – Google Toolbar produces strange messages
    – Installing any antivirus product (Norton/Kaspersky/Panda) does not work
    – No visible strange process
    – Safe mode does not work
    Working Solution:
    Boot Windows from the disk into the recovery shell
    Delete the following files:
    Windows/System32/mdelk.exe
    Windows/System32/drivers/hldrrr.exe
    Windows/System32/drivers/wintems.exe
    Windows/System32/drivers/srosa.sys
    Windows/System32/drivers/down/*

    If you use Google Toolbar, delete googleToolbarNotifier.exe
    Delete all antivirus installations (this trojan replaces the main antivirus executable, so if you don't remove it, when you restart it loads the virus instead of the antivirus :( )

    Reboot the computer in Directory recovery mode – this mode, unlike safe mode, works. If you have registry recovery, reset the registry to a date before the infection to enable safe mode. If not, you lose safe mode and have to do hard work to recover it.

    In safe or directory recovery mode, install the Kaspersky trial or any other good and recently updated antivirus. Perform a full scan and remove all ***. Hopefully you did it :)

    I hope this can help anyone with the same problem
    -Dmitry

  2. Hey, Dmitry. It looks as if what you got is very similar. The file srosa.exe didn’t show up in a Google search until several days after I posted it originally.
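The post's removal steps (delete the files, the registry entry and the preload file from safe mode) and Dmitry's recovery-shell file list describe the same manual sweep. The script below is an added example, not code from the post, from Dmitry or from any of the vendors named: it collects the indicator paths listed on this page into one check, reports what is present, and deletes only when asked. Its assumptions, which the page does not state, are that the "preload file" is the Windows Prefetch entry for hidr.exe, that a loaded .sys is registered under HKLM\SYSTEM\CurrentControlSet\Services\<name>, and that a Run-key reference to any of the names is worth flagging. The machines in the thread ran Windows XP, where PowerShell is not installed by default; the same file checks can be done with dir/del in the Recovery Console, and this script is written for a current PowerShell.

```powershell
# Added example (not from the post or the comments): sweep a Windows system for the
# Bagle-variant indicator files named on this page, report them, and optionally remove them.
# Run from an elevated PowerShell, ideally in safe mode or from an offline boot environment.
param(
    [switch]$Remove,                       # actually delete what is found
    [string]$WinDir = $env:SystemRoot      # point at a mounted offline volume, e.g. 'D:\WINDOWS'
)

$sys32 = Join-Path $WinDir 'system32'

# File paths exactly as listed in the post and in Dmitry's comment.
$iocFiles = @(
    (Join-Path $sys32 'drivers\hidr.exe'),
    (Join-Path $sys32 'drivers\srosa.sys'),
    (Join-Path $sys32 'mdelk.exe'),
    (Join-Path $sys32 'drivers\hldrrr.exe'),
    (Join-Path $sys32 'drivers\wintems.exe')
)
$iocDirs  = @( (Join-Path $sys32 'drivers\down') )   # Dmitry: drivers/down/*
$iocNames = @('hidr', 'srosa', 'mdelk', 'hldrrr', 'wintems')

$found = New-Object System.Collections.Generic.List[string]

foreach ($f in $iocFiles) { if (Test-Path -LiteralPath $f -PathType Leaf)      { $found.Add($f) } }
foreach ($d in $iocDirs)  { if (Test-Path -LiteralPath $d -PathType Container) { $found.Add($d) } }

# Assumption: the "preload file" the post deletes is the Prefetch entry (e.g. HIDR.EXE-xxxxxxxx.pf).
$prefetch = Join-Path $WinDir 'Prefetch'
if (Test-Path -LiteralPath $prefetch) {
    Get-ChildItem -LiteralPath $prefetch -Filter '*.pf' -ErrorAction SilentlyContinue |
        Where-Object { $name = $_.Name; ($iocNames | Where-Object { $name -like "$($_).EXE-*" }) } |
        ForEach-Object { $found.Add($_.FullName) }
}

# Registry persistence is only checked on the live system (the hives of the machine running this).
# Assumption: a loaded .sys is registered under Services\<name>; the post only says "a registry entry".
if ($WinDir -eq $env:SystemRoot) {
    foreach ($n in $iocNames) {
        $svc = "HKLM:\SYSTEM\CurrentControlSet\Services\$n"
        if (Test-Path -LiteralPath $svc) { Write-Warning "driver/service key present: $svc" }
    }
    $runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    foreach ($k in $runKeys) {
        if (-not (Test-Path -LiteralPath $k)) { continue }
        foreach ($p in (Get-ItemProperty -LiteralPath $k).PSObject.Properties) {
            if ($p.Value -is [string] -and ($iocNames | Where-Object { $p.Value -match $_ })) {
                Write-Warning "autostart reference: $k\$($p.Name) = $($p.Value)"
            }
        }
    }
}

if ($found.Count -eq 0) { Write-Host 'No indicator files found.'; return }
$found | ForEach-Object { Write-Host "FOUND: $_" }

if ($Remove) {
    # Deletion only sticks once the driver is not loaded, which is why both posts work from
    # safe mode or the recovery shell; on a live infected system the files come back at next boot.
    foreach ($item in $found) {
        Remove-Item -LiteralPath $item -Recurse -Force -ErrorAction Continue
    }
}
```

Run it once without `-Remove` to see what is present, then again with `-Remove` from safe mode or with `-WinDir` pointed at the infected volume mounted from other boot media (the registry checks are skipped in that case, since they would need the offline hives loaded). A clean run proves only that these particular names are gone; the post's own caveat stands, that whatever was downloaded while the antivirus was disabled is not covered by this list.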
