Winik.sys (detected by Kaspersky as Rootkit.Win32.Agent.Q) removal instructions:

The active component of this infection is winik.sys in the %windir%\system32 directory. This file loads as a kernel driver and actively blocks any attempt to disable or remove it while the system is running. Removal at present must be initiated 'off-line', that is, with either the Recovery Console, a parallel install, moving the infected hard disk to a clean system, or a tool such as Bart's PE. At present, although Kaspersky (and possibly other AV vendors) will detect the presence of this nasty, none has, as far as I know, the ability to clean it in situ.

Detection by examining the system in safe mode is possible. In normal mode, winik.sys stealths its presence and prevents access to the HKLM\..\Run key, so an inspection from normal mode that finds nothing proves nothing. In safe mode, MSCONFIG will show a startup entry along the lines of

[randomname]c:\program files\[randomdirectory]\[random].exe

If you look in the referenced [randomdirectory] directory you'll see a file named cnml.exe.

To clean this nasty from the machine using the Recovery Console, do the following:

Boot into the Recovery Console (see http://support.microsoft.com/?kbid=307654 for information on booting into the Recovery Console and, if need be, how to obtain it).

At the recovery console command prompt simply enter the following:

disable winik

This sets the start type of the winik service to Disabled, so the kernel driver part of the infection will not load on the next boot, and allows you to do the rest of the work in safe mode. (listsvc at the same prompt lists the installed services and drivers with their start types, so you can confirm winik is present before and Disabled after.)

Warning: it is critical that you boot into safe mode for the remainder of the clean-up. If the machine comes up in normal mode, the driver's protection is active again and you'll need to start over.

Once you've disabled the kernel driver via the Recovery Console, boot the machine into safe mode. You can now delete

%windir%\system32\winik.sys and c:\program files\[randomdirectory]

While still in safe mode, use regedit to delete the following:

HKLM\system\currentcontrolset\services\winik

the [randomname] value under HKLM\software\microsoft\windows\currentversion\run, as referenced above

HKLM\software\[randomname] and finally

HKLM\system\currentcontrolset\enum\root\legacy_winik. Note that you will need to alter the permissions on this key in order to delete it: right-click the key, select Permissions and grant the Everyone group Full Control.
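The safe-mode detection and clean-up steps above as one PowerShell script. This is an added example, not code from the original post. It assumes an elevated PowerShell session in safe mode, run only after 'disable winik' has already been done from the Recovery Console; it finds the unknown [randomdirectory] and [randomname] by the cnml.exe marker the post describes, and it assumes (the post lists both as [randomname]) that the HKLM\software\[randomname] key carries the same name as the Run value. All key and file names are the ones given above.

```powershell
# Added example (not from the original post). Elevated PowerShell, safe mode,
# AFTER 'disable winik' has been run from the Recovery Console.
$driver    = Join-Path $env:windir 'system32\winik.sys'
$svcKey    = 'HKLM:\SYSTEM\CurrentControlSet\Services\winik'
$legacyKey = 'HKLM:\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINIK'
$runKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'

function Find-WinikRunEntries {
    # Return each Run value whose command line points into a directory that
    # contains cnml.exe (the marker the post describes). The rootkit hides
    # this key in normal mode, so an empty result there proves nothing.
    $props = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
    if (-not $props) { return @() }
    $hits = @()
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -in 'PSPath','PSParentPath','PSChildName','PSDrive','PSProvider') { continue }
        $cmd = [string]$p.Value
        # Take everything up to the first ".exe", quoted or not, so a
        # "c:\program files\..." path containing spaces survives intact.
        if ($cmd -notmatch '^"?(?<exe>.+?\.exe)') { continue }
        $dir = Split-Path -Path $Matches.exe -Parent
        if ($dir -and (Test-Path -LiteralPath (Join-Path $dir 'cnml.exe'))) {
            $hits += [pscustomobject]@{ Name = $p.Name; Command = $cmd; Directory = $dir }
        }
    }
    return $hits
}

function Test-WinikPresent {
    # Report each indicator separately so you can see what is left after clean-up.
    [pscustomobject]@{
        DriverFile = Test-Path -Path $driver
        ServiceKey = Test-Path -Path $svcKey
        LegacyKey  = Test-Path -Path $legacyKey
        RunEntries = @(Find-WinikRunEntries)
    }
}

function Grant-EveryoneFullControl {
    [CmdletBinding(SupportsShouldProcess=$true)]
    param([string]$Key)
    # LEGACY_* keys under Enum\Root are ACLed so that even administrators
    # cannot delete them outright; the post's fix is to grant Everyone Full
    # Control first. S-1-1-0 is the well-known SID for Everyone, which avoids
    # the localized group name. Set-Acl needs WRITE_DAC on the key; if that
    # is also denied, take ownership in regedit first (not covered by the post).
    $everyone = New-Object -TypeName System.Security.Principal.SecurityIdentifier -ArgumentList 'S-1-1-0'
    $ruleArgs = @($everyone, 'FullControl', 'ContainerInherit', 'None', 'Allow')
    $rule = New-Object -TypeName System.Security.AccessControl.RegistryAccessRule -ArgumentList $ruleArgs
    $acl = Get-Acl -Path $Key
    $acl.SetAccessRule($rule)
    Set-Acl -Path $Key -AclObject $acl
}

function Remove-Winik {
    [CmdletBinding(SupportsShouldProcess=$true)]
    param()
    # -WhatIf on this function propagates to every Remove-* / Set-Acl call below.
    $state = Test-WinikPresent
    foreach ($hit in $state.RunEntries) {
        Remove-ItemProperty -Path $runKey -Name $hit.Name
        Remove-Item -LiteralPath $hit.Directory -Recurse -Force
        # Assumption: HKLM\SOFTWARE\[randomname] uses the same name as the Run value.
        $swKey = "HKLM:\SOFTWARE\$($hit.Name)"
        if (Test-Path -Path $swKey) { Remove-Item -Path $swKey -Recurse }
    }
    if ($state.DriverFile) { Remove-Item -Path $driver -Force }
    if ($state.ServiceKey) { Remove-Item -Path $svcKey -Recurse }
    if ($state.LegacyKey) {
        Grant-EveryoneFullControl -Key $legacyKey
        Remove-Item -Path $legacyKey -Recurse
    }
    Test-WinikPresent   # anything still reported here needs a second look
}

Remove-Winik -WhatIf   # dry run: lists what would be deleted
# Remove-Winik         # the real clean-up
```

Do the dry run first and read its output: the one thing the script cannot tell for you is whether the directory it found via cnml.exe is really the rootkit's and not a legitimate program that happens to carry a file of that name. If Remove-Item on winik.sys fails with a sharing violation, the driver is still loaded, which means the Recovery Console step did not take and the clean-up has to start over.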

You can now reboot normally and should be clear of this infection. As a check, confirm from normal mode that %windir%\system32\winik.sys and the services\winik key are gone and that the HKLM\..\Run key is accessible again.