Life in the Malware Trenches – Killing Worm.Win32.NetSky and Internet-Security 2010

Guest writer PJ Liberatore (aka Cappydawg to many of my fellow bloggers) takes you into the real world of virus removal by relating her successful experience removing Worm.Win32.NetSky, a component of the insidious scareware application Internet Security 2010.

Recently, I had the experience of helping a co-worker with a virus on his Netbook. He had mentioned to me that his Netbook was popping up all kinds of strange messages stating he was infected with numerous Trojans, so he was going to take it to the “geek people”. I offered to take a look at it for him instead, and maybe save him some money.

When I turned on the Netbook, right away I noticed it took much too long to boot. I made sure I had turned off the Wi-Fi connection so that it wouldn’t go out to the net and attempt to download more suspicious files. When it finally reached the desktop, it told me:

Security Warning! Worm.Win32.NetSky detected on your machine.

Immediately, another screen popped up listing more Trojans! This screen looked suspicious to me, since my co-worker had McAfee Antivirus installed and yet the screen read “Internet Security 2010”.

At this point, I had 3 screens open, all of them warning me of these potential hazards on this Netbook. One of these screens started up Internet Explorer (I wasn’t worried, since I had Wi-Fi off), and I noticed the web address read: buyinternet-security 2010.com. I knew then I had a bugger of a virus staring at me.

Before I show you how I got this cleared up, let me tell you a little bit about this virus.

Internet Security 2010 gets installed via malware and quickly sets itself up to start every time Windows is booted. It will also load a number of Trojans on your computer. Once infected, the next time you boot up your computer you will be notified that you are infected with Worm.Win32.Netsky. This is exactly what happened on the computer I was trying to fix.

What makes the virus a real bugger is that it blocks certain applications, and when that happens you get the warning “File is infected”. It will then recommend that you activate your antivirus.

But it is really trying to get you to buy Internet Security 2010. DON’T DO IT! Second, another Trojan that comes with this virus warns you to purchase a codec called VSCoded Pro. DON’T DO IT! All this virus wants is your credit card number, and whoever is behind it will have a field day with it.

Now that you have a little information about this virus, let me tell you what I did to remove it.

My first step was to research this on the internet using my own laptop. I began my search with “buy internet security 2010.com”. I chose a few articles from the results and read through them to get some advice on squishing this bugger.

The articles recommended that I download a program called Rkill. Rkill is a small, freeware program, developed by Microsoft MVP Lawrence Abrams, that helps stop malware processes; it’s also portable.

It’s available in four file formats: .exe, .com, .scr and .pif. If you are wondering why four different formats, it’s because malware is getting smarter all the time; some malware can block the execution of an anti-malware tool’s executable file, so a copy under a different extension may still run. For more information on this tool, check out Technibble’s write-up.

I ran Rkill first to stop the virus’s process. It took a while, but it did stop the process. I then pulled out my little USB tool drive, where I keep some of my favorite antispyware and malware tools, and downloaded the latest free versions of SuperAntiSpyware and Malwarebytes Anti-Malware.

Next, I ran Malwarebytes in quick scan mode, and sure enough it found about 40 different Trojans. I cleared those, and then ran SuperAntiSpyware in full scan mode. It also found a few, so I proceeded with the removal process through SuperAntiSpyware. I then decided to run Malwarebytes again, but in full system scan mode, just to make sure nothing was missed in the quick scan. It found nothing.

Now feeling pretty confident that it was under control, I rebooted the machine. It booted quicker and had no messages stating that Worm.Win32.NetSky was on the machine, or any other annoying pop-ups. For added protection I ran Dr. Web Antivirus, and it found nothing. One more reboot, and all was good.

While I was at it, I updated his antivirus definitions and installed the free edition of SuperAntiSpyware.

It’s been 2 weeks now, and all is going well.

By doing a little research on the web and taking it step by step, I was successful in removing this virus and helped a co-worker save a little money.

35 responses to “Life in the Malware Trenches – Killing Worm.Win32.NetSky and Internet-Security 2010”

  1. abhijit

    I have a question, Bill. Many antivirus programs don’t work in safe mode. At that time, which virus removal tool is of more help? Thanks for this article. Knowledgeable.

    • Bill Mullins

      Hey Abhijit,

      Part of the key to malware removal (as P.J. explains) is shutting down the running processes of the malware. Techies and geeks can generally do this by changing Registry entries, after which most AV tools can generally remove the infection. The tool that P.J. discusses will be a great help for average users who don’t have knowledge of the Registry.

      I think there’s agreement, though, amongst professional techs that a good bootable rescue disk, as discussed by guest writer Mark Schneider in his article Kaspersky Rescue Disk The Ultimate Malware Solution?, is the best solution. There is, of course, a fair degree of skill required to get the proper results with such a tool. While malware can often be removed, it takes skill, knowledge, and patience.

      Bill

  2. Ahmed Helmi

    McAfee Antivirus is a really good program, but maybe that co-worker didn’t keep it up to date. Anyway, good job there clearing all those viruses and spyware!

    • Bill Mullins

      Hey Ahmed,

      You’re right – it’s possible that the definitions were not updated. Generally though, scareware requires user interaction to create the infection. In other words, the victim has to say “yes” somewhere in the process. For this reason, awareness, good habits, and education are critical to remaining infection free.

      Thanks for visiting.

      Bill

  3. Murphy

    Hi,
    Thanks for this article.
    It’s always good to know how to fight against “malware”.
    Best regards!

    • Bill Mullins

      Hey Murphy,

      I agree. It’s particularly important that users realize that, with good effort and knowledge, they don’t have to remain a “victim”.

      Best,

      Bill

  4. “McAfee Antivirus is realy good program ” I would completely disagree with this statement, but to each his own 🙂

  5. Bill
    Thank you very much for this article. Very inspiring.
    Yes, Dr Web & Malwarebytes Anti-Malware are very good.

    • Bill Mullins

      P.J. will appreciate your comment Robert. She did a great job in explaining her adventure in malware removal.

      Bill

  6. Ranjan

    Nice article Bill, and thanks to P.J. also for sharing this.
    All I can say is that ‘Prevention is better than Cure’.
    I also have a keen interest in malware removal so that I can help anyone who’s in need of it. A few days ago, I removed some viruses and worms from my cousin’s PC manually.

    • Bill Mullins

      Hey Ranjan.

      P.J. will certainly appreciate your comment.

      You’re right again “Prevention is better than a Cure”. Good to see your skill level allows you to remove malware manually – a very good skill to have.

      Bill

  7. Mal

    I am wondering if the infected computer had just McAfee. Some less skilled people only run one product (which we all know is rubbish), which claims to be the cure-all for all infections. Could be the reason this scareware got on the system in the first place.

    Layered security is the go, using different products from a few different vendors.

    Cheers

    • Bill Mullins

      Hey Mal,

      I don’t know the answer to that (maybe P.J. will key in on this later), but I suspect that you’re right.

      You’re absolutely right in saying “Layered security is the go, using different products from a few different vendors”. Recent stats indicate that a “good” AV *might* manage a 75% stop ratio on a zero-day threat. This reinforces, one more time, how necessary it is to run in a sandbox or isolated environment at a minimum, or to run a heuristic application like ThreatFire. Preferably both.

      Users who become infected by scareware, in a sense, deserve it. Except for the occasional driveby download, scareware gets installed because the user chooses to install it by saying “yes”, to an offer to install.

      It bears repeating; users need to – Stop – Think – Click. Simple and effective, but………

      Bill

  8. No matter which established software you own, one has to update it regularly. PJ’s co-worker forgot it and got the punishment. But this article again shows the power of free utilities. Nice work.

    Arafat

    • Bill Mullins

      Hey Arafat,

      Free is good. I run several machines exclusively on free software.

      I agree, applying patches is an absolute necessity, but it is only one step of many that must be taken in order to remain free of infection. If a user approves the installation of a malware application by saying “yes” (and many do, which explains the huge success of scareware), or if a user unknowingly surfs to a site that contains a drive-by download where no user interaction is required, the game is over.

      2010 will be the year, in my view, when isolation software and sandboxes will become absolutely necessary to remain infection free while surfing the Net. No matter what AV or security solution is installed, isolating the system will become critical. Average users simply don’t have the knowledge or awareness needed to stay safe on an Internet that is being overwhelmed by constantly evolving malware attacks. It’s not going to get better any time soon.

      Bill

  9. Cappydawg

    Hi Mal,

    To answer your question, yes, it only had McAfee on it. I put SuperAntiSpyware free edition on it, and I did suggest to him to buy the full version to help start the layering process of protection.

    Thanks everyone for reading my article, I appreciate all the comments.

  10. Mal

    Hey Cappydawg,

    I agree, I wouldn’t be without SuperAntiSpyware. A superb tool. I run on-demand scans with it on a regular basis.

    Cheers

  11. John

    Hi Bill,

    Good article by PJ and it shows that we must always be vigilant when surfing the net.

    I guess I have a question in when is enough enough, or too much, when booting up. For me on boot-up I have Eset Nod32 V4, Online Armor++, SuperAntiSpyware, Spybot S&D, Secunia PSI, Zemana and Techtracker.

    I also scan with Malwarebytes Anti-Malware and SpywareBlaster.

    Have I missed anything that I should also include?

    At what point do these programmes all start conflicting with one another and also slow the PC down on boot-up?

    Questions questions………………..

    Also Bill, thanks for your help the other day getting the wife’s PC up and running again!

    Cheers
    John

    • Bill Mullins

      Hey John,

      P.J. will be pleased with your comment.

      Since Online Armor++ includes a firewall, antivirus and anti-malware, you shouldn’t be running SuperAntiSpyware and Nod32 at the same time. Actually, I’m surprised you haven’t had a system conflict. Continue to run Spybot S&D, Secunia PSI, Zemana and Techtracker in conjunction with Online Armor++.

      To stop SuperAntiSpyware and Nod32 from starting automatically at system startup, type “msconfig” (do not use quotes; these are here for emphasis only). This command will open a system configuration applet – click on “Startup” and in this box, clear the check marks on SuperAntiSpyware and Nod32. Then click on “Apply”. You will be asked if you want to restart the system now – click “yes”, or “OK”.

      However, if either SuperAntiSpyware or Nod32 is NOT already checked in the Startup box, then that means it DOES NOT automatically start up, so no changes are required.

      You should notice some difference in boot time – if you don’t, don’t be discouraged. Many, many factors can affect boot time, not just application load. Frankly, I normally reformat all my system drives and then do a complete system reinstall every 6 to 8 months or so, simply because I need to get absolute top speed from all facets of my systems. Most IT pros I know do this as well, since Windows systems are notorious for developing system slowdown over time.

      If you have a problem with this let me know.

      One word of advice – before making ANY system changes always create a System Restore Point, just in case. Better safe than sorry… and all that.

      Bill
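As an added example that is not part of the article or the comments, this PowerShell script lists the same autostart entries that the msconfig Startup tab above shows (the Run/RunOnce registry keys and the Startup folders), which is also where a rogue product that sets itself to start at every boot, as the article describes, has to register. It assumes a Windows host with PowerShell 3.0 or later, run as Administrator so the HKLM keys are readable; the function names are my own.

```powershell
# Added example, not from the article or comments: list the autostart entries
# that msconfig's Startup tab shows (Run/RunOnce keys and Startup folders), so
# a rogue product that registers itself to run at every boot can be reviewed.
# Read-only. Assumes Windows with PowerShell 3.0+; run as Administrator for HKLM.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Properties Get-ItemProperty adds to every result; they are not Run values.
$psMeta = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

# Pull the image path out of a Run-key command line, which may be quoted
# ("C:\Program Files\x.exe" /arg) or unquoted (C:\dir\x.exe /arg).
function Get-ImagePath([string]$CommandLine) {
    $cmd = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 0) { return $cmd.Substring(1, $end - 1) }
    }
    $m = [regex]::Match($cmd, '^(.+?\.(exe|com|scr|pif|bat|cmd|vbs|js|dll))', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return $cmd.Split(' ')[0]
}

# One row per entry: does the image exist, and is it Authenticode-signed?
# Missing or unsigned images are the ones to look at first.
function Get-StartupEntry([string]$Source, [string]$Name, [string]$CommandLine) {
    $path = Get-ImagePath $CommandLine
    $status = 'Missing'
    if ($path -and (Test-Path -LiteralPath $path -PathType Leaf)) {
        $status = (Get-AuthenticodeSignature -LiteralPath $path).Status.ToString()
    }
    [pscustomobject]@{ Source = $Source; Name = $Name; Image = $path; Signature = $status }
}

$entries = @()
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($psMeta -contains $p.Name) { continue }
        $entries += Get-StartupEntry $key $p.Name ([string]$p.Value)
    }
}
# Startup folders, per-user and all-users. For a .lnk shortcut the signature
# check applies to the shortcut file itself, so inspect its target by hand.
foreach ($folder in @([Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup'))) {
    if (-not (Test-Path -LiteralPath $folder)) { continue }
    foreach ($f in Get-ChildItem -LiteralPath $folder -File) {
        $entries += Get-StartupEntry 'StartupFolder' $f.Name $f.FullName
    }
}
$entries | Sort-Object Signature | Format-Table -AutoSize
```

Entries whose image is missing or unsigned are listed first; removing an entry is still done through msconfig or the registry editor, as Bill describes, after a System Restore Point has been created.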

  12. Ranjan

    @John
    Ya.. I hope Bill’s reply has solved your doubts, John. Just remember not to set too many apps to auto-start which are made for the same purpose.
    I suggest you should apply the changes which Bill said, i.e. removing Nod32 and SAS, or OA++ and SAS, from auto-start and letting Nod32 auto-start.
    @Bill
    Ya, making a system backup, i.e. a System Restore point, is a good practice, but it’d be even better if John could use a Boot-2-restore app which can help him to restore his PC to a defined date even when the computer isn’t booting up…
    As far as I know, Sality can cause your PC not to boot either normally or in safe mode. To be more clear, it boots up but there’s nothing on the screen except a restart timer of 60s, resulting in an endless loop of restarts until you manually switch the CPU power off. Although we can force the PC not to restart with command line parameters, most PC users run away from the command window simply because it seems boring to some users.
    So it’s better to keep the tools aside instead of running here and there and spending much money to get it solved.

    • Bill Mullins

      Hey Ranjan,

      “most pc users run away from command window simply because it seems boring to some users” – I can’t agree.

      Statistically, average users barely understand 10% of the functions of the *applications* they use on a daily basis. To expect an average user to understand the esoteric commands needed in the command line is just not on. Average users are not in the least bit interested in the behind-the-scenes technology or command structure – they simply want their computer to work. After all, that’s what Windows is supposed to be all about – ease of use. Typical users have no interest in running a computer as if it operated in DOS.

      Bill

  13. Ramesh Kumar

    Dear Bill,
    Thanks for a great post. Went through it & the Rkill link as well. I have 2 queries, so please guide.
    1) Which of the 4 file formats of Rkill should I download – exe, com, scr or pif? Or should I download all 4 file formats of Rkill?
    2) Since Rkill only stops the malware process but does not remove the malware files (since it is not meant to do so), how does one manually remove malware files?

    Grateful for your kind guidance

    Ramesh Kumar

    • Bill Mullins

      Hey Ramesh,

      If you are going to use Rkill from a flash drive, you should download all 4 formats, since you can’t be sure which one you will need.

      Removing malware files manually is generally specific to the actual malware, since file names vary considerably even within various versions of the same malware. Identifying the infected files is the key, and this is not always an easy task. Luckily, there are some very good sites that will assist in identifying these files, including Bleeping Computer.

      By and large, if the situation requires files to be removed manually, then it should be left to an experienced computer technician.

      Sorry I can’t be more specific, but the question is just too broad.

      Bill

  15. Ranjan

    I meant that average users don’t know much about commands in command prompt and they like GUI more than a blank black command window like DOS….

    • Bill Mullins

      Hey Ranjan,

      Then we’re in agreement. I misunderstood your reference to “it seems *boring* to some users”. Thanks for clearing that up, Ranjan.

      Bill

  16. I appreciate your part in helping others get rid of these fake antivirus programs. I have seen them on the rise on the computers coming into my shop, particularly in the last couple of months. We use some of the same programs, but I hadn’t heard of “rkill”, so thanks for the lead; I’m always looking for new and better tools.

    Thanks,

    Dale Powell
    http://spywarepreventionguy.com

    • Bill Mullins

      Hey Dale,

      Thank you for the update on what you’re seeing on the job. Good to hear this from a tech professional.

      Appreciate you dropping by.

      Bill

  17. Cappydawg

    Thanks to everyone for your comments on my article. It is greatly appreciated that all took time to read it and post comments. Thank you again.

  18. Cappydawg

    Bill,
    I wanted to thank you for posting my article on your blog. Thank you for being so supportive.

    • Bill Mullins

      Hey Cappydawg,

      It was a pleasure.

      Lots of comments – lots of interactivity, and a perfect learning opportunity for readers. That’s a combination that’s hard to beat!

      Keep on writing – you’ve got something there.

      Best,

      Bill

  19. Nice article.
    Hope this may help me.
    Thanks for sharing.

  20. Cappydawg

    Thank you muhyar!

    I really enjoyed writing it and hope to do more.