:author: Oleksandr Gavenko <gavenkoa@gmail.com>
:date: Sat, 10 Feb 2018 01:36:16 +0200
:changeset: 2229 (1a0b6597e594), parent 2228 (837f1337c59b)

.. -*- coding: utf-8; -*-

=================================
Computer viruses and rootkits.
=================================

.. contents::
   :local:

Online virus scanner.
=====================

* http://virusscan.jotti.org/
* http://www.virustotal.com/
* http://virscan.org/

Rootkit checker.
================

For Debian::

  $ sudo apt-get install rkhunter chkrootkit

  $ sudo rkhunter -c
  ...

  $ sudo chkrootkit
  ...

..

* http://www.rootkit.nl/projects/rootkit_hunter.html

For Windows just use the `Sysinternals suite
<https://technet.microsoft.com/ru-ru/sysinternals/>`_. There are two tools which
help a lot:

* ``procexp.exe`` to find which process holds a file open, and the path to its
  executable image, when removing unwanted software.
* ``autoruns.exe`` to find program and service registration.

Also you may use the less powerful but built-in ``msconfig.exe`` to investigate
startup process registration.

HijackThis.
-----------

Works nicely on 32-bit Windows, but fails to handle paths properly on 64-bit.

Autoruns from Sysinternals surpasses HijackThis in the quality and number of
detected places.

http://sourceforge.net/projects/hjt/
  Home page.
https://en.wikipedia.org/wiki/HijackThis
  Wiki page.

GMER.
-----

Lists processes, services and autostarts, and scans for rootkits or 3rd party file
registration.

Under Windows 10 x64 it causes a reboot due to a write to read-only memory.

http://www.gmer.net/
  Home page.
https://en.wikipedia.org/wiki/GMER
  Wiki page.

Antivirus software.
===================

Debian.
-------

ClamAV - anti-virus utility for Unix::

  $ sudo apt-get install clamav

Windows.
--------

Free active antivirus:

* `Windows Defender
  <http://windows.microsoft.com/en-us/windows/using-defender>`_
* `Avast <http://www.avast.com/>`_ - Avast Free Antivirus is free only for
  personal and non-commercial use.

Free one-time scan antivirus:

* `Dr.Web CureIt! <https://free.drweb.ru/cureit/>`_
* `Free Kaspersky security scan for your PC
  <http://www.kaspersky.com/free-virus-scan>`_
* `Kaspersky Virus Removal Tool <www.kaspersky.com/antivirus-removal-tool>`_
* `ESET SysInspector <http://www.eset.com/int/support/sysinspector/>`_.

Nod32 removal.
~~~~~~~~~~~~~~

Disable the Nod32 services with the 'msconfig' utility.

Remove these keys from the registry with 'regedit'::

  HKEY_LOCAL_MACHINE\SOFTWARE\ESET
  HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_NOD32DRV
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\eamon ==>
  ... easdrv easdrv EhttpSrv ekrn epfw Epfwndis epfwtdi
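As an added example (my own code, not from the article), a read-only PowerShell inventory of the registry keys and service names listed above, to check what is still registered before and after the regedit work. ``Get-ServiceRegistration`` takes any service name, so it also gives a scriptable view of the service registration that ``autoruns.exe`` shows in the Sysinternals section; the function names are mine.

```powershell
# Added example: read-only inventory of the ESET/NOD32 registrations listed above.
# Nothing is deleted; it reports what is still present so the regedit/msconfig work
# can be checked before and after. Run from an elevated prompt, since not every key
# under HKLM\SYSTEM is readable by a standard user.

function Resolve-ImagePath([string]$ImagePath) {
    # Normalise the forms found in ImagePath values: "\??\C:\x.sys",
    # "\SystemRoot\system32\x.sys", "system32\DRIVERS\x.sys" (relative to the
    # Windows directory), and quoted or unquoted paths followed by arguments.
    $p = $ImagePath.Trim()
    if ($p -match '^"([^"]+)"') { $p = $Matches[1] } else { $p = ($p -split ' -| /')[0] }
    $p = $p -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }
    return [Environment]::ExpandEnvironmentVariables($p)
}

function Get-ServiceRegistration([string]$Name) {
    # One row per service/driver name: is the key there, how does it start, which
    # binary does it load, and is that binary still on disk and validly signed.
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
    if (-not (Test-Path -LiteralPath $key)) {
        return [pscustomobject]@{ Name = $Name; Registered = $false; Start = ''; Image = ''; OnDisk = $false; Signature = '' }
    }
    $startType = @{ 0 = 'boot'; 1 = 'system'; 2 = 'auto'; 3 = 'manual'; 4 = 'disabled' }
    $p = Get-ItemProperty -LiteralPath $key
    $start = if ($null -ne $p.Start) { $startType[[int]$p.Start] } else { '?' }
    $img = if ($p.ImagePath) { Resolve-ImagePath ([string]$p.ImagePath) } else { '' }
    $onDisk = ($img -ne '') -and (Test-Path -LiteralPath $img)
    $sig = if ($onDisk) { (Get-AuthenticodeSignature -LiteralPath $img).Status.ToString() } else { 'n/a' }
    [pscustomobject]@{ Name = $Name; Registered = $true; Start = $start; Image = $img; OnDisk = $onDisk; Signature = $sig }
}

# Registry keys and service/driver names taken from the article's removal list.
$keys = @('HKLM:\SOFTWARE\ESET', 'HKLM:\SYSTEM\ControlSet001\Enum\Root\LEGACY_NOD32DRV')
$services = @('eamon', 'easdrv', 'EhttpSrv', 'ekrn', 'epfw', 'Epfwndis', 'epfwtdi')

foreach ($k in $keys) {
    [pscustomobject]@{ Key = $k; Present = (Test-Path -LiteralPath $k) }
}
$services | ForEach-Object { Get-ServiceRegistration $_ } | Format-Table -AutoSize
```

A service whose key is still present with a binary that is missing from disk is a dead registration left behind by the uninstaller; one whose binary is still on disk and set to auto or boot start is still loadable and is the one to disable first.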