
How To Remove Kill & Clean And Spymarshal (removal Instructions)



#1 Grinler

Grinler

    Lawrence Abrams



Posted 30 December 2006 - 10:54 PM


How to remove Kill & Clean and SpyMarshal (Removal Instructions)
What this program does:

Kill & Clean and SpyMarshal are rogue anti-spyware applications that install rootkits, other malware, and fake autostarts in the Windows Registry, display fake scan results, and provide misleading information. When Kill & Clean or SpyMarshal is installed on your computer, it will add random autostart entries to the Windows Registry that appear to be malware related. These entries, though, are not real and are only added so that the program can find them and state that you are infected. When you try to clean them, it states that you need to purchase the full version of the program in order to clean them. This is obviously a tactic used to scare you into buying their software. Needless to say, you should not purchase Kill & Clean or SpyMarshal.

Because Kill & Clean and SpyMarshal use random names for the fake entries they install in the Registry, this guide cannot remove these essentially harmless but unwanted entries. What this guide will do, though, is allow you to determine if you have this software installed, remove the rootkit and its associated infectors, and remove Kill & Clean itself.

To further remove the fake random entries from your Windows Registry, we suggest you follow the instructions at the link below to post a HijackThis log. When posting the log, please reference this guide so people understand why you are posting the log.

Preparation Guide For Use Before Posting A Hijackthis Log [Link]
Kill & Clean Screenshot

Tools Needed for this fix:
Symptoms in a HijackThis Log (Not all of these symptoms may be in the same log):

O4 - HKCU\..\Run: [KillAndClean] C:\Program Files\KillAndClean\KillAndClean.exe
O4 - HKCU\..\Run: [SpyMarshal] C:\Program Files\SpyMarshal\SpyMarshal.exe
O9 - Extra button: Start spyware remover - {BF69DF00-2734-477F-8257-27CD04F88779} - C:\Program Files\KillAndClean\KillAndClean.exe (HKCU)
O9 - Extra 'Tools' menuitem: Start spyware remover - {BF69DF00-2734-477F-8257-27CD04F88779} - C:\Program Files\KillAndClean\KillAndClean.exe (HKCU)

Sample of fake malware entries in a HijackThis Log:

R3 - URLSearchHook: (no name) - {AF083D28-2650-CA80-E017-41974D7AA625} - Brong32.dll (file missing)
R3 - URLSearchHook: (no name) - {4CFA5D1A-8050-F260-9AC4-BAB092DBF7D9} - sound64.dll (file missing)
R3 - URLSearchHook: (no name) - {1C722BC0-0EAB-39B1-8483-391EAE7B189B} - NsCplTray.dll (file missing)
R3 - URLSearchHook: (no name) - {4A67DB37-F1C1-68C8-3AEA-818C7C21D5D0} - msag.dll (file missing)
O4 - HKLM\..\Run: [avpmondll] ABCXYZ.exe
O4 - HKLM\..\Run: [MONITER] ERTYDF.exe
O4 - HKCU\..\Run: [SYSTRAV] clamav.exe
O4 - HKCU\..\Run: [nmdllw] XTermInit.exe
O4 - HKCU\..\Run: [typeconf] PasswdMon.exe
O4 - HKLM\..\Run: [NSYSCPLSTR] MON76234.exe
O4 - HKLM\..\Run: [XTermInit] MONITER.exe
O4 - HKCU\..\Run: [uio] EXE32EXE.exe
O4 - HKCU\..\Run: [KeywordFinder] ssweeper.exe
O4 - HKCU\..\Run: [SpyElim] sysconf16.exe
O4 - HKLM\..\Run: [cnftips] AppMasterCenter.exe
O4 - HKLM\..\Run: [TForm1] 34763.exe
O4 - HKCU\..\Run: [bingo9] sysconf16.exe
O4 - HKCU\..\Run: [install2] TorontoMail.exe
O4 - HKCU\..\Run: [NsCplTray] KeywordFinder.exe
O4 - HKLM\..\Run: [WTFCTF] newbreed.exe
O4 - HKLM\..\Run: [progmen] ABCXYZ.exe
O4 - HKCU\..\Run: [driver32] nmdllw.exe
O4 - HKCU\..\Run: [gabber] Serviceprocess.exe
O4 - HKCU\..\Run: [sysmon12] ftbar.exe
Revision History

No revisions.
Kill and Clean and SpyMarshal Removal Instructions:

Please note that these instructions may appear to be very long, but in reality it should not take too long to complete. The reason the instructions appear long is because we have provided as much detail as possible when writing this fix.
  1. Print out these instructions, as there will be points in this fix at which you will not have access to your web browser.

  2. Download FixWareout.exe from the following location and save it to your desktop.

    FixWareout.exe Download Link



  3. When the file has finished downloading double-click on the FixWareout.exe icon. The icon will look like this:


  4. After double-clicking on the icon you will be presented with the first setup screen as shown below.




    Simply press the Next button to continue the installation.

  5. You will now be presented with the next installation screen as shown below.


    Press the Install button to install FixWareout to the C:\FixWareout folder.

  6. You will now be at the last screen of the FixWareout setup. Make sure that the checkbox labeled Run fixit is checked as shown in the image below.





    Then click on the Finish button to automatically start FixWareout.

  7. FixWareout will start and you will see a screen like the one below.



    Press any key on your keyboard to start the removal process.

  8. FixWareout will now display a prompt stating that you will need to reboot your computer to continue with the fix. An image of this prompt is shown below.




    Click on the OK button to start the reboot process.

  9. Your computer will now reboot. Please be aware that the reboot time of your computer may be longer than normal due to the running of this fix. Before your desktop appears you will see a prompt like the one below.




    Press the OK button to continue with the removal process. This process can take a while, so please be patient.

  10. Finally you will see a prompt stating that FixWareout has finished.




    Press the OK button to close FixWareout and for your Windows desktop to appear.

  11. When the desktop appears, a file called report.txt will automatically open in Notepad. This contains a list of some of the files that FixWareout found and removed on your computer. Feel free to look through this information and, when you are finished, close the Notepad window.

  12. The last step is to run a free online antivirus scanner to remove any possible leftover files. Please follow the steps below to run Bitdefender Online Scanner. It is important to note that this process requires you to use Internet Explorer.

    1. Open Internet Explorer and visit this address:

      http://www.bitdefender.com/scan8/ie.html

    2. Click on the I agree link.

    3. The first time you install Bitdefender Online, Internet Explorer will show a bar at the top of the screen prompting you to install the ActiveX control as shown below.




      Right-click on the bar and select Install ActiveX Control...

    4. A prompt will appear asking if you want to install the software as shown below.



      You should click on the Install button to continue.

    5. Now, back at the Internet Explorer screen, click on the Click here to scan link to start the scanning and removal process. If Bitdefender Online detects any malware, it will attempt to clean the file or remove it.

    6. When Bitdefender Online has completed, you can close Internet Explorer.

The Kill & Clean or SpyMarshal infection should now be removed from your computer. It is still advised that you post a HijackThis log to further clean up the fake random entries in your Windows Registry. Once again the guide on how to post a HijackThis log is below.
Preparation Guide For Use Before Posting A Hijackthis Log [Link]


This is a self-help guide. Use at your own risk.

BleepingComputer.com can not be held responsible for problems that may occur by using this information. If you would like help with any of these fixes, you can post a HijackThis log in our HijackThis Logs and Analysis forum.

If you have any questions about this self-help guide then please post those questions in our AntiVirus, Firewall and Privacy Products and Protection Methods forum and someone will help you.
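
The symptom lists in the guide above can be checked mechanically before a log is posted for analysis. The following is an added example, not part of the original post or of any BleepingComputer tool: it sorts HijackThis lines into the rogue products' own entries and candidates for the fake entries. The shape rules for fake entries (a URLSearchHook with a missing file, or a Run value that is a bare file name) are assumptions drawn from the guide's sample, and the `ExampleApp` line is constructed.

```python
import re

# Entries the guide lists as symptoms of the rogue products themselves.
PRODUCT_RE = re.compile(r"\\(KillAndClean|SpyMarshal)\\\1\.exe", re.IGNORECASE)
# O4 autostart line: "O4 - HKCU\..\Run: [name] command"
O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# R3 search hook whose DLL is not present on disk.
R3_MISSING_RE = re.compile(r"^R3 - URLSearchHook: .*\(file missing\)$")


def classify(line):
    """Return 'product', 'fake-candidate' or 'other' for one HijackThis line."""
    line = line.strip()
    if PRODUCT_RE.search(line):
        return "product"
    if R3_MISSING_RE.match(line):
        return "fake-candidate"
    m = O4_RE.match(line)
    # Assumption: the fake autostarts in the guide's sample are bare file
    # names with no path. Names are random, so only the shape is matched,
    # and a hit is a candidate for analyst review, not a verdict.
    if m and "\\" not in m.group("cmd") and "/" not in m.group("cmd"):
        return "fake-candidate"
    return "other"


def triage(log_text):
    """Group the non-empty lines of a HijackThis log by classification."""
    result = {"product": [], "fake-candidate": [], "other": []}
    for line in log_text.splitlines():
        if line.strip():
            result[classify(line)].append(line.strip())
    return result


# First four lines are copied from the guide; the last one is constructed.
SAMPLE_LOG = r"""
O4 - HKCU\..\Run: [KillAndClean] C:\Program Files\KillAndClean\KillAndClean.exe
O9 - Extra button: Start spyware remover - {BF69DF00-2734-477F-8257-27CD04F88779} - C:\Program Files\KillAndClean\KillAndClean.exe (HKCU)
R3 - URLSearchHook: (no name) - {AF083D28-2650-CA80-E017-41974D7AA625} - Brong32.dll (file missing)
O4 - HKLM\..\Run: [avpmondll] ABCXYZ.exe
O4 - HKCU\..\Run: [ExampleApp] C:\Program Files\ExampleApp\example.exe
"""

if __name__ == "__main__":
    for label, lines in triage(SAMPLE_LOG).items():
        print(f"{label}: {len(lines)}")
```

Legitimate autostarts can also appear as bare file names, so the `fake-candidate` bucket is a shortlist to include when posting the log, not a removal list.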

