How to Clean Up a Windows Spyware Infestation

“or ditch Windows and switch to Linux or Mac. problem solved.”

Or you could slit your wrists and do the world a favor.

We need ot consider malware as a question with several answers as to the “why” In the dawn of networks it may indeed have been a proto-“KeWlD00dZ” trip./me more leet… gaming even. But it soon mutated into a cash cow. like many similar cancers even becoming a threat to it’s host’s health. So we began the zeno race of virii and antivirii writers.

How many cases may there be of the same cockroach both writing a virus and selling an antivirus? Sort of like poisoning someone to sell the antidote eh? In the real world that stunt gets you major jail time.
Why should net crime be more lenient especially in light of the victim pool being XX millions worlld wide so affected.

The answers?

The reason we have malicious code existing at all is primarily monetary.
Strongly punish the monetary aspect and give non-trivial jail time for participating wittingly in computer crime or accept that we condone it.

The concept of RICO laws applying seems most apt to bear drastic force application potential. Hell- why not argue for calculating the “lost time” due to a cyber malfeasance and force the convictiid criminal/s to pay restitution? The recent arrest of a “spam king” provides a chance to reverse engineer how his ilk works and persecute them in a sadly mundane fashion.

The “final fix” thus will be a consensus to make witting participation in cyber crime rewarded by a hard 10 at minimum jail term PER COUNT.

“For your deliberate flaunting of interstate wire fraud laws your sentence is 7,394,209 years BEFORE you wil be considered for parole”

For all the Mac trolls:

I’ve also used ProcesExplorer to remove unwanted junk from a PC. A little tip for the multi-process stuff that detects when you kill it’s sibling app: don’t just kill the process - pause the processes before you kill them. Most of these apps arn’t smart enough to check for a paused app.

recently i had somethin called clcr.exe om my laptop no idea where it came from…it was puttin the most interesting porn etc on my computer…couldn’t get rid it…still cant…gonna try the above steps…the only safe computing im doin right now is thru ubuntu…which is how i was ablt to see the incoming trash…dual booting has its benifets…im a father of three…so im weaning everyone off of window…its tooo vulnerable…but linux has its drawbacks as well…but it does see alot of the sh@t that trojans put in your computer…heres a plug for the people who dont want to dual boot look up something called wubi…

“One of the reason’s for Maya’s popularity was that it was so widely pirated.”

I can’t believe anyone actually believes this nonsense.

Maya made its fortune when it was running on SGI machines at $20K per licence. It became the market leader because it was (and still is) the best software in its field.

The parent company, when it shifted to a platform more easily pirated, started losing money hand over fist and was passed from owner to owner until finally being bought by its main rival for a bargain price.

People will pirate whatever is easy to pirate. Copy protection removes the temptation. Instead of complaining about ALL protection, just complain about the ones that are badly implemented.

Sean Kane:

You give a method to remove rootkits:

“…the kernel-mode driver is identified, and a system file-check is run…”, “…the majority cannot hide from RootkitRevealer…”, “…boot outside of the Windows install, scan around, repair install whatever Windows version you’re running…”

Sounds easy.

Which kernel mode driver? How do you find it? Some rootkits modify existing pieces, so there are no new drivers or registry settings to find/remove. They mutate (simple version - find the code to morphine and study it). Now how do you detect if your kernel32.dll is bad? There are many legit versions from various MS patches, but your repair install should get it. How about other drivers that are not from the XP install, but were installed from other apps, like Quicktime, antivirus :), iTunes, etc? These are not repaired nor removed by your method, and will still be loaded upon reboot, reinfecting anything else the rootkit targets

Your method does not address boot sector rootkits (exist) nor BIOS rootkits (exist). Your method does not clear ADS on the filesystem. It does not check slackspace (methods exist), and does not check sections marked bad by NTFS (where things do hide).

Your method does not address RAM only rootkits (exist), which require shutting down all machines simultaneously on the network, making sure none have a persistent carrier, cleaning, and then putting them all back online.

You say that the majority of rootkits cannot hide from RootkitRevealer, but all it takes is one. Most recent rootkits bypass RootkitRevealer since it is a popular tool, and is easily bypassed. Here is a year old forum thread and code showing how to do it:
Not hard at all. Rootkits also exist that bypass IceSword, Blacklight, and Sophos Anti-Rootkit.

You mention white-hats can fix rootkits. The white-hats with detailed windows internal knowledge I know in the malware field across the board recommend reinstallation.

Oh well, stubborn people continue along :slight_smile:

Good article! This should be looked at as one more tool/option for the toolkit/notes file. Not all tools are as effective or do as good a job but having the tool/option for your particular situation is valuable.

It’s obvious that everyone here has different ideas and using those ideas will result in different outcomes depending on ones situation and circumstances. While throwing out the baby with the bath water may be the answer to one situation it will not be a viable option in answer in another circumstance.

Having choices is what we all are arguing over and I am glad Jeff has given me another choice to put in my took box just as many of the other suggestions that have been added to these posts.

Even the option to switch to Lixux or Mac…just maybe not as many options :wink:

An excellent article, I’ve a couple of comments. For those that want to grab the systinternals software, Microsoft was nice enough to allow you to grab it all as a bundle here:
(8 MB)

For the use of ‘more secure’ systems… it doesn’t always work that way. Sure you can focus on user space / separation, sandboxes, etc, but you can (inadvertently or not) load and unload unix kernel modules, etc. I can do it even to the big Commercial unices like Solaris / AIX. Personally I don’t use Linux (would prefer to install Solaris if I was going that route), and I currently don’t have a Mac as I don’t like BSD’esque O/S’s.

My biggest problem with XP is that it is shipped with IE. It’s a cart before the horse problem when you’re using an unsafe (unpatched) browser to get patches for the browser to make it safe. IMO - Jeff got what he deserved (not that I wish this stuff on anyone). I wish windows would complete it’s installation then (as a clean up task), grab you the newest version of IE, then as a final cleanup, grab all security patches by default.

A good read !



This article and all its comments is a wonderful exploration into the the impact of human fear on computing and how it makes people behave (often quite irrationally) as a result.

It’s amazing how people seem to fall into different categories of behavior in dealing with computers and their fears [of malware].

  1. Switch to a “safer” computing platform
  2. Use anti-x protection/cleaning software
  3. Learn every possible file/execution/memory interaction
  4. Develop a “tried and true” save/restoration process

1 and 2 are clear examples of primitive fight-or-flight behavior. 3 and 4 depict a more evolved knowledge-based approach.

I learned at an early age while playing adventure games that SAVE/RESTORE was the greatest gift of computers to mankind and it should be utilized accordingly in all situations of potential danger.
As a result, I live a happy life free of realtime scanning software, UAC, or limited user privileges, and full of optimal performance, a pragmatic understanding of the risks, and a religious awareness of “Update Tuesday”. :slight_smile:

Keep up the good work. Your site is an inspiration.

Thank you so much for this article. I had 2 dlls hooked with winlogon and explorer for about two weeks now. From other info gained from searches I had already tried using Process Explorer and Autoruns both, and to no avail. Your article clearly showed me what integral step I was missing. I didn’t know to kill the threads in the process properties dialog of procxp until I read this. Thank you again for this, you saved me many hours of burning cds and formatting to get rid of my issue.

  • I thought the thinking went like… Don’t log in as admin, ever! If your games won’t run as non-admin, make a shortcut and select ‘Run as…’ to start them. Running as admin + having spyware = told you so, many people told you so.

  • Use DaemonTools / DeamonTools for no-cd goodness, that way you can keep out of the dark, shady underbelly of the internets and not have to DJ your game disks. Maybe don’t play games that consider DeamonTools a hacker tool.

Use BufferZone (found at, on a completely clean PC. This is one of the best programs I’ve found! It will run everything virtually, and nothing is able to access your actual files. If you do get spyware/adware, just empty the “bufferzone” and everything will be back to normal. I have actually tried to get as much spyware, and viruses as I could to test this program, and it removed everything!

You can still use administrator account and run IE in a limited account:

This really helped me out despite the fact that I didn’t have spyware. A lot of legitimate companies leave programs that don’t do anything but take up processor time. (i.e. my mouse drivers came with a bunch of “configuration software” that starts every time I log on. Adobe reader has a speed loader that starts even though I hardly use it. goggle update. ect.) Without a program like autoruns you can’t keep stuff like that from coming back constantly. Thanks for cluing me in.

Thanks for this guide. I had been struggling to remove the same virus “core.sys” from my machine for a couple of weeks and this has sorted me out.

Great article, the kind that one needs to always have onhand as a hardcopy.

As an independent IT consultant, I have access to and use all the OS’s mentioned in the above postings, and more.

My laptop and main personal computer have been happily running WINDOWS 98SE for many many years. Currently, w/o any antivirus protection or antispyware protection. Firefox is mandatory, and I’m a very happy camper -

Current TaskList= net surfing, writing MSAccess code, using RDP to my 2K3 server, VNC from laptop to desktop, RDP to my XP/Knoppix box, listening to music from desktop to laptop via Media Player
Classic, snapshotting desktops for maps edited in MSPaint and printed, Nero disk burning, dual monitors, an (occasional) bunch of (slightly) naughty jpegs. Word and/or Excell open, a Post-It note program, Outlook Express, writing (simple) C programs in the CLI, and even sometimes routing my neighbors wireless through the NIC into my network when my Internet goes down.

All at the same time, all nice and fast.

Any real problems? Reformat, bring back my previous days’s
"echo a|xcopy /d /r /i /c /e /h .\here .\there" backup.

(I’ve not had to restore for any virus issues, but once recently due to impending drive failure)

Thank you, I’ve been wanting to get this off my chest for a while now.

The reason I hollered the demon ‘W’ word in the above text is to be the first one to start the inevitable yelling that I’ve probably started…


I wanted to thank you for this tutorial, not only was it very informative and insighful but it helped me bring an end to my spyware/malware problem on my workstation computer here at the office. Thanks again and I hope you continue youre work as Im sure many of us appreciate your efforts!

to those who said quicktime has an option to disable auto startup.

IT DOES NOT… at least not in its preferences.

the trick only worked for a while, it is again back on every reboot.

that’s malware. congrats apple.

Dude, Cant thank you enough. I ran my McAfee system about 100 times. I would take the spyware off but did nothing for the crap that was hidden in other files. It took a while but this website directed me to kill all the BS on my laptop. It feels liberating to be able to shove it up the hineys of these jerkoffs that do this crap. Thanks again bro.

Tom Whiting