
AVZ is a utility for virus treatment and system recovery. Setting up AVZ firmware - system recovery after viruses How to execute a script using the AVZ utility

16.08.2019

Continuing the topic dedicated to AVZ, I want to share with you some more knowledge about the capabilities of this wonderful utility.

Today we will talk about system recovery tools, which can often save your computer's life after infection with viruses and other horrors, and also solve a number of system problems that arise as a result of certain errors.
It will be useful for everyone.

Introductory

Before we begin, traditionally, I want to offer you two formats of material, namely: video format or text. Here's the video:

Well, the text below. See for yourself which option is closer to you.

General description of the program functionality

What are these recovery tools? They are a set of firmware (small scripts) that return certain system functions to working condition. Which ones, for example? Well, let's say, restoring the registry editor, clearing the hosts file or resetting IE settings. Below I give the full list with descriptions (so as not to reinvent the wheel):

  • 1. Restoring startup parameters of .exe, .com, .pif files
    Indications for use: after removing the virus, programs stop running.
  • 2. Reset Internet Explorer protocol prefix settings to standard
    Indications for use: when you enter an address like www.yandex.ru, it is replaced with something like www.seque.com/abcd.php?url=www.yandex.ru
  • 3. Restore Internet Explorer home page
    Indications for use: the start page has been replaced
  • 4. Reset Internet Explorer search settings to standard
    Indications for use: when you click the "Search" button in IE, you are taken to some third-party site
  • 5. Restore desktop settings
    This firmware restores desktop settings. Recovery involves deleting all active ActiveDesktop elements and wallpaper and unlocking the menu responsible for desktop settings.
    Indications for use: the desktop settings tabs in the "Properties: Screen" window have disappeared, or extraneous inscriptions or pictures are displayed on the desktop
  • 6. Removing all Policies (restrictions) of the current user
    Indications for use: Explorer functions or other system functions are blocked.
  • 7. Removing the message displayed during WinLogon
    Windows NT and subsequent systems in the NT line (2000, XP) allow you to set a message displayed during startup. A number of malicious programs take advantage of this, and destroying the malicious program does not remove this message.
    Indications for use: an extraneous message is displayed during system boot.
  • 8. Restore File Explorer settings
    Indications for use: Explorer settings have been changed
  • 9. Removing system process debuggers
    Indications for use: AVZ detects unidentified system process debuggers, problems arise with launching system components, in particular, the desktop disappears after a reboot.
  • 10. Restoring boot settings in SafeMode
    Some malware, in particular the Bagle worm, damages the system boot settings in protected mode. This firmware restores boot settings in protected mode.
    Indications for use: the computer does not boot in SafeMode. Use this firmware only if you have problems booting into protected mode.
  • 11. Unlock task manager
    Indications for use: the task manager is blocked; when you try to call the task manager, the message "Task manager is blocked by the administrator" is displayed.
  • 12. Clearing the ignore list of the HijackThis utility
    The HijackThis utility stores a number of its settings in the registry, in particular a list of exceptions. Therefore, to camouflage itself from HijackThis, a malicious program only needs to register its executable files in the exclusion list. There are currently a number of known malicious programs that exploit this weakness. This AVZ firmware clears the HijackThis exception list.
    Indications for use: suspicion that the HijackThis utility does not display all information about the system.
  • 13. Cleaning the Hosts file
    Cleaning up the Hosts file involves finding the Hosts file, removing all significant lines from it, and adding the standard "127.0.0.1 localhost" line.
    Indications for use: suspicion that the Hosts file has been modified by malware. A typical symptom is blocked antivirus program updates. You can inspect the contents of the Hosts file using the Hosts file manager built into AVZ.

  • 14. Automatic correction of SPI/LSP settings
    Performs analysis of SPI settings and, if errors are detected, automatically corrects the errors found. This firmware can be re-run an unlimited number of times. After running this firmware, it is recommended to restart your computer. Note! This firmware cannot be run from a terminal session.
    Indications for use: after removing the malicious program, access to the Internet was lost.
  • 15. Reset SPI/LSP and TCP/IP settings
    This firmware only works on XP, Windows 2003 and Vista. Its operating principle is based on resetting and re-creating SPI/LSP and TCP/IP settings using the standard netsh utility included in Windows. You can read more about resetting settings in the Microsoft knowledge base. Please note! You should use this reset only if necessary, when you have unrecoverable problems with Internet access after removing malware!
    Indications for use: after removing the malicious program, access to the Internet was lost and running the firmware "14. Automatic correction of SPI/LSP settings" does not produce results.
  • 16. Restore the key responsible for launching Explorer
    Indications for use: during system boot, Explorer does not start, but launching explorer.exe manually is possible.
  • 17. Unlock the registry editor
    Indications for use: it is impossible to start the registry editor; when you try, a message is displayed stating that its launch is blocked by the administrator.
  • 18. Complete re-creation of SPI settings
    Indications for use: severe damage to SPI settings that cannot be repaired by scripts 14 and 15. Use only if necessary!
  • 19. Clear the MountPoints database
    Cleans up the MountPoints and MountPoints2 database in the registry.
    Indications for use: this operation often helps in cases where, after infection with a Flash virus, disks do not open in Explorer
  • On a note:
    To eliminate traces of most Hijackers, you need to run three firmware: "Reset Internet Explorer search settings to standard", "Restore Internet Explorer start page", "Reset Internet Explorer protocol prefix settings to standard".
  • On a note:
    Any of the firmware can be executed several times in a row without damaging the system. The exceptions are "5. Restoring desktop settings" (this firmware will reset all desktop settings and you will have to re-select the desktop colouring and wallpaper) and "10. Restoring boot settings in SafeMode" (this firmware recreates the registry keys responsible for booting into safe mode).

Useful, isn't it?
Now about how to use it.

Loading, starting, using

Actually, everything is simple.

  1. Download the AVZ antivirus utility from here (or from somewhere else).
  2. Unpack the archive somewhere convenient for you.
  3. Go to the folder where we unpacked the program and run avz.exe there.
  4. In the program window select "File" - "System Restore".
  5. Tick the necessary items and press the "Perform marked operations" button.
  6. Wait and enjoy the result.

That's how things are.

Afterword

I must say that it works like a charm and saves a number of unnecessary steps. So to speak, everything is at hand: fast, simple and effective.

Thank you for your attention;)

Thanks to the computer masters of the Launch.RF service center for their help in preparing the material. You can order laptop and netbook repairs from these guys in Moscow.

Malicious programs penetrate the operating system of a personal computer and cause significant damage to the whole volume of its data. At the moment, pest programs are created for different purposes, so their actions are aimed at altering various structures of the personal computer's operating system.

Problems with the Internet and malfunctions in the operation of devices connected to the PC are common and the consequences are obvious to the user.

Even if the pest was detected and destroyed, this does not rule out loss of information and other problems that arise in subsequent work. The list of options can be endless; most often the user discovers complete or partial blocking of access to the World Wide Web, failure of external devices (mouse, flash card), an empty desktop, etc.

The listed consequences are observed due to the changes that the pest program made to the system files of the personal computer. Such changes are not eliminated with the elimination of the virus; they need to be corrected independently, or with the help of specialists. In fact, work of this kind does not require special training, and any advanced user can perform it after studying the appropriate instructions.

In the practice of organizing the recovery of an operating system, several approaches are distinguished, depending on the reasons that led to the failure. Let's consider each of the options in detail. A simple method available to every user is to roll back the OS to a restore point when the operation of the personal computer met the user’s requirements. But very often this solution is unsatisfactory, or it cannot be implemented for objective reasons.

How to restore the OS if logging into the PC is impossible?

Launching System Restore proceeds as follows. Start Menu\Control Panel\System Restore. At this address we select the recovery point we need and start the process. After some time, the work will be completed and the computer is ready for normal operation. The technique is quite applicable to eliminating some types of viruses, since changes also occur at the registry level. This option for restoring the operating system is considered the simplest and is included in the set of standard Windows tools. Step-by-step instruction and help with detailed comments on the process will help you master the technique of restoring the functionality of your computer, even if the user does not feel entirely confident as a PC administrator.

Another common OS recovery option is to launch the procedure from external media. This option is complicated by some issues: for example, you need to have a system image on a flash card or disk and make sure in advance that you have such a copy. In addition, some skill in working with the BIOS is often required. An image of the operating system on external media is the best option if recovery is impossible because a virus has blocked login to the computer. There are other options.

It is impossible to use standard Windows tools to restore the OS if, for example, login is impossible, or there are other reasons preventing the operation from being performed in standard mode. The situation can be resolved using the ERD Commander (ERDC) tool.

Let's look at the situation step by step to see how the program works. The first step is to download the program. The second step is to launch the System Restore Wizard tool; it is with its help that the OS is rolled back to a specified recovery point.

As a rule, each tool has several checkpoints in reserve, and in eighty percent of cases the performance of the personal computer will be completely restored.

Using AVZ utility tools

The tool discussed below does not require any special user skills in operation. The software product was developed by Oleg Zaitsev and is designed to search and destroy all types of viruses and malware. But in addition to the main function, the utility restores most system settings that have been attacked or changed by malicious viruses.

What problems can the presented program solve? The main one is recovering system files and settings that have been attacked by viruses. The utility deals with damaged program drivers that refuse to start after recovery, and helps when problems arise in browsers, when access to the Internet is blocked, and in many other troubles.

We activate the recovery operation at File\System Restore and select the necessary operation. The figure shows the interface of the firmware that the utility operates; we will describe each of them.

As you can see, the set of operations is represented by 21 items, and the name of each of them explains its purpose. Note that the program’s capabilities are quite diverse and it can be considered a universal tool for resuscitating not only the system itself, but also eliminating the consequences of viruses working with system data.

The first parameter is used if, as a result of a virus attack and the OS recovery procedure, programs necessary for the user refuse to work. As a rule, this happens if a pest has penetrated program files and drivers and made any changes to the information recorded there.

The second parameter is necessary when viruses replace domains entered into the browser's search engine. This substitution is the first level of tampering with the interaction between the operating system files and the Internet. As a rule, this program function eliminates the changes made without a trace, without trying to detect them individually, but simply resetting the entire set of prefix and protocol data to the standard settings.

The third option resumes setting the Internet browser start page. As in the previous case, by default the program corrects problems in the Internet Explorer browser.

The fourth parameter corrects the operation of the search engine and sets the standard operating mode. Again, the procedure concerns the browser installed in Windows by default.

If there is a problem related to the functioning of the desktop (the appearance of banners, pictures, extraneous entries on it), activate the fifth point of the program. Such consequences of the action of malware were very popular a couple of years ago and caused a lot of problems for users, but even now it is possible that such dirty tricks can penetrate the PC operating system.

The sixth point is necessary if the malicious program has limited the user’s actions when executing a number of commands. These restrictions can be of a different nature, and since access settings are stored in the registry, malware most often uses this information to correct the user’s work with his PC.

If a third-party message appears when loading the OS, this means that a malicious program was able to infiltrate the Windows NT startup settings. Restoring the OS and destroying the virus does not clear this message. To remove it, you need to activate the seventh parameter of the AVZ utility menu.

The eighth menu option, as the name suggests, restores Explorer settings.

Sometimes the problem manifests itself in the form of interruptions in the operation of system components, for example, during the startup of the personal computer OS, the desktop disappears. The AVZ utility diagnoses these structures and makes the necessary adjustments using item nine of the tools menu.

Problems loading the OS in safe mode can be resolved with item ten. The need to activate this firmware item of the utility is easy to detect: the problems appear during any attempt to work in safe mode.

If the task manager is blocked, then you need to activate menu item eleven. Viruses on behalf of the administrator make changes to the activation of this section of the operating system, and instead of the working window, a message appears stating that work with the task manager is blocked.

The HijackThis utility uses storage of a list of exceptions in the registry as one of its main functions. For a virus, it is enough to penetrate the utility database and register files in the registry list. After this, it can independently recover an unlimited number of times. The utility's registry is cleaned by activating the twelfth item in the AVZ settings menu.

The next, thirteenth item clears the Hosts file; modified by a virus, this file can cause difficulties when working with the network, block some resources, and interfere with updating anti-virus databases. Working with this file is discussed in more detail below. Unfortunately, almost all viruses try to edit this file, firstly because such changes are easy to make, while the consequences can be more than significant: after the viruses are removed, the entries left in the file can be a direct gateway for new pests and spyware to penetrate the OS.

If access to the Internet is blocked, this usually means there are errors in the SPI settings. They will be corrected if you activate menu item fourteen. It is important that this settings item cannot be used from a terminal session.

Similar functions are included in the fifteenth menu item, but it can only be activated on operating systems such as XP, Windows 2003 and Vista. You can use this firmware if attempts to correct the network access situation with the previous setting did not bring the desired result.

The capabilities of the sixteenth menu item are aimed at restoring system registry keys that are responsible for launching the Internet browser.

The next step in working to restore OS settings after a virus attack is to unlock the registry editor. As a rule, the external manifestation is that it is impossible to load the program for working with the Network.

The following four points are recommended only if the damage to the operating system is so catastrophic that, by and large, it makes no difference whether they can be eliminated using such methods or as a result it will be necessary to reinstall the entire system.

So, the eighteenth item recreates the original SPI settings. The nineteenth item clears the MountPoints/MountPoints2 registry database.

The twentieth item deletes all static routes. Finally, the last, twenty-first item erases the DNS settings of all connections.

As you can see, the utility's capabilities cover almost all areas into which a malware program can penetrate and leave its active trace, which is not so easy to detect.

Since antivirus applications do not guarantee 100% protection of your PC's operating system, we recommend having such a program in your arsenal of tools against computer viruses of all types and forms.

After disinfecting the personal computer's OS, the devices connected to it do not work.

One popular way of camouflaging spyware is installing its own driver alongside the genuine one. In this situation the genuine driver is most often the mouse or keyboard driver file. Accordingly, after the virus is destroyed, its trace remains in the registry, and for this reason the device to which the pest attached itself stops working.

A similar situation occurs when the Kaspersky Anti-Virus uninstallation process does not work correctly. This is also due to the specifics of installing the program, when its installation on a PC uses the auxiliary driver klmouflt. In the situation with Kaspersky, this driver must be found and completely removed from the personal computer system in accordance with all the rules.

If the keyboard and mouse refuse to function in desired mode, first of all you need to restore the registry keys.

Keyboard:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E96B-E325-11CE-BFC1-08002BE10318}
UpperFilters=kbdclass

Mouse:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E96F-E325-11CE-BFC1-08002BE10318}
UpperFilters=mouclass

The problem of inaccessible sites

The consequences of a malware attack may include the inaccessibility of some Internet resources, the result of changes the viruses managed to make to the system. The problem may be noticed immediately or after some time, but once it is clear that it results from the actions of malware, eliminating it is not difficult.

There are two options for blocking and the most common is adjusting the hosts file. The second option is creating false static routes. Even if the virus is destroyed, the changes it made to these tools will not be eliminated.

The file in question is located in the system folder on drive C, at C:\Windows\System32\drivers\etc\hosts. To find it quickly, the command line from the Start menu is typically used.

If the file cannot be found using the specified procedure, this may mean that:

  • the virus program has changed its location in the registry;
  • the file has the "hidden" attribute.

In the latter case, we change the search characteristics. At: Folder Options / View we find the line “Show hidden files” and check the box opposite, expanding the search range.

The hosts file contains information that converts the letter name of a site's domain into its IP address, so malware programs write adjustments in it that can redirect the user to other resources. If this happens, then when you enter the address of the desired site, a completely different one opens. In order to return these changes to the initial state and fix it, you need to find this file and analyze its contents. Even an inexperienced user will be able to see what exactly the virus has changed, but if this causes certain difficulties, you can restore the default settings, thereby eliminating all changes made to the file.

As for correcting routes, the principle of action is the same. However, in the process of interaction between the PC operating system and the Internet, priority always remains with the hosts file, so restoring it is enough for work to be carried out in standard mode.

The difficulty arises if the required file cannot be found because the virus has changed its location in the system folders. Then you need to correct the registry key.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DataBasePath

Viruses of the Win32/Vundo family surpass most of their malicious counterparts in ingenuity when it comes to tampering with hosts files. They change the file name itself, erasing the Latin letter o and replacing it with a Cyrillic one. Such a file no longer converts site domain names into IP addresses, and even if the user restores this file, the result remains the same. How to find the genuine file? If there are doubts that the object we need is genuine, we perform the following procedure. The first step is to enable the display of hidden files. Let's examine the directory; it looks like what is shown in the picture.

Two seemingly identical files are present here, but since the OS does not allow identical names, it is obvious that we are dealing with a fake. It is easy to determine which one is correct and which is wrong: the virus creates a voluminous file that undergoes numerous edits, so the result of its sabotage in the figure is the hidden file of 173 KB.

If you open a document file, the information in it will contain the following lines:

31.214.145.172 vk.com - a string that can replace the IP address of the site

127.0.0.1 avast.com - a file line written by a virus to deny access to the antivirus program website
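An added example (not part of the article or of AVZ) that applies the checks described above and in firmware item 13 to a constructed hosts file: it flags entries that redirect a site to another address or pin an antivirus vendor domain to loopback, detects the Cyrillic look-alike file name used by Win32/Vundo, and rebuilds the default file. The vendor-domain list and the look-alike letter table are assumptions made for the example.

```python
"""Audit a Windows hosts file for the tampering described above (added example)."""
import ipaddress

# Constructed sample, not captured from a real machine. It mirrors the two kinds
# of malicious lines the article shows: a site redirect and an update block.
SAMPLE_HOSTS = """# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
::1             localhost
31.214.145.172  vk.com           # redirect of a popular site
127.0.0.1       avast.com        # blocks the antivirus vendor site
127.0.0.1       www.avast.com
"""

# Constructed, shortened list of vendor/update domains a defender never expects
# to see pinned to loopback; extend it for the products actually installed.
PROTECTED_DOMAINS = ("avast.com", "kaspersky.com", "drweb.com", "eset.com",
                     "microsoft.com", "windowsupdate.com")
LOOPBACKS = {"127.0.0.1", "::1", "0.0.0.0"}
BENIGN_NAMES = {"localhost", "localhost.localdomain"}

# Cyrillic lowercase letters that look like Latin ones (constructed table; the
# article's Win32/Vundo sample swaps the Latin 'o' in "hosts" for a Cyrillic one).
CONFUSABLES = {"\u043e": "o", "\u0441": "c", "\u0435": "e", "\u0430": "a",
               "\u0440": "p", "\u0445": "x", "\u0443": "y", "\u0455": "s",
               "\u0456": "i", "\u0458": "j"}


def parse_hosts(text):
    """Return (line_no, ip, [hostnames]) for every non-comment entry.

    Inline '#' comments are stripped and lines with an unparsable IP skipped.
    """
    entries = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        parts = raw.split("#", 1)[0].split()
        if len(parts) < 2:
            continue
        try:
            ip = str(ipaddress.ip_address(parts[0]))
        except ValueError:
            continue
        entries.append((line_no, ip, [h.lower() for h in parts[1:]]))
    return entries


def audit_hosts(text):
    """Return (line_no, reason, hostname) findings for suspicious entries.

    Two checks, one per malicious line type in the article:
      * a protected vendor domain mapped to loopback -> 'vendor site blocked'
      * any other name mapped to a non-loopback address -> 'redirect'
    """
    findings = []
    for line_no, ip, names in parse_hosts(text):
        for name in names:
            if name in BENIGN_NAMES:
                continue
            if ip not in LOOPBACKS:
                findings.append((line_no, "redirect", name))
            elif any(name == d or name.endswith("." + d) for d in PROTECTED_DOMAINS):
                findings.append((line_no, "vendor site blocked", name))
    return findings


def is_homoglyph_name(filename, expected="hosts"):
    """True if filename is not `expected` but reads as it once Cyrillic
    look-alikes are folded to Latin (Windows file names are case-insensitive)."""
    folded = "".join(CONFUSABLES.get(ch, ch) for ch in filename.lower())
    return folded == expected and filename.lower() != expected


def restore_default(text):
    """What AVZ firmware 13 does: keep the comments, drop every entry and
    append the standard '127.0.0.1 localhost' line."""
    comments = [ln for ln in text.splitlines() if ln.lstrip().startswith("#")]
    return "\n".join(comments + ["127.0.0.1 localhost"]) + "\n"


if __name__ == "__main__":
    for line_no, reason, name in audit_hosts(SAMPLE_HOSTS):
        print(f"line {line_no}: {reason}: {name}")
    print("h\u043ests is a look-alike name:", is_homoglyph_name("h\u043ests"))
```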

We already noted above that you can also block individual resources by creating incorrect routes in the routing table. Let's look at the sequence of actions to see how the situation can be resolved.

If the hosts file does not have malicious adjustments, and working with the resource is impossible, the problem lies in the route table. A few words about the essence of the interaction of these tools. If the correct adaptive domain address is specified in the hosts file, then redirection to this address occurs to an existing resource. As a rule, the IP address does not belong to the address range of the local subnet, so redirection occurs through the router gateway, which is determined by the Internet connection settings.

If you adjust the route entries for a specific IP address, then automatic connection will occur based on this entry. Provided that there is no such route, or the gateway is not working, the connection will not occur and the resource will remain unavailable. Thus, the virus can delete an entry in the route table and block absolutely any website.

Routes created for specific sites remain in the HKLM registry database. The route table is updated when the route add command is run or the data is adjusted manually. When there are no static routes, that section of the table is empty. You can view the routing data with the route print command. It looks like this:

Active routes:

The table presented above is standard for a PC with a single network card and network connection settings:

IP address 192.168.0.0

mask 255.255.255.0

default gateway 192.168.0.1

The entry presented above includes the network IP address 192.168.0.0 and the subnet mask 255.255.255.0. Decoded, this means the following. The mask covers all nodes whose high-order part of the address is the same. In binary, the first three bytes of the subnet mask are all ones on any PC operating system (in decimal this is 255, in hexadecimal 0xFF). The low-order part of the nodes' addresses is a value in the range 1-254.

In accordance with the above, the lowest address, 192.168.0.0, is the network address. The highest address, 192.168.0.255, is the broadcast address. While the first is excluded from use for data exchange, the second is precisely intended for it. The nodes exchange data packets using routes.

Let's imagine the following configuration:

IP address - 192.168.0.0

Network mask - 255.255.255.0

Gateway - 192.168.0.3

Interface - 192.168.0.3

Metric - 1

The information is deciphered logically as follows: for the address range 192.168.0.0 - 192.168.0.255, we use the address of our own network card (192.168.0.3) as both gateway and interface. This means the information is passed directly to the recipient.

When the destination address does not fall within the range 192.168.0.0-192.168.0.255, it cannot be transmitted directly. The IP stack sends the data to the router, which forwards it to another network. If static routes are not specified, the default router address is the same as the gateway address. Information is sent to this address, then on through the network along the routes specified in the tables, until the recipient receives the packet. In general terms, this is what data transfer looks like. Here is an illustration of the entries in a standard routing table. The example has only a few records, but their number can reach tens or hundreds of lines.

Based on the example data, let's describe how traffic to Internet addresses is directed. For destinations in the range 74.55.40.0 to 74.55.40.255, the gateway is 192.168.0.0, which equals the network number and therefore cannot be used to exchange data. The IP stack sees that the address (74.55.40.226) is not part of the local network's address block and consults the registered static routes.

If such a route were not registered, the packet would be sent to the default gateway address from the example.

Because the route shown in the example is more specific, it has priority and requires its own gateway rather than the default one. Since there is no gateway in the table that can satisfy the request, the server with address 74.55.40.226 remains out of reach. And with the subnet mask given in the example, all addresses in the range 74.55.40.0 - 74.55.40.255 are blocked. This range includes the website of the antivirus software installed on the computer, which therefore cannot receive virus database updates and will not function properly.

The more such entries in the route table, the more resources are blocked. In practice, specialists have seen viruses create up to four hundred lines of this kind, blocking about a thousand network resources. Moreover, the virus authors are not particularly concerned that in trying to ban one particular resource they cut off dozens of other sites. This is their main mistake, since the number of unavailable resources reveals the very fact that data transfer is being blocked. For example, if the blocked range includes the most popular social networks and the user cannot log into VKontakte or Odnoklassniki, suspicion arises that the PC is not working properly with the network.

Correcting the situation is not difficult; the route command with the delete parameter is used for this. We find the false entries in the table and remove them. A small note: all these operations are possible only if the user has administrator rights, but then the virus could only have changed the routes if it got in through the administrator account of the computer. Here are examples of such commands.

route delete 74.55.40.0 - the entry that deletes the first route line;

route delete 74.55.74.0 - the entry that deletes the second route line.

The number of such lines must be the total number of false routes.

A simpler approach is to use output redirection. This is done by entering route print > C:\routes.txt. Running the command creates a file called routes.txt on the system disk containing the route table.

The listing contains DOS codepage characters; they are unreadable and irrelevant to the operation. By adding route delete at the beginning of each route line, we delete each false entry. The lines look something like this:

route delete 84.50.0.0

route delete 84.52.233.0

route delete 84.53.70.0

route delete 84.53.201.0

route delete 84.54.46.0

Next, you need to change the file extension to cmd or bat. The new file is launched by double-clicking it. You can simplify the task using the popular FAR file manager, which works as follows. In the editor, called with the F4 function key, select the right-hand part of the route records as a block. Using the Ctrl+F7 key combination, all spaces are replaced with an empty value, and the cursor is set to the start of the line. Repeating the same key combination inserts the route delete command at the place we need.
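The conversion of route print output into route delete commands described above, together with the range reasoning from the 74.55.40.0 example, as an added example that is not part of the article or of AVZ: it parses a constructed route print listing in the Windows layout, flags routes whose gateway is a network number that no host answers for, shows by longest-prefix match which destinations such a route captures, and emits the delete lines. The listing and every address in it are constructed.

```python
"""Parse Windows `route print` output and pick out routes that can only block
traffic (added example, not taken from the article or from AVZ)."""
import ipaddress

# Constructed sample in the layout Windows `route print` uses; not captured from a
# real machine. The two 74.55.x.0 rows copy the article's trick: their "gateway"
# is 192.168.0.0, the network number itself, which no host on the LAN answers for.
SAMPLE_ROUTE_PRINT = """\
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.0.1     192.168.0.3     25
        127.0.0.0        255.0.0.0         On-link        127.0.0.1    306
      192.168.0.0    255.255.255.0         On-link      192.168.0.3    281
      192.168.0.3  255.255.255.255         On-link      192.168.0.3    281
       74.55.40.0    255.255.255.0      192.168.0.0     192.168.0.3      1
       74.55.74.0    255.255.255.0      192.168.0.0     192.168.0.3      1
        224.0.0.0        240.0.0.0         On-link        127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link        127.0.0.1    306
===========================================================================
"""

def parse_route_print(text):
    """Return the rows of the IPv4 'Active Routes' section as dicts with keys
    destination, netmask, gateway ('On-link' = directly connected), interface,
    metric and a parsed 'network'. Headers and other sections are skipped."""
    routes, in_active = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Active Routes:"):
            in_active = True
            continue
        if in_active and line.startswith("="):
            break
        parts = line.split()
        if not in_active or len(parts) != 5:
            continue
        dest, mask, gateway, iface, metric = parts
        try:
            network = ipaddress.IPv4Network(f"{dest}/{mask}", strict=False)
        except ValueError:  # column header or other non-route text
            continue
        routes.append({"destination": dest, "netmask": mask, "gateway": gateway,
                       "interface": iface, "metric": int(metric), "network": network})
    return routes

def on_link_networks(routes):
    """Directly connected subnets (gateway 'On-link') minus host, loopback and
    multicast entries: only these can contain a real next-hop gateway."""
    return [r["network"] for r in routes
            if r["gateway"].lower() == "on-link" and r["network"].prefixlen < 32
            and not r["network"].is_loopback and not r["network"].is_multicast]

def gateway_is_usable(gateway, nets):
    """A next hop must be a host address inside a connected subnet. The network
    number or broadcast address of that subnet never answers ARP, so a route that
    points at either silently drops every packet it matches (the article's trick)."""
    if gateway.lower() == "on-link":
        return True
    gw = ipaddress.IPv4Address(gateway)
    for net in nets:
        if gw in net:
            return gw not in (net.network_address, net.broadcast_address)
    return False

def find_bogus_routes(routes):
    """Routes whose gateway can never forward traffic."""
    nets = on_link_networks(routes)
    return [r for r in routes if not gateway_is_usable(r["gateway"], nets)]

def route_for(routes, ip):
    """Longest-prefix match, the same choice the IP stack makes for a packet;
    on an equal prefix length the lower metric wins."""
    addr = ipaddress.IPv4Address(ip)
    matches = [r for r in routes if addr in r["network"]]
    if not matches:
        return None
    return max(matches, key=lambda r: (r["network"].prefixlen, -r["metric"]))

def is_blocked(routes, ip):
    """True if the route chosen for ip leads to a gateway that cannot forward."""
    chosen = route_for(routes, ip)
    return chosen is not None and not gateway_is_usable(chosen["gateway"], on_link_networks(routes))

def delete_commands(routes):
    """`route delete <destination>` lines for each bogus route, in the form the
    article uses; save them to a .cmd file and run it as administrator."""
    return [f"route delete {r['destination']}" for r in find_bogus_routes(routes)]

if __name__ == "__main__":
    table = parse_route_print(SAMPLE_ROUTE_PRINT)
    print("\n".join(delete_commands(table)))
    print("74.55.40.226 blocked:", is_blocked(table, "74.55.40.226"))
```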

When there are many false routes in the table and correcting them manually looks long and tedious, it is recommended to use the route command together with the -f switch.

This switch removes all non-host routes, as well as routes to an endpoint and the broadcast address; the first and last have the mask 255.255.255.255, the second 127.0.0.0. In other words, all false information written into the table by the virus is removed. But at the same time the static routes and the user's own default gateway entry are destroyed too, so they will need to be restored, otherwise the network remains inaccessible. Alternatively, we can monitor the table cleaning process and stop it when it is about to delete an entry we need.

The AVZ antivirus program can also be used to correct the routing table. The specific firmware that handles this is the twentieth item, in the TCP configuration section.

The last way virus programs block user access to the IP addresses of sites is DNS server address spoofing: the connection to the network then goes through a malicious server. Such situations are quite rare, however.

After completing all the work, you need to reboot your personal computer.

Once again I thank the specialists of the Launch.RF computer service centre for their help in preparing this material - http://launch.rf/information/territory/Kolomenskaya/; you can order laptop and netbook repair in Moscow from them.

Recovering encrypted files is a problem faced by a large number of personal computer users who have fallen victim to various encryption viruses. The number of malware programs in this group is very large and grows every day. In recent times alone we have encountered dozens of ransomware variants: CryptoLocker, Crypt0l0cker, Alpha Crypt, TeslaCrypt, CoinVault, Bit Crypt, CTB-Locker, TorrentLocker, HydraCrypt, better_call_saul, crittt, etc.

Of course, you can restore encrypted files simply by following the instructions that the creators of the virus leave on the infected computer. But most often, the cost of decryption is very significant, and you also need to know that some ransomware viruses encrypt files in such a way that it is simply impossible to decrypt them later. And of course, it's just annoying to pay to restore your own files.

Ways to recover encrypted files for free

There are several ways to recover encrypted files using free, proven programs such as ShadowExplorer and PhotoRec. Before and during recovery, use the infected computer as little as possible; this increases your chances of recovering the files successfully.

The instructions below must be followed step by step. If anything does not work, STOP and ask for help by leaving a comment on this article or creating a new topic on our.

1. Remove ransomware virus

Kaspersky Virus Removal Tool and Malwarebytes Anti-malware can detect different types of active ransomware viruses and will easily remove them from your computer, BUT they cannot restore encrypted files.

1.1. Remove ransomware using Kaspersky Virus Removal Tool

Click on the button Scan to run a scan of your computer for the presence of a ransomware virus.

Wait for this process to complete and remove any malware found.

1.2. Remove ransomware using Malwarebytes Anti-malware

Download the program. After the download is complete, run the downloaded file.

The program update procedure will start automatically. When it ends press the button Run scan. Malwarebytes Anti-malware will begin scanning your computer.

Immediately after scanning your computer, Malwarebytes Anti-malware will open a list of found components of the ransomware virus.

Click on the button Remove selected to clean your computer. While malware is being removed, Malwarebytes Anti-malware may require you to restart your computer to continue the process. Confirm this by selecting Yes.

After the computer starts again, Malwarebytes Anti-malware will automatically continue the cleaning process.

2. Recover encrypted files using ShadowExplorer

ShadowExplorer is a small utility that lets you restore files from the shadow copies that Windows (7-10) creates automatically. This allows you to return your encrypted files to their original state.

Download the program. The program is in a zip archive. Therefore, right-click on the downloaded file and select Extract all. Then open the ShadowExplorerPortable folder.

Launch ShadowExplorer. Select the drive you need and the creation date of the shadow copy (numbers 1 and 2 in the figure below).

Right-click on the directory or file you want to restore a copy of. From the menu that appears, select Export.

And lastly, select the folder where the recovered file will be copied.

3. Recover encrypted files using PhotoRec

PhotoRec is a free program created to recover deleted and lost files. With it you can restore the original files that ransomware viruses deleted after creating their encrypted copies.

Download the program. The program is in the archive. Therefore, right-click on the downloaded file and select Extract all. Then open the testdisk folder.

Find QPhotoRec_Win in the list of files and run it. A program window will open showing all the partitions of the available disks.

In the list of partitions, select the one on which the encrypted files are located. Then click on the File Formats button.

By default, the program is configured to recover all file types, but to speed up the work, it is recommended to leave only the file types that you need to recover. When you have completed your selection, click OK.

At the bottom of the QPhotoRec program window, find the Browse button and click it. You need to select the directory where the recovered files will be saved. It is advisable to use a disk that does not contain encrypted files that require recovery (you can use a flash drive or external drive).

To start the procedure for searching and restoring original copies of encrypted files, click the Search button. This process takes quite a long time, so be patient.

When the search is complete, click the Quit button. Now open the folder you have chosen to save the recovered files.

The folder will contain directories named recup_dir.1, recup_dir.2, recup_dir.3, etc. The more files the program finds, the more directories there will be. To find the files you need, check all the directories one by one. To make it easier to find a particular file among the large number restored, use the built-in Windows search (by file content), and do not forget the option of sorting the files in each directory. You can sort by the file modification date, since QPhotoRec attempts to restore this property when it recovers a file.

A virus is a type of malicious software that penetrates system memory areas, code of other programs, and boot sectors. It is capable of deleting important data from a hard drive, USB drive or memory card.

Most users do not know how to recover files after a virus attack. In this article, we want to tell you how to do it in a quick and easy way. We hope that this information will be useful to you. There are two main methods you can use to easily remove the virus and recover deleted data after a virus attack.

Delete the virus using the command prompt

1) Click the “Start” button and enter CMD in the search bar. “Command Prompt” appears at the top of the pop-up window. Press Enter.

2) In the Command Prompt type: “attrib -h -r -s /s /d X:\*.*”, where X: is the letter of the infected drive.

After this step, Windows removes the hidden, read-only and system attributes from every file and folder on the virus-infected hard drive, memory card or USB drive, so the files the virus hid become visible again. It takes some time for the process to complete.

To start Windows recovery, click the “Start” button. Type Restore in the search bar. In the next window click “Start System Restore” → “Next” and select the desired restore point.

Another variant of the path is “Control Panel” → “System” → “System Protection”. A recovery preparation window will appear. Then the computer will reboot and a message will appear saying “System Restore completed successfully.” If it did not solve your problem, then try rolling back to another restore point. That’s all to be said about the second method.

Magic Partition Recovery: Restoring Missing Files and Folders after a Virus Attack

For reliable recovery of files deleted by viruses, use Magic Partition Recovery. The program is based on direct low-level access to the disk. Therefore, it will bypass the virus blocking and read all your files.

Download and install the program, then analyze the disk, flash drive or memory card. After the analysis, the program displays the list of folders on the selected disk. Having selected the necessary folder on the left, you can view it in the right section.

Thus, the program provides the ability to view the contents of the disk in the same way as with the standard Windows Explorer. In addition to existing files, deleted files and folders will be displayed. They will be marked with a special red cross, making it much easier to recover deleted files.

If you have lost your files after virus attack, Magic Partition Recovery will help you restore everything without much effort.

AVZ is a simple and convenient utility that can not only remove viruses but also restore the system. Why is this necessary?

The fact is that after the invasion of viruses (it happens that AVZ kills thousands of them), some programs refuse to work, the settings have all disappeared somewhere and Windows somehow does not work quite correctly.

Most often, in this case, users simply reinstall the system. But as practice shows, this is not at all necessary, because using the same AVZ utility, you can restore almost any damaged programs and data.

To give you a clearer picture, I provide the full list of what AVZ can restore.

Material taken from the reference book AVZ - http://www.z-oleg.com/secur/avz_doc/ (copy and paste into the browser address bar).

Currently the database contains the following firmware:

1. Restoring startup parameters of .exe, .com, .pif files

This firmware restores the system's response to exe files, com, pif, scr.

Indications for use: After the virus is removed, programs stop running.

2. Reset Internet Explorer protocol prefix settings to standard

This firmware restores protocol prefix settings in Internet Explorer

Indications for use: when you enter an address like www.yandex.ru, it is replaced with something like www.seque.com/abcd.php?url=www.yandex.ru

3. Restoring the Internet Explorer start page

This firmware restores the start page in Internet Explorer

Indications for use: replacing the start page

4. Reset Internet Explorer search settings to standard

This firmware restores search settings in Internet Explorer

Indications for use: When you click the “Search” button in IE, you are directed to some third-party site

5. Restore desktop settings

This firmware restores desktop settings.

Restoration involves deleting all active ActiveDesktop elements and wallpaper, and unblocking the menu responsible for desktop settings.

Indications for use: The desktop settings bookmarks in the “Display Properties” window have disappeared; extraneous inscriptions or pictures are displayed on the desktop

6. Deleting all Policies (restrictions) of the current user

Windows provides a mechanism for restricting user actions called Policies. Many malware use this technology because the settings are stored in the registry and are easy to create or modify.

Indications for use: Explorer functions or other system functions are blocked.

7. Deleting the message displayed during WinLogon

Windows NT and subsequent systems in the NT line (2000, XP) allow you to set the message displayed during startup.

A number of malicious programs take advantage of this, and the destruction of the malicious program does not lead to the destruction of this message.

Indications for use: An extraneous message is entered during system boot.

8. Restoring Explorer settings

This firmware resets a number of Explorer settings to standard (the settings changed by malware are reset first).

Indications for use: Explorer settings changed

9. Removing system process debuggers

Registering a system process debugger allows an application to be launched covertly, which is what a number of malicious programs exploit.

Indications for use: AVZ detects unidentified system process debuggers, problems arise with launching system components, in particular, the desktop disappears after a reboot.

10. Restoring boot settings in SafeMode

Some malware, in particular the Bagle worm, corrupts the system's boot settings in protected mode.

This firmware restores the boot settings for protected mode. Indications for use: the computer does not boot into SafeMode. This firmware should be used only when there are problems booting in protected mode.

11. Unlock Task Manager

Task Manager blocking is used by malware to protect processes from detection and removal. Accordingly, executing this microprogram removes the lock.

Indications for use: The task manager is blocked; when you try to call the task manager, the message “Task Manager is blocked by the administrator” is displayed.

12. Clearing the ignore list of the HijackThis utility

The HijackThis utility stores a number of its settings in the registry, in particular a list of exceptions. Therefore, to camouflage itself from HijackThis, the malicious program only needs to register its executable files in the exclusion list.

A number of malicious programs that exploit this weakness are currently known. This AVZ firmware clears the HijackThis exception list.

Indications for use: There are suspicions that the HijackThis utility does not display all information about the system.

13. Cleaning the Hosts file

Cleaning up the Hosts file involves finding the Hosts file, removing all significant lines from it, and adding the standard “127.0.0.1 localhost” line.

Indications for use: It is suspected that the Hosts file has been modified by malware. Typical symptoms are blocking the update of antivirus programs.

You can control the contents of the Hosts file using the Hosts file manager built into AVZ.
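As an added example (not AVZ's own code), the Python script below shows the two halves of this operation against a constructed hosts file: an inspection pass that flags the mappings worth a look (a name other than localhost pointing at a loopback address, which is how antivirus update servers get blackholed, or any name pointing at an outside address), and a cleaning pass that does what firmware 13 describes: keep only comment lines and append the standard "127.0.0.1 localhost" line. The file contents, the names update.antivirus.example and www.bank.example and the address 203.0.113.10 are constructed.

```python
"""Inspect and clean a Windows hosts file the way AVZ firmware 13 describes."""
import ipaddress

# Constructed hosts file (not a real capture): the standard Microsoft comment
# header, two legitimate localhost lines and two tampered entries.
CONSTRUCTED_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
::1             localhost
127.0.0.1       update.antivirus.example   # constructed: update server blackholed
203.0.113.10    www.bank.example           # constructed: redirected to an outside host
"""

STANDARD_LINE = "127.0.0.1 localhost"
LOOPBACK_NAMES = {"localhost"}


def parse_hosts(text):
    """Return (ip, [names]) for every active mapping; comments are ignored."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                           # not an address, not a mapping
        entries.append((str(ip), parts[1:]))
    return entries


def suspicious_entries(text):
    """Flag mappings a practitioner should review.

    - a name other than localhost resolved to a loopback address: the classic
      way of blocking antivirus updates (the symptom the text mentions);
    - any name resolved to a non-loopback address: a redirection to a host
      chosen by whoever edited the file.
    """
    findings = []
    for ip, names in parse_hosts(text):
        addr = ipaddress.ip_address(ip)
        for name in names:
            if addr.is_loopback and name.lower() not in LOOPBACK_NAMES:
                findings.append((name, ip, "loopback blackhole"))
            elif not addr.is_loopback:
                findings.append((name, ip, "redirect"))
    return findings


def clean_hosts(text):
    """Rebuild the file: keep comment lines, drop every active mapping,
    append the standard localhost line (what firmware 13 does)."""
    comments = [l for l in text.splitlines() if l.lstrip().startswith("#")]
    return "\n".join(comments + [STANDARD_LINE]) + "\n"


if __name__ == "__main__":
    for name, ip, kind in suspicious_entries(CONSTRUCTED_HOSTS):
        print(f"{kind:18} {name} -> {ip}")
    print("--- cleaned file ---")
    print(clean_hosts(CONSTRUCTED_HOSTS), end="")
```

On a live machine the file lives under the system directory (drivers\etc\hosts); the inspection pass is the part worth running first, since AVZ's firmware removes every active line, including any entries you added yourself.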

14. Automatic correction of SPI/LSP settings

Performs analysis of SPI settings and, if errors are detected, automatically corrects the errors found.

This firmware can be re-run an unlimited number of times. After running this firmware, it is recommended to restart your computer. Note! This firmware cannot be run from a terminal session

Indications for use: Internet access was lost after the malicious program was removed.

15. Reset SPI/LSP and TCP/IP settings (XP+)

This firmware only works on XP, Windows 2003 and Vista. Its operating principle is based on resetting and re-creating SPI/LSP and TCP/IP settings using the standard netsh utility included in Windows.

Note! You should use a factory reset only if necessary if you have unrecoverable problems with Internet access after removing malware!

Indications for use: After removing the malicious program, Internet access does not work and running firmware “14. Automatic correction of SPI/LSP settings” does not help.

16. Recovering the Explorer launch key

Restores system registry keys responsible for launching Explorer.

Indications for use: During system boot, Explorer does not start, but it is possible to launch explorer.exe manually.

17. Unlocking the registry editor

Unblocks the Registry Editor by removing the policy that prevents it from running.

Indications for use: It is impossible to start the Registry Editor; when you try, a message is displayed stating that its launch is blocked by the administrator.

18. Complete re-creation of SPI settings

Backs up the SPI/LSP settings, then destroys them and re-creates them according to the standard stored in the database.

Indications for use: Severe damage to SPI settings that cannot be repaired by scripts 14 and 15. Use only if necessary!

19. Clear MountPoints database

Cleans up the MountPoints and MountPoints2 databases in the registry. This operation often helps when drives will not open in Explorer after infection with a flash-drive virus.

To perform a recovery, you must select one or more items and click the “Perform selected operations” button. Clicking the "OK" button closes the window.

On a note:

Recovery is useless while a Trojan program that performs such reconfiguration is still running on the system: first remove the malware, then restore the system settings.

On a note:

To eliminate traces of most Hijackers, you need to run three firmware - “Reset Internet Explorer search settings to standard”, “Restore Internet Explorer start page”, “Reset Internet Explorer protocol prefix settings to standard”

On a note:

Any of the firmware can be executed several times in a row without damaging the system. Exceptions: “5. Restoring desktop settings” (running this firmware resets all desktop settings and you will have to re-select the desktop colouring and wallpaper) and “10. Restoring boot settings in SafeMode” (this firmware recreates the registry keys responsible for booting in safe mode).

To start the recovery, first download, unpack and run the utility. Then click File - System Restore. By the way, you can also do

Check the boxes you need and click the button to start the operations. That's it; now we wait for it to finish :-)

In the following articles we will look in more detail at the problems that avz system recovery firmware will help us solve. So good luck to you.

An excellent program for removing viruses and restoring the system is AVZ (Zaitsev Anti-Virus). You can download AVZ by clicking the orange button after the links have been generated. And if a virus blocks the download, try downloading the whole anti-virus set!

The main capabilities of AVZ are virus detection and removal.

AVZ antivirus utility is designed to detect and remove:

  • SpyWare and AdWare modules are the main purpose of the utility
  • Dialer (Trojan.Dialer)
  • Trojan programs
  • BackDoor modules
  • Network and mail worms
  • TrojanSpy, TrojanDownloader, TrojanDropper

The utility is a direct analogue of the TrojanHunter and LavaSoft Ad-aware 6 programs. The primary task of the program is SpyWare removal and Trojan programs.

Features of the AVZ utility (in addition to the standard signature scanner) are:

  • Heuristic system check microprograms. Firmware searches for known SpyWare and viruses based on indirect signs - based on analysis of the registry, files on disk and in memory.
  • Updated database of safe files. It includes digital signatures of tens of thousands of system files and files of known safe processes. The database is connected to all AVZ subsystems and works on the “friend/foe” principle: safe files are not quarantined, and deletion and warnings are blocked for them; the database is used by the anti-rootkit, the file search system and various analyzers. In particular, the built-in process manager highlights safe processes and services in colour, and the disk file search can exclude known files from the results (which is very useful when searching a disk for Trojan programs);
  • Built-in Rootkit detection system. The RootKit search is carried out without the use of signatures, based on a study of basic system libraries to intercept their functions. AVZ can not only detect RootKit, but also correctly block UserMode RootKit for its process and KernelMode RootKit at the system level. The RootKit countermeasures apply to all AVZ service functions; as a result, the AVZ scanner can detect masked processes, the registry search system “sees” masked keys, etc. The anti-rootkit is equipped with an analyzer that detects processes and services masked by RootKit. In my opinion, one of the main features of the RootKit countermeasures system is its functionality in Win9X (the widespread opinion about the absence of RootKit working on the Win9X platform is deeply erroneous - hundreds of Trojan programs are known that intercept API functions to mask their presence, to distort the operation of API functions or to monitor their use). Another feature is the universal detection and blocking system KernelMode RootKit, compatible with Windows NT, Windows 2000 pro/server, XP, XP SP1, XP SP2, Windows 2003 Server, Windows 2003 Server SP1
  • Keylogger and Trojan DLL detector. The search for Keylogger and Trojan DLLs is carried out based on system analysis without using a signature database, which allows you to confidently detect previously unknown Trojan DLLs and Keylogger;
  • Neuroanalyzer. In addition to the signature analyzer, AVZ contains a neuroemulator, which allows you to examine suspicious files using a neural network. Currently, the neural network is used in a keylogger detector.
  • Built-in Winsock SPI/LSP settings analyzer. Allows you to analyze the settings, diagnose possible errors in them and perform automatic treatment. The ability to diagnose and treat automatically is useful for novice users (utilities like LSPFix do not have automatic treatment). For studying SPI/LSP manually, the program has a special LSP/SPI settings manager. The Winsock SPI/LSP analyzer is covered by the anti-rootkit;
  • Built-in manager of processes, services and drivers. Designed to study running processes and loaded libraries, running services and drivers. The work of the process manager is covered by the anti-rootkit (as a result, it “sees” processes masked by the rootkit). The process manager is linked to the AVZ safe file database; identified safe and system files are highlighted in color;
  • Built-in utility for searching files on disk. Allows you to search a file using various criteria; the capabilities of the search system exceed those of the system search. The operation of the search system is covered by the anti-rootkit (as a result, the search “sees” files masked by the rootkit and can delete them), the filter allows you to exclude files identified by AVZ as safe from the search results. Search results are available as a text log and as a table in which you can mark a group of files for later deletion or quarantine
  • Built-in utility for searching data in the registry. Allows you to search for keys and parameters according to a given pattern; search results are available in the form of a text protocol and in the form of a table in which you can mark several keys for their export or deletion. The operation of the search system is covered by the anti-rootkit (as a result, the search “sees” registry keys masked by the rootkit and can delete them)
  • Built-in analyzer of open TCP/UDP ports. It is covered by an anti-rootkit; in Windows XP, the process using the port is displayed for each port. The analyzer is based on an updated database of ports of known Trojan/Backdoor programs and known system services. The search for Trojan program ports is included in the main system scanning algorithm - when suspicious ports are detected, warnings are displayed in the protocol indicating which Trojan programs are likely to use this port
  • Built-in analyzer of shared resources, network sessions and files opened over the network. Works in Win9X and Nt/W2K/XP.
  • Built-in Downloaded Program Files (DPF) analyzer - displays DPF elements, connected to all AVZ systems.
  • System recovery firmware. The firmware restores Internet Explorer settings, program launch parameters and other system settings damaged by malware. Restoration is started manually; the parameters to be restored are specified by the user.
  • Heuristic file deletion. Its essence is that if malicious files were deleted during treatment and this option is enabled, an automatic system scan is performed covering classes, BHOs, IE and Explorer extensions, all types of autorun available to AVZ, Winlogon, SPI/LSP, etc. All found references to a deleted file are automatically cleared, and information about exactly what was cleared and where is recorded in the log. This cleaning makes active use of the system treatment firmware engine;
  • Checking archives. Starting from version 3.60, AVZ supports scanning archives and compound files. Currently, archives in ZIP, RAR, CAB, GZIP and TAR formats, e-mail messages and MHT files, and CHM archives are checked
  • Checking and treating NTFS streams. Checking NTFS streams is included in AVZ starting from version 3.75
  • Control scripts. Allow the administrator to write a script that performs a set of specified operations on the user’s PC. Scripts allow AVZ to be used on a corporate network, including launching it during system boot.
  • Process analyzer. The analyzer uses neural networks and analysis firmware; it is turned on when advanced analysis is enabled at the maximum heuristic level and is designed to search for suspicious processes in memory.
  • AVZGuard system. Designed to combat hard-to-remove malware, it can, in addition to AVZ, protect user-specified applications, for example, other anti-spyware and anti-virus programs.
  • Direct disk access system for working with locked files. Works on FAT16/FAT32/NTFS, is supported on all operating systems of the NT line, allows the scanner to analyze locked files and quarantine them.
  • Driver for monitoring processes and drivers AVZPM. Designed to monitor the start and stop of processes and loading/unloading of drivers to search for masquerading drivers and detect distortions in the structures describing processes and drivers created by DKOM rootkits.
  • Boot Cleaner Driver. Designed to perform system cleaning (removing files, drivers and services, registry keys) from KernelMode. The cleaning operation can be performed both during the process of restarting the computer and during treatment.

Restoring system parameters.

  • Restoring startup parameters of .exe .com .pif
  • Reset IE settings
  • Restoring desktop settings
  • Remove all user restrictions
  • Deleting a message in Winlogon
  • Restoring File Explorer settings
  • Removing system process debuggers
  • Restoring Safe Mode boot settings
  • Unblocking the task manager
  • Cleaning the hosts file
  • Correcting SPI/LSP settings
  • Resetting SPI/LSP and TCP/IP settings
  • Unlocking Registry Editor
  • Cleaning MountPoints Keys
  • Replacing DNS servers
  • Removing the proxy setting for the IE/EDGE server
  • Removing Google Restrictions

Program tools:

  • Process Manager
  • Services and Driver Manager
  • Kernel space modules
  • Internal DLL Manager
  • Search the registry
  • Search files
  • Cookie search
  • Startup Manager
  • Browser Extension Manager
  • Control Panel Applet Manager (cpl)
  • Explorer Extensions Manager
  • Print Extension Manager
  • Task Scheduler Manager
  • Protocol and Handler Manager
  • DPF Manager
  • Active Setup Manager
  • Winsock SPI Manager
  • Hosts File Manager
  • TCP/UDP Port Manager
  • Network Shares and Network Connections Manager
  • A set of system utilities
  • Checking a file against the database of safe files
  • Checking a file against the Microsoft Security Catalog
  • Calculating MD5 sums of files

Here is a rather large kit to save your computer from various infections!

A simple, easy and convenient way to restore the system to working order, even without special qualifications or skills, is possible thanks to the AVZ anti-virus utility. The use of so-called “firmware” (the AVZ utility's own terminology) reduces the whole process to a minimum.


Help is available for most of the typical problems a user encounters. All firmware functionality is called from the menu "File -> System Restore".

  1. Restoring startup parameters of .exe, .com, .pif files
    Restoring the system's standard response to files with the extension exe, com, pif, scr.
    After treatment for the virus, any programs and scripts stopped running.
  2. Resetting Internet Explorer protocol prefix settings to default
    Restoring the default protocol prefix settings in Internet Explorer
    Recommendations for use: when you enter a web address, for example, www.yandex.ua, it is replaced with an address like www.seque.com/abcd.php?url=www.yandex.ua
  3. Restoring the Internet Explorer start page
    Just return the start page in Internet Explorer
    Recommendations for use: if the start page has been changed
  4. Reset Internet Explorer search settings to default
    Restores search settings in Internet Explorer
    Recommendations for use: the "Search" button leads to dubious third-party sites
  5. Restoring desktop settings
    Removes all active ActiveDesktop items and wallpapers, and unlocks the desktop settings menu.
    Recommendations for use: displaying third-party inscriptions and/or drawings on the desktop
  6. Removing all Policies (restrictions) of the current user
    Removing restrictions on user actions caused by changes in Policies.
    Recommendations for use: Explorer functionality or other system functionality was blocked.
  7. Removing the message output during WinLogon
    Restoring the standard message when the system starts up.
    Recommendations for use: During the system boot process, a third-party message is observed.
  8. Restoring File Explorer settings
    Returns all Explorer settings to their standard form.
    Recommendations for use: Inappropriate Explorer settings
  9. Removing system process debuggers
    A system process debugger lets an application be launched covertly, which is very convenient for viruses.
    Recommendations for use: for example, after booting the desktop disappears.
  10. Restoring boot settings in SafeMode
    Repairs the damage done by worms such as Bagle and the like.
    Recommendations for use: problems with loading into protected mode (SafeMode), otherwise it is not recommended to use it.
  11. Unlocking Task Manager
    Unblocks any attempts to call the task manager.
    Recommendations for use: if instead of the task manager you see the message "Task Manager is blocked by the administrator"
  12. Clearing the ignore list of the HijackThis utility
    The HijackThis utility saves its settings in the system registry; in particular, a list of exceptions is stored there. Viruses that want to hide from HijackThis register themselves in this exclusion list.
    Recommendations for use: You suspect that the HijackThis utility does not display all information about the system.

  13. Cleaning the Hosts file
    All uncommented lines are removed and the only meaningful line "127.0.0.1 localhost" is added.
    Recommendations for use: Hosts file changed. You can check the Hosts file using the Hosts file manager built into AVZ.
  14. Automatic correction of SPI/LSP settings
    SPI settings are analyzed and, if necessary, errors found are automatically corrected. The firmware can be safely re-run many times. After execution, a computer restart is required. Attention!!! The firmware cannot be used from a terminal session
    Recommendations for use: After treatment for the virus, I lost access to the Internet.
  15. Resetting SPI/LSP and TCP/IP settings (XP+)
    The firmware runs exclusively on XP, Windows 2003 and Vista. The standard “netsh” utility from Windows is used. Described in detail in the Microsoft knowledge base - http://support.microsoft.com/kb/299357
    Recommendations for use: After treatment for the virus, I lost access to the Internet and firmware No. 14 did not help.
  16. Recovering the Explorer launch key
    Restoring system registry keys responsible for launching Explorer.
    Recommendations for use: After the system boots, explorer.exe can only be launched manually.
  17. Unlocking Registry Editor
    Unblocking the Registry Editor by removing the policy that prevents it from running.
    Recommendations for use: When you try to launch Registry Editor, you receive a message indicating that your administrator has blocked it from running.
  18. Complete re-creation of SPI settings
    Makes a backup copy of all SPI/LSP settings, then re-creates them according to the standard stored in the database.
    Recommendations for use: When restoring SPI settings, firmware No. 14 and No. 15 did not help you. Dangerous, use at your own peril and risk!
  19. Clear MountPoints database
    The database in the system registry for MountPoints and MountPoints2 is cleared.
    Recommendations for use: for example, it is impossible to open drives in Explorer.
  20. Replace the DNS of all connections with Google Public DNS
    The DNS server addresses of all connections are changed to 8.8.8.8

Some useful tips:

  • Most Hijacker problems can be fixed with three firmware items: No. 4 "Reset Internet Explorer search settings to standard", No. 3 "Restore Internet Explorer start page" and No. 2 "Reset Internet Explorer protocol prefix settings to standard".
  • All firmware except No. 5 and No. 10 can safely be executed multiple times.
  • And of course it is pointless to fix anything without first removing the virus.

AVZ is a free utility designed to search for and remove viruses, as well as to restore system settings after the actions of malicious programs.

Preparing for work

1. Download the AVZ utility from the official website: http://z-oleg.com/avz4.zip

2. Unpack the archive

3. Run the file from the archive avz.exe

4. Go to the File menu and select Database update

Click Start to begin the update:

The anti-virus databases are being updated:

When the update has finished, this message appears. Click OK:

Virus check

To scan for viruses, tick all of the computer's drives on the left, tick the Carry out treatment box on the right, and click the Start button at the bottom:

System Restore

A very useful function of the AVZ utility is system recovery. It comes in handy after malware removal, to eliminate the traces the malware left behind. To start it, click File -> System Restore:

Tick the required boxes and click the Perform marked operations button:

Confirm your intent:

Cleaning browsers with AVZ

From the main menu select File.

Select Troubleshooting Wizard:

In the Danger level field, select All problems.

Click Start.

Check the following boxes:

  • Clearing the TEMP folder;
  • Adobe Flash Player - clearing temporary files;
  • Macromedia Flash Player - clearing caches;
  • Cleaning system folder TEMP;
  • Clearing caches of all installed browsers;

Click the button Fix flagged issues.

System Restore is a special feature of AVZ that allows you to restore a number of system settings damaged by malware.

System recovery firmware is stored in the anti-virus database and updated as needed.

Recommendation: Use system recovery only when you clearly understand that it is required. Before using it, make a backup or create a system restore point.

Note: System restore operations automatically write backup data as REG files to the Backup subdirectory of the AVZ working folder.

Currently the database contains the following firmware:

1.Restoring startup parameters of .exe, .com, .pif files

This firmware restores the system's handling of exe, com, pif and scr files (the commands used to launch them).

Indications for use: After the virus is removed, programs stop running.

Possible risks: minimal, but it is recommended to use

2.Reset Internet Explorer protocol prefix settings to standard

This firmware restores the protocol prefix settings in Internet Explorer.

Indications for use: when you enter an address like www.yandex.ru, it is replaced with something like www.seque.com/abcd.php?url=www.yandex.ru

Possible risks: minimal

3.Restoring the Internet Explorer start page

This firmware restores the start page in Internet Explorer

Indications for use: replacing the start page

Possible risks: minimal

4.Reset Internet Explorer search settings to standard

This firmware restores search settings in Internet Explorer

Indications for use: When you click the "Search" button in IE, you are directed to some third-party site

Possible risks: minimal

5.Restore desktop settings

This firmware restores desktop settings. Restoration involves deleting all Active Desktop elements and the wallpaper, and unblocking the menu responsible for desktop settings.

Indications for use: The desktop settings tabs in the "Display Properties" window have disappeared; extraneous inscriptions or pictures are displayed on the desktop

Possible risks: user settings will be deleted, the desktop will appear as default

6.Deleting all Policies (restrictions) of the current user

Windows provides a mechanism for restricting user actions called Policies. Many malicious programs use this mechanism, because the settings are stored in the registry and are easy to create or modify.

Indications for use: Explorer functions or other system functions are blocked.

Possible risks: different versions of the operating system have different default policies, and resetting the policies to some standard set of values is not always optimal. To fix the policies most commonly altered by malware, use the Troubleshooting Wizard, which is safer in terms of possible system malfunctions.

7.Deleting the message displayed during WinLogon

Windows NT and the subsequent systems of the NT line (2000, XP) allow a message to be displayed during logon. A number of malicious programs take advantage of this, and removing the malicious program does not remove the message.

Indications for use: An extraneous message is displayed during system boot.

Possible risks: none

8.Restoring Explorer settings

This firmware resets a number of Explorer settings to standard (the settings changed by malware are reset first).

Indications for use: Explorer settings changed

Possible risks: minimal; the most common settings damage caused by malware is also found and corrected by the Troubleshooting Wizard.

9.Removing system process debuggers

Registering a debugger for a system process (the Debugger value under Image File Execution Options in the registry) makes Windows launch the registered program whenever that process is started, which allows an application to be launched covertly; a number of malicious programs use this.

Indications for use: AVZ detects unrecognized system process debuggers; problems arise when launching system components, in particular the desktop disappears after a reboot.

Possible risks: minimal, possible disruption of programs that use the debugger for legitimate purposes (for example, replacing the standard task manager)

10.Restoring boot settings in SafeMode

Some malware, in particular the Bagle worm, corrupts the system's safe-mode boot settings. This firmware restores the safe-mode boot settings.

Indications for use: The computer does not boot into SafeMode. This firmware should be used only in case of problems with booting into safe mode.

Possible risks: high, since restoring a typical configuration does not guarantee that SafeMode is fixed. A safer option is the Troubleshooting Wizard, which finds and fixes the specific broken SafeMode configuration entries.

11.Unlock task manager

Task Manager blocking is used by malware to protect its processes from detection and removal. Executing this firmware removes the block.

Indications for use: The task manager is blocked; when you try to open it, the message "Task Manager has been disabled by your administrator" is displayed.

Possible risks: minimal; a similar check is performed by the Troubleshooting Wizard

12.Clearing the ignore list of the HijackThis utility

The HijackThis utility stores a number of its settings in the registry, in particular its ignore list. To hide from HijackThis, a malicious program therefore only needs to add its executable files to that list. A number of known malicious programs exploit this. The AVZ firmware clears the HijackThis ignore list.

Indications for use: There are suspicions that the HijackThis utility does not display all information about the system.

Possible risks: minimal; note that the HijackThis ignore settings will be deleted

13. Cleaning the Hosts file

Cleaning the Hosts file involves locating the Hosts file, removing all meaningful (non-comment) lines from it, and adding the standard "127.0.0.1 localhost" line.

Indications for use: It is suspected that the Hosts file has been modified by malware. Typical symptoms are blocking the update of antivirus programs. You can control the contents of the Hosts file using the Hosts file manager built into AVZ.

Possible risks: average, please note that the Hosts file may contain useful entries
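As an added example (not part of the article and not AVZ code), the PowerShell script below does the inspection a practitioner wants before letting firmware 13 wipe the file: it takes the hosts path from the registry (DataBasePath, because malware sometimes relocates the file), classifies every entry, and only with -Clean backs the file up and rewrites it to the standard single line. The vendor watch-list is a constructed list for this example; run elevated when using -Clean.

```powershell
# Added example, not AVZ code: audit the hosts file before rewriting it the way
# firmware 13 does. Run elevated when using -Clean.
param([switch]$Clean)

# Malware sometimes relocates the hosts file, so take the directory from the
# registry (DataBasePath) instead of assuming System32\drivers\etc.
$etc       = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters').DataBasePath
$HostsPath = Join-Path $etc 'hosts'
$Loopback  = @('127.0.0.1', '::1', '0.0.0.0')
# Constructed watch-list: update and AV vendor names that malware typically blackholes.
$Watch     = @('windowsupdate', 'microsoft.com', 'z-oleg.com', 'kaspersky', 'drweb', 'eset', 'symantec', 'avast')

function Get-HostsEntries {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        $text = ($line -split '#', 2)[0].Trim()          # drop comments
        if (-not $text) { continue }
        $parts = $text -split '\s+'
        if ($parts.Count -lt 2) { continue }             # address without a name
        foreach ($name in $parts[1..($parts.Count - 1)]) {
            [pscustomobject]@{ Address = $parts[0]; Name = $name.ToLowerInvariant() }
        }
    }
}

function Test-HostsEntry {
    # Returns $null for the standard localhost lines, otherwise a description of why the entry matters.
    param($Entry)
    $isLoopback = $Loopback -contains $Entry.Address
    if ($isLoopback -and ($Entry.Name -in ('localhost', 'localhost.localdomain'))) { return $null }
    if ($Watch | Where-Object { $Entry.Name -like "*$_*" }) {
        return "vendor/update host hijacked: $($Entry.Name) -> $($Entry.Address)"
    }
    if (-not $isLoopback) { return "non-loopback mapping (possible redirect): $($Entry.Name) -> $($Entry.Address)" }
    return "blackholed host: $($Entry.Name)"
}

$attrs = (Get-Item -Path $HostsPath -Force).Attributes     # -Force also sees a hidden file
if ($attrs -band [IO.FileAttributes]::ReadOnly) { Write-Warning "hosts file is read-only ($attrs)" }

$findings = Get-HostsEntries -Lines (Get-Content -Path $HostsPath) |
    ForEach-Object { Test-HostsEntry $_ } | Where-Object { $_ }
if (-not $findings) { Write-Host "hosts file looks clean: $HostsPath"; return }
$findings | ForEach-Object { Write-Warning $_ }

if ($Clean) {
    # Back up first, as AVZ does with its own Backup folder, then clear attributes the malware may have set.
    $backup = "$HostsPath.$(Get-Date -Format yyyyMMdd-HHmmss).bak"
    Copy-Item -Path $HostsPath -Destination $backup -Force
    (Get-Item -Path $HostsPath -Force).Attributes = [IO.FileAttributes]::Normal
    # Same end state as firmware 13: only the standard localhost line remains.
    Set-Content -Path $HostsPath -Value '127.0.0.1 localhost' -Encoding ASCII
    Clear-DnsClientCache
    Write-Host "hosts rewritten; previous copy saved to $backup"
}
```

Run it once without -Clean to see what would be lost; legitimate entries (intranet names, test hosts) can be re-added from the .bak copy after the clean.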

14. Automatic correction of SPI/LSP settings

Analyzes the SPI settings and, if errors are detected, automatically corrects them. This firmware can be re-run an unlimited number of times. After running it, it is recommended to restart the computer. Note: this firmware cannot be run from a terminal session

Indications for use: Internet access was lost after the malicious program was removed.

Possible risks: average, it is recommended to create a backup before starting

15. Reset SPI/LSP and TCP/IP settings (XP+)

This firmware only works on XP, Windows 2003 and Vista. Its operating principle is based on resetting and re-creating SPI/LSP and TCP/IP settings using the standard netsh utility included in Windows. You can read more about resetting settings in the Microsoft knowledge base - http://support.microsoft.com/kb/299357

Indications for use: After removing the malicious program, access to the Internet was lost and running the firmware "14. Automatic correction of SPI/LSP settings" does not produce any results.

Possible risks: high, it is recommended to create a backup before starting

16. Recovering the Explorer launch key

Restores system registry keys responsible for launching Explorer.

Indications for use: During system boot, Explorer does not start, but explorer.exe can be launched manually.

Possible risks: minimal

17. Unlocking the registry editor

Unblocks the Registry Editor by removing the policy that prevents it from running.

Indications for use: It is impossible to start the Registry Editor; when you try, a message is displayed stating that its launch is blocked by the administrator.

Possible risks: minimal, a similar check is performed by the Troubleshooting Wizard
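The registry locations behind firmware 1, 7, 9, 11, 16 and 17 can be audited before anything is reset. The PowerShell script below is an added example, not AVZ code: it only reads the registry and reports values that differ from the stock Windows defaults ("%1" %* as the open command for exe/com/pif and "%1" /S for scr, explorer.exe as the Winlogon Shell, userinit.exe with its trailing comma as Userinit, no Debugger values, no logon notice, no DisableTaskMgr or DisableRegistryTools policy). It changes nothing; the closing comment shows the reg.exe export to run before a manual fix.

```powershell
# Added example, not AVZ code: read-only audit of the keys repaired by
# firmware 1, 7, 9, 11, 16 and 17. Reports deviations from Windows defaults.
$findings = New-Object 'System.Collections.Generic.List[string]'

function Get-RegValue {
    # Returns the value or $null when the key or value does not exist
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

# 1. Startup parameters. HKCR is the merged view, so a per-user hijack placed
#    under HKCU\Software\Classes shows up here as well.
foreach ($ext in '.exe', '.com', '.pif', '.scr') {
    $expectedProgId = $ext.TrimStart('.') + 'file'
    $progId = Get-RegValue "Registry::HKEY_CLASSES_ROOT\$ext" '(default)'
    if ($progId -ne $expectedProgId) { $findings.Add("[1] $ext maps to ProgID '$progId' (expected $expectedProgId)") }
    $expectedCmd = if ($ext -eq '.scr') { '"%1" /S' } else { '"%1" %*' }
    $cmd = Get-RegValue "Registry::HKEY_CLASSES_ROOT\$expectedProgId\shell\open\command" '(default)'
    if ($cmd -ne $expectedCmd) { $findings.Add("[1] $expectedProgId open command is '$cmd' (expected $expectedCmd)") }
}

# 7. Logon message: the Winlogon values and the policy values that override them
$wl         = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$polSysHklm = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
foreach ($key in $wl, $polSysHklm) {
    foreach ($v in 'LegalNoticeCaption', 'LegalNoticeText') {
        $val = Get-RegValue $key $v
        if ($val) { $findings.Add("[7] $v set in ${key}: '$val'") }
    }
}

# 9. IFEO: a Debugger value makes Windows start that program instead of the named binary.
#    A hit may be legitimate (e.g. a Task Manager replacement), so this only reports.
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
Get-ChildItem -Path $ifeo -ErrorAction SilentlyContinue | ForEach-Object {
    $dbg = Get-RegValue $_.PSPath 'Debugger'
    if ($dbg) { $findings.Add("[9] debugger registered for $($_.PSChildName): $dbg") }
}

# 11 / 17. Policies that block Task Manager and Registry Editor, in both hives
foreach ($key in $polSysHklm, 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System') {
    foreach ($v in 'DisableTaskMgr', 'DisableRegistryTools') {
        $val = Get-RegValue $key $v
        if ($val) { $findings.Add("[11/17] $v = $val in $key") }
    }
}

# 16. Explorer launch: Shell and Userinit must be the stock values, with no per-user override
$shell = Get-RegValue $wl 'Shell'
if ($shell -ne 'explorer.exe') { $findings.Add("[16] Winlogon Shell is '$shell'") }
$userinit = Get-RegValue $wl 'Userinit'
if ($userinit -ne "$env:SystemRoot\system32\userinit.exe,") { $findings.Add("[16] Winlogon Userinit is '$userinit'") }
$userShell = Get-RegValue 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon' 'Shell'
if ($userShell) { $findings.Add("[16] per-user Shell override: '$userShell'") }

if ($findings.Count -eq 0) { Write-Host 'no deviations from the defaults found' }
else { $findings | ForEach-Object { Write-Warning $_ } }
# Before fixing a key by hand, keep a REG backup as AVZ does, e.g.:
#   reg.exe export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" winlogon-backup.reg
```

The audit is deliberately separate from the fix: the page's own warning about policies applies here too, since a non-default value is evidence, not proof, of malware, and a Debugger entry or a customized Shell may be something the user installed on purpose.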

18. Complete re-creation of SPI settings

Makes a backup copy of the SPI/LSP settings, then destroys them and recreates them from the standard set stored in the database.

Indications for use: Severe damage to the SPI settings that cannot be repaired by firmware 14 and 15.

Note! Use this complete re-creation only when necessary, in cases where Internet access cannot be restored after malware removal and the other SPI recovery methods have not helped!

Possible risks: very high, it is recommended to create a backup before starting!

19. Clear MountPoints database

Cleans up the MountPoints and MountPoints2 database in the registry.

Indications for use: This operation often helps when, after infection with a USB flash-drive (autorun) worm, drives do not open in Explorer

Possible risks: minimal
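What firmware 19 deletes is the per-user MountPoints2 cache, where the Shell\<verb>\command subkeys of a previously inserted flash drive may still point at the worm's autorun executable, so double-clicking the drive runs it instead of opening the folder. The PowerShell below is an added example, not AVZ code: it lists every cached command, and with -Clear exports the key with reg.exe before removing it. It handles MountPoints2 only (the legacy MountPoints key the article also mentions is not covered). Run it as the affected user.

```powershell
# Added example, not AVZ code: inspect and optionally clear HKCU MountPoints2
# (the cache behind firmware 19). Run in the profile of the affected user.
param([switch]$Clear)

$mp2    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2'
$mp2Nat = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2'   # reg.exe path form

function Get-MountPointCommands {
    # Walks MountPoints2\<volume>\Shell\<verb>\command and returns each cached command line
    Get-ChildItem -Path $mp2 -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -eq 'command' } |
        ForEach-Object {
            $segments = $_.Name -split '\\'             # ... \ <volume> \ Shell \ <verb> \ command
            if ($segments[-3] -ne 'Shell') { return }
            $cmd = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).'(default)'
            if ($cmd) {
                [pscustomobject]@{
                    Volume  = $segments[-4]             # {GUID} or drive-letter entry
                    Verb    = $segments[-2]             # AutoRun, open, explore, ...
                    Command = $cmd
                }
            }
        }
}

$hits = @(Get-MountPointCommands)
if ($hits.Count -eq 0) {
    Write-Host 'no shell commands cached in MountPoints2'
} else {
    # A command pointing at an executable on a removable drive (autorun.exe, RECYCLER\...)
    # is the classic flash-drive worm footprint; an AutoRun verb is the one Explorer runs on double-click.
    $hits | Format-Table -AutoSize
}

if ($Clear) {
    $backup = Join-Path $env:TEMP "MountPoints2-$(Get-Date -Format yyyyMMdd-HHmmss).reg"
    & reg.exe export $mp2Nat $backup /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'registry backup failed; nothing was changed' }
    Remove-Item -Path $mp2 -Recurse -Force
    Write-Host "MountPoints2 cleared (Explorer recreates it at the next logon); backup: $backup"
}
```

Removing the whole key is safe in the sense the article gives (risk: minimal): it is only a cache of volumes seen by this user, and Explorer rebuilds it. The backup matters because the cached volume GUIDs are occasionally useful when reconstructing which removable drives were attached during an incident.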

20.Remove static routes

Performs removal of all static routes.

Indications for use: This operation helps if some sites are blocked using incorrect static routes.

Possible risks: average. Note that with some Internet providers static routes are required for certain services to work; after deletion they will have to be restored according to the instructions on the provider's website.

21.Replace the DNS of all connections with Google Public DNS

Replaces the DNS servers in the settings of all network adapters with Google Public DNS. Helps if a Trojan program has replaced the DNS servers with its own.

Indications for use: DNS spoofing by malware.

Possible risks: average. Note that not all providers allow the use of DNS servers other than their own.
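Firmware 14, 15, 20 and 21 map onto standard Windows tools: netsh winsock reset and netsh int ip reset (the KB299357 procedure the article cites), the route table, and the DNS client settings. The PowerShell script below is an added example, not AVZ code. Without -Apply it saves the Winsock catalog, the routing table and the DNS settings to a folder and flags Winsock providers that live outside system32; with -Apply it performs the resets in the order 14/15, 20, 21. It assumes Windows 8 or later for the Net* and DnsClient cmdlets, must run elevated, and, for the same reason the article gives for firmware 14, must be run from a local console rather than a terminal session: the resets drop the network session.

```powershell
# Added example, not AVZ code: the netsh/route/DNS steps behind firmware 14, 15,
# 20 and 21, preceded by inspection and backup. Run elevated from a local console.
param([switch]$Apply)

$dir = Join-Path $env:TEMP "net-recovery-$(Get-Date -Format yyyyMMdd-HHmmss)"
New-Item -ItemType Directory -Path $dir | Out-Null

# 14/15. Save the Winsock catalog and flag provider DLLs outside system32.
# A non-standard path is evidence, not proof: some VPN and security products install
# their own LSPs, but it is also where a hijacked stack shows up.
$catalog = netsh winsock show catalog
$catalog | Out-File -FilePath (Join-Path $dir 'winsock-catalog.txt')
$std = "(%SystemRoot%|$([regex]::Escape($env:SystemRoot)))\\system32\\"
$catalog | Where-Object { $_ -match '^\s*Provider Path:' -and $_ -notmatch $std } |
    ForEach-Object { Write-Warning "non-standard Winsock provider: $($_.Trim())" }

# 20. Persistent static routes: list them before deleting, since a provider may require some
route -4 print | Out-File -FilePath (Join-Path $dir 'routes.txt')
$static = @(Get-NetRoute -AddressFamily IPv4 -PolicyStore PersistentStore -ErrorAction SilentlyContinue)
$static | ForEach-Object {
    Write-Warning "persistent route: $($_.DestinationPrefix) via $($_.NextHop) on ifIndex $($_.InterfaceIndex)"
}

# 21. DNS servers currently configured per interface
Get-DnsClientServerAddress -AddressFamily IPv4 | Where-Object { $_.ServerAddresses } |
    ForEach-Object { Write-Host "$($_.InterfaceAlias): $($_.ServerAddresses -join ', ')" }

if (-not $Apply) {
    Write-Host "inspection only; copies saved in $dir. Re-run with -Apply to reset."
    return
}

netsh winsock reset                                        # firmware 14/15: rebuild the Winsock catalog
netsh int ip reset (Join-Path $dir 'ipreset.log')          # firmware 15 / KB299357: rewrite the TCP/IP keys
$static | Remove-NetRoute -Confirm:$false                  # firmware 20: drop persistent static routes
Get-NetAdapter | Where-Object { $_.Status -eq 'Up' } | ForEach-Object {
    # firmware 21: point every active adapter at Google Public DNS
    Set-DnsClientServerAddress -InterfaceIndex $_.InterfaceIndex -ServerAddresses '8.8.8.8', '8.8.4.4'
}
Write-Host "done; reboot to complete the Winsock and TCP/IP reset"
```

The two caveats the article attaches to firmware 20 and 21 apply unchanged: routes required by the provider have to be re-added from the saved routes.txt, and where the provider only resolves through its own servers the DNS change must be reverted with Set-DnsClientServerAddress -ResetServerAddresses.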

To perform a recovery, you must select one or more items and click the "Perform selected operations" button. Clicking the "OK" button closes the window.

On a note:

Restoration is useless if the system is running a Trojan that performs such reconfigurations - you must first remove the malicious program and then restore the system settings

On a note:

To eliminate traces of most Hijackers, you need to run three firmware - "Reset Internet Explorer search settings to standard", "Restore Internet Explorer start page", "Reset Internet Explorer protocol prefix settings to standard"

On a note:

Any of the firmware can be executed several times in a row without significant damage to the system. Exceptions are "5. Restoring desktop settings" (this firmware will reset all desktop settings and you will have to re-select the desktop coloring and wallpaper) and "10. Restoring boot settings in SafeMode" (this firmware recreates the registry keys responsible for booting into safe mode), as well as 15 and 18 (resetting and recreating SPI settings).
