If you are seeing a Spyware Alert box that stats that Worm.Win32.Netsky detected on your machine, then you have become infected with a trojan that uses this Spyware Alert to trick you into purchasing Advanced Virus Remover, Antivirus 2009 or another rogue antispyware program. Once running, the trojan will display a fake Security alert as shown below:
Security alert
Security Warning!
Worm.Win32.Netsky detected on your machine.
This virus is distributed via the Internet through email and Active-x
objects.
The worm has its own smtp engine which means it gathers
emails from your local computer and re-distributes itself.
In worst cases this worm can allow attachers to access your
computer, stealing passwords and personal data.
Viruses can damage your confidential data and work on your
computer.
Continue working in unprotected mode is very dangerous.Recommendation: It is necessary to perform a system scan.
Worm.Win32.Netsky detected on your machine – Fake Spyware Alert
What is more, the troajn will also display a lot of popups, disable Windows Task Manager and change a desktop background to blue with a black window saying that you have a serious infection and need to run a spyware removal tool. However, all of these warnings are fake and supposed to scare you into thinking your computer is in danger. Use the removal guide below to remove this infections and Worm.Win32.Netsky Fake Spyware Alert from your computer for free.
Symptoms in a HijackThis Log
F2 – REG:system.ini: Shell=Explorer.exe logon.exe
F2 – REG:system.ini: UserInit=C:\WINDOWS\system32\winlogon86.exe
O4 – HKLM\..\Run: [winupdate86.exe] C:\WINDOWS\system32\winupdate86.exe
O10 – Unknown file in Winsock LSP: c:\windows\system32\winhelper86.dll
O10 – Unknown file in Winsock LSP: c:\windows\system32\winhelper86.dll
Use the following instructions to remove Worm.Win32.Netsky Fake Spyware Alert
Step 1.
Download HijackThis from here and save it to your Desktop.
If you cannot run HijackThis, then re-download it, but before saving HijackThis.exe, rename it first to explorer.exe and click Save button to save it to desktop.
Run HijackThis. Click “Do a system scan only” button. Now select the following entries by placing a tick in the left hand check box, if present:
F2 – REG:system.ini: Shell=Explorer.exe logon.exe
F2 – REG:system.ini: UserInit=C:\WINDOWS\system32\winlogon86.exe
O4 – HKLM\..\Run: [winupdate86.exe] C:\WINDOWS\system32\winupdate86.exe
Place a checkmark against each of them. Once you have selected all entries, close all running programs then click once on the “fix checked” button. Close HijackThis.
Step 2.
Download LSPFix from here and unzip it to your Desktop.
Run LSPFix. Place a tick in the “I know what i`m doing”.
In the KEEP box select winhelper86.dll and press “>>” button.
Press Finish>> button. When LSPFix is done removing the LSP you will see a summary box. Press OK.
Step 3.
Download MalwareBytes Anti-malware (MBAM). Close all programs and Windows on your computer.
Double Click mbam-setup.exe to install the application. When the installation begins, keep following the prompts in order to continue with the installation process. Do not make any changes to default settings and when the program has finished installing, make sure a checkmark is placed next to Update Malwarebytes’ Anti-Malware and Launch Malwarebytes’ Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded you will see window similar to the one below.
Malwarebytes Anti-Malware Window
Select Perform Quick Scan, then click Scan, it will start scanning your computer. This procedure can take some time, so please be patient.
When the scan is complete, click OK, then Show Results to view the results. You will see a list of infected items similar as shown below. Note: list of infected items may be different than what is shown in the image below.
Malwarebytes Anti-malware, list of infected items
Make sure that everything is checked, and click Remove Selected for start removal process. When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.
Note: if you need help with the instructions, then post your questions in our Spyware Removal forum.
The infection creates the following files and folders
c:\windows\system32\AVR10.exe
c:\windows\system32\critical_warning.html
c:\windows\system32\winhelper86.dll
c:\windows\system32\winupdate86.exe
c:\windows\system32\winlogon86.exe
The infection creates the following registry keys and values
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdate86.exe
hey i cnt rum malwarebytes on my pc what to do ……
I’ll run it tonight and let you know of any findings. As of yesterday evening, everything booted and ran as normal and a search for the telltale files (see below) came up negative.
C:\WINDOWS\system32\helper32.dll
C:\WINDOWS\system32\smss32.exe
C:\WINDOWS\system32\winlogon32.exe
C:\WINDOWS\system32\41.exe
C:\WINDOWS\system32\warning.html
I’m feeling optimistic, but based on the absence of the files listed above and the performance being back to normal I hope I’m in the clear. I will run malwarebytes and report what I find.
Help please! my uncle got this virus on his laptop and usally im able to fix most viruses with malwarebytes but not this time. i cannot access taskmgr.exe or regedit 🙁 . mbam doesnt not find any infected objects and when i scan with hijackthis i dont have ANY of the known symptoms…. i cannot access the internet and ive tried running things in safe mode also. no luck. it is running Vista. on another note, gues its from the virus but the laptop also blue screens quite a bit. any ideas besides reformating ?
Jason, make a new topic in our Spyware removal forum and post your HijackThis log.
I followed the steps. In steps 1 and 2 I didn’t see any of the files listed. So I proceeded onto step #3. Malwarebytes found 346 infected objects. I rebooted and all seems well, except I still have the blue screen with the black warning box. Do I still have an infection?
Thank you,
Tim
worked like a charm!!! thank you so much!!!!
Update – Thought I was in the clear, but stupidly ran windows auto-update before running malwarebytes. The netsky symptoms have been long gone, but Mcafee found (and quarantined) E.exe and Smss32.exe trojans.
Running Malwarebytes tonight. My fault for assuming I was clear, and not actually checking.
One question: will Malwarebytes find and remove the winupdate.exe trojan/virus program and clear it from the registry? Or do I have to manually remove the registry entries? Thanks!
Tim, open desktop settings and try to change desktop background.
DC, yes, Malwarebytes should fix it.
I was having a hard time with this virus I couldn’t run regedit taskmanager I renamed hijackthis and nothing I got regedit to work by allowing all the pop ups to come when I typed regedit I got a error pop up I didn’t close it or hit ok I just dragged it to the bottom corner of my screen then i went to regedit again and it worked in regedit I hit edit then find and typed DisableTaskMgr when it found it I right clicked on the DisableTaskMgr hit modify then changed the default to 0 as stated by someone here I still didn’t click the pop ups I downloaded hijackthis and that worked then I was able to open task manager I hit process and found nothing with win I did find something that said i2010 or something like that just look for whatever says 2010 in the name I stopped that process then and only then could I follow the instructions above I went online and types lspfix and it would redirect me to a fake website I had to go to this webpage the myantispyware.com same one your reading this on and click on the blue lspfix download link then I was able to run lspfix for malwarebytes I couldn’t find it with this website I went to cnet.com then I did a search for malwarbytes and downloaded it from there just do what the instructions say and it should work I’m providing my experience because nothing else worked and I spent hours trying to figure this out sorry for making it this long but I know some of us need a lot of details like me hope this helps
Ran Malwarebytes last night: The quick scan found the remnants of the FakeAlert trojan, the d.exe Dropper trojan (McAfee missed both of these) and 2 altered registry files (disabling Anti-Virus and Windows Firewall in Windows Security at start-up). It fixed those and I did a second quick scan and then a full scan after a reboot, both came up clean.
From Malwarebytes Log:
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
Files Infected:
C:\WINDOWS\Temp\d.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\warning.html (Trojan.FakeAlert) -> Quarantined and deleted successfully.
Thank you!
SEVEN HOURS of total frustration……. I printed out these directions and followed them and THANK YOU sooooo much!!!! I have my laptop back and can get on with my school work!
Wow!!!
Thanks so much! Worked like a charm!
Thanks!!
please be aware, malwarebytes fixed MOST of the problem for me however I checked network connections and found I was still sending out many smtp requests.
running “netstat -a” should tell you of this. It will either list just the normal connections (assuming you have IE etc closed) or many sites
Up to now I still havent managed to fix this – however thought i would share as I am concerned other people may have thought they have also cleared it, but havent.
I’ve got versions of this virus twice – both with slightly different files than those you’ve listed – but this guide has helped me get it clean both times
thank you
Unfortunately though my laptop is infected, HijackThis did not list these specific symptoms, and LSPFix did not list the winhelper86.dll.
Followed the instructions to the letter and it worked like a CHAMP. Thank You!
Kevin, probably your PC is infected with a new variant of the trojan. Try the guide.
Hi all – I’m trying to remove the worm..netsky fake spyware alert trojan; but even with a boot into safe mode, the alert appears and disables task manager, so with no other obvious way to install and run mbam and highjackthis (I was hoping on doing this from a flash drive), I’m dead in the water. Holding down the Shift key during windows boot (rec from our ITA guy) to stop programs from autoinstalling didn’t seem to do anything. Unless someone has a way to end-run the virus, my next step is to yank the hard drive and link it as a slave drive on a clean machine and do the scanning/cleansing from there.
After two days of suffering through incessant pop-ups and blocked sites from this virus along with weird behavior on the desk top, Malwarebites got rid of the nasty virus on the first try. Such freedom to get my laptop back!
All the while Kaspersky keeps crashing the laptop while trying to remove the virus.
Malwarebites 1, Kaspersky 0.
Thank you so much Malwarebites. You are indeed the best!
Thank you for this great info. Your guide worked like a dream and laptop is now free and clean. Keep up the great work. It much appreciated.
I don’t generally post on sites like this, but I feel obligated to in this case. I downloaded Hijack and the other program for the 1st two steps and I was worried because I didnt see any of the files i saw here. Then I installed Malwarebytes, restarted my computer, and all was good in the world! I had the Worm.Win32.Netsky virus/work and it really really sucked. Does anyone know what sites, or where this could have come from? Also-why cant Norton or the other major programs (that you have to pay for by the way) detect this worm? I think I’ll send them an email or something. Thank you malwarebytes…do you all think I should send them a thank you chocolate basket?
Matt, you can purchase the full version of Malwarebytes Anti-malware. Its good for them and protect you from future threats.
Just like Matt, why is it other major pay AV programs can’t find and fix this trojan?
I’m about to try this fix (SmitFraudFix didn’t work for me)…I hope it works. Do I have to be in Safe Mode? Wish me luck!
Unfortunately, it didn’t work. Previously ran McAfee and SmitFraudFix.
Ran Hijaack, didn’t find the entries mentioned, assumed they were taken care of by previous fixes, continued to LSPFix, again, no entries, made same assumption.
Ran MBAM, flashlight looking for mbam.exe came on. turned laptop off to move to other computer for answers, now that I’ve turned the laptop back on I’m stuck in the “logon” loop that Matt wrote of on Dec. 28, 2009:
“I did a reboot but am stuck at the Login screen. As soon as I click logon to an account, it clocks for about 10 seconds then logs me off……Help, I’m locked in a loop!
Comment by Mike — December 28, 2009 #
I’m trying this fix you posted:
“Mike, looks like your AV is removed infected files, but did not repair Windows registry.
Boot your in Recovery console mode using installation disk. Then copy userinit.exe to winlogon86.exe, then reboot your computer.”
I’m trying to boot using the Recovery disk but even though the CD sounds like it’s running, the computer only boots up to the same login screen. Am I using the right disk? Is there another way?
Sierra, you need boot into Recovery console as i have posted above (Comment by Patrik — January 17, 2010).
Probably you need set your CD/DVD disk as first boot device in BIOS.
Patrik, you’re right. Sorry for being such a newbie. Unfortunately, Toshiba gave me their W98 recovery disk (not a good thing to find out 4 years after you purchase a laptop). On to search for an XP one.
Thank you so much!! You saved my laptop and my life!!
Hi,
After executing Step 1, I do not see any of the listed registry enteries. I have a windows xp professional as OS.
The only entry for F2 is
F2 – Reg:System.ini: UserInit=C:\Windows\system32\winlogon32.exe.
Do I need to delete this?
For Step 2:
Execute LspFix.exe
I do not see any winhelper86.exe
How do I go about removing this.
Thanks
Rahul
Hello to all, instructions worked very well, thanks alot, only issue i had was running MBAM, if anybody runs into this issue, installing MBAM on a removeable drive, allows you to run it, and them remove everything. Thanx again