Removal of NETSKY

This is a Email virus that comes in email attachments and just opening the email will affect the system.We have to find the malware program first. There are many automatic cleaner programs from Trend Micro, Symantec, or Kaspersky etc but preferably manual removal will give us a better cleaning of the file.

Removing the malware files from the memory:

1. Open Windows Task Manager by CTRL+SHIFT+ESC, then click the Processes tab.
2. In the list of running programs*, locate the malware file WINLOGON.EXE  that has manufacturer as unknown.
3. Select one of the detected files, then press either the End Task or the End Process button, depending on the version of Windows on your system.
4. Do the same for all detected malware files in the list of running processes.
5. To check if the malware process has been terminated, close Task Manager, and then open it again.
6. Close Task Manager. 

Removing autostart entries from the registry :

1. Open Registry Editor. To do this, click Start>Run, type Regedit, then press Enter.
2. In the left panel, double-click the following:
3. HKEY_LOCAL_MACHINE>Software>Microsoft>
4. Windows>CurrentVersion>Run 

In the right panel, locate and delete the entry or entries: ICQ Net = "C:\Windows\ winlogon.exe -stealth" 

Restoring the deleted registry keys from the registry: 

1. In the left panel of Registry Editor, double-click the following:
   HKEY_CLASSES_ROOT>CLSID>{E6FB5E20-DE35-11CF-
   9C87-00AA005127ED}
2. Right-click the subkey, select New, and then click Key.
3. Type "InProcServer32 to name the new key.
4. In the right panel, right-click (Default) then click Modify.
5. Under Value Data, type the following string:
   %Root Folder%\System32\webcheck.dll
   (Note: %Root Folder% is usually C:\.) 

Best way to avoid this file is not opening any emails that are not from recognized  sender.

Posted in: Email virus,PC Support,Removal of Netsky worm,Technical Support,TechSupp 247,Trojans,Virus Removal Expert