Symptoms
1. The presence of WLCtrl32.dll (or WinNT32.dll) in the %SYSDIR% folder and the following values under the registry key
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WLCtrl32:
DLLName = WLCtrl32.dll
StartShell = WLEventStartShell
Impersonate = 0
Asynchronous = 0
2. The presence of a driver file with a random name in %SYSDIR%\drivers; the name has the format <capital_letter><two_lowercase_letters><two_digits>.sys (for example Lxt61.sys), together with the following registry values:
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lxt61.sys @= "Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Lxt61.sys @= "Driver"
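A read-only check for the indicators listed above, written as an added example that is not part of the original advisory. It looks for the Winlogon Notify subkey and its values, the two DLL names in %SYSDIR%, and SafeBoot entries or driver files whose name matches the random-name pattern. The registry paths, value names and name pattern come from the Symptoms section; the $SysDir default, the case-sensitive matching and the output layout are assumptions. Because the driver name is random, a pattern match is a lead to confirm by hand, so the script reports and never deletes anything.

```powershell
# Added detection check (not the advisory's own code). Assumes the key paths,
# value names and file-name pattern from the Symptoms section; $SysDir assumes
# a standard %SystemRoot%\System32 install.
param(
    [string]$SysDir = "$env:SystemRoot\System32"
)

$findings = @()

# Symptom 1: Winlogon notification package registered under Notify\WLCtrl32
$notifyKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WLCtrl32'
if (Test-Path $notifyKey) {
    $props = Get-ItemProperty -Path $notifyKey
    $findings += [pscustomobject]@{
        Indicator = 'Winlogon Notify key'
        Location  = $notifyKey
        Detail    = "DLLName=$($props.DLLName); StartShell=$($props.StartShell)"
    }
}

# Symptom 1: either DLL name the advisory lists, present in %SYSDIR%
foreach ($dll in 'WLCtrl32.dll', 'WinNT32.dll') {
    $path = Join-Path $SysDir $dll
    if (Test-Path $path) {
        $findings += [pscustomobject]@{
            Indicator = 'Notify DLL on disk'
            Location  = $path
            Detail    = "size=$((Get-Item $path).Length) bytes"
        }
    }
}

# Symptom 2: <capital_letter><two_lowercase_letters><two_digits>.sys
# -cmatch is used because the pattern distinguishes upper from lower case.
$driverPattern = '^[A-Z][a-z]{2}[0-9]{2}\.sys$'

foreach ($profile in 'Minimal', 'Network') {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\$profile"
    if (-not (Test-Path $key)) { continue }
    Get-ChildItem -Path $key |
        Where-Object { $_.PSChildName -cmatch $driverPattern } |
        ForEach-Object {
            # The advisory reports the key's default value as "Driver"
            $default = (Get-ItemProperty -Path $_.PSPath).'(default)'
            $findings += [pscustomobject]@{
                Indicator = "SafeBoot\$profile entry"
                Location  = $_.PSPath
                Detail    = "default value=$default"
            }
        }
}

# Symptom 2: a driver file with the same naming pattern in %SYSDIR%\drivers
Get-ChildItem -Path (Join-Path $SysDir 'drivers') -Filter '*.sys' -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -cmatch $driverPattern } |
    ForEach-Object {
        $findings += [pscustomobject]@{
            Indicator = 'Driver file on disk'
            Location  = $_.FullName
            Detail    = "modified=$($_.LastWriteTime)"
        }
    }

if ($findings.Count -eq 0) {
    Write-Output 'No indicators from the advisory were found.'
} else {
    $findings | Format-Table -AutoSize
}
```

Run it from an elevated PowerShell prompt; the SafeBoot keys and %SYSDIR% are readable without elevation, but a consistent elevated context avoids partial results. Winlogon notification packages are loaded by winlogon.exe at boot, which is why the removal steps below have you delete the files from a separate boot before removing the registry key.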
Removal instructions:
1. Disable System Restore if running Windows XP.
2. Reboot your system as described here:
http://forum.bitdefender.com/index.php?showtopic=1054 and delete the infected files using the following commands:
del %SYSDIR%\WLCtrl32.dll
del %SYSDIR%\drivers\<random_name>.sys
Then reboot your system and delete the following registry keys using regedit as described here:
http://forum.bitdefender.com/index.php?showtopic=5435 (section Regedit)
- HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WLCtrl32
- HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ - delete the key <random_name>.sys
- HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\ - delete the key <random_name>.sys
Analyzed By
Dana Stanut, virus researcher