Netsky Removal: How to get rid of I-Worm.Netsky.A, B, C, D, E..

Written by Shanx February 9th, 2004

Inadvertently hit by the Netsky family and having trouble getting rid of it? Try this step-by-step removal procedure.

Suddenly getting *.pif attachments in your email, or a bunch of very personal and realistic-sounding mails from people you don’t even know? That’s because the Netsky family has gone primetime and spawned a million and one variants: I-Worm.Netsky.A, I-Worm.Netsky.B, I-Worm.Netsky.C, I-Worm.Netsky.D, and now even I-Worm.Netsky.E. Many people have updated the virus definitions for their respective anti-virus tools and still not shaken it, because Netsky is clever: it stores its own startup information in the Windows registry, and deletes some registry keys as well.

Please print these instructions, as you will eventually have to close Outlook as well as the browser you are using for the downloads.

I use Grisoft‘s wonderful AVG tool, which is great if you had it BEFORE the Netsky virus (but then I also use a combination of SpamAssassin and ClamAV).
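The symptom described at the top of the post, an executable attachment on a mail that claims to come from someone you know, can be caught before it ever reaches Outlook. What follows is an added example, not code from this post nor from AVG, SpamAssassin or ClamAV: a small Python filter that parses a raw message, reads the attachment names, looks inside .zip attachments for executables, and flags anything Windows would run on a double-click. The extension list, the sample messages and every address in them are constructed for this example.

```python
"""Flag incoming mail that carries a Netsky-style executable attachment.

Added example for this post; it is not code from the post's author nor from
AVG, SpamAssassin or ClamAV. The extension list and the sample messages are
constructed here for illustration.
"""
import email
import io
import os
import zipfile
from email import policy
from email.message import EmailMessage

# Extensions that Windows runs on a double-click. A .pif or .scr looks like a
# shortcut or screensaver but is executed exactly like an .exe, which is why
# worms favour them (this list is the example's own choice, not exhaustive).
EXECUTABLE_EXTS = {".pif", ".scr", ".exe", ".com", ".bat", ".cmd", ".vbs", ".js"}


def is_executable_name(name):
    """True if the *last* extension is executable ('invoice.txt.pif' counts)."""
    return os.path.splitext(name.strip().lower())[1] in EXECUTABLE_EXTS


def names_inside_zip(data):
    """Member names of a .zip attachment, or [] if it is not a valid archive."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return []


def dangerous_attachments(msg):
    """Return a description of every attachment that would execute code."""
    hits = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if is_executable_name(name):
            hits.append(name)
        elif name.lower().endswith(".zip"):
            # Worms also ship the executable inside a zip so that gateways
            # matching only on the outer extension let it through.
            inner = [n for n in names_inside_zip(part.get_payload(decode=True))
                     if is_executable_name(n)]
            if inner:
                hits.append(f"{name} -> {', '.join(inner)}")
    return hits


def classify(raw_bytes):
    """Parse one raw RFC 822 message and decide whether to quarantine it."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    hits = dangerous_attachments(msg)
    return {
        "from": str(msg["From"]),
        "subject": str(msg["Subject"]),
        "dangerous": hits,
        "quarantine": bool(hits),
    }


# --- constructed sample messages (not real captured mail) -------------------

def build_sample(filename, data, subject="Re: your document"):
    """Build a message the way a mass-mailer would: a generic lure, one
    attachment, and a From line borrowed from somebody's address book."""
    msg = EmailMessage()
    msg["From"] = "mary@example.com"      # invented address
    msg["To"] = "you@example.com"         # invented address
    msg["Subject"] = subject
    msg.set_content("Hi, this is the file you asked for.")
    msg.add_attachment(data, maintype="application", subtype="octet-stream",
                       filename=filename)
    return msg.as_bytes()


def make_zip(inner_name, data):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(inner_name, data)
    return buf.getvalue()


SAMPLE_PIF = build_sample("document.txt.pif", b"MZ\x90\x00 not a real program")
SAMPLE_ZIP = build_sample("your_document.zip",
                          make_zip("your_document.doc.scr", b"MZ\x90\x00"))
SAMPLE_CLEAN = build_sample("notes.txt", b"just some text")

if __name__ == "__main__":
    for raw in (SAMPLE_PIF, SAMPLE_ZIP, SAMPLE_CLEAN):
        print(classify(raw))
```

Note that the check deliberately keys on the last extension only, so the double-extension trick (`document.txt.pif`) is caught, and that a clean-looking `.zip` is opened and its member names inspected rather than trusted.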

IMPORTANT NOTE: DISABLING AND ENABLING SYSTEM RESTORE

Windows Me and XP use the System Restore feature (enabled by default) to put files on your computer back if they become damaged. If a virus, worm or Trojan infects the computer, System Restore may back up the virus, worm or Trojan along with everything else.

Windows prevents outside programs, including antivirus programs, from modifying the System Restore data, so antivirus programs and removal tools cannot clean threats in the System Restore folder. As a result, System Restore can put an infected file back on your computer even after you have cleaned it from every other location, and a virus scan may keep reporting a threat in the System Restore folder after you have removed it everywhere else. So it’s best to disable it first, and re-enable it after the cleanup is done.

HOW TO DISABLE SYSTEM RESTORE

  • Click Start > Settings > Control Panel.
  • Double-click the System icon.
  • Click the System Restore tab and tick the Turn off System Restore checkbox (screenshot: the System Restore tab in the Windows XP Control Panel).
  • Click Yes when you are prompted to restart Windows.

Now that you know how to disable and enable System Restore, let’s get cracking.

OPTION 1: THE MCAFEE WAY (STINGER)

McAfee has made a very nifty tool called Stinger available, which automatically scans your computer for 39 viruses and deletes them. It’s pretty simple to use: just download it and run it.

  • Download Stinger.
  • Disable System Restore as described above. This will reboot your system.
  • When the computer is back up, run Stinger from your desktop by double-clicking it. Wait, get some coffee, etc. This takes time.
  • Reboot.
  • Optional, but recommended if the first run found any viruses: run Stinger again to make sure your PC is clean.
  • Reboot.
  • Re-enable System Restore from Control Panel > System > System Restore (untick the checkbox).

On my machine with a 120GB hard disk, 57% used, and 1 GB of RAM, this tool took about an hour to scan through all files, which is probably a worthy price to pay for the convenience of automation. Worth a shot for sure.

If and only if this doesn’t work, try the next and somewhat more convoluted tool from Symantec.

OPTION 2: THE SYMANTEC WAY

Roll up your sleeves, as this can get a bit involved for people who aren’t comfortable with the command prompt or some Windows system functionality (although there are screenshots below wherever possible).

  • Download the FxNetsky.exe file. Save the file to a convenient location, e.g.,
    c:\netsky_remove
  • Download the file chktrust.exe. IMPORTANT: save this file in the same folder as above:
    c:\netsky_remove
  • Now close all programs, including the browser from which you downloaded the above applications. Then click Start > Run and type

    cmd

    This opens a command prompt. Here, type:

    cd c:\netsky_remove
    chktrust -i FxNetsky.exe

    Press Enter after typing each command. chktrust checks the digital signature on the tool, so you know the file you are about to run really came from Symantec and was not altered in transit. If the digital signature is valid, you will see the following:

    "Do you want to install and run "FxNetsky.exe"
    signed on 3/1/2004 10:33 PM and distributed by:
    Symantec Corporation?"
  • If you are on a network or if you have a full-time connection to the Internet, disconnect the computer from the network and the Internet.
  • Disable System Restore.
  • Double-click the FxNetsky.exe in your c:\netsky_remove folder to start the removal tool.
  • Click Start to begin the process, and then allow the tool to run. Sit back and enjoy the ride. This takes time.
  • When the tool has finished running, you will see a message indicating whether W32.Netsky@mm infected the computer. In the case of a removal of the worm, the program displays the following results:
    Total number of scanned files
    Number of deleted files
    Number of repaired files
    Number of terminated viral processes
    Number of fixed registry entries
  • Reboot the computer.
  • If any viruses were found, run the removal tool again to ensure that the system is clean.
  • If you had disabled System Restore, then re-enable it.
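Both tools report fixed registry entries because the worm’s foothold is an autostart value that relaunches it at every boot, so after the second run and reboot it is worth looking at those keys yourself. What follows is an added example, not code from this post nor from McAfee’s or Symantec’s removal tools: a Python script that lists the Run and RunOnce values (live via winreg on Windows, or from a constructed sample elsewhere) and flags the patterns a worm typically leaves behind. The list of impersonated binaries and the heuristics are this example’s own assumptions, and the sample entries are constructed, not taken from an infected machine.

```python
"""Audit the Windows autostart (Run) keys for a worm-style entry.

Added example for this post; it is not code from the post's author nor from
McAfee's or Symantec's removal tools. The heuristics below are this example's
own, and the sample entries are constructed, not copied from a real machine.
"""
import ntpath
import re

RUN_KEYS = [
    ("HKEY_LOCAL_MACHINE", r"Software\Microsoft\Windows\CurrentVersion\Run"),
    ("HKEY_LOCAL_MACHINE", r"Software\Microsoft\Windows\CurrentVersion\RunOnce"),
    ("HKEY_CURRENT_USER", r"Software\Microsoft\Windows\CurrentVersion\Run"),
]

# Binaries a worm likes to impersonate so its process blends into Task Manager,
# mapped to the directory (relative to %Windir%) where the genuine one lives.
CORE_LOCATION = {
    "services.exe": "system32", "winlogon.exe": "system32", "svchost.exe": "system32",
    "lsass.exe": "system32", "csrss.exe": "system32", "explorer.exe": "",
}


def command_path(command):
    """Extract the executable from a Run value ('C:\\x.exe -serv' -> 'C:\\x.exe')."""
    cmd = command.strip()
    if cmd.startswith('"'):                       # quoted path, possibly with spaces
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    idx = cmd.lower().find(".exe")                # unquoted: cut after the first .exe
    return cmd[:idx + 4] if idx != -1 else (cmd.split()[0] if cmd else "")


def audit_run_entries(entries, windir=r"C:\WINDOWS"):
    """entries: (hive, key, value_name, command) tuples. Returns the suspicious ones."""
    windir_n = ntpath.normcase(windir)
    findings = []
    for hive, key, value_name, command in entries:
        exe = re.sub(r"%(windir|systemroot)%", lambda m: windir,
                     command_path(command), flags=re.I)
        exe_dir = ntpath.normcase(ntpath.dirname(exe))
        exe_name = ntpath.basename(exe).lower()
        reasons = []
        if exe_name in CORE_LOCATION:
            sub = CORE_LOCATION[exe_name]
            expected = ntpath.normcase(ntpath.join(windir, sub)) if sub else windir_n
            if exe_dir != expected:
                reasons.append(f"{exe_name} normally lives in {expected}, not {exe_dir}")
        if exe_dir == windir_n and exe_name != "explorer.exe":
            reasons.append("launched from the %Windir% root instead of System32 or Program Files")
        if "\\temp\\" in exe_dir + "\\":
            reasons.append("launched from a Temp directory")
        if reasons:
            findings.append({"key": hive + "\\" + key, "value": value_name,
                             "command": command, "reasons": reasons})
    return findings


def read_live_run_entries():
    """On Windows, read the keys from the live registry; elsewhere return []."""
    try:
        import winreg
    except ImportError:
        return []
    hives = {"HKEY_LOCAL_MACHINE": winreg.HKEY_LOCAL_MACHINE,
             "HKEY_CURRENT_USER": winreg.HKEY_CURRENT_USER}
    entries = []
    for hive, key in RUN_KEYS:
        try:
            with winreg.OpenKey(hives[hive], key) as k:
                i = 0
                while True:
                    try:
                        name, value, _ = winreg.EnumValue(k, i)
                    except OSError:
                        break                     # no more values under this key
                    entries.append((hive, key, name, str(value)))
                    i += 1
        except OSError:
            continue                              # key absent on this machine
    return entries


# Constructed sample: two ordinary entries and two that should be flagged.
SAMPLE_ENTRIES = [
    ("HKEY_LOCAL_MACHINE", RUN_KEYS[0][1], "ctfmon", r"C:\WINDOWS\system32\ctfmon.exe"),
    ("HKEY_LOCAL_MACHINE", RUN_KEYS[0][1], "ExampleAV", r'"C:\Program Files\ExampleAV\tray.exe" /STARTUP'),
    ("HKEY_LOCAL_MACHINE", RUN_KEYS[0][1], "service", r"%Windir%\services.exe -serv"),
    ("HKEY_CURRENT_USER", RUN_KEYS[2][1], "updater", r"C:\DOCUME~1\user\LOCALS~1\Temp\update.exe"),
]

if __name__ == "__main__":
    live = read_live_run_entries()
    for f in audit_run_entries(live or SAMPLE_ENTRIES):
        print(f["key"], f["value"], f["command"], "; ".join(f["reasons"]))
```

Run it once after the final reboot; an entry that still points at a system-sounding binary outside System32, or at anything in a Temp folder, means the cleanup is not finished and the tool should be run again before System Restore is re-enabled.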

Let me know if this doesn’t work as desired!

17 Comments

  1. jason says:

    How do I remove the NetSky virus off of my Macintosh?
    The .exe files for removal are not recognized by any applications.
    Thanks,
    J.

  2. sniptools says:

    Hi Jason, are you sure you have a Netsky on a Macintosh? How did you test it or find it? I thought Mac users are pretty much unaffected. Let me know. -Shanx

  3. sarah says:

    I recently checked for viruses and found more than 20 Netsky viruses, all from pop-up ads that I have never seen before. How do I get rid of it? It has already managed to delete all of my documents and I’m scared!!

  4. Lisa says:

    I’ve had feedback from recipients of emails (sent from my macintosh) that the I-Worm.NetSky.d virus has been detected. I’m in the process of tracking down the right software to kill it. I thought macs were safe too!

  5. sniptools says:

    Hi Lisa,

    Thanks for sharing. But the virus could also have been sent from machines of people whose address books have you listed, not necessarily your own machine.

    For example, if you have a friend named Mary and you are in her address book, then if Mary had a virus on her machine, the virus would randomly send emails by faking the FROM and the TO address.

    This means some emails would be sent as if they were FROM you, although they were actually sent from Mary’s machine.

    In other words, just because your friends are receiving viruses “FROM” you does not mean that your machine has a virus.

    The virus creators are getting more savvy now. Which is the problem!

    Shashank

  6. Terry Utter says:

    Symantec has quarantined the netsky on my mac, so it must be there, I can’t seem to find any removal tools? Help!

  7. Linda says:

    I believe I removed Netsky P. However, I never had the option of actually downloading the virus tool. It said it removed the virus though. How can I save it to disc for future purposes?

  8. Terry says:

    Linda what removal tool did you use? Do you have the url? I have Netsky-D.

  9. Ray says:

    Trojan horse detected on system. AVG healed it – but could not remove it from C:system restore.
    Now my computer won’t even boot. Is the hard drive shot? What can I do???? I have the restore CD. Will it boot with the CD?

  10. sniptools says:

    Terry,

    What if you disable System Restore? This will kill all previous System Restore files, but is surely better than reinstalling Windows. Then, run AVG again, and clean up the system. Also run Ad-Aware with latest updates, and if necessary, kill the file with “HijackThis” utility. Finally, reboot the system and re-enable System Restore.

    HTH,
    Shashank

  11. shoslyn says:

    Cheers, bitches, that worked, I’m now fine :)

  12. Cerise says:

    I too seem to have Netsky on my Mac, running Mac OS 10.3.9. It’s in Mail, I get an error message every time I delete a message, saying that the inbox is infected. I can’t seem to find any removal tools – anyone else managed to track one down?

  13. sniptools says:

    Cerise, it is highly unlikely that you have a Netsky on a Mac, at least your PC is not infected even if you did get a mail with the virus.

    Does your anti-virus tell you specifically which email is affected? All you need to do is delete the mail in question.

    If you are not sure which email it is, try looking at emails with attachments that are from senders you do not recognize, or contain a generic yet unlikely message like “Hi this is the file you asked for”.

    HTH,
    Shashank

  14. John Murphy says:

    I have this on a friend’s Millennium machine. Does the process work the same way? I didn’t know ME had a restore option.

  15. Fiers says:

    Hi… I recently got a worm and I’m not really sure what it is. One of my friends gave me a link to a site where I could see who blocks me on MSN. It requires me to enter the password and login ID of my MSN. And I foolishly did!

    I need help!!! I’m using a Macintosh and I have no idea how to get rid of it. My MSN just keeps on sending links to my contacts! It doesn’t seem to affect my Mac, but I can’t be sure. I tried changing my MSN password and it doesn’t work. Can anyone help???

    Send me an e-mail at fier_Factor17@hotmail.com
    I’d appreciate all the help I can get. Thanks.

  16. Dave says:

    I have trojan.fakealert and I can’t seem to figure out how to get rid of it. Any help is wanted. Thanks to anyone.
