virus.rst
author Oleksandr Gavenko <gavenkoa@gmail.com>
Mon, 30 Jan 2017 00:44:30 +0200
changeset 2075 ccaa2f364422
parent 1912 8b81a8f0f692
child 2228 837f1337c59b
permissions -rw-r--r--
Improve page formatting.
.. -*- coding: utf-8; -*-

=================================
 Computer viruses and rootkits.
=================================
.. contents::
   :local:

Online virus scanners.
======================

 * http://virusscan.jotti.org/
 * http://www.virustotal.com/
 * http://virscan.org/

Rootkit checker.
================

For Debian::

  $ sudo apt-get install rkhunter chkrootkit

  $ sudo rkhunter -c
  ...

  $ sudo chkrootkit
  ...

..

  http://www.rootkit.nl/projects/rootkit_hunter.html

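The rkhunter and chkrootkit run above, wrapped into a non-interactive script that reduces both tools' output to the actual findings. This is an added example, not code from the original article; it assumes both tools are installed as shown and the script runs as root (the rkhunter and chkrootkit options are real ones, the function names are mine).

```shell
#!/bin/sh
# Added example, not from the original article. Assumes rkhunter and
# chkrootkit are installed as shown above and the script runs as root.

# Keep only lines that signal a finding: rkhunter marks them "Warning:",
# chkrootkit prints "INFECTED" (or "Warning:"). The leading rkhunter
# timestamp "[HH:MM:SS]" is stripped so identical findings collapse.
extract_findings() {
    grep -E 'Warning:|INFECTED' | sed 's/^\[[0-9:]*\] *//' | sort -u
}

# Reads raw tool output on stdin, prints the findings and returns 1 when
# there is at least one, 0 when the output is clean.
check_output() {
    findings=$(extract_findings)
    [ -n "$findings" ] || return 0
    printf '%s\n' "$findings"
    return 1
}

run_scan() {
    # Refresh rkhunter's data files first. Do NOT run "rkhunter --propupd"
    # here: it must only be run after a legitimate package upgrade, or a
    # replaced binary is silently accepted as the new baseline.
    rkhunter --update >/dev/null 2>&1 || true
    status=0
    # --sk: skip keypresses, --rwo: report warnings only.
    printf 'rkhunter findings:\n'
    rkhunter --check --sk --rwo 2>&1 | check_output || status=1
    # -q: quiet mode, print suspicious items only.
    printf 'chkrootkit findings:\n'
    chkrootkit -q 2>&1 | check_output || status=1
    # A non-zero status means "triage needed", not "rootkit confirmed":
    # both tools are known for false positives (e.g. a mail daemon on a
    # port chkrootkit associates with a bindshell).
    return $status
}

# Run the scan only when asked to, so the functions can be sourced.
if [ "${RUN_SCAN:-0}" = 1 ]; then
    run_scan
fi
```

Run it as ``RUN_SCAN=1 sudo sh rootcheck.sh``; a non-zero exit status lists the lines that need a manual look.
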
For Windows just use the `Sysinternals suite
<https://technet.microsoft.com/ru-ru/sysinternals/>`_. Two tools there help
a lot:

 * ``procexp.exe`` to find which process holds a lock on a file and the path to
   its executable image, for removing unwanted software.
 * ``autoruns.exe`` to find program and service registration.

You may also use the less powerful but built-in ``msconfig.exe`` to investigate
startup process registration.

HijackThis.
-----------

Works nicely on 32-bit Windows, but fails to properly handle paths on 64-bit.

Autoruns from Sysinternals surpasses HijackThis in quality and number of
detected places.

  http://sourceforge.net/projects/hjt/
    Home page.
  https://en.wikipedia.org/wiki/HijackThis
    Wiki page.

GMER.
-----

Lists processes, services and autostarts, and scans for rootkits or 3rd party
file registration.

Under Windows 10 x64 it causes a reboot due to a write to read-only memory.

  http://www.gmer.net/
    Home page.
  https://en.wikipedia.org/wiki/GMER
    Wiki page.

Antivirus software.
===================

Debian.
-------

ClamAV - anti-virus utility for Unix::

  $ sudo apt-get install clamav

Windows.
--------

Free active antivirus:

 * `Windows Defender
   <http://windows.microsoft.com/en-us/windows/using-defender>`_
 * `Avast <http://www.avast.com/>`_ - Free Antivirus is free only for personal
   and non-commercial use.

Free one-time scan antivirus:

 * `Dr.Web CureIt! <https://free.drweb.ru/cureit/>`_
 * `Free Kaspersky security scan for your PC
   <http://www.kaspersky.com/free-virus-scan>`_
 * `Kaspersky Virus Removal Tool <www.kaspersky.com/antivirus-removal-tool>`_
 * `ESET SysInspector <http://www.eset.com/int/support/sysinspector/>`_.

Nod32 removal.
~~~~~~~~~~~~~~

Disable the Nod32 services with the ``msconfig`` utility.

Remove the following keys from the registry with ``regedit``::

  HKEY_LOCAL_MACHINE\SOFTWARE\ESET
  HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_NOD32DRV
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\eamon  ==>
                ... easdrv easdrv EhttpSrv ekrn epfw Epfwndis epfwtdi