
Fixing and optimizing with AVZ: restoring system settings and removing viruses. Configuring AVZ firmware for system recovery after viruses

The simple and convenient AVZ utility not only helps remove viruses, but also knows how to restore the system. Why is this necessary?

The fact is that after a virus infection (it happens that AVZ kills them by the thousand), some programs refuse to work, settings have disappeared, and Windows somehow no longer works quite correctly.

Most often, in this case, users simply reinstall the system. But as practice shows, this is not at all necessary, because using the same AVZ utility, you can restore almost any damaged programs and data.

To give you a clearer picture, here is the complete list of what AVZ can restore.

The material is taken from the AVZ handbook: http://www.z-oleg.com/secur/avz_doc/ (copy and paste it into the browser address bar).

Currently the database contains the following firmware (AVZ's term for its built-in restore scripts):

1. Restoring startup parameters for .exe, .com, .pif files

This firmware restores the system's response to exe, com, pif, scr files.

Indications for use: after removing the virus, programs stop running.

2.Reset Internet Explorer protocol prefix settings to standard

This firmware restores the protocol prefix settings in Internet Explorer

Indications for use: when you enter an address like www.yandex.ru, it is replaced with something like www.seque.com/abcd.php?url=www.yandex.ru

3.Restoring Internet Explorer Start Page

This firmware restores the start page in Internet Explorer

Indications for use: spoofing the start page

4.Reset Internet Explorer search settings to standard

This firmware restores Internet Explorer search settings

Indications for use: When you click the "Search" button in IE, there is a call to some third-party site

5.Restoring Desktop Settings

This firmware restores the desktop settings.

Recovery means removing all Active Desktop elements and the wallpaper, and removing the locks on the menu responsible for desktop settings.

Indications for use: The desktop settings tabs in the "Display Properties" window have disappeared, or extraneous text or pictures are displayed on the desktop.

6.Delete all Policies (restrictions) of the current user

Windows provides a mechanism for limiting user actions called Policies. This technology is used by many malicious programs, since the settings are stored in the registry and are not difficult to create or modify.

Indications for use: Explorer or other system functions are blocked.

7.Delete the message displayed during WinLogon

Windows NT and later systems in the NT line (2000, XP) allow you to set the message displayed during startup.

A number of malicious programs take advantage of this, and killing the malicious program does not destroy the message.

Indications for use: An extraneous message is introduced during system boot.

8.Restoring Explorer Settings

This firmware resets a number of Explorer settings to standard ones (first of all, the settings changed by malware are reset).

Indications for use: Explorer settings changed

9.Remove system process debuggers

Registering a system process debugger will allow the application to run hidden, which is used by a number of malicious programs.

Indications for use: AVZ detects unrecognized debuggers of system processes, there are problems with starting system components, in particular, after a reboot, the desktop disappears.

10.Restoring Boot Settings in SafeMode

Some malware, in particular the Bagle worm, corrupts the system's Safe Mode boot settings.

This firmware restores the Safe Mode boot settings. Indications for use: The computer does not boot in SafeMode. Use this firmware only if there are problems booting in Safe Mode.

11.Unlock Task Manager

Task manager blocking is used by malware to protect processes from detection and deletion. Accordingly, the execution of this microprogram removes the lock.

Indications for use: Blocking the task manager, when you try to call the task manager, the message "Task manager is blocked by the administrator" is displayed.

12.Clear the ignore list of the HijackThis utility

The HijackThis utility stores a number of its settings in the registry, in particular, the list of exclusions. Therefore, to disguise itself from HijackThis, a malicious program only needs to register its executable files in the exclusion list.

A number of malicious programs are currently known to exploit this vulnerability. The AVZ firmware clears the exclusion list of the HijackThis utility.

Indications for use: Suspicions that the HijackThis utility does not display all information about the system.

13. Cleaning up the Hosts file

Clearing the Hosts file amounts to finding the Hosts file, removing all meaningful lines from it, and adding the standard line "127.0.0.1 localhost".

Indications for use: Suspicion that the Hosts file has been modified by malware. Typical symptoms are the blocking of antivirus software updates.

You can control the content of the Hosts file using the Hosts file manager built into AVZ.
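As an added example (not AVZ's code and not from the handbook), a PowerShell function that reports every hosts-file entry beyond the standard "127.0.0.1 localhost" line, distinguishing names sinkholed to loopback (how update servers get blocked) from names redirected to a foreign address. The sample content and its .test host names are constructed; the function name is my own.

```powershell
# Added example (not AVZ's code): report hosts-file entries that go beyond the
# standard "127.0.0.1 localhost" line. Mapping a vendor's update host to loopback
# is how malware blocks antivirus updates; mapping a site to a foreign address
# is how it redirects traffic. The sample content below is constructed.

function Get-HostsFindings {
    param([string[]]$Lines)
    $nullAddresses = @('127.0.0.1', '::1', '0.0.0.0')
    $findings = @()
    foreach ($line in $Lines) {
        $text = ($line -split '#', 2)[0].Trim()      # strip comments
        if ($text -eq '') { continue }
        $fields = $text -split '\s+'
        if ($fields.Count -lt 2) { continue }         # malformed line, nothing is mapped
        $address = $fields[0]
        foreach ($name in ($fields | Select-Object -Skip 1)) {
            # the one line a clean file is expected to contain
            if ($nullAddresses -contains $address -and $name -eq 'localhost') { continue }
            $reason = if ($nullAddresses -contains $address) { 'name sinkholed (resolves to loopback/null address)' } else { "name redirected to $address" }
            $findings += [pscustomobject]@{ Host = $name; Address = $address; Reason = $reason }
        }
    }
    return $findings
}

# Constructed sample; a real audit reads $env:SystemRoot\System32\drivers\etc\hosts
$sample = @'
# constructed sample hosts file
127.0.0.1       localhost
::1             localhost
127.0.0.1       update.example-av.test      # update server sinkholed
0.0.0.0         www.example-vendor.test
203.0.113.5     www.example-bank.test       # redirected to a foreign address
'@ -split "`r?`n"

Get-HostsFindings -Lines $sample | Format-Table -AutoSize
# Live file: Get-HostsFindings -Lines (Get-Content "$env:SystemRoot\System32\drivers\etc\hosts")
```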

14. Automatic correction of SPI / LSP settings

Analyzes the SPI settings and, if any errors are found, automatically corrects them.

This firmware can be re-run an unlimited number of times. After executing it, restarting the computer is recommended. Note! This firmware cannot be launched from a terminal session.

Indications for use: Internet access was lost after the malware was removed.

15. Reset SPI / LSP and TCP / IP settings (XP +)

This firmware only works on XP, Windows 2003 and Vista. Its principle of operation is based on resetting and recreating SPI / LSP and TCP / IP settings using the standard netsh utility included with Windows.

Note! Apply this reset only when necessary, that is, when problems with Internet access remain unresolved after removing the malware!

Indications for use: Internet access was lost after the malware was removed, and running "14. Automatic correction of SPI / LSP settings" has no effect.

16. Recovering the Explorer startup key

Restores system registry keys responsible for starting Explorer.

Indications for use: Explorer does not start during system boot, but it is possible to manually launch explorer.exe.

17. Unlocking Registry Editor

Unlocks Registry Editor by removing the policy that prevents it from running.

Indications for use: Unable to start Registry Editor, when you try, you receive a message stating that it was blocked by the administrator.

18. Complete re-creation of SPI settings

It backs up the SPI / LSP settings, then destroys them and creates them according to the reference stored in the database.

Indications for use: Severe damage to SPI settings, unrecoverable by scripts 14 and 15. Use only if necessary!
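Items 14, 15 and 18 all rebuild the Winsock (SPI/LSP) catalog, and item 15 does so with netsh. As an added example (not AVZ's code), here is a PowerShell function that saves the current catalog, flags layered providers whose DLL lives outside %SystemRoot%, and only issues the netsh reset when explicitly asked. It assumes the English "Provider Path:" label in netsh output; the function name is my own.

```powershell
# Added example (not AVZ's code): triage and reset of the Winsock (SPI/LSP) catalog
# with the same netsh tool AVZ items 14/15/18 rely on. Steps 1 and 2 are read-only;
# the reset in step 3 runs only when -Reset is given, after the catalog has been saved.

function Test-WinsockCatalog {
    param([switch]$Reset)
    $stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
    $backup = Join-Path $env:TEMP "winsock-catalog-$stamp.txt"

    # Step 1: save the current catalog so the pre-reset state can be compared later.
    $catalog = netsh winsock show catalog
    $catalog | Set-Content -LiteralPath $backup

    # Step 2: flag providers whose DLL is not under %SystemRoot% (third-party LSPs).
    # Assumes the English "Provider Path:" label printed by netsh.
    $suspect = foreach ($line in $catalog) {
        if ($line -match 'Provider Path:\s*(.+)$') {
            $path = [Environment]::ExpandEnvironmentVariables($Matches[1].Trim())
            if ($path -notlike "$env:SystemRoot\*") { $path }
        }
    }
    $suspect = @($suspect | Sort-Object -Unique)
    "Catalog saved to $backup; $($suspect.Count) provider(s) outside $env:SystemRoot"
    $suspect | ForEach-Object { "  provider outside system directory: $_" }

    # Step 3: recreate the catalog and TCP/IP settings (elevated shell; reboot afterwards).
    if ($Reset) {
        netsh winsock reset
        netsh int ip reset
        'Reset issued; restart the computer to complete it.'
    }
}

Test-WinsockCatalog          # read-only triage
# Test-WinsockCatalog -Reset # only if Internet access is still broken after malware removal
```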

19. Clear Base MountPoints

Clears the MountPoints and MountPoints2 database in the registry. This operation often helps when disks do not open in Explorer after infection with a flash-drive virus.

To perform the restoration, one or several items must be checked and the button "Perform marked operations" must be pressed. Pressing the "OK" button closes the window.

Note:

Recovery is useless if a Trojan that performs such reconfiguration is still running on the system: you must first remove the malware and then restore the system settings.

Note:

To eliminate the traces of most hijackers, you need to run three firmware items: "Reset Internet Explorer search settings to standard", "Restore Internet Explorer start page", "Reset Internet Explorer protocol prefix settings to standard".

Note:

Any of the firmware can be executed several times in a row without affecting the system. The exceptions are "5. Restoring desktop settings" (running it resets all desktop settings, and you will have to re-select the desktop color and wallpaper) and "10. Restoring boot settings in SafeMode" (it recreates the registry keys responsible for booting in Safe Mode).
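To see what the firmware above would change before running it, here is an added example (not AVZ's code): a read-only PowerShell audit of the registry locations behind items 1, 2, 3, 6, 7, 9, 10, 11, 16 and 17, tagging each finding with the item number. The expected values are the stock Windows defaults; the function names are my own, and reading HKLM fully may require an elevated shell.

```powershell
# Added example (not AVZ's code): read-only audit of the registry locations that
# AVZ restore items 1, 2, 3, 6, 7, 9, 10, 11, 16 and 17 operate on. Nothing is
# modified; each finding is tagged with the AVZ item number it corresponds to.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    $item = Get-ItemProperty -LiteralPath $Path -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Invoke-AvzRestoreAudit {
    $findings = New-Object System.Collections.Generic.List[string]

    # [1] launch commands for .exe/.com/.pif/.scr: malware rewrites these so that
    # its own file runs instead of (or before) the program the user started.
    $expected = @{ exefile = '"%1" %*'; comfile = '"%1" %*'; piffile = '"%1" %*'; scrfile = '"%1" /S' }
    foreach ($cls in $expected.Keys) {
        $cmd = Get-RegValue "Registry::HKEY_CLASSES_ROOT\$cls\shell\open\command" '(default)'
        if ($cmd -ne $expected[$cls]) { $findings.Add("[1] $cls open command is '$cmd', expected '$($expected[$cls])'") }
    }

    # [2] URL prefixes: a changed DefaultPrefix or 'www' prefix rewrites typed addresses.
    $urlKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\URL'
    $dp = Get-RegValue "$urlKey\DefaultPrefix" '(default)'
    if ($dp -ne 'http://') { $findings.Add("[2] URL DefaultPrefix is '$dp', expected 'http://'") }
    $www = Get-RegValue "$urlKey\Prefixes" 'www'
    if ($www -ne 'http://') { $findings.Add("[2] URL prefix 'www' is '$www', expected 'http://'") }

    # [3] IE start page: listed for manual review, there is no single correct value.
    $sp = Get-RegValue 'HKCU:\Software\Microsoft\Internet Explorer\Main' 'Start Page'
    if ($sp) { $findings.Add("[3] IE Start Page is '$sp' (review)") }

    # [6]/[11]/[17] user restriction policies: any non-zero value is a restriction.
    foreach ($sub in 'Explorer', 'System') {
        $polKey = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\$sub"
        if (-not (Test-Path -LiteralPath $polKey)) { continue }
        $props = Get-ItemProperty -LiteralPath $polKey
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }      # provider metadata, not registry values
            if ($p.Value -eq 0) { continue }
            $tag = switch ($p.Name) { 'DisableTaskMgr' { '11' } 'DisableRegistryTools' { '17' } default { '6' } }
            $findings.Add("[$tag] Policy $sub\$($p.Name) = $($p.Value)")
        }
    }

    # [7] logon message and [16] shell: both live under Winlogon.
    $wl = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    foreach ($n in 'LegalNoticeCaption', 'LegalNoticeText') {
        $v = Get-RegValue $wl $n
        if ($v) { $findings.Add("[7] Winlogon $n is set: '$v'") }
    }
    $shell = Get-RegValue $wl 'Shell'
    if ($shell -ne 'explorer.exe') { $findings.Add("[16] Winlogon Shell is '$shell', expected 'explorer.exe'") }
    $userShell = Get-RegValue 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon' 'Shell'
    if ($userShell) { $findings.Add("[16] Per-user Winlogon Shell override present: '$userShell'") }

    # [9] IFEO debuggers: a Debugger value makes Windows start that program in place of the named image.
    $ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
    Get-ChildItem -LiteralPath $ifeo -ErrorAction SilentlyContinue | ForEach-Object {
        $dbg = (Get-ItemProperty -LiteralPath $_.PSPath -ErrorAction SilentlyContinue).Debugger
        if ($dbg) { $findings.Add("[9] IFEO debugger for $($_.PSChildName): $dbg (verify it is legitimate)") }
    }

    # [10] SafeBoot: Safe Mode cannot start if these keys are missing or emptied.
    foreach ($sb in 'Minimal', 'Network') {
        $count = @(Get-ChildItem -LiteralPath "HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\$sb" -ErrorAction SilentlyContinue).Count
        if ($count -eq 0) { $findings.Add("[10] SafeBoot\$sb is missing or empty") }
    }

    return $findings
}

$result = Invoke-AvzRestoreAudit
if ($result.Count -eq 0) { 'No deviations found in the audited locations.' } else { $result }
```

Legitimate IFEO debugger entries exist (developer tools register them), so item [9] findings are a review list, not a verdict.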

To start recovery, first download, unpack and run the utility... Then click File - System Restore. By the way, you can still execute

Tick the checkboxes you need and click to start the operations. That's it; now wait for completion :-)

In the following articles we will look in more detail at the problems that AVZ's system recovery firmware helps solve. Good luck to you.

In this article dedicated to AVZ, I want to share with you some more knowledge about the capabilities of this wonderful utility.

Today we will talk about system recovery tools, which can often save your computer's life after being infected with viruses and other horrors of life, as well as solve a number of system problems that arise as a result of certain errors.
It will be useful to everyone.

Introductory

Before starting, traditionally, I want to offer you two formats of material, namely: video or text. Video here:

Well, the text is below. See for yourself which option is closer to you.

General description of the program functionality

What are these recovery tools? This is a set of firmware and scripts that help to restore certain system functions to a working state. Which for example? Well, let's say bring back or the Registry Editor, clear the hosts file, or reset IE settings. In general, I give it in full and with a description (so as not to reinvent the wheel):

  • 1. Restoring startup parameters for .exe, .com, .pif files
    This firmware restores the system's response to exe, com, pif, scr files.
    Indications for use: after removing the virus, programs stop running.
  • 2. Resetting Internet Explorer protocol prefixes to standard
    This firmware restores the protocol prefix settings in Internet Explorer
    Indications for use: when you enter an address like www.yandex.ru, it is replaced with something like www.seque.com/abcd.php?url=www.yandex.ru
  • 3. Restoring the start page of Internet Explorer
    This firmware restores the start page in Internet Explorer
    Indications for use: substitution of the start page
  • 4. Reset Internet Explorer search settings to standard
    This firmware restores Internet Explorer search settings
    Indications for use: When you click the "Search" button in IE, there is an appeal to some third-party site
  • 5. Restoring desktop settings
    This firmware restores the desktop settings. Recovery means removing all Active Desktop elements and the wallpaper, and removing the locks on the menu responsible for desktop settings.
    Indications for use: The desktop settings tabs in the "Display Properties" window have disappeared, or extraneous text or pictures are displayed on the desktop.
  • 6. Removal of all Policies (restrictions) of the current user.
    Windows provides a mechanism for limiting user actions called Policies. This technology is used by many malicious programs, since the settings are stored in the registry and are not difficult to create or modify.
    Indications for use: Explorer or other system functions are blocked.
  • 7. Deleting the message displayed during WinLogon
    Windows NT and later systems in the NT line (2000, XP) allow you to set the message displayed during startup. A number of malicious programs take advantage of this, and killing the malicious program does not destroy the message.
    Indications for use: An extraneous message is introduced during system boot.
  • 8. Restore Explorer Settings
    This firmware resets a number of Explorer settings to standard ones (first of all, the settings changed by malware are reset).
    Indications for use: Explorer settings changed.
  • 9. Removing system process debuggers
    Registering a system process debugger will allow the application to run hidden, which is used by a number of malicious programs.
    Indications for use: AVZ detects unrecognized debuggers of system processes, there are problems with starting system components, in particular, after a reboot, the desktop disappears.
  • 10. Restoring boot settings in SafeMode
    Some malware, in particular the Bagle worm, corrupts the system's Safe Mode boot settings. This firmware restores the Safe Mode boot settings.
    Indications for use: The computer does not boot in SafeMode. Use this firmware only if there are problems booting in Safe Mode.
  • 11. Unlocking the task manager
    Task manager blocking is used by malware to protect processes from detection and deletion. Accordingly, the execution of this microprogram removes the lock.
    Indications for use: Blocking the task manager, when you try to call the task manager, the message "The task manager is blocked by the administrator" is displayed.
  • 12. Clearing the ignore list of the HijackThis utility
    The HijackThis utility stores a number of its settings in the registry, in particular, the list of exclusions. Therefore, to disguise itself from HijackThis, a malicious program only needs to register its executable files in the exclusion list. A number of malicious programs are currently known to exploit this vulnerability. The AVZ firmware clears the exclusion list of the HijackThis utility
    Indications for Use: Suspicions that the HijackThis utility does not display all information about the system.
  • 13. Cleaning up the Hosts file
    Clearing the Hosts file amounts to finding the Hosts file, removing all meaningful lines from it, and adding the standard line "127.0.0.1 localhost".
    Indication for Use: Suspicions that the Hosts file has been modified by a malicious program. Typical symptoms are the blocking of antivirus software updates. You can control the content of the Hosts file using the Hosts file manager built into AVZ.
  • 14. Automatic correction of SPI / LSP settings
    It analyzes the SPI settings and, if any errors are found, it automatically corrects the errors found. This firmware can be re-run an unlimited number of times. After executing this firmware, it is recommended that you restart your computer. Note! This firmware cannot be launched from a terminal session
    Indications for use: Internet access was lost after the malware was removed.
  • 15. Reset SPI / LSP and TCP / IP settings (XP +)
    This firmware only works on XP, Windows 2003 and Vista. Its principle of operation is based on resetting and recreating the SPI / LSP and TCP / IP settings using the standard netsh utility included with Windows. You can read more about this reset in the Microsoft Knowledge Base. Note! Apply this reset only when necessary, that is, when problems with Internet access remain unresolved after removing the malware!
    Indications for use: Internet access was lost after the malware was removed, and running "14. Automatic correction of SPI / LSP settings" has no effect.
  • 16. Recovering the Explorer startup key
    Restores system registry keys responsible for starting Explorer.
    Indications for use: Explorer does not start during system boot, but it is possible to start explorer.exe manually.
  • 17. Unlocking Registry Editor
    Unlocks Registry Editor by removing the policy that prevents it from running.
    Indications for use: It is impossible to start the registry editor, when you try, a message appears stating that its launch was blocked by the administrator.
  • 18. Complete re-creation of SPI settings
    It backs up the SPI / LSP settings, then destroys them and creates them according to the reference stored in the database.
    Indications for use: Severe damage to SPI settings, unrecoverable by scripts 14 and 15. Use only if necessary!
  • 19. Clear Base MountPoints
    Clears the MountPoints and MountPoints2 database in the registry.
    Indications for use: This operation often helps when disks do not open in Explorer after infection with a flash-drive virus.
  • Note: Recovery is useless if a Trojan that performs such reconfiguration is still running on the system: you must first remove the malware and then restore the system settings.
  • Note: To eliminate the traces of most hijackers, you need to run three firmware items: "Reset Internet Explorer search settings to standard", "Restore Internet Explorer start page", "Reset Internet Explorer protocol prefix settings to standard".
  • Note: Any of the firmware can be executed several times in a row without affecting the system. The exceptions are "5. Restoring desktop settings" (running it resets all desktop settings, and you will have to re-select the desktop color and wallpaper) and "10. Restoring boot settings in SafeMode" (it recreates the registry keys responsible for booting in Safe Mode).

Useful, isn't it?
Now how to use it.

Download, launch, use

Actually, everything is simple.

  1. Download the AVZ antivirus utility from here (or from somewhere else).
  2. We unpack the archive with it somewhere convenient for you.
  3. We go to the folder where we unpacked the program and run avz.exe there.
  4. In the program window, select "File" - "System Restore".
  5. We tick the necessary items and press the "Perform marked operations" button.
  6. We wait and enjoy the result.

That's all there is to it.

Afterword

I must say that it works with a bang and eliminates a number of unnecessary body movements. So to speak, everything is at hand, quickly, simply and efficiently.

Thank you for your attention ;)

16.08.2019


Thanks to the specialists of the computer service center Launch.RF for their help in preparing this material. You can order laptop and netbook repairs from them in Moscow.

Malicious programs infiltrate the operating system of a personal computer and cause significant harm to the data stored on it. Malware today is written for different purposes, so its actions are aimed at modifying various structures of the operating system.

Common and obvious consequences for the user are problems with the Internet, disruptions in the operation of devices connected to the PC.

Even if the malware was detected and destroyed, this does not rule out data loss and other problems that arise in subsequent work. The options are endless; most often the user notices complete or partial loss of Internet access, external devices (mouse, flash drive) that stop working, an empty desktop, and so on.

The listed consequences are the result of changes the malware made to the system files of the personal computer. Such changes are not undone when the virus is removed; they need to be corrected by the user, or with the help of specialists. In fact, this kind of work does not require special training, and any advanced user can perform it after studying the corresponding instructions.

In practice, several approaches to recovering the operating system are distinguished, depending on the reasons that led to the failure. Let's consider each option in detail. A simple way available to every user is to roll back the OS to a restore point at which the computer was working as the user expected. But very often this solution is unsatisfactory, or it cannot be applied for objective reasons.

How to restore the OS if the PC cannot be logged in?

System recovery is started as follows: Start Menu \ Control Panel \ System Restore. At this path we select the restore point we need and start the process. After a while the work is completed and the computer is ready for normal operation. The technique is quite applicable for eliminating some types of viruses, since the changes happen at the registry level. This option for restoring the operating system is considered the simplest and is part of the standard Windows tools. Step-by-step instructions and help with detailed comments on the process will help you master the technique of restoring the computer's health, even if the user does not feel completely confident as a PC administrator.

Another common OS recovery option is to start the procedure from external media. This option has some complications: for example, you need an image of the system on a flash drive or disk, and you must take care of having such a copy in advance. In addition, certain skills in working with the BIOS are often required. An image of the operating system on external media is the best option when recovery is otherwise impossible because the virus has blocked logging into the system. There are other options.

It is impossible to use standard Windows tools to restore the OS if, for example, you cannot log in, or there are other reasons that prevent the operation from being performed in standard mode. The situation can be resolved using the ERD Commander (ERDC) tool.

Let's go through how the program works step by step. The first step is to download the program. The second step is to launch the System Restore Wizard; it is with its help that the OS is rolled back to the specified recovery point.

As a rule, several restore points are available, and in eighty percent of cases the personal computer's operability will be completely restored.

Using the AVZ Utility Tools

The tool considered below does not require any special skills or abilities from the user. The software product was developed by Oleg Zaitsev and is designed to search for and destroy all types of viruses and malware. But besides its main function, the utility restores most of the system settings that have been attacked or modified by malicious viruses.

What problems can the presented program solve? The main one is restoring system files and settings that have been attacked by viruses. The utility also copes with damaged program drivers that refuse to start after recovery, with problems in browsers, with blocked Internet access, and with many other troubles.

We activate the restore operation at File \ System Restore and select the operation that is needed. The figure shows the interface of the firmware used by the utility, we will give a description of each of them.

As you can see, the set of operations consists of 21 items, and the name of each explains its purpose. Note that the program's capabilities are quite diverse, and it can be considered a universal tool not only for reviving the system itself, but also for eliminating the consequences of what viruses have done to system data.

The first parameter is used if, as a result of a virus attack and the OS recovery procedures, the programs the user needs refuse to work. As a rule, this happens if the malware has penetrated the program files and drivers and made changes to the information recorded there.

The second parameter is required when viruses substitute domains as they are entered in the browser. Such substitution is the first level at which the interaction between the operating system's files and the Internet gets corrected. As a rule, this function of the program removes the changes without a trace: it does not try to detect them, but simply resets all prefix and protocol data to the standard settings.

The third parameter resumes the configuration of the start page of the Internet browser. As in the previous case, by default the program corrects the problems of the Internet Explorer browser.

The fourth parameter adjusts the work of the search engine and sets the standard operating mode. Again, the procedure concerns the default browser installed by Windows.

In case of a problem related to the functioning of the desktop (the appearance of banners, pictures, extraneous entries on it), the fifth point of the program is activated. Such consequences of the action of malicious programs were very popular a couple of years ago and caused a lot of problems for users, but even now it is possible that such dirty tricks can penetrate the PC operating system.

The sixth point is needed if the malware has restricted the user's actions when executing a number of commands. These restrictions can be of various kinds, and since access settings are stored in the registry, malicious programs most often use this information to interfere with the user's work on their PC.

If a third-party message appears when the OS loads, it means the malicious program was able to change the Windows NT startup parameters. Removing the virus does not clear this message. To remove it, you must activate the seventh parameter of the AVZ utility menu.

The eighth menu option, as the name suggests, restores the Explorer settings.

Sometimes the problem shows up as failures of system components, for example the desktop disappearing when the operating system starts. This is a typical symptom of a debugger registered for a system process (the mechanism malware uses to get itself started in place of that process); item nine of the tools menu finds and removes such registrations.

Problems booting the OS in Safe Mode are fixed with item ten. The need for this item is easy to spot: the problems appear on any attempt to start Windows in Safe Mode.

If Task Manager is blocked, run item eleven. Malware sets the administrator-level policy that disables Task Manager, so instead of the working window a message appears saying that Task Manager has been disabled by the administrator.

The HijackThis utility keeps its ignore list in the registry. It is enough for malware to add its own files to that list, and HijackThis will no longer report them, however many times a scan is run. Item twelve of the AVZ menu clears that list.

The thirteenth item clears the Hosts file. When this file has been modified by a virus it can cause trouble on the network, block some resources and prevent anti-virus databases from updating. Work with this file is described in more detail below. Unfortunately almost all malware tries to edit this file: making such changes is trivial, the consequences can be serious, and after the virus is removed the entries it left behind remain a direct gateway for new malware and spyware.

If Internet access is blocked, this usually means the SPI/LSP (Winsock) settings are damaged. They are corrected by menu item fourteen. Note that this item cannot be run from a terminal session.

Menu item fifteen has a similar purpose, but works only on Windows XP, Windows 2003 and Vista. Use it if the previous item did not restore network access.

The sixteenth item restores the registry keys responsible for starting Explorer (the Windows shell, explorer.exe).

The next step in restoring the OS after a virus attack is unblocking Registry Editor (item seventeen). The usual symptom is that regedit refuses to start, with a message that it has been disabled by the administrator.

The following four items are recommended only when the damage to the operating system is so severe that it makes little difference whether it is repaired by these means or the whole system ends up being reinstalled.

Item eighteen completely re-creates the SPI settings. Item nineteen clears the MountPoints/MountPoints2 registry keys.

Item twenty removes all static routes. Finally, item twenty-one resets the DNS server settings of all network connections.

As you can see, the utility's capabilities cover almost all the places in which malware can settle and leave an active trace that is not easy to detect.

Since anti-virus applications do not guarantee one hundred percent protection of the operating system, we recommend keeping such a program in your toolkit for fighting computer viruses of all kinds.

Devices connected to the computer stop working after the OS has been disinfected

One popular way for spyware to hide is to install its own driver as a filter on top of a real one, most often the keyboard or mouse driver. After the virus is destroyed its filter registration remains in the registry, and because Windows can no longer load the missing filter, the device the malware attached itself to stops working.

The same thing happens after an incorrect uninstall of Kaspersky Anti-Virus, which installs the auxiliary filter driver klmouflt. In that case the klmouflt driver must be found and completely removed from the system following the proper procedure.

If the keyboard and mouse refuse to work properly, the first step is to restore the registry keys that register the class filter drivers:

Keyboard:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E96B-E325-11CE-BFC1-08002BE10318}
UpperFilters = kbdclass

Mouse:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E96F-E325-11CE-BFC1-08002BE10318}
UpperFilters = mouclass

Any extra name left in UpperFilters that no longer corresponds to an installed driver (klmouflt after a broken Kaspersky uninstall, for example) must be removed from this multi-string value, otherwise the driver stack for the whole device class fails to load and the device does not work.
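As an added example (not AVZ code and not from the article), here is how to check and repair those UpperFilters values programmatically. The planning function is pure and runs anywhere; the registry read and write helpers use the standard winreg module and only run on Windows from an elevated prompt. The list of stale filter names (klmouflt here) and the sample value used for the dry run are assumptions taken from the text above.

```python
"""Audit and repair the UpperFilters value of the keyboard and mouse
device classes. Added example, not AVZ code. The planning logic is pure
and testable anywhere; registry access only works on Windows."""
import sys

KEYBOARD_CLASS = "{4D36E96B-E325-11CE-BFC1-08002BE10318}"
MOUSE_CLASS = "{4D36E96F-E325-11CE-BFC1-08002BE10318}"
CLASS_KEY = r"SYSTEM\CurrentControlSet\Control\Class\{}"

# Filter driver Windows itself needs for each class to work at all.
REQUIRED = {KEYBOARD_CLASS: ["kbdclass"], MOUSE_CLASS: ["mouclass"]}


def plan_upperfilters(class_guid, current, stale=()):
    """Return (new_list, removed, re_added) for one device class.

    Only names listed in `stale` are dropped; unknown third-party filters
    (a touchpad or hypervisor mouse driver, say) are kept untouched. The
    class driver is appended if it is missing. Names are compared
    case-insensitively, as the registry does."""
    stale_l = {s.lower() for s in stale}
    kept = [f for f in current if f and f.lower() not in stale_l]
    removed = [f for f in current if f and f.lower() in stale_l]
    re_added = []
    for req in REQUIRED[class_guid]:
        if req.lower() not in {f.lower() for f in kept}:
            kept.append(req)
            re_added.append(req)
    return kept, removed, re_added


def read_upperfilters(class_guid):
    """Read the REG_MULTI_SZ UpperFilters value (Windows only)."""
    import winreg
    path = CLASS_KEY.format(class_guid)
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as key:
        try:
            value, kind = winreg.QueryValueEx(key, "UpperFilters")
        except FileNotFoundError:
            return []          # value absent: the class driver is not registered
        return list(value) if kind == winreg.REG_MULTI_SZ else [value]


def write_upperfilters(class_guid, filters):
    """Write UpperFilters back (needs an elevated prompt; reboot afterwards)."""
    import winreg
    path = CLASS_KEY.format(class_guid)
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path, 0,
                        winreg.KEY_SET_VALUE) as key:
        winreg.SetValueEx(key, "UpperFilters", 0, winreg.REG_MULTI_SZ, filters)


if __name__ == "__main__":
    stale = ["klmouflt"]   # leftover of a broken Kaspersky uninstall (see text)
    for guid in (KEYBOARD_CLASS, MOUSE_CLASS):
        if sys.platform == "win32":
            current = read_upperfilters(guid)
        else:   # constructed sample so the dry run works on any platform
            current = ["klmouflt", REQUIRED[guid][0]]
        new, removed, re_added = plan_upperfilters(guid, current, stale)
        print(guid, "->", new, "removed:", removed, "re-added:", re_added)
        # To apply on Windows: write_upperfilters(guid, new) when new != current
```

Third-party filters you do not recognise are reported rather than removed: on laptops and virtual machines a touchpad or hypervisor mouse driver legitimately sits in UpperFilters, and deleting it would break input. After writing the value, reboot so that the class driver stack is rebuilt.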

The problem of inaccessible sites

A malware attack can leave some Internet resources unreachable. This is the result of changes the virus made to the system. The problem may show up immediately or only after some time, but in either case it is not hard to fix.

There are two blocking methods: the most common is editing the hosts file, the second is creating false static routes. Even after the virus is destroyed, the changes it made in these two places remain.

The hosts file lives in the system folder on drive C: C:\Windows\System32\drivers\etc\hosts. The quickest way to get there is to type that path into the Run box or the command line from the Start menu.

If the file cannot be found at that path, this may mean that:

the virus has changed its location in the registry;

the file has the "hidden" attribute set.

In the latter case, change the view settings: in Folder Options / View, find the line "Show hidden files and folders" and select it so that hidden files become visible.

The hosts file maps host names to IP addresses and is consulted before DNS, so malware writes entries into it that redirect the user to other resources: you type the address of the site you want and a completely different one opens. To reverse this, find the file and examine its contents. Even an inexperienced user will see what the virus changed, and if that proves difficult the file can simply be reset to its default contents, which removes every change made to it.

Fixing routes follows the same principle. Note that the two mechanisms work at different layers: the hosts file decides which IP address a name resolves to, while a route decides whether that IP address can be reached at all, so after restoring the hosts file the routing table should still be checked.

It is harder when the file cannot be found because the virus has moved it. Windows looks for hosts in the directory named by the registry value

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DataBasePath

whose standard value is %SystemRoot%\System32\drivers\etc; restore it to that value.

Viruses of the Win32/Vundo family are cleverer than most in the way they tamper with the hosts file. They rename the file itself, replacing the Latin letter o with the visually identical Cyrillic letter о. Such a file is no longer used for name resolution, and even if the user cleans it nothing changes. How to find the genuine file? If there is doubt about whether the file you are looking at is real, proceed as follows. First enable the display of hidden files, then look at the directory (shown in the figure).

It appears to contain two files with the same name, but since the OS does not allow two files with identical names in one directory, one of them is a fake. Telling them apart is simple: the virus creates a large file with numerous entries, so in the figure the result of its work is the 173 KB hidden file.

Opening that file shows lines such as:

31.214.145.172 vk.com - an entry that pins the site to an IP address chosen by the attacker, so a different server answers

127.0.0.1 avast.com - an entry written by the virus to block access to the anti-virus vendor's site
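An added example (not from the article or from AVZ) that automates the two checks described above: it reads the hosts file, reports every entry that sinkholes a name to loopback (flagged higher when the name belongs to an anti-virus vendor) or pins a name to a foreign address, and it scans a directory listing for a look-alike file whose name contains a Cyrillic letter in place of the Latin o. The hosts content, the directory listing and the vendor-domain list are constructed for the example; adjust the vendor list to the products you actually run.

```python
"""Audit a Windows hosts file and spot look-alike copies of it.

Added example, not part of the original article or of AVZ. SAMPLE_HOSTS
and the directory listing in __main__ are constructed; VENDOR_DOMAINS is
an assumption to replace with the update hosts of your own products."""
import ipaddress
import unicodedata

# Assumption: domains whose sinkholing blocks anti-virus updates.
VENDOR_DOMAINS = ("avast.com", "kaspersky.com", "z-oleg.com")
LOOPBACK_OR_NULL = {"127.0.0.1", "::1", "0.0.0.0"}

# Cyrillic letters that render identically to Latin ones (Vundo uses 'о').
CONFUSABLES = str.maketrans({"а": "a", "е": "e", "о": "o", "р": "p",
                             "с": "c", "у": "y", "х": "x", "і": "i"})

SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
31.214.145.172  vk.com
127.0.0.1       avast.com
127.0.0.1       www.avast.com
"""


def parse_hosts(text):
    """Yield (line number, ip, hostname) for every mapping in the file."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])  # handles IPv4 and IPv6
        except ValueError:
            continue                              # not a mapping line
        for name in parts[1:]:
            yield lineno, str(ip), name.lower()


def _is_vendor(name):
    return any(name == d or name.endswith("." + d) for d in VENDOR_DOMAINS)


def audit_hosts(text):
    """Return (lineno, severity, message) for every entry other than the
    standard 'localhost' line."""
    findings = []
    for lineno, ip, name in parse_hosts(text):
        if name == "localhost" and ip in LOOPBACK_OR_NULL:
            continue                              # the one legitimate line
        if ip in LOOPBACK_OR_NULL:
            sev = "high" if _is_vendor(name) else "medium"
            findings.append((lineno, sev, f"{name} sinkholed to {ip}"))
        else:
            findings.append((lineno, "high",
                             f"{name} pinned to {ip}: possible redirect"))
    return findings


def lookalike_hosts_names(filenames):
    """Return directory entries that read as 'hosts' only because of a
    Cyrillic letter or other Unicode trickery. Windows names are
    case-insensitive, so a plain 'HOSTS' is the real file and not flagged."""
    flagged = []
    for fn in filenames:
        if fn.lower() == "hosts":
            continue
        skeleton = unicodedata.normalize("NFKC", fn).translate(CONFUSABLES).lower()
        if skeleton == "hosts":
            flagged.append(fn)
    return flagged


if __name__ == "__main__":
    for lineno, sev, msg in audit_hosts(SAMPLE_HOSTS):
        print(f"line {lineno}: [{sev}] {msg}")
    # constructed listing of drivers\etc with a Vundo-style fake
    print("look-alike files:",
          lookalike_hosts_names(["hosts", "h\u043ests", "lmhosts.sam"]))
```

To audit a real machine, read C:\Windows\System32\drivers\etc\hosts (or the directory named in DataBasePath) and pass its text to audit_hosts, and pass the directory listing to lookalike_hosts_names; any entry other than the localhost line deserves a look, and a sinkholed vendor domain explains failing anti-virus updates straight away.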

We noted above that individual resources can also be blocked by creating incorrect entries in the routing table. Here is how to deal with that.

If the hosts file has no malicious entries and a resource is still unreachable, the problem lies in the routing table. A few words about how the two fit together. Once the correct IP address has been obtained for a domain name, packets are sent to that address. As a rule the address does not belong to the local subnet, so the packets are forwarded through the gateway (router) set in the connection settings.

If the routing table contains a route for that specific address, it is used in preference to the default gateway. If the route points to a gateway that does not exist or does not work, the connection fails and the resource stays unavailable. In this way a virus can block absolutely any site simply by adding an entry to the routing table.

Persistent routes (those added with route -p) are stored in the registry under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\PersistentRoutes and survive a reboot; non-persistent ones disappear at restart. The table changes when the route add command is run or the data is edited by hand. If there are no static routes, that section of the table is empty. The routing table is displayed with the route print command; its output looks something like this:

Active Routes: [routing table shown in the figure]

The table shown is the standard one for a PC with a single network card and these connection settings:

network address 192.168.0.0 (the card itself is 192.168.0.3)

mask 255.255.255.0

default gateway 192.168.0.1

The entry consists of the network address 192.168.0.0 and the subnet mask 255.255.255.0. The mask selects all hosts whose address has the same upper part: in binary its first three octets are all ones (255 in decimal, 0xFF in hexadecimal), so only the low-order octet, the host part, varies, and it can take any value from 1 to 254.

The lowest address, 192.168.0.0, is the network address; the highest, 192.168.0.255, is the broadcast address. Neither is assigned to a host: the first is not used for data exchange at all, the second is used to reach all hosts on the network at once. Hosts exchange packets with each other according to the routes in the table.

Consider the following route:

Network destination - 192.168.0.0

Netmask - 255.255.255.0

Gateway - 192.168.0.3

Interface - 192.168.0.3

Metric - 1

It reads as follows: for addresses in the range 192.168.0.0 - 192.168.0.255 the gateway and the interface are both the address of our own network card (192.168.0.3), which means the packets go directly to the addressee. (On Windows Vista and later, route print shows such a route with the gateway as On-link.)

When the destination address is outside 192.168.0.0 - 192.168.0.255 it cannot be reached directly. IP sends the packet to a router, which forwards it on to another network. If no matching static route exists, the router used is the default gateway. The packet goes to that address, then on to the next network and along the routes in each table until it reaches the addressee. In general terms that is the data transfer process. Here is an illustration of a routing table with a few entries; in practice there can be tens or hundreds of lines.



Using the example, let us follow forwarding to an Internet resource. For destinations in 74.55.40.0 - 74.55.40.255 the table names 192.168.0.0 as the gateway, and that is the network number, not a host, so it cannot take part in forwarding. When IP looks up the address 74.55.40.226, which is outside the local network, it finds this static route and uses it.

Had the route not been registered, the packet would have gone to the default gateway instead.

Because the more specific route has priority, it is used instead of the default gateway, and because the gateway it names cannot forward anything, the server 74.55.40.226 stays out of reach. With the mask given in the example, the whole range 74.55.40.0 - 74.55.40.255 is blocked. If that range covers the update servers of the anti-virus installed on the PC, the product stops receiving database updates and cannot work properly.

The more such entries in the routing table, the more resources are blocked. Specialists have seen malware create up to four hundred lines of this kind, blocking about a thousand network resources. The malware authors do not much care that in trying to block one resource they cut off dozens of other sites. This is also their main mistake: the number of unreachable resources gives the game away. If, for example, the most popular social networks are caught in the net and the user cannot open VKontakte or Odnoklassniki, suspicion about the PC's network operation arises immediately.

Fixing this is not hard: use the route command with the delete keyword. Find the false entries in the table and remove them. A small note: all these operations require administrator rights, but then the virus could only have changed the routes if it ran under the administrator's account. Some examples:

route delete 74.55.40.0 - deletes the first false route;

route delete 74.55.74.0 - deletes the second false route.

There should be as many such lines as there are false routes.

An easier approach is to redirect the output: run route print > C:\routes.txt. This creates a file named routes.txt on the system drive containing the routing table.

The listing contains box-drawing and other characters from the OEM code page; they are unreadable and irrelevant for the job. Prefix each false route line with route delete, and the resulting commands remove every false entry. They look something like this:

route delete 84.50.0.0

route delete 84.52.233.0

route delete 84.53.70.0

route delete 84.53.201.0

route delete 84.54.46.0

Then change the file extension to cmd or bat and run the new file by double-clicking it with the left mouse button. The popular file manager FAR makes the editing easier: open the file in the editor with F4, use the CTRL+F7 replace dialog to delete the right-hand part of each route line (mask, gateway, interface, metric), and use CTRL+F7 once more to replace the spaces at the start of each line with route delete, which puts the command exactly where we need it.

When there are many false routes in the table and removing them by hand is long and tedious, the route command can be used with the -f key.

This key clears the routing table of all entries except host routes (mask 255.255.255.255), the loopback route (destination 127.0.0.0) and multicast routes. In other words, all the false entries the virus wrote are removed, but the static routes the user added and the default gateway route are destroyed as well, so they must be restored afterwards or the network will stay unavailable: reconnecting the adapter or renewing the DHCP lease re-creates the default route, and a manually set gateway can be re-added with route add 0.0.0.0 mask 0.0.0.0 followed by the gateway address. Review the table before clearing it and note the entries you need.
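The following added example (not from the article or from AVZ) turns the procedure above into code: it does the subnet arithmetic from the earlier paragraphs, parses the Active Routes section of route print, decides whether an address is reachable on-link, and generates a route delete command only for routes whose gateway is the network or broadcast address of a local subnet (or sits on no local subnet at all), which avoids the collateral damage of route -f. SAMPLE_ROUTE_PRINT is a constructed imitation of route print output reflecting the 192.168.0.0/24 and 74.55.40.0/24 figures used in the text; it is not a real capture.

```python
"""Route-table audit: subnet arithmetic, the on-link decision, and
`route delete` commands for static routes whose gateway cannot forward.
Added example, not part of the article or of AVZ. SAMPLE_ROUTE_PRINT is
a constructed imitation of `route print` output on Windows Vista+."""
import ipaddress
import re

SAMPLE_ROUTE_PRINT = """\
===========================================================================
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.0.1     192.168.0.3     20
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
      192.168.0.0    255.255.255.0         On-link       192.168.0.3    276
       74.55.40.0    255.255.255.0      192.168.0.0     192.168.0.3      1
       74.55.74.0    255.255.255.0      192.168.0.0     192.168.0.3      1
===========================================================================
Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
       74.55.40.0    255.255.255.0      192.168.0.0       1
       74.55.74.0    255.255.255.0      192.168.0.0       1
===========================================================================
"""

# destination, mask, gateway (address or "On-link"), interface, metric
_ROW = re.compile(r"^\s*(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)"
                  r"\s+(\S+)\s+(\S+)\s+(\d+)\s*$")


def describe_network(ip, mask):
    """Network address, broadcast address and usable host range of ip/mask."""
    net = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
    hosts = list(net.hosts())
    return (str(net.network_address), str(net.broadcast_address),
            str(hosts[0]), str(hosts[-1]))


def parse_active_routes(text):
    """Parse the 'Active Routes' section of `route print` into dicts."""
    routes, active = [], False
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("Active Routes"):
            active = True
            continue
        if s.startswith("Persistent Routes"):
            break
        m = _ROW.match(line) if active else None
        if m:
            dest, mask, gw, iface, metric = m.groups()
            routes.append({
                "dest": ipaddress.ip_network(f"{dest}/{mask}", strict=False),
                "gateway": gw, "iface": iface, "metric": int(metric)})
    return routes


def on_link_networks(routes):
    """Networks reached directly (gateway On-link), loopback excluded."""
    return [r["dest"] for r in routes
            if r["gateway"].lower() == "on-link" and not r["dest"].is_loopback]


def is_on_link(ip, routes):
    return any(ipaddress.ip_address(ip) in n for n in on_link_networks(routes))


def gateway_is_bogus(gw, routes):
    """True if the gateway is not a host address on a directly connected
    network: the network or broadcast address (the virus's trick in the
    text), or an address on a link this machine does not have."""
    if gw.lower() == "on-link":
        return False
    g = ipaddress.ip_address(gw)
    for n in on_link_networks(routes):
        if g in n:
            return g in (n.network_address, n.broadcast_address)
    return True


def delete_commands(routes):
    """One `route delete` per route with a bogus gateway. The default route
    is never deleted here; a broken one is repaired with
    `route add 0.0.0.0 mask 0.0.0.0 <gateway>` instead."""
    cmds = []
    for r in routes:
        if r["dest"].prefixlen == 0:
            continue
        if gateway_is_bogus(r["gateway"], routes):
            cmds.append(f"route delete {r['dest'].network_address} "
                        f"mask {r['dest'].netmask}")
    return cmds


if __name__ == "__main__":
    print(describe_network("192.168.0.3", "255.255.255.0"))
    routes = parse_active_routes(SAMPLE_ROUTE_PRINT)
    print("74.55.40.226 on-link?", is_on_link("74.55.40.226", routes))
    print("\n".join(delete_commands(routes)))  # paste into a .bat, run elevated
```

Run route print on the affected machine, feed the captured text to parse_active_routes, review the generated commands, and run them from an elevated prompt; afterwards run route print again and confirm that the Persistent Routes section is clean too, otherwise the entries come back at the next reboot.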

AVZ can also be used to clean up the routing table: item twenty of its recovery list, "Remove all static routes", does exactly this.

The last way malware blocks access to the IP addresses of sites is by spoofing the DNS server address, so that name resolution goes through a malicious server. Such situations are rare enough.

After all this work, reboot the computer.

Once again, thanks for help in preparing this material to the specialists of the Launch.RF computer service centre - http://zapuskay.rf/information/territory/kolomenskaya/, who offer laptop and netbook repair in Moscow.

Recovering encrypted files is a problem faced by a large number of users who have fallen victim to ransomware. The number of malicious programs in this group is very large and grows every day. Recently alone we have encountered dozens of encryptors: CryptoLocker, Crypt0l0cker, Alpha Crypt, TeslaCrypt, CoinVault, Bit Crypt, CTB-Locker, TorrentLocker, HydraCrypt, better_call_saul, crittt, etc.

You can, of course, try to recover the files by following the instructions the virus authors leave on the infected computer. But the price is usually considerable, some ransomware encrypts files in a way that makes later decryption impossible, and paying gives no guarantee of a working key. And it is simply galling to pay to get your own files back.

Ways to recover encrypted files for free

There are several ways to recover encrypted files using free, proven programs such as ShadowExplorer and PhotoRec. Before and during recovery use the infected computer as little as possible: every write to the disk can overwrite data that could still have been recovered.

Follow the instructions below step by step. If something does not work, STOP and ask for help by commenting on this article or by opening a new topic on our forum.

1. Remove ransomware virus

Kaspersky Virus Removal Tool and Malwarebytes Anti-Malware can detect different types of active ransomware and easily remove them from your computer, BUT they cannot recover encrypted files. Removing the ransomware first still matters: as long as it is running, it will encrypt anything you recover.

1.1. Remove ransomware virus using Kaspersky Virus Removal Tool

Download and run the tool, then click the Scan button to start scanning your computer for the ransomware.

Wait until the end of this process and remove the found malware.

1.2. Remove ransomware virus with Malwarebytes Anti-malware

Download the program. After the download is complete, run the downloaded file.

The update procedure starts automatically. When it finishes, click the scan button (Scan Now); Malwarebytes Anti-Malware will scan your computer.

As soon as the scan finishes, Malwarebytes Anti-Malware shows the list of ransomware components it found.

Click the Remove Selected button to clean your computer. During removal, Malwarebytes Anti-Malware may ask to restart the computer to continue the process; confirm with Yes.

Once the computer is restarted, Malwarebytes Anti-malware will automatically continue the disinfection process.

2. Recover encrypted files using ShadowExplorer

ShadowExplorer is a small utility that lets you browse and restore the shadow copies (Volume Shadow Copy snapshots) that Windows (7-10) creates automatically when System Protection is on. If a snapshot predates the infection, the encrypted files can be restored from it in their original state. Note that many ransomware families delete shadow copies (typically with vssadmin delete shadows) as part of the attack; if ShadowExplorer shows no snapshots for the disk, move on to the next method.

Download the program. The program is in a zip archive. Therefore, right-click on the downloaded file and select Extract All. Then open the ShadowExplorerPortable folder.

Start ShadowExplorer. Select the disk you need and the date the shadow copy was created (numbers 1 and 2 in the figure below).

Right-click the directory or file you want to restore and select Export from the menu that appears.

Finally, select the folder the recovered file will be copied to.

3. Recover encrypted files using PhotoRec

PhotoRec is a free program for recovering deleted and lost files. Many ransomware families write the encrypted copy as a new file and then delete the original; PhotoRec can carve such deleted originals from unallocated disk space as long as their sectors have not been overwritten. It does not help against ransomware that encrypts files in place, and every write to the disk after infection reduces what can be recovered.

Download the program. The program is in the archive. Therefore, right-click on the downloaded file and select Extract All. Then open the testdisk folder.

Find QPhotoRec_Win in the list of files and run it. The program window will open in which all partitions of the available disks will be shown.

In the list of partitions, select the one containing the encrypted files. Then click on the File Formats button.

By default the program recovers all file types; to speed things up, leave only the types you actually need. Click OK when done.

At the bottom of the QPhotoRec window click Browse and select the directory for the recovered files. Use a disk that does not itself hold encrypted files awaiting recovery (a USB flash drive or an external disk), because writing to the affected disk can overwrite the very data you are trying to recover.

Click Search to start searching for and recovering the original copies of the encrypted files. This takes a long time, so be patient.

When the search is over, click the Quit button. Now open the folder that you have chosen to save the recovered files.

The folder will contain directories named recup_dir.1, recup_dir.2, recup_dir.3 and so on; the more files found, the more directories. Check them one by one. To find a particular file among the many recovered ones, use the built-in Windows search (by file content) and the sorting options in the folder; sorting by modified date is useful because QPhotoRec tries to restore that property when it recovers a file. Recovered files get generic names, since PhotoRec works from file signatures rather than from the file system, so the original names are usually lost.

A virus is a type of malware that infiltrates system memory, the code of other programs and boot sectors. It can delete important data from a hard drive, USB drive or memory card.

Most users do not know how to recover files after a virus attack. This article shows how to do it quickly and simply. There are two main ways to remove the virus and recover deleted data after an attack.

Delete the virus using the command prompt

1) Click the Start button and type CMD in the search box. Command Prompt appears at the top of the window; press Enter.

2) In the Command Prompt, type:

attrib -h -r -s /s /d D:\*.*

where D: is the drive letter of the infected disk, memory card or USB stick. The -h, -r and -s switches clear the Hidden, Read-only and System attributes, /s applies the change to all files in subdirectories and /d applies it to the directories themselves.

This command does not remove the virus. What it does is undo the trick used by "shortcut" viruses on removable media, which hide the user's files and folders behind those attributes and leave shortcuts that launch the malware in their place; after the command the files become visible again. It can take some time on a large drive. The malicious shortcuts and the hidden executable still have to be deleted, by hand or by the anti-virus.

To start Windows System Restore, click the Start button and type Restore in the search box. In the window that opens click Open System Restore, then Next, and select the restore point you need.



Another way to get there is Control Panel → System → System Protection. A preparation window appears, the computer reboots, and a message says "System Restore completed successfully." If that did not solve the problem, try an earlier restore point. That is all there is to the second method. Note that System Restore restores system files, the registry and installed programs; it does not bring back deleted user documents.

Magic Partition Recovery: Restoring Missing Files and Folders after a Virus Attack

For recovering files deleted by viruses, the article recommends Magic Partition Recovery. The program reads the disk directly at a low level, so the attributes and deletions made by the virus do not stop it from reading your files.

Download and install the program, then analyse the disk, flash drive or memory card. After the analysis the program shows the list of folders on the selected disk. Select a folder on the left to view its contents on the right.



The program thus lets you browse the contents of the disk in the same way as the standard Windows Explorer. In addition to existing files, deleted files and folders are shown, marked with a red cross, which makes deleted files easy to pick out and recover.

If you have lost files after a virus attack, Magic Partition Recovery can restore them without much effort.


The handbook list continues below from item 5 (items 1 to 4 are given at the top of this page).

5. Restoring Desktop Settings

This firmware restores the desktop settings: it removes all Active Desktop elements and the wallpaper, and removes the locks on the menu responsible for desktop settings.

Indications for use: the desktop tabs have disappeared from the Display Properties window, extraneous text or pictures are displayed on the desktop.

6.Delete all Policies (restrictions) of the current user

Windows provides a mechanism for restricting user actions called Policies. Many malicious programs use it, since the settings are stored in the registry and are easy to create or modify.

Indications for use: Explorer or other system functions are blocked.

7.Delete the message displayed during WinLogon

Windows NT and later systems in the NT line (2000, XP) allow a message to be set that is displayed at logon.

A number of malicious programs take advantage of this, and killing the malicious program does not destroy the message.

Indications for use: An extraneous message is introduced during system boot.

8.Restoring Explorer Settings

This firmware resets a number of Explorer settings to standard ones (first of all, the settings changed by malware are reset).

Indications for use: Explorer settings changed

9.Remove system process debuggers

Registering a debugger for a system process causes the registered application to be started hidden in place of that process, which a number of malicious programs use.

Indications for use: AVZ detects unrecognized debuggers of system processes, there are problems with starting system components, in particular, after a reboot, the desktop disappears.

10.Restoring Boot Settings in SafeMode

Some malware, in particular the Bagle worm, corrupts the Safe Mode boot settings of the system.

This firmware restores the Safe Mode boot settings. Indications for use: the computer does not boot in Safe Mode. Use this firmware only if there are problems booting in Safe Mode.

11.Unlock Task Manager

Task manager blocking is used by malware to protect processes from detection and deletion. Accordingly, the execution of this microprogram removes the lock.

Indications for use: Blocking the task manager, when you try to call the task manager, the message "Task manager is blocked by the administrator" is displayed.

12.Clear the ignore list of the HijackThis utility

The HijackThis utility stores a number of its settings in the registry, in particular its ignore list. To hide from HijackThis, a malicious program therefore only needs to add its executable files to that list.

A number of malicious programs are known to exploit this weakness. The AVZ firmware clears the HijackThis ignore list.

Indications for use: Suspicions that the HijackThis utility does not display all information about the system.

13. Cleaning up the Hosts file

Clearing the Hosts file amounts to finding the Hosts file, removing all meaningful lines from it, and adding the standard line "127.0.0.1 localhost".

Indications for use: Suspicion that the Hosts file has been modified by malware. Typical symptoms are the blocking of antivirus software updates.

You can control the content of the Hosts file using the Hosts file manager built into AVZ.

14. Automatic correction of SPI/LSP settings

Analyses the SPI settings and, if errors are found, corrects them automatically.

This firmware can be run any number of times. After running it, restart the computer. Note: this firmware cannot be launched from a terminal session.

Indications for use: Internet access was lost after the malware was removed.

15. Reset SPI / LSP and TCP / IP settings (XP +)

This firmware only works on XP, Windows 2003 and Vista. It resets and re-creates the SPI/LSP and TCP/IP settings using the standard netsh utility included with Windows.

Note! Use this reset only when necessary, that is, when there are problems with Internet access after malware removal that cannot be fixed otherwise!

Indications for use: after the malware was removed there is no Internet access, and running "14. Automatic correction of SPI/LSP settings" had no effect.

16. Recovering the Explorer startup key

Restores system registry keys responsible for starting Explorer.

Indications for use: Explorer does not start during system boot, but it is possible to manually launch explorer.exe.

17. Unlocking Registry Editor

Unlocks Registry Editor by removing the policy value (DisableRegistryTools) that prevents it from running.

Indications for use: Registry Editor cannot be started; when you try, you receive the message "Registry editing has been disabled by your administrator".

18. Complete re-creation of SPI settings

Backs up the SPI / LSP settings, then deletes them and recreates them from the reference copy stored in the AVZ database.

Indications for use: Severe damage to the SPI settings that firmware 14 and 15 could not repair. Use only if necessary!
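Operations 14, 15 and 18 all act on the Winsock catalog, and the handbook's "use only if necessary" is easier to follow if you can see what is in the catalog first. The PowerShell script below is an added example (not AVZ code): it parses the English output of `netsh winsock show catalog`, flags every service provider whose DLL is missing (the dangling-entry case that operation 14 repairs) or not Microsoft-signed (a third-party LSP, legitimate or not), and performs the same `netsh` reset that operation 15 relies on only when `$env:WINSOCK_RESET` is set to `1` (an assumed convention of this script). The two label regexes are an assumption about the English netsh output; they need adjusting on a localised Windows. Run elevated.

```powershell
# Added example (not AVZ code): inspect the Winsock catalog before reaching for
# AVZ operations 14/15/18, and run the same reset they rely on only on request.
# Assumes the English labels printed by "netsh winsock show catalog". Run elevated.

function Get-WinsockProviders {
    # Each service-provider entry prints a "Description:" line followed by a
    # "Provider Path:" line with the DLL (name-space providers have no path). Pair them up.
    $cur = $null
    foreach ($line in (netsh winsock show catalog)) {
        if ($line -match '^\s*Description:\s*(.+?)\s*$') {
            $cur = $Matches[1]
        } elseif ($cur -and $line -match '^\s*Provider Path:\s*(.+?)\s*$') {
            [pscustomobject]@{
                Description = $cur
                Path        = [Environment]::ExpandEnvironmentVariables($Matches[1])
            }
            $cur = $null
        }
    }
}

function Test-WinsockProvider($Provider) {
    # Returns $null for a healthy Microsoft provider, otherwise the reason to look closer.
    if (-not (Test-Path -LiteralPath $Provider.Path)) {
        # The classic post-cleanup breakage: the LSP DLL was deleted but its catalog
        # entry was not, so every application that loads the chain loses networking.
        return 'DLL missing (dangling entry)'
    }
    $sig = Get-AuthenticodeSignature -LiteralPath $Provider.Path
    if ($sig.Status -ne 'Valid') { return "signature $($sig.Status)" }
    if ($sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') {
        return "third-party LSP signed by $(($sig.SignerCertificate.Subject -split ',')[0])"
    }
    return $null
}

$providers = @(Get-WinsockProviders)
"$($providers.Count) service-provider entries in the catalog"
$review = foreach ($p in $providers) {
    $why = Test-WinsockProvider $p
    if ($why) { [pscustomobject]@{ Description = $p.Description; Path = $p.Path; Reason = $why } }
}
if ($review) {
    $review | Format-Table -AutoSize -Wrap
} else {
    'Only valid Microsoft-signed providers: the Winsock catalog is not the problem.'
}

# The reset behind AVZ operation 15: rebuild the catalog and the TCP/IP configuration
# from defaults. Legitimate third-party LSPs (some antivirus and VPN products) are
# removed too and must be reinstalled, which is why the handbook says "only if necessary".
if ($env:WINSOCK_RESET -eq '1') {
    netsh winsock reset
    netsh int ip reset
    'Reboot to complete the reset.'
}
```

A "DLL missing" row is the finding that matters after a cleanup: re-registering or removing that single entry (or running operation 14) is less disruptive than a full reset, which should stay the last resort as the text says.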

19. Clear the MountPoints database

Clears the MountPoints and MountPoints2 keys in the registry. Explorer caches per-device autorun settings there (including the commands taken from a removable drive's autorun.inf), so this operation often helps when drives no longer open in Explorer after an infection by a flash-drive worm.
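Several of the operations above (and operations 1 and 9, which the "Restoring startup programs" section further down relies on) come down to a handful of registry locations that malware rewrites. The following PowerShell script is an added example, not AVZ code: it audits those locations and reports every deviation from the stock Windows values, and repairs them only when `$env:REG_FIX` is set to `1` (an assumed convention of this script). The expected values (`"%1" %*` launch commands, `explorer.exe`, `userinit.exe,`) are the Windows defaults as I know them, not values taken from the AVZ database. Run elevated.

```powershell
# Added example (not AVZ code): audit the registry locations behind AVZ operations
# 1, 9, 11, 16, 17 and 19 and repair them only when $env:REG_FIX is '1'. Run elevated.
# Expected values are the stock Windows defaults (an assumption of this script).
$fix = $env:REG_FIX -eq '1'
$findings = New-Object 'System.Collections.Generic.List[string]'
New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT -ErrorAction SilentlyContinue | Out-Null

function Get-RegValue($Path, $Name) {
    (Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

# Op 1: file associations. The stock launch command is "%1" %* (scr: "%1" /S); malware
# rewrites it to "<malware> %1" so that it runs before every program the user starts.
foreach ($cls in 'exefile', 'comfile', 'piffile', 'scrfile') {
    $key  = "HKCR:\$cls\shell\open\command"
    $want = if ($cls -eq 'scrfile') { '"%1" /S' } else { '"%1" %*' }
    $have = Get-RegValue $key '(default)'
    if ($have -ne $want) {
        $findings.Add("op 1: $cls command is '$have', expected $want")
        if ($fix) { New-Item -Path $key -Force | Out-Null; Set-ItemProperty -LiteralPath $key -Name '(default)' -Value $want }
    }
}

# Ops 11 and 17: the "disabled by your administrator" messages come from these policy values.
foreach ($hive in 'HKCU', 'HKLM') {
    $pol = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Policies\System"
    foreach ($name in 'DisableTaskMgr', 'DisableRegistryTools') {
        if (Get-RegValue $pol $name) {
            $findings.Add("op 11/17: $name is set in $pol")
            if ($fix) { Remove-ItemProperty -LiteralPath $pol -Name $name }
        }
    }
}

# Op 16: Winlogon decides what runs at logon. A replaced Shell/Userinit is how a blocker
# gets its window instead of the desktop; a per-user Shell under HKCU overrides HKLM.
$wl = 'Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
$checks = @(
    @{ Path = "HKLM:\$wl"; Name = 'Shell';    Want = 'explorer.exe';                           MissingOk = $false }
    @{ Path = "HKLM:\$wl"; Name = 'Userinit'; Want = "$env:SystemRoot\system32\userinit.exe,"; MissingOk = $false }
    @{ Path = "HKCU:\$wl"; Name = 'Shell';    Want = 'explorer.exe';                           MissingOk = $true  }
)
foreach ($c in $checks) {
    $have = Get-RegValue $c.Path $c.Name
    if ($null -eq $have -and $c.MissingOk) { continue }
    if ($have -ne $c.Want) {
        $findings.Add("op 16: $($c.Path)\$($c.Name) = '$have', expected '$($c.Want)'")
        if ($fix) {
            if ($c.MissingOk) { Remove-ItemProperty -LiteralPath $c.Path -Name $c.Name }   # drop the per-user override
            else { Set-ItemProperty -LiteralPath $c.Path -Name $c.Name -Value $c.Want }
        }
    }
}

# Op 9: an Image File Execution Options "Debugger" value makes Windows start that binary
# instead of the named one. Legitimate uses exist (Process Explorer's "replace Task
# Manager"), so read the list before letting the script remove anything.
foreach ($root in "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options",
                  "HKLM:\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options") {
    foreach ($k in Get-ChildItem -LiteralPath $root -ErrorAction SilentlyContinue) {
        $dbg = $k.GetValue('Debugger')
        if ($dbg) {
            $findings.Add("op 9: IFEO debugger for $($k.PSChildName): $dbg")
            if ($fix) { Remove-ItemProperty -LiteralPath $k.PSPath -Name 'Debugger' }
        }
    }
}

# Op 19: MountPoints2 caches each removable device's autorun.inf verbs, so a worm that
# has already been deleted from the drive can still be launched from the drive's menu.
$mp = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2'
foreach ($k in Get-ChildItem -LiteralPath $mp -ErrorAction SilentlyContinue) {
    $cmd = Get-RegValue "$($k.PSPath)\Shell\AutoRun\command" '(default)'
    if ($cmd) { $findings.Add("op 19: MountPoints2 $($k.PSChildName) autorun -> $cmd") }
}
if ($fix) { Remove-Item -LiteralPath $mp -Recurse -Force -ErrorAction SilentlyContinue }   # what op 19 does

if ($findings.Count) { $findings | ForEach-Object { "[!] $_" } } else { 'No deviations from stock settings found.' }
if ($fix) { 'Fixes applied; log off and on again (Winlogon) or reboot for everything to take effect.' }
```

As with AVZ itself, run the audit only after the malware has been stopped: a running blocker simply writes its values back.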

To run the restoration, tick one or more items and press "Perform marked operations" (each "firmware" is a built-in restore script from the AVZ database). Pressing "OK" closes the window.

On a note:

Restoration is useless while a Trojan that performs these reconfigurations is still running: first remove the malware, then restore the system settings.

On a note:

To remove the traces of most hijackers you need to run three firmware: "Reset Internet Explorer search settings to standard", "Restore Internet Explorer start page" and "Reset Internet Explorer protocol prefix settings to standard".

On a note:

Any of the firmware can be run several times in a row without harming the system. The exceptions are "5. Restoring Desktop Settings" (running it resets all desktop settings, and you will have to choose the desktop colour and wallpaper again) and "10. Restoring Boot Settings in SafeMode" (it recreates the registry keys responsible for booting into Safe Mode).

To start the recovery, download, unpack and run the utility, then click File - System Restore. By the way, you can also execute

Tick the boxes you need and click the button to start the operations. Then wait for it to finish :-)

In the following articles we will look in more detail at the problems that the AVZ system-restore firmware can solve. Good luck.

Antivirus programs, even when they detect and remove malware, do not always restore the system to full working order. Often, after a virus has been removed, the user is left with an empty desktop, no Internet access at all (or some sites blocked), a dead mouse and so on. As a rule this is because some system or user settings changed by the malware were left as they were.

The utility is free, works without installation, is remarkably functional and has helped me out in a variety of situations. A virus, as a rule, makes changes to the system registry (adds itself to startup, modifies program launch parameters and so on). Rather than digging through the system and correcting the traces of the virus by hand, use the "System Restore" operation available in AVZ (the utility is also very good as an antivirus, so it is well worth checking the disks for viruses with it too).

To start the recovery, run the utility, then click File - System Restore,

and a window like this opens:

tick the boxes you need and click "Perform marked operations". The operations offered are the nineteen described above.



There are programs as universal as a Swiss Army knife. The hero of this article is one of them: AVZ (Zaitsev's Anti-Virus). With this free tool you can catch viruses, optimise the system and fix problems.

AVZ features

I have already written about AVZ as an antivirus program in an earlier article. Its work as a one-off antivirus (more precisely, an anti-rootkit) is well described in its help, so here I will show the other side of the program: checking and restoring settings.

What can be "fixed" with AVZ:

  • Restore the launching of programs (.exe, .com, .pif files)
  • Reset Internet Explorer settings to standard
  • Restore desktop settings
  • Remove restrictions on rights (for example, if a virus has blocked the launch of programs)
  • Remove a banner or window that appears before login
  • Remove malware that launches itself together with every program
  • Unblock Task Manager and Registry Editor (if a virus has prevented them from starting)
  • Clear the Hosts file
  • Prevent autostart of programs from flash drives and discs
  • Delete unnecessary files from the hard drive
  • Fix desktop problems
  • And much more

You can also use it to check the security of Windows settings (to protect better against viruses) and to optimise the system by cleaning up startup.

The program is free and is downloaded from the author's site, z-oleg.com.

First, let's secure Windows against careless actions

AVZ has a great many functions that affect the operation of Windows. That is dangerous: a mistake can cause real trouble. Read the text and the help carefully before doing anything. The author of the article is not responsible for your actions.

So that you can "put everything back as it was" after careless work with AVZ, I wrote this chapter.

This is a mandatory step. It creates an "escape route" in case of careless actions: thanks to the restore point you can return the settings and the Windows registry to an earlier state.

System Restore has been an essential component of every version of Windows since Windows ME. It is a pity that people usually forget about it and waste time reinstalling Windows and programs, when a couple of mouse clicks would have avoided all the trouble.

If the damage is serious (for example, some system files have been deleted), System Restore will not help. In other cases (you misconfigured Windows, "tinkered" with the registry, installed a program after which Windows does not boot, misused AVZ), System Restore should help.

After it has run, AVZ creates subfolders with backups in its own folder:

/Backup - backup copies of the registry.

/Infected - copies of deleted viruses.

/Quarantine - copies of suspicious files.

If problems started after AVZ ran (for example, you used AVZ's System Restore thoughtlessly and the Internet stopped working) and Windows System Restore did not roll back the changes, you can restore the registry backups from the Backup folder.

How to create a restore point

Go to Start - Control Panel - System - System Protection:

Click "System Protection" in the "System" window.

Press the "Create" button.

Creating a restore point can take up to ten minutes. Then a window appears:

The restore point is created. By the way, restore points are created automatically when you install programs and drivers, but not always. So before risky actions (configuring or cleaning the system) it is better to create one more restore point, so that you can congratulate yourself on your prudence if trouble comes.

How to restore the computer from a restore point

There are two ways to run System Restore: from a running Windows, and from the installation disc.

Option 1 - if Windows starts

Go to Start - All Programs - Accessories - System Tools - System Restore:

System Restore starts. Select "Choose a different restore point" and press Next. A list of restore points opens; choose the one you need:

The computer restarts automatically. After it boots, the settings, the registry and some important files will have been restored.

Option 2 - if Windows won't boot

You need an installation disc with Windows 7 or Windows 8. Where to get one (or download it) I described in a separate article.

Boot from the disc (how to boot from bootable discs is described separately) and select:

Choose "System Restore" instead of installing Windows
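The same steps can be scripted, which makes it painless to take the "escape route" before every AVZ session. The block below is an added example, not from the article: it enables protection on the system drive, lifts the 24-hour checkpoint throttle that Windows 8 and later apply, creates a restore point, lists the available points the way the GUI does, and rolls back only when a sequence number is passed in through `$env:RESTORE_SEQ` (an assumed convention of this script, because `Restore-Computer` reboots immediately). The cmdlets are part of Windows PowerShell (they were removed from PowerShell 7). Run elevated.

```powershell
# Added example (not from the article): the restore-point steps above as a script.
# Checkpoint-Computer, Get-ComputerRestorePoint and Restore-Computer ship with
# Windows PowerShell (up to 5.1); PowerShell 7 no longer has them. Run elevated.

function New-AvzRestorePoint([string]$Description = 'Before AVZ system restore') {
    # Protection must be enabled on the system drive, or the checkpoint cannot be created.
    Enable-ComputerRestore -Drive "$env:SystemDrive\"
    # Windows 8 and later refuse a second checkpoint within 24 h of the previous one;
    # a creation frequency of 0 minutes removes that throttle (the value is ignored on Windows 7).
    $sr = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore'
    Set-ItemProperty -Path $sr -Name SystemRestorePointCreationFrequency -Value 0 -Type DWord
    Checkpoint-Computer -Description $Description -RestorePointType MODIFY_SETTINGS
    # Return the point just created (highest sequence number).
    Get-ComputerRestorePoint | Sort-Object SequenceNumber -Descending | Select-Object -First 1
}

function Get-RestorePointTable {
    # CreationTime comes back in WMI's DMTF string format; convert it so the list reads like the GUI.
    Get-ComputerRestorePoint | Sort-Object SequenceNumber -Descending |
        Select-Object SequenceNumber, Description, RestorePointType,
            @{ Name = 'Created'; Expression = { [Management.ManagementDateTimeConverter]::ToDateTime($_.CreationTime) } }
}

$point = New-AvzRestorePoint
"Created restore point #$($point.SequenceNumber): $($point.Description)"
Get-RestorePointTable | Format-Table -AutoSize

# Rolling back is the equivalent of Option 1 above. It reboots at once, so it only runs
# when a sequence number is passed in explicitly, e.g.  $env:RESTORE_SEQ = '42'.
if ($env:RESTORE_SEQ) {
    Restore-Computer -RestorePoint ([int]$env:RESTORE_SEQ) -Confirm:$false
}
# After the reboot, "Get-ComputerRestorePoint -LastStatus" reports whether the rollback succeeded.
```

Keep in mind what the article says about the limits of System Restore: it rolls back registry hives and protected system files, not the malware's own binary, so the sample should still be deleted or quarantined afterwards.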

Fixing the system after viruses or inept actions with the computer

Before anything else, get rid of the viruses, for example with AVZ's own scanner. Otherwise there is no point: the running virus will "break" the corrected settings again.

Restoring the launching of programs

If a virus has blocked the launch of programs, AVZ will help. Of course, you still have to start AVZ itself, but that is fairly easy:

First go to Control Panel (set any view except Category) - Folder Options - View - untick "Hide extensions for known file types" - OK. Now you can see each file's extension, the few characters after the last period in the name; for programs this is usually .exe or .com. To run AVZ on a computer where the launch of programs is blocked, rename its extension to cmd or pif; this works because such malware usually breaks only the .exe association and leaves the other executable-type associations intact:

AVZ then starts. In the program window, click File - System Restore:

Tick these items:

1. Restoring startup parameters for .exe, .com, .pif files (this is what actually fixes the launching of programs)

6. Removing all Policies (restrictions) of the current user (in some rare cases this item also helps with launching programs, if the virus was particularly nasty)

9. Removing system process debuggers (it is highly desirable to tick this item, because even after an antivirus scan something may remain from the virus. It also helps when the desktop does not appear at system startup)

Confirm the action; a window with the text "System restore completed" appears. Then restart the computer, and the problem with starting programs is solved!

Restoring Desktop Launch

A fairly common problem: when the system starts, the desktop does not appear.

You can start the desktop like this: press Ctrl + Alt + Del, open Task Manager, choose File - New Task (Run...) there and enter explorer.exe:

OK - the desktop starts. But this is only a temporary fix; the next time you turn on the computer you will have to repeat it.

To avoid doing this every time, you need to restore the launch key for explorer ("Explorer", which is responsible for the standard view of folder contents and for the desktop). In AVZ, click File - System Restore and tick "16. Recovering the Explorer startup key".

Click Perform marked operations, confirm the action and press OK. Now the desktop starts normally when the computer boots.

Unlocking Task Manager and Registry Editor

If a virus has blocked the launch of the two programs mentioned above, you can remove the ban from the same AVZ window. Just tick two items:

11. Unlocking the task manager

17. Unlocking Registry Editor

And press Perform the marked operations.

Internet problems (Vkontakte, Odnoklassniki and antivirus sites do not open)

Cleaning the system from unnecessary files

AVZ can also clean the computer of unnecessary files. If no disk-cleaning program is installed on the computer, AVZ will do, since it offers many options:

More about the items:

  1. Clear the Prefetch system cache - cleans the folder holding information about which files to preload to make programs start faster. This option is useless, because Windows itself manages the Prefetch folder quite well and cleans it when needed.
  2. Delete Windows log files - clears various databases and files that record events in the operating system. The option is useful only if you need to free up a dozen or two megabytes of disk space, i.e. the benefit is negligible and the option is useless. Worse, the event logs are the main record of what happened on the machine; if you are still investigating an infection, keep them.
  3. Delete memory dump files - when a critical error occurs, Windows stops and shows a BSOD (blue screen of death), saving information about running programs and drivers to a file so that special tools can later identify the culprit. The option is almost useless, since it wins only about ten megabytes. Deleting the dumps does not harm the system, but the dump is exactly what you need to find the cause of the crash (or to examine a driver the malware installed), so delete it only after analysis.
  4. Clear the Recent Documents list - oddly enough, the option clears the Recent Documents list on the Start menu. You can also clear it by hand by right-clicking this item in the Start menu and choosing "Clear recent items list". A useful option: I have noticed that clearing the list lets the Start menu show its submenus a little faster. It does not harm the system.
  5. Clear the TEMP folder - the Holy Grail for those looking for where the free space on drive C: went. Many programs store temporary files in the TEMP folder and forget to "clean up after themselves" later. A typical example is archivers: they unpack files there and forget to delete them. Clearing the TEMP folder does not harm the system and can free up a lot of space (in particularly neglected cases the gain reaches fifty gigabytes!).
  6. Adobe Flash Player - clean temporary files - Flash Player can save temporary files, which can be removed. Sometimes (rarely) the option helps with Flash Player glitches, for example problems with video and audio playback on the Vkontakte site. There is no harm in using it.
  7. Clear the terminal client cache - as far as I know, this option cleans the temporary files of the Windows component "Remote Desktop Connection" (remote access to computers via RDP). The option seems harmless and frees a dozen megabytes at best. No point in using it.
  8. IIS - delete the HTTP error log - it would take a while to explain what this is. Let me just say it is better not to enable the IIS log cleanup option. In any case it does no harm, and no good either.
  9. Macromedia Flash Player - duplicates "Adobe Flash Player - clean temporary files", but applies to rather ancient versions of Flash Player.
  10. Java - clear cache - gains a couple of megabytes on the hard drive. I do not use Java programs, so I have not checked the consequences of enabling this option. I do not recommend turning it on.
  11. Empty the Recycle Bin - the purpose of this item is perfectly clear from its name.
  12. Delete installation logs of system updates - Windows keeps a log of installed updates; enabling this option clears it. The option is useless, as there is no gain in free space.
  13. Delete the Windows Update log - similar to the previous item, but other files are deleted. Also a useless option.
  14. Clear the MountPoints database - if the icons for a flash drive or hard drive do not appear in the Computer window when you plug it in, this option can help. I advise turning it on only if you have problems connecting flash drives and disks.
  15. Internet Explorer - clear cache - cleans Internet Explorer's temporary files. The option is safe and useful.
  16. Microsoft Office - clear cache - cleans the temporary files of Microsoft Office programs (Word, Excel, PowerPoint and others). I cannot vouch for the option's safety because I do not have Microsoft Office.
  17. Clear the CD-writing system cache - a useful option that deletes files you had prepared for writing to disc.
  18. Clear the system TEMP folder - unlike the user's TEMP folder (see item 5), clearing this folder is not always safe, and it usually frees little space. I do not advise turning it on.
  19. MSI - clear the Config.Msi folder - this folder contains various files created by program installers. It grows large when installers did not finish correctly, so clearing Config.Msi is worthwhile. Nevertheless, I warn you: there may be problems uninstalling programs that use .msi installers (for example, Microsoft Office).
  20. Clear Task Scheduler logs - Windows Task Scheduler keeps a log of completed tasks. I do not recommend enabling this item, because there is no benefit and it can add problems, the Task Scheduler being a rather buggy component.
  21. Delete Windows installation logs - the gain in space is insignificant; there is no point in deleting them.
  22. Windows - clear the icon cache - useful if you have problems with shortcuts, for example when the desktop appears but the icons do not show up immediately. Enabling this option does not affect system stability.
  23. Google Chrome - clear cache - a very useful option. Google Chrome stores copies of pages in a dedicated folder so that sites open quickly (pages are loaded from the hard drive instead of being downloaded again). Sometimes this folder reaches half a gigabyte. Cleaning it frees space on the hard drive and does not affect the stability of Windows or Google Chrome.
  24. Mozilla Firefox - clear the CrashReports folder - whenever Firefox runs into a problem and crashes, report files are generated. This option deletes them. The gain is a couple of tens of megabytes, so there is little benefit, but some. The stability of Windows and Firefox is not affected.

Depending on the installed programs, the number of items will differ. For example, if the Opera browser is installed, you can clear its cache too.

Cleaning the list of startup programs

A sure way to make the computer boot and run faster is to clean up the startup list. If unnecessary programs do not start, the computer not only boots faster but also works faster, thanks to the resources no longer taken by programs running in the background.

AVZ can look into almost all the loopholes in Windows through which programs get launched. The autorun list is in the menu Tools - Autorun Manager:

An ordinary user has no need for such powerful functionality, so I urge you not to disable everything. It is enough to look at just two sections: Startup folders and Run*.

AVZ shows autorun entries not only for your user but for all other profiles as well:

In the Run* section it is better not to disable the programs located under HKEY_USERS: this can break other user profiles and the operating system itself. In the Startup folders section you can disable whatever you do not need.

Lines that the antivirus recognises as known are marked in green. These include both Windows system programs and digitally signed third-party programs.

All other programs are marked in black. This does not mean such programs are viruses or anything of the kind; simply, not every program is digitally signed. The reverse also holds: a valid signature proves who published the program, not that you want it in autorun.

Do not forget to widen the first column so that the program name is visible. Simply unticking the box disables the program's autostart temporarily (you can tick it again later); selecting the entry and pressing the button with the black cross deletes the entry for good (or until the program registers itself in autorun again).

The question arises: how do you decide what can be disabled and what cannot? There are two approaches:

First, common sense: you can decide by the name of the program file. For example, during installation Skype creates an entry to start automatically when you turn on the computer. If you do not need that, untick the box for the entry ending in skype.exe. By the way, many programs (Skype among them) can remove themselves from startup; it is enough to untick the corresponding item in the program's own settings.

Second, you can search the Internet for information about the program and decide from what you find whether to remove it from autorun. AVZ makes this easy: right-click an item and choose your favourite search engine:

By disabling unnecessary programs you will noticeably speed up computer startup. However, it is unwise to disable everything in a row: you may lose the keyboard layout indicator, disable the antivirus, and so on.

Disable only the programs that you know for certain you do not need in autorun.

Outcome

In principle, what I wrote about in the article is akin to hammering nails with a microscope - the AVZ program is suitable for optimizing Windows, but in general it is a complex and powerful tool suitable for performing a variety of tasks. However, in order to use AVZ to its fullest, you need to thoroughly know Windows, so you can start small - namely, with what I described above.

If you have any questions or comments, there is a block of comments under the articles, where you can write to me. I am following the comments and will try to answer you as soon as possible.


This part covers the simplest ways to neutralise viruses, in particular those that block the user's desktop in Windows 7 (the Trojan.Winlock family). Such viruses do not hide their presence in the system; on the contrary, they advertise it, making it as hard as possible to do anything except enter a special "unlock code", for which the user is supposedly required to pay the attackers a certain sum by SMS or by topping up a mobile phone account at a payment terminal. The goal is always the same: to make the user pay, sometimes quite a lot of money. A window appears with a threatening warning that the computer has been locked for using unlicensed software, visiting undesirable sites or something similar, all intended to frighten the user. In addition, the virus prevents any actions in the Windows environment: it intercepts the key combinations that open the Start menu, the Run dialog, Task Manager and so on, and the mouse pointer cannot be moved outside the virus window. As a rule the same picture appears when Windows is booted in Safe Mode. The situation looks hopeless, especially if there is no second computer, no other operating system to boot into and no removable media (a live CD, ERD Commander, an antivirus rescue disc). Nevertheless, in the overwhelming majority of cases there is a way out.

New technologies in Windows Vista / Windows 7 made it much harder for malware to install itself and take full control of the system, and also gave users extra ways to get rid of it relatively easily, even without antivirus software: the system can be booted into Safe Mode with Command Prompt and the diagnostic and recovery tools run from there. Out of habit, and because this mode was implemented rather poorly in earlier versions of Windows, many users simply never use it. In vain: the Windows 7 command prompt lacks the usual desktop (which a virus can block), but from it you can start most programs, including Registry Editor, Task Manager and the System Restore utility.

Removing a virus by rolling the system back to a restore point

A virus is an ordinary program: even if it sits on the hard disk, as long as it has no way to start automatically when the system boots and the user logs on, it is as harmless as a text file (until someone runs it again, so the file should still be deleted or quarantined afterwards). If the problem of blocking the malicious program's automatic start is solved, the task of getting rid of it can be considered done. The main autostart method used by viruses is specially crafted registry entries created when they are injected into the system; delete those entries and the virus is neutralised.

The easiest way to do this is System Restore from a restore point. A restore point is a copy of important system files, stored in a special directory ("System Volume Information"), that contains among other things copies of the Windows registry hives. Rolling back to a point created before the infection gives you a registry without the entries the virus made, and so without its autostart, i.e. the infection is removed without any antivirus software. This simple and quick method works against most viruses, including those that block the Windows desktop.

Naturally, a blocker that modifies the hard disk's boot sectors (the MBRLock family) cannot be removed this way: the rollback does not touch the boot records, and Windows cannot be booted into Safe Mode with Command Prompt at all, because the virus loads before the Windows boot loader. Such infections require booting from other media and restoring the infected boot records. But there are relatively few such viruses, and in most cases rolling back to a restore point is enough.

1. At the very beginning of the boot, press F8. The Windows boot manager menu with the available startup options will appear on the screen.

2. Select "Safe Mode with Command Prompt".

When the boot finishes and the user logs on, the cmd.exe command-processor window is shown instead of the usual Windows desktop.

3. Start System Restore by typing rstrui.exe at the command prompt and pressing ENTER.

Select "Choose a different restore point" and, in the next window, tick "Show more restore points".

After you select a restore point you can view the list of programs that will be affected by the rollback:

The affected programs list contains the programs installed after the restore point was created; they may need to be reinstalled, because their registry entries will no longer exist after the rollback.

Clicking "Finish" starts the recovery. When it completes, Windows restarts.

After the reboot a message reports whether the rollback succeeded; if it did, Windows is back in the state it had on the date the restore point was created. If the desktop is still locked, use the more advanced method below.
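The same procedure can be driven from PowerShell, which is useful when you want to see the restore points with their dates before committing to one. The script below is an added example and is not part of the original article; it assumes Windows 7, an elevated PowerShell (type powershell in the Safe Mode command prompt), and an infection date that you fill in yourself (the date in the script is a placeholder).

```powershell
# Added example (not from the original article): list the restore points and roll
# back to the newest one created before the infection date.
# Assumption: the first symptoms were seen on this day; adjust it to your case.
$infectedOn = Get-Date '2012-03-15'

# Get-ComputerRestorePoint returns WMI SystemRestore objects whose CreationTime is a
# DMTF string; convert it to a DateTime so we can compare and sort on it.
$points = Get-ComputerRestorePoint | ForEach-Object {
    New-Object PSObject -Property @{
        Sequence    = $_.SequenceNumber
        Created     = [System.Management.ManagementDateTimeConverter]::ToDateTime($_.CreationTime)
        Description = $_.Description
        Type        = $_.RestorePointType
    }
} | Sort-Object Created

$points | Format-Table Sequence, Created, Description -AutoSize

# The newest point that still predates the infection is the one to use: older points
# lose more recently installed programs, newer ones may already contain the virus.
$candidate = $points | Where-Object { $_.Created -lt $infectedOn } | Select-Object -Last 1
if (-not $candidate) {
    Write-Warning "No restore point older than $infectedOn; use the msconfig / registry method instead."
    return
}

# System Restore rewrites the registry hives, so programs installed after this point
# lose their registry entries (that is the 'affected programs' list in rstrui.exe).
"Rolling back to restore point #$($candidate.Sequence) from $($candidate.Created): '$($candidate.Description)'"
Restore-Computer -RestorePoint $candidate.Sequence -Confirm
```

Restore-Computer reboots the machine as soon as you confirm, exactly as the "Finish" button does; the rollback result is reported after the restart.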

Removing a virus without rolling back the system to a restore point

It is possible that, for various reasons, the system has no restore point data, the rollback ended with an error, or it did not help. In that case use the System Configuration utility, MSCONFIG.EXE. As before, boot Windows into Safe Mode with Command Prompt, type msconfig.exe in the cmd.exe window and press ENTER.

On the General tab you can choose between the following Windows startup modes:

Normal startup - loads all device drivers and services.
Diagnostic startup - loads only basic devices and services; the utility itself decides the minimum set of system services and programs to start.
Selective startup - lets you choose manually which system services and startup programs are loaded during boot.

To eliminate the virus, the simplest approach is Diagnostic startup, where the utility itself picks the set of automatically started programs. If the desktop is no longer locked in this mode, go to the next stage: find out which of the programs is the virus. For that, use Selective startup, which lets you enable or disable individual programs by hand.

The "Services" tab lets you enable or disable the startup of system services whose startup type is set to "Automatic". An unticked box in front of a service name means it will not be started during boot. At the bottom of the MSCONFIG window there is a "Hide all Microsoft services" option; when it is enabled only third-party services are shown.

Note that with the default security settings of Windows Vista / Windows 7 it is unlikely that a virus has managed to install itself as a system service, so you will usually have to look for its traces in the list of automatically launched user programs (the Startup tab).

As on the "Services" tab, you can enable or disable the automatic launch of any program in the list MSCONFIG shows. If the virus is activated by an autostart registry key or by the contents of the "Startup" folder, msconfig lets you not only neutralize it but also learn the path and name of the malicious file.

The msconfig utility is a simple and convenient tool for managing the services and applications that start in the standard ways for the Windows family. However, virus authors often use techniques that let malicious programs start without the standard autostart points. To get rid of such a virus with high probability, use the rollback to a restore point described above. If a rollback is impossible and msconfig did not help, you can edit the registry directly.

While fighting a virus the user often has to reboot the hard way, with the Reset button or by cutting the power. That can leave the system booting normally but never reaching the logon screen: the computer "hangs" because an unclean shutdown corrupted the logical structure of some system files. To fix this, boot into Safe Mode with Command Prompt as before and run a check of the system disk:

chkdsk C: /F - check drive C: and correct any errors found (the /F switch)

Because the system disk is in use by system services and applications when chkdsk starts, chkdsk cannot get exclusive access to it. It therefore warns you and offers to check the disk at the next restart. If you answer Y, the check is scheduled by adding an autochk entry to the BootExecute value under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager, so it runs when Windows restarts. After the check that entry is removed and Windows starts normally without user intervention.

Eliminate the possibility of starting a virus using the registry editor.

To start the registry editor, boot Windows into Safe Mode with Command Prompt as in the previous cases, type regedit.exe in the command window and press ENTER.

With its default security settings, Windows 7 is protected against many of the launch methods malware used on earlier Microsoft operating systems. Installing their own drivers and services, reconfiguring WINLOGON to load their own executable modules, modifying registry keys that apply to all users, and so on: these techniques either do not work in Windows 7 or take so much effort that they are rarely seen. As a rule, the registry changes that let the virus run are made only with the permissions of the current user, i.e. under HKEY_CURRENT_USER.

To demonstrate the simplest desktop-locking mechanism, substitution of the user's shell, and to show why MSCONFIG cannot detect or remove such a virus, you can run the following experiment: instead of a virus, edit the registry yourself so that you get, say, a command prompt instead of the desktop. The familiar desktop is created by Windows Explorer (explorer.exe) started as the user's shell. Which program that is comes from the Shell value in the registry keys

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon - for all users.
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon - for the current user.

The Shell value is a string with the name of the program used as the shell when the user logs on. Normally the Shell value is absent from the current-user key (HKEY_CURRENT_USER, or HKCU), and the value from the all-users key (HKEY_LOCAL_MACHINE, or HKLM) is used instead.

This is what the key HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon looks like on a standard Windows 7 installation (there is no Shell value in it).

If you add a string value named Shell with the data "cmd.exe" to this key, then the next time the current user logs on, cmd.exe is started as the shell instead of Explorer, and a command prompt window appears instead of the usual Windows desktop.

Naturally, any malicious program can be started this way, and the user then gets a porn banner, a blocker or some other nastiness instead of a desktop.
To make changes to the key for all users (HKLM ...

If you run msconfig during this experiment, you will see that cmd.exe does not appear as the user's shell in any of its lists of automatically started programs. A system rollback would of course restore the original registry and remove the virus's autostart, but if that is impossible for some reason, all that is left is editing the registry directly. To get the standard desktop back, simply delete the Shell value, or change its data from "cmd.exe" to "explorer.exe", and log off and back on (or reboot). You can edit the registry with regedit.exe from the command line or with the console utility REG.EXE. Example command to delete the Shell value:

REG delete "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell

The shell substitution shown here is today one of the most common techniques used by viruses on Windows 7. The fairly high security level of the default settings keeps malware away from the registry keys that were used for infection on Windows XP and earlier. Even if the current user is a member of the Administrators group, writing to most of the registry locations used for infection requires running the program as administrator (elevation). That is why malware modifies the keys the current user can write to (under HKCU). The second important factor is that, for the same reason, writing program files into system directories is hard, so most viruses on Windows 7 run their executables from the current user's temporary files directory (Temp). When analyzing the autostart points in the registry, look first at programs located in the temporary files directory, which is normally C:\Users\<username>\AppData\Local\Temp. The exact path of the temporary directory can be seen in Control Panel under System properties, "Environment Variables", or on the command line:

set temp
or
echo %TEMP%

Searching the registry for the temporary directory name or for the %TEMP% variable is another useful way to find a virus: as a rule, legitimate programs do not start automatically from the Temp directory (an installer's one-off RunOnce entry is the rare exception).

For a complete list of possible autostart points, use the Autoruns tool from the Sysinternals Suite; it shows far more locations than msconfig does, including the Winlogon Shell and Userinit values.
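The msconfig section, the shell-substitution experiment and the Temp-directory advice above all come down to the same check: enumerate the autostart points the current user can write to and look at where each command points. The PowerShell script below does that as an added example; it is not from the original article or from Autoruns. It assumes Windows 7 defaults, is read-only, and its "suspicious" rules are this script's own heuristics, not a documented detection.

```powershell
# Added example, not from the original article: list the user-level autostart
# points discussed in the text (Run/RunOnce keys, the Startup folders, and the
# Winlogon Shell/Userinit values in HKCU and HKLM) and flag entries that run from
# the Temp directory or override the shell. Read-only.
# From the Safe Mode prompt: powershell -ExecutionPolicy Bypass -File autostart-check.ps1
# (the file name is an assumption).

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'   # 32-bit view on x64
)
$winlogonKeys = @(
    'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon',
    'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
)
$startupDirs = @([Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup'))

function New-Entry($Where, $Name, $Command) {
    New-Object PSObject -Property @{ Where = $Where; Name = $Name; Command = [string]$Command }
}

$entries = @()
foreach ($k in $runKeys) {
    $props = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
    if ($props) {
        # Get-ItemProperty adds PSPath/PSChildName/... properties of its own; skip those.
        $props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' } |
            ForEach-Object { $entries += New-Entry $k $_.Name $_.Value }
    }
}
foreach ($k in $winlogonKeys) {
    $props = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
    foreach ($name in 'Shell', 'Userinit') {
        if ($props -and $props.PSObject.Properties[$name]) { $entries += New-Entry $k $name $props.$name }
    }
}
foreach ($d in $startupDirs) {
    Get-ChildItem -Path $d -ErrorAction SilentlyContinue | ForEach-Object { $entries += New-Entry $d $_.Name $_.FullName }
}

# %TEMP% may be the short (8.3) form on Windows 7, so also test the long AppData path.
$tempPaths = @($env:TEMP)
if ($env:LOCALAPPDATA) { $tempPaths += Join-Path $env:LOCALAPPDATA 'Temp' }
# The default Userinit data is "<SystemRoot>\system32\userinit.exe," (note the trailing comma).
$userinitOk = '^\s*"?' + [regex]::Escape((Join-Path $env:SystemRoot 'system32\userinit.exe')) + '"?,?\s*$'

$report = foreach ($e in $entries) {
    $why = @()
    if ($e.Name -eq 'Shell' -and $e.Where -like 'HKCU:*') { $why += 'Shell override in HKCU' }
    if ($e.Name -eq 'Shell' -and $e.Command -notmatch '^\s*"?explorer\.exe"?\s*$') { $why += 'Shell is not explorer.exe' }
    if ($e.Name -eq 'Userinit' -and $e.Command -notmatch $userinitOk) { $why += 'Userinit changed' }
    foreach ($t in $tempPaths) {
        if ($e.Command.IndexOf($t, [StringComparison]::OrdinalIgnoreCase) -ge 0) { $why += 'runs from Temp'; break }
    }
    if ($e.Command -match '%TEMP%') { $why += 'runs from %TEMP%' }
    $flag = if ($why) { 'SUSPICIOUS: ' + ($why -join '; ') } else { 'ok' }
    $e | Add-Member -MemberType NoteProperty -Name Flag -Value $flag -PassThru
}
$report | Sort-Object Flag -Descending | Format-Table Flag, Where, Name, Command -AutoSize -Wrap

# To undo the shell experiment from the article (same effect as the REG delete above):
#   Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon' -Name Shell
```

Run it from the Safe Mode prompt after the shell experiment and the HKCU Shell entry shows up flagged even though msconfig never lists it; a blocker dropped into AppData\Local\Temp and registered under HKCU\...\Run shows up under both rules at once.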

Simplest ways to remove blockers from the MBRLock family

Malicious programs can take control of a computer not only by infecting the operating system but also by modifying the boot sector records of the disk it boots from. The virus overwrites the boot sector of the active partition (or the MBR itself) with its own code, so that instead of Windows a small program loads and shows a ransom message demanding money for the crooks. Since the virus gets control before the system even starts, there is only one way around it: boot from other media (CD/DVD, external drive, etc.) into any operating system from which the boot sector code can be repaired. The easiest option is a Live CD / Live USB, which most antivirus vendors provide free of charge (Dr.Web LiveCD, Kaspersky Rescue Disk, Avast! Rescue Disk, etc.), and a scan of the file system for malware with removal or disinfection of the infected files. If that is not possible, any Windows PE boot (an installation disk, an ERD Commander rescue disk) is enough to restore normal booting. Usually all you need is a command prompt and the command:

bootsect /nt60 E: /mbr

which restores the boot sectors of drive E:. Use the letter that the rescue environment assigned to the boot volume of the infected system (it is often not C: there).

For Windows versions earlier than Windows Vista use:

bootsect /nt52 E: /mbr

The bootsect.exe utility can live not only in the system directories but on any removable media; it runs under any Windows operating system and restores the boot sector code without touching the partition table or the file system. The /mbr switch additionally rewrites the boot code of the master boot record, again without changing the partition table. Whether it is needed depends on what the blocker overwrote: a blocker that replaced only the partition boot sector does not require it, but one that replaced the MBR code (as the MBRLock family does) does. Since the switch leaves the partition table alone, it is safe to include it either way.
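Before overwriting boot code with bootsect it is worth looking at what is actually on the disk, so you know whether the MBR, the partition boot sector, or both were replaced. The script below is an added example, not from the original article or from bootsect; it reads the first sector of the disk and the boot sector of the active partition and prints what it finds. It assumes an elevated PowerShell in WinPE or on a rescue system with the infected disk attached as PhysicalDrive0 (change $DiskPath otherwise), and its "standard error strings" test is a heuristic of this script: the Windows MBR code carries those messages, a ransom-screen replacement usually does not, but a third-party boot manager may legitimately lack them too.

```powershell
# Added example, not from the original article: inspect the MBR and the active
# partition's boot sector (VBR) before or after running bootsect. Reads only.
# Assumption: the infected disk is PhysicalDrive0; raw access needs an elevated shell.
param([string]$DiskPath = '\\.\PhysicalDrive0')

function Read-Sector([string]$Path, [long]$Lba) {
    # Raw device reads must be sector-aligned; read exactly one 512-byte sector.
    $fs = New-Object IO.FileStream -ArgumentList $Path, 'Open', 'Read', 'ReadWrite'
    try {
        [void]$fs.Seek($Lba * 512, [IO.SeekOrigin]::Begin)
        $buf = New-Object byte[] 512
        if ($fs.Read($buf, 0, 512) -ne 512) { throw "short read at LBA $Lba of $Path" }
        return ,$buf
    } finally { $fs.Close() }
}

function Test-Mbr([byte[]]$Sector) {
    $result = New-Object PSObject -Property @{
        SignatureOk   = ($Sector[510] -eq 0x55 -and $Sector[511] -eq 0xAA)   # 0xAA55 little-endian
        DiskSignature = ('{0:X8}' -f [BitConverter]::ToUInt32($Sector, 440))
        BootCodeHex   = (($Sector[0..31] | ForEach-Object { '{0:X2}' -f $_ }) -join ' ')
        HasStdStrings = $false
        Partitions    = @()
    }
    # Heuristic: the Windows MBR code (bytes 0..439) contains these messages;
    # a blocker's ransom screen normally does not. Absence is a hint, not proof.
    $code = [Text.Encoding]::ASCII.GetString($Sector, 0, 440)
    $result.HasStdStrings = ($code -match 'Invalid partition table') -and ($code -match 'Missing operating system')
    # Partition table: four 16-byte entries at offset 446; bootsect leaves these alone.
    for ($i = 0; $i -lt 4; $i++) {
        $o = 446 + 16 * $i
        $type = $Sector[$o + 4]
        if ($type -eq 0) { continue }
        $result.Partitions += New-Object PSObject -Property @{
            Index    = $i
            Active   = ($Sector[$o] -eq 0x80)
            Type     = ('0x{0:X2}' -f $type)
            StartLba = [BitConverter]::ToUInt32($Sector, $o + 8)
            Sectors  = [BitConverter]::ToUInt32($Sector, $o + 12)
        }
    }
    return $result
}

$mbr = Test-Mbr (Read-Sector $DiskPath 0)
$mbr | Format-List SignatureOk, DiskSignature, HasStdStrings, BootCodeHex
$mbr.Partitions | Format-Table Index, Active, Type, StartLba, Sectors -AutoSize

# The VBR of the active partition is what a partition-sector blocker replaces:
# for NTFS the OEM ID at bytes 3..10 reads "NTFS    ".
$active = $mbr.Partitions | Where-Object { $_.Active } | Select-Object -First 1
if ($active) {
    $vbr = Read-Sector $DiskPath $active.StartLba
    $oem = [Text.Encoding]::ASCII.GetString($vbr, 3, 8)
    'Active partition #{0} VBR: OEM ID "{1}", signature ok: {2}' -f $active.Index, $oem, ($vbr[510] -eq 0x55 -and $vbr[511] -eq 0xAA)
}
if (-not $mbr.HasStdStrings) {
    Write-Warning 'MBR code does not look like the standard Windows MBR; "bootsect /nt60 <drive> /mbr" rewrites it (back the sector up first).'
}
```

The BootCodeHex line lets you compare the first bytes against a known-good disk, and the partition table printout confirms that bootsect has left the table alone after a repair.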

AVZ is a simple and convenient utility that not only removes malware but also knows how to restore the system. Why is that necessary?

The fact is that after a virus invasion (it happens that AVZ kills them by the thousand), some programs refuse to work, settings have disappeared, and Windows somehow does not work quite right.

Most often users simply reinstall the system in this situation. As practice shows, that is not necessary at all, because the same AVZ utility can restore almost any damaged system setting.

To give a clearer picture, here is the complete list of what AVZ can restore.

The material is taken from the AVZ handbook - http://www.z-oleg.com/secur/avz_doc/ (copy and paste into the browser address bar).

The database currently contains the following recovery scripts:

1. Restore startup parameters for .exe, .com, .pif files

This recovery script restores the system's handling (the file associations) of .exe, .com, .pif and .scr files.

Indications for use: after removing the virus, programs no longer run.

2. Reset Internet Explorer protocol prefix settings to standard

This script restores the protocol prefix settings in Internet Explorer.

Indications for use: when you enter an address such as www.yandex.ru, it is replaced with something like www.seque.com/abcd.php?url=www.yandex.ru

3. Restore the Internet Explorer start page

This script restores the start page in Internet Explorer.

Indications for use: the start page has been hijacked.

4. Reset Internet Explorer search settings to standard

This script restores the Internet Explorer search settings.

Indications for use: clicking the "Search" button in IE calls some third-party site.

5. Restore desktop settings

This script restores the desktop settings.

Restoring means removing all Active Desktop items and the wallpaper, and removing the locks on the menu responsible for desktop settings.

Indications for use: the desktop settings tabs in the "Display Properties" window have disappeared; extraneous text or images are shown on the desktop.

6. Delete all policies (restrictions) of the current user

Windows has a mechanism for restricting user actions called policies. Many malicious programs use it, because the settings are stored in the registry (under the current user's Policies keys) and are easy to create or modify.

Indications for use: Explorer or other system functions are blocked.

7. Delete the message displayed during WinLogon

Windows NT-based systems (NT, 2000, XP and later) let you set a message that is displayed at logon (the LegalNoticeCaption and LegalNoticeText values).

A number of malicious programs use this, and killing the malware does not remove the message.

Indications for use: an extraneous message appears during system boot.

8. Restore Explorer settings

This script resets a number of Explorer settings to their defaults (first of all those that malware tends to change).

Indications for use: Explorer settings have been changed.

9. Remove system process debuggers

Registering a "debugger" for a system process (a Debugger value under Image File Execution Options) makes Windows start the registered program whenever that process is launched, which gives malware an autostart without any visible autostart entry; a number of malicious programs use this.

Indications for use: AVZ detects unrecognized debuggers of system processes, or there are problems starting system components, in particular the desktop disappears after a reboot.

10. Restore Safe Mode boot settings

Some malware, in particular the Bagle worm, damages the Safe Mode boot settings (the SafeBoot registry keys).

This script recreates the Safe Mode boot settings. Indications for use: the computer does not boot into Safe Mode. Use this script only when booting into Safe Mode is broken.

11. Unlock Task Manager

Malware blocks Task Manager to protect its processes from being found and killed. Running this script removes the lock.

Indications for use: Task Manager is blocked; when you try to open it, the message "Task Manager has been disabled by your administrator" is displayed.

12. Clear the ignore list of the HijackThis utility

HijackThis stores a number of its settings in the registry, in particular its exclusion list. To hide from HijackThis, a malicious program therefore only needs to add its executables to that list.

A number of malicious programs are known to abuse this. The AVZ script clears the HijackThis exclusion list.

Indications for use: suspicion that HijackThis is not displaying all information about the system.

13. Clean up the Hosts file

Cleaning the Hosts file means locating it, removing all meaningful lines from it, and adding the standard line "127.0.0.1 localhost".

Indications for use: suspicion that the Hosts file has been modified by malware. A typical symptom is that antivirus software updates are blocked.

You can inspect and edit the Hosts file with the Hosts file manager built into AVZ.

14. Automatic correction of SPI/LSP settings

Analyzes the Winsock SPI/LSP (Service Provider Interface / Layered Service Provider) settings and, if errors are found, corrects them automatically.

This script can be run any number of times. After running it, a reboot is recommended. Note: this script cannot be run from a terminal session.

Indications for use: Internet access was lost after the malware was removed.

15. Reset SPI/LSP and TCP/IP settings (XP+)

This script only works on XP, Windows 2003 and Vista. It works by resetting and recreating the SPI/LSP and TCP/IP settings with the standard netsh utility included with Windows (the equivalent manual commands are "netsh winsock reset" and "netsh int ip reset").

Note: apply this reset only if necessary, i.e. when problems with Internet access after malware removal cannot be fixed otherwise.

Indications for use: after the malware was removed, Internet access is broken and running "14. Automatic correction of SPI/LSP settings" has no effect.

16. Restore the Explorer startup key

Restores the system registry keys responsible for starting Explorer.

Indications for use: Explorer does not start during system boot, but explorer.exe can be started manually.

17. Unlock Registry Editor

Unlocks Registry Editor by removing the policy that prevents it from running.

Indications for use: Registry Editor cannot be started; when you try, a message says it has been disabled by the administrator.

18. Complete re-creation of SPI settings

Backs up the SPI/LSP settings, then deletes them and recreates them from the reference copy stored in the database.

Indications for use: severe damage to the SPI settings that scripts 14 and 15 cannot repair. Use only if necessary!

19. Clear the MountPoints database

Clears the MountPoints and MountPoints2 keys in the registry (HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer). This often helps when drives no longer open in Explorer after an infection by a virus spread via flash drives (autorun).

To perform a restoration, tick one or more items and press the "Perform marked operations" button. The "OK" button closes the window.
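Most of the items above are registry values that can be inspected by hand before you let AVZ rewrite them. The script below is an added example, not AVZ's code and not from the handbook: it audits the locations behind recovery scripts 1, 6, 7, 9, 11, 13 and 17 and reports what is set. The registry paths are the documented Windows locations; the checking logic and the expected association strings are the script's own, and it assumes an elevated PowerShell on Windows XP through 7.

```powershell
# Added example, not AVZ's code: audit the registry locations and the hosts file
# that AVZ recovery scripts 1, 6, 7, 9, 11, 13 and 17 repair. Read-only unless
# -Fix is given; -Fix only removes the Task Manager / Registry Editor locks and
# the logon message (everything else is reported only).
# Run from an elevated PowerShell (or type powershell in the Safe Mode prompt).
param([switch]$Fix)

if (-not (Test-Path 'HKCR:\')) {
    New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT | Out-Null
}
$findings = @()
function Add-Finding([string]$Item, [string]$Where, [string]$Detail) {
    $script:findings += New-Object PSObject -Property @{ Item = $Item; Where = $Where; Detail = $Detail }
}

# 1. Launch of .exe/.com/.pif/.scr: the "open" command must be "%1" %* (scrfile: "%1" /S)
foreach ($cls in 'exefile', 'comfile', 'piffile', 'scrfile') {
    $k = "HKCR:\$cls\shell\open\command"
    $v = (Get-ItemProperty -Path $k -ErrorAction SilentlyContinue).'(default)'
    $expected = if ($cls -eq 'scrfile') { '"%1" /S' } else { '"%1" %*' }
    if ($v -ne $expected) { Add-Finding '1 file association' $k "is '$v', expected '$expected'" }
}

# 6 / 11 / 17. Policy restrictions in the current user's hive
$polSys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$polExp = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
foreach ($pair in @(@('11 Task Manager lock', 'DisableTaskMgr'), @('17 Registry Editor lock', 'DisableRegistryTools'))) {
    $item, $name = $pair
    $p = Get-ItemProperty -Path $polSys -Name $name -ErrorAction SilentlyContinue
    if ($p -and $p.$name -ne 0) {
        Add-Finding $item "$polSys\$name" "= $($p.$name)"
        if ($Fix) { Remove-ItemProperty -Path $polSys -Name $name }
    }
}
$exp = Get-ItemProperty -Path $polExp -ErrorAction SilentlyContinue
if ($exp) {
    $exp.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' -and $_.Value -ne 0 } |
        ForEach-Object { Add-Finding '6 Explorer policy' "$polExp\$($_.Name)" "= $($_.Value)" }
}

# 7. Message shown at logon (the older Winlogon values and the Vista+ policy values)
foreach ($k in 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon',
               'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System') {
    $p = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
    foreach ($name in 'LegalNoticeCaption', 'LegalNoticeText') {
        if ($p -and $p.$name) {
            Add-Finding '7 logon message' "$k\$name" "= '$($p.$name)'"
            if ($Fix) { Set-ItemProperty -Path $k -Name $name -Value '' }
        }
    }
}

# 9. Image File Execution Options: a Debugger value silently replaces that program
$ifeo = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
Get-ChildItem -Path $ifeo -ErrorAction SilentlyContinue | ForEach-Object {
    $d = (Get-ItemProperty -Path $_.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
    if ($d) { Add-Finding '9 IFEO debugger' $_.PSChildName "Debugger = '$d'" }
}

# 13. hosts: report every active line that is not the loopback localhost entry
$hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
Get-Content -Path $hosts -ErrorAction SilentlyContinue | ForEach-Object {
    $line = ($_ -replace '#.*$', '').Trim()
    if ($line -and $line -notmatch '^(127\.0\.0\.1|::1)\s+localhost$') { Add-Finding '13 hosts entry' $hosts $line }
}

if ($findings) { $findings | Format-Table Item, Where, Detail -AutoSize -Wrap } else { 'No findings.' }
```

An IFEO Debugger entry or a hosts line pointing an antivirus update server at 127.0.0.1 is exactly what items 9 and 13 exist for; running this audit again after AVZ has done its work confirms the fix took.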

On a note:

Recovery is useless while a Trojan that performs these reconfigurations is still running: remove the malware first, then restore the system settings.

On a note:

To eliminate the traces of most hijackers, run three scripts: "Reset Internet Explorer search settings to standard", "Restore the Internet Explorer start page" and "Reset Internet Explorer protocol prefix settings to standard".

On a note:

Any of the scripts can be run several times in a row without harming the system. The exceptions are "5. Restore desktop settings" (running it resets all desktop settings, so you will have to pick your desktop colour and wallpaper again) and "10. Restore Safe Mode boot settings" (it recreates the registry keys responsible for booting into Safe Mode).

To start a recovery, download, unpack and run the utility, then choose File > System Restore. By the way, you can still execute

Tick the boxes you need and click "Perform marked operations". Then wait for it to finish :-)

In the following articles we will look in more detail at the problems that AVZ's system restore scripts help to solve. Good luck.


