AVZ is a virus treatment and system recovery utility. Fixing and optimizing Windows with the AVZ program

For Windows Phone 01.06.2021
An excellent program for removing viruses and restoring the system is AVZ (Zaitsev's Antivirus). You can download AVZ by clicking the orange button after the links are generated. If a virus blocks the download, try downloading the entire anti-virus suite instead!

The main features of AVZ are virus detection and removal.

The AVZ anti-virus utility is designed to detect and remove:

  • SpyWare and AdWare modules - this is the main purpose of the utility
  • Dialer (Trojan.Dialer)
  • Trojans
  • BackDoor modules
  • Network and mail worms
  • TrojanSpy, TrojanDownloader, TrojanDropper

The utility is a direct analog of TrojanHunter and LavaSoft Ad-aware 6 programs. The primary task of the program is to remove SpyWare and Trojans.

The features of the AVZ utility (in addition to the typical signature scanner) are:

  • Heuristic system check firmware ("firmware" is AVZ's own name for its built-in check-and-fix routines). The firmware searches for known SpyWare and viruses by indirect signs, based on analysis of the registry, files on disk and in memory.
  • Updated database of safe files. It includes digital signatures of tens of thousands of system files and files of known safe processes. The database is connected to all AVZ systems and works on the "friend/foe" principle - safe files are not quarantined, deletion and warnings are blocked for them, the database is used by an anti-rootkit, a file search system, and various analyzers. In particular, the built-in process manager highlights safe processes and services with color, the search for files on the disk can exclude known files from the search (which is very useful when searching for Trojans on the disk);
  • Built-in Rootkit detection system. The search for rootkits does not use signatures; it is based on examining the basic system libraries for interception of their functions. AVZ can not only detect a rootkit but also correctly block the operation of a UserMode rootkit for its own process and of a KernelMode rootkit at the system level. Rootkit countermeasures apply to all AVZ service functions; as a result, the AVZ scanner can detect masked processes, the registry search system "sees" masked keys, etc. The anti-rootkit is equipped with an analyzer that detects processes and services masked by a rootkit. In my opinion, one of the main features of the rootkit countermeasure system is that it works in Win9X (the widespread opinion that no rootkits run on the Win9X platform is deeply erroneous: hundreds of Trojans are known to intercept API functions to mask their presence, to distort the operation of API functions or to monitor their use). Another feature is the universal KernelMode rootkit detection and blocking system, which works under Windows NT, Windows 2000 Pro/Server, XP, XP SP1, XP SP2, Windows 2003 Server and Windows 2003 Server SP1.
  • Keylogger and Trojan DLL detector. The search for Keylogger and Trojan DLLs is based on the analysis of the system without using the signature database, which makes it possible to reliably detect previously unknown Trojan DLLs and Keylogger;
  • Neuroanalyzer. In addition to the signature analyzer, AVZ contains a neuroemulator that allows you to analyze suspicious files using a neural network. Currently, the neural network is used in the keylogger detector.
  • Built-in analyzer of Winsock SPI/LSP settings. Allows you to analyze the settings, diagnose possible errors in the settings and perform automatic treatment. The possibility of automatic diagnostics and treatment is useful for novice users (there is no automatic treatment in utilities like LSPFix). To study SPI/LSP manually, the program has a special LSP/SPI settings manager. The operation of the Winsock SPI/LSP analyzer is affected by an anti-rootkit;
  • Built-in manager of processes, services and drivers. Designed to study running processes and loaded libraries, running services and drivers. The operation of the process manager is affected by the anti-rootkit (as a result, it "sees" the processes masked by the rootkit). The process manager is linked to the AVZ safe files database, recognized safe and system files are highlighted in color;
  • Built-in utility for searching files on a disk. Allows you to search for a file by various criteria; the capabilities of the search system exceed those of the system search. The operation of the search system is affected by the anti-rootkit (as a result, the search "sees" files masked by a rootkit and can delete them); a filter allows you to exclude from the search results files identified by AVZ as safe. Search results are available as a text log and as a table where you can mark a group of files for later deletion or quarantine.
  • Built-in utility for searching data in the registry. Allows you to search for keys and parameters according to a given pattern; the search results are available as a text log and as a table in which several keys can be marked for export or deletion. The operation of the search system is affected by the anti-rootkit (as a result, the search "sees" registry keys masked by a rootkit and can delete them).
  • Built-in analyzer of open TCP/UDP ports. It is affected by the anti-rootkit; in Windows XP, the process using each port is displayed. The analyzer relies on an updated database of known Trojan/Backdoor ports and known system services. The search for Trojan ports is included in the main system check algorithm: when suspicious ports are detected, warnings are written to the log indicating which Trojans tend to use that port.
  • Built-in analyzer of shared resources, network sessions and files opened over the network. Works in Win9X and NT/W2K/XP.
  • Built-in analyzer of Downloaded Program Files (DPF). Displays DPF elements; connected to all AVZ systems.
  • System recovery firmware. The firmware restores Internet Explorer settings, program launch options and other system settings corrupted by malware. Restoration is started manually, and the parameters to be restored are specified by the user.
  • Heuristic file deletion. If malicious files were removed during the treatment and this option is enabled, an automatic examination of the system is performed covering classes, BHOs, IE and Explorer extensions, all types of autorun available to AVZ, Winlogon, SPI/LSP, etc. All references found to a deleted file are automatically purged, and information about what exactly was purged and where is entered into the log. This cleaning makes active use of the system treatment microprogram engine.
  • Checking archives. Starting from version 3.60, AVZ supports scanning of archives and compound files. At the moment ZIP, RAR, CAB, GZIP and TAR archives, e-mails and MHT files, and CHM archives are checked.
  • Checking and treating NTFS streams. Checking of NTFS streams has been included in AVZ since version 3.75.
  • Control scripts. Allows the administrator to write a script that performs a set of specified operations on the user's PC. Scripts allow you to use AVZ in a corporate network, including its launch during system boot.
  • Process Analyzer. The analyzer uses neural networks and analysis firmware, it is enabled when advanced analysis is enabled at the maximum heuristic level and is designed to search for suspicious processes in memory.
  • AVZGuard system. Designed to fight against hard-to-remove malware, in addition to AVZ, it can protect user-specified applications, such as other anti-spyware and anti-virus programs.
  • Direct disk access system for working with locked files. Works on FAT16/FAT32/NTFS, is supported on all operating systems of the NT line, allows the scanner to analyze locked files and place them in quarantine.
  • AVZPM process and driver monitoring driver. Designed to track the start and stop of processes and loading / unloading drivers to search for masquerading drivers and detect distortions in the structures describing processes and drivers created by DKOM rootkits.
  • Boot Cleaner driver. Designed to clean up the system (remove files, drivers and services, registry keys) from KernelMode. The cleaning operation can be performed both in the process of restarting the computer, and during the treatment.

Restoring system settings:

  • Repair launch options for .exe, .com, .pif files
  • Reset IE settings
  • Restoring Desktop Settings
  • Removing all user restrictions
  • Deleting a message in Winlogon
  • Restoring File Explorer Settings
  • Removing system process debuggers
  • Restoring Safe Mode Boot Settings
  • Unlock Task Manager
  • Cleaning up the hosts file
  • Fixing SPI/LSP Settings
  • Reset SPI/LSP and TCP/IP settings
  • Unlocking the Registry Editor
  • Clearing MountPoints keys
  • Replacing DNS servers
  • Removing the proxy server setting for IE/Edge
  • Removing Google Restrictions


Program tools:

  • Process Manager
  • Service and Driver Manager
  • Kernel space modules
  • Internal DLL Manager
  • Registry Search
  • File search
  • Search by cookie
  • Startup Manager
  • Browser extension manager
  • Control Panel Applet Manager (cpl)
  • File Explorer Extension Manager
  • Print Extension Manager
  • Task Scheduler Manager
  • Protocol and handler manager
  • DPF Manager
  • Active Setup Manager
  • Winsock SPI Manager
  • Hosts File Manager
  • TCP/UDP port manager
  • Manager of network shares and network connections
  • A set of system utilities
  • Checking a file against the safe files database
  • Checking a file against the Microsoft Security Catalog
  • Calculating MD5 sums of files

That is quite a large toolset for saving your computer from various infections!

Anti-virus programs, even when detecting and removing malicious software, do not always restore the full functionality of the system. Often, after removing a virus, a computer user gets an empty desktop, a complete lack of access to the Internet (or blocking access to some sites), a non-working mouse, etc. This is usually caused by the fact that some system or user settings changed by the malware remained intact.

The utility is free, works without installation, is surprisingly functional and has helped me out in a variety of situations. A virus, as a rule, makes changes to the system registry (adding itself to startup, modifying program launch parameters, etc.). Rather than digging through the system and fixing the traces of a virus by hand, you should use the "System Restore" operation available in AVZ (the utility is also very good as an antivirus, so it is a good idea to check the disks for viruses with it as well).

To start the recovery, run the utility, then click File - System Restore. A window with the list of restore operations opens; check the items you need and click "Perform the marked operations".

1. Restore launch options for .exe, .com, .pif files
This firmware restores the system's response to exe, com, pif and scr files.
Indications for use: after the virus is removed, programs stop running.

2. Reset Internet Explorer protocol prefix settings to standard
This firmware restores the protocol prefix settings in Internet Explorer.
Indications for use: when you enter an address like www.yandex.ru, it is replaced by something like www.seque.com/abcd.php?url=www.yandex.ru.

3. Restore Internet Explorer start page
This firmware restores the start page in Internet Explorer.
Indications for use: the start page has been changed.

4. Reset Internet Explorer search settings to standard
This firmware restores the search settings in Internet Explorer.
Indications for use: clicking the "Search" button in IE opens some extraneous site.

5. Restoring desktop settings
This firmware restores the desktop settings. Restoration involves deleting all Active Desktop elements and wallpapers and removing the locks on the menu responsible for desktop settings.
Indications for use: the desktop settings tabs in the "Display Properties" window have disappeared, or extraneous text or pictures are displayed on the desktop.

6. Remove all Policies (restrictions) of the current user
Windows provides a user action restriction mechanism called Policies. Many malicious programs use it because the settings are stored in the registry and are easy to create or modify.
Indications for use: File Explorer functions or other system functions are blocked.

7. Deleting a message in Winlogon
Windows NT and subsequent systems in the NT line (2000, XP) allow a message to be set that is displayed during startup. A number of malicious programs use this, and removing the malicious program does not remove the message.
Indications for use: an extraneous message is shown during system boot.

8. Restoring File Explorer settings
This firmware resets a number of File Explorer settings to their defaults (the settings changed by malware are reset first).
Indications for use: Explorer settings have been changed.

9. Removing system process debuggers
Registering a debugger for a system process allows an application to be launched invisibly, which a number of malicious programs use.
Indications for use: AVZ detects unrecognized debuggers for system processes, or there are problems launching system components; in particular, the desktop disappears after a reboot.

10. Restoring boot settings in SafeMode
Some malware, such as the Bagle worm, corrupts the system boot settings for safe mode. This firmware restores the safe mode boot settings.
Indications for use:

11. Unlock Task Manager
Malware blocks the Task Manager to protect its processes from detection and removal. Running this microprogram removes the lock.
Indications for use: the Task Manager is blocked; when you try to open it, the message "Task manager has been blocked by the administrator" is displayed.

12. Cleaning up the HijackThis exclusion list
The HijackThis utility stores a number of its settings in the registry, in particular a list of exclusions. Therefore, to hide from HijackThis, malware only needs to register its executable files in the exclusion list. A number of malicious programs are currently known to exploit this weakness. This firmware cleans up the HijackThis exclusion list.
Indications for use: suspicion that the HijackThis utility does not display all information about the system.

13. Cleaning up the Hosts file
Cleaning the Hosts file comes down to finding the Hosts file, removing all significant lines from it, and adding the standard line "127.0.0.1 localhost".
Indications for use: suspicion that the Hosts file has been modified by malware. A typical symptom is that anti-virus software updates are blocked. You can inspect the contents of the Hosts file with the Hosts file manager built into AVZ.

14. Automatic correction of SPI/LSP settings
Performs an analysis of the SPI settings and, if errors are found, corrects them automatically. This firmware can be re-run any number of times. It is recommended to restart the computer after running it.
Indications for use: Internet access was lost after the malware was removed.

15. Reset SPI/LSP and TCP/IP settings
This firmware only works on XP, Windows 2003 and Vista. It works by resetting and recreating the SPI/LSP and TCP/IP settings with the standard netsh utility included with Windows. Note! Use this reset only when necessary, that is, when Internet access problems remain after removing malware and cannot be fixed otherwise!
Indications for use: after removing the malicious program, Internet access does not work and running firmware "14. Automatic correction of SPI/LSP settings" does not help.

16. Restoring the Explorer launch key
Restores the system registry keys responsible for launching File Explorer.
Indications for use: Explorer does not start during system boot, but explorer.exe can be started manually.

17. Unlock Registry Editor
Unlocks the Registry Editor by removing the policy that prevents it from running.
Indications for use: the Registry Editor cannot be started; when you try, a message says that it has been blocked by the administrator.

18. Recreating SPI/LSP settings
Backs up the SPI/LSP settings, then destroys them and recreates them according to the standard stored in the database.
Indications for use:

19. Clearing MountPoints keys
Cleans up the MountPoints and MountPoints2 database in the registry. This operation often helps when, after infection with a flash-drive virus, disks cannot be opened in Explorer.
To perform the recovery, you must select one or more items and click the "Perform the marked operations" button. Clicking the OK button closes the window.
Notes:

  • Restoration is useless if a Trojan that performs such reconfigurations is still running on the system: first remove the malicious program, and only then restore the system settings.
  • To eliminate the traces of most hijackers, run three firmware items: "Reset Internet Explorer search settings to standard", "Restore Internet Explorer start page" and "Reset Internet Explorer protocol prefix settings to standard".
  • Any of the firmware can be run several times in a row without damage to the system. The exceptions are "5. Restoring desktop settings" (this firmware resets all desktop settings, and you will have to re-select the desktop colours and wallpaper) and "10. Restoring boot settings in SafeMode" (this firmware recreates the registry keys responsible for booting in safe mode).
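The following is an added example and not AVZ's own code: a read-only PowerShell audit of the settings that the "System Restore" items 1, 6, 7, 9, 10, 11, 13, 16 and 17 above repair. It only reports deviations and changes nothing; it assumes Windows PowerShell 5.1 or later, run elevated so that HKLM and the hosts file are readable, and uses only the standard Windows registry locations for these settings.

```powershell
# Collected findings; each check appends a one-line description of what deviates.
$findings = New-Object System.Collections.Generic.List[string]
function Add-Finding([string]$Text) { $script:findings.Add($Text) }

# Item 1: the "open" command of the exe/com/pif file types must be "%1" %* and nothing else.
foreach ($type in 'exefile', 'comfile', 'piffile') {
    $key = "Registry::HKEY_CLASSES_ROOT\$type\shell\open\command"
    $cmd = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'(default)'
    if ($cmd -ne '"%1" %*') { Add-Finding "$type open command is '$cmd'" }
}

# Items 6, 11, 17: policy values that lock Task Manager, Registry Editor and parts of Explorer.
$policyChecks = @{
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'   = 'DisableTaskMgr', 'DisableRegistryTools'
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System'   = 'DisableTaskMgr', 'DisableRegistryTools'
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' = 'NoDesktop', 'NoRun', 'NoControlPanel'
}
foreach ($key in $policyChecks.Keys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($name in $policyChecks[$key]) {
        if ($props.$name -eq 1) { Add-Finding "policy $name = 1 under $key" }
    }
}

# Items 7 and 16: the Winlogon pre-logon message, and the Shell/Userinit values that start Explorer.
$wl = Get-ItemProperty -Path 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
foreach ($name in 'LegalNoticeCaption', 'LegalNoticeText') {
    if ($wl.$name) { Add-Finding "Winlogon $name is set to '$($wl.$name)'" }
}
if ($wl.Shell -ne 'explorer.exe') { Add-Finding "Winlogon Shell is '$($wl.Shell)'" }
$userinit = ([string]$wl.Userinit).TrimEnd(',')
if ($userinit -ne "$env:SystemRoot\system32\userinit.exe") {
    Add-Finding "Winlogon Userinit is '$($wl.Userinit)' (review any extra entries)"
}

# Item 9: a Debugger value under Image File Execution Options redirects every start of that program.
$ifeo = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
foreach ($sub in Get-ChildItem -Path $ifeo -ErrorAction SilentlyContinue) {
    $dbg = (Get-ItemProperty -Path $sub.PSPath).Debugger
    if ($dbg) { Add-Finding "IFEO debugger for $($sub.PSChildName): $dbg" }
}

# Item 10: safe mode boots from the SafeBoot\Minimal and SafeBoot\Network keys; both must exist.
foreach ($set in 'Minimal', 'Network') {
    if (-not (Test-Path -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\$set")) {
        Add-Finding "SafeBoot\$set key is missing"
    }
}

# Item 13: anything in hosts beyond comments and the localhost lines deserves a look.
$hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
foreach ($raw in (Get-Content -Path $hosts -ErrorAction SilentlyContinue)) {
    $line = $raw.Trim()
    if ($line -eq '' -or $line.StartsWith('#')) { continue }
    if ($line -match '^(127\.0\.0\.1|::1)\s+localhost$') { continue }
    Add-Finding "hosts entry: $line"
}

if ($findings.Count -eq 0) { 'No deviations from the expected settings found.' }
else { $findings | ForEach-Object { "[!] $_" } }
```

Run it before and after the AVZ restore operations to see exactly which settings were changed; a finding is something to review, not automatically malicious (a legitimate logon banner set by policy will show up too).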


There are universal programs, like a Swiss army knife. The hero of my article is just such a "universal". Its name is AVZ (Zaitsev's Antivirus). With the help of this free antivirus you can catch viruses, optimize the system and fix problems.

AVZ Features

I have already written about AVZ as an antivirus program in an earlier article. The work of AVZ as a one-time antivirus (more precisely, an anti-rootkit) is well described in its help, but here I will show you the other side of the program: checking and restoring settings.

What can be "fixed" with AVZ:

  • Repair startup programs (.exe, .com, .pif files)
  • Reset Internet Explorer settings to default
  • Restore Desktop Settings
  • Remove rights restrictions (for example, if a virus blocked the launch of programs)
  • Remove banner or window that appears before login
  • Remove viruses that can run with any program
  • Unblock Task Manager and Registry Editor (if the virus has prevented them from running)
  • Clear the hosts file
  • Disable autorun programs from flash drives and disks
  • Delete junk files from hard drive
  • Fix desktop issues
  • And much more

It can also be used to check the safety of Windows settings (in order to better protect against viruses), as well as optimize the system by cleaning startup.

The AVZ download page is linked from the original post.

The program is free.

First, let's protect our Windows from careless actions

The AVZ program has a great many functions that affect the operation of Windows. That is dangerous, because in case of a mistake trouble can happen. Please read the text and the help carefully before doing anything. The author of the article is not responsible for your actions.

I wrote this chapter so that you can "put everything back as it was" after careless work with AVZ.

Creating a restore point is a mandatory step: it is, in effect, a line of retreat in case of careless actions. Thanks to the restore point, the settings and the Windows registry can be returned to an earlier state.

System Restore is a standard component of all versions of Windows starting with Windows ME. It is a pity that people usually forget about it and waste time reinstalling Windows and their programs, when a couple of mouse clicks could have avoided all the problems.

If the damage is serious (for example, some system files have been deleted), System Restore will not help. In other cases, if you configured Windows incorrectly, tinkered with the registry, installed a program after which Windows does not boot, or misused the AVZ program, System Restore should help.

After it has run, AVZ creates subfolders with backups in its own folder:

  • /Backup - backup copies of the registry are stored there.
  • /Infected - copies of removed viruses.
  • /Quarantine - copies of suspicious files.

If problems started after AVZ was run (for example, you thoughtlessly used the AVZ System Restore tool and the Internet stopped working) and Windows System Restore did not roll back the changes, you can restore the registry backups from the Backup folder.

How to create a restore point

Let's go to Start - Control Panel - System - System Protection:

Click "System Protection" in the "System" window.

Press the "Create" button.

The process of creating a restore point can take up to ten minutes. Then a window will appear:

The restore point will be created. By the way, they are automatically created when you install programs and drivers, but not always. Therefore, before dangerous actions (setting up, cleaning the system), it is better to once again create a restore point in order to praise yourself for foresight in case of trouble.

How to restore your computer using a restore point

There are two options for launching System Restore - from under running Windows and using the installation disc.

Option 1 - if Windows starts

Let's go to Start - All Programs - Accessories - System Tools - System Restore:

The System Restore wizard will start. Select "Choose a different restore point" and press Next. A list of restore points will open; choose the one you need:

The computer will restart automatically. After it boots, all settings, the registry and some important files will have been restored.

Option 2 - If Windows won't boot

You need an installation disk with Windows 7 or Windows 8. Where to get it (or download it), I wrote in an earlier article.

Boot from the disk (how to boot from boot disks is described in a separate article) and select:

Choose "System Restore" instead of installing Windows

Repairing the system after viruses or inept actions with the computer

Before doing anything else, get rid of the viruses, for example with an antivirus scanner. Otherwise there is no point: the corrected settings will be "broken" again by the running virus.

Restoring the launch of programs

If a virus has blocked the launch of any programs, then AVZ will help you. Of course, you also need to start AVZ itself, but it's pretty easy:

First go to Control Panel, set any view type except Category, then Folder Options - View, uncheck "Hide extensions for known file types" and click OK. Now every file shows its extension, the few characters after the last dot in its name. Programs usually have .exe and .com. To run the AVZ antivirus on a computer where programs are blocked, rename its extension to cmd or pif:

Then AVZ will start. In the program window itself, click File - System Restore:

Items to check:

1. Restore launch options for .exe, .com, .pif files (this actually solves the problem of running programs)

6. Remove all Policies (restrictions) of the current user (in some rare cases this item also helps to solve the problem of starting programs if the virus is very harmful)

9. Removing system process debuggers (it is highly desirable to check this item, because even if you scanned the system with an antivirus, something could remain from the virus. It also helps if the Desktop does not appear at system startup)

We confirm the action, a window appears with the text "System Restore Completed". After that, it remains to restart the computer - the problem with starting programs will be solved!

Desktop startup recovery

A fairly common problem is that the desktop does not appear when the system starts.

You can start the Desktop like this: press Ctrl + Alt + Del, launch the Task Manager, then click File - New Task (Run...) and enter explorer.exe:

OK- The desktop will start. But this is only a temporary solution to the problem - the next time you turn on the computer, you will have to repeat everything again.

To avoid doing this every time, you need to restore the launch key of the explorer program ("Explorer", which is responsible for the standard viewing of folder contents and for the Desktop). In AVZ click File - System Restore and check the item that restores the Explorer launch key.

Click Perform the marked operations, confirm the action and press OK. Now the desktop will start normally when you turn on the computer.

Unlock Task Manager and Registry Editor

If the virus has blocked the launch of the two above-mentioned programs, the ban can be removed through the AVZ program window. Just check two things:

11. Unlock Task Manager

17. Unlock Registry Editor

And press Perform the marked operations.

Problems with the Internet (Vkontakte, Odnoklassniki and antivirus sites do not open)

Cleaning the system from unnecessary files

AVZ can also clean the computer of unnecessary files. If no disk cleanup program is installed on the computer, AVZ will do, since it offers many options:

More about points:

  1. Clear the Prefetch system cache - cleans the folder holding information about which files to load in advance for quick program launch. The option is useless, because Windows itself monitors the Prefetch folder quite successfully and cleans it when required.
  2. Delete Windows log files - cleans a variety of databases and files that store records of events in the operating system. The option is useful if you need to free up a dozen or two megabytes of disk space; that is, the benefit is scanty and the option is essentially useless.
  3. Delete memory dump files - when a critical error occurs, Windows stops and shows a BSOD (blue screen of death), saving information about running programs and drivers to a file for later analysis by special programs to identify the culprit. The option is almost useless, as it gains only about ten megabytes of free space. Clearing the memory dump files does not harm the system.
  4. Clear the Recent Documents list - oddly enough, clears the Recent Documents list in the Start menu. You can also clear it manually by right-clicking the item in the Start menu and selecting "Clear Recent Items List". A useful option: I noticed that clearing the list lets the Start menu display its submenus a little faster. The system will not be damaged.
  5. Clear the TEMP folder - the holy grail for those looking for the cause of disappearing free space on drive C:. Many programs store files for temporary use in the TEMP folder and forget to "clean up after themselves" later; a typical example is archivers, which unpack files there and forget to delete them. Clearing the TEMP folder does not harm the system and can free up a lot of space (in especially neglected cases the gain reaches fifty gigabytes!).
  6. Adobe Flash Player - clean up temporary files - the Flash Player can save files for temporary use; they can be removed. Sometimes (rarely) the option helps with Flash Player glitches, for example video and audio playback problems on the Vkontakte website. There is no harm in using it.
  7. Clear the terminal client cache - as far as I know, clears the temporary files of the Windows component called "Remote Desktop Connection" (remote access to computers over the RDP protocol). The option seems to do no harm, and it frees up a dozen megabytes at best. There is no point in using it.
  8. IIS - delete the HTTP error log - it would take long to explain what this is. Let me just say that it is better not to enable the option to clear the IIS log. In any case, it does no harm, and no good either.
  9. Macromedia Flash Player - duplicates "Adobe Flash Player - clean up temporary files", but affects rather ancient versions of the Flash Player.
  10. Java - clear cache - gains a couple of megabytes on the hard drive. I do not use Java programs, so I did not check the consequences of enabling the option. I don't recommend turning it on.
  11. Empty the Recycle Bin - the purpose of this item is clear from its name.
  12. Delete system update installation logs - Windows keeps a log of installed updates; enabling this option clears it. The option is useless because there is no free space to gain.
  13. Delete the Windows Update log - similar to the previous item, but other files are deleted. Also a useless option.
  14. Clear the MountPoints database - if no icons appear in the Computer window when you connect a flash drive or hard drive, this option can help. I advise turning it on only if you have problems connecting flash drives and disks.
  15. Internet Explorer - clear cache - clears the temporary files of Internet Explorer. The option is safe and useful.
  16. Microsoft Office - clear cache - cleans the temporary files of Microsoft Office programs: Word, Excel, PowerPoint and others. I can't check whether the option is safe because I don't have Microsoft Office.
  17. Clear the CD burning system cache - a useful option that deletes files you have prepared for burning to disc.
  18. Clean the system TEMP folder - unlike the user's TEMP folder (see item 5), clearing this folder is not always safe, and it usually frees up little space. I don't recommend turning it on.
  19. MSI - clean the Config.Msi folder - this folder contains various files created by program installers. It is large if installers did not complete correctly, so clearing Config.Msi is justified. Be warned, however: there may be problems uninstalling programs that use .msi installers (for example, Microsoft Office).
  20. Clear Task Scheduler logs - the Windows Task Scheduler keeps a log of completed tasks. I do not recommend enabling this item: there is no benefit, and it may add problems, as the Windows Task Scheduler is a rather buggy component.
  21. Delete Windows setup logs - the space gained is insignificant; there is no point in deleting them.
  22. Windows - clear icon cache - useful if you have problems with shortcuts, for example when icons do not appear immediately after the Desktop appears. Enabling this option does not affect system stability.
  23. Google Chrome - clear cache - a very useful option. Google Chrome stores copies of pages in a dedicated folder in order to open sites faster (pages are loaded from the hard drive instead of downloaded over the Internet). Sometimes this folder reaches half a gigabyte. Clearing it is useful for freeing up disk space and affects the stability of neither Windows nor Google Chrome.
  24. Mozilla Firefox - clean up the CrashReports folder - every time the Firefox browser crashes, report files are generated; this option deletes them. The gain is up to a couple of dozen megabytes, so there is little point in the option, but some. The stability of Windows and Mozilla Firefox is not affected.

Depending on the installed programs, the number of points will differ. For example, if the Opera browser is installed, you can clear its cache too.

Cleaning the list of startup programs

A sure way to speed up the computer's startup and speed is to clean the autorun list. If unnecessary programs do not start, then the computer will not only turn on faster, but also work faster too - due to the freed up resources that will not be taken away by programs running in the background.

AVZ is able to view almost all loopholes in Windows through which programs are launched. You can view the autorun list in the Tools - Autorun Manager menu:

An ordinary user has no use at all for such powerful functionality, so I urge you not to turn everything off. It is enough to look at just two sections: Autorun folders and run*.

AVZ displays autostart not only for your user, but also for all other profiles:

In the run* section it is better not to disable programs located under HKEY_USERS: this may break other user profiles and the operating system itself. In the Autorun folders section you can turn off everything you don't need.

Lines marked in green are recognized by the antivirus as known. This includes both Windows system programs and digitally signed third-party programs.

All other programs are marked in black. This does not mean that such programs are viruses or anything similar, just that not all programs are digitally signed.

Don't forget to stretch the first column wider so you can see the name of the program. The usual unchecking will temporarily disable the autorun of the program (you can then tick it again), selecting the item and pressing the button with a black cross will delete the entry forever (or until the program writes itself to autorun again).

The question arises: how to determine what can be disabled and what is not? There are two solutions:

First, there is common sense: the name of the program's .exe file lets you decide. For example, Skype creates an entry during installation so that it starts automatically when you turn on the computer. If you do not need that, uncheck the entry ending in skype.exe. Note that many programs (including Skype) can remove themselves from startup: just uncheck the corresponding option in the program's own settings.

Secondly, you can search the Internet for information about the program and decide, based on what you find, whether to remove it from autorun. AVZ makes this easy: right-click the entry and select your favourite search engine:

By disabling unnecessary programs you will noticeably speed up the startup of your computer. However, disabling everything indiscriminately is undesirable: you may lose the keyboard layout indicator, disable the antivirus, and so on.

Disable only those programs that you know for certain you do not need in autorun.

Outcome

In principle, what I have written about here is like hammering nails with a microscope: AVZ can be used to optimize Windows, but in general it is a complex and powerful tool that can do a great many things. To use AVZ to its fullest you need to know Windows thoroughly, so start small - with what I described above.

If you have any questions or comments, there is a comment block under the article where you can write to me. I follow the comments and will try to answer as soon as possible.


We will talk about the simplest ways to neutralize viruses, in particular those that lock the desktop of a Windows 7 user (the Trojan.Winlock family). Such viruses do not hide their presence in the system; on the contrary, they demonstrate it, making it as difficult as possible to do anything except enter a special "unlock code", for which the user is supposedly required to pay the attackers by sending an SMS or topping up a mobile phone account through a payment terminal. The only goal is to make the user pay, sometimes quite a lot of money. A window is displayed with a threatening warning that the computer has been blocked for using unlicensed software, visiting unwanted sites, or the like, usually to frighten the user. In addition, the virus does not allow any actions in the Windows environment: it blocks the key combinations that open the Start menu, the Run dialog, Task Manager, etc. The mouse pointer cannot be moved outside the virus window. As a rule, the same picture is seen when booting Windows in safe mode. The situation seems hopeless, especially if there is no other computer and no way to boot into another operating system or from removable media (a Live CD, ERD Commander, an antivirus rescue disk). Nevertheless, in the vast majority of cases there is a way out.

The technologies introduced in Windows Vista / Windows 7 have made it much harder for malware to infiltrate and take complete control of the system, and they also give users additional ways to get rid of it relatively easily, even without antivirus software. We are talking about the ability to boot the system in safe mode with command prompt and launch monitoring and recovery tools from there. Out of habit, and because of the rather poor implementation of this mode in earlier versions of Windows, many users simply do not use it. In vain. In this mode Windows 7 does not load the usual desktop (which is what the virus blocks), but most programs can still be started from the command line: Registry Editor, Task Manager, the System Restore utility, and so on.

Removing a virus by rolling back the system to a restore point

A virus is an ordinary program, and even if it sits on the computer's hard disk, as long as it cannot start automatically when the system boots and the user logs on, it is as harmless as, say, a text file. If the malicious program's automatic launch is blocked, the task of getting rid of it can be considered done. The main autostart mechanism used by viruses is specially created registry entries written when the virus installs itself. Delete those entries and the virus is neutralized. The easiest way to do this is a system restore from a checkpoint. A restore point is a copy of important system files stored in a special directory ("System Volume Information") and containing, among other things, copies of the Windows registry hives. Rolling the system back to a restore point created before the infection restores a registry without the entries the virus added, which removes its autostart - that is, the infection is dealt with without any antivirus software. In this way you can quickly and simply get rid of most viruses, including those that lock the Windows desktop. Naturally, a blocker that works by modifying the disk boot sectors (the MBRLock family) cannot be removed this way: a rollback to a restore point does not touch boot records, and it will not even be possible to boot Windows in safe mode with command prompt, because the virus gets control before the Windows bootloader. Such an infection requires booting from another medium and restoring the infected boot records. But such viruses are relatively few, and in most cases a rollback to a restore point does the job.

1. At the very beginning of boot, press F8. The Windows boot manager menu will appear with the available boot options.

2. Select the boot option "Safe Mode with Command Prompt".

After boot completes and the user logs on, the cmd.exe command interpreter window is displayed instead of the usual Windows desktop.

3. Launch the "System Restore" tool: type rstrui.exe at the command prompt and press ENTER.

Switch to "Choose a different restore point" and, in the next window, tick "Show more restore points".

After selecting a restore point you can view the list of programs that the rollback will affect:

The list of affected programs contains the programs installed after the restore point was created; they may need to be reinstalled, because the registry will no longer contain the entries associated with them.

After clicking "Finish" the restore process begins. When it completes, Windows restarts.

After the reboot a message reports whether the rollback succeeded or failed; if it succeeded, Windows is back in the state it was in on the date the restore point was created. If the desktop is still locked, use the more advanced method described below.

Removing a virus without rolling back the system to a restore point

It may happen that, for various reasons, the system has no restore point data, the restore procedure ends with an error, or the rollback does not help. In that case you can use the System Configuration utility MSCONFIG.EXE. As before, boot Windows in safe mode with command prompt, type msconfig.exe in the cmd.exe window and press ENTER.

On the General tab you can select the following Windows startup modes:

Diagnostic startup - when the system boots, only the minimum necessary system services and user programs are launched.
Selective startup - lets you set manually the list of system services and user programs that are launched during boot.

To eliminate a virus, the easiest approach is Diagnostic startup, where the utility itself determines the set of automatically started programs. If in this mode the virus no longer locks the desktop, proceed to the next step: determine which of the programs is the virus. For that, use Selective startup, which lets you enable or disable the launch of individual programs by hand.

The "Services" tab lets you enable or disable the launch of system services whose startup type is set to "Automatic". An unchecked box in front of a service name means it will not be started during boot. At the bottom of the MSCONFIG window there is a "Hide all Microsoft services" option; when it is enabled, only third-party services are shown.

Note that the probability of infection by a virus installed as a system service, with standard security settings in Windows Vista / Windows 7, is very low, and traces of the virus should be looked for in the list of automatically started user programs (the "Startup" tab).

Just as on the Services tab, you can enable or disable the automatic launch of any program in the list MSCONFIG displays. If the virus is activated by automatic launch via the special registry keys or the contents of the Startup folder, msconfig lets you not only neutralize it but also determine the path and name of the malicious file.

The msconfig utility is a simple and convenient tool for managing the automatic start of services and applications that are launched in the standard Windows way. However, virus authors not infrequently use tricks that let malware run without the standard autorun points. Such a virus can most likely be removed with the rollback to a restore point described above. If a rollback is impossible and msconfig did not help, you can edit the registry directly.

While fighting a virus the user often has to do a hard reset (Reset button or power off). This can lead to a situation where the system starts but never reaches the logon screen: the computer "hangs" because the logical structure of some system files was damaged by the improper shutdown. To fix this, boot into safe mode with command prompt in the same way as before and run a check of the system disk:

chkdsk C: /F - check drive C: and fix the errors found (the /F switch)

Because the system drive is in use by system services and applications when chkdsk runs, chkdsk cannot obtain exclusive access to it to perform the check. The user is therefore shown a warning and asked whether to check the disk the next time the system restarts. After answering Y, an entry is written to the registry so that the disk check is launched when Windows restarts. When the check finishes, that entry is removed and Windows continues booting normally without user intervention.

Eliminating the possibility of starting a virus using Registry Editor

To launch Registry Editor, boot Windows in safe mode with command prompt as before, type regedit.exe in the command interpreter window and press ENTER. Windows 7 with standard security settings is protected from many of the launch methods that malware used on earlier Microsoft operating systems. Installing their own drivers and services, reconfiguring the WINLOGON service to load their own executable modules, modifying registry keys that apply to all users, and so on: in Windows 7 these methods either do not work or require such effort that they are practically never encountered. As a rule, the registry changes that allow a virus to run are made only within the permissions of the current user, i.e. under HKEY_CURRENT_USER.

To demonstrate the simplest desktop-locking mechanism - substituting the user shell - and the fact that MSCONFIG cannot detect or remove such a virus, you can run the following experiment: instead of a virus, edit the registry yourself so as to get, say, a command prompt instead of the desktop. The familiar desktop is created by Windows Explorer (Explorer.exe) running as the user's shell. This is controlled by the Shell value in the registry keys

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon - for all users.
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon - for the current user.

The Shell value is a string with the name of the program to be used as the shell when the user logs on. Normally there is no Shell value in the current-user key (HKEY_CURRENT_USER, HKCU for short), and the value from the all-users key (HKEY_LOCAL_MACHINE, HKLM for short) is used.

This is what the key HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon looks like on a standard Windows 7 installation:

If you add a string value Shell with the data "cmd.exe" to this key, then the next time the current user logs on, cmd.exe will be launched instead of the standard Explorer-based shell, and a command prompt window will appear instead of the usual Windows desktop.

Naturally, any malicious program can be launched the same way, and the user gets a porn banner, a blocker or other garbage instead of the desktop.
Changing the all-users key (HKLM...) requires administrative privileges, so viruses usually modify the current user's key (HKCU...).

If, continuing the experiment, you run msconfig, you can see that cmd.exe does not appear in the list of automatically launched programs, because it runs as the user shell. A system rollback would of course restore the original registry and remove the virus's autostart, but if that is impossible for some reason, only direct registry editing remains. To get the standard desktop back, just delete the Shell value, or change it from "cmd.exe" to "explorer.exe", and then log off and on again or reboot. The registry can be edited either by running regedit.exe from the command line or with the REG.EXE console utility. Example command to delete the Shell value:

REG delete "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell

The above example of changing the user shell is by far one of the most common tricks used by viruses in the Windows 7 operating system environment. A fairly high level of security with standard system settings does not allow malware to access registry keys that were used to infect in Windows XP and earlier versions. Even if the current user is a member of the Administrators group, access to the vast majority of registry settings used for infection requires running the program as an administrator. It is for this reason that malware modifies registry keys that the current user is allowed to access (section HKCU . . .) The second important factor is the difficulty of writing program files to system directories. It is for this reason that most viruses in the Windows 7 environment use the launch of executable files (.exe) from the directory of temporary files (Temp) of the current user. When analyzing the points of automatic launch of programs in the registry, first of all, you need to pay attention to the programs located in the temporary files directory. This is usually a directory C:\USERS\username\AppData\Local\Temp. The exact path of the temporary files directory can be viewed through the control panel in the system properties - "Environment Variables". Or on the command line:

set temp
or
echo %temp%

In addition, searching the registry for the temporary-files directory name or the %TEMP% variable is a useful extra way to detect a virus. Legitimate programs practically never register an autostart entry that points into the TEMP directory.
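As an added example (not code from the article or from AVZ), the following Python script audits an exported registry fragment for the three artefacts this section and the autorun review above describe: a substituted Shell value under the user's Winlogon key, Run entries whose command points into the temporary-files directory, and the DisableTaskMgr / DisableRegistryTools policies that blockers set so the user cannot open Task Manager or Registry Editor. The REG_TEXT sample is constructed, not taken from a real machine; on an affected profile the export would come from `reg export HKCU export.reg` run from the safe-mode command prompt, and the script prints the REG delete commands that remove what it finds.

```python
"""Audit an exported registry fragment for desktop-blocker artefacts.

Added example for this article; it is not AVZ code. The sample export below
is constructed to imitate `reg export HKCU export.reg` output from a profile
that a blocker has modified.
"""
import re
import sys

# Constructed sample (not from a real infected machine): a replaced Shell,
# a benign Run entry, a Run entry starting from %TEMP%, and two policies
# that disable Task Manager and Registry Editor.
REG_TEXT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="C:\\Users\\user\\AppData\\Local\\Temp\\svchost.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\user\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"Updater"="%TEMP%\\upd.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
"DisableRegistryTools"=dword:00000001
"""

SHORT = {"HKEY_CURRENT_USER": "HKCU", "HKEY_LOCAL_MACHINE": "HKLM",
         "HKEY_USERS": "HKU"}
WINLOGON = r"Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
RUN_KEYS = (r"Software\Microsoft\Windows\CurrentVersion\Run",
            r"Software\Microsoft\Windows\CurrentVersion\RunOnce")
POLICY_KEY = r"Software\Microsoft\Windows\CurrentVersion\Policies\System"
BLOCKER_POLICIES = ("DisableTaskMgr", "DisableRegistryTools")
# lower-case substrings that mark a command living in a temp directory
TEMP_MARKERS = ("%temp%", "\\appdata\\local\\temp\\", "\\windows\\temp\\")

_VALUE_RE = re.compile(r'"((?:[^"\\]|\\.)*)"=(.*)')


def _unescape(s):
    """Undo .reg string escaping: a backslash escapes the next character."""
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg(text):
    """Parse the subset of .reg syntax used here: [key] headers, quoted
    REG_SZ values and dword values. Other value types are skipped."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        if current is None or not line.startswith('"'):
            continue
        m = _VALUE_RE.match(line)
        if not m:
            continue
        name, data = _unescape(m.group(1)), m.group(2).strip()
        if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
            keys[current][name] = _unescape(data[1:-1])
        elif data.lower().startswith("dword:"):
            keys[current][name] = int(data[6:], 16)
    return keys


def _split_hive(key):
    """Return (REG.EXE hive prefix, subkey path); HKEY_USERS\<SID>\... keeps
    the SID in the prefix so the fix command targets the right profile."""
    hive, _, rest = key.partition("\\")
    prefix = SHORT.get(hive, hive)
    if hive == "HKEY_USERS":
        sid, _, rest = rest.partition("\\")
        prefix += "\\" + sid
    return prefix, rest


def audit(keys):
    """Return (description, REG.EXE fix command) pairs for each finding."""
    findings = []
    for key, values in keys.items():
        prefix, sub = _split_hive(key)
        fix = 'REG delete "%s\\%s" /v %%s /f' % (prefix, sub)
        low = sub.lower()
        if low == WINLOGON.lower():
            shell = values.get("Shell")
            if isinstance(shell, str) and shell.strip().lower() != "explorer.exe":
                findings.append(("Shell replaced: %s" % shell, fix % "Shell"))
        elif low in (k.lower() for k in RUN_KEYS):
            for name, cmd in values.items():
                if isinstance(cmd, str) and any(t in cmd.lower() for t in TEMP_MARKERS):
                    findings.append(("Run entry %s starts from TEMP: %s" % (name, cmd), fix % name))
        elif low == POLICY_KEY.lower():
            for name in BLOCKER_POLICIES:
                if values.get(name) == 1:
                    findings.append(("Policy %s=1 blocks a system tool" % name, fix % name))
    return findings


if __name__ == "__main__":
    # usage: python audit_reg.py [export.reg]; reg export writes UTF-16 with
    # a BOM, so that encoding is used; without an argument the sample is audited
    text = open(sys.argv[1], encoding="utf-16").read() if len(sys.argv) > 1 else REG_TEXT
    for desc, cmd in audit(parse_reg(text)):
        print(desc)
        print("   fix:", cmd)
```

The fix commands carry /f so they run without the confirmation prompt, which matters when they are pasted into a batch file from the safe-mode prompt; review the list before running them, because the TEMP heuristic can also catch an installer that legitimately registered a RunOnce entry.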

For a complete list of possible automatic start points, it is convenient to use the special Autoruns program from the SysinternalsSuite package.

The easiest way to remove blockers from the MBRLock family

Malicious programs can take control of a computer not only by infecting the operating system but also by modifying the boot sector records of the drive it boots from. The virus replaces the boot sector data of the active partition with its own code, so that instead of Windows a simple program loads that displays a ransom message demanding money for the crooks. Because the virus takes control before the system even starts, there is only one way around it: boot from another medium (CD / DVD, external disk, etc.) into any operating system from which the boot sector code can be restored. The easiest way is a Live CD / Live USB, which most antivirus vendors provide free of charge (Dr.Web LiveCD, Kaspersky Rescue Disk, Avast! Rescue Disk, etc.). Besides repairing the boot sectors, these products can also scan the file system for malware and delete or disinfect infected files. If that is not an option, booting any version of Windows PE (an installation disk, an ERD Commander recovery disk) is enough to restore normal system boot. Usually the mere ability to get to a command line and run one command is sufficient:

bootsect /nt60 /mbr

bootsect /nt60 /mbr E: - restore the boot sectors of drive E:. Use the letter of the drive that serves as the boot device of the system damaged by the virus.

or, for Windows versions prior to Windows Vista:

bootsect /nt52 /mbr

The bootsect.exe utility can be found not only in system directories but also on removable media; it runs on any Windows operating system and restores the boot sector code without touching the partition table or the file system. The /mbr switch additionally rewrites the code of the master boot record (MBR); it does not alter the partition table, so it is safe to keep, and for a blocker that lives in the MBR itself, as the MBRLock family name suggests, it is exactly what is needed.

AVZ is a simple and convenient utility that not only helps remove malware but also knows how to restore the system. Why is that needed?

The fact is that after a virus invasion (it happens that AVZ kills thousands of them), some programs refuse to work, settings have disappeared somewhere, and Windows generally does not work quite right.

Most often users simply reinstall the system in this case. But as practice shows, that is not necessary at all, because the same AVZ utility can restore almost any damaged program settings and data.

To give you a clearer picture, here is the complete list of what AVZ can restore.

The material is taken from the AVZ guide: http://www.z-oleg.com/secur/avz_doc/

The database currently contains the following firmware (microprograms):

1. Restore launch parameters of .exe, .com, .pif files

This firmware restores the system's handling of exe, com, pif and scr files (their file-type associations).

Indications for use: After removing the virus, the programs stop running.

2. Reset Internet Explorer protocol prefix settings to standard

This firmware restores protocol prefix settings in Internet Explorer

Indications for use: when you enter an address like www.yandex.ru, it is replaced by something like www.seque.com/abcd.php?url=www.yandex.ru

3. Restoring the start page of Internet Explorer

This firmware restores the start page in Internet Explorer

Indications for use: start page change

4. Reset Internet Explorer search settings to default

This firmware restores search settings in Internet Explorer

Indications for use: When you click the "Search" button in IE, there is a call to some extraneous site

5. Restore desktop settings

This firmware restores desktop settings.

Restoration consists of deleting all active ActiveDesktop elements and wallpapers and removing the locks on the menu responsible for desktop settings.

Indications for use: The desktop settings tabs in the "Display Properties" window have disappeared, extraneous inscriptions or drawings are displayed on the desktop

6. Removing all Policies (restrictions) of the current user

Windows has a mechanism for restricting user actions called Policies. Many malicious programs use it, because the settings are stored in the registry and are easy to create or modify.

Indications for use: File Explorer functions or other system functions are blocked.

7. Removing the message displayed during WinLogon

Windows NT and later systems of the NT line (2000, XP) let you set a message that is displayed at logon.

A number of malicious programs use this, and removing the malware does not remove the message.

Indications for use: an extraneous message appears during system boot.

8. Restore Explorer settings

This firmware resets a number of Explorer settings to their defaults (first of all, those that malware changes).

Indications for use: Explorer settings changed

9. Removing system process debuggers

Registering a debugger for a system process (via Image File Execution Options) makes Windows launch the registered program whenever that process starts, invisibly to the user; a number of malicious programs use this.

Indications for use: AVZ detects unrecognized debuggers for system processes; problems launching system components, in particular the desktop disappears after a reboot.

10. Restore boot settings in SafeMode

Some malware, such as the Bagle worm, corrupts the registry settings responsible for booting in Safe Mode.

This firmware restores the Safe Mode boot settings. Indications for use: the computer does not boot in Safe Mode. Use this firmware only if there are problems booting in Safe Mode.

11. Unlock Task Manager

Malware blocks Task Manager to protect its processes from detection and termination. Running this firmware removes the lock.

Indications for use: Task manager blocked, when you try to call the task manager, the message "Task manager has been blocked by the administrator" is displayed.

12. Clearing HijackThis Ignore List

The HijackThis utility stores a number of its settings in the registry, including its exclusion list. So to hide from HijackThis, malware only has to add its executable files to that list.

A number of malicious programs that exploit this weakness are known. The AVZ firmware clears the HijackThis exclusion list.

Indications for use: Suspicions that the HijackThis utility does not display all information about the system.

13. Cleaning up the Hosts file

Cleaning the Hosts file comes down to locating it, removing all meaningful (non-comment) lines from it and adding the standard line "127.0.0.1 localhost".

Indications for use: suspicion that the Hosts file has been modified by malware. A typical symptom is that antivirus updates are blocked.

You can control the contents of the Hosts file using the Hosts file manager built into AVZ.
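As an added example (not AVZ's code), here is a small Python script that does what firmware 13 describes and adds the check a practitioner wants first: list which names the Hosts file currently hijacks before wiping it, since a sinkholed update server is the evidence you record. SAMPLE_HOSTS is constructed; the .test domains are reserved placeholder names, and HOSTS_PATH is the standard Windows location.

```python
"""Check and reset the Windows Hosts file the way AVZ firmware 13 describes.

Added example for this article; it is not AVZ code. SAMPLE_HOSTS is
constructed: the .test domains are reserved names standing in for an
antivirus update server and a bank site.
"""
import sys

# On Windows the file lives here; it is writable only from an elevated prompt
HOSTS_PATH = r"C:\Windows\System32\drivers\etc\hosts"

# Constructed sample: stock comments, the localhost lines, a sinkholed
# update server with an inline comment, and a redirected bank site pushed
# below a long run of blank lines so it is out of sight in Notepad.
SAMPLE_HOSTS = """# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.

127.0.0.1       localhost
::1             localhost
127.0.0.1       update.example-av.test   # AV updates sinkholed
""" + "\n" * 50 + """5.6.7.8 www.example-bank.test
"""

LOOPBACK = {"127.0.0.1", "::1", "0.0.0.0"}
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts(text):
    """Return (ip, [names]) for every effective line; comment and blank
    lines are dropped and inline comments stripped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) >= 2:
            entries.append((parts[0], parts[1:]))
    return entries


def suspicious_entries(entries):
    """Flag every mapping other than the stock loopback -> localhost ones.
    A loopback/0.0.0.0 address for a real name is a sinkhole (the usual way
    of blocking antivirus updates); any other address is a redirect."""
    found = []
    for ip, names in entries:
        for name in names:
            if name.lower() in LOCAL_NAMES and ip in LOOPBACK:
                continue
            kind = "sinkholed" if ip in LOOPBACK else "redirected to " + ip
            found.append((name.lower(), kind))
    return found


def clean_hosts(text):
    """What firmware 13 does: keep only the comment lines, drop every
    significant line and append the standard localhost mapping."""
    comments = [l for l in text.splitlines() if l.lstrip().startswith("#")]
    return "\n".join(comments + ["127.0.0.1 localhost"]) + "\n"


if __name__ == "__main__":
    # usage: python hosts_check.py [path]; without a path the sample is used
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_HOSTS
    for name, kind in suspicious_entries(parse_hosts(text)):
        print("%-40s %s" % (name, kind))
    # to apply the reset, write clean_hosts(text) back to HOSTS_PATH from an
    # elevated prompt; keep a copy of the original for the incident record
```

Any legitimate custom mapping an administrator added will also be reported, which is intentional: the report is for review, and only the reset step is destructive. Remember the note below about running this only after the malware itself has been removed, or the file will simply be rewritten again.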

14. Automatic correction of SPI/LSP settings

Analyzes the SPI settings and, if errors are found, corrects them automatically.

This firmware can be re-run any number of times. It is recommended to restart the computer after running it. Note! This firmware cannot be run from a terminal session.

Indications for use: Internet access was lost after the malware was removed.

15. Reset SPI/LSP and TCP/IP settings (XP+)

This firmware works only on XP, Windows 2003 and Vista. It works by resetting and recreating the SPI/LSP and TCP/IP settings with the standard netsh utility included with Windows.

Note! Use this reset only when necessary - if Internet access problems after malware removal cannot be fixed any other way!

Indications for use: after removing the malware, Internet access does not work and firmware "14. Automatic correction of SPI/LSP settings" does not help.

16. Restoring the Explorer launch key

Restores the system registry keys responsible for launching File Explorer.

Indications for use: Explorer does not start during system boot, but it is possible to start explorer.exe manually.

17. Unlock Registry Editor

Unlocks Registry Editor by removing the policy that prevents it from running.

Indications for use: Unable to start Registry Editor, when trying, a message is displayed stating that its launch has been blocked by the administrator.

18. Full re-creation of SPI settings

Backs up the SPI/LSP settings, then destroys them and recreates them from the standard stored in the database.

Indications for use: severe damage to the SPI settings that firmware 14 and 15 cannot repair. Use only if necessary!

19. Clear base MountPoints

Clears the MountPoints and MountPoints2 data in the registry. This often helps when, after infection by a flash-drive (autorun) virus, disks cannot be opened in Explorer.

To perform the restore, select one or more items and click the "Perform marked operations" button. The OK button closes the window.

On a note:

Restoration is useless if a Trojan that performs such reconfiguration is still running on the system: first remove the malware, then restore the system settings.

On a note:

To remove the traces of most hijackers you need to run three firmware: "Reset Internet Explorer search settings to default", "Restore Internet Explorer start page" and "Reset Internet Explorer protocol prefix settings to default".

On a note:

Any of the firmware can be run several times in a row without harm to the system. The exceptions are "5. Restore desktop settings" (running it resets all desktop settings, and you will have to choose your desktop colours and wallpaper again) and "10. Restore boot settings in SafeMode" (this firmware recreates the registry keys responsible for booting in safe mode).

To start the recovery, first download, unpack and run the utility. Then click File - System Restore. By the way, you can also do

Check the boxes you need and click "Perform marked operations". That's it, wait for it to finish :-)

In the following articles we will look in more detail at the problems that AVZ's system recovery firmware helps to solve. Good luck.

You may need to launch the AVZ utility when contacting Kaspersky Lab technical support.
With the AVZ utility you can:

  • receive a report on the results of the study of the system;
  • run a script provided by a Kaspersky Lab technical support specialist
    to create a Quarantine and delete suspicious files.

The AVZ utility does not send statistics, does not process information and does not transfer it to Kaspersky Lab. The report is saved on the computer as HTML and XML files, which can be viewed without special programs.

The AVZ utility can automatically create a Quarantine and place copies of suspicious files and their metadata into it.

Objects placed in Quarantine are not processed, are not transferred to Kaspersky Lab, and are stored on the computer. We do not recommend restoring files from Quarantine: they can harm your computer.

What data is contained in the AVZ utility report

The AVZ utility report contains:

  • Information about the version and release date of the AVZ utility.
  • Information about the anti-virus databases of the AVZ utility and its main settings.
  • Information about the version of the operating system, the date it was installed, and the user rights with which the utility was launched.
  • Search results for rootkits and programs intercepting the main functions of the operating system.
  • Search results for suspicious processes and details about those processes.
  • Search results for common malware by their characteristic properties.
  • Information about errors found during validation.
  • Search results for hooks for keyboard, mouse, or window events.
  • Search results for open TCP and UDP ports used by malware.
  • Information about suspicious system registry keys, disk file names, and system settings.
  • Search results for potential operating system vulnerabilities and security issues.
  • Information about corrupted operating system settings.

How to execute a script using the AVZ utility

Use the AVZ utility only under the guidance of a Kaspersky Lab technical support specialist as part of your request. Doing it on your own can damage the operating system and cause data loss.

  1. Download the AVZ utility executable file.
  2. Run avz5.exe on your computer. If Windows Defender SmartScreen prevents avz5.exe from running, click More info and then Run anyway in the "Windows protected your PC" window.
  3. Go to File -> Run script.
  4. Paste into the input field the script you received from the Kaspersky Lab technical support specialist.
  5. Click Run.
  6. Wait for the utility to finish and follow the further recommendations of the Kaspersky Lab technical support specialist.

AVZ is a free utility designed to find and remove viruses, as well as to restore system settings after malicious programs.

Preparation for work

1. Download the AVZ utility from the official website: http://z-oleg.com/avz4.zip

2. Unzip the archive

3. Run avz.exe from the archive

4. Open the File menu and choose Database update

Click Start to begin the update:

Anti-virus databases are being updated:

When the databases have been updated, this message appears. Click OK:

Virus check

To scan for viruses, tick all the computer's disks on the left, tick "Perform treatment" on the right, and click "Start" at the bottom:

System Restore

A very useful feature of AVZ is System Restore. It comes in handy after malware removal to eliminate its traces. To start System Restore, click File -> System Restore:

Check the appropriate checkboxes and click the button Perform marked operations:

Confirm your intent:

Cleaning up browsers with AVZ

From the main menu select File.

Select an item Troubleshooting Wizard:

In the "Degree of danger" field select "All problems".

Click Start.

Check the boxes for the following:

  • Clearing the TEMP folder;
  • Adobe Flash Player - cleaning up temporary files;
  • Macromedia Flash Player - clearing caches;
  • Cleaning up the TEMP system folder;
  • Clear caches of all installed browsers;

Click the button Fix flagged issues.


