winik.sys

Discussion in 'other security issues & news' started by JacobSteelsmith, Jan 30, 2005.

Thread Status:
Not open for further replies.
  1. JacobSteelsmith

    JacobSteelsmith Registered Member

    Joined:
    Jan 30, 2005
    Posts:
    4
    winik.sys

    01/25/2005

    New piece of spyware discovered. This piece of software is difficult to remove in that it mimics haxdoor by embedding itself into the user's system. It seems to cause popups and records users' behavior, as well as uniquely identifying the user with a generated uid.

    Indications of infection.

    Program installs a legacy driver called winik.sys which is loaded on reboot. This action allows it to run in safe mode, infecting even the administrator account on Windows XP (infected computer showed signs of infection in Administrator account when only being run in safe mode). The observer may notice the winik.sys being loaded as part of the driver list during safe mode startup. After one or two reboots into safe mode, auto start entries were added for the generated executables described below.

    winik.sys on this infected system (xp home) was found in windows\system32\drivers. The file is unique in that it has a forged Microsoft copyright for the company, but the file system verification utility lists it as not signed.

    The malware then adds one or more directories in the program files folder composed of random numbers and letters. The infected system I encountered had two. Each folder had similar items in them. Several data files and several executables as well as a copy of the winik.sys file. All of the data files and executables were named with the same random alphanumeric pattern. One folder did have a web page which was not named in the same random fashion.

    The folders were unable to be moved or deleted in real or safe mode. The executables were not able to be renamed, moved or deleted. I had to use a windows cd to boot to the recovery console to remove the directories.

    The malware adds several registry entries. Auto start entries for the generated executables are added by the legacy driver. In hklm/localmachine/software there are entries for the random directories. These registry folders contain keys with settings for the popups, userid and other program settings.

    The legacy driver key is added in one or more control sets. A search of the registry for winik found these entries.

    If the winik.sys in the windows\system32\drivers directory is renamed and the copy in one or more generated folders is renamed, the program seems to cease working. This may be contingent on the other programs that auto start being disabled.

    Jacob Steelsmith
     
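    A read-only triage script that checks a system for the indicators listed in the post above (the driver file in system32\drivers and whether it carries a valid signature, randomly named Program Files folders holding their own copy of winik.sys, the legacy driver keys in each control set, and the exeFile value that post #9 mentions). It is an added example, not something posted in the thread. The 8-character folder-name pattern, the LEGACY_WINIK and Services\winik key names, and the location of the exeFile value under HKLM\SOFTWARE are assumptions drawn from the posts; it reports findings and changes nothing.

```powershell
# Added triage script (not from the thread). Assumptions: 8-char lowercase folder names
# (the thread's examples are wvpsxtwv and wpqrxxrs), LEGACY_WINIK / Services\winik key
# names, and an exeFile value directly under HKLM\SOFTWARE subkeys. Read-only.
$findings = @()

# 1. Legacy driver file in system32\drivers; the post says it is unsigned despite a
#    Microsoft copyright string, so report the Authenticode status next to it.
$drv = Join-Path $env:SystemRoot 'System32\drivers\winik.sys'
if (Test-Path $drv) {
    $sig = Get-AuthenticodeSignature -FilePath $drv
    $findings += "driver present: $drv (signature: $($sig.Status))"
}

# 2. Random-looking directories under Program Files that hold a copy of winik.sys.
$roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ -and (Test-Path $_) }
foreach ($root in $roots) {
    Get-ChildItem -Path $root -Directory -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match '^[a-z0-9]{8}$' } |
        ForEach-Object {
            $copy = Join-Path $_.FullName 'winik.sys'
            if (Test-Path $copy) { $findings += "driver copy in suspicious folder: $copy" }
        }
}

# 3. Legacy driver enumeration key and service entry, checked in every control set.
Get-ChildItem 'HKLM:\SYSTEM' -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -like 'ControlSet*' } |
    ForEach-Object {
        $cs = $_.PSPath
        foreach ($key in @("$cs\Enum\Root\LEGACY_WINIK", "$cs\Services\winik")) {
            if (Test-Path $key) { $findings += "registry key: $key" }
        }
    }

# 4. Software keys carrying an exeFile value (post #9 says the folder name is recorded there).
Get-ChildItem 'HKLM:\SOFTWARE' -ErrorAction SilentlyContinue | ForEach-Object {
    $exe = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).exeFile
    if ($exe) { $findings += "exeFile value in $($_.PSChildName): $exe" }
}

if ($findings.Count -eq 0) { 'No winik.sys indicators found.' } else { $findings }
```

Run it from an elevated PowerShell prompt so the registry and Program Files reads are not denied; a signature status other than Valid on a driver that claims to be Microsoft's is the finding worth following up.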
  2. LarryVan

    LarryVan Guest

    Hey Jacob,

    I too was hit by this spyware. Your info was very helpful and you were right - this was a tough one to remove.

    Fortunately I was able to remove it by booting into my Windows 2003 partition and then deleting the offending files from Windows 2000.

    Again, thanks for sharing your insight on this.

    Larry
     
  3. pnoir

    pnoir Registered Member

    Joined:
    Feb 4, 2005
    Posts:
    4
    Hi!

    I got the same spyware. It's indeed hard to remove. I have been trying everything to get it out. But finally I found this winik.sys and searched for it on Google. Then I found this thread.

    So do I have to install the recovery console, then use it and delete winik.sys ?
    What about registry entries? :S I'm kinda noobie with this kind of things.. please help me out :D thanks!


    Felipe Peña
     
  4. Lysimachus

    Lysimachus Registered Member

    Joined:
    Feb 11, 2005
    Posts:
    3
    Hi JacobSteelsmith,

    I have the same problem you had, but only to a greater and much more serious degree. For you to get a full scope on my problems regarding the "winik.sys" files (two of them!), please read everything you can in this thread:

    http://www.windowsbbs.com/showthread.php?t=41135

    Read Post#1, then jump to Post#13 and keep reading on to the next page.

    To make a long story short, there is a whole folder: C:\Program Files\wvpsxtwv that contains the deletable version of "WINIK.SYS" in caps, and the lowercase version, "winik.sys" which is not deletable in the System32/directory. Also, that one file (dyQAfwhN.dll) that was causing my IExplore.exe errors, which is NOT DELETABLE EVEN IN SAFE MODE, resides in the same "wvpsxtwv" folder that the deletable version of "WINIK.SYS" resides.

    So, can you please show me step-by-step how to nuke these files and directories? Before you give me instructions, please, if you have time, read the posts in the link above I recommended. For example, how do you boot using the windows cd into the Recovery Console? What are the exact step-by-step procedures?

    Thanks. :)
     
  5. Lysimachus

    Lysimachus Registered Member

    Joined:
    Feb 11, 2005
    Posts:
    3
    Come on guys...we need some answers here. This is a serious problem that no spyware and virus removing software has addressed! You cannot use Internet Explorer and browse efficiently, causing it to crash on various random links throughout the web. You may say "use Firefox", but I say bogus to that because you need IE to launch MSN Videos, etc.!
     
  6. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    You need to go to SpywareInfo: http://www.spywareinfoforum.com/index.php?b=1, register and follow the instructions for cleaning they'll give you, if you're infected with this. Pete
     
  7. JacobSteelsmith

    JacobSteelsmith Registered Member

    Joined:
    Jan 30, 2005
    Posts:
    4
    To delete the files in the system32 directory you'll have to use the XP CD or a Windows 2000 CD. Boot to the CD (put the CD in the tray and restart. If it does not boot to the CD, you'll have to adjust your BIOS settings). When you finally get to the options screen select "repair an installation using the recovery console." If you are using Windows 2000 DO NOT use the automated option. When you get to the recovery console (black with white writing) log onto the Windows installation. If anyone has problems doing this, post and I'll post the workaround. Once you're into the Windows installation, use "cd" to change directories. You'll want to change to the program files directory. Use the cd command to change to the directory(s) of the offending program (being the random numbers and letters in this case). Use the dir command to view the files in the directory. I can't remember, but the command "attrib -r -s -h *.*" should work (without the quotes). This will remove the read only, system and hidden attributes from all files in that directory. If not, you'll have to substitute the name of the file (i.e. winik.sys) for *.* for each file in that directory. After you do that, use "del *.*" to delete all the files. Again, you may have to do it one by one.

    Use cd.. to navigate to the previous (upper) directory until you are at the root directory (c:\). Type cd c:\windows\system32\drivers or navigate to it one directory at a time. Use "attrib -r -s -h winik.sys" to remove the file attributes, then use "rename winik.sys winik.sys.bad" to rename that file so it can't be loaded. Be extra careful with sys files. If the system doesn't boot you can go back and name it back, but it should.

    To clean the registry, click on Start and Run. Type regedit. Click on My Computer. Click Edit and Find... and type in winik. It will stop on the folder containing the legacy driver info for winik.sys. It will say LEGACY_WINIK or something to that effect. The folder could be named that, or if you look in the right pane the keys could reference the file. Right click on the folder that contains that info and click on Export. Type winik.sys.bak in the Save As and save it in your My Docs folder. Then right click on the folder and click Delete. Click on Edit and repeat the process, but don't overwrite the previous reg backup with new ones (pick different names or add a number). There should only be one.

    Reboot. If you have issues, reboot into safe mode and double click on the backups you created from regedit. It will ask you if you want to merge the info; click Yes. This will restore the configuration. You can also click on Restore Last Known Good at M$'s apology screen.

    Good luck and I hope you don't mess the computer up. :)
     
  8. Lysimachus

    Lysimachus Registered Member

    Joined:
    Feb 11, 2005
    Posts:
    3
    Wow...thank you thank you Jacob....I'll definitely consider giving it a try. But is there not an easier way to delete these files? Is there any other easier way whatsoever?

    I thought that HiJackThis - v 1.99.0 can delete files on reboot. Can I not try this method? The option on HiJackThis is there, and shows as:

    "Delete a file on reboot..." -- button, "If a file cannot be removed from memory, windows can be setup to delete it when the system is restarted."--description. Then you browse, select file you wish to delete, and restart. Wouldn't this do the same thing? The whole reason you can't delete the winik.sys file is because it is in current memory anyway, right?

    WindowsBBS.com strongly suggests HiJackThis for situations like this.
     
  9. phs1965be

    phs1965be Registered Member

    Joined:
    Feb 12, 2005
    Posts:
    1
    I confirm that this method does work if you delete all the files in the directory where the files are located (in my case it was c:\program files\wpqrxxrs). To find the name of the directory you need to delete, open the registry editor and make a search on 'WinIk', then note the name of the directory in the exeFile key. Using the Delete File on Reboot option of HiJackThis, locate the directory with the randomized name you found in your search for WinIk in your registry and select the files you want to delete. Do not answer Yes at the first restart prompt of HiJackThis if you want to delete several files at the first restart of Windows. In my case, I selected the DLL and EXE files first.

    When Windows restarts, HiJackThis will delete the incriminated files before they start loading in memory and you will then be able again to delete the remaining directory and all its content. Don't forget to clean up your registry after that...

    Hope this helps. :)

    Phil
     
  10. pnoir

    pnoir Registered Member

    Joined:
    Feb 4, 2005
    Posts:
    4
    Hey mates, I get Access Denied when I try to get into programfiles directory. How can I enter there?! :S
     
  11. JacobSteelsmith

    JacobSteelsmith Registered Member

    Joined:
    Jan 30, 2005
    Posts:
    4
    Nice Phil. I think killbox will do the same thing. I'm just partial to the command line ease and destructive nature of the windows cd :)

     
  12. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    pnoir - your post has been removed. Vulgarity will not be tolerated on this board.

    ===

    A note to others - as mentioned by spy1 in post #6, going to one of the forums that offer HijackThis review by an experienced spyware removal expert is the best course of action to take when one believes they may be infected with spyware. Following unknown members' instructions is not advised, as no one system is the same, nor is one variant of infection for that matter.

    As we no longer provide HijackThis analysis here at wilders, you can find a list of sites that do offer this type of cleaning service in this link: http://a-sap.org/

    Two of the bigger forums for HijackThis log processing, (meaning they process more log threads each day than many others) are: SpywareInfo.com and CastleCops.com.

    Regards,

    snap
     
  13. pnoir

    pnoir Registered Member

    Joined:
    Feb 4, 2005
    Posts:
    4
     
    Last edited by a moderator: Feb 21, 2005
  14. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,740
    Location:
    Texas
    pnoir

    Snapdragon made a suggestion. It takes time to get questions answered. Your patience is needed. No need to get mad at people trying to help.

    Please read the Terms of Service
     
  15. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,740
    Location:
    Texas
    Post a log, as suggested, at one of the forums listed at ASAP.

    If you want your log reviewed, you'll need to pick a site and read their spyware scanning and cleaning (HijackThis posting) guidelines, following all their required steps carefully, and then posting as directed.

    Thread is closed
     
    Last edited: Feb 21, 2005