Goodwill Security Tools:

Recently, we noticed a significant increase in Scareware being downloaded due to malware authors using a technique called Search Engine Optimization (SEO) Poisoning.  The problem occurs when a user types in a hot topic term into Google (or another search engine) and clicks on a link that they believe to be legitimate.  However, instead of getting the desired webpage, the user will be redirected to a different site.  The redirected sites often times point to a malicious website that automatically downloads malware on to the unknowing users system. In an effort to help customers and non-customers alike, Thirtyseven4 has felt a calling to assist the public and has decided to create dedicated stand-alone removal tools to deal with the website redirection issue and other issues possibly related to the cybercriminals tactics.  Thirtyseven4 Antivirus users have built-in protection against such threats

Tool:  RemoveZAccess.



Version: 2.3.0.0
Type:  Free
Download location:  Click here

The RemoveZAcess tool will scan the drivers folder for any malicious "sys" files that can cause the website redirection issue. If a .sys file is infected, the tool will clean the infection properly.  In the event there are multiple "sys" files infected, the tool will detect all the infections in each malicious "sys" file one by one and will restart the system to properly clean it.  The process will repeat itself until all the “sys” files are cleaned.

The tool will generate a log file on the root drive of the system with the name "RemoveZAccess1.9.log".

In the case where the tool is unable to run in normal mode, we suggest that you boot the system with any other bootable CD, like Windows XP Live, and run the tool.

Please perform the steps above and check whether the website redirection problem is solved. If not, please provide us the "RemoveZAccess1.9.log" and any other observations for further analysis. Our virus research team will review the log and if necessary make any needed adjusts or enhancements to the tool.

Please email the log and any other questions or concerns to support@thirtyseven4.com.  Please also feel free to email us any feedback after using this tool.  Your feedback is appreciated and may help others.


Tool:  Rogueware Remover



Version:   2.0.0.1
Type:  Free
Download location:  Click here

The Thirtyseven4 Rogueware Remover tool has been created to assist users with removing installed Rogueware. The tool has enhanced generic detections to quickly identify known and unknown malware.


Tool:  Remfakealert



Version:   1.0.0.3
Type:  Free
Download location:  Click here

The Remfakealert tool will scan a system for Scareware (ie. Internet Security 2011, System Restore) related infections.  If an infection is detected, the tool will properly clean the system, including restoring system functionality and restoring modified registry settings.  Users who suspect they may have fallen victim to a Scareware related attack may notice Fake Security Application Alerts, Messages, Scans, etc.

This tool is being updated routinely for the latest threats and Scareware, however, if you feel your infection is not getting properly detected, please email your questions or concerns so support@thirtyseven4.com.  Our virus research team will review your email and contact you with further instructions. Please also feel free to email us any feedback after using this tool.  Your feedback is appreciated and may help others.


Tool:  Decrypt-CyptoLocker



Version:   1.0.0
Type:  Free
Download location:  Click here

Decrypting CryptoLocker Files--

Steps to decrypt CyptoLocker encrypted files:

1. Download the following CyptoLocker removal tool:
http://www.thirtyseven4.com/downloads/RestoreCryptor.zip 

2. Extract the tool onto the C:\ drive

3. Open a command prompt and navigate to the C:\ prompt (ie cd c:\)

4. Type in the following command: RestoreCryptor.exe <path_to_corrupt_folder> <path_to_a_destination_folder>

The tool "RestoreCryptor" works as follows:

- Decrypt files having the file types .pdf, .doc, .docx, .xls, .xlsx, .pptx, and .jpg

- Decrypt those files encrypted with specific CyptoLocker algorithms.

* Variations of CyptoLocker surface daily so the tool is continually updated against the latest algorithms, however, because of this some newer encryption algorithms may not yet be included in this tool.


Tool:  DNSChanger



Version:   1.0.0
Type:  Free
Download location:  Click here

The DNSChanger tool has been created to allow users to easily verify if their systems DNS Settings have been modified by the malware, DNSChanger.


Tool:  Bootkitrm



Version:   1.0.0.3
Type:  Free
Download location:  Click here

The Bootkitrm tool has been created to detect the presence of TDS/TDL4 infected MBR.  If detected, the tool will allow for proper cleaning


Tool:  Rmnecurs



Type:  Free
Download location:  Click here

Rmnecurs is a helpful tool to remove the Trojan.Necurs infection.

Symptoms of a Necurs infection include:-
* Upon installation of Thirtyseven4 on an already  infected system, network or Internet connection is not available.
* Thirtyseven4 Virus Protection and other antivirus protection suites are disabled.

Following these steps to execute the tool:-
* Download the Removal tool to a temporary location. e.g. C:\Temp
* Execute the Removal tool. (In case of Windows Vista and above run the tool as Administrator.)
* If the infection is found, it will ask to restart the system.
* After the restart, perform a memory scan using an updated Thirtyseven4 AntiVirus version.
 
Memory scanner will detect the %WinDir%\installer\{***}\syshost.exe file and remove it.
* Scan Windows folder with Thirtyseven4