I was lucky enough to have my computer hijacked by the worm.win32.netsky malware/virus last night. Here’s how the malware works: you start up your computer, and it says, “Your computer has been infected by worm.win32.netsky. Press OK to download antivirus software.” Of course, if you were to click OK, you’d download some fake antivirus software that might send emails on your behalf, steal sensitive information or corrupt your computer.
In my case, my desktop background was hijacked and replaced by a warning page. Worst of all, I couldn’t access my task manager to see which .exe was causing the problem. Because I wasted a good three hours scanning/trying to eliminate worm.win32.netsky, I thought I’d write a quick guide to help you eliminate the pest if you run into it:
1) Go to the Start menu and select RUN.
2) Paste the following (without quote marks) in the RUN box and hit ENTER to reactivate the task manager:
“REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 0 /f”
3) Hit Ctrl + Alt + Del to launch your task manager. If you still get an error message, DO NOT close the error message. Instead, leave it open, and try to launch the task manager again.
4) Once you have the task manager open, navigate to the “Processes” tab and – if it exists – close the following program: sms32.exe.
5) Now, your computer should be running better, but you’ve still got to clean up your registry. Go to the start menu and select RUN.
6) Type “regedit” (without quotes) and hit enter.
7) Navigate to the following items and delete them from the registry (just click on the items and hit the DELETE key):
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | smss32.exe = “C:\WINDOWS\system32\smss32.exe”
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\General | Wallpaper = “C:\WINDOWS\system32\warning.html”
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon | Userinit = “C:\WINDOWS\system32\winlogon32.exe”
8) Delete the contents of your recycle bin.
9) IMPORTANT: Run some antivirus/malware software to ensure worm.win32.netsky gets removed entirely. I made the mistake of not doing this (because I thought I could get around the infection without shelling out any cash), and I paid for it after I restarted my computer. In fact, I couldn’t restart my computer. As soon as I tried to log on, I was automatically logged off. Boo! It took tons of effort and the use of a second computer to get my laptop working again.
So, that said, I can’t stress enough that you’re going to need to shell out $25 or so to zap your malware. I opted to go with Malwarebytes’ Anti-Malware, but there are tons of other options out there including Norton.
10) Run a FULL scan of your computer (not the QUICK scan), and delete ALL rogue files. It’ll take a long time, but this will fully clean up your registry.
11) You should now be free of the worm.win32.netsky malware/virus. If not, keep in mind that malware writers can adapt quickly. Your best bet will be to Google the name of the .exe that’s affecting your computer and check forums for more information. Good luck!
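As an added example (not code from the original post), here is the registry work from steps 2 and 7 as one PowerShell script that prints each value before touching it. It assumes PowerShell is installed and the shell is running as an administrator, and it restores Winlogon\Userinit to the stock userinit.exe value instead of deleting it, because Windows needs that value to finish a logon; an empty or missing Userinit produces exactly the log-on/log-off loop mentioned at the end of the post.

```powershell
# Added example, not the original post's code. Audits and undoes the three
# registry changes listed in step 7 and re-enables Task Manager (step 2).
# Assumes an elevated PowerShell session on the Windows XP-era paths the post names.
$ErrorActionPreference = 'Stop'

$runKey       = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$wallpaperKey = 'HKCU:\Software\Microsoft\Internet Explorer\Desktop\General'
$winlogonKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$policyKey    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
# Stock Userinit value; the trailing comma is normal on a clean machine.
$defaultUserinit = "$env:SystemRoot\system32\userinit.exe,"

# Returns a registry value's data, or $null if the key or value does not exist.
function Get-Value($key, $name) {
    if (-not (Test-Path $key)) { return $null }
    (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
}

# Step 2: same effect as the REG add command, but idempotent.
if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
Set-ItemProperty -Path $policyKey -Name DisableTaskMgr -Type DWord -Value 0

# Step 7, audit first: show what each location currently holds.
'Run\smss32.exe    : ' + (Get-Value $runKey 'smss32.exe')
'Wallpaper         : ' + (Get-Value $wallpaperKey 'Wallpaper')
'Winlogon\Userinit : ' + (Get-Value $winlogonKey 'Userinit')

# Remove the rogue autostart entry, if present.
if (Get-Value $runKey 'smss32.exe') {
    Remove-ItemProperty -Path $runKey -Name 'smss32.exe'
}

# Remove the hijacked wallpaper value only when it points at warning.html.
if ((Get-Value $wallpaperKey 'Wallpaper') -like '*warning.html') {
    Remove-ItemProperty -Path $wallpaperKey -Name 'Wallpaper'
}

# Userinit must keep pointing at the real userinit.exe, so reset it rather
# than deleting it; deleting it means every logon is followed by a logoff.
$userinit = Get-Value $winlogonKey 'Userinit'
if ($userinit -ne $defaultUserinit) {
    Set-ItemProperty -Path $winlogonKey -Name Userinit -Value $defaultUserinit
    "Userinit reset from '$userinit' to '$defaultUserinit'"
}
```

Run it once, reboot, then still do the full antivirus scan from step 10; the script only reverts the three persistence points the post lists and does not remove the files themselves.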
P.S. I’ve got to give a shout-out to Dan Fischbach, who helped me solve the Windows XP Log-on/Log-off loop that worm.win32.netsky created. Nice work, Dan (I donated $5, and you inspired me to write this post!).