If you are seeing a Spyware Alert box stating that Worm.Win32.Netsky was detected on your machine, your computer is infected with a trojan that uses this fake alert to trick you into purchasing Advanced Virus Remover, Antivirus 2009 or another rogue antispyware program. Once running, the trojan displays a fake security alert as shown below:
Security alert
Security Warning!
Worm.Win32.Netsky detected on your machine.
This virus is distributed via the Internet through email and Active-x
objects.
The worm has its own smtp engine which means it gathers
emails from your local computer and re-distributes itself.
In worst cases this worm can allow attachers to access your
computer, stealing passwords and personal data.
Viruses can damage your confidential data and work on your
computer.
Continue working in unprotected mode is very dangerous.
Recommendation: It is necessary to perform a system scan.
Worm.Win32.Netsky detected on your machine – Fake Spyware Alert
In addition, the trojan displays numerous popups, disables Windows Task Manager and changes the desktop background to blue with a black window saying that you have a serious infection and need to run a spyware removal tool. All of these warnings are fake and are meant to scare you into thinking your computer is in danger. Use the removal guide below to remove this infection and the Worm.Win32.Netsky Fake Spyware Alert from your computer for free.
Symptoms in a HijackThis Log
F2 – REG:system.ini: Shell=Explorer.exe logon.exe
F2 – REG:system.ini: UserInit=C:\WINDOWS\system32\winlogon86.exe
O4 – HKLM\..\Run: [winupdate86.exe] C:\WINDOWS\system32\winupdate86.exe
O10 – Unknown file in Winsock LSP: c:\windows\system32\winhelper86.dll
O10 – Unknown file in Winsock LSP: c:\windows\system32\winhelper86.dll
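The following is an added example, not part of the original guide: a Python script that triages a saved HijackThis log for the entries listed above and for other non-default Winlogon values. The function name `triage`, the sample log and its two extra lines (`ExampleTray`, `helper32.exe`) are constructed for illustration.

```python
import re

# "<section> - <body>"; accepts "-" or the en dash that web pages substitute for it.
ENTRY = re.compile(r"^([FO]\d{1,2})\s+[-\u2013]\s+(.+)$")
FILE_NAME = re.compile(r"[\w.-]+\.(?:exe|dll)\b", re.I)
# File names taken from this page's HijackThis symptoms and file list.
PAGE_INDICATORS = {"logon.exe", "winlogon86.exe", "winupdate86.exe",
                   "winhelper86.dll", "avr10.exe"}
# Windows default programs for the two Winlogon values reported in section F2.
F2_EXPECTED = {"shell": {"explorer.exe"}, "userinit": {"userinit.exe"}}
# Constructed sample: the page's entries plus two invented lines.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe logon.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\winlogon86.exe
O4 - HKLM\..\Run: [winupdate86.exe] C:\WINDOWS\system32\winupdate86.exe
O4 - HKLM\..\Run: [ExampleTray] C:\Program Files\Example\tray.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\winhelper86.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\winhelper86.dll
F2 - REG:system.ini: Shell=Explorer.exe helper32.exe
"""


def triage(log_text):
    """Return de-duplicated (section, verdict, detail) tuples for suspicious entries."""
    findings = []
    for raw in log_text.splitlines():
        m = ENTRY.match(raw.strip())
        if not m:
            continue
        section, body = m.groups()
        names = {n.lower() for n in FILE_NAME.findall(body)}
        hits = sorted(names & PAGE_INDICATORS)
        finding = None
        if hits:
            finding = (section, "match", ", ".join(hits))
        elif section == "F2" and "=" in body:
            # "REG:system.ini: Shell=..." gives key "shell"; flag non-default programs.
            key = body.split("=", 1)[0].rsplit(" ", 1)[-1].lower()
            extra = sorted(names - F2_EXPECTED.get(key, names))
            if extra:
                finding = (section, "review", ", ".join(extra))
        elif section == "O10" and "unknown file" in body.lower():
            finding = (section, "review", body)
        if finding and finding not in findings:
            findings.append(finding)
    return findings

if __name__ == "__main__":
    print(*triage(SAMPLE_LOG), sep="\n")
```

A `match` verdict means the entry names a file listed on this page; `review` means the entry deviates from the Windows default and needs a manual look before it is fixed in HijackThis.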
Use the following instructions to remove Worm.Win32.Netsky Fake Spyware Alert
Step 1.
Download HijackThis from here and save it to your Desktop.
If you cannot run HijackThis, re-download it, but before saving HijackThis.exe, rename it to explorer.exe and then click the Save button to save it to your Desktop.
Run HijackThis. Click the “Do a system scan only” button. Now select the following entries, if present, by placing a tick in the left-hand check box:
F2 – REG:system.ini: Shell=Explorer.exe logon.exe
F2 – REG:system.ini: UserInit=C:\WINDOWS\system32\winlogon86.exe
O4 – HKLM\..\Run: [winupdate86.exe] C:\WINDOWS\system32\winupdate86.exe
Place a checkmark against each of them. Once you have selected all entries, close all running programs then click once on the “fix checked” button. Close HijackThis.
Step 2.
Download LSPFix from here and unzip it to your Desktop.
Run LSPFix. Place a tick in the “I know what i`m doing” check box.
In the KEEP box, select winhelper86.dll and press the “>>” button.
Press the Finish>> button. When LSPFix has finished removing the LSP, you will see a summary box. Press OK.
Step 3.
Download Malwarebytes’ Anti-Malware (MBAM). Close all programs and windows on your computer.
Double-click mbam-setup.exe to install the application. When the installation begins, keep following the prompts to continue with the installation process. Do not make any changes to the default settings, and when the program has finished installing, make sure a checkmark is placed next to Update Malwarebytes’ Anti-Malware and Launch Malwarebytes’ Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, you will see a window similar to the one below.
Malwarebytes Anti-Malware Window
Select Perform Quick Scan, then click Scan to start scanning your computer. This procedure can take some time, so please be patient.
When the scan is complete, click OK, then Show Results to view the results. You will see a list of infected items similar to the one shown below. Note: the list of infected items may be different from what is shown in the image below.
Malwarebytes Anti-malware, list of infected items
Make sure that everything is checked, and click Remove Selected to start the removal process. When disinfection is completed, a log will open in Notepad and you may be prompted to restart.
Note: if you need help with the instructions, then post your questions in our Spyware Removal forum.
The infection creates the following files and folders
c:\windows\system32\AVR10.exe
c:\windows\system32\critical_warning.html
c:\windows\system32\winhelper86.dll
c:\windows\system32\winupdate86.exe
c:\windows\system32\winlogon86.exe
The infection creates the following registry keys and values
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdate86.exe
Rahul, you have been infected with a new variant of the trojan. Follow the steps.
Hey thanks for making the process clear and simple, but I still have one problem.
The fake AV alerts are gone and my desktop doesn’t get hijacked, but when I search stuff on Google, I still get redirected to some other site.
I dunno if it’s because of my computer’s version, but it’s XP.
Sorry if I’m a bother
Micah, your PC is probably also infected with the TDSS trojan. Ask for help in our Spyware removal forum.
Many thanks too. Norton found nothing. One lost day and you fixed it in 4 hours including scan.
When money is there I will buy your software to support your work.
Thank You! I did not have any of the files listed in step 1 or step 2 but step 3 sure did fix the problem. Thanks for sharing your knowledge and resources.
Patrik,
Got back on track and almost there..trying to fix System Restore by following your advice on Jan 6.
“Right click to DisableConfig and select Delete. Click OK to confirm it.”
– There’s no DisableConfig…Can I ignore?
“Right click to the value DisableSR and select Delete. Click OK to confirm it.”
– There is a DisableSR but not sure what the ‘value’ is and how to delete. If it’s under the “TYPE” or “DATA” column, there is no Delete option. Only the DisableSR has a Delete option and I don’t think that’s what you mean.
Is there a different fix?
got the virus and killed but AVG. then couldn’t logon. thanks to your info. you save my laptop!!!!
i’m getting that spyware alert message when windows first opens, but for some reason i can’t access the internet on the infected computer. also:
*my desktop background has been changed to a message telling me “your system is infected”
*my computer has slowed down considerably
*my task manager has been disabled
*the task bar is displayed but nothing on it is clickable including access to the start menu
any help from this point would be appreciated.
I had a similar issue where when I tried to run Malwarebytes’ Anti-Malware, it said that the program could not be found. I was so frustrated, but I realized what was happening. I happened to look in the folder that the program was being installed to, and about 2 seconds after it was installed, the MBAM file erased itself. I have to imagine that the virus was doing this.
I got around this by quickly copy/pasting the MBAM.exe file. This “copy of mbam.exe” file was not erased, and I was still able to run it. Hopefully that helps anyone else who ran into this trap.
Jim, if the above guide does not help you, then you have probably been infected with another variant of the trojan. Read the instructions.
Sierra Amber, right-click “DisableSR” and select Delete.
Thank you!
I think that did it and thanks for your help. Unfortunately, I think I have the TDSS as well. Will start something on the forum.
Just to say thanks – of all the sites proposing a remedy and after many hours of trying to get rid of this thing, this worked.
Thank you. This worked perfectly for me.
I think i love you man 🙂
I completed steps 1 and 2. Now I can’t get onto the internet but downloaded the Malware file onto a USB stick but it won’t run. I double click on it but nothing happens. Help!
Mona, try Safe mode with networking. Read the instructions.
Thank you Patrik. When I boot in Safe Mode, a Control center screen (virus) opens and I can’t close it or get past it. Now when I boot in Safe mode or non safe mode the Control center screen opens and I can’t do anything. I’ve tried turning my PC off and on but now it appears the virus has completely locked me out! Any advice?
You are amazing! Worked like a charm! Thank soooo much 🙂
Mona, try booting your PC in Safe mode with Command prompt. Once the computer has loaded, the command console opens.
Type explorer.exe and press Enter. It should display your desktop icons and task bar. Run Malwarebytes and perform a scan.
Hi Patrik, I am so sorry to keep posting my questions – here is one more though. I booted in safe mode with command prompt and opened the desktop with icons after typing explorer.exe. When I double click on Malwarebytes (shortcut) or click on it in my programs list, nothing happens. I get the hour glass for a couple of seconds and then nothing happens. I tried to go back and reboot with networking to reinstall the Malwarebytes but I get the control center screen where I can’t go anywhere. Am I stuck?
Mona, run the computer in Safe mode with command console. Once the command console opens, type regedit and press Enter.
Registry editor opens.
Navigate to the following keys by expanding the + at the left of each key:
HKEY_CURRENT_USER
Software
Microsoft
Windows NT
CurrentVersion
Winlogon
In the right part of the window, double-click Shell.
In the window that opens, remove all text and type:
explorer.exe
Press OK.
Close regedit.
Reboot computer in normal mode.
Hi Patrik, it’s me Mona again. Your latest help worked, and I reinstalled Malwarebytes. When it finishes installing, nothing happens. I have tried double clicking the application file, the shortcut on the desktop and even running it from the start menu. Nothing happens. I have installed it 3 times and each time nothing happens. I can see the mbam.exe file. This is very frustrating. Any help would be greatly appreciated!
Mona, ask for help in our Spyware removal forum.
Sorry for repeating, but I got another copy of this on another computer and thought again I had safely removed it with Malwarebytes. However, my internet connection was slow and netstat revealed many connections (worm is generating lots of connections). netstat and tcpview now cause a BSOD.
Can anyone either help or run netstat on their “cleaned” computer to verify they also haven’t cleaned this problem?
To be clear, it all looks fine and virus checkers return positive, but netstat reveals another problem.
thanks for help
This guide was truly a life saver. However, I am still suffering from the possible after effects of the virus?
My system is now running very slow. At times, it has begun to freeze after a bit and a loud alarm-like sound has been emitting from the speakers. Other times, it just runs very slow. I’m not sure what is going on.
Any suggestions?
Steve, I just checked netstat on my test PC, and it works fine. Try running WinSock XP Fix.
Brian, your PC is probably still infected. Open a new topic in our Spyware removal forum.
Patrik, thanks for the advice. I finally cleared it by booting into safe mode, reinstalling the TCP/IP stack and then rerunning Malwarebytes. This had the effect of removing the remaining problem and stopped it from coming back.
Don’t know if this was the real fix or something else I had done – you know how it is, you finally get it working and then try to work out which of your attempts worked and which were red herrings 🙂
regards
Steve