

The four best and newest security tools from the giant Kaspersky for removing the hardest viruses, with an explanation of how to use them

Virus Removal Tools
Let's get straight to the topic, since the title already says it all: these are four new tools from Kaspersky for protecting against and removing malicious and annoying viruses from your machine. For each tool, the type of virus it handles and the tool's name are given.

First
How to eliminate Trojan-Ransom.Win32.Rector
In this section you will find recommendations on how to fight malicious programs which cannot be disinfected by Kaspersky Lab's products. In order to disinfect/remove malicious programs you may have to modify the system registry or use an additional utility. If you fail to find the necessary information, or you find these recommendations too complicated or inadequate, please send a request to the Technical Support service via the HelpDesk form.
Cybercriminals use Trojan-Ransom.Win32.Rector to disrupt the normal operation of computers and to modify data without authorization, making it unusable. Once the data has been "taken hostage" (blocked), its owner (the user) receives a ransom demand. The victim is supposed to deliver the ransom in exchange for the criminal's promise to send a utility that would restore the data or repair the PC.
Kaspersky Lab specialists have developed a special utility for decrypting the data encrypted by Trojan-Ransom.Win32.Rector. The utility has a GUI.
Do the following to decrypt files encrypted by Trojan-Ransom.Win32.Rector:
- Download the utility RectorDecryptor.zip to the infected computer;
- Extract its content using an archiver (e.g. WinZip);
- Run the file RectorDecryptor.exe;
- Click the button Start scan to start the utility. It finds and decrypts the encrypted files;
- Select the option Delete crypted files after decryption to delete the copies of encrypted files with extensions .vscrypt, .infected, .bloc, .korrektor, etc. after successful decryption.

- By default, the utility saves its runtime log in the root directory of the system disk (the disk with the installed operating system, usually ?:\). Log files have names like UtilityName.Version_Date_Time_log.txt, e.g. C:\RectorDecryptor.2.2.0_12.08.2010_15.31.43_log.txt
Command line switches for the utility RectorDecryptor.exe:
- -l - create a log file;
- -h - show help on the available switches.
The malicious program Trojan-Ransom.Win32.Rector encrypts files with the extensions .jpg, .doc, .pdf, .rar. An offer to unblock the files comes from a cybercriminal calling himself "††KOPPEKTOP††", who offers to be contacted via the following contacts:
Tool name: RectorDecryptor
download [ZIP, 188 KB], version 2.3.0.0
Virus name: Trojan-Ransom.Win32.Rector

Second
How to remove malware belonging to the family Rootkit.Win32.TDSS (aka Tidserv, TDSServ, Alureon)?

A rootkit is a program or a set of programs designed to obscure the fact that a system has been compromised. For Windows operating systems, the term rootkit stands for a program that infiltrates the system and hooks system functions (the Windows API). By hooking and modifying low-level API functions, such malware can effectively hide its presence in a system. Moreover, rootkits as a rule are able to conceal in the system any processes, folders and files on a disk, as well as registry keys, described in their configuration. Many rootkits install their own drivers and services (hidden as well) into the system.
It is possible to disinfect a system infected with malware of the family Rootkit.Win32.TDSS using the utility TDSSKiller.exe. The utility has a GUI.

The utility TDSSKiller.exe supports 32-bit and 64-bit operating systems.
Disinfection of an infected system
- Download the file TDSSKiller.zip and extract it (using an archiver, for example WinZip) into a folder on the infected (or potentially infected) PC.
- Execute the file TDSSKiller.exe.
- Wait for the scan and disinfection process to finish. It is necessary to reboot the PC after the disinfection is over.
How to use the utility
- Press the button Start scan for the utility to start scanning. It detects malicious and suspicious objects.
- The utility can detect two object types:
  - malicious (the malware has been identified);
  - suspicious (the malware cannot be identified).
- When the scan is over, the utility outputs a list of detected objects with descriptions. The utility automatically selects an action (Cure or Delete) for malicious objects. The utility prompts the user to select an action to apply to suspicious objects (Skip, by default).
- Select the action Quarantine to quarantine detected objects. The default quarantine folder is in the system disk root folder, e.g.: C:\TDSSKiller_Quarantine\23.07.2010_15.31.43
- After clicking Next, the utility applies the selected actions and outputs the result.
- A reboot might be required after disinfection.

- By default, the utility writes the log into the root folder of the system disk (usually the disk with the installed operating system, C:\). Logs have names like UtilityName.Version_Date_Time_log.txt.
Command line parameters for running the utility TDSSKiller.exe:
-l - write the log to a file;
-qpath - quarantine folder path (it will be created if it does not exist);
-h - list of command line arguments.
The following arguments make the actions apply without prompting the user:
-qall - copy all objects to quarantine (even non-infected);
-qsus - copy to quarantine suspicious objects only;
-qmbr - copy to quarantine all MBRs;
-qcsvc - copy this service to quarantine;
-dcsvc - remove this service.
For example, to scan the PC with a detailed log written into the file report.txt (created in the folder with TDSSKiller.exe), use the following command:
TDSSKiller.exe -l report.txt
Symptoms of an infection
- Symptoms of infection with Rootkit.Win32.TDSS first and second generation (TDL1, TDL2): experienced users may try to monitor the following kernel function hooks using the utility Gmer:
  - IofCallDriver;
  - IofCompleteRequest;
  - NtFlushInstructionCache;
  - NtEnumerateKey;
  - NtSaveKey;
  - NtSaveKeyEx.
- Symptoms of infection with Rootkit.Win32.TDSS third generation (TDL3): an infection can be detected with the utility Gmer, which detects replacement of a "device" object of the system driver atapi.sys.
Tool name: TDSSKiller
download [ZIP, 1.08 MB], version 2.4.1.4
Virus name: Rootkit.Win32.TDSS

Third
How to disinfect my computer from Virus.Win32.Sality?

The recommendations given concerning disinfection of a computer from Virus.Win32.Sality should be applied only if NO Kaspersky Lab product is installed on the infected computer, and/or if the computer is already infected and a Kaspersky Lab product cannot be installed by regular means. Kaspersky Lab experts also recommend using the Rescue Disk to disinfect an infected computer.

The SalityKiller.exe utility given in this article allows detecting and disinfecting only the following Sality modifications: Virus.Win32.Sality.aa, Virus.Win32.Sality.ag, Virus.Win32.Sality.bh.
In order to disinfect a computer from Virus.Win32.Sality, do the following.
If the infected computers are in a local network under domain control:
Step 1. Preparation for disinfection:
- Download the file SalityKiller.zip
- Unpack the file SalityKiller.zip
- Run the file SalityKiller.exe on each computer in turn (for example, through Kaspersky Administration Kit or the server group policy) on all computers on which the domain administrator can log on and work.
While disinfecting this group of computers, do not log on as domain administrator on any other computers, to prevent further spread of the infection in the network.
Do not stop or terminate the utility until all computers in the network have been disinfected.
Step 2. Computer disinfection procedure:
Computers on which you log on with domain administrator rights should be disinfected first. Once these computers are disinfected, start disinfecting the other computers in the network.
- Run the utility SalityKiller.exe on the infected computers once again (no additional command-line parameters are needed).
- A reboot might be required after disinfection.
- Make sure that the anti-virus icon in the system tray has turned red, indicating that the anti-virus software is fully functional. If not, reinstall the anti-virus via Kaspersky Administration Kit.
- Update the anti-virus databases (threat signatures) of the Kaspersky Lab product installed on your PC. If you cannot download the updates from the Internet, update from the zip archives.
- Set the full scan options to their maximum scan level
- Run a full computer scan
Step 3. Signs of a disinfected/clean computer:
- Kaspersky Anti-Virus is running and works in normal mode
- A full computer scan does not detect infected objects on the computer
Step 4. Cleaning the registry of infected computers in the domain network:
- Download the file Sality_RegKeys.zip
- Unpack the file Sality_RegKeys.zip
- Run the file Disable_autorun.reg from the archive Sality_RegKeys.zip. You can also disable autorun for all devices by running the SalityKiller utility with the parameter -a.
- Click Yes to confirm adding the information to the registry
- Once the scan is over, run the registry key file for your OS from the archive Sality_RegKeys.zip:
  - under Windows 2000 run the registry file SafeBootWin200.reg
  - under Windows XP run the registry file SafeBootWinXP.reg
  - under Windows 2003 run the registry file SafeBootWinServer2003.reg
  - under Windows Vista / 2008 run the registry file SafebootVista.reg
  - under Windows 7 / 2008 R2 run the registry file SafebootWin7.reg
If the infected computers are not in a network:
- Disable the iSwift and iChecker technologies if one of the following products is installed and running on your PC:
  - Kaspersky Anti-Virus 7.0
  - Kaspersky Internet Security 7.0
  - Kaspersky Anti-Virus 6.0
  - Kaspersky Internet Security 6.0
  - Kaspersky Anti-Virus 2009
  - Kaspersky Internet Security 2009
  - Kaspersky Anti-Virus 2010
  - Kaspersky Internet Security 2010
  - Kaspersky Anti-Virus 2011
  - Kaspersky Internet Security 2011
  - Kaspersky PURE
  - Kaspersky Anti-Virus 6.0 for Windows Workstations
  - Kaspersky Anti-Virus 6.0 SOS
  - Kaspersky Anti-Virus 6.0 for Windows Servers
- Download and unpack the file SalityKiller.zip
- Run the file SalityKiller.exe
- A reboot might be required after disinfection. With an installed Kaspersky Lab product you might be prompted to allow any activity to the process Sality_killer.exe.
- Go to Start > All programs > right-click Startup > select Open
- Right-click anywhere in the Startup folder
- In the menu select New > Shortcut
- In the Create Shortcut window click Browse
- Browse to the folder into which the file SalityKiller.exe was unpacked
- Highlight the file SalityKiller.exe
- Click the OK button
- Click Next
- Click OK
- Download the file Sality_RegKeys.zip
- Unpack the file Sality_RegKeys.zip
- Run the file Disable_autorun.reg from the archive Sality_RegKeys.zip. You can also disable autorun for all devices by running the SalityKiller utility with the parameter -a.
- Click Yes to confirm adding the information to the registry
- Update the anti-virus databases (threat signatures) of the installed Kaspersky Lab product. If you cannot download the necessary databases (threat signatures) from the Internet, update from the zip archives.
- Set the full scan options to their maximum scan level
- Run a full computer scan
- Once the scan is over, run the registry key file for your OS from the archive Sality_RegKeys.zip:
  - under Windows 2000 run the registry file SafeBootWin200.reg
  - under Windows XP run the registry file SafeBootWinXP.reg
  - under Windows 2003 run the registry file SafeBootWinServer2003.reg
  - under Windows Vista / 2008 run the registry file SafebootVista.reg
  - under Windows 7 / 2008 R2 run the registry file SafebootWin7.reg
You can restore the registry branch SafeBoot, which is needed for a PC to be able to boot in safe mode, by running SalityKiller.exe with the parameter -j.
Additional parameters for running SalityKiller.exe from the command line:
-p - scan a specific folder;
-n - scan network disks;
-r - scan flash drives and removable hard disks connected via USB and FireWire;
-y - close the window when the utility finishes;
-s - scan in "silent" mode (without opening a console window);
-l - write the log to a file;
-v - detailed logging (must be used in combination with -l);
-x - restore the ability to view hidden and system files;
-a - disable autorun from any devices;
-j - restore the registry branch SafeBoot (if it is deleted, the PC will not be able to start up in Safe mode);
-m - monitoring mode to protect the system from getting infected;
-q - scan the system and then go to monitoring mode;
-k - the utility will scan all disks, detect autorun.inf files created by the virus Virus.Win32.Sality and eliminate them. It will also delete the executable file linked from autorun.inf, even if that file has already been disinfected.
Tool name: SalityKiller
download [ZIP, 153 KB], version 1.3.5
Virus name: Virus.Win32.Sality.aa, ag, bh

Fourth
How to secure your computer from malicious programs of the Trojan-Spy.Win32.Zbot family
At present Kaspersky Lab analysts detect a wide spread of Trojan programs of the Trojan-Spy.Win32.Zbot family. These programs are used by cyber-criminals to steal banking information from computers. As a rule the work of the malware cannot be visually traced and is thus hard to detect on a victim computer which is not protected by an anti-virus program. Additionally, these programs use rootkit technologies as self-defense to hide their executable files and processes.
Programs of the Trojan-Spy.Win32.Zbot family usually penetrate your computer when you visit infected Internet pages. However, each cyber-criminal finds his own way of using this malware and of making it penetrate your computer.
You can secure your computer and your personal data from Trojan-Spy.Win32.Zbot by installing anti-virus software on your PC and by updating the program regularly so that it "knows" new modifications of Trojan-Spy.Win32.Zbot. Kaspersky Lab applications will prevent your computer from being infected by Trojan-Spy.Win32.Zbot, and if your PC is already infected, will delete any traces of infection.
If you do not use any anti-virus program, you are strongly recommended to scan your computer for modifications of Trojan-Spy.Win32.Zbot with the special utility ZbotKiller.exe before you perform any online banking operations. If you detect any modifications, disinfect the infected system with the utility ZbotKiller.exe.
This article describes where programs of the Trojan-Spy.Win32.Zbot family usually save their data (these files may be hidden), and how the utility ZbotKiller.exe can be launched.
Main symptoms of Trojan-Spy.Win32.Zbot infection
1. One or several of the following files appear in the folders %windir%\system32 and %AppData%:
- ntos.exe
- twex.exe
- twext.exe
- oembios.exe
- sdra64.exe
- lowsec\local.ds
- lowsec\user.ds
%windir%\system32 and %AppData% are Microsoft Windows system folders. Depending on the version of the OS installed, the path to these folders may vary:
- Under Windows Vista the full paths to these folders are C:\Windows\System32 and C:\Users\\AppData.
- Under Windows XP Professional the full paths to these folders are C:\WINDOWS\system32 and C:\Documents and Settings\\Application Data.
2. Links to the suspicious files mentioned above appear in the following system registry keys:
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
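As an added example (not part of the Kaspersky article or of the ZbotKiller utility), the Python below checks a file listing, a Userinit value and `reg query`-style output for the Run key against the indicators just listed. All sample data is constructed and the function names are my own.

```python
"""Offline check for the Trojan-Spy.Win32.Zbot indicators listed above: the
file names dropped into %windir%\\system32 / %AppData% and the references
planted in Winlogon\\Userinit and CurrentVersion\\Run.
All sample data is constructed for illustration (not from a real host)."""
import ntpath
import re

# File names the article lists; the two .ds files sit in a "lowsec" subfolder.
ZBOT_FILE_NAMES = {"ntos.exe", "twex.exe", "twext.exe", "oembios.exe",
                   "sdra64.exe", "local.ds", "user.ds"}
STOCK_USERINIT = "userinit.exe"  # the only program Userinit should launch
# Shape of a 'reg query' value line: <name> <REG_TYPE> <data>
REG_LINE = re.compile(r"^\s*(\S+)\s+(REG_\w+)\s+(.*?)\s*$")


def _exe_name(path):
    """Lower-cased basename of a file or registry path, quotes stripped."""
    return ntpath.basename(path.strip().strip('"')).lower()


def suspicious_files(paths):
    """Paths whose name is a listed Zbot file or that live in a lowsec folder."""
    hits = []
    for p in paths:
        parent = ntpath.basename(ntpath.dirname(p)).lower()
        if _exe_name(p) in ZBOT_FILE_NAMES or parent == "lowsec":
            hits.append(p)
    return hits


def suspicious_userinit(value):
    """Userinit is a comma-separated list; anything but userinit.exe is flagged."""
    entries = [e.strip() for e in value.split(",") if e.strip()]
    return [e for e in entries if _exe_name(e) != STOCK_USERINIT]


def suspicious_run_entries(reg_query_output):
    """Parse 'reg query ...\\Run' output and flag values naming a Zbot file."""
    hits = []
    for line in reg_query_output.splitlines():
        m = REG_LINE.match(line)
        if m and _exe_name(m.group(3)) in ZBOT_FILE_NAMES:
            hits.append((m.group(1), m.group(3)))
    return hits


# Constructed sample data modelled on the Windows XP layout described above.
SAMPLE_PATHS = [
    r"C:\WINDOWS\system32\userinit.exe",
    r"C:\WINDOWS\system32\sdra64.exe",
    r"C:\WINDOWS\system32\lowsec\user.ds",
    r"C:\Documents and Settings\Alice\Application Data\notes.txt",
]
SAMPLE_USERINIT = r"C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,"
SAMPLE_RUN = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    ctfmon    REG_SZ    C:\WINDOWS\system32\ctfmon.exe
    userinit  REG_SZ    C:\Documents and Settings\Alice\Application Data\twext.exe
"""

if __name__ == "__main__":
    print(suspicious_files(SAMPLE_PATHS), suspicious_userinit(SAMPLE_USERINIT),
          suspicious_run_entries(SAMPLE_RUN), sep="\n")
```

On a live host you would feed it a directory listing of the two folders and the output of `reg query` for the two keys; the article's ZbotKiller.exe remains the disinfection step.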
Methods of disinfection
The special utility ZbotKiller.exe should be used to disinfect systems infected with malicious programs of the Trojan-Spy.Win32.Zbot family. The utility:
- performs a quick system scan for infection;
- finds and deletes the malicious code of known Trojan-Spy.Win32.Zbot modifications, which spreads into other programs launched on the computer;
- removes the functionality of the malicious programs used to hide malicious files and processes (rootkit);
- deletes malicious files and cleans the system registry of the traces of Trojan-Spy.Win32.Zbot activity.
The utility ZbotKiller.exe can be launched either locally or remotely, if Kaspersky Administration Kit is deployed in the network.
To remove the malware locally:
1. Download the archive ZbotKiller.zip and extract its content into a separate folder on the infected (or potentially infected) computer.
2. Run the file ZbotKiller.exe. When the scan is over, an active command prompt window may be displayed on your monitor; press any key to minimize it. For the command prompt window to close automatically, it is recommended to run the utility with the parameter -y.
3. Wait until the scan is complete. No computer reboot is required.
To remove the malware via Administration Kit:
1. Download the utility ZbotKiller.zip and extract its content into a separate folder.
2. In the Administration Kit console, create an installation package for the application ZbotKiller.exe. In the installation package settings, on the Application step, select the variant Make installation package for specified executable file. In the field Executable file command line (optional), specify the parameter -y to close the console window automatically once the utility has finished.
3. Create either a global or a group task for remote installation of the package on the designated computers and run the task. The utility ZbotKiller.exe can be run on all computers in your network.
Switches to manage the utility ZbotKiller.exe from the command prompt:
-y - end the program without pressing any key;
-s - silent mode (without a black console window);
-l - write info into a log;
-v - extended logging (should be used together with the -l switch);
-help - show additional information about the utility.
For example, in order to scan a computer and write a detailed report into the file report.txt (which will be created in the folder of the utility ZbotKiller.exe), use the following command:
zbotkiller.exe -y -l report.txt -v
The parameter -y closes the console window automatically once the utility has finished.
Tool name: ZbotKiller
download [ZIP, 98.9 KB], version 1.2.0.0
Virus name: Trojan-Spy.Win32.Zbot
I hope everyone finds this useful and successful.
Go in God's safekeeping.