virus.rst
author Oleksandr Gavenko <gavenkoa@gmail.com>
Mon, 22 Feb 2016 13:02:27 +0200
changeset 1907 f4b078cbff20
parent 1828 89380c212670
child 1911 870693ce6ff0
permissions -rw-r--r--
TXT files no longer used.
.. -*- coding: utf-8 -*-

=================================
 Computer viruses and rootkits.
=================================

Online virus scanner.
=====================

 * http://virusscan.jotti.org/
 * http://www.virustotal.com/
 * http://virscan.org/

Rootkit checker.
================

For Debian::

  $ sudo apt-get install rkhunter chkrootkit

  $ sudo rkhunter -c
  ...

  $ sudo chkrootkit
  ...

..

  http://www.rootkit.nl/projects/rootkit_hunter.html

For Windows just use the `Sysinternals suite
<https://technet.microsoft.com/ru-ru/sysinternals/>`_. There are two tools which
help a lot:

 * ``procexp.exe`` to find which process locks a file, and the path to its
   executable image, when removing unwanted software.
 * ``autoruns.exe`` to find program and service registration.

Also you may use the less powerful but built-in ``msconfig.exe`` to investigate
startup process registration.

HijackThis.
-----------

Works nicely on 32-bit Windows, but fails to properly handle paths on 64-bit.

Autoruns from Sysinternals surpasses HijackThis in quality and number of
detected places.

  http://sourceforge.net/projects/hjt/
    Home page.
  https://en.wikipedia.org/wiki/HijackThis
    Wiki page.

GMER.
-----

Lists processes, services and autostarts, and scans for rootkits or 3rd party
file registration.

Under Windows 10 x64 it causes a reboot due to a write to read-only memory.

  http://www.gmer.net/
    Home page.
  https://en.wikipedia.org/wiki/GMER
    Wiki page.

Antivirus software.
===================

Debian.
-------

ClamAV - anti-virus utility for Unix::

  $ sudo apt-get install clamav

Windows.
--------

Free active antivirus:

 * `Windows Defender
   <http://windows.microsoft.com/en-us/windows/using-defender>`_
 * `Avast <http://www.avast.com/>`_ - Free Antivirus is free only for personal
   and non-commercial use.

Free one-time scan antivirus:

 * `Dr.Web CureIt! <https://free.drweb.ru/cureit/>`_
 * `Free Kaspersky security scan for your PC
   <http://www.kaspersky.com/free-virus-scan>`_
 * `Kaspersky Virus Removal Tool <http://www.kaspersky.com/antivirus-removal-tool>`_
 * `ESET SysInspector <http://www.eset.com/int/support/sysinspector/>`_.

Nod32 removal.
~~~~~~~~~~~~~~

Disable the NOD32 services with the ``msconfig`` utility.

Remove these keys from the registry with ``regedit`` (the ``==>`` line lists
further service names that have their own key under the same ``Services``
path)::

  HKEY_LOCAL_MACHINE\SOFTWARE\ESET
  HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_NOD32DRV
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\eamon  ==>
                ... easdrv easdrv EhttpSrv ekrn epfw Epfwndis epfwtdi
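As an added example (not part of the original notes), a read-only PowerShell inventory of the services and registry keys listed above, so the leftovers can be confirmed before and after removal. It assumes an elevated prompt and uses only the service names and key paths from the list above.

```powershell
# Added example, not from the original notes: read-only inventory of the
# ESET/NOD32 services and registry keys listed above. Assumes an elevated
# PowerShell prompt; it reports what is present and deletes nothing.

$services = 'eamon', 'easdrv', 'EhttpSrv', 'ekrn', 'epfw', 'Epfwndis', 'epfwtdi'

# Registry keys from the notes, in PowerShell provider notation, plus the
# per-service key each listed name has under CurrentControlSet\Services.
$keys = @(
    'HKLM:\SOFTWARE\ESET',
    'HKLM:\SYSTEM\ControlSet001\Enum\Root\LEGACY_NOD32DRV'
)
$keys += $services | ForEach-Object { "HKLM:\SYSTEM\CurrentControlSet\Services\$_" }

Write-Host '== Services and drivers =='
foreach ($name in $services) {
    # Get-Service only lists user-mode services; names that are kernel
    # drivers show up in Win32_SystemDriver instead, so check both.
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if ($svc) {
        $state = $svc.Status
    } else {
        $drv = Get-CimInstance Win32_SystemDriver -Filter "Name='$name'"
        $state = if ($drv) { $drv.State } else { $null }
    }
    if ($state) {
        Write-Host ("{0,-10} present  state={1}" -f $name, $state)
    } else {
        Write-Host ("{0,-10} absent" -f $name)
    }
}

Write-Host '== Registry keys =='
foreach ($key in $keys) {
    if (-not (Test-Path -LiteralPath $key)) {
        Write-Host "absent   $key"
        continue
    }
    # ImagePath (service keys only) shows which binary the key still points at.
    $image = (Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue).ImagePath
    if ($image) {
        Write-Host "present  $key  ->  $image"
    } else {
        Write-Host "present  $key"
    }
}
```

Run it once before disabling the services and once after the reboot; any line still reporting "present" is a remnant the msconfig/regedit steps above did not reach.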