If you are seeing a Spyware Alert box that states that Worm.Win32.Netsky has been detected on your machine, then you have become infected with a trojan that uses this Spyware Alert to trick you into purchasing Advanced Virus Remover, Antivirus 2009 or another rogue antispyware program. Once running, the trojan will display a fake Security alert as shown below:
Security alert
Security Warning!
Worm.Win32.Netsky detected on your machine.
This virus is distributed via the Internet through email and Active-x
objects.
The worm has its own smtp engine which means it gathers
emails from your local computer and re-distributes itself.
In worst cases this worm can allow attachers to access your
computer, stealing passwords and personal data.
Viruses can damage your confidential data and work on your
computer.
Continue working in unprotected mode is very dangerous.
Recommendation: It is necessary to perform a system scan.
Worm.Win32.Netsky detected on your machine – Fake Spyware Alert
What is more, the trojan will also display a lot of popups, disable Windows Task Manager and change the desktop background to blue with a black window saying that you have a serious infection and need to run a spyware removal tool. However, all of these warnings are fake and are meant to scare you into thinking your computer is in danger. Use the removal guide below to remove this infection and the Worm.Win32.Netsky Fake Spyware Alert from your computer for free.
Symptoms in a HijackThis Log
F2 – REG:system.ini: Shell=Explorer.exe logon.exe
F2 – REG:system.ini: UserInit=C:\WINDOWS\system32\winlogon86.exe
O4 – HKLM\..\Run: [winupdate86.exe] C:\WINDOWS\system32\winupdate86.exe
O10 – Unknown file in Winsock LSP: c:\windows\system32\winhelper86.dll
O10 – Unknown file in Winsock LSP: c:\windows\system32\winhelper86.dll
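As an added example (not part of the original guide and not code from HijackThis), the Python script below triages a HijackThis log saved as text for the entries listed above and reports which removal step below handles each one. The function name `triage`, the sample log and its benign ctfmon.exe line are constructed for illustration; Explorer.exe and userinit.exe are the standard Windows defaults for the two Winlogon values.

```python
import re
from ntpath import basename  # Windows path rules on any host OS

# File names from this page's "files and folders" list.
PAGE_FILES = {"avr10.exe", "critical_warning.html", "winhelper86.dll",
              "winupdate86.exe", "winlogon86.exe"}
# Accept both "-" (real logs) and the en dash this page's rendering uses.
ENTRY = re.compile(r"^(F2|O4|O10)\s+[-\u2013]\s+(.*)$")

# Constructed sample: the page's symptom lines plus one benign O4 entry.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe logon.exe
F2 – REG:system.ini: UserInit=C:\WINDOWS\system32\winlogon86.exe
O4 - HKLM\..\Run: [winupdate86.exe] C:\WINDOWS\system32\winupdate86.exe
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\winhelper86.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\winhelper86.dll
"""

def triage(log_text):
    """Return sorted (section, file, removal step) tuples for suspect entries."""
    hits = set()  # a set collapses the duplicated O10 line
    for raw in log_text.splitlines():
        m = ENTRY.match(raw.strip())
        if not m:
            continue
        section, low = m.group(1), m.group(2).lower()
        if section == "F2" and "shell=" in low:
            # Windows default shell is Explorer.exe alone; extra tokens are suspect.
            for tok in low.split("shell=", 1)[1].split():
                if basename(tok) != "explorer.exe":
                    hits.add((section, basename(tok), "Step 1"))
        elif section == "F2" and "userinit=" in low:
            # Windows default is userinit.exe followed by a comma.
            for tok in low.split("userinit=", 1)[1].split(","):
                if tok.strip() and basename(tok.strip()) != "userinit.exe":
                    hits.add((section, basename(tok.strip()), "Step 1"))
        elif section == "O4" and basename(low.rsplit("] ", 1)[-1]) in PAGE_FILES:
            hits.add((section, basename(low.rsplit("] ", 1)[-1]), "Step 1"))
        elif section == "O10" and basename(low.rsplit(": ", 1)[-1]) in PAGE_FILES:
            hits.add((section, basename(low.rsplit(": ", 1)[-1]), "Step 2"))
    return sorted(hits)

if __name__ == "__main__":
    for section, name, step in triage(SAMPLE_LOG):
        print(f"{section:4} {name:20} fix in {step}")
```

The Shell check splits on whitespace, so a shell path containing spaces would be reported token by token; treat its output as a prompt for manual review of the log.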
Use the following instructions to remove Worm.Win32.Netsky Fake Spyware Alert
Step 1.
Download HijackThis from here and save it to your Desktop.
If you cannot run HijackThis, then re-download it, but before saving HijackThis.exe, rename it to explorer.exe and click the Save button to save it to the desktop.
Run HijackThis. Click “Do a system scan only” button. Now select the following entries by placing a tick in the left hand check box, if present:
F2 – REG:system.ini: Shell=Explorer.exe logon.exe
F2 – REG:system.ini: UserInit=C:\WINDOWS\system32\winlogon86.exe
O4 – HKLM\..\Run: [winupdate86.exe] C:\WINDOWS\system32\winupdate86.exe
Place a checkmark against each of them. Once you have selected all entries, close all running programs then click once on the “fix checked” button. Close HijackThis.
Step 2.
Download LSPFix from here and unzip it to your Desktop.
Run LSPFix. Place a tick in the “I know what I’m doing” checkbox.
In the KEEP box select winhelper86.dll and press the “>>” button.
Press Finish>> button. When LSPFix is done removing the LSP you will see a summary box. Press OK.
Step 3.
Download Malwarebytes Anti-Malware (MBAM). Close all programs and windows on your computer.
Double Click mbam-setup.exe to install the application. When the installation begins, keep following the prompts in order to continue with the installation process. Do not make any changes to default settings and when the program has finished installing, make sure a checkmark is placed next to Update Malwarebytes’ Anti-Malware and Launch Malwarebytes’ Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded you will see a window similar to the one below.
Malwarebytes Anti-Malware Window
Select Perform Quick Scan, then click Scan to start scanning your computer. This procedure can take some time, so please be patient.
When the scan is complete, click OK, then Show Results to view the results. You will see a list of infected items similar to the one shown below. Note: the list of infected items may be different from what is shown in the image below.
Malwarebytes Anti-malware, list of infected items
Make sure that everything is checked, and click Remove Selected to start the removal process. When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.
Note: if you need help with the instructions, then post your questions in our Spyware Removal forum.
The infection creates the following files and folders
c:\windows\system32\AVR10.exe
c:\windows\system32\critical_warning.html
c:\windows\system32\winhelper86.dll
c:\windows\system32\winupdate86.exe
c:\windows\system32\winlogon86.exe
The infection creates the following registry keys and values
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdate86.exe
You are a genius! Thank you so much for your help!
After trying a load of other sites, this was the one that worked for Vista!
You need to get paid more for your work.
Thanks for the help. I did not see winhelper86.dll in the LSPFix in step 2 but I moved on anyway and all is good now just the same, great job. McAfee Enterprise could not fix the problem, go figure. You restored my faith in 3rd party malware apps. You da man!
Hi, I too have this virus, my background has been replaced with a virus message, I cannot open Internet Explorer, and when I try to open any file on my desktop (including HijackThis, which I saved on a USB stick and tried to transfer over) I get an error message saying file explorer.exe is infected. Please can you help, my laptop won’t start in safe mode either and my task manager has been disabled. I have no idea what I’m doing so I can’t follow some of your suggestions above! Thank you.
I had the same problem. The use of MBAM helped.
When I installed MBAM, I received the “CreateProcess failed; code 2.” message. What you need to do is get the file downloaded in another system and rename it and copy it to execute it.
Otherwise you can use this link to download
http://mbam.malwarebytes.org/program/random.php
Just executing the MBAM helped. I did not do the first two steps because I did not see those problems.
Great help from this site. Appreciate this.
The Malwarebytes program worked! Thank you SOO much!
Emma, try re-downloading it. You need to rename HijackThis.exe to explorer.exe in the Save dialog!
I have tried renaming it but I still can’t open it on the infected laptop as I can’t open any folder or file without the virus message blocker coming up (i.e. I can open Control Panel but no folder within it). Is there anything else I can do? Thank you for your help.
Hi Patrik, thanks for the advice, gotten around to trying it today after a busy weekend. I fear I have made the problem worse: I copied the userinit.exe file to Winlogon.exe and winlogon86.exe by mistake, agreeing to overwrite the existing files in these locations, but I have also copied them to logon.exe and winlogon32.exe. After exiting the Recovery Console the PC reboots to the black screen advising that Windows didn't start correctly due to a recent hardware or software change. When I try any of the options it just freezes. I am unable to use safe mode or last known good configuration.
Thanks in advance, should do this while not being half asleep!
Thanks
Steven
Steven, looks like you have rewritten winlogon.exe, an important system file.
You need to restore it from the Windows installation disk.
Boot your computer in Recovery console mode.
Type
expand e:\i386\winlogon.ex_ c:\windows\system32\
Press Enter.
Where “e” is your CDROM drive.
Note: If you have to verify the source and destination drive letters, type Map, and then press ENTER.
Hey Patrik,
I followed your instructions and it worked like a charm!
I then had the same issue Steven had on Jan 6 where I couldn’t login to windows, and then your advice for him on Jan 7 (Steven, try copy userinit.exe to logon.exe and winlogon32.exe.) worked for me as well.
Now that I was able to login to windows once again, I ran virus scans, adware scans, malware scans, and registry cleaners to make sure everything is clean, but after 5-10 minutes of activity, depending on the amount of activity, my computer freezes up and I have to force a restart. Is this a registry issue? The virus scan took two hours, but I just let the computer sit there so it was able to finish. It seems like the more active on the computer I am, the quicker it freezes up.
Hi Patrik, I don't want to make it any worse by not completely understanding what to enter into the Recovery Console. Are you able to confirm that I still need to go
1(enter)
Enter through password
cd system 32
expand e:\i386\winlogon.ex_ c:\windows\system32\
where e: is replaced with d: as that's my CDROM drive. Sorry to be a pain, just don't want to make this worse 🙂
Thank
Hi Patrik
I followed the blog and it seems to have allowed me to access my task manager again and the warning messages are gone, however under TCPIP view it is still hijacking my email and sending out spam. Do you have any ideas as to what I can do further?
Thanks
Should also mention that running ZoneAlarm has helped by blocking its use of my email, however this isn't ideal as I would like to get rid of the problem entirely.
Thanks
I did the first two steps and found nothing of those you listed and am having trouble getting MBAM to work. I have the code 2 issue when I download it normally and the random name link gives me error 707 (3,0).
Dear Patrick,
Thank you thank you thank you so much for your help in cleaning this up. Even though my computer remained operational the whole time (I have Symantec Anti-Virus that helped control the virus, but it couldn’t remove it completely), none of the patches I installed were able to fix the issue, until I found this.
THANK YOU THANK YOU THANK YOU!!!!!
Sam, probably yes (not 100%). Check your PC also using Kaspersky Online Scanner.
Steven, then you should use:
expand d:\i386\winlogon.ex_ c:\windows\system32\
Celestine, looks like your computer is infected with another trojan. Ask for help in our Spyware removal forum (link at top of the page).
Clymos, open a new topic in our Spyware removal forum.
Hey Patrik,
It turned out that I also had a Master Boot Record infection which took some time to detect! Luckily, I was able to clear that up as well. Thanks a lot for your help!
I OWE YOU MY LIFE!!! MY GIRLFRIEND WOULD KILL ME IF SHE FOUND OUT I SCREWED HER BELOVED WORK PC UP! THANK YOU THANK YOU THANK YOU! I know that All Caps is annoying but I cannot stress how much you just saved my arse!!!!
Hi Patrik, I completed the steps, but it asked me to overwrite winlogon.exe and gave me the options of Yes/No/All/Quit. As I overwrote the files in the first place I selected Y for yes. Was this the correct selection? If it was, the same issue is happening where my PC won't boot up past the “Windows failed to start correctly”
Cheers
Steven, run Recovery console once again.
Type chkdsk /r, and then press ENTER.
Once finished, type exit, and then press ENTER to restart your computer.
If this procedure does not work, repeat it and use the fixboot command instead of the chkdsk /r command.
Just finished doing that Patrik, it loads further but only the white bar at the bottom of the screen when I try and load it up.
I did
1
chkdsk r
didn't work, so I did
1
Fixboot c:
Did I execute it correctly?
Thanks
Steven
Hi Patrik, I thought I put a reply in here earlier but it seems to have gone, so I'll type it again 🙂 Probably me forgetting to submit the comment 🙂
I did what you suggested above, and while it's a little better (the bar loads up about 10%-15% through), it still doesn't boot. What I did was: 1, chkdsk /r, Exit once finished.
I then tried 1, fixboot c: then Exit, which didn't work either. Any other ideas?
Thanks
Now it shows, sorry about the double post.
Thank you.
At first, I scanned with ESET Smart Security 3.0 and found one file. I deleted it but the pop-up was still there. Then I found this helpful site from Google.
Step 1. I didn’t find the 3 files, so I moved to the next step.
Step 2. I also didn’t find the winhelper86.dll, moved to the final step.
Step 3. I installed MBAM successfully, but couldn’t update (error 732, 12007). I scanned anyway. Found 45 files, removed, restarted.
Finally the pop up stopped.
So, thank you, very much.
Steven, looks like the trojan has removed/damaged a few system files.
Have you tried to boot your PC in Safe or last good configuration modes?
Hi Patrik, I have tried all Safe Modes. When I try this, a few files from System32 scroll at the bottom of the screen, and then it just stops. When I tried Last good configuration the screen went black and nothing else happened.
Thanks
I followed the instructions and thought I was successful but several hours later it reappeared. Any suggestions?