virus.rst
author Oleksandr Gavenko <gavenkoa@gmail.com>
Mon, 22 Feb 2016 13:34:55 +0200
changeset 1911 870693ce6ff0
parent 1828 89380c212670
child 1912 8b81a8f0f692
permissions -rw-r--r--
Fix my RST article style by 'check-format-policy' target.
.. -*- coding: utf-8; -*-
.. include:: HEADER.rst

=================================
 Computer viruses and rootkits.
=================================
.. contents::
   :local:

Online virus scanner.
=====================

 * http://virusscan.jotti.org/
 * http://www.virustotal.com/
 * http://virscan.org/

Rootkit checker.
================

For Debian::

  $ sudo apt-get install rkhunter chkrootkit

  $ sudo rkhunter -c
  ...

  $ sudo chkrootkit
  ...

..

  http://www.rootkit.nl/projects/rootkit_hunter.html

For Windows just use the `Sysinternals suite
<https://technet.microsoft.com/ru-ru/sysinternals/>`_. There are two tools which
help a lot:

 * ``procexp.exe`` to find which process locks a file and the path to its
   executable image when removing unwanted software.
 * ``autoruns.exe`` to find program and service registration.

You may also use the less powerful but built-in ``msconfig.exe`` to investigate
startup process registration.

HijackThis.
-----------

Works nicely on 32-bit Windows, but fails to handle paths properly on 64-bit.

Autoruns from Sysinternals surpasses HijackThis in quality and in the number of
detected places.

  http://sourceforge.net/projects/hjt/
    Home page.
  https://en.wikipedia.org/wiki/HijackThis
    Wiki page.

GMER.
-----

Lists processes, services and autostarts, and scans for rootkits or 3rd party
file registration.

Under Windows 10 x64 it causes a reboot due to a write to read-only memory.

  http://www.gmer.net/
    Home page.
  https://en.wikipedia.org/wiki/GMER
    Wiki page.

Antivirus software.
===================

Debian.
-------

ClamAV - anti-virus utility for Unix::

  $ sudo apt-get install clamav

Windows.
--------

Free active antivirus:

 * `Windows Defender
   <http://windows.microsoft.com/en-us/windows/using-defender>`_
 * `Avast <http://www.avast.com/>`_ - the free Antivirus is free only for
   personal and non-commercial use.

Free one time scan antivirus:

 * `Dr.Web CureIt! <https://free.drweb.ru/cureit/>`_
 * `Free Kaspersky security scan for your PC
   <http://www.kaspersky.com/free-virus-scan>`_
 * `Kaspersky Virus Removal Tool <www.kaspersky.com/antivirus-removal-tool>`_
 * `ESET SysInspector <http://www.eset.com/int/support/sysinspector/>`_.

Nod32 removal.
~~~~~~~~~~~~~~

Disable the nod32 services with the 'msconfig' utility.

Remove the following keys from the registry with 'regedit'::

  HKEY_LOCAL_MACHINE\SOFTWARE\ESET
  HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_NOD32DRV
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\eamon  ==>
                ... easdrv easdrv EhttpSrv ekrn epfw Epfwndis epfwtdi