You may need to run the AVZ utility when contacting Kaspersky Lab technical support.
With the AVZ utility you can:

  • obtain a report on the results of an examination of the system;
  • execute a script provided by a Kaspersky Lab technical support specialist
    to create a Quarantine and delete suspicious files.

The AVZ utility does not send statistics, does not process information, and does not transfer anything to Kaspersky Lab. The report is saved on the computer as HTML and XML files, which can be viewed without special programs.

The AVZ utility can automatically create a Quarantine and place copies of suspicious files, together with their metadata, into it.

Objects placed in Quarantine are not processed, are not transferred to Kaspersky Lab, and remain on the computer. We do not recommend restoring files from Quarantine: they can harm your computer.

What data is contained in the AVZ utility report

The AVZ utility report contains:

  • the version and release date of the AVZ utility;
  • the AVZ anti-virus databases and the utility's main settings;
  • the operating system version, its installation date, and the user rights under which the utility was launched;
  • results of the search for rootkits and programs intercepting core operating system functions;
  • results of the search for suspicious processes, with details about those processes;
  • results of the search for common malware by its characteristic properties;
  • errors found during validation;
  • results of the search for keyboard, mouse, or window event hooks;
  • results of the search for open TCP and UDP ports used by malware;
  • suspicious registry keys, file names on disk, and system settings;
  • results of the search for potential operating system vulnerabilities and security issues;
  • corrupted operating system settings.

How to execute a script using the AVZ utility

Use the AVZ utility only under the guidance of a Kaspersky Lab technical support specialist as part of your request. Using it on your own can damage the operating system and cause data loss.

  1. Download the AVZ utility executable file.
  2. Run avz5.exe on your computer. If the Windows Defender SmartScreen filter prevents avz5.exe from starting, click More info, then Run anyway in the "Windows protected your PC" window.
  3. Go to File - Run script.
  4. Paste the script you received from the Kaspersky Lab technical support specialist into the input field.
  5. Click Run.
  6. Wait for the utility to finish and follow the further recommendations of the Kaspersky Lab technical support specialist.

System Restore is a special AVZ feature that restores a number of system settings corrupted by malware.

The System Restore firmware (microprograms) is stored in the anti-virus database and updated as needed.

Recommendation: use System Restore only when you understand exactly why it is needed. Before using it, create a backup copy or a system restore point.

Note: System Restore operations automatically write backup data as REG files to the Backup directory of the AVZ working folder.

The database currently contains the following firmware:

1. Restore launch options for .exe, .com, .pif files

This firmware restores the system's handling of .exe, .com, .pif and .scr files.

Indications for use: after a virus was removed, programs no longer start.

Possible risks: minimal.

2. Reset Internet Explorer protocol prefix settings to default

This firmware restores the protocol prefix settings in Internet Explorer.

Indications for use: when you enter an address such as www.yandex.ru, it is replaced by something like www.seque.com/abcd.php?url=www.yandex.ru.

Possible risks: minimal.

3. Restore Internet Explorer start page

This firmware restores the start page in Internet Explorer.

Indications for use: the start page has been changed.

Possible risks: minimal.

4. Reset Internet Explorer search settings to default

This firmware restores the search settings in Internet Explorer.

Indications for use: clicking the "Search" button in IE opens some extraneous site.

Possible risks: minimal.

5. Restore desktop settings

This firmware restores the desktop settings. Restoration deletes all Active Desktop elements and wallpapers and removes the locks on the menu responsible for desktop settings.

Indications for use: the desktop settings tabs in the "Display Properties" window have disappeared, or extraneous text or images are shown on the desktop.

Possible risks: user settings will be deleted and the desktop will return to its default appearance.

6. Remove all Policies (restrictions) of the current user

Windows provides a mechanism for restricting user actions called Policies. Many malicious programs use it because the settings are stored in the registry and are easy to create or modify.

Indications for use: File Explorer functions or other system functions are blocked.

Possible risks: different operating system versions have different default policies, and resetting policies to one standard set is not always optimal. For the policy changes most commonly made by malware, use the Troubleshooting Wizard instead: it fixes those specific entries without the risk of wider system failures.

7. Remove the message displayed during WinLogon

Windows NT and later systems in the NT line (2000, XP) allow a message to be set that is displayed at startup. A number of malicious programs use this, and removing the malicious program does not remove the message.

Indications for use: an extraneous message appears during system boot.

Possible risks: none.

8. Restore Explorer settings

This firmware resets a number of File Explorer settings to their defaults (the settings changed by malware are reset first).

Indications for use: Explorer settings have been changed.

Possible risks: minimal; the settings damage most characteristic of malware is found and fixed by the Troubleshooting Wizard.

9. Remove system process debuggers

Registering a debugger for a system process allows another application to be launched in its place without the user noticing, which a number of malicious programs use.

Indications for use: AVZ detects unrecognized debuggers for system processes; problems launching system components, in particular the desktop disappearing after a reboot.

Possible risks: minimal; programs that use a debugger for legitimate purposes (for example, a replacement for the standard Task Manager) may stop working.

10. Restore boot settings in SafeMode

Some malware, such as the Bagle worm, corrupts the system's Safe Mode boot settings. This firmware restores the Safe Mode boot settings.

Indications for use: the computer does not boot in Safe Mode. Use this firmware only when there are problems booting in Safe Mode.

Possible risks: high, since restoring the default configuration does not guarantee that Safe Mode will be fixed. The Troubleshooting Wizard, by contrast, finds and fixes specific corrupted Safe Mode setting entries.

11. Unlock Task Manager

Malware blocks Task Manager to protect its processes from detection and removal. Running this firmware removes the lock.

Indications for use: Task Manager is blocked; when you try to open it, the message "Task Manager has been disabled by your administrator" is displayed.

Possible risks: minimal; the Troubleshooting Wizard performs the same check.

12. Clear the HijackThis ignore list

The HijackThis utility stores a number of its settings in the registry, including its ignore list. To hide from HijackThis, malware therefore only needs to add its executable files to that list. A number of malicious programs are currently known to exploit this. This firmware clears the HijackThis ignore list.

Indications for use: suspicion that HijackThis is not displaying all information about the system.

Possible risks: minimal; note that the HijackThis ignore settings will be removed.

13. Clean up the Hosts file

Cleaning the Hosts file consists of locating the file, removing all active (non-comment) lines from it, and adding the standard line "127.0.0.1 localhost".

Indications for use: suspicion that the Hosts file has been modified by malware. A typical symptom is that anti-virus programs can no longer update. You can inspect the contents of the Hosts file with the Hosts file manager built into AVZ.

Possible risks: medium; note that the Hosts file may contain useful entries.
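
Item 13 clears everything and leaves "127.0.0.1 localhost", which is why its risk is rated medium: legitimate entries go along with the hijacked ones. The Python script below is an added example by the editor, not AVZ code or part of the original page. It parses a hosts file, flags the two hijack patterns the text describes (a public host blackholed to the loopback address, which is how update blocking looks, and a public host pinned to a fixed address, which redirects it) and, going one step beyond item 13, removes only the flagged lines so that local entries survive. The sample hosts file and the hostnames in it are constructed, and the suffix list used to recognise internal names is an assumption.

```python
"""Audit a hosts file for the hijack patterns that item 13 repairs.

Added example (editor's code, not AVZ's). Unlike item 13, which drops every
active line and leaves only "127.0.0.1 localhost", the cleaner here removes
only the flagged lines, so legitimate local entries survive.
"""
import ipaddress
from typing import List, Tuple

# Constructed sample hosts file; the hostnames are illustrative, not a real capture.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
# localhost name resolution is handled within DNS itself.
127.0.0.1       localhost
::1             localhost
192.168.1.10    intranet.corp.local        # legitimate local entry
127.0.0.1       dnl-01.geo.kaspersky.com   # vendor update host blackholed
127.0.0.1       update.avast.com
198.51.100.7    www.vk.com                 # public site pinned to a third-party address
"""

# Assumption: names with these suffixes are internal and are never flagged.
INTERNAL_SUFFIXES = (".local", ".lan", ".internal", ".home", ".localdomain")


def parse_hosts(text: str) -> List[Tuple[int, str, List[str]]]:
    """Return (line_no, address, [names]) for every active (non-comment) line."""
    entries = []
    for no, raw in enumerate(text.splitlines(), 1):
        active = raw.split("#", 1)[0].strip()   # drop trailing comments
        parts = active.split()
        if len(parts) >= 2:
            entries.append((no, parts[0], parts[1:]))
    return entries


def _looks_public(name: str) -> bool:
    n = name.lower()
    return "." in n and not n.endswith(INTERNAL_SUFFIXES)


def suspicious_entries(text: str) -> List[Tuple[int, str, str, str]]:
    """Return (line_no, address, name, reason) for entries matching a hijack pattern."""
    findings = []
    for no, ip, names in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((no, ip, " ".join(names), "address does not parse"))
            continue
        for name in names:
            if name.lower() == "localhost" or not _looks_public(name):
                continue
            if addr.is_loopback:
                reason = "public host blackholed to loopback (blocks the site, e.g. AV updates)"
            else:
                reason = f"public host pinned to {ip} (redirection)"
            findings.append((no, ip, name, reason))
    return findings


def selective_clean(text: str) -> str:
    """Remove only the flagged lines; comments and local entries are kept."""
    bad = {no for no, _, _, _ in suspicious_entries(text)}
    kept = [raw for no, raw in enumerate(text.splitlines(), 1) if no not in bad]
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    for line_no, ip, name, reason in suspicious_entries(SAMPLE_HOSTS):
        print(f"line {line_no}: {ip:<16} {name:<28} {reason}")
    print("--- cleaned ---")
    print(selective_clean(SAMPLE_HOSTS), end="")
```

On a Windows machine the file to feed in is C:\Windows\System32\drivers\etc\hosts; review the report before writing anything back, since a hostname that is blackholed on purpose (ad blocking lists do this) is indistinguishable from a hijack by this heuristic.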

14. Automatic correction of SPI/LSP settings

Analyses the SPI settings and, if errors are found, corrects them automatically. This firmware can be run any number of times. Restart the computer after running it. Note: this firmware cannot be run from a terminal (Remote Desktop) session.

Indications for use: Internet access was lost after malware was removed.

Possible risks: medium; create a backup before starting.

15. Reset SPI/LSP and TCP/IP settings (XP+)

This firmware works only on XP, Windows 2003 and Vista. It resets and recreates the SPI/LSP and TCP/IP settings using the standard netsh utility included with Windows. Details on resetting these settings are in the Microsoft Knowledge Base: http://support.microsoft.com/kb/299357

Indications for use: after malware was removed, Internet access was lost and running firmware "14. Automatic correction of SPI/LSP settings" did not help.

Possible risks: high; create a backup before starting.

16. Restore the Explorer launch key

Restores the system registry keys responsible for starting Explorer.

Indications for use: Explorer does not start during system boot, but explorer.exe can be started manually.

Possible risks: minimal.

17. Unlock Registry Editor

Unlocks Registry Editor by removing the policy that prevents it from running.

Indications for use: Registry Editor cannot be started; when you try, a message says that it has been disabled by the administrator.

Possible risks: minimal; the Troubleshooting Wizard performs a similar check.
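
Several of the items above (1, 2, 7, 9, 11, 16 and 17) repair individual registry values, and System Restore writes its backups as REG files (see the note before the list). The same values can therefore be checked offline in such an export, before and after a repair. The Python script below is an added example by the editor, not AVZ code or part of the original page: it parses the REG text format and flags the values these items reset. The key paths are the standard Windows locations of these settings; the mapping of each finding to an item number is the editor's reading of the list above, and the sample export is constructed, not captured from a real machine.

```python
"""Offline audit of a REG export for settings that the System Restore items reset.

Added example (editor's code, not AVZ's). Parses the REG text format and flags
registry values that malware commonly tampers with. Key paths are the standard
Windows locations; the item numbers refer to the firmware list on this page and
are the editor's mapping.
"""
import re
from typing import Dict, List, Optional, Tuple

# key path (lower-cased) -> { value name (lower-cased, "@" = default) -> (type, data) }
RegTree = Dict[str, Dict[str, Tuple[str, object]]]

_VALUE_RE = re.compile(r'^(?:@|"((?:[^"\\]|\\.)*)")=(.*)$')


def _unescape(s: str) -> str:
    """REG string literals escape backslash and double quote with a backslash."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text: str) -> RegTree:
    """Parse REG text. Regedit exports are UTF-16 LE; decode the file before calling."""
    tree: RegTree = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            tree.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m is None or current is None:
            continue  # hex: continuation lines and unrecognised syntax are skipped
        name = "@" if m.group(1) is None else _unescape(m.group(1)).lower()
        data = m.group(2)
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            tree[current][name] = ("sz", _unescape(data[1:-1]))
        elif data.lower().startswith("dword:"):
            tree[current][name] = ("dword", int(data[6:], 16))
        else:
            tree[current][name] = ("other", data)
    return tree


def _value(tree: RegTree, key: str, name: str):
    entry = tree.get(key.lower(), {}).get(name.lower())
    return None if entry is None else entry[1]


def audit_reg_export(text: str) -> List[str]:
    """Return human-readable findings, each tagged with the AVZ item that resets it."""
    tree = parse_reg(text)
    findings: List[str] = []

    for hive in ("HKEY_CURRENT_USER", "HKEY_LOCAL_MACHINE"):
        policies = hive + r"\Software\Microsoft\Windows\CurrentVersion\Policies\System"
        if _value(tree, policies, "DisableTaskMgr") == 1:
            findings.append(f"{hive}: DisableTaskMgr=1 blocks Task Manager (item 11)")
        if _value(tree, policies, "DisableRegistryTools") == 1:
            findings.append(f"{hive}: DisableRegistryTools=1 blocks Registry Editor (item 17)")

    winlogon = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
    shell = _value(tree, winlogon, "Shell")
    if isinstance(shell, str) and shell.strip().lower() != "explorer.exe":
        findings.append(f"Winlogon Shell is {shell!r}, not explorer.exe (item 16)")
    for name in ("LegalNoticeCaption", "LegalNoticeText"):
        if _value(tree, winlogon, name):
            findings.append(f"Winlogon {name} sets a logon message (item 7)")

    # Image File Execution Options: a Debugger value runs another program in place of the target.
    ifeo = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options".lower()
    for key, values in tree.items():
        if key.startswith(ifeo + "\\") and "debugger" in values:
            exe = key.rsplit("\\", 1)[1]
            findings.append(f"Debugger {values['debugger'][1]!r} registered for {exe} (item 9; may be legitimate)")

    prefix = _value(tree, r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix", "@")
    if isinstance(prefix, str) and prefix.lower() != "http://":
        findings.append(f"IE DefaultPrefix is {prefix!r} (item 2)")

    command = _value(tree, r"HKEY_CLASSES_ROOT\exefile\shell\open\command", "@")
    if isinstance(command, str) and command != '"%1" %*':
        findings.append(f"exefile open command is {command!r} (item 1)")
    return findings


# Constructed sample export, not captured from a real machine.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
"DisableRegistryTools"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe, C:\\Users\\Public\\loader.exe"
"LegalNoticeCaption"="Warning"
"LegalNoticeText"="Your computer is locked"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe]
"Debugger"="C:\\Users\\Public\\svch0st.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix]
@="http://www.seque.com/abcd.php?url="

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
'''

if __name__ == "__main__":
    for finding in audit_reg_export(SAMPLE_REG):
        print(finding)
```

The debugger finding is deliberately reported rather than judged, for the reason item 9 gives: a replacement Task Manager registers itself in exactly the same way. Running the audit on the Backup REG file written before a repair and on a fresh export afterwards shows exactly what each item changed.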

18. Full re-creation of SPI settings

Backs up the SPI/LSP settings, then destroys them and recreates them from the standard stored in the database.

Indications for use: severe damage to the SPI settings that firmware 14 and 15 cannot repair.

Note! Use this full reset only when other SPI recovery methods have not helped and Internet access problems remain after malware removal!

Possible risks: very high; create a backup before starting!

19. Clear the MountPoints database

Clears the MountPoints and MountPoints2 databases in the registry.

Indications for use: this operation often helps when, after infection with a flash-drive virus, disks cannot be opened in Explorer.

Possible risks: minimal.

20. Remove static routes

Deletes all static routes.

Indications for use: helps when some sites are blocked by incorrect static routes.

Possible risks: medium. Note that some ISPs require static routes for certain services to work; after such a deletion they will have to be restored according to the instructions on the ISP's website.
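
Item 20 deletes every static route, and the risk note explains why that is blunt: an ISP may need some of them. As an added example by the editor (not AVZ code or part of the original page), the Python script below parses the "Persistent Routes" table of the Windows route print output and reports only host routes (netmask 255.255.255.255), the shape a route used to block or redirect a single site takes, distinguishing routes sent into the loopback (blackholed) from routes pinned to another gateway. The column layout assumed is that of route print; the sample is constructed from documentation addresses, not a real capture.

```python
"""Report persistent host routes from Windows 'route print' output.

Added example (editor's code, not AVZ's). Item 20 deletes every static route;
this script instead lists only the /32 host routes, which is the shape a route
used to block or redirect a single site takes, so they can be reviewed first.
"""
import ipaddress
from typing import List, Tuple

# Constructed excerpt in the 'route print' layout (assumed); not a real capture.
SAMPLE_ROUTE_PRINT = """\
===========================================================================
Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
          0.0.0.0          0.0.0.0      192.168.1.1  Default
        10.20.0.0      255.255.0.0    192.168.1.254       1
    198.51.100.23  255.255.255.255        127.0.0.1       1
      203.0.113.5  255.255.255.255    192.168.1.200       1
===========================================================================
"""


def parse_persistent_routes(text: str) -> List[Tuple[str, str, str, str]]:
    """Return (destination, netmask, gateway, metric) rows of the IPv4 Persistent Routes table."""
    rows = []
    in_table = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Persistent Routes:"):
            in_table = True
            continue
        if not in_table:
            continue
        if line.startswith("=") or line == "None":
            break  # end of the table (Windows prints "None" when there are no entries)
        parts = line.split()
        if len(parts) == 4:  # the header line splits into six words and is skipped
            rows.append((parts[0], parts[1], parts[2], parts[3]))
    return rows


def suspicious_routes(text: str) -> List[Tuple[str, str, str]]:
    """Return (network, gateway, reason) for persistent host routes worth reviewing."""
    findings = []
    for dest, mask, gw, _metric in parse_persistent_routes(text):
        try:
            net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
            gateway = ipaddress.ip_address(gw)
        except ValueError:
            continue
        if net.prefixlen != 32:
            continue  # the default route and network routes are normal configuration
        if gateway.is_loopback:
            reason = "host route sent to loopback: destination is blackholed"
        else:
            reason = "host route to a single address via a specific gateway: possible redirection"
        findings.append((str(net), gw, reason))
    return findings


if __name__ == "__main__":
    for net, gw, reason in suspicious_routes(SAMPLE_ROUTE_PRINT):
        print(f"{net:<20} via {gw:<15} {reason}")
```

On the affected machine, save the table with route print and pass the text to suspicious_routes(). Delete only the entries you do not recognise (route delete followed by the destination address) and keep the ISP's own; the default route and network routes are left alone, which is the selectivity item 20 does not offer.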

21. Replace the DNS servers of all connections with Google Public DNS

Replaces the DNS server settings of all network adapters with Google Public DNS servers. Helps if a Trojan has replaced the DNS servers with its own.

Indications for use: DNS settings changed by malware.

Possible risks: medium. Note that not all providers allow the use of DNS servers other than their own.

To perform recovery, select one or more items and click the "Perform selected operations" button. Clicking "OK" closes the window.

Note:

Restoration is useless while a Trojan that makes these changes is still running: first remove the malware, then restore the system settings.

Note:

To eliminate the traces of most hijackers, run three firmware items: "Reset Internet Explorer search settings to default", "Restore Internet Explorer start page" and "Reset Internet Explorer protocol prefix settings to default".

Note:

Any of the firmware items can be run several times in a row without significant harm to the system. The exceptions are "5. Restore desktop settings" (it resets all desktop settings, so you will have to reselect the desktop colours and wallpaper), "10. Restore boot settings in SafeMode" (it recreates the registry keys responsible for booting into Safe Mode), and items 15 and 18 (reset and recreate the SPI settings).

AVZ is a free utility for finding and removing viruses and for restoring system settings after the actions of malicious programs.

Preparation for work

1. Download the AVZ utility from the official website: http://z-oleg.com/avz4.zip

2. Unpack the archive.

3. Run the file avz.exe from the archive.

4. Go to the File menu and choose Database update.

Click Start to begin the update:

The anti-virus databases are being updated:

When the update finishes, this message appears. Click OK:

Virus check

To scan for viruses, tick all the computer's disks on the left, tick Perform treatment on the right, and click Start at the bottom:

System Restore

A very useful feature of AVZ is System Restore. It comes in handy after removing malware, to eliminate its traces. To start System Restore, click File -> System Restore:

Tick the appropriate checkboxes and click Perform marked operations:

Confirm your intent:

Cleaning up browsers with AVZ

From the main menu select File.

Select Troubleshooting Wizard:

In the Degree of danger field select All problems.

Click Start.

Tick the following items:

  • Clearing the TEMP folder;
  • Adobe Flash Player - cleaning temporary files;
  • Macromedia Flash Player - clearing caches;
  • Cleaning up the TEMP system folder;
  • Clear caches of all installed browsers.

Click Fix flagged issues.


There are universal programs, like a Swiss army knife. The hero of this article is just such a "universal": AVZ (Antivirus Zaitsev). With this free antivirus you can catch viruses, optimize the system and fix problems.

AVZ features

I have already written about AVZ as an antivirus in . Its work as a one-time antivirus (more precisely, an anti-rootkit) is well described in its help, so I will show you the other side of the program: checking and restoring settings.

What can be "fixed" with AVZ:

  • Repair program startup (.exe, .com, .pif files)
  • Reset Internet Explorer settings to default
  • Restore desktop settings
  • Remove rights restrictions (for example, if a virus blocked programs from launching)
  • Remove a banner or window that appears before login
  • Remove viruses that start together with any program
  • Unblock Task Manager and Registry Editor (if a virus prevented them from running)
  • Clear the hosts file
  • Disable autorun of programs from flash drives and disks
  • Delete unnecessary files from the hard drive
  • Fix desktop problems
  • And much more

It can also check the safety of Windows settings (to protect better against viruses) and optimize the system by cleaning the startup list.

The AVZ download page is at .

The program is free.

First, let's protect Windows from careless actions

AVZ has a great many functions that affect how Windows works. That is dangerous: a mistake can cause real trouble. Read the text and the help carefully before doing anything. The author of the article is not responsible for your actions.

So that you can "put everything back as it was" after careless work with AVZ, I wrote this chapter.

Creating a restore point is a mandatory step; in effect it is a "retreat path" in case of careless actions, because the restore point lets you return the settings and the Windows registry to an earlier state.

System Restore has been a standard component of every Windows version since Windows ME. It is a pity that people usually forget about it and waste time reinstalling Windows and programs, when a couple of mouse clicks would have avoided all the problems.

If the damage is severe (for example, some system files are damaged), System Restore will not help. In other cases, if you configured Windows incorrectly, "played" with the registry, installed a program after which Windows does not boot, or used AVZ incorrectly, System Restore should help.

After it runs, AVZ creates subfolders with backups in its own folder:

/backup - registry backups.

/Infected - copies of removed viruses.

/quarantine - copies of suspicious files.

If problems began after AVZ ran (for example, you thoughtlessly used the AVZ System Restore tool and the Internet stopped working) and Windows System Restore did not roll back the changes, you can open the registry backups from the backup folder.

How to create a restore point

Go to Start - Control Panel - System - System Protection:

Click "System Protection" in the "System" window.

Click the "Create" button.

Creating a restore point can take up to ten minutes. Then this window appears:

The restore point is created. By the way, restore points are created automatically when you install programs and drivers, but not always. So before risky actions (configuring or cleaning the system) it is better to create a restore point once more, so that if trouble comes you can praise yourself for your foresight.

How to restore your computer using a restore point

There are two ways to launch System Restore: from a running Windows and from the installation disc.

Option 1 - if Windows starts

Go to Start - All Programs - Accessories - System Tools - System Restore:

The wizard starts. Select Choose a different restore point and click Next. A list of restore points opens; choose the one you need:

The computer restarts automatically. After it boots, all settings, the registry and some important files will have been restored.

Option 2 - if Windows won't boot

You need an installation disc with Windows 7 or Windows 8. Where to get (or download) it, I wrote in.

Boot from the disc (how to boot from boot disks is described) and select:

Choose "System Restore" instead of installing Windows

Repairing the system after viruses or inept actions on the computer

Before anything else, get rid of the viruses, for example using. Otherwise there is no point: the running virus will "break" the corrected settings again.

Restoring program launch

If a virus has blocked the launch of programs, AVZ will help. Of course, AVZ itself also has to be started, but that is fairly easy:

First go to Control Panel (set any view except Category) - Folder Options - View, untick Hide extensions for known file types and click OK. Now every file shows its extension: a few characters after the last dot in the name. Programs usually have .exe or .com. To run AVZ on a computer where programs are blocked, change its extension to cmd or pif:

Then AVZ will start. In the program window press File - :

Items to tick:

1. Restore launch options for .exe, .com, .pif files (this actually solves the problem of running programs)

6. Remove all Policies (restrictions) of the current user (in some rare cases this item also helps to solve the problem of starting programs if the virus is particularly harmful)

9. Remove system process debuggers (it is highly advisable to tick this item, because even if you scanned the system with an antivirus, something may remain from the virus. It also helps if the Desktop does not appear when the system starts)

Click Perform marked operations and confirm the action; a window appears with the text "System Restore completed". Then restart the computer: the problem with starting programs is solved!

Desktop startup recovery

A fairly common problem is that the desktop does not appear when the system starts.

You can start the Desktop like this: press Ctrl + Alt + Del, open Task Manager, then File - New Task (Run...) and enter explorer.exe:

Click OK and the Desktop starts. But this is only a temporary solution: the next time you turn on the computer, you will have to repeat it.

To avoid doing this every time, you need to restore the launch key of explorer ("Explorer", which is responsible for the standard viewing of folder contents and the work of the Desktop). In AVZ, press File - System Restore and tick item 16. Restore the Explorer launch key. Click Perform marked operations, confirm the action, and press OK. Now the desktop will start normally when the computer starts.

Unlock Task Manager and Registry Editor

If a virus has blocked the launch of the two programs mentioned above, the ban can be removed in the AVZ System Restore window. Just tick two items:

11. Unlock Task Manager

17. Unlock Registry Editor

and click Perform marked operations.

Problems with the Internet (Vkontakte, Odnoklassniki and antivirus sites do not open)

The Troubleshooting Wizard (File - Troubleshooting Wizard) can check four categories of problems with different degrees of severity (each degree differs in the number of settings checked):

System problems - security settings. By ticking the found items and clicking Fix flagged issues, you close some loopholes for viruses. There is a reverse side: more security, less convenience. For example, if you disable autorun from removable media and CD-ROMs, inserting a flash drive or disc will no longer show a window with a choice of actions (view the contents, start the player, etc.); you will have to open the Computer window and browse the disk manually. That is, viruses will not start automatically, but neither will the convenient prompt appear. Depending on the Windows settings, everyone will see their own list of system vulnerabilities here.

Browser settings and tweaks - Internet Explorer security settings are checked. As far as I know, the settings of other browsers (Google Chrome, Opera, Mozilla Firefox and others) are not checked. Even if you do not use Internet Explorer for browsing, I advise running the check: this browser's components are often used by other programs and are a potential "security hole" that should be closed.

Cleaning the system - partly duplicates the previous category, but does not touch the places where data about user actions is stored.

I recommend checking the system in the System problems and Browser settings and tweaks categories with the degree of danger set to Moderate problems. If viruses have not touched the settings, you will most likely be offered only one item, "autorun from removable media is allowed" (flash drives). If you tick it and so prohibit autorun of programs from flash drives, you will at least partly protect the computer from viruses spread on flash drives. Fuller protection is achieved only with and working.

Cleaning the system of unnecessary files

AVZ can also clean the computer of junk files. If no disk cleanup program is installed, AVZ will do, since it has many options:

More about the items:

  1. Clear the Prefetch system cache - clears the folder holding information about which files to preload for fast program startup. The option is pointless: Windows itself monitors the Prefetch folder and cleans it when required.
  2. Delete Windows log files - cleans various databases and files that record events occurring in the operating system. Useful only if you need to free up a dozen or two megabytes of disk space; the benefit is negligible, so the option is pointless.
  3. Delete memory dump files - when a critical error occurs, Windows stops and shows a BSOD (blue screen of death), saving information about running programs and drivers to a file for later analysis by special programs to identify the culprit. The option is almost useless, as it frees only about ten megabytes. Deleting the memory dump files does not harm the system.
  4. Clear Recent Documents list - as you would expect, clears the Recent Documents list in the Start menu. You can also clear it manually by right-clicking the item in the Start menu and choosing "Clear Recent Items List". A useful option: I noticed that clearing the list lets the Start menu display its submenus a little faster. The system is not harmed.
  5. Clearing the TEMP folder - the holy grail for anyone looking for where the free space on drive C: went. Many programs store files for temporary use in the TEMP folder and forget to "clean up after themselves". Archivers are a typical example: they unpack files there and never delete them. Clearing the TEMP folder does not harm the system and can free up a lot of space (in especially neglected cases, up to fifty gigabytes!).
  6. Adobe Flash Player - cleaning temporary files - the "flash player" can save files for temporary use, and they can be deleted. Sometimes (rarely) the option helps with Flash Player glitches, for example video and audio playback problems on the Vkontakte website. There is no harm in it.
  7. Clear the terminal client cache - as far as I know, this option clears the temporary files of the Windows component called "Remote Desktop Connection" (remote access to computers via RDP). The option seems to do no harm and frees up a dozen megabytes at best. There is no point in using it.
  8. IIS - delete HTTP error log - a long story to explain. Let me just say it is better not to enable clearing of the IIS log. In any case it does no harm, but no good either.
  9. Macromedia Flash Player - duplicates "Adobe Flash Player - cleaning temporary files" but applies to rather ancient versions of Flash Player.
  10. Java - clear cache - gains a couple of megabytes on the hard drive. I do not use Java programs, so I have not checked the consequences of enabling this option. I do not recommend turning it on.
  11. Empty the Recycle Bin - the purpose of this item is obvious from its name.
  12. Delete system update installation logs - Windows keeps a log of installed updates; this option clears it. The option is pointless because there is no free space to gain.
  13. Delete Windows Update log - similar to the previous item, but other files are deleted. Also a pointless option.
  14. Clear the MountPoints database - if no icons appear in the Computer window when you connect a flash drive or hard drive, this option can help. I advise turning it on only if you have problems connecting flash drives and disks.
  15. Internet Explorer - clear cache - clears Internet Explorer's temporary files. The option is safe and useful.
  16. Microsoft Office - clear cache - clears the temporary files of Microsoft Office programs: Word, Excel, PowerPoint and others. I cannot check how safe the option is because I do not have Microsoft Office.
  17. Clear the CD burning system cache - a useful option that deletes files you have staged for burning to disc.
  18. Cleaning up the TEMP system folder - unlike the user's TEMP folder (see item 5), clearing this folder is not always safe, and it usually frees little space. I do not recommend turning it on.
  19. MSI - clean the Config.Msi folder - this folder holds various files created by program installers. It gets large if installers did not finish correctly, so clearing Config.Msi is justified. Be warned, though: there may be problems uninstalling programs that use .msi installers (for example, Microsoft Office).
  20. Clear Task Scheduler logs - the Windows Task Scheduler keeps a log of completed tasks. I do not recommend enabling this item: there is no benefit, and it may add problems, since the Windows Task Scheduler is a rather buggy component.
  21. Delete Windows setup logs - the space gained is insignificant; there is no point in deleting them.
  22. Windows - clear icon cache - useful if you have problems with shortcuts, for example when icons do not appear immediately after the Desktop appears. Enabling this option does not affect system stability.
  23. Google Chrome - clear cache - a very useful option. Google Chrome stores copies of pages in a dedicated folder so that sites open faster (pages are loaded from the hard drive instead of downloaded over the Internet). Sometimes this folder reaches half a gigabyte. Clearing it is useful for freeing disk space and affects the stability of neither Windows nor Google Chrome.
  24. Mozilla Firefox - cleaning up the CrashReports folder - every time Firefox has a problem and crashes, report files are created. This option deletes them. The gain is a couple of dozen megabytes at most, so the option is of little, but some, use. The stability of Windows and Firefox is not affected.

Depending on the installed programs, the number of items will differ. For example, if the Opera browser is installed, you can clear its cache too.

Cleaning the list of startup programs

A sure way to speed up the computer's startup and its overall performance is to clean up the autorun list. If unnecessary programs do not start, the computer will not only turn on faster but also work faster, thanks to the resources that programs running in the background would otherwise take away.

AVZ can show almost all the loopholes in Windows through which programs are launched. You can view the autorun list in the Tools - Autorun Manager menu:

An ordinary user has absolutely no need for such powerful functionality, so I urge you not to turn everything off. It is enough to look at just two items - Autorun folders and Run*.

AVZ displays autostart entries not only for your user but also for all other profiles:

In the Run* section it is better not to disable programs located under HKEY_USERS - this may disrupt other user profiles and the operating system itself. In the Autorun folders section you can turn off everything you don't need.

Lines marked in green are recognized by the antivirus as known. This includes both system Windows programs and third-party programs that have a digital signature.

All other programs are marked in black. This does not mean that such programs are viruses or anything of the sort, only that not all programs are digitally signed.

Don't forget to stretch the first column wider so you can see the program name. Simply unchecking an entry temporarily disables the program's autorun (you can tick it again later); selecting the item and pressing the button with the black cross deletes the entry for good (or until the program writes itself back into autorun).

The question arises: how do you determine what can be disabled and what cannot? There are two approaches:

First, common sense: you can make a decision based on the name of the program's .exe file. For example, Skype creates an entry during installation so that it starts automatically when you turn on the computer. If you do not need that, uncheck the box for the entry ending in skype.exe. By the way, many programs (including Skype) can remove themselves from startup - just uncheck the corresponding item in the program's own settings.

Second, you can search the Internet for information about the program and decide, based on what you find, whether to remove it from autorun or not. AVZ makes it easy to look up an entry: just right-click on the item and select your favorite search engine:

By disabling unnecessary programs you will noticeably speed up the startup of your computer. However, it is undesirable to disable everything in a row - you risk losing the keyboard layout indicator, disabling the antivirus, and so on.

Disable only those programs that you know for sure you don't need in autorun.

Outcome

In principle, what I wrote about in this article is like hammering nails with a microscope - the AVZ program is suitable for optimizing Windows, but in general it is a complex and powerful tool suitable for a wide variety of tasks. However, to use AVZ to its fullest you need to know Windows thoroughly, so you can start small - namely, with what I described above.

If you have any questions or comments, there is a comment block under the article where you can write to me. I follow the comments and will try to answer you as soon as possible.

16.08.2019

dedicated to AVZ, I want to share with you some more knowledge about the capabilities of this wonderful utility.

Today we will talk about the system recovery tools, which can often save your computer's life after it has been infected with viruses and other horrors, and also solve a number of system problems caused by various errors.
It will be useful for everyone.

Introduction

Before proceeding, as usual, I want to offer you two formats of the material: video or text. The video is here:

And the text is below. See for yourself which option suits you better.

General description of the program's functionality

What are these recovery tools? A set of microprograms (firmware) and scripts that help return certain system functions to working order. Which ones, for example? Well, say, bringing back the registry editor, clearing the hosts file, or resetting IE settings. I give the full list with descriptions (so as not to reinvent the wheel):

  • 1. Restore launch options for .exe, .com, .pif files
    Indications for use: after removal of the virus, programs stop running.
  • 2. Reset Internet Explorer protocol prefix settings to default
    Indications for use: when you enter an address like www.yandex.ru, it is replaced by something like www.seque.com/abcd.php?url=www.yandex.ru
  • 3. Restore the Internet Explorer start page
    Indications for use: the start page has been replaced
  • 4. Reset Internet Explorer search settings to default
    Indications for use: when you click the "Search" button in IE, an external site is opened
  • 5. Restore desktop settings
    This firmware restores the desktop settings. Restoration involves deleting all active ActiveDesktop elements and wallpapers and removing the locks on the menu responsible for desktop settings.
    Indications for use: the desktop settings tabs in the "Display Properties" window have disappeared, or extraneous inscriptions or pictures are displayed on the desktop
  • 6. Remove all Policies (restrictions) of the current user
    Indications for use: Explorer functions or other system functions are blocked.
  • 7. Delete the message displayed during WinLogon
    Windows NT and subsequent systems in the NT line (2000, XP) allow you to set a message that is displayed during startup. This is used by a number of malicious programs, and removing the malicious program does not remove the message.
    Indications for use: an extraneous message is shown during system boot.
  • 8. Restore Explorer settings
    Indications for use: Explorer settings have been changed
  • 9. Remove system process debuggers
    Indications for use: AVZ detects unrecognized system process debuggers, there are problems launching system components, in particular the desktop disappears after a reboot.
  • 10. Restore SafeMode boot settings
    Some malware, such as the Bagle worm, corrupts the settings for booting in safe mode. This firmware restores the safe mode boot settings.
    Indications for use: the computer does not boot in safe mode (SafeMode). Use this firmware only if you have problems booting in safe mode.
  • 11. Unlock Task Manager
    Indications for use: Task Manager is blocked; when you try to open it, the message "Task manager has been blocked by the administrator" is displayed.
  • 12. Clear the HijackThis ignore list
    The HijackThis utility stores a number of its settings in the registry, in particular its list of exclusions. Therefore, to hide from HijackThis, malware only needs to register its executable files in the exclusion list. A number of malicious programs are currently known to exploit this. The AVZ firmware clears the HijackThis exclusion list.
    Indications for use: suspicion that the HijackThis utility is not displaying all information about the system.
  • 13. Clean the Hosts file
    Cleaning the Hosts file comes down to finding it, removing all meaningful lines from it, and adding the standard line "127.0.0.1 localhost".
    Indications for use: suspicion that the Hosts file has been modified by a malicious program. A typical symptom is that anti-virus software updates are blocked. You can check the contents of the Hosts file using the Hosts file manager built into AVZ.
  • 14. Automatic correction of SPI/LSP settings
    Analyzes the SPI settings and, if errors are found, corrects them automatically. This firmware can be re-run an unlimited number of times. It is recommended that you restart the computer after running it. Note! This firmware cannot be run from a terminal session.
    Indications for use: after removal of the malicious program, Internet access was lost.
  • 15. Reset SPI/LSP and TCP/IP settings (XP, 2003, Vista)
    This firmware only works on XP, Windows 2003 and Vista. It works by resetting and recreating the SPI/LSP and TCP/IP settings using the standard netsh utility included with Windows. Details about resetting the settings can be found in the Microsoft Knowledge Base. Please note! Use this reset only if necessary, when you have unrecoverable problems with Internet access after removing malware!
    Indications for use: after removal of the malicious program, Internet access was lost and running firmware "14. Automatic correction of SPI/LSP settings" does not help.
  • 16. Restore the Explorer launch key
    Indications for use: during system boot Explorer does not start, but manual launch of explorer.exe is possible.
  • 17. Unlock the registry editor
    Indications for use: the registry editor cannot be started; when you try, a message is displayed saying that its launch has been blocked by the administrator.
  • 18. Full re-creation of SPI settings
    Indications for use: severe damage to the SPI settings that cannot be repaired by scripts 14 and 15. Use only if necessary!
  • 19. Clear the MountPoints database
    Cleans up the MountPoints and MountPoints2 database in the registry.
    Indications for use: this operation often helps when, after infection with a flash-drive virus, disks cannot be opened in Explorer
  • On a note:
    To eliminate the traces of most hijackers, you need to run three firmware items: "Reset Internet Explorer search settings to default", "Restore the Internet Explorer start page", "Reset Internet Explorer protocol prefix settings to default".
  • On a note:
    Any of the firmware items can be run several times in a row without harming the system. The exceptions are "5. Restore desktop settings" (running it resets all desktop settings, and you will have to reselect the desktop colors and wallpaper) and "10. Restore SafeMode boot settings" (this firmware recreates the registry keys responsible for booting in safe mode).

Helpful, isn't it?
Now, how to use it.

Download, launch, use

Actually, everything is simple.

  1. Download the AVZ anti-virus utility from here (or from somewhere else).
  2. Unpack the archive somewhere convenient for you.
  3. Go to the folder where you unpacked the program and run avz.exe there.
  4. In the program window, select "File" - "System Restore".
  5. Tick the items you want and click the "Perform marked operations" button.
  6. Wait and enjoy the result.

That's all there is to it.

Afterword

I must say it works with a bang and saves a number of unnecessary actions. So to speak, everything is at hand, quickly, simply and efficiently.

Thank you for your attention ;)

I thank the masters of the Zapuskay.RF computer service center for their help in preparing the material. You can order laptop and netbook repairs in Moscow from these guys.

Malicious programs that get into the operating system of a personal computer cause significant harm to all of its data. Today, malicious programs are created for various purposes, so their actions are aimed at altering various structures of the personal computer's operating system.

The common and obvious consequences for the user are problems with the Internet and disruptions in the operation of devices connected to the PC.

Even if the pest was detected and destroyed, this does not exclude loss of information and other problems that show up in subsequent work. The options could be listed endlessly; most often the user finds complete or partial blocking of access to the World Wide Web, failure of external devices (mouse, flash drive), an empty desktop, and more.

These consequences are observed because of the changes the pest program made to the system files of the personal computer. Such changes are not undone when the virus is eliminated; they must be corrected by yourself, or with the help of specialists. In fact, this kind of work does not require special training, and any advanced user can perform it by studying the appropriate instructions.

In the practice of restoring the operating system there are several approaches, depending on the reasons that led to the failure. Let's consider each option in detail. An easy way available to every user is to roll back the OS to a restore point at which the personal computer was working as the user wanted. But very often this solution is unsatisfactory, or it is impossible to implement for objective reasons.

How to restore the OS if logging in to the PC is not possible?

System Restore is started as follows: Start Menu \ Control Panel \ System Restore. There, select the restore point we need and start the process. After a while the work will be completed and the computer is ready for normal operation. The technique is quite applicable to eliminating certain types of viruses, since the changes also occur at the registry level. This option for restoring the operating system is considered the simplest and is included in the set of standard Windows tools. Step-by-step instructions and help with detailed comments on the process will help you master the technique of restoring the health of your computer, even if you do not feel completely confident as a PC administrator.

Another common OS recovery option is to run the procedure from external media. This option is complicated by a few things: for example, you need to have a system image on a flash drive or disk and to have taken care of making such a copy in advance. In addition, it is often necessary to have certain skills in working with the BIOS. An image of the operating system on external media is the best option if recovery is otherwise impossible because a virus has blocked logging in to the system. There are other options as well.

Using the standard Windows tools to restore the OS is impossible if, for example, logging in is not possible or there are other reasons preventing the operation from being performed in the standard way. The situation is resolved with the ERD Commander (ERDC) tool.

Let's analyze how the program works, step by step. The first step is downloading the program. The second step is launching the System Restore Wizard tool; it is with its help that the OS is rolled back to the selected restore point.

As a rule, each tool has several control points, and in eighty percent of cases the personal computer will be completely revived.

Using AVZ Utility Tools

The tool considered below does not require any special skills or abilities from the user. The software was developed by Oleg Zaitsev and is designed to find and destroy all types of viruses and malware. But in addition to its main function, the utility restores most of the system settings that have been attacked or changed by malware.

What problems can the program solve? The main one is restoring system files and settings that have been attacked by viruses. The utility copes with damaged program drivers that refuse to start after recovery, with problems in browsers, with blocked Internet access, and with many other troubles.

We activate the restore operation at File \ System Restore and select the operation that is needed. The figure shows the interface listing the firmware items the utility works with; we will give a description of each of them.

As you can see, the set of operations consists of 21 items, and the name of each explains its purpose. Note that the capabilities of the program are quite diverse, and it can be considered a universal tool not only for reviving the system itself but also for eliminating the consequences of viruses working with system data.

The first item is used if, as a consequence of a virus attack and the OS recovery procedures, the programs the user needs refuse to run. As a rule, this happens if the pest has penetrated the files and program drivers and made changes to the information recorded there.

The second item is needed when viruses substituted domains as they were entered into the browser's search engine. Such substitution is the first level of tampering with the interaction between the operating system's system files and the Internet. This function of the program, as a rule, eliminates the changes made without a trace, without trying to detect them, but simply by completely wiping all the prefix and protocol data and replacing it with the standard settings.

The third item restores the start page setting of the Internet browser. As in the previous case, by default the program corrects problems in Internet Explorer.

The fourth item corrects the search engine and sets the standard mode of operation. Again, the procedure concerns the browser installed with Windows by default.

In case of a problem related to the functioning of the desktop (the appearance of banners, pictures, or extraneous entries on it), the fifth item of the program is activated. Such consequences of malware were very popular a couple of years ago and caused a lot of problems for users, but even now such dirty tricks can penetrate the PC operating system.

The sixth item is needed if malware has restricted the user's ability to execute a number of commands. These restrictions can be of various kinds, and since access settings are stored in the registry, malicious programs most often use this information to tamper with how the user works with the PC.

If a third-party message appears when loading the OS, this means that the harmful program was able to infiltrate the Windows NT startup settings. An OS restore that killed the virus does not remove this message. To remove it, you must activate the seventh item of the AVZ utility menu.

The eighth menu item, as the name suggests, restores Explorer settings.

Sometimes the problem shows up as interruptions in the operation of system components; for example, during startup of the OS the desktop disappears. The AVZ utility diagnoses these structures and makes the necessary adjustments using item nine of the tools menu.

Problems booting the OS in safe mode are resolved by item ten. It is easy to detect the need to activate this item of the utility's firmware: the problems show up on any attempt to work in safe mode.

If the task manager is blocked, then menu item eleven must be activated. Viruses, acting on behalf of the administrator, change how this section of the operating system is activated, and instead of the working window a message appears stating that work with the task manager is blocked.

The HijackThis utility, as one of its main functions, stores a list of exclusions in the registry. For a virus, it is enough to penetrate the utility's database and register its files in the registry list. After that, it can restore itself an unlimited number of times. The utility's registry data is cleaned by activating the twelfth item of the AVZ settings menu.

The next, thirteenth item, allows you to clear the Hosts file. This file, when modified by a virus, can cause difficulties when working with the network, block some resources, and interfere with updating the databases of anti-virus programs. Working with this file is discussed in more detail below. Unfortunately, almost all virus programs try to edit this file; the reason is the simplicity of making such changes, while the consequences can be more than significant, and after removal of the viruses the information entered in the file can be a direct gateway for new pests and spyware into the OS.

If access to the Internet is blocked, this, as a rule, means there are errors in the SPI settings. They are corrected if you activate menu item fourteen. It is important that this item cannot be used from a terminal session.

Similar functions are included in the fifteenth menu item, but it can be activated only on operating systems such as XP, Windows 2003 and Vista. You can use this firmware if attempts to correct the network access situation with the previous item did not bring the desired result.

The sixteenth menu item is aimed at restoring the system registry keys responsible for launching the Internet browser.

The next step in restoring OS settings after a virus attack is unlocking the registry editor. As a rule, the external manifestation is that it is impossible to launch the program for working with the Network.

The following four items are recommended only if the damage to the operating system is so catastrophic that, by and large, it makes no difference whether it is eliminated by such methods or whether you end up reinstalling the entire system.

So, the eighteenth item recreates the initial SPI settings. The nineteenth item clears the MountPoints and MountPoints2 registry keys.

The twentieth item removes all static routes. Finally, the last, twenty-first item clears all DNS connections.

As you can see, the capabilities of the utility cover almost all the areas into which a malicious program can penetrate and leave its active trail, which is not so easy to detect.

Since anti-virus applications do not guarantee 100% protection of your PC's operating system, we recommend that you have such a program in your arsenal of tools to combat computer viruses of all kinds and forms.

After the PC OS has been treated, devices connected to it do not work

One of the most popular ways for spyware to camouflage itself is to install its own virus driver alongside the real software. In this situation, the real driver is most often the mouse or keyboard driver. Accordingly, after the virus is destroyed, its trace remains in the registry, and for this reason the device the pest managed to attach itself to stops working.

A similar situation occurs when Kaspersky Anti-Virus is removed incorrectly. This is also related to the specifics of installing the program: its installation on the PC uses the auxiliary klmouflt driver. In the Kaspersky case, this driver must be found and completely removed from the system in accordance with all the rules.

If the keyboard and mouse refuse to function properly, the first step is to restore the registry keys.

Keyboard:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E96B-E325-11CE-BFC1-08002BE10318}
UpperFilters=kbdclass

Mouse:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E96F-E325-11CE-BFC1-08002BE10318}
UpperFilters=mouclass
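The UpperFilters values above are also the place where a leftover or malicious filter driver shows up, so a quick audit is useful before editing anything. The script below is an added example, not part of the article: it compares the UpperFilters list of the keyboard and mouse device classes with the expected class driver and reports anything extra (the klmouflt name in the sample is the driver mentioned above; the sample values are constructed). The registry read uses the standard winreg module and only runs on Windows; the comparison itself is platform-independent.

```python
"""Audit UpperFilters of the keyboard and mouse device classes.

Added example (not from the original article). Reports filter drivers that
sit on top of kbdclass / mouclass, which is where a leftover driver or a
malicious filter would appear after a cleanup.
"""
import sys

# Device-class GUIDs from the article and the class driver each should list.
DEVICE_CLASSES = {
    "keyboard": ("{4D36E96B-E325-11CE-BFC1-08002BE10318}", "kbdclass"),
    "mouse":    ("{4D36E96F-E325-11CE-BFC1-08002BE10318}", "mouclass"),
}

CLASS_KEY = r"SYSTEM\CurrentControlSet\Control\Class"


def audit_upper_filters(upper_filters, expected):
    """Compare an UpperFilters list (REG_MULTI_SZ entries) with the expected driver.

    Returns a dict:
      missing - True when the class driver itself is absent (the device will not work)
      extra   - any additional filter drivers, which deserve a closer look
    """
    names = [f.strip().lower() for f in upper_filters if f.strip()]
    return {
        "missing": expected.lower() not in names,
        "extra": [f for f in names if f != expected.lower()],
    }


def read_upper_filters(class_guid):
    """Read the UpperFilters value for a device class from the registry (Windows only)."""
    if sys.platform != "win32":
        raise OSError("registry access is only available on Windows")
    import winreg  # imported lazily so the module loads on other platforms
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, CLASS_KEY + "\\" + class_guid) as key:
        value, value_type = winreg.QueryValueEx(key, "UpperFilters")
    if value_type != winreg.REG_MULTI_SZ:
        raise ValueError("UpperFilters has unexpected type %d" % value_type)
    return list(value)


def audit_live_system():
    """Run the audit for both device classes against the real registry (Windows only)."""
    report = {}
    for device, (guid, expected) in DEVICE_CLASSES.items():
        try:
            filters = read_upper_filters(guid)
        except FileNotFoundError:
            filters = []  # value deleted entirely: no filters at all, class driver gone too
        report[device] = audit_upper_filters(filters, expected)
    return report


if __name__ == "__main__":
    # Constructed sample: a mouse class after an incomplete Kaspersky uninstall
    # left klmouflt in place (illustrative values, not taken from a real system).
    print(audit_upper_filters(["klmouflt", "mouclass"], "mouclass"))
    if sys.platform == "win32":
        print(audit_live_system())
```

A result with `missing` set to True is the case the article describes (the device stops working); anything listed under `extra` should be identified before the value is rewritten to the plain kbdclass or mouclass line.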

The problem of inaccessible sites

A consequence of a malware attack may be that certain Internet resources become unavailable. These consequences result from changes the viruses managed to make to the system. The problem is detected immediately or after some time, but if it showed up only after some time as a result of the pest's actions, it will not be difficult to eliminate.

There are two blocking options; the most common is modifying the hosts file, the second is creating fake static routes. Even if the virus is killed, the changes it made to these will not be removed.

The file in question is located in the system folder on drive C. Its location is C:\Windows\System32\drivers\etc\hosts. For a quick search, as a rule, the command line from the Start menu is used.

If the file cannot be found using the specified procedure, this may mean that:

  • the virus program changed its location in the registry;
  • the file has the "hidden" attribute.

In the latter case, we change the search settings. Under Folder Options / View we find the line "Show hidden files" and tick it, expanding the search range.

The hosts file contains the mapping from a site's textual domain name to its IP address, so malware writes adjustments into it that can redirect the user to other resources. If this happens, then when you enter the address of the desired site, a completely different one opens. To return these changes to their initial state and fix them, you need to find the file and analyze its contents. Even an inexperienced user will be able to see exactly what the virus changed, but if this causes difficulties you can restore the default settings, thereby eliminating all changes made to the file.

As for correcting routes, the principle is the same. However, in the interaction between the PC operating system and the Internet, the hosts file always has priority, so restoring it is enough for work to proceed in the standard mode.

A difficulty arises if the desired file cannot be found because the virus has changed its location in the system folders. Then you need to fix the registry key.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DataBasePath

Viruses belonging to the Win32/Vundo group are smarter than most of their malicious cousins when it comes to tampering with the hosts file. They change the file name itself, removing the Latin letter o and replacing it with a Cyrillic letter. Such a file no longer takes part in converting site domain names into IP addresses, and even if the user restores this file, the result remains the same. How do you find the real file? If there are doubts that the object we need is the real one, we perform the following procedure. The first step is to enable the display of hidden files. We examine the directory; it looks like the one shown in the figure.

Here are two seemingly identical files, but since the OS does not allow identical names, it is obvious that we are dealing with a fake. Determining which one is correct is easy. The virus creates a voluminous file with numerous adjustments, so the result of its wrecking in the figure is the hidden file of 173 KB.

If you open the file, it will contain lines like the following:

31.214.145.172 vk.com - a line that substitutes the site's IP address

127.0.0.1 avast.com - a line written by the virus to block access to the anti-virus vendor's site
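Reading the hosts file by eye works for two lines, but a virus that writes hundreds of them is easier to sort with a script. The following is an added example, not from the article: it parses hosts-file text and classifies each entry as a "blocked" name (a public name pinned to loopback or 0.0.0.0, the avast.com pattern above) or a "redirect" (a name sent to some other address, the vk.com pattern), it checks a directory listing for the Cyrillic-o impostor file described above, and it reads the DataBasePath registry value to find where the OS is really looking. The sample hosts content and directory listing are constructed; the two quoted lines are the ones from the article.

```python
"""Inspect a Windows hosts file for entries typical of malware tampering.

Added example, not from the original article.
"""
import ipaddress
import sys
import unicodedata

# Standard location and the registry value that can move it (both from the article).
DEFAULT_HOSTS_DIR = r"C:\Windows\System32\drivers\etc"
DATABASEPATH_KEY = r"SYSTEM\CurrentControlSet\Services\Tcpip\Parameters"

# Names that legitimately point at loopback.
LEGIT_LOOPBACK = {"localhost", "localhost.localdomain", "broadcasthost"}

# Cyrillic letters that look like the Latin letters of 'hosts'.
CONFUSABLES = {"\u043e": "o", "\u0455": "s", "\u0442": "t", "\u04bb": "h", "\u0435": "e"}


def parse_hosts(text):
    """Yield (ip, [names]) per entry line; comments and malformed lines are skipped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue
        yield ip, [name.lower() for name in parts[1:]]


def classify_hosts(text):
    """Return (kind, name, ip) tuples for entries that need attention:
    'blocked'  - a public name pinned to loopback/0.0.0.0 (update servers, AV sites)
    'redirect' - a name sent to some other address (fake site substitution)."""
    findings = []
    for ip, names in parse_hosts(text):
        for name in names:
            if ip.is_loopback or ip.is_unspecified:
                if name not in LEGIT_LOOPBACK:
                    findings.append(("blocked", name, str(ip)))
            else:
                findings.append(("redirect", name, str(ip)))
    return findings


def find_hosts_lookalikes(filenames):
    """Among directory entries, return (name, [Unicode names of the odd letters])
    for files that read as 'hosts' but are not the ASCII file name."""
    hits = []
    for name in filenames:
        if name == "hosts":
            continue
        skeleton = "".join(CONFUSABLES.get(ch, ch) for ch in name.lower())
        if skeleton == "hosts":
            odd = [unicodedata.name(ch, "?") for ch in name if ord(ch) > 127]
            hits.append((name, odd))
    return hits


def hosts_path():
    """The directory the OS actually uses: DataBasePath on Windows (it may
    contain %SystemRoot%), the standard location elsewhere."""
    directory = DEFAULT_HOSTS_DIR
    if sys.platform == "win32":
        import os
        import winreg
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, DATABASEPATH_KEY) as key:
            directory, _ = winreg.QueryValueEx(key, "DataBasePath")
        directory = os.path.expandvars(directory)
    return directory.rstrip("\\") + "\\hosts"


# Constructed sample built around the two lines quoted in the article.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
31.214.145.172  vk.com
127.0.0.1       avast.com
::1             localhost
"""

# Constructed directory listing: the real file next to a Cyrillic-o impostor.
SAMPLE_DIR = ["hosts", "h\u043ests", "lmhosts.sam", "networks"]

if __name__ == "__main__":
    for kind, name, ip in classify_hosts(SAMPLE_HOSTS):
        print("%-8s %-12s %s" % (kind, name, ip))
    print(find_hosts_lookalikes(SAMPLE_DIR))
    print(hosts_path())
```

On a real machine, read the file at `hosts_path()` and pass its text to `classify_hosts`; an unexpectedly moved DataBasePath is itself a finding, since the default value points at the System32\drivers\etc folder.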

We noted above that individual resources can also be blocked by creating incorrect routes in the routing table. Let's go through the sequence of actions to resolve the situation.

If the hosts file has no malicious modifications and it is still impossible to work with the resource, the problem lies in the routing table. A few words about how these tools interact. If the correct domain address is specified in the hosts file, a redirect to that address, an existing resource, occurs. As a rule, the IP address does not belong to the local subnet's address range, so forwarding goes through the router's gateway, which is determined by the Internet connection settings.

If we adjust the route entries for a particular IP address, the connection will automatically be made according to that entry. If there is no such route, or the gateway is down, the connection will fail and the resource will remain unavailable. Thus, a virus can tamper with an entry in the route table and block absolutely any site.

Routes created for specific sites are kept in the HKLM registry database. Routes are updated when the route add command is run or the data is corrected manually. When there are no static routes, that section of the table is empty. You can view the routing data with the route print command. It looks like this:

Active routes:

The above table is standard for a PC with a single network card and the following network connection settings:

  • IP address 192.168.0.0
  • mask 255.255.255.0
  • default gateway 192.168.0.1

The entry above includes the network IP address, 192.168.0.0, and the subnet mask, 255.255.255.0. Deciphered, this data means the following. The mask covers the entire set of nodes whose high-order part of the address is the same. In binary, each of the first three bytes of the subnet mask consists of all ones (255 in decimal, 0xFF in hexadecimal) on all PC operating systems. The low-order part of a host address is a value in the range 1-254.

In accordance with the above, the lowest address, 192.168.0.0, is the network address. The highest address, 192.168.0.255, is the broadcast address. The first cannot be used for data exchange, while the second is specifically intended for it. Nodes exchange data packets using routes.

Imagine the following configuration:

  • IP address - 192.168.0.0
  • Netmask - 255.255.255.0
  • Gateway - 192.168.0.3
  • Interface - 192.168.0.3
  • Metric - 1

This is read as follows: for the address range 192.168.0.0 - 192.168.0.255, the network card's own address (192.168.0.3) is used as both gateway and interface. This means the information goes directly to the addressee.

When the destination address does not fall within the range 192.168.0.0 - 192.168.0.255, it is not possible to transfer information directly. The protocol stack sends the data to the router, which forwards it to another network. If no static routes are specified, the default router address is the gateway address. Information is sent to this address, then on into the network and along the routes specified in the tables, until the addressee receives the packet. In general terms, that is how data transfer works. Let's look at an illustration of the entries in a typical routing table. In the example there are only a few entries, but their number can reach tens or hundreds of lines.



Based on the example data, we will describe the process of forwarding to the address of an Internet resource. When contacting Internet resource addresses in the range 74.55.40.0 to 74.55.40.255, the router (gateway) address in the entry is the network number 192.168.0.0, which cannot be used for exchanging data. The IP stack sees an address (74.55.40.226) that is not in the local network's address range and consults the configured static routes.

If this route were not specified, the packet would be sent to the address of the default gateway set in the example.

Since the route shown in the example has a higher priority, a specific gateway is needed for it, not the default one that fits everything. Since there is no gateway in the table that can satisfy the request, the server with address 74.55.40.226 will remain out of reach. And under the conditions in the example, with that subnet mask, all addresses in the range 74.55.40.0 - 74.55.40.255 will be blocked. It is this range that includes the network path to the site of the anti-virus software installed on the personal computer, which will therefore not receive the virus database updates it needs and will not function properly.

The more such entries in the route table, the more resources are blocked. In specialists' practice, virus programs have created up to four hundred lines of this type, blocking about a thousand network resources. Moreover, the virus authors are not particularly bothered that, in trying to ban a particular resource, they exclude dozens of other sites from access. This is the main mistake of these unscrupulous programmers, since the number of unavailable resources gives away the blocking itself. So, for example, if the most popular social networks are affected and the user cannot open the VKontakte or Odnoklassniki website, a suspicion arises that the PC is not working correctly with the network.

Correcting the situation is not difficult; the route command with the delete keyword is used. We find the false entries in the table and remove them. A small note: all these operations are possible only if the user has administrator rights, but the virus, too, can make changes to the routes only if it got into the system through the personal computer's administrator account. Here are examples of such commands.

route delete 74.55.40.0 - a command that deletes the first variant of the route line;

route delete 74.55.74.0 - a command that deletes the second variant of the route line.

There should be as many such lines as there are false routes.

If you want a simpler approach, you need to use output redirection. This is done by entering route print > C:\routes.txt. Running the command creates a file called routes.txt on the system drive that contains the table with the route data.

The file contains DOS character codes. These characters are unreadable and have no meaning for the operation. By adding route delete at the beginning of each route, we remove each false entry. The lines look like this:

route delete 84.50.0.0

route delete 84.52.233.0

route delete 84.53.70.0

route delete 84.53.201.0

route delete 84.54.46.0

Next, you need to change the file extension, the options for replacing such an extension are cmd or bat. A new file is launched with a double click right button mice. You can simplify the task with the help of the popular FAR file manager, which works as follows. The editor, which is called by the function key F 4, highlights the right part of the route entry with a special marking. Using the key combination CTRL + F 7, all spaces are automatically swapped to a character with an empty value, and the space, in turn, is set to the starting position of the line. The new combination of the specified keys sets the route delete task to the place we need.

When there are many false routes in the table and fixing them by hand would be long and tedious, use the route command with the -f switch (route -f).

This switch clears the routing table of every entry except host routes (those with netmask 255.255.255.255), the loopback network route (127.0.0.0) and the multicast route (224.0.0.0). In other words, everything the virus wrote into the table will be removed. But the static routes added by the user themselves and the default gateway entry will be removed too, and the network will stay unreachable until they are restored. So before running it, save the output of route print (at least the default gateway line and your own static routes) so that the entries you need can be re-added afterwards.
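An added example, not part of the original article: a small Python script that does the routes.txt processing described above automatically. It parses the saved output of route print (the constructed sample below imitates the Windows 7+ layout, with three bogus persistent routes of the kind the text describes), skips everything that route -f would also keep (the default route, host routes, loopback, multicast) plus the directly connected on-link subnets, and emits route delete commands for the remaining gateway routes, which is where malware entries end up. It also points out the tell-tale "black hole" pattern of a route whose gateway is the host's own interface address. The generated list still needs a human look, since an administrator's own static routes will be listed too.

```python
import ipaddress

# Constructed sample of `route print` output (Windows 7+ layout). The three
# 74.55.x / 84.50.x routes are the kind of bogus entries the text describes.
SAMPLE_ROUTE_PRINT = """\
===========================================================================
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1     192.168.1.10     25
       74.55.40.0    255.255.255.0     192.168.1.10     192.168.1.10      1
       74.55.74.0    255.255.255.0     192.168.1.10     192.168.1.10      1
        84.50.0.0      255.255.0.0     192.168.1.10     192.168.1.10      1
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
      192.168.1.0    255.255.255.0         On-link      192.168.1.10    281
     192.168.1.10  255.255.255.255         On-link      192.168.1.10    281
        224.0.0.0        240.0.0.0         On-link      192.168.1.10    281
  255.255.255.255  255.255.255.255         On-link      192.168.1.10    281
===========================================================================
Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
       74.55.40.0    255.255.255.0     192.168.1.10       1
       74.55.74.0    255.255.255.0     192.168.1.10       1
        84.50.0.0      255.255.0.0     192.168.1.10       1
===========================================================================
"""

# Networks that `route -f` itself leaves alone and that we never want to delete.
KEEP_NETWORKS = (ipaddress.ip_network("127.0.0.0/8"), ipaddress.ip_network("224.0.0.0/4"))


def _is_ipv4(s):
    try:
        ipaddress.IPv4Address(s)
        return True
    except ValueError:
        return False


def parse_route_print(text):
    """Split `route print` output into the Active and Persistent IPv4 route lists."""
    section, active, persistent = None, [], []
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Active Routes:":
            section = "active"
            continue
        if line == "Persistent Routes:":
            section = "persistent"
            continue
        if line.startswith("IPv6"):          # stop at the IPv6 table, if present
            section = None
            continue
        parts = line.split()
        if len(parts) < 4 or not (_is_ipv4(parts[0]) and _is_ipv4(parts[1])):
            continue                          # headers, separators, "None" lines
        if section == "active" and len(parts) == 5:
            active.append({"dest": parts[0], "mask": parts[1], "gateway": parts[2],
                           "iface": parts[3], "metric": int(parts[4])})
        elif section == "persistent" and len(parts) == 4:
            persistent.append({"dest": parts[0], "mask": parts[1], "gateway": parts[2],
                               "iface": None, "metric": int(parts[3])})
    return active, persistent


def blackhole_routes(active):
    """Destinations whose gateway is the interface's own address: packets go nowhere."""
    return [r["dest"] for r in active
            if r["iface"] is not None and r["gateway"] == r["iface"]]


def candidate_deletions(active, persistent):
    """`route delete` commands for every gateway (non-on-link) network route, keeping the
    default route, host routes, loopback and multicast. Review before running: legitimate
    static routes added by an administrator are listed too."""
    commands, seen = [], set()
    for route in active + persistent:
        net = ipaddress.ip_network(f"{route['dest']}/{route['mask']}", strict=False)
        if net.prefixlen in (0, 32):                       # default route, host routes
            continue
        if any(net.subnet_of(keep) for keep in KEEP_NETWORKS):
            continue
        if route["gateway"].lower() == "on-link":          # directly connected subnet
            continue
        key = (route["dest"], route["mask"])
        if key in seen:                                    # active + persistent overlap
            continue
        seen.add(key)
        commands.append(f"route delete {route['dest']} mask {route['mask']}")
    return commands


def batch_file(commands):
    """Text of a .cmd file to run from an elevated (administrator) prompt."""
    return "@echo off\r\n" + "\r\n".join(commands) + "\r\n"


if __name__ == "__main__":
    act, per = parse_route_print(SAMPLE_ROUTE_PRINT)
    print("black holes:", blackhole_routes(act))
    print(batch_file(candidate_deletions(act, per)))
```

On a real machine, replace SAMPLE_ROUTE_PRINT with the contents of C:\routes.txt and save the returned batch text as a .cmd file; specifying mask in each delete removes exactly the listed route rather than every route to that destination.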

The AVZ utility can also be used to clean up the routing table: the dedicated firmware for this is the twentieth item in its system restore list, among the TCP/IP settings.

The last way malware blocks user access to the IP addresses of sites is spoofing the DNS server address. In that case name resolution goes through a malicious server, which can answer with any address it likes. Such cases are fairly rare.

After completing all of the above, reboot the computer.

Thanks again for help in preparing this material to the technicians of the Zapuskay.RF computer service center - http://launch.rf/information/territory/Kolomenskaya/, where you can order laptop and netbook repairs in Moscow.

Recovering encrypted files is a problem faced by a large number of personal computer users who have fallen victim to various ransomware viruses. The number of malicious programs in this group is very large and grows every day. Just recently we have come across dozens of ransomware variants: CryptoLocker, Crypt0l0cker, Alpha Crypt, TeslaCrypt, CoinVault, Bit Crypt, CTB-Locker, TorrentLocker, HydraCrypt, better_call_saul, crittt, etc.

Of course, you can recover encrypted files simply by following the instructions the virus's creators leave on the infected computer. But the price of decryption is usually substantial, and you should also know that some ransomware encrypts files in a way that makes later decryption simply impossible. And it is plainly unpleasant to pay for the return of your own files.

Ways to recover encrypted files for free

There are several ways to recover encrypted files using completely free and proven programs such as ShadowExplorer and PhotoRec. Before and during recovery, use the infected computer as little as possible: every write to the disk can overwrite the deleted originals, so the less you use it, the better your chances of a successful recovery.

Follow the instructions below step by step. If something does not work, STOP and ask for help by leaving a comment on this article or creating a new topic on our forum.

1. Remove ransomware virus

Kaspersky Virus Removal Tool and Malwarebytes Anti-malware can detect various types of active ransomware and easily remove them from your computer, BUT they cannot recover the encrypted files.

1.1. Remove ransomware with Kaspersky Virus Removal Tool

Click the Scan button to start scanning your computer for ransomware.

Wait for the process to finish and remove the malware it finds.

1.2. Remove ransomware with Malwarebytes Anti-malware

Download the program. When the download finishes, run the downloaded file.

The program will update itself automatically. When that finishes, click the Scan button. Malwarebytes Anti-malware will start scanning your computer.

As soon as the scan completes, Malwarebytes Anti-malware will show a list of the ransomware components it found.

Click the Remove Selected button to clean the computer. During removal Malwarebytes Anti-malware may ask you to restart the computer to continue; confirm by choosing Yes.

After the computer restarts, Malwarebytes Anti-malware will continue the disinfection automatically.

2. Recover encrypted files using ShadowExplorer

ShadowExplorer is a small utility for restoring files from the shadow copies that Windows (7 through 10) creates automatically. This lets you get back the original, unencrypted state of the files, provided the ransomware did not delete the shadow copies before or during encryption (many modern variants do exactly that, in which case this step finds nothing and you proceed to PhotoRec).

Download the program. It comes as a zip archive, so right-click the downloaded file and choose Extract all. Then open the ShadowExplorerPortable folder.

Start ShadowExplorer. Select the drive you need and the date the shadow copy was created (items 1 and 2 in the figure below).

Right-click the directory or file whose copy you want to restore. Choose Export from the menu that appears.

Finally, select the folder the recovered file will be copied to.

3. Recover encrypted files using PhotoRec

PhotoRec is a free program for recovering deleted and lost files. With it you can recover the original files that the ransomware deleted after creating encrypted copies of them.

Download the program. It comes as an archive, so right-click the downloaded file and choose Extract all. Then open the testdisk folder.

Find QPhotoRec_Win in the list of files and run it. A window opens listing all partitions of the available disks.

In the list of partitions, select the one containing the encrypted files. Then click the File Formats button.

By default the program recovers all file types, but to speed things up it is better to leave only the types you need to recover. When you have made your selection, click OK.

At the bottom of the QPhotoRec window, find the Browse button and click it. You need to choose a directory where the recovered files will be saved. Use a drive other than the one holding the encrypted files (a USB stick or an external drive will do), so that the recovery does not overwrite the very data you are trying to get back.

To start searching for and restoring the original copies of the encrypted files, click Search. This takes quite a long time, so be patient.

When the search finishes, click Quit. Now open the folder you chose for the recovered files.

The folder will contain directories named recup_dir.1, recup_dir.2, recup_dir.3 and so on; the more files the program finds, the more directories there will be. To find the files you need, go through the directories one by one. To make it easier to locate a file among the many recovered ones, use the built-in Windows Search (searching by file contents), and do not forget about sorting the files within a directory. Modification date is a good sort key, because QPhotoRec tries to restore this property when it recovers a file.
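An added example, not part of the original article or of PhotoRec: a Python helper for the sorting step described above. It walks the recup_dir.N folders, keeps only the file types you asked for, checks that each file really begins with its type's magic bytes (ransomware output is random-looking data and would fail this check), drops byte-identical duplicates (PhotoRec frequently carves the same data more than once) and sorts the survivors by modification time, newest first. The file names, magic table and the demo tree it builds in a temporary directory are constructed for illustration; PhotoRec's real output names look like f0001234.docx.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Leading bytes for a few common types (assumed, illustrative table). A carved file
# whose bytes do not start with its type's magic is not a usable original.
MAGIC = {
    ".docx": b"PK\x03\x04", ".xlsx": b"PK\x03\x04", ".zip": b"PK\x03\x04",
    ".jpg": b"\xff\xd8\xff", ".png": b"\x89PNG\r\n\x1a\n", ".pdf": b"%PDF",
}


def has_expected_magic(path):
    """True if the file starts with the signature expected for its extension."""
    magic = MAGIC.get(path.suffix.lower())
    if magic is None:
        return True                     # unknown type: do not filter it out
    with open(path, "rb") as fh:
        return fh.read(len(magic)) == magic


def index_recovered(root, extensions):
    """Walk recup_dir.* under root; keep wanted types with valid headers, collapse
    byte-identical duplicates, return records sorted newest-modified first."""
    wanted = {e.lower() for e in extensions}
    unique = {}
    for folder in sorted(Path(root).glob("recup_dir.*")):
        for f in folder.iterdir():
            if not f.is_file() or f.suffix.lower() not in wanted:
                continue
            if not has_expected_magic(f):
                continue
            digest = hashlib.sha256(f.read_bytes()).hexdigest()
            if digest not in unique:    # first carve of this content wins
                st = f.stat()
                unique[digest] = {"path": str(f), "size": st.st_size,
                                  "mtime": int(st.st_mtime), "sha256": digest}
    return sorted(unique.values(), key=lambda r: r["mtime"], reverse=True)


def build_demo_tree():
    """Constructed PhotoRec-style output tree in a temp dir; returns its path."""
    root = Path(tempfile.mkdtemp(prefix="recup_demo_"))
    files = {
        "recup_dir.1/f0001234.docx": (b"PK\x03\x04 quarterly report", 1_700_000_000),
        "recup_dir.1/f0005678.jpg":  (b"\xff\xd8\xff\xe0 family photo", 1_600_000_000),
        "recup_dir.2/f0009999.docx": (b"PK\x03\x04 quarterly report", 1_500_000_000),  # duplicate carve
        "recup_dir.2/f0011111.docx": (b"\x9c\x41\xe2\x7f random bytes", 1_650_000_000),  # encrypted junk
        "recup_dir.3/f0020000.txt":  (b"notes", 1_690_000_000),
    }
    for rel, (data, mtime) in files.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)
        os.utime(p, (mtime, mtime))     # PhotoRec restores mtime where it can
    return root


if __name__ == "__main__":
    for rec in index_recovered(build_demo_tree(), [".docx", ".jpg"]):
        print(rec["mtime"], rec["size"], rec["path"])
```

Point index_recovered at the folder you chose in QPhotoRec and pass the extensions you selected under File Formats; the returned list is what you then copy to a clean drive.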

A virus is a type of malicious software that penetrates system memory, the code of other programs and boot sectors. It can delete important data from a hard drive, USB drive or memory card.

Most users do not know how to recover files after a virus attack. In this article we want to show you how to do it quickly and easily; we hope the information is useful. There are two main methods you can use to remove the virus and recover the data it hid or deleted.

Delete the virus using the command prompt

1) Click the Start button and type CMD in the search bar. "Command Prompt" appears at the top of the results; right-click it and choose "Run as administrator" so that the attribute changes are allowed on every file.

2) In the Command Prompt type: attrib -h -r -s /s /d X:\*.* where X: is the drive letter of the infected disk, memory card or USB stick.



This command does not remove the virus itself: it clears the hidden, read-only and system attributes that the virus set on your files and folders (the /s and /d switches make it recurse into subdirectories and apply to folders too), so the files that looked deleted become visible again. On a large drive the process takes some time to complete.

To start Windows System Restore, click the Start button and type Restore in the search bar. In the next window click "Open System Restore" → "Next" and select the desired restore point.



Another path is Control Panel → System → System Protection → System Restore. A window preparing the restore appears, the computer then reboots, and a message "System Restore completed successfully" is shown. If that did not solve your problem, try rolling back to another restore point. That is all there is to the second method.

Magic Partition Recovery: Restoring Missing Files and Folders after a Virus Attack

For reliable recovery of files deleted by viruses, use Magic Partition Recovery. The program reads the disk directly at a low level, so it is not hindered by whatever the virus did to the file system and can read all your files.

Download and install the program, then analyze the disk, flash drive or memory card. After the analysis, the program shows the list of folders on the selected disk. Select a folder on the left to view its contents on the right.



In this way the program lets you browse the contents of the disk much as you would in Windows Explorer. In addition to existing files, deleted files and folders are displayed, marked with a red cross, which makes recovering deleted files much easier.

If you have lost files after a virus attack, Magic Partition Recovery will help you get everything back without much effort.

AVZ is a simple and convenient utility that can not only remove malware but also restore the system. Why is that needed?

The point is that after a virus infestation (AVZ sometimes kills thousands of them) some programs refuse to run, settings disappear somewhere and Windows no longer works quite right.

Most often users simply reinstall the system in this case. But as practice shows, that is not necessary at all, because the same AVZ utility can repair almost any damaged settings and get the programs working again.

To give you a clearer picture, here is the complete list of what AVZ can restore.

The material is taken from the AVZ manual - http://www.z-oleg.com/secur/avz_doc/ (copy the address into your browser's address bar).

The database currently contains the following firmware (AVZ's term for its built-in repair microprograms):

1. Restore launch options for .exe, .com, .pif files

This firmware restores the system's handling of exe, com, pif and scr files.

Indications for use: after the virus is removed, programs stop running.

2. Reset Internet Explorer protocol prefix settings to standard

This firmware restores the protocol prefix settings in Internet Explorer.

Indications for use: when you enter an address such as www.yandex.ru, it is replaced with something like www.seque.com/abcd.php?url=www.yandex.ru

3.Restoring the start page of Internet Explorer

This firmware restores the start page in Internet Explorer

Indications for use: start page change

4.Reset Internet Explorer search settings to default

This firmware restores search settings in Internet Explorer

Indications for use: When you click the "Search" button in IE, there is a call to some extraneous site

5.Restore desktop settings

This firmware restores desktop settings.

Restoration involves deleting all active ActiveDesktop elements and wallpaper and removing the locks on the menu responsible for desktop settings.

Indications for use: The desktop settings tabs in the "Display Properties" window have disappeared, extraneous inscriptions or drawings are displayed on the desktop

6.Removing all Policies (restrictions) of the current user

Windows provides a mechanism for restricting user actions called Policies. Much malware uses it, because the settings are stored in the registry and are easy to create or modify.

Indications for use: File Explorer functions or other system functions are blocked.

7. Removing the message displayed during WinLogon

Windows NT and later systems in the NT line (2000, XP) allow a message to be displayed during logon.

A number of malicious programs use this, and removing the malware does not remove the message.

Indications for use: An extraneous message is introduced during system boot.

8.Restore explorer settings

This firmware resets a number of Explorer settings to their defaults (first of all the settings changed by malware).

Indications for use: Explorer settings changed

9.Removing system process debuggers

Registering a debugger for a system process makes Windows launch the registered application in place of that process, without any visible sign; a number of malicious programs use this.

Indications for use: AVZ reports unrecognized debuggers for system processes, or there are problems starting system components, in particular the desktop disappears after a reboot.

10.Restore boot settings in SafeMode

Some malware, such as the Bagle worm, corrupts the settings for booting in Safe Mode.

This firmware restores the Safe Mode boot settings. Indications for use: the computer does not boot in Safe Mode (SafeMode). Use this firmware only when there are problems booting in Safe Mode.

11.Unlock Task Manager

Malware blocks Task Manager to protect its processes from being found and terminated. Running this microprogram removes the lock.

Indications for use: Task Manager blocked, when you try to call the Task Manager, the message "Task Manager has been blocked by the administrator" is displayed.

12. Clearing HijackThis Ignore List

The HijackThis utility stores a number of its settings in the registry, including its ignore list. So, to hide from HijackThis, the malware only has to add its executables to that list.

A number of malicious programs are known to exploit this weakness. The AVZ firmware clears the HijackThis ignore list.

Indications for use: suspicion that HijackThis is not showing all the information about the system.

13. Cleaning up the Hosts file

Cleaning the Hosts file comes down to finding the file, removing every meaningful (non-comment) line from it and adding the standard line "127.0.0.1 localhost".

Indications for use: Suspicions that the Hosts file has been modified by malware. Typical symptoms are blocking anti-virus software updates.

You can control the contents of the Hosts file using the Hosts file manager built into AVZ.
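An added example, not part of the article or of AVZ: a Python audit of a hosts file that shows what firmware 13 acts on. It lists every effective mapping, flags names sinkholed to loopback or 0.0.0.0 (the classic way of blocking anti-virus updates) and names redirected to a foreign address, notes when entries sit below a long run of blank lines (a common trick so the file looks clean in Notepad), and produces the cleaned file the same way AVZ does, keeping only comments and the standard localhost line. The sample file and the domain names in it are constructed; on a real machine read the file at %SystemRoot%\System32\drivers\etc\hosts (and check that the DataBasePath value under HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters still points there, since malware can redirect it to a hosts file of its own).

```python
from ipaddress import ip_address

STANDARD_LINE = "127.0.0.1 localhost"
LOOPBACK = {"127.0.0.1", "::1"}
SINKHOLE = LOOPBACK | {"0.0.0.0"}

# Constructed sample: malware pushed its entries below 300 blank lines so the
# top of the file looks untouched in an editor.
SAMPLE_HOSTS = (
    "# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.\n"
    "#\n"
    "127.0.0.1       localhost\n"
    + "\n" * 300 +
    "127.0.0.1       update.example-av.test          # blocks AV updates\n"
    "127.0.0.1       downloads.example-av.test\n"
    "203.0.113.45    www.bank.example\n"
    "0.0.0.0         www.social-network.test\n"
)


def parse_hosts(text):
    """Return (line_no, address, [names]) for every effective mapping line."""
    entries = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()       # drop comments
        if not line:
            continue
        parts = line.split()
        try:
            ip_address(parts[0])
        except ValueError:
            continue                              # not a mapping line
        if len(parts) > 1:
            entries.append((no, parts[0], parts[1:]))
    return entries


def blank_run_before(text, line_no):
    """Consecutive blank lines immediately above line_no (1-based)."""
    lines = text.splitlines()
    count, i = 0, line_no - 2
    while i >= 0 and not lines[i].strip():
        count += 1
        i -= 1
    return count


def audit_hosts(text, padding_threshold=50):
    """Flag every mapping that is not the standard localhost entry.
    Returns (line_no, address, name, reason) tuples; nothing is modified."""
    findings = []
    for no, addr, names in parse_hosts(text):
        for name in names:
            if name.lower() in ("localhost", "localhost.localdomain"):
                if addr not in LOOPBACK:
                    findings.append((no, addr, name, "localhost mapped to a non-loopback address"))
                continue
            if addr in SINKHOLE:
                reason = "sinkholed (site or update server made unreachable)"
            else:
                reason = "redirected to a foreign address (possible phishing)"
            if blank_run_before(text, no) >= padding_threshold:
                reason += ", hidden below blank-line padding"
            findings.append((no, addr, name, reason))
    return findings


def clean_hosts(text):
    """What firmware 13 does: keep comments, drop all mappings, add the standard line."""
    comments = [l for l in text.splitlines() if l.strip().startswith("#")]
    return "\n".join(comments + [STANDARD_LINE]) + "\n"


if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS):
        print(finding)
    print(clean_hosts(SAMPLE_HOSTS))
```

The file is often set hidden and read-only by the malware as well, so clearing those attributes is part of rewriting it.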

14. Automatic correction of SPI/LSP settings

Analyzes the SPI (Winsock LSP) settings and, if errors are found, corrects them automatically.

This firmware can be run any number of times. It is recommended to restart the computer after running it. Note: this firmware cannot be run from a terminal (remote) session.

Indications for use: Internet access was lost after the malware was removed.

15. Reset SPI/LSP and TCP/IP settings (XP+)

This firmware works only on XP, Windows 2003 and Vista. It resets and recreates the SPI/LSP and TCP/IP settings using the standard netsh utility included with Windows.

Note! Use this full reset only when necessary, when Internet access problems after malware removal cannot be fixed any other way!

Indications for use: after the malware was removed there is no Internet access, and running firmware "14. Automatic correction of SPI/LSP settings" did not help.

16. Restoring the Explorer launch key

Restores the system registry keys responsible for launching File Explorer.

Indications for use: Explorer does not start during system boot, but it is possible to start explorer.exe manually.

17. Unlock Registry Editor

Unlocks Registry Editor by removing the policy that prevents it from running.

Indications for use: Unable to start Registry Editor, when trying, a message is displayed stating that its launch has been blocked by the administrator.
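An added example, not part of the article or of AVZ: a Python triage script that parses a registry export (what Registry Editor or reg export writes; real exports are UTF-16 text, so open them with encoding="utf-16") and maps the settings it finds to the firmware items above that undo them: the hijacked launch command for exe/com/pif/scr files (item 1), Explorer restriction policies (6), the logon message (7), Image File Execution Options debuggers (9), the Task Manager and Registry Editor locks (11, 17) and a replaced Explorer launch key under Winlogon (16). The export below is constructed; the key and value names are the real ones Windows uses. Like AVZ's own detection, this only reports; a legitimate IFEO debugger (a developer's JIT debugger, for instance) would be listed too, which is why the items are run by hand after review.

```python
import re

# Constructed .reg export showing the modifications items 1, 6, 7, 9, 11, 16, 17 repair.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\ProgramData\\loader.exe\" \"%1\" %*"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
"DisableRegistryTools"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoRun"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe]
"Debugger"="C:\\ProgramData\\loader.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe"
"LegalNoticeCaption"="Attention"
"LegalNoticeText"="Your computer is locked, pay to unlock"
'''

VALUE_LINE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def decode_value(raw):
    """Decode the two common .reg value encodings: quoted strings and dword."""
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        return re.sub(r"\\(.)", r"\1", raw[1:-1])   # undo \\ and \" escapes
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)
    return raw                                      # hex:, hex(2): etc. left as-is


def parse_reg(text):
    """Return {key_path: {value_name: value}}; the default value is stored as "@"."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = VALUE_LINE.match(line)
        if m and current is not None:
            name = m.group(1) if m.group(1) is not None else "@"
            keys[current][name] = decode_value(m.group(2))
    return keys


def audit_registry(keys):
    """Map suspicious registry state to the AVZ firmware item that repairs it.
    Returns (item_number, key_path, detail) tuples; nothing is changed."""
    findings = []
    for key, values in keys.items():
        k = key.lower()
        if re.search(r"\\(exe|com|pif|scr)file\\shell\\open\\command$", k):
            cmd = str(values.get("@", ""))
            if not cmd.startswith('"%1"'):           # default is "%1" %* (or "%1" /S for scr)
                findings.append((1, key, f"launch command hijacked: {cmd}"))
        elif k.endswith("\\policies\\system"):
            if values.get("DisableTaskMgr") == 1:
                findings.append((11, key, "DisableTaskMgr=1 (Task Manager blocked)"))
            if values.get("DisableRegistryTools") == 1:
                findings.append((17, key, "DisableRegistryTools=1 (Registry Editor blocked)"))
        elif k.endswith("\\policies\\explorer"):
            for name in values:
                findings.append((6, key, f"Explorer restriction set: {name}"))
        elif "\\image file execution options\\" in k and "Debugger" in values:
            findings.append((9, key, f"IFEO debugger: {values['Debugger']}"))
        elif k.endswith("\\winlogon"):
            if values.get("LegalNoticeText") or values.get("LegalNoticeCaption"):
                findings.append((7, key, "logon message set"))
            shell = str(values.get("Shell", "explorer.exe"))
            if shell.lower() != "explorer.exe":
                findings.append((16, key, f"Shell replaced: {shell}"))
    return findings


if __name__ == "__main__":
    for item, key, detail in audit_registry(parse_reg(SAMPLE_REG)):
        print(f"firmware {item:>2}: {detail}  [{key}]")
```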

18. Full re-creation of SPI settings

Backs up the SPI/LSP settings, then destroys them and recreates them from the standard template stored in the database.

Indications for use: severe damage to the SPI settings that firmware 14 and 15 cannot repair. Apply only when necessary!

19. Clear base MountPoints

Clears the MountPoints and MountPoints2 keys in the registry. This often helps when, after infection by a flash-drive (autorun) virus, drives cannot be opened in Explorer.

To perform the recovery, you must select one or more items and click the "Perform the marked operations" button. Clicking the OK button closes the window.

On a note:

Recovery is useless while a Trojan that performs such reconfiguration is still running on the system: first remove the malicious program, then restore the system settings.

On a note:

To eliminate traces of most Hijackers, you need to run three firmware - "Reset Internet Explorer search settings to standard", "Restore Internet Explorer start page", "Reset Internet Explorer protocol prefix settings to standard"

On a note:

Any of the firmware can be run several times in a row without damage to the system. The exceptions are "5. Restore desktop settings" (running it resets all desktop settings, so you will have to choose your color scheme and wallpaper again) and "10. Restore boot settings in SafeMode" (this firmware recreates the registry keys responsible for booting in Safe Mode).

To start the recovery, first download, unpack and run the utility. Then click File - System Restore. By the way, you can also do


Tick the boxes you need and click "Perform the marked operations". That's it, now wait for it to finish :-)

In the following articles we will look in more detail at the problems the AVZ system restore firmware helps solve. Good luck.