What is a system process debugger? Guide to using AVZ antivirus. Indications for use

Antivirus programs, even when they detect and remove malware, do not always restore the system to full working order. After a virus has been removed the user is often left with an empty desktop, no Internet access (or some sites blocked), a mouse that does not work, and so on. The usual cause is that system or user settings changed by the malware were left untouched.

AVZ is free, runs without installation, is surprisingly capable, and has helped me out in a variety of situations. A virus, as a rule, modifies the system registry (adding itself to startup, changing the parameters used to launch programs, and so on). Rather than digging through the system and correcting those traces by hand, use the "System restore" operation built into AVZ. (AVZ is also a very good scanner, so it is worth scanning the disks for viruses with it first.)

To start the recovery, run AVZ and choose File - System restore. A window with the list of available fixes opens; tick the ones you need and click "Perform selected operations". AVZ calls each fix a "microprogram"; the list below describes what each one does and when to use it.

1. Restoring the launch parameters of .exe, .com, .pif and .scr files
This fix restores the file associations that tell Windows how to run .exe, .com, .pif and .scr files.
Indications for use: after the virus has been removed, programs no longer start.
2. Resetting Internet Explorer protocol prefix settings to standard
This fix restores the protocol prefix settings in Internet Explorer.
Indications for use: an address typed as www.yandex.ru is replaced with something like www.seque.com/abcd.php?url=www.yandex.ru.
3. Restoring the Internet Explorer start page
This fix restores the start page in Internet Explorer.
Indications for use: the home page has been replaced.
4. Resetting Internet Explorer search settings to standard
This fix restores the search settings in Internet Explorer.
Indications for use: clicking the "Search" button in IE takes you to some third-party site.
5. Restoring desktop settings
This fix restores the desktop settings. Restoration removes all Active Desktop elements and the wallpaper, and unblocks the menu responsible for desktop settings.
Indications for use: the desktop-settings tabs have disappeared from the "Display Properties" window, or extraneous text or pictures are shown on the desktop.
6. Removing all Policies (restrictions) of the current user
Windows has a mechanism for restricting user actions called Policies. Malware makes heavy use of it, because the settings live in the registry and are easy to create or modify.
Indications for use: Explorer functions or other system functions are blocked.
7. Removing the message displayed during Winlogon
Windows NT and later systems of the NT line (2000, XP) let you set a message that is displayed at logon. A number of malicious programs use it, and removing the malware does not remove the message.
Indications for use: an extraneous message is shown during system boot.
8. Restoring Explorer settings
This fix resets a number of Explorer settings to their defaults (the settings changed by malware are reset first).
Indications for use: Explorer settings have been changed.
9. Removing system process debuggers
Windows lets a "debugger" be registered for any executable in the registry (under the Image File Execution Options key). Whenever that program is started, Windows starts the registered debugger instead and hands it the original program as an argument. This is the "system process debugger" of the title: a number of malware families register themselves as the debugger of a system process such as explorer.exe and so launch silently every time it runs, or register a non-existent debugger for taskmgr.exe or an antivirus in order to block it.
Indications for use: AVZ reports unidentified system process debuggers; system components fail to start, in particular the desktop disappears after a reboot.
10. Restoring boot settings in SafeMode
Some malware, in particular the Bagle worm, damages the registry keys that control booting in safe mode. This fix restores them.
Indications for use:
11. Unblocking Task Manager
Malware blocks Task Manager to protect its processes from detection and termination. This fix removes the block.
Indications for use: Task Manager is blocked; trying to open it displays "Task Manager has been disabled by your administrator".

12. Clearing the HijackThis ignore list
The HijackThis utility keeps a number of its settings in the registry, in particular its ignore (exclusion) list. To hide from HijackThis, malware only has to add its executables to that list, and several known malicious programs do exactly that. This fix clears the HijackThis ignore list.

Indications for use: you suspect that HijackThis is not displaying everything about the system.
13. Cleaning the Hosts file
Cleaning the Hosts file means locating it, removing every non-comment line and adding the standard "127.0.0.1 localhost" line.
Indications for use: you suspect that malware has modified the Hosts file. A typical symptom is that antivirus programs can no longer update (their update servers have been mapped to 127.0.0.1). You can inspect the contents of the Hosts file with the Hosts file manager built into AVZ.
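The following PowerShell script is an added example, not AVZ code: it shows, line by line, which Hosts entries the clean-up in fix 13 would drop and why, and rewrites the file only when run with -Clean. It assumes the standard file location, the DataBasePath registry value under the Tcpip service (which is where the resolver looks for the file), and that only localhost-style names belong on a loopback address; entries from ad-blocking Hosts lists (0.0.0.0 lines) will be flagged too, so read the report before cleaning.

```powershell
# Added example (not AVZ code): report and optionally clean the Hosts file.
# Run from an elevated prompt; -Clean writes the file, otherwise nothing changes.
param([switch]$Clean,
      [string]$Path = "$env:SystemRoot\System32\drivers\etc\hosts")

# The resolver reads hosts from the directory named in DataBasePath; malware
# sometimes repoints it so the file you edit is not the file Windows uses.
$dbp = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters').DataBasePath
if ([Environment]::ExpandEnvironmentVariables($dbp) -ne "$env:SystemRoot\System32\drivers\etc") {
    "WARNING: DataBasePath = '$dbp'; Windows is not reading $Path"
}
$file = Get-Item -LiteralPath $Path -Force      # -Force: malware often sets the Hidden attribute
"attributes: $($file.Attributes)"

$AllowedNames = @('localhost', 'localhost.localdomain', 'broadcasthost')
$LoopbackIPs  = @('127.0.0.1', '::1')
$keep = New-Object System.Collections.Generic.List[string]

foreach ($line in Get-Content -LiteralPath $Path) {
    $trim = $line.Trim()
    if ($trim -eq '' -or $trim.StartsWith('#')) { $keep.Add($line); continue }
    # Entry format: <ip> <name> [<name>...] [# comment]; separators may be tabs.
    $fields = @(($trim -split '#', 2)[0] -split '\s+' | Where-Object { $_ -ne '' })
    if ($fields.Count -lt 2) { "DROP  malformed: $trim"; continue }
    $ip = $fields[0]; $names = $fields[1..($fields.Count - 1)]
    $foreign = @($names | Where-Object { $AllowedNames -notcontains $_.ToLower() })
    # A public name on a loopback address (blocks AV update sites) or any name on a
    # non-loopback address (redirects a site) is a hijack candidate either way.
    if ($foreign.Count -gt 0 -or $LoopbackIPs -notcontains $ip) {
        "DROP  {0,-15} {1}" -f $ip, ($names -join ' ')
    } else {
        "keep  $trim"; $keep.Add($line)
    }
}

if ($Clean) {
    Copy-Item -LiteralPath $Path -Destination "$Path.bak" -Force
    if (-not ($keep | Where-Object { $_ -match '^\s*127\.0\.0\.1\s+localhost\b' })) {
        $keep.Add('127.0.0.1 localhost')       # the standard line AVZ fix 13 adds
    }
    $file.IsReadOnly = $false
    # Plain ASCII without a BOM, the encoding the resolver expects.
    [IO.File]::WriteAllLines($Path, $keep.ToArray(), [Text.Encoding]::ASCII)
    "written $Path (backup: $Path.bak); run 'ipconfig /flushdns' afterwards"
}
```

Run it once without -Clean and read the DROP lines; a row such as `DROP  127.0.0.1  update.symantec.com` is the "antivirus will not update" symptom described above, while a DROP for a popular site with a public address is a redirect. The DataBasePath and Hidden-attribute checks catch the two ways malware keeps a "clean-looking" Hosts file while the real one is elsewhere.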

14. Automatically correcting SPI/LSP settings
Analyses the Winsock SPI (service provider interface) settings and, if errors are found, corrects them automatically. This fix can be run any number of times. Restart the computer after running it.

Indications for use: after the malware was removed, Internet access is lost. (This is what happens when a removed malware component had registered itself as an LSP: the Winsock provider chain now points at a DLL that no longer exists.)

15. Resetting SPI/LSP and TCP/IP settings
This fix works only on XP, Windows 2003 and Vista. It resets and re-creates the SPI/LSP and TCP/IP settings with the standard netsh utility that ships with Windows. Note: use this reset only if you still have unresolved problems with Internet access after removing the malware!

Indications for use: after the malware was removed, Internet access does not work and running fix 14 (Automatically correcting SPI/LSP settings) did not help.
16. Restoring the Explorer startup key
Restores the system registry keys responsible for launching Explorer.
Indications for use: Explorer does not start during system boot, but explorer.exe can be launched manually.
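Fixes 1, 9 and 16 above repair three places where a program launch can be hijacked. The script below is an added example (not AVZ code) that only reads those places and reports what it finds, so you can see what the fixes would change before running them. It assumes the default Windows values: `"%1" %*` for the executable file classes (`"%1" /S` for screensavers), no Debugger value under Image File Execution Options except a developer's real debugger, and `explorer.exe` / `userinit.exe,` under Winlogon. Run it from an elevated Windows PowerShell prompt.

```powershell
# Added example (not AVZ code): read-only check of the launch-path hijacks that
# AVZ fixes 1, 9 and 16 repair. Nothing is changed.

# 1. File-class launch commands (AVZ fix 1). HKCR is the merged view of
#    HKLM\Software\Classes and HKCU\Software\Classes, so a per-user hijack shows too.
$Expected = @{ exefile = '"%1" %*'; comfile = '"%1" %*'; piffile = '"%1" %*'
               batfile = '"%1" %*'; cmdfile = '"%1" %*'; scrfile = '"%1" /S' }
foreach ($cls in $Expected.Keys) {
    $key = "Registry::HKEY_CLASSES_ROOT\$cls\shell\open\command"
    if (-not (Test-Path -LiteralPath $key)) { "[$cls] key missing"; continue }
    $cmd = (Get-ItemProperty -LiteralPath $key).'(default)'
    $status = if ($cmd -eq $Expected[$cls]) { 'ok' } else { 'HIJACKED' }
    $where = if (Test-Path -LiteralPath "HKCU:\Software\Classes\$cls\shell\open\command") { ' (per-user override)' } else { '' }
    "[{0,-8}] {1,-8} {2}{3}" -f $cls, $status, $cmd, $where
}

# 2. Image File Execution Options "Debugger" (AVZ fix 9). When the value exists,
#    Windows starts the named debugger with the original program as its argument:
#    a bogus path silently blocks the program, a real one silently launches malware.
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
Get-ChildItem -LiteralPath $ifeo | ForEach-Object {
    $dbg = (Get-ItemProperty -LiteralPath $_.PSPath).Debugger
    if ($dbg) {
        # Developers do register vsjitdebugger/windbg/ntsd/cdb here; anything else deserves a look.
        $flag = if ($dbg -match 'vsjitdebugger|windbg|ntsd|cdb') { 'known debugger' } else { 'SUSPECT' }
        "[IFEO] {0,-22} -> {1}   ({2})" -f $_.PSChildName, $dbg, $flag
    }
}

# 3. Winlogon Shell / Userinit (AVZ fix 16): the desktop does not start, or an extra
#    program starts with every logon, when these differ from the defaults.
$wlKey = 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$wl = Get-ItemProperty -LiteralPath "HKLM:\$wlKey"
$userinitExpected = "$([Environment]::SystemDirectory)\userinit.exe,"
"[Winlogon] HKLM Shell    = $($wl.Shell)"    + $(if ($wl.Shell -ne 'explorer.exe')        { '   <-- expected explorer.exe' })
"[Winlogon] HKLM Userinit = $($wl.Userinit)" + $(if ($wl.Userinit -ne $userinitExpected) { "   <-- expected $userinitExpected" })
# A Shell value under HKCU overrides the machine one for that user; it is normally absent.
$userShell = (Get-ItemProperty -LiteralPath "HKCU:\$wlKey" -ErrorAction SilentlyContinue).Shell
if ($userShell) { "[Winlogon] HKCU Shell    = $userShell   <-- per-user override, normally not set" }
```

A HIJACKED exefile line explains why "programs stop running" after a clean-up: the virus that the association pointed at is gone, so nothing runs. A SUSPECT IFEO entry for explorer.exe is the "desktop disappears after reboot" case of fix 9, and a Winlogon Shell other than explorer.exe is the case for fix 16.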
17. Unblocking the Registry Editor
Unblocks the Registry Editor by removing the policy that prevents it from running.
Indications for use: the Registry Editor cannot be started; trying to do so displays a message that it has been disabled by the administrator.
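Fixes 6, 11 and 17 all act on the same Policies keys. The script below is an added example, not AVZ code: it lists the policy values that Winlock-style malware sets under the per-user and machine-wide `Policies\System` and `Policies\Explorer` keys and removes them only when run with -Remove. The value names (DisableTaskMgr, DisableRegistryTools, NoDesktop and the rest) are the documented Windows policy names; the set is my selection, not a complete list. One caveat the fixes do not print: on a domain-joined machine some of these values may come from a legitimate Group Policy and will simply return at the next refresh.

```powershell
# Added example (not AVZ code): audit and optionally remove the restriction
# policies used to block Task Manager, Regedit, Run, Control Panel and the desktop.
# Run elevated to reach the HKLM copies; -Remove deletes every non-zero value found.
param([switch]$Remove)

# A non-zero DWORD under these keys means "restricted" for that user / machine.
$Watch = @{
    'Policies\System'   = @('DisableTaskMgr', 'DisableRegistryTools', 'DisableCMD')
    'Policies\Explorer' = @('NoDesktop', 'NoRun', 'NoControlPanel', 'NoFolderOptions',
                            'DisallowRun', 'NoViewContextMenu', 'NoClose', 'NoLogoff',
                            'NoSetTaskbar', 'NoSaveSettings', 'NoActiveDesktopChanges')
}
$Roots = @('HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion',
           'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion')

foreach ($root in $Roots) {
    foreach ($sub in $Watch.Keys) {
        $key = "$root\$sub"
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $props = Get-ItemProperty -LiteralPath $key
        foreach ($name in $Watch[$sub]) {
            $val = $props.$name
            if ($null -eq $val) { continue }
            "{0}\{1} = {2}" -f $key, $name, $val
            if ($Remove -and $val -ne 0) {
                Remove-ItemProperty -LiteralPath $key -Name $name -Verbose
            }
        }
        # DisallowRun is paired with a subkey whose numbered values name the blocked programs.
        $dr = "$key\DisallowRun"
        if ($sub -eq 'Policies\Explorer' -and (Test-Path -LiteralPath $dr)) {
            (Get-ItemProperty -LiteralPath $dr).PSObject.Properties |
                Where-Object { $_.Name -match '^\d+$' } |
                ForEach-Object { "  blocked program: $($_.Value)" }
            if ($Remove) { Remove-Item -LiteralPath $dr -Recurse -Verbose }
        }
    }
}
```

Explorer reads most of these values at logon, so after removing them sign out and back in (or restart explorer.exe from Task Manager once it is unblocked). The HKLM copies apply to every account on the machine, which is why the AVZ fix for "the current user" is not always enough on its own.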
18. Completely recreating the SPI settings
Backs up the SPI/LSP settings, then deletes them and recreates them from the standard configuration stored in the AVZ database.
Indications for use:
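Fixes 14, 15 and 18 all rebuild the Winsock catalog. The script below is an added example (not AVZ code) of doing the same inspection and reset by hand. It reads the provider DLL path from each Protocol_Catalog9 entry (the first NUL-terminated string of the PackedCatalogItem value), checks whether the file exists and is signed, and with -Reset backs the catalog up and runs the same netsh commands fix 15 relies on. It assumes the standard WinSock2 registry location and the netsh syntax of Windows 7 and later.

```powershell
# Added example (not AVZ code): list Winsock LSP/provider DLLs and, with -Reset,
# back up and rebuild the catalog. Run elevated; reboot after a reset.
param([switch]$Reset)

$catalog = 'HKLM:\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries'

# Each entry's PackedCatalogItem blob starts with the provider DLL path as a
# NUL-terminated ANSI string; everything after it is the WSAPROTOCOL_INFO structure.
$dlls = Get-ChildItem -LiteralPath $catalog | ForEach-Object {
    $blob = (Get-ItemProperty -LiteralPath $_.PSPath).PackedCatalogItem
    $end = [Array]::IndexOf($blob, [byte]0)
    if ($end -lt 0) { $end = $blob.Length }
    [Text.Encoding]::ASCII.GetString($blob, 0, $end)
}

$dlls | Sort-Object -Unique | ForEach-Object {
    $path = [Environment]::ExpandEnvironmentVariables($_)
    $sig = if (Test-Path -LiteralPath $path) { (Get-AuthenticodeSignature -LiteralPath $path).Status } else { 'FILE MISSING' }
    "{0,-14} {1}" -f $sig, $path
}
# A clean catalog usually names only %SystemRoot%\system32\mswsock.dll. Security
# software legitimately adds its own LSP; a DLL outside System32, unsigned, or
# FILE MISSING (the remnant of a removed malware LSP) is what breaks Internet access.

if ($Reset) {
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    netsh winsock show catalog > "$env:TEMP\winsock-catalog-$stamp.txt"                   # text copy of the catalog
    reg export 'HKLM\SYSTEM\CurrentControlSet\Services\WinSock2' "$env:TEMP\winsock2-$stamp.reg" /y
    netsh winsock reset                                   # rebuild Protocol_Catalog9 / NameSpace_Catalog5 from defaults
    netsh int ip reset "$env:TEMP\ipreset-$stamp.log"     # rebuild TCP/IP parameters, log to file
    "Reset done; reboot now. Backups: $env:TEMP\*-$stamp.*"
}
```

The .reg export is the equivalent of the backup fix 18 takes before recreating the settings; if the reset removes an LSP a firewall or VPN client needs, reinstalling that product is the supported way to put it back.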
19. Clearing the MountPoints database
Clears the MountPoints and MountPoints2 keys in the registry. This often helps when, after infection by a flash-drive (autorun) virus, disks no longer open in Explorer.
To perform a recovery, tick one or more items and click "Perform selected operations". Clicking "OK" closes the window.
Note: restoration is pointless while a Trojan that performs these changes is still running; remove the malware first, then restore the system settings.
Note: to remove the traces of most browser hijackers, run three fixes: "Reset Internet Explorer search settings to standard", "Restore Internet Explorer start page" and "Reset Internet Explorer protocol prefix settings to standard".
Note: any of the fixes can be run several times in a row without harming the system. The exceptions are "5. Restoring desktop settings" (it resets all desktop settings, so you will have to choose your colour scheme and wallpaper again) and "10. Restoring boot settings in SafeMode" (it recreates the registry keys responsible for booting into safe mode).


There are all-purpose programs, the Swiss army knives of software. The hero of this article is one of them: AVZ (Zaitsev Anti-Virus). With this free antivirus you can catch viruses, tune the system and fix problems.

AVZ capabilities

I have already mentioned that this is an antivirus program. AVZ's work as an on-demand scanner (more precisely, an anti-rootkit) is well covered in its help, so I will show you another side of the program: checking and restoring settings.

What can be "fixed" with AVZ:

  • Restore the launching of programs (.exe, .com, .pif files)
  • Reset Internet Explorer settings to their defaults
  • Restore desktop settings
  • Remove rights restrictions (for example, when a virus has blocked programs from launching)
  • Remove a banner or window that appears before you log in
  • Remove viruses that start themselves alongside another program (the "system process debuggers")
  • Unblock Task Manager and the Registry Editor (when a virus has prevented them from running)
  • Clear the Hosts file
  • Prohibit autorun of programs from flash drives and disks
  • Remove unnecessary files from the hard drive
  • Fix desktop problems
  • And much more

You can also use it to check Windows settings for security (to protect better against viruses) and to optimize the system by cleaning up startup.

AVZ is downloaded from its author's site. The program is free.

First, let's protect Windows from careless actions.

AVZ has a great many functions that affect how Windows works. That is dangerous: one mistake can do real damage. Read the text and the built-in help carefully before doing anything. The author of this article is not responsible for your actions.

I wrote this chapter so that you can "put everything back the way it was" after careless work with AVZ.

This is a mandatory step; it creates an "escape route" in case of careless actions. With a restore point you can return the settings and the Windows registry to an earlier state.

System Restore has been a standard component of every Windows version since Windows ME. It is a pity that people usually forget about it and waste time reinstalling Windows and their programs, when a couple of clicks would have avoided all the trouble.

If the damage is serious (for example, system files have been deleted), System Restore will not help. In other cases, such as misconfiguring Windows, messing around in the registry, installing a program that prevents Windows from booting, or using AVZ incorrectly, System Restore should help.

As it works, AVZ creates subfolders with backup copies inside its own folder:

/Backup - backup copies of the registry.

/Infected - copies of deleted viruses.

/Quarantine - copies of suspicious files.

If problems started after using AVZ (for example, you used the AVZ "System restore" tool thoughtlessly and the Internet stopped working) and Windows System Restore did not roll the changes back, you can import the registry backups from the Backup folder.

How to create a restore point

Go to Start - Control Panel - System - System Protection:

Click "System Protection" in the "System" window.

Click the "Create" button.

Creating a restore point can take up to ten minutes; a confirmation window then appears.

The restore point has been created. Restore points are also created automatically when programs and drivers are installed, but not always. So before any risky action (reconfiguring or cleaning the system) it is better to create a restore point once more, so that if something goes wrong you can praise yourself for your foresight.
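The same escape route can be prepared from Windows PowerShell, which also lets you verify that the point was really made. The script below is an added example, not from the article; it assumes a Windows client edition (the Checkpoint-Computer cmdlet is not available on servers), an elevated Windows PowerShell prompt, and the SystemRestore registry key where Windows 8 and later keep the 24-hour creation throttle that silently skips a second point. The reg export lines are a second backup of the hives the AVZ fixes touch, in the spirit of AVZ's own /Backup folder.

```powershell
# Added example (not from the article): create a restore point, confirm it exists,
# and export the registry keys the AVZ fixes modify. Run as Administrator.
$desc = "Before AVZ system restore $(Get-Date -Format 'yyyy-MM-dd HH:mm')"

# System Protection must be enabled on the system drive or no point is created.
try { Enable-ComputerRestore -Drive "$env:SystemDrive\" -ErrorAction Stop }
catch { "Enable-ComputerRestore: $_" }

# Windows 8+ refuses a second point within 24 h unless this interval is 0.
$srKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore'
Set-ItemProperty -Path $srKey -Name SystemRestorePointCreationFrequency -Value 0 -Type DWord

Checkpoint-Computer -Description $desc -RestorePointType MODIFY_SETTINGS

# Verify instead of trusting: the newest point must carry our description.
$latest = Get-ComputerRestorePoint | Sort-Object SequenceNumber -Descending | Select-Object -First 1
if ($latest.Description -eq $desc) {
    "restore point #$($latest.SequenceNumber) created: $($latest.Description)"
} else {
    "WARNING: no new restore point (latest is '$($latest.Description)')"
}

# Second line of defence: plain .reg exports you can re-import with reg.exe
# even when System Restore itself is unusable.
$bak = Join-Path $env:USERPROFILE "avz-prep-$(Get-Date -Format 'yyyyMMdd-HHmmss')"
New-Item -ItemType Directory -Path $bak | Out-Null
reg export 'HKCU\Software\Microsoft\Windows\CurrentVersion' "$bak\hkcu-currentversion.reg" /y | Out-Null
reg export 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' "$bak\winlogon.reg" /y | Out-Null
reg export 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options' "$bak\ifeo.reg" /y | Out-Null
reg export 'HKLM\SYSTEM\CurrentControlSet\Services\WinSock2' "$bak\winsock2.reg" /y | Out-Null
"registry backups in $bak"
```

To roll a single key back later, double-click the .reg file or run `reg import <file>` from an elevated prompt; this restores only that key, which is often preferable to a full System Restore.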

How to restore your computer from a restore point

There are two ways to run System Restore: from a running Windows, or from the installation disc.

Option 1 - if Windows starts

Go to Start - All Programs - Accessories - System Tools - System Restore:

System Restore starts. Choose "Choose a different restore point" and click Next. A list of restore points opens; select the one you need:

The computer restarts automatically. After it boots, all settings, the registry and some important files have been restored.

Option 2 - if Windows does not boot

You need a Windows 7 or Windows 8 installation disc. Where to get (or download) one is covered in a separate article.

Boot from the disc (booting from a boot disc is also covered separately) and select:

"System Restore" instead of installing Windows.

Repairing the system after viruses or inept handling of the computer

Before doing anything, get rid of the viruses, for example with an antivirus scanner. Otherwise there is no point: the running virus will "break" the corrected settings again.

Restoring program launches

If a virus has blocked the launching of programs, AVZ will help. Of course, you still need to launch AVZ itself, but that is easy enough:

First go to Control Panel (any view except Category) - Folder Options - View, untick "Hide extensions for known file types" and click OK. Now every file shows its extension, the few characters after the last dot in its name; for programs that is usually .exe or .com. To run AVZ on a computer where programs are blocked, rename its extension to cmd or pif:

AVZ will then start. In the program window click File - System restore:

Items to tick:

1. Restoring the launch parameters of .exe, .com, .pif files (this is the one that actually solves the problem of launching programs)

6. Removing all Policies (restrictions) of the current user (in rare cases this item also helps with launching programs if the virus is particularly nasty)

9. Removing system process debuggers (it is well worth ticking this one, because even after an antivirus scan something of the virus may remain; it also helps when the desktop does not appear at startup)

Confirm the action; a window with the text "System restoration completed" appears. All that remains is to restart the computer, and the problem with launching programs is solved!

Restoring the desktop launch

A fairly common problem: the desktop does not appear when the system starts.

You can launch the desktop like this: press Ctrl+Alt+Del, start Task Manager, then choose File - New task (Run...) and type explorer.exe:

Click OK and the desktop starts. But this is only a temporary solution; the next time you turn the computer on you will have to do it all again.

To avoid doing this every time, you need to restore the registry key that launches Explorer (the program responsible for the standard view of folder contents and for the desktop). In AVZ click File - System restore and tick the item that restores the Explorer startup key.

Click "Perform selected operations", confirm the action and click OK. Now the desktop will start normally when the computer boots.

Unblocking Task Manager and the Registry Editor

If a virus has blocked these two programs, you can lift the ban from the AVZ window. Just tick two items:

11. Unblock Task Manager

17. Unblock the Registry Editor

and click "Perform selected operations".

Problems with the Internet (VKontakte, Odnoklassniki and antivirus sites do not open)

Cleaning the system of unnecessary files

AVZ also knows how to clean unnecessary files off your computer. If you don't have a dedicated disk-cleaning program, AVZ will do, since it has plenty of options:

More detail on the items:

  1. Clear the Prefetch system cache - cleans the folder that records which files to preload so that programs start faster. Useless: Windows manages the Prefetch folder itself and cleans it when required.
  2. Delete Windows log files - clears various databases and files holding records of operating system events. Useful only if you need a dozen or two megabytes of disk space; in other words the benefit is negligible and the option is of little use.
  3. Delete memory dump files - when a critical error occurs Windows stops with a BSOD (blue screen of death) and saves information about running programs and drivers to a file, so that specialised tools can later identify the culprit. The option is nearly useless, freeing only some tens of megabytes (a full memory dump can be much larger). Deleting dump files does not harm the system.
  4. Clear the Recent Documents list - as the name says, clears the Recent Documents list found in the Start menu. You can also clear it by hand: right-click that item in the Start menu and choose "Clear recent items list". The option is useful: I have noticed that clearing the list makes the Start menu open its submenus a little faster. It is harmless.
  5. Clear the TEMP folder - the holy grail for anyone wondering where the free space on drive C: went. Many programs store files in TEMP for temporary use and forget to clean up afterwards; archivers are a typical example, unpacking files there and never deleting them. Clearing TEMP does not harm the system and can free a lot of space (in extreme cases up to fifty gigabytes!).
  6. Adobe Flash Player - clear temporary files - Flash Player keeps temporary files that can be deleted. Occasionally this helps with Flash Player glitches, for example video or audio not playing on the VKontakte site. Harmless.
  7. Clear the terminal client cache - as far as I know, this clears the temporary files of the Windows "Remote Desktop Connection" component (remote access to computers over RDP). It seems harmless and frees a dozen megabytes at best. There is no point using it.
  8. IIS - delete the HTTP error log - it would take a while to explain what this is. I will just say that it is better not to enable the IIS log clearing option. It does no harm, but no good either.
  9. Macromedia Flash Player - duplicates "Adobe Flash Player - clear temporary files", but applies to rather ancient Flash Player versions.
  10. Java - clear cache - gains a couple of megabytes of disk space. I don't use Java programs, so I haven't checked the consequences of enabling it. I don't recommend turning it on.
  11. Empty the Recycle Bin - the purpose is clear from the name.
  12. Delete system update installation logs - Windows keeps a log of installed updates; this option clears it. Useless, because no space is gained.
  13. Delete the Windows Update log - like the previous item, but different files are deleted. Also of little use.
  14. Clear the MountPoints database - if no icon appears in the Computer window when you connect a flash drive or hard disk, this can help. Enable it only if you have problems connecting flash drives and disks.
  15. Internet Explorer - clear cache - deletes Internet Explorer's temporary files. Safe and useful.
  16. Microsoft Office - clear cache - deletes the temporary files of Microsoft Office programs (Word, Excel, PowerPoint and others). I cannot vouch for this option's safety because I don't have Microsoft Office.
  17. Clear the CD burning cache - useful; deletes files you have staged for burning to disc.
  18. Clear the system TEMP folder - unlike the user TEMP folder (item 5), cleaning this folder is not always safe and usually frees little space. I don't recommend turning it on.
  19. MSI - clean the Config.Msi folder - this folder holds files created by program installers. It grows large when installers do not finish cleanly, so cleaning it is justified. Be warned, though: programs installed with .msi installers (Microsoft Office, for example) may afterwards fail to uninstall.
  20. Clear Task Scheduler logs - the Windows Task Scheduler keeps a log of completed tasks. I don't recommend this item: there is no benefit, and it can cause problems, since the Task Scheduler is a rather fragile component.
  21. Delete Windows Setup logs - the space gained is negligible; there is no point deleting them.
  22. Windows - clear icon cache - useful if you have problems with shortcuts, for example when icons do not appear immediately after the desktop loads. Does not affect system stability.
  23. Google Chrome - clear cache - a very useful option. Google Chrome keeps copies of pages in a dedicated folder so that sites open faster (pages are loaded from disk instead of downloaded). This folder can reach half a gigabyte. Clearing it frees disk space and affects the stability of neither Windows nor Chrome.
  24. Mozilla Firefox - clean the CrashReports folder - every time Firefox crashes it writes report files; this option deletes them. The gain is a couple of tens of megabytes at most, so the option is of little use, but it is there. Does not affect Windows or Firefox.

The number of items varies with the programs installed. For example, if the Opera browser is installed you can clear its cache too.

Cleaning the list of startup programs

A sure way to make the computer start and run faster is to clean up the startup list. If unnecessary programs do not start, the computer not only boots faster but also runs faster, thanks to the resources no longer taken up by programs running in the background.

AVZ can see almost every loophole in Windows through which programs are launched. Open the autorun list from the Tools - Autorun Manager menu:

The average user has no need of such powerful functionality, so I urge you not to disable everything. It is enough to look at two sections: Autorun folders and Run*.

AVZ shows autorun entries not only for your own user but for all other profiles too:

In the Run* section it is better not to disable programs located under HKEY_USERS: that can disrupt other user profiles and the operating system itself. In the Autorun folders section you can disable everything you don't need.

Entries the antivirus recognises as known are marked green. These are Windows system programs and third-party programs that carry a digital signature.

All other programs are shown in black. That does not mean they are viruses or anything of the kind, only that not every program is digitally signed.
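The same green/black triage can be reproduced from Windows PowerShell, which is useful when you want a log of what was there before you start unticking. The script below is an added example, not AVZ code: it walks the Run, RunOnce and Policies\Explorer\Run keys of HKLM and of every loaded user hive (plus the 32-bit WOW6432Node view), adds the two Autorun folders, and uses the Authenticode signature of each target file in place of AVZ's database of known files. The regular expressions that pull the executable out of a command line are my own heuristic. Run it elevated so other users' hives are readable.

```powershell
# Added example (not AVZ code): list Run*/startup-folder entries for all loaded
# hives and classify each by the Authenticode status of the file it launches.
$RunKeys = @(
    'SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)
# HKLM plus every hive currently loaded under HKEY_USERS (logged-on users, .DEFAULT, service SIDs)
$Hives  = @('HKLM') + @(Get-ChildItem Registry::HKEY_USERS | ForEach-Object { "HKU\$($_.PSChildName)" })
$PSMeta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Get-ExePath([string]$Command) {
    # Reduce a startup command line (or a .lnk in a Startup folder) to the file that runs.
    $c = [Environment]::ExpandEnvironmentVariables($Command.Trim())
    if ($c -like '*.lnk') { return (New-Object -ComObject WScript.Shell).CreateShortcut($c).TargetPath }
    if ($c -match '^"([^"]+)"') { return $Matches[1] }
    if ($c -match '^(.*?\.(exe|com|scr|bat|cmd|vbs|js))(\s|$)') { return $Matches[1] }
    return ($c -split '\s+')[0]
}

$entries = @(foreach ($hive in $Hives) {
    foreach ($sub in $RunKeys) {
        $key = "Registry::$hive\$sub"
        if (-not (Test-Path -LiteralPath $key)) { continue }
        (Get-ItemProperty -LiteralPath $key).PSObject.Properties |
            Where-Object { $PSMeta -notcontains $_.Name } |
            ForEach-Object { [pscustomobject]@{ Where = "$hive\$sub"; Name = $_.Name; Command = "$($_.Value)" } }
    }
})
# The two "Autorun folders" the article suggests trimming.
$entries += @(foreach ($d in "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
                           "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup") {
    Get-ChildItem -LiteralPath $d -File -ErrorAction SilentlyContinue |
        ForEach-Object { [pscustomobject]@{ Where = 'StartupFolder'; Name = $_.Name; Command = $_.FullName } }
})

$entries | ForEach-Object {
    $exe = Get-ExePath $_.Command
    if ($exe -and (Test-Path -LiteralPath $exe)) {
        $sig    = Get-AuthenticodeSignature -LiteralPath $exe
        $status = "$($sig.Status)"   # Valid ~ AVZ's green row; NotSigned ~ black (not proof of malware)
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject -replace '^CN=("[^"]+"|[^,]+).*', '$1' } else { '-' }
    } else { $status = 'FILE MISSING'; $signer = '-' }
    [pscustomobject]@{ Status = $status; Signer = $signer; Entry = $_.Name; Where = $_.Where; Command = $_.Command }
} | Sort-Object Status | Format-Table -AutoSize -Wrap
```

Two readings of the output matter. FILE MISSING entries are leftovers of a removed virus and can go. A Valid signature is only as good as the file it belongs to: an entry whose command is `rundll32.exe`, `regsvr32.exe` or `wscript.exe` with a payload as the argument will show as signed by Microsoft, so for those look at the argument, not the host process.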

Make the first column wider so that the program name is visible. Unticking the checkbox disables the program's autorun temporarily (you can tick it again later); selecting the entry and pressing the button with the black cross deletes it permanently (or until the program registers itself in autorun again).

The question is how to decide what can be disabled and what cannot. There are two approaches:

First, common sense: decide from the name of the program's .exe file. For example, when Skype is installed it creates an entry to start automatically when the computer is turned on. If you don't need that, untick the entry ending in skype.exe. Incidentally, many programs (Skype included) can remove themselves from startup; just untick the corresponding item in the program's own settings.

Second, search the Internet for information about the program and decide from what you find whether to remove it from autorun. AVZ makes this easy: right-click the entry and choose your favourite search engine:

Disabling unnecessary programs noticeably speeds up startup. Do not disable everything, though: you risk losing the keyboard layout indicator, disabling the antivirus, and so on.

Disable only programs you know for certain you don't need at startup.

Bottom line

In truth, what I have described in this article is like hammering nails with a microscope: AVZ is suitable for optimizing Windows, but in general it is a complex and powerful tool for a wide range of tasks. To use AVZ to the full you need to know Windows thoroughly, so start small, namely with what I have described above.

If you have questions or comments, there is a comment section under the articles where you can write to me. I follow the comments and will try to reply as quickly as possible.


We will discuss the simplest ways to neutralize viruses, in particular those that block the Windows 7 user's desktop (the Trojan.Winlock family). These viruses do not hide their presence in the system; on the contrary, they advertise it, making it nearly impossible to do anything other than enter a special "unlock code", which you supposedly obtain by paying the attackers a certain sum, either by SMS or by topping up a mobile phone account at a payment terminal. The goal is simply to make the user pay, sometimes a considerable amount. A window appears with a threatening warning that the computer has been blocked for using unlicensed software or visiting unwanted sites, or something similar, intended to scare the user. In addition, the virus prevents any action in the Windows environment: it blocks the key combinations that open the Start menu, the Run command, Task Manager and so on, and the mouse pointer cannot be moved outside the virus window. As a rule the same happens when Windows is booted in safe mode. The situation looks hopeless, especially if there is no second computer and no way to boot another operating system or removable media (a live CD, ERD Commander, an antivirus rescue disc). Nevertheless, in the vast majority of cases there is a way out.

The new technologies in Windows Vista / Windows 7 made it much harder for malware to get in and take full control of the system, and also gave users extra ways to get rid of it relatively easily, even without antivirus software. What matters here is the ability to boot into safe mode with command prompt and run management and recovery tools from there. Out of habit, and because this mode was rather poorly implemented in earlier Windows versions, many users simply do not use it. That is a pity. The Windows 7 command prompt has no desktop (which the virus may be blocking), but from it you can start most programs: the Registry Editor, Task Manager, the System Restore utility and so on.

Removing a virus by rolling back the system to a restore point

A virus is an ordinary program: if it sits on the hard disk but has no way to start automatically at boot or logon, it is as harmless as a text file. Solve the problem of its automatic launch and the job of removing it is essentially done. The main autostart method viruses use is registry entries created when they install themselves; delete those entries and the virus is neutralized. The simplest way is a System Restore rollback. A restore point is a copy of important system files, stored in the "System Volume Information" directory, which includes copies of the Windows registry hives. Rolling back to a restore point created before the infection gives you a registry without the entries the virus made, which disables its automatic start and so cures the infection without any antivirus software. This quickly and simply removes most viruses, including those that block the Windows desktop. Naturally, a blocker that works by modifying the hard disk's boot sectors (the MBRLock virus) cannot be removed this way: a rollback does not touch the disks' boot records, and you will not be able to boot into safe mode with command prompt at all, because the virus loads before the Windows boot loader. To remove such an infection you must boot from other media and repair the infected boot records. Such viruses are relatively rare, though, and in most cases a rollback to a restore point is enough.

1. At the very start of boot, press F8. The Windows boot loader menu appears with the available boot options.

2. Choose the boot option "Safe Mode with Command Prompt".

After boot completes and the user logs on, a cmd.exe command processor window is displayed instead of the usual Windows desktop.

3. Start the System Restore tool by typing rstrui.exe at the command prompt and pressing ENTER.

Switch to "Choose a different restore point" and, in the next window, tick "Show more restore points".

After selecting a restore point you can view the list of programs that the rollback will affect:

The affected programs are those installed after the restore point was created; they may need reinstalling, because their registry entries will be gone.

After you click "Finish", the recovery process begins and Windows restarts when it completes.

After the reboot a message reports whether the rollback succeeded and, if it did, Windows is back in the state it was in when the restore point was created. If the desktop is still blocked, use the more advanced method below.

Removing a virus without rolling back the system to a restore point

It is possible that the system does not have recovery point data for various reasons, the recovery procedure ended with an error, or the rollback did not produce a positive result. In this case, you can use the System Configuration diagnostic utility MSCONFIG.EXE. As in the previous case, you need to do loading Windows in safe mode with command line support and in the cmd.exe command line interpreter window, type msconfig.exe and press ENTER

On the General tab, you can select the following modes Windows startup:

When the system boots, only the minimum required system services and user programs will be launched.
Selective launch- allows you to set in manual mode a list of system services and user programs that will be launched during the boot process.

To eliminate a virus, the easiest way is to use a diagnostic launch, when the utility itself determines a set of programs that automatically start. If in this mode the virus stops blocking the desktop, then you need to move on to the next step - determine which program is a virus. To do this, you can use the selective launch mode, which allows you to enable or disable the launch of individual programs manually.

The "Services" tab allows you to enable or disable the launch of system services whose startup type is set to "Automatic". An unchecked box in front of the service name means that it will not be launched during system boot. At the bottom of the MSCONFIG utility window there is a field for setting the "Do not display Microsoft services" mode, which, when enabled, will display only third-party services.

I note that the likelihood of a system being infected by a virus that is installed as a system service, with standard security settings in Windows Vista / Windows 7, is very low, and you will have to look for traces of the virus in the list of automatically launched user programs (the "Startup" tab).

As on the Services tab, you can enable or disable the automatic launch of any program in the list MSCONFIG shows. If a virus starts automatically through the usual registry keys or the contents of the Startup folder, msconfig lets you not only disable it but also find out the path and name of the infected file.

msconfig is a simple and convenient tool for managing the automatic startup of services and applications that start in the standard way for the Windows family. Virus authors, however, often use techniques that launch their programs without the standard autorun points. Such a virus is most likely to be removed by the method described above, rolling the system back to a restore point. If a rollback is impossible and msconfig did not help, the remaining option is to edit the registry directly.

While fighting a virus the user often has to do a hard reset (the Reset button or power off). This can leave the system in a state where it starts but never reaches the logon screen: the computer hangs because the file system structures of some system files were left inconsistent by the incorrect shutdown. To fix this, boot into Safe Mode with Command Prompt as in the previous cases and run the disk check command

chkdsk C: /F - check drive C: and fix the errors found (the /F switch; /R additionally scans for bad sectors and takes much longer)

Because the system volume is in use by system services and applications while chkdsk runs, chkdsk cannot get exclusive access to it. It therefore warns you and offers to schedule the check for the next restart. After you answer Y, an entry is written to the registry so that the check runs when Windows restarts; once the check completes, that entry is removed and Windows continues booting normally without any user action.

Eliminating the possibility of a virus running using the Registry Editor.

To start the Registry Editor, boot Windows into Safe Mode with Command Prompt as in the previous case, type regedit.exe in the command interpreter window and press ENTER.

With default security settings, Windows 7 is protected from many of the malware launch techniques that worked on earlier Microsoft operating systems. Viruses that install their own drivers and services, reconfigure WINLOGON to attach their own executable modules, rewrite registry keys that apply to all users, and so on: these methods either do not work on Windows 7 or require so much effort that they are rarely used. Typically the registry changes that make a virus start are made only with the permissions of the current user, i.e. in the HKEY_CURRENT_USER hive.

To demonstrate the simplest desktop-locking mechanism, substitution of the user shell, and to show why MSCONFIG cannot detect or remove it, you can run the following experiment: instead of a virus, you edit the registry yourself so that, for example, a command prompt appears instead of the desktop. The familiar desktop is drawn by Windows Explorer (Explorer.exe), which is started as the user's shell. This is controlled by the Shell value in the registry keys

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon - for all users.
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon - for the current user.

The Shell value is a string with the name of the program to be used as the shell when the user logs on. Normally the Shell value is absent from the current user's key (HKEY_CURRENT_USER, abbreviated HKCU), and the value from the all-users key (HKEY_LOCAL_MACHINE, abbreviated HKLM) is used.

This is what the registry key looks like HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon with a standard Windows 7 installation

If you add a string value named Shell with the data "cmd.exe" to this key, then at the current user's next logon the cmd.exe shell is launched instead of the standard Explorer-based shell, and a command prompt window appears instead of the usual Windows desktop.

Naturally, any malicious program can be launched the same way, and the user gets a porn banner, a blocker or other nastiness instead of a desktop.
Changing the all-users key (HKLM...) requires administrative privileges, so viruses usually modify the current user's key (HKCU...).

If, continuing the experiment, you run msconfig, you can confirm that cmd.exe does not appear among the automatically started programs even though it is now the user shell. A system rollback would of course return the registry to its initial state and get rid of the virus's autostart, but if that is impossible for some reason, the only option is to edit the registry directly. To get the standard desktop back, simply delete the Shell value, or change its data from "cmd.exe" to "explorer.exe", then log off and log on again (or reboot). You can edit the registry either with regedit.exe, started from the command line, or with the console utility REG.EXE. Example command line that deletes the Shell value (append /f to suppress the confirmation prompt):

REG delete "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell

Substituting the user shell is today one of the most common techniques used by viruses on Windows 7. With default settings the system's fairly high security level keeps malware away from the registry keys that were used to infect Windows XP and earlier. Even if the current user is a member of the Administrators group, access to the great majority of the registry settings used for infection requires the program to be run as administrator. This is why malware modifies the keys the current user is allowed to write (the HKCU... hive). The second important factor is the difficulty of writing program files into system directories. For the same reason, most viruses on Windows 7 run their executable (.exe) files from the current user's temporary files directory (Temp). When analysing program autostart points in the registry, first look for programs located in the temporary directory. Usually this is C:\Users\username\AppData\Local\Temp. The exact path can be seen in Control Panel under System properties - "Environment Variables", or from the command line:

set temp
or
echo %temp%

In addition, searching the registry for the temporary directory path or for the %TEMP% variable can serve as a further way of finding a virus. As a rule, legitimate programs do not start automatically from the TEMP directory (an installer that has just scheduled a RunOnce entry for its second stage is the rare exception).

To get a complete list of possible autostart points, use the Autoruns program from the Sysinternals Suite.
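The registry checks described in this section (a per-user Shell value, Run/RunOnce entries that start something from Temp) and the Image File Execution Options "Debugger" mechanism, which the AVZ list below calls a system process debugger (item 9), can be scripted. The following Python script is an added example written for this page, not part of the original article and not AVZ code. Its checking functions work on plain dictionaries so the logic can be exercised offline on a constructed sample; on Windows, collect_live() reads the real keys with the standard winreg module. The Windows 7 defaults for Shell and Userinit and the sample entries are assumptions, and the %TEMP% rule is exactly the heuristic the text gives, so a legitimate installer's RunOnce entry would be flagged too.

```python
"""Audit of the registry persistence points discussed on this page: the Winlogon
Shell/Userinit values, Run/RunOnce entries that start something from Temp, and
Image File Execution Options "Debugger" values (AVZ's "system process debuggers").
The checks work on plain dicts; collect_live() fills them on Windows via winreg."""
import ntpath
import re
import sys

WINLOGON = r"Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
RUN_KEYS = (r"Software\Microsoft\Windows\CurrentVersion\Run",
            r"Software\Microsoft\Windows\CurrentVersion\RunOnce")
IFEO = r"Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
# Stock Windows 7 values (assumption: no OEM customisation).
DEFAULT_SHELL = "explorer.exe"
DEFAULT_USERINIT = r"c:\windows\system32\userinit.exe,"


def expand(command, env):
    """Expand %VAR% references from the given environment mapping (upper-case keys)."""
    return re.sub(r"%([^%]+)%", lambda m: env.get(m.group(1).upper(), m.group(0)), command)


def in_temp(command, env):
    """True if the command line points into the temp directory, via %TEMP%/%TMP% or literally."""
    if re.search(r"%(temp|tmp)%", command, re.IGNORECASE):
        return True
    expanded = ntpath.normcase(expand(command, env))
    if any(var in env and ntpath.normcase(env[var]) in expanded for var in ("TEMP", "TMP")):
        return True
    # Usual profile layout, in case the variables themselves were redirected.
    return "\\appdata\\local\\temp\\" in expanded


def audit(reg, env):
    """reg = {"HKLM": {key: {name: data}}, "HKCU": {...}}; returns (hive, item, data, reason) tuples."""
    findings = []
    for hive in ("HKLM", "HKCU"):
        keys = reg.get(hive, {})
        winlogon = keys.get(WINLOGON, {})
        shell, userinit = winlogon.get("Shell"), winlogon.get("Userinit")
        if hive == "HKCU" and shell is not None:
            findings.append((hive, "Shell", shell, "per-user shell set (normally absent)"))
        elif shell is not None and ntpath.normcase(shell) != DEFAULT_SHELL:
            findings.append((hive, "Shell", shell, "non-default system shell"))
        if hive == "HKLM" and userinit is not None and ntpath.normcase(userinit) != DEFAULT_USERINIT:
            findings.append((hive, "Userinit", userinit, "non-default Userinit"))
        for key in RUN_KEYS:
            for name, command in keys.get(key, {}).items():
                if in_temp(command, env):
                    findings.append((hive, name, command, "autorun from Temp"))
        # A Debugger value makes Windows start that program whenever the named one is launched.
        for exe, debugger in keys.get(IFEO, {}).items():
            findings.append((hive, exe, debugger, "IFEO debugger registered"))
    return findings


def _values(root, key):
    """All values of one registry key as {name: str(data)}; empty if the key is missing."""
    import winreg
    out = {}
    try:
        with winreg.OpenKey(root, key) as h:
            for i in range(winreg.QueryInfoKey(h)[1]):
                name, data, _ = winreg.EnumValue(h, i)
                out[name] = str(data)
    except OSError:
        pass
    return out


def collect_live():
    """Windows only. Use a 64-bit Python on 64-bit Windows, or HKLM\\Software is redirected to WOW6432Node."""
    import winreg
    reg = {}
    for alias, root in (("HKLM", winreg.HKEY_LOCAL_MACHINE), ("HKCU", winreg.HKEY_CURRENT_USER)):
        reg[alias] = {key: _values(root, key) for key in (WINLOGON,) + RUN_KEYS}
        debuggers = {}
        try:
            with winreg.OpenKey(root, IFEO) as h:
                for i in range(winreg.QueryInfoKey(h)[0]):
                    exe = winreg.EnumKey(h, i)
                    debugger = _values(root, IFEO + "\\" + exe).get("Debugger")
                    if debugger is not None:
                        debuggers[exe] = debugger
        except OSError:
            pass
        reg[alias][IFEO] = debuggers
    return reg


# Constructed sample, not taken from a real machine.
SAMPLE_ENV = {"TEMP": r"C:\Users\alice\AppData\Local\Temp", "TMP": r"C:\Users\alice\AppData\Local\Temp"}
SAMPLE_REG = {
    "HKLM": {WINLOGON: {"Shell": "explorer.exe", "Userinit": r"C:\Windows\system32\userinit.exe,"},
             RUN_KEYS[0]: {"RtHDVCpl": r"C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe -s"},
             IFEO: {"taskmgr.exe": r"C:\Users\alice\AppData\Local\Temp\lock.exe"}},
    "HKCU": {WINLOGON: {"Shell": "cmd.exe"},
             RUN_KEYS[0]: {"svchost": r"C:\Users\alice\AppData\Local\Temp\svchost.exe"},
             RUN_KEYS[1]: {"Updater": r"%TEMP%\upd.exe"}},
}

if __name__ == "__main__":
    if sys.platform == "win32":
        import os
        reg, env = collect_live(), {k.upper(): v for k, v in os.environ.items()}
    else:
        reg, env = SAMPLE_REG, SAMPLE_ENV
    for hive, item, data, reason in audit(reg, env):
        print("%s  %-12s %-55s [%s]" % (hive, item, data, reason))
```

On the sample the script reports the per-user cmd.exe shell, the two Temp autoruns and the taskmgr.exe debugger, and stays silent about the vendor audio applet. Run it from the Safe Mode command prompt on the affected machine; it only reads, so removal is still done with REG delete or regedit as shown above.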

The simplest ways to remove blockers of the MBRLock family

Malicious programs can take control of a computer not only by infecting the operating system but also by modifying the boot records of the disk it boots from. The virus replaces the boot code with its own so that, instead of Windows, a small program loads that displays a ransom message demanding money from the victim. Because the virus gains control before the system boots, the only way around it is to boot from other media (CD/DVD, external drive, etc.) into any operating system from which the boot sector code can be restored. The easiest way is a Live CD / Live USB, which most antivirus companies provide free of charge (Dr.Web LiveCD, Kaspersky Rescue Disk, Avast! Rescue Disk, etc.). Besides repairing boot sectors, these products can also scan the file system for malware and remove or disinfect infected files. If that is not an option, any Windows PE build (an installation disk, the ERD Commander recovery disk) is enough to restore normal booting. Usually it is sufficient to get to a command prompt and run:

bootsect /nt60 E: /mbr

restores the boot code of drive E:; substitute the letter under which the damaged system's boot volume is visible from the rescue environment (it may differ from the letter the installed system itself used).

or, for Windows versions prior to Windows Vista:

bootsect /nt52 E: /mbr

bootsect.exe can be found not only in the system directories but also on removable media, runs under any Windows operating system, and rewrites boot sector code without touching the partition table or the file system. Without /mbr it rewrites only the boot sector of the given volume (the volume boot record); /mbr additionally rewrites the master boot code of the disk containing that volume, again leaving the disk signature and partition table in place. Because a blocker of this family sits in the MBR, that switch is exactly what removes it, and it does no harm if the MBR code was never modified. The Windows recovery environment on Vista and later installation media offers the equivalent bootrec /fixmbr and bootrec /fixboot commands.
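To make the layout that bootsect relies on concrete, here is an added Python example (not from the original article, and not a copy of any bootsect code) that parses a 512-byte MBR, lists the partition table, and flags boot code that lacks the three error strings found in Microsoft's stock MBR. The sample images are constructed inside the script: the "stock" boot code is a stand-in that only carries those marker strings, and the ransom text is invented. rewrite_boot_code() shows what the /mbr switch does in principle: the first 440 bytes are replaced while the disk signature, the partition table and the 55 AA marker are kept.

```python
"""Triage of a 512-byte MBR image, to see what a boot-sector blocker changes
and what bootsect /mbr puts back. Layout: bytes 0-439 boot code, 440-443 disk
signature, 446-509 partition table (4 x 16 bytes), 510-511 the 55 AA marker.
The sample images below are constructed; they are not real MBR dumps."""
import struct

BOOT_CODE_LEN = 440
# Microsoft's MBR code carries these three error strings; their absence is a
# cheap sign that the code was replaced (a heuristic, not proof).
MS_MBR_STRINGS = (b"Invalid partition table",
                  b"Error loading operating system",
                  b"Missing operating system")


def parse_partitions(mbr):
    """Return the non-empty primary partition entries as dicts."""
    parts = []
    for i in range(4):
        status, _, ptype, _, lba, count = struct.unpack_from("<B3sB3sII", mbr, 0x1BE + 16 * i)
        if ptype != 0:
            parts.append({"index": i, "status": status, "active": status == 0x80,
                          "type": ptype, "lba_start": lba, "sectors": count})
    return parts


def triage(mbr):
    """List of human-readable findings; empty when the image looks like a stock MBR."""
    if len(mbr) != 512:
        return ["image is %d bytes, expected 512" % len(mbr)]
    findings = []
    if mbr[510:512] != b"\x55\xAA":
        findings.append("55 AA boot signature missing")
    missing = [s for s in MS_MBR_STRINGS if s not in mbr[:BOOT_CODE_LEN]]
    if missing:
        findings.append("boot code is not the stock Microsoft MBR (%d of %d marker strings missing)"
                        % (len(missing), len(MS_MBR_STRINGS)))
    parts = parse_partitions(mbr)
    for p in parts:
        if p["status"] not in (0x00, 0x80):
            findings.append("partition %d has invalid status byte 0x%02X" % (p["index"], p["status"]))
    active = sum(1 for p in parts if p["active"])
    if active != 1:
        findings.append("expected one active partition, found %d" % active)
    return findings


def rewrite_boot_code(mbr, code):
    """What bootsect /mbr does conceptually: replace the boot code, keep signature and table."""
    return code.ljust(BOOT_CODE_LEN, b"\x00") + mbr[BOOT_CODE_LEN:]


def build_mbr(code, disk_sig, partitions):
    """Assemble an MBR from boot code, a 4-byte disk signature and (status, type, lba, count) tuples."""
    table = b"".join(struct.pack("<B3sB3sII", s, b"\xFE\xFF\xFF", t, b"\xFE\xFF\xFF", lba, n)
                     for s, t, lba, n in partitions).ljust(64, b"\x00")
    return code.ljust(BOOT_CODE_LEN, b"\x00") + disk_sig + b"\x00\x00" + table + b"\x55\xAA"


# Constructed samples: the "stock" code is only a stand-in that carries the marker strings.
STOCK_CODE = b"\x33\xC0\x8E\xD0\xBC\x00\x7C" + b"\x90" * 300 + b"\x00".join(MS_MBR_STRINGS) + b"\x00"
RANSOM_CODE = b"\xEA\x00\x7C\x00\x00" + b"Your computer is locked. Send an SMS to unlock it."
PARTITIONS = [(0x80, 0x07, 2048, 204800)]          # one active NTFS partition starting at LBA 2048
STOCK_MBR = build_mbr(STOCK_CODE, b"\x12\x34\x56\x78", PARTITIONS)
INFECTED_MBR = build_mbr(RANSOM_CODE, b"\x12\x34\x56\x78", PARTITIONS)


def read_mbr(path):
    """First sector of a disk image or raw device (on Windows \\\\.\\PhysicalDrive0, as administrator)."""
    with open(path, "rb") as f:
        return f.read(512)


if __name__ == "__main__":
    for label, image in (("stock", STOCK_MBR), ("infected", INFECTED_MBR),
                         ("repaired", rewrite_boot_code(INFECTED_MBR, STOCK_CODE))):
        print(label, parse_partitions(image), triage(image) or "OK")
```

Run against a real dump (the first sector read with dd, or \\.\PhysicalDrive0 opened as administrator on Windows), the triage output tells you whether the MBR code was replaced before you choose between bootsect with /mbr and plain bootsect on the volume. The string check is a heuristic: an OEM or third-party boot manager will also be reported as non-stock.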

AVZ is a simple and convenient utility that can not only find malware but also restore the system. Why is that necessary?

The fact is that after a virus invasion (sometimes AVZ kills thousands of them) some programs refuse to work, settings have vanished somewhere, and Windows no longer behaves quite correctly.

Most often users simply reinstall the system in this case. But in practice that is not necessary at all, because with the same AVZ utility you can restore almost any damaged system settings.

In order to give you a more clear picture, I am providing a complete list of what AVZ can restore.

Material taken from the AVZ reference at http://www.z-oleg.com/secur/avz_doc/

The database currently contains the following firmware (microprograms, i.e. the built-in repair scripts):

1. Restoring startup parameters of .exe, .com, .pif files

This firmware restores the system's response to exe, com, pif, scr files.

Indications for use: After the virus is removed, programs stop running.

2. Reset Internet Explorer protocol prefix settings to standard

This firmware restores protocol prefix settings in Internet Explorer

Indications for use: when you enter an address like www.yandex.ru, it is replaced with something like www.seque.com/abcd.php?url=www.yandex.ru

3. Restoring the Internet Explorer start page

This firmware restores the start page in Internet Explorer

Indications for use: replacing the start page

4. Reset Internet Explorer search settings to standard

This firmware restores search settings in Internet Explorer

Indications for use: When you click the “Search” button in IE, you are directed to some third-party site

5. Restore desktop settings

This firmware restores desktop settings.

Restoration involves removing all Active Desktop elements and the wallpaper, and unblocking the menu responsible for desktop settings.

Indications for use: The desktop settings tabs in the "Display Properties" window have disappeared; extraneous text or pictures are shown on the desktop

6.Deleting all Policies (restrictions) of the current user

Windows provides a mechanism for restricting user actions called Policies. Much malware uses it because the settings are stored in the registry and are easy to create or modify.

Indications for use: Explorer functions or other system functions are blocked.

7.Deleting the message displayed during WinLogon

Windows NT and later systems of the NT line (2000, XP) allow a message to be shown at logon (the LegalNoticeCaption and LegalNoticeText values under the Winlogon key).

A number of malicious programs take advantage of this, and the destruction of the malicious program does not lead to the destruction of this message.

Indications for use: An extraneous message is entered during system boot.

8.Restoring Explorer settings

This firmware resets a number of Explorer settings to standard (the settings changed by malware are reset first).

Indications for use: Explorer settings changed

9.Removing system process debuggers

A "system process debugger" is the Debugger value under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\<program>.exe: whenever that program is started, Windows launches the listed "debugger" instead, with the original command line as its argument. Registering itself as the debugger of a system component lets malware start covertly in its place, and a number of malicious programs use this.

Indications for use: AVZ detects unidentified system process debuggers, problems arise with launching system components, in particular, the desktop disappears after a reboot.

10.Restoring boot settings in SafeMode

Some malware, in particular the Bagle worm, corrupts the system's Safe Mode boot settings (the SafeBoot keys in the registry).

This firmware restores the Safe Mode boot settings. Indications for use: The computer does not boot into Safe Mode. Use this firmware only when there are problems booting into Safe Mode.

11.Unlock task manager

Task Manager blocking is used by malware to protect processes from detection and removal. Accordingly, executing this microprogram removes the lock.

Indications for use: The Task Manager is blocked; when you try to open it, the message "Task Manager has been disabled by your administrator" is displayed.

12.Clearing the ignore list of the HijackThis utility

The HijackThis utility stores a number of its settings in the registry, in particular a list of exceptions. Therefore, to camouflage itself from HijackThis, the malicious program only needs to register its executable files in the exclusion list.

A number of known malicious programs use this trick. The AVZ firmware clears the HijackThis exception list.

Indications for use: There are suspicions that the HijackThis utility does not display all information about the system.

13. Cleaning the Hosts file

Cleaning up the Hosts file involves finding the Hosts file, removing all significant lines from it, and adding the standard “127.0.0.1 localhost” line.

Indications for use: It is suspected that the Hosts file has been modified by malware. A typical symptom is that antivirus programs can no longer update.

You can control the contents of the Hosts file using the Hosts file manager built into AVZ.

14. Automatic correction of SPI/LSP settings

Performs analysis of SPI settings and, if errors are detected, automatically corrects the errors found.

This firmware can be re-run any number of times. After running it, restarting the computer is recommended. Note! This firmware cannot be run from a terminal session.

Indications for use: After removing the malicious program, access to the Internet was lost.

15. Reset SPI/LSP and TCP/IP settings (XP+)

This firmware only works on XP, Windows 2003 and Vista. It works by resetting and re-creating the SPI/LSP and TCP/IP settings with the standard netsh utility included in Windows (the equivalent of running netsh winsock reset and netsh int ip reset by hand).

Note! Use this reset only if necessary, when problems with Internet access remain after removing the malware and cannot be fixed otherwise!

Indications for use: After removing the malicious program, access to the Internet was lost, and running firmware "14. Automatic correction of SPI/LSP settings" does not help.

16. Recovering the Explorer launch key

Restores system registry keys responsible for launching Explorer.

Indications for use: During system boot, Explorer does not start, but it is possible to launch explorer.exe manually.

17. Unlocking the registry editor

Unblocks the Registry Editor by removing the policy that prevents it from running.

Indications for use: It is impossible to start the Registry Editor; when you try, a message is displayed stating that its launch is blocked by the administrator.

18. Complete re-creation of SPI settings

Performs a backup copy of SPI/LSP settings, after which it destroys them and creates them according to the standard, which is stored in the database.

Indications for use: Severe damage to SPI settings that cannot be repaired by firmware 14 and 15. Use only if necessary!

19. Clear MountPoints database

Cleans up the MountPoints and MountPoints2 keys in the registry. This operation often helps when, after infection with a virus spread via USB flash drives, disks do not open in Explorer.

To perform a recovery, you must select one or more items and click the “Perform selected operations” button. Clicking the "OK" button closes the window.

On a note:

Restoration is useless if a Trojan that performs these reconfigurations is still running on the system - remove the malicious program first, then restore the system settings.

On a note:

To eliminate traces of most Hijackers, you need to run three firmware - “Reset Internet Explorer search settings to standard”, “Restore Internet Explorer start page”, “Reset Internet Explorer protocol prefix settings to standard”

On a note:

Any of the firmware can be executed several times in a row without damaging the system. The exceptions are "5. Restoring desktop settings" (running it resets all desktop settings, so you will have to re-select the desktop colours and wallpaper) and "10. Restoring boot settings in SafeMode" (it recreates the registry keys responsible for booting in safe mode).

To start the recovery, first download, unpack and run the utility. Then click File - System Restore. By the way, you can also do


Check the boxes you need and click "Perform selected operations". That's it, we wait for completion :-)

In the following articles we will look in more detail at the problems that avz system recovery firmware will help us solve. So good luck to you.

16.08.2019

In this article, dedicated to AVZ, I want to share with you some more knowledge about the capabilities of this wonderful utility.

Today we will talk about system recovery tools, which can often save your computer’s life after being infected with viruses and other horrors of life, as well as solve a number of system problems that arise as a result of certain errors.
It will be useful for everyone.

Introductory

Before we begin, traditionally, I want to offer you two formats of material, namely: video format or text. Here's the video:

Well, the text below. See for yourself which option is closer to you.

General description of the program functionality

What are these recovery tools? A set of firmware and scripts that bring particular system functions back into working order. Which, for example? Say, unblocking the registry editor, cleaning the hosts file or resetting IE settings. Here is the full list with descriptions (so as not to reinvent the wheel):

  • 1. Restoring startup parameters of .exe, .com, .pif files
    Indications for use: after removing the virus, programs stop running.
  • 2. Reset Internet Explorer protocol prefix settings to standard
    Indications for use: when you enter an address like www.yandex.ru, it is replaced with something like www.seque.com/abcd.php?url=www.yandex.ru
  • 3. Restoring the Internet Explorer start page
    Indications for use: replacing the start page
  • 4. Reset Internet Explorer search settings to default
    Indications for use: When you click the "Search" button in IE, you are accessing some third-party site
  • 5. Restore desktop settings
    This firmware restores desktop settings. Restoration involves removing all Active Desktop elements and the wallpaper, and unblocking the menu responsible for desktop settings.
    Indications for use: The desktop settings tabs in the "Display Properties" window have disappeared, extraneous text or pictures are shown on the desktop
  • 6. Removing all Policies (restrictions) of the current user.
    Indications for use: Explorer functions or other system functions are blocked.
  • 7. Removing the message displayed during WinLogon
    Windows NT and subsequent systems in the NT line (2000, XP) allow you to set the message displayed during startup. A number of malicious programs take advantage of this, and the destruction of the malicious program does not lead to the destruction of this message.
    Indications for use: During system boot, an extraneous message is entered.
  • 8. Restoring Explorer settings
    Indications for use: Explorer settings changed
  • 9. Removing system process debuggers

    Indications for use: AVZ detects unidentified system process debuggers, problems arise with launching system components, in particular, the desktop disappears after a reboot.
  • 10. Restoring boot settings in SafeMode
    Some malware, in particular the Bagle worm, corrupts the system's Safe Mode boot settings. This firmware restores the Safe Mode boot settings.
    Indications for use: The computer does not boot into Safe Mode. Use this firmware only if you have problems booting into Safe Mode.
  • 11. Unlock task manager
    Indications for use: The Task Manager is blocked; when you try to open it, the message "Task Manager has been disabled by your administrator" is displayed.
  • 12. Clearing the ignore list of the HijackThis utility
    The HijackThis utility stores a number of its settings in the registry, in particular a list of exceptions. Therefore, to camouflage itself from HijackThis, the malicious program only needs to register its executable files in the exclusion list. There are currently a number of known malicious programs that exploit this vulnerability. AVZ firmware clears HijackThis utility exception list
    Indications for use: Suspicions that the HijackThis utility does not display all information about the system.
  • 13. Cleaning the Hosts file
    Cleaning up the Hosts file involves finding the Hosts file, removing all significant lines from it, and adding the standard "127.0.0.1 localhost" line.
    Indications for use: Suspicion that the Hosts file has been modified by a malicious program. Typical symptoms are blocking the update of antivirus programs. You can control the contents of the Hosts file using the Hosts file manager built into AVZ.

  • 14. Automatic correction of SPI/LSP settings
    Performs analysis of SPI settings and, if errors are detected, automatically corrects them. This firmware can be re-run any number of times. After running it, restarting the computer is recommended. Note! This firmware cannot be run from a terminal session.
    Indications for use: After removing the malicious program, access to the Internet was lost.
  • 15. Reset SPI/LSP and TCP/IP settings (XP+)
    This firmware only works on XP, Windows 2003 and Vista. It works by resetting and re-creating the SPI/LSP and TCP/IP settings with the standard netsh utility included in Windows. You can read more about resetting these settings in the Microsoft Knowledge Base. Note! Use this reset only if necessary, when problems with Internet access remain after removing the malware and cannot be fixed otherwise!
    Indications for use: After removing the malicious program, access to the Internet was lost and running firmware "14. Automatic correction of SPI/LSP settings" does not help.
  • 16. Restoring the Explorer launch key
    Indications for use: During system boot, Explorer does not start, but launching explorer.exe manually is possible.
  • 17. Unlocking the registry editor
    Indications for use: It is impossible to start the registry editor; when you try, a message is displayed stating that its launch is blocked by the administrator.
  • 18. Complete re-creation of SPI settings
    Indications for use: Severe damage to SPI settings that cannot be repaired by firmware 14 and 15. Use only if necessary!
  • 19. Clear MountPoints database
    Cleans up the MountPoints and MountPoints2 keys in the registry.
    Indications for use: This operation often helps when, after infection with a virus spread via USB flash drives, disks do not open in Explorer.
  • On a note:
    Restoration is useless if a Trojan that performs these reconfigurations is still running on the system; remove the malicious program first, then restore the system settings.
  • On a note:
    To eliminate traces of most Hijackers, run three firmware: "Reset Internet Explorer search settings to standard", "Restore Internet Explorer start page", "Reset Internet Explorer protocol prefix settings to standard".
  • On a note:
    Any of the firmware can be executed several times in a row without damaging the system. The exceptions are "5. Restoring desktop settings" (it resets all desktop settings, so you will have to re-select the desktop colours and wallpaper) and "10. Restoring boot settings in SafeMode" (it recreates the registry keys responsible for booting into safe mode).

Useful, isn't it?
Now about how to use it.

Loading, starting, using

Actually, everything is simple.

  1. Download the AVZ antivirus utility (from the author's site or elsewhere).
  2. Unpack the archive with it somewhere convenient for you
  3. Go to the folder where we unpacked the program and run it there avz.exe.
  4. In the program window select "File" - "System Restore".
  5. Tick the items you need and click "Perform selected operations".
  6. We are waiting and enjoying the result.

That's how things are.

Afterword

I must say that it works like a charm and eliminates a number of unnecessary movements. So to speak, everything is at hand, fast, simple and effective.

Thank you for your attention;)

Thank you for your help in preparing the material to the computer masters. service center Launch.RF. You can order laptop and netbook repairs from these guys in Moscow.

Malicious programs embed themselves in the operating system of a personal computer and can damage a great deal of data. Today malware is written for many different purposes, so its actions target various structures of the operating system.

Problems with Internet access and malfunctions of devices connected to the PC are common, and their consequences are obvious to the user.

Even when the malware has been found and destroyed, this does not rule out loss of information and other problems in subsequent work. The list could go on indefinitely; most often the user finds complete or partial loss of access to the Internet, external devices (mouse, flash drive) that no longer work, an empty desktop, and so on.

These consequences come from the changes the malware made to system files and settings. Such changes are not undone by removing the virus; they have to be corrected separately, either by the user or with specialist help. In fact this work needs no special training, and any advanced user can do it after reading the appropriate instructions.

Several approaches to restoring an operating system are distinguished in practice, depending on what caused the failure. Let us consider each of them. The simplest method, available to every user, is to roll the OS back to a restore point taken when the computer still worked as the user expected. But very often this solution is unsatisfactory, or it cannot be applied for objective reasons.

How to restore the OS if logging into the PC is impossible?

System Restore is started as follows: Start Menu\Control Panel\System Restore. There you select the restore point you need and start the process. After a while the work is complete and the computer is ready for normal use. The technique is quite applicable to eliminating some kinds of viruses, since the rollback also covers the registry. This option is considered the simplest and is part of the standard Windows toolset. Step-by-step instructions and the built-in help with detailed comments on the process will help even a user who does not feel fully confident as a PC administrator.

Another common recovery option is to run the procedure from external media. It is complicated by a few things: you need a system image on a flash drive or disk, which must have been prepared in advance, and some skill with the BIOS is often required. An OS image on external media is the best option when recovery from inside the system is impossible because a virus has blocked logon. There are other options too.

The standard Windows tools cannot be used to restore the OS if, for example, logon is impossible or something else prevents the operation from being performed normally. The situation can be resolved with ERD Commander (ERDC).

Let us go through the steps. The first step is to obtain the program. The second is to launch the System Restore Wizard, which rolls the OS back to the chosen restore point.

As a rule, there are several restore points to choose from, and in about eighty percent of cases the computer is fully restored.

Using AVZ utility tools

The tool discussed below needs no special skills to use. The program was developed by Oleg Zaitsev and is designed to find and remove all kinds of viruses and malware. Beyond that main function, the utility can restore most of the system settings that have been attacked or altered by malware.

What problems can it solve? The main one is restoring system settings and files attacked by viruses. It also handles damaged program drivers that refuse to start after recovery, problems with browsers, blocked Internet access, and many other troubles.

The recovery operation is started from File\System Restore, where you select the operation you need. The figure shows the interface listing the firmware the utility runs; a description of each follows.

As you can see, the set of operations consists of 21 items, and the name of each explains its purpose. The program's capabilities are quite diverse, and it can be considered a universal tool for reviving not only the system itself but also for eliminating the consequences of viruses that tampered with system data.

The first item is used when, after a virus attack and the OS recovery procedure, the programs the user needs refuse to run. As a rule this happens when the malware has changed the way the system handles executable files (.exe, .com, .pif, .scr), and the item restores those launch settings.

The second item is needed when a virus substitutes the address you type into the browser with a different domain. Such substitution is done by altering the protocol prefix settings that govern how the browser forms a request. The function does not try to find the individual changes; it simply resets the whole set of protocol prefix settings to the standard values.

The third item restores the browser start page. As before, the program corrects Internet Explorer by default.

The fourth item fixes the search settings and sets the standard mode of operation. Again, this concerns the browser installed with Windows by default.

If there is a problem with the desktop (banners, pictures or extraneous text appearing on it), use the fifth item. Such consequences of malware were very common a couple of years ago and caused users a lot of trouble, but even now such tricks can still end up on a PC.

The sixth item is needed when the malware has restricted the user's actions by disabling a number of commands. These restrictions can be of various kinds, and since the settings (Policies) are stored in the registry, malware often uses them to limit what the user can do with the PC.

If an extraneous message appears when the OS loads, this means the malware managed to infiltrate the Windows NT startup settings. Destroying the virus does not clear this message. To remove it, activate the seventh parameter in the AVZ utility menu.

The eighth menu option, as the name suggests, restores Explorer settings.

Sometimes the problem manifests itself in the form of interruptions in the operation of system components, for example, during the startup of the personal computer OS, the desktop disappears. The AVZ utility diagnoses these structures and makes the necessary adjustments using item nine of the tools menu.

Problems loading the OS in safe mode are resolved by item ten. It is easy to tell when this microprogram of the utility is needed: the problems show up on any attempt to work in safe mode.

If the task manager is blocked, then you need to activate menu item eleven. Viruses on behalf of the administrator make changes to the activation of this section of the operating system, and instead of the working window, a message appears stating that work with the task manager is blocked.

The HijackThis utility keeps its list of exceptions in the registry as one of its main features. It is enough for a virus to get into that list and register its files there; after that it can reappear any number of times. The utility's exception list is cleaned by activating the twelfth item in the AVZ menu.

The next, thirteenth item clears the Hosts file. This file, once modified by a virus, can cause difficulties with the network, block some resources, and interfere with updating antivirus databases. Working with this file is discussed in more detail below. Unfortunately, almost all virus programs try to edit this file: such changes are easy to make, their consequences can be more than significant, and after the viruses are removed the entries left in the file can be a direct gateway for new pests and spyware to enter the OS.

If access to the Internet is blocked, this usually means there are errors in the SPI settings. They will be corrected if you activate menu item fourteen. It is important that this settings item cannot be used from a terminal session.

Similar functions are provided by the fifteenth menu item, but it can only be activated on operating systems such as XP, Windows 2003 and Vista. You can use this microprogram if attempts to fix network access with the previous setting did not bring the desired result.

The capabilities of the sixteenth menu item are aimed at restoring system registry keys that are responsible for launching the Internet browser.

The next step in working to restore OS settings after a virus attack is to unlock the registry editor. As a rule, the external manifestation is that it is impossible to load the program for working with the Network.

The following four points are recommended only if the damage to the operating system is so catastrophic that, by and large, it makes no difference whether they can be eliminated using such methods or as a result it will be necessary to reinstall the entire system.

So, the eighteenth item recreates the initial SPI settings. The nineteenth item clears the MountPoints and MountPoints2 registry keys.

The twentieth point removes all static routes. Finally, the last, twenty-first point erases all DNS connections.

As you can see, the utility's capabilities cover almost all areas into which a malware program can penetrate and leave an active trace that is not so easy to detect.

Since antivirus applications do not guarantee 100% protection of your PC's operating system, we recommend having such a program in your arsenal of tools against computer viruses of all types and forms.

As a result of disinfection of the personal computer OS, the devices connected to it do not work.

One popular way for spyware to disguise itself is to install its own virus driver alongside a real one. In this situation the real driver is most often the mouse or keyboard driver file. Accordingly, after the virus is destroyed, its trace remains in the registry, and for this reason the device the pest attached itself to stops working.

A similar situation occurs when Kaspersky Anti-Virus is uninstalled incorrectly. This is also due to the specifics of installing the program, which uses the auxiliary driver klmouflt. In the Kaspersky case, this driver must be found and completely removed from the system according to all the rules.

If the keyboard and mouse refuse to function as they should, first of all you need to restore the registry keys.

Keyboard:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E96B-E325-11CE-BFC1-08002BE10318}
UpperFilters=kbdclass

Mouse:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E96F-E325-11CE-BFC1-08002BE10318}
UpperFilters=mouclass
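An added example (not from the original article or from AVZ) that performs the check described above: it compares the keyboard and mouse class UpperFilters values against the driver services that still exist, so a leftover filter name such as klmouflt with no driver behind it is spotted and the corrected value is produced. The registry snapshot below is constructed; reading the live registry is done only on Windows through winreg.

```python
from typing import Dict, List, Set

KEYBOARD_CLASS = "{4D36E96B-E325-11CE-BFC1-08002BE10318}"
MOUSE_CLASS = "{4D36E96F-E325-11CE-BFC1-08002BE10318}"
CLASS_KEY = r"SYSTEM\CurrentControlSet\Control\Class\{}"
SERVICES_KEY = r"SYSTEM\CurrentControlSet\Services"

# The standard filters named in the article; anything else deserves a look.
STANDARD_FILTERS = {KEYBOARD_CLASS: ["kbdclass"], MOUSE_CLASS: ["mouclass"]}

# Constructed snapshot: UpperFilters per class plus the names of the driver
# services that still exist. "klmouflt" is listed as a mouse filter but its
# service is gone, which is exactly the situation the article describes.
SAMPLE_FILTERS = {KEYBOARD_CLASS: ["kbdclass"], MOUSE_CLASS: ["klmouflt", "mouclass"]}
SAMPLE_SERVICES = {"kbdclass", "mouclass", "i8042prt", "mouhid", "kbdhid"}


def audit_filters(filters: Dict[str, List[str]], services: Set[str]) -> Dict[str, dict]:
    """Per class: current value, orphaned filters (no service), and the value to write."""
    known = {s.lower() for s in services}
    out = {}
    for class_guid, names in filters.items():
        orphaned = [n for n in names if n.lower() not in known]
        # Keep every filter that still has a driver behind it, drop the orphans,
        # and put a missing standard filter back (a deleted mouclass would also
        # leave the device dead).
        fixed = [n for n in names if n not in orphaned]
        for std in STANDARD_FILTERS.get(class_guid, []):
            if std not in fixed:
                fixed.append(std)
        unexpected = [n for n in fixed if n not in STANDARD_FILTERS.get(class_guid, [])]
        out[class_guid] = {"current": list(names), "orphaned": orphaned,
                           "unexpected": unexpected, "fixed": fixed}
    return out


def fix_commands(report: Dict[str, dict]) -> List[str]:
    """reg add lines for every class whose value must change (REG_MULTI_SZ, \\0-separated)."""
    cmds = []
    for class_guid, info in report.items():
        if info["fixed"] != info["current"]:
            data = "\\0".join(info["fixed"])
            cmds.append(f'reg add "HKLM\\{CLASS_KEY.format(class_guid)}" '
                        f'/v UpperFilters /t REG_MULTI_SZ /d "{data}" /f')
    return cmds


def read_registry_snapshot():
    """Windows only: read the live UpperFilters values and the service names."""
    import winreg  # present only on Windows
    filters, services = {}, set()
    for guid in STANDARD_FILTERS:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, CLASS_KEY.format(guid)) as k:
            try:
                value, _ = winreg.QueryValueEx(k, "UpperFilters")
            except FileNotFoundError:
                value = []
            filters[guid] = list(value)
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, SERVICES_KEY) as k:
        for i in range(winreg.QueryInfoKey(k)[0]):
            services.add(winreg.EnumKey(k, i))
    return filters, services


if __name__ == "__main__":
    report = audit_filters(SAMPLE_FILTERS, SAMPLE_SERVICES)
    for guid, info in report.items():
        print(guid, info)
    for cmd in fix_commands(report):
        print(cmd)
```

On a live machine, replace the constructed snapshot with `read_registry_snapshot()` and review the generated commands before running them as administrator.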

The problem of inaccessible sites

One consequence of a malware attack may be that some Internet resources become inaccessible. This is the result of changes the virus managed to make to the system. The problem shows up either immediately or after some time, but even when it appears later as a result of the pest's actions, it is not difficult to eliminate.

There are two options for blocking and the most common is adjusting the hosts file. The second option is to create false static routes. Even if the virus is destroyed, the changes it made to these tools will not be eliminated.

The file in question is located in the system folder on drive C, at C:\Windows\System32\drivers\etc\hosts. To find it quickly, the command line from the Start menu is usually used.

If the file cannot be found by the procedure above, this may mean that:

The virus program has changed the file's location in the registry;

The file has the "hidden" attribute set.

In the latter case, we change the search characteristics. At: Folder Options / View we find the line “Show hidden files” and check the box opposite, expanding the search range.

The hosts file contains information that converts the letter name of a site's domain into its IP address, so malware programs write adjustments in it that can redirect the user to other resources. If this happens, then when you enter the address of the desired site, a completely different one opens. In order to return these changes to their original state and correct them, you need to find this file and analyze its contents. Even an inexperienced user will be able to see what exactly the virus has changed, but if this causes certain difficulties, you can restore the default settings, thereby eliminating all changes made to the file.

As for correcting routes, the principle of action is the same. However, in the process of interaction between the PC operating system and the Internet, priority always remains with the hosts file, so restoring it is enough for work to be carried out in standard mode.

The difficulty arises if the required file cannot be found because the virus has changed its location in the system folders. Then you need to correct the registry value:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\DataBasePath

Viruses of the Win32/Vundo group surpass most of their malicious counterparts in ingenuity when it comes to tampering with the hosts file. They change the file name itself, replacing the Latin letter o with a visually identical Cyrillic letter. Such a file no longer converts site domain names into IP addresses, and even if the user restores it, the result remains the same. How do you find the genuine file? If there is doubt that the object we need is real, we perform the following procedure. The first step is to turn on the display of hidden files. Let's examine the directory; it looks like what is shown in the picture.

Two seemingly identical files are shown here, but since the OS does not allow two files with the same name, it is obvious that one of them is a fake. It is easy to determine which is correct and which is not. The virus creates a bulky file that undergoes numerous edits, so the result of its sabotage, shown in the figure, is a hidden file of 173 KB.

If you open a document file, the information in it will contain the following lines:

31.214.145.172 vk.com - a string that can replace the IP address of the site

127.0.0.1 avast.com - a file line written by a virus to deny access to the antivirus program website
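An added example (not part of the original article) that audits a hosts directory and file the way the text describes: it spots a file name that mimics "hosts" with a Cyrillic letter, classifies each entry as a redirect to a foreign IP or a black-holed vendor site, and shows where Windows actually looks for the file. The directory listing, hosts contents and vendor domain list are constructed sample values.

```python
import re
import unicodedata
from typing import Dict, List, Tuple

# Constructed listing of the etc directory. The second name uses a Cyrillic
# "о" (U+043E) in place of the Latin "o", the trick attributed to Win32/Vundo.
SAMPLE_LISTING = ["hosts", "h\u043ests", "lmhosts.sam", "networks", "protocol", "services"]

# Constructed hosts contents with the two kinds of lines the article shows.
SAMPLE_HOSTS = """# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
31.214.145.172  vk.com
127.0.0.1       avast.com
127.0.0.1       www.kaspersky.com
"""

# Constructed list of sites whose black-holing breaks antivirus updates.
PROTECTED_DOMAINS = {"avast.com", "kaspersky.com", "microsoft.com"}
BLACKHOLE_IPS = {"127.0.0.1", "::1", "0.0.0.0"}


def find_homoglyph_names(listing: List[str], expected: str = "hosts") -> List[str]:
    """Names that read as `expected` but contain non-Latin look-alike letters."""
    suspects = []
    for name in listing:
        if name == expected or name.isascii():
            continue
        # Reduce each character to the last word of its Unicode name, so
        # CYRILLIC SMALL LETTER O and LATIN SMALL LETTER O both become "o".
        skeleton = "".join(unicodedata.name(ch, "?").split()[-1].lower() for ch in name)
        if skeleton == expected:
            suspects.append(name)
    return suspects


def parse_hosts(text: str) -> List[Tuple[str, List[str]]]:
    """(ip, [names]) for every non-comment, non-blank line."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            parts = re.split(r"\s+", line)
            entries.append((parts[0], parts[1:]))
    return entries


def audit_hosts(text: str) -> Dict[str, List[str]]:
    """Classify each mapping: benign, redirect (foreign IP) or blackhole (vendor site)."""
    report = {"benign": [], "redirect": [], "blackhole": []}
    for ip, names in parse_hosts(text):
        for name in names:
            line = f"{ip} {name}"
            protected = any(name == d or name.endswith("." + d) for d in PROTECTED_DOMAINS)
            if ip not in BLACKHOLE_IPS:
                report["redirect"].append(line)    # site pinned to someone else's address
            elif protected:
                report["blackhole"].append(line)   # update site pointed at the local machine
            else:
                report["benign"].append(line)
    return report


def clean_hosts() -> str:
    """What the restore leaves behind: only the standard localhost line."""
    return "127.0.0.1 localhost\n"


def hosts_directory() -> str:
    """Where Windows looks for hosts: the Tcpip DataBasePath value (default elsewhere)."""
    default = r"%SystemRoot%\System32\drivers\etc"
    try:
        import winreg  # present only on Windows
    except ImportError:
        return default
    key = r"SYSTEM\CurrentControlSet\Services\Tcpip\Parameters"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key) as k:
        value, _ = winreg.QueryValueEx(k, "DataBasePath")
    return value


if __name__ == "__main__":
    print("hosts directory:", hosts_directory())
    print("look-alike names:", find_homoglyph_names(SAMPLE_LISTING))
    for kind, lines in audit_hosts(SAMPLE_HOSTS).items():
        print(kind, lines)
```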

We already noted above that you can also block individual resources by creating incorrect routes in the routing table. Let's look at the sequence of actions to see how the situation can be resolved.

If the hosts file contains no malicious edits and the resource still cannot be reached, the problem lies in the route table. A few words about how these two mechanisms interact. If the hosts file maps the domain to its correct address, the request is directed to that address and reaches the real resource. As a rule, the IP address does not belong to the local subnet's address range, so the traffic goes through the router gateway specified in the Internet connection settings.

If you adjust the route entries for a specific IP address, then automatic connection will occur based on this entry. Provided that there is no such route, or the gateway is not working, the connection will not occur and the resource will remain unavailable. Thus, the virus can delete an entry in the route table and block absolutely any website.

Routes created for specific sites are stored in the HKLM registry hive. A route is added when the route add command is run or the data is edited manually. When there are no static routes, that section of the table is empty. You can view the routing data with the route print command. It looks like this:

Active Routes: (the route print table itself is shown as an image in the original)

The table presented above is standard for a PC with a single network card and network connection settings:

IP address 192.168.0.0

mask 255.255.255.0

default gateway 192.168.0.1

The entry shown above consists of the network address 192.168.0.0 and the subnet mask 255.255.255.0. Decoded, this means the following. The mask covers all hosts whose high-order part of the address is the same. In binary, the first three bytes of this subnet mask are all ones on every PC operating system (255 in decimal, 0xFF in hexadecimal). The low-order part of the host addresses is a value in the range 1-254.

Accordingly, the lowest address, 192.168.0.0, is the network address, and the highest, 192.168.0.255, is the broadcast address. The first is excluded from use for data exchange, while the second is intended precisely for that purpose. The hosts exchange data packets using routes.

Let's imagine the following configuration:

IP address - 192.168.0.0

Network mask - 255.255.255.0

Gateway - 192.168.0.3

Interface - 192.168.0.3

Metric - 1

This reads as follows: for the address range 192.168.0.0 - 192.168.0.255, the network card's own address (192.168.0.3) is used as both the gateway and the interface. This means the data is delivered directly to the recipient.

When the destination address does not fall within the range 192.168.0.0-192.168.0.255, the data cannot be delivered directly. The IP stack sends it to the router, which forwards it to another network. If no static routes are specified, the router address used is the default gateway address. The data is sent to that address, then onward into the network along the routes listed in the table, until the recipient receives the packet. In general terms, this is what data transfer looks like. Let's look at an illustration of the entries in a typical routing table. The example has only a few records, but their number can reach tens or hundreds of lines.



Based on the example data, let's describe how traffic to Internet addresses is directed. For addresses in the range 74.55.40.0 to 74.55.40.255, the gateway address is equal to the network number 192.168.0.0, which accordingly cannot be used to exchange data. The IP protocol determines that the address (74.55.40.226) is not part of the local network's address range and consults the registered static routes.

If no such route were registered, the packet would be sent to the default gateway address set in the example.

Because the route shown in the example is more specific, it takes priority and requires its own gateway rather than the default one. Since no working gateway satisfies the request, the server at 74.55.40.226 remains out of reach, and with the subnet mask given in the example all addresses in the range 74.55.40.0 - 74.55.40.255 are blocked. This range includes the network path to the site of the antivirus software installed on the personal computer, which therefore will not receive virus database updates and will not function properly.

The more such data in the route table, the more resources are blocked. In the practice of specialists, virus programs created up to four hundred lines of this type, thereby blocking the work of about a thousand network resources. Moreover, the owners of viruses are not particularly interested in the fact that in an effort to ban some particular resource, they exclude dozens of other sites from possible access. This is the main mistake of unscrupulous programmers, since the number of unavailable resources reveals the very possibility of blocking data transfer. So, for example, if the exclusion circle includes the most popular social media, and the user cannot log into the VKontakte or Odnoklassniki website, then suspicion arises regarding the correct operation of the PC with the network.

Correcting the situation is not difficult; the route command with the delete keyword is used for this. We find the false entries in the table and remove them. A small note: all these operations require administrator rights, but the virus can only make changes to the routes if it got into the network through the personal computer's administrator account. Here are examples of such commands.

route delete 74.55.40.0 - entry that deletes the first option of the route line;

route delete 74.55.74.0 - an entry that deletes the second option of the route line.

The number of such lines must be the total number of false routes.

For a simpler approach, use output redirection. This is done by entering the command route print > C:\routes.txt. Running it creates a file called routes.txt on the system disk containing the route table.

The listing also contains DOS pseudo-graphic characters. These are unreadable and have no meaning for the operation. By adding the route delete command at the beginning of each route, we delete each false entry. The lines look something like this:

route delete 84.50.0.0

route delete 84.52.233.0

route delete 84.53.70.0

route delete 84.53.201.0

route delete 84.54.46.0

Next, change the file extension to cmd or bat, and launch the new file by double-clicking it. The task can be simplified with the popular file manager FAR, which works as follows. In the editor, opened with the F4 key, the right-hand part of each route record is selected. With the key combination Ctrl+F7, all spaces are replaced with nothing, and the cursor is then placed at the start of the line. A second replace with the same keys puts the route delete command at the required position.

When there are a lot of false routes in the table and correcting them manually would be long and tedious, it is recommended to use the route command with the -f switch.

This switch removes all non-host routes, and also completely removes routes to the host and broadcast addresses; the former have the address 255.255.255.255 and the latter 127.0.0.0. In other words, all the false entries written into the table by the virus will be removed. But at the same time the static routes and the user's own default gateway entry will be destroyed, so they will have to be restored, or the network will remain inaccessible. Alternatively, we can watch the table being cleaned and stop the process when it is about to delete an entry we need.
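An added example (not from the original article) that automates the procedure above: it parses the text produced by route print > C:\routes.txt, flags static routes whose gateway is the local subnet's network or broadcast address (the 74.55.40.0 case) or lies outside the local subnet, and emits the route delete lines for the .cmd file instead of assembling them by hand in an editor. The captured output below is constructed; it assumes a single network card on 192.168.0.0/24 with gateway 192.168.0.1 as in the article's setup.

```python
import ipaddress
import re
from typing import List, Tuple

# Constructed route print output (the XP-era layout, gateways shown as IPs).
SAMPLE_ROUTE_PRINT = """===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.0.1    192.168.0.3     20
        127.0.0.0        255.0.0.0        127.0.0.1      127.0.0.1      1
      192.168.0.0    255.255.255.0      192.168.0.3    192.168.0.3     20
      192.168.0.3  255.255.255.255        127.0.0.1      127.0.0.1     20
    192.168.0.255  255.255.255.255      192.168.0.3    192.168.0.3     20
       74.55.40.0    255.255.255.0      192.168.0.0    192.168.0.3      1
        84.50.0.0      255.255.0.0      192.168.0.0    192.168.0.3      1
  255.255.255.255  255.255.255.255      192.168.0.3    192.168.0.3      1
Default Gateway:       192.168.0.1
===========================================================================
Persistent Routes:
  None
"""

# destination, netmask, gateway (IP or "On-link" on newer Windows), interface, metric
ROUTE_RE = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s*$"
)


def parse_routes(text: str) -> List[Tuple[str, str, str, str, int]]:
    """Return (destination, netmask, gateway, interface, metric) for each route line."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if m:
            dest, mask, gw, iface, metric = m.groups()
            routes.append((dest, mask, gw, iface, int(metric)))
    return routes


def bogus_routes(text: str, local_net: str) -> List[str]:
    """Destinations of routes that can never deliver packets.

    A usable gateway is a host address inside the local subnet. A gateway equal
    to the subnet's network or broadcast address, or outside the subnet, can't
    be reached on the wire, so everything behind that route is black-holed.
    Directly attached routes (gateway == interface, loopback, "On-link") are skipped.
    """
    net = ipaddress.ip_network(local_net, strict=False)
    dead = []
    for dest, _mask, gw, iface, _metric in parse_routes(text):
        if gw.lower() == "on-link" or gw == iface or gw.startswith("127."):
            continue
        gw_ip = ipaddress.ip_address(gw)
        if gw_ip == net.network_address or gw_ip == net.broadcast_address or gw_ip not in net:
            dead.append(dest)
    return dead


def delete_script(text: str, local_net: str) -> str:
    """Body of the .cmd file the article builds by hand: one route delete per entry."""
    return "".join(f"route delete {dest}\n" for dest in bogus_routes(text, local_net))


if __name__ == "__main__":
    print(delete_script(SAMPLE_ROUTE_PRINT, "192.168.0.0/24"), end="")
```

Run it against the real C:\routes.txt by reading the file instead of the constructed sample, and review the generated lines before executing them as administrator.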

The AVZ antivirus program can also be used to correct the routing settings. The microprogram that handles this is the twentieth item, TCP configuration.

The last way virus programs block user access to site IP addresses is by substituting the DNS server address. In that case the connection to the network goes through a malicious server. But such situations are quite rare.

After completing all the work, you need to reboot your personal computer.

Once again I thank the masters of the computer service center Launch.RF for their help in preparing the material - http://launch.rf/information/territory/Kolomenskaya/, from whom you can order the repair of laptops and netbooks in Moscow.

Recovering encrypted files is a problem faced by a large number of personal computer users who have fallen victim to various encryption viruses. The number of malware programs in this group is very large and grows every day. Only recently we have come across dozens of ransomware variants: CryptoLocker, Crypt0l0cker, Alpha Crypt, TeslaCrypt, CoinVault, Bit Crypt, CTB-Locker, TorrentLocker, HydraCrypt, better_call_saul, crittt, etc.

Of course, you can restore encrypted files simply by following the instructions that the creators of the virus leave on the infected computer. But most often, the cost of decryption is very significant, and you also need to know that some ransomware viruses encrypt files in such a way that it is simply impossible to decrypt them later. And of course, it's just annoying to pay to restore your own files.

Ways to recover encrypted files for free

There are several ways to recover encrypted files using absolutely free and proven programs such as ShadowExplorer and PhotoRec. Before and during recovery, try to use the infected computer as little as possible, this way you increase your chances of successful file recovery.

The instructions described below must be followed step by step, if anything does not work out for you, then STOP, ask for help by writing a comment on this article or creating a new topic on ours.

1. Remove ransomware virus

Kaspersky Virus Removal Tool and Malwarebytes Anti-malware can detect different types of active ransomware viruses and will easily remove them from your computer, BUT they cannot recover encrypted files.

1.1. Remove ransomware using Kaspersky Virus Removal Tool

Click on the button Scan to run a scan of your computer for the presence of a ransomware virus.

Wait for this process to complete and remove any malware found.

1.2. Remove ransomware using Malwarebytes Anti-malware

Download the program. After the download is complete, run the downloaded file.

The program update procedure will start automatically. When it ends press the button Run scan. Malwarebytes Anti-malware will begin scanning your computer.

Immediately after scanning your computer, Malwarebytes Anti-malware will open a list of found components of the ransomware virus.

Click on the button Delete selected to clean your computer. While malware is being removed, Malwarebytes Anti-malware may require you to restart your computer to continue the process. Confirm this by selecting Yes.

After the computer starts again, Malwarebytes Anti-malware will automatically continue the cleaning process.

2. Recover encrypted files using ShadowExplorer

ShadowExplorer is a small utility that allows you to restore shadow copies of files that are created automatically by the Windows operating system (7-10). This will allow you to restore your encrypted files to their original state.

Download the program. The program is located in zip archive. Therefore, right-click on the downloaded file and select Extract all. Then open the ShadowExplorerPortable folder.

Launch ShadowExplorer. Select the disk you need and the creation date of the shadow copies (numbers 1 and 2 in the figure below).

Right-click on the directory or file you want to restore a copy of. From the menu that appears, select Export.

And lastly, select the folder where the recovered file will be copied.

3. Recover encrypted files using PhotoRec

PhotoRec is a free program created to recover deleted and lost files. With it you can restore the original files that ransomware viruses deleted after creating their encrypted copies.

Download the program. The program is in the archive. Therefore, right-click on the downloaded file and select Extract all. Then open the testdisk folder.

Find QPhotoRec_Win in the list of files and run it. A program window will open showing all the partitions of the available disks.

In the list of partitions, select the one on which the encrypted files are located. Then click on the File Formats button.

By default, the program is configured to recover all file types, but to speed up the work, it is recommended to leave only the file types that you need to recover. When you have completed your selection, click OK.

At the bottom of the QPhotoRec program window, find the Browse button and click it. You need to select the directory where the recovered files will be saved. It is advisable to use a disk that does not contain encrypted files that require recovery (you can use a flash drive or external drive).

To start the procedure for searching and restoring original copies of encrypted files, click the Search button. This process takes quite a long time, so be patient.

When the search is complete, click the Quit button. Now open the folder you have chosen to save the recovered files.

The folder will contain directories named recup_dir.1, recup_dir.2, recup_dir.3, etc. The more files the program finds, the more directories there will be. To find the files you need, check all directories one by one. To make it easier to find the right file among a large number of recovered ones, use the built-in Windows search (by file content), and do not forget about sorting files within directories. You can sort by the file modification date, since QPhotoRec attempts to restore this property when recovering a file.

A virus is a type of malicious software that penetrates system memory areas, code of other programs, and boot sectors. It is capable of deleting important data from a hard drive, USB drive or memory card.

Most users do not know how to recover files after a virus attack. In this article, we want to tell you how to do it in a quick and easy way. We hope that this information will be useful to you. There are two main methods you can use to easily remove the virus and recover deleted data after a virus attack.

Delete the virus using the command prompt

1) Click the “Start” button. Enter CMD in the search bar. You will see the “Command Prompt” at the top of the pop-up window. Press Enter.

2) Run the Command Prompt and type in: attrib -h -r -s /s /d driver_name\*.*



After this step, Windows will start recovering the virus-infected hard drive, memory card or USB. It will take some time for the process to be completed.

To start Windows recovery, click the “Start” button. Type Restore in the search bar. In the next window click “Start System Restore” → “Next” and select the desired restore point.



Another variant of the path is “Control Panel” → “System” → “System Protection”. A recovery preparation window will appear. Then the computer will reboot and a message will appear saying “System Restore completed successfully.” If it did not solve your problem, then try rolling back to another restore point. That’s all to be said about the second method.

Magic Partition Recovery: Restoring Missing Files and Folders after a Virus Attack

For reliable recovery of files deleted by viruses, use Magic Partition Recovery. The program is based on direct low-level access to the disk. Therefore, it will bypass the virus blocking and read all your files.

Download and install the program, then analyze the disk, flash drive or memory card. After the analysis, the program displays the list of folders on the selected disk. Having selected the necessary folder on the left, you can view it in the right section.



Thus, the program provides the ability to view the contents of the disk in the same way as with the standard Windows Explorer. In addition to existing files, deleted files and folders will be displayed. They will be marked with a special red cross, making it much easier to recover deleted files.

If you have lost your files after virus attack, Magic Partition Recovery will help you restore everything without much effort.

AVZ is a simple and convenient utility that can not only remove malware but also restore the system. Why is this necessary?

The fact is that after the invasion of viruses (it happens that AVZ kills thousands of them), some programs refuse to work, the settings have all disappeared somewhere and Windows somehow does not work quite correctly.

Most often, in this case, users simply reinstall the system. But as practice shows, this is not at all necessary, because using the same AVZ utility, you can restore almost any damaged programs and data.

In order to give you a more clear picture, I am providing a complete list of what AVZ can restore.

Material taken from the reference book AVZ - http://www.z-oleg.com/secur/avz_doc/ (copy and paste into the browser address bar).

Currently the database contains the following firmware:

1. Restoring startup parameters of .exe, .com, .pif files

This firmware restores the system's response to exe, com, pif, scr files.

Indications for use: After the virus is removed, programs stop running.

2. Reset Internet Explorer protocol prefix settings to standard

This firmware restores protocol prefix settings in Internet Explorer

Indications for use: when you enter an address like www.yandex.ru, it is replaced with something like www.seque.com/abcd.php?url=www.yandex.ru

3. Restoring the Internet Explorer start page

This firmware restores the start page in Internet Explorer

Indications for use: replacing the start page

4. Reset Internet Explorer search settings to standard

This firmware restores search settings in Internet Explorer

Indications for use: When you click the “Search” button in IE, you are directed to some third-party site

5. Restore desktop settings

This firmware restores desktop settings.

Restoration involves deleting all active ActiveDesktop elements, wallpaper, and unblocking the menu responsible for desktop settings.

Indications for use: The desktop settings bookmarks in the “Display Properties” window have disappeared; extraneous inscriptions or pictures are displayed on the desktop

6. Deleting all Policies (restrictions) of the current user

Windows provides a mechanism for restricting user actions called Policies. Many malware use this technology because the settings are stored in the registry and are easy to create or modify.

Indications for use: Explorer functions or other system functions are blocked.

7. Deleting the message displayed during WinLogon

Windows NT and subsequent systems in the NT line (2000, XP) allow you to set the message displayed during startup.

A number of malicious programs take advantage of this, and the destruction of the malicious program does not lead to the destruction of this message.

Indications for use: An extraneous message is entered during system boot.

8. Restoring Explorer settings

This firmware resets a number of Explorer settings to standard (the settings changed by malware are reset first).

Indications for use: Explorer settings changed

9. Removing system process debuggers

Registering a system process debugger allows an application to be launched covertly, which is what a number of malicious programs use it for.

Indications for use: AVZ detects unidentified system process debuggers, problems arise with launching system components, in particular, the desktop disappears after a reboot.

10. Restoring boot settings in SafeMode

Some malware, in particular the Bagle worm, corrupts the system's boot settings in protected mode.

This firmware restores boot settings in protected mode. Indications for use: The computer does not boot into SafeMode. This firmware should be used only in case of problems with booting in protected mode.

11. Unlock task manager

Task Manager blocking is used by malware to protect processes from detection and removal. Accordingly, executing this microprogram removes the lock.

Indications for use: The task manager is blocked; when you try to call the task manager, the message “Task Manager is blocked by the administrator” is displayed.

12. Clearing the ignore list of the HijackThis utility

The HijackThis utility stores a number of its settings in the registry, in particular a list of exceptions. Therefore, to hide from HijackThis, a malicious program only needs to register its executable files in the exclusion list.

A number of malicious programs are currently known to exploit this weakness. The AVZ firmware clears the HijackThis exception list.

Indications for use: There are suspicions that the HijackThis utility does not display all information about the system.

13. Cleaning the Hosts file

Cleaning up the Hosts file involves finding the Hosts file, removing all significant lines from it, and adding the standard “127.0.0.1 localhost” line.

Indications for use: It is suspected that the Hosts file has been modified by malware. Typical symptoms are blocking the update of antivirus programs.

You can control the contents of the Hosts file using the Hosts file manager built into AVZ.

14. Automatic correction of SPI/LSP settings

Performs analysis of SPI settings and, if errors are detected, automatically corrects the errors found.

This firmware can be re-run an unlimited number of times. After running this firmware, it is recommended to restart your computer. Note! This firmware cannot be run from a terminal session

Indications for use: After removing the malicious program, I lost access to the Internet.

15. Reset SPI/LSP and TCP/IP settings (XP+)

This firmware only works on XP, Windows 2003 and Vista. Its operating principle is based on resetting and re-creating SPI/LSP and TCP/IP settings using the standard netsh utility included in Windows.

Note! You should use a factory reset only if necessary if you have unrecoverable problems with Internet access after removing malware!

Indications for use: After removing the malicious program, there is no Internet access and running the firmware “14. Automatic correction of SPI/LSP settings” does not help.

16. Recovering the Explorer launch key

Restores system registry keys responsible for launching Explorer.

Indications for use: During system boot, Explorer does not start, but it is possible to launch explorer.exe manually.

17. Unlocking the registry editor

Unblocks the Registry Editor by removing the policy that prevents it from running.

Indications for use: It is impossible to start the Registry Editor; when you try, a message is displayed stating that its launch is blocked by the administrator.

18. Complete re-creation of SPI settings

Backs up the SPI/LSP settings, then deletes them and re-creates them from the standard template stored in the AVZ database.

Indications for use: Severe damage to SPI settings that cannot be repaired by scripts 14 and 15. Use only if necessary!

19. Clear MountPoints database

Clears the MountPoints and MountPoints2 databases in the registry. This operation often helps when, after infection by a flash-drive virus, disks do not open in Explorer.

To perform a recovery, you must select one or more items and click the “Perform selected operations” button. Clicking the "OK" button closes the window.

On a note:

Restoration is useless if the system is running a Trojan program that performs such reconfigurations - you must first remove the malicious program and then restore the system settings

On a note:

To eliminate traces of most Hijackers, you need to run three firmware - “Reset Internet Explorer search settings to standard”, “Restore Internet Explorer start page”, “Reset Internet Explorer protocol prefix settings to standard”

On a note:

Any of the firmware can be executed several times in a row without damaging the system. The exceptions are “5. Restoring desktop settings” (running this firmware resets all desktop settings, and you will have to re-select the desktop colour scheme and wallpaper) and “10. Restoring boot settings in SafeMode” (this firmware recreates the registry keys responsible for booting in safe mode).

To start the recovery, first download, unpack and run the utility. Then click File - System Restore. By the way, you can also do


Check the boxes that you need and click the button to perform the selected operations. That's it; now we wait for completion :-)

In the following articles we will look in more detail at the problems that avz system recovery firmware will help us solve. So good luck to you.


There are programs that are as universal as a Swiss Army knife. The hero of my article is just such an “all-rounder”. Its name is AVZ (Zaitsev Antivirus). With this free antivirus you can catch viruses, optimize the system and fix problems.

AVZ capabilities

I already talked about the fact that this is an antivirus program in. AVZ's work as an on-demand antivirus (more precisely, an anti-rootkit) is well described in its help, but I will show you another side of the program: checking and restoring settings.

What can be “fixed” with AVZ:

  • Restore startup of programs (.exe, .com, .pif files)
  • Reset Internet Explorer settings to default
  • Restore desktop settings
  • Remove rights restrictions (for example, if a virus has blocked programs from launching)
  • Remove a banner or window that appears before you log in
  • Remove viruses that can run along with any program
  • Unblock the task manager and registry editor (if the virus has prevented them from running)
  • Clear file
  • Prohibit autorun of programs from flash drives and disks
  • Remove unnecessary files from your hard drive
  • Fix desktop problems
  • And much more

You can also use it to check Windows settings for security (in order to better protect against viruses), as well as optimize the system by cleaning startup.

The AVZ download page is located.

The program is free.

First, let's protect your Windows from careless actions.

The AVZ program has a great many functions that affect the operation of Windows. This is dangerous, because a mistake can lead to disaster. Please read the text and the help carefully before doing anything. The author of the article is not responsible for your actions.

In order to be able to “return everything as it was” after careless work with AVZ, I wrote this chapter.

This is a mandatory step, essentially creating an “escape route” in case of careless actions - thanks to the restore point, it will be possible to restore settings and the Windows registry to an earlier state.

Windows System Restore is a standard component of all versions of Windows starting with Windows ME. It's a pity that people usually forget about it and waste time reinstalling Windows and programs, although a couple of clicks could avoid all the problems.

If the damage is serious (for example, some system files have been deleted), then System Restore will not help. In other cases - if you configured Windows incorrectly, messed around with the registry, installed a program that prevents Windows from booting, or used the AVZ program incorrectly - System Restore should help.

After work, AVZ creates subfolders with backup copies in its folder:

  • /Backup - backup copies of the registry are stored here.
  • /Infected - copies of deleted viruses.
  • /Quarantine - copies of suspicious files.

If problems started after running AVZ (for example, you thoughtlessly used the AVZ System Restore tool and the Internet stopped working) and Windows System Restore did not roll back the changes, you can open the registry backups from the Backup folder.

How to create a restore point

Let's go to Start - Control Panel - System - System Protection:

Click “System Protection” in the “System” window.

Click the “Create” button.

The process of creating a restore point can take ten minutes. Then a window will appear:

A restore point will be created. By the way, they are automatically created when installing programs and drivers, but not always. Therefore, before dangerous actions (setting up, cleaning the system), it is better to once again create a restore point, so that in case of trouble you can praise yourself for your foresight.
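As an added example (not AVZ's own code), this PowerShell script builds the “escape route” described above from the command line: it exports the registry keys that, as far as I know, the AVZ System Restore items modify, and then creates a restore point. The key list is my own selection, not taken from AVZ, and the script assumes an elevated PowerShell session on a client Windows with System Restore available.

```powershell
# Added example (not AVZ code): export the registry keys AVZ's System
# Restore items change, then create a Windows restore point, so that the
# changes can be rolled back even without AVZ's own /Backup copies.
# Assumptions: elevated PowerShell; System Restore enabled on drive C:;
# the key list is my hypothetical mapping of AVZ items to registry keys.

$BackupDir = Join-Path $env:USERPROFILE ("avz-escape-" + (Get-Date -Format 'yyyyMMdd-HHmmss'))
New-Item -ItemType Directory -Path $BackupDir | Out-Null

$KeysToExport = @(
    'HKCR\exefile',                                                                    # item 1: .exe launch
    'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies',                         # items 6/11/17: restrictions
    'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',  # item 9: debuggers
    'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',                      # item 16: Explorer shell
    'HKLM\SYSTEM\CurrentControlSet\Services\WinSock2',                                 # items 14/15/18: SPI/LSP
    'HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot'                                   # item 10: Safe Mode
)

function Export-RegistryKeys {
    param([string[]]$Keys, [string]$Dir)
    foreach ($key in $Keys) {
        # reg.exe handles HKCR and keys with spaces; one .reg file per key.
        $file = Join-Path $Dir (($key -replace '[\\:]', '_') + '.reg')
        & reg.exe export $key $file /y | Out-Null
        if ($LASTEXITCODE -ne 0) { Write-Warning "could not export $key" }
    }
}

function New-EscapeRestorePoint {
    param([string]$Description = 'Before AVZ system restore')
    # Windows 8 and later silently skip a new point if one was created in the
    # last 24 hours; a frequency of 0 lifts that limit.
    Set-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore' `
        -Name SystemRestorePointCreationFrequency -Value 0 -Type DWord
    Checkpoint-Computer -Description $Description -RestorePointType MODIFY_SETTINGS
    Get-ComputerRestorePoint | Select-Object -Property SequenceNumber, Description, CreationTime -Last 1
}

Export-RegistryKeys -Keys $KeysToExport -Dir $BackupDir
New-EscapeRestorePoint
"Registry exports are in $BackupDir; restore one with: reg import <file.reg>"
```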

How to restore your computer using a restore point

There are two options for launching System Restore - from under running Windows and using the installation disc.

Option 1 - if Windows starts

Let's go to Start - All Programs - Accessories - System Tools - System Restore:

The wizard will start. Choose “Select a different restore point” and press Next. A list of restore points will open. Select the one you need:

The computer will automatically restart. After it boots, all settings, the registry and some important files will have been restored.

Option 2 - if Windows does not boot

You need an “installation” disk with Windows 7 or Windows 8. I wrote in where to get it (or download it).

Boot from the disk (how to boot from boot disks is written) and select:

Select "System Restore" instead of installing Windows

Repairing the system after viruses or inept actions with the computer

Before all actions, get rid of viruses, for example, using. Otherwise, there will be no point - the running virus will “break” the corrected settings again.

Restoring program launches

If a virus has blocked the launch of any programs, then AVZ will help you. Of course, you still need to launch AVZ itself, but it’s quite easy:

First go to Control Panel (set any view type except Category) - Folder Options - View - uncheck “Hide extensions for registered file types” - OK. Now you can see each file's extension - the few characters after the last dot in the name. For programs this is usually .exe or .com. To run AVZ on a computer where running programs is prohibited, rename its extension to .cmd or .pif:

AVZ will then start. In the program window itself, click File - :

Points to note:

1. Restoring startup parameters of .exe, .com, .pif files (this is what actually solves the problem of launching programs)

6. Removing all Policies (restrictions) of the current user (in some rare cases, this item also helps solve the problem of starting programs if the virus is very harmful)

9. Removing system process debuggers (it is very advisable to tick this item, because even if you have scanned the system with an antivirus, something could remain from the virus. It also helps if the Desktop does not appear when the system starts)

Then confirm the action; a window appears with the text “System restoration completed.” After that, all that remains is to restart the computer - the problem with launching programs will be solved!

Restoring the Desktop launch

A fairly common problem is that the desktop does not appear when the system starts.

You can launch the Desktop like this: press Ctrl+Alt+Del, launch Task Manager, there choose File - New task (Run...) and enter explorer.exe:

OK - the desktop will start. But this is only a temporary solution - the next time you turn on the computer you will have to repeat everything again.

To avoid doing this every time, you need to restore the launch key of explorer (“Explorer”, the program responsible for the standard viewing of folder contents and for the Desktop). In AVZ click File - and mark the item

Perform marked operations, confirm the action, press OK. Now when you start your computer, the desktop will launch normally.

Unlocking Task Manager and Registry Editor

If a virus has blocked the launch of the two above-mentioned programs, you can remove the ban through the AVZ program window. Just check two points:

11. Unlock task manager

17. Unlocking the registry editor

And press Perform the marked operations.
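As an added example (not AVZ's own code), this PowerShell script checks the registry settings behind items 1, 6, 9, 16 and 17 used in the three procedures above (program launch, Desktop launch, Task Manager and Registry Editor), reports anything that deviates from the stock Windows values, and removes the two blocking policy values. It assumes an elevated PowerShell session; the expected defaults are the stock Windows values as I know them, not values taken from AVZ's database.

```powershell
# Added example (not AVZ code): audit the settings that AVZ items 1, 6, 9,
# 16 and 17 restore, then undo the "blocked by the administrator" policies.
# Assumptions: elevated PowerShell; expected defaults are stock Windows values.

function Test-ExeAssociation {
    # Item 1: the .exe open command must be exactly "%1" %*; anything else
    # routes every program start through some other executable.
    $cmd = (Get-ItemProperty 'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command').'(default)'
    [pscustomobject]@{ Check = 'exefile open command'; Value = $cmd; OK = ($cmd -eq '"%1" %*') }
}

function Test-ExplorerShell {
    # Item 16: HKLM Winlogon\Shell must be explorer.exe; a per-user Shell
    # value under HKCU should not exist at all (it overrides the machine one).
    $wl = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    [pscustomobject]@{ Check = 'Winlogon Shell (HKLM)'; Value = $wl.Shell; OK = ($wl.Shell -eq 'explorer.exe') }
    $userWl = 'HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $userShell = if (Test-Path $userWl) { (Get-ItemProperty $userWl).Shell } else { $null }
    [pscustomobject]@{ Check = 'Winlogon Shell (HKCU)'; Value = $userShell; OK = (-not $userShell) }
}

function Get-ProcessDebuggers {
    # Item 9: an IFEO "Debugger" value makes Windows start that program instead
    # of the named one; this is the "system process debugger" of the title.
    # Review each hit: a few legitimate developer tools use the same mechanism.
    $ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
    Get-ChildItem $ifeo | ForEach-Object {
        $dbg = (Get-ItemProperty $_.PSPath).Debugger
        if ($dbg) { [pscustomobject]@{ Check = "IFEO debugger for $($_.PSChildName)"; Value = $dbg; OK = $false } }
    }
}

function Test-UserPolicies {
    # Items 6, 11, 17: these values produce "disabled by your administrator"
    # for Task Manager and the Registry Editor.
    foreach ($hive in 'HKCU:', 'HKLM:') {
        $pol = "$hive\Software\Microsoft\Windows\CurrentVersion\Policies\System"
        foreach ($name in 'DisableTaskMgr', 'DisableRegistryTools') {
            $v = if (Test-Path $pol) { (Get-ItemProperty $pol).$name } else { $null }
            [pscustomobject]@{ Check = "$name ($hive)"; Value = $v; OK = (-not $v) }
        }
    }
}

function Repair-UserPolicies {
    # What items 11 and 17 do: remove the blocking values (no reboot needed).
    foreach ($hive in 'HKCU:', 'HKLM:') {
        $pol = "$hive\Software\Microsoft\Windows\CurrentVersion\Policies\System"
        if (Test-Path $pol) {
            Remove-ItemProperty -Path $pol -Name DisableTaskMgr, DisableRegistryTools -ErrorAction SilentlyContinue
        }
    }
}

$report = @(Test-ExeAssociation; Test-ExplorerShell; Get-ProcessDebuggers; Test-UserPolicies)
$report | Format-Table Check, OK, Value -AutoSize
if ($report | Where-Object { $_.Check -like 'Disable*' -and -not $_.OK }) { Repair-UserPolicies }
```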

Problems with the Internet (VKontakte, Odnoklassniki and antivirus sites do not open)

This component can check four categories of problems with varying degrees of severity (each degree differs in the number of settings):

System problems - This includes security settings. By ticking the found items and pressing the button Fix flagged issues, some virus loopholes will be closed. There is also a flip side to the coin - while increasing safety, comfort decreases. For example, if you disable autorun from removable media and CD-ROMs, when you insert flash drives and disks, a window with a choice of actions (view the contents, launch the player, etc.) will not appear - you will have to open the Computer window and start viewing the contents of the disk manually. That is, viruses will not start automatically, and a convenient prompt will not appear. Depending on Windows settings, everyone will see their own list of system vulnerabilities here.

Browser settings and tweaks- Internet Explorer security settings are checked. As far as I know, the settings of other browsers (Google Chrome, Opera, Mozilla Firefox and others) are not checked. Even if you do not use Internet Explorer to surf the Internet, I advise you to run a scan - components of this browser are often used in various programs and are a potential “security hole” that should be closed.

Cleaning the system - partially duplicates the previous category, but does not affect the places where data about user actions is stored.

I recommend checking your system in categories System problems And Browser settings and tweaks by selecting the degree of danger Moderate problems. If the viruses did not touch the settings, then most likely you will be offered only one option - “autostart is allowed from removable media” (flash drives). If you check the box and thus prohibit the autorun of programs from flash drives, then you will at least partially protect your computer from viruses distributed on flash drives. More complete protection is achieved only with and working.

Cleaning the system from unnecessary files

The AVZ program can also clean your computer of unnecessary files. If you don't have a disk-cleaning program installed, AVZ will do, since it offers many options:

More details about the points:

  1. Clear system cache Prefetch - clears the folder with information about which files to load in advance for quick program launch. The option is useless, because Windows itself monitors the Prefetch folder quite successfully and cleans it when required.
  2. Delete Windows Log Files - clears various databases and files that store records about events occurring in the operating system. The option is useful if you need to free up a dozen or two megabytes of space on your hard drive. That is, the benefit from using it is negligible; the option is useless.
  3. Delete memory dump files - when a critical error occurs, Windows stops and displays a BSOD (blue screen of death), at the same time saving information about running programs and drivers to a file for later analysis by special programs to identify the culprit of the failure. The option is almost useless, since it frees only about ten megabytes. Clearing memory dump files does not harm the system.
  4. Clear list of Recent documents - oddly enough, the option clears the Recent Documents list. This list is located in the Start menu. You can also clear the list manually by right-clicking on this item in the Start menu and selecting “Clear list of recent items”. The option is useful: I noticed that clearing the list of recent documents lets the Start menu display its submenus a little faster. It won't harm the system.
  5. Clearing the TEMP folder - the Holy Grail for those looking for the reason free space on drive C: keeps disappearing. The fact is that many programs store files in the TEMP folder for temporary use and forget to “clean up after themselves” later. A typical example is archivers: they unpack files there and forget to delete them. Clearing the TEMP folder does not harm the system and can free up a lot of space (in particularly advanced cases the gain reaches fifty gigabytes!).
  6. Adobe Flash Player - clearing temporary files - Flash Player can save files for temporary use. They can be removed. Sometimes (rarely) this option helps with Flash Player glitches, for example problems playing video and audio on the VKontakte website. There is no harm in using it.
  7. Clearing the terminal client cache - as far as I know, this option clears temporary files of the Windows component called “Remote Desktop Connection” (remote access to computers via RDP). The option seems to do no harm and frees up a dozen megabytes at best. There is no point in using it.
  8. IIS - Deleting HTTP Error Log - it takes a long time to explain what this is. Let me just say that it is better not to enable the IIS log clearing option. In any case it does no harm, and no good either.
  9. Macromedia Flash Player - duplicates “Adobe Flash Player - clearing temporary files”, but applies to rather ancient versions of Flash Player.
  10. Java - clearing cache - gains you a couple of megabytes on your hard drive. I don't use Java programs, so I haven't checked the consequences of enabling the option. I don't recommend turning it on.
  11. Emptying the Trash - the purpose of this item is perfectly clear from its name.
  12. Remove system update installation logs - Windows keeps a log of installed updates. Enabling this option clears the log. The option is useless because there is no gain in free space.
  13. Remove Windows Update Protocol - similar to the previous item, but other files are deleted. Also a useless option.
  14. Clear MountPoints database - if, when you connect a flash drive or hard drive, no icons for them appear in the Computer window, this option can help. I advise enabling it only if you have problems connecting flash drives and disks.
  15. Internet Explorer - clearing cache - cleans Internet Explorer temporary files. The option is safe and useful.
  16. Microsoft Office - clearing cache - cleans temporary files of Microsoft Office programs (Word, Excel, PowerPoint and others). I can't check whether the option is safe because I don't have Microsoft Office.
  17. Clearing the CD burning system cache - a useful option that deletes files you have prepared for burning to disc.
  18. Cleaning the system TEMP folder - unlike the user TEMP folder (see item 5), cleaning this folder is not always safe, and it usually frees up little space. I don't recommend turning it on.
  19. MSI - cleaning the Config.Msi folder - this folder stores various files created by program installers. The folder gets large if installers did not complete their work correctly, so cleaning Config.Msi is justified. However, I warn you: there may be problems uninstalling programs that use .msi installers (for example, Microsoft Office).
  20. Clear task scheduler logs - Windows Task Scheduler keeps a log where it records information about completed tasks. I don't recommend enabling this item, because there is no benefit and it will add problems - Windows Task Scheduler is a rather buggy component.
  21. Remove Windows Setup Logs - the space gained is insignificant; there is no point in deleting them.
  22. Windows - clearing icon cache - useful if you have problems with shortcuts, for example when the Desktop appears but icons do not appear immediately. Enabling this option will not affect system stability.
  23. Google Chrome - clearing cache - a very useful option. Google Chrome stores copies of pages in a designated folder so that sites open faster (pages are loaded from your hard drive instead of being downloaded over the Internet). Sometimes the size of this folder reaches half a gigabyte. Cleaning is useful because it frees up space on your hard drive; it does not affect the stability of either Windows or Google Chrome.
  24. Mozilla Firefox - cleaning up the CrashReports folder - every time Firefox has a problem and crashes, report files are created. This option deletes them. The gain in free space reaches a couple of tens of megabytes, so the option is of little use, but it is there. It does not affect the stability of Windows or Mozilla Firefox.

Depending on the installed programs, the number of items will differ. For example, if the Opera browser is installed, you can clear its cache too.

Cleaning the list of startup programs

A surefire way to speed up your computer's startup and speed is to clean the startup list. If unnecessary programs do not start, then the computer will not only turn on faster, but also work faster - due to the freed up resources that will not be taken up by programs running in the background.

AVZ can view almost all loopholes in Windows through which programs are launched. You can view the autorun list in the Tools - Autorun Manager menu:

The average user has absolutely no need for such powerful functionality, so I urge you not to turn everything off. It is enough to look at only two sections - Autorun folders and Run*.

AVZ displays autorun not only for your user, but also for all other profiles:

In the Run* section it is better not to disable programs located under HKEY_USERS - this may disrupt the operation of other user profiles and of the operating system itself. In the Autorun folders section you can turn off everything you don't need.

The lines identified by the antivirus as known are marked in green. This includes both system Windows programs, and third-party programs that have a digital signature.

All other programs are marked in black. This does not mean that such programs are viruses or anything like that, just that not all programs are digitally signed.

Don't forget to make the first column wider so that the program name is visible. Simply unchecking the checkbox will temporarily disable the program's autorun (you can then check the box again), highlighting the item and pressing the button with a black cross will delete the entry forever (or until the program registers itself in autorun again).

The question arises: how to determine what can be turned off and what cannot? There are two solutions:

Firstly, there is common sense: you can make a decision based on the name of the .exe file of the program. For example, Skype, when installed, creates an entry to automatically start when you turn on the computer. If you don’t need this, uncheck the box ending with skype.exe. By the way, many programs (including Skype) can remove themselves from startup; just uncheck the corresponding item in the settings of the program itself.

Secondly, you can search the Internet for information about the program. Based on the information received, it remains to make a decision: to remove it from autorun or not. AVZ makes it easy to find information about items: just right-click on the item and select your favorite search engine:

By disabling unnecessary programs, you will significantly speed up your computer's startup. However, it is not advisable to disable everything - you risk losing the keyboard layout indicator, disabling the antivirus, etc.

Disable only those programs that you know for sure you don't need at startup.
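As an added example (not AVZ's own code), this PowerShell script does what the Autorun Manager walkthrough above describes: it lists Run* entries for the machine and for every loaded profile under HKEY_USERS, marks each one "signed" or "unsigned" the way AVZ's green/black colouring does, and disables an entry by moving it to a backup key rather than deleting it. It assumes an elevated PowerShell 3.0+ session so that the HKEY_USERS hives are readable.

```powershell
# Added example (not AVZ code): enumerate Run/RunOnce entries for HKLM and
# every profile loaded under HKEY_USERS (which includes the current user),
# classify each target by Authenticode signature, and disable entries reversibly.
# Assumptions: elevated PowerShell 3.0+.

$RunSubKeys = 'Software\Microsoft\Windows\CurrentVersion\Run',
              'Software\Microsoft\Windows\CurrentVersion\RunOnce'

function Get-ExeFromCommand {
    param([string]$Command)
    # "C:\Program Files\App\app.exe" /arg  ->  C:\Program Files\App\app.exe
    $exe = if ($Command -match '^"([^"]+)"') { $Matches[1] }
           else { ($Command -split '\s+')[0] }
    [Environment]::ExpandEnvironmentVariables($exe)
}

function Get-RunEntries {
    $roots = @('HKLM:') + (Get-ChildItem Registry::HKEY_USERS |
              Where-Object { $_.PSChildName -notlike '*_Classes' } |
              ForEach-Object { "Registry::HKEY_USERS\$($_.PSChildName)" })
    foreach ($root in $roots) {
        foreach ($sub in $RunSubKeys) {
            $key = "$root\$sub"
            if (-not (Test-Path $key)) { continue }
            $props = Get-ItemProperty $key
            foreach ($name in $props.PSObject.Properties.Name) {
                if ($name -like 'PS*') { continue }          # provider metadata, not a value
                $exe = Get-ExeFromCommand $props.$name
                $state = if (-not $exe) { 'empty command' }
                         elseif (-not (Test-Path -LiteralPath $exe)) { 'file missing' }
                         elseif ((Get-AuthenticodeSignature -FilePath $exe).Status -eq 'Valid') { 'signed' }
                         else { 'unsigned' }
                [pscustomobject]@{ Key = $key; Name = $name; Exe = $exe; State = $state }
            }
        }
    }
}

function Disable-RunEntry {
    # Equivalent of unticking the box in AVZ: the value is moved to a
    # sibling "...\Run-Disabled" key so it can be put back later.
    param([string]$Key, [string]$Name)
    $backup = "$Key-Disabled"
    if (-not (Test-Path $backup)) { New-Item $backup -Force | Out-Null }
    $value = (Get-ItemProperty $Key).$Name
    Set-ItemProperty -Path $backup -Name $Name -Value $value
    Remove-ItemProperty -Path $Key -Name $Name
}

Get-RunEntries | Sort-Object State | Format-Table State, Name, Exe, Key -AutoSize
# Example: Disable-RunEntry -Key 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run' -Name 'Skype'
```

Entries shown as "unsigned" are not necessarily malicious, exactly as the article says of AVZ's black entries; look the file up before disabling it.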

Bottom line

In principle, what I wrote about in the article is akin to hammering nails with a microscope - the AVZ program is suitable for optimizing Windows, but in general it is a complex and powerful tool suitable for performing a wide variety of tasks. However, to use AVZ to its fullest, you need to know Windows thoroughly, so you can start small - namely, what I described above.

If you have any questions or comments, there is a comment section under the articles where you can write to me. I am monitoring the comments and will try to respond to you as quickly as possible.

Modern antiviruses have acquired so much additional functionality that some users have questions while using them. In this lesson we will cover all the key features of the AVZ antivirus.

Let's look at what AVZ is in as much detail as possible using practical examples. The following functions deserve the main attention of the average user.

Checking the system for viruses

Any antivirus should be able to detect malware on your computer and deal with it (treat or remove it). It is natural that this function is also present in AVZ. Let's see in practice what such a check is like.

  1. Let's launch AVZ.
  2. A small utility window will appear on the screen. In the area marked in the screenshot below, you will find three tabs. They all relate to the process of searching for vulnerabilities on a computer and contain different options.
  3. On the first tab, "Search area", tick the folders and hard drive partitions you want to scan. A little lower you will see three lines that enable additional options. Tick all of them. This enables a special heuristic analysis and additionally scans running processes, identifying even potentially dangerous software.
  4. After that, go to the tab "File Types". Here you can choose what data the utility should scan.
  5. If you are doing a regular check, then just check the box "Potentially dangerous files". If viruses have taken deep roots, then you should choose "All files".
  6. In addition to regular documents, AVZ also easily scans archives, something that many other antiviruses cannot boast of. In this tab you can enable or disable this check. We recommend unchecking the checkbox for scanning large archives if you want to achieve maximum results.
  7. In total, your second tab should look like this.
  8. Next we go to the last section "Search Options".
  9. At the very top you will see a vertical slider. Move it all the way up. This makes the utility respond to all suspicious objects. In addition, enable checking for API and RootKit interceptors, searching for keyloggers, and checking SPI/LSP settings. The general appearance of your last tab should be something like this.
  10. Now you need to configure the actions that AVZ will take when a particular threat is detected. To do this, first check the box next to the line "Carry out treatment" in the right area of the window.
  11. Next to each type of threat, we recommend setting the parameter "Delete". The only exceptions are threats like "HackTool". Here we recommend leaving the parameter "Treat". In addition, check the two lines below the list of threats.
  12. The second parameter will allow the utility to copy the unsafe document to a specially designated location. You can then view all the contents, and then safely delete them. This is done so that you can exclude from the list of infected data those that are not actually infected (activators, key generators, password generators, and so on).
  13. When all the settings and search parameters have been set, you can begin the scanning itself. To do this, click the corresponding button "Start".
  14. The scan will begin. Its progress will be displayed in a special area, "Protocol".
  15. After some time, which depends on the amount of data being scanned, the scanning will be completed. A message indicating the completion of the operation will appear in the log. The total time spent on analyzing files will also be indicated, as well as statistics on scanning and identified threats.
  16. By clicking on the button marked in the image below, you will be able to see in a separate window all the suspicious and dangerous objects that were identified by AVZ during the scan.
  17. The path to the dangerous file, its description and type will be indicated here. If you check the box next to the name of such software, you can move it to quarantine or completely remove it from your computer. When the operation is complete, press the button "OK" at the bottom.
  18. After cleaning your computer, you can close the program window.

System functions

In addition to standard malware scanning, AVZ can perform many other functions. Let's look at those that may be useful to the average user. In the main menu of the program, at the very top, click on "File". A context menu will appear containing all the available helper functions.

The first three lines are responsible for starting, stopping and pausing the scan. These are analogues of the corresponding buttons in the AVZ main menu.

System Research

This function lets the utility collect all information about your system - the software side rather than the hardware: a list of processes, various modules, system files and protocols. After you click on the "System Research" line, a separate window will appear. Here you can specify what information AVZ should collect. After checking all the necessary boxes, click the "Start" button at the bottom.


After this, a save window will open. In it you can select the location of the document with detailed information, as well as indicate the name of the file itself. Please note that all information will be saved as HTML file. It opens in any web browser. Having specified the path and name for the saved file, you need to click the button "Save".


As a result, the process of scanning the system and collecting information will start. At the very end, the utility will display a window in which you will be asked to immediately view all the collected information.

System Restore

Using this set of functions, you can return operating system elements to their original state and reset various settings. Most often, malware tries to block access to the Registry Editor and Task Manager and write its own entries into the Hosts system file. You can unlock such elements using the "System Restore" option. To do this, just click on the name of the option, and then check the boxes for the actions that need to be performed.


After this you need to press the “Perform marked operations” button in the lower area of the window.

A window will appear on the screen in which you must confirm the action.


After some time, you will see a message indicating that all tasks have completed. Just close this window by clicking the button "OK".

Scripts

In the list of parameters there are two lines related to working with scripts in AVZ - "Standard scripts" and "Run script".

Clicking on a line "Standard scripts", you will open a window with a list of ready-made scripts. All you need to do is tick the boxes that you want to run. After this, click the button at the bottom of the window "Run".


In the second case, you will launch the script editor. Here you can write it yourself or download it from your computer. Don't forget to click the button after writing or uploading "Run" in the same window.

Database update

This item is the most important of the entire list. By clicking on the corresponding line, you will open the AVZ database update window.

We do not recommend changing settings in this window. Leave everything as it is and press the button "Start".


After some time, a message will appear on the screen indicating that the database update is complete. All you have to do is close this window.

Viewing the contents of the Quarantine and Infected folders

By clicking on these lines in the list of options, you can view all potentially dangerous files that AVZ detected while scanning your system.

In the windows that open, you can permanently delete such files or restore them if they actually do not pose a threat.


Please note that in order for suspicious files to be placed in these folders, you must check the appropriate boxes in the system scanning settings.

This is the last option from this list that the average user may need. As the name suggests, these parameters allow you to save the preliminary antivirus configuration (search method, scanning mode, etc.) to your computer, and also load it back.

When saving, you will only need to specify the file name, as well as the folder in which you want to save it. When loading a configuration, simply select the desired file with settings and click the button "Open".

Exit

It would seem an obvious and well-known button. But it is worth mentioning that in some situations - when particularly dangerous software is detected - AVZ blocks all ways of closing itself except this button. In other words, you will not be able to close the program with the "Alt+F4" shortcut or by clicking the usual cross in the corner. This is done so that viruses cannot interfere with AVZ's correct operation. But this button will close the antivirus if necessary.

In addition to the options described, there are also others in the list, but they most likely will not be needed by ordinary users. Therefore, we did not focus on them. If you still need help regarding the use of functions that are not described, write about it in the comments. And we move on.

List of services

In order to see the full list of services offered by AVZ, you need to click on the line "Service" at the very top of the program.

As in the last section, we will go over only those that may be useful to the average user.

Process Manager

By clicking on the very first line from the list, you will open a window "Process Manager". In it you can see a list of all executable files that are running on a computer or laptop at a given time. In the same window you can read a description of the process, find out its manufacturer and the full path to the executable file itself.


You can also terminate a particular process. To do this, select the required process in the list, then click the button in the form of a black cross on the right side of the window.


This service is an excellent replacement for the standard Task Manager. It is particularly valuable in situations where "Task Manager" has been blocked by a virus.

Services and Driver Manager

This is the second service in the general list. By clicking on the line with the same name, you will open the window for managing services and drivers. You can switch between them using a special switch.

In the same window, each item is accompanied by a description of the service itself, status (enabled or disabled), as well as the location of the executable file.


You can select the required item, after which you will have the options of enabling, disabling or completely removing the service/driver. These buttons are located at the top of the work area.

Startup manager

This service will allow you to fully customize autorun settings. Moreover, unlike standard managers, this list also includes system modules. By clicking on the line with the same name, you will see the following.


In order to disable the selected element, you only need to uncheck the box next to its name. In addition, it is possible to completely delete the required entry. To do this, simply select the desired line and click on the button at the top of the window in the form of a black cross.

Please note that a deleted value cannot be returned. Therefore, be extremely careful not to erase vital system startup records.

Hosts File Manager

We mentioned a little above that malware sometimes writes its own values into the system file "Hosts". In some cases the malware also blocks access to the file so that you cannot correct the changes made. This service will help you in such situations.

By clicking on the line shown in the image above in the list, you will open the manager window. You cannot add your own values here, but you can delete existing ones. To do this, select the desired line with the left mouse button, and then press the delete button, which is located in the upper part of the work area.


After this, a small window will appear in which you need to confirm the action. To do this, just press the button "Yes".


When the selected line is deleted, you just need to close this window.

Be careful not to delete lines whose purpose you don't know. Not only viruses but also other legitimate programs can write their values to the "Hosts" file.
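To tell a hijacked entry from a legitimate one before deleting anything, it helps to classify what the file actually maps. The following is an added example, not part of the article or of AVZ: a small Python checker run over a constructed hosts file that flags names sinkholed to loopback/0.0.0.0 when they belong to an assumed watch list of vendor/update domains, and flags any name redirected to an address outside the local ranges (the classic substitution of a popular site with a fake one). The watch list and sample entries are assumptions for illustration.

```python
import ipaddress

# Constructed sample of a Windows hosts file; the last four entries mimic what
# hijacking malware typically writes (redirect address is a TEST-NET range).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
192.168.1.10    printer.lan          # legitimate LAN entry
127.0.0.1       www.kaspersky.com    # vendor site sinkholed so updates fail
0.0.0.0         update.microsoft.com
203.0.113.5     www.yandex.ru        # popular site redirected to a fake host
203.0.113.5     yandex.ru
"""

# Assumed watch list: domains whose sinkholing is a strong hijack indicator.
WATCH_DOMAINS = ("kaspersky.com", "microsoft.com")

# Ranges where a hosts redirect is normally legitimate (loopback, LAN, link-local).
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "::1/128", "fe80::/10", "fc00::/7")]


def parse_hosts(text):
    """Return (ip, hostname) pairs; comments and blank lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *hosts = line.split()
        entries.extend((ip, h.lower()) for h in hosts)
    return entries


def is_watched(host):
    return any(host == d or host.endswith("." + d) for d in WATCH_DOMAINS)


def suspicious_entries(text):
    """Flag sinkholed watch-list names and redirects of any name to a non-local address."""
    findings = []
    for ip, host in parse_hosts(text):
        addr = ipaddress.ip_address(ip)
        if host == "localhost":
            continue
        if addr.is_loopback or addr.is_unspecified:
            if is_watched(host):
                findings.append((ip, host, "sinkholed"))
        elif is_watched(host) or not any(addr in net for net in LOCAL_NETS):
            findings.append((ip, host, "redirected"))
    return findings
```

Running suspicious_entries on the sample leaves the printer entry alone and reports the two sinkholed vendor names plus both yandex.ru redirects, which is exactly the set worth removing in the manager.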

System utilities

With AVZ you can also launch the most popular system utilities. You can see their list if you hover your mouse over the line with the corresponding name.


By clicking on the name of a particular utility, you will launch it. After this, you can make changes to the registry (regedit), configure the system (msconfig) or check system files (sfc).

These are all the services we wanted to mention. Beginner users are unlikely to need a protocol manager, extensions, or other additional services. Such functions are more suitable for more advanced users.

AVZGuard

This function was developed to combat the most cunning viruses, which cannot be removed by standard methods. It simply adds malware to a list of untrusted software that is prohibited from performing its operations. To enable this function you need to click on the "AVZGuard" line at the top of the AVZ window. In the drop-down menu, click on the item "Enable AVZGuard".

Be sure to close all third-party applications before enabling this feature, otherwise they will also be included in the list of untrusted software, and their operation may be disrupted afterwards.

All programs that are marked as trusted will be protected from deletion or modification, and the work of untrusted software will be suspended. This will allow you to safely remove dangerous files using a standard scan. After this, you should disable AVZGuard again. To do this, click on the same line at the top of the program window, and then click on the item that disables the function.

AVZPM

The technology indicated in the name will monitor all started, stopped and modified processes/drivers. To use it, you must first enable the corresponding service.

Click on the AVZPM line at the top of the window.
In the drop-down menu, click on the line “Install the advanced process monitoring driver”.


Within a few seconds, the necessary modules will be installed. Now, when changes are detected in any processes, you will receive a corresponding notification. If you no longer need such monitoring, you will need to simply click on the line marked in the image below in the previous drop-down window. This will unload all AVZ processes and remove previously installed drivers.

Please note that the AVZGuard and AVZPM buttons may be grayed out and inactive. This means that you are running a 64-bit (x64) operating system. Unfortunately, the mentioned components do not work on an OS of this bitness.

This brings this article to its logical conclusion. We tried to tell you how to use the most popular features in AVZ. If you still have questions after reading this lesson, you can ask them in the comments to this post. We will be happy to pay attention to each question and try to give the most detailed answer.