diff --git a/antimalware.txt b/antimalware.txt
index 54be59f22..a7a781592 100644
--- a/antimalware.txt
+++ b/antimalware.txt
@@ -7968,6 +7968,10 @@
 ! https://www.youtube.com/watch?v=DUbemJF_3zE
 /wp-admin/Install.exe|$document
+! https://www.bleepingcomputer.com/news/security/evil-telegram-android-apps-on-google-play-infected-60k-with-spyware/
+||telegrnm.org^$all
+||sg.telegrnm.org^$all
+
 ! ---- Scams ----
 ! websites pretending to be related to uBlock Origin - the real uBlock Origin is at https://github.com/gorhill/uBlock
@@ -15499,7 +15503,6 @@
 ||odesbest.com^$all
 ||loadoverlylatestinfo-program.info^$all
-
 ! ---- PUPs ----
 ! https://www.virustotal.com/gui/url/c7e3137c4baaad64dcbbafd1938f581f264944fa1e2c1aa1ebcff77ed2959082/links
@@ -16338,6 +16341,9 @@
 ! https://github.com/hagezi/dns-blocklists/discussions/1515
 ||techadsology.com^$all
+! sells driver updater snake oil
+||drivereasy.com^$document
+
 ! ---- Spam ----
 ! https://forums.malwarebytes.com/topic/281397-how-to-update-my-adwcleaner/
diff --git a/antipup.txt b/antipup.txt
index 0b0fe698f..8c5a9acd7 100644
--- a/antipup.txt
+++ b/antipup.txt
@@ -109,6 +109,7 @@ winaero.com##.widget:has([href="/fix-classic-issues-performance/"])
 ||ccleaner.com^$document
 ! https://tria.ge/230821-2bt5maad51/behavioral1
+||fortect.com^$document
 ||cloud.fortect.com^$document
 ! https://forums.malwarebytes.com/topic/301486-vetting-cleanmymac/
diff --git a/antitypo.txt b/antitypo.txt
index cc41df396..ef86fde2f 100644
--- a/antitypo.txt
+++ b/antitypo.txt
@@ -5,7 +5,7 @@
 ! Homepage: https://github.com/iam-py-test/my_filters_001
 ! Issues url: https://github.com/iam-py-test/my_filters_001/issues
 ! GitLab issues url (not checked as often): https://gitlab.com/iam-py-test/my_filters_001/-/issues
-! Last updated: 23/8/2023
+! Last updated: 11/9/2023
 ! https://safeweb.norton.com/report/show?url=xn--gogle-jua.com
 ! https://www.virustotal.com/gui/url/0a354e33a0171ba3a740b823473ac7f8f0ae6d60924c9ced0ae6ba46851275bb/detection
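Review bot: `||sg.telegrnm.org^$all` in the first hunk is redundant with the `||telegrnm.org^$all` line directly above it, because the `||` anchor already matches the registered domain and every subdomain, so the explicit host entry adds no coverage. Dropping it keeps the list from accumulating per-subdomain lines that have to be maintained alongside the apex rule. If a downstream consumer that does not honor `||` subdomain semantics needs the explicit host, a short comment on that line (for example `! kept for consumers without ||-subdomain matching`) would stop a later cleanup pass from removing it. The same `telegrnm.org` rule and reference URL are also added to antitypo.txt in this commit; that is presumably intentional if the lists are consumed independently, but it is worth a note in the commit message.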
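Review bot: The new `||fortect.com^$document` rule subsumes the existing `||cloud.fortect.com^$document` line that follows it, since `||fortect.com^` already matches every subdomain with the same `$document` option, so the older line can be dropped in the same commit rather than left as dead weight. The new entry also has no reference comment of its own; the `! https://tria.ge/230821-2bt5maad51/behavioral1` line above it sits next to the `cloud.` rule and presumably documents that host, so a one-line justification for blocking the apex domain would follow the convention the rest of the file uses.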
@@ -587,3 +587,6 @@
 ! https://www.virustotal.com/gui/url/45a03d912eaf1ec11a69a69129b393e3b84a3f48812264c5c9f95854e4bc6a36?nocache=1
 ||www.paypal-com-verify.$document,domain=~translate.goog
+
+! https://www.bleepingcomputer.com/news/security/evil-telegram-android-apps-on-google-play-infected-60k-with-spyware/
+||telegrnm.org^$all
diff --git a/wiki/tools/system_hijack_removal_tool.ps1 b/wiki/tools/system_hijack_removal_tool.ps1
index 000f2a0b4..e90b8fbe4 100644
--- a/wiki/tools/system_hijack_removal_tool.ps1
+++ b/wiki/tools/system_hijack_removal_tool.ps1
@@ -126,11 +126,11 @@ else{
 Add-SHRTLog "Drive healthy"
 }
-$security_software_filenames = @("mbam.exe", "msert.exe", "taskmgr.exe", "eav_trial_rus.exe", "eis_trial_rus.exe", "essf_trial_rus.exe", "hitmanpro_x64.exe", "ESETOnlineScanner_UKR.exe", "ESETOnlineScanner_RUS.exe", "HitmanPro.exe", "Cezurity_Scanner_Pro_Free.exe", "Cube.exe", "AVbr.exe", "AV_br.exe", "KVRT.exe", "cureit.exe", "FRST64.exe", "eset_internet_security_live_installer.exe", "esetonlinescanner.exe", "eset_nod32_antivirus_live_installer.exe", "PANDAFREEAV.exe", "bitdefender_avfree.exe", "drweb-12.0-ss-win.exe", "Cureit.exe", "TDSSKiller.exe", "KVRT(1).exe", "rkill.exe", "adwcleaner.exe", "frst.exe", "frstenglish.exe", "combofix.exe", "iexplore.exe", "msconfig.exe", "jrt.exe", "mbar.exe", "SecHealthUI.exe", "software_reporter_tool.exe", "mrt.exe", "msert64.exe", "MusNotification.exe", "WaaSMedic.exe", "WaasMedicAgent.exe", "Windows10Upgrade.exe", "Process Explorer.exe", "procexp.exe", "procexp64.exe", "wfc.exe", "Securitycheck.exe", "chrome_cleanup_tool.exe", "stinger32.exe", "SophosInstall.exe", "Zemana.AntiMalware.Setup.exe", "avastui.exe")
+$security_software_filenames = @("mbam.exe", "msert.exe", "taskmgr.exe", "eav_trial_rus.exe", "eis_trial_rus.exe", "essf_trial_rus.exe", "hitmanpro_x64.exe", "ESETOnlineScanner_UKR.exe", "ESETOnlineScanner_RUS.exe", "HitmanPro.exe", "Cezurity_Scanner_Pro_Free.exe", "Cube.exe", "AVbr.exe", "AV_br.exe", "KVRT.exe", "cureit.exe", "FRST64.exe", "eset_internet_security_live_installer.exe", "esetonlinescanner.exe", "eset_nod32_antivirus_live_installer.exe", "PANDAFREEAV.exe", "bitdefender_avfree.exe", "drweb-12.0-ss-win.exe", "Cureit.exe", "TDSSKiller.exe", "KVRT(1).exe", "rkill.exe", "adwcleaner.exe", "frst.exe", "frstenglish.exe", "combofix.exe", "iexplore.exe", "msconfig.exe", "jrt.exe", "mbar.exe", "SecHealthUI.exe", "software_reporter_tool.exe", "mrt.exe", "msert64.exe", "MusNotification.exe", "WaaSMedic.exe", "WaasMedicAgent.exe", "Windows10Upgrade.exe", 
"Process Explorer.exe", "procexp.exe", "procexp64.exe", "wfc.exe", "Securitycheck.exe", "chrome_cleanup_tool.exe", "stinger32.exe", "SophosInstall.exe", "Zemana.AntiMalware.Setup.exe", "avastui.exe", "hmpsched.exe")
 $procs_to_kill = @("sOFvE", "aspnet_compiler", "ZBrWfxmlCHpYeX", "n2770812", "legola", "pdates", "applaunch", "jsc", "wscript", "cscript", "csc", "usjhlmmdmsqjfbox", "bstyoops", "Setup_File", "timeout", "hydra", "Endermanch@Hydra", "processhider", "Endermanch@Hydra", "c5892073", "ratt", "rundll32", "lll", "livess", "atonand", "rft64", "MsiExec", "Launcher", "AddInUtil", "wordpad", "x9943392", "pdates", "bs1", "cacls", "rundll32", "calc", "winlogson", "schtasks", "autoit", "autoit3", "0a29ee64b40a3adb3f5a5e1815c5de53", "b78f9dc987653121104c5eaa55ab8d4a", "fe2c051a9160b6207a186110b585a5b8", "TotalUninstall", "Total Uninstall Professional","totalav", "spyhunter", "regclean", "mssconfig", "mscnfig", "393", "aafg31", "more", "bot", "mshta", "system64bit", "ApowerREC", "NdKP12ZmmL", "Lavasoft.WCAssistant.WinService", "santivirusclient", "ChromiumUpdate", "powercfg", "vbc", "saves", "windowsx64_build", "GenuineService")
 $locs_to_kill = @("$env:APPDATA", "$env:TEMP", "$env:windir\Temp", "$env:windir\Fonts","$env:userprofile", "$env:public")
 $systemdirs = @("$env:windir\System32".ToLower(),"$env:windir".ToLower(), "$env:windir\syswow64".ToLower())
-$bad_schtasks = @("svvchost", "DigitalPulseUpdateTask", "Microsoft\Windows\Wininet\Cleaner", "NvStray\NvStrayService_bk6481", "RuntimeBroker_startup_266_str", "CCleanerSkipUAC")
+$bad_schtasks = @("svvchost", "DigitalPulseUpdateTask", "Microsoft\Windows\Wininet\Cleaner", "NvStray\NvStrayService_bk6481", "RuntimeBroker_startup_266_str", "CCleanerSkipUAC", "\pmvk5v\dc6ity\8awzt8\7g8740\57s9va\2socn5\d9dcay\ydm4mj\gaj141\t8v7nl\2tjnx7\auokl6\87xl3z\9jmohv\r2uzp0\tybmet\xmh4v3", "pmvk5v\dc6ity\8awzt8\7g8740\57s9va\2socn5\d9dcay\ydm4mj\gaj141\t8v7nl\2tjnx7\auokl6\87xl3z\9jmohv\r2uzp0\tybmet\xmh4v3", 
"\kdgrzn\ah251m\okab1m\tnqenz\gu6wde\3cnhb8\wyq1nd\a5qyeb\khp2x6\7y138g\5wfwm1\mxo3dp\i9gzuo\l4mldq\hlrg1s\adcaoo\durhkc", "kdgrzn\ah251m\okab1m\tnqenz\gu6wde\3cnhb8\wyq1nd\a5qyeb\khp2x6\7y138g\5wfwm1\mxo3dp\i9gzuo\l4mldq\hlrg1s\adcaoo\durhkc")
 $knownmalware = @("$env:appdata\Microsoft\Windows\Start Menu\Programs\Startup\eNXtBTKShU.url", "$env:systemdrive\Users\Public\Viyeinmz.url", "$env:systemdrive\Users\Public\Owhgjnta.url", "$env:systemdrive\ProgramData\Default\cDefaultc.vbs", "$env:systemdrive\Windows\system32\config\systemprofile\AppData\Roaming\winlogon.exe", "$env:systemdrive\Program Files\WindowsPowershell\RuntimeBroker.exe", "$env:systemdrive\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ratt.exe", "$env:windir\rft64.exe", "$env:windir\SYSTEM32\TASKS\GoogleUpdateTaskMachineQC", "$env:systemdrive\PROGRAM FILES\GOOGLE\CHROME\UPDATER.EXE", "$env:appdata\Microsoft\Windows\Start Menu\Programs\Startup\Scanned.js", "$env:userprofile\Videos\edddegyjjykj.exe", "$env:appdata\Microsoft\Windows\Start Menu\Programs\Startup\edddegyjjykj.lnk", "$env:appdata\Microsoft\Windows\Start Menu\Programs\Startup\519b55464950ce55b68715cb59bcfbfb.exe", "$env:userprofile\Documents\NdKP12ZmmL.pif", "$env:systemdrive\Program Files\Common Files\System\iediagcmd.exe", "$env:appdata\Microsoft\Windows\Start Menu\Programs\Startup\system.exe", "$env:systemdrive\ProgramData\HostData\logs.uce", "$env:appdata\Microsoft\Windows\Start Menu\Programs\Startup\runsauto32.ini.lnk", "$env:systemdrive\PROGRAM FILES\GOOGLE\CHROME\CHROMEUPDATE.EXE")
 $knownmalwaredirs = @("$env:systemdrive\ProgramData\Microsoft\Windows\Start Menu\Programs\Auslogics", "$env:windir\SYSTEM32\TASKS\jjrcjc", "$env:systemdrive\ProgramData\Microsoft\IObitUnlocker", "$env:systemdrive\ProgramData\WindowsTask", "$env:systemdrive\Programdata\Microsoft\wjqqg", "$env:systemdrive\ProgramData\Dllhost", "$env:systemdrive\ProgramData\Windows Tasks Service". 
"$env:systemdrive\Programdata\ReaItekHD", "$env:programdata\IObit\Advanced SystemCare", "C:\Users\Default\AppData\Local\Microsoft\Windows\InetHelper", "$userprofile\AppData\Local\Microsoft\Windows\InetHelper", "C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\InetHelper", "$env:systemdrive\ProgramData\WindowsTask", "C:\Program Files (x86)\IObit", "$env:systemdrive\ProgramData\Microsoft\NetFramework\57aZolanDbk", "C:\ProgramData\Microsoft\MapData\MDTFx6Mpd", "C:\ProgramData\Dllhost", "$env:userprofile\Appdata\Roaming\windows_update_513432", "$env:systemdrive\Program Files\CCleaner", "$env:appdata\WinSupUpdet2004")
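Review bot: The two scheduled-task paths added to `$bad_schtasks` are each listed twice, once with and once without a leading backslash, which suggests the consumer does an exact string compare against the task path; normalizing at the comparison site (e.g. `$task.TrimStart('\')`) would let each IOC appear once, though that code is outside this hunk so I cannot confirm how the list is matched. Both entries and the new `"hmpsched.exe"` name carry no provenance, unlike the filter lists in this commit which cite a report URL; a one-line comment naming the sample or report (e.g. `# task names from <sample/report>, sample-specific`) would let a maintainer retire these random-string IOCs later. The adjacent `$knownmalwaredirs` context line appears to join `"...Windows Tasks Service"` and `"...ReaItekHD"` with a `.` rather than a `,`, which would not build the intended array element, and `"$userprofile\AppData\Local\..."` uses `$userprofile` instead of `$env:userprofile` so it would expand to an empty prefix; neither is from this commit, but both sit in the block it edits and are worth fixing in the same pass.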