Virus alert - NetSky

  technique 14:52 20 Feb 2010

Hi informed people. I have a virus called Worm.Win32.Netsky with an alert that I'd contracted it through an email or an ActiveX object.

Full message reads:

"Worm.Win32.Netsky detected on your machine.
This virus is distributed via the Internet through email and Active x objects.
The worm has it's own SMTP engine which means it gathers e-mails from your local computer and re-distributes itself.
In worst cases this worm can allow attachers to access your computer, stealing passwords and personal data.

Type: Virus
System Affected: Win 2000, NT, ME , XP, Vista, 7
Risk (0-5): 5
Recommendations: It is necessary to perform a full system scan."

I've run Win Defender, McAfee on-demand scan and also Spybot. Each has been run several times and any detection from McAfee is removed/deleted or cleaned.

I've run the above in both normal and in Safe mode but each time I still get the message from my system that the worm is in place.

Does anyone have any suggestions for a fix please?

Thanks in anticipation.

  johndrew 15:16 20 Feb 2010

It could be that the infection is `hiding` in `Restore`. To get rid of it from here, right click `My Computer` then the `System Restore` tab. Check the `Turn off System Restore on all drives` box and `Restart` into `Safe Mode`; from here run a further scan with your software.


There are several methods on the web:
click here
click here
click here
click here

  johndrew 15:18 20 Feb 2010

When you are sure you have cleared it, make sure to turn `System Restore` back on by unchecking the box.

  MAJ 15:20 20 Feb 2010

It's probably being detected in one of your restore points. If you're sure the rest of the PC is clean, delete the restore points (by turning off system restore), rescan (download, install, update and run MBAM click here). Then reactivate system restore and create a new, clean restore point.

  technique 16:14 22 Feb 2010

Great responses thanks but not sure if anything is working.

Because Netsky is linked to EXE files, it's not allowing me to run Smitfraudfix even in safe mode.

When I run AV it never finds the Netsky worm - that only appears on initial desktop launch.

In AV it finds Malware in System32 called smss32.exe. McAfee doesn't delete it or perform any actions. I've tried navigating through My Computer to delete smss32.exe but McAfee keeps finding it.

Would a successful run of Smitfraudfix remove the Netsky bug and the smss32 problem?


  johndrew 16:50 22 Feb 2010

Have you deleted all your Restore points? You must get rid of Netsky before you re-enable as it is likely to re-infect from here.

Have you looked at the links I gave you for dedicated removal?

  technique 17:49 22 Feb 2010

Hi John. I have switched off the restore and run another couple of scans in Safe mode. This resulted afterwards in the Netsky alert still being presented when booting either into normal or into safe mode.

I then looked at the fixes you'd sent. The first one requires downloading Smitfraudfix which I think I've either used or seen before for another problem. When I attempt to link to the address for Smitfraud in 'normal' mode, I can download it but cannot run it in normal mode. I think because Netsky is attached to EXE files and it's not launching to ensure no further virus attacks.

So I tried in Safe Mode to run it and I get as far as the blue screen with the options, choose the options and then it just closes the command box/doesn't run.

Still working on this and will attempt the other options in the list you've provided but just thought I'd also add the smss32.exe issue into the mix.


  MAJ 18:28 22 Feb 2010

"I can download it but cannot run it in normal mode"

Try renaming the exe to something like xSmitfraudFix.exe, see if it will then run. If it still doesn't run try renaming the extension to something like xSmitfraudFix.bat, or xSmitfraudFix.scr

  technique 21:44 22 Feb 2010

Thanks Maj - have tried to re-name but it just keeps coming back with "unable to launch application because it is infected. Please run your antivirus software."

Did that but to no effect.

I think it's permanently screwed

  johndrew 10:30 23 Feb 2010

Have a look in the root (C:) directory (Select show all files including system and hidden files and extensions) and see if you have an entry for "VisualGuard.exe". If you have, this is generally where Netsky hides.

There is another removal tool here and instructions. I would suggest that after downloading it you boot into Safe Mode and install and run from there.

Let us know how you get on.

  johndrew 11:45 23 Feb 2010

Sorry, didn't give the links.

For the Cleanup Engine click here and download the Damage Cleanup Engine/Template.

For the latest virus pattern files click here and download the file. Note this file may change its numerical identity as updates are added on a very regular basis.

When you have downloaded, create a new folder in your Root directory and in this install the Damage Cleanup Engine. Then unzip the lpt file into the same folder - make certain it is in the folder but not in a folder of its own.

Double click the `sysclean` icon and the application will open. Make certain both `Automatically Clean infected files` and `Enable Spyware scan` are ticked. Click `Scan` and go for a long walk or long cup of tea as this scan will take some time.

When it is finished you can check the report to see what it has found and cleaned.

In the event this fails I have one further suggestion and that is to do a HiJackThis click here scan and post it here click here in the English section for help.

If you feel confident you could use the automatic analysis tool here click here which may also help you.

This thread is now locked and can not be replied to.
