Full Version: trojan rootkit.win32.agent.q
Kaspersky Lab Forum > English User Forum > Virus-related issues
Lightning
Good morning. A customer of mine has the trojan rootkit.win32.agent.q.

I used KIS beta 6.0.12.167 to clean his PC of viruses, but for this specific virus KIS detects it but does not remove it. I tried in Safe Mode also. Disinfection is impossible (since it is a trojan), but deletion is also impossible. I've searched some websites for solutions/suggestions, and the only one I found is to format the hard drive. (Anything else?)

Why doesn't KIS delete the infected files on restart? I also tried KAV 5.0, same as KIS.

I have seen KAV 5.0 delete infected files on restart before, but why not this time too?

And something else: when KAV / KIS deletes a virus from a PC, does it remove the registry keys that the virus may have created? (If not, then you (the developers) should create a utility for registry scanning to remove that kind of keys and values.)
saso
1. It seems your problem is because of the malware type (a rootkit). This kind of malware has very advanced options to hide and protect itself from antivirus programs (and any other kind of tools/programs). Most of the time AV software is not even able to detect rootkits.

As a first step you could try this little tool http://f-secure.com/blacklight/ and see if it is able to remove/disable the rootkit.

2. The suggestion to format your hard disk is the recommended way to clean your system if you find a rootkit on it. Why? The basic idea of rootkit technology itself is to hide/protect things so that the user and programs are not able to see/detect them. So a rootkit by itself basically does not do anything dangerous/malicious, so on that account there is no need for a reformat. But rootkits are used to hide other malware, and this other malware can do much damage... So a reformat is the recommended way to clean your computer, because even if you are able to detect and remove the rootkit, it is quite possible that there are several (10+, 100+ or even 1000+) other things (malware) that need to be removed before your computer is clean. But of course you can also try to clean without reformatting your system.

So for you it would be very important to get more detailed information on the exact version of your rootkit, so you know exactly what it was doing on your computer and can see how big the damage is and how easy it is to clean your computer.

3. About the cleaning of registry keys from malware: KAV 5 is not able to do this, but the new KAV 2006 (and KIS 2006) have this technology.

To sum up... you have quite a big problem (because of the rootkit), but sometimes there are simple solutions also for big problems, and some help from KL experts would be good.
Lightning
Looks like my customer has a biiiiiig problem. I'll try that from F-Secure, but I have to tell you that the F-Secure antivirus trial didn't make me feel as secure as Kaspersky does.

So if I understand what you say, even if this rootkit is removed, we can't be sure that there are no malicious parts of it remaining on the PC. Right?
OK, let's format the hard disk drive...
Lightning
saso, I tried the utility from http://f-secure.com/blacklight/ and it detects nothing. Heheheheh, I told you that Kaspersky is MUCH better than F-Secure. Kaspersky at least detects it. F-Secure didn't even detect it.

Let's format...
saso
I am not suggesting to use the F-Secure AV program, just this special anti-rootkit tool called BlackLight.

---

Yes, this is exactly what I was trying to say. As I said before, rootkits are normally used just to hide/protect other stuff. An example:

rootkitA is installed on the PC just to hide/protect trojanA, trojanB, backdoorA, backdoorB, backdoorC, keyloggerA, ...

---

The problem with a rootkit is that you never know what it was used for and what it was doing on your computer. Maybe removing the rootkit will remove all malicious parts from the computer, or maybe not; maybe 1000+ other things will remain...

So as I said before, it would be good if you were able to get some more info on what this rootkit is and what it was doing on the PC, and then you can decide whether you will remove it manually or simply reformat the system.

One more important thing to do would be to find out how this rootkit got onto the system, so that you can then prevent reinfection. A lot of rootkits are installed using exploits, so make sure the system is patched.
saso
QUOTE(Lightning @ Jun 20 2005, 04:41 PM)
saso, I tried the utility from http://f-secure.com/blacklight/ and it detects nothing. Heheheheh, I told you that Kaspersky is MUCH better than F-Secure. Kaspersky at least detects it. F-Secure didn't even detect it.

Let's format...

The way KAV and that tool detect a rootkit is very different... If you are able to reformat (if you don't lose any critical data, ...) then a reformat is good. But I would suggest you wait for a comment from a KL virus expert; maybe a reformat is not needed.
saso
One more thing before reformatting, since the #1 thing is always to protect and save the user data.

It is very important to make sure that this is not a false positive. Normally KAV does not make a lot of false positives, but you never know.

So please, if you are able, post the scan log of KAV detecting this malware, so we can see how KAV detects it, what files are detected and what the location of these files is.
Happy Bytes
That's for sure not a false positive.
This rootkit is widely spread.

It should have the name "winik.sys" by default and should be around 15 KB in size.

Cheers, Happy Bytes
Lightning
Exactly, Happy Bytes, this is it. I just hope that the security experts of Kaspersky Labs will create a really good working anti-rootkit utility or something, because the BlackLight anti-rootkit (provided by F-Secure) didn't even detect the rootkit.

I can't believe that there is a virus that cannot be removed. Viruses are human-made programs, so there must be a way to delete the virus somehow, maybe on restart or by booting with Linux discs...
(I don't know, I am just thinking.)

Maybe booting with Linux discs WITH KAV's antivirus database will solve the problem.
BUT the security experts will answer this. I am just a computer technician working with local area networks, and it's a loooooong time ago that I stopped programming.
Schouw
Try again using KAV 5.0.372 please. (Do a full system scan after the startup scan.)

If it doesn't work, please give an extract from the logfile(s) which says why KAV can't delete it.
gregj
Hi,
I got the same virus and the same problem. I tried to run the BlackLight rootkit removal tool, and it once found a hidden program: extel.exe (which must be the virus program, because I've never seen it running, can't find anything about it on the web, and it keeps using 50-80% of my CPU). The problem is that the only solution BlackLight offered me was to rename the file. Finally I didn't do anything, and now the BlackLight tool can't find the hidden program anymore...
Does this bring any clue, and can anyone bring us some help to clean this?
Thanks for the help
Bye
Lightning
QUOTE(gregj @ Jul 18 2005, 07:11 AM)
Hi,
I got the same virus and the same problem. I tried to run the BlackLight rootkit removal tool, and it once found a hidden program: extel.exe (which must be the virus program, because I've never seen it running, can't find anything about it on the web, and it keeps using 50-80% of my CPU). The problem is that the only solution BlackLight offered me was to rename the file. Finally I didn't do anything, and now the BlackLight tool can't find the hidden program anymore...
Does this bring any clue, and can anyone bring us some help to clean this?
Thanks for the help
Bye

Hehe gregj, one format per 3 months keeps the PC in good working condition.
For me the BlackLight rootkit removal tool didn't even detect the rootkit. I don't know what that extel.exe is; I had a PC with a file named winik.sys, something like that, and because of the write protection on the file, deletion was impossible. Try to remove the virus with Kaspersky Antivirus running on another PC (set the infected hard disk as slave). Maybe this can help, because the rootkit won't load itself. I didn't try it; I am not sure that this will help. Personally I chose to format the infected PC.
Lightning
Good morning. I found a way to delete that winik.sys of the rootkit, and maybe this way can help with other viruses that cannot be deleted.

I started my PC by booting from the Windows XP CD-ROM and, using the Recovery Console, I ran the command attrib -r winik.sys; after that I was finally able to delete winik from DOS with del winik.sys

After that, in Safe Mode, I ran msconfig in order to uncheck ZUgDC4xN, and I was OK after that.
Atle
Hello Lightning...

There are many out there suffering from this winik.sys.

Is it possible for you to write a description of how this file is deleted, in "detail", as if written for happy PC amateurs?

Things like "msconfig in order to uncheck ZUgDC4xN and I was OK after that..." are a bit cryptic for anyone except well-trained programmers etc. (?)

It would be nice to find a solution that is described as for "idiots", due to the fact that the operation seems a bit risky if one does not have a black belt in PC but is still only wearing a yellow belt, even after ten years of experience in the "art of fixing problems on PCs".

Please provide some info.

Best regards
Atle
Norway
Blondz
I'm a home user and I have this too. If someone has found a way to get rid of this, I need help, but written in an easy way to do this. I would be very grateful for any help.
Don Pelotas
QUOTE(Blondz @ Aug 10 2005, 12:42 AM)
I'm a home user and I have this too. If someone has found a way to get rid of this, I need help, but written in an easy way to do this. I would be very grateful for any help.

Hi Blondz & welcome

Is Kaspersky detecting it but not able to delete it, or?
Rene-gad
@Atle
QUOTE
There are many out there suffering from this winik.sys....Is it possible for you to make a description of how this file is deleted as in "details", as if written for happy PC amateurs

Please try to follow this thread.
majikguy
Here's how I got rid of winik.sys.
On bootup I hit F8 and went to Safe Mode with Command Prompt, went to C:\Windows\System32\drivers and deleted winik.sys.
Only way I found to delete it.

As for CNML.exe, I had to use Killbox to get rid of it... Hope this helps someone!
Thanks

MaJiKgUy
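The steps the thread converges on (Lightning: Recovery Console, attrib -r, del, then uncheck the startup entry in msconfig; majikguy: Safe Mode with Command Prompt, delete the file under System32\drivers) can be done in one place, and they work best the way Lightning suggested earlier, with the infected disk attached as a slave to a clean PC so the rootkit driver is never loaded and cannot hide the file. The script below is an added example, not code from any poster or from Kaspersky Lab. It assumes it is run elevated, either in Safe Mode on the infected machine or on a clean machine with the infected disk mounted (then pass -WindowsRoot, e.g. 'E:\Windows', and the script loads that disk's SOFTWARE and SYSTEM hives itself). The default names winik.sys, ZUgDC4xN, extel.exe and CNML.exe are taken from the posts above and are used only as plain string matches; they are not verified indicators.

```powershell
# Added example (not from the thread): remove a read-only rootkit driver file and
# the registry entries that start it, from Safe Mode or from a clean PC with the
# infected disk attached. Assumed: elevated session; names below are from the
# thread's posts and are string matches only.
param(
    [string]   $WindowsRoot  = 'C:\Windows',                  # e.g. 'E:\Windows' for a slave disk
    [string]   $DriverName   = 'winik.sys',
    [string[]] $SuspectNames = @('ZUgDC4xN', 'extel.exe', 'CNML.exe'),
    [switch]   $WhatIf                                        # report only, change nothing
)

$ErrorActionPreference = 'Stop'
$offline    = $WindowsRoot.TrimEnd('\') -ne $env:SystemRoot.TrimEnd('\')
$driverPath = Join-Path $WindowsRoot "System32\drivers\$DriverName"

# 1. The driver file: the Recovery Console 'attrib -r' and 'del' steps.
if (Test-Path -LiteralPath $driverPath) {
    $f = Get-Item -LiteralPath $driverPath -Force          # -Force also returns hidden files
    '{0}: {1} bytes, attributes {2}' -f $f.FullName, $f.Length, $f.Attributes
    if (($f.Attributes -band [IO.FileAttributes]::ReadOnly) -ne 0) {
        # Clear the ReadOnly bit explicitly (Remove-Item -Force would cope, but keep the step visible)
        $f.Attributes = $f.Attributes -bxor [IO.FileAttributes]::ReadOnly
    }
    Remove-Item -LiteralPath $driverPath -Force -WhatIf:$WhatIf
} else {
    "$driverPath not found. On the live system with the driver loaded it may simply be hidden."
}

# 2. The registry. On a slave disk the hives are loaded under temporary names;
#    in Safe Mode on the infected machine the live HKLM paths are used.
if ($offline) {
    $config = Join-Path $WindowsRoot 'System32\config'
    & reg.exe load 'HKLM\OffSoftware' (Join-Path $config 'SOFTWARE') | Out-Null
    if ($LASTEXITCODE) { throw 'reg load SOFTWARE failed' }
    & reg.exe load 'HKLM\OffSystem'   (Join-Path $config 'SYSTEM')   | Out-Null
    if ($LASTEXITCODE) { throw 'reg load SYSTEM failed' }
    $software = 'HKLM:\OffSoftware'; $system = 'HKLM:\OffSystem'
} else {
    $software = 'HKLM:\SOFTWARE';    $system = 'HKLM:\SYSTEM'
}

try {
    # 2a. A kernel driver is started from a Services key, not from a Run key.
    $current  = (Get-ItemProperty "$system\Select").Current
    $services = '{0}\ControlSet{1:D3}\Services' -f $system, $current
    Get-ChildItem $services -ErrorAction SilentlyContinue | ForEach-Object {
        $p = Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue
        if ($p.ImagePath -and $p.ImagePath -like "*$DriverName*") {
            'service {0}: ImagePath={1} Start={2}' -f $_.PSChildName, $p.ImagePath, $p.Start
            Remove-Item $_.PSPath -Recurse -Force -WhatIf:$WhatIf
        }
    }

    # 2b. The HKLM part of what msconfig's Startup tab shows. Per-user Run keys
    #     (in each NTUSER.DAT) and the Startup folders are not covered here.
    $meta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    foreach ($key in 'Run', 'RunOnce') {
        $path = "$software\Microsoft\Windows\CurrentVersion\$key"
        if (-not (Test-Path $path)) { continue }
        $props = Get-ItemProperty $path
        foreach ($name in $props.PSObject.Properties.Name) {
            if ($name -in $meta) { continue }                 # provider metadata, not registry values
            $value = [string]$props.$name
            $hit = $SuspectNames | Where-Object { $name -like "*$_*" -or $value -like "*$_*" }
            if ($hit) {
                'autostart {0}\{1} = {2}' -f $key, $name, $value
                Remove-ItemProperty -Path $path -Name $name -WhatIf:$WhatIf
            }
        }
    }
}
finally {
    if ($offline) {
        & reg.exe unload 'HKLM\OffSoftware' | Out-Null
        & reg.exe unload 'HKLM\OffSystem'   | Out-Null
    }
}
```

Run it first with -WhatIf to see what it would delete, and with -WindowsRoot 'E:\Windows' (or whatever letter the slave disk got) when working from a clean PC. It removes only what it matches; saso's point earlier in the thread still applies, namely that the rootkit may have been hiding other malware, so a full scan of the disk, or a reinstall, is still the safer finish.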