# Forum in English  > Computer security: software  > Beta Testing  >  AVZ Questions :)

## Rorschach112

Hello everybody, I have recently become an External Specialist in the hope of learning as much as possible about this excellent tool. If this is better suited to the External Specialist forum then feel free to move it there  :Smiley: 

I have a few questions and I don't want to be constantly bugging ScratchyClaws for help(I have read all the help file). Also maybe the answers will help other non-russian speaking members.



1) Is using BC_DeleteFile less safe than the other ways? Should I only use that for really tough malware, like we do for The Avenger? I know they are both similar.

2) How successful are the quarantine and deletion file ways for removing malware? Will they have trouble against infections(any in specific)? Do the staff here start off with quarantine/deletion for files, then try use BC_DeleteFile if it comes back?

3) Can I add in any other files myself from other scans that need to be deleted into the AVZ fix, that don't show up in the HTML file. 
For example, DSS/ComboFix often report files that HJT/AVZ won't show, so could I just add in files with this when I know they are there.

QuarantineFile('c:\malware.exe','');
and repeat that for others? Will AVZ delete them even if it doesn't detect them in the first place?

4) I assume *Registry cleanup after deleting files should be used at the end always? * It just deletes the left over registry keys from the files we deleted right?

5) I am currently working on a log that has the Wareout infection, the sign being from a HJT log
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.61 85.255.112.218

I assume I will be able to fix this with AVZ, however how successful will AVZ be? Would there be a good chance that the users internet connection may be damaged?


6) Would the developer(s) or main admins consider becoming a Visiting Consultant at some of the English Speaking Anti-Malware sites and keeping us updated about the tool and future updates? 


Anyway, it would be greatly appreciated if any of my questions are answered. I am trying to understand this tool so I can become as good as you all are at it  :Smiley:

----------


## NickGolovko

> Hello everybody, I have recently become an External Specialist in the hope of learning as much as possible about this excellent tool. If this is better suited to the External Specialist forum then feel free to move it there 
> 
> I have a few questions and I don't want to be constantly bugging ScratchyClaws for help(I have read all the help file). Also maybe the answers will help other non-russian speaking members.


Hello Rorschach112, 

welcome on board again.  :Smiley: 

I will try answering your questions one by one.




> 1) Is using BC_DeleteFile less safe than the other ways? Should I only use that for really tough malware, like we do for The Avenger? I know they are both similar.


BC stands for BootCleaner. It is a boot driver which performs its operations at the early stages of system startup, when most of other drivers are not yet loaded and the file to be processed is not protected by any of them. It is well OK to use it, no system crash will happen, but you should always be conscious of the fact that this is the ultimate tool that is virtually sure to delete the file if you said to. In other words, the only danger of using BootCleaner is that nothing can save the file you are deleting by it. 

In our common practice we practically always use BC_ImportDeletedList function after the list of

DeleteFile();
DeleteFile();

or BC_ImportALL after the list of

QuarantineFile();
DeleteFile;

BootCleaner makes us sure that no additional operations would be required to remove malicious files. We use it even for not highly protected malware - to be on the safe side.




> 2) How successful are the quarantine and deletion file ways for removing malware? Will they have trouble against infections(any in specific)? Do the staff here start off with quarantine/deletion for files, then try use BC_DeleteFile if it comes back?


They rarely fail, but we usually add BootCleaner commands, see above. When I read an AVZ log, I click on links under the items (Script: Quarantine Delete), so I finally get a list of functions. For example:

 QuarantineFile('C:\WINDOWS\system32\mscoriezz.dll'  ,'');
 QuarantineFile('C:\WINDOWS\inetloader.dll','');
 QuarantineFile('C:\WINDOWS\se_spoof.dll','');
 QuarantineFile('C:\WINDOWS\system32\bitsprx2a.dll'  ,'');
 QuarantineFile('winrwq32.dll','');
 DeleteFile('winrwq32.dll');
 DeleteFile('C:\WINDOWS\system32\bitsprx2a.dll');
 DeleteFile('C:\WINDOWS\se_spoof.dll');
 DeleteFile('C:\WINDOWS\inetloader.dll');
 DeleteFile('C:\WINDOWS\system32\mscoriezz.dll');

etc.

If I am not sure that DeleteFile will succeed (and I am never sure  :Smiley:  ), I add BC_ImportDeletedList after the list. It imports to BootCleaner task the list of deleted files. If I am also interested in retrieving the files, I use BC_ImportALL. It imports both lists of quarantined and deleted files (I guess you know that BootCleaner can also quarantine, copy files, etc.).




> 3) Can I add in any other files myself from other scans that need to be deleted into the AVZ fix, that don't show up in the HTML file. 
> For example, DSS/ComboFix often report files that HJT/AVZ won't show, so could I just add in files with this when I know they are there.
> 
> QuarantineFile('c:\malware.exe','');
> and repeat that for others? Will AVZ delete them even if it doesn't detect them in the first place?


Of course you can. AVZ will do what you've commanded to do. It will try to find the file and process it even if it does not detect it. 




> 4) I assume *Registry cleanup after deleting files should be used at the end always? * It just deletes the left over registry keys from the files we deleted right?


Yes, it is mainly used after BC_Import, or right after the list of Quarantine/DeleteFile if you do not use BC_Import. It searches for registry traces of the deleted files and heuristically removes them.




> 5) I am currently working on a log that has the Wareout infection, the sign being from a HJT log
> O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.61 85.255.112.218
> 
> I assume I will be able to fix this with AVZ, however how successful will AVZ be? Would there be a good chance that the users internet connection may be damaged?


Some fixes are better to be done in HJT. They are not numerous, but they exist. For example, HJT is better in removing BHOs and other CLSID objects from the registry. So it is well OK if you use HJT for some fixes.

AVZ can just delete this registry item if you ask to.




> 6) Would the developer(s) or main admins consider becoming a Visiting Consultant at some of the English Speaking Anti-Malware sites and keeping us updated about the tool and future updates?


As soon as AVZ 4.28 is ready (with multiple languages support and, hopefully, new help file), I will do my best to promote it abroad. So I am ready to fulfill these functions.  :Smiley:

----------


## Rorschach112

Thank you very much for answering my questions Nick. It was very helpful.

I have used AVZ earlier today on some bad infections and I was *very* happy with the results. It did a great job at removing them. I have been chatting with a few friends about the tool, so we are all excited about using this tool which is new to us  :Smiley: 




> As soon as AVZ 4.28 is ready (with multiple languages support and, hopefully, new help file), I will do my best to promote it abroad.


I look forward to this, if you need any help at all, feel free to give me a PM.


Thanks again.

----------


## drongo

About adding suspected files to quarantine with AVZ. If the file itself (that you want to copy) is in the "white" list, it will not be quarantined after executing script with QuarantineFile(' '); .Maybe anybody knows the script -code to  temporary disable this function ?

----------

