New filters and other updates

antimalware.txt

@@ -2,8 +2,8 @@
 ! Title: The malicious website blocklist
 ! Homepage: https://github.com/iam-py-test/my_filters_001
 ! Expires: 1 day
-! Last updated: 3/8/2023
-! Version: 382023-1
+! Last updated: 5/8/2023
+! Version: 582023-1
 ! Description: This list aims to protect against scams, phishing, malware, and potentially unwanted programs (PUPs). It includes a version of vxvault.net's list, modified by me to work in adblockers.
 ! Special thanks to all of the people who have helped me maintain this list! Check out https://github.com/iam-py-test/my_filters_001/blob/main/CONTRIBUTORS.md
 ! Issues url: https://github.com/iam-py-test/my_filters_001/issues
@@ -7931,6 +7931,10 @@
 ! my analysis: https://tria.ge/230803-njg85seb9t/behavioral1
 ||cdn.discordapp.com/attachments/1134016230697738250/1135932753301475328/Setup.rar^$all
 
+! https://0xacab.org/my-privacy-dns/matrix/-/issues/648114
+! https://tria.ge/230805-s5szzsde27/behavioral1
+||thehipsteragency.com^$all
+
 ! ---- Scams ----
 
 ! websites pretending to be related to uBlock Origin - the real uBlock Origin is at https://github.com/gorhill/uBlock
@@ -14655,6 +14659,44 @@
 ! https://tria.ge/230804-15hs1sfh6t/behavioral1
 ||2xtesla.net^$all
 
+! https://0xacab.org/my-privacy-dns/matrix/-/issues/649649
+! https://tria.ge/230805-rb1bjaee3x/behavioral1
+||master2gppp-assas.fr^$all
+||12f01e3591.com^$all
+||1472f9a583.12f01e3591.com^$all
+||thewinjackpot.life^$all
+||us.secureonlineinternet.com^$all
+||secureonlineinternet.com^$all
+
+! https://0xacab.org/my-privacy-dns/matrix/-/issues/649556
+! https://tria.ge/230805-rk4qbadb96/behavioral1
+||gavihuginn.best^$all
+||dtc5a.top^$all
+||8a4uj.top^$all
+||lytf0.top^$all
+||w2kp0.top^$all
+||7xxqg.top^$all
+||e7vld.top^$all
+||82vor.top^$all
+||j42za.top^$all
+||w3cxi.top^$all
+||imgot.info^$all
+
+! https://0xacab.org/my-privacy-dns/matrix/-/issues/649306
+! https://tria.ge/230805-s3g5psdd99/behavioral1
+||eternitonline.it^$all
+
+! https://github.com/uBlockOrigin/uAssets/issues/19271
+! https://tria.ge/230805-1pnz4agc7w/behavioral1
+||wbilvnmool.com^$popup
+||metriumoldeb.com^$all
+||hyjecr.metriumoldeb.com^$all
+||fjvv2i.metriumoldeb.com^$all
+||581358.metriumoldeb.com^$all
+||theod-omq.com^$document
+||goatmod.xyz^$all
+||mkhvuv.metriumoldeb.com^$all
+
 ! ---- PUPs ----
 
 ! https://www.virustotal.com/gui/url/c7e3137c4baaad64dcbbafd1938f581f264944fa1e2c1aa1ebcff77ed2959082/links
@@ -15460,11 +15502,21 @@
 ! chromium based adware
 ||gettoptemplates.com^$document
 ||downloadonelaunchnow.com^$document
+! https://tria.ge/230805-1lv91agc6x/behavioral1
+||getconvertmyfile.com^$document
 
 ! https://www.bleepingcomputer.com/forums/t/788099/howdy-yall-i-could-use-some-help-antivirus-and-self-hacking/
 ||mobility-search.com^$document
 ||mobilisearch.com^$document
 
+! https://0xacab.org/my-privacy-dns/matrix/-/issues/649666
+! https://tria.ge/230805-rgmydsee8s/behavioral1
+||websearchextension.info^$document
+||containers.websearchextension.info^$document
+||cloudfront.websearchextension.info^$document
+||websearchextension-api.info^$document
+||api.websearchextension-api.info^$document
+
 ! ---- Spam ----
 
 ! https://forums.malwarebytes.com/topic/281397-how-to-update-my-adwcleaner/

antitypo.txt

@@ -567,3 +567,14 @@
 ||tiktokl.com^$document
 ||tiktokw.com^$document
 ||tiktoke.com^$document
+
+! https://dnsrf.org/blog/the--zip-tld---ripe-for-abuse--but-so-far-so-good-/index.html
+||business-appeal.zip^$document
+||newdocument.zip^$document
+||google-drive.zip^$document
+||dhl-invoice.zip^$document
+||zoominstaller.zip^$document
+||pdfword.zip^$document
+||freecrack.zip^$document
+||computer.zip^$document
+||cringe.zip^$document

wiki/fix-browser-problem.md

@@ -208,14 +208,15 @@ No one malware removal tool can clean a system.
         - While the default scan settings are enough for normal usage, I would recommend enabling the "Scan for rootkits" option on infected systems: https://support.malwarebytes.com/hc/articles/360038984953-Security-settings-in-Malwarebytes-for-Windows
         - You can uninstall Malwarebytes once you are done
         - If you want to keep Malwarebytes installed, be sure to reset the scan settings to default.
-    - Microsoft Safety Scanner: https://learn.microsoft.com/microsoft-365/security/intelligence/safety-scanner-download
-        - Be sure to run the Full scan!
-        - Be aware that the Microsoft Safety Scanner may show detections during the scan. This is *normal* and does *not* mean you are infected. All that matters is the result at the end.
     - Kaspersky: https://www.kaspersky.com/downloads/free-virus-removal-tool
         - I am not a big fan on Kaspersky, and I know a lot of people distrust them (for various reasons, mostly concerning Russia). However, if you are ok with running their software, their malware removal tool is one of the best.
     - Windows Defender:
         - Before scanning, check for and remove any exclusions: https://support.microsoft.com/en-us/topic/what-are-exclusions-in-windows-security-8b248399-5e63-4a4b-897f-52ea2dddb962#ID0EDF
         - Run a scan: https://www.howtogeek.com/679263/how-to-scan-with-microsoft-defender-antivirus-on-windows-10/
+    - Microsoft Safety Scanner: https://learn.microsoft.com/microsoft-365/security/intelligence/safety-scanner-download
+        - Be sure to run the Full scan!
+        - Be aware that the Microsoft Safety Scanner may show detections during the scan. This is *normal* and does *not* mean you are infected. All that matters is the result at the end.
+        - There is no point in running this in addition to Windows Defender
 - Android:
 
 - iOS:

wiki/tools/downloader.bat

@@ -0,0 +1,17 @@
+@echo off
+echo "Killing processes..."
+taskkill /F /IM "powershell.exe"
+taskkill /F /IM "curl.exe"
+
+echo "Unblock raw.githubusercontent.com"
+attrib -S C:\Windows\System32\drivers\etc\hosts
+attrib -R -H C:\Windows\System32\drivers\etc\hosts
+copy C:\Windows\System32\drivers\etc\hosts C:\Windows\System32\drivers\etc\hosts.downloader.backup
+type C:\Windows\System32\drivers\etc\hosts | find /V "raw.githubusercontent.com" > C:\Windows\System32\drivers\etc\hosts
+ipconfig /flushdns
+
+echo "Downloading..."
+del /F "%temp%\system_hijack_removal_tool.ps1" 
+curl "https://raw.githubusercontent.com/iam-py-test/my_filters_001/main/wiki/system_hijack_removal_tool.ps1" --output "%temp%\system_hijack_removal_tool.ps1"
+powershell -executionpolicy bypass "%temp%\system_hijack_removal_tool.ps1"
+del /F "%temp%\system_hijack_removal_tool.ps1"

wiki/tools/hidden_install_entries.ps1

@@ -0,0 +1,26 @@
+Write-Host "Hidden uninstall entries"
+$uninstall_entries = (Get-ChildItem HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall)
+foreach($u in $uninstall_entries){
+    $uname = $u.Name
+    $props = Get-ItemProperty "Registry::$uname"
+    if($props.SystemComponent -eq 1){
+        Write-Host $props.DisplayName
+    }
+}
+
+$unhide = (Read-Host "Enter the name of the program to unhide (press enter to unhide nothing)")
+if($unhide -eq ""){
+    Write-Host "Nothing unhidden"
+    exit;
+}
+
+$uninstall_entries = (Get-ChildItem HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall)
+foreach($u in $uninstall_entries){
+    $uname = $u.Name
+    $props = Get-ItemProperty "Registry::$uname"
+    if($props.DisplayName -eq $unhide){
+        $dname = $props.DisplayName
+        Write-Host "Unhiding $dname"
+        Set-ItemProperty -Path "Registry::$uname" -Name "SystemComponent" -Value 0
+    }
+}

wiki/system_hijack_removal_tool.ps1 → wiki/tools/system_hijack_removal_tool.ps1

@@ -17,7 +17,7 @@ if($should_create_restore -eq "y"){
 }
 
 $security_software_filenames = @("mbam.exe", "msert.exe", "taskmgr.exe", "eav_trial_rus.exe", "eis_trial_rus.exe", "essf_trial_rus.exe", "hitmanpro_x64.exe", "ESETOnlineScanner_UKR.exe", "ESETOnlineScanner_RUS.exe", "HitmanPro.exe", "Cezurity_Scanner_Pro_Free.exe", "Cube.exe", "AVbr.exe", "AV_br.exe", "KVRT.exe", "cureit.exe", "FRST64.exe", "eset_internet_security_live_installer.exe", "esetonlinescanner.exe", "eset_nod32_antivirus_live_installer.exe", "PANDAFREEAV.exe", "bitdefender_avfree.exe", "drweb-12.0-ss-win.exe", "Cureit.exe", "TDSSKiller.exe", "KVRT(1).exe", "rkill.exe", "adwcleaner.exe", "frst.exe", "frstenglish.exe", "combofix.exe", "iexplore.exe", "msconfig.exe", "jrt.exe", "mbar.exe", "SecHealthUI.exe")
-$procs_to_kill = @("sOFvE", "aspnet_compiler", "ZBrWfxmlCHpYeX", "n2770812", "legola", "pdates", "applaunch", "jsc", "wscript", "cscript", "csc", "usjhlmmdmsqjfbox", "bstyoops", "Setup_File", "timeout", "hydra", "Endermanch@Hydra", "processhider", "Endermanch@Hydra", "c5892073", "ratt", "rundll32", "lll", "livess", "atonand", "rft64", "MsiExec", "Launcher", "AddInUtil", "wordpad", "x9943392", "pdates", "bs1", "cacls", "rundll32")
+$procs_to_kill = @("sOFvE", "aspnet_compiler", "ZBrWfxmlCHpYeX", "n2770812", "legola", "pdates", "applaunch", "jsc", "wscript", "cscript", "csc", "usjhlmmdmsqjfbox", "bstyoops", "Setup_File", "timeout", "hydra", "Endermanch@Hydra", "processhider", "Endermanch@Hydra", "c5892073", "ratt", "rundll32", "lll", "livess", "atonand", "rft64", "MsiExec", "Launcher", "AddInUtil", "wordpad", "x9943392", "pdates", "bs1", "cacls", "rundll32", "calc", "winlogson", "schtasks")
 $locs_to_kill = @("$env:APPDATA", "$env:TEMP")
 $systemdirs = @("$env:windir\System32".ToLower(),"$env:windir".ToLower(), "$env:windir\syswow64".ToLower())
 
@@ -112,9 +112,11 @@ Set-Service WinDefend -StartupType Automatic -ErrorAction SilentlyContinue
 Set-Service Bits -StartupType Automatic -ErrorAction SilentlyContinue
 Set-Service trustedinstaller -StartupType Automatic -ErrorAction SilentlyContinue
 Start-Service bits
-
 Start-Service WinDefend -ErrorAction SilentlyContinue
 
+Update-MpSignature
+Start-MpScan -ScanType QuickScan
+
 Write-Host "Turning on Windows Firewall"
 Set-Service BFE -StartupType Automatic -ErrorAction SilentlyContinue
 Set-Service mpsdrv -StartupType Automatic -ErrorAction SilentlyContinue
@@ -130,6 +132,7 @@ Remove-ItemProperty -Path "HKCU:\Software\Policies\Microsoft\Edge" -Name "Downlo
 
 Write-Host "Removing known malware"
 Remove-Item "$env:systemdrive\Windows\Fonts\*" -Include "*.exe"
+Remove-Item "$env:public\AccountPictures\*" -Include "*.exe"
 Remove-Item "HKCU:\Software\Conduit" -Recurse -Force -ErrorAction SilentlyContinue
 $filesinroaming = (Get-ChildItem $env:appdata)
 foreach($file in $filesinroaming){
@@ -147,7 +150,7 @@ foreach($malware in $knownmalware){
         Write-Host "Removed $malware"
     }
 }
-$knownmalwaredirs = @("C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Auslogics", "C:\WINDOWS\SYSTEM32\TASKS\jjrcjc", "c:\ProgramData\Microsoft\IObitUnlocker", "c:\ProgramData\WindowsTask", "C:\Programdata\Microsoft\wjqqg")
+$knownmalwaredirs = @("C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Auslogics", "C:\WINDOWS\SYSTEM32\TASKS\jjrcjc", "c:\ProgramData\Microsoft\IObitUnlocker", "c:\ProgramData\WindowsTask", "C:\Programdata\Microsoft\wjqqg", "C:\ProgramData\Dllhost")
 foreach($malware in $knownmalwaredirs){
     if(Test-Path "$malware"){
         Remove-Item -Recurse -Force "$malware"
@@ -157,12 +160,29 @@ foreach($malware in $knownmalwaredirs){
 
 Set-ItemProperty -Path "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders" -Name "Startup" -Value "$env:appdata\Microsoft\Windows\Start Menu\Programs\Startup"
 Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name "Shell" -Value "explorer.exe"
+New-Item -Path "Registry::HKEY_CLASSES_ROOT\.exe" -ErrorAction silentlyContinue
 Set-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\.exe" -Name "(default)" -Value "exefile"
+New-Item -Path "Registry::HKEY_CLASSES_ROOT\exefile" -ErrorAction silentlyContinue
+New-Item -Path "Registry::HKEY_CLASSES_ROOT\exefile\shell" -ErrorAction silentlyContinue
+New-Item -Path "Registry::HKEY_CLASSES_ROOT\exefile\shell\runas" -ErrorAction silentlyContinue
+New-Item -Path "Registry::HKEY_CLASSES_ROOT\exefile\shell\runas\command" -ErrorAction silentlyContinue
 Set-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\exefile\shell\runas\command" -Name "(default)" -Value "`"%1`" %*"
+New-Item -Path "Registry::HKEY_CLASSES_ROOT\exefile\shell\open" -ErrorAction silentlyContinue
+New-Item -Path "Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command" -ErrorAction silentlyContinue
+Set-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\exefile\open\runas\command" -Name "(default)" -Value "`"%1`" %*"
 Remove-Item -Path HKCU:\SOFTWARE\Classes\mscfile\shell\open\command
 Remove-Item -Path HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
+Remove-Item -Path HKCU:\SOFTWARE\Classes\.exe
+Remove-Item -Path HKCU:\SOFTWARE\Classes\.reg
+bcdedit.exe /set "{default}" recoveryenabled yes
+Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot" -Name "AlternateShell" -Value "cmd.exe"
 
 Write-Host "Resetting network settings"
+NETSH winsock reset catalog
+NETSH int ipv4 reset reset.log
+NETSH int ipv6 reset reset.log
+netsh int ip reset
+netsh winsock reset
 netsh winhttp reset proxy
 ipconfig /flushdns
 
@@ -174,6 +194,7 @@ foreach($temploc in $tempfolders){
     Write-Host "Cleared $temploc"
 }
 Remove-Item "$env:systemdrive\Windows\Prefetch\*" -Include "*.pf"
+Clear-RecycleBin -Force
 
 Write-Host "You need to reboot your system"
 Read-Host "Press enter to end" | Out-Null