In certain situations it may be necessary to disable the kernel debugger on Microsoft Windows systems. This operation is not recommended for inexperienced users because of the potential threat to the stability of the operating system.

Instruction

Press the "Start" button to bring up the main system menu and enter cmd in the search field to begin the procedure for disabling the kernel debugger.

Open the context menu of the "Command Prompt" tool that is found by right-clicking it, and select "Run as administrator".

Enter Kdbgctrl.exe -d in the command prompt window to disable kernel debugging for the current session, and press Enter to confirm the command.

Enter bcdedit /debug off in the command prompt window to disable kernel debugging for all sessions on Windows Vista and Windows 7, and then press Enter to confirm your choice.

On all earlier versions of Microsoft Windows, enter dir /ASH in the command prompt window to find the hidden system file boot.ini located on the system drive, then open the found file in Notepad to disable the kernel debugger for all sessions.

Delete the parameters:

- /debug
- /debugport
- /baudrate

and restart your computer to apply the changes.
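As an added example (not from the original article), the following Python performs the checking side of this procedure offline: it detects a boot entry with kernel debugging enabled in constructed `bcdedit /enum` output, and removes the /debug, /debugport and /baudrate switches from the operating-system entries of a constructed boot.ini while leaving the other switches untouched. Both sample texts are constructed for the example.

```python
import re

# Constructed sample of an older boot.ini whose operating-system entry carries the
# kernel debugging switches the article tells you to delete.
SAMPLE_BOOT_INI = """[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /debug /debugport=COM1 /baudrate=115200
"""

# Constructed sample of `bcdedit /enum` output (Vista and later keep boot settings in the BCD).
SAMPLE_BCDEDIT = """Windows Boot Loader
-------------------
identifier              {current}
device                  partition=C:
path                    \\Windows\\system32\\winload.exe
description             Windows 7
debug                   Yes
"""

# "debugport" must be tried before "debug", otherwise "/debugport=COM1" would be
# matched as "/debug" and leave "port=COM1" behind.
DEBUG_SWITCHES = re.compile(r"\s/(debugport|debug|baudrate)(=\S*)?", re.IGNORECASE)


def strip_debug_switches(boot_ini_text):
    """Return boot.ini text with /debug, /debugport and /baudrate removed from OS entries only."""
    out = []
    in_os_section = False
    for line in boot_ini_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            in_os_section = stripped.lower() == "[operating systems]"
        elif in_os_section and "=" in stripped:
            line = DEBUG_SWITCHES.sub("", line)
        out.append(line)
    return "\n".join(out) + "\n"


def kernel_debug_enabled(bcdedit_text):
    """True if any boot entry in `bcdedit /enum` output reports 'debug Yes'."""
    for line in bcdedit_text.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[0].lower() == "debug" and parts[1].lower() == "yes":
            return True
    return False


if __name__ == "__main__":
    print("kernel debugging enabled in BCD:", kernel_debug_enabled(SAMPLE_BCDEDIT))
    print(strip_debug_switches(SAMPLE_BOOT_INI))
```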

Click the Continue button in the prompt dialog if you want to perform a kernel debugging operation on the system, and wait for the procedure to complete.

Enter the gn command in the text field of the Kernel Debugger window when you receive a "User break exception (Int 3)" error message.

To enable the kernel debugger service again, use Debugging Mode when booting the computer in safe mode.

The kernel debugger is special software that runs at the kernel level of the personal computer's operating system. "Debugging the operating system kernel" refers to the procedure of scanning the system kernel for various errors. When working with Daemon Tools, the error "Initialization error... Kernel debugger must be deactivated" often occurs. You can fix it by disabling the kernel debugger.

You will need

  • Administrator rights.

Instruction

If this warning appeared during installation of the application, you must disable the service called Machine Debug Manager. To do this, open the "Control Panel" and go to the "Administrative Tools" section. Next, click the "Services" shortcut. Find Machine Debug Manager in the list, click its name and click "Stop".

Stop the debugging processes in the "Task Manager". To do this, right-click a free area of the taskbar and select "Task Manager", or press the key combination Alt + Ctrl + Delete. Open the Processes tab and end all mdm.exe, dumprep.exe and drwatson.exe processes. If it is inconvenient to look for them in the list, click the Image Name column header to sort the list by name. As a rule, such operations are carried out manually, on behalf of the administrator of the personal computer.

The error reporting system should also be disabled so that debug information is no longer recorded. To do this, open the "Control Panel", select the "System" section and open the "Advanced" tab. Click the "Error Reporting" button and check the box next to "Disable Error Reporting". Then go to the "Startup and Recovery" section and uncheck the boxes next to "Send an administrative alert" and "Write an event to the system log".

Remove the Daemon Tools application from autostart. To do this, click "Start", then "Run", and enter the command msconfig. When the system configuration window appears, uncheck the box next to the Daemon Tools application. Disable your anti-virus software while installing the program. If the described error occurs, restart the installation of the application after eliminating all the causes on the personal computer.

Useful advice

Some of the above operations require administrator access to system resources.

You may need to launch the AVZ utility when contacting Kaspersky Lab technical support.
With the AVZ utility you can:

  • receive a report on the results of the system examination;
  • execute the script provided by the Kaspersky Lab technical support expert to create a Quarantine and delete suspicious files.

The AVZ utility does not send statistics, does not process information, and does not transfer it to Kaspersky Lab. The report is saved on the computer in the form of HTML and XML files, which are available for viewing without the use of special programs.

The AVZ utility can automatically create a Quarantine and place copies of suspicious files and their metadata into it.

Objects placed in Quarantine are not processed, are not transferred to Kaspersky Lab, and are stored on the computer. We do not recommend restoring files from Quarantine; they can harm your computer.

What data is contained in the AVZ utility report

The AVZ utility report contains:

  • Information about the version and release date of the AVZ utility.
  • Information about the anti-virus databases of the AVZ utility and its main settings.
  • Information about the version of the operating system, the date it was installed, and the user rights with which the utility was launched.
  • Search results for rootkits and programs intercepting the main functions of the operating system.
  • Search results for suspicious processes and details about those processes.
  • Search results for common malware by their characteristic properties.
  • Information about errors found during the check.
  • Search results for hooks on keyboard, mouse or window events.
  • Search results for open TCP and UDP ports used by malware.
  • Information about suspicious system registry keys, file names on disk, and system settings.
  • Search results for potential operating system vulnerabilities and security issues.
  • Information about corrupted operating system settings.

How to execute a script using the AVZ utility

Use the AVZ utility only under the guidance of a Kaspersky Lab technical support specialist as part of your request. Doing it yourself can damage the operating system and cause data loss.

  1. Download the AVZ utility executable file.
  2. Run avz5.exe on your computer. If the Windows Defender SmartScreen filter prevented avz5.exe from starting, click More and then Run anyway in the "Windows protected your computer" window.
  3. Go to File - Run script.
  4. Paste into the input field the script that you received from the Kaspersky Lab technical support specialist.
  5. Click Run.
  6. Wait for the utility to finish and follow the further recommendations of the Kaspersky Lab technical support specialist.

An excellent program for removing viruses and restoring the system is AVZ (Zaitsev's Antivirus). You can download AVZ by clicking the orange button after the links are generated. And if a virus blocks the download, try downloading the entire anti-virus suite!

The main features of AVZ are virus detection and removal.

The AVZ anti-virus utility is designed to detect and remove:

  • SpyWare and AdWare modules - this is the main purpose of the utility
  • Dialer (Trojan.Dialer)
  • Trojans
  • BackDoor modules
  • Network and mail worms
  • TrojanSpy, TrojanDownloader, TrojanDropper

The utility is a direct analog of the TrojanHunter and LavaSoft Ad-aware 6 programs. Its primary task is to remove SpyWare and Trojans.

The features of the AVZ utility (in addition to the typical signature scanner) are:

  • Heuristic system check firmware. The firmware searches for known SpyWare and viruses by indirect signs, based on analysis of the registry, files on disk and in memory.
  • Updated database of safe files. It contains digital signatures of tens of thousands of system files and files of known safe processes. The database is connected to all AVZ subsystems and works on a "friend or foe" principle: safe files are not quarantined, deletion and warnings are blocked for them, and the database is used by the anti-rootkit, the file search system and various analyzers. In particular, the built-in process manager highlights safe processes and services in color, and the file search on disk can exclude known files from the results (very useful when hunting for Trojans on disk);
  • Built-in rootkit detection system. The search for rootkits works without signatures, by examining the basic system libraries for interception of their functions. AVZ can not only detect a rootkit but also correctly block a UserMode rootkit for its own process and a KernelMode rootkit at the system level. Rootkit countermeasures apply to all AVZ service functions, so the AVZ scanner can detect masked processes, the registry search "sees" masked keys, and so on. The anti-rootkit is equipped with an analyzer that detects processes and services masked by a rootkit. In my opinion, one of the main features of the rootkit countermeasure system is that it works in Win9X (the widespread belief that there are no rootkits running on the Win9X platform is deeply mistaken: hundreds of Trojans are known that intercept API functions to mask their presence, distort the operation of API functions or monitor their use). Another feature is the universal KernelMode rootkit detection and blocking system, which works under Windows NT, Windows 2000 Pro/Server, XP, XP SP1, XP SP2, Windows 2003 Server and Windows 2003 Server SP1;
  • Keylogger and Trojan DLL detector. The search for keyloggers and Trojan DLLs is based on analysis of the system without a signature database, which makes it possible to reliably detect previously unknown Trojan DLLs and keyloggers;
  • Neuroanalyzer. In addition to the signature analyzer, AVZ contains a neuroemulator that allows suspicious files to be analyzed with a neural network. Currently the neural network is used in the keylogger detector;
  • Built-in analyzer of Winsock SPI/LSP settings. It allows you to analyze the settings, diagnose possible setup errors and perform automatic repair. Automatic diagnosis and repair is useful for novice users (utilities like LSPFix have no automatic repair). For studying SPI/LSP manually, the program has a dedicated LSP/SPI settings manager. The Winsock SPI/LSP analyzer is covered by the anti-rootkit;
  • Built-in manager of processes, services and drivers. Designed for examining running processes and loaded libraries, running services and drivers. The process manager is covered by the anti-rootkit (so it "sees" processes masked by a rootkit). The process manager is linked to the AVZ safe files database; recognized safe and system files are highlighted in color;
  • Built-in utility for searching files on disk. Allows searching for a file by various criteria; its capabilities exceed those of the system search. The search is covered by the anti-rootkit (so it "sees" files masked by a rootkit and can delete them), and a filter allows files identified by AVZ as safe to be excluded from the results. Results are available as a text log and as a table in which a group of files can be marked for later deletion or quarantine;
  • Built-in utility for searching the registry. Allows searching for keys and values by a given pattern; results are available as a text protocol and as a table in which several keys can be marked for export or deletion. The search is covered by the anti-rootkit (so it "sees" registry keys masked by a rootkit and can delete them);
  • Built-in analyzer of open TCP/UDP ports. It is covered by the anti-rootkit, and in Windows XP the process using each port is displayed. The analyzer relies on an updated database of known Trojan/backdoor ports and known system services. The search for Trojan ports is part of the main system check: when suspicious ports are detected, warnings are written to the protocol indicating which Trojans tend to use that port;
  • Built-in analyzer of shared resources, network sessions and files opened over the network. Works in Win9X and NT/W2K/XP;
  • Built-in analyzer of Downloaded Program Files (DPF). Displays DPF elements; connected to all AVZ subsystems;
  • System recovery firmware. The firmware restores Internet Explorer settings, program launch settings and other system settings corrupted by malware. Restoration is started manually, and the user specifies which parameters to restore;
  • Heuristic file deletion. If malicious files were removed during treatment and this option is enabled, an automatic examination of the system is performed, covering classes, BHOs, IE and Explorer extensions, all types of autorun available to AVZ, Winlogon, SPI/LSP, etc. All found references to a deleted file are automatically purged, and what exactly was purged and where is recorded in the log. This cleaning makes active use of the system treatment microprogram engine;
  • Checking archives. Starting from version 3.60, AVZ supports scanning of archives and compound files. At the moment ZIP, RAR, CAB, GZIP and TAR archives, e-mail messages and MHT files, and CHM archives are scanned;
  • Checking and treating NTFS streams. NTFS stream checking has been included in AVZ since version 3.75;
  • Control scripts. Allow the administrator to write a script that performs a set of specified operations on the user's PC. Scripts allow AVZ to be used on a corporate network, including launching it during system boot;
  • Process analyzer. The analyzer uses neural networks and analysis firmware; it is enabled when advanced analysis is switched on at the maximum heuristic level and is designed to search for suspicious processes in memory;
  • AVZGuard system. Designed to fight hard-to-remove malware; in addition to AVZ, it can protect user-specified applications such as other anti-spyware and anti-virus programs;
  • Direct disk access system for working with locked files. Works on FAT16/FAT32/NTFS, is supported on all operating systems of the NT line, and allows the scanner to analyze locked files and place them in quarantine;
  • AVZPM process and driver monitoring driver. Designed to track the start and stop of processes and the loading/unloading of drivers in order to find masquerading drivers and detect distortions, created by DKOM rootkits, in the structures that describe processes and drivers;
  • Boot Cleaner driver. Designed to clean the system (remove files, drivers, services and registry keys) from KernelMode. The cleaning can be performed either while the computer restarts or during treatment.

Restoring system settings.

  • Restoring launch options for .exe, .com, .pif files
  • Reset IE settings
  • Restoring Desktop Settings
  • Removing all user restrictions
  • Deleting a message in Winlogon
  • Restoring File Explorer Settings
  • Removing system process debuggers
  • Restoring Safe Mode Boot Settings
  • Unlock Task Manager
  • Cleaning up the Hosts file
  • Fixing SPI/LSP Settings
  • Reset SPI/LSP and TCP/IP settings
  • Unlocking the Registry Editor
  • Clearing MountPoints keys
  • Replacing DNS servers
  • Removing the IE/Edge proxy server setting
  • Removing Google Restrictions


Program tools:

  • Process Manager
  • Service and Driver Manager
  • Kernel space modules
  • Internal DLL Manager
  • Registry search
  • File search
  • Search by cookie
  • Startup Manager
  • Browser extension manager
  • Control Panel Applet Manager (cpl)
  • File Explorer Extension Manager
  • Print Extension Manager
  • Task Scheduler Manager
  • Protocol and handler manager
  • DPF manager
  • Active Setup Manager
  • Winsock SPI Manager
  • Hosts File Manager
  • TCP/UDP port manager
  • Manager of network shares and network connections
  • A set of system utilities
  • Checking a file against the safe files database
  • Checking a file against the Microsoft Security Catalog
  • Calculating MD5 sums of files

That is quite a large set of tools for saving your computer from various infections!

Antivirus programs, even when they detect and remove malicious software, do not always restore full system performance. Often, after removing a virus, the user gets an empty desktop, no Internet access at all (or access to some sites blocked), a non-working mouse, and so on. This is usually because some system or user settings changed by the malware remain in place.

The utility is free, works without installation, is surprisingly functional and has helped me out in a variety of situations. A virus usually makes changes to the system registry (adds itself to startup, modifies program launch parameters, etc.). Rather than digging into the system to fix the traces of a virus by hand, use the "System Restore" operation available in AVZ (the utility is also very, very good as an antivirus, so it is a good idea to check the disks for viruses with it as well).

To start the recovery, run the utility and click File - System Restore.

A window with the list of operations will open; check the boxes you need and click "Perform the marked operations".

1. Restoring launch options for .exe, .com, .pif files
This firmware restores the system's response to .exe, .com, .pif and .scr files.
Indications for use: after removing a virus, programs stop running.

2. Resetting Internet Explorer protocol prefix settings to standard
This firmware restores the protocol prefix settings in Internet Explorer.
Indications for use: when you enter an address like www.yandex.ru, it is replaced by something like www.seque.com/abcd.php?url=www.yandex.ru

3. Restoring the Internet Explorer start page
This firmware restores the start page in Internet Explorer.
Indications for use: the start page has been substituted.

4. Resetting Internet Explorer search settings to standard
This firmware restores the search settings in Internet Explorer.
Indications for use: clicking the "Search" button in IE opens some extraneous site.

5. Restoring desktop settings
This firmware restores the desktop settings. Restoration involves deleting all Active Desktop elements and wallpapers and removing the locks on the menu responsible for desktop settings.
Indications for use: the desktop settings tabs have disappeared from the "Display Properties" window, or extraneous text or pictures are displayed on the desktop.

6. Removing all Policies (restrictions) of the current user
Windows provides a user restriction mechanism called Policies. Many malware programs use it, because the settings are stored in the registry and are easy to create or modify.
Indications for use: File Explorer functions or other system functions are blocked.

7. Deleting the message in Winlogon
Windows NT and subsequent systems of the NT line (2000, XP) allow setting a message that is displayed during startup. A number of malicious programs use this, and destroying the malicious program does not remove the message.
Indications for use: an extraneous message appears during system boot.

8. Restoring File Explorer settings
This firmware resets a number of File Explorer settings to their defaults (the settings changed by malware are reset first).
Indications for use: Explorer settings have been changed.

9. Removing system process debuggers
Registering a debugger for a system process allows an application to be launched invisibly, which a number of malicious programs use.
Indications for use: AVZ detects unrecognized debuggers for system processes, or there are problems launching system components; in particular, the desktop disappears after a reboot.

10. Restoring Safe Mode boot settings
Some malware, such as the Bagle worm, corrupts the system's Safe Mode boot settings. This firmware restores the Safe Mode boot settings.
Indications for use:

11. Unlocking Task Manager
Malware blocks Task Manager to protect its processes from detection and removal. Running this microprogram removes the lock.
Indications for use: Task Manager is blocked; when you try to open it, the message "Task manager has been blocked by the administrator" is displayed.
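The "system process debugger" mechanism that the debugger-removal firmware cleans up is the Debugger value under the Image File Execution Options (IFEO) registry key. As an added example (not AVZ code), the following Python audits a constructed .reg export of that key and flags images whose registered debugger is not a known debugger executable; the allow-list, the image names and the paths are assumptions made for the example.

```python
import re

# Constructed sample of a .reg export of the IFEO key. notepad.exe carries a legitimate
# debugger registration; explorer.exe shows the pattern described above, a system process
# redirected to another executable. All names and paths are constructed.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="C:\\Tools\\windbg.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe]
"Debugger"="C:\\Users\\Public\\svchost32.exe"
"GlobalFlag"=dword:00000000
"""

IFEO_MARK = "\\image file execution options\\"  # the image name follows this marker
KEY_RE = re.compile(r"^\[(.+)\]$")
DEBUGGER_RE = re.compile(r'^"Debugger"="(.*)"$')


def find_ifeo_debuggers(reg_text):
    """Map image name -> debugger command for every IFEO subkey that has a Debugger value."""
    found = {}
    image = None
    for line in reg_text.splitlines():
        line = line.strip()
        key = KEY_RE.match(line)
        if key:
            name = key.group(1)
            idx = name.lower().find(IFEO_MARK)
            # The IFEO key itself (no trailing subkey) yields None, so its values are ignored.
            image = name[idx + len(IFEO_MARK):].lower() if idx != -1 else None
            continue
        val = DEBUGGER_RE.match(line)
        if val and image:
            # .reg files double the backslashes inside string values; undo that.
            found[image] = val.group(1).replace("\\\\", "\\")
    return found


# Illustrative allow-list (assumption): debugger executables an administrator would expect.
KNOWN_DEBUGGERS = {"windbg.exe", "cdb.exe", "ntsd.exe", "vsjitdebugger.exe"}


def hijacked_images(reg_text, known=KNOWN_DEBUGGERS):
    """Return the IFEO entries whose Debugger is not a recognised debugger executable."""
    return {img: cmd for img, cmd in find_ifeo_debuggers(reg_text).items()
            if cmd.lower().rsplit("\\", 1)[-1] not in known}


if __name__ == "__main__":
    for img, cmd in hijacked_images(SAMPLE_REG).items():
        print("suspicious IFEO debugger for", img, "->", cmd)
```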

12. Cleaning the HijackThis exclusion list
The HijackThis utility stores a number of its settings in the registry, in particular its exclusion list. Therefore, to hide from HijackThis, malware only needs to register its executable files in the exclusion list. A number of malicious programs are currently known to exploit this weakness. This AVZ firmware cleans the HijackThis exclusion list.
Indications for use: suspicion that the HijackThis utility does not display all information about the system.

13. Cleaning up the Hosts file
Cleaning the Hosts file comes down to finding the Hosts file, removing all significant lines from it, and adding the standard line "127.0.0.1 localhost".
Indications for use: suspicion that the Hosts file has been modified by malware. A typical symptom is blocked anti-virus software updates. You can inspect the contents of the Hosts file with the Hosts file manager built into AVZ.
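As an added illustration of what the Hosts file cleanup does (example code, not part of AVZ), the following Python parses a constructed Hosts file, lists every mapping that is not the standard localhost entry (the kind of entry that blocks anti-virus updates), and produces the cleaned file the text describes, with only "127.0.0.1 localhost" left among the significant lines. The sample file and its hostnames are constructed.

```python
# Constructed sample of a Hosts file tampered with by malware: the standard localhost
# lines plus two sinkhole entries that would block an anti-virus vendor's update servers.
SAMPLE_HOSTS = """# Constructed sample Hosts file (comment lines are not significant)
#
# localhost name resolution is handled within DNS itself.

127.0.0.1       localhost
::1             localhost
127.0.0.1  update.example-antivirus.test
0.0.0.0    downloads.example-antivirus.test  # added by malware (constructed)
"""

LOCAL_NAMES = {"localhost", "localhost.localdomain"}


def parse_hosts(text):
    """Yield (ip, hostname) pairs for every significant (non-blank, non-comment) line."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        for name in names:
            yield ip, name


def suspicious_entries(text):
    """Return the mappings that are not the standard localhost entries."""
    return [(ip, name) for ip, name in parse_hosts(text) if name.lower() not in LOCAL_NAMES]


def clean_hosts(text):
    """Mirror the cleanup the text describes: remove every significant line and append
    the standard "127.0.0.1 localhost" line. Blank and comment-only lines are kept."""
    kept = [raw for raw in text.splitlines() if not raw.split("#", 1)[0].strip()]
    return "\n".join(kept + ["127.0.0.1 localhost"]) + "\n"


if __name__ == "__main__":
    for ip, name in suspicious_entries(SAMPLE_HOSTS):
        print("suspicious Hosts entry:", ip, name)
    print(clean_hosts(SAMPLE_HOSTS))
```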

14. Automatic correction of SPI/LSP settings
Analyzes the SPI settings and, if errors are found, automatically corrects them. This firmware can be re-run any number of times. It is recommended to restart the computer after running it.
Indications for use: Internet access was lost after the malware was removed.

15. Resetting SPI/LSP and TCP/IP settings
This firmware only works on XP, Windows 2003 and Vista. It works by resetting and recreating the SPI/LSP and TCP/IP settings using the standard netsh utility included with Windows. Note! Use this reset only when necessary, if you have unrecoverable problems with Internet access after removing malware!
Indications for use: after removing the malicious program, Internet access does not work and running the firmware "14. Automatic correction of SPI/LSP settings" does not help.

16. Restoring the Explorer launch key
Restores the system registry keys responsible for starting Explorer.
Indications for use: Explorer does not start during system boot, but explorer.exe can be started manually.

17. Unlocking the Registry Editor
Unlocks the Registry Editor by removing the policy that prevents it from running.
Indications for use: the Registry Editor cannot be started; when you try, a message says that its launch has been blocked by the administrator.

18. Recreating SPI/LSP settings
Backs up the SPI/LSP settings, then destroys them and recreates them according to the standard stored in the database.
Indications for use:

19. Clearing MountPoints keys
Clears the MountPoints and MountPoints2 databases in the registry. This operation often helps when, after infection with a flash-drive virus, disks cannot be opened in Explorer.
To perform the recovery, select one or more items and click the "Perform the marked operations" button. Clicking the OK button closes the window.

Note: recovery is useless if a Trojan that performs such reconfiguration is still running on the system; first remove the malicious program, then restore the system settings.

Note: to eliminate the traces of most hijackers, run three firmware items: "Reset Internet Explorer search settings to standard", "Restore Internet Explorer start page" and "Reset Internet Explorer protocol prefix settings to standard".

Note: any of the firmware can be run several times in a row without damage to the system. The exceptions are "5. Restoring desktop settings" (this firmware resets all desktop settings, and you will have to re-select the desktop colors and wallpaper) and "10. Restoring boot settings in SafeMode" (this firmware recreates the registry keys responsible for booting in safe mode).


There are universal programs, like a Swiss army knife. The hero of my article is just such a "universal" one. Its name is AVZ (Antivirus Zaitsev). With the help of this free antivirus you can catch viruses, optimize the system and fix problems.

AVZ features

What an antivirus program is, I have already told in. How AVZ works as a one-off antivirus (more precisely, an anti-rootkit) is well described in its help, but I will show you the other side of the program: checking and restoring settings.

What can be "fixed" with AVZ:

  • Repair startup programs (.exe, .com, .pif files)
  • Reset Internet Explorer settings to standard
  • Restore Desktop Settings
  • Remove rights restrictions (for example, if a virus blocked the launch of programs)
  • Remove banner or window that appears before login
  • Remove viruses that can run with any program
  • Unblock Task Manager and Registry Editor (if the virus has prevented them from running)
  • Clear File
  • Disable autorun programs from flash drives and disks
  • Delete unnecessary files from hard drive
  • Fix desktop issues
  • And much more

It can also be used to check Windows security settings (to better protect against viruses), as well as to optimize the system by cleaning up startup.

The AVZ download page is located.

The program is free.

First, let's protect our Windows from careless actions

The AVZ program has a great many functions that affect how Windows works. This is dangerous, because in case of an error, trouble can happen. Please read the text and the help carefully before doing anything. The author of the article is not responsible for your actions.

In order to be able to "return everything as it was" after careless work with AVZ, I wrote this chapter.

This is a mandatory step; in fact, it creates a "retreat route" in case of careless actions: thanks to the restore point, it will be possible to restore the settings and the Windows registry to an earlier state.

Windows System Restore is a mandatory component of all versions of Windows starting with Windows ME. It is a pity that people usually forget about it and waste time reinstalling Windows and programs, when they could have just clicked a couple of times with the mouse and avoided all the problems.

If the damage is serious (for example, some system files have been deleted), System Restore will not help. In other cases (you configured Windows incorrectly, "played" with the registry, installed a program after which Windows does not boot, or used the AVZ program incorrectly) System Restore should help.

After running, AVZ creates subfolders with backups in its own folder:

/backup - backup copies of the registry are stored there.

/Infected - copies of removed viruses.

/quarantine - copies of suspicious files.

If problems started after AVZ was run (for example, you thoughtlessly used the AVZ System Restore tool and the Internet stopped working) and Windows System Restore did not roll back the changes, you can open the registry backups from the backup folder.

How to create a restore point

Let's go to Start - Control Panel - System - System Protection:

Click "System Protection" in the "System" window.

Click the "Create" button.

The process of creating a restore point can take up to ten minutes. Then a window will appear:

The restore point will be created. By the way, restore points are created automatically when you install programs and drivers, but not always. Therefore, before dangerous actions (configuring or cleaning the system), it is better to create a restore point once more, so that in case of trouble you can praise yourself for your forethought.

How to restore your computer using a restore point

There are two ways to launch System Restore: from a running Windows, and using the installation disc.

Option 1 - if Windows starts

Let's go to Start - All Programs - Accessories - System Tools - System Restore:

The wizard will start. Select "Choose a different restore point" and click Next. A list of restore points will open; choose the one you need:

The computer will restart automatically. After booting, all settings, the registry and some important files will be restored.

Option 2 - If Windows won't boot

You need an "installation" disk with Windows 7 or Windows 8. Where to get it (or download it), I wrote in.

Boot from the disk (how to boot from boot disks is described) and select:

Choose "System Restore" instead of installing Windows

Repairing the system after viruses or inept actions with the computer

Before doing anything, get rid of the viruses, for example using. Otherwise there is no point: the corrected settings will be "broken" again by the running virus.

Restoring the launch of programs

If a virus has blocked the launch of any programs, then AVZ will help you. Of course, you also need to start AVZ itself, but it's pretty easy:

First go to Control Panel (set any view type except Category) - Folder Options - View, uncheck "Hide extensions for known file types" and click OK. Now each file shows its extension: a few characters after the last dot in the name. Programs usually have .exe and .com. To run the AVZ antivirus on a computer where programs are prohibited from running, rename its extension to cmd or pif:

Then AVZ will start. In the program window itself, press File - :

Items to note:

1. Restore launch options for .exe, .com, .pif files (this actually solves the problem of running programs)

6. Remove all Policies (restrictions) of the current user (in some rare cases this item also helps to solve the problem of launching programs, if the virus is very harmful)

9. Removing system process debuggers (it is highly advisable to check this item, because even if you scanned the system with an antivirus, something could remain from the virus. It also helps if the Desktop does not appear when the system starts)

Confirm the action; a window appears with the text "System Restore Completed". After that it only remains to restart the computer, and the problem with starting programs will be solved!

Desktop startup recovery

A fairly common problem is that the desktop does not appear when the system starts.

You can start the Desktop like this: press Ctrl + Alt + Del, launch the Task Manager, press File - New Task (Run...) and enter explorer.exe:

Click OK and the desktop will start. But this is only a temporary solution: the next time you turn on the computer, you will have to repeat it all again.

To avoid doing this every time, you need to restore the launch key of the explorer program ("Explorer", which is responsible for the standard viewing of folder contents and for the Desktop). In AVZ press File - and mark the item

Perform the marked operations, confirm the action and press OK. Now the desktop will start normally when the computer boots.

Unlock Task Manager and Registry Editor

If the virus has blocked the launch of the two above-mentioned programs, the ban can be removed through the AVZ program window. Just check two things:

11. Unlock Task Manager

17. Unlock Registry Editor

And press Perform the marked operations.

Problems with the Internet (Vkontakte, Odnoklassniki and antivirus sites do not open)

Cleaning the system from unnecessary files

The AVZ program can clean the computer of junk files. If no hard disk cleanup program is installed on the computer, AVZ will do the job, since it offers many options:

More about points:

  1. Clear system cache Prefetch - cleans the folder holding information about which files to load in advance so that programs start quickly. The option is useless, because Windows itself monitors the Prefetch folder quite successfully and cleans it when required.
  2. Delete Windows log files - cleans up various databases and files that store records of events occurring in the operating system. The option is useful only if you need to free up a dozen or two megabytes of disk space; in other words, the benefit is scanty and the option is essentially useless.
  3. Delete memory dump files - when a critical error occurs, Windows stops and shows a BSOD (Blue Screen of Death), at the same time saving information about the running programs and drivers to a file so that special programs can analyze it later and identify the culprit of the failure. The option is almost useless, as it frees only a dozen or so megabytes. Clearing the memory dump files does not harm the system.
  4. Clear Recent Documents list - oddly enough, the option clears the Recent Documents list, which lives in the Start menu. You can also clear the list manually by right-clicking that item in the Start menu and selecting "Clear Recent Items List". A useful option: I noticed that clearing the list of recent documents lets the Start menu display its submenus a little faster. The system will not be damaged.
  5. Clearing the TEMP folder - the holy grail for those looking for the cause of disappearing free space on drive C:. Many programs store files for temporary use in the TEMP folder and forget to "clean up after themselves" afterwards. Archivers are a typical example: they unpack files there and forget to delete them. Clearing the TEMP folder does not harm the system, and it can free a lot of space (in especially neglected cases the gain reaches fifty gigabytes!).
  6. Adobe Flash Player - cleaning up temporary files - the "flash player" can save files for temporary use, and they can be removed. Sometimes (rarely) the option helps with Flash Player glitches, for example problems playing video and audio on the Vkontakte website. There is no harm in using it.
  7. Clearing the cache of the terminal client - as far as I know, this option clears the temporary files of the Windows component called "Remote Desktop Connection" (remote access to computers over RDP). The option seems to do no harm; it frees a dozen megabytes at best. There is no point in using it.
  8. IIS - delete HTTP error log - it would take too long to explain what this is. I will just say that it is better not to enable the option to clear the IIS log. In any case it does no harm, but no good either.
  9. Macromedia Flash Player - duplicates "Adobe Flash Player - cleaning up temporary files", but applies to rather ancient versions of Flash Player.
  10. Java - cache clearing - gains a couple of megabytes on the hard drive. I do not use Java programs, so I have not checked the consequences of enabling the option. I don't recommend turning it on.
  11. Emptying the Recycle Bin - the purpose of this item is perfectly clear from its name.
  12. Delete system update installation logs - Windows keeps a log of installed updates; enabling this option clears it. The option is useless, because there is no free space to gain.
  13. Delete the Windows Update log - similar to the previous item, but other files are deleted. Also a useless option.
  14. Clear the MountPoints database - if, when you connect a flash drive or hard drive, no icons for them appear in the Computer window, this option can help. I advise turning it on only if you have problems connecting flash drives and disks.
  15. Internet Explorer - clear cache - clears Internet Explorer's temporary files. The option is safe and useful.
  16. Microsoft Office - clear cache - clears the temporary files of the Microsoft Office programs: Word, Excel, PowerPoint and others. I can't check whether the option is safe because I don't have Microsoft Office.
  17. Clearing the cache of the CD burning system - a useful option that deletes files you have prepared for burning to discs.
  18. Cleaning the system TEMP folder - unlike the user's TEMP folder (see item 5), clearing this folder is not always safe, and it usually frees little space. I don't recommend turning it on.
  19. MSI - cleaning the Config.Msi folder - this folder contains various files created by program installers. The folder becomes large if installers did not finish their work correctly, so clearing Config.Msi is justified. Be warned, however: there may be problems uninstalling programs that use .msi installers (for example, Microsoft Office).
  20. Clear task scheduler logs - the Windows Task Scheduler keeps a log in which it records information about completed tasks. I do not recommend enabling this item: there is no benefit, but it can add problems, because the Windows Task Scheduler is a rather buggy component.
  21. Delete Windows setup logs - the space gain is insignificant; there is no point in deleting them.
  22. Windows - clear icon cache - useful if you have problems with shortcuts, for example when the desktop appears but the icons do not show up immediately. Enabling this option does not affect system stability.
  23. Google Chrome - clear cache - a very useful option. Google Chrome stores copies of pages in a dedicated folder so that sites open faster (pages are loaded from the hard drive instead of being downloaded over the Internet). Sometimes the size of this folder reaches half a gigabyte. Cleaning it is useful for freeing hard drive space, and it does not affect the stability of either Windows or Google Chrome.
  24. Mozilla Firefox - cleaning the CrashReports folder - every time the Firefox browser runs into a problem and crashes, report files are created. This option deletes them. The gain in free space reaches a couple of dozen megabytes, so the option makes little sense, but some. The stability of Windows and Mozilla Firefox is not affected.

Depending on the installed programs, the number of items will differ. For example, if the Opera browser is installed, you can clear its cache too.

Cleaning the list of startup programs

A sure way to speed up the computer's startup and operation is to clean the autorun list. If unnecessary programs do not start, the computer will not only turn on faster but also run faster, thanks to the resources that background programs would otherwise take.

AVZ can see almost all the loopholes in Windows through which programs are launched. You can view the autorun list via the Tools - Autorun Manager menu:

An ordinary user has no use for such powerful functionality, so I urge you not to disable everything. It is enough to look at just two items: Autorun folders and Run*.

AVZ displays autostart entries not only for your user but also for all other profiles:

In the Run* section it is better not to disable programs located under HKEY_USERS, as this may break other user profiles and the operating system itself. In the Autorun folders section you can turn off everything you don't need.

Lines marked in green are recognized by the antivirus as known. These include both Windows system programs and third-party programs that are digitally signed.

All other programs are marked in black. This does not mean that such programs are viruses or anything of the kind; it simply means that not all programs are digitally signed.

Don't forget to widen the first column so you can see the program name. Simply unchecking an entry temporarily disables that program's autorun (you can tick it again later); selecting the entry and pressing the button with the black cross deletes the entry for good (or until the program writes itself back into autorun).

The question arises: how do you determine what can be disabled and what cannot? There are two approaches:

First, common sense: you can decide based on the name of the program's .exe file. For example, when Skype is installed, it creates an entry to start automatically when the computer is turned on. If you do not need that, uncheck the entry ending in skype.exe. Incidentally, many programs (including Skype) can remove themselves from startup; just uncheck the corresponding item in the program's own settings.

Second, you can search the Internet for information about the program and decide, based on what you find, whether to remove it from autorun. AVZ makes it easy to look up information about an entry: just right-click it and select your favorite search engine:

By disabling unnecessary programs you will noticeably speed up your computer's startup. However, it is unwise to disable everything indiscriminately: you risk losing the keyboard layout indicator, disabling the antivirus, and so on.

Disable only those programs that you know for sure you don't need in autorun.

Conclusion

In principle, what I described in this article is like hammering nails with a microscope: AVZ is suitable for optimizing Windows, but in general it is a complex and powerful tool suitable for a wide variety of tasks. To use AVZ to its fullest, however, you need to know Windows thoroughly, so you can start small, namely with what I described above.

If you have any questions or comments, there is a comment block under the article where you can write to me. I follow the comments and will try to answer as soon as possible.


We will talk about the simplest ways to neutralize viruses, in particular those that block the Windows 7 user's desktop (the Trojan.Winlock family). Such viruses are distinguished by the fact that they do not hide their presence in the system but, on the contrary, demonstrate it, making it as difficult as possible to do anything other than enter a special "unlock code", for which the user is supposedly required to transfer a certain sum to the attackers by sending an SMS or topping up a mobile phone through a payment terminal. There is only one goal: to make the user pay, sometimes quite a lot of money. A window is displayed with a threatening warning that the computer has been blocked for using unlicensed software, visiting unwanted sites or something similar, usually to frighten the user. In addition, the virus does not let you do anything in the Windows environment: it blocks the special key combinations that open the Start menu, the Run command, the Task Manager, and so on, and the mouse pointer cannot be moved outside the virus window. As a rule, the same picture is seen when booting Windows in safe mode. The situation seems hopeless, especially if there is no second computer and no way to boot into another operating system or from removable media (Live CD, ERD Commander, a virus scanner). Nevertheless, in the vast majority of cases there is a way out.

New technologies implemented in Windows Vista / Windows 7 made it much harder for malware to infiltrate and take complete control of the system, and also gave users additional means of getting rid of it relatively easily, even without antivirus software. We are talking about the ability to boot the system into safe mode with command prompt support and run system management and recovery tools from there. Obviously, out of habit, and because of the rather poor implementation of this mode in earlier versions of Windows, many users simply do not use it. In vain: the Windows 7 command prompt has no familiar desktop (which a virus can block), but from it you can run most programs: the registry editor, the task manager, the system restore utility, and so on.

Removing a virus by rolling back the system to a restore point

A virus is an ordinary program, and even if it sits on the computer's hard drive, as long as it has no way to start automatically when the system boots and the user logs on, it is as harmless as, for example, an ordinary text file. If the automatic launch of the malicious program is blocked, the task of getting rid of the malware can be considered solved. The main automatic launch method used by viruses is specially crafted registry entries created when they install themselves into the system. If these entries are deleted, the virus can be considered neutralized. The easiest way is to perform a system restore from a restore point. A restore point is a copy of important system files stored in a special directory ("System Volume Information") and containing, among other things, copies of the Windows registry files. Rolling the system back to a restore point created before the infection gives you a registry state without the entries made by the virus, which excludes its automatic start; in other words, you get rid of the infection even without antivirus software. In this way you can simply and quickly get rid of most viruses, including those that block the Windows desktop. Naturally, a blocker virus that, for example, modifies the hard disk boot records (the MBRLock virus) cannot be removed this way, since rolling back to a restore point does not affect the disk boot records, and it will not be possible to boot Windows into safe mode with command prompt support at all, because the virus loads even before the Windows bootloader. To get rid of such an infection you will have to boot from another medium and restore the infected boot records. But such viruses are relatively rare, and in most cases the infection can be removed by rolling back to a restore point.

1. At the very start of booting, press F8. The Windows bootloader menu with the available boot options will appear on the screen.

2. Select the boot option "Safe Mode with Command Prompt".

After booting and logging on, the cmd.exe command processor window will be displayed instead of the usual Windows desktop.

3. Run the "System Restore" tool: type rstrui.exe at the command line and press ENTER.

Switch to "Choose a different restore point" and in the next window check the box "Show more restore points".

After selecting a Windows restore point, you can view the list of programs affected by the rollback:

The list of affected programs is the list of programs installed after the restore point was created that may need to be reinstalled, because there will be no registry entries associated with them.

After clicking the "Finish" button, the recovery process begins. When it completes, Windows restarts.

After the reboot, a message about the success or failure of the rollback is displayed and, if it succeeded, Windows returns to the state it was in on the date the restore point was created. If the desktop is still locked, you can use the more advanced method described below.

Removing a virus without rolling back the system to a restore point

It may be that the system has no restore point data for various reasons, the restore procedure ended with an error, or the rollback did not give a positive result. In this case you can use the MSCONFIG.EXE System Configuration diagnostic utility. As in the previous case, boot Windows into safe mode with command prompt support and, in the cmd.exe command interpreter window, type msconfig.exe and press ENTER.

On the General tab you can select the following Windows startup modes:

Diagnostic startup - when the system boots, only the minimum necessary system services and user programs are launched.
Selective startup - lets you set manually the list of system services and user programs that will be launched during boot.

To eliminate a virus, the easiest way is to use the diagnostic startup, in which the utility itself determines the set of automatically starting programs. If in this mode the virus stops blocking the desktop, you need to go on to the next step: determine which of the programs is the virus. For this you can use selective startup mode, which lets you enable or disable the launch of individual programs manually.

The "Services" tab lets you enable or disable the launch of system services whose startup type is set to "Automatic". An unchecked box next to a service name means it will not be started during boot. At the bottom of the MSCONFIG window there is a "Hide all Microsoft services" checkbox; when it is enabled, only third-party services are displayed.

I note that the probability of the system being infected by a virus installed as a system service under the default security settings of Windows Vista / Windows 7 is very low, and you will have to look for traces of the virus in the list of automatically starting user programs (the "Startup" tab).

Just as on the Services tab, you can enable or disable the automatic launch of any program that appears in the list displayed by MSCONFIG. If a virus is activated in the system by automatic launch through special registry keys or the contents of the Startup folder, then with msconfig you can not only neutralize it but also determine the path and name of the infected file.

The msconfig utility is a simple and convenient tool for configuring the automatic start of services and applications that start in the standard way for Windows operating systems. However, virus authors quite often use tricks that allow malware to run without the standard autorun points. Such a virus can most likely be removed by the rollback to a restore point described above. If a rollback is impossible and msconfig did not give a positive result, you can resort to direct registry editing.

While fighting a virus, the user often has to do a hard reset (Reset) or cut the power. This can lead to a situation where the system starts normally but never reaches the logon. The computer "hangs" because of a corrupted logical data structure in some system files, which happens on an incorrect shutdown. To solve the problem, as in the previous cases, boot into safe mode with command prompt support and run the system disk check command:

chkdsk C: /F - check drive C: and correct the errors found (the /F switch)

Because at the time chkdsk runs the system disk is in use by system services and applications, chkdsk cannot obtain exclusive access to it to perform the check. Therefore the user is shown a warning and asked whether to perform the check at the next reboot. After answering Y, an entry is written to the registry so that the disk check starts when Windows restarts. When the check completes, this entry is removed and Windows reboots normally without user intervention.

Eliminating the possibility of starting a virus using the registry editor

To launch the registry editor, as in the previous case, boot Windows into safe mode with command prompt support, type regedit.exe in the command interpreter window and press ENTER. Windows 7 with standard security settings is protected from many of the methods of launching malicious programs that were used in earlier Microsoft operating systems. Installing their own drivers and services, reconfiguring the WINLOGON service to load their own executable modules, modifying registry keys that apply to all users, and so on: all these methods either do not work in Windows 7 or require such serious effort that they are practically never encountered. As a rule, the registry changes that let the virus run are made only within the permissions of the current user, i.e. under HKEY_CURRENT_USER.

To demonstrate the simplest mechanism for locking the desktop, substitution of the user shell, and the inability of the MSCONFIG utility to detect and remove such a virus, you can perform the following experiment: instead of a virus, edit the registry yourself so as to get, for example, a command prompt instead of the desktop. The familiar desktop is created by Windows Explorer (the Explorer.exe program) running as the user's shell. This is provided by the Shell value in the registry keys

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon - for all users.
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon - for the current user.

The Shell value is a string with the name of the program that will be used as the shell when the user logs on. Normally there is no Shell value in the key for the current user (HKEY_CURRENT_USER, or HKCU for short), and the value from the key for all users (HKEY_LOCAL_MACHINE, or HKLM for short) is used.

This is what the registry key HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon looks like in a standard Windows 7 installation:

If you add a string value named Shell set to "cmd.exe" to this key, then the next time the current user logs on, the cmd.exe shell will be launched instead of the default Explorer-based user shell, and a command prompt window will appear instead of the usual Windows desktop.

Naturally, any malicious program can be launched this way, and the user gets a porn banner, a blocker or other muck instead of the desktop.
Changing the key for all users (HKLM...) requires administrative privileges, so viruses usually modify the registry key of the current user (HKCU...).

If, continuing the experiment, you run the msconfig utility, you can see that cmd.exe, as a user shell, does not appear in the list of automatically launched programs. A system rollback will, of course, return the registry to its initial state and get rid of the virus's automatic start, but if that is impossible for some reason, only direct registry editing remains. To return to the standard desktop, simply remove the Shell value or change it from "cmd.exe" to "explorer.exe", then log the user on again (log off and log on) or reboot. The registry can be edited by running the registry editor regedit.exe from the command prompt or with the REG.EXE console utility. Command line example for removing the Shell value:

REG delete "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell
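The same check and fix in PowerShell, as an added example that is not part of the article: it reads the Shell value from both Winlogon keys, reports anything other than explorer.exe, and with -Repair deletes a foreign value from the HKCU key, which is exactly what the REG command above does (the function name is mine).

```powershell
# Added example, not from the article: audit the Winlogon Shell value.
# From Safe Mode with Command Prompt run: powershell -File <this script>.ps1
function Test-WinlogonShell {
    param([switch]$Repair)   # -Repair deletes a foreign Shell value from HKCU only

    $subKey = 'Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $result = @()

    foreach ($hive in 'HKLM', 'HKCU') {
        $key = "${hive}:\$subKey"
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        $shell = $null
        if ($props -and $props.PSObject.Properties['Shell']) { $shell = [string]$props.Shell }

        if ($null -eq $shell) {
            # HKCU normally has no Shell value at all; HKLM must carry explorer.exe.
            $state = if ($hive -eq 'HKCU') { 'ok (absent)' } else { 'MISSING' }
        } elseif ($shell.Trim() -eq 'explorer.exe') {
            $state = 'ok'
        } else {
            $state = "SUSPICIOUS: $shell"
            if ($Repair -and $hive -eq 'HKCU') {
                # Same effect as: REG delete "HKCU\...\Winlogon" /v Shell
                Remove-ItemProperty -Path $key -Name Shell
                $state += ' (removed)'
            }
        }
        $result += New-Object PSObject -Property @{ Hive = $hive; Shell = $shell; State = $state }
    }
    $result | Select-Object Hive, Shell, State
}

Test-WinlogonShell            # report only
# Test-WinlogonShell -Repair  # also delete a foreign HKCU Shell value
```

A foreign HKLM value is only reported, since changing it needs an elevated prompt; fix it with regedit as described above.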

The shell substitution shown above is by far one of the most common tricks used by viruses in Windows 7. The fairly high level of security under standard system settings does not let malware reach the registry keys that were used for infection in Windows XP and earlier. Even if the current user is a member of the Administrators group, access to the vast majority of registry settings used for infection requires running the program as an administrator. This is why malware modifies registry keys that the current user is allowed to access (the HKCU... section). The second important factor is the difficulty of writing program files to system directories. This is why most viruses in Windows 7 launch executable files (.exe) from the current user's temporary files directory (Temp). When analyzing the automatic launch points in the registry, first of all pay attention to programs located in the temporary files directory. This is usually C:\USERS\username\AppData\Local\Temp. The exact path of the temporary files directory can be seen through Control Panel, in System Properties under "Environment Variables", or at the command prompt:

set temp
or
echo %temp%

In addition, searching the registry for the string corresponding to the temporary files directory name or the %TEMP% variable can be used as an extra means of virus detection. Legitimate programs never start automatically from the TEMP directory.
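The two checks described on this page, flagging autorun entries that run from the Temp directory and telling signed entries from unsigned ones (the green versus black marking in the AVZ Autorun Manager earlier on this page), as an added PowerShell example that is not part of the article. It walks the Run/RunOnce keys and the Startup folders; the function names are mine, and the Authenticode status comes from Get-AuthenticodeSignature.

```powershell
# Added example, not from the article: audit the standard autorun points
# (Run/RunOnce keys and the Startup folders), resolve every entry to its
# executable, flag anything launched from the user's temp directory and check
# the Authenticode signature (the entries AVZ paints green are the signed ones).
function Resolve-AutorunExecutable {
    param([string]$Command)
    $cmd = [Environment]::ExpandEnvironmentVariables($Command.Trim())
    if ($cmd -match '^"([^"]+)"') { return $Matches[1] }   # "C:\path with spaces\x.exe" /args
    # Unquoted: grow the candidate token by token until it names an existing
    # file or ends in .exe, so that "C:\Program Files\x\x.exe /s" is handled.
    $candidate = ''
    $hit = $false
    foreach ($token in ($cmd -split ' ')) {
        $candidate = if ($candidate) { "$candidate $token" } else { $token }
        if ($candidate -match '\.exe$' -or
            (Test-Path -LiteralPath $candidate -PathType Leaf -ErrorAction SilentlyContinue)) {
            $hit = $true; break
        }
    }
    if (-not $hit) { $candidate = ($cmd -split ' ')[0] }
    # A bare name such as rundll32.exe is resolved through PATH.
    if ($candidate -notmatch '^[A-Za-z]:\\') {
        $found = Get-Command $candidate -CommandType Application -ErrorAction SilentlyContinue | Select-Object -First 1
        if ($found) { $candidate = $found.Definition }
    }
    return $candidate
}

function Get-AutorunAudit {
    $tempDirs = @($env:TEMP, $env:TMP) | Where-Object { $_ } |
        ForEach-Object { $_.TrimEnd('\') } | Select-Object -Unique
    $entries = @()
    $runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
               'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ('PSPath','PSParentPath','PSChildName','PSDrive','PSProvider' -contains $p.Name) { continue }
            $entries += @{ Source = $key; Name = $p.Name; Command = [string]$p.Value }
        }
    }
    # Startup folders: .lnk shortcuts are resolved to their targets via WScript.Shell.
    $wsh = New-Object -ComObject WScript.Shell
    foreach ($folder in 'Startup', 'CommonStartup') {
        $dir = [Environment]::GetFolderPath($folder)
        if (-not $dir -or -not (Test-Path $dir)) { continue }
        foreach ($file in (Get-ChildItem -Path $dir | Where-Object { -not $_.PSIsContainer })) {
            $target = if ($file.Extension -eq '.lnk') { $wsh.CreateShortcut($file.FullName).TargetPath } else { $file.FullName }
            $entries += @{ Source = $dir; Name = $file.Name; Command = "`"$target`"" }
        }
    }
    foreach ($e in $entries) {
        $exe = Resolve-AutorunExecutable $e.Command
        $fromTemp = [bool]($tempDirs | Where-Object { $exe -like "$_\*" })
        $signature = if ($exe -and (Test-Path -LiteralPath $exe -PathType Leaf -ErrorAction SilentlyContinue)) {
            (Get-AuthenticodeSignature -FilePath $exe).Status.ToString()   # Valid, NotSigned, HashMismatch, ...
        } else { 'FileMissing' }
        New-Object PSObject -Property @{
            Source = $e.Source; Name = $e.Name; Executable = $exe
            FromTemp = $fromTemp; Signature = $signature
        }
    }
}

Get-AutorunAudit | Sort-Object FromTemp, Signature -Descending |
    Format-Table Name, Executable, FromTemp, Signature, Source -AutoSize
```

Entries with FromTemp = True or Signature other than Valid are the ones to look up before deciding, as the article advises; the script only reports and deletes nothing.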

For a complete list of possible automatic start points, it is convenient to use the Autoruns program from the Sysinternals Suite.

The easiest way to remove blockers from the MBRLock family

Malicious programs can take control of a computer not only by infecting the operating system but also by modifying the boot sector records of the drive from which it boots. The virus replaces the boot sector data of the active partition with its own program code, so that instead of Windows a simple program loads that displays a ransom message demanding money for the crooks. Since the virus takes control even before the system boots, there is only one way to bypass it: boot from another medium (CD/DVD, external drive, etc.) into any operating system in which the program code of the boot sectors can be restored. The easiest way is to use a Live CD / Live USB, which most antivirus companies provide to users free of charge (Dr.Web Live CD, Kaspersky Rescue Disk, Avast! Rescue Disk, etc.). Besides recovering the boot sectors, these products can also check the file system for malware and delete or disinfect infected files. If this is not possible, you can get by with booting any version of Windows PE (an installation disk, the ERD Commander emergency recovery disk), which allows you to restore normal system boot. Usually, simply being able to reach the command prompt and run one command is enough:

bootsect /nt60 E: /mbr - restore the boot sectors of drive E: (use the letter of the drive that is the boot device of the system damaged by the virus)

or, for Windows versions prior to Windows Vista:

bootsect /nt52 E: /mbr

The bootsect.exe utility can be found not only in system directories but also on any removable medium; it can be run on any Windows operating system and restores the program code of the boot sectors without affecting the partition table or the file system. The /mbr switch is usually not needed, since it restores the program code of the master boot record (MBR), which viruses do not modify (or at least do not yet).

AVZ is a simple and convenient utility that not only helps to deal with viruses but also knows how to restore the system. Why is that necessary?

The fact is that after a virus invasion (it happens that AVZ kills thousands of them), some programs refuse to work, settings have disappeared somewhere, and Windows somehow does not work quite right.

Most often, users in this case simply reinstall the system. But as practice shows, this is not at all necessary, because with the same AVZ utility you can restore almost any damaged programs and data.

To give you a clearer picture, here is the full list of what AVZ is able to restore.

The material is taken from the AVZ guide: http://www.z-oleg.com/secur/avz_doc/ (copy and paste it into the browser's address bar).

The database currently contains the following firmware:

1. Restore launch settings for .exe, .com, .pif files

This firmware restores the system's handling of .exe, .com, .pif and .scr files.

Indications for use: after removing a virus, programs no longer start.

2. Reset Internet Explorer protocol prefix settings to standard

This firmware restores protocol prefix settings in Internet Explorer

Indications for use: when you enter an address like www.yandex.ru, it is replaced by something like www.seque.com/abcd.php?url=www.yandex.ru

3. Restoring the Internet Explorer start page

This firmware restores the start page in Internet Explorer

Indications for use: the start page has been changed.

4. Reset Internet Explorer search settings to default

This firmware restores search settings in Internet Explorer

Indications for use: when you click the "Search" button in IE, some extraneous site is opened.

5. Restore desktop settings

This firmware restores desktop settings.

Restoration involves deleting all Active Desktop elements and wallpapers and removing the locks on the menu responsible for desktop settings.

Indications for use: the tabs for desktop settings in the "Display Properties" window have disappeared, or extraneous text or pictures are displayed on the desktop.

6. Removing all Policies (restrictions) of the current user

Windows provides a mechanism for restricting user actions called Policies. Many malicious programs use it, because the settings are stored in the registry and are easy to create or modify.

Indications for use: File Explorer functions or other system functions are blocked.

7. Removing the message displayed during WinLogon

Windows NT and subsequent systems in the NT line (2000, XP) allow you to set the message displayed during startup.

A number of malicious programs use this, and removing the malicious program does not remove the message.

Indications for use: an extraneous message is shown during system boot.

8. Restore Explorer settings

This firmware resets a number of Explorer settings to their defaults (first of all the settings that malware changes).

Indications for use: Explorer settings have been changed.

9. Removing system process debuggers

Registering a debugger for a system process allows an application to be launched invisibly, which a number of malicious programs exploit.

Indications for use: AVZ detects unrecognized debuggers for system processes; problems launching system components, in particular the desktop disappearing after a reboot.
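The debuggers item 9 talks about are Debugger values under the Image File Execution Options key, and Windows starts the named debugger whenever that image is launched. As an added PowerShell example that is not part of the article (the function name is mine), this lists every such entry and whether the debugger file actually exists, so you can review them before removing one:

```powershell
# Added example, not from the article: list every Image File Execution Options
# entry that carries a Debugger value, the mechanism AVZ's item 9 undoes.
function Get-IfeoDebugger {
    $ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
    foreach ($sub in (Get-ChildItem -Path $ifeo -ErrorAction SilentlyContinue)) {
        $dbg = (Get-ItemProperty -Path $sub.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
        if (-not $dbg) { continue }
        # The value is a command line: take the quoted path or the first token.
        $exe = if ($dbg -match '^"([^"]+)"') { $Matches[1] } else { ($dbg -split ' ')[0] }
        $exe = [Environment]::ExpandEnvironmentVariables($exe)
        New-Object PSObject -Property @{
            Image    = $sub.PSChildName          # e.g. taskmgr.exe
            Debugger = $dbg
            Exists   = [bool]($exe -and (Test-Path -LiteralPath $exe -ErrorAction SilentlyContinue))
        }
    }
}

Get-IfeoDebugger | Format-Table Image, Debugger, Exists -AutoSize
# To undo an entry after checking it, delete the value from an elevated prompt:
# Remove-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\<image.exe>" -Name Debugger
```

A clean Windows 7 installation has no Debugger values here, so every row in the output deserves a look; developer tools sometimes register one legitimately.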

10. Restore boot settings in SafeMode

Some malware, such as the Bagle worm, corrupts the system's safe mode boot settings.

This firmware restores the safe mode boot settings. Indications for use: the computer does not boot in safe mode (SafeMode). Use this firmware only if there are problems booting in safe mode.

11.Unlock Task Manager

Malware blocks Task Manager to protect its processes from detection and removal. Running this firmware removes the lock.

Indications for use: Task Manager is blocked; when you try to open it, the message "Task Manager has been disabled by your administrator" is displayed.

12. Clearing HijackThis Ignore List

The HijackThis utility stores a number of its settings in the registry, in particular, a list of exclusions. Therefore, in order to disguise itself from HijackThis, the malware only needs to register its executable files in the exclusion list.

A number of malicious programs are currently known to exploit this vulnerability. This firmware clears the HijackThis exclusion list.

Indications for use: Suspicions that the HijackThis utility does not display all information about the system.

13. Cleaning up the Hosts file

Cleaning the Hosts file comes down to finding the Hosts file, removing all significant lines from it, and adding the standard line "127.0.0.1 localhost".

Indications for use: suspicion that the Hosts file has been modified by malware. A typical symptom is that antivirus updates are blocked.

You can control the contents of the Hosts file using the Hosts file manager built into AVZ.
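As an added PowerShell example that is not part of the article, here is the same logic as item 13: parse the hosts file, list every active mapping other than localhost (a loopback or 0.0.0.0 address blocks the name, anything else redirects it), and with -Repair back the file up and rewrite it with only the standard line. The function names are mine, and the sample lines at the bottom are constructed, not taken from a real infection.

```powershell
# Added example, not from the article: inspect the hosts file the way AVZ's
# item 13 does and, with -Repair, rewrite it with only "127.0.0.1 localhost".
function Get-HostsEntries {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        $text = ($line -split '#', 2)[0].Trim()          # drop comments
        if (-not $text) { continue }
        $fields = $text -split '\s+'
        if ($fields.Count -lt 2) { continue }
        for ($i = 1; $i -lt $fields.Count; $i++) {       # one object per name on the line
            New-Object PSObject -Property @{ Address = $fields[0]; Name = $fields[$i] }
        }
    }
}

function Get-SuspiciousHostsEntries {
    param([string[]]$Lines)
    Get-HostsEntries $Lines | Where-Object { $_.Name -ne 'localhost' } | ForEach-Object {
        # A loopback/null address silently blocks the name (typical for antivirus
        # update servers); any other address redirects it somewhere else.
        $effect = if ('127.0.0.1', '0.0.0.0', '::1' -contains $_.Address) { 'blocked' } else { 'redirected' }
        New-Object PSObject -Property @{ Name = $_.Name; Address = $_.Address; Effect = $effect }
    }
}

function Repair-HostsFile {
    param(
        [string]$Path = "$env:SystemRoot\System32\drivers\etc\hosts",
        [switch]$Repair
    )
    $lines = Get-Content -Path $Path
    $bad = @(Get-SuspiciousHostsEntries $lines)
    $bad | Format-Table Name, Address, Effect -AutoSize
    if ($Repair -and $bad.Count -gt 0) {
        Copy-Item -Path $Path -Destination "$Path.bak"           # keep a backup first
        Set-Content -Path $Path -Value '127.0.0.1 localhost' -Encoding ASCII
    }
}

# Constructed sample (not a real hosts file) to show what the parser reports:
$sample = @(
    '# Copyright (c) 1993-2009 Microsoft Corp.',
    '127.0.0.1       localhost',
    '::1             localhost',
    '127.0.0.1  update.av-vendor.example   # constructed: blocks an update host',
    '198.51.100.7  www.bank.example'
)
Get-SuspiciousHostsEntries $sample | Format-Table Name, Address, Effect -AutoSize
# Repair-HostsFile            # inspect the real file
# Repair-HostsFile -Repair    # rewrite it (needs an elevated prompt)
```

On the sample, update.av-vendor.example is reported as blocked and www.bank.example as redirected; both are exactly the "significant lines" AVZ removes.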

14. Automatic correction of SPI/LSP settings

Performs analysis of SPI settings and, if errors are found, automatically corrects the errors found.

This firmware can be re-run any number of times. It is recommended to restart the computer after running it. Note! This firmware cannot be run from a terminal session.

Indications for use: Internet access was lost after the malware was removed.

15. Reset SPI/LSP and TCP/IP settings (XP+)

This firmware only works on XP, Windows 2003 and Vista. Its principle of operation is based on resetting and recreating SPI/LSP and TCP/IP settings using the standard netsh utility included with Windows.

Note! Use this reset only when necessary, if you have unrecoverable problems with Internet access after removing malware!

Indications for use: after removing the malicious program, Internet access does not work and running firmware "14. Automatic correction of SPI/LSP settings" does not help.

16. Restoring the Explorer launch key

Restores the system registry keys responsible for launching File Explorer.

Indications for use: Explorer does not start during system boot, but it is possible to start explorer.exe manually.

17. Unlock Registry Editor

Unlocks Registry Editor by removing the policy that prevents it from running.

Indications for use: Unable to start Registry Editor, when trying, a message is displayed stating that its launch has been blocked by the administrator.

18. Full re-creation of SPI settings

Backs up the SPI/LSP settings, then destroys them and recreates them from the standard template stored in the database.

Indications for use: Severe damage to the SPI settings that firmware 14 and 15 cannot repair. Apply only if necessary!

19. Clear base MountPoints

Cleans up the MountPoints and MountPoints2 databases in the registry. This operation often helps when, after infection with a flash-drive virus, disks cannot be opened in Explorer.

To perform the recovery, you must select one or more items and click the "Perform the marked operations" button. Clicking the OK button closes the window.

On a note:

Restoration is useless if a Trojan program that performs such reconfiguration is still running on the system: you must first remove the malware and only then restore the system settings.

On a note:

To eliminate the traces of most hijackers, you need to run three firmware items: "Reset Internet Explorer search settings to standard", "Restore Internet Explorer start page" and "Reset Internet Explorer protocol prefix settings to standard".

On a note:

Any of the firmware can be run several times in a row without damage to the system. The exceptions are "5. Restore Desktop Settings" (running this firmware resets all desktop settings, and you will have to reselect the desktop colours and wallpaper) and "10. Restoring boot settings in SafeMode" (this firmware recreates the registry keys responsible for booting in safe mode).

To start the recovery, first download, unpack and run the utility. Then click File - System Restore. By the way, you can also do

Check the boxes you need and click "Perform the marked operations". That is all; now wait for the operations to complete :-)

In the following articles we will look in more detail at the problems that the AVZ firmware system recovery helps solve. Good luck.

AVZ is a simple and convenient utility that not only helps remove malware but also knows how to restore the system. Why is that necessary?

The fact is that after a virus invasion (AVZ sometimes kills thousands of them), some programs refuse to work, settings disappear somewhere, and Windows no longer works quite correctly.

Most often, in this case, users simply reinstall the system. But as practice shows, this is not at all necessary, because with the help of the same AVZ utility you can restore almost any damaged programs and data.

To give you a clearer picture, I provide a complete list of what AVZ can restore.

The material is taken from the AVZ guide - http://www.z-oleg.com/secur/avz_doc/ (copy and paste into your browser address bar).

The database currently contains the following firmware:

1. Restore launch options for .exe, .com, .pif files

This firmware restores the system's handling of exe, com, pif and scr files.

Indications for use: After removing the virus, the programs stop running.

2. Reset Internet Explorer protocol prefix settings to standard

This firmware restores the protocol prefix settings in Internet Explorer.

Indications for use: when you enter an address like www.yandex.ru, it is replaced by something like www.seque.com/abcd.php?url=www.yandex.ru

3. Restoring the start page of Internet Explorer

This firmware restores the start page in Internet Explorer.

Indications for use: the start page has been changed.

4. Reset Internet Explorer search settings to default

This firmware restores the search settings in Internet Explorer.

Indications for use: clicking the "Search" button in IE calls some extraneous site.

5. Restore desktop settings

This firmware restores the desktop settings.

Restoration involves deleting all active ActiveDesktop elements and wallpapers and removing the locks on the menus responsible for desktop settings.

Indications for use: The desktop settings tabs in the "Display Properties" window have disappeared, or extraneous text or images are displayed on the desktop.

6. Removing all policies (restrictions) of the current user

Windows provides a mechanism for restricting user actions called Policies. This technology is used by many malware families because the settings are stored in the registry and are easy to create or modify.

Indications for use: File Explorer functions or other system functions are blocked.

7. Removing the message displayed during WinLogon

Windows NT and subsequent systems in the NT line (2000, XP) allow you to set the message displayed during startup.

This is used by a number of malicious programs, and removing the malicious program does not remove this message.

Indications for use: An extraneous message is shown during system boot.

8. Restore Explorer settings

This firmware resets a number of File Explorer settings to their defaults (the settings most often changed by malware are reset first).

Indications for use: Explorer settings have been changed.

9. Removing system process debuggers

Registering a debugger for a system process makes Windows start the registered application in place of that process, invisibly to the user; this is used by a number of malicious programs.

Indications for use: AVZ detects unrecognized debuggers for system processes, or there are problems launching system components, in particular the desktop disappears after a reboot.

10. Restore boot settings in SafeMode

Some malware, such as the Bagle worm, corrupts the system's safe mode boot settings.

This firmware restores the safe mode boot settings.

Indications for use: The computer does not boot in safe mode (SafeMode). Use this firmware only if there are problems booting in safe mode.

11. Unlock Task Manager

Malware blocks Task Manager to protect its processes from detection and removal. Accordingly, running this firmware removes the lock.

Indications for use: Task Manager is blocked; when you try to open it, the message "Task Manager has been disabled by your administrator" is displayed.
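As an added example, not code from AVZ or from the guide, the following PowerShell script performs a read-only audit of the registry locations that restore items 1, 6, 7, 9, 11, 16 and 17 repair, so you can see what is set before running them. It only reports; the policy value names checked are a representative selection, not the full list AVZ handles.

```powershell
# Added example: audit (do not change) the registry settings behind AVZ restore items.
$findings = New-Object System.Collections.Generic.List[string]

# Item 1: the launch command for .exe files should be exactly "%1" %*
$exeCmd = (Get-ItemProperty 'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command' -ErrorAction SilentlyContinue).'(default)'
if ($exeCmd -ne '"%1" %*') { $findings.Add("exefile open command altered: $exeCmd") }

# Item 9: a Debugger value under Image File Execution Options makes Windows start that
# program instead of the listed executable, which is how the invisible launch works.
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
Get-ChildItem $ifeo -ErrorAction SilentlyContinue | ForEach-Object {
    $dbg = (Get-ItemProperty $_.PSPath).Debugger
    if ($dbg) { $findings.Add("IFEO debugger for $($_.PSChildName): $dbg") }
}

# Items 6, 11, 17: policy values that block Explorer functions, Task Manager and Registry Editor
$policyChecks = @{
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'   = @('DisableTaskMgr', 'DisableRegistryTools')
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' = @('NoDesktop', 'NoRun', 'NoFolderOptions', 'NoControlPanel')
}
foreach ($key in $policyChecks.Keys) {
    $props = Get-ItemProperty $key -ErrorAction SilentlyContinue
    foreach ($name in $policyChecks[$key]) {
        if ($props -and $props.$name) { $findings.Add("policy $name = $($props.$name) in $key") }
    }
}

# Items 7 and 16: the logon message and the shell that Winlogon starts
$winlogon = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
if ($winlogon.LegalNoticeText) {
    $findings.Add("logon notice set: $($winlogon.LegalNoticeCaption) / $($winlogon.LegalNoticeText)")
}
if ($winlogon.Shell -and $winlogon.Shell -ne 'explorer.exe') {
    $findings.Add("Winlogon Shell is not explorer.exe: $($winlogon.Shell)")
}

if ($findings.Count -eq 0) { 'no suspicious restore-related settings found' } else { $findings }
```

Run it from an elevated prompt; a non-empty report tells you which numbered restore items to mark in AVZ, and, as the notes below say, the malware that set them must be removed first or the values will simply come back.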
