How to Remove the NetSky Virus
March 4, 2004 -- Unlike other recent computer e-mail bugs, Netsky.C does not exploit any holes in Microsoft's Internet Explorer or Outlook programs and infects only by running an executable file.
All antivirus vendors we've seen have updates that detect the virus, and some were able to detect Netsky heuristically before signatures were released. If you keep your antivirus up to date, and avoid opening attachments and running suspicious files, you will be relatively safe.
Clearing infected machines is easiest with your updated antivirus tool. If you don't have one, you can use Symantec's Netsky removal tool (www.sarc.com/avcenter/venc/data/w32.netsky@mm.removal.tool.html), which works for either Netsky.B or Netsky.C.
You can also use TrendMicro's Housecall (housecall.trendmicro.com), McAfee Stinger (vil.nai.com/vil/stinger/), or Panda Software's activescan (www.pandasoftware.com/activescan/com/activescan_principal.htm).
How To Remove Netsky Manually
Disable System Restore if you're using Windows ME or XP. (More information here: http://support.microsoft.com/default.aspx?kbid=283073) When you make changes to your system, Windows creates a restore point. If it does this while the system is infected, the infected files may be restored later and re-infect the machine.
Restart the computer in Safe Mode. Since W32/Netsky.C creates running processes, and Windows doesn't allow you to delete files belonging to running processes, restarting is necessary. Using Safe Mode prevents Windows from loading most drivers and auto-run entries, so your system boots relatively clean.
Run a full system scan with an updated antivirus scanner (or one of the online scanners mentioned above). If your scanner gives you the option, also scan mapped drives to find any copies left in Shared folders. If your scanner does not remove everything, follow the next few steps.
Your antivirus software should, during detection, produce a list of files associated with the Netsky.C or Moodoom.c virus (the name depends on the scanner). Delete all these files. The files will typically be in the Windows system folder, the location of which depends on which version of Windows you're running. You will also have to delete any files in the Shared folders on mapped drives.
Make a backup of the registry before you edit it. (More information here: support.microsoft.com/default.aspx?scid=kb;en-us;322756) Delete the Run entries associated with Netsky.C from the registry. These will either be flagged by the antivirus program, or you can go directly to the key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
and delete the value:
"ICQ Net" = "%Windir%\winlogon.exe -stealth"
Exit the registry editor.
Re-enable System Restore and reboot the machine.
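The registry and file steps above can be checked from a script instead of by hand. The following is an added example written for this page, not code from the original article or from any antivirus vendor. It assumes Windows PowerShell on the infected machine, run from an elevated prompt after booting into Safe Mode; the key, value name and command line ("ICQ Net" = "%Windir%\winlogon.exe -stealth") are the ones given above. Without -Remove it only backs up the Run key and reports; with -Remove it deletes the flagged value and the dropped file, and it refuses to touch anything under System32, where the legitimate winlogon.exe lives.

```powershell
# Added example: report (and optionally remove) the Netsky.C Run entry described in the article.
# Run elevated, in Safe Mode. Not part of the original article.
param(
    [switch]$Remove   # without -Remove the script only reports what it finds
)

$runKeyPS  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$runKeyReg = 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$valueName = 'ICQ Net'                 # value name used by Netsky.C (from the article)
$indicator = 'winlogon.exe -stealth'   # command line written by Netsky.C (from the article)
$metaProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

# Step 1: back up the Run key before editing it (the article's registry-backup step).
$backup = Join-Path $env:TEMP ('Run-backup-{0:yyyyMMdd-HHmmss}.reg' -f (Get-Date))
& reg.exe export $runKeyReg $backup /y | Out-Null
Write-Host "Run key exported to $backup"

# Step 2: list every Run value and flag the ones matching the Netsky.C indicator.
$suspects = @()
$props = Get-ItemProperty -Path $runKeyPS
foreach ($p in $props.PSObject.Properties) {
    if ($metaProps -contains $p.Name) { continue }   # skip PowerShell's own metadata properties
    $flag = ($p.Name -eq $valueName) -or ([string]$p.Value -like "*$indicator*")
    $tag  = if ($flag) { 'SUSPECT' } else { 'ok' }
    Write-Host ('{0,-8} {1,-20} {2}' -f $tag, $p.Name, $p.Value)
    if ($flag) { $suspects += $p }
}

if ($suspects.Count -eq 0) {
    Write-Host 'No Netsky.C Run entry found.'
    return
}

foreach ($s in $suspects) {
    # Resolve the executable path from the value, expanding %Windir% as the registry would.
    $cmd  = [Environment]::ExpandEnvironmentVariables([string]$s.Value)
    $exe  = ($cmd -split ' -stealth')[0].Trim('"')
    $dir  = Split-Path -Parent $exe

    # Safety check: the dropped copy sits directly in %Windir%; the real winlogon.exe is in System32.
    $inWinRoot = ($dir.TrimEnd('\') -ieq $env:windir.TrimEnd('\'))
    Write-Host "Value '$($s.Name)' points at $exe (in Windows root: $inWinRoot, exists: $(Test-Path $exe))"

    if (-not $Remove) {
        Write-Host 'Report only; re-run with -Remove to delete the value and the dropped file.'
        continue
    }

    Remove-ItemProperty -Path $runKeyPS -Name $s.Name
    Write-Host "Removed Run value '$($s.Name)'"

    if ($inWinRoot -and (Test-Path $exe)) {
        Remove-Item -Path $exe -Force
        Write-Host "Deleted dropped file $exe"
    } elseif (Test-Path $exe) {
        Write-Host "Left $exe alone: it is not in the Windows root folder, so it is not the Netsky.C copy described here."
    }
}
```

The backup written by reg.exe export can be re-imported with "reg.exe import" if a value is removed by mistake. The script deliberately deletes the executable only when it sits directly in the Windows folder, because a file named winlogon.exe in System32 is the operating system's own logon process.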