How to set up smartphones and PCs. Informational portal

Does system rollback help against viruses? Indication for use: Internet access was lost after malware removal

AVZ is a small, convenient utility that not only finds and removes malware but also knows how to repair the system afterwards. Why is that needed?

After a malware infestation (AVZ sometimes removes them by the thousand), some programs refuse to start, settings are gone and Windows no longer behaves quite correctly.

Most users simply reinstall the system at this point. In practice that is rarely necessary: the same AVZ utility can put almost any damaged settings and components back in order.

To give a clearer picture, here is the complete list of what AVZ can restore.

The material is taken from the AVZ handbook: http://www.z-oleg.com/secur/avz_doc/ (copy and paste into the browser address bar).

The database currently contains the following microprograms (AVZ's term for its built-in recovery scripts; some translations render it as "firmware"):

1. Restoring startup parameters for .exe, .com, .pif files

This microprogram restores the system's handling of .exe, .com, .pif and .scr files (the file-type associations that tell Windows how to launch them).

Indications for use: after removing the virus, programs no longer start.

2. Reset Internet Explorer protocol prefix settings to standard

This microprogram restores the protocol prefix settings in Internet Explorer (the registry entries that map prefixes such as www. and http: to a handler).

Indications for use: when you type an address such as www.yandex.ru, it is replaced with something like www.seque.com/abcd.php?url=www.yandex.ru

3. Restoring Internet Explorer Start Page

This microprogram restores the start page in Internet Explorer.

Indications for use: the start page has been hijacked.

4. Reset Internet Explorer search settings to standard

This microprogram restores the Internet Explorer search settings.

Indications for use: clicking the "Search" button in IE opens some third-party site.

5. Restoring Desktop Settings

This microprogram restores the desktop settings.

Recovery means removing all active Active Desktop elements and the wallpaper, and removing the locks on the menu responsible for desktop settings.

Indications for use: the tabs for configuring the desktop in the "Display Properties" window have disappeared, or extraneous text or images are shown on the desktop.

6. Delete all Policies (restrictions) of the current user

Windows has a mechanism for restricting user actions called Policies. Malware uses it widely because the settings live in the registry and are easy to create or modify.

Indications for use: Explorer or other system functions are blocked.

7. Delete the message displayed during WinLogon

Windows NT and the later systems in the NT line (2000, XP) allow a message to be displayed during logon.

A number of malicious programs take advantage of this, and removing the malware does not remove the message.

Indications for use: an extraneous message appears during system boot.

8. Restoring Explorer Settings

This microprogram resets a number of Explorer settings to the standard ones (the settings most often changed by malware are reset first).

Indications for use: Explorer settings have been changed.

9. Remove system process debuggers

Registering a "debugger" for a system process (the Image File Execution Options mechanism) makes Windows silently launch the registered program whenever that process is started; a number of malicious programs use this.

Indications for use: AVZ detects unrecognised debuggers for system processes, or there are problems starting system components; in particular, the desktop disappears after a reboot.

10. Restoring Boot Settings in SafeMode

Some malware, in particular the Bagle worm, corrupts the settings the system needs to boot in Safe Mode.

This microprogram restores the Safe Mode boot settings. Indications for use: the computer does not boot into Safe Mode. Use this microprogram only if there are problems booting in Safe Mode.

11. Unlock Task Manager

Malware blocks Task Manager to protect its processes from being spotted and killed. Running this microprogram removes the lock.

Indications for use: Task Manager is blocked; when you try to open it, the message "Task Manager has been disabled by your administrator" is displayed.

12. Clear the ignore list of the HijackThis utility

The HijackThis utility stores some of its settings in the registry, in particular its exclusion list. So to hide from HijackThis, a malicious program only has to add its executable files to that list.

A number of malicious programs are known to exploit this weakness. The AVZ microprogram clears the HijackThis exclusion list.

Indications for use: suspicion that HijackThis is not displaying all the information about the system.

13. Cleaning up the Hosts file

Cleaning the Hosts file comes down to finding it, removing every line that is not a comment, and adding the standard line "127.0.0.1 localhost".

Indications for use: suspicion that the Hosts file has been modified by malware. A typical symptom is that antivirus updates are blocked (the update servers are mapped to 127.0.0.1 or to an attacker's address).

You can inspect and edit the contents of the Hosts file with the Hosts file manager built into AVZ.
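Here is an added example, not part of AVZ or of the handbook, of doing item 13 from an elevated PowerShell prompt: it locates the hosts file through the DataBasePath registry value (which malware sometimes redirects to a folder of its own), reports every non-comment line that is not a localhost entry, and with the assumed -Fix switch backs the file up and rewrites it.

```powershell
# Added example (not AVZ code): audit and optionally rewrite the hosts file.
# Run from an elevated PowerShell prompt. -Fix is an assumed switch name.
param([switch]$Fix)

# Windows reads the hosts file from the folder named in DataBasePath; malware
# occasionally points this value at a folder of its own, so resolve it first.
$tcpip    = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$dbPath   = [Environment]::ExpandEnvironmentVariables((Get-ItemProperty $tcpip).DataBasePath)
$expected = Join-Path $env:SystemRoot 'System32\drivers\etc'
if ($dbPath -ne $expected) {
    Write-Warning "DataBasePath is '$dbPath', expected '$expected'"
    if ($Fix) { Set-ItemProperty $tcpip -Name DataBasePath -Value $expected; $dbPath = $expected }
}
$hostsPath = Join-Path $dbPath 'hosts'

# Only these lines belong in a clean hosts file (and even they are optional;
# modern Windows resolves localhost without consulting the file).
$allowed = @('127.0.0.1 localhost', '::1 localhost')

$hostsFile  = Get-Item -LiteralPath $hostsPath -Force   # -Force: malware may hide the file
$suspicious = @(Get-Content -LiteralPath $hostsPath | ForEach-Object {
    $t = $_.Trim()
    if ($t -eq '' -or $t.StartsWith('#')) { return }     # skip blank lines and comments
    # Collapse runs of spaces/tabs so "127.0.0.1    localhost" matches the allow-list.
    $normalised = ($t -split '\s+') -join ' '
    if ($allowed -notcontains $normalised) { $_ }
})

if ($suspicious.Count -eq 0) {
    'hosts file contains only comments and localhost entries.'
    return
}

'Non-standard hosts entries (typical of update-blocking malware):'
$suspicious | ForEach-Object { "  $_" }

if ($Fix) {
    $backup = "$hostsPath.bak-$(Get-Date -Format 'yyyyMMdd-HHmmss')"
    Copy-Item -LiteralPath $hostsPath -Destination $backup -Force
    $hostsFile.Attributes = 'Normal'     # clear ReadOnly/Hidden that malware sets to protect its edits
    $clean = @("# hosts file cleaned; previous copy saved as $backup") + $allowed
    Set-Content -LiteralPath $hostsPath -Value $clean -Encoding ASCII
    "hosts file rewritten; backup at $backup"
}
```

With -Fix the script removes every non-comment line, including any legitimate entries you added yourself, so read the report first; the backup it leaves next to the file lets you copy those lines back.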

14. Automatic correction of SPI / LSP settings

Analyses the SPI (Winsock service provider) settings and, if any errors are found, corrects them automatically.

This microprogram can be re-run any number of times. After running it, restarting the computer is recommended. Note: this microprogram cannot be launched from a terminal session.

Indications for use: Internet access was lost after the malware was removed.

15. Reset SPI / LSP and TCP / IP settings (XP+)

This microprogram works only on Windows XP, Windows Server 2003 and Vista. It works by resetting and recreating the SPI / LSP and TCP / IP settings with the standard netsh utility included with Windows.

Note: apply this reset only if necessary, when Internet access cannot be recovered by other means after removing malware!

Indications for use: after the malware was removed, Internet access is gone, and running "14. Automatic correction of SPI / LSP settings" has no effect.

16. Recovering the Explorer startup key

Restores the registry keys responsible for starting Explorer as the shell.

Indications for use: Explorer does not start during system boot, but explorer.exe can be launched manually.

17. Unlock Registry Editor

Unlocks Registry Editor by removing the policy that prevents it from starting.

Indications for use: Registry Editor cannot be started; when you try, you get a message saying it has been disabled by the administrator.

18. Complete re-creation of SPI settings

Backs up the SPI / LSP settings, then destroys them and recreates them from the reference copy stored in the database.

Indications for use: severe damage to the SPI settings that scripts 14 and 15 cannot repair. Use only if necessary!

19. Clear MountPoints database

Clears the MountPoints and MountPoints2 keys in the registry. This often helps when drives do not open in Explorer after an infection by a USB flash-drive (autorun) virus.

To perform the restoration, check one or more items and press the "Perform marked operations" button. Pressing "OK" closes the window.

On a note:

Recovery is useless while a Trojan that performs such reconfiguration is still running: first remove the malware, then restore the system settings.

On a note:

To remove the traces of most hijackers, run three microprograms: "Reset Internet Explorer search settings to standard", "Restore Internet Explorer start page" and "Reset Internet Explorer protocol prefix settings to standard".

On a note:

Any of the microprograms can be run several times in a row without harming the system. The exceptions are "5. Restoring desktop settings" (this microprogram resets all desktop settings, so you will have to choose your colour scheme and wallpaper again) and "10. Restoring Boot Settings in SafeMode" (this microprogram recreates the registry keys responsible for booting in Safe Mode).

To start recovery, first download, unpack and run the utility, then choose File - System Restore. By the way, you can still execute

Tick the checkboxes you need and click to start the operations. That's all; now we wait :-)

In the following articles we will take a closer look at the problems that the AVZ system recovery microprograms help to solve. Good luck.

Today I will talk about how to contain a virus once it has got onto your computer, how to deal with Trojans and how to recover the system after a rootkit infection when things have gone too far.

So, if you suspect the computer is infected, the first thing to do is:

  • disconnect the computer from the Internet (unplug the UTP cable, turn off Wi-Fi);
  • disconnect all external devices from the computer (external hard drives, flash drives, phones and so on).

All this isolates the infected computer from the outside world. Cutting it off from the Internet and from the local network is essential, because malware will almost certainly try to spread to every network segment it can reach.

Besides, if the malware is a botnet agent or carries a dormant component, it may sit idle and only activate when a command arrives from its control server. Isolation also protects against local data leaking out, for example through DNS tunnelling or similar tricks.
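As an added example, not from the original article, here is how the isolation step above can be done from an elevated PowerShell prompt on Windows 8 / Server 2012 or later, while first preserving the volatile evidence (connections, DNS cache, ARP table) that disconnecting would otherwise destroy. The output folder name is an assumption.

```powershell
# Added example (not from the article): snapshot network state, then isolate.
# Needs the NetTCPIP, NetAdapter and DnsClient modules (Windows 8+/2012+) and
# an elevated prompt. C:\IR-triage is an assumed location.
$outDir = Join-Path $env:SystemDrive 'IR-triage'
New-Item -ItemType Directory -Path $outDir -Force | Out-Null
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'

# Map PID -> image path once, so each connection can be tied to a binary.
$procs = @{}
Get-Process | ForEach-Object { $procs[$_.Id] = $_.Path }

# 1. Established and listening TCP sockets with their owning process. A
#    botnet agent waiting for a command shows up here as an odd outbound
#    connection or an unexpected listener.
Get-NetTCPConnection |
    Where-Object { $_.State -in @('Established', 'Listen') } |
    Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State,
                  OwningProcess,
                  @{n = 'Image'; e = { $procs[[int]$_.OwningProcess] }} |
    Export-Csv -Path (Join-Path $outDir "tcp-$stamp.csv") -NoTypeInformation

# 2. UDP endpoints too: DNS tunnelling and many C2 beacons use UDP.
Get-NetUDPEndpoint |
    Select-Object LocalAddress, LocalPort, OwningProcess,
                  @{n = 'Image'; e = { $procs[[int]$_.OwningProcess] }} |
    Export-Csv -Path (Join-Path $outDir "udp-$stamp.csv") -NoTypeInformation

# 3. DNS cache and neighbour (ARP) table: both vanish on reboot, and the DNS
#    cache is where the names the malware resolved are still visible.
Get-DnsClientCache | Export-Csv -Path (Join-Path $outDir "dnscache-$stamp.csv") -NoTypeInformation
Get-NetNeighbor   | Export-Csv -Path (Join-Path $outDir "arp-$stamp.csv") -NoTypeInformation

# 4. Now cut the machine off: disable every adapter that is currently up
#    (wired, Wi-Fi and virtual alike). Re-enable later with Enable-NetAdapter.
Get-NetAdapter | Where-Object Status -eq 'Up' |
    Disable-NetAdapter -Confirm:$false

Get-NetAdapter | Select-Object Name, InterfaceDescription, Status
```

Take the snapshot before disabling the adapters, not after: once the link is down the connection table is empty and the evidence is gone.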

Registry repair

The Windows registry has been a critical component of the OS since the very first versions: it is essentially a database of parameters and settings for the working environment, the installed software and Windows itself. It follows that corruption of or damage to the registry threatens to leave the OS inoperable.

The registry that you open with the standard regedit utility is physically stored as several files in %SystemRoot%\System32\config\. These are the files named SYSTEM, SOFTWARE, SECURITY, SAM and DEFAULT, without extensions; while Windows is running they are held open by the system (NT AUTHORITY\SYSTEM) and cannot be copied by ordinary means. Opened in the registry editor, the same files appear as one large hierarchical tree.

The first thing that comes to mind is, of course, to back up these files and, when needed, simply replace the broken ones with the backups. But plain copying does not work from the running OS, and an export from regedit may turn out to be incomplete. So let us look at the tools that help here.

Windows standard tools to restore the registry

Out of the box, unfortunately, Windows has no separate tool for backing up the registry. All the system offers is the functionality of the outdated NTBackup from the Windows XP / Server 2003 era, or its successor in Windows 7, 8 and 10, which offers to create an image of the entire system (the whole system, not the registry!). So let us look at a small example of the steps in the Recovery Console for restoring the registry by hand. In essence these are operations that replace the broken files on the infected system with the original registry files from a previously made backup copy.

NTBackUp utility interface

Having booted from the installation disc or from a locally installed Recovery Console (XP / 2003), run the following commands, which are the ones Microsoft itself documents. The Recovery Console starts in %SystemRoot%, so "md tmp" creates c:\windows\tmp:

(1) Create backup copies of the current registry hives
md tmp
copy c:\windows\system32\config\system c:\windows\tmp\system.bak
copy c:\windows\system32\config\software c:\windows\tmp\software.bak
copy c:\windows\system32\config\sam c:\windows\tmp\sam.bak
copy c:\windows\system32\config\security c:\windows\tmp\security.bak
copy c:\windows\system32\config\default c:\windows\tmp\default.bak

(2) Remove the broken files from the system directory
delete c:\windows\system32\config\system
delete c:\windows\system32\config\software
delete c:\windows\system32\config\sam
delete c:\windows\system32\config\security
delete c:\windows\system32\config\default

(3) Copy the known-good hives from the repair folder
copy c:\windows\repair\system c:\windows\system32\config\system
copy c:\windows\repair\software c:\windows\system32\config\software
copy c:\windows\repair\sam c:\windows\system32\config\sam
copy c:\windows\repair\security c:\windows\system32\config\security
copy c:\windows\repair\default c:\windows\system32\config\default

That's it; restart the machine and look at the result.

Note that c:\windows\repair holds the hives as they were when Windows was installed (or when they were last refreshed by an NTBackup System State backup), so restoring them discards every change made since, including programs installed and accounts created later. Treat it as a last resort, and prefer backups you made yourself.
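For current Windows versions, where there is no Recovery Console and the repair folder is no longer maintained, here is an added example (not from the original article) that backs up the same five hives with reg.exe while Windows is running, and re-enables the periodic RegBack copy that Windows 10 1803 and later stopped filling by default. The backup folder name is an assumption.

```powershell
# Added example (not from the article): consistent live backup of the hives.
# reg.exe save uses the kernel's RegSaveKey, so it works while the hives are
# open, unlike Copy-Item. Run elevated. C:\RegBackup\<stamp> is assumed.
$backupDir = Join-Path $env:SystemDrive ('RegBackup\' + (Get-Date -Format 'yyyyMMdd-HHmmss'))
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null

# The same five hives the Recovery Console procedure above copies by hand.
$hives = [ordered]@{
    'HKLM\SYSTEM'   = 'SYSTEM'
    'HKLM\SOFTWARE' = 'SOFTWARE'
    'HKLM\SAM'      = 'SAM'
    'HKLM\SECURITY' = 'SECURITY'
    'HKU\.DEFAULT'  = 'DEFAULT'
}
foreach ($key in $hives.Keys) {
    $target = Join-Path $backupDir $hives[$key]
    # /y overwrites without prompting; a non-zero exit code means the save failed.
    & reg.exe save $key $target /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg save failed for $key" }
}
Get-ChildItem -Path $backupDir | Select-Object Name, Length

# Windows 10 1803+ leaves %SystemRoot%\System32\config\RegBack empty unless
# this value is 1; the RegIdleBackup scheduled task then refills it.
$cm = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Configuration Manager'
New-ItemProperty -Path $cm -Name EnablePeriodicBackup -PropertyType DWord -Value 1 -Force | Out-Null

# To restore: boot the Recovery Environment (or any offline system) and copy
# the saved files over %SystemRoot%\System32\config\<HIVE>, as in the
# Recovery Console listing above. On a running system the hives are locked.
"Hives saved to $backupDir"
```

Keep the backup off the system drive where possible; a ransomware run will otherwise encrypt the backup together with the hives it is meant to replace.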

Advanced Registry Repair Techniques

As we have seen, Windows has no decent registry management tool of its own, so let us look at what third-party developers offer.

TCPView utility window

The list of network services and their reserved ports on NT systems can be viewed in the file %SystemRoot%\system32\drivers\etc\services; like hosts, it is a plain text file without an extension that opens in any text editor.

Nirsoft CurrPorts utility window

Finally, everything described above that we did by hand can be done with ready-made tools, for example WinSock XP Fix (shown below). This utility restores the registry keys for the system's network settings to their default values. In addition it:

  • checks the hosts file for a correct localhost entry (it must point to 127.0.0.1);
  • creates a backup of the current system settings (at the user's request);
  • disables all network adapters and resets their parameters.
WinSock XP Fix utility window

This GUI tool does the same thing as the netsh int ip reset and netsh winsock reset commands. Reset-TCPIP is similar: it runs all of the console commands described here from one GUI.
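Here is an added example, not from the original article, of the console sequence that AVZ items 14, 15 and 18 and the GUI tools above automate, typed into an elevated PowerShell prompt. It records the Winsock catalog before resetting it, so that a third-party LSP is not lost as evidence. The log file names are assumptions.

```powershell
# Added example (not from the article): inspect, then reset Winsock and TCP/IP.
# Run elevated; a reboot is required afterwards. File names are assumed.
$catalogLog = Join-Path $env:TEMP 'winsock-catalog-before.txt'
$ipLog      = Join-Path $env:TEMP 'ip-reset.log'
$ip6Log     = Join-Path $env:TEMP 'ipv6-reset.log'

# 1. Save the current LSP/Winsock catalog. On a clean system every provider
#    path is a Microsoft DLL such as mswsock.dll; anything else is an LSP
#    that AVZ would report as an SPI error and is worth keeping as evidence.
netsh winsock show catalog | Out-File -FilePath $catalogLog
'Provider DLLs currently in the Winsock catalog:'
Select-String -Path $catalogLog -Pattern 'Provider Path' |
    ForEach-Object { $_.Line.Trim() } | Sort-Object -Unique

# 2. Reset the catalog to its clean state (the Winsock half of item 15).
netsh winsock reset

# 3. Reset the TCP/IP stack. The trailing argument is an optional log of the
#    registry values netsh rewrote; IPv6 has its own reset.
netsh int ip reset $ipLog
netsh int ipv6 reset $ip6Log

# 4. Drop cached resolutions that could keep a redirect alive after the reset.
ipconfig /flushdns

# 5. The new settings only take effect after a restart.
Restart-Computer -Confirm
```

If "netsh int ip reset" reports "Access is denied" on Windows 8 or 10 even from an elevated prompt, the Nsi registry key has restrictive permissions; the Winsock reset still applies and is usually the part that matters after malware removal.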

Reset-TCPIP utility window

Another good free tool, NetAdapter Repair, is designed to fix a variety of network and Internet problems in Windows. A short list of its features:

  • clear and fix the hosts file;
  • enable Ethernet and wireless network adapters;
  • reset Winsock and TCP/IP;
  • clear the DNS cache and routing table, clear static IP settings;
  • restart NetBIOS.
NetAdapter Repair utility window

Live CD as a lifeline

Continuing the topic, we could not pass over the Live CD builds intended for system recovery. Originally the Live CD was positioned as a tool for administrative tasks: preparing a hard disk, getting quick access to data stored on the disks, and so on. Now Live CDs are more of a universal lifeline for reviving the system after all sorts of failures, including a virus attack. Their main advantage is that all the tools are gathered under one roof and can be used together. There is a drawback too: to boot into Live CD mode you have to reboot the machine, which in some cases is unacceptable.

All the well-known antivirus vendors have free bootable system recovery discs. We will go over them briefly, without going into detail: we agreed at the beginning of the article to use only tools that are not pure antivirus software.


There are programs as universal as a Swiss Army knife. The hero of my article is just such a "universal": its name is AVZ (Zaitsev's anti-virus). With this free program you can catch viruses, optimise the system and fix problems.

AVZ features

I already covered AVZ's antivirus side in a previous article. The work of AVZ as an on-demand antivirus (more precisely, an anti-rootkit) is well described in its help, so I will show the other side of the program: checking and restoring settings.

What can be "fixed" with AVZ:

  • Restore the launching of programs (.exe, .com, .pif files)
  • Reset Internet Explorer settings to standard
  • Restore desktop settings
  • Remove restrictions on rights (for example, if a virus blocked the launch of programs)
  • Remove a banner or window that appears before logon
  • Remove viruses that run alongside any program
  • Unblock Task Manager and Registry Editor (if the virus prevented them from starting)
  • Clear the hosts file
  • Prevent autostart of programs from flash drives and discs
  • Delete unnecessary files from the hard drive
  • Fix desktop problems
  • And much more

You can also use it to check the security of the Windows settings (to protect better against viruses) and to optimise the system by cleaning up the startup list.

The AVZ download page is located.

The program is free.

First, let's protect Windows from careless actions

AVZ has a great many functions that affect how Windows works. That is dangerous: a mistake can cause real trouble. Read the text and the help carefully before doing anything. The author of the article is not responsible for your actions.

I wrote this chapter so that you can "put everything back as it was" after careless work with AVZ.

Creating a restore point is a mandatory step; it is your "escape route" in case of careless actions. With a restore point you can roll the settings and the Windows registry back to an earlier state.

System Restore has been a standard component of every Windows version since Windows ME. It is a pity that people usually forget about it and waste time reinstalling Windows and programs when a couple of mouse clicks would have avoided the whole problem.

If the damage is serious (for example, some system files have been deleted), System Restore will not help. In other cases, if you misconfigured Windows, "tinkered" with the registry, installed a program after which Windows will not boot, or misused AVZ, System Restore should help.

After it runs, AVZ creates subfolders with backups in its own folder:

/Backup - backup copies of the registry.

/Infected - copies of deleted viruses.

/Quarantine - copies of suspicious files.

If problems began after AVZ ran (for example, you thoughtlessly used the AVZ System Restore tool and the Internet stopped working) and Windows System Restore did not roll the changes back, you can restore the registry backups from the Backup folder.

How to create a restore point

Go to Start - Control Panel - System - System Protection:

Click "System Protection" in the "System" window.

Press the "Create" button.

Creating a restore point can take up to ten minutes. Then a window appears:

The restore point is created. By the way, restore points are created automatically when you install programs and drivers, but not always. So before risky actions (configuring or cleaning the system) it is better to create a restore point once more, so that you can congratulate yourself on your foresight if something goes wrong.
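Here is an added example, not from the original article, of the same steps from an elevated PowerShell prompt on Windows 7 or later (the *-ComputerRestore cmdlets exist only on client editions). It also lifts the once-per-24-hours limit that makes Windows 8 and later silently skip a new restore point. The description text is an assumption.

```powershell
# Added example (not from the article): create and list restore points.
# Run elevated on a Windows client edition; these cmdlets are absent on Server.
$systemDrive = "$env:SystemDrive\"

# System Protection must be on for the drive, or the GUI "Create" button is
# greyed out and Checkpoint-Computer fails.
Enable-ComputerRestore -Drive $systemDrive

# Windows 8+ skips a new point if one was made in the last 24 hours. The
# value is a frequency in minutes; 0 removes the limit.
$srKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore'
New-ItemProperty -Path $srKey -Name SystemRestorePointCreationFrequency `
    -PropertyType DWord -Value 0 -Force | Out-Null

# Create the point (description is assumed) and show the newest ones.
Checkpoint-Computer -Description 'Before AVZ system restore' -RestorePointType MODIFY_SETTINGS
Get-ComputerRestorePoint |
    Sort-Object SequenceNumber |
    Select-Object -Property SequenceNumber, Description, CreationTime -Last 5

# Rolling back later reboots immediately, so save your work first:
#   Restore-Computer -RestorePoint <SequenceNumber>
```

Remember the article's own caveat: a restore point covers registry and system files, not user data, and it is no substitute for removing the malware first.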

How to restore the computer using a restore point

There are two ways to launch System Restore: from a running Windows and from the installation disc.

Option 1 - if Windows starts

Go to Start - All Programs - Accessories - System Tools - System Restore:

Select "Choose a different restore point" and press Next. A list of restore points opens. Choose the one you need:

The computer restarts automatically. After boot, all the settings, the registry and some important files will have been restored.

Option 2 - if Windows won't boot

You need an installation disc with Windows 7 or Windows 8. Where to get it (or download it), I wrote in.

Boot from the disc (how to boot from bootable discs is written) and select:

Choose "System Restore" instead of installing Windows

Fixing the system after viruses or inept actions with the computer

Before doing anything, get rid of the viruses, for example with. Otherwise there is no point: the running virus will "break" the corrected settings again.

Restoring the launching of programs

If a virus has blocked the launch of programs, AVZ will help. Of course, you still need to start AVZ itself, but that is easy enough:

First go to Control Panel - set any view other than Category - Folder Options - View - clear the "Hide extensions for known file types" checkbox - OK. Now you can see each file's extension, the few characters after the last period in the name. For programs this is usually .exe or .com. To run AVZ on a computer where launching programs is blocked, rename its extension to cmd or pif (Windows recognises the executable by its contents, and the .cmd and .pif associations are usually left intact):

AVZ will then start. In the program window, click File - :

Mark these items:

1. Restoring startup parameters for .exe, .com, .pif files (this is what actually fixes the launching of programs)

6. Removing all Policies (restrictions) of the current user (in rare cases this item also helps with launching programs, if the virus was a particularly nasty one)

9. Removing system process debuggers (it is highly advisable to mark this item, because even after an antivirus scan something may remain of the virus; it also helps when the Desktop does not appear at startup)

Press Perform marked operations, confirm the action, and a window with the text "System restore completed" appears. All that remains is to restart the computer, and the problem with starting programs is solved!

Restoring the launching of the Desktop

A fairly common problem: the Desktop does not appear when the system starts.

You can launch the Desktop like this: press Ctrl+Alt+Del, open Task Manager, choose File - New Task (Run...) there and enter explorer.exe:

OK, and the Desktop starts. But this is only a temporary fix: the next time you turn the computer on you will have to repeat it.

To avoid doing this every time, you need to restore the launch key of explorer ("Explorer", the program responsible for the standard view of folder contents and for the Desktop). In AVZ, press File - and mark item 16, Recovering the Explorer startup key.

Press Perform marked operations, confirm the action, press OK. Now the Desktop will start normally when you start the computer.

Unlocking Task Manager and Registry Editor

If the virus has blocked the two programs named above, you can remove the ban from the AVZ window. Just check two items:

11. Unlock Task Manager

17. Unlock Registry Editor

and press Perform marked operations.
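Here is an added example (not AVZ's own code) that audits, in one pass, the registry locations behind AVZ items 1, 6, 7, 9, 11, 16 and 17: the .exe/.com/.pif launch commands from "Restoring the launching of programs", the Winlogon Shell and Userinit values from "Restoring the launching of the Desktop", the logon banner, the Task Manager and Registry Editor policies from this section, and the Image File Execution Options debuggers. By default it only reports; the -Fix switch is an assumed name that puts the documented defaults back. Run it elevated, after creating a restore point.

```powershell
# Added example (not AVZ code): report or repair the keys AVZ items
# 1, 6, 7, 9, 11, 16 and 17 touch. HKCU checks apply to the user running it.
param([switch]$Fix)

$findings = New-Object System.Collections.Generic.List[string]

# Compare one registry value with its expected default; repair it under -Fix.
function Test-Value {
    param($Path, $Name, $Expected)
    $actual = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
    if ($null -eq $actual) { $actual = '' }     # a missing value counts as empty
    if ($actual -ne $Expected) {
        $findings.Add("$Path\$Name = '$actual' (expected '$Expected')")
        if ($Fix) { Set-ItemProperty -Path $Path -Name $Name -Value $Expected }
    }
}

# Item 1: the shell\open\command of executable file types. "(default)" names
# the unnamed value. Association hijackers replace "%1" with their own loader.
New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT -ErrorAction SilentlyContinue | Out-Null
foreach ($type in 'exefile', 'comfile', 'piffile') {
    Test-Value "HKCR:\$type\shell\open\command" '(default)' '"%1" %*'
}

# Items 7 and 16: Winlogon. Shell must be explorer.exe, Userinit the system
# userinit.exe with its trailing comma, and the logon banner empty.
$wl = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
Test-Value $wl 'Shell'              'explorer.exe'
Test-Value $wl 'Userinit'           "$env:SystemRoot\system32\userinit.exe,"
Test-Value $wl 'LegalNoticeCaption' ''
Test-Value $wl 'LegalNoticeText'    ''

# Items 6, 11, 17: per-user policies. Every value here is a restriction;
# DisableTaskMgr and DisableRegistryTools are the classic malware ones.
# Review the list before using -Fix on a domain-managed machine.
foreach ($pol in 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System',
                 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer') {
    if (-not (Test-Path $pol)) { continue }
    $props = Get-ItemProperty -Path $pol
    foreach ($p in $props.PSObject.Properties | Where-Object Name -notlike 'PS*') {
        $findings.Add("$pol\$($p.Name) = $($p.Value)")
        if ($Fix) { Remove-ItemProperty -Path $pol -Name $p.Name }
    }
}

# Item 9: a Debugger value under Image File Execution Options makes Windows
# start that program instead of the named executable. Legitimate uses are
# rare (Process Explorer's "replace Task Manager" is one), so list them all.
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
foreach ($sub in Get-ChildItem -Path $ifeo) {
    $dbg = (Get-ItemProperty -Path $sub.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
    if ($dbg) {
        $findings.Add("IFEO debugger for $($sub.PSChildName): $dbg")
        if ($Fix) { Remove-ItemProperty -Path $sub.PSPath -Name Debugger }
    }
}

if ($findings.Count -eq 0) { 'No deviations found.' } else { $findings }
```

The report is the useful part: a Debugger value pointing at a file in a user profile, or a Shell value other than explorer.exe, tells you which binary to collect before you let -Fix delete the reference to it.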

Internet problems (Vkontakte, Odnoklassniki and antivirus sites do not open)

Cleaning the system of unnecessary files

AVZ can also clean the computer of unnecessary files. If no disk-cleaning program is installed, AVZ will do, as it has plenty of options:

More about the items:

  1. Clear the Prefetch system cache - cleans the folder holding information about which files to preload so that programs start faster. This option is useless, because Windows manages the Prefetch folder quite well itself and cleans it when needed.
  2. Delete Windows log files - clears a variety of databases and files that record events in the operating system. The option is useful if you need to free up a dozen or two megabytes of disk space; in other words the benefit is negligible and the option is useless. Note that these logs are also the first thing an incident responder wants to see, so do not clear them on a machine you still intend to investigate.
  3. Delete memory dump files - when a critical error occurs, Windows stops and shows a BSOD (blue screen of death), saving information about running programs and drivers to a file so that special tools can later identify the culprit. The option is almost useless, since it recovers only some ten megabytes. Deleting the dump files does not harm the system.
  4. Clear the Recent Documents list - oddly enough, clears the list of recent documents shown in the Start menu. You can also clear it manually by right-clicking the item in the Start menu and choosing "Clear recent items list". A useful option: I have noticed that clearing the list makes the Start menu open its submenus slightly faster. It does not harm the system.
  5. Clear the TEMP folder - the Holy Grail for anyone hunting for where the free space on drive C: went. Many programs store files for temporary use in the TEMP folder and forget to "clean up after themselves"; archivers are a typical example, unpacking files there and never deleting them. Clearing the TEMP folder does not harm the system and can free a lot of space (in really neglected cases up to fifty gigabytes!).
  6. Adobe Flash Player - clean temporary files - Flash Player can save temporary files; they can be removed. Occasionally this helps with Flash Player glitches, for example video and audio playback problems on the Vkontakte website. No harm in using it.
  7. Clear the terminal client cache - as far as I know, this cleans the temporary files of the Windows component "Remote Desktop Connection" (remote access to computers over RDP). The option appears harmless and frees a dozen megabytes at best. There is no point in using it.
  8. IIS - delete the HTTP error log - it would take a long time to explain what this is. Let me just say it is better not to enable it. In any case, no harm and no benefit.
  9. Macromedia Flash Player - duplicates "Adobe Flash Player - clean temporary files" but for rather ancient versions of Flash Player.
  10. Java - clear the cache - gains a couple of megabytes of disk space. I do not use Java programs, so I have not checked the consequences of enabling this option. I do not advise turning it on.
  11. Empty the Recycle Bin - the purpose is clear from the name.
  12. Delete the installation logs of system updates - Windows keeps a log of installed updates; this option clears it. Useless, because it frees no space.
  13. Delete the Windows Update log - similar to the previous item, but other files are deleted. Also useless.
  14. Clear the MountPoints database - if no icon appears in the Computer window when you plug in a flash drive or hard disk, this option can help. I advise turning it on only if you have problems connecting flash drives and disks.
  15. Internet Explorer - clear the cache - deletes Internet Explorer's temporary files. Safe and useful.
  16. Microsoft Office - clear the cache - deletes the temporary files of the Microsoft Office programs (Word, Excel, PowerPoint and others). I cannot vouch for its safety because I do not have Microsoft Office.
  17. Clear the CD writing system cache - a useful option that deletes files you had prepared for burning to disc.
  18. Clear the system TEMP folder - unlike the user's TEMP folder (see item 5), clearing this folder is not always safe, and usually little space is freed. I do not advise turning it on.
  19. MSI - clear the Config.Msi folder - this folder contains files created by program installers. It gets large when installers did not finish correctly, so clearing it can be worthwhile. Still, be warned: there may be problems uninstalling programs that use .msi installers (Microsoft Office, for example).
  20. Clear the Task Scheduler logs - Windows Task Scheduler keeps a log of completed tasks. I do not recommend this item: there is no benefit, and it can add problems, because Task Scheduler is a rather buggy component.
  21. Delete the Windows installation logs - the space gained is insignificant; there is no point.
  22. Windows - clear the icon cache - useful if you have problems with shortcuts, for example when the Desktop appears but its icons do not show up straight away. Enabling this option does not affect system stability.
  23. Google Chrome - clear the cache - a very useful option. Google Chrome keeps copies of pages in a dedicated folder so that sites open faster (pages load from the hard disk instead of being downloaded). This folder sometimes reaches half a gigabyte. Clearing it frees disk space and affects the stability of neither Windows nor Chrome.
  24. Mozilla Firefox - clear the CrashReports folder - whenever Firefox crashes, report files are generated; this option deletes them. The gain is a couple of tens of megabytes, so the option is of little use, but not none. Neither Windows nor Firefox stability is affected.

Depending on the installed programs, the number of items will differ. For example, if the Opera browser is installed, you can clear its cache too.

Cleaning the list of startup programs

A sure way to make the computer start and run faster is to clean up the startup list. If unnecessary programs do not start, the computer not only boots faster but also runs faster, thanks to the resources no longer taken by programs running in the background.

AVZ can see almost every loophole in Windows through which programs get launched. The autorun list is in the Tools - Autorun Manager menu:

An ordinary user has no need of such powerful functionality, so I urge you not to disable everything. It is enough to look at just two sections: Startup folders and Run*.

AVZ shows autorun entries not only for your user but for all other profiles as well:

In the Run* section it is better not to disable programs located under HKEY_USERS: that can break other user profiles and the operating system itself. In the Startup folders section you can turn off everything you do not need.

Lines the antivirus recognises as known are marked in green. These include both Windows system programs and digitally signed third-party programs.

All other programs are marked in black. That does not mean they are viruses or anything of the kind; it is just that not every program is digitally signed.

Do not forget to widen the first column so that the program name is visible. Simply clearing the checkbox temporarily disables the program's autostart (you can tick it again later); selecting the entry and pressing the button with the black cross deletes the entry for good (or until the program registers itself for autorun again).

The question arises: how to determine what can be disabled and what cannot? There are two solutions:

First, there is common sense: you can make a decision by the name of the program file. For example, during installation, Skype creates an entry to start automatically when you turn on your computer. If you do not need it, uncheck the box ending with skype.exe. By the way, many programs (and Skype among them) are able to remove themselves from startup by themselves, it is enough to uncheck the corresponding item in the settings of the program itself.

Secondly, you can search the Internet for information about the program. Based on the information received, it remains to make a decision: to remove it from autorun or not. AVZ makes it easy to find information about items: just right-click on an item and select your favorite search engine:

By disabling unnecessary programs you will noticeably speed up your computer's startup. However, it is undesirable to disable everything in a row: you may lose the keyboard layout indicator, disable the antivirus, and so on.

Disable only those programs that you know for sure you do not need in autostart.
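As an added example (not part of the article and not AVZ's own code), the following PowerShell script reproduces the "green vs. black" distinction described above: it lists the Run-key autostart entries for the machine, the current user and every loaded profile under HKEY_USERS, and reports whether each executable carries a valid digital signature. It is read-only and assumes an elevated prompt.

```powershell
# Added example: list Run-key autostart entries and their Authenticode status.
# Read-only; run from an elevated PowerShell prompt.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
# The "all profiles" view: every loaded user hive under HKEY_USERS
New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS -ErrorAction SilentlyContinue | Out-Null
$runKeys += Get-ChildItem 'HKU:\' -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -notlike '*_Classes' } |
    ForEach-Object { "HKU:\$($_.PSChildName)\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" }

function Get-ExePath([string]$cmd) {
    # Pull the executable out of a command line such as
    #   "C:\Program Files\Skype\Phone\Skype.exe" /nosplash
    if ($cmd -match '^\s*"([^"]+)"') { return $Matches[1] }
    # Unquoted form; an unquoted path containing spaces is cut at the first space
    # (itself a finding worth looking at, since such entries are ambiguous)
    if ($cmd -match '^\s*([^\s]+\.exe)') { return $Matches[1] }
    return $cmd.Trim()
}

function Get-AutorunReport {
    foreach ($key in $runKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $reg = Get-Item -Path $key
        foreach ($name in $reg.GetValueNames()) {
            $exe = [Environment]::ExpandEnvironmentVariables((Get-ExePath ([string]$reg.GetValue($name))))
            $status = if (Test-Path -LiteralPath $exe) {
                # Valid = would be "green" in AVZ; NotSigned, HashMismatch etc. = "black"
                (Get-AuthenticodeSignature -FilePath $exe).Status
            } else {
                'FileMissing'   # entry points at a file that no longer exists
            }
            [pscustomobject]@{ Key = $key; Name = $name; Exe = $exe; Signature = $status }
        }
    }
}

Get-AutorunReport | Sort-Object Signature | Format-Table -AutoSize
```

An unsigned entry is not a verdict, exactly as the article says; it is the list of items to look up before deciding whether to uncheck them.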

Outcome

In principle, what I wrote about in the article is akin to hammering nails with a microscope - the AVZ program is suitable for optimizing Windows, but in fact it is a complex and powerful tool suitable for performing a variety of tasks. However, in order to use AVZ to its fullest, you need to thoroughly know Windows, so you can start small - namely, with what I described above.

If you have any questions or comments - under the articles there is a block of comments, where you can write to me. I am following the comments and will try to answer you as soon as possible.


A week has already passed since Petya broke out in Ukraine. In total, more than fifty countries around the world have suffered from this ransomware virus, but 75% of the mass cyberattack hit Ukraine. Government and financial institutions across the country were affected, with Ukrenergo and Kyivenergo among the first to report that their systems had been hacked. To penetrate and lock systems, the Petya.A virus used the M.E.Doc accounting program. This software is very popular with all kinds of institutions in Ukraine, which turned out to be fatal. As a result, some companies took a long time to recover from the Petya virus. Some managed to resume work only yesterday, 6 days after the ransomware attack.

Purpose of the Petya virus

The purpose of most ransomware viruses is extortion. They encrypt information on the victim's PC and demand money from the victim for a key that will restore access to the encrypted data. But scammers do not always keep their word. Some ransomware is simply not designed to be decrypted, and the Petya virus is one of them.

This sad news was reported by specialists from Kaspersky Lab. In order to recover data after a ransomware virus, a unique virus installation identifier is required. But in a situation with a new virus, it does not generate an identifier at all, that is, the creators of the malware did not even consider the option of restoring a PC after the Petya virus.

At the same time, the victims received a message naming an address to which $300 in bitcoins should be transferred in order to restore the system. In such cases experts do not recommend assisting hackers, but nevertheless the creators of "Petya" managed to earn more than $10,000 in the 2 days after the massive cyber attack. Experts are confident, however, that extortion was not their main task, since this mechanism was poorly thought out, unlike the other mechanisms of the virus. From this it can be assumed that the purpose of the Petya virus was to destabilize the operations of global enterprises. It is also entirely possible that the hackers were simply in a hurry and did not think through the payment part.

PC recovery after Petya virus

Unfortunately, after a complete infection with Petya, the data on the computer cannot be recovered. Nevertheless, there is a way to unlock your computer after the Petya virus, if the ransomware did not have time to completely encrypt the data. It was made public on the official Cyberpolice website on July 2.

There are three possible outcomes of a Petya infection:

- all information on the PC is completely encrypted, and a window demanding money is displayed on the screen;
- the PC data is partially encrypted: the encryption process was interrupted by external factors (including loss of power);
- the PC is infected, but encryption of the MFT has not been started.

In the first case, everything is bad - the system cannot be restored... At least for now.
In the last two options, the situation is fixable.
To recover data that has been partially encrypted, it is recommended to load the Windows installation disc:

If the hard disk has not been damaged by an encryption virus, the boot OS will see the files and start recovering the MBR:

This process has its own nuances for each version of Windows.

Windows XP

After booting from the installation disk, the "Windows XP Professional Setup" window appears on the screen; there you need to choose "To repair a Windows XP installation using Recovery Console, press R". After pressing R, the Recovery Console starts to load.

If the computer has one operating system installed and it is located on drive C, a prompt will appear:
"1: C:\WINDOWS. Which Windows installation would you like to log onto?" Accordingly, press "1" and then "Enter".
Then you will see: "Type the Administrator password." Enter the password and press "Enter" (if there is no password, just press "Enter").
You should now be at the prompt C:\WINDOWS>; enter fixmbr.

Then a "WARNING" message will appear.
To confirm writing the new MBR, press "y".
Then the notification "Writing new master boot record on physical drive \Device\Harddisk0\Partition0" appears,
followed by: "The new master boot record has been successfully written."

Windows Vista:

The situation is simpler here. Boot from the disc, choose your language and keyboard layout. Then the screen will display "Repair your computer". A menu will appear, in which you must select "Next". A window with the recovery options will appear; there you need to click on Command Prompt and enter bootrec /FixMbr.
After that, wait for the process to complete. If everything went well, a confirmation message will appear; press "Enter", and the computer will reboot. That's all.

Windows 7:

The recovery process is similar to Vista. After selecting the language and keyboard layout, select the OS, and then click "Next". In the new window, select the item "Use recovery tools that can help solve problems with starting Windows."
All other steps are similar to Vista.

Windows 8 and 10:

Boot from the disc; in the window that appears, select Repair your computer > Troubleshoot, then open Command Prompt and enter bootrec /FixMbr. After the process completes, press "Enter" and reboot the device.

After the MBR recovery process has completed successfully (regardless of the Windows version), you need to scan the disk with an antivirus.
If the virus had already started the encryption process, you can use file recovery software such as R-Studio. After copying the recovered files to removable media, you need to reinstall the system.
If you use backup software that installs its own loader in the boot sector, for example Acronis True Image, you can check that "Petya" has not touched this sector. In that case you can return the system to working condition without reinstalling.


:: Introduction

After removing viruses, the system may malfunction (or not boot at all), and access to the Internet or to certain sites may be lost, so after the antivirus reports "All viruses destroyed" the user is left alone with a faulty system. Problems can also be caused by program errors or incompatibility with your system. Let's consider options for solving these problems.

:: Internet does not work

Network problems can be a consequence of a virus as well as of buggy software. There are several solutions to this problem. Here we will consider one: the AntiSMS utility.

Run it as administrator and perform a full restore of the network settings. The utility is simple to use: one click of the mouse and you're done.

:: Standard Windows System Restore

If System Restore has not been disabled on the system, then use this standard Windows functionality to solve problems. Also, this method of system recovery is effective if damage to the system is caused by the actions of inexperienced users or program errors.

Windows XP: Start -> All Programs -> Accessories -> System Tools -> System Restore. Choose a restore point from a few days before the problems appeared.
: Open System Restore by clicking the Start button. Type system restore in the search box, and then select System restore from the list of results. Enter the administrator password or confirm the password if prompted. Follow the instructions in the wizard to select a restore point and recover your computer.

If the computer does not boot, then try Windows Safe Mode. To select it, you need to open the boot menu: press F8 (or F5) repeatedly immediately after turning on the computer. In Safe Mode, use the Start menu to run System Restore as described above.

Good to know: in Windows 7, recovery can also be invoked using the "Repair Your Computer" item of that menu.

Windows XP Advanced Boot Options Menu:

Windows 7 Advanced Boot Options Menu:

If Safe Mode doesn't work either, then try Safe Mode with Command Prompt. In this mode there is no "Start" button, so you will need to invoke System Restore from the command line by typing:

%SystemRoot%\system32\restore\rstrui.exe

and pressing Enter. This is for Windows XP!

For Windows Vista / 7 / 8, just enter the command rstrui.exe and press Enter.

If that didn't work and you have a Windows boot disk, then you can boot from it and try to restore the system. Let's take Windows 7 as an example:

Insert the boot disk into your computer and boot from it.

Select "Repair your computer".

A window with the available actions will open.

Select "Startup Repair", then try to boot in the usual way. If that doesn't help, select "System Restore" (this is the same System Restore discussed above) and choose a restore point from a time when the system worked normally. Try to boot in the usual way. If this did not help either, select "Command Prompt", type chkdsk c: /f /r and press Enter: a check for hard disk errors will be launched, and perhaps this check will give a positive result.

:: Restore system files with sfc command

If Windows malfunctions after disinfection, open Start -> Run and enter the command:

sfc /scannow

and press Enter. Windows will check the integrity of the protected system files on your computer. You may need the OS installation disc for the repair.

If you cannot find the "Run" item, you can open it with the keyboard shortcut [Win] + [R]. If the system does not boot normally, use Safe Mode.

Next, we will look at a number of third-party programs for recovering the system after a virus. We recommend using them in Windows Safe Mode. Don't forget about administrator rights.

:: Recovery using Windows Repair (All In One)

Windows Repair (All In One) is a utility that will help you fix errors in the system registry, restore the original settings modified during computer infection or installation of programs, restore stable operation of the Internet Explorer browser, Windows Update service, Windows Firewall and other OS services and components.

Unzip the downloaded archive, then run the program. Be sure to update it first: File -> Database update.

Run the "Troubleshooting Wizard" (in the "File" menu).

Click "Start". If AVZ found any problems, check the boxes and click "Fix reported issues".

Then, in the "File" menu, select "System Restore". Check the boxes for all the items EXCEPT these:

  • Automatic correction of SPI/LSP settings;
  • Reset SPI/LSP and TCP/IP settings (XP+);
  • Complete re-creation of SPI settings;
  • Replace DNS of all connections with Google DNS

Then press "Perform marked operations", wait a little, close the program and restart your computer.

If after the infection there are problems accessing some sites, for example social networks falsely report that you are blocked or strange advertising pops up, then the DNS settings may have been replaced with malicious ones. In this case you can use the item "Replace DNS of all connections with Google DNS". But do this only after checking the computer with antivirus scanners (if they did not help). You can also try this item if you cannot get the Internet back after the infection.

The item "Automatic correction of SPI/LSP settings" can be used if Internet access is lost after the virus (restart the computer after applying it). "Reset SPI/LSP and TCP/IP settings (XP+)" is also intended to restore network access, but use it only if nothing else helps (restart the computer after using it). If both of the items above did not bring the Internet back, there is one more item, "Complete re-creation of SPI settings"; apply it only if nothing else helps. Note that these three items are meant for the case where there is no network access at all.

:: Check hard disk (chkdsk)

This is a standard Windows program for checking the hard drive for errors. Open "My Computer" (in Windows 7 it is just "Computer") on the Desktop or through the "Start" menu. Select the desired partition or disk, right-click it, choose "Properties", open the "Tools" tab and press "Check Now"; check the boxes "Automatically fix file system errors" and "Scan for and attempt recovery of bad sectors". If you are checking the system partition, you will be asked to schedule the check for the next startup (you will need to restart the computer for the check to run).

An example of launching it from the command line: chkdsk c: /f /r

:: Windows does not boot in any modes

Windows can fail to boot if the registry or system files are damaged. In that case we will have to use a LiveCD: a disc or flash drive that boots its own system instead of the one installed on the computer. You will need to download the image (a file with the .iso extension) on a healthy computer, write it to a disc or flash drive, and then boot from it.

We will use the AntiSMS LiveCD (see its download page). There is a special program for writing it to a flash drive on the download page.

After booting from the LiveCD on the problem computer, you will see a regular desktop. Click the "AntiSMS" shortcut. After the AntiSMS utility reports that everything is fine, remove the LiveCD and boot in the usual way. The AntiSMS utility restores some of the registry branches and system files that are necessary for Windows to work properly; perhaps this will be enough to restore the system.

If it doesn't help, then try restoring the registry from a backup:

For Windows 7: boot from the AntiSMS LiveCD and start Total Commander, which is provided on this LiveCD. Go to the folder Windows\System32\Config (this is the Windows folder of the problem computer). Rename the files SYSTEM and SOFTWARE to SYSTEM.bad and SOFTWARE.bad respectively. Then copy the files SYSTEM and SOFTWARE from the backup folder (Windows\System32\Config\RegBack, see the note below) into Windows\System32\Config. This should help; try to boot your computer in the usual way.

For Windows XP: go to the folder windows\system32\config and rename the files system and software to system.bad and software.bad respectively. Then copy the files system and software from the folder windows\repair into windows\system32\config.

For reference: the folder Windows\System32\Config\RegBack holds backups of the registry hives. They are created by Task Scheduler every ten days.
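The hive replacement described above, as an added PowerShell example (not from the article or from AntiSMS): it performs the rename-and-copy on an offline Windows installation from a LiveCD or WinRE prompt, but first checks that the backup hives are real, non-empty hives and refuses to touch the system it is running from. The drive letter in $OfflineWindows and the default backup folder are assumptions; for Windows XP pass -BackupDir 'repair'.

```powershell
# Added example: restore SYSTEM and SOFTWARE hives of an OFFLINE Windows from a backup folder.
# $OfflineWindows (assumed) is the letter the LiveCD assigned to the problem system's Windows folder;
# $BackupDir defaults to RegBack (Windows 7) and can be 'repair' for Windows XP.
param(
    [string]$OfflineWindows = 'D:\Windows',
    [string]$BackupDir      = 'System32\Config\RegBack'
)

$config  = Join-Path $OfflineWindows 'System32\Config'
$backups = Join-Path $OfflineWindows $BackupDir
$hives   = 'SYSTEM', 'SOFTWARE'

# Never replace the hives of the Windows we are booted into (the LiveCD/WinRE instance)
if ($OfflineWindows.TrimEnd('\') -ieq $env:SystemRoot.TrimEnd('\')) {
    throw "Refusing to replace hives of the running Windows ($env:SystemRoot)"
}

function Test-RegistryHive([string]$path) {
    # A usable hive exists, is not empty and starts with the 'regf' signature.
    # Since Windows 10 1803 the scheduled backup is off by default and RegBack
    # contains 0-byte placeholders; copying those would leave the system unbootable.
    if (-not (Test-Path -LiteralPath $path)) { return $false }
    if ((Get-Item -LiteralPath $path).Length -eq 0) { return $false }
    $fs = [System.IO.File]::OpenRead($path)
    try {
        $magic = New-Object byte[] 4
        [void]$fs.Read($magic, 0, 4)
    } finally { $fs.Close() }
    return ([System.Text.Encoding]::ASCII.GetString($magic) -eq 'regf')
}

# Validate every backup before touching anything, so a half-done swap cannot happen
foreach ($h in $hives) {
    $src = Join-Path $backups $h
    if (-not (Test-RegistryHive $src)) { throw "$src is missing, empty or not a registry hive; aborting" }
}

foreach ($h in $hives) {
    $current = Join-Path $config $h
    $bad     = "$current.bad"
    # Remove a leftover .bad from an earlier attempt, then keep the damaged hive for analysis
    if (Test-Path -LiteralPath $bad) { Remove-Item -LiteralPath $bad -Force }
    Rename-Item -LiteralPath $current -NewName "$h.bad" -Force
    Copy-Item   -LiteralPath (Join-Path $backups $h) -Destination $current -Force
    Write-Host "Restored $h from $backups (previous hive kept as $bad)"
}
```

Keeping the .bad copies matters beyond recovery: the damaged hives are where the evidence of what the malware changed lives.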
