AVZ - restore system settings and remove viruses. Configuring AVZ firmware: system recovery after viruses.

AVZ (Zaitsev Anti-Virus) is an excellent free program for removing malware and repairing the system afterwards. If a virus blocks the download of AVZ itself, try downloading the full antivirus suite instead.

The main purpose of AVZ is detecting and removing malware.

The AVZ antivirus utility is designed to detect and remove:

  • SpyWare and AdWare modules (the primary target of the utility)
  • Dialer (Trojan.Dialer)
  • Trojan horses
  • BackDoor modules
  • Network and mail worms
  • TrojanSpy, TrojanDownloader, TrojanDropper

The utility is a direct analogue of TrojanHunter and LavaSoft Ad-aware 6. Its primary task is to remove SpyWare and Trojans.

In addition to a typical signature scanner, AVZ offers the following:

  • Heuristic system-check firmware (AVZ's term for its built-in microprograms). The firmware looks for known SpyWare and viruses by indirect signs, based on analysis of the registry, of files on disk and of memory.
  • An updated database of safe files. It contains digital signatures of tens of thousands of system files and of files belonging to known safe processes. The database is hooked into every AVZ subsystem and works on a "friend or foe" principle: safe files are not quarantined, deletions and warnings are suppressed for them, and the database is used by the anti-rootkit, the file search and the various analyzers. In particular, the built-in process manager colour-codes safe processes and services, and the disk file search can exclude known files from its results (very handy when hunting for Trojans on disk);
  • A built-in rootkit detection system. Rootkits are found without signatures, by examining the core system libraries for hooked functions. AVZ can not only detect a rootkit but also neutralize it correctly: a UserMode rootkit within its process and a KernelMode rootkit at the system level. Rootkit countermeasures apply to all AVZ service functions, so the AVZ scanner can detect hidden processes, the registry search "sees" hidden keys, and so on. The anti-rootkit includes an analyzer that detects processes and services hidden by a rootkit. One notable feature of the rootkit countermeasure system, in my opinion, is that it works on Win9X (the widespread opinion that there are no rootkits on the Win9X platform is deeply mistaken: hundreds of Trojans are known to hook API functions to hide their presence, to distort the results of API functions or to spy on their use). Another is the universal detection and blocking system for KernelMode rootkits, which works under Windows NT, Windows 2000 Professional/Server, XP, XP SP1, XP SP2, Windows 2003 Server and Windows 2003 Server SP1.
  • A keylogger and Trojan DLL detector. Keyloggers and Trojan DLLs are found by system analysis without a signature database, which makes it possible to reliably detect previously unknown Trojan DLLs and keyloggers;
  • A neuroanalyzer. Besides the signature analyzer, AVZ contains a neuro-emulator that examines suspicious files with a neural network. Currently the neural network is used in the keylogger detector.
  • A built-in analyzer of Winsock SPI/LSP settings. It analyzes the settings, diagnoses possible configuration errors and can repair them automatically. Automatic diagnosis and repair is useful for novice users (utilities such as LSPFix have no automatic repair). For manual study of SPI/LSP the program has a dedicated LSP/SPI settings manager. The Winsock SPI/LSP analyzer is protected by the anti-rootkit;
  • A built-in manager of processes, services and drivers. It is designed for studying running processes and loaded libraries, and running services and drivers. The process manager benefits from the anti-rootkit (so it "sees" processes hidden by a rootkit) and is linked to the safe-file database, so identified safe and system files are highlighted;
  • A built-in disk file search. Files can be searched by many criteria, beyond what the system search offers. The search benefits from the anti-rootkit (so it "sees" files hidden by a rootkit and can delete them), and a filter can exclude files that AVZ recognizes as safe from the results. Results are available as a text protocol and as a table in which a group of files can be marked for deletion or quarantine;
  • A built-in registry search. Keys and values can be searched by a given pattern; results are available as a text protocol and as a table in which several keys can be marked for export or deletion. The search benefits from the anti-rootkit (so it "sees" registry keys hidden by a rootkit and can delete them);
  • A built-in analyzer of open TCP/UDP ports. It benefits from the anti-rootkit; on Windows XP the process using each port is shown. The analyzer relies on an updated database of ports used by known Trojan/Backdoor programs and by known system services. The Trojan port search is part of the main system check: when suspicious ports are found, the protocol warns which Trojans tend to use that port;
  • A built-in analyzer of shared resources, network sessions and files opened over the network. Works on Win9X and NT/W2K/XP.
  • A built-in analyzer of Downloaded Program Files (DPF). It displays DPF elements and is connected to all AVZ subsystems.
  • System recovery firmware. It restores Internet Explorer settings, program launch parameters and other system settings damaged by malware. Recovery is started manually; the user chooses which settings to restore.
  • Heuristic file deletion. If this option is enabled and malicious files were deleted during disinfection, the system is examined automatically: classes, BHOs, IE and Explorer extensions, every autorun type AVZ knows, Winlogon, SPI/LSP and so on. All references found to the deleted file are cleaned up automatically, and the log records what exactly was cleaned and where. This cleaning makes heavy use of the system treatment microprogram engine;
  • Archive scanning. Since version 3.60 AVZ scans archives and compound files. Currently ZIP, RAR, CAB, GZIP and TAR archives, e-mail messages and MHT files, and CHM archives are scanned;
  • Scanning and disinfecting NTFS streams. NTFS stream scanning has been in AVZ since version 3.75;
  • Control scripts. An administrator can write a script that performs a set of specified operations on a user's PC. Scripts make it possible to use AVZ on a corporate network, including running it during system boot;
  • A process analyzer. It uses neural networks and analysis firmware; it is enabled when advanced analysis is turned on at the maximum heuristic level and is designed to find suspicious processes in memory;
  • The AVZGuard system. Designed to fight hard-to-remove malware; besides AVZ itself, it can protect user-specified applications, for example other anti-spyware and antivirus programs;
  • Direct disk access for working with locked files. Works on FAT16/FAT32/NTFS, is supported on all NT-line operating systems, and lets the scanner analyze locked files and place them in quarantine;
  • The AVZPM process monitoring driver. Designed to track process start and stop and driver load and unload, in order to find hidden drivers and detect corruption of the process and driver structures caused by DKOM rootkits;
  • The Boot Cleaner driver. Performs system cleaning (removing files, drivers, services and registry keys) from KernelMode. The cleaning can be performed during a reboot or during disinfection.

Restore system parameters.

  • Restoring startup parameters for .exe, .com and .pif files
  • Resetting IE settings
  • Restoring Desktop settings
  • Removing all user restrictions (policies)
  • Deleting the Winlogon message
  • Restoring Explorer settings
  • Removing system process debuggers
  • Restoring Safe Mode boot settings
  • Unlocking Task Manager
  • Cleaning the hosts file
  • Correcting SPI/LSP settings
  • Resetting SPI/LSP and TCP/IP settings
  • Unlocking Registry Editor
  • Clearing MountPoints keys
  • Replacing DNS servers
  • Removing the IE/Edge proxy server setting
  • Removing Google restrictions


Program tools:

  • Process manager
  • Service and driver manager
  • Kernel-space modules
  • Internal DLL manager
  • Registry search
  • File search
  • Cookie search
  • Startup manager
  • Browser extension manager
  • Control Panel applet (cpl) manager
  • Explorer extension manager
  • Print extension manager
  • Task Scheduler manager
  • Protocol and handler manager
  • DPF manager
  • Active Setup manager
  • Winsock SPI manager
  • Hosts file manager
  • TCP/UDP port manager
  • Network shares and network connections manager
  • Set of system utilities
  • Checking a file against the safe-file database
  • Checking a file against the Microsoft security catalog
  • Calculating file MD5 hashes

That is quite a toolset for rescuing a computer from all kinds of infections!


There are programs as universal as a Swiss army knife. The hero of this article is one of them: AVZ (Zaitsev's anti-virus). With this free program you can catch viruses, optimize the system and fix problems.

AVZ features

I have already written about AVZ as an antivirus in an earlier article. Its work as a one-off antivirus (more precisely, an anti-rootkit) is well described in its help file, so here I will show the other side of the program: checking and restoring settings.

What can be "fixed" with AVZ:

  • Restore the launching of programs (.exe, .com, .pif files)
  • Reset Internet Explorer settings to the defaults
  • Restore Desktop settings
  • Remove restrictions on user rights (for example, when a virus has blocked the launching of programs)
  • Remove a banner or window that appears before login
  • Remove malware that runs together with any program (system process debuggers)
  • Unblock Task Manager and Registry Editor (if a virus prevents them from starting)
  • Clean the hosts file
  • Prevent autostart of programs from flash drives and disks
  • Delete unnecessary files from the hard disk
  • Fix Desktop problems
  • And much more

It can also check the security of Windows settings (to protect against viruses better) and optimize the system by cleaning up the startup list.

The program is free to download.

First, let's protect Windows from careless actions

AVZ has a great many functions that affect how Windows works, and that is dangerous: one mistake can cause real trouble. Read this text and the program's help carefully before doing anything. The author of the article is not responsible for your actions.

I wrote this chapter so that you can "put everything back as it was" after careless work with AVZ.

This is a mandatory step: it creates an "escape route" for the case of careless actions. Thanks to a restore point, the settings and the Windows registry can be returned to an earlier state.

Windows System Restore has been a standard component of every Windows version since Windows ME. Sadly, people usually forget about it and waste time reinstalling Windows and programs when a couple of mouse clicks would have avoided the trouble.

If the damage is serious (for example, some system files have been deleted), System Restore will not help. In other cases (a misconfigured Windows, "clever" registry edits, an installed program after which Windows does not boot, misuse of AVZ) System Restore should help.

After its work, AVZ creates subfolders with backups in its own folder:

/Backup - backup copies of the registry are stored here.

/Infected - copies of deleted viruses.

/Quarantine - copies of suspicious files.

If problems appeared after AVZ's work (for example, you used the AVZ System Restore tool thoughtlessly and the Internet stopped working) and Windows System Restore did not roll back the changes, you can open the registry backups from the Backup folder.

How to create a restore point

Go to Start - Control Panel - System and click "System Protection" in the "System" window.

Press the "Create" button.

Creating a restore point can take up to ten minutes; when it is done, a confirmation window appears.

The restore point is now created. Restore points are also created automatically when programs and drivers are installed, but not always. So before risky actions (tweaking, cleaning the system) it is better to create one more restore point; you will thank yourself for your prudence if something goes wrong.
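The same restore point can be created from an elevated Windows PowerShell prompt, which is convenient to do right before running AVZ's System Restore items. The script below is an added example, not part of this article or of AVZ; it relies only on the built-in Enable-ComputerRestore, Checkpoint-Computer and Get-ComputerRestorePoint cmdlets (Windows PowerShell 5.1, not PowerShell 7). The SystemRestorePointCreationFrequency value it sets is a Windows setting that lifts the once-per-24-hours limit on new points; setting it is my assumption about what you want when running this by hand.

```powershell
#Requires -RunAsAdministrator
# Added example: create and verify a System Restore point before touching the system with AVZ.
# Windows PowerShell 5.1 only (Checkpoint-Computer and friends are not available in PowerShell 7).
param(
    [string]$Description = 'Before AVZ system restore',   # label shown in the restore-point list
    [string]$Drive = "$env:SystemDrive\"                   # protected drive, normally C:\
)

# 1. System Protection must be on for the drive, otherwise no point can be created.
Enable-ComputerRestore -Drive $Drive

# 2. Windows 8 and later silently skip a new point if one was made in the last 24 hours.
#    Frequency 0 removes that limit (assumption: you want a fresh point every time you run this).
$srKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore'
Set-ItemProperty -Path $srKey -Name SystemRestorePointCreationFrequency -Value 0 -Type DWord

# 3. Create the point. MODIFY_SETTINGS is the type Windows itself uses before configuration changes.
Checkpoint-Computer -Description $Description -RestorePointType MODIFY_SETTINGS

# 4. Verify: list the newest points, yours should be first.
Get-ComputerRestorePoint |
    Sort-Object -Property SequenceNumber -Descending |
    Select-Object -First 5 -Property SequenceNumber, Description,
        @{ Name = 'Created'; Expression = { $_.ConvertToDateTime($_.CreationTime) } }
```

To roll back from PowerShell later (the case where Windows still starts), Restore-Computer -RestorePoint followed by the SequenceNumber from the list applies that point and reboots the computer.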

How to restore a computer using a restore point

There are two ways to start System Restore: from a running Windows, and from the installation disc.

Option 1 - if Windows starts

Go to Start - All Programs - Accessories - System Tools - System Restore.

System Restore starts. Select "Choose a different restore point" and click Next. A list of restore points opens; choose the one you need.

The computer restarts automatically. After it boots, all settings, the registry and some important files are restored.

Option 2 - if Windows does not boot

You need an installation disc with Windows 7 or Windows 8 (where to get or download one is described in a separate article).

Boot from the disc (how to boot from bootable discs is also described separately) and choose "System Restore" instead of installing Windows.

Fixing the system after viruses or clumsy handling of the computer

Before doing anything, get rid of the malware first, for example with an antivirus scan. Otherwise there is no point: the still-running virus will "break" the corrected settings again.

Restoring startup programs

If a virus has blocked the launching of programs, AVZ will help. Of course, you still need to start AVZ itself, but that is quite easy:

First go to Control Panel (switch the view to anything except Category) - Folder Options - View, untick "Hide extensions for registered file types" and click OK. Now you can see every file's extension, the few characters after the last dot in the name; for programs it is usually .exe or .com. To run AVZ on a computer where launching programs is blocked, rename its extension to .cmd or .pif:

AVZ then starts. In the program window click File - System Restore:

Tick the following items:

1. Restoring startup parameters for .exe, .com, .pif files (this is what actually fixes program launching)

6. Removing all Policies (restrictions) of the current user (in some rare cases this item also fixes program launching, if the virus is especially nasty)

9. Removing system process debuggers (it is highly advisable to tick this item: even after an antivirus scan, something of the virus may remain. It also helps when the Desktop does not appear at startup)

Click "Perform marked operations", confirm, and a window with the text "System restore completed" appears. Then just restart the computer and the problem with launching programs is solved!

Restoring Desktop Launch

A fairly frequent problem: the Desktop does not appear when the system starts.

You can start the Desktop like this: press Ctrl+Alt+Del, open Task Manager, click File - New Task (Run...) and enter explorer.exe:

Click OK and the Desktop appears. But this is only a temporary fix: the next time you turn on the computer you will have to repeat it.

To avoid doing this every time, the launch key of explorer must be restored ("Explorer" is the program responsible for the standard view of folder contents and for the Desktop). In AVZ click File - System Restore and tick the item that restores the Explorer launch key.

Click "Perform marked operations", confirm, and click OK. Now the Desktop will start normally when the computer boots.

Unlocking Task Manager and Registry Editor

If a virus has blocked the launching of these two programs, you can lift the ban from the AVZ window. Just tick two items:

11. Unlocking Task Manager

17. Unlocking Registry Editor

and click "Perform marked operations".
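For the three procedures above (program launching, the Desktop, Task Manager and Registry Editor), here is an added script, not from the article and not AVZ's own code, that reads the registry locations those AVZ items reset and reports anything that differs from a stock Windows installation; with -Fix it writes the defaults back. The expected values (the "%1" %* launch commands, explorer.exe as the Winlogon shell, no IFEO Debugger values, no restriction policies) are assumptions about a default installation: on a domain-joined computer some of the policies may be deliberate Group Policy settings, so read the report before fixing. It needs an elevated Windows PowerShell; if launching programs is blocked, run AVZ item 1 first, because powershell.exe is subject to the same hijacked .exe association.

```powershell
#Requires -RunAsAdministrator
# Added example (not AVZ's code): audit, and with -Fix repair, the registry locations behind AVZ's
# System Restore items 1 (.exe/.com/.pif launch), 6 (policies), 7 (Winlogon message), 9 (process
# debuggers), 11 (Task Manager), 17 (Registry Editor) and the Explorer launch key. Reports only
# unless -Fix is given. Expected values are those of a stock Windows installation (assumption).
param([switch]$Fix)

$findings = New-Object System.Collections.Generic.List[string]

function Get-RegValue([string]$Path, [string]$Name) {
    # $Name = '' reads the key's (Default) value; a missing key or value gives $null.
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    return (Get-Item -LiteralPath $Path).GetValue($Name, $null)
}

# --- Item 1: extension -> ProgID -> launch command. HKCU\Software\Classes overrides HKLM, and
# Windows creates no per-user entries for executable types, so any HKCU entry is suspect.
$progId = @{ '.exe' = 'exefile'; '.com' = 'comfile'; '.pif' = 'piffile'; '.bat' = 'batfile'; '.cmd' = 'cmdfile'; '.scr' = 'scrfile' }
foreach ($ext in $progId.Keys) {
    $type = $progId[$ext]
    $expected = if ($ext -eq '.scr') { '"%1" /S' } else { '"%1" %*' }
    $map = Get-RegValue "HKLM:\SOFTWARE\Classes\$ext" ''
    if ($map -and $map -ne $type) {
        $findings.Add("$ext is mapped to ProgID '$map' instead of '$type'")
        if ($Fix) { Set-ItemProperty -LiteralPath "HKLM:\SOFTWARE\Classes\$ext" -Name '(default)' -Value $type }
    }
    $cmdKey = "HKLM:\SOFTWARE\Classes\$type\shell\open\command"
    $cmd = Get-RegValue $cmdKey ''
    if ($cmd -and $cmd -ne $expected) {
        $findings.Add("$type launch command is '$cmd', expected '$expected'")
        if ($Fix) { Set-ItemProperty -LiteralPath $cmdKey -Name '(default)' -Value $expected }
    }
    foreach ($userKey in "HKCU:\Software\Classes\$ext", "HKCU:\Software\Classes\$type") {
        if (Test-Path -LiteralPath $userKey) {
            $findings.Add("per-user override present: $userKey")
            if ($Fix) { Remove-Item -LiteralPath $userKey -Recurse }
        }
    }
}

# --- Item 9: an IFEO "Debugger" value starts another program whenever the named one is launched.
foreach ($ifeo in 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
                  'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options') {
    foreach ($key in Get-ChildItem -LiteralPath $ifeo -ErrorAction SilentlyContinue) {
        $dbg = $key.GetValue('Debugger', $null)
        if ($dbg) {
            $findings.Add("debugger attached to $($key.PSChildName): $dbg")
            if ($Fix) { Remove-ItemProperty -LiteralPath $key.PSPath -Name Debugger }
        }
    }
}

# --- Items 6, 11, 17: restriction policies. A non-zero value was set by someone or something
# (on a domain-joined PC possibly by Group Policy, so review before fixing).
$policies = @{
    'Policies\System'   = 'DisableTaskMgr', 'DisableRegistryTools', 'DisableCMD'
    'Policies\Explorer' = 'NoRun', 'NoDesktop', 'NoFolderOptions', 'NoControlPanel', 'DisallowRun', 'RestrictRun'
}
foreach ($root in 'HKCU:\Software\Microsoft\Windows\CurrentVersion', 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion') {
    foreach ($sub in $policies.Keys) {
        foreach ($name in $policies[$sub]) {
            $v = Get-RegValue "$root\$sub" $name
            if ($v) {
                $findings.Add("policy $name = $v in $root\$sub")
                if ($Fix) { Remove-ItemProperty -LiteralPath "$root\$sub" -Name $name }
            }
        }
    }
}

# --- Explorer launch key (Shell/Userinit) and item 7 (logon message).
$wl = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$shell = Get-RegValue $wl 'Shell'
if ($shell -and $shell -ne 'explorer.exe') {
    $findings.Add("Winlogon Shell = '$shell', expected 'explorer.exe'")
    if ($Fix) { Set-ItemProperty -LiteralPath $wl -Name Shell -Value 'explorer.exe' }
}
$userinit = Get-RegValue $wl 'Userinit'
$expectedUserinit = "$env:SystemRoot\system32\userinit.exe,"
if ($userinit -and $userinit.TrimEnd(',') -ine $expectedUserinit.TrimEnd(',')) {
    $findings.Add("Winlogon Userinit = '$userinit', expected '$expectedUserinit'")
    if ($Fix) { Set-ItemProperty -LiteralPath $wl -Name Userinit -Value $expectedUserinit }
}
foreach ($name in 'LegalNoticeCaption', 'LegalNoticeText') {
    $v = Get-RegValue $wl $name
    if ($v) {
        $findings.Add("Winlogon $name = '$v'")
        if ($Fix) { Set-ItemProperty -LiteralPath $wl -Name $name -Value '' }
    }
}

if ($findings.Count -eq 0) { 'No deviations from the stock settings found.' }
else {
    $findings | ForEach-Object { "[!] $_" }
    if ($Fix) { 'Repaired. Sign out and back in (or reboot) for Winlogon and policy changes to apply.' }
    else      { 'Run again with -Fix to apply the repairs, or tick the matching items in AVZ.' }
}
```

Run it once without -Fix and compare the report with what AVZ shows; the two should agree, and any entry that neither you nor your administrator put there is the one to remove.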

Internet problems (Vkontakte, Odnoklassniki and antivirus sites do not open)

AVZ's problem-finding component can check four categories of problems at different severity levels (each level differs in the number of settings checked):

System problems: this covers security settings. Tick the items found and press "Fix reported issues", and some of the loopholes used by viruses will be closed. There is a flip side: more safety, less convenience. For example, if you forbid autorun from removable media and CD-ROM, the window with a choice of actions (view contents, start the player, etc.) will no longer appear when you insert a flash drive or disc; you will have to open the Computer window and browse the disc by hand. That is, viruses will not start automatically, but the convenient prompt disappears too. Depending on the Windows settings, everyone will see their own list of system vulnerabilities here.

Browser settings and tweaks: Internet Explorer security settings are checked. As far as I know, the settings of other browsers (Google Chrome, Opera, Mozilla Firefox and others) are not checked. Even if you do not use Internet Explorer, I advise running the scan: this browser's components are used by many programs and are a potential "security hole" that should be closed.

Cleaning the system: partly duplicates the previous category, but does not touch the places where data about user actions is stored.

I recommend checking the system in the categories System problems and Browser settings and tweaks with the severity level Moderate problems. If viruses have not touched the settings, you will most likely be offered only one item, "autorun from removable media is allowed" (flash drives). Ticking it forbids autorun of programs from flash drives and at least partly protects the computer from malware that spreads on them. More complete protection is achieved only with an installed and working antivirus.
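The symptom in this section's title is most often caused by hosts-file entries that point social-network and antivirus domains at 127.0.0.1 or at an attacker's server, which is what AVZ's "Cleaning the hosts file" item undoes. The following added example (not from the article or AVZ) parses the hosts file and reports every mapping other than the localhost lines Windows ships with; the watch-list of domains and the TEST-NET address in the constructed sample are assumptions, and it reads the real file location from the Tcpip DataBasePath registry value because malware sometimes redirects it.

```powershell
# Added example (not from the article or AVZ): find hosts-file lines that block or redirect sites,
# the usual cause of "Vkontakte, Odnoklassniki and antivirus sites do not open".

function Get-HostsPath {
    # Malware can point Windows at a different hosts file through this value, so read the real
    # location instead of assuming System32\drivers\etc.
    $tcpip = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
    $dir = (Get-ItemProperty -Path $tcpip -Name DataBasePath -ErrorAction SilentlyContinue).DataBasePath
    if (-not $dir) { $dir = "$env:SystemRoot\System32\drivers\etc" }
    return Join-Path ([Environment]::ExpandEnvironmentVariables($dir)) 'hosts'
}

function Get-SuspiciousHostsEntries {
    param(
        [string]$Path = (Get-HostsPath),
        # Assumed watch-list: sites that hosts-file malware typically blocks. Extend as needed.
        [string[]]$WatchList = @('vk.com', 'vkontakte.ru', 'odnoklassniki.ru', 'ok.ru',
                                 'kaspersky.com', 'drweb.com', 'eset.com', 'avast.com',
                                 'microsoft.com', 'windowsupdate.com', 'z-oleg.com')
    )
    $results = @()
    $lineNo = 0
    foreach ($raw in Get-Content -LiteralPath $Path -ErrorAction Stop) {
        $lineNo++
        $line = ($raw -split '#', 2)[0].Trim()          # strip comments
        if (-not $line) { continue }
        $parts = $line -split '\s+'
        if ($parts.Length -lt 2) { continue }            # malformed line, nothing mapped
        $addr = $parts[0]
        foreach ($name in $parts[1..($parts.Length - 1)]) {
            $loopback = $addr -in '127.0.0.1', '::1'
            if ($loopback -and $name -ieq 'localhost') { continue }   # the only lines Windows ships
            $watched = $WatchList | Where-Object { $name -ieq $_ -or $name -ilike "*.$_" }
            if ($watched)                              { $verdict = 'BLOCKS/REDIRECTS watched site' }
            elseif ($loopback -or $addr -eq '0.0.0.0') { $verdict = 'blocks a site' }
            else                                       { $verdict = 'redirects a site' }
            $results += [pscustomobject]@{ Line = $lineNo; Address = $addr; Host = $name; Verdict = $verdict }
        }
    }
    return $results
}

# Constructed sample (not a real infection) so the parser can be tried without touching the live file:
$sample = Join-Path $env:TEMP 'hosts.sample'
@"
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1       vk.com www.vk.com
0.0.0.0         kaspersky.com       # blocked
203.0.113.10    odnoklassniki.ru    # sent to an attacker-controlled address (TEST-NET-3 here)
"@ | Set-Content -LiteralPath $sample
Get-SuspiciousHostsEntries -Path $sample | Format-Table -AutoSize

# Live check (the real file; run as administrator if the path is redirected or the file is hidden):
# Get-SuspiciousHostsEntries | Format-Table -AutoSize
```

If the live check finds entries you did not add, AVZ's hosts item or a manual rewrite of the file fixes them. Note that the file is often made hidden and read-only first (attrib -r -h -s removes those attributes), and that the DataBasePath value itself should point at %SystemRoot%\System32\drivers\etc.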

Cleaning the system from unnecessary files

AVZ also knows how to clean the computer of unnecessary files. If no disk-cleaning program is installed, AVZ will do, since it has many options:

More about the items:

  1. Clear the system Prefetch cache: clears the folder that records which files to preload so that programs start faster. The option is useless: Windows itself manages the Prefetch folder quite well and cleans it when needed.
  2. Delete Windows log files: clears various databases and files that record events in the operating system. Useful only if you need to free ten or twenty megabytes of disk space, i.e. the benefit is negligible and the option is of little use. Keep in mind, too, that these logs are exactly what you would examine to find out what a piece of malware did on the machine, so do not delete them before any investigation is finished.
  3. Delete memory dump files: when a critical error interrupts Windows and it shows a BSOD (blue screen of death), it saves information about the running programs and drivers to a dump file for later analysis with special tools to identify the culprit. The gain is usually small (minidumps take a few hundred kilobytes each), unless a full memory dump (MEMORY.DMP, which can be as large as the installed RAM) has been written. Deleting dump files does not harm the system, but you lose the ability to analyze the crash.
  4. Clear the list of Recent documents: oddly enough, it clears the Recent documents list in the Start menu. You can also clear the list by hand by right-clicking that item in the Start menu and choosing "Clear list of recent items". A useful option: I've noticed that clearing the recent-documents list makes the Start menu display its submenus a little faster. It does not harm the system.
  5. Clear the TEMP folder: the Holy Grail for anyone wondering where the free space on drive C: went. Many programs store temporary files in TEMP and forget to "clean up after themselves"; archivers are a typical example, they unpack files there and forget to delete them. Clearing the TEMP folder does not harm the system and can free a lot of space (in badly neglected cases the gain reaches fifty gigabytes!).
  6. Adobe Flash Player - clear temporary files: Flash Player can save temporary files, and they can be removed. Occasionally (rarely) the option helps with Flash Player glitches, for example problems with video and audio playback on the Vkontakte site. Harmless.
  7. Clear the terminal client cache: as far as I know, this clears the temporary files of the Windows component "Remote Desktop Connection" (remote access to computers via RDP). The option seems to do no harm and frees a dozen megabytes at best; there is no point in using it.
  8. IIS - delete the HTTP error log: it would take a long time to explain what this is. Let me just say it is better not to enable this option. In any case, no harm and no benefit.
  9. Macromedia Flash Player: duplicates "Adobe Flash Player - clear temporary files", but applies to rather ancient Flash Player versions.
  10. Java - clear cache: gains a couple of megabytes of disk space. I do not use Java programs, so I have not checked the consequences of enabling this option. I do not advise turning it on.
  11. Empty the Recycle Bin: the purpose is clear from the name.
  12. Delete system update installation logs: Windows keeps a log of installed updates, and this option clears it. Useless, because there is no gain in free space.
  13. Delete the Windows Update log: similar to the previous item, but other files are deleted. Also a fairly useless option.
  14. Clear the MountPoints database: if no icons appear in the Computer window when you plug in a flash drive or hard disk, this option may help. I advise enabling it only if you have problems connecting flash drives and disks.
  15. Internet Explorer - clear cache: clears Internet Explorer's temporary files. Safe and useful.
  16. Microsoft Office - clear cache: clears temporary files of the Microsoft Office programs (Word, Excel, PowerPoint and others). I cannot check how safe this option is because I do not have Microsoft Office.
  17. Clear the CD writing system cache: a useful option that deletes files you have prepared for writing to disc.
  18. Clear the system TEMP folder: unlike the user's TEMP folder (see item 5), clearing this folder is not always safe, and usually little space is freed. I do not advise turning it on.
  19. MSI - clear the Config.Msi folder: this folder holds files created by program installers. It grows large when installers did not finish correctly, so clearing it is worthwhile. Still, be warned: there may be problems uninstalling programs that use .msi installers (for example, Microsoft Office).
  20. Clear Task Scheduler logs: Windows Task Scheduler keeps a log of completed tasks. I do not recommend this item: there is no benefit, and it may add problems, since Task Scheduler is a rather buggy component.
  21. Delete Windows installation logs: the space gained is negligible; there is no point in deleting them.
  22. Windows - clear the icon cache: useful when you have problems with shortcuts, for example when icons do not appear immediately after the Desktop loads. Enabling this option does not affect system stability.
  23. Google Chrome - clear cache: a very useful option. Google Chrome stores copies of pages in a dedicated folder to open sites faster (pages are loaded from the hard drive instead of over the Internet). Sometimes this folder reaches half a gigabyte. Clearing it frees disk space and does not affect the stability of Windows or Chrome.
  24. Mozilla Firefox - clear the CrashReports folder: every time Firefox runs into a problem and closes abnormally, report files are generated; this option deletes them. The gain is a couple of tens of megabytes at most, so the benefit is small but real. The stability of Windows and Firefox is not affected.

Depending on the installed programs, the number of items differs. For example, if the Opera browser is installed, its cache can be cleared too.
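Before ticking cleanup items it helps to know what each location actually holds on your machine. This added example (not from the article or AVZ) measures the folders behind the items above and lists them largest first; it deletes nothing. The paths are the usual ones on Windows 7 and later and are assumptions (for instance the IE cache moved to INetCache in Windows 8, on Windows 7 it is Temporary Internet Files), and anything absent on your system is skipped.

```powershell
# Added example (not from the article or AVZ): measure what the locations behind AVZ's cleanup
# items actually hold, so you can decide what is worth clearing. Read-only. Paths are the usual
# ones on Windows 7 and later (assumption); locations that do not exist are skipped.
function Get-SizeMB([string]$Path) {
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    $bytes = (Get-ChildItem -LiteralPath $Path -Recurse -Force -File -ErrorAction SilentlyContinue |
              Measure-Object -Property Length -Sum).Sum
    return [math]::Round(($bytes / 1MB), 1)
}

# Item numbers refer to the list above.
$targets = [ordered]@{
    '5.  User TEMP (safe to clear)'          = $env:TEMP
    '18. System TEMP (clear with care)'      = "$env:SystemRoot\Temp"
    '1.  Prefetch (leave to Windows)'        = "$env:SystemRoot\Prefetch"
    '3.  Minidumps'                          = "$env:SystemRoot\Minidump"
    '3.  Full memory dump'                   = "$env:SystemRoot\MEMORY.DMP"
    '19. Config.Msi (installer rollbacks)'   = "$env:SystemDrive\Config.Msi"
    '15. IE cache (Windows 8 and later)'     = "$env:LOCALAPPDATA\Microsoft\Windows\INetCache"
    '23. Chrome cache'                       = "$env:LOCALAPPDATA\Google\Chrome\User Data\Default\Cache"
    '24. Firefox crash reports'              = "$env:APPDATA\Mozilla\Firefox\Crash Reports"
    '10. Java cache'                         = "$env:LOCALAPPDATA\Sun\Java\Deployment\cache"
    '6.  Flash Player data'                  = "$env:APPDATA\Macromedia\Flash Player"
    '11. Recycle Bin (system drive)'         = "$env:SystemDrive\`$Recycle.Bin"
}

$report = foreach ($t in $targets.GetEnumerator()) {
    $mb = Get-SizeMB $t.Value
    if ($null -ne $mb) { [pscustomobject]@{ Item = $t.Key; SizeMB = $mb; Path = $t.Value } }
}
$report | Sort-Object -Property SizeMB -Descending | Format-Table -AutoSize
```

Run it as administrator if you want the Recycle Bin and system folders of other users counted as well; otherwise those are silently reported smaller than they are.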

Cleaning the list of startup programs

A sure way to make the computer boot and run faster is to clean up the startup list. If unnecessary programs are not started, the computer not only boots faster but also runs faster, thanks to the resources no longer taken by programs running in the background.

AVZ can show almost every loophole in Windows through which programs get launched. The autorun list is in the Tools - Autorun Manager menu:

An ordinary user has absolutely no need for such powerful functionality, so I urge you not to disable everything. It is enough to look at just two sections: Startup folders and Run*.

AVZ shows autorun entries not only for your user but for all other profiles too:

In the Run* section it is better not to disable the programs located under HKEY_USERS: this may break other user profiles and the operating system. In the Startup folders section you can disable everything you do not need.

Entries that the antivirus recognizes as known are marked in green. These are Windows system programs and digitally signed third-party programs.

All other programs are marked in black. This does not mean they are viruses or anything of the kind; simply not every program is digitally signed.

Do not forget to widen the first column to see the program name. Unticking an entry temporarily disables the program's autostart (you can tick it again later); selecting an entry and clicking the button with a black cross deletes the entry for good (or until the program registers itself in autorun again).

The question arises: how do you decide what can be disabled and what cannot? There are two approaches:

First, common sense: you can decide by the name of the program file. For example, Skype creates an entry during installation so that it starts automatically when the computer is turned on. If you do not need that, untick the entry ending in skype.exe. By the way, many programs (Skype among them) can remove themselves from startup; it is enough to untick the corresponding item in the program's own settings.

Second, search the Internet for information about the program and decide on that basis whether to remove it from autorun. AVZ makes this easy: right-click an entry and pick your favourite search engine:

By disabling unnecessary programs you will noticeably speed up the computer's startup. Disabling everything in a row, however, is not advisable: you risk losing the keyboard layout indicator, disabling the antivirus, and so on.

Disable only those programs that you know for sure - you do not need them in autostart.
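As an added example (not the article's, not AVZ's code), the script below lists the same Run* keys and Startup folders that the Autorun Manager shows and checks each program's Authenticode signature, which is the mechanism behind the green marking described above. It is read-only. The key list covers HKLM and HKCU Run/RunOnce (plus the 32-bit view), not the other profiles under HKEY_USERS that the article recommends leaving alone. On PowerShell versions that do not check catalog signatures, some built-in Windows files show as unsigned; AVZ's safe-file database is the better authority for those.

```powershell
# Added example (not from the article or AVZ): list the Run* keys and Startup folders that AVZ's
# Autorun Manager shows, with an Authenticode check standing in for AVZ's green/black marking.
# Read-only. Only the two sections the article recommends looking at are covered.

function Get-ExecutableFromCommand([string]$Command) {
    # Turn a Run-key command line into the path of the program it starts.
    $cmd = [Environment]::ExpandEnvironmentVariables($Command.Trim())
    if (-not $cmd) { return '' }
    if ($cmd -match '^"([^"]+)"') { return $matches[1] }
    $tokens = $cmd -split ' '
    for ($i = 0; $i -lt $tokens.Length; $i++) {      # unquoted path that may contain spaces
        $candidate = $tokens[0..$i] -join ' '
        if (Test-Path -LiteralPath $candidate -PathType Leaf) { return $candidate }
    }
    $onPath = Get-Command $tokens[0] -ErrorAction SilentlyContinue   # e.g. rundll32.exe
    if ($onPath -and $onPath.Path) { return $onPath.Path }
    return $tokens[0]
}

function Get-SignatureLabel([string]$Path) {
    if (-not $Path -or -not (Test-Path -LiteralPath $Path -PathType Leaf)) { return 'FILE MISSING' }
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    if ($sig.Status -eq 'Valid') {
        $cn = $sig.SignerCertificate.Subject -replace '^CN=([^,]+).*', '$1'
        return "signed: $cn"
    }
    return "UNSIGNED/INVALID ($($sig.Status))"
}

$entries = @()
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
foreach ($keyPath in $runKeys) {
    if (-not (Test-Path -LiteralPath $keyPath)) { continue }
    $key = Get-Item -LiteralPath $keyPath
    foreach ($name in $key.GetValueNames()) {
        $cmd = [string]$key.GetValue($name)
        $entries += [pscustomobject]@{
            Source = $keyPath; Name = $name; Command = $cmd
            Signature = Get-SignatureLabel (Get-ExecutableFromCommand $cmd)
        }
    }
}

# Startup folders: resolve .lnk shortcuts to their targets before checking the signature.
$wsh = New-Object -ComObject WScript.Shell
foreach ($folder in [Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup')) {
    if (-not $folder) { continue }
    foreach ($file in Get-ChildItem -LiteralPath $folder -File -ErrorAction SilentlyContinue) {
        $target = $file.FullName
        if ($file.Extension -ieq '.lnk') { $target = $wsh.CreateShortcut($file.FullName).TargetPath }
        $entries += [pscustomobject]@{
            Source = $folder; Name = $file.Name; Command = $target
            Signature = Get-SignatureLabel $target
        }
    }
}

# Unsigned and missing files first: those are the ones to look up before deciding.
$entries |
    Sort-Object -Property @{ Expression = { $_.Signature -like 'signed:*' } }, Name |
    Format-Table -Property Signature, Name, Command, Source -AutoSize -Wrap
```

A valid signature only tells you who published the file, not whether you want it at startup, so the article's advice still applies: look up the unsigned entries, and disable only what you are sure you do not need.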

Outcome

Essentially, what I wrote about in this article is like hammering nails with a microscope: AVZ is suitable for optimizing Windows, but it is really a complex and powerful tool for a wide range of tasks. Using AVZ to the full requires a thorough knowledge of Windows, so start small, with what is described above.

If you have questions or comments, there is a comment block under the article where you can write to me. I follow the comments and will try to answer as soon as possible.

In certain situations it may be necessary to disable the kernel debugger. This operation is not recommended for inexperienced users because of the potential threat to the stability of Microsoft Windows.

Instructions

Click "Start" and type cmd in the search box to find the Command Prompt.

Right-click the "Command Prompt" entry and choose "Run as administrator".

To disable kernel debugging for the current session only, enter kdbgctrl.exe -d (kdbgctrl is part of the Debugging Tools for Windows) and press Enter.

To disable kernel debugging for all sessions on Windows Vista and Windows 7, enter bcdedit /debug off and press Enter.

On earlier versions of Windows the setting lives in boot.ini, a hidden system file in the root of the system drive: enter dir /ASH to find it, open it in Notepad and delete the parameters

- /debug
- /debugport
- /baudrate

from the operating system line, then restart the computer to apply the change (on Windows XP, bootcfg /debug OFF /id followed by the entry number makes the same edit for you).

If, on the contrary, you want to debug the kernel, click Continue in the prompt dialog and wait for the procedure to complete.

When the "User break exception (Int 3)" message appears, enter the gn command in the Kernel Debugger window.

The kernel debugger can also be enabled at boot by choosing Debugging Mode in the same advanced boot menu that offers Safe Mode.
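An added example (not from the article) that reads the kernel-debugger flags from the BCD store before and after the change, so the effect of bcdedit /debug off can be verified rather than assumed. It wraps the same bcdedit commands the text gives; parsing the English "debug  Yes/No" lines of bcdedit /enum is an assumption, and the script must run from an elevated prompt.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the article): show the kernel-debugger flags in the BCD store and, with
# -Disable, turn them off with the same bcdedit commands the text uses. Parsing assumes the English
# output of "bcdedit /enum"; a missing "debug"/"bootdebug" line counts as off.
param([switch]$Disable)

function Get-KernelDebugState([string]$Entry = '{current}') {
    $out = & bcdedit.exe /enum $Entry 2>&1
    if ($LASTEXITCODE -ne 0) { throw "bcdedit failed (elevated prompt required): $out" }
    $state = @{ Debug = $false; BootDebug = $false }
    foreach ($line in $out) {
        if ("$line" -match '^(debug|bootdebug)\s+(Yes|No)\s*$') {
            $state[$matches[1]] = ($matches[2] -eq 'Yes')    # hashtable keys are case-insensitive
        }
    }
    return [pscustomobject]$state
}

$before = Get-KernelDebugState
"Kernel debugging: $($before.Debug); boot debugging: $($before.BootDebug)"

if ($Disable -and ($before.Debug -or $before.BootDebug)) {
    & bcdedit.exe /debug off     | Out-Null   # the article's manual step
    & bcdedit.exe /bootdebug off | Out-Null
    $after = Get-KernelDebugState
    "Now: kernel debugging $($after.Debug); boot debugging $($after.BootDebug). Reboot to apply."
}
```

bcdedit /dbgsettings shows the transport (serial, 1394, USB or network) that the flags above enable; it is harmless to leave configured once debugging itself is off.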

The kernel debugger is special software that runs at the kernel level of the operating system; "debugging the operating system kernel" means searching the kernel for errors. When working with Daemon Tools, the error "Initialization error... Kernel debugger must be deactivated" often occurs; it is fixed by disabling the kernel debugger.

You will need

  • Administrator rights.

Instructions

If this warning appears during the installation of the application, you must turn off the service called Machine debug manager. To do this, start the "Control Panel" and go to the "Administrative Tools" section. Next, click on the "Services" shortcut. Find Machine Debug Manager in the list. Click on the name with the mouse button and press "Stop".

Disable debugger processes in the "Task Manager". To do this, right-click in a free area and select the "Task Manager" item. You can press the Alt + Ctrl + Delete key combination. Go to the Processes tab and disable all mdm.exe, dumprep.exe, and drwatson.exe processes. If you are not comfortable looking for them in the list, click the Image Name tab to sort the list by name. As a rule, such operations are carried out manually, on behalf of the administrator of a personal computer.

It is also worth turning off error reporting so that no more debugging information is recorded. In Control Panel open System, go to the Advanced tab and click Error Reporting, then select Disable error reporting. Next, under Startup and Recovery click Settings and clear the Write an event to the system log and Send an administrative alert check boxes.

Remove Daemon Tools from startup: click Start, then Run, type msconfig and, in the System Configuration window, clear the check box next to the Daemon Tools entry. If you disable your anti-virus software for the installation, do so only for its duration and re-enable it immediately afterwards. If the error still occurs, restart the installation after eliminating all the causes described above.

Helpful advice

Some of the above operations require administrator access to system resources.

System Restore is a special AVZ function that allows you to restore a number of system settings damaged by malware.

The System Restore firmware (AVZ's term for its built-in repair microprograms) is stored in the anti-virus database and updated as needed.

Recommendation: apply System Restore only when you clearly understand why it is required. Before using it, make a backup or create a system restore point.

Note: System Restore operations automatically save the previous values as REG files in the Backup subdirectory of the AVZ working folder, so a change can be rolled back by importing the corresponding REG file.

Currently, the database contains the following firmware:

1. Restoring startup parameters for .exe, .com, .pif files

This firmware restores the system's handling of .exe, .com, .pif and .scr files (the file-type associations that determine how such files are launched).

Indications for use: programs stop running after a virus has been removed.

Possible risks: minimal, but it is recommended to use

2. Reset Internet Explorer protocol prefix settings to standard

This firmware restores the protocol prefix settings of Internet Explorer (the DefaultPrefix and Prefixes values under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\URL), which determine what is prepended to an address typed without a scheme.

Indications for use: when you enter an address such as www.yandex.ru, it is replaced with something like www.seque.com/abcd.php?url=www.yandex.ru.

Possible risks: minimal

3. Restoring the Internet Explorer start page

This firmware restores the Internet Explorer start page.

Indications for use: the start page has been replaced.

Possible risks: minimal

4. Reset Internet Explorer search settings to standard

This firmware restores the Internet Explorer search settings.

Indications for use: clicking the Search button in IE opens some third-party site.

Possible risks: minimal

5. Restoring Desktop Settings

This firmware restores the desktop settings: it removes all Active Desktop elements and the wallpaper, and removes the locks on the menu responsible for desktop settings.

Indications for use: the desktop-settings tabs have disappeared from the Display Properties window, or extraneous text or pictures are shown on the desktop.

Possible risks: the user's settings are deleted and the desktop returns to its defaults.

6. Delete all Policies (restrictions) of the current user

Windows provides a mechanism for restricting user actions called Policies. Many malicious programs use it, because the settings are stored in the registry (under the Policies keys in HKCU and HKLM) and are easy to create or modify.

Indications for use: Explorer or other system functions are blocked.

Possible risks: different versions of the operating system ship with different default policies, so resetting to a single default is not always optimal. The Troubleshooting Wizard is the safer choice for fixing the particular policies that malware most often changes.

7. Delete the message displayed during WinLogon

Windows NT and the later systems of the NT line (2000, XP) allow a message to be displayed during logon (the LegalNoticeCaption and LegalNoticeText values under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon). A number of malicious programs set such a message, and removing the malware does not remove the message.

Indications for use: an extraneous message is displayed during system boot.

Possible risks: none

8. Restoring Explorer Settings

This firmware resets a number of Explorer settings to the standard ones (the settings most often changed by malware are reset first).

Indications for use: Explorer settings have been changed.

Possible risks: minimal; the damage to the settings most typically targeted by malware is also found and fixed by the Troubleshooting Wizard.

9. Remove system process debuggers

Registering a "debugger" for a system process (the Debugger value under the Image File Execution Options registry key for that executable) makes Windows start the registered program instead of, and with the command line of, the original process. This lets an arbitrary application be launched silently, which a number of malicious programs exploit.

Indications for use: AVZ detects unrecognised debuggers of system processes, or there are problems starting system components; in particular, the desktop disappears after a reboot.

Possible risks: minimal; programs that use the mechanism for legitimate purposes may stop working (for example, a replacement task manager registered as the debugger for taskmgr.exe).

10. Restoring boot settings for Safe Mode

Some malware, in particular the Bagle worm, corrupts the system's Safe Mode boot settings (the SafeBoot keys in the registry). This firmware recreates the Safe Mode boot settings.

Indications for use: the computer does not boot in Safe Mode. Use this firmware only when Safe Mode booting is actually broken.

Possible risks: high, because restoring a typical configuration does not guarantee that Safe Mode is fixed. The Troubleshooting Wizard is the safer choice: it finds and fixes the specific corrupted Safe Mode configuration entries.

11. Unlock Task Manager

Malware blocks Task Manager to protect its processes from detection and termination. This microprogram removes the block (the DisableTaskMgr policy value).

Indications for use: Task Manager is blocked; attempting to open it produces the message "Task Manager has been disabled by your administrator".

Possible risks: minimal; a similar check is done by the Troubleshooting Wizard

12. Clear the HijackThis ignore list

The HijackThis utility stores a number of its settings in the registry, including its ignore (exclusion) list. To hide from HijackThis, a malicious program therefore only has to add its own executables to that list, and a number of malicious programs are known to do so. This AVZ firmware clears the HijackThis ignore list.

Indications for use: suspicion that HijackThis is not showing all the information about the system.

Possible risks: minimal; note that your own HijackThis ignore settings are removed as well

13. Cleaning the Hosts file

The Hosts file (%SystemRoot%\System32\drivers\etc\hosts) is cleaned by removing every meaningful line from it and leaving the single standard line "127.0.0.1 localhost".

Indications for use: suspicion that the Hosts file has been modified by malware. A typical symptom is that anti-virus updates are blocked. You can inspect the contents of the Hosts file with the Hosts file manager built into AVZ before deciding to clean it.

Possible risks: medium; note that the Hosts file may contain useful entries, which this operation removes as well
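Because the operation wipes everything, it pays to look at what is in the file first. The following Python is an added example, not AVZ's own code: it parses a constructed hosts file, classifies every non-standard mapping (a redirection of an update hostname, a redirection to a public address, a name sinkholed to loopback) and then produces the same result as the firmware, keeping only "127.0.0.1 localhost" plus any names you explicitly allow. UPDATE_DOMAINS and the sample entries are assumptions made for the demo; on a real machine you would read %SystemRoot%\System32\drivers\etc\hosts, which needs Administrator rights to edit.

```python
"""Audit, then clean, a Windows hosts file (the AVZ firmware 13 operation).

Added example, not AVZ's own code. SAMPLE_HOSTS is constructed; on a real
machine the file is %SystemRoot%\\System32\\drivers\\etc\\hosts and editing
it needs Administrator rights. UPDATE_DOMAINS is an illustrative assumption,
not a real vendor list.
"""
import ipaddress

STANDARD_LINE = "127.0.0.1 localhost"

# Assumed update hostnames for the demo; use your own products' update names.
UPDATE_DOMAINS = {"update.av.example", "dnl.av.example"}

# Constructed sample: one update sinkhole, one redirect, one legitimate entry.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       update.av.example
93.184.216.34   www.bank.example
10.0.0.5        intranet.corp.example   # internal server, legitimate
"""


def parse_hosts(text):
    """Return [(ip_address, [hostnames], raw_line)] for every active mapping.
    Comments and blank lines are skipped; lines whose first field is not an
    IP address are ignored (the resolver ignores them too)."""
    entries = []
    for raw in text.splitlines():
        body = raw.split("#", 1)[0].split()
        if not body:
            continue
        try:
            ip = ipaddress.ip_address(body[0])
        except ValueError:
            continue
        entries.append((ip, body[1:], raw))
    return entries


def suspicious_entries(text):
    """Classify every non-standard mapping so you can decide before wiping:
    update-domain-hijack, redirect-to-public-ip or sinkholed-to-loopback."""
    findings = []
    for ip, names, raw in parse_hosts(text):
        for name in names:
            n = name.lower()
            if n == "localhost" and ip.is_loopback:
                continue                                        # the one line that belongs
            if n in UPDATE_DOMAINS:
                findings.append(("update-domain-hijack", raw))  # blocked updates symptom
            elif not (ip.is_loopback or ip.is_private):
                findings.append(("redirect-to-public-ip", raw))  # phishing / adware redirect
            elif ip.is_loopback:
                findings.append(("sinkholed-to-loopback", raw))  # name silently blocked
    return findings


def clean_hosts(text, keep=()):
    """Firmware 13 equivalent: keep only the standard localhost line, plus any
    mappings for names you explicitly allow (e.g. internal servers)."""
    allow = {k.lower() for k in keep}
    kept = [STANDARD_LINE]
    for _, names, raw in parse_hosts(text):
        if allow and any(n.lower() in allow for n in names):
            kept.append(raw.split("#", 1)[0].rstrip())
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    for kind, line in suspicious_entries(SAMPLE_HOSTS):
        print(f"{kind:24} {line}")
    print(clean_hosts(SAMPLE_HOSTS, keep={"intranet.corp.example"}))
```

On the sample the audit flags the update hostname pointed at 127.0.0.1 and the bank name pointed at a public address, and leaves the private intranet entry alone; cleaning with that name on the allow list yields a two-line file, which is what the firmware would produce if it had a whitelist.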

14. Automatic correction of SPI/LSP settings

Analyses the SPI (Winsock Service Provider Interface / Layered Service Provider) settings and automatically corrects any errors found. This firmware can be run any number of times. After running it, restart the computer. Note! This firmware cannot be run from a terminal (remote) session.

Indications for use: Internet access was lost after malware removal.

Possible risks: medium; it is recommended to create a backup before running it

15. Reset SPI/LSP and TCP/IP settings (XP+)

This firmware works only on XP, Windows 2003 and Vista. It resets and recreates the SPI/LSP and TCP/IP settings with the standard netsh utility included with Windows (the netsh winsock reset and netsh int ip reset commands). You can read more about the reset in the Microsoft Knowledge Base: http://support.microsoft.com/kb/299357

Indications for use: Internet access is still missing after the malware was removed, and running firmware "14. Automatic correction of SPI/LSP settings" had no effect.

Possible risks: high; it is recommended to create a backup before running it

16. Recovering the Explorer startup key

Restores the registry values responsible for starting Explorer as the shell (in particular the Shell value under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, which should be explorer.exe).

Indications for use: Explorer does not start at boot, but explorer.exe can be launched manually.

Possible risks: minimal

17. Unlock Registry Editor

Unlocks Registry Editor by removing the policy value (DisableRegistryTools) that prevents it from starting.

Indications for use: Registry Editor cannot be started; attempting to open it produces a message that it has been disabled by the administrator.

Possible risks: minimal; a similar check is done by the Troubleshooting Wizard
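Firmware 6, 9, 11 and 17 all undo registry tampering, and before running them it is useful to see exactly which entries are present. The following Python is an added example, not AVZ's own code: it parses a .reg export (a format regedit and reg.exe both produce), reports every Image File Execution Options "Debugger" entry and every policy value that locks Task Manager or Registry Editor, and prints the reg.exe commands that would reverse the unrecognised ones. SAMPLE_REG is constructed for the demo, and KNOWN_GOOD_DEBUGGERS is an assumption of the example (Process Explorer registers itself as the taskmgr.exe debugger when you choose "Replace Task Manager"), not an AVZ whitelist. A real export is UTF-16LE with a byte-order mark, so read it with open(path, encoding="utf-16").

```python
"""Audit a .reg export for the tampering that AVZ firmware 6, 9, 11 and 17 undo.

Added example, not AVZ's own code. SAMPLE_REG is constructed for the demo.
A real export (regedit > File > Export, or "reg export <key> out.reg") is
UTF-16LE with a BOM: read it with open(path, encoding="utf-16").
KNOWN_GOOD_DEBUGGERS is an assumption for the example, not an AVZ list.
"""
import re

IFEO = "software\\microsoft\\windows nt\\currentversion\\image file execution options"
POLICY_SYSTEM = "software\\microsoft\\windows\\currentversion\\policies\\system"
LOCKOUTS = {"disabletaskmgr": "Task Manager", "disableregistrytools": "Registry Editor"}
KNOWN_GOOD_DEBUGGERS = {"procexp.exe", "procexp64.exe"}   # assumption: Process Explorer
HIVE_SHORT = {"HKEY_LOCAL_MACHINE": "HKLM", "HKEY_CURRENT_USER": "HKCU",
              "HKEY_USERS": "HKU", "HKEY_CLASSES_ROOT": "HKCR"}

SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe]
"Debugger"="\"C:\\Program Files\\SysInternals\\procexp.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe]
"Debugger"="C:\\Windows\\Temp\\unknown_dbg.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
"DisableRegistryTools"=dword:00000001
"NoDispCPL"=dword:00000000
'''


def _decode(value: str):
    """Decode the two value syntaxes this audit needs: "string" and dword:."""
    if value.startswith('"') and value.endswith('"'):
        return re.sub(r"\\(.)", r"\1", value[1:-1])      # \\ -> \  and  \" -> "
    if value.lower().startswith("dword:"):
        return int(value[6:], 16)
    return value                                          # hex: etc. left raw


def parse_reg(text: str) -> dict:
    """{key_path: {value_name: value}}; multi-line hex: continuations are ignored."""
    reg, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.lower().startswith("windows registry editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            reg.setdefault(current, {})
        elif current is not None and "=" in line:
            name, _, value = line.partition("=")
            name = "" if name == "@" else name.strip('"')   # "@" is the (Default) value
            reg[current][name] = _decode(value.strip())
    return reg


def _program_basename(command: str) -> str:
    """'"C:\\Program Files\\x\\procexp.exe" -arg' -> 'procexp.exe'."""
    m = re.match(r'\s*(?:"([^"]+)"|(\S+))', command)
    path = (m.group(1) or m.group(2)) if m else command
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def audit(reg: dict) -> list:
    """Findings: IFEO Debugger entries (firmware 9) and the policy values that
    lock Task Manager and Registry Editor (firmware 6, 11, 17)."""
    findings = []
    for key, values in reg.items():
        hive, _, path = key.partition("\\")
        p = path.lower()
        if p.startswith(IFEO + "\\"):
            dbg = next((v for n, v in values.items() if n.lower() == "debugger"), None)
            if dbg:
                findings.append({"kind": "ifeo-debugger", "key": key, "value": "Debugger",
                                 "target": p[len(IFEO) + 1:], "detail": dbg,
                                 "known_good": _program_basename(dbg) in KNOWN_GOOD_DEBUGGERS})
        elif p == POLICY_SYSTEM:
            for name, val in values.items():
                if name.lower() in LOCKOUTS and val == 1:
                    findings.append({"kind": "policy-lockout", "key": key, "value": name,
                                     "target": LOCKOUTS[name.lower()], "detail": f"{name}=1",
                                     "known_good": False})
    return findings


def remediation_commands(findings: list) -> list:
    """reg.exe commands that reverse every finding not marked known-good."""
    cmds = []
    for f in findings:
        if f["known_good"]:
            continue
        hive, _, path = f["key"].partition("\\")
        cmds.append(f'reg delete "{HIVE_SHORT.get(hive, hive)}\\{path}" /v {f["value"]} /f')
    return cmds


if __name__ == "__main__":
    found = audit(parse_reg(SAMPLE_REG))
    for f in found:
        print(("ok " if f["known_good"] else "!! ") + f"{f['kind']:16} {f['target']:18} {f['detail']}")
    print("\n".join(remediation_commands(found)))
```

On the sample the Process Explorer entry is reported but left alone, while the unknown explorer.exe debugger and the two lockout policies produce three reg delete commands. Note that unlike firmware 6 this only removes the two named lockout values rather than the whole Policies key, so a domain-managed machine keeps its legitimate policies.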

18. Complete re-creation of SPI settings

Backs up the SPI/LSP settings, then destroys them and recreates them from the standard template stored in the database.

Indications for use: severe damage to the SPI settings that firmware 14 and 15 cannot repair.

Note! Apply this operation only when necessary, that is, when Internet access is still broken after malware removal and the other SPI recovery methods have not helped!

Possible risks: very high; it is recommended to create a backup before running it!

19. Clear the MountPoints database

Clears the MountPoints and MountPoints2 keys in the registry (Explorer's cached per-volume settings, including cached autorun information).

Indications for use: this operation often helps when drives no longer open in Explorer after an infection by a USB flash-drive (autorun.inf) worm.

Possible risks: minimal

20. Delete static routes

Deletes all static routes.

Indications for use: this operation helps when certain sites are blocked by means of bogus static routes.

Possible risks: medium. Note that some services of a number of Internet providers require static routes; after this operation they will have to be restored according to the instructions on the provider's website.

21. Replace the DNS servers of all connections with Google Public DNS

Replaces the DNS servers configured on all network adapters with Google Public DNS (8.8.8.8 and 8.8.4.4). Helps when a Trojan has substituted its own DNS servers.

Indications for use: DNS settings altered by malware.

Possible risks: medium. Note that not all ISPs allow the use of DNS servers other than their own.

To perform a restoration, check one or more items and click the "Perform marked operations" button. The "OK" button closes the window.

Note:

Restoration is useless while a Trojan that performs such reconfiguration is still running on the system: first remove the malware, then restore the system settings.

Note:

To remove the traces of most hijackers, run three firmware items: "Reset Internet Explorer search settings to standard", "Restore the Internet Explorer start page" and "Reset Internet Explorer protocol prefix settings to standard".

Note:

Any of the firmware can be run several times in a row without significant harm to the system. The exceptions are "5. Restoring Desktop Settings" (it resets all desktop settings, so you will have to choose the desktop colours and wallpaper again), "10. Restoring boot settings for Safe Mode" (it recreates the registry keys responsible for booting into Safe Mode), and 15 and 18 (reset and re-creation of the SPI settings).

You may be asked to run the AVZ utility when you contact Kaspersky Lab technical support.
With the AVZ utility you can:

  • obtain a report on the results of an examination of the system;
  • execute a script provided by a Kaspersky Lab technical support specialist to create a Quarantine and remove suspicious files.

The AVZ utility does not send statistics and does not process or transmit information to Kaspersky Lab. The report is saved on the computer as HTML and XML files, which can be viewed without any special programs.

The AVZ utility can automatically create a Quarantine and place copies of suspicious files, together with their metadata, in it.

Objects placed in Quarantine are not processed or transferred to Kaspersky Lab; they remain on the computer. Restoring files from Quarantine is not recommended, as they may harm your computer.

What data is contained in the report of the AVZ utility

The AVZ utility report contains:

  • Information about the version and release date of the AVZ utility.
  • Information about the AVZ anti-virus databases and the utility's basic settings.
  • Information about the operating system version, the date it was installed, and the user rights with which the utility was run.
  • Results of the search for rootkits and hooks of the main operating-system functions.
  • Results of the search for suspicious processes, with information about those processes.
  • Results of the search for common malicious programs based on their characteristic properties.
  • Information about errors found during the check.
  • Results of the search for hooks of keyboard, mouse or window events.
  • Results of the search for open TCP and UDP ports used by malware.
  • Information about suspicious system registry keys, file names on disk and system settings.
  • Results of the search for potential vulnerabilities and security problems in the operating system.
  • Information about corrupted operating-system settings.

How to execute a script using the AVZ utility

Use the AVZ utility only under the guidance of a Kaspersky Lab technical support specialist, within the framework of your support request. Unauthorized actions can damage the operating system and cause data loss.

  1. Download the AVZ utility's executable file.
  2. Run avz5.exe on your computer. If Windows Defender SmartScreen prevents avz5.exe from starting, click More info and then Run anyway in the "Windows protected your PC" window.
  3. Open the File menu and choose Execute script.
  4. Paste into the input field the script you received from the Kaspersky Lab technical support specialist.
  5. Click Run.
  6. Wait for the utility to finish and follow the further recommendations of the Kaspersky Lab technical support specialist.