How to Remove popups and core.sys Rootkit

These popups are part of the Zedo adware and act as a browser hijacker. The pop ups are extremely difficult to remove manually and can cause computers to freeze.

Whenever you start Firefox or Internet Explorer, do you start to see pop ups beginning with or Powered by Zedo pop ups? Usually IE7 shows a “page cannot be displayed” error, but occasionally you are directed to an unknown site. When you do a Google search, do they take your search term and display a popup ad showing eBay or some other site? If so, you are infected by the core.sys rootkit.

I usually consider myself pretty good at removing these nasty spyware and rootkits, but this one definitely stumped me for a while. The JavaScript that was producing these popups was part of several ad networks including zero dot com, aavalue dot com and the biggest

With regard to Internet Explorer, I started off by trying to add to my list of blocked sites. Google Toolbar and Firefox were not blocking these popups.

I started off with

a. Downloaded Lavasoft AdAware SE personal. It did its usual scan but did not detect anything that would stop the popups or remove the core.sys rootkit.

b. I then got Spybot and ran it in safe mode. Again, no detection and the result was a clean system.

c. I tried to run Avenger, but it would not run on Windows Vista :(

I used other tools including CWShredder, VundoFix and others on my spyware disc, but nothing could remove this infection. I then moved to online scanners such as Panda ActiveScan and also Kaspersky Online Scanner… nothing. After any removal through these tools, the spyware keeps coming back.

Finally, I got PC Tools Spyware Doctor, which is part of Google Pack. You can also get Google Pack including the PC Tools Spyware Doctor. You might want to go ahead and download this, as we will be using it for the rest of our disinfection process.

PC Tools Spyware Doctor found a rootkit (Rootkit.Win32.Agent.EQ) infecting a file called core.sys in the c:\windows\system32\drivers directory. I also found other files called core.cache.dsk. core.sys was running as a service and was starting automatically every time Windows started. There were multiple components to the core.sys rootkit.

Because of its generic name, core.sys did not immediately strike me as suspicious, and I actually thought it was a false positive early on during the spyware removal process.

How to remove core.sys Rootkit and the popups

1. Download PC Tools Spyware Doctor

PC Tools Spyware Doctor is part of Google Pack. Get PC Tools Spyware Doctor and

2. Disable System Restore on your computer

* On the Desktop, right-click My Computer.
* Click Properties.
* Click the System Restore tab.
* Check Turn off System Restore.
* Click Apply, and then click OK.
* Restart the computer.

3. Boot into Safe Mode

a. After booting into safe mode, click on Start –> Search and then type core.sys in the search box.

b. If core.sys is found, right-click it and delete it. Also go to your C:\Windows\System32\drivers directory, search for core.sys and core.cache.dsk, and delete them if they exist. If they don’t, do not panic.

c. Now, press <Windows key> + R and enter regedit in the Run box.

d. Click on the plus sign (+) next to HKEY_LOCAL_MACHINE. Click on (+) next to SYSTEM. There you will see CurrentControlSet and usually CurrentControlSet1 and also CurrentControlSet2.

e. Under each one of the CurrentControlSets, click on (+) next to Service. You WILL see the folder called CORE in one of these CurrentControlSets. Right-click on the folder and press Delete.

4. Run Spyware scan under Normal Mode

Reboot your computer in Normal Mode. Now, go to PC Tools Spyware Doctor and run a complete system scan. You will find some infections, some advert cookies, and tracking and tracing cookies. Remove them. Your computer is now free from the core.sys rootkit and popups.
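
The checks from step 3 can be run as a read-only audit before anything is deleted, and again after the final scan to confirm the cleanup. The PowerShell script below is an added example, not part of the original post; it uses the file and service key names given above, and it assumes the registry's actual key names: the services key is called Services, and the numbered control sets appear as ControlSet001, ControlSet002, and so on.

```powershell
# Added example: read-only audit for the artefacts named in step 3.
# It lists and reports only; nothing is deleted or modified.
# Requires PowerShell 3.0 or later ([pscustomobject]) and an elevated prompt.

$serviceName = 'core'                        # service key name from the article
$fileNames   = 'core.sys', 'core.cache.dsk'  # file names from the article
$driversDir  = Join-Path $env:SystemRoot 'System32\drivers'

# CurrentControlSet plus the numbered sets (ControlSet001, ControlSet002, ...).
$controlSets = Get-ChildItem -Path 'HKLM:\SYSTEM' |
    Where-Object { $_.PSChildName -match '^(CurrentControlSet|ControlSet\d{3})$' }

$services = foreach ($set in $controlSets) {
    $servicesPath = "$($set.PSPath)\Services"
    if (-not (Test-Path -LiteralPath $servicesPath)) { continue }

    foreach ($svc in Get-ChildItem -LiteralPath $servicesPath -ErrorAction SilentlyContinue) {
        $props = Get-ItemProperty -LiteralPath $svc.PSPath -ErrorAction SilentlyContinue
        $image = [string]$props.ImagePath

        # Match the key name, or any service whose binary path ends in core.sys
        # (covers a copy registered under a different service name).
        if ($svc.PSChildName -ieq $serviceName -or $image -match '(^|\\)core\.sys$') {
            [pscustomobject]@{
                ControlSet = $set.PSChildName
                Service    = $svc.PSChildName
                ImagePath  = $image
                Start      = $props.Start   # 0 boot, 1 system, 2 automatic, 3 manual, 4 disabled
                Type       = $props.Type    # 1 = kernel-mode driver
            }
        }
    }
}

$files = foreach ($name in $fileNames) {
    $path = Join-Path $driversDir $name
    # -Force so hidden or system attributes do not keep the file out of the result
    Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue |
        Select-Object FullName, Length, CreationTime, LastWriteTime, Attributes
}

if ($services) { $services | Format-Table -AutoSize }
else           { 'No matching service key found in any control set.' }

if ($files)    { $files | Format-List }
else           { 'Neither file is present in the drivers directory.' }
```

Run it from Safe Mode, as step 3 does for the manual search, since a loaded rootkit driver can hide its own files and keys from a normal session.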



  1. Anand & Manan said,

    June 6, 2007 @ 12:59 pm

    1) Poison your HOSTS file and point the URLs that show up in popups to

    2) Use Firebug to debug the javascripts that popup in Firefox. You will get breakpoints and shit to figure out what the hell is wrong.

    3) Tell all potential users to switch to Opera in case they have/want to surf “p*orn” :)

  2. Jeff said,

    July 6, 2007 @ 10:00 am

    Oh great! Finally the perfect solution outlined perfectly. I have been looking at many forums and all of this twist and turn you without telling you how to solve it. Thanks dude. Works perfectly. Removed those nasty popups.

  3. Remove | AskStudent said,

    July 6, 2007 @ 10:09 am

    […] on the link to remove browser hijacker and also remove core.sys […]

  4. lola said,

    July 14, 2007 @ 7:22 pm

    After doing all this…..I won’t lose any “programs” will I? I am new at this computer thing, that is the reason I ask.

  5. Ajit Gaddam said,

    July 16, 2007 @ 5:23 am

    No lola, you would not lose any “programs”. The files you are deleting were added on through the rootkit. So go ahead and finish up the clean up process on your computer.

  6. DanZee said,

    July 18, 2007 @ 1:09 pm

    Your instructions got rid of the core.sys bug in my system where McAfee, Spybot, etc. could not.

  7. DaveL said,

    July 23, 2007 @ 9:43 am

    Excellent clear instructions and an effective fix at last. Thanks very much, this has been driving me crazy !!:)

  8. Ajit Gaddam said,

    July 30, 2007 @ 4:31 am

    Animesh, I believe a lot of people who were infected with this rootkit in the first place got it because they downloaded something from a source that should not be trusted. I am not sure about combofix… I haven’t researched about it yet..

    While a one stop solution might work in most cases, a solution that goes in depth in cleaning out the problem would work better when we are dealing with nasty computer viruses or spyware. Cleaning out a problem straight from the registry represents the best possible solution.

  9. Raja said,

    August 4, 2007 @ 3:16 pm

    Yo, thx for the solution man… Even though I never found core.sys or .cache etc, I def found the damn Reg Entry n after taking it out in safe mode n scanning with the Spyware Doctor, it all seems A+ Ok! Well, the only thing I was going to suggest was, to, A) either put a direct link to the Spyware Dr setup file and give some info on how to get it free, or B) Post the file here 😉
    I didn’t think having to download that whole Google Package was the best bet. Anyways, thx a LOT for your help! :)

  10. Bob Cofod said,

    August 13, 2007 @ 9:45 pm

    Man, your description for killing cpvfeed was right on the mark! Been plagued with the darn thing for a couple of months and tried everything I could find from Hijack to XSoftSpy – NOTHING! Even had about a dozen go rounds with XSoftSpy experts – as they advertise that the product kills cpvfeed. One of their “fixes” destroyed svchost.exe and was less fun than cpvfeed. Finally I hit your solution which worked like clockwork.
    Can’t thank you enough for writing such a clear and concise description of the process. I bought Spyware Dr, and hope you’re getting a big kickback there. Thanks again for being smart and knowing how to write effective procedures.

  11. MESavage said,

    August 16, 2007 @ 12:35 am

    Thank you for the great suggestions and identifying the problem files. For some reason I could not start in safe mode (hang at agp440.sys) and so could not delete the files OR remove CORE from the registry. SO…

    My solution was to use KillBox and set the two files to be removed on the next boot:

    killbox removed:
    and c:\windows\system32\drivers\core.cache.dsk

    After that I was able to remove the CORE sections from the registry.

    Running well for the last half hour -so good so far….

  12. Saint Amy Jane said,

    August 16, 2007 @ 9:51 am

    i went through a bunch of crap to get rid of mine…. two 8 hour days… blah… now I have to do it for a friend and this way is so much easier x;)

  13. William McKinlay said,

    August 17, 2007 @ 2:31 pm

    great system… except I removed core.sys AND core.cache and I am still getting ‘zedo’ pop-ups (I ran a search on core.sys and it has not reappeared)

    PLUS I am still getting the windowsantivirus2007 pop-ups!

    Any OTHER ideas out there!?

  14. Andrej said,

    August 19, 2007 @ 7:37 am

    Great solution but didn’t quite work for me as I run an (old, I know) Windows 2k professional which I don’t wanna’ re-install on this old machine which I still have to use though (at least once in a while).

    My problems:
    1. Google Pack won’t work on Windows 2000.
    2. After working around this problem with other Anti-Spyware tools I found out that I won’t be allowed to start in Safe Mode. Every time I try, the system just freezes. So the Malware has somehow managed to only allow a normal starting routine which of course will execute the rootkit.
    3. Killbox couldn’t kill it, even in reboot.

    Any ideas, anybody?

  15. Frostbitten said,

    August 19, 2007 @ 7:31 pm


    Thirty hours with seven commercial spyware killers….then I found your post. 15 minutes later, it’s alive. You are a techweenie of the first order, and I bow before you!

  16. rudolf said,

    November 4, 2007 @ 5:07 am

    just done this thing, but funny was that i could not find the core folder in the regedit anymore after running Spyware Doctor for the second time plus
    Disabled System Restore
    and worst thing is that something is still interfering in the background on IE
    Please advise what still could be wrong, thanks

  17. ann said,

    November 9, 2007 @ 8:59 am

    on my computer there are 17 blocked pop ups, the question is, how can i unblock to zero?

  19. Fred said,

    January 12, 2008 @ 4:59 pm

    I could not locate core.sys, but I did find core.cache.dsk. I ran spybot and ad aware, yet they could not locate the registry entries or the files that would reproduce them after a reboot. You mentioned spy doctor, so I tried to get it BUT IT WILL NOT LET ME CLEAN IT UNLESS I BUY THE PRODUCT. I thought I would try google pack, but GOOGLE will not GIVE ME their pack because I AM ON 2000. SO, I had to DUMP 30 BUCKS to try to remove this infection, and should it fail, Spyware DR better refund my money

  20. Lynne said,

    January 13, 2008 @ 4:31 pm

    Well, it didn’t work for me. I only had the core.casche.dsk file, and after 2 days of tryin to rid my PC of this, I finally said f’it. I am just so pissed off that some jack ass had to put this out there!!! It’s just ridiculous and should be a crime punishable BY LAW.

  21. Brandon said,

    January 17, 2008 @ 4:28 pm

    It worked for me! THANKS!

  22. matt said,

    January 17, 2008 @ 4:55 pm

    Has anyone figured this out yet? Especially those who have (core.cache.dsk) I cannot get rid of this thing. I really don’t want to wipe the whole drive.

  23. jason said,

    January 18, 2008 @ 9:16 pm

    I can’t find core.sys.dsk nor core.sys in safemode, but when i log in window(vista) in the normal mode, its there again!! try spydoctor, it detects it, and clean it, but it is still there!!! try killbox, both kill now and remove in reboot, still didn’t work!! Please help, anybody!!!!!

  24. Chris Zimmerman said,

    January 18, 2008 @ 10:12 pm

    I had the same core.cach.dsk problem on several customer systems over the past couple of weeks. However, the core.sys file and service were NOT present. I made several attempts at this that the other (basically fixes from other forums), none helped at all.

    Finally, I decided to simply reinstall the OS, but not before going medieval on the darn thing. I decided to copy the IExplorer main files (program files\Internet Explorer) from another system. This generated an ierutitl.dll not found error. Looking that up, it is basically an identifier for the browser version and this and that lead to the conclusion that even though the OS was reporting that IE6 was installed, in fact IE7 was. Go figure… next step, uninstall IE7. Add Remove had it listed, but no tab to un-install. Bit more googling and found the uninstaller is located in windows\ie7. Naturally that folder didn’t exist. Copied it from another system, it worked! No more IE7… but still had the pop-ups. Until I reinstalled IE7. In a nutshell… uninstall IE7 with the uninstaller from another system if needed, delete the core.cache.dsc (from ERD commander or PE disk) reinstall IE7.

    Hope this helps

  25. Bob S. said,

    January 24, 2008 @ 4:58 am

    This little bugger is still around. The CORE.SYS file may be resident elsewhere. In my case, it was in the root directory. There was also another “randomly-named” file in \windows\system32\devices that “happened” to have the same timestamp as the CORE.CACHE.SYS file in the same directory. I booted into “safe/commandprompt” and deleted both, and then CORE.CACHE.SYS no longer “returned from the dead”. Finally, I did “cleanups”, with various tools, and all is well. Go figure, eh?

  26. Sean said,

    January 24, 2008 @ 8:55 pm

    I can not find this “core” folder in my registry. I was able to locate and delete the core.cache.dsk file through safemode but just doing this does not solve the problem. Please help!


  27. Robert said,

    February 9, 2008 @ 5:30 pm

    Hi. I can’t delete this stupid kinda virus I have tried for about 10 times and I still have core.cache.dsk…. please can someone explain what I have done wrong. I have tried your deleting thing but I can just delete it in safe-mode and then it’s back again when I restart it… Sorry About my English //Robert

  28. Jerry said,

    April 21, 2008 @ 12:35 am

    I have tried the solutions posted on this site, but it doesn’t help. I have tried other methods as well. Nothing I do stops core.cache.dsk from coming back after I reboot. Has anyone found something that can help?



    August 18, 2010 @ 3:25 pm

    please remove the url blocked
