• Restoring OS operation after a ransomware virus. Scripts for restoring Windows XP after a virus infection


    There are universal programs, the software equivalent of a Swiss Army knife. The hero of this article is exactly such an all-rounder. Its name is AVZ (Zaitsev Antivirus). With this free antivirus you can catch viruses, optimize the system, and fix problems.

    AVZ capabilities

    I have already written about AVZ as an antivirus program. Its use as a one-time antivirus (more precisely, an anti-rootkit) is well described in its help, so here I will show you another side of the program: checking and restoring settings.

    What can be “fixed” with AVZ:

    • Restore the launching of programs (.exe, .com, .pif files)
    • Reset Internet Explorer settings to default
    • Restore desktop settings
    • Remove rights restrictions (for example, if a virus has blocked programs from launching)
    • Remove a banner or window that appears before you log in
    • Remove viruses that run alongside any program
    • Unblock Task Manager and Registry Editor (if a virus has prevented them from running)
    • Clear file
    • Prohibit autorun of programs from flash drives and disks
    • Remove unnecessary files from the hard drive
    • Fix desktop problems
    • And much more

    You can also use it to check Windows settings for safety (in order to better protect against viruses), and to optimize the system by cleaning up startup.

    The AVZ download page is located.

    The program is free.

    First, let's protect your Windows from careless actions.

    The AVZ program has a very large number of functions that affect the operation of Windows. This is dangerous, because a mistake can end in disaster. Please read the text and the help carefully before doing anything. The author of the article is not responsible for your actions.

    I wrote this chapter so that you can “return everything as it was” after careless work with AVZ.

    This is a mandatory step; essentially it creates an “escape route” in case of careless actions. Thanks to a restore point, the settings and the Windows registry can be returned to an earlier state.

    System Restore is a standard component of every version of Windows starting with Windows ME. It is a pity that people usually forget about it and waste time reinstalling Windows and programs, when a couple of clicks would have avoided all the trouble.

    If the damage is serious (for example, some system files are damaged), System Restore will not help. In other cases - if you configured Windows incorrectly, messed around with the registry, installed a program that prevents Windows from booting, or used AVZ incorrectly - System Restore should help.

    After it runs, AVZ creates subfolders with backup copies inside its own folder:

    /Backup - registry backups are stored there

    /Infected - copies of deleted viruses

    /Quarantine - copies of suspicious files

    If problems start after using AVZ (for example, you thoughtlessly used the AVZ “System Restore” tool and the Internet stopped working) and Windows System Restore did not roll back the changes, you can open the registry backups from the Backup folder.

    How to create a restore point

    Let's go to Start - Control Panel - System - System Protection:

    Click “System Protection” in the “System” window.

    Click the “Create” button.

    The process of creating a restore point can take ten minutes. Then a window will appear:

    A restore point will be created. By the way, they are automatically created when installing programs and drivers, but not always. Therefore, before dangerous actions (setting up, cleaning the system), it is better to once again create a restore point, so that in case of trouble you can praise yourself for your foresight.

    How to restore your computer using a restore point

    There are two ways to run System Restore: from a running Windows, and from the installation disc.

    Option 1 - if Windows starts

    Let's go to Start - All Programs - Accessories - System Tools - System Restore:

    System Restore will start. Select “Choose a different restore point” and press Next. A list of restore points will open; choose the one you need:

    The computer will restart automatically. After it boots, all the settings, the registry and some important files will be restored.

    Option 2 - if Windows does not boot

    You need an “installation” disc with Windows 7 or Windows 8. I have written elsewhere about where to get it (or download it).

    Boot from the disc (how to boot from a boot disc is described in a separate article) and select:

    Select "System Restore" instead of installing Windows

    Repairing the system after viruses or inept actions with the computer

    Before doing anything else, get rid of the viruses themselves, for example with an antivirus scan. Otherwise there is no point: the running virus will “break” the corrected settings again.

    Restoring program launches

    If a virus has blocked the launch of any programs, AVZ will help you. Of course, you still need to launch AVZ itself, but that is quite easy:

    First go to Control Panel (set any view other than Category) - Folder Options - View, uncheck “Hide extensions for registered file types” and click OK. Now you can see the extension of each file: the few characters after the last dot in the name. For programs this is usually .exe or .com. To run AVZ on a computer where running programs is blocked, rename its extension to cmd or pif:

    AVZ will then start. In the program window click File - System Restore:

    Items to check:

    1. Restoring startup parameters of .exe, .com, .pif files (this is what actually solves the problem of launching programs)

    6. Removing all Policies (restrictions) of the current user (in some rare cases this item also helps solve the problem of starting programs, if the virus is very harmful)

    9. Removing system process debuggers (it is strongly advisable to check this item, because even if you scanned the system with an antivirus, something could remain from the virus; it also helps if the Desktop does not appear when the system starts)

    Click Perform the marked operations, confirm the action, and a window appears with the text “System restoration completed.” All that remains is to restart the computer, and the problem with launching programs will be solved!

    Restoring the Desktop launch

    A fairly common problem: when the system starts, the Desktop does not appear.

    You can launch the Desktop like this: press Ctrl+Alt+Del, open Task Manager, there choose File - New Task (Run...) and enter explorer.exe:

    Click OK and the desktop will start. But this is only a temporary solution: the next time you turn on the computer you will have to repeat it all again.

    To avoid doing this every time, you need to restore the launch key of explorer (Explorer, which is responsible for the standard view of folder contents and for the desktop). In AVZ click File - System Restore and mark the item “16. Recovering the Explorer launch key”.

    Click Perform the marked operations, confirm the action, press OK. Now the desktop will launch normally when you start the computer.

    Unlocking Task Manager and Registry Editor

    If a virus has blocked the launch of the two programs mentioned above, you can remove the ban through the AVZ program window. Just check two items:

    11. Unlock task manager

    17. Unlocking the registry editor

    And click Perform the marked operations.
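    The items used in this part of the article (program launch parameters, system process debuggers, the Task Manager and Registry Editor policies), together with the Explorer launch key and the pre-logon message described in the detailed item list further down the page, all live in the registry. The script below is an added example, not AVZ code and not from the article: it parses a Registry Editor export and reports every one of those settings that is not at its default, which is a way to see what a virus changed before clicking AVZ's buttons, and to confirm afterwards that the fix stuck. The export text is constructed; the key paths, value names and expected defaults ("%1" %* for exefile/comfile, explorer.exe for the Winlogon Shell) are the standard Windows ones. On a real machine you would export the keys with regedit or `reg export` and read the file with encoding utf-16.

```python
"""Audit a Registry Editor (.reg) export for the settings that AVZ's items restore.

Added example, not AVZ code.  The export text below is constructed; the key paths,
value names and expected defaults are the standard Windows ones.
"""
import re

WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
IFEO_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
POLICY_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System"

# (value name, expected default) per key: program launch parameters and the Explorer launch key.
EXPECTED_DEFAULTS = {
    r"HKEY_CLASSES_ROOT\exefile\shell\open\command": ("@", '"%1" %*'),
    r"HKEY_CLASSES_ROOT\comfile\shell\open\command": ("@", '"%1" %*'),
    WINLOGON_KEY: ("Shell", "explorer.exe"),
}
BLOCKING_POLICIES = ("DisableTaskMgr", "DisableRegistryTools")   # non-zero = tool blocked
LOGON_MESSAGE_VALUES = ("LegalNoticeCaption", "LegalNoticeText")  # message shown before logon

_VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def _unescape(text):
    # .reg strings escape the backslash and the double quote with a backslash.
    return re.sub(r"\\(.)", r"\1", text)


def _decode_value(raw):
    """Decode REG_SZ and REG_DWORD values; other types are returned as raw text."""
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return _unescape(raw[1:-1])
    return raw


def parse_reg(text):
    """Parse .reg text into {key: {value name: value}}, lower-cased (the registry is case-insensitive)."""
    keys, current = {}, None
    for raw_line in text.splitlines():
        line = raw_line.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        match = _VALUE_RE.match(line)
        if current is None or not match:
            continue
        name = "@" if match.group(1) == "@" else _unescape(match.group(1)[1:-1]).lower()
        keys[current][name] = _decode_value(match.group(2))
    return keys


def audit(keys):
    """Return human-readable findings; an empty list means every checked setting is at its default."""
    findings = []
    for key, (name, expected) in EXPECTED_DEFAULTS.items():
        actual = keys.get(key.lower(), {}).get(name.lower())
        if actual is not None and actual != expected:
            findings.append(f"{key} [{name}] = {actual!r}, expected {expected!r}")
    policies = keys.get(POLICY_KEY.lower(), {})
    for name in BLOCKING_POLICIES:
        if policies.get(name.lower()):
            findings.append(f"{POLICY_KEY} [{name}] is set: the tool is blocked by policy")
    ifeo_prefix = IFEO_KEY.lower() + "\\"
    for key, values in keys.items():
        if key.startswith(ifeo_prefix) and "debugger" in values:
            findings.append(f"debugger registered for {key[len(ifeo_prefix):]}: {values['debugger']!r}")
    winlogon = keys.get(WINLOGON_KEY.lower(), {})
    if any(winlogon.get(name.lower()) for name in LOGON_MESSAGE_VALUES):
        findings.append("Winlogon pre-logon message (LegalNotice*) is set: check that it is yours")
    return findings


# Constructed export: a hijacked .exe launch command, a debugger hooked onto taskmgr.exe,
# a policy blocking Task Manager and a pre-logon banner.  comfile and Shell are at defaults.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\ProgramData\\sample_hijack.exe\" \"%1\" %*"

[HKEY_CLASSES_ROOT\comfile\shell\open\command]
@="\"%1\" %*"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe"
"LegalNoticeCaption"="Attention"
"LegalNoticeText"="Constructed pre-logon banner text"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe]
"Debugger"="C:\\ProgramData\\sample_hijack.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
"DisableRegistryTools"=dword:00000000
'''

if __name__ == "__main__":
    # On a real machine: reg export <key> out.reg, then open("out.reg", encoding="utf-16").read()
    for finding in audit(parse_reg(SAMPLE_EXPORT)):
        print(finding)
```

    Run against the constructed export, it reports four things: the replaced exefile command, the DisableTaskMgr policy, the debugger attached to taskmgr.exe, and the pre-logon message; DisableRegistryTools is zero, so it is not reported. A debugger entry or a logon banner is not proof of infection on its own (developers and organisations set both legitimately), which is why the findings say “check” rather than deleting anything.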

    Problems with the Internet (VKontakte, Odnoklassniki and antivirus sites do not open)

    Cleaning the system from unnecessary files

    AVZ can also clean unnecessary files off your computer. If you don’t have a disk-cleaning program installed, AVZ will do, since it has many options:

    More details about the points:

    1. Clear system cache Prefetch - cleans the folder holding information about which files to preload for faster program launches. The option is useless, because Windows itself monitors the Prefetch folder quite successfully and cleans it when required.
    2. Delete Windows log files - clears various databases and files containing records of events in the operating system. The option is useful if you need to free up a dozen or two megabytes on your hard drive; in other words, the benefit is negligible and the option is useless.
    3. Delete memory dump files - on a critical error Windows stops and shows a BSOD (blue screen of death), saving information about running programs and drivers to a file so that special programs can later identify the culprit of the failure. The option is almost useless, since it gains only about ten megabytes of free space. Clearing memory dump files does not harm the system.
    4. Clear list of Recent documents - oddly enough, this option clears the Recent Documents list in the Start menu. You can also clear the list manually by right-clicking this item in the Start menu and selecting “Clear list of recent items.” The option is useful: I noticed that clearing the recent documents list lets the Start menu display its submenus a little faster. It will not harm the system.
    5. Clearing the TEMP folder - the Holy Grail for those looking for where the free space on drive C: went. Many programs store files in the TEMP folder for temporary use and forget to “clean up after themselves” later. A typical example is archivers: they unpack files there and forget to delete them. Clearing the TEMP folder does not harm the system and can free up a lot of space (in particularly advanced cases the gain reaches fifty gigabytes!).
    6. Adobe Flash Player - cleaning temporary files - Flash Player can save files for temporary use, and they can be removed. Sometimes (rarely) this option helps with Flash Player glitches, for example problems playing video and audio on the VKontakte website. There is no harm in using it.
    7. Clearing the terminal client cache - as far as I know, this clears the temporary files of the Windows component called “Remote Desktop Connection” (remote access to computers over the RDP protocol). The option seems to do no harm and frees up about ten megabytes in the best case. There is no point in using it.
    8. IIS - deleting HTTP error log - explaining what this is would take a long time. Let me just say that it is better not to enable the IIS log clearing option. In any case it does no harm, and no good either.
    9. Macromedia Flash Player - duplicates “Adobe Flash Player - cleaning temporary files”, but affects rather ancient versions of Flash Player.
    10. Java - clearing cache - gains a couple of megabytes on the hard drive. I don't use Java programs, so I haven't checked the consequences of enabling the option. I don't recommend turning it on.
    11. Emptying the Recycle Bin - the purpose of this item is clear from its name.
    12. Remove system update installation logs - Windows keeps a log of installed updates; enabling this option clears it. The option is useless because there is no gain in free space.
    13. Delete Windows Update log - similar to the previous item, but other files are deleted. Also a useless option.
    14. Clear MountPoints database - if no icons appear in the Computer window when you connect a flash drive or hard drive, this option can help. I advise enabling it only if you have problems connecting flash drives and disks.
    15. Internet Explorer - clearing cache - cleans Internet Explorer temporary files. The option is safe and useful.
    16. Microsoft Office - clearing cache - cleans the temporary files of the Microsoft Office programs (Word, Excel, PowerPoint and others). I can’t check whether the option is safe because I don’t have Microsoft Office.
    17. Clearing the CD burning system cache - a useful option that deletes files you have prepared for burning to disc.
    18. Cleaning the system TEMP folder - unlike the user TEMP folder (see item 5), cleaning this folder is not always safe, and it usually frees up little space. I don't recommend turning it on.
    19. MSI - cleaning the Config.Msi folder - this folder stores various files created by program installers. It grows large if installers did not finish their work correctly, so cleaning Config.Msi is justified. However, I warn you: there may be problems uninstalling programs that use .msi installers (for example, Microsoft Office).
    20. Clear task scheduler logs - the Windows Task Scheduler keeps a log of completed tasks. I don't recommend enabling this item: there is no benefit, and it will add problems, since the Task Scheduler is quite a buggy component.
    21. Remove Windows Setup logs - the gain in space is insignificant; there is no point in deleting them.
    22. Windows - clearing icon cache - useful if you have problems with shortcuts, for example when icons do not appear immediately after the Desktop appears. Enabling this option will not affect system stability.
    23. Google Chrome - clearing cache - a very useful option. Google Chrome stores copies of pages in a designated folder to open sites faster (pages are loaded from the hard drive instead of downloaded over the Internet). Sometimes this folder reaches half a gigabyte. Cleaning it frees up hard drive space and does not affect the stability of either Windows or Google Chrome.
    24. Mozilla Firefox - cleaning the CrashReports folder - every time Firefox hits a problem and closes abnormally, report files are created. This option deletes them. The gain reaches a couple of tens of megabytes, so the option is of little use, but it is there. It does not affect the stability of Windows or Mozilla Firefox.

    Depending on the installed programs, the number of items will vary. For example, if the Opera browser is installed, you can clear its cache too.

    Cleaning the list of startup programs

    A surefire way to speed up your computer's startup and general performance is to clean the startup list. If unnecessary programs do not start, the computer will not only turn on faster but also work faster, thanks to the resources no longer taken up by programs running in the background.

    AVZ can see almost all the loopholes in Windows through which programs get launched. You can view the autorun list in the Tools - Autorun Manager menu:

    The average user has absolutely no need for such powerful functionality, so I urge you not to turn everything off. It is enough to look at just two sections: Autorun folders and Run*.

    AVZ displays autorun entries not only for your user, but for all the other profiles too:

    In the Run* section it is better not to disable programs located under HKEY_USERS; this may disrupt the operation of other user profiles and of the operating system. In the Autorun folders section you can turn off everything you don't need.

    The lines that the antivirus identifies as known are marked in green. This includes both Windows system programs and third-party programs with a digital signature.

    All other programs are marked in black. This does not mean that such programs are viruses or anything like that, just that not every program is digitally signed.

    Don't forget to make the first column wider so that the program name is visible. Simply unchecking the checkbox temporarily disables the program's autorun (you can check the box again later); highlighting the item and pressing the button with the black cross deletes the entry for good (or until the program registers itself in autorun again).

    The question arises: how do you determine what can be turned off and what cannot? There are two approaches:

    First, common sense: you can decide based on the name of the program's .exe file. For example, Skype creates an entry on installation so that it starts automatically when you turn on the computer. If you don’t need this, uncheck the box for the line ending in skype.exe. By the way, many programs (Skype among them) can remove themselves from startup; just uncheck the corresponding option in the program's own settings.

    Second, you can search the Internet for information about the program, and decide from what you find whether to remove it from autorun or not. AVZ makes it easy to look items up: just right-click the item and select your favourite search engine:

    By disabling unnecessary programs you will significantly speed up your computer's startup. However, it is not advisable to disable everything: you risk losing the keyboard layout indicator, disabling the antivirus, and so on.

    Disable only those programs that you know for sure you don't need at startup.

    Bottom line

    In principle, what I described in this article is akin to hammering nails with a microscope: AVZ is suitable for Windows optimization, but in general it is a complex and powerful tool suited to very different tasks. To use AVZ to its fullest you need to know Windows thoroughly, so you can start small, namely with what I described above.

    If you have any questions or comments, there is a comment section under the articles where you can write to me. I monitor the comments and will try to respond as quickly as possible.


    A week has already passed since Petya landed in Ukraine. In all, more than fifty countries around the world were affected by this ransomware virus, but 75% of the massive cyberattack hit Ukraine. Government and financial institutions across the country were among the first to report that their systems were affected; among them were Ukrenergo and Kyivenergo. To penetrate and lock systems, the Petya.A virus used the M.E.Doc accounting program. This software is very popular among institutions of all kinds in Ukraine, which proved fatal. As a result, some companies took a long time to restore their systems after the Petya virus. Some managed to resume work only yesterday, 6 days after the ransomware struck.

    The purpose of the Petya virus

    The goal of most ransomware viruses is extortion. They encrypt the information on the victim's PC and demand money from the victim for a key that will restore access to the encrypted data. But the scammers do not always keep their word. Some ransomware is simply not designed to be decrypted, and the Petya virus is one of them.

    This sad news was reported by specialists from Kaspersky Lab. In order to recover data after a ransomware virus, you need the unique installation identifier of the virus. But this new virus does not generate an identifier at all, that is, the creators of the malware did not even consider the option of restoring a PC after the Petya virus.

    At the same time, the victims received a message naming the address to which $300 in bitcoins should be transferred in order to restore the system. In such cases experts do not recommend assisting the hackers, but nevertheless the creators of Petya managed to earn more than $10,000 in the 2 days after the massive cyberattack. Experts are confident, though, that extortion was not their main goal, since this mechanism was poorly thought out, unlike the other mechanisms of the virus. From this it can be assumed that the goal of the Petya virus was to destabilize the work of global enterprises. It is also entirely possible that the hackers were simply in a hurry and did not think the payment part through.

    Restoring a PC after the Petya virus

    Unfortunately, once Petya has fully infected a computer, the data on it cannot be restored. Nevertheless, there is a way to unlock a computer after the Petya virus if the ransomware did not have time to encrypt the data completely. It was published on the official website of the Cyber Police on July 2.

    There are three variants of infection by the Petya virus:

    — all information on the PC is completely encrypted, and a window demanding money is displayed on the screen;
    — the PC data is partially encrypted: the encryption process was interrupted by external factors (including a loss of power);
    — the PC is infected, but the process of encrypting the MFT tables has not started.

    In the first case everything is bad: the system cannot be restored, at least for now.
    In the last two cases the situation is fixable.
    To recover data that has been partially encrypted, it is recommended to boot from the Windows installation disc:

    If the hard drive was not damaged by the ransomware, the booted OS will see the files, and you can begin MBR recovery:

    The process differs slightly for each Windows version.

    Windows XP

    After booting from the installation disc, the “Windows XP Professional Setup” window appears on the screen, where you need to choose “To repair a Windows XP installation using Recovery Console, press R.” After pressing R, the Recovery Console will load.

    If the machine has one operating system installed and it is located on drive C, a prompt will appear:
    “1: C:\WINDOWS. Which Windows installation would you like to log on to?” Accordingly, press “1” and then “Enter”.
    Then the following message will appear: “Type the Administrator password.” Enter the password and press “Enter” (if there is no password, just press “Enter”).
    A prompt should appear: C:\WINDOWS>. Enter fixmbr.

    A “WARNING” will then appear.
    To confirm writing a new MBR, press “y”.
    Then the notification “Writing new master boot record on physical drive \Device\Harddisk0\Partition0.”
    And: “The new master boot record has been successfully written.”

    Windows Vista:

    Here the situation is simpler. Boot from the disc, select the language and keyboard layout. Then “Repair your computer” will appear on the screen. A menu will appear in which you select “Next”. A window with the recovery options for the system will appear; open the command prompt and enter bootrec /FixMbr.
    After this, wait for the process to complete; if everything went well, a confirmation message will appear. Press “Enter” and the computer will begin to reboot. That's all.

    Windows 7:

    The recovery process is similar to Vista. After selecting your language and keyboard layout, select your OS and click “Next.” In the new window select “Use recovery tools that can help fix problems starting Windows.”
    All other actions are the same as for Vista.

    Windows 8 and 10:

    Boot from the disc and, in the window that appears, select Repair your computer > Troubleshoot, then open the command prompt and enter bootrec /FixMbr. Once the process is complete, press “Enter” and reboot the device.

    After the MBR recovery has completed successfully (regardless of the Windows version), you need to scan the disk with an antivirus.
    If the virus had started the encryption process, you can use file recovery software such as R-Studio. After copying the recovered files to removable media, you need to reinstall the system.
    If you use a backup program that keeps its own data in the boot sector, for example Acronis True Image, you can check that Petya did not touch that sector. If it did not, the system can be returned to working condition without reinstalling.
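    The fixmbr and bootrec /FixMbr steps above rewrite the boot code in the first sector of the disk, which is exactly the part Petya replaces. As an added example that is not from the article or the Cyber Police guide, the Python below parses a 512-byte MBR image, checks the 0x55AA signature and the four partition entries, and compares the bootstrap area with a trusted reference copy of the sector; keeping such a copy (the article's remark about boot-sector backups points the same way) turns “did the loader get replaced?” into a byte comparison rather than guesswork. The sectors are constructed; the layout (446-byte boot area, four 16-byte partition entries at offset 446, signature at offset 510) is the standard MBR layout.

```python
"""Check a 512-byte MBR and compare its bootstrap area with a trusted copy.

Added example, not from the article or the Cyber Police guide.  The sectors below are
constructed; the layout (446-byte boot area, four 16-byte partition entries at offset 446,
0x55AA signature at offset 510) is the standard MBR layout.
"""
import struct

SECTOR_SIZE = 512
BOOT_AREA_END = 446         # bytes 0..445: bootstrap code (the part a replaced loader overwrites)
PARTITION_TABLE = 446       # four 16-byte entries
SIGNATURE_OFFSET = 510      # 0x55 0xAA marks a bootable sector
ENTRY_FORMAT = "<B3xB3xII"  # status, CHS start (skipped), type, CHS end (skipped), LBA start, sectors


def parse_mbr(sector):
    """Return the boot-signature check and the non-empty partition entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly 512 bytes")
    partitions = []
    for index in range(4):
        status, ptype, lba_start, sectors = struct.unpack_from(ENTRY_FORMAT, sector, PARTITION_TABLE + 16 * index)
        if ptype != 0:  # type 0x00 is an unused slot
            partitions.append({"index": index, "active": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": sectors})
    signature_ok = bytes(sector[SIGNATURE_OFFSET:SIGNATURE_OFFSET + 2]) == b"\x55\xaa"
    return {"signature_ok": signature_ok, "partitions": partitions}


def check_mbr(sector):
    """Structural sanity checks: signature present, at most one active entry, no overlaps."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("boot signature 0x55AA missing: sector is not a valid MBR")
    active = [p for p in info["partitions"] if p["active"]]
    if len(active) > 1:
        findings.append(f"{len(active)} partitions flagged active; standard boot code expects at most one")
    ranges = sorted((p["lba_start"], p["lba_start"] + p["sectors"], p["index"]) for p in info["partitions"])
    for (_, end_a, idx_a), (start_b, _, idx_b) in zip(ranges, ranges[1:]):
        if start_b < end_a:
            findings.append(f"partition {idx_a} and partition {idx_b} overlap")
    return findings


def boot_code_changed(reference, current):
    """True when the bootstrap area differs from a trusted copy of the sector."""
    return bytes(reference[:BOOT_AREA_END]) != bytes(current[:BOOT_AREA_END])


def partition_table_changed(reference, current):
    """True when the partition entries differ from the trusted copy."""
    return bytes(reference[PARTITION_TABLE:SIGNATURE_OFFSET]) != bytes(current[PARTITION_TABLE:SIGNATURE_OFFSET])


def make_entry(active, ptype, lba_start, sectors):
    """Pack one partition entry (CHS fields left zero)."""
    return struct.pack(ENTRY_FORMAT, 0x80 if active else 0x00, ptype, lba_start, sectors)


def build_sample_mbr(boot_code, entries):
    """Assemble a constructed sector from a boot-code pattern and up to four entries."""
    sector = bytearray(SECTOR_SIZE)
    code = boot_code[:BOOT_AREA_END]
    sector[:len(code)] = code
    table = b"".join(entries) + b"\x00" * (16 * (4 - len(entries)))
    sector[PARTITION_TABLE:SIGNATURE_OFFSET] = table
    sector[SIGNATURE_OFFSET:] = b"\x55\xaa"
    return bytes(sector)


# Constructed data: an NTFS system partition plus a data partition, as the trusted reference ...
_ENTRIES = [make_entry(True, 0x07, 2048, 204800), make_entry(False, 0x07, 206848, 1000000)]
REFERENCE_MBR = build_sample_mbr(b"\xeb\x63\x90" + b"\x90" * 443, _ENTRIES)
# ... the same partition table under a different bootstrap area (a replaced boot loader) ...
REPLACED_MBR = build_sample_mbr(b"\xfa\x33\xc0" + b"\xcc" * 443, _ENTRIES)
# ... and a sector whose signature was wiped.
NO_SIGNATURE_MBR = REFERENCE_MBR[:SIGNATURE_OFFSET] + b"\x00\x00"

if __name__ == "__main__":
    # On Windows a copy of the live sector can be read from \\.\PhysicalDrive0 as administrator.
    print("reference:", check_mbr(REFERENCE_MBR) or "ok")
    print("boot code replaced:", boot_code_changed(REFERENCE_MBR, REPLACED_MBR))
    print("partition table changed:", partition_table_changed(REFERENCE_MBR, REPLACED_MBR))
    print("no signature:", check_mbr(NO_SIGNATURE_MBR))
```

    The replaced-loader case is the instructive one: the partition table is untouched and the sector still passes every structural check, so only the comparison with the reference copy reveals the change. That is why a saved copy of the sector matters more than the sanity checks alone, and why after bootrec /FixMbr the comparison should be run again to confirm the standard loader is back.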


    Antivirus programs, even when they detect and remove malicious software, do not always restore full system functionality. Often, after a virus is removed, the user is left with an empty desktop, no access to the Internet (or access to some sites blocked), a non-working mouse, and so on. The usual cause is that some system or user settings changed by the malicious program remain untouched.

    The utility is free, works without installation, is surprisingly functional and has helped me out in a variety of situations. A virus, as a rule, makes changes to the system registry (adding itself to startup, modifying program launch parameters, and so on). Rather than digging through the system and correcting the traces of the virus by hand, it is worth using the “System Restore” operation available in AVZ (the utility is also very good as an antivirus, so it is worth scanning the disks with it too).

    To start the recovery, run the utility, then click File - System Restore

    and a window like this opens:

    check the boxes you need and click “Perform selected operations”

    1. Restoring startup parameters of .exe, .com, .pif files
    This firmware restores the system's handling of .exe, .com, .pif and .scr files.
    Indications for use: after the virus is removed, programs stop running.
    2. Reset Internet Explorer protocol prefix settings to standard
    This firmware restores the protocol prefix settings in Internet Explorer.
    Indications for use: when you enter an address like www.yandex.ru, it is replaced with something like www.seque.com/abcd.php?url=www.yandex.ru
    3. Restoring the Internet Explorer home page
    This firmware restores the start page in Internet Explorer.
    Indications for use: the start page has been replaced.
    4. Reset Internet Explorer search settings to standard
    This firmware restores the search settings in Internet Explorer.
    Indications for use: clicking the “Search” button in IE takes you to some third-party site.
    5. Restore desktop settings
    This firmware restores the desktop settings. Restoration involves deleting all active ActiveDesktop elements and the wallpaper, and unblocking the menu responsible for desktop settings.
    Indications for use: the desktop settings tabs in the “Display Properties” window have disappeared; extraneous text or pictures are displayed on the desktop.
    6. Deleting all Policies (restrictions) of the current user
    Windows provides a mechanism for restricting user actions called Policies. Much malware uses this mechanism, because the settings are stored in the registry and are easy to create or modify.
    Indications for use: Explorer functions or other system functions are blocked.
    7. Deleting the message displayed during WinLogon
    Windows NT and subsequent systems in the NT line (2000, XP) allow you to set a message displayed during startup. A number of malicious programs take advantage of this, and removing the malware does not remove the message.
    Indications for use: an extraneous message is shown during system boot.
    8. Restoring Explorer settings
    This firmware resets a number of Explorer settings to standard (the settings most often changed by malware are reset first).
    Indications for use: Explorer settings have been changed.
    9. Removing system process debuggers
    Registering a debugger for a system process allows an application to be launched covertly, which a number of malicious programs use.
    Indications for use: AVZ detects unidentified system process debuggers; there are problems starting system components, in particular the desktop disappears after a reboot.
    10. Restoring boot settings in SafeMode
    Some malware, in particular the Bagle worm, corrupts the system's safe mode boot settings. This firmware restores the safe mode boot settings.
    Indications for use: the computer does not boot into SafeMode. This firmware should be used only when there are problems booting into safe mode.
    11. Unlock task manager
    Malware blocks Task Manager to protect its processes from detection and removal. Accordingly, running this firmware removes the lock.
    Indications for use: Task Manager is blocked; when you try to open it, the message “Task Manager has been disabled by your administrator” is displayed.
    12. Clearing the ignore list of the HijackThis utility

    The HijackThis utility stores a number of its settings in the registry, in particular a list of exceptions. Therefore, to hide from HijackThis, malware only needs to register its executable files in the exception list. A number of known malicious programs currently exploit this weakness. This AVZ firmware clears the HijackThis exception list.

    Indications for use: there are suspicions that the HijackThis utility does not display all information about the system.
    13. Cleaning Hosts file
    Cleaning the Hosts file involves finding the Hosts file, removing all significant lines from it, and adding the standard “127.0.0.1 localhost” line.
    Indications for use: it is suspected that the Hosts file has been modified by malware. A typical symptom is that antivirus programs can no longer update. You can inspect the contents of the Hosts file using the Hosts file manager built into AVZ.
    14. Automatic correction of SPI/LSP settings

    Analyzes the SPI settings and, if errors are detected, automatically corrects them. This firmware can be re-run an unlimited number of times. After running it, it is recommended to restart your computer. Pay attention! This firmware cannot be run from a terminal session.

    Indications for use: after removing the malicious program, Internet access is lost.
    15. Reset SPI/LSP and TCP/IP settings (XP+)

    This firmware only works on XP, Windows 2003 and Vista. It works by resetting and re-creating the SPI/LSP and TCP/IP settings using the standard netsh utility included with Windows. Pay attention! Use this reset only when necessary, if you have unrecoverable problems with Internet access after removing malware!

    Indications for use: after removing the malicious program there is no Internet access, and running firmware “14. Automatic correction of SPI/LSP settings” does not help.
    16. Recovering the Explorer launch key
    Restores the system registry keys responsible for launching Explorer.
    Indications for use: during system boot Explorer does not start, but explorer.exe can be launched manually.
    17. Unlocking the registry editor
    Unblocks the Registry Editor by removing the policy that prevents it from running.
    Indications for use: it is impossible to start the Registry Editor; when you try, a message is displayed stating that it has been disabled by the administrator.
    18. Complete re-creation of SPI settings
    Backs up the SPI/LSP settings, then destroys them and re-creates them from the standard stored in the database.
    Indications for use: severe damage to the SPI settings that cannot be repaired by scripts 14 and 15. Use only if necessary!
    19. Clear MountPoints database
    Cleans the MountPoints and MountPoints2 databases in the registry. This operation often helps when, after infection by a flash-drive virus, disks do not open in Explorer.
    To perform a recovery, select one or more items and click the “Perform selected operations” button. Clicking the “OK” button closes the window.
    Note:
    Restoration is useless if a Trojan that performs such reconfiguration is still running on the system: you must first remove the malicious program and only then restore the system settings.
    Note:
    To eliminate the traces of most Hijackers, you need to run three firmware items: “Reset Internet Explorer search settings to standard”, “Restore Internet Explorer start page”, and “Reset Internet Explorer protocol prefix settings to standard”.
    Note:

    Any of the firmware items can be run several times in a row without damaging the system. The exceptions are “5. Restoring desktop settings” (running it resets all desktop settings, and you will have to re-select the desktop colours and wallpaper) and “10. Restoring boot settings in SafeMode” (this firmware re-creates the registry keys responsible for booting in safe mode).
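    Item 13 above replaces the whole hosts file with the single standard line. Before doing that it is worth seeing what the file actually contains, because the entries themselves say what the malware was after: a site pointed at a loopback or unspecified address is being blocked (the classic way to stop antivirus updates), while a site pointed at any other address is being redirected. The Python below is an added example, not AVZ code: it lists every non-standard entry with that classification and produces the cleaned content that item 13 leaves behind. The hosts content is constructed (with a documentation-range address for the redirect); the file location on Windows, %SystemRoot%\System32\drivers\etc\hosts, and the standard localhost line are the normal ones.

```python
"""List non-standard hosts entries and produce the cleaned file that AVZ item 13 leaves behind.

Added example, not AVZ code.  The hosts content is constructed; the file location and
the standard localhost line are the normal Windows ones.
"""
import ipaddress

HOSTS_PATH = r"%SystemRoot%\System32\drivers\etc\hosts"  # standard location on Windows
STANDARD_LINE = "127.0.0.1 localhost"                    # the only line AVZ item 13 keeps
STANDARD_NAMES = {"localhost"}


def parse_hosts(text):
    """Yield (line number, address, names) for each entry; comments and unparsable lines are skipped."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = raw.split("#", 1)[0].strip()  # '#' starts a comment, also after an entry
        fields = entry.split()
        if len(fields) < 2:
            continue
        try:
            address = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # not an address: leave that line for manual review
        yield lineno, address, fields[1:]


def suspicious_entries(text):
    """Return (lineno, address, name, kind) for every mapping other than localhost -> loopback.

    kind is "block" when the name is sent to a loopback or unspecified address (the site or
    update server becomes unreachable) and "redirect" when it is sent anywhere else.
    """
    found = []
    for lineno, address, names in parse_hosts(text):
        for name in names:
            if address.is_loopback and name.lower() in STANDARD_NAMES:
                continue  # 127.0.0.1 localhost and ::1 localhost are expected
            kind = "block" if (address.is_loopback or address.is_unspecified) else "redirect"
            found.append((lineno, str(address), name, kind))
    return found


def clean_hosts(text):
    """Keep comment and blank lines, drop every entry, and append the standard line."""
    kept = [raw for raw in text.splitlines() if not raw.split("#", 1)[0].strip()]
    return "\n".join(kept + [STANDARD_LINE]) + "\n"


# Constructed sample modelled on a hosts file altered by malware (203.0.113.0/24 is a documentation range).
SAMPLE_HOSTS = """\
# Comment lines such as the Microsoft copyright header survive cleaning.
127.0.0.1       localhost
::1             localhost
127.0.0.1       update.example-antivirus.test     # antivirus update server blocked
0.0.0.0         www.example-antivirus.test
203.0.113.5     vk.com odnoklassniki.ru           # social sites redirected elsewhere
"""

if __name__ == "__main__":
    # On a real machine: read HOSTS_PATH (expand %SystemRoot% first) instead of SAMPLE_HOSTS.
    for lineno, address, name, kind in suspicious_entries(SAMPLE_HOSTS):
        print(f"line {lineno}: {name} -> {address} ({kind})")
    print(clean_hosts(SAMPLE_HOSTS), end="")
```

    On the constructed sample this reports two blocks (the antivirus update and web servers) and two redirects (the two social sites sent to a foreign address), which matches the symptoms described on this page: antivirus updates failing and VKontakte or Odnoklassniki not opening. Entries a user or an administrator added deliberately are reported the same way, so review the list rather than treating every line as malicious.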

    An excellent program for removing viruses and restoring the system is AVZ (Zaitsev Anti-Virus). You can download AVZ by clicking on the orange button after generating links. And if a virus blocks the download, try downloading the entire anti-virus set!

    The main capabilities of AVZ are virus detection and removal.

    AVZ antivirus utility is designed to detect and remove:

    • SpyWare and AdWare modules (the main purpose of the utility)
    • Dialer (Trojan.Dialer)
    • Trojan programs
    • BackDoor modules
    • Network and mail worms
    • TrojanSpy, TrojanDownloader, TrojanDropper

    The utility is a direct analogue of the TrojanHunter and LavaSoft Ad-aware 6 programs. The primary task of the program is the removal of SpyWare and Trojan programs.

    Features of the AVZ utility (in addition to the typical signature scanner) are:

    • Heuristic system-check microprograms (firmware). The firmware searches for known SpyWare and viruses by indirect signs, based on analysis of the registry and of files on disk and in memory.
    • Updated database of safe files. It includes digital signatures of tens of thousands of system files and files of known safe processes. The database is connected to all AVZ subsystems and works on the “friend/foe” principle: safe files are not quarantined, and deletion and warnings are suppressed for them; the database is used by the anti-rootkit, the file search system and various analyzers. In particular, the built-in process manager highlights safe processes and services in colour, and the disk file search can exclude known files from its results (which is very useful when searching a disk for Trojan programs);
    • Built-in rootkit detection system. The RootKit search works without signatures, by examining the basic system libraries for interception of their functions. AVZ can not only detect a RootKit but also correctly block a UserMode RootKit for its own process and a KernelMode RootKit at the system level. The anti-rootkit covers all AVZ service functions; as a result, the AVZ scanner can detect masked processes, the registry search system “sees” masked keys, and so on. The anti-rootkit is equipped with an analyzer that detects processes and services masked by a RootKit. In my opinion, one of the main features of the RootKit countermeasures system is that it works in Win9X (the widespread opinion that there are no RootKits working on the Win9X platform is deeply erroneous: hundreds of Trojan programs are known that intercept API functions to mask their presence and distort the operation of API functions or monitor their use). Another feature is the universal system for detecting and blocking KernelMode RootKits, compatible with Windows NT, Windows 2000 Pro/Server, XP, XP SP1, XP SP2, Windows 2003 Server and Windows 2003 Server SP1.
    • Keylogger and Trojan DLL detector. The search for Keyloggers and Trojan DLLs is carried out by system analysis without using a signature database, which allows previously unknown Trojan DLLs and Keyloggers to be detected with confidence;
    • Neuroanalyzer. In addition to the signature analyzer, AVZ contains a neuroemulator, which allows suspicious files to be examined using a neural network. Currently, the neural network is used in the keylogger detector.
    • Built-in Winsock SPI/LSP settings analyzer. Allows you to analyze the settings, diagnose possible errors in them and perform automatic repair. The ability to diagnose and repair automatically is useful for novice users (utilities like LSPFix have no automatic repair). For manual study of SPI/LSP, the program has a special LSP/SPI settings manager. The Winsock SPI/LSP analyzer is covered by the anti-rootkit;
    • Built-in manager of processes, services and drivers. Designed for examining running processes and loaded libraries, and running services and drivers. The process manager is covered by the anti-rootkit (as a result, it “sees” processes masked by a rootkit). The process manager is linked to the AVZ safe file database; identified safe and system files are highlighted in colour;
    • Built-in utility for searching files on disk. Allows you to search for a file by various criteria; the capabilities of the search system exceed those of the system search. The search system is covered by the anti-rootkit (as a result, the search “sees” files masked by a rootkit and can delete them); a filter allows files identified by AVZ as safe to be excluded from the results. Search results are available as a text log and in table form, in which you can mark a group of files for later deletion or quarantine.
    • Built-in utility for searching data in the registry. Allows you to search for keys and values matching a given pattern; results are available as a text log and as a table in which you can mark several keys for export or deletion. The search system is covered by the anti-rootkit (as a result, the search “sees” registry keys masked by a rootkit and can delete them).
    • Built-in analyzer of open TCP/UDP ports. It is covered by the anti-rootkit; in Windows XP, the process using each port is displayed. The analyzer is based on an updated database of ports used by known Trojan/Backdoor programs and known system services. The search for Trojan program ports is included in the main system scan; when suspicious ports are detected, warnings are written to the log indicating which Trojan programs are likely to use that port.
    • Built-in analyzer of shared resources, network sessions and files opened over the network. Works in Win9X and NT/W2K/XP.
    • Built-in analyzer of Downloaded Program Files (DPF): displays DPF elements and is connected to all AVZ subsystems.
    • System recovery firmware. The firmware restores Internet Explorer settings, program launch options and other system parameters damaged by malware. Restoration is started manually, and the user specifies which parameters to restore.
    • Heuristic file deletion. If malicious files are deleted during treatment and this option is enabled, an automatic system scan is performed covering classes, BHOs, IE and Explorer extensions, all types of autorun available to AVZ, Winlogon, SPI/LSP, etc. All found references to a deleted file are cleared automatically, and information about what exactly was cleared and where is recorded in the log. This cleaning makes heavy use of the system treatment firmware engine;
    • Checking archives. Starting from version 3.60, AVZ supports scanning archives and compound files. Currently checked are ZIP, RAR, CAB, GZIP and TAR archives; e-mails and MHT files; and CHM archives.
    • Checking and treating NTFS streams. Checking of NTFS streams is included in AVZ starting from version 3.75.
    • Control scripts. Allow the administrator to write a script that performs a set of specified operations on the user’s PC. Scripts allow AVZ to be used in a corporate network, including launching it during system boot.
    • Process analyzer. The analyzer uses neural networks and analysis firmware; it is turned on when advanced analysis is enabled at the maximum heuristic level and is designed to search for suspicious processes in memory.
    • AVZGuard system. Designed to combat hard-to-remove malware; in addition to AVZ itself, it can protect user-specified applications, for example other anti-spyware and anti-virus programs.
    • Direct disk access system for working with locked files. Works on FAT16/FAT32/NTFS, is supported on all operating systems of the NT line, and allows the scanner to analyze locked files and quarantine them.
    • AVZPM process and driver monitoring driver. Designed to monitor the start and stop of processes and the loading/unloading of drivers, to search for masquerading drivers and to detect distortions in the structures describing processes and drivers created by DKOM rootkits.
    • Boot Cleaner driver. Designed to perform system cleaning (removing files, drivers and services, and registry keys) from KernelMode. The cleaning operation can be performed both during a restart of the computer and during treatment.

    Restoring system parameters.

    • Restoring startup parameters for .exe, .com and .pif files
    • Reset IE settings
    • Restoring desktop settings
    • Remove all user restrictions
    • Deleting a message in Winlogon
    • Restoring File Explorer settings
    • Removing system process debuggers
    • Restoring Safe Mode boot settings
    • Unblocking the task manager
    • Cleaning the host file
    • Correcting SPI/LSP settings
    • Resetting SPI/LSP and TCP/IP settings
    • Unlocking Registry Editor
    • Cleaning MountPoints Keys
    • Replacing DNS servers
    • Removing the proxy server setting for IE/Edge
    • Removing Google Restrictions


    Program tools:

    • Process Manager
    • Services and Driver Manager
    • Kernel space modules
    • Internal DLL Manager
    • Search the registry
    • Search files
    • Search by cookie
    • Startup Manager
    • Browser Extension Manager
    • Control Panel Applet Manager (cpl)
    • Explorer Extensions Manager
    • Print Extension Manager
    • Task Scheduler Manager
    • Protocol and Handler Manager
    • DPF Manager
    • Active Setup Manager
    • Winsock SPI Manager
    • Hosts File Manager
    • TCP/UDP Port Manager
    • Manager of shared network resources and network connections
    • A set of system utilities
    • Checking a file against the database of safe files
    • Checking a file against the Microsoft Security Catalog
    • Calculating MD5 sums of files

    Here is a rather large kit to save your computer from various infections!

    My best friend brought me a netbook to look at, which was seriously infected with viruses, and asked me to help clean the system of this zoo. For the first time I saw with my own eyes a funny branch in the development of malware: “ransomware”. Such programs block some functions of the operating system and require you to send an SMS message to receive an unlock code. The treatment turned out to be not entirely trivial, and I thought that perhaps this story would save someone some nerve cells. I tried to provide links to all the sites and utilities that were needed during treatment.

    In this case, the virus was posing as an antivirus program called Internet Security and required sending the SMS K207815200 to number 4460. On the Kaspersky Lab website there is a page that allows you to generate ransomware response codes: support.kaspersky.ru/viruses/deblocker

    However, after entering the code, the OS functions remained blocked, and launching any antivirus program led to the instantaneous opening of a virus window that carefully emulated the operation of the antivirus:

    Attempts to boot into the safe modes led to exactly the same result. Also complicating matters was the fact that the passwords for all administrator accounts were empty, and network logon for administrators with an empty password is blocked by policy by default.
    I had to boot from a USB flash disk (a netbook, by definition, does not have a disk drive). The easiest way to make a bootable USB drive:
    1. Format the disk to NTFS
    2. Make the partition active (diskpart -> select disk x -> select partition x -> active)
    3. Use the \boot\bootsect.exe utility from the Vista/Windows 2008/Windows 7 distribution: bootsect /nt60 X: /mbr
    4. Copy all the files of the distribution kit (I had a Windows 2008 distribution on hand) to the USB drive. That's it, you can boot.

    Since we don’t need to install the OS but to clean out viruses, we copy to the disk a set of free cleaning tools (AVZ, CureIt) and auxiliary utilities (looking ahead, I needed Streams from Mark Russinovich) and Far. We reboot the netbook and set the BIOS to boot from USB.

    The Windows 2008 installation program loads; agree to the choice of language, click Install now and then press Shift+F10. A command-line window appears, from which we can run our antivirus agents and look for the infection on the system disk. Here I encountered a difficulty: CureIt dropped the system into the blue screen of death with curses about an error in working with NTFS, and AVZ, although it worked, could not find anything. Apparently the virus was very, very fresh. The only clue was a message from AVZ that executable code had been detected in an additional NTFS stream of one of the files in the Windows directory. This seemed strange and suspicious to me, since additional NTFS streams are used in very specific cases and nothing executable should be stored there on normal machines.

    Therefore, I had to download the Streams utility (http://technet.microsoft.com/en-us/sysinternals/bb897440.aspx) from Mark and delete this stream. Its size was 126,464 bytes, just like the dll files that the virus laid out on flash drives inserted into the system.

    After that, with the help of Far, I searched the whole system disk for files of the same size and found another 5 or 6 suspicious files created in the last 2-3 days. They were deleted in the same way. After that, CureIt was able to work (apparently it had stumbled on the additional streams) and successfully cleaned out two more Trojans :)
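    The check the story describes by hand (finding alternate data streams that hold executable code, and other files of the same size) as an added PowerShell example; it is not part of the original post and uses no AVZ code. It needs Windows PowerShell 3.0 to 5.1 for `Get-Item -Stream` and `-Encoding Byte`; `$Root` and the 126,464-byte `$SuspectSize` from the story are assumed parameters.

```powershell
# Added example (not from the original post): list alternate data streams under $Root
# and flag those that start with a PE ('MZ') header or match a known suspicious size.
function Find-SuspiciousStreams {
    param(
        [string]$Root = "$env:SystemRoot",   # assumption: scan the Windows directory
        [long]$SuspectSize = 126464          # size of the stream found in the story
    )
    Get-ChildItem -LiteralPath $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_
        # Every file has an unnamed ':$DATA' stream; anything else is an alternate stream.
        # Zone.Identifier streams from downloads are common and harmless text, so we
        # judge by content (MZ header) and size rather than by the mere presence of a stream.
        Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
        Where-Object { $_.Stream -ne ':$DATA' } |
        ForEach-Object {
            $stream = $_
            $header = ''
            try {
                # Read only the first two bytes of the stream to test for a PE header.
                $bytes = Get-Content -LiteralPath $file.FullName -Stream $stream.Stream `
                             -Encoding Byte -TotalCount 2 -ErrorAction Stop
                if ($bytes) { $header = -join [char[]]$bytes }
            } catch { }
            [pscustomobject]@{
                File      = $file.FullName
                Stream    = $stream.Stream
                Size      = $stream.Length
                IsPE      = ($header -eq 'MZ')
                SizeMatch = ($stream.Length -eq $SuspectSize)
            }
        }
    } | Where-Object { $_.IsPE -or $_.SizeMatch }
}

# Report only; confirm each hit before removing it (the post used Sysinternals Streams for that).
Find-SuspiciousStreams | Format-Table -AutoSize
```

Running it from the offline boot environment described above, with `-Root` pointing at the infected volume's Windows directory, reproduces the AVZ finding without the malware being active.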

    After a reboot everything worked, and additional runs of antivirus scanners found nothing. With the help of AVZ, the policies that limited OS functions were restored. My friend was given a strict lecture about how important it is to use antiviruses, especially since there are many free ones (