
Probably you will not believe this, but many computer users do not have an antivirus program installed on their machines, or the installed program is not updated from the Internet on a regular basis, and they think they are immune from malware attacks. Even more dangerous, even with an effective and updated antivirus present, many users believe they are protected from malware attacks! In fact, they are wrong, and the result is that I receive a lot of machines that need to be fixed due to malware attacks, which costs the owners a lot of money they could have avoided spending. As a daily routine, when I start fixing any machine, I do a full scan with the latest updated versions of malware removal tools to eliminate the malware first, and then I reboot the machine, but every time I do that I find the same problem: the malware has applied many restrictions on the use of the machine to hide itself from detection. These restrictions are usually the following:

1 - Disable Folder Options: so the user cannot set the option to show hidden files!
2 - Disable Registry Tools: so the user cannot see what is going on during system startup!
3 - Disable Ctrl+Alt+Del: so the user cannot see the virus and the other applications through Task Manager!
4 - Disable Show hidden files & folders: so the user cannot see the malware bodies, which always come with the hidden attribute set to true!
5 - Disable Run Command: so the user cannot use it to run tools to track the virus and remove it.
6 - Disable Windows Firewall (SharedAccess): so the virus can send & receive any data through the network without the user noticing!
7 - Disable Windows Firewall (Wscsvc): so the virus can send & receive any data through the network without the user noticing!
8 - Disable Windows Firewall (Wuauserv): so the virus can send & receive any data through the network without the user noticing!

9 - Restrict Internet Explorer Home Page Changing: so the user cannot change the malicious web page set as the IE home page by the malware!
10 - Restrict Internet Explorer Closing: so the user cannot close the popup windows that appear when visiting the malicious web page or any other website!
11 - Hide Internet Options: so the user cannot change any Internet setting set by the malware!
12 - Hide Internet Explorer Address Bar: so the user cannot see what web page is being visited and what scripts are being executed!
13 - Restrict Internet Explorer Right Click: so the user cannot view the source of the page being visited.
14 - Hide Internet Explorer Navigation Buttons: so the user is forced to use keyboard shortcuts to navigate through web sites!
15 - Hide Internet Explorer Context Menu: so the user cannot access this menu and change settings.
16 - Hide Internet Explorer Toolbar: so the user cannot use it to remove malicious or unwanted toolbars installed by the malware.
17 - Disable Command Prompt (cmd.exe): so the user cannot run any console programs to remove the virus.
18 - Disable Control Panel: so the user cannot use the Control Panel applets.
19 - Hide system files/folders: so the user cannot see the malware bodies, which usually come with the system attribute set to true!
20 - Change Show Hidden files option button: so even if the user selects "Show hidden files and folders" from Folder Options, these files & folders will not be shown!
21 - Disable Show System files check box: so even if the user unchecks "Hide protected operating system files", these files & folders will not be shown!
22 - Disable Show all files/folders check: so changing this from Folder Options will be ignored!
23 - Hide Desktop items: to prevent the user from accessing My Computer and other desktop shortcuts!
24 - Hide file extensions: this is commonly used by malware to trick the user. By hiding common file extensions and giving the malware executable a folder icon, the user will not know he/she is starting a malicious program rather than opening an ordinary folder.

25 - Disable File Extensions Check: so changing this from Folder Options will be ignored!
26 - Restrict Windows Update: so the user cannot download security patches from the Microsoft website.
27 - Disable Shutdown Command: so the user cannot shut down the system normally.
28 - Restrict Settings Folders: just imagine when all items under Start menu > Settings do not run!
29 - Disable Taskbar context menu: you right click your taskbar. Oops; nothing happens!
30 - Disable Logoff Command: so the user cannot log off the current profile and use another profile.
31 - Hide Start Menu Logoff: so the user cannot use this shortcut to log off!
32 - Restrict Add/Remove Programs: so the user cannot see what applications and Windows components are installed, or uninstall/reinstall any application.
33 - File Extension Default: so the user cannot select "Hide extensions for known file types".
34 - No Windows Update: so the user cannot download security updates and other fixes for Windows.
35 - R-Media Malware (Removable Media Malware): this item indicates that a malicious object is trying to attack your computer through removable media; please see the details below.
36 - Hidden Drives: so the user cannot see any of the storage drives, although they can still use the RUN command to access and explore them.
37 - Restricted Drives: so the user can see but cannot access the drives, even by using the RUN command.
38 - No Search: so the user cannot search the file system using the Start menu item.
39 - No Display: so the user cannot access the Display Control Panel to change the display settings.
40 - Corrupted Safe Mode: so the user is forced to start the computer in normal mode, where the virus is always active.
41 - Execution Debugger: the user cannot install or run specific security tools and antivirus software to get rid of the virus.

42 - Windows Security Center: so the user cannot access many security settings.

Unfortunately, all antivirus software ignores these restrictions; it only deletes the malware bodies and leaves the remnants of the malware untouched, which used to take me a lot of time to remove manually (which of course translates into more money on the shoulders of the machine owner). Having long experience in computer maintenance and malware removal, and good experience in programming and managing automated tasks, I developed a little tool that removes all these restrictions simply with the click of a button. It has helped me a lot and saved me a lot of time and effort. Then I wanted this tool to benefit others, so I published it on the Internet for free. Since then, the number of users who have used the tool (at least once) all over the world has reached millions, whether they were normal users or computer maintenance experts. You are probably one of these millions; if you are not, this tool is:
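Most of the restrictions listed above live in well-known Windows registry locations, which is what makes them removable with one click. The following PowerShell script is an added example (it is not the toolkit's code and does not come from Sergiwa Software): it audits the documented policy values, Explorer view settings, service start values, Safe Mode keys and Image File Execution Options behind the numbered items, and can reset the value-based ones. The "clean" values are assumptions for a default workstation, and the service and Safe Mode checks cover items 6-8, 40 and 41. Run it from an elevated PowerShell (3.0 or later); it only reports unless you call Remove-Restriction.

```powershell
# Added example, not SAT/RRT code: audit (and optionally reset) the registry values
# behind the restrictions described in the manual. HKLM checks need administrator rights.

$PolSys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$PolExp = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$IEPol  = 'HKCU:\Software\Policies\Microsoft\Internet Explorer'
$Adv    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$Folder = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder'

# Each entry: registry path, value name, the value a clean machine has (assumed),
# and the manual's item number it corresponds to.
$Restrictions = @(
    @{ Path=$PolSys; Name='DisableRegistryTools'; Clean=0; Note='2 - Registry Tools disabled' },
    @{ Path=$PolSys; Name='DisableTaskMgr';       Clean=0; Note='3 - Task Manager (Ctrl+Alt+Del) disabled' },
    @{ Path=$PolExp; Name='NoFolderOptions';      Clean=0; Note='1 - Folder Options disabled' },
    @{ Path=$PolExp; Name='NoRun';                Clean=0; Note='5 - Run command disabled' },
    @{ Path=$PolExp; Name='NoControlPanel';       Clean=0; Note='18 - Control Panel disabled' },
    @{ Path=$PolExp; Name='NoDesktop';            Clean=0; Note='23 - Desktop items hidden' },
    @{ Path=$PolExp; Name='NoClose';              Clean=0; Note='27 - Shutdown command disabled' },
    @{ Path=$PolExp; Name='NoSetFolders';         Clean=0; Note='28 - Settings folders restricted' },
    @{ Path=$PolExp; Name='NoTrayContextMenu';    Clean=0; Note='29 - Taskbar context menu disabled' },
    @{ Path=$PolExp; Name='NoLogOff';             Clean=0; Note='30 - Logoff command disabled' },
    @{ Path=$PolExp; Name='NoDrives';             Clean=0; Note='36 - Drives hidden' },
    @{ Path=$PolExp; Name='NoViewOnDrive';        Clean=0; Note='37 - Drives restricted' },
    @{ Path=$PolExp; Name='NoFind';               Clean=0; Note='38 - Search disabled' },
    @{ Path="$IEPol\Control Panel"; Name='HomePage';             Clean=0; Note='9 - IE home page locked' },
    @{ Path="$IEPol\Restrictions";  Name='NoBrowserClose';       Clean=0; Note='10 - IE closing restricted' },
    @{ Path="$IEPol\Restrictions";  Name='NoBrowserOptions';     Clean=0; Note='11 - Internet Options hidden' },
    @{ Path="$IEPol\Restrictions";  Name='NoBrowserContextMenu'; Clean=0; Note='13 - IE right click restricted' },
    @{ Path='HKCU:\Software\Policies\Microsoft\Windows\System'; Name='DisableCMD'; Clean=0; Note='17 - Command Prompt disabled' },
    # Explorer view settings: a user may legitimately change these, so review before resetting.
    @{ Path=$Adv; Name='Hidden';          Clean=1; Note='4 - Show hidden files off (1 = show)' },
    @{ Path=$Adv; Name='ShowSuperHidden'; Clean=1; Note='19 - Protected system files hidden (1 = show)' },
    @{ Path=$Adv; Name='HideFileExt';     Clean=0; Note='24 - File extensions hidden (0 = show)' },
    # The Folder Options controls themselves: with CheckedValue tampered, ticking the box does nothing.
    @{ Path="$Folder\Hidden\SHOWALL"; Name='CheckedValue'; Clean=1; Note='20 - Show-hidden option button sabotaged' },
    @{ Path="$Folder\SuperHidden";    Name='CheckedValue'; Clean=0; Note='21 - Show-system-files check box sabotaged' }
)

function Get-Restriction {
    # Emit one object per restriction whose current value differs from the clean value.
    foreach ($r in $Restrictions) {
        $v = (Get-ItemProperty -Path $r.Path -Name $r.Name -ErrorAction SilentlyContinue).($r.Name)
        if ($null -ne $v -and $v -ne $r.Clean) {
            [pscustomobject]@{ Restriction=$r.Note; Key="$($r.Path)\$($r.Name)"; Value=$v; Clean=$r.Clean }
        }
    }
    # Items 6-8: the services are "disabled" when their Start value is 4.
    foreach ($svc in 'SharedAccess', 'wscsvc', 'wuauserv') {
        $start = (Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$svc" -Name Start -ErrorAction SilentlyContinue).Start
        if ($start -eq 4) { [pscustomobject]@{ Restriction="6-8 - service $svc disabled"; Key="Services\$svc\Start"; Value=4; Clean='not 4' } }
    }
    # Item 40: Safe Mode is "corrupted" when the SafeBoot driver lists have been deleted.
    foreach ($mode in 'Minimal', 'Network') {
        if (-not (Test-Path "HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\$mode")) {
            [pscustomobject]@{ Restriction="40 - Safe Mode ($mode) key missing"; Key="Control\SafeBoot\$mode"; Value='absent'; Clean='present' }
        }
    }
    # Item 41: a "Debugger" value under Image File Execution Options redirects the named
    # program to another one. Some legitimate tools use this too, so review each entry.
    $ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
    foreach ($k in Get-ChildItem -Path $ifeo -ErrorAction SilentlyContinue) {
        $dbg = (Get-ItemProperty -Path $k.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
        if ($dbg) { [pscustomobject]@{ Restriction="41 - debugger set for $($k.PSChildName)"; Key=$k.PSChildName; Value=$dbg; Clean='(none)' } }
    }
}

function Remove-Restriction {
    # Reset only the value-based restrictions from $Restrictions; supports -WhatIf / -Confirm.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    foreach ($r in $Restrictions) {
        $v = (Get-ItemProperty -Path $r.Path -Name $r.Name -ErrorAction SilentlyContinue).($r.Name)
        if ($null -ne $v -and $v -ne $r.Clean -and
            $PSCmdlet.ShouldProcess("$($r.Path)\$($r.Name)", "set to $($r.Clean)")) {
            Set-ItemProperty -Path $r.Path -Name $r.Name -Value $r.Clean -Type DWord
        }
    }
}

# Usage: review first, then reset with a dry run before doing it for real.
Get-Restriction | Format-Table -AutoSize
# Remove-Restriction -WhatIf
```

Policy values are per user, so run the audit under each affected profile (or load the other users' hives) to mirror the "current user and all users" behaviour the manual describes; the services, Safe Mode and debugger entries are machine-wide.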

After RRT had achieved great success and wide fame up to version 3.0, I decided to develop it further and make it able to defend computers against malware, not just remove the remnants of it; this is what actually happened. I developed version 4.0 of the tool and added new features to it; one of the most noticeable was (Removable Media Malware Defender). Since I noticed that most of today's malware spreads via removable media (flash disks in particular), I gave RRT the ability to monitor, block and remove any type of malware that uses flash disks to spread. RRT with AutoRemove enabled monitors your system in real time and detects any flash disk as soon as it is plugged into a USB port. The smart detection technique works in less than a few milliseconds; if it detects any infection on the flash disk, it blocks it and removes the infection before it does any harm to your computer. Again, after v4.0 had achieved great success and wide fame, I decided to add more features to it, so I merged it with other previous programs of mine, developed new programs and packaged all of them in one program, which I called: ( )
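The removable media defender described here (and again under feature 1 of the full version later in this manual) reacts to a drive being plugged in and inspects it before the user opens it. As an added example that is not the toolkit's code, the PowerShell below performs a defender-side inspection of one drive root for the tricks the manual mentions: an autorun.inf that would launch something, executables carrying the hidden attribute, and the folder-icon trick from item 24 (an .exe named like a folder on the same drive). It then hooks the Windows volume-arrival event so the check runs automatically. It only reports; nothing on the drive is opened or executed. The drive letter and the function names are mine; it needs PowerShell 3.0 or later, and the file should be dot-sourced so the functions are global and visible from the event action.

```powershell
# Added example, not SAT/RRT code: inspect a removable drive for the autorun tricks the
# manual describes, and react to drive-arrival events. Report only; nothing is executed.

function Test-RemovableDrive {
    param([Parameter(Mandatory = $true)][string]$DriveLetter)   # e.g. 'E:'
    $root = "$DriveLetter\"
    $findings = @()

    # 1. autorun.inf: the open=, shellexecute= and shell\...\command= keys name what
    #    AutoPlay would launch from the drive. Only the text is read.
    $inf = Join-Path $root 'autorun.inf'
    if (Test-Path -LiteralPath $inf) {
        foreach ($line in (Get-Content -LiteralPath $inf -ErrorAction SilentlyContinue)) {
            if ($line -match '^\s*(open|shellexecute|shell\\[^\\]+\\command)\s*=\s*(.+)$') {
                $findings += [pscustomobject]@{ Kind = 'autorun.inf launch key'; Detail = "$($Matches[1]) = $($Matches[2].Trim())" }
            }
        }
        if ($findings.Count -eq 0) {
            $findings += [pscustomobject]@{ Kind = 'autorun.inf'; Detail = 'present, no launch key found' }
        }
    }

    # 2. Executables in the drive root carrying the hidden attribute (the manual notes that
    #    malware bodies arrive with hidden/system attributes set).
    $exts  = '.exe', '.com', '.scr', '.pif', '.bat', '.cmd', '.vbs'
    $files = @(Get-ChildItem -LiteralPath $root -Force -File -ErrorAction SilentlyContinue)
    foreach ($f in $files) {
        if ($exts -contains $f.Extension.ToLower() -and ($f.Attributes -band [IO.FileAttributes]::Hidden)) {
            $findings += [pscustomobject]@{ Kind = 'hidden executable'; Detail = $f.Name }
        }
    }

    # 3. Folder-icon trick (item 24): an .exe whose base name matches a folder on the same drive.
    $dirNames = @(Get-ChildItem -LiteralPath $root -Force -Directory -ErrorAction SilentlyContinue | ForEach-Object { $_.Name })
    foreach ($f in $files) {
        if ($f.Extension -ieq '.exe' -and $dirNames -contains $f.BaseName) {
            $findings += [pscustomobject]@{ Kind = 'executable named like a folder'; Detail = $f.Name }
        }
    }
    return $findings
}

# Real-time part: Win32_VolumeChangeEvent with EventType 2 means a volume was just attached.
function Start-RemovableMonitor {
    Register-WmiEvent -Class Win32_VolumeChangeEvent -SourceIdentifier 'RemovableMonitor' -Action {
        $ev = $Event.SourceEventArgs.NewEvent
        if ($ev.EventType -eq 2) {
            $hits = Test-RemovableDrive -DriveLetter $ev.DriveName
            if ($hits) { Write-Host "Suspicious content on $($ev.DriveName): $(($hits | ForEach-Object { $_.Detail }) -join ', ')" }
            else       { Write-Host "$($ev.DriveName) looks clean" }
        }
    } | Out-Null
}

function Stop-RemovableMonitor {
    Unregister-Event -SourceIdentifier 'RemovableMonitor' -ErrorAction SilentlyContinue
}

# Usage:  . .\removable-check.ps1; Start-RemovableMonitor   (then plug a drive in)
#         Test-RemovableDrive -DriveLetter 'E:' | Format-Table -AutoSize   (one-off check)
```

A hit from this check is a reason to not open the drive from Explorer until it has been reviewed, which is the same advice the manual gives with its red warning line.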

SAT can be obtained in many ways; the fastest and easiest way is to download it from the Internet. All you need is to visit Sergiwa.com or point your browser directly to the download page of the product at this link: http://www.sergiwa.com/modules/mydownloads/singlefile.php?cid=2&lid=1 After the download completes, open the folder into which you downloaded the file and you will find the main program icon as shown in the following image:

Double-click this icon to run the program; once you run it, the following message box appears:

This message box tells you that you are using the free demo version of the program. It is a limited version that removes the remnants of malware and the restrictions applied by them, but it does not include the advanced features of the toolkit. This screen gives you the serial number of your copy, or so-called , and asks you, if you need the full version, to go to the purchase page and enter this serial number in the specified field. Note: the serial number above should be copied and pasted, not written by hand, in order to avoid errors. This is very important, because if you enter the wrong number in the order form you will receive the wrong license. Once you complete your order of the program by one of the payment methods described later, you will receive your license key, which makes your copy of the software run in FULL mode with all the features included. Note: after you purchase your copy of the full version, it will be locked to your computer only, meaning it will not work on any other computer; this protects your rights if someone attempts to steal your license information. If you need a copy that works on a specific or unlimited number of computers, or works as a shared application on your local network, contact sales@sergiwa.com Since you have not purchased the program yet, click .

If you click and you are connected to the Internet, the program will run and at the same time take you to the purchase page on our site, in case you decide to buy the program and get the full version. If you have not decided yet, simply close the purchase page and continue using the limited free DEMO version.

Difference between the free DEMO version and the paid FULL version: in the program's interface there is no apparent difference except in the main form caption. In the free version it reads: Sergiwa Antiviral Toolkit v6.5.0.2 *DEMO* and in the full version it reads: Sergiwa Antiviral Toolkit v6.5.0.2

By using the free limited version of the program you can remove the leftovers that malware leaves behind and remove the restrictions applied by malware, either one by one or all together with one click. When you run the demo version of the program, it notifies you as soon as it detects a restriction on your computer and enables the corresponding check box, flagged in red, so that you can select it and click button to remove it. If the program does not find any restriction on your computer it does not enable any check box, as doing so would make no sense.

Example: if a virus that previously infected your machine applied a restriction on the use of the Registry Editor, then when you try to open the Registry Editor by typing regedit at the command line, Windows shows the following message:

This message means that there is a restriction on the use of the Registry Editor and you cannot access it. To get rid of this problem, run and it will look like this:

As you can see in the above image, detected that the Registry Editor is restricted; therefore, the corresponding check box is enabled and flagged in red. To fix this problem, all you need to do is select the red check box and then press button to remove it. Once you press button you get the following message:

This means that has successfully removed the restriction on the use of the Registry Editor for the current user and all users who work on your computer, but you may need to restart your computer to complete the operation (usually not required). Now that has removed the restriction on the Registry Editor, you can type regedit at the command line to access the Registry Editor with full privileges. End of example. You can apply the above example to all the restrictions mentioned at the beginning of this document in the same way, and instead of removing the restrictions one by one, you can select all enabled check boxes by clicking button and then click button, and the program will remove all the restrictions it detects.

In some cases you may want some restrictions to be excluded from monitoring. For example, suppose you want the software to monitor your system but ignore the Show hidden files and folders restriction. In this case, just click the Ignore option button beside that restriction's check box, as shown in the following image:

You can do this with all the restrictions you want to ignore. You can also do this with Removable Media Malware detection by clicking the R-Media Malware Ignore option button; in this case the software will no longer monitor your removable media for malware (not recommended).

If all check boxes are disabled (grayed out), this means your computer is free of restrictions. This is a good sign; you can then click the standard box at the top right of the program window to minimize the program and put it as an icon in the system tray next to the clock, so that it appears as in the following image:

Here, tells you that it is now monitoring your system and will notify you when any emergency occurs, whether it is a restriction being applied or malware present on a flash disk you have just plugged in. If a malicious program that applies restrictions to hide itself from detection enters your system through the Internet or a CD/DVD drive, or was even hidden in your file system before you ran the toolkit, will notify you immediately. In the event of a malware attack, the notification is as follows:

If there is a virus on a flash drive or a memory card of a mobile phone you have just inserted, the above warning is accompanied by a human voice telling you about the presence of the malware. It says: "Virus Found!" To respond to this alert, double-click the program icon, where you can remove the restrictions in the same manner described earlier.

If the detected problem is a virus, it appears in the program interface as follows:

Note the red circle next to the removable media malware option ( ). There is also a red line that warns you NOT to open the flash disk before pressing button. Needless to say, the free demo version of notifies you of the presence of restrictions and removes them, and it also notifies you of the presence of viruses on flash disks, flash memory cards, digital cameras and mobile phones, but it does NOT remove these viruses; if you press button the program shows you the following message:

This means that has found viruses but you cannot remove them because you are using the free demo version; therefore, all you can do is thank for letting you know about the presence of the malware, and then immediately remove the flash disk, otherwise your system will get infected. If you want to defend your computer against these viruses and remove them, you will need to buy the full version.

When right-clicking the program icon, a context menu appears with several items as follows:

Clicking on this option shows the program main window.

This option can be enabled only in the full version (see full version specification later).

This option enables/disables loading each time your system starts, to ensure that the program works automatically in case you forget to load it manually. This option is enabled by default: once you run for the first time on your computer, it will start automatically every time you reboot. You can disable this option by clicking it; in this case, will not work unless you run it manually (not recommended).

This option is enabled by default, but if you do not want to receive more notifications about emergency events taking place on your computer, you can revoke the alarms by selecting from this list. If you want to re-activate the alerts, you simply select .

Warning: disabling notifications is not recommended at all, because it prevents from notifying you. Disabling notifications is only desirable when you are sure your machine is free of malware. However, please note that disabling notifications does not mean disabling protection: will keep doing its job, but it will not notify you of what it is doing.

This option takes you to our new software, . This software is still under development and not published yet. For more information about this software, please read the web page this option takes you to.

Clicking on this item takes you to a web page that shows my point of view about software piracy. If you are not a software pirate, do not click on this option! However, it is much appreciated if you spread the word: Say No to Piracy.

Shows information about the program.

Exits the program.

The full version of SAT includes many great features, including:

1. Defend your computer against removable media viruses; stop them and remove them before they enter your computer.
2. Scan your removable media drives for suspicious components.
3. A quarantine zone to save copies of suspicious components and viruses in an isolated environment.
4. Remove viruses automatically as soon as they arise.
5. Scan your entire file system for viruses with a database that contains (at this moment) more than 62,000 records of unique malware digital signatures.
6. Heuristically scan your system for suspicious components, so viruses can be identified by their activities and not by their digital signatures.
7. The possibility of building up a database of malware digital signatures of your own.

These features are available only in the full version. If you try to use one of them in the demo version, it shows you the following message:

1. Defend your computer against removable media malware; stop them and remove them before they enter your computer: this feature is powerful, new and unique, and it is the first of its kind. Some giant security companies copied this feature later. It allows you to make sure viruses will not attack your computer through removable media drives: pen drives, flash memory cards, digital cameras and mobile phones. Removable storage media are widely used today and are considered one of the largest means of spreading viruses between computers. This feature works in real time: once you insert any storage media, the program alerts you to the presence of malware or suspicious files and gives you the option to remove them immediately, before they cause any damage to your computer. When gives out such an alert, you should follow the instructions on screen: select check box, then click button. The red alert line at the bottom of the tool will turn green and the alarm sound will stop.

2. Scan your removable media drives for suspicious components: after you remove the viruses, you should click button to bring up the following form:

Click button to start scanning the removable media. The program will scan all removable media and show you a list of all suspicious components found, giving you the option to delete some and keep others, or delete all. To delete a single object, select the name of the object and then click button; to delete all objects, click button. Click to abort the scanning process at any time. Click button to reset the display.

CAUTION: not all the objects this feature detects are necessarily viruses, so be careful when you delete them. However, even if you delete an object by mistake, it can be restored by clicking button at the bottom left of the main program window and following the instructions on screen, as described later. To return to the main program window, press button as shown in the following image:

3. Quarantine zone to save copies of suspicious components and viruses in an isolated environment. When you press button the following dialog box appears:

is a secure place where keeps a backup copy of every object it removes. In the event of a false positive alarm, or if you just want to restore a particular file, you can simply restore it from there. saves a backup copy of every object it removes in a folder named RRTVAULT under the root folder of your system drive (usually C:), adding random numbers to the end of the file name. If you want to restore a file, all you need to do is rename the file back to its original name by deleting these random numbers. The above dialog box asks you to do one of two things: either press button to open the quarantine folder and review the files in case you want to restore one of them, or press button to delete all the backup files in it. Warning: it is not recommended to delete all files in the quarantine folder before reviewing them. It is recommended to keep these files, zip them and send the zipped file to newvirus@sergiwa.com for analysis.

4. Removing viruses automatically as soon as they arise (AutoRemove): this great feature automatically removes all restrictions and removable media malware as soon as they are detected and only notifies you that the work is done; if you prefer, you can as described above, so that the program silently and efficiently defends your computer against all types of viruses that spread through such media. This option can be selected from the context menu mentioned above. It is the second option from the top, as shown in the following image:

Once selected, the program's red icon turns green, as follows:

Important Notes: 1. In order for to remove viruses, all removable media drives must be write enabled. Some USB drives can be locked (write protected); in this case, once detects a write protected USB drive it notifies you in two ways:

If the program is minimized, the notification goes as follows:

If the program is maximized, the notification goes as follows:

2. If you are using antivirus software, and there is a virus that is detected by both and your antivirus, a conflict will take place when tries to remove the virus. In such a case, it is highly recommended to leave the initiative to the antivirus software to delete the virus. If the virus is not detected by your antivirus, SAT will take care of it. If you are using Kaspersky Antivirus and you encounter this conflict during the removal of a virus, the following message appears:

3. When a new virus is active (running) and undetected by your AV software, and you try to remove it with , an access violation error will arise. You can still use the smart detection technique to identify it. Reading the following message will tell you how:

To be able to remove this virus you have two options: a. Send this file to newvirus@sergiwa.com for analysis so that I can add it to the database; you can then update the program and use to remove the virus easily, as described later in this document. b. Use as described later in this document.

5. Scanning your entire file system for viruses with a database that contains more than 62,000 records of unique malware digital signatures: this feature is based on the traditional scanning technology used in most antivirus software, which relies on digital signatures of malware. The database of contains 62,000 records as of the date of writing this document. Most of these records are for today's malware, because we focus mainly on effectiveness; there is no point in overburdening the program database with signatures of extinct malware. Start this feature by clicking button as shown in the picture below:

Once you click on the button, the program interface turns as follows:

The scan process can be started directly by pressing button. The program scans all files on all disk drives, whether they are internal or external hard drives, CDs, floppies, flash drives or any other type of storage media. If a virus is detected, it is immediately deleted and moved to the quarantine folder. If you want to scan specific files, folders or disk drives, you can do so by clicking button, and the following message shows up:
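Signature scanning and the quarantine folder work together: a file whose signature matches is moved out of the way into the vault under a name that can be reverted. As an added example covering this feature and the quarantine zone described under feature 3 (it is not the toolkit's code), the PowerShell below scans a path against a small database, moves matches into a folder laid out like the RRTVAULT folder the manual describes (system drive root, random digits appended to the name) and restores by stripping the digits. The manual does not say what its "digital signatures" are, so this example assumes SHA-256 file hashes; the database entry is a constructed placeholder that matches no real file, and Add-Signature lets you record a file you have confirmed yourself. PowerShell 3.0 or later is assumed.

```powershell
# Added example, not SAT/RRT code: SHA-256 based file scan with a quarantine folder laid
# out like the RRTVAULT folder the manual describes. The database starts with a constructed
# placeholder hash, not a real malware signature.

$VaultPath = Join-Path $env:SystemDrive 'RRTVAULT'

# Constructed database: SHA-256 hex digest -> malware name.
$SignatureDb = @{}
$SignatureDb[('0' * 64)] = 'Example.Placeholder.A'   # will never match a real file

function Get-Sha256 {
    # Works on every PowerShell version (Get-FileHash needs 4.0+).
    param([Parameter(Mandatory = $true)][string]$Path)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try { return ([System.BitConverter]::ToString($sha.ComputeHash($fs)) -replace '-', '') }
    finally { $fs.Dispose(); $sha.Dispose() }
}

function Add-Signature {
    # Record a file you have confirmed as malware so future scans recognise copies of it.
    param([Parameter(Mandatory = $true)][string]$Path, [Parameter(Mandatory = $true)][string]$Label)
    $hash = Get-Sha256 -Path $Path
    $SignatureDb[$hash] = $Label
    return $hash
}

function Move-ToQuarantine {
    # Vault layout from the manual: <SystemDrive>\RRTVAULT\<original name><random digits>
    param([Parameter(Mandatory = $true)][string]$Path)
    New-Item -ItemType Directory -Path $VaultPath -Force | Out-Null
    $item = Get-Item -LiteralPath $Path -Force
    $item.Attributes = 'Normal'     # clear hidden/system/read-only so the move succeeds
    $dest = Join-Path $VaultPath ('{0}{1}' -f $item.Name, (Get-Random -Minimum 100000 -Maximum 999999))
    Move-Item -LiteralPath $Path -Destination $dest -Force
    return $dest
}

function Restore-FromQuarantine {
    # Undo the renaming by stripping the six trailing digits; the file stays in the vault
    # for you to copy back by hand, as the manual describes.
    param([Parameter(Mandatory = $true)][string]$VaultFile)
    $name = Split-Path -Leaf $VaultFile
    if ($name -notmatch '^(.+?)(\d{6})$') { throw "$name does not carry a quarantine suffix" }
    $restored = Join-Path (Split-Path -Parent $VaultFile) $Matches[1]
    Move-Item -LiteralPath $VaultFile -Destination $restored
    return $restored
}

function Invoke-SignatureScan {
    # Scan one or more paths; with -Quarantine, matching files are moved to the vault.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory = $true)][string[]]$Path, [switch]$Quarantine)
    $hits = @()
    foreach ($f in Get-ChildItem -LiteralPath $Path -Recurse -Force -File -ErrorAction SilentlyContinue) {
        if ($f.FullName.StartsWith($VaultPath, 'OrdinalIgnoreCase')) { continue }   # never rescan the vault
        try { $hash = Get-Sha256 -Path $f.FullName } catch { continue }            # locked or unreadable file
        if (-not $SignatureDb.ContainsKey($hash)) { continue }
        $where = $f.FullName
        if ($Quarantine -and $PSCmdlet.ShouldProcess($where, "quarantine as $($SignatureDb[$hash])")) {
            $where = Move-ToQuarantine -Path $f.FullName
        }
        $hits += [pscustomobject]@{ Malware = $SignatureDb[$hash]; Hash = $hash; Location = $where }
    }
    return $hits
}

# Usage:  Invoke-SignatureScan -Path 'E:\' | Format-Table -AutoSize
#         Invoke-SignatureScan -Path 'E:\' -Quarantine -WhatIf      (preview the moves first)
```

A locked file that the scanner cannot read is skipped rather than aborting the whole scan; that is the same situation as the access violation the manual describes for an active virus, and the heuristic checks later in the manual are the way to identify such a file.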

This message tells you that the program has been linked to your Windows Explorer successfully. From now on, whenever you want to scan a folder or a disk drive you just right click it then select:

As shown in the following image:

If you want to know the names and the number of viruses in the program's database, you can do so by clicking button, and a list of the database contents appears as in the following image:

Note: the malware whose names appear in the image above is not actually found on your machine; these are just the main program database's contents, the names of viruses that can be removed by .

6. Heuristically scan your system for suspicious objects, so viruses can be identified by their activities and not by their digital signatures: in case did not find any malware but you suspect that your computer is infected, you can still use , a great feature that scans your system for viruses or suspicious objects and adds them to a database of your own, so that you can get rid of them even if they are not included in the main program database. Click button and the following screen appears:

Since your custom malware database is empty now, you cannot start scanning, of course; if you click button now, the following message appears:

This message box tells you that your custom database is empty and asks you to press button to start filling it up with the malware signatures. Click button and the following screen appears:

Notice the four buttons, namely:

It allows you to check the file system.

It allows you to check the running processes and services.

It allows you to examine the startup programs that run automatically when you start Windows.

It allows you to generate a log file about your computer status. When you press button you see the following buttons:


The buttons above represent the critical locations and targets malware usually attacks. Click each of the buttons above and the program will check whether there are any suspicious objects there. If there are, they are shown in the white space, as in the following image:

If you double-click on any item, the program will show its properties as shown in the following image:

If you click on it when you are using the DEMO version you will not be able to know its properties and you'll see the following message:

The message box above tells you that you cannot view the path or the file name or its properties or add it to your custom database because you are using the demo version. You have two options: Either you buy the full version, or uncheck check box to show all files as it appears in the following image:

When you uncheck this box, you no longer use RRT , and all files under the current location will be shown as follows:

With OFF, you are on your own: you have to decide by yourself which of these files are malware and which are clean. Since this is too difficult for normal users, the only real option available is to buy the full version of the program, which decides on your behalf, shows you only the names of the suspicious files and their full paths, and gives you the ability to add them to your custom database and remove them from your system. Warning: when working with OFF, you should be very careful. Removing clean files will result in system instability, installed application corruption or even complete unrecoverable damage. After you decide which of the objects are malware, either by yourself or with the help of , you can drag any file you see in the space and drop it into the small box at the top left labeled , as shown in the following image:

By dragging and dropping it, the following message box appears:

Answer if you want to add this file to your custom database, and the following message appears:

This means that you have dropped a single file and it will be removed from your system and added to your custom database. Click , and the following message appears:

This means that one file has been removed from your system and added to your custom database. From now on, you are immune to this virus: the program will detect and remove it if it tries to infect your computer in the future. You can follow this method with all the files in the areas targeted by viruses, as described previously under button. In case you want to check other folders, click button as shown in the following image:

When you press this button the following window appears:

You can select any folder to be analyzed by RRT and then apply the same steps as above.

In addition to button, there is button. It lets you check the running processes in real time. RRT can determine which processes are suspicious, and you can add these processes to your custom database. There is another button called . It lets you check the programs that start automatically when you start Windows. RRT can determine which are suspicious and show them in the white space, where you can add these items to your custom database. The last button is , as you can see in the following image:
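The heuristic buttons above look at the places malware uses to get itself started with Windows and then decide which entries deserve attention. As an added example (my code, not the toolkit's), the PowerShell below enumerates the common auto-start locations (the Run and RunOnce keys for the current user and the machine, the Winlogon Shell and Userinit values, and both Startup folders) and flags entries whose target is missing, carries the hidden attribute, lives in a user-writable location, is not Authenticode-signed, or replaces the normal shell. In the spirit of the manual's CAUTION about deleting clean files, the flags are review hints rather than verdicts: many legitimate programs are unsigned. The regular expressions for "user-writable location" are my assumption; PowerShell 3.0 or later is assumed.

```powershell
# Added example, not SAT/RRT code: list the auto-start locations malware commonly uses and
# flag entries worth a closer look. Flags are review hints, not verdicts.

$RunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$Winlogon  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$PSMembers = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Get-CommandPath {
    # Pull the executable path out of a command line: "C:\a b\x.exe" /q  or  C:\x.exe /q
    param([string]$Command)
    $c = [Environment]::ExpandEnvironmentVariables($Command.Trim())
    if ($c -match '^"([^"]+)"') { $p = $Matches[1] }
    elseif ($c -match '^(.+?\.(exe|com|scr|bat|cmd|vbs|js|dll))(\s|,|$)') { $p = $Matches[1] }
    else { $p = ($c -split '\s+')[0] }
    if ($p -notmatch '[\\/]') {                     # bare name such as explorer.exe: resolve via PATH
        $cmd = Get-Command $p -ErrorAction SilentlyContinue
        if ($cmd) { $p = $cmd.Definition }
    }
    return $p
}

function Get-StartupEntry {
    # Run/RunOnce values, Winlogon Shell/Userinit (comma separated), and both Startup folders.
    foreach ($key in $RunKeys) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($p in $props.PSObject.Properties) {
            if ($PSMembers -contains $p.Name) { continue }   # skip the provider's own members
            [pscustomobject]@{ Source = $key; Name = $p.Name; Command = [string]$p.Value }
        }
    }
    $wl = Get-ItemProperty -Path $Winlogon -ErrorAction SilentlyContinue
    foreach ($n in 'Shell', 'Userinit') {
        foreach ($part in ([string]$wl.$n -split ',')) {
            if ($part.Trim()) { [pscustomobject]@{ Source = 'Winlogon'; Name = $n; Command = $part.Trim() } }
        }
    }
    foreach ($dir in [Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup')) {
        foreach ($f in Get-ChildItem -LiteralPath $dir -Force -File -ErrorAction SilentlyContinue) {
            [pscustomobject]@{ Source = $dir; Name = $f.Name; Command = $f.FullName }
        }
    }
}

function Test-StartupEntry {
    # Emit only the entries that have at least one reason for review, with the reasons listed.
    foreach ($e in Get-StartupEntry) {
        $why  = @()
        $path = Get-CommandPath $e.Command
        if (-not (Test-Path -LiteralPath $path)) {
            $why += 'target file missing'
        } else {
            $fi = Get-Item -LiteralPath $path -Force
            if ($fi.Attributes -band [IO.FileAttributes]::Hidden) { $why += 'hidden attribute' }
            if ($path -match '\\(Temp|AppData\\Local\\Temp|Users\\Public|ProgramData)\\') { $why += 'user-writable location' }
            $sig = Get-AuthenticodeSignature -FilePath $path
            if ($sig.Status -ne 'Valid') { $why += "signature: $($sig.Status)" }
        }
        if ($e.Source -eq 'Winlogon' -and $e.Name -eq 'Shell' -and $path -notmatch '(^|\\)explorer\.exe$') {
            $why += 'Shell is not explorer.exe'
        }
        if ($why.Count) {
            [pscustomobject]@{ Source = $e.Source; Name = $e.Name; Command = $e.Command; Why = ($why -join '; ') }
        }
    }
}

# Usage: run elevated so the HKLM keys and the common Startup folder are readable.
Test-StartupEntry | Format-Table -AutoSize -Wrap
```

An entry that shows up here is a candidate for the kind of drag-and-drop review the manual describes, not something to delete on sight; confirming what the file is comes first.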

By clicking this button, generates a report about the status of your entire system as shown in the following image:

This feature is very important: in case you are unable to determine what you should do, all you need to do is send this log file by email to support@sergiwa.com and I will analyze your log, determine whether your computer is infected or not, give you the appropriate instructions and guide you step by step to get rid of the viruses. This service is free for licensed users only.

Uninstalling the software is very easy: just click button, then click button and follow the instructions on screen.

1. A PC with a Pentium 500 MHz and 128 MB RAM or above. 2. Windows XP, Windows Vista or Windows 7. 3. A user profile with administrator rights (Administrator). 4. In Windows Vista you will need to turn off UAC, as shown in the following image:

5. In Windows 7 you will need to set the UAC to the lowest level (Never Notify) as shown in the following image:

6. In general, since this product is security software that deals with the file system, the system registry and running processes, it MUST be given all the rights it demands in order to do its job. Some other security software will try to block the toolkit and prevent it from doing its job; some will mistakenly flag the software itself as malware. Please make sure that it is not blocked by your firewall and that there is no other program blocking it. Before running this toolkit, we recommend that you add it to the whitelist of any other security solution you are running, such as antivirus, firewall, monitoring tools, etc.

1. By using , you acknowledge that you are solely responsible for any damage inflicted on your computer as a result of inappropriate use of the program, and that Sergiwa Software bears no responsibility for this. We strongly advise you to read this manual very carefully.
2. The demo version of this software is FREE for personal use only. If you would like to use the demo version in a business environment, or you want to enjoy its advanced features, you are required to license it. Licensing is quick, and the pricing is flexible.
3. Licensed users can upgrade to minor versions of the purchased software for free. For example, when you buy version 6.0 you have the right to upgrade to all minor updates of version 6.x for free, while the upgrade to version 7.0 requires an upgrade fee.
4. The Sergiwa Antiviral Toolkit price is paid once for a lifetime; no annual fees are required. Licensed users enjoy free technical support for one year (including answering questions and queries, resolving the program's issues if any, explaining methods of use, analyzing logs, etc.); after the end of the year, the free technical support expires and the user must renew the support subscription.
5. If you wish to become an authorized distributor for Sergiwa Software and get a commission on distribution of up to 25%, please contact us at info@sergiwa.com

1. If you have a credit card or PayPal account, or you can use any other online payment method, you can purchase the software by following this link: https://www.plimus.com/jsp/buynow.jsp?contractId=2012988
2. If you cannot use any online payment method, you can purchase via Western Union or MoneyGram. Send the payment to the following address: Name: Issam Sergiwa, City: Derna, Country: Libya

Once we receive your payment, we will immediately send you the license key. The license key is a file named regkey.dat. All you have to do when you receive it is the following:
1. Make a folder under C:\ and name it, say, RRTPE.
2. Transfer both "RRT.exe" and "regkey.dat" to that folder.
3. Run the software and it will be activated.
Please note that the software will run in FULL mode as long as the license file (regkey.dat) is in the same folder as the executable file (RRT.exe). Once you delete the license file (regkey.dat) or move it to another folder, the software will go back to DEMO mode.

End of Document. For v6.5.0.2. Issam Sergiwa (SAT Author), CEO & Founder of Sergiwa Software, Sergiwa.com, June 6, 2011
