Setting up AVZ firmware - system recovery after viruses. AVZ - restore system settings and remove viruses. Configuring AVZ firmware - system recovery after viruses Remove ransomware using Malwarebytes Anti-malwa

Antivirus programs, even when detecting and removing malicious software, do not always restore full functionality of the system. Often, after removing a virus, a computer user receives an empty desktop, a complete lack of access to the Internet (or access to some sites is blocked), a non-functional mouse, etc. This is usually caused by the fact that some system or user settings changed by the malicious program remain untouched.

The utility is free, works without installation, is surprisingly functional and has helped me out in a variety of situations. A virus, as a rule, makes changes to the system registry (adding to startup, modifying program launch parameters, etc.). In order not to delve into the system, manually correcting traces of the virus, it is worth using the “system restore” operation available in AVZ (although the utility is very, very good as an antivirus, it is very good to check the disks for viruses with the utility).

To start the recovery, run the utility. Then click file - system restore

and such a window will open before us

check the boxes we need and click “Perform selected operations”

This firmware restores the system's response to exe files, com, pif, scr.

Indications for use: After the virus is removed, programs stop running.

This firmware restores the protocol prefix settings in Internet Explorer

Indications for use: when you enter an address like www.yandex.ru, it is replaced with something like www.seque.com/abcd.php?url=www.yandex.ru

This firmware restores the start page in Internet Explorer

Indications for use: substitution home page

This firmware restores search settings in Internet Explorer

Indications for use: When you click the “Search” button in IE, you are directed to some third-party site

This firmware restores desktop settings. Recovery involves deleting all active elements ActiveDesctop, wallpaper, unblocking the menu responsible for desktop settings.

Indications for use: The desktop settings bookmarks in the “Display Properties” window have disappeared; extraneous inscriptions or pictures are displayed on the desktop

Windows provides a mechanism for restricting user actions called Policies. Many malware use this technology because the settings are stored in the registry and are easy to create or modify.

Indications for use: Explorer functions or other system functions are blocked.

Windows NT and subsequent systems in the NT line (2000, XP) allow you to set the message displayed during startup. A number of malicious programs take advantage of this, and the destruction of the malicious program does not lead to the destruction of this message.

Indications for use: An extraneous message is entered during system boot.

This firmware resets a number of Explorer settings to standard (the settings changed by malware are reset first).

Indications for use: Explorer settings changed

Registering a system process debugger will allow you to launch an application hidden, which is what is used by a number of malicious programs

Indications for use: AVZ detects unidentified debuggers system processes, problems arise with launching system components, in particular, the desktop disappears after a reboot.

Some malware, in particular Bagle worm, damage the system boot settings in protected mode. This firmware restores boot settings in protected mode.

Indications for use: .

Task Manager blocking is used by malware to protect processes from detection and removal. Accordingly, executing this microprogram removes the lock.

Indications for use: The task manager is blocked; when you try to call the task manager, the message “Task Manager is blocked by the administrator” is displayed.

The HijackThis utility stores a number of its settings in the registry, in particular a list of exceptions. Therefore, to camouflage itself from HijackThis, the malicious program only needs to register its executable files in the exclusion list. There are currently a number of known malicious programs that exploit this vulnerability. AVZ firmware clears HijackThis utility exception list

Indications for use: There are suspicions that the HijackThis utility does not display all information about the system.

13. Cleaning the Hosts file

Cleaning up the Hosts file involves finding the Hosts file, removing all significant lines from it, and adding the standard “127.0.0.1 localhost” line.

Indications for use: It is suspected that the Hosts file has been modified by malware. Typical symptoms are blocking the update of antivirus programs. You can control the contents of the Hosts file using the manager Hosts file, built into AVZ.

Performs analysis of SPI settings and, if errors are detected, automatically corrects the errors found. This firmware can be re-run unlimited amount once. After running this firmware, it is recommended to restart your computer.

Indications for use: After removing the malicious program, I lost access to the Internet.

This firmware only works on XP, Windows 2003 and Vista. Its operating principle is based on resetting and re-creating SPI/LSP and TCP/IP settings using the standard netsh utility included in Windows. Note! You should use a factory reset only if necessary if you have unrecoverable problems with Internet access after removing malware!

Indications for use: After removing the malicious program, access to the Internet and execution of the firmware “14. Automatically correcting SPl/LSP settings does not work.

Restores system registry keys responsible for launching Explorer.

Indications for use: During system boot, Explorer does not start, but it is possible to launch explorer.exe manually.

Unblocks the Registry Editor by removing the policy that prevents it from running.

Indications for use: It is impossible to start the Registry Editor; when you try, a message is displayed stating that its launch is blocked by the administrator.

Performs backup SPI/LSP settings, after which it destroys them and creates them according to the standard, which is stored in the database.

Indications for use:

Cleans up the MountPoints and MountPoints2 database in the registry. This operation often helps when, after infection with a Flash virus, disks do not open in Explorer

To perform a recovery, you must select one or more items and click the “Perform selected operations” button. Clicking the "OK" button closes the window.

On a note:

Restoration is useless if the system is running a Trojan that performs such reconfigurations - you must first remove the malicious program and then restore the system settings

On a note:

To eliminate traces of most Hijackers, you need to run three firmware - “Reset Internet Explorer search settings to standard”, “Restore startup Internet pages Explorer", "Resetting Internet Explorer protocol prefix settings to default"

On a note:

Any of the firmware can be executed several times in a row without damaging the system. Exceptions are “5.Restoring desktop settings” (running this firmware will reset all desktop settings and you will have to re-select the desktop coloring and wallpaper) and “10. Restoring boot settings in SafeMode" (this firmware recreates the registry keys responsible for booting into safe mode).

Like

Like

Tweet

There are programs that are as universal as a Swiss Army knife. The hero of my article is just such a “station wagon”. His name is AVZ(Zaitsev Antivirus). With the help of this free Antivirus and viruses can be caught, the system can be optimized, and problems can be fixed.

AVZ capabilities

About what it is antivirus program, I already told in. About AVZ's work as one-time antivirus(more precisely, an anti-rootkit) is well described in the help for it, but I will show you another side of the program: checking and restoring settings.

What can be “fixed” with AVZ:

• Restore startup of programs (.exe, .com, .pif files)
• Reset Internet settings Explorer to standard
• Restore desktop settings
• Remove rights restrictions (for example, if a virus has blocked programs from launching)
• Remove a banner or window that appears before you log in
• Remove viruses that can run along with any program
• Unblock the task manager and registry editor (if the virus has prevented them from running)
• Clear file
• Prohibit autorun of programs from flash drives and disks
• Remove unnecessary files from hard drive
• Fix desktop problems
• And much more

You can also use it to check Windows settings for security (in order to better protect against viruses), as well as optimize the system by cleaning startup.

The AVZ download page is located.

The program is free.

First, let's protect your Windows from careless actions.

The AVZ program has Very many functions affecting Windows operation. This dangerous, because if there is a mistake, disaster can happen. Please read the text and help carefully before doing anything. The author of the article is not responsible for your actions.

In order to be able to “return everything as it was” after careless work with AVZ, I wrote this chapter.

This is a mandatory step, essentially creating an “escape route” in case of careless actions - thanks to the restore point, it will be possible to restore the settings, Windows registry to an earlier state.

System Windows recovery- a mandatory component of all Windows versions, starting with Windows ME. It’s a pity that they usually don’t remember about it and waste time reinstalling Windows and programs, although you could just click a couple of times and avoid all the problems.

If the damage is serious (for example, some system files have been deleted), then System Restore will not help. In other cases - if you configured Windows incorrectly, messed around with the registry, installed a program that prevents Windows from booting, or used the AVZ program incorrectly - System Restore should help.

After work, AVZ creates subfolders with backup copies in its folder:

/Backup- are stored there backups registry

/Infected- copies of deleted viruses.

/Quarantine- copies suspicious files.

If after using AVZ problems started (for example, you thoughtlessly used the AVZ “System Restore” tool and the Internet stopped working) and Recovery Windows systems did not roll back the changes made, you can open registry backups from the folder Backup.

How to create a restore point

Let's go to Start - Control Panel - System - System Protection:

Click “System Protection” in the “System” window.

Click the “Create” button.

The process of creating a restore point can take ten minutes. Then a window will appear:

A restore point will be created. By the way, they are automatically created when installing programs and drivers, but not always. Therefore, before dangerous actions (setting up, cleaning the system), it is better to once again create a restore point, so that in case of trouble you can praise yourself for your foresight.

How to restore your computer using a restore point

There are two options for running System Restore - from under running Windows and using the installation disc.

Option 1 - if Windows starts

Let's go to Start - All Programs - Accessories - System Tools - System Restore:

Will start Select a different restore point and press Further. A list of restore points will open. Select the one you need:

The computer will automatically restart. After downloading, all settings, its registry and some important files will be restored.

Option 2 - if Windows does not boot

You need an “installation” disk with Windows 7 or Windows 8. I wrote in where to get it (or download it).

Boot from the disk (how to boot from boot disks is written) and select:

Select "System Restore" instead Windows installations

Repairing the system after viruses or inept actions with the computer

Before all actions, get rid of viruses, for example, using. Otherwise, there will be no point - the running virus will “break” the corrected settings again.

Restoring program launches

If a virus has blocked the launch of any programs, then AVZ will help you. Of course, you still need to launch AVZ itself, but it’s quite easy:

First we go to Control Panel- set any type of viewing, except Category - Folders settings - View- uncheck Hide extensions for registered file types - OK. Now you can see for each file extension- several characters after the last dot in the name. This is usually the case with programs. .exe And .com. To run AVZ antivirus on a computer where running programs is prohibited, rename the extension to cmd or pif:

Then AVZ will start. Then in the program window itself, click File - :

Points to note:

1. Restoring startup parameters of .exe, .com, .pif files(actually, it solves the problem of launching programs)

6. Removing all Policies (restrictions) of the current user(in some rare cases, this item also helps solve the problem of starting programs if the virus is very harmful)

9. Removing system process debuggers(it is very advisable to note this point, because even if you checked the system with an antivirus, something could remain from the virus. It also helps if the Desktop does not appear when the system starts)

We confirm the action, a window appears with the text “System restoration completed.” Afterwards, all that remains is to restart the computer - the problem with launching programs will be solved!

Restoring the Desktop launch

Enough common problem- When the system starts, the Desktop does not appear.

Launch Desktop you can do this: press Ctrl+Alt+Del, launch Task Manager, there press File - New task (Run...) - enter explorer.exe:

OK- The desktop will start. But this is only a temporary solution to the problem - the next time you turn on the computer you will have to repeat everything again.

To avoid doing this every time, you need to restore the program launch key explorer(“Explorer”, which is responsible for standard viewing of the contents of folders and the operation of the Desktop). In AVZ click File- and mark the item

Perform marked operations, confirm the action, press OK. Now when you start your computer, the desktop will launch normally.

Unlocking Task Manager and Registry Editor

If a virus has blocked the launch of the two above-mentioned programs, you can remove the ban through the AVZ program window. Just check two points:

11. Unlock task manager

17. Unlocking the registry editor

And press Perform the marked operations.

Problems with the Internet (VKontakte, Odnoklassniki and antivirus sites do not open)

Cleaning the system from unnecessary files

Programs AVZ knows how to clean your computer unnecessary files. If you don’t have a hard drive cleaning program installed on your computer, then AVZ will do, since there are many options:

More details about the points:

1. Clear system cache Prefetch- cleaning the folder with information about which files to load in advance for quick launch of programs. The option is useless, because Windows itself quite successfully monitors Prefetch folder and cleans it when required.
2. Delete Windows Log Files- you can clear various databases and files that store various records of events occurring in the operating system. The option is useful if you need to free up a dozen or two megabytes of space on your hard drive. That is, the benefit from using it is negligible, the option is useless.
3. Delete memory dump files- in case of critical Windows errors interrupts its work and shows BSOD ( blue screen death), at the same time preserving information about running programs and drivers to a file for subsequent analysis special programs to identify the culprit of the failure. The option is almost useless, since it allows you to win only ten megabytes of free space. Clearing memory dump files does not harm the system.
4. Clear list of Recent documents- oddly enough, the option clears the Recent Documents list. This list is located in the Start menu. You can also clear the list manually by right-clicking on this item in the Start menu and selecting “Clear list of recent items.” The option is useful: I noticed that clearing the list recent documents allows the Start menu to display its menus a little faster. It won't harm the system.
5. Clearing the TEMP folder- The Holy Grail for those who are looking for the reason for the disappearance of free space on the C: drive. The fact is that many programs store files in the TEMP folder for temporary use, forgetting to “clean up after themselves” later. Typical example- archivers. They will unpack the files there and forget to delete them. Clearing the TEMP folder does not harm the system; it can free up a lot of space (in particularly advanced cases, the gain in free space reaches fifty gigabytes!).
6. Adobe Flash Player- cleaning temporary files- "flash player" can save files for temporary use. They can be removed. Sometimes (rarely) this option helps in dealing with Flash Player glitches. For example, with problems playing video and audio on the VKontakte website. There is no harm from use.
7. Clearing the terminal client cache- as far as I know, this option clears temporary files Windows component called "Remote Desktop Connection" ( remote access to computers via RDP protocol). Option it seems does no harm, frees up a dozen megabytes of space at best. There is no point in using it.
8. IIS - Deleting HTTP Error Log- it takes a long time to explain what it is. Let me just say that it is better not to enable the IIS log clearing option. In any case, it does no harm, and no benefit either.
9. Macromedia Flash Player- item duplicates « Adobe Flash Player - clearing temporary files", but affects rather ancient versions of Flash Player.
10. Java - clearing cache- gives you a gain of a couple of megabytes on your hard drive. I don't use Java programs, so I haven't checked the consequences of enabling the option. I don't recommend turning it on.
11. Emptying the Trash- the purpose of this item is absolutely clear from its name.
12. Remove system update installation logs- Windows keeps a log installed updates. Enabling this option clears the log. The option is useless because there is no gain in free space.
13. Delete Windows protocol Update- similar to the previous point, but other files are deleted. Also a useless option.
14. Clear MountPoints database- if when you connect a flash drive or hard drive, icons with them are not created in the Computer window, this option can help. I advise you to enable it only if you have problems connecting flash drives and disks.
15. Internet Explorer - clearing cache- clears temporary Internet files Explorer. The option is safe and useful.
16. Microsoft Office- cache clearing- cleans temporary files Microsoft programs Office - Word, Excel, PowerPoint and others. I can’t check the security options because I don’t have Microsoft Office.
17. Clearing the CD burning system cache- a useful option that allows you to delete files that you have prepared for burning to disks.
18. Cleaning system folder TEMP- unlike the user TEMP folder (see point 5), cleaning this folder is not always safe, and usually frees up little space. I don't recommend turning it on.
19. MSI - cleaning the Config.Msi folder- This folder stores various files created by program installers. The folder is large if the installers did not complete their work correctly, so cleaning the Config.Msi folder is justified. However, I warn you - there may be problems with uninstalling programs that use .msi installers (for example, Microsoft Office).
20. Clear task scheduler logs- Windows Task Scheduler keeps a log where it records information about completed tasks. I don’t recommend turning on this item, because there is no benefit, but it will add problems - Planner Windows jobs Quite a buggy component.
21. Remove Windows Setup Logs- winning a place is insignificant, there is no point in deleting.
22. Windows - clearing icon cache- useful if you have problems with shortcuts. For example, when the Desktop appears, icons do not appear immediately. Enabling this option will not affect system stability.
23. Google Chrome- cache clearing- a very useful option. Google Chrome stores copies of pages in a designated folder to help open sites faster (pages are loaded from your hard drive instead of downloading over the Internet). Sometimes the size of this folder reaches half a gigabyte. Cleaning is useful because it frees up space on your hard drive; it does not affect the stability of either Windows or Google Chrome.
24. Mozilla Firefox- cleaning the CrashReports folder- every time a problem occurs with the Firefox browser and it crashes, report files are created. This option deletes report files. The gain in free space reaches a couple of tens of megabytes, that is, the option is of little use, but it is there. Does not affect the stability of Windows and Mozilla Firefox.

Depending on the installed programs, the number of items will vary. For example, if installed Opera browser, you can clear its cache too.

Cleaning the list of startup programs

A surefire way to speed up your computer's startup and speed is to clean the startup list. If unnecessary programs will not start, then the computer will not only turn on faster, but also work faster - due to the freed up resources, which will not be taken up by programs running in the background.

AVZ can view almost all loopholes in Windows through which programs are launched. You can view the autorun list in the Tools - Autorun Manager menu:

The average user has absolutely no need for such powerful functionality, so I urge don't turn everything off. It is enough to look at only two points - Autorun folders And Run*.

AVZ displays autorun not only for your user, but also for all other profiles:

In chapter Run* It’s better not to disable programs located in the section HKEY_USERS- this may disrupt the operation of other user profiles and the operating system. In chapter Autorun folders you can turn off everything you don't need.

The lines identified by the antivirus as known are marked in green. This includes both system Windows programs, and third-party programs that have a digital signature.

All other programs are marked in black. This does not mean that such programs are viruses or anything like that, just that not all programs are digitally signed.

Don't forget to make the first column wider so that the program name is visible. Simply unchecking the checkbox will temporarily disable the program's autorun (you can then check the box again), highlighting the item and pressing the button with a black cross will delete the entry forever (or until the program registers itself in autorun again).

The question arises: how to determine what can be turned off and what cannot? There are two solutions:

Firstly, there is common sense: you can make a decision based on the name of the .exe file of the program. For example, Skype program When installed, it creates an entry to start automatically when you turn on the computer. If you don't need this, uncheck the box ending with skype.exe. By the way, many programs (including Skype) can remove themselves from startup; just uncheck the corresponding item in the settings of the program itself.

Secondly, you can search the Internet for information about the program. Based on the information received, it remains to make a decision: to remove it from autorun or not. AVZ makes it easy to find information about items: just right-click on the item and select your favorite search engine:

By disabling unnecessary programs, you will significantly speed up your computer startup. However, it is not advisable to disable everything - this risks losing the layout indicator, disabling the antivirus, etc.

Disable only those programs that you know for sure - you don’t need them at startup.

Bottom line

Basically, what I wrote about in the article is akin to hammering nails with a microscope - the AVZ program is suitable for Windows optimization, but in general it is complex and powerful tool, suitable for the most different tasks. However, to use AVZ to its fullest, you need to know Windows thoroughly, so you can start small - namely with what I described above.

If you have any questions or comments, there is a comment section under the articles where you can write to me. I am monitoring the comments and will try to respond to you as quickly as possible.

Related posts:

Like

Like

We will talk about the simplest ways to neutralize viruses, in particular, those that block the desktop Windows user 7 (Trojan.Winlock virus family). Such viruses are distinguished by the fact that they do not hide their presence in the system, but, on the contrary, demonstrate it, making it extremely difficult to perform any actions other than entering a special “unlock code”, to obtain which, allegedly, you need to transfer a certain amount to the attackers by sending an SMS or refill mobile phone through a payment terminal. The goal here is one - to force the user to pay, and sometimes quite decent money. A window appears on the screen with a threatening warning about blocking the computer for using unlicensed software or visiting unwanted sites, and something else like that, usually to scare the user. In addition, the virus does not allow you to perform any actions in the working environment. Windows environment- blocks pressing special key combinations to call up the Start button menu, Run command, task manager, etc. The mouse pointer cannot be moved outside the virus window. As a rule, the same picture is observed when loading Windows in safe mode. The situation seems hopeless, especially if there is no other computer, the ability to boot into another operating system, or from removable media (LIVE CD, ERD Commander, anti-virus scanner). But, nevertheless, in the vast majority of cases there is a way out.

New technologies implemented in Windows Vista / Windows 7 have made it much more difficult for malware to penetrate and take full control of the system, and also provided users with additional opportunities to get rid of them relatively easily, even without anti-virus software (software). We are talking about the ability to boot the system in safe mode with command line support and launch from it software control and recovery. Obviously, out of habit, due to the rather poor implementation of this mode in previous versions of operating systems Windows family, many users simply do not use it. But in vain. IN command line Windows 7 does not have the usual desktop (which may be blocked by a virus), but it is possible to launch most programs - registry editor, task manager, system recovery utility, etc.

Removing a virus by rolling back the system to a restore point

A virus is an ordinary program, and even if it is located on the computer’s hard drive, but does not have the ability to automatically start when the system boots and user registration, then it is as harmless as, for example, a regular text file. If you solve the problem of blocking the automatic launch of a malicious program, then the task of getting rid of malware can be considered completed. The main method of automatic startup used by viruses is through specially created registry entries created when they are introduced into the system. If you delete these entries, the virus can be considered neutralized. The easiest way is to perform a system restore using checkpoint data. A checkpoint is a copy of important system files, stored in a special directory ("System Volume Information") and containing, among other things, copies of files system registry Windows. Performing a system rollback to a restore point, the creation date of which precedes the virus infection, allows you to obtain the state of the system registry without the entries made by the invading virus and thereby exclude its automatic start, i.e. get rid of infection even without using antivirus software. In this way, you can simply and quickly get rid of the system from being infected by most viruses, including those that block the worker Windows desktop. Naturally, a blocking virus using, for example, a modification boot sectors hard drive (MBRLock virus) cannot be removed in this way, since rolling back the system to a restore point does not affect the boot records of the disks, and it will not be possible to boot Windows in safe mode with command line support, since the virus is loaded even before Windows boot loader. To get rid of such an infection, you will have to boot from another medium and restore infected boot records. But there are relatively few such viruses and in most cases, you can get rid of the infection by rolling back the system to a restore point.

1. At the very beginning of loading, press the F8 button. The Windows boot loader menu will appear on the screen, with possible options system boot

2. Select the Windows boot option - "Safe Mode with Command Line Support"

After the download is completed and the user registers, instead of the usual Windows desktop, the cmd.exe command processor window will be displayed

3. Run the System Restore tool by typing rstrui.exe in the command line and pressing ENTER.

Switch the mode to "Select another recovery point" and in the next window check the box "Show other recovery points"

After selecting a Windows restore point, you can view a list of affected programs during a system rollback:

The affected programs list is a list of programs that were installed after the system restore point was created and that may require reinstallation because their associated registry entries will be missing.

After clicking the "Finish" button, the system recovery process will begin. Upon completion it will be executed reboot Windows.

After the reboot, a message will be displayed indicating the success or failure of the rollback and, if successful, Windows will return to the state that corresponded to the date the restore point was created. If the desktop lock does not stop, you can use a more advanced method presented below.

Removing a virus without rolling back the system to a restore point

It is possible that the system does not have recovery point data for various reasons, the recovery procedure ended with an error, or the rollback did not produce a positive result. In this case, you can use the System Configuration diagnostic utility MSCONFIG.EXE. As in the previous case, you need to do loading Windows in safe mode with command line support and in the cmd.exe command line interpreter window, type msconfig.exe and press ENTER

On the General tab, you can select the following Windows startup modes:

When the system boots, only the minimum required system services and user programs will be launched.
Selective launch- allows you to manually specify a list of system services and user programs that will be launched during the boot process.

To eliminate a virus, the easiest way is to use a diagnostic launch, when the utility itself determines a set of programs that automatically start. If in this mode the virus stops blocking the desktop, then you need to move on to the next step - determine which program is a virus. To do this, you can use the selective launch mode, which allows you to enable or disable the launch of individual programs manually.

The "Services" tab allows you to enable or disable the launch of system services whose startup type is set to "Automatic". An unchecked box in front of the service name means that it will not be launched during system boot. At the bottom of the MSCONFIG utility window there is a field for setting the "Do not display Microsoft services" mode, which, when enabled, will display only third-party services.

I note that the likelihood of a system being infected by a virus that is installed as a system service, with standard security settings in Windows Vista / Windows 7, is very low, and you will have to look for traces of the virus in the list of automatically launched user programs (the "Startup" tab).

Just like in the Services tab, you can enable or disable the automatic launch of any program that is present in the list displayed by MSCONFIG. If a virus is activated in the system by automatic launch using special registry keys or the contents of the Startup folder, then using msconfig you can not only neutralize it, but also determine the path and name of the infected file.

The msconfig utility is a simple and convenient tool for configuring the automatic startup of services and applications that start in the standard way for operating systems of the Windows family. However, virus authors often use techniques that allow them to launch malicious programs without using standard autorun points. You can most likely get rid of such a virus using the method described above by rolling back the system to a restore point. If a rollback is not possible and using msconfig did not lead to a positive result, you can use direct editing of the registry.

In the process of fighting a virus, the user often has to perform a hard reboot by resetting (Reset) or turning off the power. This can lead to a situation where the system starts normally, but does not reach user registration. The computer hangs due to a violation of the logical data structure in some system files, which occurs during an incorrect shutdown. To solve the problem, in the same way as in previous cases, you can boot into safe mode with command line support and run the check system disk command

chkdsk C: /F - check drive C: and correct detected errors (key /F)

Because at the time of running chkdsk system disk occupied by system services and applications, the chkdsk program cannot gain exclusive access to it to perform testing. Therefore, the user will be presented with a warning message and asked to perform testing the next time the system is rebooted. After answering Y, information will be entered into the registry to ensure that the disk check will start when Windows restarts. After the check is completed, this information is deleted and Windows restarts normally without user intervention.

Eliminating the possibility of a virus running using the Registry Editor.

To launch the registry editor, as in the previous case, you need to boot Windows in safe mode with command line support, type regedit.exe in the command line interpreter window and press ENTER Windows 7, with standard system security settings, is protected from many methods of launching malicious programs programs used for previous versions operating systems from Microsoft. Viruses installing their own drivers and services, reconfiguring the WINLOGON service with connecting their own executable modules, correcting registry keys that are relevant to all users, etc. - all these methods either do not work in Windows 7 or require such serious labor costs that they are practically impossible to meet. Typically, changes to the registry that enable a virus to run are made only in the context of the permissions that exist for the current user, i.e. in the HKEY_CURRENT_USER section

In order to demonstrate the simplest mechanism for blocking a desktop using a substitution of the user shell (shell) and the inability to use the MSCONFIG utility to detect and remove a virus, you can conduct the following experiment - instead of a virus, you yourself correct the registry data in order to get, for example, a command line instead of a desktop . A familiar desktop is created Windows Explorer(Explorer.exe program) launched as the user's shell. This is ensured by the values ​​of the Shell parameter in the registry keys

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon - for all users.
- for the current user.

The Shell parameter is a string with the name of the program that will be used as the shell when the user logs in. Typically, in the section for the current user (HKEY_CURRENT_USER or abbreviated as HKCU), the Shell parameter is missing and the value from the registry key for all users is used (HKEY_LOCAL_MACHINE\ or abbreviated as HKLM)

This is what the registry key looks like HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon with a standard Windows 7 installation

If you add the Shell string parameter taking the value “cmd.exe” to this section, then the next time the current user logs into the system, instead of the standard Explorer-based user shell, the cmd.exe shell will be launched and instead of the usual Windows desktop, the command line window will be displayed .

Naturally, any malicious program can be launched in this way and the user will receive a porn banner, blocker, and other nasty things instead of a desktop.
Making changes to the key for all users (HKLM...) requires administrative privileges, so virus programs usually modify the settings of the current user's registry key (HKCU...)

If, to continue the experiment, you run the msconfig utility, you can make sure that cmd.exe is not included as a user shell in the list of automatically launched programs. A system rollback will naturally allow you to return the initial state registry and get rid of the automatic start of the virus, but if for some reason it is impossible, the only option is to directly edit the registry. To return to the standard desktop, simply remove the Shell parameter, or change its value from "cmd.exe" to "explorer.exe" and re-register the user (log out and log in again) or reboot. You can edit the registry by running the registry editor regedit.exe from the command line or using the console utility REG.EXE. Example command line to remove the Shell parameter:

REG delete "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell

The given example of substituting the user's shell is today one of the most common techniques used by viruses in the Windows 7 operating system environment. A fairly high level of security with standard system settings prevents malicious programs from gaining access to registry keys that were used to infect in Windows XP and later earlier versions. Even if the current user is a member of the Administrators group, access to the vast majority of registry settings used for infection requires running the program as an administrator. It is for this reason that malware modifies registry keys that the current user is allowed to access (HKCU section...) Second important factor- the difficulty of writing program files to system directories. It is for this reason that most viruses in Windows 7 use launching executable files (.exe) from the current user's temporary files directory (Temp). When analyzing the automatic launch points of programs in the registry, first of all you need to pay attention to the programs located in the temporary files directory. Usually this is a directory C:\USERS\username\AppData\Local\Temp. The exact path of the temporary files directory can be viewed through the control panel in the system properties - "Environment Variables". Or on the command line:

set temp
or
echo %temp%

In addition, searching the registry for the string corresponding to the directory name for temporary files or the %TEMP% variable can be used as an additional tool for detecting viruses. Legitimate programs never automatically launch from the TEMP directory.

To obtain a complete list of possible automatic start points, it is convenient to use the special Autoruns program from the SysinternalsSuite package.

The simplest ways to remove blockers of the MBRLock family

Malicious programs can gain control of a computer not only by infecting the operating system, but also by modifying the boot sector records of the disk from which the boot is performed. The virus replaces the boot sector data of the active partition with its program code so that instead of Windows, a simple program is loaded, which displays a ransomware message on the screen demanding money for the crooks. Since the virus gains control before the system boots, there is only one way to bypass it - boot from another media (CD/DVD, external drive, etc.) in any operating system where it is possible to restore the program code of boot sectors. The easiest way is to use Live CD / Live USB, usually provided to users free of charge by most antivirus companies (Dr Web Live CD, Kaspersky Rescue Disk, Avast! Rescue Disk, etc.) In addition to recovering boot sectors, these products can also perform and checking the file system for malware and removing or disinfecting infected files. If it is not possible to use this method, then you can get by by simply downloading any version of Windows PE ( installation disk, ERD Commander emergency recovery disk), which allows you to restore normal system booting. Usually just being able to access the command line and run the command is enough:

bootsect /nt60 /mbr

bootsect /nt60 /mbr E:> - restore boot sectors of drive E: The letter for the drive that is used as the boot device for the system damaged by the virus should be used here.

or for Windows prior to Windows Vista

bootsect /nt52 /mbr

The bootsect.exe utility can be located not only in system directories, but also on any removable media, can be executed in any operating system of the Windows family and allows you to restore the program code of boot sectors without affecting the partition table and file system. The /mbr key, as a rule, is not needed, since it restores the program code of the MBR master boot record, which viruses do not modify (perhaps they do not modify it yet).

A simple and convenient AVZ utility that can not only help, but can also restore the system. Why is this necessary?

The fact is that after the invasion of viruses (it happens that AVZ kills thousands of them), some programs refuse to work, the settings have all disappeared somewhere and Windows somehow does not work quite correctly.

Most often, in this case, users simply reinstall the system. But as practice shows, this is not at all necessary, because using the same AVZ utility, you can restore almost any damaged programs and data.

In order to give you a more clear picture, I provide full list that can restore AVZ.

Material taken from the reference book AVZ - http://www.z-oleg.com/secur/avz_doc/ (copy and paste into the browser address bar).

Currently the database contains the following firmware:

1.Restoring startup parameters of .exe, .com, .pif files

This firmware restores the system's response to exe, com, pif, scr files.

Indications for use: After the virus is removed, programs stop running.

2.Reset Internet Explorer protocol prefix settings to standard

This firmware restores protocol prefix settings in Internet Explorer

Indications for use: when you enter an address like www.yandex.ru, it is replaced with something like www.seque.com/abcd.php?url=www.yandex.ru

3.Restoring the Internet Explorer start page

This firmware restores the start page in Internet Explorer

Indications for use: replacing the start page

4.Reset Internet Explorer search settings to standard

This firmware restores search settings in Internet Explorer

Indications for use: When you click the “Search” button in IE, you are directed to some third-party site

5.Restore desktop settings

This firmware restores desktop settings.

Restoration involves deleting all active ActiveDesctop elements, wallpaper, and unblocking the menu responsible for desktop settings.

Indications for use: The desktop settings bookmarks in the “Display Properties” window have disappeared; extraneous inscriptions or pictures are displayed on the desktop

6.Deleting all Policies (restrictions) of the current user

Windows provides a mechanism for restricting user actions called Policies. Many malware use this technology because the settings are stored in the registry and are easy to create or modify.

Indications for use: Explorer functions or other system functions are blocked.

7.Deleting the message displayed during WinLogon

Windows NT and subsequent systems in the NT line (2000, XP) allow you to set the message displayed during startup.

A number of malicious programs take advantage of this, and the destruction of the malicious program does not lead to the destruction of this message.

Indications for use: An extraneous message is entered during system boot.

8.Restoring Explorer settings

This firmware resets a number of Explorer settings to standard (the settings changed by malware are reset first).

Indications for use: Explorer settings changed

9.Removing system process debuggers

Registering a system process debugger will allow you to launch an application hidden, which is what is used by a number of malicious programs

Indications for use: AVZ detects unidentified system process debuggers, problems arise with launching system components, in particular, the desktop disappears after a reboot.

10.Restoring boot settings in SafeMode

Some malware, in particular the Bagle worm, corrupts the system's boot settings in protected mode.

This firmware restores boot settings in protected mode. Indications for use: The computer does not boot into SafeMode. This firmware should be used only in case of problems with booting in protected mode .

11.Unlock task manager

Task Manager blocking is used by malware to protect processes from detection and removal. Accordingly, executing this microprogram removes the lock.

Indications for use: The task manager is blocked; when you try to call the task manager, the message “Task Manager is blocked by the administrator” is displayed.

12.Clearing the ignore list of the HijackThis utility

The HijackThis utility stores a number of its settings in the registry, in particular a list of exceptions. Therefore, to camouflage itself from HijackThis, the malicious program only needs to register its executable files in the exclusion list.

There are currently a number of known malicious programs that exploit this vulnerability. AVZ firmware clears HijackThis utility exception list

Indications for use: There are suspicions that the HijackThis utility does not display all information about the system.

13. Cleaning the Hosts file

Cleaning up the Hosts file involves finding the Hosts file, removing all significant lines from it, and adding the standard “127.0.0.1 localhost” line.

Indications for use: It is suspected that the Hosts file has been modified by malware. Typical symptoms are blocking the update of antivirus programs.

You can control the contents of the Hosts file using the Hosts file manager built into AVZ.

14. Automatic correction of SPl/LSP settings

Performs analysis of SPI settings and, if errors are detected, automatically corrects the errors found.

This firmware can be re-run an unlimited number of times. After running this firmware, it is recommended to restart your computer. Note! This firmware cannot be run from a terminal session

Indications for use: After removing the malicious program, I lost access to the Internet.

15. Reset SPI/LSP and TCP/IP settings (XP+)

This firmware only works on XP, Windows 2003 and Vista. Its operating principle is based on resetting and re-creating SPI/LSP and TCP/IP settings using the standard netsh utility included in Windows.

Note! You should use a factory reset only if necessary if you have unrecoverable problems with Internet access after removing malware!

Indications for use: After removing the malicious program, access to the Internet and execution of the firmware “14. Automatically correcting SPl/LSP settings does not work.

16. Recovering the Explorer launch key

Restores system registry keys responsible for launching Explorer.

Indications for use: During system boot, Explorer does not start, but it is possible to launch explorer.exe manually.

17. Unlocking the registry editor

Unblocks the Registry Editor by removing the policy that prevents it from running.

Indications for use: It is impossible to start the Registry Editor; when you try, a message is displayed stating that its launch is blocked by the administrator.

18. Complete re-creation of SPI settings

Performs a backup copy of SPI/LSP settings, after which it destroys them and creates them according to the standard, which is stored in the database.

Indications for use: Severe damage to SPI settings that cannot be repaired by scripts 14 and 15. Use only if necessary!

19. Clear MountPoints database

Cleans up the MountPoints and MountPoints2 database in the registry. This operation often helps when, after infection with a Flash virus, disks do not open in Explorer

To perform a recovery, you must select one or more items and click the “Perform selected operations” button. Clicking the "OK" button closes the window.

On a note:

Recovery is useless if the system is running a Trojan program that performs such reconfigurations - you must first remove malware and then restore system settings

On a note:

To eliminate traces of most Hijackers, you need to run three firmware - “Reset Internet Explorer search settings to standard”, “Restore Internet Explorer start page”, “Reset Internet Explorer protocol prefix settings to standard”

On a note:

Any of the firmware can be executed several times in a row without damaging the system. Exceptions - “5.

Restoring desktop settings" (running this firmware will reset all desktop settings and you will have to re-select the desktop coloring and wallpaper) and "10.

Restoring boot settings in SafeMode" (this firmware recreates the registry keys responsible for booting in safe mode).

To start the recovery, first download, unpack and run utility. Then click File - System Restore. By the way, you can also do

Check the boxes that you need and click start operations. That's it, we look forward to completion :-)

In the following articles we will look in more detail at the problems that avz system recovery firmware will help us solve. So good luck to you.

Launch AVZ utilities may be required when contacting Kaspersky Lab technical support.
Using the AVZ utility you can:

• receive a report on the results of the system study;
• execute a script provided by a specialist technical support Kaspersky Lab
  to create Quarantine and delete suspicious files.

The AVZ utility does not send statistics, does not process information, and does not transmit it to Kaspersky Lab. The report is saved on your computer as files HTML formats and XML, which are available for viewing without the use of special programs.

The AVZ utility can automatically create a Quarantine and place copies of suspicious files and their metadata into it.

Objects placed in Quarantine are not processed, are not transferred to Kaspersky Lab, and are stored on the computer. We do not recommend restoring files from Quarantine; they can harm your computer.

What data is contained in the AVZ utility report

The AVZ utility report contains:

• Information about the version and release date of the AVZ utility.
• Information about the anti-virus databases of the AVZ utility and its basic settings.
• Information about the version of the operating system, the date of its installation and the user rights with which the utility was launched.
• Search results for rootkits and programs that intercept the main functions of the operating system.
• searching results suspicious processes and information about these processes.
• Search results for common malware based on their characteristic properties.
• Information about errors found during the scan.
• Search results for programs that intercept keyboard, mouse, or window events.
• Search results for open TCP and UDP ports that are used by malware.
• Information about suspicious system registry keys, disk file names, and system settings.
• Search results for potential operating system vulnerabilities and security issues.
• Information about damaged operating system settings.

How to execute a script using the AVZ utility

Use the AVZ utility only under the guidance of a Kapersky Lab technical support specialist as part of your request. Doing it yourself may damage the operating system and cause data loss.

1. Download the executable file of the AVZ utility.
2. Run avz5.exe on your computer. If the SmartScreen filter Windows Defender prevented avz5.exe from starting, click More details → Execute anyway in the window Windows has protected your computer.
3. Go to section File→ Execute script.

1. Paste into the input field the script that you received from the Kapersky Laboratory technical support specialist.
2. Click Launch.

1. Wait until the utility finishes and follow the further recommendations of the Kapersky Lab technical support specialist.

AVZ is free utility, designed to search for and remove viruses, as well as to restore system settings after the actions of malicious programs.

Preparing for work

1. Download the AVZ utility from the official website: http://z-oleg.com/avz4.zip

2. Unpack the archive

3. Run the file from the archive avz.exe

4. Go to the menu File and select Database update

Click Start to start the update process :

The anti-virus database is being updated:

When the databases are updated, this message will appear. Click OK:

Virus check

To scan for viruses, check all computer drives on the left and check the box on the right Carry out treatment, and click the button below Start:

System Restore

Very useful function AVZ utility is system recovery. It will come in handy after removing malware to eliminate traces of it. To start System Restore, click File -> System Restore:

Check the required boxes and click the button Perform marked operations:

Confirm your intent:

Cleaning browsers with AVZ

From the main menu select File.

Select an item Troubleshooting Wizard:

In field Danger level select All the problems.

Click Start.

Check the following boxes:

• Clearing the TEMP folder;
• Adobe Flash Player - cleaning temporary files;
• Macromedia Flash Player - clearing caches;
• Cleaning the system TEMP folder;
• Clearing caches of all installed browsers;

Click the button Fix flagged issues.

Tweet

There are programs that are as universal as a Swiss Army knife. The hero of my article is just such a “station wagon”. His name is AVZ(Zaitsev Antivirus). With the help of this free Antivirus and viruses can be caught, the system can be optimized, and problems can be fixed.

AVZ capabilities

I already talked about the fact that this is an antivirus program in. The work of AVZ as a one-time antivirus (more precisely, an anti-rootkit) is well described in its help, but I will show you another side of the program: checking and restoring settings.

What can be “fixed” with AVZ:

• Restore startup of programs (.exe, .com, .pif files)
• Reset Internet Explorer settings to default
• Restore desktop settings
• Remove rights restrictions (for example, if a virus has blocked programs from launching)
• Remove a banner or window that appears before you log in
• Remove viruses that can run along with any program
• Unblock the task manager and registry editor (if the virus has prevented them from running)
• Clear file
• Prohibit autorun of programs from flash drives and disks
• Remove unnecessary files from your hard drive
• Fix desktop problems
• And much more

You can also use it to check Windows settings for security (in order to better protect against viruses), as well as optimize the system by cleaning startup.

The AVZ download page is located.

The program is free.

First, let's protect your Windows from careless actions.

The AVZ program has Very many functions affecting the operation of Windows. This dangerous, because if there is a mistake, disaster can happen. Please read the text and help carefully before doing anything. The author of the article is not responsible for your actions.

In order to be able to “return everything as it was” after careless work with AVZ, I wrote this chapter.

This is a mandatory step, essentially creating an “escape route” in case of careless actions - thanks to the restore point, it will be possible to restore settings and the Windows registry to an earlier state.

Windows Recovery System is a required component of all versions of Windows, starting with Windows ME. It’s a pity that they usually don’t remember about it and waste time reinstalling Windows and programs, although you could just click a couple of times and avoid all the problems.

If the damage is serious (for example, some system files have been deleted), then System Restore will not help. In other cases - if you configured Windows incorrectly, messed around with the registry, installed a program that prevents Windows from booting, or used the AVZ program incorrectly - System Restore should help.

After work, AVZ creates subfolders with backup copies in its folder:

/Backup- backup copies of the registry are stored there.

/Infected- copies of deleted viruses.

/Quarantine- copies of suspicious files.

If problems started after running AVZ (for example, you thoughtlessly used the AVZ System Restore tool and the Internet stopped working) and Windows System Restore did not roll back the changes made, you can open registry backups from the folder Backup.

How to create a restore point

Let's go to Start - Control Panel - System - System Protection:

Click “System Protection” in the “System” window.

Click the “Create” button.

The process of creating a restore point can take ten minutes. Then a window will appear:

A restore point will be created. By the way, they are automatically created when installing programs and drivers, but not always. Therefore, before dangerous actions (setting up, cleaning the system), it is better to once again create a restore point, so that in case of trouble you can praise yourself for your foresight.

How to restore your computer using a restore point

There are two options for launching System Restore - from under running Windows and using the installation disc.

Option 1 - if Windows starts

Let's go to Start - All Programs - Accessories - System Tools - System Restore:

Will start Select a different restore point and press Further. A list of restore points will open. Select the one you need:

The computer will automatically restart. After downloading, all settings, its registry and some important files will be restored.

Option 2 - if Windows does not boot

You need an “installation” disk with Windows 7 or Windows 8. I wrote in where to get it (or download it).

Boot from the disk (how to boot from boot disks is written) and select:

Select "System Restore" instead of installing Windows

Repairing the system after viruses or inept actions with the computer

Before all actions, get rid of viruses, for example, using. Otherwise, there will be no point - the running virus will “break” the corrected settings again.

Restoring program launches

If a virus has blocked the launch of any programs, then AVZ will help you. Of course, you still need to launch AVZ itself, but it’s quite easy:

First we go to Control Panel- set any type of viewing, except Category - Folders settings - View- uncheck Hide extensions for registered file types - OK. Now you can see for each file extension- several characters after the last dot in the name. This is usually the case with programs. .exe And .com. To run AVZ antivirus on a computer where running programs is prohibited, rename the extension to cmd or pif:

Then AVZ will start. Then in the program window itself, click File - :

Points to note:

1. Restoring startup parameters of .exe, .com, .pif files(actually, it solves the problem of launching programs)

6. Removing all Policies (restrictions) of the current user(in some rare cases, this item also helps solve the problem of starting programs if the virus is very harmful)

9. Removing system process debuggers(it is very advisable to note this point, because even if you checked the system with an antivirus, something could remain from the virus. It also helps if the Desktop does not appear when the system starts)

, confirm the action, a window appears with the text “System restoration completed.” Afterwards, all that remains is to restart the computer - the problem with launching programs will be solved!

Restoring the Desktop launch

A fairly common problem is that the desktop does not appear when the system starts.

Launch Desktop you can do this: press Ctrl+Alt+Del, launch Task Manager, there press File - New task (Run...) - enter explorer.exe:

OK- The desktop will start. But this is only a temporary solution to the problem - the next time you turn on the computer you will have to repeat everything again.

To avoid doing this every time, you need to restore the program launch key explorer(“Explorer”, which is responsible for standard viewing of the contents of folders and the operation of the Desktop). In AVZ click File- and mark the item

Perform marked operations, confirm the action, press OK. Now when you start your computer, the desktop will launch normally.

Unlocking Task Manager and Registry Editor

If a virus has blocked the launch of the two above-mentioned programs, you can remove the ban through the AVZ program window. Just check two points:

11. Unlock task manager

17. Unlocking the registry editor

And press Perform the marked operations.

Problems with the Internet (VKontakte, Odnoklassniki and antivirus sites do not open)

This component can check four categories of problems with varying degrees of severity (each degree differs in the number of settings):

System problems - This includes security settings. By ticking the found items and pressing the button Fix flagged issues, some virus loopholes will be closed. There is also a flip side to the coin - while increasing safety, comfort decreases. For example, if you disable autorun from removable media and CD-ROMs, when you insert flash drives and disks, a window with a choice of actions (view the contents, launch the player, etc.) will not appear - you will have to open the Computer window and start viewing the contents of the disk manually. That is, viruses will not start automatically, and a convenient prompt will not appear. Depending on the Windows settings, everyone will see here their own list of system vulnerabilities.

Browser settings and tweaks- Internet Explorer security settings are checked. As far as I know, the settings of other browsers (Google Chrome, Opera, Mozilla Firefox and others) are not checked. Even if you do not use Internet Explorer to surf the Internet, I advise you to run a check - components of this browser are often used in various programs and are a potential security hole that should be plugged.

Cleaning the system- partially duplicates the previous category, but does not affect the places where data about user actions is stored.

I recommend checking your system in categories System problems And Browser settings and tweaks by selecting the degree of danger Moderate problems. If the viruses did not touch the settings, then most likely you will be offered only one option - “autostart is allowed from removable media” (flash drives). If you check the box and thus prohibit the autorun of programs from flash drives, then you will at least partially protect your computer from viruses distributed on flash drives. More complete protection is achieved only with and working.

Cleaning the system from unnecessary files

Programs AVZ knows how to clean your computer from unnecessary files. If you don’t have a hard drive cleaning program installed on your computer, then AVZ will do, since there are many possibilities:

More details about the points:

1. Clear system cache Prefetch- cleaning the folder with information about which files to load in advance for quick launch of programs. The option is useless, because Windows itself quite successfully monitors the Prefetch folder and cleans it when required.
2. Delete Windows Log Files- you can clear various databases and files that store various records of events occurring in the operating system. The option is useful if you need to free up a dozen or two megabytes of space on your hard drive. That is, the benefit from using it is negligible, the option is useless.
3. Delete memory dump files- when it occurs critical errors Windows interrupts its operation and displays BSOD (blue screen of death), at the same time saving information about running programs and drivers to a file for subsequent analysis by special programs to identify the culprit of the failure. The option is almost useless, since it allows you to win only ten megabytes of free space. Clearing memory dump files does not harm the system.
4. Clear list of Recent documents- oddly enough, the option clears the Recent Documents list. This list is located in the Start menu. You can also clear the list manually by right-clicking on this item in the Start menu and selecting “Clear list of recent items.” The option is useful: I noticed that clearing the list of recent documents allows the Start menu to display its menus a little faster. It won't harm the system.
5. Clearing the TEMP folder- The Holy Grail for those who are looking for the reason for the disappearance of free space on the C: drive. The fact is that many programs store files in the TEMP folder for temporary use, forgetting to “clean up after themselves” later. A typical example is archivers. They will unpack the files there and forget to delete them. Clearing the TEMP folder does not harm the system; it can free up a lot of space (in particularly advanced cases, the gain in free space reaches fifty gigabytes!).
6. Adobe Flash Player - clearing temporary files- "flash player" can save files for temporary use. They can be removed. Sometimes (rarely) this option helps in dealing with Flash Player glitches. For example, with problems playing video and audio on the VKontakte website. There is no harm from use.
7. Clearing the terminal client cache- as far as I know, this option clears temporary files of a Windows component called “Remote Desktop Connection” (remote access to computers via RDP). Option it seems does no harm, frees up a dozen megabytes of space at best. There is no point in using it.
8. IIS - Deleting HTTP Error Log- it takes a long time to explain what it is. Let me just say that it is better not to enable the IIS log clearing option. In any case, it does no harm, and no benefit either.
9. Macromedia Flash Player- item duplicates "Adobe Flash Player - clearing temporary files", but affects rather ancient versions of Flash Player.
10. Java - clearing cache- gives you a gain of a couple of megabytes on your hard drive. I don't use Java programs, so I haven't checked the consequences of enabling the option. I don't recommend turning it on.
11. Emptying the Trash- the purpose of this item is absolutely clear from its name.
12. Remove system update installation logs- Windows keeps a log of installed updates. Enabling this option clears the log. The option is useless because there is no gain in free space.
13. Delete protocol Windows Update - similar to the previous point, but other files are deleted. Also a useless option.
14. Clear MountPoints database- if when you connect a flash drive or hard drive, icons with them are not created in the Computer window, this option can help. I advise you to enable it only if you have problems connecting flash drives and disks.
15. Internet Explorer - clearing cache- cleans Internet Explorer temporary files. The option is safe and useful.
16. Microsoft Office - clearing cache- cleans temporary files of Microsoft Office programs - Word, Excel, PowerPoint and others. I can't check the security options because I don't have Microsoft Office.
17. Clearing the CD burning system cache- a useful option that allows you to delete files that you have prepared for burning to disks.
18. Cleaning the system TEMP folder- unlike the user TEMP folder (see point 5), cleaning this folder is not always safe, and usually frees up little space. I don't recommend turning it on.
19. MSI - cleaning the Config.Msi folder- This folder stores various files created by program installers. The folder is large if the installers did not complete their work correctly, so cleaning the Config.Msi folder is justified. However, I warn you - there may be problems with uninstalling programs that use .msi installers (for example, Microsoft Office).
20. Clear task scheduler logs- Windows Task Scheduler keeps a log where it records information about completed tasks. I don’t recommend enabling this item, because there is no benefit, but it will add problems - Windows Task Scheduler is a rather buggy component.
21. Remove Windows Setup Logs- winning a place is insignificant, there is no point in deleting.
22. Windows - clearing icon cache- useful if you have problems with shortcuts. For example, when the Desktop appears, icons do not appear immediately. Enabling this option will not affect system stability.
23. Google Chrome - clearing cache- a very useful option. Google Chrome stores copies of pages in a designated folder to help open sites faster (pages are loaded from your hard drive instead of downloading over the Internet). Sometimes the size of this folder reaches half a gigabyte. Cleaning is useful because it frees up space on your hard drive; it does not affect the stability of either Windows or Google Chrome.
24. Mozilla Firefox - Cleaning up the CrashReports folder- every time a problem occurs with the Firefox browser and it crashes, report files are created. This option deletes report files. The gain in free space reaches a couple of tens of megabytes, that is, the option is of little use, but it is there. Does not affect the stability of Windows and Mozilla Firefox.

Depending on the installed programs, the number of items will differ. For example, if the Opera browser is installed, you can clear its cache too.

Cleaning the list of startup programs

A surefire way to speed up your computer's startup and speed is to clean the startup list. If unnecessary programs do not start, then the computer will not only turn on faster, but also work faster - due to the freed up resources that will not be taken up by programs running in the background.

AVZ can view almost all loopholes in Windows through which programs are launched. You can view the autorun list in the Tools - Autorun Manager menu:

The average user has absolutely no need for such powerful functionality, so I urge don't turn everything off. It is enough to look at only two points - Autorun folders And Run*.

AVZ displays autorun not only for your user, but also for all other profiles:

In chapter Run* It’s better not to disable programs located in the section HKEY_USERS- this may disrupt the operation of other user profiles and the operating system itself. In chapter Autorun folders you can turn off everything you don't need.

The lines identified by the antivirus as known are marked in green. This includes both system programs Windows and third-party programs that have a digital signature.

All other programs are marked in black. This does not mean that such programs are viruses or anything like that, just that not all programs are digitally signed.

Don't forget to make the first column wider so that the program name is visible. Simply unchecking the checkbox will temporarily disable the program's autorun (you can then check the box again), highlighting the item and pressing the button with a black cross will delete the entry forever (or until the program registers itself in autorun again).

The question arises: how to determine what can be turned off and what cannot? There are two solutions:

Firstly, there is common sense: you can make a decision based on the name of the .exe file of the program. For example, Skype, when installed, creates an entry to automatically start when you turn on the computer. If you don’t need this, uncheck the box ending with skype.exe. By the way, many programs (including Skype) can remove themselves from startup; just uncheck the corresponding item in the settings of the program itself.

Secondly, you can search the Internet for information about the program. Based on the information received, it remains to make a decision: to remove it from autorun or not. AVZ makes it easy to find information about items: just right-click on the item and select your favorite search engine:

By disabling unnecessary programs, you will significantly speed up your computer startup. However, it is not advisable to disable everything - this risks losing the layout indicator, disabling the antivirus, etc.

Disable only those programs that you know for sure - you don’t need them at startup.

Bottom line

In principle, what I wrote about in the article is akin to hammering nails with a microscope - the AVZ program is suitable for optimizing Windows, but in general it is a complex and powerful tool suitable for performing a wide variety of tasks. However, to use AVZ to its fullest, you need to know Windows thoroughly, so you can start small - namely with what I described above.

If you have any questions or comments, there is a comment section under the articles where you can write to me. I am monitoring the comments and will try to respond to you as quickly as possible.

A simple and convenient AVZ utility that can not only will help, but also knows how to restore the system. Why is this necessary?

The fact is that after the invasion of viruses (it happens that AVZ kills thousands of them), some programs refuse to work, the settings have all disappeared somewhere and Windows somehow does not work quite correctly.

Most often, in this case, users simply reinstall the system. But as practice shows, this is not at all necessary, because using the same AVZ utility, you can restore almost any damaged programs and data.

In order to give you a more clear picture, I provide a complete list of what can be restoredAVZ.

Material taken from the reference bookAVZ - http://www.z-oleg.com/secur/avz_doc/ (copy and paste into the browser address bar).

Currently the database contains the following firmware:

1.Restoring startup parameters of .exe, .com, .pif files

This firmware restores the system's response to exe, com, pif, scr files.

Indications for use: After the virus is removed, programs stop running.

2.Reset Internet Explorer protocol prefix settings to standard

This firmware restores protocol prefix settings in Internet Explorer

Indications for use: when you enter an address like www.yandex.ru, it is replaced with something like www.seque.com/abcd.php?url=www.yandex.ru

3.Restoring the Internet Explorer start page

This firmware restores the start page in Internet Explorer

Indications for use: replacing the start page

4.Reset Internet Explorer search settings to standard

This firmware restores search settings in Internet Explorer

Indications for use: When you click the “Search” button in IE, you are directed to some third-party site

5.Restore desktop settings

This firmware restores desktop settings.

Restoration involves deleting all active ActiveDesctop elements, wallpaper, and unblocking the menu responsible for desktop settings.

Indications for use: The desktop settings bookmarks in the “Display Properties” window have disappeared; extraneous inscriptions or pictures are displayed on the desktop

6.Deleting all Policies (restrictions) of the current user

Windows provides a mechanism for restricting user actions called Policies. Many malware use this technology because the settings are stored in the registry and are easy to create or modify.

Indications for use: Explorer functions or other system functions are blocked.

7.Deleting the message displayed during WinLogon

Windows NT and subsequent systems in the NT line (2000, XP) allow you to set the message displayed during startup.

A number of malicious programs take advantage of this, and the destruction of the malicious program does not lead to the destruction of this message.

Indications for use: An extraneous message is entered during system boot.

8.Restoring Explorer settings

This firmware resets a number of Explorer settings to standard (the settings changed by malware are reset first).

Indications for use: Explorer settings changed

9.Removing system process debuggers

Registering a system process debugger will allow you to launch an application hidden, which is what is used by a number of malicious programs

Indications for use: AVZ detects unidentified system process debuggers, problems arise with launching system components, in particular, the desktop disappears after a reboot.

10.Restoring boot settings in SafeMode

Some malware, in particular the Bagle worm, corrupts the system's boot settings in protected mode.

This firmware restores boot settings in protected mode. Indications for use: The computer does not boot into SafeMode. This firmware should be used only in case of problems with booting in protected mode .

11.Unlock task manager

Task Manager blocking is used by malware to protect processes from detection and removal. Accordingly, executing this microprogram removes the lock.

Indications for use: The task manager is blocked; when you try to call the task manager, the message “Task Manager is blocked by the administrator” is displayed.

12.Clearing the ignore list of the HijackThis utility

The HijackThis utility stores a number of its settings in the registry, in particular a list of exceptions. Therefore, to camouflage itself from HijackThis, the malicious program only needs to register its executable files in the exclusion list.

There are currently a number of known malicious programs that exploit this vulnerability. AVZ firmware clears HijackThis utility exception list

Indications for use: There are suspicions that the HijackThis utility does not display all information about the system.

13. Cleaning the Hosts file

Cleaning up the Hosts file involves finding the Hosts file, removing all significant lines from it, and adding the standard “127.0.0.1 localhost” line.

Indications for use: It is suspected that the Hosts file has been modified by malware. Typical symptoms include blocking antivirus software updates.

You can control the contents of the Hosts file using the Hosts file manager built into AVZ.

14. Automatic correction of SPl/LSP settings

Performs analysis of SPI settings and, if errors are detected, automatically corrects the errors found.

This firmware can be re-run an unlimited number of times. After running this firmware, it is recommended to restart your computer. Note! This firmware cannot be run from a terminal session

Indications for use: After removing the malicious program, I lost access to the Internet.

15. Reset SPI/LSP and TCP/IP settings (XP+)

This firmware only works on XP, Windows 2003 and Vista. Its operating principle is based on resetting and re-creating SPI/LSP and TCP/IP settings using the standard netsh utility included in Windows.

Note! You should use a factory reset only if necessary if you have unrecoverable problems with Internet access after removing malware!

Indications for use: After removing the malicious program, access to the Internet and execution of the firmware “14. Automatically correcting SPl/LSP settings does not work.

16. Recovering the Explorer launch key

Restores system registry keys responsible for launching Explorer.

Indications for use: During system boot, Explorer does not start, but it is possible to launch explorer.exe manually.

17. Unlocking the registry editor

Unblocks the Registry Editor by removing the policy that prevents it from running.

Indications for use: It is impossible to start the Registry Editor; when you try, a message is displayed stating that its launch is blocked by the administrator.

18. Complete re-creation of SPI settings

Performs a backup copy of SPI/LSP settings, after which it destroys them and creates them according to the standard, which is stored in the database.

Indications for use: Severe damage to SPI settings that cannot be repaired by scripts 14 and 15. Use only if necessary!

19. Clear MountPoints database

Cleans up the MountPoints and MountPoints2 database in the registry. This operation often helps when, after infection with a Flash virus, disks do not open in Explorer

To perform a recovery, you must select one or more items and click the “Perform selected operations” button. Clicking the "OK" button closes the window.

On a note:

Restoration is useless if the system is running a Trojan that performs such reconfigurations - you must first remove the malicious program and then restore the system settings

On a note:

To eliminate traces of most Hijackers, you need to run three firmware - “Reset Internet Explorer search settings to standard”, “Restore Internet Explorer start page”, “Reset Internet Explorer protocol prefix settings to standard”

On a note:

Any of the firmware can be executed several times in a row without damaging the system. Exceptions - “5.

Restoring desktop settings" (running this firmware will reset all desktop settings and you will have to re-select the desktop coloring and wallpaper) and "10.

Restoring boot settings in SafeMode" (this firmware recreates the registry keys responsible for booting in safe mode).

To start the recovery, first download, unpack and run utility. Then click File - System Restore. By the way, you can also do

Check the boxes that you need and click start operations. That's it, we look forward to completion :-)

In the following articles we will look in more detail at the problems that avz system recovery firmware will help us solve. So good luck to you.