Virus Removal Resources
These are tools to remove severe malware infestations that may interfere with the ability of ZoneAlarm products to properly install and function.
Designed for technical users. These utilities were created by our anti-malware engine provider, Kaspersky Lab. Check "More Information" links for instructions. If you have further questions, contact Kaspersky Lab's virus analysts at newvirus@kaspersky.com, or go to virus-related issues forum.
Utility
What it does
Command line
Rescue Disk
Rescue Disk for operating system or anti-virus solution failure.
none
Use the Rescue Disk (iso image) when a computer is so damaged that the operating system or anti-virus solution fails to launch correctly.

Rescue Disk is a Linux-based .iso image that includes the following:
  • system and configuration Linux files
  • a set of utilities to diagnose the system
  • a set of additional utilities (file manager etc)
  • Rescue Disk files
  • Anti-virus databases files
none
AVZ
Analyzes and disinfects new malware
none
Downloads new anti-virus databases, scans your system, removes infected files and creates a report with results.
none
klwk.com
Detects and removes malware View list
View command lines
  • I-Worm.Zafi.b
  • I-Worm.Bagle.at,au,cx-dw
  • Virus.Win32.Implinker.a
  • Not-a-virus.AdWare.Visiter
  • Trojan.Win32.Krotten
  • Email-Worm.Win32.Brontok.n
  • Backdoor.Win32.Allaple.a
  • Trojan-Spy.Win32.Goldun.mg
  • Email-Worm.Win32.Warezov
  • Virus.Win32.VB.he
  • IM-Worm.Win32.Sohanad.as
  • P2P-Worm.Win32.Malas.b
  • Virus.Win32.AutoRun.acw
  • Worm.Win32.VB.jn
  • Trojan.Win32.KillAV.nj
  • Worm.Win32.AutoRun.cby
  • Trojan.Win32.Agent.aec
  • Net-Worm.Win32.Rovud.a-c
  • Worm.Win32.AutoRun.dtx
  • Worm.Win32.AutoRun.hr
  • Backdoor.Win32.Agent.lad
  • Backdoor.Win32.Small.cyb
  • Trojan-Spy.Win32.Zbot.dlh
  • Rootkit.Win32.Ressdt.br
  • Worm.Win32.AutoRun.lsf
  • Worm.Win32.AutoRun.epo
  • Worm.Win32.AutoRun.enw
  • Worm.Win32.AutoRun.pwi
  • Worm.Win32.AutoRun.pfh
  • Worm.Win32.AutoRun.qhk
  • Worm.Win32.AutoRun.ouu
  • Worm.Win32.AutoRun.bnb
  • Worm.Win32.AutoRun.ll
  • AdWare.Win32.Cinmus.sxy
  • Trojan.Win32.Autoit.eo
  • Worm.Win32.AutoRun.sct
  • Worm.Win32.AutoRun.qkn
  • Trojan-Ransom.Win32.Taras.a
  • Trojan-Dropper.Win32.Agent.ztu
  • Worm.Win32.Autorun.qpa
  • Net-Worm.Win32.Kido.j
  • Worm.Win32.Autorun.dcw
  • Trojan.Win32.Feedel.gen
  • Trojan.Win32.Pakes.mak
  • Net-Worm.Win32.Kido.r
  • Net-Worm.Win32.Kido.t
  • Worm.VBS.Autorun.cq
  • Worm.Win32.Pinit.ac
  • Worm.Win32.Pinit.ae
  • Worm.Win32.Pinit.af
  • Worm.Win32.Pinit.gen
  • Net-Worm.Win32.Kido.bw
  • Net-Worm.Win32.Kido.db
  • Net-Worm.Win32.Kido.fk
  • Net-Worm.Win32.Kido.fx
  • Net-Worm.Win32.Kido.fo
  • Net-Worm.Win32.Kido.s
  • Net-Worm.Win32.Kido.dh
  • Net-Worm.Win32.Kido.ee
  • Net-Worm.Win32.Kido.gh
  • Net-Worm.Win32.Kido.fa
  • Net-Worm.Win32.Kido.gy
  • Net-Worm.Win32.Kido.ca
  • Net-Worm.Win32.Kido.by
  • Net-Worm.Win32.Kido.if
  • Net-Worm.Win32.Kido.eo
  • Net-Worm.Win32.Kido.bx
  • Net-Worm.Win32.Kido.bh
  • Net-Worm.Win32.Kido.bg
  • Net-Worm.Win32.Kido.ha
  • Net-Worm.Win32.Kido.hr
  • Net-Worm.Win32.Kido.da
  • Net-Worm.Win32.Kido.dz
  • Net-Worm.Win32.Kido.cg
  • Net-Worm.Win32.Kido.eg
  • Net-Worm.Win32.Kido.eq
  • Net-Worm.Win32.Kido.bz
  • Net-Worm.Win32.Kido.do
  • Net-Worm.Win32.Kido.fw
  • Net-Worm.Win32.Kido.du
  • Net-Worm.Win32.Kido.cv
  • Net-Worm.Win32.Kido.dv
  • Net-Worm.Win32.Kido.dq
  • Net-Worm.Win32.Kido.ed
  • Net-Worm.Win32.Kido.em
  • Net-Worm.Win32.Kido.bo
  • Net-Worm.Win32.Kido.bk
  • Net-Worm.Win32.Kido.bm
  • Net-Worm.Win32.Kido.cs
  • Net-Worm.Win32.Kido.ia
  • Net-Worm.Win32.Kido.gg
  • Worm.Win32.FlyStudio.bh
  • not-a-virus:FraudTool.Win32.XPSecurityCenter.c
  • not-a-virus:Downloader.Win32.VistaAntivirus.a
  • not-a-virus:FraudTool.Win32.UltimateAntivirus.an
  • not-a-virus:FraudTool.Win32.UltimateAntivirus.ap
  • not-a-virus:AdWare.Win32.Cinmus.wsu
  • not-a-virus:FraudTool.Win32.UltimateDefender.cm
  • Trojan-Downloader.Win32.Todon.an
  • Trojan-Downloader.Win32.Losabel.ap
  • Trojan-Downloader.Win32.Agent.Apnd
  • Trojan.Win32.ConnectionServices.x-aa
  • Trojan-Downloader.Win32.Agent.wbu
  • Trojan-Downloader.Win32.Small.abpz
  • Backdoor.Win32.UltimateDefender.a
  • Worm.Win32.AutoRun.czz,daa,dhq,dfx


  • /s - to force scanning of hard drives. Program will scan hard drives for infection in any case.
    /n - to force scanning of mapped network drives.
    /path - to force scanning specified path
    /y - end program without pressing any key.
    /i - show command line info.
    /nr - do not reboot system automatically in any case.
    /Rpt[a][o][=] - create report file
    a - add report file
    o - report only (do not cure/delete infected files)
    clrav.com
    Detects and removes malware View list
    View command lines
  • I-Worm.BleBla.b
  • I-Worm.Navidad
  • I-Worm.Sircam
  • I-Worm.Goner
  • I-Worm.Klez.a
  • I-Worm.Klez.e
  • I-Worm.Klez.f
  • I-Worm.Klez.g
  • I-Worm.Klez.h
  • Win32.Elkern.c
  • I-Worm.Lentin.a
  • I-Worm.Lentin.b
  • I-Worm.Lentin.c
  • I-Worm.Lentin.d
  • I-Worm.Lentin.e
  • I-Worm.Lentin.f
  • I-Worm.Lentin.g
  • I-Worm.Lentin.h
  • I-Worm.Lentin.i
  • I-Worm.Lentin.j
  • I-Worm.Lentin.k
  • I-Worm.Lentin.l
  • I-Worm.Lentin.m
  • I-Worm.Lentin.n
  • I-Worm.Lentin.o
  • I-Worm.Lentin.p
  • I-Worm.Tanatos.a
  • I-Worm.Tanatos.b
  • I-Worm.Win32.Opasoft.a
  • I-Worm.Win32.Opasoft.b
  • I-Worm.Win32.Opasoft.c
  • I-Worm.Win32.Opasoft.d
  • I-Worm.Win32.Opasoft.e
  • I-Worm.Win32.Opasoft.f
  • I-Worm.Win32.Opasoft.g
  • I-Worm.Win32.Opasoft.h
  • I-Worm.Win32.Opasoft.i
  • I-Worm.Win32.Opasoft.j
  • I-Worm.Win32.Opasoft.k
  • I-Worm.Win32.Opasoft.l
  • I-Worm.Win32.Opasoft.m
  • I-Worm.Win32.Opasoft.n
  • I-Worm.Win32.Opasoft.o
  • I-Worm.Win32.Opasoft.p
  • I-Worm.Avron.a
  • I-Worm.Avron.b
  • I-Worm.Avron.c
  • I-Worm.Avron.d
  • I-Worm.Avron.e
  • I-Worm.LovGate.a
  • I-Worm.LovGate.b
  • I-Worm.LovGate.c
  • I-Worm.LovGate.d
  • I-Worm.LovGate.e
  • I-Worm.LovGate.f
  • I-Worm.LovGate.g
  • I-Worm.LovGate.h
  • I-Worm.LovGate.i
  • I-Worm.LovGate.j
  • I-Worm.LovGate.k
  • I-Worm.LovGate.l
  • I-Worm.Fizzer
  • I-Worm.Magold.a
  • I-Worm.Magold.b
  • I-Worm.Magold.c
  • I-Worm.Magold.d
  • I-Worm.Magold.e
  • Worm.Win32.Lovesan
  • Worm.Win32.Welchia
  • I-Worm.Sobig.f
  • I-Worm.Dumaru.a
  • I-Worm.Dumaru.m
  • Trojan.Win32.SilentLog.a
  • Trojan.Win32.SilentLog.b
  • Backdoor.Small.d
  • I-Worm.Swen
  • Backdoor.Afcore.l
  • Backdoor.Afcore.ad
  • I-Worm.Sober.a
  • I-Worm.Sober.c
  • I-Worm.Mydoom.a
  • I-Worm.Mydoom.b
  • I-Worm.Mydoom.e
  • I-Worm.Torvil.d
  • I-Worm.NetSky.b
  • I-Worm.NetSky.d
  • TrojanDownloader.Win32.Agent.a
  • TrojanDownloader.Win32.Agent.j
  • I-Worm.Bagle.a
  • I-Worm.Bagle.j
  • I-Worm.Bagle.n
  • I-Worm.Bagle.r
  • I-Worm.Bagle.z
  • Worm.Win32.Sasser.a
  • Worm.Win32.Sasser.d
  • Worm.Win32.Sasser.f
  • Backdoor.Agent.ac
  • Trojan.Win32.StartPage.fw

  • /s[n] - to force scanning of hard drives. Program will scan hard drives for I-Worm.Klez.a(e,f,g,h) infection in any case.
    n - include scanning of mapped network drives.
    /y - end program without pressing any key.
    /i - show command line info.
    /nr - do not reboot system automatically in any case.
    /Rpt[a][o][=] - create report file
    a - add report file
    o - report only (do not cure/delete infected files)
    KL Anti-FunLove
    Disinfects worm Win32.FunLove
    View command lines
    Disinfects worm Win32.FunLove
    /i - to install programm.
    /u - to uninstall programm.
    /hide[i][s] - hide
    i - installation window
    s - work window
    Anti-Nimda
    Disinfects I-Worm.Nimda
    none
    Disinfects I-Worm.Nimda
    none
    Virus Removal Tool
    Remove all types of infections
    none
    Remove all types of infections from your computer.

    IMPORTANT: This tool conflicts with security software—you must uninstall it before you install ZoneAlarm.

    Designed for one-time use. Does not provide ongoing detection and removal.
    none
    KK
    Removes Conficker
    View command lines
    Removes Conficker (aka Downadup, Net -Worm.Win32.Kido)
    -p <Scan path> - scan a defined folder
    -f - scan hard disks
    -n - scan network disks
    -r - scan flash drives, scan removable hard disks connected via USB and Fire Wire
    -y - end program without pressing any key
    -s - silent mode (without a black window)
    -l <file_name> - write info into a log
    -v - extended log maintenance (the switch -v works only if the -l switch is entered in the command prompt)
    -j - restore the registry branch SafeBoot (if the registry branch is deleted, computer cannot boot in safe mode)
    -z - restore the services
    • Background Intelligent Transfer Service (BITS),
    • Windows Automatic Update Service (wuauserv),
    • Error Reporting Service (ERSvc/WerSvc)
    • Windows Defender (WinDefend),
    • Windows Security Center Service (wscsvc).
    -t - registry clean up from the services that remain after removing the network worm using Kaspersky Lab's products.
    -x - restore display of hidden system files
    -m - monitoring mode to protect the system from getting infected
    -a - disable auto start from all drives
    ZbotKiller
    Removes Trojan programs in the Trojan-Spy.Win32.Zbot family
    View command lines
    Removes Trojan programs in the Trojan-Spy.Win32.Zbot family
    -y - end program without pressing any key
    -s - silent mode (without a black window)
    -l <file_name> - write info into a log
    -v - extended log maintenance (should be entered with the -l switch)
    -help - show the list of all parameters
    TDSSKiller
    Removes malware in the family Rootkit.Win32.TDSS
    View command lines
    Removes malware in the family Rootkit.Win32.TDSS
    -l <file_name> - write info into a log
    -v - extended log maintenance (should be entered with the -l switch)
    -d - search for a specific malicious service name
    -o <file_name> - save a dump into the specified file. This dump is needed for analysis in case of problems with detection
    KatesKiller
    Removes malware in the family Trojan-PSW.Win32.Kates
    View command lines
    Removes malware in the family Trojan-PSW.Win32.Kates (also known as W32/Daonol)
    -y - end program without pressing any key
    -s - silent mode (without a black window)
    -l <file_name> - write info into a log
    -v - extended log maintenance (should be entered with the -l switch)
    SalityKiller
    Removes Virus.Win32.Sality.aa
    View command lines
    Removes Virus.Win32.Sality.aa
    -p <path> - scan a defined folder
    -n - scan network disks
    -r - scan flash drives, scan removable hard disks connected via USB and Fire Wire
    -y - end program without pressing any key
    -s - silent mode (without a black window)
    -l <file_name> - write info into a log
    -v - extended log maintenance (the switch -v works only if the -l switch is entered in the command prompt)
    -x - restore display of hidden system files
    -a - disable auto start from all drives
    -m - monitoring mode to protect the system from getting infected
    -q - scan the system and then go to monitoring mode
    -k - the utility will scan all disks, detect files autorun.inf created by the virus Virus.Win32.Sality and eliminate them. It will also delete the executable file linked by autorun.inf, even if such file has been already disinfected.
    Antiboot
    Removes Backdoor.Win32.Sinowal.deg
    View command lines
    Removes Backdoor.Win32.Sinowal.deg and some its modifications.
    -l <file_name> - write info into a log
    The utility generates boot sector dumps (MBR) of the disks infected with the malicious program.
    Dump file names are <file_name>.origmbrXX and <file_name>.curedmbrXX.
    The files *. origmbrXX contain original MBR copies (before disinfection).
    The files *.curedmbrXX contain cured MBR copies.
    The XX number depends on the hard disk drive location on PCI bus.
    -p <folder_name> - use it to create MBR dump files on all hard disk drives.
    VirutKiller
    Removes Virus.Win32.Virut.ce
    View command lines
    Removes Virus.Win32.Virut.ce
    -p - scan a defined folder.
    -n - scan flash data storage devices.
    -r - scan removable media.
    -y - when the utility finishes, its window will be closed.
    -s - silent mode (without a black window).
    -l <file_name> - write info into a log.
    -v - extended log maintenance (the switch -v works only if the -l switch is entered in the command prompt).
    XoristDecryptor
    Removes malware of the family Trojan-Ransom.Win32.Xorist
    View command lines
    Removes malware of the family Trojan-Ransom.Win32.Xorist
    -l <file_name> - write info into a log
    -y - close the window after the utility work is over.
    PMaxKiller
    Removes malware of the family Rootkit.Win32.PMax
    View command lines
    Removes malware of the family Rootkit.Win32.PMax
    -c <file_name> - reset DACL on the indicated file (in order to eliminate blocking of execution of legal processes by the malware).
    -d <file_name> - dump malicious driver into the file.
    -l <file_name> - write utility runtime log into the file.
    -v - output a detailed log (of used with key -l).
    Virus.Win32.Xpaj
    Disinfect a PC from Virus.Win32.Xpaj
    View command lines
    Disinfect a PC from Virus.Win32.Xpaj
    -l <file_name> - write log to the file.
    -v - detailed logging (must be used in combination with the parameter -l).
    -s ;- scan in "silent" mode (without opening console box).
    -y - when the utility finishes, its window will be closed.
    -p <folder_path> - scan a specific folder.
    -r - scan removable drives (flash), external USB and FireWire hard disks.
    -n - scan network drives.