Monday, March 15, 2010

How to remove Worm.Win32.Netsky (Free removal)

Worm.Win32.Netsky is a fake infection, a false system security threat. Another commonly reported fake infection is Win32.Netsky.Q. You may find references on the Internet to infections called W32.Netsky or Email-Worm.Win32.NetSky. Those infections are real, but please note that "Worm.Win32.Netsky" is not related to them. It is a fake infection name shown in fake security warnings that usually come from fake (rogue) anti-virus programs.

This fake alert may come in various forms. It is used by newly created malware, so every day there are many new fake alerts that report a Worm.Win32.Netsky infection on compromised computers. Usually, the fake security warning appears with the following title:

"Security alert
Security Warning!
Worm.Win32.Netsky detected on your machine"

And it may look like this fake warning in the image below.

If you are reading this article, then your computer is probably infected with trojans or a rogue program that displays the fake Worm.Win32.Netsky infection. Thankfully, there is a way to remove this infection from your computer for free using legitimate anti-malware programs.

Also note that the trojans that display this fake infection may also change your desktop background, disable Windows system tools such as Task Manager and Registry Editor, or even block antivirus programs. That's why you will have to end the malicious processes related to Worm.Win32.Netsky first. Those are winlogon86.exe and winupdate86.exe. Of course, there might be other malicious processes too, but these are the most common ones. Now, please follow the removal instructions below. If you have any questions, don't hesitate to ask, or leave a comment if you have something valuable to add. Good luck and be safe!

Worm.Win32.Netsky removal instructions:

1. Download iexplore.exe (NOTE: the iexplore.exe file is a renamed copy of the HijackThis tool from TrendMicro).
Launch iexplore.exe and click the "Do a system scan only" button.
If you can't open the iexplore.exe file, then download explorer.scr and run it.

2. Look for entries like these in the scan results:
F2 - REG:system.ini: Shell=Explorer.exe logon.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\winlogon86.exe
O4 - HKLM\..\Run: [winupdate86.exe] C:\WINDOWS\system32\winupdate86.exe
Select all such entries and click once on the "Fix checked" button. Close the HijackThis tool.

3. Download the file and extract it into a folder on your PC.
Launch LSPFix. Place a tick in the "I know what I'm doing" checkbox.
In the KEEP box, select winhelper86.dll and press the ">>" button.
Press the "Finish>>" button. Wait while LSPFix removes winhelper86.dll and displays a summary. Press OK.

4. Download one of the following legitimate anti-malware applications and run a quick system scan. Don’t forget to update it first. All programs are free.
NOTE1: if you can't run any of the above programs, you must rename the installer of the selected program before saving it on your PC. For example: if you choose MalwareBytes, then you have to rename mbam-setup.exe to iexplore.exe, explorer.exe or any random name like test123.exe before saving it.

NOTE2: if you still can't run the renamed file, then you need to change the file extension too, not only the name.
1. Go to "My Computer".
2. Select "Tools" from menu and click "Folder Options".
3. Select "View" tab and uncheck the checkbox labeled "Hide file extensions for known file types". Click OK.
4. Rename mbam-setup.exe to either or test123.pif
5. Double-click to run the renamed file.

Worm.Win32.Netsky files and registry values:

  • C:\windows\system32\winhelper86.dll
  • C:\windows\system32\winupdate86.exe
  • C:\windows\system32\winlogon86.exe
  • C:\windows\system32\AVR10.exe
  • C:\windows\system32\critical_warning.html
Registry keys and values:
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdate86.exe
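
As an added example (not part of the original post and not code from HijackThis), this Python script scans a saved HijackThis log for the F2 and O4 entry types from step 2 and for the file names listed above. The sample log is constructed, and the script assumes that a clean Shell value is Explorer.exe alone and that a clean UserInit value points only at userinit.exe.

```python
import re

# File names from the article's indicator list, lower-cased for comparison.
KNOWN_BAD = {"winhelper86.dll", "winupdate86.exe", "winlogon86.exe", "avr10.exe"}

# Matches the F2 and O4 sections of a HijackThis log. Web pages often turn the
# ASCII hyphen after the section code into an en dash, so both are accepted.
LINE_RE = re.compile(r"^\s*(F2|O4)\s*[-\u2013]\s*(.+?)\s*$")

# Constructed sample log: three entries from the article plus two benign ones.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe logon.exe
F2 – REG:system.ini: UserInit=C:\WINDOWS\system32\winlogon86.exe
O4 - HKLM\..\Run: [winupdate86.exe] C:\WINDOWS\system32\winupdate86.exe
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,
"""

def check_line(line):
    """Return a reason string if the log line needs review, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    section, body = m.groups()
    hits = sorted(name for name in KNOWN_BAD if name in body.lower())
    if hits:
        return "references known file: " + ", ".join(hits)
    if section == "F2":
        key, _, value = body.partition("=")
        if key.lower().endswith("shell") and value.strip().lower() != "explorer.exe":
            # Assumed default: the shell is Explorer.exe with nothing appended.
            return "Shell is not Explorer.exe alone: " + value.strip()
        if key.lower().endswith("userinit"):
            # Assumed default: only userinit.exe, optionally comma-terminated.
            extra = [p.strip() for p in value.split(",")
                     if p.strip() and p.strip().split("\\")[-1].lower() != "userinit.exe"]
            if extra:
                return "UserInit also runs: " + ", ".join(extra)
    return None

def scan(log_text):
    """Return (line, reason) pairs for every entry that needs review."""
    checked = ((l.strip(), check_line(l)) for l in log_text.splitlines())
    return [(l, r) for l, r in checked if r]

if __name__ == "__main__":
    for line, reason in scan(SAMPLE_LOG):
        print(f"[review] {reason}\n         {line}")
```

A flagged line is only a prompt to review that entry in HijackThis before using "Fix checked"; the generic Shell and UserInit checks can also flag legitimate software that changes those values.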

