worm.win32.netsky

Created: 22 Dec 2009 | 121 comments
Hi,

My Norton anti-virus (for WinXP) is not able to detect and fix worm.win32.netsky.
I am having critical warning messages periodically. Here is the exact list of problems:

1. My Symantec Live Update has stopped working. It says there is a problem with the internet connection (although my internet is working perfectly).
2. I am not able to access Task Manager (even from Run). It says that I do not have administrator rights - I have never received these messages before.
3. I downloaded spyware doctor and it detected the following files to be infected:

c:\WINDOWS\system32\winhelper86.dll
c:\WINDOWS\system32\winlogon86.exe
c:\WINDOWS\system32\winupdate86.exe
c:\WINDOWS\system32\AVR10.exe

4. I tried using safe mode - but I am having exactly the same problem in safe mode.

Is there no fix for this virus with Symantec?

Please let me know

Thanks
Aditya

sandra.g wrote:

How old are your definitions?  How do you know you have Netsky without a detection?  Which Symantec product exactly do you have?  I ask because Netsky seemed to be something that bloomed back in 2004... (search the following page for "netsky")

http://www.symantec.com/security_response/threatexplorer/azlisting.jsp?azid=W

If the tool noted above doesn't help you, I would

- get the Intelligent Updater from a computer with working internet.  Download the file appropriate to your version of the antivirus program.

http://www.symantec.com/business/security_response/definitions/download/detail.jsp?gid=savce

- put the computer into Safe Mode
- run a full system scan.

sandra

Symantec, Senior Information Developer
Enterprise Security, Mobility, and Management - Endpoint Protection

Don't forget to mark your thread as 'solved' with the answer that best helps you!

wsroadrunner wrote:

Sandra,

I am running Norton Antivirus 2010 with Antispyware. The program is fully installed and should be able to detect and stop this from what I am understanding in your answer here. The problem is, it didn't.

I am having the same issues as the poster you replied to, and when I contacted Symantec about this I was told "No problem, we can straighten it up for you for only $140.00" - I thought that was why I bought the Antivirus program from you guys in the first place?

To be quite honest, I purchased the Antivirus 2010 and installed it when my 2009 edition came due for renewal. I am now wondering why? I currently have 5 computers with Norton Antivirus on them and if as you say, this file/virus is from 2004 (almost 6 years old) and Norton can't protect against it, I am wondering if any of my computers actually have any protection from anything.

I have run the W32.Netsky@mm Removal Tool to no avail... it is not removing anything.

Can I even safely save off my files (photos, etc...) and install them after I have to have my system completely wiped and reloaded if it comes to that, or is all the work I have on my computer now lost forever?

wsroadrunner wrote:

After over a dozen calls to Symantec support and not getting anywhere I have formatted my computer and reloaded everything...except Symantec software.

I find it interesting that a program released for 2010 is incapable of protecting against or even warning about something that has been around since 2004. I did get the standard reply that for only $140 Symantec could get it off of my system. Gee... I thought I had bought the Norton 2010 to protect my computer and prevent from having to bother with that?

I refuse to have my computer held ransom by Symantec and now have all 4 of my machines protected by AVG. I am also writing to Staples main office and letting them know of the experience I have had and suggesting that they look at these forums to see if they are really selling a good product with reliable support.

BTW... why is it that since Symantec wants American dollars for their products people have to talk to someone in India or Pakistan or wherever the call center is?

Thanks to all the Norton staff who never bothered to reply to my questions. That told me how important my business is to you guys.

aditya_rawal wrote:

All,

Thanks for your reply. Unfortunately none of this works. Here is a step-by-step description:

Firstly I would like to mention that I am using Symantec version 10.1.4.4010. My virus definitions are updated up to 20th Dec 2009.
I did run a Full Scan using Symantec anti-virus in both normal and safe mode - but this does not detect any virus.

1. I downloaded the W32.Netsky@mm removal tool - FxNetsky.exe (http://www.symantec.com/security_response/writeup....). This tool crashes repeatedly in both normal and safe mode. It seems that the virus does not allow it to run.
2. Second, I downloaded the Intelligent Updater (http://definitions.symantec.com/defs/20091222-023-...). However, this too does not run in either normal or safe mode. Here is the error message that I get - "Intelligent Updater session complete. All updates failed to install on the machine"

Other symptoms that i can observe:

  1. Each time I access Task Manager, it gives me an error saying that I do not have administrator rights. I had to download TaskManagerFix.exe to overcome this problem (this problem is surely due to the virus).
  2. My Symantec Live Update has stopped working. It says there is a problem with the internet connection (although my internet is working perfectly).
  3. Each time my computer boots (in both normal and safe modes), Windows Defender detects a virus - TrojanDownloader:Win32/Fakeinit. At best, my Windows Defender can quarantine this virus, and it shows up again on every boot up.
  4. Each time my computer boots, I also receive a message saying that the machine is infected with worm.win32.netsky.
  5. After boot (in both safe and normal mode), each time I run a full scan using Windows Defender, it detects another virus - Trojan:HTML/Fakeinit. Windows Defender allows me to remove it, but it appears again after the next boot.
  6. My desktop wallpaper has message in red - "Your System is infected! System has been stopped due to a serious malfunction. Spyware activity has been detected. It is recommeded to use spyware removal tool to prevent data loss. Do not use th computer before all spyware removed"
  7. Note, none of the above issues are detected by running a Full Scan of Symantec Anti-virus in normal and safe modes.
  8. I also ran Windows Malicious Software Removal Tool (version Dec 2009). But this also does not detect any virus.
  9. Finally, I downloaded Spyware Doctor program and it detects virus in the following files (however it asks me to buy full version to fix these):
    1. c:\WINDOWS\system32\winhelper86.dll
    2. c:\WINDOWS\system32\winlogon86.exe
    3. c:\WINDOWS\system32\winupdate86.exe
    4. c:\WINDOWS\system32\AVR10.exe

I have tried to explain my problem in detail. I have been using Symantec for 4 years, but this is the first time that I am facing this inconvenience. I do not want to buy another anti-virus just to solve this problem.
Please let me know how to fix these problems using Symantec.

Thanks
Aditya

Hicaliber wrote:

I've got very similar problems on my laptop.  Last Saturday, the fakeAV alert pop ups started.  It hijacked my desktop background graphic with an alarm message, the background selection menu is now grayed out, and cannot be changed.   I'm using Symantec Endpoint Protection.  The updates were last done 20 Dec.

On Saturday last,  I was able to run a full scan, and it showed up with AVR10.exe and IS2010 as violating files, but could not delete them.  A scan on Sunday, listed a Trojan Winhelper86.dll.

I've followed this thread, downloaded and ran the W32.Netsky@mm removal tool.  It scanned for several hours, but did not list any found problems.

Other symptoms to note:

Live update cannot connect to the network.  No network connectivity is working.

I cannot open regedit.

Is this a recognized issue?  It seems we've been blindly shotgunning fixes?

Hicaliber wrote:

I just looked in the risk log file listing and see:

CoreGuardAntivirus2009 - Access Denied -  filename AVR10.exe
CoreGuardAntivirus2009 - Access Denied - filename SetupIS2010[1].exe

FredWalter wrote:

I've got the same problem:

I cannot open taskmgr
I cannot open cmd.exe
I cannot open regedit
I cannot go into safe mode (I get a blue screen)
My desktop background was replaced
I get fake antivirus alert popups

Hopefully a fix for this problem will be found. I'd hate to have to wipe the hard drive and start over.

NairBals wrote:

Go to Run and copy & paste the command below:

This will enable the taskbar...

REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 0 /f

Rgds
Nair

sandra.g wrote:

You should know that this is an old build (2006, I think) with known security vulnerabilities.  Not a good idea to try to upgrade during a threat event, but just wanted to let you know that you need to get something more up to date as soon as possible.

sandra

NairBals wrote:

How to remove IS2010 manually:

Manual removal of IS2010 is a feasible objective if you have sufficient expertise in dealing with program files, processes, .dll files and registry entries.
The files and folders to be deleted are listed below:

%Program Files%\InternetSecurity2010
%Program Files%\InternetSecurity2010\IS2010.exe
%WINDOWS%\system32\41.exe
%WINDOWS%\system32\winhelper86.dll
%WINDOWS%\system32\winlogon86.exe
%WINDOWS%\system32\winupdate86.exe
%UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Security 2010.lnk
%UserProfile%\Desktop\Internet Security 2010.lnk
%UserProfile%\Start Menu\Internet Security 2010.lnk

The registry entries that need to be removed are as follows:

HKEY_CURRENT_USER\Software\IS2010
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "Internet Security 2010"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "winupdate86.exe"

mwap wrote:

Does not work. It is hiding somewhere else. Comes back on reboot.

Also, this Symantec crap is, well, crap. The bastards wanted more money to do something I already pay them (a lot of money, many computers) to fix.

I am looking at McAfee and a few others now. Symantec seems to not like to keep us informed of updates and the automatic thing is not worth a damn.

AravindKM wrote:

I think the antivirus is not working on your system.
Go to Add/Remove Programs.
Select SEP and click on Change; on the second screen you will get an option for repair. Try it.

Please don't forget to mark your thread solved with whatever answer helped you : ) Thanks & Regards Aravind

AravindKM wrote:

Even after that, if you are facing the problem, try scanning that PC with the NSS tool in safe mode. For more detail refer to the comment below.
Download NSS and scan.

sandra.g wrote:

Sounds like a fake AV is telling you you have something you don't.  Symantec products do not use the naming scheme of worm.w32.netsky.

It is likely that this was something new when it hit your computer.  If you are not able to slave the drive to a working system to do a scan, your best bet is:

- the NSS scanner as noted above.
- booting into the Windows Recovery Console (if XP), trying to apply new definitions and run a scan
- use the SEP support tool to identify suspicious files and submit them for analysis

Title: 'What to do when you suspect that a Symantec antivirus product is not detecting viruses'
Document ID: 2001031909215448
Web URL: http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2001031909215448

Title: 'The Symantec Endpoint Protection Support Tool'
Document ID: 2008071709480648
Web URL: http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2008071709480648

I hope this helps,
sandra

Lois Healan wrote:

I have even tried reinstalling the OS.  This gives an EXCEPTION with TRAP 00000006.
I have a Windows XP SP2 running  Enterprise Edition 10.1.7.7000

jimauer wrote:

My laptop has been infected with Worm.Win32.NetSky. I have tried to remove it following the instructions above, but am having the following problems:

1. Cannot start in Safe Mode.
2. Cannot turn off System Restore: the tab does not appear on the System Properties screen, even though I'm signed in as admin. I found the folder by running a search, but cannot open it; error message appears stating the file is infected. 

I'm running W32.Netsky FixTool 1.13.0 anyway to see what it will do.

Any suggestions on how start get rid of this virus would be much appreciated.

Thanks, and have a Happier Holiday.

jimauer wrote:

The FixTool finished its scan and displayed a message that the Worm.Win32.NetSky virus could not be found. I restarted as non-admin, and the following message appeared:

[attached screenshot: ScreenGrab worm warning message.jpg]

gfaron wrote:

The Netsky infection is not real. The culprit is an application suite called winupdate86 in your C:\WINDOWS\System32 directory. It claims that you're infected with Netsky (also disables regedit, task manager, et al.) and changes your desktop background to an infection warning.

I'm in the process of trying to get this off my system, but here are some tips so far:

1) when trying to run regedit and getting the message that it's been infected and cannot run (fake), simply try to run it again while the fake warning alert is still on-screen.  You'll get through the second time.  Then fix the value for "DisableTaskMgr" under [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System] to be zero instead of one.  This will reinstate your task manager.  Then use it to blow away the winupdate86 process, the 41.exe process, and anything else that looks hinky.

Finally, delete all the files described at https://www-secure.symantec.com/connect/forums/int...

If I figure out more after this step, I'll post it.  So far, I think I'm clean... *cross fingers*

jimauer wrote:

I tried this process. Each time I run regedit after getting the first error message, I get the following message -- 'Registry editor has been disabled by your administrator.' Cannot get to regedit to fix the value for 'DisableTaskMgr.'

Any suggestions for getting past this error message?

Lois Healan wrote:

I created a new user with ADMINISTRATOR rights on the local machine.  This allowed me to get into regedit to correct the task manager setting.

pbess wrote:

Yes, the winupdate86 was the problem.  I followed your directions to get TaskManager back which makes it possible to stop the process and delete the file from C:\windows\system32.  I deleted all the files from the same directory that are mentioned in these posts but now I have a bigger problem :-(

As soon as I login, I get logged out.  It seems that there is some other piece of code left behind that sends a shutdown command if the winupdate86 file is missing?  Of course, I still cannot get in with safe mode, so I'll have to find another way to get in.  

Lois Healan wrote:

Yep, the same thing is happening here.  The minute I log in I get logged right back out.  I have tried booting to a system disk, a usb boot disk....nothing works.  I would think Symantec needs to come up with some kind of fix for this.  I can't even reformat the machine.

pbess wrote:

I get logged off immediately from the administrator account and the regular user account on this Dell laptop.  It seems that somewhere in the registry there is a call for the existence of one of the trojan files that immediately logs off the current user.  I can get to the registry in Recovery console but don't know where to look. 

Hopefully, someone at Symantec will come up with a solution to this mess...

Jimmy K wrote:

I'm also having the same problem (immediate log off).

I am getting logged off immediately from all users in all boot modes.

Can someone PLEASE PLEASE PLEASE help ????????????????
There has to be a solution for this.

Many thanks and much appreciation! 

sandra.g wrote:

https://www-secure.symantec.com/connect/forums/wormwin32netsky#comment-3396731

jubal04 wrote:

After working on this for several days off and on I finally found a fix for the log off problem!  If you have a windows XP disk, insert it in the CD drive and convince your computer to start from the disk.  F12 will probably get it started.  Select the CD drive.  You don't want to install a new OS, so start the repair utility.
  Go through the startup sequence and you will eventually get to the C:\windows prompt.  Change the directory to system32  (cd \windows\system32). 

At the C:\windows\system32 prompt type

copy userinit.exe winlogon32.exe

This replaces the missing winlogon32 file with the  correct userinit file.

type EXIT

After you get the computer restarted you will still need to fix the registry problem!  (START RUN Regedit)
HKEY_LOCAL_MACHINE\Software\windowsNT\currentversion\winlogon\

Just click on the winlogon folder and find the file in the window.  This is where I screwed up initially.  The winlogon file needs to be set to

userinit=c:\windows\system32\userinit.exe.  This will probably show up as userinit=c:\windows\system32\winlogon32.exe. (But the winlogon.exe file is missing 'cause I deleted it)

I found the fix in relation to a wsaupdater.exe fix that was posted on another forum.  Thanks to whoever posted it.

tnobles wrote:

Spent the whole day trying to get rid of this thing and now I can't log in either. GRRR. Is reformatting the only solution or does anybody know another way to log in and stay in?

I'd like to meet the punks that wrote this in a dark alley someday!

Mcoop wrote:

Thanks to you all for posting on this subject; it has been a real help. My laptop was infected with this crap a couple of days after Christmas. I called the help desk at Symantec a number of times... and I must say I was completely underwhelmed: not only did we spend hours going around in circles trying the same thing over and over again, but it all came to nothing and they basically just gave up and said that I should take my computer to a local technician.

Firstly, I can't believe that my antivirus software - Norton 360 - didn't pick up a virus supposedly written in 2004 (evidenced by an earlier post), and
Secondly, that the supposed technicians didn't read the above posts to get some really good ideas on how at least to get the "task manager" back up and running.

My major issue... I couldn't get an internet connection to download any of these patches or tools to get rid of this thing (or to give remote access to a technician, which is what they really want so they can charge $130 for it).

I followed the tips outlined by gfaron here and had some success to a point; at least I got my "Task Manager" up and running, but on re-boot my Windows stopped working - no icons / no start button, nothing, even in safe mode.... DOH! Even though this happened I still want to thank you, gfaron, for your post b/c at least I got a lot further than speaking to the supposed "help desk" at Symantec.

In the end I just restored my computer to two days earlier than when I knew the infection came in. I didn't lose any data and the system is now working sweetly. I found this to be a quick and easy solution for any of you not that technically adept.

I am running Vista so not sure if the following helps you all, but this is how I restored the computer.

1) on re-boot press the F8 key until the "safe mode" etc. screen comes up (not sure what this screen is really called)

2) use the cursor keys to select the "repair" option, then follow the prompts about restoring your computer to an earlier date. Note you may lose any programs that have been downloaded/installed in the intervening period, but you shouldn't lose any data, i.e. Word docs or emails in Outlook etc.

I hope this helps.

DragonSkySP wrote:

You said that when trying to run regedit you get the fake message that it's infected, and to try it again while it's still on screen. That didn't work for me because it said regedit was disabled by the admin on the computer.

hbomb78 wrote:

Same problem as those above me: I get logged off immediately in normal and safe modes.... any answers out there???? Thanks in advance.

abhaysinghb wrote:

Hello,

I have spent my entire day to resolve this issue. I can easily go and format my machine but I wanted to find an alternate method.

Regards,
Abhay

Lois Healan wrote:

I have tried to reformat. I get the message "no hard drive". I have tried using a Ghost boot disk. No luck there either. I have put in a request for support with Symantec. I hope to get an answer so we can all use these computers again. I am afraid it will infect the other 2000 PCs I am responsible for!

Lois Healan wrote:

Well Symantec told me to contact HP Compaq because the Windows XP OS disc said I had no hard drive.  I contacted HP and they had me set the SATA drive to DISABLE in the bios.  After that and a couple of errors, I finally got the Win OS to reload.  I am in the process of reformatting the hard drive. 
Not the answer I wanted and I am sure all of you feel the same.  Good luck.

dmcourtn wrote:

My laptop got the Blue Screen of Death today.

I did an emergency repair using the original WinXP SP-2 disk.

After the repair, I'm getting the exact same symptoms as everyone above. Also, my wireless has stopped connecting to the internet.

It looks to me like this is becoming a big problem. And the timing couldn't be worse: over the New Year weekend.

Dale

hbomb78 wrote:

http://www.tek-tips.com/viewthread.cfm?qid=924408

Follow the instructions. This got me back up and running with no data loss, though my iexplore isn't launching at the moment, but I'm working on it. Good luck to you all.

HBOMB

bratchild wrote:

Created a new user and then copied the EXE, and it installed and ran it and all gone.. It is a free malware remover that works!!!!

J. LeVan wrote:

restore your registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\

UserInit = c:\windows\system32\winlogon86.exe

back to:

UserInit = c:\windows\system32\userinit.exe

Offline NT Password and Registry Editor can be used http://pogostick.net/~pnh/ntpasswd/

MarcT wrote:

Another forum recommended MalwareBytes (free version, www.malwarebytes.org), and it appears to have worked for me, too, 100%, but it required one trick:

The infection prevented MalwareBytes' installer from writing the file, mbam.exe, so...I installed MalwareBytes on another clean computer and updated it (an option at the end of the installation). I then put that updated copy of mbam.exe on a USB thumb drive, moved it to the infected machine, copied it into the MalwareBytes program folder, and double-clicked it there. I selected full scan, then "Remove" all, and allowed it to restart the computer when prompted. The machine appears fine now.

Good luck!

snekul wrote:

A lot of times when this fake A/V junk gets on your computer, it manages to disable your virus scanner from working properly... sometimes new definitions are no help. In these cases, you'll have to use specialized tools or boot from clean media -- like a CD -- to scan the computer.

Eric C. Lukens IT Security Policy and Risk Assessment Analyst University of Northern Iowa

tju6 wrote:

First, thank you to those who posted in the forum. You got me a long way down the road to a fix. All seems to be OK now. So, I thought I'd share:

My symptoms:

- Got the worm.win32.netsky screen
- Got the "spyware alert" wallpaper
- task manager was disabled
- ability to change wallpaper was disabled
- winupdate86.exe was present
- removed winupdate86.exe and got the login/logout loop problem
- Symantec email protection kept detecting that my machine had been compromised and I was sending spam

The final solution appears to be:

- Kill winupdate86 process
- Run symantec scan
- Run Ccleaner (free download)
- Run malwarebytes (free download)
- Update to win xp SP3 (which handles the spamming problem)

I tried to manually fix all of this, but the problems came back twice.  When I turned Symantec email-protection back on, it showed I was still spamming, and then the other symptoms came back eventually.  Doing the steps above seems to have solved it. 

Here are some tips on some of the other problems people are having:

Enabling  Task Manager
See gfaron's post above:

***
When trying to run regedit and getting the message that it's been infected and cannot run (fake), simply try to run it again while the fake warning alert is still on-screen.  You'll get through the second time.  Then fix the value for "DisableTaskMgr" under [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System] to be zero instead of one.  This will reinstate your task manager.  Then use it to blow away the winupdate86 process, the 41.exe process, and anything else that looks hinky.

***

I would add that FastNetSrv was a process that was problematic in my scenario.

Login/Logout problem after removing winsetup86.exe
See JLevan's post above:

***
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\

UserInit = c:\windows\system32\winlogon86.exe

back to:

UserInit = c:\windows\system32\userinit.exe
***

However, if you are already in the loop and can't get to the registry to make the change, here is something I found in another forum that helped me:

Put in your Windows disc and boot into Repair; you will see a DOS mode. Press "1", go into the "C:\Windows" directory and type in your user/admin password.

After that go into your "System32" folder by typing "cd System32" without quotes.

Then enter:
"copy winlogon.exe winlogon86.exe" and
"copy winlogon.exe winupdate86.exe" <-- just in case

type: "exit" to restart

Use malwarebytes
But, in the end, after you are able to kill the winsetup86.exe process, make sure to run Malwarebytes AND update to Win XP SP3. I had to do both to keep the problems from coming back.
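As an added example (not code from this thread, from Symantec or from any tool named here), the following Python script checks a text export of the registry (what "reg export" produces) for the three changes the posts above describe: the Winlogon Userinit value pointed at something other than userinit.exe (J. LeVan's fix), DisableTaskMgr/DisableRegistryTools set by policy (gfaron's and NairBals's fix), and Run entries that launch the file names listed in this thread. The sample exports and the severity labels are constructed for the example; the key paths are standard Windows locations.

```python
"""Added example: check a .reg export for the registry changes this thread
describes (Winlogon Userinit redirected, Task Manager/regedit disabled by
policy, Run entries for the fake-AV files). Sample data is constructed."""
import re

WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
POLICY_SYSTEM = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System"
RUN_KEYS = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
            r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run")
# File names reported in this thread as part of the infection (lower case).
KNOWN_BAD = {"winupdate86.exe", "winlogon86.exe", "winhelper86.dll",
             "41.exe", "avr10.exe", "is2010.exe"}
_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def parse_reg_export(text):
    """Return {key_path_lower: {value_name_lower: value}} from .reg text.
    Strings are unescaped, dword values become ints, other types stay raw."""
    hives, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        key = _KEY_RE.match(line)
        if key:
            current = key.group(1).lower()
            hives.setdefault(current, {})
            continue
        value = _VALUE_RE.match(line)
        if current is None or not value:
            continue
        name = value.group(1) if value.group(1) is not None else "@"
        data = value.group(2)
        if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
            data = re.sub(r"\\(.)", r"\1", data[1:-1])  # undo the \\ and \" escapes
        elif data.lower().startswith("dword:"):
            data = int(data[6:], 16)
        hives[current][name.lower()] = data
    return hives


def _image_basename(command):
    """File name of the program a Run command line starts (quoted or bare path)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        image = command[1:end] if end > 0 else command[1:]
    else:
        image = command.split()[0] if command.split() else command
    return image.rsplit("\\", 1)[-1].lower()


def check_export(text):
    """Return a list of (severity, message) findings; an empty list means clean."""
    hives = parse_reg_export(text)
    findings = []
    # 1. Userinit must run only userinit.exe; any other entry is the logon hijack
    #    (deleting that other file without fixing this value gives the log-in/log-out loop).
    userinit = hives.get(WINLOGON.lower(), {}).get("userinit")
    if isinstance(userinit, str):
        for entry in (e.strip() for e in userinit.split(",")):
            if entry and entry.rsplit("\\", 1)[-1].lower() != "userinit.exe":
                findings.append(("high", f"Winlogon Userinit runs {entry}"))
    # 2. Policy values the fake AV sets to lock the user out of repair tools.
    policy = hives.get(POLICY_SYSTEM.lower(), {})
    for name in ("DisableTaskMgr", "DisableRegistryTools"):
        value = policy.get(name.lower())
        if isinstance(value, int) and value != 0:
            findings.append(("medium", f"{name} is set to {value}"))
    # 3. Autorun entries that launch one of the known file names.
    for key in RUN_KEYS:
        for name, command in hives.get(key.lower(), {}).items():
            if isinstance(command, str) and (
                    _image_basename(command) in KNOWN_BAD or name in KNOWN_BAD):
                findings.append(("high", f"Run entry {name!r} starts {command}"))
    return findings


# Constructed sample exports (not captured from a real machine).
SAMPLE_TAMPERED = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\winlogon86.exe,"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
"DisableRegistryTools"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"winupdate86.exe"="C:\\WINDOWS\\system32\\winupdate86.exe"
"SoundMAX"="\"C:\\Program Files\\Analog Devices\\SoundMAX\\SMax4.exe\" /tray"
'''
SAMPLE_CLEAN = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000000
'''

if __name__ == "__main__":
    for severity, message in check_export(SAMPLE_TAMPERED):
        print(f"[{severity}] {message}")
```

On a suspect machine the export would come from an offline copy of the hives or from a clean boot, since the thread shows regedit itself being blocked while the fake AV runs.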

usioumeo wrote:

I got to the part where I need to terminate processes, but in Task Manager on my list there aren't those processes you listed above (winupdate86, 41.exe).

Anyone got a solution for this?

abhi_don wrote:

Spybot resolved it.

Spent about 2 days trying to follow the threads and get rid of NetSky - installed spybot finally and things are looking good again.

jeff7602 wrote:

I am not a computer expert by any means, and  a lot of this stuff I am struggling to understand.  I was working on this last night and eventually found myself with the logout problem.  I currently have not been able to get back in.  Right now when I start up it goes to a screen that has my original background on it for about 5 minutes, then goes to the log in screen.  I log on and it goes to back to a screen that just has my background on it, nothing else.  I can see the mouse when I move it around, but can't do anything else. 

Grant_Hall wrote:

Press Alt + Ctrl + Del to start the Windows Task Manager. Then click on File -> New Task (Run...). Then in the Open dialog box type explorer.exe and hit Enter. This should start explorer.exe, which is the program that takes care of displaying all the things you are missing like the start button, icons, etc. etc. If this doesn't work post back and we can try a few other things : )

Grant-

Please don't forget to mark your thread solved with whatever answer helped you : )

Grant_Hall wrote:

You can also just hit the Windows key (located next to the left Alt) + R. This brings up the Run dialog window. Type in explorer.exe and hit Enter. This does the same thing as what I posted above, but since one of the things about the virus in this thread is that it disables the Task Manager, you might have to do it this way.

Hope this helps
Grant-

jeff7602 wrote:

Nothing works. Pressing Ctrl+Alt+Delete does nothing, nor does pressing Windows+R. I have put in the Windows disk and am going to try to run repair to make the changes that tju6 suggested, but I don't have the admin password. It was a work computer, but when I left they let me keep the computer. However, I'm not the one that set it up originally. I was given admin privileges, but don't know this password. I emailed the guy hoping he remembers what password he used, but so far he hasn't responded. I have a feeling he won't remember, as it's been a few years and he's kind of a volunteer IT guy and it would totally be something he wouldn't remember. So now I wait for that.... if he doesn't remember I don't know what to do next.

Grant_Hall wrote:

Sorry Jeff,

Try booting into safe mode and running a full system scan from there. If you don't know how to boot into safe mode try this web guide http://www.pchell.com/support/safemode.shtml. You must turn system restore off before running the scan. If I were you I might consider calling in and making a case on this issue. Most of the guides or advice we could give you over the forums are intended for more serious computer people (nerds : ) ). You will probably find it is quicker to just call phone support. If you do call in come back here and post your case number so we can follow your case for you.

Also try leaving the admin password blank. This is the default and your old admin might have just left it as the default. If you are still having trouble getting admin rights try this guide http://pcsupport.about.com/od/windowsxp/ht/adminpa....

Hope this helps
Grant

jeff7602 wrote:

Alright, I got the password for the admin account and made the changes suggested. Now, here's what happens. As Windows opens up, it never goes to the login page. It goes straight to a screen with my original desktop background on it with none of the icons. A popup comes up that says "tcsd_win32.exe has encountered a problem and needs to close." I can send an error report or not. When I Ctrl+Alt+Del I get the "Task Manager has been disabled by your administrator." popup. No icons or anything are on the screen, no start button or anything. I can't get anything else to do anything. Windows key + R does nothing. Any ideas?

By the way... the same thing happens in safe mode, except instead of my background, it's just a black screen. The safe mode tags are in the corners and stuff, but the only thing I can get a response from is Ctrl+Alt+Del saying it's disabled.

Grant_Hall wrote:

Were you able to try the scan in safe mode? What sometimes happens is viruses will disguise themselves as legitimate Windows processes. My guess is that tcsd_win32.exe is actually a virus and not the actual Windows process. If you are able to get your desktop back you should check in the C:\Windows\System32 folder to see if there is a file called tcsd_win32.exe. If there is please post back and tell us. You should also try logging in as the administrator and rerun the task manager. If you can get the task manager running then do the explorer.exe task like I suggested before.

Thanks
Grant

jeff7602's picture

I was able to get the task manager to run under the administrator account and ran the explorer.exe.  I'm running a scan right now.  I have my fingers crossed.

Grant_Hall's picture

Good I am glad you got that back up and running. Just to let you know the scan in safe mode would be better. Hopefully this works : )

Also did you check whether that file was in C:\Windows\System32 ???

Cheers
Grant

Please don't forget to mark your thread solved with whatever answer helped you : )

jeff7602's picture

I haven't checked yet.  I am in safe mode.  Should I check while the scan is running or is it better to wait until the scan is finished?

Grant_Hall's picture

Doesn't matter. You can check now.

Grant-

Please don't forget to mark your thread solved with whatever answer helped you : )

jeff7602's picture

There is no file called tcsd_win32.exe in that folder.  Should there be?

Grant_Hall's picture

No that is a good thing. Usually the C:\Windows\System32 folder is where viruses will hide. It is good that the file was not there. How did the scan go?

Please don't forget to mark your thread solved with whatever answer helped you : )

jeff7602's picture

It's still going, but it looks to be going good so far.  It's finding what it should I think!

John_J's picture

Don't mean to high jack the thread but thought I'd put my experience in with this bugger.

This little nasty bug whacked me on Dec 19 while doing some searching on Google. It did not activate until I tried closing Firefox. Norton AV popped up as did Windows Defender, however Internet Security kept popping up over their GUI. I pulled the wifi card to keep it from downloading any further files and killed all the pop ups. I noticed Norton’s GUI was gone but Windows Defender was still running and had two listings (TrojanDownloader:Win32/Fakeneinit, and the second one Trojan:HTML/Fakeneinit) which added the following registries:
regkey:
HKCU@S-1-5-21-424206920-3905011538-1741360769-1005\SOFTWARE\MICROSOFT\INTERNET EXPLORER\DESKTOP\GENERAL\\Wallpaper

wallpaper:
HKCU@S-1-5-21-424206920-3905011538-1741360769-1005\SOFTWARE\MICROSOFT\INTERNET EXPLORER\DESKTOP\GENERAL\\Wallpaper

file:
C:\WINDOWS\system32\critical_warning.html->(SCRIPT0000)->(EmbeddedCode)

containerfile:
C:\WINDOWS\system32\critical_warning.html

At this point my desktop was green with the Internet Security 2010 warning so I brought Norton back up and noted several files in quarantine (winupdate86.exe and 22.exe) I searched the HD for them and found copies in the user temp folder, Internet temp folder, and system32 folder and deleted them. I ran Norton, but noticed it was running very slow. Nothing else showed….I then tried starting the taskmanager and noted it was locked down so I started looking through the registries. I found several links to other files (winhelper86.dll and winlogon86.exe), which I deleted.

Thinking it was safe to restart I tried rebooting the machine into safe mode but it would not start. I then tried a standard restart, but found I was locked out…Just kept logging in and out. I tried the recovery console but no go either so I was left with reinstalling the OS.  

After reinstalling the OS I could boot the machine and restarted in safe mode, re-ran Norton and Windows Defender. Norton still did not show anything. However, Windows Defender did and I proceeded to clean out the rest of the infected files. I fixed the task Manager and checked for any running processes that weren’t supposed to be there.

I then ran windows update and re-installed all updates and service pack 3. Over the last week I researched all the info I could find on this bugger and found dozens of registry entries and files that it modified including the Desktop HTT file.

I then ran Hijackthis and rootkitbuster, but nothing turned up. So I tried Ad-Aware and that just came to a screeching halt. It did reference an infected file as Win32.Backdoor.Agent (CpqsetVer.exe), but it's part of HP software and has been on the machine since I bought it. I also ran Malwarebytes and it flagged several more registry entries and removed them:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop

I also noticed I kept getting a balloon popup saying Norton AV was not active on boot-ups but it was loading. I looked through the options and noted Start Auto-Protect and Load Auto-Protect on Boot were not checked and none of the help links worked. Had to remove and reinstall Norton at this point, which fixed all the above.

I’m pretty sure I’ve got 99.9% of this thing removed. However, I’ve noticed my machine is making connection attempts to all kinds of DNS servers that it never did before. All the networking controls and registry entries that I can find are set to 68.94.156.1 & 68.94.157.1. So I believe there’s still something either in the OS or registries.

Bobf_two's picture

Why did such a nasty bug like this get past Norton?  Additionally, why have they not come up with a fix yet?

I can't find a solution to even get started.  I can't run Task manager, regedit, command prompt or any Symantec product.  I can't delete the identified bad files because they are "in use".  If I boot in safe mode this bugger runs anyway, exactly as if I was running normally.

This lack of protection really makes me eager to spend $40 to renew my Norton Anti Virus subscription!!!!! 

John_J's picture

Bobf_two

Try downloading Malwarebytes. Install and let it update. Then run a complete scan.  www.malwarebytes.org/mbam.php

If the virus won't let you run the mbam-setup.exe file, change its name to goodby-setup.exe and see if it will run. Do a Google search for "malwarebytes won't run" for more info.

Once the scan is complete save the log file. Verify the items to repair and click fix it.
   

Bobf_two's picture

Well I finally was able to get into safe mode without the bug and then ran malwarebytes, did a full scan, but the problem remains.  Also ran Avast.  Both programs removed bugs.   I can get to safe mode using administrator, but cannot boot normally via administrator. 

Bobf_two's picture

Now I can get logged in, not as an admin but under a user account (the one that was active when the computer got infected).  The only real symptom is that I cannot get on the internet via IE Explorer.  The Windows Live Messenger logs in just fine, so I know the connection is active. But when I try to go on the net I get the "IE cannot display the webpage" error.

Walfrid's picture

I managed to get into msconfig and changed the Boot.Ini to safeboot but when I restart, I'm stuck in a safeboot loop !!! It won't let me run Windows in Safe Mode, Last Known Good Configuration or Start Windows Normally. Am guessing that the virus is stopping me. Don't know how to get out of the loop now.

Help please ????????
 

hedwigdaowl's picture

http://darfuns.com/download-malwarebytes/

I had this malware on my Win 7 machine. Followed the tips to enable task manager, killed the process and then installed the above malwarebytes and ran it - that cleaned up my system. What a pain this one was ;)

Bobf_two's picture

OK, the IE problem was a proxy that the bug must have enabled.  I disabled it through IE settings and now IE works. Looking good now.

John_J's picture

"Just a word of warning" on this bugger. Keep an eye on your network connections for a while (use netstat -a command). As you can see from my post above...Something is still running DNS requests to servers all over the world. Here's a partial list just over the last couple of minutes:

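As an added example (not John_J's own code, and not a Symantec tool), a script that applies his netstat -a check automatically: it parses the Foreign Address column and reports DNS-port connections to anything other than the configured resolvers, using the 68.94.156.1 / 68.94.157.1 addresses from his earlier post; the netstat output it runs over is a constructed sample modelled on the root-server entries he observed.

```python
import re
from typing import Iterable, List, Set, Tuple

# Resolvers John_J found configured on his machine (from the thread).
CONFIGURED_RESOLVERS = {"68.94.156.1", "68.94.157.1"}
# 'netstat -a' prints the service name, 'netstat -an' prints the port number.
DNS_PORTS = {"domain", "53"}

# One socket per line: Proto, Local Address, Foreign Address, State (TCP only).
NETSTAT_LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$", re.I)

# Constructed sample of XP 'netstat -a' output, modelled on the hosts John_J posted.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address            State
  TCP    laptop:1044            68.94.156.1:domain         ESTABLISHED
  TCP    laptop:1045            E.ROOT-SERVERS.NET:domain  SYN_SENT
  TCP    laptop:1046            ns1.isi.edu:domain         ESTABLISHED
  TCP    laptop:1047            dns.hinet.net:domain       TIME_WAIT
  TCP    laptop:1050            www.symantec.com:http      ESTABLISHED
  TCP    laptop:1051            E.ROOT-SERVERS.NET:domain  ESTABLISHED
  UDP    laptop:1048            *:*
"""


def split_endpoint(endpoint: str) -> Tuple[str, str]:
    """'host:port' -> (host, port); the UDP placeholder '*:*' -> ('*', '*')."""
    host, _, port = endpoint.rpartition(":")
    return host, port


def unexpected_dns_peers(lines: Iterable[str],
                         resolvers: Set[str] = CONFIGURED_RESOLVERS) -> List[Tuple[str, str, str]]:
    """Return (proto, host, state) for every DNS-port connection whose peer is
    not a configured resolver.  XP's netstat never shows a peer for UDP
    sockets (always '*:*'), so only TCP peers can be judged from this output."""
    peers: List[Tuple[str, str, str]] = []
    for line in lines:
        m = NETSTAT_LINE.match(line)
        if not m:
            continue  # header, blank and 'Active Connections' lines
        proto, _local, remote, state = m.groups()
        host, port = split_endpoint(remote)
        if port.lower() not in DNS_PORTS or host in resolvers:
            continue
        peers.append((proto.upper(), host.lower(), state or ""))
    return peers


def summarize(peers: Iterable[Tuple[str, str, str]]) -> dict:
    """Connections per foreign host, most frequent first, so a repeating
    peer stands out from the one-off lookups."""
    counts: dict = {}
    for _proto, host, _state in peers:
        counts[host] = counts.get(host, 0) + 1
    return dict(sorted(counts.items(), key=lambda kv: (-kv[1], kv[0])))
```

Collect the input with netstat -an rather than netstat -a: without -n, netstat reverse-resolves every address and so generates DNS traffic of its own, which muddies exactly the symptom being checked.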

dougjiang's picture

I had a new problem:

I ran malwarebytes and deleted all the files mentioned here. The problems seemed gone and I get my desktop background back.

However, every time I log in to Windows or open a new program, it pops up a window that says:

"The application or DLL C:\WINDOWS\system32\PR16.DLL is not a valid Windows image. Please check this against your installation diskette."

I googled for PR16.DLL and didn't find any meaningful discussion of this.

Anyone knows how to fix this?

Many thanks!

Grant_Hall's picture

Sounds like you might still be infected. Googling for "not a valid windows image" yields thousands of results about people in a situation similar to yours (i.e. a recent virus led to a DLL problem). I am still searching for a good solution for you. I will keep you posted here.

Thanks
Grant

Please don't forget to mark your thread solved with whatever answer helped you : )

PEscola's picture

I came across this link, will try it tonight when I get home.  I know how frustrated I am with this issue, so here is the link - http://www.pchubs.com/blogs/wormwin32netsky-removal-process

Hope it helps!

Jimmy K's picture

Can't Log on / get immediately logged off

I'm running XP. First I pulled my laptop drive and virus scanned it connected to another computer. This got me able to boot up.  Then I followed the instructions above and (from safe mode as Admin) followed the tips to enable task manager, killed processes and then deleted the referenced files. I then rebooted and now I get continually logged off immediately after logging on (from every user, safe & regular mode)

Please please please,......... can someone help?

"I get logged off immediately from the administrator account and the regular user account on this Dell laptop.  It seems that somewhere in the registry there is a call for the existence of one of the trojan files that immediately logs off the current user.  I can get to the registry in Recovery console but don't know where to look."

fastco0311's picture

I got the virus worm.win32.netsky last night and it gave me the same dialog box error as described before.  I had to reboot and when I did the same warning error popped up in the start screen and prevented me from doing anything else.  I can run Windows in safe mode, which is what I've run all the programs below on.  It is still giving me the pop up b.s. dialog box.

I also get little errors saying "windows explorer is having problems running", then "windows explorer has shut down".. plus a few others..

I have been all over these forums and have located the winupdate86.exe, .dll, avm10.exe, etc. files and deleted them.

I deleted any known worm.win32, winupdate86, etc. from my registry as well.  

I have NO processes running that are not correct.
I have NO programs that need to be uninstalled (was recommended to go to control panel and remove the program)

I have run the following programs to help:

Spybot search and destroy
Reg cure
hijackthis (could not find any of the issues that were recommended in the previous posts)
Malware Antivirus loads but for some reason it will not recognize the .exe file so i haven't tried that one yet
Lps fix
tried running fxnetsky but battery on laptop died through process so will try again.

I've literally done all that I could and for a while I could see my task manager and not that error message about the worm.win32.netsky again..

When I run spybot it seems to get rid of whatever is preventing me from seeing task manager.

I will continue with the steps but is there anything else that can be done????

AEH's picture

The Dell I have didn't come with OS CDs.  I have documentation saying "Microsoft Windows System Restore returns your computer to an earlier operating state without affecting your data files. For more information double-click the documentation icon on your desktop"

I can't get past the logon screen, even in safe mode. I loop, both as my personal ID and administrator. I have no way to restore the OS.  I am at my wit's end.  Can someone help me get past this????

Donnie's picture

OK, so I am a tech who deals with calls about this virus. I found that if you remove the hard drive from the computer that is infected and use a HD reader on a computer that is clean and scan the HD with Malwarebytes and AVG Free, they will remove the virus, but before you disconnect and plug the HD back in your machine, go to

D:\Program Files (or whichever drive letter the HD comes up as) and remove the folder called Internet Security 2010. Then do a search on the hard drive for the following file/folder names

Internet Security (if you have Norton, contact Norton to verify which folder is theirs so you don't delete their stuff, though I personally would, they suck!!!)
41.exe
22.exe
winlogon86.exe
winupdate86.exe
IS2010.exe
winhelper.dll
Internet Security 2010.lnk
AVR10.exe

After you have done a search for those files you may connect the hd back to your computer and log on as normal. This is where it gets tricky. You need to go to your regedit

Start
Run
Regedit
enter

On the left hand box click on Computer
Hit the Ctrl and F keys at the same time to do a find. Do a search for the following names until you have removed them all. If you're unsure you have removed them all, click on Computer and do another search

is2010
Internet Security (if you have the Norton internet security do not remove, ask Norton which one is theirs!!!!!!!!!!!)
winlogon86
winupdate86
winhelper86
avr10

You will also need to change a registry key. Not sure if this is the only one, but this is what I gathered from the forums for the past 5 hours.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\

UserInit = c:\windows\system32\winlogon86.exe

back to:

UserInit = c:\windows\system32\userinit.exe

Now, after all that is said and done. Voilà, the virus is gone from your computer and you're left with a really big paperweight. Your internet is turned off, your background settings can not be changed and some odds and ends services have been turned off. This is where I am stuck at. I do not know what I need to do to turn these back on. I've been reading forums and talking with Norton for 5 hours now and have gotten nowhere. PS Norton chat support is completely useless. They have no idea what they are doing. If anyone has anything to add/subtract from this, please let me know so I can use it in the field to help these people. I want to try and help them as best as possible and doing complete re-formats isn't pretty or cheap. Thanks for everyone's help.

PS, it's not as simple as going to services.msc and turning them on or going to msconfig and turning them on there. I have them all turned on in both places and they still won't work. I have also uninstalled and reinstalled network drivers, so it's not a driver malfunction. Aside from formatting the computer and putting the OS back on, I have no clue what else to do. PLEASE HELP!

hamrack's picture

Ok I followed these directions, got rid of the popups, am able to get to the task manager and can bring up a command prompt.  I think it's obvious that the registry change has left us in this situation.  Any clue on how to get back all of my settings?

zod's picture

Ok...spent a couple hours and finally got it fixed.

For windows XP:

1. Press F8 before windows loads
2. Select Safe mode WITH COMMAND PROMPT
3. login if you have to
4. This is where you will see the "Security Alert" window saying you are infected with the "Worm.win32.netsky" virus blah blah blah.  Trying to get to the task manager won't work either.
5. Click the close button on the security window.  After that the command prompt should start up.
6. As soon as the command prompt is up, type "regedit" (without the quotes) and press enter.  You may have to try twice to get it to run (I did).
7. NOTE*: If any other windows popup at this time, ignore them!  Hitting close on the pop-up will close the command prompt.
8. If you have regedit up, Then fix the value for "DisableTaskMgr" under [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System] to be zero instead of one.  (ty gfaron)
9. restore your user init: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\   
UserInit = c:\windows\system32\userinit.exe
10. Press CTRL+ALT+DELETE and bring up the task manager (make sure you did step 8)
11. If smss32.exe is running, end the process (this should kill that popup window that crashes the command prompt)
12. if winlogon32.exe or 41.exe is running, kill those too.
13. If your command prompt is still open, go to C:\WINDOWS\System32
use the del command to delete the following files:
    41.exe (make sure you ended the smss32.exe process)
    smss32.exe
    winlogon32.exe
14. Delete everything in C:\Program Files\Internetsecurity2010\
15. also check the rest of this post for other files you may have to remove, this is all I had to

16. restart

Hope this helps.
Good luck!

Bobf_two's picture

Hi Folks, another Friday and this bugger is back, but now on my daughter's machine.  Newest thing is it won't even let me get in via safe mode.  Going to use restore mode to get to a command prompt and see what I can do.  I'll keep you informed.  BTW, loaded Ma*Afee security suite after last weekend's infection on this machine and it did no good whatsoever.

Donnie's picture

Do what I wrote above. Remove the HD and scan it with Malwarebytes and AVG. Then go into the HD via Explorer and remove the folders. That should help.

Bobf_two's picture

Well I replaced the software file and got access, but it still won't let me run regedit or msconfig, so I am about to reload the OS, can't seem to get around it this time.

Vikram Kumar-SAV to SEP's picture

This reg key is very important

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\

UserInit = c:\windows\system32\winlogon86.exe

back to:

UserInit = c:\windows\system32\userinit.exe

Antivirus will detect and delete winlogon86.exe but might not change the value back in the registry, which will not allow you to log on to the computer.

Vikram Kumar

Symantec Consultant

The most helpful part of entire Symantec connect is the Search button..do use it.

hamrack's picture

how do I get my settings etc back after I do this?  I got back in but I'm left with the default settings and most of my software isn't showing up anymore.

Nate7056's picture

I recently acquired this virus and am having trouble logging into the computer. If I log in normally it is extremely slow with the spam popups of viruses and also the background warning me of my infection. I am unable to ctrl alt delete and cannot open up any other programs. I tried logging in in safe mode, however when I press F8 and select safe mode, the computer reboots and returns to the same safe mode screen. I don't know what to do at this point, thanks for any help.

kev.wright78's picture

OK guys I figured out how to eliminate this problem. I would like to thank everyone because I used almost everyone's ideas to help me destroy it, so let me tell you step by step what I did to resolve the issue. Also write or copy and paste all of this stuff down just in case the internet stops working.
Step 1: Use whatever virus software you have to remove any and all viruses they detect. I used Avira and the one for Windows and it took at least 4-5 hours for both to complete and it removed at least 12 viruses.
Step 2: Start your computer in safe mode with networking.
Step 3: Try gfaron's tips so you can get your task manager up and running again.
Step 4: Now here comes the long, dull and tedious part. You now have to figure out when you first noticed the problem. For me it was January 9, 2010 and today is the 10th. So I deleted everything and I MEAN EVERYTHING from the 9th and the 10th. I went to Computer, then to the hard drive, and any file that appeared on the 9th or 10th I deleted. (Also, if something was created a long time ago and it was modified, just leave it alone, because I almost deleted my Bootstat.dat because it said it was modified today, the 10th.) So once again go to the C: drive and delete everything from the date you noticed something wrong until now. So if you got this message on the 3rd, delete everything from the 2nd (just to be safe) to now, the 10th.
Step 5: If you try to delete something and it won't let you, just right-click, select Properties, then go to Security and give yourself full power to delete it. Also when you delete something make sure you delete it out of your Recycle Bin too.
Step 6: I forgot to mention, but go to your hard drive and do a Disk Cleanup so you can delete all of those temp files.
Now while you're deleting this stuff your screen may flash a few times, then everything will reboot and all of your open windows will close.
Step 7: Now when you're sure you deleted everything (it took me 3 hours), shut down your computer. Leave it off for ten seconds, then let it start up normally. Log in.
Step 8: Now the computer tech said when he removed the virus all the way the internet didn't work, and it didn't work for me either. So I went to the Control Panel and went to the Network and Sharing Center. It showed I had internet but it wasn't working, so I went to Diagnose and Repair and it told me something was trying to block my internet and it repaired it for me. Then I reopened Firefox and here I am typing to you guys. So I hope my step by step removal manual helps you guys. Also I'm using Vista, so if you're using XP a guy up top said he fixed it for XP already. If you have any questions just ask.

 
houstongb's picture

I was able to get to a command prompt and start the registry editor soon after my PC started, before the worm had a chance to block me from starting those programs.

After many hours, I think I have a few ideas on how this worm works, so you can fix all of your files.  I think it reads all of the programs listed in your registry under the key HKLM\software\microsoft\windows\currentversion\run (and probably other keys like HKCU...\currentversion\run).  Then the worm copies itself and overwrites all of the files it found in the registry keys.  So check your registry keys above and then, for all of the values listed in those registry keys, go to each file folder and determine if the file name, from the registry key, is a worm file (I've noticed that the worm files seem to be 40 KB).  Delete or rename the file to give you a chance of controlling this worm.

On my system, there were several files in my folder "C:\Documents and Settings\XXX\Local Settings\Application Data", where the folder name was a series of 6 random characters, and the files inside each of the folders started with 4 random characters followed by "sysguard.exe".  Example: bboxsysguard.exe.  All of the exe files seemed to be 245 KB.

I think there may also be some worm files in the c:\windows\prefetch folder and c:\windows\temp.  Check for files created recently.

Now I'm going to reboot and try to start task manager before the worm is able to block taskmgr.

Good luck.  This one is pretty difficult to kill.
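The registry repairs described in the posts above (zod's DisableTaskMgr and Userinit steps, Vikram's Winlogon key, Donnie's file-name list and houstongb's Run-key idea) can be checked from an exported .reg file before a drive goes back into the machine. This added example is not any poster's code or a Symantec tool; its watch list and the sample export are constructed from the file names reported in this thread.

```python
import re
from typing import Dict, List

# File names reported in this thread; a constructed watch list, not an
# authoritative indicator set.  Real exports are UTF-16: open(p, encoding="utf-16").
SUSPICIOUS_BINARIES = {"winlogon86.exe", "winupdate86.exe", "winhelper86.dll", "avr10.exe",
                       "41.exe", "22.exe", "smss32.exe", "winlogon32.exe", "is2010.exe"}
# houstongb's observation: <4 random chars>sysguard.exe under Local Settings.
SYSGUARD_RE = re.compile(r"^[a-z0-9]{4}sysguard\.exe$", re.IGNORECASE)
WINLOGON = r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon"
POLICY_SYSTEM = r"software\microsoft\windows\currentversion\policies\system"
POLICY_EXPLORER = r"software\microsoft\windows\currentversion\policies\explorer"
RUN_KEY = r"software\microsoft\windows\currentversion\run"
VALUE_RE = re.compile(r'^(?:"(?P<name>[^"]*)"|(?P<at>@))=(?P<value>.*)$')

# Constructed .reg export of an infected XP box (values taken from this thread).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="c:\\windows\\system32\\winlogon86.exe,"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoSetActiveDesktop"=dword:00000001
"NoActiveDesktopChanges"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Internet Security 2010"="C:\\Program Files\\InternetSecurity2010\\IS2010.exe"
"SoundMan"="SOUNDMAN.EXE"
"smss32.exe"="C:\\WINDOWS\\system32\\smss32.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"bboxsysguard"="C:\\Documents and Settings\\XXX\\Local Settings\\Application Data\\abcdef\\bboxsysguard.exe"
'''

def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """[Key] headers followed by "Name"=value lines -> {key: {name: raw}}.
    Keys and names are lower-cased because the registry is case-insensitive."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = "@" if m.group("at") else m.group("name").lower()
            keys[current][name] = m.group("value")
    return keys

def reg_string(raw: str) -> str:
    """Unquote and unescape a REG_SZ value as written in a .reg file."""
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return re.sub(r"\\(.)", r"\1", raw[1:-1])
    return raw

def reg_dword(raw: str):
    """Decode dword:XXXXXXXX notation; None for anything else."""
    m = re.match(r"dword:([0-9a-f]{8})$", raw, re.IGNORECASE)
    return int(m.group(1), 16) if m else None

def basename(command: str) -> str:
    """Lower-cased file name launched by a Run/Userinit value, tolerating
    quoted paths, unquoted paths containing spaces, and trailing arguments."""
    v = command.strip()
    if v.startswith('"'):
        v = v[1:].split('"', 1)[0]
    else:
        m = re.match(r"(.*?\.(?:exe|dll|scr|com|bat))(?:\s|$)", v, re.IGNORECASE)
        v = m.group(1) if m else v
    return v.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def audit(reg: Dict[str, Dict[str, str]]) -> List[str]:
    """One human-readable finding per suspicious setting; [] on a clean box."""
    findings: List[str] = []
    # 1. Userinit must launch only userinit.exe (zod's step 9, Vikram's note).
    for entry in reg_string(reg.get(WINLOGON, {}).get("userinit", "")).split(","):
        if entry.strip() and basename(entry) != "userinit.exe":
            findings.append("Winlogon Userinit hijacked: " + entry.strip())
    for key, values in reg.items():
        # 2. Task Manager lockdown (zod's step 8).
        if key.endswith(POLICY_SYSTEM) and reg_dword(values.get("disabletaskmgr", "")) == 1:
            findings.append("DisableTaskMgr=1 under " + key)
        # 3. Active Desktop policies Malwarebytes removed for John_J.
        if key.endswith(POLICY_EXPLORER):
            for name in ("NoActiveDesktopChanges", "NoSetActiveDesktop"):
                if reg_dword(values.get(name.lower(), "")) == 1:
                    findings.append(name + "=1 under " + key)
        # 4. Run entries that launch a watch-listed file (houstongb's point).
        if key.endswith(RUN_KEY):
            for name, raw in values.items():
                exe = basename(reg_string(raw))
                if exe in SUSPICIOUS_BINARIES or SYSGUARD_RE.match(exe):
                    findings.append(f"Run value {name!r} launches {exe} under {key}")
    return findings
```

Run it as `audit(parse_reg_export(open("export.reg", encoding="utf-16").read()))` against a `reg export` of HKLM and HKCU taken from the mounted drive; an empty list means none of the settings this thread names are present.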

badoil_49's picture

I don't know how I was so fortunate, but I got mine to work in just a few minutes.

I had the exact same problems as the rest of you with fake anti-virus stuff coming up, and I had tried several different things that I had found on the internet. This all happened to me just today! What I did almost seemed too simple, and I don't know if it's something that the virus prevents the rest of you from doing...

I restarted my computer in "Safe Mode." After it started up and I logged in, the same windows popped up like usual. From here, I went directly to Start > All Programs > Accessories > System Restore. I had been doing some maintenance work on my computer with uninstalling some unneeded programs. The computer automatically made a restore point for after my last uninstallation. I simply clicked that restore point and restored my computer to 3 hours before the virus hit it.

It was that easy! I know many of you have been struggling at this for a while, and it may be too late to do it, but I would suggest just giving it a shot. At this point, I'm sure that it can't hurt. :-)

I wish you all the best of luck and hope some of you are as fortunate as I was!!!
 

DrSolution's picture

Hello Friends

I had this problem this week & started searching on net for this issue & found this forum which actually helped me to resolve this issue. I actually combined lot of suggestions together & did some more search & found the following solution.

About the symptoms:

*) While browsing the internet, suddenly without any warning an application was installed by the name “Internet Security 2010” & this claims itself to be anti-spyware & asked me to install it. This even listed some viruses which attacked my laptop, but that is actually a fake screenshot.

*) Started getting notifications that my laptop is infected & I have to install anti-spyware; at the same time my desktop image changed to text telling me the same thing.

*) I shut down my internet connection at that very moment & disabled the wireless connection of my laptop.

*) I started the Full Scan of Symantec & it found the virus called “”. Symantec deleted this one & asked me to re-start the system.

*) I re-started the system & then for the first time I got the snapshot (shown by jimauer in this forum) before logging in.

*) Now once I was inside, my Task Manager & regedit were disabled. So I tried to start them using the exe files but got the response “Files are infected, install good anti-spyware” (something like this only).

*) Now I went to C:\windows\system32 & looked for the timestamp when my laptop was infected with this virus. I was able to delete a couple of exe’s but for most of the exe’s it says “process is running, cannot be deleted”.

*) Now at this moment I shut down my PC as it was late at night, & when the next day I tried to start it, the moment I logged in it threw me out, with both my domain ID & Administrator ID.

Solution for this issue

Pre-requisites:

*) Logon CD of Windows XP (depends on what kind of OS you have)

*) Administrator credentials of your laptop

*) Install Malwarebytes & CCleaner on some clean PC & store them on a USB drive

*) Follow Part 1 of the following Microsoft article (http://support.microsoft.com/kb/307545/en-us).

*) Once you are finished with Part 1 you will be able to log in to your system in Safe Mode.

  - You might need to follow article 309531 to gain access to the System Volume Information folder.

*) Now start deleting the following:

  - Delete the folder Internet Security 2010 from Program Files.

  - Go to C:\windows\system32 & look for the timestamp when the virus attacked your PC & start deleting all the exe’s. In my system most of them were starting with numbers like 41.exe, 3071.exe. Also delete exe’s like smss32.exe, winlogon86.exe.

  - I actually deleted most of them which had 32 or 86 in them.

*) Now complete Part 2, Part 3 & Part 4 of the Microsoft article mentioned above.

*) Also for Part 4 I actually picked the restore point from 4 days before this virus infected my laptop.

*) Once you complete all the steps, log in again in Safe Mode using your Administrator ID. Take note: if you try logging in with any other ID it will take you to a blank screen with the same desktop image you had before this virus attacked.

*) Install Malwarebytes & CCleaner from the USB drive & start scanning your system, & in parallel you can do the following tasks.

*) Now is the time to do a lot of manual work (deletion), once you are inside the system. What I noticed is that most of the folders & files, when I right-clicked on them & clicked on Security, listed a User ID (I will call him S) which was all numbers (starting with S & ending with 4137).

*) Go to your Program Files folder, list your directory in Detail mode & also select to show the Owner detail of these folders. You will find that for most of the folders the Owner is that “S”.

*) Sort the folders on the basis of Owner & select all with Owner as “S”. Now right-click, go to Security, click on Advanced → Owners. Change the owner to Administrators or any other name which has Administrative rights & don’t forget to click on “Apply to sub-folders & objects”.

*) Come back to Permissions & try to remove the “S” user ID. In order to apply the same thing on all the sub-folders & objects, click on the option “Child …..” & de-select the option “Inherit Permissions …”.

*) I did the same thing for all the folders in C:\Windows\system32 & then in all the folders of my laptop. This will actually take hours but is worth it to resolve this issue.

*) After all this I went to Scheduled Tasks in Control Panel & found this user ID had actually scheduled some activities. I deleted all of them.

*) Now go to the Recovery folder & here I found a recovery bin created by “S” & the name was also the same as “S”. I deleted this one.

Malwarebytes didn’t find anything wrong with the laptop & at the same time I executed a Full Scan of Symantec; no threats were noticed by this one either.

After all this my laptop is back to working condition & I haven’t lost any data yet. But as this happened on a company laptop, this virus somehow deleted the domains & I am only able to log in with IDs which are created for the laptop only.

Hope the above steps will resolve your issues, I will keep on checking this forum. Let me know in case you have any doubt or need any further information; please keep in mind I had Windows XP with SP3.

Many thanks to everyone who shared their experience here, which actually helped me a lot.

Happy Recovery

tanteadena's picture

I've been reading the posts and downloaded spybot.  After rebooting, I'm stuck in the cont. loop of log on/log off.  I can't get past this.  This is my friends computer and he doesn't have the disk.

Any help would be nice.

Thanks!