System Restore. AVZ: restore system settings and remove viruses. Restoring Windows using AVZ

In certain situations it may be necessary to disable the kernel debugger. This operation cannot be recommended to inexperienced users because of the potential threat to the stability of the Microsoft Windows operating system.

Instructions

Click the "Start" button to open the main system menu and type cmd in the search box; this begins the procedure for disabling the kernel debugger.

Right-click the "Command Prompt" entry that is found and choose "Run as administrator" from the context menu.

Type Kdbgctrl.exe -d at the command prompt to disable kernel debugging for the current session and press Enter to confirm the command.

To disable kernel debugging for all sessions on Windows Vista and Windows 7, enter bcdedit /debug off at the command prompt and press Enter to confirm your choice.

On all earlier versions of Microsoft Windows, enter dir /ASH at the command prompt to find the hidden, protected boot.ini file on the system drive, then open the file in Notepad to disable the kernel debugger for all sessions.

Delete the parameters:

- /debug;
- /debugport;
- /baudrate

and restart the computer to apply the changes.
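The boot.ini edit above, as an added example that is not part of the article: it strips the /debug, /debugport and /baudrate switches from every entry in the [operating systems] section and reports what it removed, so the change can be reviewed on a constructed sample before a real system file is touched. The sample boot.ini is constructed for the example.

```python
"""Remove kernel-debugger switches from boot.ini entries (added example)."""
import re

# Switches the procedure above tells you to delete (matched case-insensitively).
DEBUG_SWITCHES = {"debug", "debugport", "baudrate"}

# An OS entry: <ARC path>="<description>" followed by zero or more /switches.
ENTRY_RE = re.compile(r'^(?P<head>[^=]+="[^"]*")(?P<tail>.*)$')
# One switch token, e.g. /fastdetect, /noexecute=optin, /debugport=com1.
SWITCH_RE = re.compile(r"/(?P<name>[A-Za-z0-9]+)(?:=\S*)?")


def strip_debug_switches(entry):
    """Return (cleaned_entry, removed_tokens) for one [operating systems] line.

    Lines that do not look like an OS entry are returned unchanged. The ARC
    path and quoted description are never touched; only trailing switches
    whose name is in DEBUG_SWITCHES are dropped, so /noexecute=optin or
    /fastdetect survive.
    """
    m = ENTRY_RE.match(entry)
    if m is None:
        return entry, []
    kept, removed = [], []
    for token in m.group("tail").split():
        sm = SWITCH_RE.fullmatch(token)
        if sm is not None and sm.group("name").lower() in DEBUG_SWITCHES:
            removed.append(token)
        else:
            kept.append(token)
    return m.group("head") + "".join(" " + t for t in kept), removed


def clean_boot_ini(text):
    """Apply strip_debug_switches to every line of the [operating systems] section.

    Returns (cleaned_text, removed) where removed is a list of (line_no, token),
    so the change can be logged before the file is written back. The [boot loader]
    section (timeout=, default=) is passed through untouched. boot.ini is a hidden,
    protected system file, so it may need to be made writable before saving.
    """
    out, removed = [], []
    in_os_section = False
    for line_no, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            in_os_section = stripped.lower() == "[operating systems]"
            out.append(line)
            continue
        if not in_os_section:
            out.append(line)
            continue
        cleaned, gone = strip_debug_switches(line)
        out.append(cleaned)
        removed.extend((line_no, tok) for tok in gone)
    trailer = "\n" if text.endswith("\n") else ""
    return "\n".join(out) + trailer, removed


# Constructed sample: one XP entry that has debugging enabled, one that does not.
SAMPLE_BOOT_INI = "\n".join([
    "[boot loader]",
    "timeout=30",
    r"default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS",
    "[operating systems]",
    r'multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /DEBUG /debugport=com1 /baudrate=115200',
    r'multi(0)disk(0)rdisk(0)partition(2)\WINNT="Windows 2000" /fastdetect',
]) + "\n"


if __name__ == "__main__":
    cleaned, removed = clean_boot_ini(SAMPLE_BOOT_INI)
    for line_no, token in removed:
        print(f"line {line_no}: removed {token}")
    print(cleaned)
```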

If you want to debug the system kernel, click Continue in the prompt dialog and wait for the procedure to complete.

When a "User break exception (Int 3)" message appears, enter the gn command in the Kernel Debugger window.

To enable the kernel debugger, use the "Debugging Mode" option when booting the computer through the Safe Mode boot menu.

The kernel debugger is special software that runs at the kernel level of the operating system. "Debugging the operating system kernel" refers to scanning the system kernel for various errors. When working with Daemon Tools, the error "Initialization error. Kernel debugger must be deactivated" often appears. You can fix it by disabling the kernel debugger.

You will need

  • Administrator rights.

Instructions

If this warning appears while installing the application, turn off the service called Machine Debug Manager. To do this, open the "Control Panel" and go to the "Administrative Tools" section, then click the "Services" shortcut. Find Machine Debug Manager in the list, click its name and press "Stop".

Disable the debugger processes in "Task Manager". To do this, right-click a free area of the taskbar and select "Task Manager", or press Alt + Ctrl + Delete. Go to the Processes tab and end all mdm.exe, dumprep.exe and drwatson.exe processes. If it is hard to find them in the list, click the "Image Name" column header to sort the list by name. As a rule, such operations are carried out manually, under the administrator account of the personal computer.

The error reporting system should also be disabled so that debug information is no longer recorded. To do this, go to the "Control Panel", select the "System" section and click the "Advanced" tab. Then click the "Error Reporting" button and tick "Disable error reporting". Then go to the "Startup and Recovery" settings and untick "Send an administrative alert" and "Write an event to the system log".

Remove the Daemon Tools application from startup. To do this, click the "Start" button, then "Run", and enter the msconfig command. When the system window appears, untick the Daemon Tools entry. Disable your anti-virus software during installation. If the described error occurs, restart the application installation after eliminating all of the above causes on the personal computer.

Helpful advice

Some of the above operations require administrator access to system resources.

An excellent program for removing viruses and restoring the system is AVZ (Zaitsev Anti-Virus). If a virus blocks the download of AVZ, try downloading the complete antivirus suite instead!

The main features of AVZ are the detection and removal of viruses.

Antivirus utility AVZ is designed to detect and remove:

  • SpyWare and AdWare modules (the main purpose of the utility)
  • Dialer (Trojan.Dialer)
  • Trojan horses
  • BackDoor modules
  • Network and mail worms
  • TrojanSpy, TrojanDownloader, TrojanDropper

The utility is a direct analogue of TrojanHunter and LavaSoft Ad-aware 6. The primary task of the program is to remove SpyWare and Trojans.

The features of the AVZ utility (in addition to the typical signature scanner) are:

  • Heuristic system scan routine. The routine searches for known SpyWare and viruses by indirect signs, based on analysis of the registry, files on disk and in memory.
  • Updated database of safe files. It includes digital signatures of tens of thousands of system files and files of known safe processes. The database is connected to all AVZ systems and works on the "friend or foe" principle: safe files are not quarantined, deletion and warning messages are blocked for them, and the database is used by the anti-rootkit, the file search system and various analyzers. In particular, the built-in process manager highlights safe processes and services in color, and the disk file search can exclude known files from the search (which is very useful when searching the disk for Trojans);
  • Built-in rootkit detection system. Rootkits are searched for without signatures, by examining the basic system libraries for interception of their functions. AVZ can not only detect a rootkit but also correctly block a UserMode rootkit for its own process and a KernelMode rootkit at the system level. Rootkit counteraction applies to all AVZ service functions; as a result, the AVZ scanner can detect masked processes, the registry search system "sees" masked keys, and so on. The anti-rootkit is equipped with an analyzer that detects processes and services masked by a rootkit. One of the main features of the rootkit countermeasure system, in my opinion, is that it works on Win9X (the widespread opinion that there are no rootkits running on the Win9X platform is deeply mistaken: hundreds of Trojans are known to intercept API functions to mask their presence, distort the operation of API functions or monitor their use). Another feature is the universal KernelMode rootkit detection and blocking system, which works under Windows NT, Windows 2000 Pro/Server, XP, XP SP1, XP SP2, Windows 2003 Server and Windows 2003 Server SP1.
  • Keylogger and Trojan DLL detector. Keyloggers and Trojan DLLs are searched for by system analysis without a signature database, which makes it possible to reliably detect previously unknown Trojan DLLs and keyloggers;
  • Neuroanalyzer. The AVZ signature analyzer contains a neuro-emulator that allows suspicious files to be studied with a neural network. Currently the neural network is used in the keylogger detector.
  • Built-in analyzer of Winsock SPI/LSP settings. It analyzes the settings, diagnoses possible configuration errors and performs automatic repair. Automatic diagnosis and repair is useful for novice users (utilities such as LSPFix have no automatic repair). For manual study of SPI/LSP the program has a special LSP/SPI settings manager. The Winsock SPI/LSP analyzer is covered by the anti-rootkit;
  • Built-in manager of processes, services and drivers. Designed for studying running processes and loaded libraries, running services and drivers. The process manager is affected by the anti-rootkit (as a result it "sees" processes masked by a rootkit). The process manager is linked to the AVZ safe file database, and identified safe and system files are highlighted;
  • Built-in utility for finding files on disk. It searches for files by various criteria, and its capabilities exceed those of the system search. The search system is affected by the anti-rootkit (as a result the search "sees" files masked by a rootkit and can delete them), and a filter allows files recognized by AVZ as safe to be excluded from the results. Search results are available as a text log and as a table in which a group of files can be marked for later deletion or quarantine;
  • Built-in utility for searching data in the registry. It searches for keys and values by a given pattern; the results are available as a text log and as a table in which several keys can be marked for export or deletion. The search system is affected by the anti-rootkit (as a result the search "sees" registry keys masked by a rootkit and can delete them);
  • Built-in analyzer of open TCP/UDP ports. It is subject to the anti-rootkit; on Windows XP the process using each port is displayed. The analyzer relies on an updatable database of ports used by known Trojan/Backdoor programs and known system services. Searching for Trojan ports is part of the main system check algorithm: when suspicious ports are detected, warnings are written to the log indicating which Trojans tend to use that port;
  • Built-in analyzer of shared resources, network sessions and files opened over the network. Works on Win9X and NT/W2K/XP;
  • Built-in Downloaded Program Files (DPF) analyzer, which displays DPF elements and is connected to all AVZ systems;
  • System recovery routines. They repair Internet Explorer settings, startup settings and other system settings corrupted by malware. Recovery is started manually, and the parameters to be restored are chosen by the user;
  • Heuristic file deletion. When this option is enabled and malicious files were deleted during disinfection, the system is automatically examined, covering classes, BHOs, IE and Explorer extensions, all autorun types known to AVZ, Winlogon, SPI/LSP and so on. All found references to the deleted file are automatically cleaned up, and a log entry records exactly what was cleaned and where. This cleanup makes active use of the system repair routine engine;
  • Archive scanning. Since version 3.60 AVZ supports scanning archives and compound files. Currently archives in ZIP, RAR, CAB, GZIP and TAR formats, e-mail messages and MHT files, and CHM archives are scanned;
  • Scanning and disinfection of NTFS streams. NTFS stream scanning has been included in AVZ since version 3.75;
  • Control scripts. They let an administrator write a script that performs a set of specified operations on the user's PC. Scripts allow AVZ to be used on a corporate network, including launching it during system boot;
  • Process analyzer. The analyzer uses neural networks and analysis routines; it is enabled when advanced analysis is turned on at the maximum heuristic level and is designed to find suspicious processes in memory;
  • AVZGuard system. Designed to combat hard-to-remove malicious programs; in addition to AVZ, it can protect user-specified applications, for example other anti-spyware and anti-virus programs;
  • Direct disk access system for working with locked files. Works on FAT16/FAT32/NTFS, is supported on all operating systems of the NT line, and allows the scanner to analyze locked files and place them in quarantine;
  • Process monitoring driver and AVZPM drivers. Designed to track the start and stop of processes and the loading/unloading of drivers, in order to find hidden drivers and detect corruption of the structures describing processes and drivers caused by DKOM rootkits;
  • Boot Cleaner driver. Designed to perform system cleaning (removing files, drivers, services and registry keys) from KernelMode. The cleaning operation can be performed both during computer restart and during disinfection.

Restore system parameters:

  • Restoring launch settings for .exe, .com and .pif files
  • Resetting IE settings
  • Restoring desktop settings
  • Removing all user restrictions
  • Deleting the Winlogon message
  • Restoring Explorer settings
  • Removing system process debuggers
  • Restoring Safe Mode boot settings
  • Unlocking Task Manager
  • Cleaning the Hosts file
  • Correcting SPI/LSP settings
  • Resetting SPI/LSP and TCP/IP settings
  • Unlocking Registry Editor
  • Clearing MountPoints keys
  • Replacing DNS servers
  • Removing IE/Edge proxy server settings
  • Removing Google restrictions


Program tools:

  • Process manager
  • Service and Driver Manager
  • Kernel space modules
  • Internal DLL manager
  • Search in the registry
  • Find files
  • Cookie search
  • Startup Manager
  • Browser extension manager
  • Control panel applet manager (cpl)
  • Explorer Extension Manager
  • Print Extension Manager
  • Task Scheduler Manager
  • Protocol and Handler Manager
  • DPF Manager
  • Active Setup Manager
  • Winsock SPI Manager
  • Hosts File Manager
  • TCP / UDP Port Manager
  • Network Shares and Network Connections Manager
  • System utilities set
  • Checking a file against a database of safe files
  • File scan against Microsoft security catalog
  • Calculating MD5 checksums of files

That is the large set of tools AVZ offers for rescuing your computer from various infections!

Modern antiviruses have grown so many additional functions that some users have questions while using them. In this lesson we will tell you about all the key features of the AVZ antivirus.

Let's take a closer look, with practical examples, at what AVZ is. The following functions deserve the main attention of the average user.

Checking the system for viruses

Any antivirus must be able to detect malware on a computer and deal with it (cure or delete). Naturally, this function is also present in AVZ. Let's see in practice how such a check works.

  1. Launch AVZ.
  2. A small utility window will appear on the screen. In the area marked in the screenshot below you will find three tabs. They all relate to the process of searching for vulnerabilities on the computer and contain different options.
  3. On the first tab, "Search area", tick the folders and hard disk partitions you want to scan. Below you will see three lines that enable additional options. We tick all of them. This enables a special heuristic analysis, scanning of additional running processes, and identification of even potentially dangerous software.
  4. Then go to the "File types" tab. Here you can choose which data the utility should scan.
  5. For an ordinary check it is enough to tick "Potentially dangerous files". If viruses have taken root deeply, choose "All files".
  6. In addition to ordinary documents, AVZ easily scans archives, which many other antiviruses cannot boast of. This check is enabled or disabled in this tab. We recommend unticking the line for checking large archives if you want to achieve the maximum result.
  7. In total, your second tab should look like this.
  8. Next, go to the last section, "Search options".
  9. At the very top you will see a vertical slider. Move it all the way up. This makes the utility respond to all suspicious objects. In addition, we enable checking for API and RootKit interceptors, searching for keyloggers, and checking SPI/LSP settings. The general view of your last tab should be something like this.
  10. Now configure the actions AVZ will take when it detects a particular threat. First tick the line "Perform treatment" in the right pane of the window.
  11. For each type of threat we recommend setting the parameter "Delete". The only exceptions are threats of the "HackTool" type; here we recommend leaving the parameter "Treat". Also tick the two lines below the list of threats.
  12. The second parameter allows the utility to copy the unsafe document to a designated location. You can then examine its contents and delete it safely. This is done so that you can exclude from the list of infected data files that are not actually malicious (activators, key generators, password tools, and so on).
  13. When all settings and search parameters are set, you can start the scan itself. To do this, press the "Start" button.
  14. The scan begins. Its progress is displayed in the special "Protocol" area.
  15. After some time, which depends on the amount of data being checked, the scan ends. A message about completion appears in the log, along with the total time spent analyzing files and statistics on the scan and detected threats.
  16. By clicking the button marked in the image below, you can see in a separate window all suspicious and dangerous objects that AVZ identified during the scan.
  17. The path to the dangerous file, its description and its type are shown here. If you tick the box next to the name of such software, you can move it to quarantine or remove it from your computer completely. When finished, press the "OK" button at the bottom.
  18. After cleaning your computer, you can close the program window.

System functions

In addition to standard malware checking, AVZ can perform a ton of other functions. Let's look at those that may be useful to the average user. In the main menu of the program, at the very top, click the "File" line. A drop-down menu appears containing all the available auxiliary functions.

The first three lines are responsible for starting, stopping and pausing the scan. These are analogs of the corresponding buttons in the main AVZ menu.

System investigation

This function makes the utility collect all information about your system. This does not mean the hardware but the software side: the information includes a list of processes, various modules, system files and protocols. After you click the "System Research" line, a separate window appears in which you can specify what information AVZ should collect. After ticking all the necessary checkboxes, click the "Start" button at the bottom.


This opens the save dialog. In it you can select where to put the document with the detailed information and give the file a name. Please note that all information is saved as an HTML file, which can be opened with any web browser. After specifying the path and name for the saved file, click the "Save" button.


As a result, the process of scanning the system and collecting information starts. At the very end, the utility displays a window asking whether you want to view all the collected information immediately.

System Restore

With this set of functions you can return elements of the operating system to their original form and reset various settings. Most often, malware tries to block access to the Registry Editor and Task Manager and to write its own values to the Hosts system file. You can unblock such elements using the "System Restore" option. To do this, just click the name of the option, then tick the actions that need to be performed.


After that, press the "Perform marked operations" button at the bottom of the window.

A window will appear on the screen in which you should confirm the actions.


After a while, you will see a message that all tasks have completed. Just close that window by clicking the "OK" button.

Scripts

There are two lines in the menu related to working with scripts in AVZ: "Standard scripts" and "Execute script".

By clicking the "Standard scripts" line, you open a window with a list of ready-made scripts. You only need to tick the ones you want to run, then click the "Run" button at the bottom of the window.


In the second case, you start the script editor. Here you can write a script yourself or load one from your computer. Do not forget to press the "Run" button in the same window after writing or loading it.

Database update

This is an important item in the list. By clicking the corresponding line, you open the window for updating the AVZ database.

We do not recommend changing the settings in this window. Leave everything as it is and press the "Start" button.


After a while, a message appears stating that the database update is complete. You only have to close this window.

Viewing the contents of the quarantine and Infected folders

By clicking these lines in the menu, you can view all potentially dangerous files that AVZ detected while scanning your system.

In the windows that open, you can permanently delete such files or restore them if they do not really pose a threat.


Please note that for suspicious files to be placed in these folders, you must tick the appropriate boxes in the system scan settings.

This is the last option in the list that an ordinary user may need. As the name implies, these parameters allow you to save a preliminary antivirus configuration (search method, scan mode, and so on) to your computer and load it back later.

When saving, you only need to specify the file name and the folder to save it in. When loading a configuration, you just select the required settings file and press the "Open" button.

Exit

It would seem an obvious and well-known button. But it is worth mentioning that in some situations, upon detection of particularly dangerous software, AVZ blocks all ways of closing itself except this button. In other words, you cannot close the program with the keyboard shortcut Alt + F4 or by clicking the usual cross in the corner. This is done to prevent viruses from interfering with the correct operation of AVZ. By clicking this button, you can close the antivirus for certain if necessary.

In addition to the options described, there are others in the list, but ordinary users are unlikely to need them, so we did not focus on them. If you still need help with the functions not described here, write about it in the comments. And we move on.

List of services

To see the full list of services offered by AVZ, click the "Service" line at the very top of the program.

As in the previous section, we will go over only those of them that may be useful to an ordinary user.

Process manager

By clicking the very first line in the list, you open the "Process Manager" window. In it you can see a list of all executable files currently running on the computer or laptop. In the same window you can read the description of a process, find out its vendor and the full path to the executable file itself.


You can also terminate a process. To do this, select the required process in the list and click the button in the form of a black cross on the right side of the window.


This service is an excellent replacement for the standard Task Manager. It is especially valuable when "Task Manager" has been blocked by a virus.

Service and Driver Manager

This is the second service in the general list. By clicking the line with the same name, you open the window for managing services and drivers. You can switch between them with a special switch.

In the same window, each item is accompanied by a description of the service itself, its status (enabled or disabled), and the location of the executable file.


Select the desired item and you get access to options to enable, disable or completely remove the service or driver. These buttons are located at the top of the work area.

Startup manager

This service lets you fully customize the startup settings. Moreover, unlike standard managers, this list also includes system modules. By clicking the line with the same name, you will see the following.


To disable the selected item, just untick the box next to its name. It is also possible to delete the entry completely: select the desired line and click the button in the form of a black cross at the top of the window.

Please note that a deleted entry cannot be restored. Therefore, be extremely careful not to erase vital system startup entries.

Hosts File Manager

We mentioned above that a virus sometimes writes its own values to the system "Hosts" file. In some cases malware also blocks access to it so that you cannot undo the changes made. This service helps in such situations.

By clicking the line shown in the image above, you open the manager window. You cannot add your own values here, but you can delete existing ones. To do this, select the desired line with the left mouse button, then press the delete button located in the upper part of the work area.


After that, a small window appears in which you need to confirm the action. To do this, just press the "Yes" button.


When the selected line has been deleted, just close this window.

Be careful not to delete lines whose purpose you don't know. Not only viruses but also other programs can write their values to the "Hosts" file.

System utilities

With AVZ you can also run the most popular system utilities. You can see their list by hovering the mouse over the line with the corresponding name.


By clicking the name of a utility, you launch it. After that you can make changes in the registry (regedit), configure the system (msconfig) or check the system files (sfc).

These are all the services we wanted to mention. Novice users are unlikely to need the protocol manager, the extension managers and the other additional services. Such functions are more suitable for advanced users.

AVZGuard

This feature was designed to combat the most cunning viruses that standard methods cannot delete. It simply puts malware on the list of untrusted software, which is prohibited from performing its operations. To enable this function, click the "AVZGuard" line in the upper AVZ area and, in the drop-down menu, click "Enable AVZGuard".

Be sure to close all third-party applications before enabling this function, because otherwise they will also be included in the list of untrusted software and may not work correctly afterwards.

All programs marked as trusted are protected from removal or modification, and the operation of untrusted software is suspended. This allows you to safely remove dangerous files with a standard scan. Afterwards, turn AVZGuard off again: click the same line at the top of the program window and then click the item that disables the function.

AVZPM

The technology named in the heading monitors all started, stopped and modified processes and drivers. To use it, first enable the corresponding service.

  1. Click the AVZPM line at the top of the window.
  2. In the drop-down menu, click the line "Install Advanced Process Monitoring Driver".


The required modules are installed within a few seconds. From now on, if changes are detected in any process, you receive a corresponding notification. If you no longer need such monitoring, simply click the line marked in the image below in the same drop-down menu. This unloads all AVZ processes and removes the previously installed drivers.

Please note that the AVZGuard and AVZPM buttons may be grayed out and inactive. This means you have an x64 operating system installed. Unfortunately, these components do not work on 64-bit systems.

With this, the article has come to its logical conclusion. We have tried to show you how to use the most popular features of AVZ. If you still have questions after reading this lesson, you can ask them in the comments to this post. We will be happy to pay attention to each question and try to give the most detailed answer.

Antivirus programs, even when they detect and remove malicious software, do not always restore the system to full working order. Often, after removing a virus, the user is left with an empty desktop, no Internet access at all (or access to some sites blocked), a non-working mouse, and so on. As a rule, this is because some system or user settings changed by the malware have not been undone.

The utility is free, works without installation, is amazingly functional and has helped me out in a variety of situations. A virus, as a rule, makes changes to the system registry (adding itself to startup, modifying program launch parameters, etc.). So as not to dig through the system correcting traces of the virus by hand, use the "System Restore" operation available in AVZ (the utility is also very, very good as an antivirus, and checking the disks for viruses with it is well worth doing).

To start recovery, run the utility, then click File > System Restore

and a window like this opens:

tick the checkboxes we need and click "Perform marked operations"

This routine restores the system's handling of .exe, .com, .pif and .scr files.
Indications for use: programs stop running after the virus has been removed.
This routine restores the protocol prefix settings in Internet Explorer.
Indications for use: when you enter an address such as www.yandex.ru, it is replaced with something like www.seque.com/abcd.php?url=www.yandex.ru
This routine restores the start page in Internet Explorer.
Indications for use: the start page has been replaced.
This routine restores the Internet Explorer search settings.
Indications for use: clicking the "Search" button in IE leads to some third-party site.
This routine restores the desktop settings. Recovery means removing all Active Desktop elements and wallpaper and removing the locks on the menu responsible for desktop settings.
Indications for use: the desktop settings tabs in the "Display Properties" window have disappeared, or extraneous text or images are shown on the desktop.
Windows provides a mechanism for restricting user actions called Policies. This technology is used by many malicious programs, because the settings are stored in the registry and are not difficult to create or modify.
Indications for use: Explorer or other system functions are blocked.
Windows NT and later systems of the NT line (2000, XP) allow a message to be displayed during startup. A number of malicious programs take advantage of this, and killing the malware does not remove the message.
Indications for use: an extraneous message is shown during system boot.
This routine resets a number of Explorer settings to their defaults (first of all, the settings that malware changes).
Indications for use: Explorer settings have been changed.
Registering a debugger for a system process allows an application to be launched covertly, which a number of malicious programs use.
Indications for use: AVZ detects unrecognized debuggers of system processes; problems launching system components, in particular the desktop disappearing after a reboot.
Some malware, in particular the Bagle worm, corrupts the Safe Mode boot settings. This routine restores the Safe Mode boot settings.
Indications for use: .
Task Manager blocking is used by malware to protect its processes from detection and deletion. Accordingly, running this routine releases the lock.
Indications for use: Task Manager is blocked; when you try to open it, the message "Task Manager has been disabled by your administrator" is displayed.

The HijackThis utility stores a number of its settings in the registry, in particular its list of exclusions. To hide from HijackThis, a malicious program therefore only needs to add its executable files to the exclusion list. A number of malicious programs are known to exploit this weakness. This AVZ routine clears the HijackThis exclusion list.

Indications for use: suspicion that HijackThis does not display all information about the system.
13. Cleaning up the Hosts file
Clearing the Hosts file means locating the file, removing all meaningful lines from it and adding the standard line "127.0.0.1 localhost".
Indications for use: suspicion that the Hosts file has been modified by malware. A typical symptom is that antivirus updates are blocked. You can inspect the contents of the Hosts file with the Hosts file manager built into AVZ.
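The same check and the same reset that the routine above performs, as an added PowerShell example (not code from the article and not AVZ's own code). It lists every active mapping other than the standard localhost line, flags names that look like antivirus or update domains, and can back up and reset the file the way the routine does. The default path, the watch-list of domain fragments and the need for PowerShell 3 or later are this example's assumptions.

```powershell
# Added example (not part of the article, not AVZ code): audit the Hosts file and report
# every active mapping other than the standard localhost line, flagging host names that
# look like security-vendor or update domains. The watch list is an assumption.

function Get-HostsAnomaly {
    param(
        [string]$Path = "$env:SystemRoot\System32\drivers\etc\hosts",
        [string[]]$WatchDomains = @('update', 'kaspersky', 'drweb', 'avast', 'eset', 'microsoft')
    )
    $lineNo = 0
    foreach ($line in (Get-Content -LiteralPath $Path -ErrorAction Stop)) {
        $lineNo++
        # Drop the comment part and surrounding whitespace; skip blank/comment-only lines
        $code = ($line -split '#', 2)[0].Trim()
        if ($code -eq '') { continue }
        $fields = $code -split '\s+'
        if ($fields.Count -lt 2) { continue }            # malformed line, nothing is mapped
        $address = $fields[0]
        foreach ($name in $fields[1..($fields.Count - 1)]) {
            # The only mapping the routine leaves in place: loopback -> localhost
            $isStandard = ($address -eq '127.0.0.1' -or $address -eq '::1') -and ($name -ieq 'localhost')
            if ($isStandard) { continue }
            $watched = @($WatchDomains | Where-Object { $name -like "*$_*" }).Count -gt 0
            [pscustomobject]@{
                Line       = $lineNo
                Address    = $address
                HostName   = $name
                Suspicious = $watched     # True: a security/update domain is being redirected
            }
        }
    }
}

function Reset-HostsFile {
    param([string]$Path = "$env:SystemRoot\System32\drivers\etc\hosts")
    # What the cleanup routine does: keep a backup, then leave only the standard line.
    # Needs an elevated prompt, because the file lives under System32.
    $backup = "$Path.$(Get-Date -Format 'yyyyMMdd-HHmmss').bak"
    Copy-Item -LiteralPath $Path -Destination $backup -Force
    Set-Content -LiteralPath $Path -Value '127.0.0.1 localhost' -Encoding Ascii
    return $backup
}

# Review the report first; reset only if it shows mappings you did not create yourself.
Get-HostsAnomaly | Format-Table -AutoSize
```

Run the report before resetting: a Hosts file with entries you added deliberately (a local development host, a blocked advertising domain) will show up as non-standard mappings with Suspicious = False, and those are worth keeping rather than wiping.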

Analyzes the SPI settings and automatically corrects any errors found. This routine can be run any number of times. After running it, restarting the computer is recommended.

Indications for use: Internet access was lost after the malware was removed.

This routine only works on XP, Windows 2003 and Vista. It works by resetting and re-creating the SPI/LSP and TCP/IP settings with the standard netsh utility included with Windows. Note: apply this reset only when necessary, that is, when problems with Internet access after removing malware cannot be fixed any other way!

Indications for use: after the malicious program has been removed, Internet access does not work and running "14. Automatic correction of SPI/LSP settings" has no effect.
Restores system registry keys responsible for starting Explorer.
Indications for use: Explorer does not start during system boot, but it is possible to manually launch explorer.exe.
Unlocks Registry Editor by removing the policy that prevents it from running.
Indications for use: Unable to start Registry Editor, when you try, you receive a message stating that it was blocked by the administrator.
Backs up the SPI/LSP settings, then destroys them and recreates them according to the standard stored in the database.
Indications for use:
Clears the MountPoints and MountPoints2 databases in the registry. This operation often helps when drives do not open in Explorer after an infection with a Flash virus.
To perform the restoration, check one or more items and press the "Perform marked operations" button. Pressing the "OK" button closes the window.
On a note:
Restoration is useless while a Trojan that performs these reconfigurations is still running; first remove the malware, then restore the system settings.
On a note:
To remove the traces of most hijackers, run three routines: "Reset Internet Explorer Search Settings to Standard", "Restore Internet Explorer Start Page" and "Reset Internet Explorer Protocol Prefix Settings to Standard".
On a note:
Any of the routines can be run several times in a row without harming the system. The exceptions are "5. Restoring desktop settings" (this routine resets all desktop settings, and you will have to choose the desktop color and wallpaper again) and "10. Restoring Boot Settings in SafeMode" (this routine recreates the registry keys responsible for booting in SafeMode).


There are programs as universal as a Swiss Army knife. The hero of this article is one of these "universals". Its name is AVZ (Zaitsev's Anti-Virus). With this free antivirus you can catch viruses, optimize the system and fix problems.

AVZ features

I have already written elsewhere about AVZ as an antivirus program. How AVZ works as a one-time scanner (more precisely, an anti-rootkit) is well described in its help, so here I will show the other side of the program: checking and restoring settings.

What can be "fixed" with AVZ:

  • Restore the launch of programs (.exe, .com, .pif files)
  • Reset Internet Explorer settings to standard
  • Restore desktop settings
  • Remove restrictions on user rights (for example, if a virus has blocked the launch of programs)
  • Remove a banner or window that appears before logon
  • Remove viruses that launch together with any program
  • Unblock Task Manager and Registry Editor (if a virus has prevented them from starting)
  • Clear the Hosts file
  • Prevent programs from autostarting from flash drives and disks
  • Delete unnecessary files from the hard drive
  • Fix desktop problems
  • And much more

It can also be used to check Windows settings for security weaknesses (to better protect against viruses) and to optimize the system by cleaning the startup list.

The AVZ download page is located.

The program is free.

First, let's secure our Windows from careless actions

AVZ has a great many functions that affect how Windows works. That is dangerous, because one mistake can cause trouble. Read the text and the help carefully before doing anything. The author of the article is not responsible for your actions.

I wrote this chapter so that you can "put everything back as it was" after careless work with AVZ.

This is a mandatory step; in effect, you create an "escape route" in case of careless actions: thanks to a restore point you can return the settings and the Windows registry to an earlier state.

Windows System Restore is a standard component of every Windows version since Windows ME. It is a pity that people usually forget about it and waste time reinstalling Windows and programs, when a couple of mouse clicks could have avoided all the trouble.

If the damage is serious (for example, system files have been deleted), System Restore will not help. In other cases, if you have misconfigured Windows, "tinkered" with the registry, installed a program after which Windows does not boot, or misused AVZ, System Restore should help.

After it runs, AVZ creates subfolders with backups in its own folder:

/Backup - registry backups are stored there.

/Infected - copies of deleted viruses.

/Quarantine - copies of suspicious files.

If problems began after AVZ ran (for example, you used the AVZ System Restore tool without thinking and the Internet stopped working) and Windows System Restore did not roll the changes back, you can open the registry backups from the Backup folder.

How to create a restore point

Go to Start - Control Panel - System - System Protection:

Click "System Protection" in the "System" window.

Press the button "Create".

The process of creating a restore point can take up to ten minutes. Then a window will appear:

The restore point has been created. By the way, restore points are created automatically when you install programs and drivers, but not always. So before risky actions (configuring or cleaning the system) it is better to create a restore point once more, so that in case of trouble you can praise yourself for your foresight.

How to restore a computer using a restore point

There are two ways to run System Restore: from a running Windows and from the installation disc.

Option 1 - if Windows starts

Go to Start - All Programs - Accessories - System Tools - System Restore:

System Restore starts. Select "Choose a different restore point" and press Next. A list of restore points opens; choose the one you need:

The computer will restart automatically. After it boots, all settings, the registry and some important files will have been restored.

Option 2 - if Windows won't boot

You need an "installation" disk with Windows 7 or Windows 8. Where to get it (or download), I wrote in.

Boot from the disc (how to boot from bootable discs is described elsewhere) and select:

Choose "System Restore" instead of installing Windows

Fixing the system after viruses or inept actions with the computer

Before all of these steps, get rid of the viruses first (for example with an antivirus scanner). Otherwise there is no point: the virus will simply "break" the corrected settings again.

Restoring startup programs

If a virus has blocked the launch of programs, AVZ will help. Of course, you first need to launch AVZ itself, but that is fairly easy:

First go to Control Panel (set any view type except Category) - Folder Options - View - uncheck Hide extensions for known file types - OK. Now you can see each file's extension, the few characters after the last period in its name. For programs it is usually .exe or .com. To run AVZ on a computer where launching programs is prohibited, rename its extension to cmd or pif:

AVZ will then start. In the program window, click File - System Restore:

Check the following items:

1. Restoring startup parameters for .exe, .com, .pif files (this is what actually solves the problem of launching programs)

6. Removing all Policies (restrictions) of the current user (in some rare cases this item also helps with launching programs, if the virus is especially harmful)

9. Removing debuggers of system processes (it is highly advisable to check this item, because even after an antivirus scan something from the virus may remain; it also helps if the desktop does not appear at system startup)

Confirm the action; a window appears with the text "System restore completed". After that, restart the computer and the problem with launching programs will be gone!

Restoring Desktop Launch

A fairly common problem: the desktop does not appear when the system starts.

You can launch the desktop like this: press Ctrl+Alt+Del, open the Task Manager, choose File - New Task (Run...) and enter explorer.exe:

OK, and the desktop starts. But this is only a temporary fix: the next time you turn the computer on, you will have to repeat it.

To avoid doing this every time, restore the launch key of Explorer (explorer.exe, which is responsible for the standard view of folder contents and for the desktop). In AVZ open File - System Restore and check the item that restores the Explorer launch key.

Press Perform marked operations, confirm the action and press OK. The desktop will now start normally when the computer boots.

Unlocking Task Manager and Registry Editor

If a virus has blocked the launch of the two programs mentioned above, you can remove the ban from the AVZ program window. Just check two items:

11. Unlocking the task manager

17. Unlock Registry Editor

and press Perform marked operations.

Internet problems (Vkontakte, Odnoklassniki and antivirus sites do not open)

Cleaning the system from unnecessary files

AVZ also knows how to clean the computer of unnecessary files. If no disk cleanup program is installed on the computer, AVZ will do, since it offers many options:

More about items:

  1. Clear the Prefetch system cache - clears the folder with information about which files to preload to launch programs quickly. This option is useless, because Windows itself manages the Prefetch folder quite well and cleans it when needed.
  2. Delete Windows log files - clears various databases and files that record events in the operating system. Useful only if you need to free ten or twenty megabytes of disk space. That is, the benefit is negligible; the option is useless.
  3. Delete memory dump files - on a critical error Windows stops and shows a BSOD (blue screen of death), saving information about running programs and drivers to a file so that special tools can later find the culprit of the failure. This option is almost useless, as it frees only about ten megabytes. Clearing the memory dump files does not harm the system.
  4. Clear the list of Recent documents - oddly enough, clears the Recent documents list. This list is on the Start menu. You can also clear it manually by right-clicking that item in the Start menu and choosing "Clear list of recent items". A useful option: I have noticed that clearing the list makes the Start menu display its submenus slightly faster. It does no harm.
  5. Clearing the TEMP folder - the Holy Grail for those looking for where the free space on drive C: went. Many programs keep files for temporary use in the TEMP folder and forget to "clean up after themselves". A typical example is archivers: they unpack files there and forget to delete them. Clearing the TEMP folder does no harm and can free a lot of space (in badly neglected cases the gain reaches fifty gigabytes!).
  6. Adobe Flash Player - clearing temporary files - Flash Player can save files for temporary use; they can be deleted. Sometimes (rarely) this helps with Flash Player glitches, for example problems playing video and audio on the Vkontakte site. No harm in using it.
  7. Clearing the terminal client cache - as far as I know, cleans the temporary files of the Windows component called Remote Desktop Connection (remote access to computers via RDP). Does no harm, frees a dozen megabytes at best. No point in using it.
  8. IIS - deleting the HTTP error log - it would take a long time to explain what this is; let me just say it is better not to enable IIS log cleanup. In any case it does neither harm nor good.
  9. Macromedia Flash Player - duplicates "Adobe Flash Player - clearing temporary files", but for rather ancient versions of Flash Player.
  10. Java - clearing the cache - frees a couple of megabytes of disk space. I do not use Java programs, so I did not test the consequences of enabling this option. I do not recommend turning it on.
  11. Emptying the Recycle Bin - the purpose of this item is clear from its name.
  12. Delete system update installation logs - Windows keeps a log of installed updates; this option clears it. Useless, because no free space is gained.
  13. Delete the Windows Update log - similar to the previous item, but other files are deleted. Also useless.
  14. Clear the MountPoints database - if, when you connect a flash drive or hard drive, no icon for it appears in the Computer window, this option can help. I advise turning it on only if you have problems connecting flash drives and disks.
  15. Internet Explorer - clear cache - cleans Internet Explorer's temporary files. Safe and useful.
  16. Microsoft Office - clear cache - cleans the temporary files of Microsoft Office programs (Word, Excel, PowerPoint and others). I cannot check whether this option is safe because I do not have Microsoft Office.
  17. Clear the CD writing system cache - a useful option that deletes files you have prepared for burning to disc.
  18. Clear the system TEMP folder - unlike the user's TEMP folder (see item 5), clearing this folder is not always safe, and usually little space is freed. I do not recommend turning it on.
  19. MSI - clearing the Config.Msi folder - this folder contains various files created by program installers. It grows large if installers did not finish correctly, so clearing Config.Msi is worthwhile. Still, a warning: there may be problems uninstalling programs that use .msi installers (for example Microsoft Office).
  20. Clear Task Scheduler logs - Windows Task Scheduler keeps a log of completed tasks. I do not recommend enabling this item: there is no benefit, and it can add problems, since the Task Scheduler is a rather buggy component.
  21. Remove Windows installation logs - the space gain is insignificant; there is no point deleting them.
  22. Windows - clear the icon cache - useful if you have problems with shortcuts, for example when the desktop appears but the icons do not show up immediately. Enabling this option does not affect system stability.
  23. Google Chrome - clear cache - a very useful option. Google Chrome stores copies of pages in a dedicated folder to open sites quickly (pages are loaded from the hard drive instead of being downloaded over the Internet). Sometimes this folder reaches half a gigabyte. Clearing it frees disk space and affects neither Windows nor Google Chrome stability.
  24. Mozilla Firefox - clearing the CrashReports folder - every time Firefox has a problem and closes abnormally, report files are generated. This option deletes them. The gain is up to a couple of tens of megabytes, so there is a little sense in the option, but only a little. Windows and Mozilla Firefox stability are not affected.

Depending on the installed programs, the number of items will differ. For example, if the Opera browser is installed, you can clear its cache too.
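Before running any of the cleanup items above it is worth knowing how much each target actually holds, since the author's point is that most of them free almost nothing. The following is an added PowerShell example (not code from the article or from AVZ) that only measures; it deletes nothing. The mapping of item numbers to folders is this example's assumption, as are the browser cache paths.

```powershell
# Added example (not the article's or AVZ's code): report how much space each cleanup
# target currently occupies, without deleting anything. Folder mapping is assumed.

function Get-CleanupTargetSize {
    $targets = [ordered]@{
        'User TEMP (item 5)'              = $env:TEMP
        'System TEMP (item 18)'           = "$env:SystemRoot\Temp"
        'Prefetch (item 1)'               = "$env:SystemRoot\Prefetch"
        'Config.Msi (item 19)'            = "$env:SystemDrive\Config.Msi"
        'Minidumps (item 3)'              = "$env:SystemRoot\Minidump"
        'Chrome cache (item 23)'          = "$env:LOCALAPPDATA\Google\Chrome\User Data\Default\Cache"
        'Firefox crash reports (item 24)' = "$env:APPDATA\Mozilla\Firefox\Crash Reports"
    }
    foreach ($entry in $targets.GetEnumerator()) {
        $path = $entry.Value
        if (-not (Test-Path -LiteralPath $path)) {
            [pscustomobject]@{ Target = $entry.Key; Path = $path; Files = 0; MB = 0; Exists = $false }
            continue
        }
        # -Force includes hidden files; access errors (system TEMP) are skipped, not fatal
        $files = @(Get-ChildItem -LiteralPath $path -Recurse -File -Force -ErrorAction SilentlyContinue)
        $bytes = ($files | Measure-Object -Property Length -Sum).Sum
        [pscustomobject]@{
            Target = $entry.Key
            Path   = $path
            Files  = $files.Count
            MB     = [math]::Round(($bytes / 1MB), 1)
            Exists = $true
        }
    }
}

Get-CleanupTargetSize | Sort-Object MB -Descending | Format-Table -AutoSize
```

Run it as an ordinary user first and again from an elevated prompt: the system TEMP and Config.Msi figures are only complete with administrative rights, which is also why the article warns that clearing those two is not always safe.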

Cleaning the list of startup programs

A sure way to speed up computer startup and operation is to clean the startup list. If unnecessary programs do not start, the computer will not only boot faster but also run faster, thanks to the resources no longer taken by programs running in the background.

AVZ can look into almost all the loopholes in Windows through which programs are launched. You can view the autorun list in the Tools - Autorun Manager menu:

An ordinary user has no need for such powerful functionality, so I urge you not to disable everything. It is enough to look at just two sections: Autorun folders and Run*.

AVZ displays autorun entries not only for your user, but also for all other profiles:

In the Run* section it is better not to disable programs located under HKEY_USERS: that can break other user profiles and the operating system itself. In the Autorun folders section you can turn off whatever you do not need.

Lines the antivirus recognizes as known are marked in green. These include both Windows system programs and digitally signed third-party programs.

All other programs are marked in black. This does not mean they are viruses or anything similar; simply not all programs are digitally signed.

Do not forget to widen the first column to show the program's name. Simply unchecking an item temporarily disables the program's autostart (you can check it again later); selecting the item and pressing the button with the black cross deletes the entry for good (or until the program registers itself for autorun again).

The question arises: how do you decide what can be disabled and what cannot? There are two approaches:

First, common sense: you can decide by the name of the program file. For example, Skype creates an entry for automatic start when you turn on the computer. If you do not need it, uncheck the entry ending with skype.exe. By the way, many programs (including Skype) can remove themselves from startup; just uncheck the corresponding option in the program's own settings.

Second, you can search the Internet for information about the program and decide, based on what you find, whether to remove it from autorun. AVZ makes this easy: right-click the item and select your favorite search engine:

By disabling unnecessary programs you will noticeably speed up computer startup. However, disabling everything in a row is undesirable: you may lose the keyboard layout indicator, disable the antivirus and so on.

Disable only the programs you know for sure you do not need in autorun.
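The "green means recognized, black means unsigned" distinction the article describes can be reproduced for the two sections it recommends reviewing (the Run* keys and the Startup folders). The following is an added PowerShell example, not code from the article or from AVZ: it enumerates those entries, follows Startup-folder shortcuts to their targets, and checks each executable's Authenticode signature. The command-line parsing heuristic and the choice of which Run keys to read are this example's assumptions; it changes nothing.

```powershell
# Added example (not the article's or AVZ's code): list Run* and Startup-folder autoruns
# and check each target's Authenticode signature, which is roughly what AVZ's green/black
# marking reflects. Read-only.

function Get-AutorunEntry {
    $runKeys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }     # provider metadata, not an autorun value
            [pscustomobject]@{ Source = $key; Name = $p.Name; Command = [string]$p.Value }
        }
    }
    foreach ($folder in @([Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup'))) {
        if (-not (Test-Path -LiteralPath $folder)) { continue }
        foreach ($item in (Get-ChildItem -LiteralPath $folder -File)) {
            [pscustomobject]@{ Source = $folder; Name = $item.Name; Command = $item.FullName }
        }
    }
}

function Resolve-AutorunTarget {
    param([string]$Command)
    # Heuristic (assumption): take a quoted path or the first token, expand %VAR% names,
    # and follow .lnk shortcuts (Startup-folder entries) to the real executable.
    if ($Command -match '^\s*"([^"]+)"') { $raw = $Matches[1] } else { $raw = ($Command.Trim() -split '\s+')[0] }
    $path = [Environment]::ExpandEnvironmentVariables($raw)
    if ($path -like '*.lnk' -and (Test-Path -LiteralPath $path)) {
        $path = (New-Object -ComObject WScript.Shell).CreateShortcut($path).TargetPath
    }
    return $path
}

function Get-AutorunReport {
    foreach ($e in Get-AutorunEntry) {
        $path = Resolve-AutorunTarget $e.Command
        $status = 'FileNotFound'      # an autorun pointing at a missing file is itself a finding
        $signer = ''
        if ($path -and (Test-Path -LiteralPath $path)) {
            $sig = Get-AuthenticodeSignature -FilePath $path
            $status = $sig.Status.ToString()          # Valid, NotSigned, HashMismatch, ...
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        }
        [pscustomobject]@{ Name = $e.Name; Source = $e.Source; Path = $path; Signature = $status; Signer = $signer }
    }
}

Get-AutorunReport | Sort-Object Signature | Format-Table -AutoSize
```

As the article says, NotSigned is not proof of anything bad; what deserves a closer look is an entry whose file no longer exists, whose signature status is HashMismatch, or whose path sits in a user-writable location such as the TEMP folder.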

Outcome

Basically, what I wrote about in this article is like hammering nails with a microscope: AVZ can be used to optimize Windows, but it is really a complex and powerful tool suited to a wide variety of tasks. To use AVZ to its fullest, though, you need to know Windows thoroughly, so start small, with what I described above.

If you have any questions or comments - under the articles there is a block of comments where you can write to me. I am following the comments and will try to answer you as soon as possible.


We will talk about the simplest ways to neutralize viruses, in particular those that lock the Windows 7 user's desktop (the Trojan.Winlock family). Such viruses do not hide their presence in the system; on the contrary, they demonstrate it, making it as hard as possible to do anything except enter a special "unlock code", for which the user is supposedly required to transfer a certain amount to the attackers via SMS or top up a mobile phone through a payment terminal. The goal is one: to make the user pay, sometimes a fairly decent sum. A window appears on the screen with a threatening warning that the computer is locked for using unlicensed software or visiting unwanted sites, or something else of the kind, usually meant to scare the user. In addition, the virus does not let you do anything in the Windows environment: it blocks the special key combinations that open the Start menu, the Run command, the Task Manager and so on. The mouse pointer cannot be moved outside the virus window. As a rule, the same picture is seen when booting Windows in Safe Mode. The situation seems hopeless, especially if there is no other computer and no way to boot another operating system or removable media (Live CD, ERD Commander, an antivirus rescue disc). Nevertheless, in the overwhelming majority of cases there is a way out.

The new technologies implemented in Windows Vista / Windows 7 made it much harder for malware to get in and take full control of the system, and also gave users additional ways to get rid of it relatively easily, even without antivirus software. This is about the ability to boot the system in Safe Mode with Command Prompt and run control and recovery tools from it. Apparently, out of habit and because of the rather poor implementation of this mode in earlier Windows versions, many users simply do not use it. In vain: the Windows 7 command prompt mode has no usual desktop (which a virus could lock), but most programs can be launched from it: the registry editor, the task manager, the system restore utility and so on.

Removing a virus by rolling the system back to a restore point

A virus is an ordinary program, and even if it sits on the computer's hard drive, as long as it has no way to start automatically when the system boots and the user logs on, it is just as harmless as, say, an ordinary text file. If the problem of blocking the automatic launch of a malicious program is solved, the task of getting rid of the malware can be considered complete. The main automatic-startup method used by viruses is specially crafted registry entries created when they get into the system. If these entries are deleted, the virus can be considered neutralized. The easiest way is to perform a system restore from checkpoint data. A checkpoint is a copy of important system files stored in a special directory ("System Volume Information") and containing, among other things, copies of the Windows registry files. Rolling the system back to a restore point created before the infection gives you a registry without the entries made by the intruding virus and so excludes its automatic start, i.e. gets rid of the infection even without antivirus software. This way you can simply and quickly get rid of most viruses, including those that lock the Windows desktop. Naturally, a locker that, for example, modifies the hard disk's boot sectors (the MBRLock virus) cannot be removed this way, since the rollback to a restore point does not touch the disk's boot records, and it will not be possible to boot Windows in Safe Mode with Command Prompt, because the virus loads even before the Windows boot loader. To get rid of such an infection you will have to boot from different media and restore the infected boot records. But such viruses are relatively rare, and in most cases you can get rid of the infection by rolling the system back to a restore point.

1. At the very start of boot, press F8. The Windows boot loader menu with the available boot options appears on the screen.

2. Select the boot option "Safe Mode with Command Prompt".

After boot completes and the user logs on, the cmd.exe command processor window is shown instead of the usual Windows desktop.

3. Run the "System Restore" tool: type rstrui.exe at the command line and press ENTER.

Switch the mode to "Choose another restore point" and in the next window check the box "Show other restore points".

After selecting a Windows restore point, you can see the list of programs affected when the system is rolled back:

The list of affected programs shows programs that were installed after the restore point was created; they may need to be reinstalled, because the registry entries associated with them will be gone.

After clicking the "Finish" button, the system recovery process begins. When it completes, Windows restarts.

After the reboot, a message reports whether the rollback succeeded; if it did, Windows returns to the state it was in on the date the restore point was created. If your desktop is still locked, use the more advanced method below.

Removing a virus without rolling back the system to a restore point

It may be that, for various reasons, the system has no restore point data, the restore procedure ended with an error, or the rollback did not help. In that case you can use the MSCONFIG.EXE system configuration utility. As before, boot Windows in Safe Mode with Command Prompt and in the cmd.exe window type msconfig.exe and press ENTER.

On the General tab you can select the following Windows startup modes:

Diagnostic startup - only the minimum required system services and user programs start when the system boots.
Selective startup - lets you manually set the list of system services and user programs to be launched during boot.

To eliminate the virus, the simplest way is to use Diagnostic startup, where the utility itself determines the set of automatically started programs. If the virus stops locking the desktop in this mode, go to the next step: determine which of the programs is the virus. For this you can use Selective startup, which lets you enable or disable the launch of individual programs by hand.

The "Services" tab lets you enable or disable the startup of system services whose startup type is set to "Automatic". An unchecked box next to a service name means it will not be started during boot. At the bottom of the MSCONFIG window there is a "Do not display Microsoft services" option; when enabled, only third-party services are shown.

Note that with the standard security settings of Windows Vista / Windows 7 the probability of a virus installing itself as a system service is very low, so you will have to look for traces of the virus in the list of automatically launched user programs (the Startup tab).

Just as on the "Services" tab, you can enable or disable the automatic launch of any program in the list shown by MSCONFIG. If a virus is activated by automatic launch through special registry keys or the contents of the "Startup" folder, msconfig lets you not only neutralize it but also find the path and name of the infected file.

The msconfig utility is a simple and convenient tool for configuring the automatic start of services and applications that start in the standard way for Windows operating systems. However, virus authors often use techniques that let malware run without the standard startup points. To get rid of such a virus with a high probability, you can use the rollback to a restore point described above. If a rollback is impossible and msconfig did not help, you can edit the registry directly.

While fighting a virus, the user often has to do a hard reboot with the Reset button or by cutting the power. This can lead to a situation where the system starts booting normally but never reaches the logon. The computer "hangs" because the logical data structure of some system files was corrupted by the improper shutdown. To fix this, boot into Safe Mode with Command Prompt as in the previous cases and run the disk-check command:

chkdsk C: /F - check drive C: and correct any errors found (the /F switch)

Since at the time chkdsk is launched the system disk is in use by system services and applications, chkdsk cannot get exclusive access to it to perform the check. The user is therefore shown a warning and offered to run the check at the next reboot. After answering Y, information is written to the registry so that the disk check starts when Windows restarts. After the check, this information is removed and Windows restarts normally without user intervention.

Eliminate the possibility of starting a virus using the registry editor.

To start the registry editor, as in the previous case, you need to boot Windows in safe mode with command line support, type regedit.exe in the command line interpreter window and press ENTER Windows 7, with standard system security settings, is protected from many methods of launching malicious programs used for previous versions operating systems from Microsoft. Installing their own drivers and services by viruses, reconfiguring the WINLOGON service with connecting their own executable modules, fixing registry keys related to all users, etc. - all these methods either do not work in Windows 7 environment or require such serious labor that they practically do not meet. As a rule, changes to the registry that allow the virus to run are made only in the context of the permissions that exist for the current user, i.e. under HKEY_CURRENT_USER

In order to demonstrate the simplest mechanism for locking the desktop using the substitution of the user's shell (shell) and the impossibility of using the MSCONFIG utility to detect and remove a virus, you can conduct the following experiment - instead of a virus, you can independently correct the registry data in order to get, for example, a command line instead of the desktop ... The familiar desktop is created by Windows Explorer (Explorer.exe) launched as the user's shell. This is provided by the values \u200b\u200bof the Shell parameter in the registry keys

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon - for all users.
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon - for the current user.

The Shell value is a string containing the name of the program that is used as the shell when the user logs on. Usually the Shell value is absent from the current-user key (HKEY_CURRENT_USER, or HKCU) and the value from the all-users key (HKEY_LOCAL_MACHINE, or HKLM) is used.

This is what the registry key HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon looks like on a standard Windows 7 installation:

If you add a string value named Shell with the data "cmd.exe" to this key, then the next time the current user logs on, cmd.exe will be started as the shell instead of the standard Explorer-based one, and a command prompt window will appear instead of the usual Windows desktop.

Naturally, any malicious program can be started the same way, and the user gets a porn banner, a blocker or some other nuisance instead of the desktop.
Changing the all-users key (HKLM...) requires administrative privileges, so viruses, as a rule, modify the current-user key (HKCU...).

If you run the msconfig utility during the experiment, you can confirm that cmd.exe does not appear as the user's shell in its lists of automatically started programs. A system rollback (System Restore) would of course bring the registry back to its original state and get rid of the virus's autostart, but if that is impossible for some reason, what remains is direct editing of the registry. To return to the standard desktop, simply delete the Shell value, or change it from "cmd.exe" to "explorer.exe", and then log off and log back on, or reboot. You can edit the registry by running the registry editor regedit.exe from the command line, or with the REG.EXE console utility. Command line example to delete the Shell value:

reg delete "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell

The shell substitution shown above is currently one of the most common techniques used by viruses on Windows 7. The fairly high level of security of the default settings denies malware access to the registry keys that were used for infection in Windows XP and earlier. Even if the current user is a member of the Administrators group, access to the vast majority of registry settings used for infection requires running the program as administrator. That is why malware modifies the registry keys the current user is allowed to write to (the HKCU key). The second important factor is the difficulty of writing program files into system directories. That is why most viruses on Windows 7 run executable files (.exe) from the current user's temporary files directory (Temp). When analysing the automatic program start points in the registry, pay attention first of all to programs located in the temporary files directory. This is usually C:\Users\username\AppData\Local\Temp. The exact path of the temporary files directory can be viewed through Control Panel, System properties, "Environment variables", or on the command line:

set temp
or
echo %temp%

In addition, searching the registry for the temporary files directory name or for the %TEMP% variable can be used as an extra way of detecting viruses: legitimate programs never run automatically from the TEMP directory.

For a complete list of possible start points it is convenient to use the Autoruns program from the Sysinternals Suite.
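The two start points discussed above (the Winlogon Shell value in both hives, and Run/RunOnce entries whose command points into the temporary files directory) can be checked with a short read-only script. This is an added example, not code from the article or from AVZ; it assumes a PowerShell prompt on the machine being examined, uses the Winlogon paths named in the text, and adds the standard Run/RunOnce keys, which the article does not list by path:

```powershell
# Added example: audit the Winlogon Shell value and Run/RunOnce autostarts.
# Read-only: nothing is modified, findings are printed for review.

# 1. Shell in both Winlogon keys. HKCU normally has no Shell value at all;
#    HKLM should be exactly "explorer.exe".
$winlogon = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
    'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
)
foreach ($key in $winlogon) {
    $shell = (Get-ItemProperty -Path $key -Name Shell -ErrorAction SilentlyContinue).Shell
    if ($null -eq $shell) {
        Write-Output "[ok]      $key : no Shell value (default is inherited)"
    } elseif ($shell -ieq 'explorer.exe') {
        Write-Output "[ok]      $key : Shell = $shell"
    } else {
        Write-Output "[SUSPECT] $key : Shell = $shell"
    }
}

# 2. Run/RunOnce entries whose command lives under the user's temp directory
#    (assumed key list: the four standard Run/RunOnce keys).
$tempDir = [System.IO.Path]::GetFullPath($env:TEMP).TrimEnd('\')
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($null -eq $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own metadata properties
        $cmd = [string]$p.Value
        # Expand %TEMP% and similar before matching, as the loader would.
        $expanded = [System.Environment]::ExpandEnvironmentVariables($cmd)
        if ($expanded -like "*$tempDir*" -or $cmd -match '%TEMP%') {
            Write-Output "[SUSPECT] $key\$($p.Name) = $cmd"
        } else {
            Write-Output "[info]    $key\$($p.Name) = $cmd"
        }
    }
}
```

Lines marked [SUSPECT] are the ones worth looking at first; a Shell value other than explorer.exe is removed with the reg delete command shown above (or Remove-ItemProperty in PowerShell), and only after the corresponding executable has been dealt with.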

The simplest ways to remove blockers of the MBRLock family

Malicious programs can take control of a computer not only by infecting the operating system but also by modifying the boot sector of the disk the system boots from. The virus replaces the boot sector of the active partition with its own code, so that instead of Windows a simple program loads that displays a ransom message demanding money for the crooks. Since the virus gains control before the system even boots, there is only one way around it: boot from another medium (CD/DVD, external drive, etc.) into any operating system from which the boot sector code can be restored. The easiest way is to use one of the Live CD/Live USB images that most antivirus companies provide for free (Dr.Web LiveCD, Kaspersky Rescue Disk, Avast! Rescue Disk, etc.). Besides restoring boot sectors, these products can also scan the file system for malware and remove or disinfect infected files. If that is not possible, you can get by with booting any Windows PE (an installation disk, an ERD Commander rescue disk) to restore normal system startup. Usually it is enough to reach a command prompt and run:

bootsect /nt60 E: /mbr

This restores the boot sectors of drive E:. Use the letter of the drive that the virus-damaged system boots from.

or, for Windows versions earlier than Windows Vista:

bootsect /nt52 E: /mbr

The bootsect.exe utility can reside not only in the system directories but also on any removable medium; it runs under any operating system of the Windows family and restores the boot sector code without touching the partition table or the file system. As a rule the /mbr switch is not needed, since it restores the MBR code, which these viruses do not modify (perhaps not yet).
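Before running bootsect it is useful to see what is actually in the sectors it would overwrite. The following added example (not from the article and not part of bootsect or AVZ) reads the MBR of a physical disk, locates the active partition from the partition table, and then reads that partition's boot sector (VBR) and checks the 0x55AA signature and the OEM ID at offset 3. It assumes 512-byte sectors, a classic MBR partition table rather than GPT, an elevated PowerShell prompt, and disk number 0 unless another is passed; the disk is opened read-only:

```powershell
# Added example: inspect the MBR and the active partition's VBR read-only.
param([int]$DiskNumber = 0)

function Read-Sector {
    param([System.IO.FileStream]$Stream, [long]$Lba)
    $buf = New-Object byte[] 512                     # assumption: 512-byte sectors
    $Stream.Seek($Lba * 512, [System.IO.SeekOrigin]::Begin) | Out-Null
    $read = $Stream.Read($buf, 0, 512)
    if ($read -ne 512) { throw "short read at LBA $Lba" }
    return $buf
}

function Test-BootSignature([byte[]]$Sector) {
    # Every valid MBR and VBR ends with the bytes 0x55 0xAA.
    return ($Sector[510] -eq 0x55 -and $Sector[511] -eq 0xAA)
}

$path = "\\.\PhysicalDrive$DiskNumber"
$stream = New-Object System.IO.FileStream($path, [System.IO.FileMode]::Open,
    [System.IO.FileAccess]::Read, [System.IO.FileShare]::ReadWrite)
try {
    $mbr = Read-Sector $stream 0
    Write-Output ("MBR signature: {0}" -f $(if (Test-BootSignature $mbr) { 'ok' } else { 'MISSING' }))

    # Partition table: four 16-byte entries starting at offset 446.
    # Byte 0 = boot flag (0x80 active), byte 4 = type, bytes 8-11 = start LBA,
    # bytes 12-15 = sector count (both little-endian UInt32).
    $active = $null
    for ($i = 0; $i -lt 4; $i++) {
        $off   = 446 + 16 * $i
        $flag  = $mbr[$off]
        $type  = $mbr[$off + 4]
        $start = [BitConverter]::ToUInt32($mbr, $off + 8)
        $count = [BitConverter]::ToUInt32($mbr, $off + 12)
        if ($type -eq 0) { continue }                # empty slot
        Write-Output ("entry {0}: boot=0x{1:X2} type=0x{2:X2} lba={3} sectors={4}" -f $i, $flag, $type, $start, $count)
        if ($flag -eq 0x80) { $active = $start }
    }
    if ($null -eq $active) { Write-Output 'no active partition found'; return }

    # The VBR of the active partition is the sector the MBR code jumps to;
    # this is the sector the blockers described above replace.
    $vbr = Read-Sector $stream $active
    $oem = [System.Text.Encoding]::ASCII.GetString($vbr, 3, 8)
    Write-Output ("VBR at LBA {0}: signature {1}, OEM ID '{2}'" -f $active,
        $(if (Test-BootSignature $vbr) { 'ok' } else { 'MISSING' }), $oem)
    if ($oem -notmatch '^(NTFS|MSDOS|MSWIN)') {
        Write-Output 'VBR OEM ID is not a Microsoft one: the boot sector code may have been replaced'
    }
} finally {
    $stream.Dispose()
}
```

A Windows NTFS volume reports the OEM ID "NTFS    " and FAT volumes report "MSDOS5.0" or "MSWIN4.1"; anything else in the active partition's VBR, or a missing 0x55AA signature, is the condition under which bootsect /nt60 (or /nt52) on that drive letter is the appropriate repair. The check is a heuristic only: a blocker could keep the OEM string, so a clean boot from rescue media and an antivirus scan remain the authoritative test.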

AVZ is a simple and handy utility that can not only help remove malware but also knows how to restore the system. Why is this necessary?

The fact is that after a virus invasion (it happens that AVZ kills them by the thousand), some programs refuse to work, settings have disappeared somewhere, and Windows somehow no longer works quite correctly.

Most often, in this case, users simply reinstall the system. But as practice shows, this is not at all necessary, because with the same AVZ utility you can restore almost any damaged program or setting.

To give you a clearer picture, here is a complete list of what AVZ can recover.

Material taken from the AVZ handbook - http://www.z-oleg.com/secur/avz_doc/ (copy and paste into the browser address bar).

Currently the database contains the following firmware (AVZ's term for its repair scripts):

1. Restoring startup parameters for .exe, .com, .pif files

This firmware restores the system's response to exe, com, pif and scr files.

Indications for use: after removing the virus, programs stop running.

2. Reset Internet Explorer protocol prefix settings to standard

This firmware restores the protocol prefix settings in Internet Explorer.

Indications for use: when you enter an address such as www.yandex.ru, it is replaced with something like www.seque.com/abcd.php?url=www.yandex.ru

3. Restoring the Internet Explorer start page

This firmware restores the start page in Internet Explorer.

Indications for use: start page spoofing.

4. Reset Internet Explorer search settings to standard

This firmware restores the Internet Explorer search settings.

Indications for use: clicking the "Search" button in IE takes you to some third-party site.

5. Restoring desktop settings

This firmware restores the desktop settings.

Recovery means removing all active ActiveDesktop elements and wallpaper, and removing the locks on the menu responsible for desktop settings.

Indications for use: the desktop settings tabs have disappeared from the "Display Properties" window; extraneous text or images are displayed on the desktop.

6. Delete all Policies (restrictions) of the current user

Windows provides a mechanism for limiting user actions called Policies. This technology is used by many malicious programs because the settings are stored in the registry and are easy to create or modify.

Indications for use: Explorer or other system functions are blocked.

7. Delete the message displayed during WinLogon

Windows NT and later systems in the NT line (2000, XP) allow a message to be set that is displayed during startup.

A number of malicious programs take advantage of this, and killing the malware does not remove the message.

Indications for use: an extraneous message is displayed during system boot.

8. Restoring Explorer settings

This firmware resets a number of Explorer settings to standard ones (first of all, the settings changed by malware).

Indications for use: Explorer settings have been changed.

9. Remove system process debuggers

Registering a debugger for a system process allows an application to run hidden, which is used by a number of malicious programs.

Indications for use: AVZ detects unrecognized debuggers of system processes; there are problems starting system components, in particular the desktop disappears after a restart.

10. Restoring boot settings in SafeMode

Some malware, in particular the Bagle worm, corrupts the Safe Mode boot settings.

This firmware restores the Safe Mode boot settings. Indications for use: the computer does not boot in SafeMode. This firmware should be used only if there are problems booting in Safe Mode.

11. Unlock Task Manager

Task Manager blocking is used by malware to protect its processes from detection and termination. Running this firmware removes the lock.

Indications for use: Task Manager is blocked; when you try to open it, the message "Task Manager has been disabled by your administrator" is displayed.

12. Clear the ignore list of the HijackThis utility

The HijackThis utility stores a number of its settings in the registry, in particular its exclusion list. Therefore, to hide from HijackThis, a malicious program only needs to add its executable files to the exclusion list.

A number of malicious programs that exploit this weakness are currently known. The AVZ firmware clears the HijackThis exclusion list.

Indications for use: suspicion that the HijackThis utility does not display all information about the system.

13. Cleaning up the Hosts file

Clearing the Hosts file amounts to finding the Hosts file, removing all meaningful lines from it, and adding the standard line "127.0.0.1 localhost".

Indications for use: Suspicion that the Hosts file has been modified by malware. Typical symptoms are antivirus software updates being blocked.

You can control the contents of the Hosts file using the Hosts file manager built into AVZ.

14. Automatic correction of SPI/LSP settings

Analyses the SPI settings and, if any errors are found, corrects them automatically.

This firmware can be re-run an unlimited number of times. After executing it, it is recommended to restart the computer. Note! This firmware cannot be run from a terminal session.

Indications for use: Internet access was lost after the malware was removed.

15. Reset SPI/LSP and TCP/IP settings (XP+)

This firmware only works on XP, Windows 2003 and Vista. It works by resetting and re-creating the SPI/LSP and TCP/IP settings using the standard netsh utility included with Windows.

Note! Apply this reset only if necessary, when there are unrecoverable problems with Internet access after removing malware!

Indications for use: after removing the malicious program, Internet access is lost and running "14. Automatic correction of SPI/LSP settings" has no effect.

16. Restore the Explorer startup key

Restores system registry keys responsible for starting Explorer.

Indications for use: Explorer does not start during system boot, but it is possible to manually launch explorer.exe.

17. Unlock Registry Editor

Unlocks Registry Editor by removing the policy that prevents it from running.

Indications for use: Unable to start Registry Editor, when you try, you receive a message stating that it was blocked by the administrator.

18. Complete re-creation of SPI settings

It backs up the SPI / LSP settings, then destroys them and creates them according to the reference stored in the database.

Indications for use: Severe damage to SPI settings, unrecoverable by scripts 14 and 15. Use only if necessary!

19. Clear MountPoints database

Clears the MountPoints and MountPoints2 databases in the registry. This operation often helps when drives do not open in Explorer after infection with a flash-drive virus.

To perform the restoration, one or several items must be checked and the button "Perform marked operations" must be pressed. Pressing the "OK" button closes the window.
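Several of the items above (6, 9, 11, 13 and 17) come down to a handful of registry values and one text file, and it is worth knowing what they look like before letting a tool rewrite them. The following added example (not from the article or from AVZ) is a read-only audit of those locations: Image File Execution Options "Debugger" values (item 9), the DisableTaskMgr and DisableRegistryTools policies behind items 11 and 17 (the policy key path and value names are well-known Windows ones, not given in the article), and every active line of the Hosts file other than the localhost entries (item 13). It assumes a PowerShell prompt on the affected machine:

```powershell
# Added example: read-only audit of the locations behind AVZ items 6/9/11/13/17.
# Nothing is modified; each finding is printed with a tag for review.

# Item 9: a Debugger value under Image File Execution Options makes Windows
# start that program instead of the named executable, passing it the path.
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
Get-ChildItem -Path $ifeo -ErrorAction SilentlyContinue | ForEach-Object {
    $dbg = (Get-ItemProperty -Path $_.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
    if ($dbg) { Write-Output "[debugger] $($_.PSChildName) -> $dbg" }
}

# Items 6, 11, 17: the policy values that block Task Manager and Registry Editor.
$policyKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
)
foreach ($key in $policyKeys) {
    foreach ($name in 'DisableTaskMgr', 'DisableRegistryTools') {
        $v = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
        if ($v) { Write-Output "[policy]   $key\$name = $v" }
    }
}

# Item 13: report every active (uncommented, non-empty) Hosts line except the
# standard localhost entries, so a redirected update server stands out.
$hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
Get-Content -Path $hosts -ErrorAction SilentlyContinue | ForEach-Object {
    $line = $_.Trim()
    if ($line -eq '' -or $line.StartsWith('#')) { return }          # comment or blank
    if ($line -match '^(127\.0\.0\.1|::1)\s+localhost$') { return } # standard entries
    Write-Output "[hosts]    $line"
}
```

On a clean system the script normally prints nothing: legitimate IFEO entries do exist (debugging tools register some), so a [debugger] line is a prompt to check what the target program is, not a verdict by itself, while a non-zero DisableTaskMgr or DisableRegistryTools value outside a managed corporate environment, or a Hosts line pointing an antivirus vendor's update host elsewhere, matches the symptoms the list describes.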

Note:

Recovery is useless if a Trojan that performs such reconfiguration is still running on the system: first remove the malware, then restore the system settings.

Note:

To eliminate the traces of most Hijackers, run three firmware: "Reset Internet Explorer search settings to standard", "Restore Internet Explorer start page" and "Reset Internet Explorer protocol prefix settings to standard".

Note:

Any of the firmware can be executed several times in a row without affecting the system. Exceptions: "5. Restoring Desktop Settings" (running it resets all desktop settings and you will have to re-select the desktop colour and wallpaper) and "10. Restoring Boot Settings in SafeMode" (it recreates the registry keys responsible for booting in SafeMode).

To start recovery, first download, unpack and run the utility. Then choose File - System Restore. By the way, you can still execute


Mark the checkboxes you need and click the button to start the operations. That's all, now we wait for it to finish :-)

In the following articles we will look in more detail at the problems that AVZ's System Restore firmware helps us solve. Good luck.

A simple, easy and convenient way to restore a working system, even without the qualifications and skills for it, is possible thanks to the AVZ antivirus utility. The use of so-called "firmware" (the terminology of the AVZ antivirus utility) reduces the whole process to a minimum.


Help is available for most typical problems faced by the user. All firmware functionality is called from the menu "File -> System Restore".

  1. Restoring startup parameters for .exe, .com, .pif files
    Restores the standard system response to files with the exe, com, pif, scr extensions.
    Recommendations for use: after treating the virus, programs and scripts stopped running.
  2. Reset Internet Explorer Protocol Prefix Settings to Standard
    Restores the default protocol prefix settings in the Internet Explorer browser.
    Recommendations for use: when you enter a web address, for example www.yandex.ua, it is replaced with an address such as www.seque.com/abcd.php?url=www.yandex.ua
  3. Restore Internet Explorer Start Page
    Returns the start page of the Internet Explorer browser to the default.
    Recommendations for use: if the start page has been changed.
  4. Reset Internet Explorer Search Settings to Standard
    Restores the search settings in Internet Explorer.
    Recommendations for use: the "Search" button leads to dubious sites.
  5. Restoring Desktop Preferences
    Removes all active ActiveDesktop controls and wallpapers, and unlocks the desktop customization menu.
    Recommendations for use: third-party text and/or images are displayed on the desktop.
  6. Removing all Policies (restrictions) of the current user
    Removes the restrictions on user actions imposed by changed Policies.
    Recommendations for use: Explorer or other system functionality has been blocked.
  7. Clearing the message displayed during WinLogon
    Restore the standard message at system startup.
    Recommendations for use: A third-party message is observed during system boot.
  8. Restore Explorer Settings
    Brings all Explorer settings back to their standard form.
    Recommendations for use: Explorer settings are wrong.
  9. Removing system process debuggers
    A debugger registered for a system process is started silently in its place, which is very convenient for viruses.
    Recommendations for use: for example, the desktop disappears after booting.
  10. Restoring Boot Settings in Safe Mode (SafeMode)
    Repairs the damage done by the Bagle worm and similar malware.
    Recommendations for use: problems booting into SafeMode; otherwise it is not recommended.
  11. Unlocking Task Manager
    Removes the block on starting the Task Manager.
    Recommendations for use: if instead of the Task Manager you see the message "Task Manager has been disabled by your administrator".
  12. Clearing the ignore list of the HijackThis utility
    The HijackThis utility saves its settings in the system registry, including its exclusion list. Malware hides from HijackThis by adding itself to that exclusion list.
    Recommendations for use: you suspect that the HijackThis utility does not display all information about the system.

  13. Clearing the Hosts file
    All uncommented lines are removed and the only meaningful line, "127.0.0.1 localhost", is added.
    Recommendations for use: the Hosts file has been changed. You can check the Hosts file using the Hosts file manager built into AVZ.
  14. Automatic correction of SPI/LSP settings
    The SPI settings are analysed and, if necessary, the errors found are corrected automatically. The firmware can safely be re-run many times. After completion, a computer restart is required. Attention! The firmware cannot be used from a terminal session.
    Recommendations for use: after treating the virus, Internet access was lost.
  15. Reset SPI / LSP and TCP / IP Settings (XP +)
    The firmware runs exclusively on XP, Windows 2003 and Vista. The standard utility "netsh" from Windows is used. Described in detail in the Microsoft Knowledge Base - http://support.microsoft.com/kb/299357
    Recommendations for use: After treatment for the virus, Internet access was lost and firmware # 14 did not help.
  16. Explorer startup key recovery
    Restore system registry keys responsible for starting Explorer.
    Recommendations for use: After booting the system, launching explorer.exe can only be done manually.
  17. Unlock Registry Editor
    Unlocks the Registry Editor by removing the policy that prevents it from starting.
    Recommendations for use: when you try to start Registry Editor, you get a message that the administrator has blocked it from starting.
  18. Complete re-creation of SPI settings
    Backs up all SPI/LSP settings, then recreates them from the reference copy stored in the database.
    Recommendations for use: firmware #14 and #15 did not help restore the SPI settings. Dangerous, apply at your own risk!
  19. Clear MountPoints Base
    The base in the system registry for MountPoints and MountPoints2 is cleared.
    Recommendations for use: for example, disks cannot be opened in Explorer.
  20. Replace DNS of all connections with Google Public DNS
    Changes the DNS server addresses of all connections to 8.8.8.8.

Some useful tips:

  • Most Hijacker problems can be fixed by three firmware: #4 "Reset Internet Explorer search settings to standard", #3 "Restore Internet Explorer start page" and #2 "Reset Internet Explorer protocol prefixes to standard".
  • All firmware except #5 and #10 can safely be executed multiple times.
  • And naturally it is useless to fix anything without first removing the virus.