Guest writer PJ Liberatore (aka Cappydawg to many of my fellow bloggers) takes you into the real world of malware removal by relating her successful experience in removing Internet Security 2010, the scareware application behind the fake "Worm.Win32.NetSky detected" warning it throws at its victims.
Recently, I had the experience of helping a co-worker with a virus on his Netbook. He had mentioned to me that his Netbook was popping up all kinds of strange messages stating he was infected with numerous Trojans, so he was going to take it to the "geek people". I offered to take a look at it for him instead, and maybe save him some money.
When I turned on the Netbook, right away I noticed it took much too long to boot. I made sure I had turned off the Wi-Fi connection so that it wouldn't go out to the net and attempt to download more suspicious files. When it finally reached the desktop, it told me:
Security Warning! Worm.Win32.NetSky detected on your machine.
Immediately, another screen popped up listing more Trojans! This screen looked suspicious to me, since my co-worker had McAfee Antivirus installed, and yet the screen read "Internet Security 2010".
At this point I had three screens open, all of them warning me of these potential hazards on this Netbook. One of these screens started up Internet Explorer (I wasn't worried, since I had Wi-Fi off), and I noticed the web address read: buyinternet-security 2010.com. I knew then I had a bugger of a virus staring at me.
Before I show you how I got this cleared up, let me tell you a little bit about this virus.
Internet Security 2010 is installed by other malware and immediately adds itself to the Windows startup entries, so it runs every time Windows is booted. It also loads a number of Trojans onto your computer. Once it is in place, the next time you boot you are greeted with a "Security Warning! Worm.Win32.NetSky detected" alert. The alert is fake: it is the rogue's own pop-up, not a detection by any real antivirus. This is exactly what happened on the computer I was trying to fix.
What makes this rogue a real bugger is that it blocks certain applications from running; when it does, you get a "File is infected" warning and a recommendation to "activate your antivirus".
That "activation" is nothing more than a purchase of Internet Security 2010. DON'T DO IT! Second, another Trojan that comes with it nags you to purchase a codec called VSCoded Pro. DON'T DO IT either! The only purpose of either pitch is to get your credit card number, and whoever is behind it will have a field day with it.
Now that you have a little information about this virus, let me tell you what I did to remove it.
My first step was to research this on the internet using my own laptop. I began my search with "buy internet security 2010.com". I chose a few articles from the results and read through them to get some advice on squishing this bugger.
The articles recommended that I download a program called Rkill. Rkill is a small freeware program, developed by Microsoft MVP Lawrence Abrams of BleepingComputer, that terminates known malware processes so that other tools can run. It is portable, and it removes nothing by itself: the files and startup entries stay where they are.
It's available in four file formats: .exe, .com, .scr and .pif. These are the same program under different names and extensions. Malware is getting smarter all the time, and some rogues block the execution of anything ending in .exe or of known anti-malware file names, so a renamed copy can slip past. Because Rkill only stops the running process, run your scanners right after it and do not reboot first; the startup entry would simply launch the rogue again. For more information on this tool, check out Technibble's write-up.
I ran Rkill first, to stop the process of this virus. It took a while, but it did stop the process. I then pulled out my little USB tool drive, where I keep some of my favorite antispyware and malware tools, and downloaded the latest free versions of SuperAntiSpyware and Malwarebytes Anti-Malware.
Next, I ran Malwarebytes in quick scan mode, and sure enough it found about 40 different Trojans. I cleared those, and then ran SuperAntiSpyware in full scan mode. It also found a few, so I proceeded with the removal process through SuperAntiSpyware. I then decided to run Malwarebytes again, but in full system scan mode, just to make sure nothing was missed in the quick scan. It found nothing.
Now feeling pretty confident that it was under control, I rebooted the machine. It booted quicker, and had no messages stating that Worm.Win32.NetSky was on the machine, or any other annoying pop-ups. For added protection I ran Dr.Web Antivirus, and it found nothing. One more reboot, and all was good.
Since I was at it, I updated his antivirus definitions and installed the free edition of SuperAntiSpyware.
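The steps above (stop the rogue's process, then scan, then reboot) are done with point-and-click tools. For readers who want to see what that triage looks like under the hood, here is an added PowerShell example; it is not from the original post and it is not Rkill's code. It lists the Run/RunOnce autorun entries the rogue relies on to "start every time Windows is booted", lists running processes, and flags anything launched from a user-writable location such as Temp or AppData. That location heuristic is an assumption chosen for illustration, not a signature for Internet Security 2010 (the page names no file paths), and legitimate per-user software also lives in AppData, so review every hit before acting on it.

```powershell
# Added example, not part of the original post and not Rkill itself.
# Run from an elevated Windows PowerShell prompt with the network disconnected.
# The "user-writable location" heuristic below is an assumption for illustration,
# not a detection signature; check each flagged entry by hand.

param(
    [switch]$Kill   # only terminate flagged processes when explicitly requested
)

# Autorun locations that rogue antivirus programs use to relaunch at every boot
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Directories a properly installed product rarely runs from (assumed heuristic)
$suspectRoots = @($env:TEMP, $env:APPDATA, $env:LOCALAPPDATA, $env:USERPROFILE) |
    Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') }

# Properties that Get-ItemProperty adds on its own and that are not registry values
$providerProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

function Test-SuspectPath([string]$Path) {
    if (-not $Path) { return $false }
    $p = $Path.Trim('"')        # strip a leading quote from a quoted command line
    foreach ($root in $suspectRoots) {
        if ($p.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

Write-Host "== Autorun entries =="
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    $names = $props.PSObject.Properties |
        Where-Object { $providerProps -notcontains $_.Name } |
        Select-Object -ExpandProperty Name
    foreach ($name in $names) {
        $cmd  = $props.$name
        $flag = if (Test-SuspectPath $cmd) { 'SUSPECT' } else { '       ' }
        Write-Host ("{0} {1}\{2} = {3}" -f $flag, $key, $name, $cmd)
    }
}

Write-Host "`n== Running processes from user-writable locations =="
# Win32_Process exposes the on-disk path; it is empty for kernel/system processes
$procs = @(Get-WmiObject Win32_Process | Where-Object { Test-SuspectPath $_.ExecutablePath })
foreach ($p in $procs) {
    Write-Host ("SUSPECT pid {0,-6} {1}" -f $p.ProcessId, $p.ExecutablePath)
    if ($Kill) {
        # Like Rkill, this only stops the process. The file and its autorun entry
        # remain, so run the anti-malware scans BEFORE rebooting, or the Run key
        # listed above will simply start it again.
        Stop-Process -Id $p.ProcessId -Force -ErrorAction SilentlyContinue
    }
}
if ($procs.Count -eq 0) { Write-Host "none found" }
```

Run it once without `-Kill` to see the listing, compare each SUSPECT line against what you know is installed, and only then rerun with `-Kill` and go straight to the scanners. The script deliberately does not delete files or registry values; that is the scanners' job, and leaving the evidence in place until they have run makes it easier to confirm what was removed.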
It’s been 2 weeks now, and all is going well.
By doing a little research on the web, and taking it step by step, I was successful in removing this virus and helped a co-worker save a little money.