If you are seeing a Spyware Alert box that stats that Worm.Win32.Netsky detected on your machine, then you have become infected with a trojan that uses this Spyware Alert to trick you into purchasing Advanced Virus Remover, Antivirus 2009 or another rogue antispyware program. Once running, the trojan will display a fake Security alert as shown below:
Security alert
Security Warning!
Worm.Win32.Netsky detected on your machine.
This virus is distributed via the Internet through email and Active-x
objects.
The worm has its own smtp engine which means it gathers
emails from your local computer and re-distributes itself.
In worst cases this worm can allow attachers to access your
computer, stealing passwords and personal data.
Viruses can damage your confidential data and work on your
computer.
Continue working in unprotected mode is very dangerous.Recommendation: It is necessary to perform a system scan.
Worm.Win32.Netsky detected on your machine – Fake Spyware Alert
What is more, the troajn will also display a lot of popups, disable Windows Task Manager and change a desktop background to blue with a black window saying that you have a serious infection and need to run a spyware removal tool. However, all of these warnings are fake and supposed to scare you into thinking your computer is in danger. Use the removal guide below to remove this infections and Worm.Win32.Netsky Fake Spyware Alert from your computer for free.
Symptoms in a HijackThis Log
F2 – REG:system.ini: Shell=Explorer.exe logon.exe
F2 – REG:system.ini: UserInit=C:\WINDOWS\system32\winlogon86.exe
O4 – HKLM\..\Run: [winupdate86.exe] C:\WINDOWS\system32\winupdate86.exe
O10 – Unknown file in Winsock LSP: c:\windows\system32\winhelper86.dll
O10 – Unknown file in Winsock LSP: c:\windows\system32\winhelper86.dll
Use the following instructions to remove Worm.Win32.Netsky Fake Spyware Alert
Step 1.
Download HijackThis from here and save it to your Desktop.
If you cannot run HijackThis, then re-download it, but before saving HijackThis.exe, rename it first to explorer.exe and click Save button to save it to desktop.
Run HijackThis. Click “Do a system scan only” button. Now select the following entries by placing a tick in the left hand check box, if present:
F2 – REG:system.ini: Shell=Explorer.exe logon.exe
F2 – REG:system.ini: UserInit=C:\WINDOWS\system32\winlogon86.exe
O4 – HKLM\..\Run: [winupdate86.exe] C:\WINDOWS\system32\winupdate86.exe
Place a checkmark against each of them. Once you have selected all entries, close all running programs then click once on the “fix checked” button. Close HijackThis.
Step 2.
Download LSPFix from here and unzip it to your Desktop.
Run LSPFix. Place a tick in the “I know what i`m doing”.
In the KEEP box select winhelper86.dll and press “>>” button.
Press Finish>> button. When LSPFix is done removing the LSP you will see a summary box. Press OK.
Step 3.
Download MalwareBytes Anti-malware (MBAM). Close all programs and Windows on your computer.
Double Click mbam-setup.exe to install the application. When the installation begins, keep following the prompts in order to continue with the installation process. Do not make any changes to default settings and when the program has finished installing, make sure a checkmark is placed next to Update Malwarebytes’ Anti-Malware and Launch Malwarebytes’ Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded you will see window similar to the one below.
Malwarebytes Anti-Malware Window
Select Perform Quick Scan, then click Scan, it will start scanning your computer. This procedure can take some time, so please be patient.
When the scan is complete, click OK, then Show Results to view the results. You will see a list of infected items similar as shown below. Note: list of infected items may be different than what is shown in the image below.
Malwarebytes Anti-malware, list of infected items
Make sure that everything is checked, and click Remove Selected for start removal process. When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.
Note: if you need help with the instructions, then post your questions in our Spyware Removal forum.
The infection creates the following files and folders
c:\windows\system32\AVR10.exe
c:\windows\system32\critical_warning.html
c:\windows\system32\winhelper86.dll
c:\windows\system32\winupdate86.exe
c:\windows\system32\winlogon86.exe
The infection creates the following registry keys and values
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdate86.exe
Had the same problem – the above fixed it but task manager still won’t run – seems damaged, any ideas? Thanks.
Hi i have this bug to and cant use any of the fles you say to download to get rid of it, i save them to the desk top but when i try to run them i get error messages ending ‘MSVBVM60.DLL was not found’….any ideas??
thanks
My wife’s computer got infected by this nasty, vicious worm, and I did all kinds of things before hitting the tech sites. Not only did these steps fix her problem (XP OS), but I am delighted by the Malwarebytes anti-malware program and am going to purchase it for both our computers.
I cannot thank you enough. All appears to be normal and running smoothly again. I feared the worst and was prepared for a re-format of the infected drive.
I have downloaded hijackthis to my usb, reboot in safe mode, the virus warning popup as usual. I renamed hijack to explorer.exe and copy to desktop, but I still can not run the program. Looks like the virus also run on safe mode. What can I do? Please help.
Hey Patrik,
so I downloaded HijackThis, then did the scan only button, and these entries don’t come up. One of them did, but these below two did not. Please help! Thank you
F2 – REG:system.ini: Shell=Explorer.exe logon.exe
O4 – HKLM\..\Run: [winupdate86.exe] C:\WINDOWS\system32\winupdate86.exe
Help, I’m in the contin. loop of logon/log off.
I used spyware.
Any help will be appreciated.
Thanks!
Sorry, I used spybot and when I rebooted I got stuck in the log on/log off mode. I can’t go any where from here.
thank you so much. seriously. but i skipped the 2nd step, on running the file in the .zip since the trojan/fake virus disabled my winrar.
anyway the thing’s gone now. thx again
Thank you for the excellent help.
There’s just one more thing that would be really useful – to find the ass who wrote the Internet 2010 stuff and put him out of his misery.
People like this don’t belong in society.
Again…. Good prevails over Evil!! This is the BEST site for the Netsky worm. Apparently, there are different affects/flavors of it and this site helped the most. I had to run mbam 2 times to completely remove trojan and backdoorbot crap. The comments section on this site helped as well. Bravo and THANK YOU!!
Steven, the you have two variants:
1. reinstall Windows
2. restore windows installation (all system files and windows registry)
Yana, looks like your computer is infected with a trojan that reinstalls the malware. Ask for help in our Spyware removal forum.
Steve, Malwarebytes should fix the trouble. If you still having blocked TaskManager, then ask for help in our Spyware removal forum.
Susie, please download the following MS run-time installer which will install the missing file and allow you to use Malwarebytes Anti-malware without any problems: http://www.microsoft.com/downloads/details.aspx?FamilyId=7B9BA261-7A9C-43E7-9117-F673077FFB3C
lawrence, you can remove core components of trojan using Recovery console.
Boot with the windows installation disk.
At “Welcome to setup screen” Press R.
Select the appropriate path for windows and press Enter.
If it asks you for the administrator password, type the administrator password and press Enter or just hit Enter.
You will now see the Prompt c:\windows>
Type cd system32 and press Enter.
Type copy userinit.exe winlogon86.exe and press Enter.
Type copy userinit.exe winlogon32.exe and press Enter.
Type del winupdate86.exe and press Enter.
Type del smss32.exe and press Enter.
Type del critical_warning.html and press Enter.
Type exit and press Enter.
Reboot your computer and run Malwarebytes Anti-malware.
Andrea, read my previous comment.
I have all the symptoms of this Win32.Netsky fake virus alert. However, when I run Hijack This, I do not have the following entries: F2 – REG:system.ini: Shell=Explorer.exe logon.exe
F2 – REG:system.ini: UserInit=C:\WINDOWS\system32\winlogon86.exe
O4 – HKLM\..\Run: [winupdate86.exe] C:\WINDOWS\system32\winupdate86.exe
Why is this? Should I continue with the other steps?
I would like to attach this to the previous post.
When I run Hijack This, the only entries I have starting with O10 are these:
O10 – Unknown file in Winsock LSP: c:\windows\system32\winhelper32.dll
O10 – Unknown file in Winsock LSP: c:\windows\system32\winhelper32.dll
The only entry I have starting with F2 is this:
F2 – REG:system.ini: UserInit=C:\WINDOWS\system32\winlogon32.exe
I don’t have the others, but are these part of the fake spyware alert?
Bryan, you have infected with a new version of the trojan. Use these removal instructions.
Patrik,
I do not have any disks. I do not know how to get into the console because of the loop of the log on.
Thanks!
Same problem!!!! and i have version 1.44.0.0
HELP!!!!
“Once the program has loaded you will see window similar to the one below.”
I did not get the image that you have at that point. (I printed the instructions on the printer at work.)
Then I got
Setup
“Unable to execute file: c:\ProgramFiles\Malwarebytes’Anti-Malware\mbam.exe”
“CreateProcess failed; code 2.
The system cannot find the file specified.”
I will continue to search.
Help ?!?
Comment by Bridget — December 12, 2009
nevermind, i got it, worked like a charm after i installed it about 10 times! thanks
Hi,
I read the previous post
“You will now see the Prompt c:\windows>
Type cd system32 and press Enter.
Type copy userinit.exe winlogon86.exe and press Enter.
Type copy userinit.exe winlogon32.exe and press Enter.
Type del winupdate86.exe and press Enter.
Type del smss32.exe and press Enter.
Type del critical_warning.html and press Enter.
Type exit and press Enter.
Reboot your computer and run Malwarebytes Anti-malware.”
When I get to the del winupdate86.exe and del critical, it says that there are no matching files.
i still have the contin. loop of log on.
It did get the disk from my friend.
what do I have to do now?
Thank you
I also thank you for this web My Anti Spyware page. It also help me remove the annoying Worm.Win32.NetSky popup during bootup.
Ray, dpwnload this file.
Save the file to C:\program files\Malwarebytes’ Anti-Malware\ .
Run it.
Andrea, then you have two variants:
1. reinstall Windows
2. restore windows installation (all system files and windows registry)
This same problem hit me on January 2nd. It started with the ‘svchost generic error’. After running windows defender and being told my system was ‘clean’ the next reboot gave me the Spyware alert window as shown at the beginning of this thread, the blue/green background wallpaper (unable to change it), cntrl+alt+del to open taskmanager gave either a warning the file was infected or that task manager has been disabled by the administrator. I opened internet explorer but I would be directed to random sites, (many times yellowpages.com).
This solution seemed too easy but it worked for me: I pulled my cable modem, and did a System Restore to a date far previous to the first time I recieved the error message. On reboot, everything worked normally. I reconnect my modem, (turned off windows auto update), did a re-install/full update of my anti-virus software (McAfee), disconnected the modem again and ran a full scan. It found and quarantined what was labeled as a trojan in the system32 folder (i forget the exact name, it was a long day fighting this thing). I rebooted and it has been running normally since Saturday night with several shut-down/start-ups to verify the issue is gone.
Note: I have not yet turned Windows auto-update back on. I did my last update manually through the windows web-site. The issue may not be truly ‘solved’ but my computer is no longer a paperweight. If anyone has any constructive feedback, let me know.
DC, try run Malwarebytes Anti-malware.
worked like a charm… thanks !!!!
Yay!!! 🙂 Following these instructions exactly fixed my computer. It took about 30 minutes but thanks so much for the help. With HiJack This, I selected a file associated with Internet Security 2010 to delete.