Gromer said:
Hi Friends,
I have XP Home Edition and have installed AVG a couple of months back.
Every time I scan my system, AVG detects a "Trojan Horse Agent DX"
for the file winik.sys:
C:\WINDOWS\SYSTEM32\DRIVERS\WINIK.SYS
Even after several deletes this file still exists. Is this a harmful
virus? Will my system get affected? Doesn't Fire Sentry system
guard the system against this virus? How do I remove it
permanently?
I have no idea what Fire Sentry is, but it obviously is not working.
Winik.sys (also known as Rootkit.Win32.Agent.Q by Kaspersky) removal
instructions:
The active part of this infection is winik.sys in the %windir%\system32
directory. This file hooks itself as a kernel driver and actively
monitors any attempt to disable and/or remove while the system is
active. Removal at present must be initiated 'off-line', that is with
either recovery console, a parallel install, moving the infected HD to
a clean system or using a tool such as Bart's PE. At present, although
Kaspersky (and possibly other AV vendors) will detect the presence of
this nasty, none has, as far as I know, the ability to clean it in-situ.
Detection by examining the system in safe mode is possible. In normal
mode, winik.sys stealths its presence and prevents access to the
HKLM\..\run key. In safe mode, MSCONFIG will have an entry along the
lines of
[randomname]c:\program files\[randomdirectory]\[random].exe
If you look in the reference [randomdirectory] directory you'll see a
file named cnml.exe.
To clean this nasty from the machine using recovery console do the
following:
Boot into recovery console (see
http://support.microsoft.com/?kbid=307654 for information on booting
into recovery console and if need be, how to obtain it).
At the recovery console command prompt simply enter the following:
disable winik
This will disable the kernel driver part of the infection and allow you
to do the rest of the work in safe mode.
It is very critical that you boot into safe mode for the remainder of
the clean up or you'll need to start over.
Once you've disabled the kernel driver via recovery console, boot the
machine into safe mode. You can now delete
%windir%\system32\winik.sys and c:\program files\[randomdirectory]
While still in safe mode, use regedit to delete the following:
HKLM\system\currentcontrolset\services\winik
HKLM\software\microsoft\windows\currentversion\run\[randomname] as
referenced above
HKLM\software\[randomname] and finally
HKLM\system\currentcontrolset\enum\root\legacy_winik Note that you will
need to alter the permissions on this key in order to delete it. Simply
right click, select permissions and grant user group Everyone full
control.
You can now reboot into safe mode and should be clear of this infection.
It would be smart to go through additional malware removal scanning
afterwards:
http://www.elephantboycomputers.com/page2.html#Removing_Malware
Malke
--
Elephant Boy Computers
www.elephantboycomputers.com
"Don't Panic!"
MS-MVP Windows - Shell/User
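The safe-mode part of Malke's procedure (everything after `disable winik` in the recovery console), written up as a PowerShell script. This is an added example, not code from the original thread or from Elephant Boy Computers. It assumes it is run from an administrator account in safe mode with PowerShell installed on the XP machine; the file and key names are the ones the post gives, while the [randomname] Run value and [randomdirectory] are discovered at run time by looking for a Run entry whose target directory also contains cnml.exe, as the post describes. The `Unlock-RegistryKey` helper is this example's own name for the "grant Everyone full control" step the post performs in regedit.

```powershell
# Added example: automates the safe-mode cleanup steps from the post above.
# Run ONLY after 'disable winik' in the recovery console and a reboot into
# safe mode. Assumes an administrator account; paths are from the post.
$ErrorActionPreference = 'Stop'

$driverFile = Join-Path $env:windir 'system32\drivers\winik.sys'
$runKey     = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'

# 1. Refuse to continue if the kernel driver is still loaded; while it runs
#    it hides itself and blocks access to the Run key (see the post).
$drv = Get-WmiObject Win32_SystemDriver -Filter "Name='winik'"
if ($drv -and $drv.State -eq 'Running') {
    throw 'winik.sys is still running: boot to the recovery console, run "disable winik", then boot into safe mode.'
}

# 2. Locate the [randomname] Run value: its target lives under Program Files
#    in a [randomdirectory] that also holds cnml.exe.
$run = Get-ItemProperty $runKey
$randomName = $null; $randomDir = $null
foreach ($p in $run.PSObject.Properties) {
    if ($p.Name -like 'PS*') { continue }            # skip provider metadata (PSPath etc.)
    $exe = ([string]$p.Value -replace '"', '').Trim()
    if (-not $exe) { continue }
    $dir = Split-Path $exe -Parent
    if ($dir -like "$env:ProgramFiles\*" -and (Test-Path (Join-Path $dir 'cnml.exe'))) {
        $randomName = $p.Name; $randomDir = $dir; break
    }
}
if (-not $randomName) {
    Write-Warning 'No Run entry pointing at a directory containing cnml.exe was found; check MSCONFIG by hand.'
}

# 3. Delete the driver file and the dropped program directory.
if (Test-Path $driverFile) { Remove-Item $driverFile -Force }
if ($randomDir -and (Test-Path $randomDir)) { Remove-Item $randomDir -Recurse -Force }

# 4. Delete the service key, the Run value and the HKLM\Software\[randomname] key.
Remove-Item 'HKLM:\System\CurrentControlSet\Services\winik' -Recurse -Force -ErrorAction SilentlyContinue
if ($randomName) {
    Remove-ItemProperty $runKey -Name $randomName -ErrorAction SilentlyContinue
    Remove-Item "HKLM:\Software\$randomName" -Recurse -Force -ErrorAction SilentlyContinue
}

# 5. LEGACY_WINIK under Enum\Root cannot be deleted with the default ACL, so
#    take ownership and grant Everyone Full Control first (the regedit step in
#    the post), then delete it. Helper name is this example's own.
function Unlock-RegistryKey([string]$subKey) {
    $hklm = [Microsoft.Win32.Registry]::LocalMachine
    $k = $hklm.OpenSubKey($subKey, [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree,
                          [System.Security.AccessControl.RegistryRights]::TakeOwnership)
    if (-not $k) { return $false }                    # key not present, nothing to do
    $acl = $k.GetAccessControl([System.Security.AccessControl.AccessControlSections]::None)
    $acl.SetOwner([System.Security.Principal.NTAccount]'BUILTIN\Administrators')
    $k.SetAccessControl($acl); $k.Close()

    $k = $hklm.OpenSubKey($subKey, [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree,
                          [System.Security.AccessControl.RegistryRights]::ChangePermissions)
    $acl  = $k.GetAccessControl()
    $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
                'Everyone', 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.SetAccessRule($rule)
    $k.SetAccessControl($acl); $k.Close()
    return $true
}

$legacy = 'System\CurrentControlSet\Enum\Root\LEGACY_WINIK'
try {
    if (Unlock-RegistryKey $legacy) { Remove-Item "HKLM:\$legacy" -Recurse -Force }
} catch {
    Write-Warning "Could not remove HKLM\$legacy automatically ($_). Open it in regedit, right-click, Permissions, grant Everyone Full Control, then delete it."
}
Write-Host 'Cleanup finished. Reboot into safe mode and run a full AV scan as the post recommends.'
```

The script deliberately stops if `winik` is still reported as a running system driver, because the whole procedure depends on the kernel component having been disabled off-line first; if step 5 fails on the ACL change, it falls back to telling you to do that one key by hand in regedit exactly as the post describes.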