Re: How to remove winik.sys




Gromer wrote:

> Hi Friends,
>
> I have XP Home Edition and have installed AVG a couple months back..
> Every time I scan my system, the AVG detects a "Trojan Horse Agent DX"
> for the file winik.sys..
>
> C:\WINDOWS\SYSTEM32\DRIVERS\WINIK.SYS
>
> Even after several deletes this file still exists.. is this a harmful
> virus??.. will my system get affected ??...Doesn't Fire Sentry system
> guard the system against this virus???. How do I remove it
> permanently.

I have no idea what Fire Sentry is, but it obviously is not working.

Winik.sys (also known as Rootkit.Win32.Agent.Q by Kaspersky) removal
instructions:

The active part of this infection is winik.sys in the %windir%\system32
directory. This file hooks itself as a kernel driver and actively
monitors any attempt to disable and/or remove it while the system is
active. Removal at present must be initiated 'off-line', that is with
either recovery console, a parallel install, moving the infected HD to
a clean system or using a tool such as Bart's PE. At present, although
Kaspersky (and possibly other AV vendors) will detect the presence of
this nasty, none has, as far as I know, the ability to clean it in-situ.

Detection by examining the system in safe mode is possible. In normal
mode, winik.sys stealths its presence and prevents access to the
HKLM\..\run key. In safe mode, MSCONFIG will have an entry along the
lines of

[randomname]c:\program files\[randomdirectory]\[random].exe

If you look in the referenced [randomdirectory] directory you'll see a
file named cnml.exe.

To clean this nasty from the machine using recovery console do the
following:

Boot into recovery console (see
http://support.microsoft.com/?kbid=307654 for information on booting
into recovery console and if need be, how to obtain it).

At the recovery console command prompt simply enter the following:

disable winik

This will disable the kernel driver part of the infection and allow you
to do the rest of the work in safe mode.

It is very critical that you boot into safe mode for the remainder of
the clean up or you'll need to start over.

Once you've disabled the kernel driver via recovery console, boot the
machine into safe mode. You can now delete

%windir%\system32\winik.sys and c:\program files\[randomdirectory]

While still in safe mode, use regedit to delete the following:

HKLM\system\currentcontrolset\services\winik

HKLM\software\microsoft\windows\currentversion\run\[randomname] as
referenced above

HKLM\software\[randomname] and finally

HKLM\system\currentcontrolset\enum\root\legacy_winik

Note that you will need to alter the permissions on this key in order
to delete it. Simply right click, select permissions and grant user
group Everyone full control.

You can now reboot into safe mode and should be clear of this infection.

It would be smart to go through additional malware removal scanning
afterwards:
http://www.elephantboycomputers.com/page2.html#Removing_Malware

Malke
--
Elephant Boy Computers
www.elephantboycomputers.com
"Don't Panic!"
MS-MVP Windows - Shell/User
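Added example, not part of Malke's post or the thread: a small Python script that scans a regedit .reg export (taken in safe mode, since the post says the Run key is hidden in normal mode) for the registry indicators the post names. The export text below is constructed for demonstration; the "points into Program Files" heuristic for Run entries is an assumption and will also list legitimate programs, which is why the post says to check the directory for cnml.exe.

```python
import re

# Constructed .reg export (regedit format): one winik service key, one
# Run value pointing at a random Program Files directory, the legacy enum key.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\winik]
"Type"=dword:00000001
"ImagePath"="system32\\drivers\\winik.sys"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"
"qhzr"="c:\\program files\\qhzr\\kmfe.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINIK]
"NextInstance"=dword:00000001
"""

KEY_RE = re.compile(r"^\[(.+)\]\s*$")          # [HKEY_...\path]
VAL_RE = re.compile(r'^"([^"]*)"="(.*)"\s*$')  # "name"="string data"
# Heuristic from the post: c:\program files\[randomdirectory]\[random].exe
RUN_TARGET = re.compile(r"^c:\\program files\\[^\\]+\\[^\\]+\.exe$", re.I)

# Keys the post tells you to delete; their presence is the indicator.
INDICATOR_KEYS = (
    r"hkey_local_machine\system\currentcontrolset\services\winik",
    r"hkey_local_machine\system\currentcontrolset\enum\root\legacy_winik",
)
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"


def parse_reg(text):
    """Return {key_path_lower: {value_name: data}} for string values only."""
    keys, current = {}, None
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            current = m.group(1).lower()
            keys.setdefault(current, {})
            continue
        m = VAL_RE.match(line)
        if m and current is not None:
            # .reg files escape each backslash as "\\"; undo that.
            keys[current][m.group(1)] = m.group(2).replace("\\\\", "\\")
    return keys


def find_indicators(text):
    """Return (indicator keys present, Run entries pointing into Program Files)."""
    keys = parse_reg(text)
    hits = [k for k in INDICATOR_KEYS if k in keys]
    run = keys.get(RUN_KEY, {})
    suspicious = {n: d for n, d in run.items() if RUN_TARGET.match(d)}
    return hits, suspicious


if __name__ == "__main__":
    present, run_hits = find_indicators(SAMPLE_REG)
    print("indicator keys present:", present)
    print("Run entries to inspect for cnml.exe:", run_hits)
```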


