If you are seeing a Spyware Alert box that stats that Worm.Win32.Netsky detected on your machine, then you have become infected with a trojan that uses this Spyware Alert to trick you into purchasing Advanced Virus Remover, Antivirus 2009 or another rogue antispyware program. Once running, the trojan will display a fake Security alert as shown below:
Security alert
Security Warning!
Worm.Win32.Netsky detected on your machine.
This virus is distributed via the Internet through email and Active-x
objects.
The worm has its own smtp engine which means it gathers
emails from your local computer and re-distributes itself.
In worst cases this worm can allow attachers to access your
computer, stealing passwords and personal data.
Viruses can damage your confidential data and work on your
computer.
Continue working in unprotected mode is very dangerous.Recommendation: It is necessary to perform a system scan.
Worm.Win32.Netsky detected on your machine – Fake Spyware Alert
What is more, the troajn will also display a lot of popups, disable Windows Task Manager and change a desktop background to blue with a black window saying that you have a serious infection and need to run a spyware removal tool. However, all of these warnings are fake and supposed to scare you into thinking your computer is in danger. Use the removal guide below to remove this infections and Worm.Win32.Netsky Fake Spyware Alert from your computer for free.
Symptoms in a HijackThis Log
F2 – REG:system.ini: Shell=Explorer.exe logon.exe
F2 – REG:system.ini: UserInit=C:\WINDOWS\system32\winlogon86.exe
O4 – HKLM\..\Run: [winupdate86.exe] C:\WINDOWS\system32\winupdate86.exe
O10 – Unknown file in Winsock LSP: c:\windows\system32\winhelper86.dll
O10 – Unknown file in Winsock LSP: c:\windows\system32\winhelper86.dll
Use the following instructions to remove Worm.Win32.Netsky Fake Spyware Alert
Step 1.
Download HijackThis from here and save it to your Desktop.
If you cannot run HijackThis, then re-download it, but before saving HijackThis.exe, rename it first to explorer.exe and click Save button to save it to desktop.
Run HijackThis. Click “Do a system scan only” button. Now select the following entries by placing a tick in the left hand check box, if present:
F2 – REG:system.ini: Shell=Explorer.exe logon.exe
F2 – REG:system.ini: UserInit=C:\WINDOWS\system32\winlogon86.exe
O4 – HKLM\..\Run: [winupdate86.exe] C:\WINDOWS\system32\winupdate86.exe
Place a checkmark against each of them. Once you have selected all entries, close all running programs then click once on the “fix checked” button. Close HijackThis.
Step 2.
Download LSPFix from here and unzip it to your Desktop.
Run LSPFix. Place a tick in the “I know what i`m doing”.
In the KEEP box select winhelper86.dll and press “>>” button.
Press Finish>> button. When LSPFix is done removing the LSP you will see a summary box. Press OK.
Step 3.
Download MalwareBytes Anti-malware (MBAM). Close all programs and Windows on your computer.
Double Click mbam-setup.exe to install the application. When the installation begins, keep following the prompts in order to continue with the installation process. Do not make any changes to default settings and when the program has finished installing, make sure a checkmark is placed next to Update Malwarebytes’ Anti-Malware and Launch Malwarebytes’ Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded you will see window similar to the one below.
Malwarebytes Anti-Malware Window
Select Perform Quick Scan, then click Scan, it will start scanning your computer. This procedure can take some time, so please be patient.
When the scan is complete, click OK, then Show Results to view the results. You will see a list of infected items similar as shown below. Note: list of infected items may be different than what is shown in the image below.
Malwarebytes Anti-malware, list of infected items
Make sure that everything is checked, and click Remove Selected for start removal process. When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.
Note: if you need help with the instructions, then post your questions in our Spyware Removal forum.
The infection creates the following files and folders
c:\windows\system32\AVR10.exe
c:\windows\system32\critical_warning.html
c:\windows\system32\winhelper86.dll
c:\windows\system32\winupdate86.exe
c:\windows\system32\winlogon86.exe
The infection creates the following registry keys and values
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdate86.exe
Thank you for this – after repeatedly running AVG and Spybot on a co-worker’s computer who got the Netsky worm, THIS was what finally fixed the problem.
Now, if you just have a solution for co-workers who click on stupid *&^% in their spam folders…
I think that the trojan programmers for this worm have developed a new trick since this last posting. They are very fast. But I see in a posting on a different site that at least one other person has the same problem as me.
With a couple of variations, your above instructions worked for me up until:
\
“Once the program has loaded you will see window similar to the one below.”
I did not get the image that you have at that point. (I printed the instructions on the printer at work.)
Then I got
Setup
“Unable to execute file: c:\ProgramFiles\Malwarebytes’Anti-Malware\mbam.exe”
“CreateProcess failed; code 2.
The system cannot find the file specified.”
I will continue to search.
Help ?!?
Muy buena informacion, logre reparar el problema de mi maquina, intente quitar pormedio de nod 32 pero no resulto.
Gracias!!!
your guide worked ! your the best ! Thanks.
Cj
This thing REALLY did a number to my system. Did anyone else have to actually run Windows XP repair from their CD?
While I’m certain I have this infection, I think this may just be one amongst others I picked up last night.
Biggest nightmare I’ve had with a personal system in almost 10 years (IT background… actually previously managed system security for over 1000 employee agency in the past).
Thanks for this help!
Thank you for the guide to remove this annoying and potentially destructive mal-ware. Yr guide was the most recent and clearest procedure I could find. Well done for publishing your solution.
THANK YOU SO MUUUUCh!! You’re Genius!
Дякую за допомогу. Все супер.
thank you very much for help!!!
THANK YOU SO MUCH..I DEAL WITH THIS VIRUS ALL THE DAY..norton,mcafee,avira,kaspersky can do nothing..bullshit with them..you re the best !!
Thank you so much.. It worked well for me after trying several tricks from the internet…
“CreateProcess failed; code 2.”
Bridget, this was a fault with Malwarebytes update! Not what you want when we are fighting such a problem. Manually updating the database to the very latest version solves this problem.
You are god! I was seriously worried, the comp has some real important files in it that i was worried we were gonna lose if we formatted, a six star rating to your solution!!
Super… it worked like charm. Thanks again. Before trying this method I tried numerous, none worked & this was the quickest. Thanks a million
Thank you so much worked great. After scanning with avast i decided to try this because avast came up with nothing, I got this from a torrent (just saying)
Thank you so much. I tried to remove this shit and fix my system 2 days (comodo, ad-aware, S&D, SpyHunter3, SpyWare doctor, atc.). But just this guide definitelly helped me.
Thank you, thank you, thank you!!!!!! Very easy step by step. I thumbs up’d you on StumbleUpon.
Your guide is so clear and helpful. Thank you so much for sharing knowledge.
Thank you so much! I thought my computer was doomed. I had been downloading some stuff off a site that kept giving me popups when my anti-virus totally freaked out with warnings windows security manager started to flash warnings with a red X saying my fire wall was off. My background was changed and I couldn’t get task manager. I was certain my computer and all my precious 3D models I create were doomed to a reformat and to be lost forever. But you saved me! Thank you so much for the easy step by step guide. I will NEVER go there again.
I too became infected by the NetSky virus (XP Media Home). After much searching and trying things on my computer I was able to get to the McAfee site and update my AV software. After running the updated scan it seemed to catch the viruses and quarentine them. However, my wallpaper and sound was gone. I did a reboot but am stuck at the Login screen. As soon as I click logon to an account, it clocks for about 10 seconds then logs me off. I tried rebooting in Safe Mode, but I get a wierd blue screen with a warning message telling me to restart and run a virus scan! No other reboot method works either. Help, I’m locked in a loop!
Mike, looks like your AV is removed infected files, but did not repair Windows registry.
Boot your in Recovery console mode using installation disk. Then copy userinit.exe to winlogon86.exe, then reboot your computer.
Just got this virus yesterday. At first Windows would not boot at all, went into bios and set to start up as last good working config. It now starts up in Windows XP, is very slow but eventually shows me a bright green desktop with VIRUS WARNING screen.
So I’d love to follow all the steps above to remove, but the virus won’t allow me to access the web. So I downloaded each file from another PC and burned them to CD. But its so slow I can’t access the my computer to get to the drive.
Any suggestions? I set the bios to boot CD drive first, but thats not working either and it won’t let me start in Safe Mode.
Any help is very appreciated…
Just a quick question – I’m really nervous about running the LSPfix as the winhelper86.dll does not appear in my Keep box. There is something called winrnr.dll – should I get rid of that?
Thanks removed the worm flawlessy. Still can’t get IE to work but all system programs are now running.
IT’s now gone, but if I boot into anything but a variation of safe mode, windows explorer stops working, and I can’t load up my toolbar, plus my icons do NOT show up and my desktop backgroung is still the black one. HELP, safe mode SUCKS!
Josh, try run Windows registry editor and restore HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\Windows NT\CurrentVersion\Winlogon, UserInit
to “c:\windows\system32\userinit.exe,”
Then reboot your computer.
tara, winrnr.dll is legit Windows file. But anyway you can scan it in Virustotal site.
nick, when Windows loaded, press CTRL + ALT + DEL. Once TaskManager opens, CLick File, New Task, type explorer.exe and press Enter.
help!, I can’t find F2 – REG:system.ini: Shell=Explorer.exe logon.exe on hijackthis 🙁
I followed your steps with these results:
Hijackthis only found the bottom 2. I checked those clicked “fix checked”. LSPFix did not display winhelper86.dll so I moved on, Malwarebytes ran for 21 hours 51 minutes 48 seconds. It claimed to have scanned 3727008 objects, yet it stopped displaying different file names when it got to its own file (mbam.exe) within the first few minutes of the scan. I canceled scans and rebooted. The computer still has the virus.