Three years ago I wrote about CaSIR, a very useful small and portable tool that has helped me remove many stubborn virus infections (especially Brontok and some unknown variants) with a single click from computers where the antivirus had failed to remove them. All I need to do is run it from my portable USB drive and click the Start button. Back then, when CaSIR was at version 2, it was shareware costing USD 14.95 and was limited to running on a single computer, since the license was machine dependent.
I revisited the website of Sergiwa (the author of CaSIR) today and found that CaSIR is now freeware. Everyone can now use CaSIR on any computer without limitations. CaSIR takes merely a few seconds to scan because it only checks the areas where malware mostly hides and cleans them. Once the infection has been removed, I can then use other tools to further clean up any traces of the malware.
CaSIR uses generic but robust techniques to recognize and remove the illegitimate services, processes, scripts, autorun entries and registry keys frequently used by these infectors. You can also easily update the CaSIR definitions by clicking the Update button in the software.

Anti-malware software such as SUPERAntiSpyware, Malwarebytes’ Anti-Malware (MBAM) and NoVirusThanks Malware Remover detects better in normal Windows mode, when the malware is active, than in Safe Mode, when the malware is dormant. The same applies to CaSIR, so you need to run it in normal Windows mode.
CaSIR used to have a couple of detections when scanned on VirusTotal (rest assured they are false positives), but now it has only 1 out of 43, which is from AVG. False detections are a headache for legitimate software developers, so I have submitted a false positive report to AVG to get them to fix their virus definitions, hopefully making CaSIR 0/43 soon. CaSIR works on Windows XP, Windows Vista and Windows 7.

VirusTotal gave 3 warnings as follows for Version 4.0 of this program:
1) Jiangmin 13.0.900 2011.09.02 Trojan/JboxGeneric.nj
2) McAfee 5.400.0.1158 2011.09.03 New Malware.d
3) McAfee-GW-Edition 2010.1D 2011.09.02 New Malware.d
Since the program demands full access to a computer, it is important to find out whether these are false positives or not.
@Issam Sergiwa
I am unable to run this utility. After I updated it, whenever the exe file is clicked it opens up a Notepad with some foreign language. I have downloaded it many times but the result is the same. Any suggestions please…
@Issam Sergiwa
I think you should display a warning exactly explaining the “infection” including files/registry entries involved, and give the user an option to accept or decline.
@ilev
Based on your report, only one “infection” was found, that is:
Default startup folder infection
You know, some malware use a trick to load themselves every time Windows starts by changing the default startup folder to their own and then putting themselves in that folder. CaSIR is trying to help by changing this back to the default, because it is very suspicious for it not to be the default, but since this is causing complaints, I think I will ignore it in the next version.
Thank you for your feedback
@Issam Sergiwa
According to your post above:
CaSIR does not blindly remove the infections. When CaSIR finds an “infection” on your computer, he shows up the infection in the following way:
XXX – YYY
XXX: is the type of the infection found
YYY: is the infection itself.
I didn’t get any warning, but the end result of CaSIR’s report was:
Phase No. 0
CaSIR v3.8 Status for user ilanlev (Administrator) :: Active Drive: C:
On: 31/07/2011 11:23:17 – CaSIR definitions file date : 30/07/2011
Total number of targets: 156
Found AND Processed: 0
==============================================
RKD – Default startup folder infection
Infection removed!
==============================================
Phase No. 1
CaSIR v3.8 Status for user ilanlev (Administrator) :: Active Drive: C:
On: 31/07/2011 11:24:19 – CaSIR definitions file date : 30/07/2011
Total number of targets: 156
Found AND Processed: 1
==============================================
==============================================
Phase No. 2
CaSIR v3.8 Status for user ilanlev (Administrator) :: Active Drive: C:
On: 31/07/2011 11:24:27 – CaSIR definitions file date : 30/07/2011
Total number of targets: 156
Found AND Processed: 0
I don’t have and never had any infection in the last 10 years on my XP, and I didn’t get any type of explanation regarding the “infection” found or which registry key has been deleted.
What is missing, and is a built-in feature in many registry cleaning applications, is the option to back up and recover deleted registry entries.
I tried running the app under Win 7 64-bit and the software was able to load perfectly, even with Microsoft AV on,
but when I tried on my laptop with Windows XP 32-bit it keeps showing that there’s no definition file found,
although I already copied the whole folder onto my computer.
Anyone facing the same problem?
I ran the app once and got “RKD – Default startup folder infection
Infection removed!”
I don’t like an app that doesn’t explain exactly what is wrong and doesn’t give an option to skip the changes.
Could not find any download page…
Anyone please provide me with the link.
I have tried from the Raymond link
but only got a 27 KB zip file, that’s all.
For all people who face the problem of getting stuck on the logon screen or getting into an infinite loop of logging on and off, this is because they don’t read the instructions. Please, and for the last time, make sure you are an administrator, UAC is OFF and no security tool (antivirus/firewall) is blocking CaSIR.
In case you didn’t read the instructions and you faced this problem, please do not reformat your system. The solution is very easy and it’s on the download page of CaSIR, but I will put it here too:
When the empty desktop appears, press the CTRL+ALT+DEL keys to bring up the Task Manager. In the Task Manager click the File menu and select New task, then type “regedit” and press Enter. Now go to the following registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
In the right panel you will see the registry entry called Userinit. Double click it and change its value to: “Userinit.exe”, then press Enter, then restart your computer.
This will solve the problem. But please, next time do not run CaSIR unless you have full administrator rights and UAC is set to OFF, and make sure CaSIR is in your antivirus/firewall whitelist.
Thank you
@Lone Wolf
v3.5 had a bug that took you to a different software instead of CaSIR’s page; that’s why I updated it. CaSIR is FREE and will remain FREE.
Thank you
@willie
CaSIR is not 100% compatible with 64 bit systems, please read the instructions before you judge.
Thank you
My computer went into a log-on and log-off loop problem, and after all my tries I had to reformat my OS (XP), and installing all applications cost me one day’s work. Previously I didn’t have any problem at all (I use KIS-2011).
SORRY RAY!!!
Here is the report:
==============================================
Phase No. 0
CaSIR v3.5 Status for user Sundarajan (Administrator) :: Active Drive: C:
On: 7/30/2011 9:34:57 PM – CaSIR definitions file date : 14/07/2011
Total number of targets: 156
Found AND Processed: 0
==============================================
RKM – Disabled Show System Files/Folders restriction
Infection removed!
RKM – Disabled Show System Files/Folders restriction
Infection removed!
SFL – IM-Worm.Win32.Sohanad
Infection removed!
RKD – Default startup folder infection
Infection removed!
==============================================
Phase No. 1
CaSIR v3.5 Status for user Sundarajan (Administrator) :: Active Drive: C:
On: 7/30/2011 9:35:29 PM – CaSIR definitions file date : 14/07/2011
Total number of targets: 156
Found AND Processed: 4
==============================================
==============================================
Phase No. 2
CaSIR v3.5 Status for user Sundarajan (Administrator) :: Active Drive: C:
On: 7/30/2011 9:35:39 PM – CaSIR definitions file date : 14/07/2011
Total number of targets: 156
Found AND Processed: 0
==============================================
Don’t waste your time with this CaSIR. My computer freezes after it removed something on my system (Win7 64-bit Ultimate), all my games crash and now I have to reformat my OS.
@Joe: Go to the official CaSIR download page and download the latest 3.9. Still free, and I’m not seeing anywhere that says I have to pay.
Only v3.5 is free. If you want to update the defs (3.9, it says, once the defs are updated, even though the download page only shows 3.5 as the latest) you have to pay. Just a nice trial, not freeware as Raymond mentioned. Thanks.
@Starlight …. RESPECTS for your humble follow-up !!!!
Hi! I updated the CaSIR definitions today and after that it stopped working. Any explanation please?
Downloaded version 3.5 through Ray’s link. Tried updating. Everything went fine. Now it says this version is obsolete as version 3.9 is released. “DO YOU WANT TO UPDATE NOW?” Of course yes, as it won’t cost me anything. But alas, it takes me to a webpage which links to RRT V.6.5.0.2, for which I have to pay?
LOL. Thanks for this ‘FREEWARE’. No wonder they often detect this as malware. @Issam, you just can’t be straight!
@Starlight
No problem. How brave and honest you are to come back and clear things up; many other users just create the “scareware scenario” and then go!
Thank you VERY much.
With reference to my previous post at #10, I went back and reread the instructions, followed them to the letter, disabled UAC, gave CaSIR admin permissions and it worked like a dream this time!
My apologies to one and all, especially the developer, Issam Sergiwa, for my leapfrogging ahead without paying full attention and creating a scareware scenario through my lack of proper attention to detail.
Yes, CaSIR did change a couple of minor settings which I have no problem resetting easily and gratefully, because it also found 5 annoying infections that have been causing me problems by changing settings on my PC for some time now.
Needless to say, Mr Issam Sergiwa, your program did remove them and my PC is clean and working fine again now.
Thank you so much for this freeware, and once again my apologies for my mistakes.
Yours respectfully
Starlight
Ziggy, you are welcome. If Raymond allows me, regarding the false positives issue, I would like to refer you to this interesting story; it says it all.
sergiwa.com/modules/news/article.php?storyid=25
My regards
Thanks Issam for explaining!
@Lone Wolf
I would like to add something. I highly advise all computer users to always maintain the following three settings as advised:
- NEVER hide Hidden Files and Folders and drives
- NEVER hide extensions for known file types
- NEVER hide protected operating system files
These three settings are the most common tricks malware use to spread, and that’s why CaSIR says there are “infections” when he detects that these settings are not set as advised above. And when he does that, he does not mislead you; he’s just trying to tell you that “what leads to infection IS infection”. He just cuts it short without boring you with technical details of how malware use them to spread.
Hope that helps
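As an added example (not CaSIR’s code, and not part of the thread), the check below reads the three Explorer settings the comment above advises and reports any that deviate. The registry path and value meanings are assumed from documented Windows behaviour; the sample dictionary is constructed so the audit logic runs anywhere, while the registry reader only works on Windows.

```python
from typing import Dict, List, Optional

# Assumed registry location and value semantics (documented Windows behaviour):
# HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
#   Hidden          1 = show hidden files/folders/drives, 2 = do not show them
#   HideFileExt     0 = show extensions, 1 = hide extensions for known file types
#   ShowSuperHidden 1 = show protected operating system files, 0 = hide them
ADVANCED_KEY = r"Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"

# (value name, advised value, what a deviation means)
ADVISED = (
    ("Hidden", 1, "hidden files, folders and drives are not shown"),
    ("HideFileExt", 0, "extensions for known file types are hidden"),
    ("ShowSuperHidden", 1, "protected operating system files are hidden"),
)

def audit_explorer_settings(values: Dict[str, Optional[int]]) -> List[str]:
    """Return one finding per setting that deviates from the advised state.
    A missing value (None) is reported too, since the advised state cannot
    be confirmed from the registry alone."""
    findings = []
    for name, advised, meaning in ADVISED:
        actual = values.get(name)
        if actual != advised:
            findings.append(f"{name}={actual!r} (advised {advised}): {meaning}")
    return findings

def read_explorer_settings() -> Dict[str, Optional[int]]:
    """Read the three values from HKCU on Windows; all None on other platforms."""
    result: Dict[str, Optional[int]] = {name: None for name, _, _ in ADVISED}
    try:
        import winreg           # Windows only
    except ImportError:
        return result
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, ADVANCED_KEY) as key:
        for name in result:
            try:
                data, kind = winreg.QueryValueEx(key, name)
            except FileNotFoundError:
                continue        # value absent: stays None and gets reported
            if kind == winreg.REG_DWORD:
                result[name] = int(data)
    return result

if __name__ == "__main__":
    # Constructed sample of a machine where all three settings were flipped.
    sample = {"Hidden": 2, "HideFileExt": 1, "ShowSuperHidden": 0}
    for finding in audit_explorer_settings(sample):
        print("FINDING:", finding)
```

On a real Windows machine, pass `read_explorer_settings()` to `audit_explorer_settings` instead of the constructed sample.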
Thanks RAY………….
Thanks Raymond. Thanks also to Sergiwa for contributing.
@Ziggy
As Raymond said, false detections are a headache for legit software developers. I used to contact Symantec and every time they fixed their mistake, but once I publish a new version they flag it falsely again. I have nothing to do, they make the mistakes and we pay the bills!
@Lone Wolf
CaSIR does not blindly remove the infections. When CaSIR finds an “infection” on your computer, he shows up the infection in the following way:
XXX – YYY
XXX: is the type of the infection found
YYY: is the infection itself
XXX has 9 different keywords:
RNP : Running Process
GFL : Group of Files
SFL : Single File
GFD : Group of Folders
SFD : Single Folder
RKM : Registry Key to be Modified
RKD : Registry Key to be Deleted
RKA : Registry Key to be Added
RSO: Regular System Optimization
But you are right, CaSIR is mainly for noobs, because they don’t care what CaSIR did if they trust me and the result is that their machine is running again. Please remember one important thing: CaSIR is not for normal malware. When your computer is infected with a stubborn virus that CaSIR is intended to remove, your computer becomes nearly unusable, and then you don’t really care about too many logs.
But CaSIR is for experts too, like Raymond and me, because CaSIR saves you time. I used to be like you; my job was to repair infected computers. I got tired of this job, so I automated all my manual routine procedures and made CaSIR. It’s an automation of my steps: if you run CaSIR on a computer, it is like giving that computer to me to repair. The difference is that CaSIR does the job for me when I’m not there :)
Thank you for your comments
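As an added example (not CaSIR’s code, and not part of the thread), the parser below reads the report format quoted in this thread, decodes the “XXX – YYY” lines with the nine type codes listed above, and pulls out the registry changes a user would want backed up first, which is what ilev asked for earlier. The sample report is constructed from the format of the logs posted here, not a real run; the regular expressions assume the exact line shapes shown in those logs.

```python
import re
from dataclasses import dataclass, field
from typing import List
TYPE_CODES = {  # the nine "XXX" keywords listed in the comment above
    "RNP": "Running Process", "GFL": "Group of Files", "SFL": "Single File",
    "GFD": "Group of Folders", "SFD": "Single Folder",
    "RKM": "Registry Key to be Modified", "RKD": "Registry Key to be Deleted",
    "RKA": "Registry Key to be Added", "RSO": "Regular System Optimization",
}
PHASE_RE = re.compile(r"^Phase No\. (\d+)$")
PROCESSED_RE = re.compile(r"^Found AND Processed: (\d+)$")
ITEM_RE = re.compile(r"^([A-Z]{3}) [\u2013-] (.+)$")   # the "XXX – YYY" line

@dataclass
class Item:
    code: str                 # XXX
    category: str             # meaning of XXX, from TYPE_CODES
    description: str          # YYY
    removed: bool = False     # followed by "Infection removed!"

@dataclass
class Phase:
    number: int
    processed: int = 0        # "Found AND Processed" count in the phase header
    items: List[Item] = field(default_factory=list)

def parse_report(text: str) -> List[Phase]:
    """Split a CaSIR status report into phases and the items each phase lists."""
    phases: List[Phase] = []
    for raw in text.splitlines():
        line = raw.strip()
        if m := PHASE_RE.match(line):
            phases.append(Phase(int(m.group(1))))
        elif not phases or not line or set(line) == {"="}:
            continue              # separator lines and anything before phase 0
        elif m := PROCESSED_RE.match(line):
            phases[-1].processed = int(m.group(1))
        elif m := ITEM_RE.match(line):
            phases[-1].items.append(Item(m.group(1), TYPE_CODES.get(m.group(1), "Unknown"), m.group(2)))
        elif line == "Infection removed!" and phases[-1].items:
            phases[-1].items[-1].removed = True
    return phases

def registry_changes(phases: List[Phase]) -> List[Item]:
    """Items that touched the registry (RKM/RKD/RKA): the entries a user would
    want backed up beforehand, as commenter ilev asks for earlier in the thread."""
    return [i for p in phases for i in p.items if i.code.startswith("RK")]

# Constructed sample in the format of the logs quoted in this thread (not a real run).
SAMPLE = """\
Phase No. 0
CaSIR v3.5 Status for user JEAN (Administrator) :: Active Drive: C:
Found AND Processed: 0
==============================================
RKM – Disabled Show System Files/Folders restriction
Infection removed!
SFL – IM-Worm.Win32.Sohanad
Infection removed!
==============================================
Phase No. 1
Found AND Processed: 2
"""
```

Running `parse_report(SAMPLE)` gives two phases, the first with two removed items, and `registry_changes` returns only the RKM entry.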
Excellent post!
Thanks for the real picture, Jean. I would not recommend this program unless you are a total n00b who has no idea what ‘infections’ are. Informed people would like to see where the infection lies, to get more info or get protected in future. This one just tells you that you are infected and you have no control over what happens next, other than depending blindly on the author. @Issam, you might have good intentions, but as a person who repairs/fixes multiple PCs a day, I am forced to consider your app as scareware (at least in the past, when it was paid). No comments on the freeware, as I have no intention of trying it.
Thanks!
Thanks for the tip Raymond!
Unfortunately, as I ran the program the first time after installing it (to my flash drive), NIS removed it because of “suspicious behavior”. I know it may be a false positive, but I have quite a few similar portable security tools that don’t get any trouble from NIS.
I see Issam Sergiwa, the developer, in the comments. If you’re still here, could you please sort it out with Norton? Probably there’s a channel for developers to get their software reviewed in such cases.
@Starlight
Thank you for your feedback
In the download page of CaSIR you read:
“Important notes: Since CaSIR is a security software that deals with your file system, your system registry and your running processes and services, it MUST be given all the rights it demands in order to remove any infection…”
It’s clear that you ran CaSIR while you have either UAC set to ON or you have no administrator rights, or both.
Thanks Raymond – This is one I had never heard of before. Some of the early responses from contributors are a little worrying however – though early intervention by the author is commendable. Sounds like one of those common scenarios that occur so often with McAfee / Norton products (things go pear-shaped for a few users due to incorrect use by the user or a strange system setup on the PC in question) – so I shall watch for further comments and observations with great interest. I confess I raised one eyebrow when I saw the Libyan connection but hey ho, we all have to overcome preconceived notions in life?
DO NOT DOWNLOAD THIS!! AS SOON AS I CLICK THIS SHIT, ALMOST DESTROYED MY PC!!!
@Jeanjean: Thanks for that. I was about to download.
Thanx bud!
On your recommendation I tried this, and when I started it, it told me it needed to restart my PC to work in shell mode to remove infections.
When it restarted it told me I had to sign in as Administrator and disable User Account Control. I was already signed in as an administrator, so I don’t get that, but more importantly, I click OK and another screen comes up with the same info; I click OK and another screen with the same info appears. I click OK and it restarts and goes into a loop showing the same 3 screens again about the administrator and UAC stuff.
I start the Task Manager and end the CaSIR application process and then restart via the Task Manager, and it does the same thing again and again.
The only way I got back in was to press F11 (System Recovery) at startup and do a system restore!!!
So I am none too pleased with this and suspicious about using it again.
Thank you Raymond for this input, it’s highly appreciated.
@Jeanjean
Based on your log, CaSIR didn’t find any serious infections.
CaSIR restored the icons of “My Documents”, “My Computer” and the “Trash Can” to the default icons because there’s a stubborn virus called Ahsan-Virus that changes these icons to humiliating images of George W. Bush, and there’s no manual way to change them back to the default, and no automated way to restore your customized icons, as Ahsan-Virus deletes them. CaSIR thinks he’s helping, but you are right, he should have warned you first. But please pardon him; changing the icons to the default is not a disaster! Sorry though.
Other than this, there’s no “harmful side effects” of using CaSIR on clean machines.
Thank you
Issam Sergiwa
CaSIR Author
Agree with Jean. Though I have no doubts about the usefulness of this proggy, infections found are not always infections. And it offers the user no choice but to remove them all, irrespective of whether you like it or not. For example, hiding extensions or folders were removed as infections when I used it the last time. But having said that, a very good program for someone who is infected and doesn’t mind the changes it makes. Thanks to Ray and Issam S.
The WinRAR file seems to be corrupted. Whenever I download and try to extract it, I am getting the message “unexpected end of archive. File may be corrupted/damaged.”
Can you please guide me?
Thanks and regards,
Thanks Raymond, always good to have extra protection.
@Jeanjean:
Thank you very much for the info about the reboot and the cleaning of things without warning.
It is written on the program webpage, but anyway, as you said, if you want to use it “just to be sure”, it is not a good thing to reboot when you’re doing other stuff on your PC.
Result of the scan of my PC:
==============================================
Phase No. 0
CaSIR v3.5 Status for user JEAN (Administrator) :: Active Drive: C:
On: 29/07/2011 9:37:04 – CaSIR definitions file date : 14/07/2011
Total number of targets: 156
Found AND Processed: 0
==============================================
RKD – Default startup folder infection
Infection removed!
==============================================
Phase No. 1
CaSIR v3.5 Status for user JEAN (Administrator) :: Active Drive: C:
On: 29/07/2011 9:38:34 – CaSIR definitions file date : 14/07/2011
Total number of targets: 156
Found AND Processed: 1
==============================================
==============================================
Phase No. 2
CaSIR v3.5 Status for user JEAN (Administrator) :: Active Drive: C:
On: 29/07/2011 9:38:40 – CaSIR definitions file date : 14/07/2011
Total number of targets: 156
Found AND Processed: 0
==============================================
Not very clear on what it found, right?!
After reboot, the icons of “My Documents”, “My Computer” and the trash have returned to the default.
Because it removes without warning, I would recommend this software only to those who are sure to have an infection.
Am I right ?
Thank you for this nice surprise! I also found out that they made their original product free too! Years ago, I used sergiwa.com/modules/mydownloads/singlefile.php?cid=2&lid=1 RRT Sergiwa Antiviral Toolkit on all systems to keep them safe from modifications to system security settings. It was a pain in the ass to get it illegally, so this change is NICE :) I like!
Finally an interesting read.
Thanks for the update.
Thanks for the tip Raymond !