If you are seeing a Spyware Alert box that stats that Worm.Win32.Netsky detected on your machine, then you have become infected with a trojan that uses this Spyware Alert to trick you into purchasing Advanced Virus Remover, Antivirus 2009 or another rogue antispyware program. Once running, the trojan will display a fake Security alert as shown below:
Security alert
Security Warning!
Worm.Win32.Netsky detected on your machine.
This virus is distributed via the Internet through email and Active-x
objects.
The worm has its own smtp engine which means it gathers
emails from your local computer and re-distributes itself.
In worst cases this worm can allow attachers to access your
computer, stealing passwords and personal data.
Viruses can damage your confidential data and work on your
computer.
Continue working in unprotected mode is very dangerous.Recommendation: It is necessary to perform a system scan.
Worm.Win32.Netsky detected on your machine – Fake Spyware Alert
What is more, the troajn will also display a lot of popups, disable Windows Task Manager and change a desktop background to blue with a black window saying that you have a serious infection and need to run a spyware removal tool. However, all of these warnings are fake and supposed to scare you into thinking your computer is in danger. Use the removal guide below to remove this infections and Worm.Win32.Netsky Fake Spyware Alert from your computer for free.
Symptoms in a HijackThis Log
F2 – REG:system.ini: Shell=Explorer.exe logon.exe
F2 – REG:system.ini: UserInit=C:\WINDOWS\system32\winlogon86.exe
O4 – HKLM\..\Run: [winupdate86.exe] C:\WINDOWS\system32\winupdate86.exe
O10 – Unknown file in Winsock LSP: c:\windows\system32\winhelper86.dll
O10 – Unknown file in Winsock LSP: c:\windows\system32\winhelper86.dll
Use the following instructions to remove Worm.Win32.Netsky Fake Spyware Alert
Step 1.
Download HijackThis from here and save it to your Desktop.
If you cannot run HijackThis, then re-download it, but before saving HijackThis.exe, rename it first to explorer.exe and click Save button to save it to desktop.
Run HijackThis. Click “Do a system scan only” button. Now select the following entries by placing a tick in the left hand check box, if present:
F2 – REG:system.ini: Shell=Explorer.exe logon.exe
F2 – REG:system.ini: UserInit=C:\WINDOWS\system32\winlogon86.exe
O4 – HKLM\..\Run: [winupdate86.exe] C:\WINDOWS\system32\winupdate86.exe
Place a checkmark against each of them. Once you have selected all entries, close all running programs then click once on the “fix checked” button. Close HijackThis.
Step 2.
Download LSPFix from here and unzip it to your Desktop.
Run LSPFix. Place a tick in the “I know what i`m doing”.
In the KEEP box select winhelper86.dll and press “>>” button.
Press Finish>> button. When LSPFix is done removing the LSP you will see a summary box. Press OK.
Step 3.
Download MalwareBytes Anti-malware (MBAM). Close all programs and Windows on your computer.
Double Click mbam-setup.exe to install the application. When the installation begins, keep following the prompts in order to continue with the installation process. Do not make any changes to default settings and when the program has finished installing, make sure a checkmark is placed next to Update Malwarebytes’ Anti-Malware and Launch Malwarebytes’ Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded you will see window similar to the one below.
Malwarebytes Anti-Malware Window
Select Perform Quick Scan, then click Scan, it will start scanning your computer. This procedure can take some time, so please be patient.
When the scan is complete, click OK, then Show Results to view the results. You will see a list of infected items similar as shown below. Note: list of infected items may be different than what is shown in the image below.
Malwarebytes Anti-malware, list of infected items
Make sure that everything is checked, and click Remove Selected for start removal process. When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.
Note: if you need help with the instructions, then post your questions in our Spyware Removal forum.
The infection creates the following files and folders
c:\windows\system32\AVR10.exe
c:\windows\system32\critical_warning.html
c:\windows\system32\winhelper86.dll
c:\windows\system32\winupdate86.exe
c:\windows\system32\winlogon86.exe
The infection creates the following registry keys and values
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdate86.exe
Patrik,
It took me a while to find the installation disk, but I followed your instructions and everything seems to be back to normal! It was a little scary to watch it re-install Windows thinking I would lose evrything, but it just overlayed what was already there. Thanks again.
Thank you so much, after spending 6 hours and various programs your solution was the only one that worked!! THANK YOU!! :OD
pat and Kurt, please ask for help in our Spyware removal forum.
Hi Bridget!
No sure if you are still looking to resolve this. I know the issue you are having. This fake alert virus immediately starts up its own .exe files on reboot. What you need to do is, ASAP once the system reboots, start the task manager ( better to right click on the Taskbar than go from Start>run>taskmgr.exe) ..
1. click on “processes”
2. sort by image name
3. terminate anything which looks like winlogon86.exe, winupdate86.exe, winupdate.exe and anything ending with sysguard.exe ( be quick on this one .. the longer you take, the chances are that your task manager and registry files access would be rendered ineffective and the alerts would start popping up)
Once these are rendered quiet, you can start up MalwareBytes and scan up. In the meantime you may go into your registry files, and C:\Windows to clean up/ delete the malicious files.
well tenks for the reply though! 😀 happy holidays 😀
Thanks alot guys , I just followed these instructions and managed to clear my virus , cant thank you enough guys
Ok, I finally was able to burn all these steps to CD and load them onto the infected laptop. Ran hijack & removed problems. Ran LSP but it didnt show I had any of the listed problem files. Ran malwarebytes (updated on the 1st) and removed 19 affected files.
Laptops no longer displays virus warning messages but still is so slow it is unusable, and still won’t let me connect to internet or start in safe mode. Any ideas ?
I the above and it has worked. However, my internet explorer is still not working (I’m typing from another computer). Any suggestions how to get this working again?
Many thanks in advance.
Josh, probably you`re still infected. Make a new topic in our Spyware removal forum. I will help you.
Craig, you have used LSPFix ? It should fix trouble with Internet access.
thanks very much for this. I did not run HijackThis or LSPFix because I could not connect to the internet on this computer, but I was able to locate and delete the infected files by running regedit, fixing the value for DisableTaskMgr from 1 to 0, then running taskmgr and ending the winupdate86 process. After that, I removed the files and folders listed in your fix, then ran MalwareBytes, which found and deleted 22 infected files/keys/values. I restarted, was able to connect to the internet, downloaded HijackThis, ran it, but didn’t find any associated entries, so hopefully this means I am clear of this nasty virus. Hope this helps those who can’t connect to the internet to download fixes. Time to renew my internet security, I certainly won’t delay renewing again.
I have, yes, although the internet is still acting up. Perhaps I possibly used the LSPFix incorrectly?
Followed literally every signle step.
Doesn’t work. Go back to school 😉
SO I TRIEDD ALL THE STEPS HERE. AND THOUGH I AM NOT GETTING THE POP-UPS ANYMORE, I STILL CANT SEEM TO OPEN UP MY TASK MANAGER….. SOMEONE HELLLP MEE!!!!
Thank you guys, the worm was successfully removed from my infected PC.
Thank you for this contribution. It seems as though it might be the only true fix I have encountered and I have been reading and researching for about six hours.
I still have it but a nastier form than what has been posted. I have this on a laptop with Verizon VZAccess. I knew there was a problem but not as bad until my usage increased at a rate I have not yet used. My browser is hijacked. I attempted a copy of the hijack and the and malware to a thumb drive only to find the error of “could not create directory”. I’m on another laptop, any input as how I can get this over to my other system? If I got to the internet on the infected lap, I go anywhere but where I direct the browser.
Thank you.
http://www.symantec.com/connect/forums/wormwin32netsky
The last comment of recent is interesting relative to the hijacking of the browser.
(Notice the site help symantec is offering, zilch).
All I have is blue screen. I can’t access the internet. I have downloaded hijackthis to a cd. I then attempted to run hijackthis using task manager. I got a popup saying that I should save hijackthis to my desktop. Unfortunately, I can’t do that using task manager. When I tried to run hijack this without saving it to desktop it froze up and wanted me to switch tasks. Any suggestions? thanks
Have been working on trying to clean my daughter’s laptop since Christmas Day. God bless you for your help. It appears that every single problem is fixed. Only wish I had tried this sooner. Thank you!
all you have to do is run a different task manager kill the winupdate86.exe then delete the 5 files reboot with a recovery disk in and repair startup back too normal
Thank you.
Thank you.
Thank you.
Thank you.
Running Windows Vista Home Basic, and picked up the “Internet Security 2010” variant of this nasty little bugger. After several days battling this sucker on and off, and fearing the outright destruction of every file I had or indeed having to format my hard drive with every digital photo we had of me, my wife, and our baby daughter, I finally came across these pages. This worked, top to tail. One small tip, though, that might help for other Windows Vista users, if not other versions: if this particular variant of the spyware puts up an error message that regedit can’t be run in safe mode, try clicking on regedit again while that error message is still on the screen. The second time, for me at least, regedit actually did run, which got me onto the first step of enabling the Task Manager again. From there, the steps as described in this guide kicked the malware’s butt. And thereby proved 100% superior than Norton Antivirus 2010 which I desperately bought trying to get rid of this annoying little toad.
Thanks a lot! Very clear and helpful. And it works! 🙂
I had to reset the internet explorer to defaults
Craig, try run WinSock XP Fix.
JJ McKenzie, try move HijackThis, LSPFix and Malwarebytes Anti-malware to infected PC using a CD or DVD disk.
keith, you can copy any file to you computer using the following:
Open task manager, new task, type cmd and press Enter.
Command console opens.
Type:
copy e:\hijackthis.exe c:\It will copy hijackthis.exe from disk e (use your CD disk name) to root of disk C.
Run Task manager, new task, type c:\hijackthis.exe and press Enter.
Worked like a charm. Quick and simple. A few tips for readers about to employ this fix.
When I ran ‘HijackThis’ REG:system.ini: Shell=Explorer.exe logon.exe did not display but the 2 other files did.
When I ran LSPFix winhelper86.dll was not there, so I did nothing.
I already had MalwareBytes (MBAM) installed but downloaded it again. Be sure to update, looks like something was added in late December.
My comp is clean now, no doubt whatsoever. Thanks so much for your article.
hello
when i loaded hijack.this,(im in safe mode)
F2 – REG:system.ini: Shell=Explorer.exe logon.exe
wasn’t there! the other two were.
i continued anyway with the lspfix, and winhelper86.dll was there, but when i run malwarebytes i still get the message
unable to execute file “CreateProcess failed; code 2. message. please help!! i dont know what to do. i think someone else had the same problem and you told them to ask for help but i cant find the page.
(i wanna shoot whoever made this stupid bug!) >:(
oh yeah, i actually got internet to work (kinda, it still blocks some websites)
and i can open task manager.
i STILL can’t get malwarebytes to run because of the code 2 message.
Patrik,
I am experiencing the following:
Whenever I log in, i get imediately logged out (all users, all boot modes)
I cannot manage to log in and thus I am unable to get to RegEdit to restore the HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\Windows NT\CurrentVersion\Winlogon, UserInit
to “c:\windows\system32\userinit.exe,”
Is there anything you know of that can be done?
Sincere thanks in advance!