Netsky Removal: How to get rid of I-Worm.Netsky.A, B, C, D, E..

Inad­ver­tently hit by the Net­sky fam­ily, and been hav­ing trou­bles get­ting rid of it? Check this step by step removal pro­ce­dure out.

Sud­denly get­ting *.pif attach­ments in your emails or a bunch of very per­sonal and real­is­tic sound­ing mails from peo­ple you don't even know? That's because the Net­sky fam­ily has gone prime­time and spawned a mil­lion and one vari­ants: I-Worm.Netsky.A, I-Worm.Netsky.B, I-Worm.Netsky.C, I-Worm.Netsky.D, and now even I-Worm.Netsky.E. Many peo­ple have tried updat­ing their anti virus def­i­n­i­tions for their respec­tive tools, but Net­sky is clever (it stores info in the Win­dows reg­istry, and deletes some vital keys as well!)

Pls print these instruc­tions as you will even­tu­ally have to close Out­look as well as the browser that you will presently use for downloads.

I use Grisoft's won­der­ful AVG tool, which is great if you had it BEFORE the Net­sky virus (but then I also use a com­bi­na­tion of Spam Assas­sin and Cla­mav)


Win­dows Me/XP uses the Sys­tem Restore fea­ture (enabled by default) to restore the files on your com­puter in case they become dam­aged. If a virus, worm, or Tro­jan infects a com­puter, Sys­tem Restore may back up the virus, worm, or Tro­jan on the com­puter as well.

Win­dows pre­vents out­side pro­grams, includ­ing antivirus pro­grams, from mod­i­fy­ing Sys­tem Restore. There­fore, antivirus pro­grams or tools can­not remove threats in the Sys­tem Restore folder. As a result, Sys­tem Restore has the poten­tial of restor­ing an infected file onto your com­puter, even after you have cleaned the infected files from all the other loca­tions. Also, a virus scan may detect a threat in the Sys­tem Restore folder even though you have removed the threat. SO it's best to dis­able it and then re-enable it after the dele­tion process.


  • Click Start > Set­tings > Con­trol Panel.
  • Double-click the Sys­tem icon.
  • Click on the Sys­tem Restore tab and dis­able the Sys­tem Restore:
    System Restore disable in Windows XP Control panel
  • Click Yes, when you are prompted to restart Windows.

Now that you know how to dis­able and enable Sys­tem Restore, let's get cracking.


McAfee has made a very nifty tool called Stinger avail­able which auto­mat­i­cally scans your com­puter for 39 viruses and deletes them. It's pretty sim­ple to use, just down­load and execute.

  • Down­load Stinger.
  • Dis­able Sys­tem Restore as described above. This will take your sys­tem into a reboot.
  • When the com­puter is back again, wun Stinger from your desk­top by double-clicking it. Wait, get some cof­fee, etc etc. This takes time.
  • Reboot.
  • Optional but rec­om­mended if the first run above found some virii: Run Stinger again to make sure your PC is clean.
  • Reboot.
  • Re-enable Sys­tem Restore from the Con­trol Panel > Sys­tem > Sys­tem Restore (checkbox).

On my machine with 120GB hard disk, 57% used, 1 GB RAM, this tool took about an hour to scan through all files. Which is prob­a­bly a wor­thy price to pay
for the con­ve­nience of automa­tion. Worth a shot for sure.

If and only if this doesn't work, try the next and some­what more con­vo­luted tool from Symantec.


Roll up your sleeves as this is can get a bit involv­ing for peo­ple who don't know MS-DOS prompts or some Win­dows sys­tem func­tion­al­ity (although there are screen­shots to boot below when­ever possible)

  • Down­load the FxNetsky.exe file. Save the file to a con­ve­nient loca­tion, e.g.,
  • Down­load the file chktrust.exe. IMPORTANT: Save this file as the same loca­tion as above:
  • Now close all pro­grams, includ­ing the browser from which you down­loaded the above appli­ca­tions. Then, START –> RUN, and type

    This will start the MS DOS PROMPT. Here, type:

    cd c:/netsky_remove
    chktrust -i FxNetsky.exe

    Press Enter after typ­ing each com­mand. If the dig­i­tal sig­na­ture is valid, you will see the following:

    "Do you want to install and run "FxNetsky.exe"
    signed on 3/1/2004 10:33 PM and distributed by:
    Symantec Corporation?"
  • If you are on a net­work or if you have a full-time con­nec­tion to the Inter­net, dis­con­nect the com­puter from the net­work and the Internet.
  • Dis­able Sys­tem Restore.
  • Double-click the FxNetsky.exe in your c:netsky_remove folder to start the removal tool.
  • Click Start to begin the process, and then allow the tool to run. Sit back and enjoy the ride. This takes time.
  • When the tool has fin­ished run­ning, you will see a mes­sage indi­cat­ing whether [email protected] infected the com­puter. In the case of a removal of the worm, the pro­gram dis­plays the fol­low­ing results:
    Total number of scanned files
    Number of deleted files
    Number of repaired files
    Number of terminated viral processes
    Number of fixed registry entries
  • Reboot the computer.
  • If virii were found, then run the removal tool again to ensure that the sys­tem is clean.
  • If you had dis­abled Sys­tem Restore, then re-enable it.

Let me know if this doesn't work as desired!

  • GM
  • jason

    How do I remove the Net­Sky virus off of my Mac­in­tosh?
    The .exe files for removal are not reconized by any appli­ca­tions.

  • / snip­tools

    Hi Jason, are you sure you have a Net­sky on a Mac­in­tosh? How did you test it or find it? I thought Mac users are pretty much unaf­fected. Let me know. –Shanx

  • sarah

    iu recently checked for viruses and found more than 20 net­sky viruses, all from pop-up ads that i have never seen before. How do i get rid of it? It has already man­aged to delete all of my doc­u­ments and im scared!!

  • Lisa

    I've had feed­back from recip­i­ents of emails (sent from my mac­in­tosh) that the I-Worm.NetSky.d virus has been detected. I'm in the process of track­ing down the right soft­ware to kill it. I thought macs were safe too!

  • / snip­tools

    Hi Lisa,

    Thanks for shar­ing. But the virus could also have been sent from machines of peo­ple whose address books have you listed, not nec­es­sar­ily your own machine.

    For exam­ple, if you have a friend named Mary and you are in her address book, then if Mary had a virus on her machine, the virus would ran­domly send emails by fak­ing the FROM and the TO address.

    This means some emails would be sent as if they were FROM you, although they were actu­ally sent from Mary's machine.

    In other words, just because your friends are receiv­ing viruses "FROM" you does not mean that your machine has a virus.

    The virus cre­ators are get­ting more savvy now. Which is the problem!


  • Terry Utter

    Syman­tec has quar­an­tined the net­sky on my mac, so it must be there, I can't seem to find any removal tools? Help!

  • Linda

    I believe I removed Net­sky P. How­ever, I never had the option of actu­ally down­load­ing the virus tool. It said it removed the virus though. How can I save it to disc for future purposes?

  • Terry

    Linda what removal tool did you use? Do you have the url? I have Netsky-D.

  • Ray

    Tro­jan horse detected on sys­tem. AVG healed it — but could not remove it from C:system restore.
    Now my com­puter won't even boo. Is the hard drive shot? What can I do???? I have the restore CD. Will it boot with the CD?

  • / snip­tools


    What if you dis­able Sys­tem Restore? This will kill all pre­vi­ous Sys­tem Restore files, but is surely bet­ter than rein­stalling Win­dows. Then, run AVG again, and clean up the sys­tem. Also run Ad-Aware with lat­est updates, and if nec­es­sary, kill the file with "Hijack­This" util­ity. Finally, reboot the sys­tem and re-enable Sys­tem Restore.


  • shoslyn

    Cheers bitches that worked, im now fine :)

  • Cerise

    I too seem to have Net­sky on my Mac, run­ning Mac OS 10.3.9. It's in Mail, I get an error mes­sage every time I delete a mes­sage, say­ing that the inbox is infected. I can't seem to find any removal tools — any­one else man­aged to track one down?

  • / snip­tools

    Cerise, it is highly unlikely that you have a Net­sky on a Mac, at least your PC is not infected even if you did get a mail with the virus.

    Does your anti-virus tell you specif­i­cally which email is affected? All you need to do is delete the mail in question.

    If you are not sure which email it is, try look­ing at emails with attach­ments that are from senders you do not rec­og­nize, or con­tain a generic yet unlikely mes­sage like "Hi this is the file you asked for".


  • John Mur­phy

    I have this on a friends Mil­le­nium machine — does the process work the same way? did't know ME had a restore option.

  • Fiers

    hi…I recently go a worm and i'm not really sure what it is. one of my friends gave me a link to a site where i could see who blocks me on msn. it requires me to enter pass­word and login id of my msn. And i fool­ishly did!

    I need help!!! i'm using mac­in­tosh and I have no idea how to get rid of it. My msn just keeps on send­ing links to my con­tacts! It doesn't seem to affect my mac but I can't be sure. I tried chang­ing my msn pass­word and it doesn't work. Can any­one help???

    send me an e-mail to [email protected]
    I'd appre­ci­ate all the help i CAN GET. THANKS.

  • Dave

    i have trojan.fakealert and i can't seem to fig­ure out how to get rid of it any help is wanted thanks to anyone