Simple, easy and convenient restoration of a system's functionality, even without the qualifications and skills for it, is possible thanks to the AVZ anti-virus utility. Its so-called "firmware" (the AVZ utility's own term for its built-in repair scripts) reduces the whole process to a minimum.


Help is available for most of the common problems that users run into. All firmware is called from the menu "File -> System Restore".

  1. Restoring startup parameters of .exe, .com, .pif files
    Restores the system's standard handling of files with the extensions exe, com, pif and scr.
    Recommendations for use: after a virus has been removed, programs and scripts no longer run.
  2. Resetting Internet Explorer protocol prefix settings to standard
    Restores the default protocol prefix settings in Internet Explorer.
    Recommendations for use: when you enter a web address, for example www.yandex.ua, it is replaced with an address like www.seque.com/abcd.php?url=www.yandex.ua
  3. Restoring the Internet Explorer home page
    Simply returns the start page in Internet Explorer.
    Recommendations for use: the start page has been changed.
  4. Resetting Internet Explorer search settings to default
    Restores the search settings in Internet Explorer.
    Recommendations for use: the "Search" button leads to dubious third-party sites.
  5. Restoring desktop settings
    Removes all active ActiveDesktop items and wallpaper, and unlocks the desktop settings menu.
    Recommendations for use: third-party inscriptions and/or pictures are displayed on the desktop.
  6. Removing all Policies (restrictions) of the current user
    Removes restrictions on user actions imposed through changed Policies.
    Recommendations for use: Explorer or other system functionality is blocked.
  7. Removing the message displayed during WinLogon
    Restores the standard message shown when the system starts.
    Recommendations for use: a third-party message appears during system boot.
  8. Restoring Explorer settings
    Returns all Explorer settings to their standard form.
    Recommendations for use: inappropriate Explorer settings.
  9. Removing system process debuggers
    System process debuggers are launched covertly, which is very convenient for viruses.
    Recommendations for use: for example, the desktop disappears after booting.
  10. Restoring safe mode (SafeMode) boot settings
    Repairs the damage done by worms such as Bagle.
    Recommendations for use: problems booting into safe mode (SafeMode); otherwise it is not recommended.
  11. Unlocking Task Manager
    Removes the block on launching the task manager.
    Recommendations for use: instead of the task manager you see the message "Task Manager is blocked by the administrator".
  12. Clearing the HijackThis utility ignore list
    HijackThis saves its settings in the system registry, including its exclusion list. Viruses that want to hide from HijackThis register themselves in this exclusion list.
    Recommendations for use: you suspect that HijackThis does not display all information about the system.
  13. Cleaning the Hosts file
    All uncommented lines are removed and the only meaningful line, "127.0.0.1 localhost", is added.
    Recommendations for use: the Hosts file has been changed. You can check the Hosts file with the Hosts file manager built into AVZ.
  14. Automatic correction of SPI/LSP settings
    The SPI settings are analyzed and any errors found are corrected automatically. The firmware can safely be re-run many times. A computer restart is required after execution. Attention!!! The firmware cannot be used from a terminal session.
    Recommendations for use: after a virus has been removed, Internet access was lost.
  15. Resetting SPI/LSP and TCP/IP settings (XP+)
    The firmware runs only on XP, Windows 2003 and Vista. It uses the standard Windows "netsh" utility. Described in detail in the Microsoft knowledge base: http://support.microsoft.com/kb/299357
    Recommendations for use: after a virus has been removed, Internet access was lost and firmware No. 14 did not help.
  16. Restoring the Explorer launch key
    Restores the system registry keys responsible for launching Explorer.
    Recommendations for use: after the system boots, explorer.exe can only be launched manually.
  17. Unlocking Registry Editor
    Unblocks the Registry Editor by removing the policy that prevents it from running.
    Recommendations for use: when you try to launch Registry Editor, you receive a message saying that the administrator has blocked it from running.
  18. Complete re-creation of SPI settings
    Backs up all SPI/LSP settings, then re-creates them from the standard configuration stored in the database.
    Recommendations for use: firmware No. 14 and No. 15 did not help to restore the SPI settings. Dangerous, use at your own risk!
  19. Clearing the MountPoints database
    The MountPoints and MountPoints2 database in the system registry is cleared.
    Recommendations for use: for example, drives cannot be opened in Explorer.
  20. Replacing the DNS of all connections with Google Public DNS
    Changes the DNS server addresses of all connections to 8.8.8.8.

Some useful tips:

  • Most Hijacker problems can be treated with three firmware: No. 4 "Resetting Internet Explorer search settings to standard", No. 3 "Restoring the Internet Explorer start page" and No. 2 "Resetting Internet Explorer protocol prefix settings to standard".
  • All firmware except #5 and #10 can be safely executed multiple times.
  • And of course it is useless to fix anything without first removing the virus.

Antivirus programs, even when they detect and remove malware, do not always restore the full functionality of the system. Often, after a virus has been removed, the user is left with an empty desktop, no Internet access at all (or access to some sites blocked), a non-working mouse, and so on. This usually happens because some system or user settings changed by the malicious program are left untouched.

The utility is free, works without installation, is surprisingly capable and has helped me out in a variety of situations. A virus, as a rule, makes changes to the system registry (adding itself to startup, modifying program launch parameters, etc.). Rather than digging through the system and correcting the traces of the virus by hand, it is worth using the "System Restore" operation available in AVZ (the utility is also a very, very good antivirus, and it is well worth scanning the disks for viruses with it).

To start the recovery, run the utility, then click File - System Restore,

and a window like this will open:

check the boxes we need and click "Perform selected operations".

1. Restoring startup parameters of .exe, .com, .pif files
This firmware restores the system's response to exe, com, pif and scr files.
Indications for use: after the virus is removed, programs no longer run.
2. Resetting Internet Explorer protocol prefix settings to standard
This firmware restores the protocol prefix settings in Internet Explorer.
Indications for use: when you enter an address such as www.yandex.ru, it is replaced with something like www.seque.com/abcd.php?url=www.yandex.ru
3. Restoring the Internet Explorer start page
This firmware restores the start page in Internet Explorer.
Indications for use: the start page has been replaced.
4. Resetting Internet Explorer search settings to standard
This firmware restores the search settings in Internet Explorer.
Indications for use: when you click the "Search" button in IE, you are taken to some third-party site.
5. Restoring desktop settings
This firmware restores the desktop settings. Restoration involves deleting all active ActiveDesktop elements and wallpaper, and unblocking the menu responsible for desktop settings.
Indications for use: the desktop settings tabs in the "Display Properties" window have disappeared; extraneous inscriptions or pictures are displayed on the desktop.
6. Removing all Policies (restrictions) of the current user
Windows provides a mechanism for restricting user actions called Policies. Much malware uses this mechanism because the settings are stored in the registry and are easy to create or modify.
Indications for use: Explorer functions or other system functions are blocked.
7. Removing the message displayed during WinLogon
Windows NT and later systems of the NT line (2000, XP) allow a message to be set that is displayed during startup. A number of malicious programs take advantage of this, and removing the malicious program does not remove the message.
Indications for use: an extraneous message is displayed during system boot.
8. Restoring Explorer settings
This firmware resets a number of Explorer settings to standard (the settings changed by malware are reset first).
Indications for use: Explorer settings have been changed.
9. Removing system process debuggers
Registering a debugger for a system process allows an application to be launched covertly; a number of malware use this.
Indications for use: AVZ detects unidentified system process debuggers, problems arise with launching system components, in particular the desktop disappears after a reboot.
10. Restoring safe mode boot settings
Some malware, in particular the Bagle worm, corrupts the system's safe mode boot settings. This firmware restores the safe mode boot settings.
Indications for use:
11. Unlocking Task Manager
Malware blocks Task Manager to protect its processes from detection and removal. Executing this firmware removes the block.
Indications for use: Task Manager is blocked; when you try to open it, the message "Task Manager is blocked by the administrator" is displayed.

12. Clearing the HijackThis utility ignore list
The HijackThis utility stores a number of its settings in the registry, in particular a list of exceptions. Therefore, to hide from HijackThis, a malicious program only needs to register its executable files in the exclusion list. A number of malicious programs are currently known to exploit this weakness. The AVZ firmware clears the HijackThis exception list.

Indications for use: there are suspicions that the HijackThis utility does not display all information about the system.
13. Cleaning the Hosts file
Cleaning the Hosts file involves finding the file, removing all meaningful (uncommented) lines from it and adding the standard "127.0.0.1 localhost" line.
Indications for use: the Hosts file is suspected of having been modified by malware. A typical symptom is that antivirus programs can no longer update. You can inspect the contents of the Hosts file with the Hosts file manager built into AVZ.
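The Hosts-file cleanup described in item 13 (here and in the list at the top of the page) can be checked and reproduced outside AVZ. The following Python script is an added example written for this page, not AVZ's own code: it lists every active mapping in a hosts file, flags the ones that blackhole or redirect a name (the symptom behind blocked antivirus updates), and produces a cleaned copy in which, as the firmware does, only the standard "127.0.0.1 localhost" line remains among the uncommented lines. The sample hosts file and the host names in it are constructed for the example.

```python
"""Check and clean a Windows hosts file. Added example; not AVZ's own code."""
import ipaddress

# Constructed sample modelled on the symptom the text describes: an antivirus
# update server blackholed and another name redirected. Not from a real infection.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
::1             localhost
127.0.0.1       update.example-av.test
198.51.100.7    www.example-bank.test   # constructed: sends the name elsewhere
"""


def parse_hosts(text):
    """Yield (ip, hostname, line_no) for every name on every active line;
    comments (after '#') and blank lines are ignored."""
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) < 2:
            continue
        for name in parts[1:]:
            yield parts[0], name, n


def suspicious_entries(text):
    """Everything except localhost -> loopback is reported: a loopback address
    for any other name blackholes it (antivirus updates stop working), and a
    non-loopback address silently redirects it."""
    flagged = []
    for ip, name, n in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            flagged.append((n, ip, name, "unparseable address"))
            continue
        if name.lower() == "localhost" and addr.is_loopback:
            continue
        reason = "blackholed (points to loopback)" if addr.is_loopback else "redirected to " + ip
        flagged.append((n, ip, name, reason))
    return flagged


def cleaned_hosts(text):
    """What the firmware does: drop every uncommented line, keep the comment
    header, and add the single standard mapping."""
    comments = [line for line in text.splitlines() if line.lstrip().startswith("#")]
    return "\n".join(comments + ["127.0.0.1 localhost"]) + "\n"


if __name__ == "__main__":
    for n, ip, name, reason in suspicious_entries(SAMPLE_HOSTS):
        print(f"line {n}: {ip} {name}: {reason}")
    print(cleaned_hosts(SAMPLE_HOSTS))
```

On a real machine read the file from %SystemRoot%\System32\drivers\etc\hosts (it needs administrator rights to write back); review the flagged lines first, since a corporate hosts file may legitimately contain non-localhost entries that the wholesale cleanup would also delete.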

14. Automatic correction of SPI/LSP settings
Analyzes the SPI settings and, if errors are detected, corrects them automatically. This firmware can be re-run an unlimited number of times. After running it, restarting the computer is recommended.

Indications for use: after removing the malicious program, Internet access was lost.

15. Resetting SPI/LSP and TCP/IP settings (XP+)
This firmware only works on XP, Windows 2003 and Vista. It resets and re-creates the SPI/LSP and TCP/IP settings using the standard netsh utility included in Windows. Note! Use this reset only when necessary, that is, when you have Internet access problems after removing malware that nothing else fixes.

Indications for use: after removing the malicious program there is no Internet access, and running firmware "14. Automatic correction of SPI/LSP settings" did not help.
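Items 14 and 15 repair the Winsock service provider (SPI/LSP) chain; Internet access typically disappears when a malicious LSP's DLL has been deleted but its catalog entry remains. Before running a full reset it is worth seeing what is in the catalog. The script below is an added example for this page, not AVZ's code: it parses the text printed by `netsh winsock show catalog` (the field layout used in the constructed sample is an assumption based on that command's output) and flags providers whose DLL lives outside the Windows system directory.

```python
"""List Winsock catalog (SPI/LSP) providers and flag the foreign ones.
Added example for this page; not AVZ's code."""
import re

# Constructed sample in the layout of `netsh winsock show catalog` (layout assumed):
# two stock Microsoft providers and one third-party LSP from a user-writable directory.
SAMPLE_CATALOG = r"""
Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Base Service Provider
Description:                        MSAFD Tcpip [TCP/IP]
Provider ID:                        {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Provider Path:                      %SystemRoot%\system32\mswsock.dll
Catalog Entry ID:                   1001
Version:                            2
Protocol Chain Length:              1

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Layered Service Provider
Description:                        Example LSP over [TCP/IP]
Provider ID:                        {00000000-0000-0000-0000-00000000C0DE}
Provider Path:                      C:\Users\Public\netfilter.dll
Catalog Entry ID:                   1032
Version:                            2
Protocol Chain Length:              0

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Base Service Provider
Description:                        MSAFD Tcpip [UDP/IP]
Provider ID:                        {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Provider Path:                      %SystemRoot%\system32\mswsock.dll
Catalog Entry ID:                   1002
Version:                            2
Protocol Chain Length:              1
"""

FIELD_RE = re.compile(r"^([A-Za-z][A-Za-z ]*?):\s+(\S.*)$")
# Where Microsoft's own providers live; anything outside deserves a look.
SYSTEM_DIRS = ("%systemroot%\\system32\\", "c:\\windows\\system32\\")


def parse_catalog(text):
    """Split the dump into one dict per 'Winsock Catalog Provider Entry' block."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Winsock Catalog Provider Entry":
            current = {}
            entries.append(current)
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            current[m.group(1)] = m.group(2)
    return entries


def foreign_providers(entries):
    """(catalog id, entry type, dll path) for providers outside the system directory."""
    out = []
    for e in entries:
        path = e.get("Provider Path", "")
        if not path.lower().startswith(SYSTEM_DIRS):
            out.append((e.get("Catalog Entry ID"), e.get("Entry Type"), path))
    return out


def provider_summary(entries):
    """Compact one-line-per-entry listing for a report."""
    return [f"{e.get('Catalog Entry ID')}: {e.get('Description')} -> {e.get('Provider Path')}"
            for e in entries]


if __name__ == "__main__":
    entries = parse_catalog(SAMPLE_CATALOG)
    print("\n".join(provider_summary(entries)))
    for cid, kind, path in foreign_providers(entries):
        print(f"review: entry {cid} ({kind}) loads {path}")
```

Save the live output with `netsh winsock show catalog > catalog.txt` and feed the file to parse_catalog. If a flagged provider belongs to software that has already been removed, `netsh winsock reset` followed by a reboot rebuilds the catalog, which is the netsh-based reset the firmware relies on; a flagged entry whose software is still installed (a firewall or a proxy client) is a reason to uninstall that software cleanly rather than reset blindly.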
16. Restoring the Explorer launch key
Restores the system registry keys responsible for launching Explorer.
Indications for use: during system boot Explorer does not start, but explorer.exe can be launched manually.
17. Unlocking Registry Editor
Unblocks the Registry Editor by removing the policy that prevents it from running.
Indications for use: the Registry Editor cannot be started; when you try, a message is displayed stating that its launch has been blocked by the administrator.
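Items 6, 9, 11 and 17 all come down to registry entries: a Debugger value under Image File Execution Options (the "system process debugger" that silently starts another program in place of the one you launched) and the DisableTaskMgr / DisableRegistryTools policy values. Exactly which keys AVZ's firmware touches is not stated on this page; the key paths and value names used below are the standard Windows ones. The script is an added example for this page, not AVZ's code. It works offline on a .reg export (for instance `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" ifeo.reg`), so it can be run on another machine against a file copied off the infected one; the sample export is constructed.

```python
"""Triage a .reg export for the entries these firmware items undo.
Added example for this page; not AVZ's code."""
import re

# Constructed .reg export: one IFEO key carrying a Debugger value (the mechanism
# behind "system process debuggers"), one with a harmless value, and the per-user
# policy key that holds the Task Manager / Registry Editor locks.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe]
"Debugger"="C:\\Users\\Public\\svchost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"GlobalFlag"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
"DisableRegistryTools"=dword:00000000
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')
IFEO_MARKER = "\\image file execution options\\"
LOCKOUT_POLICIES = ("DisableTaskMgr", "DisableRegistryTools")


def parse_reg(text):
    """Return {key_path: {value_name: raw_literal}}. Continuation lines of
    multi-line hex values are skipped; they are not needed for this triage."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        m = KEY_RE.match(line)
        if m:
            current = keys.setdefault(m.group(1), {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            current[m.group(1)] = m.group(2)
    return keys


def get_value(values, name):
    """Registry value names are case-insensitive."""
    for k, v in values.items():
        if k.lower() == name.lower():
            return v
    return None


def reg_string(raw):
    """Decode a REG_SZ literal: strip the quotes and unescape backslashes and quotes."""
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    return raw


def reg_dword(raw):
    return int(raw[6:], 16) if raw.lower().startswith("dword:") else None


def find_debuggers(keys):
    """(exe, debugger path) for every IFEO key that carries a Debugger value.
    Legitimate tools set this too (a replacement Task Manager, for example),
    so each hit is something to review, not to delete blindly."""
    out = []
    for path, values in keys.items():
        dbg = get_value(values, "Debugger")
        if IFEO_MARKER in path.lower() and dbg is not None:
            out.append((path.rsplit("\\", 1)[1], reg_string(dbg)))
    return out


def find_lockout_policies(keys):
    """(key, value name) for each Policies\\System key where a lockout is switched on."""
    out = []
    for path, values in keys.items():
        if not path.lower().endswith("\\policies\\system"):
            continue
        for name in LOCKOUT_POLICIES:
            if reg_dword(get_value(values, name) or "") == 1:
                out.append((path, name))
    return out


def load_reg_file(path):
    """reg.exe writes exports as UTF-16 with a BOM, which this encoding handles."""
    with open(path, encoding="utf-16") as f:
        return parse_reg(f.read())


if __name__ == "__main__":
    keys = parse_reg(SAMPLE_REG)
    for exe, dbg in find_debuggers(keys):
        print(f"{exe} is hijacked by debugger {dbg}")
    for key, name in find_lockout_policies(keys):
        print(f"{name}=1 under {key}")
```

A Debugger value that points into a user-writable directory, as in the sample, is the classic sign; one that points to a signed tool under Program Files is usually a deliberate replacement and should be left alone. The policy values are plain DWORDs, so the fix the firmware applies is simply to delete or zero them.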
18. Complete re-creation of SPI settings
Makes a backup copy of the SPI/LSP settings, then destroys them and re-creates them from the standard configuration stored in the database.
Indications for use:
19. Clearing the MountPoints database
Clears the MountPoints and MountPoints2 database in the registry. This operation often helps when, after infection with a flash-drive virus, disks do not open in Explorer.
To perform a recovery, select one or more items and click the "Perform selected operations" button. Clicking the "OK" button closes the window.
On a note:
Restoration is useless if a Trojan program that performs such reconfigurations is still running on the system: you must first remove the malicious program and only then restore the system settings.
On a note:
To eliminate the traces of most Hijackers, you need to run three firmware: "Reset Internet Explorer search settings to standard", "Restore Internet Explorer start page" and "Reset Internet Explorer protocol prefix settings to standard".
On a note:
Any of the firmware can be executed several times in a row without damaging the system. The exceptions are "5. Restoring desktop settings" (running this firmware resets all desktop settings, and you will have to choose the desktop colour scheme and wallpaper again) and "10. Restoring SafeMode boot settings" (this firmware re-creates the registry keys responsible for booting in safe mode).


There are programs that are as universal as a Swiss Army knife. The hero of my article is just such an all-rounder. Its name is AVZ (Zaitsev Antivirus). With this free antivirus you can catch viruses, optimize the system and fix problems.

AVZ capabilities

I have already written about what an antivirus program is. AVZ's work as a one-off antivirus (more precisely, an anti-rootkit) is well described in its help, so here I will show you another side of the program: checking and restoring settings.

What can be “fixed” with AVZ:

  • Restore startup of programs (.exe, .com, .pif files)
  • Reset Internet Explorer settings to default
  • Restore desktop settings
  • Remove rights restrictions (for example, if a virus has blocked programs from launching)
  • Remove a banner or window that appears before you log in
  • Remove viruses that can run along with any program
  • Unblock the task manager and registry editor (if the virus has prevented them from running)
  • Clear the Hosts file
  • Prohibit autorun of programs from flash drives and disks
  • Remove unnecessary files from the hard drive
  • Fix desktop problems
  • And much more

You can also use it to check Windows settings for safety (to better protect against viruses) and to optimize the system by cleaning up startup.

The AVZ download page is located.

The program is free.

First, let's protect your Windows from careless actions.

The AVZ program has a great many functions that affect how Windows operates. This is dangerous, because a mistake can lead to disaster. Please read the text and the help carefully before doing anything. The author of the article is not responsible for your actions.

I wrote this chapter so that you can "put everything back as it was" after careless work with AVZ.

This is a mandatory step; essentially it creates an "escape route" in case of careless actions: thanks to the restore point, the settings and the Windows registry can be returned to an earlier state.

Windows System Restore is a standard component of all versions of Windows starting with Windows ME. It's a pity that people usually forget about it and waste time reinstalling Windows and programs, when a couple of clicks could avoid all the trouble.

If the damage is serious (for example, some system files are damaged), System Restore will not help. In other cases, if you configured Windows incorrectly, messed with the registry, installed a program that prevents Windows from booting, or used the AVZ program incorrectly, System Restore should help.

After its work, AVZ creates subfolders with backup copies in its own folder:

/Backup - registry backups are stored there.

/Infected - copies of deleted viruses.

/Quarantine - copies of suspicious files.

If problems started after using AVZ (for example, you thoughtlessly used AVZ's "System Restore" tool and the Internet stopped working) and Windows System Restore did not roll back the changes, you can open the registry backups from the Backup folder.

How to create a restore point

Go to Start - Control Panel - System - System Protection:

Click "System Protection" in the "System" window.

Click the "Create" button.

Creating a restore point can take around ten minutes. Then a window will appear:

The restore point is created. By the way, restore points are created automatically when programs and drivers are installed, but not always. So before risky actions (configuring or cleaning the system) it is better to create a restore point once more, so that if something goes wrong you can praise yourself for your foresight.

How to restore your computer using a restore point

There are two ways to run System Restore: from a running Windows, and from the installation disc.

Option 1 - if Windows starts

Go to Start - All Programs - Accessories - System Tools - System Restore:

System Restore will start. Select "Choose a different restore point" and click Next. A list of restore points will open; select the one you need:

The computer will restart automatically. After booting, all settings, the registry and some important files will be restored.

Option 2 - if Windows does not boot

You need an "installation" disk with Windows 7 or Windows 8. I have written separately about where to get one (or download it).

Boot from the disk (how to boot from a boot disk is described separately) and select:

Select "System Restore" instead of installing Windows.

Repairing the system after viruses or inept actions with the computer

Before doing any of this, get rid of the viruses first. Otherwise there is no point: the running virus will "break" the corrected settings again.

Restoring program launches

If a virus has blocked the launch of programs, AVZ will help you. Of course, you still need to launch AVZ itself, but that is quite easy:

First go to Control Panel (set any view other than Category) - Folder Options - View - uncheck "Hide extensions for known file types" - OK. Now you can see each file's extension: the few characters after the last dot in the name. For programs this is usually .exe or .com. To run the AVZ antivirus on a computer where running programs is blocked, rename its extension to cmd or pif:

AVZ will then start. In the program window itself, click File - System Restore:

Points to note:

1. Restoring startup parameters of .exe, .com, .pif files (this is what actually solves the problem of launching programs)

6. Removing all Policies (restrictions) of the current user (in some rare cases this item also helps with launching programs, if the virus is particularly nasty)

9. Removing system process debuggers (it is highly advisable to check this item, because even if you have scanned the system with an antivirus, something may remain from the virus; it also helps if the Desktop does not appear when the system starts)

Confirm the action; a window appears with the text "System restoration completed". After that all that remains is to restart the computer, and the problem with launching programs will be solved!

Restoring the Desktop launch

A fairly common problem: when the system starts, the Desktop does not appear.

You can launch the Desktop like this: press Ctrl+Alt+Del, open Task Manager, and there choose File - New task (Run...) and enter explorer.exe:

Click OK and the desktop will start. But this is only a temporary fix: the next time you turn on the computer you will have to repeat it all again.

To avoid doing this every time, you need to restore the launch key of the explorer program ("Explorer", which is responsible for the standard view of folder contents and for the desktop). In AVZ click File - System Restore and mark the item "16. Restoring the Explorer launch key":

Click Perform selected operations, confirm the action and click OK. Now when you start the computer the desktop will launch normally.

Unlocking Task Manager and Registry Editor

If a virus has blocked the launch of the two programs mentioned above, you can remove the block in the AVZ program window. Just check two items:

11. Unlocking Task Manager

17. Unlocking Registry Editor

and click Perform selected operations.

Problems with the Internet (VKontakte, Odnoklassniki and antivirus sites do not open)

Cleaning the system from unnecessary files

AVZ also knows how to clean unnecessary files from your computer. If you have no dedicated disk-cleaning program installed, AVZ will do; fortunately it has many options:

More details about the points:

  1. Clearing the Prefetch system cache - cleans the folder holding information about which files to preload so that programs start quickly. The option is useless, because Windows itself monitors the Prefetch folder quite successfully and cleans it when required.
  2. Deleting Windows log files - clears the various databases and files that record events occurring in the operating system. The option is useful if you need to free up a dozen or two megabytes on your hard drive. In other words, the benefit is negligible; the option is useless.
  3. Deleting memory dump files - when a critical error occurs, Windows stops and shows a BSOD (blue screen of death), at the same time saving information about running programs and drivers to a file for later analysis by special programs to identify the culprit. The option is almost useless, since it gains only about ten megabytes of free space. Clearing memory dump files does not harm the system.
  4. Clearing the list of Recent documents - oddly enough, clears the Recent Documents list in the Start menu. You can also clear it manually by right-clicking the item in the Start menu and choosing "Clear list of recent items". The option is useful: I have noticed that clearing the list lets the Start menu display its submenus a little faster. It does not harm the system.
  5. Clearing the TEMP folder - the Holy Grail for those looking for the reason free space on drive C: keeps disappearing. Many programs store files in the TEMP folder for temporary use and forget to "clean up after themselves". A typical example is archivers: they unpack files there and forget to delete them. Clearing the TEMP folder does not harm the system and can free up a lot of space (in particularly advanced cases the gain reaches fifty gigabytes!).
  6. Adobe Flash Player - clearing temporary files - Flash Player can save files for temporary use; they can be removed. Sometimes (rarely) the option helps with Flash Player glitches, for example problems playing video and audio on the VKontakte website. There is no harm in using it.
  7. Clearing the terminal client cache - as far as I know, this clears the temporary files of the Windows component called "Remote Desktop Connection" (remote access to computers over the RDP protocol). The option seems harmless and frees up a dozen megabytes at best. There is no point in using it.
  8. IIS - deleting the HTTP error log - it takes a long time to explain what this is. I will just say that it is better not to enable the IIS log clearing option. In any case it does no harm, and no good either.
  9. Macromedia Flash Player - duplicates "Adobe Flash Player - clearing temporary files", but for rather ancient versions of Flash Player.
  10. Java - clearing the cache - gains you a couple of megabytes of disk space. I don't use Java programs, so I haven't checked the consequences of enabling the option. I don't recommend turning it on.
  11. Emptying the Recycle Bin - the purpose of this item is clear from its name.
  12. Removing system update installation logs - Windows keeps a log of installed updates; this option clears it. The option is useless, because there is no gain in free space.
  13. Deleting the Windows Update log - similar to the previous item, but other files are deleted. Also useless.
  14. Clearing the MountPoints database - if, when you connect a flash drive or hard drive, its icon does not appear in the Computer window, this option can help. I advise enabling it only if you have problems connecting flash drives and disks.
  15. Internet Explorer - clearing the cache - cleans Internet Explorer's temporary files. Safe and useful.
  16. Microsoft Office - clearing the cache - cleans the temporary files of Microsoft Office programs (Word, Excel, PowerPoint and others). I cannot check whether the option is safe because I don't have Microsoft Office.
  17. Clearing the CD burning system cache - a useful option that deletes files you have prepared for burning to disc.
  18. Cleaning the system TEMP folder - unlike the user TEMP folder (see item 5), cleaning this folder is not always safe, and it usually frees up little space. I don't recommend turning it on.
  19. MSI - cleaning the Config.Msi folder - this folder stores various files created by program installers. It grows large if installers did not finish their work correctly, so cleaning Config.Msi is justified. However, be warned: there may be problems uninstalling programs that use .msi installers (for example, Microsoft Office).
  20. Clearing task scheduler logs - Windows Task Scheduler keeps a log of completed tasks. I don't recommend enabling this item: there is no benefit, and it may add problems, since Task Scheduler is a rather buggy component.
  21. Removing Windows Setup logs - the space gained is insignificant; there is no point in deleting them.
  22. Windows - clearing the icon cache - useful if you have problems with shortcuts, for example when icons do not appear immediately after the Desktop appears. Enabling this option will not affect system stability.
  23. Google Chrome - clearing the cache - a very useful option. Google Chrome stores copies of pages in a designated folder to open sites faster (pages are loaded from the hard drive instead of over the Internet). Sometimes this folder reaches half a gigabyte. Clearing it frees up disk space and does not affect the stability of either Windows or Google Chrome.
  24. Mozilla Firefox - cleaning the CrashReports folder - every time Firefox hits a problem and closes abnormally, report files are created. This option deletes them. The gain reaches a couple of tens of megabytes, so the option is of little use, but it is there. It has no effect on the stability of Windows or Firefox.

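Item 5 above (and item 18's caveat about the system TEMP folder) describe freeing space by clearing the temporary files that archivers and installers leave behind. The following Python script is an added example, not AVZ's code: it walks a TEMP-like directory, reports regular files older than a cutoff together with their total size without deleting anything, and only removes them when asked, skipping symlinks and files that are locked. The sample directory it builds (an old archiver extraction folder plus a fresh file) is constructed for the example; on a real system pass the path from os.environ["TEMP"].

```python
"""Dry-run cleaner for a TEMP-style folder. Added example for this page; not AVZ code."""
import os
import stat
import tempfile
import time

DAY = 86400


def scan_stale_files(root, older_than_days=7, now=None):
    """Return (entries, total_bytes): regular files under root whose modification
    time is older than the cutoff. Nothing is deleted here."""
    now = time.time() if now is None else now
    cutoff = now - older_than_days * DAY
    entries, total = [], 0
    for dirpath, _dirs, files in os.walk(root):   # does not follow directory symlinks
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)                 # lstat: never chase a symlink
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode):
                continue                            # symlink, device, etc.: leave alone
            if st.st_mtime < cutoff:
                entries.append((path, st.st_size))
                total += st.st_size
    return entries, total


def remove_files(entries):
    """Delete the listed files; returns bytes freed. A file that is locked or
    already gone is skipped rather than failing the whole run."""
    freed = 0
    for path, size in entries:
        try:
            os.remove(path)
            freed += size
        except OSError:
            pass
    return freed


def build_sample_temp():
    """Constructed stand-in for %TEMP%: an archiver's leftover extraction
    directory from a month ago and a file some program wrote just now."""
    base = tempfile.mkdtemp(prefix="avz_example_")
    old_dir = os.path.join(base, "Rar$EX00.123")
    os.mkdir(old_dir)
    old_file = os.path.join(old_dir, "setup.bin")
    with open(old_file, "wb") as f:
        f.write(b"\0" * 4096)
    month_ago = time.time() - 30 * DAY
    os.utime(old_file, (month_ago, month_ago))
    with open(os.path.join(base, "current.tmp"), "wb") as f:
        f.write(b"\0" * 512)
    return base


if __name__ == "__main__":
    root = os.environ.get("TEMP") or build_sample_temp()
    entries, total = scan_stale_files(root, older_than_days=7)
    for path, size in entries:
        print(f"{size:>10}  {path}")
    print(f"{len(entries)} stale files, {total} bytes (dry run; call remove_files to delete)")
```

Age-based selection is what keeps this safe: an installer or archiver that is still running has fresh files, and they are left alone, while the month-old extraction directory is exactly the kind of leftover the article's fifty-gigabyte cases are made of.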
Depending on the installed programs, the number of items will vary. For example, if the Opera browser is installed, you can clear its cache too.

Cleaning the list of startup programs

A surefire way to speed up your computer's startup and overall speed is to clean the startup list. If unnecessary programs do not start, the computer not only turns on faster but also works faster, thanks to the resources no longer taken up by programs running in the background.

AVZ can view almost all loopholes in Windows through which programs are launched. You can view the autorun list in the Tools - Autorun Manager menu:

The average user has absolutely no need for such powerful functionality, so I urge you not to turn everything off. It is enough to look at just two sections: Autorun folders and Run*.

AVZ displays autorun not only for your user, but also for all other profiles:

In the Run* section it is better not to disable programs located under HKEY_USERS: this may disrupt the operation of other user profiles and of the operating system itself. In the Autorun folders section you can turn off everything you don't need.

Lines identified by the antivirus as known are marked in green. These include both Windows system programs and third-party programs with a digital signature.

All other programs are marked in black. This does not mean that such programs are viruses or anything like that, just that not all programs are digitally signed.

Don't forget to make the first column wider so that the program name is visible. Simply unchecking the box temporarily disables the program's autorun (you can check it again later); selecting the item and pressing the button with the black cross deletes the entry permanently (or until the program registers itself in autorun again).

The question arises: how to determine what can be turned off and what cannot? There are two solutions:

First, common sense: you can decide based on the name of the program's .exe file. For example, when Skype is installed it creates an entry to start automatically when the computer is turned on. If you don't need this, uncheck the box for the entry ending in skype.exe. By the way, many programs (including Skype) can remove themselves from startup; just uncheck the corresponding item in the program's own settings.

Second, you can search the Internet for information about the program and decide, based on what you find, whether to remove it from autorun. AVZ makes it easy to look items up: right-click the item and choose your favourite search engine:

By disabling unnecessary programs you will noticeably speed up your computer's startup. However, it is not advisable to disable everything: you risk losing the keyboard layout indicator, disabling the antivirus, and so on.

Disable only those programs that you know for sure - you don’t need them at startup.

Bottom line

Essentially, what I have written about in this article is like hammering nails with a microscope: the AVZ program is suitable for Windows optimization, but in general it is a complex and powerful tool for a wide variety of tasks. To use AVZ to its full potential you need to know Windows thoroughly, so you can start small, namely with what I have described above.

If you have any questions or comments, there is a comment section under the articles where you can write to me. I monitor the comments and will try to respond as quickly as possible.


We will talk about the simplest ways to neutralize viruses, in particular those that block the Windows 7 user's desktop (the Trojan.Winlock family). These viruses are distinguished by the fact that they do not hide their presence in the system but, on the contrary, advertise it, making it extremely difficult to do anything other than enter a special "unlock code", which supposedly can be obtained by transferring a certain sum to the attackers by sending an SMS or topping up a mobile phone through a payment terminal. The goal is the same in every case: to force the user to pay, sometimes quite a lot of money. A window appears on the screen with a threatening warning that the computer has been blocked for using unlicensed software, visiting unwanted sites or something similar, all meant to scare the user. In addition, the virus prevents any action in the Windows environment: it blocks the key combinations that open the Start menu, the Run command, Task Manager and so on, and the mouse pointer cannot be moved outside the virus window. As a rule, the same picture is seen when Windows is booted in safe mode. The situation seems hopeless, especially if there is no second computer, no way to boot into another operating system, and no removable media (Live CD, ERD Commander, antivirus scanner). Nevertheless, in the vast majority of cases there is a way out.

New technologies implemented in Windows Vista / Windows 7 have made it much harder for malware to infiltrate the system and take full control of it, and they also give users additional ways to get rid of it relatively easily, even without antivirus software. This is the ability to boot the system in safe mode with command prompt and to launch diagnostic and recovery software from it. Obviously, out of habit, and because of the rather poor implementation of this mode in previous versions of Windows, many users simply do not use it. But in vain. The command-line safe mode of Windows 7 has no usual desktop (which may be blocked by a virus), but it is possible to launch most programs from it: the registry editor, task manager, system recovery utility and so on.

Removing a virus by rolling back the system to a restore point

A virus is an ordinary program, and even if it sits on the computer's hard disk but has no way of starting automatically when the system boots or the user logs on, it is as harmless as, say, an ordinary text file. So if the problem of blocking the automatic launch of the malicious program is solved, the task of getting rid of the malware can be considered done. The main autostart method used by viruses is through specially created registry entries made when they install themselves in the system. Delete those entries and the virus can be considered neutralized. The simplest way to do this is to perform a system restore from restore point data. A restore point is a copy of important system files, stored in a special directory ("System Volume Information") and containing, among other things, copies of the Windows registry files. Rolling the system back to a restore point created before the infection gives you a registry without the entries added by the virus and thereby removes its autostart, that is, gets rid of the infection even without antivirus software. In this way you can quickly and simply clean the system of most viruses, including those that block the Windows desktop. Naturally, a blocker that works by modifying the hard disk's boot sectors (the MBRLock family) cannot be removed this way: rolling the system back to a restore point does not touch the disk's boot records, and it will not even be possible to boot Windows in safe mode with command prompt, because the virus takes control before the Windows loader. To get rid of such an infection you will have to boot from another medium and restore the infected boot records. But such viruses are relatively few, and in most cases a rollback to a restore point gets rid of the infection.

1. At the very beginning of the boot, press F8. The Windows boot manager menu will appear on the screen with the available boot options.

2. Select the boot option "Safe Mode with Command Prompt".

After the boot completes and the user logs on, the cmd.exe command processor window is displayed instead of the usual Windows desktop.

3. Run the "System Restore" tool: type rstrui.exe at the command prompt and press ENTER.

Switch to "Choose a different restore point" and, in the next window, tick "Show more restore points".

After selecting a restore point, you can view the list of programs affected by the rollback:

The affected-programs list names the programs that were installed after the restore point was created and that may need to be reinstalled, because their registry entries will be missing after the rollback.

After clicking "Finish", the system restore process begins. On completion, Windows restarts.

After the reboot, a message reports the success or failure of the rollback; if it succeeded, Windows is back in the state it was in on the date the restore point was created. If the desktop is still blocked, use the more advanced method described below.

Removing a virus without rolling back the system to a restore point

It may be that the system has no restore point data for some reason, the restore procedure ended with an error, or the rollback did not help. In that case you can use the System Configuration utility MSCONFIG.EXE. As before, boot Windows in safe mode with command prompt and, in the cmd.exe window, type msconfig.exe and press ENTER.

On the General tab you can select one of the following Windows startup modes:

Normal startup - all drivers, services and startup programs are loaded as usual.
Diagnostic startup - when the system boots, only the minimum required system services and user programs are launched.
Selective startup - lets you set manually the list of system services and user programs that will be launched during boot.

To eliminate a virus, the easiest approach is diagnostic startup, where the utility itself decides on the minimal set of programs to start automatically. If the virus stops blocking the desktop in this mode, move on to the next step: determining which program is the virus. For that, use selective startup, which lets you enable or disable the launch of individual programs by hand.

The "Services" tab lets you enable or disable the launch of system services whose startup type is set to "Automatic". An unticked box in front of a service name means it will not be launched during boot. At the bottom of the MSCONFIG window there is a "Hide all Microsoft services" option which, when enabled, shows only third-party services.

Note that the likelihood of infection by a virus that installs itself as a system service is very low with the standard security settings of Windows Vista / Windows 7, so the traces of the virus will have to be looked for in the list of automatically launched user programs (the "Startup" tab).

Just as on the Services tab, you can enable or disable the automatic launch of any program present in the list displayed by MSCONFIG. If a virus is activated by the standard autostart registry keys or by the contents of the Startup folder, msconfig lets you not only neutralize it but also learn the path and name of the infected file.

The msconfig utility is a simple and convenient tool for configuring the autostart of services and applications that start in the standard way for Windows. However, virus authors often use techniques that launch their programs without the standard autorun points. Such a virus can most likely be removed by the method described above, rolling the system back to a restore point. If a rollback is not possible and msconfig did not help, you can edit the registry directly.

While fighting a virus, the user often has to perform a hard reboot via Reset or by cutting the power. This can lead to a situation where the system starts but never reaches the logon screen: the computer hangs because the logical structure of some system files was damaged by the improper shutdown. To fix this, boot into safe mode with command prompt as in the previous cases and run a check of the system disk:

chkdsk C: /F - check drive C: and fix the errors found (the /F switch)

Because at the time chkdsk runs the system disk is in use by system services and applications, chkdsk cannot obtain exclusive access to it to perform the check. It therefore displays a warning and offers to run the check the next time the system restarts. After you answer Y, an entry is written to the registry (an autochk command in the BootExecute value of Session Manager) so that the disk check starts when Windows restarts. When the check completes, that entry is removed and Windows continues booting normally without user intervention.

Eliminating the possibility of a virus running using the Registry Editor.

To launch the Registry Editor, boot Windows in safe mode with command prompt as before, type regedit.exe in the command interpreter window and press ENTER. Windows 7 with the standard system security settings is protected against many of the methods of launching malicious programs that were used on earlier Microsoft operating systems. Viruses installing their own drivers and services, reconfiguring the WINLOGON components to load their own executable modules, changing registry keys that apply to all users, and so on: all these methods either do not work in Windows 7 or require so much effort that they are practically never used. Typically the registry changes that make the virus start are made only within the permissions of the current user, that is, in the HKEY_CURRENT_USER hive.

To demonstrate the simplest desktop-blocking mechanism, substitution of the user shell, and the inability of MSCONFIG to detect and remove such a virus, you can carry out the following experiment: instead of a virus, modify the registry yourself so as to get, for example, a command prompt instead of the desktop. The familiar desktop is created by Windows Explorer (the explorer.exe program) launched as the user's shell. This is determined by the Shell value in the registry keys

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon - for all users.
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon - for the current user.

The Shell value is a string with the name of the program that is used as the shell when the user logs on. Normally the Shell value is absent from the current user's key (HKEY_CURRENT_USER, abbreviated HKCU), and the value from the all-users key (HKEY_LOCAL_MACHINE, abbreviated HKLM) is used.

This is what the key HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon looks like on a standard Windows 7 installation:

If a string value named Shell with the data "cmd.exe" is added to this key, then the next time the current user logs on, cmd.exe is launched instead of the standard Explorer-based shell, and a command prompt window appears instead of the usual Windows desktop.

Naturally, any malicious program can be launched this way, and the user gets a porn banner, a blocker or some other nastiness instead of a desktop.
Changing the all-users key (HKLM...) requires administrative privileges, so viruses usually modify the current user's key (HKCU...).

If, to continue the experiment, you run msconfig, you can see that cmd.exe does not appear as the user shell in its list of automatically launched programs. A system rollback would naturally return the registry to its initial state and remove the virus's autostart, but if for some reason that is impossible, all that remains is editing the registry directly. To return to the standard desktop, simply delete the Shell value or change its data from "cmd.exe" to "explorer.exe", then log off and log on again, or reboot. You can edit the registry either in the Registry Editor regedit.exe started from the command prompt, or with the console utility REG.EXE. Example command to delete the Shell value (REG asks for confirmation; add /f to suppress the prompt):

REG delete "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell
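The same check and repair as a script, added here as an example and not part of the original article: it reads the Shell and Userinit values from both Winlogon keys, reports anything that differs from the Windows 7 defaults, and deletes a per-user Shell override. The expected values (explorer.exe and SystemRoot\system32\userinit.exe with its trailing comma) are the Windows 7 defaults; the script name is an assumption.

```powershell
# Added example, not part of the original article: check the Winlogon Shell and
# Userinit values in HKCU and HKLM and remove a per-user Shell override.
# Run from "Safe Mode with Command Prompt":
#   powershell.exe -ExecutionPolicy Bypass -File Check-WinlogonShell.ps1
# Assumption: Windows 7 defaults, i.e. Shell = explorer.exe and
# Userinit = <SystemRoot>\system32\userinit.exe, (the trailing comma is standard).

$winlogon = 'Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
$hives    = @{ HKCU = "HKCU:\$winlogon"; HKLM = "HKLM:\$winlogon" }
$expected = @{
    Shell    = 'explorer.exe'
    Userinit = "$env:SystemRoot\system32\userinit.exe,"
}

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null when the key or the value does not exist (PowerShell 2.0 compatible)
    $props = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    if (-not $props) { return $null }
    $prop = $props.PSObject.Properties | Where-Object { $_.Name -eq $Name }
    if ($prop) { return [string]$prop.Value } else { return $null }
}

foreach ($hive in 'HKCU', 'HKLM') {
    foreach ($name in 'Shell', 'Userinit') {
        $value = Get-RegValue $hives[$hive] $name
        $label = "$hive\...\Winlogon\$name"
        if ($null -eq $value) {
            # Normal for HKCU: neither value is present on a clean system
            Write-Host "$label : not set"
        } elseif ($value.Trim().ToLower() -ne $expected[$name].ToLower()) {
            Write-Host "SUSPICIOUS $label = $value" -ForegroundColor Red
        } else {
            Write-Host "$label = $value (ok)"
        }
    }
}

# Any Shell value under HKCU overrides HKLM for this user only; that is the
# blocker's trick. Record what it pointed to (that file is the next thing to
# inspect and delete), then remove the override.
$hkcuShell = Get-RegValue $hives['HKCU'] 'Shell'
if ($null -ne $hkcuShell) {
    Write-Host "Removing HKCU Shell override that launched: $hkcuShell"
    Remove-ItemProperty -Path $hives['HKCU'] -Name 'Shell'
}
```

Windows 7 ships PowerShell 2.0, which is why the script avoids newer syntax; powershell.exe starts from the safe mode command prompt just like regedit.exe. A Userinit value that has been extended with a second executable after the comma is the other classic variant of the same trick and shows up as SUSPICIOUS in the same way.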

The shell substitution shown above is today one of the most common techniques used by viruses in the Windows 7 environment. The fairly high level of security of the standard system settings does not let malicious programs reach the registry keys that were used for infection in Windows XP and earlier. Even when the current user is a member of the Administrators group, access to the vast majority of registry settings used for infection requires the program to be run as administrator (elevated). That is why malware modifies the registry keys the current user is allowed to write to (the HKCU... hive). The second important factor is the difficulty of writing program files into system directories. That is why most viruses in Windows 7 launch their executable files (.exe) from the current user's temporary files directory (Temp). When analyzing the autostart points in the registry, first of all pay attention to programs located in the temporary files directory. Usually this is C:\Users\username\AppData\Local\Temp. The exact path of the temporary files directory can be seen in Control Panel under System Properties - "Environment Variables", or at the command prompt:

set temp
or
echo %temp%

In addition, searching the registry for the string corresponding to the temporary files directory name, or for the %TEMP% variable, can be used as an extra means of detecting viruses: legitimate programs practically never autostart from the TEMP directory.

For a complete list of possible autostart points, the Autoruns program from the Sysinternals Suite is convenient.
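An added example, not from the original article, of the TEMP-directory check applied to the autorun points msconfig shows: it enumerates the Run/RunOnce keys of HKCU and HKLM and both Startup folders, resolves shortcuts to their targets, and marks every entry whose command lives under a temporary-files directory or contains an unexpanded %TEMP%/%TMP%. It is read-only. The folder layout (AppData\Local\Temp, the ProgramData Start Menu) is the Windows 7 default and is an assumption.

```powershell
# Added example, not part of the original article: enumerate the standard
# autorun points that msconfig shows (Run/RunOnce keys and the Startup folders)
# and flag entries that launch from a temporary-files directory. Read-only.
# Assumption: Windows 7 folder layout (AppData\Local\Temp, ProgramData Start Menu).

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'   # exists on 64-bit Windows only
)
$startupDirs = @(
    "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
    "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
)
# Directories legitimate software practically never autostarts from
$suspectDirs = @($env:TEMP, "$env:LOCALAPPDATA\Temp", "$env:SystemRoot\Temp") |
    Where-Object { $_ } | ForEach-Object { $_.ToLower().TrimEnd('\') }
$metaProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

function Test-SuspectCommand([string]$Command) {
    $c = $Command.ToLower()
    if ($c -match '%temp%|%tmp%') { return $true }   # unexpanded variable in the command
    foreach ($d in $suspectDirs) { if ($c.Contains($d)) { return $true } }
    return $false
}

function New-Finding($Source, $Name, $Command) {
    New-Object PSObject -Property @{
        Suspect = Test-SuspectCommand $Command
        Name    = $Name
        Command = $Command
        Source  = $Source
    }
}

$findings = @()
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ($metaProps -contains $p.Name) { continue }   # skip the provider's own properties
        $findings += New-Finding $key $p.Name ([string]$p.Value)
    }
}
$shell = New-Object -ComObject WScript.Shell
foreach ($dir in $startupDirs) {
    if (-not (Test-Path $dir)) { continue }
    # -Force also lists files the virus marked hidden
    foreach ($f in Get-ChildItem -Path $dir -Force | Where-Object { -not $_.PSIsContainer }) {
        $target = $f.FullName
        if ($f.Extension -eq '.lnk') { $target = $shell.CreateShortcut($f.FullName).TargetPath }
        $findings += New-Finding $dir $f.Name $target
    }
}

# Suspect entries first; for each, the Command column is the file to inspect
$findings | Sort-Object Suspect -Descending | Format-Table Suspect, Name, Command, Source -AutoSize -Wrap
```

The Source column tells you which key or folder to clean (with REG delete, or by deleting the file from the Startup folder); the Command column is the executable to quarantine afterwards. As the article says, these are only the standard autorun points; Autoruns covers the rest.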

The simplest ways to remove blockers of the MBRLock family

Malicious programs can gain control of a computer not only by infecting the operating system but also by modifying the boot sector records of the disk from which the system boots. The virus replaces the boot sector data of the active partition with its own code, so that instead of Windows a simple program loads that displays a ransom message on the screen demanding money for the crooks. Since the virus takes control before the system boots, there is only one way around it: boot from another medium (CD/DVD, external drive, etc.) into any operating system from which the boot sector code can be restored. The easiest way is a Live CD / Live USB, which most antivirus companies provide to users free of charge (Dr.Web LiveCD, Kaspersky Rescue Disk, Avast! Rescue Disk, etc.). Besides restoring boot sectors, these products can also scan the file system for malware and remove or disinfect infected files. If that is not possible, it is enough to boot any version of Windows PE (an installation disk, or the ERD Commander disaster recovery disk), which allows normal system boot to be restored. Usually it is enough to get to a command prompt and run:

bootsect /nt60 E: /mbr

restore the boot sectors of drive E:. Use the letter under which the system volume damaged by the virus is visible in the recovery environment (it may differ from C:).

or, for Windows versions prior to Windows Vista:

bootsect /nt52 E: /mbr

The bootsect.exe utility can be found not only in the system directories but also on any removable medium; it runs under any Windows operating system and restores the boot sector code without touching the partition table or the file system. The /mbr switch additionally rewrites the master boot record code. Blockers that modify the MBR code rather than the partition boot sector (as the MBRLock name suggests) are exactly the case where it is needed, and on a standard MBR disk it does no harm, so there is no reason to leave it out.

AVZ is a simple and convenient utility that can not only help find malware but also restore the system. Why is that necessary?

The fact is that after a virus invasion (it happens that AVZ kills thousands of them), some programs refuse to work, settings have disappeared somewhere, and Windows somehow does not work quite correctly.

Most often, users in this situation simply reinstall the system. But practice shows this is not at all necessary, because the same AVZ utility can restore almost any damaged program settings and system data.

To give a clearer picture, here is the full list of what AVZ can restore.

The material is taken from the AVZ reference manual - http://www.z-oleg.com/secur/avz_doc/ (copy and paste into the browser address bar).

The database currently contains the following firmware (AVZ's term for its built-in repair scripts):

1. Restoring startup parameters of .exe, .com, .pif files

This firmware restores the system's standard handling of exe, com, pif and scr files.

Indications for use: after the virus is removed, programs no longer start.

2. Reset Internet Explorer protocol prefix settings to standard

This firmware restores the protocol prefix settings in Internet Explorer.

Indications for use: when you enter an address such as www.yandex.ru, it is replaced with something like www.seque.com/abcd.php?url=www.yandex.ru

3. Restoring the Internet Explorer start page

This firmware restores the start page in Internet Explorer.

Indications for use: the start page has been replaced.

4. Reset Internet Explorer search settings to standard

This firmware restores the search settings in Internet Explorer.

Indications for use: clicking the "Search" button in IE leads to some third-party site.

5. Restore desktop settings

This firmware restores the desktop settings.

Restoration involves deleting all Active Desktop elements and wallpaper and unblocking the menu responsible for desktop settings.

Indications for use: the desktop settings tabs in the "Display Properties" window have disappeared; extraneous text or pictures are displayed on the desktop.

6. Deleting all Policies (restrictions) of the current user

Windows provides a mechanism for restricting user actions called Policies. Much malware uses this mechanism, because the settings are stored in the registry and are easy to create or modify.

Indications for use: Explorer functions or other system functions are blocked.

7. Deleting the message displayed during WinLogon

Windows NT and the subsequent systems of the NT line (2000, XP) allow a message to be set that is displayed during startup.

A number of malicious programs take advantage of this, and removing the malicious program does not remove the message.

Indications for use: an extraneous message is displayed during system boot.

8. Restoring Explorer settings

This firmware resets a number of Explorer settings to standard (the settings changed by malware are reset first).

Indications for use: Explorer settings have been changed.

9. Removing system process debuggers

Registering a debugger for a system process (the Image File Execution Options mechanism) allows an arbitrary application to be launched covertly in its place, which is used by a number of malicious programs.

Indications for use: AVZ detects unidentified system process debuggers; problems arise with launching system components, in particular the desktop disappears after a reboot.

10. Restoring boot settings in SafeMode

Some malware, in particular the Bagle worm, corrupts the system's safe mode boot settings.

This firmware restores the safe mode boot settings. Indications for use: the computer does not boot into SafeMode. This firmware should be used only in case of problems with booting in safe mode.

11. Unlock Task Manager

Blocking Task Manager is used by malware to protect its processes from detection and termination. Running this firmware removes the lock.

Indications for use: Task Manager is blocked; when you try to open it, the message "Task Manager has been disabled by your administrator" is displayed.

12. Clearing the ignore list of the HijackThis utility

The HijackThis utility stores a number of its settings in the registry, in particular its list of exceptions (ignore list). Therefore, to hide from HijackThis, a malicious program only needs to register its executable files in that list.

A number of malicious programs that exploit this weakness are known. This AVZ firmware clears the HijackThis exception list.

Indications for use: there is a suspicion that the HijackThis utility does not display all information about the system.

13. Cleaning the Hosts file

Cleaning the Hosts file involves locating the file, removing all significant (non-comment) lines from it, and adding the standard line "127.0.0.1 localhost".

Indications for use: the Hosts file is suspected to have been modified by malware. A typical symptom is that antivirus programs can no longer download updates.

The contents of the Hosts file can be inspected with the Hosts file manager built into AVZ.
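An added example of the Hosts cleanup described under item 13, written here as a script and not taken from AVZ or the article. It locates the hosts file the way the resolver does (through the DataBasePath value under the Tcpip service, which malware sometimes redirects to a copy of its own), lists the significant lines, flags every entry that is not a plain localhost mapping, and, only with -Reset, saves a backup and writes the standard single line. The -Reset switch is an assumption of this example; the script needs an administrator prompt to write the file.

```powershell
# Added example, not part of the original article: locate the hosts file the
# way the resolver does (via the Tcpip DataBasePath registry value, which
# malware sometimes redirects), list its significant lines, flag entries that
# do not simply map localhost, and optionally reset the file to the standard
# "127.0.0.1 localhost" after taking a backup. Run as administrator.
param([switch]$Reset)   # assumption: reset only when -Reset is given

$tcpip        = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$dbPath       = [Environment]::ExpandEnvironmentVariables($tcpip.DataBasePath)
$standardPath = Join-Path $env:SystemRoot 'System32\drivers\etc'
if ($dbPath.TrimEnd('\').ToLower() -ne $standardPath.ToLower()) {
    Write-Host "SUSPICIOUS: DataBasePath points to $dbPath instead of $standardPath" -ForegroundColor Red
}
$hostsPath = Join-Path $dbPath 'hosts'

function Get-HostsEntries([string]$Path) {
    # One object per significant line: the address and the names mapped to it
    foreach ($line in Get-Content -Path $Path) {
        $text = ($line -split '#', 2)[0].Trim()        # strip comments
        if (-not $text) { continue }
        $fields = $text -split '\s+'
        $names  = if ($fields.Count -gt 1) { $fields[1..($fields.Count - 1)] -join ' ' } else { '' }
        New-Object PSObject -Property @{ Address = $fields[0]; Names = $names }
    }
}

$entries = @(Get-HostsEntries $hostsPath)
Write-Host "$($entries.Count) significant line(s) in $hostsPath"
# A default Windows 7 hosts file has only comments; anything beyond localhost is foreign
$foreign = $entries | Where-Object { $_.Names -ne 'localhost' }
if ($foreign) {
    Write-Host 'Entries that were not placed there by Windows:' -ForegroundColor Red
    $foreign | Format-Table Address, Names -AutoSize
}

if ($Reset) {
    $file = Get-Item $hostsPath -Force
    $file.Attributes = 'Archive'                       # clear hidden/read-only flags set by malware
    Copy-Item $hostsPath "$hostsPath.bak" -Force
    Set-Content -Path $hostsPath -Value "127.0.0.1`tlocalhost" -Encoding ASCII
    Write-Host "hosts reset; previous content saved as $hostsPath.bak"
}
```

Antivirus update servers mapped to 127.0.0.1 or to an unknown address are the pattern the article describes; the listing shows them before anything is overwritten, so the foreign names can be noted as indicators before the reset.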

14. Automatic correction of SPI/LSP settings

Analyzes the SPI settings (Winsock service providers and Layered Service Providers) and, if errors are detected, automatically corrects them.

This firmware can be re-run any number of times. After running it, restarting the computer is recommended. Note: this firmware cannot be run from a terminal session.

Indications for use: Internet access was lost after removing the malicious program.

15. Reset SPI/LSP and TCP/IP settings (XP+)

This firmware works only on XP, Windows 2003 and Vista. It resets and re-creates the SPI/LSP and TCP/IP settings using the standard netsh utility included with Windows.

Note: use this reset only if necessary, when problems with Internet access remain after removing malware and cannot be fixed otherwise.

Indications for use: after removing the malicious program there is no Internet access, and running firmware "14. Automatic correction of SPI/LSP settings" does not help.

16. Restoring the Explorer launch key

Restores the system registry keys responsible for launching Explorer.

Indications for use: Explorer does not start during system boot, but explorer.exe can be launched manually.

17. Unlocking the Registry Editor

Unblocks the Registry Editor by removing the policy that prevents it from running.

Indications for use: the Registry Editor cannot be started; when you try, a message is displayed stating that its launch has been disabled by the administrator.
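The locks removed by items 6, 11 and 17 are ordinary values under the current user's Policies keys. The following script, added as an example and not part of AVZ or the article, lists every such value and deletes the two that disable Task Manager and the Registry Editor. It runs even while regedit.exe is blocked, because that policy affects only regedit.exe and not reg.exe or the PowerShell registry provider. Only HKCU is handled here (an assumption of the example); the same values under HKLM would need an elevated prompt.

```powershell
# Added example, not part of the original article: list every per-user Policy
# value (the restrictions AVZ firmware 6 removes) and delete the two that block
# Task Manager and the Registry Editor (firmware 11 and 17). It works while
# regedit.exe is blocked, because DisableRegistryTools stops only regedit.exe,
# not reg.exe or the PowerShell registry provider.
# Assumption: only HKCU is cleaned; the same values under HKLM need an elevated prompt.

$policyRoot = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies'
$metaProps  = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')
$locks      = @{ System = @('DisableTaskMgr', 'DisableRegistryTools') }

function Get-PolicyValues([string]$Root) {
    # One object per value under Policies\* (Explorer, System, ActiveDesktop, ...)
    if (-not (Test-Path $Root)) { return }
    $keys = @(Get-Item $Root) + @(Get-ChildItem -Path $Root -Recurse -ErrorAction SilentlyContinue)
    foreach ($key in $keys) {
        $props = Get-ItemProperty -Path $key.PSPath
        foreach ($p in $props.PSObject.Properties) {
            if ($metaProps -contains $p.Name) { continue }
            New-Object PSObject -Property @{
                Key   = $key.PSPath -replace '^.*::', ''   # drop the provider prefix
                Name  = $p.Name
                Value = $p.Value
            }
        }
    }
}

Write-Host 'Policies currently applied to this user (a clean profile usually has none):'
Get-PolicyValues $policyRoot | Format-Table Key, Name, Value -AutoSize -Wrap

foreach ($sub in $locks.Keys) {
    $key = Join-Path $policyRoot $sub
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($name in $locks[$sub]) {
        $prop = $props.PSObject.Properties | Where-Object { $_.Name -eq $name }
        if ($prop) {
            Write-Host "Removing $sub\$name (was $($prop.Value))"
            Remove-ItemProperty -Path $key -Name $name
        }
    }
}
# Log off and on again, or restart explorer.exe, for Explorer-related policies to take effect.
```

Other values the listing may show (NoRun, NoDesktop, NoControlPanel under Policies\Explorer) are the restrictions item 6 clears wholesale; removing them is the same Remove-ItemProperty call with a different key and name. As the note below says, none of this helps while the Trojan that set the values is still running.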

18. Complete re-creation of SPI settings

Makes a backup copy of the SPI/LSP settings, then destroys them and re-creates them from the standard template stored in the AVZ database.

Indications for use: severe damage to the SPI settings that cannot be repaired by firmware 14 and 15. Use only if necessary!

19. Clear MountPoints database

Cleans the MountPoints and MountPoints2 keys in the registry. This operation often helps when, after infection by a virus spread via USB flash drives, disks do not open in Explorer.

To perform a recovery, select one or more items and click the "Perform selected operations" button. The "OK" button closes the window.

On a note:

Restoration is useless while a Trojan that performs such reconfiguration is still running in the system: first remove the malware, then restore the system settings.

On a note:

To remove the traces of most hijackers, run three firmware items: "Reset Internet Explorer search settings to standard", "Restore Internet Explorer start page" and "Reset Internet Explorer protocol prefix settings to standard".

On a note:

Any of the firmware items can be run several times in a row without damaging the system. The exceptions are "5. Restoring desktop settings" (running it resets all desktop settings, and you will have to select the desktop colour scheme and wallpaper again) and "10. Restoring boot settings in SafeMode" (it re-creates the registry keys responsible for booting in safe mode).

To start the recovery, first download, unpack and run the utility, then click File - System Restore. By the way, you can also do

Tick the boxes you need and click "Perform selected operations". That's it; now wait for completion :-)

In the following articles we will look in more detail at the problems that the AVZ system recovery firmware can help solve. Good luck.


An excellent program for removing viruses and restoring the system is AVZ (Zaitsev Anti-Virus). You can download AVZ by clicking on the orange button after generating links.And if a virus blocks the download, then try downloading the entire anti-virus set!

The main capabilities of AVZ are virus detection and removal.

AVZ antivirus utility is designed to detect and remove:

  • SpyWare and AdWare modules are the main purpose of the utility
  • Dialer (Trojan.Dialer)
  • Trojan programs
  • BackDoor modules
  • Network and mail worms
  • TrojanSpy, TrojanDownloader, TrojanDropper

The utility is a direct analogue of the TrojanHunter and LavaSoft Ad-aware 6 programs. Its primary task is removing SpyWare and Trojan programs.

Features of the AVZ utility (in addition to the standard signature scanner) are:

  • Heuristic system-check microprograms (firmware). The firmware searches for known SpyWare and viruses by indirect signs: analysis of the registry and of files on disk and in memory.
  • Updated database of safe files. It includes digital signatures of tens of thousands of system files and files of known safe processes. The database is connected to all AVZ subsystems and works on the “friend/foe” principle: safe files are not quarantined, deletion and warnings are blocked for them, and the database is used by the anti-rootkit, the file search system and various analyzers. In particular, the built-in process manager highlights safe processes and services in colour, and the disk file search can exclude known files from its results (very useful when searching the disk for Trojan programs);
  • Built-in RootKit detection system. The RootKit search works without signatures, by examining the basic system libraries for interception of their functions. AVZ can not only detect RootKits but also correctly block UserMode RootKits for its own process and KernelMode RootKits at the system level. The RootKit countermeasures apply to all AVZ service functions; as a result the AVZ scanner can detect masked processes, the registry search system “sees” masked keys, and so on. The anti-rootkit is equipped with an analyzer that detects processes and services masked by a RootKit. In my opinion, one of the main features of the RootKit countermeasures system is that it works in Win9X (the widespread opinion that no RootKits work on the Win9X platform is deeply erroneous: hundreds of Trojan programs are known that intercept API functions to mask their presence and to distort the work of API functions or monitor their use). Another feature is the universal KernelMode RootKit detection and blocking system, compatible with Windows NT, Windows 2000 Pro/Server, XP, XP SP1, XP SP2, Windows 2003 Server and Windows 2003 Server SP1.
  • Keylogger and Trojan DLL detector. The search for Keyloggers and Trojan DLLs is carried out by system analysis without a signature database, which makes it possible to confidently detect previously unknown Trojan DLLs and Keyloggers;
  • Neuroanalyzer. In addition to the signature analyzer, AVZ contains a neuroemulator, which makes it possible to examine suspicious files using a neural network. Currently the neural network is used in the keylogger detector.
  • Built-in Winsock SPI/LSP settings analyzer. Lets you analyze the settings, diagnose possible errors in them and repair them automatically. Automatic diagnosis and repair is useful for novice users (utilities like LSPFix do not repair automatically). For studying SPI/LSP manually, the program has a special LSP/SPI settings manager. The Winsock SPI/LSP analyzer is covered by the anti-rootkit;
  • Built-in manager of processes, services and drivers. Designed for studying running processes and loaded libraries, running services and drivers. The process manager is covered by the anti-rootkit (so it “sees” processes masked by a rootkit). The process manager is linked to the AVZ safe-file database; identified safe and system files are highlighted in colour;
  • Built-in utility for searching files on disk. Lets you search for a file by various criteria; the capabilities of the search system exceed those of the system search. The search is covered by the anti-rootkit (so it “sees” files masked by a rootkit and can delete them), and a filter lets you exclude files identified by AVZ as safe from the results. Search results are available as a text log and as a table in which you can mark a group of files for later deletion or quarantine.
  • Built-in utility for searching data in the registry. Lets you search for keys and values matching a given pattern; search results are available as a text log and as a table in which you can mark several keys for export or deletion. The search is covered by the anti-rootkit (so it “sees” registry keys masked by a rootkit and can delete them).
  • Built-in analyzer of open TCP/UDP ports. It is covered by the anti-rootkit; in Windows XP, the process using each port is displayed. The analyzer relies on an updated database of ports used by known Trojan/Backdoor programs and by known system services. The search for Trojan ports is part of the main system scan: when suspicious ports are detected, warnings are written to the log indicating which Trojan programs are likely to use that port.
  • Built-in analyzer of shared resources, network sessions and files opened over the network. Works in Win9X and NT/W2K/XP.
  • Built-in Downloaded Program Files (DPF) analyzer: displays DPF elements and is connected to all AVZ subsystems.
  • System recovery firmware. The firmware restores Internet Explorer settings, program launch parameters and other system parameters damaged by malware. Restoration is started manually, and the parameters to be restored are chosen by the user.
  • Heuristic file deletion. If malicious files were deleted during treatment and this option is enabled, an automatic system scan is performed covering classes, BHOs, IE and Explorer extensions, all types of autorun known to AVZ, Winlogon, SPI/LSP, etc. All found references to the deleted file are cleared automatically, and the log records what exactly was cleared and where. This cleanup relies heavily on the system treatment firmware engine;
  • Checking archives. Starting from version 3.60, AVZ supports scanning archives and compound files. Currently ZIP, RAR, CAB, GZIP and TAR archives, e-mail messages and MHT files, and CHM archives are checked.
  • Checking and treating NTFS streams. Checking of NTFS streams has been included in AVZ since version 3.75.
  • Control scripts. Let the administrator write a script that performs a given set of operations on the user's PC. Scripts make it possible to use AVZ on a corporate network, including launching it during system boot.
  • Process analyzer. The analyzer uses neural networks and analysis firmware; it is enabled when advanced analysis is turned on at the maximum heuristic level and is designed to search for suspicious processes in memory.
  • AVZGuard system. Designed to combat hard-to-remove malware; in addition to AVZ itself, it can protect user-specified applications, for example other anti-spyware and anti-virus programs.
  • Direct disk access system for working with locked files. Works on FAT16/FAT32/NTFS, is supported on all NT-line operating systems, and allows the scanner to analyze locked files and quarantine them.
  • AVZPM process and driver monitoring driver. Designed to monitor the start and stop of processes and the loading/unloading of drivers, in order to find masquerading drivers and detect the distortions that DKOM rootkits introduce into the structures describing processes and drivers.
  • Boot Cleaner driver. Designed to perform system cleaning (removing files, drivers, services and registry keys) from KernelMode. Cleaning can be performed both while the computer restarts and during treatment.
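The open-port analyzer described in the list above is easy to approximate for your own host. The PowerShell below is an added example, not AVZ's analyzer or the page's own code: it maps every listening TCP port and bound UDP port to its owning process and image path, then reports, one row per process, the ports that are not in a small table of expected services. The table is constructed for illustration and should be rebuilt from a known-clean machine; the function names are this example's own. Run it elevated so the image path of system processes is readable.

```powershell
# Added example, not AVZ code. Port-to-process mapping with an expected-services allowlist.

# Constructed allowlist for illustration; build yours from a known-clean baseline host.
$ExpectedPorts = @{
    135 = 'RPC endpoint mapper'; 139 = 'NetBIOS session'; 445 = 'SMB'
    3389 = 'Remote Desktop';     5353 = 'mDNS';            5355 = 'LLMNR'
}

function Get-ListeningEndpoint {
    # One object per listening TCP port or bound UDP port, with the owning process.
    $tcp = Get-NetTCPConnection -State Listen | ForEach-Object {
        [pscustomobject]@{ Proto = 'TCP'; Address = $_.LocalAddress; Port = [int]$_.LocalPort; ProcessId = $_.OwningProcess }
    }
    $udp = Get-NetUDPEndpoint | ForEach-Object {
        [pscustomobject]@{ Proto = 'UDP'; Address = $_.LocalAddress; Port = [int]$_.LocalPort; ProcessId = $_.OwningProcess }
    }
    foreach ($ep in @($tcp) + @($udp)) {
        # Get-Process fails for a PID that exited meanwhile; report that instead of dying.
        $proc = Get-Process -Id $ep.ProcessId -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Proto     = $ep.Proto
            Address   = $ep.Address
            Port      = $ep.Port
            ProcessId = $ep.ProcessId
            Process   = if ($proc) { $proc.ProcessName } else { '<exited or not visible>' }
            Path      = if ($proc) { $proc.Path } else { $null }   # $null without elevation for system processes
            Expected  = $ExpectedPorts[$ep.Port]
        }
    }
}

function Get-UnexpectedEndpoint {
    # One row per (protocol, process) listing its ports that are not on the allowlist.
    # "Unexpected" means review, not malicious: legitimate hosts differ from any baseline.
    Get-ListeningEndpoint | Where-Object { -not $_.Expected } |
        Group-Object Proto, Process | ForEach-Object {
            [pscustomobject]@{
                Proto   = $_.Group[0].Proto
                Process = $_.Group[0].Process
                Path    = $_.Group[0].Path
                Ports   = ($_.Group.Port | Sort-Object -Unique) -join ', '
            }
        }
}

# Usage: full map first, then the review list.
Get-ListeningEndpoint | Sort-Object Proto, Port | Format-Table Proto, Address, Port, ProcessId, Process -AutoSize
Get-UnexpectedEndpoint | Format-Table -AutoSize
```

This runs inside the normal API, so unlike AVZ's analyzer it is not covered by an anti-rootkit: a kernel rootkit that hides a socket or a process hides it from this script too, which is why a clean result here is weaker evidence than a clean result from a tool that checks the system libraries for hooks.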

Restoring system parameters:

  • Restoring launch parameters of .exe, .com and .pif files
  • Reset IE settings
  • Restoring desktop settings
  • Remove all user restrictions
  • Removing the message shown during Winlogon
  • Restoring File Explorer settings
  • Removing system process debuggers
  • Restoring Safe Mode boot settings
  • Unblocking the task manager
  • Cleaning the hosts file
  • Correcting SPI/LSP settings
  • Resetting SPI/LSP and TCP/IP settings
  • Unlocking Registry Editor
  • Cleaning MountPoints Keys
  • Replacing DNS servers
  • Removing the IE/Edge proxy server setting
  • Removing Google Restrictions
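Several items in the list above reset settings that can be audited before anything is changed. The PowerShell below is an added example, not AVZ's code or the page's own: it compares the .exe/.com/.pif launch commands, the Task Manager and Registry Editor policies and the Winlogon message values against their stock defaults, lists Image File Execution Options entries that install a debugger for a program (what “Removing system process debuggers” targets), and shows hosts-file entries that point anywhere but loopback. Registry and file paths are the standard Windows locations; the expected values and the function names are this example's assumptions.

```powershell
# Added example, not AVZ code. Audit of settings that the restoration firmware reset.

$Checks = @(
    # .exe/.com/.pif launch command: malware rewrites this to start itself before the program.
    @{ Path = 'HKLM:\SOFTWARE\Classes\exefile\shell\open\command'; Name = '(default)'; Expected = '"%1" %*' }
    @{ Path = 'HKLM:\SOFTWARE\Classes\comfile\shell\open\command'; Name = '(default)'; Expected = '"%1" %*' }
    @{ Path = 'HKLM:\SOFTWARE\Classes\piffile\shell\open\command'; Name = '(default)'; Expected = '"%1" %*' }
    # Policies: absent or 0 means not restricted.
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'DisableTaskMgr';       Expected = $null }
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'DisableRegistryTools'; Expected = $null }
    # Message box shown by Winlogon before logon: empty by default.
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name = 'LegalNoticeCaption'; Expected = '' }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name = 'LegalNoticeText';    Expected = '' }
)

function Get-RegistryValueOrNull {
    # $null when the key or the value does not exist, instead of an error.
    param([string]$Path, [string]$Name)
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    $item = Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Get-RestrictionReport {
    foreach ($c in $Checks) {
        $current = Get-RegistryValueOrNull -Path $c.Path -Name $c.Name
        if ($null -eq $c.Expected) { $ok = [string]::IsNullOrEmpty("$current") -or ("$current" -eq '0') }
        else { $ok = ("$current" -eq $c.Expected) }
        [pscustomobject]@{
            Name = $c.Name; Path = $c.Path; Current = $current; Expected = $c.Expected
            Status = if ($ok) { 'OK' } else { 'CHANGED' }
        }
    }
}

function Get-ImageFileExecutionDebugger {
    # A Debugger value under IFEO makes Windows start the named program in place of the
    # original image. Legitimate entries exist (just-in-time debuggers), so review each one.
    $ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
    Get-ChildItem -LiteralPath $ifeo | ForEach-Object {
        $dbg = Get-RegistryValueOrNull -Path $_.PSPath -Name 'Debugger'
        if ($dbg) { [pscustomobject]@{ Image = $_.PSChildName; Debugger = $dbg } }
    }
}

function Get-HostsOverride {
    # Hosts entries that do not point at loopback; hijackers use these to redirect
    # update and search sites. Only localhost-style lines are normal in a stock file.
    $hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    Get-Content -LiteralPath $hosts | ForEach-Object {
        $line = ($_ -split '#')[0].Trim()          # drop comments and blank lines
        if ($line) {
            $parts = $line -split '\s+'
            if ($parts[0] -notin '127.0.0.1', '::1') {
                [pscustomobject]@{ Address = $parts[0]; Names = (($parts | Select-Object -Skip 1) -join ' ') }
            }
        }
    }
}

# Usage
Get-RestrictionReport        | Format-Table Name, Status, Current -AutoSize
Get-ImageFileExecutionDebugger | Format-Table -AutoSize
Get-HostsOverride            | Format-Table -AutoSize
```

A CHANGED row for the launch commands is the symptom behind item 1 on this page (programs stop running after the infected file is removed, because the command still names it); the policy and Winlogon rows correspond to items 6 and 7. Fixing the values by hand is equivalent to what the firmware does, but the same caveat applies: with the malware still running they will simply be rewritten.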


Program tools:

  • Process Manager
  • Services and Driver Manager
  • Kernel space modules
  • Internal DLL Manager
  • Search the registry
  • Search files
  • Search by cookie
  • Startup Manager
  • Browser Extension Manager
  • Control Panel Applet Manager (cpl)
  • Explorer Extensions Manager
  • Print Extension Manager
  • Task Scheduler Manager
  • Protocol and Handler Manager
  • DPF Manager
  • Active Setup Manager
  • Winsock SPI Manager
  • Hosts File Manager
  • TCP/UDP Port Manager
  • Manager of shared network resources and network connections
  • A set of system utilities
  • Checking a file against the database of safe files
  • Checking a file against the Microsoft Security Catalog
  • Calculating MD5 sums of files
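The last three tools in the list, together with the “friend/foe” safe-file database described among the features above, amount to one triage step: decide per file whether it is known-good and skip it, so the search concentrates on the rest. The PowerShell below is an added example, not AVZ's database or tool code: a SHA-256 allowlist built from a machine you trust stands in for the safe-file database, and an Authenticode check stands in for the Microsoft Security Catalog lookup. File paths in the usage lines are placeholders and the function names are this example's own.

```powershell
# Added example, not AVZ code. Hash allowlist plus signature check as a "friend/foe" verdict.

function Export-KnownGoodHash {
    # Build the allowlist from a reference machine you trust (clean install, same build).
    # SHA-256 rather than MD5: MD5 collisions are practical, so an MD5-only allowlist
    # could be satisfied by a crafted file that is not the one you hashed.
    param([Parameter(Mandatory)][string]$ReferenceDir, [Parameter(Mandatory)][string]$OutFile)
    Get-ChildItem -LiteralPath $ReferenceDir -File -Recurse |
        Get-FileHash -Algorithm SHA256 |
        Select-Object Hash, Path |
        Export-Csv -LiteralPath $OutFile -NoTypeInformation
}

function Import-KnownGoodHash {
    param([Parameter(Mandatory)][string]$CsvFile)
    $table = @{}
    foreach ($row in Import-Csv -LiteralPath $CsvFile) { $table[$row.Hash] = $row.Path }
    return $table
}

function Get-FileTrust {
    # One verdict per file: Friend (hash match or valid signature), Unknown (unsigned),
    # Review (a signature is present but its status is not Valid).
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][hashtable]$KnownGood
    )
    $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $verdict = if ($KnownGood.ContainsKey($hash)) { 'Friend: hash in safe-file list' }
               elseif ($sig.Status -eq 'Valid') { 'Friend: valid Authenticode signature' }
               elseif ($sig.Status -eq 'NotSigned') { 'Unknown: unsigned' }
               else { "Review: signature status $($sig.Status)" }
    [pscustomobject]@{
        Path    = $Path
        SHA256  = $hash
        Signer  = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        Verdict = $verdict
    }
}

function Find-UntrustedFile {
    # The "exclude known files from the search" idea: scan a directory and drop the friends.
    param([Parameter(Mandatory)][string]$Dir, [Parameter(Mandatory)][hashtable]$KnownGood)
    Get-ChildItem -LiteralPath $Dir -File -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object { Get-FileTrust -Path $_.FullName -KnownGood $KnownGood } |
        Where-Object { $_.Verdict -notlike 'Friend*' }
}

# Usage (paths are placeholders):
# Export-KnownGoodHash -ReferenceDir 'C:\Windows\System32' -OutFile 'C:\baseline\system32.csv'
# $good = Import-KnownGoodHash -CsvFile 'C:\baseline\system32.csv'
# Find-UntrustedFile -Dir 'C:\Windows\System32' -KnownGood $good | Format-Table Verdict, Signer, Path -AutoSize
```

Two caveats belong with a verdict like this. Most Windows system files are catalog-signed rather than carrying an embedded signature, and Get-AuthenticodeSignature consults the system catalogs only on current Windows versions, so a core system file reported as unsigned on an old system is not by itself suspicious. Conversely, a valid signature is a triage aid and not proof of innocence, since malware signed with a stolen certificate does exist; the hash list from a trusted image is the stronger of the two tests.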

Here is a rather large kit to save your computer from various infections!