New filters

antimalware.txt

@@ -2,8 +2,8 @@
 ! Title: The malicious website blocklist
 ! Homepage: https://github.com/iam-py-test/my_filters_001
 ! Expires: 1 day
-! Last updated: 28/10/2023
-! Version: 28102023-1
+! Last updated: 2/11/2023
+! Version: 2112023-1
 ! Description: This list aims to protect against scams, phishing, malware, some stalkerware, and potentially unwanted programs (PUPs). It includes a version of vxvault.net's list, modified by me to work in adblockers.
 ! Special thanks to all of the people who have helped me maintain this list! Check out https://github.com/iam-py-test/my_filters_001/blob/main/CONTRIBUTORS.md
 ! Issues url: https://github.com/iam-py-test/my_filters_001/issues
@@ -8226,6 +8226,27 @@ ostrowlubelski.pl##^responseheader(location)
 ! https://www.virustotal.com/gui/file/1045127280b64e5d8e7af1efc347089f759860222f1373349d8c4aa1449918db/relations
 ||stratum-eu.rplant.xyz^$all
 
+! https://tria.ge/231102-m8cjhsch24/behavioral1
+||walknotice.com^$all
+||thedentadsi24.com^$all
+
+! https://github.com/uBlockOrigin/uAssets/issues/20389
+||ruiukp.top^$all
+
+! https://www.virustotal.com/gui/url/6afece7c72420223ae6f1700d02c8bee4806a335d23ab120522accba5e45250d
+! my analysis: https://tria.ge/231102-nctnlach68/behavioral1
+||synergyproz.com^$all
+||apparaatbeheer-online-abnamro-icscards.codeanyapp.com^$all
+||apparaatbeheer-online-abnamro-icscards.$document
+
+! https://bazaar.abuse.ch/sample/b842080ef401cb64de4b9c7d823ef60b0ed4f4bbd42431fbf26db940ece9f4f1/
+! my analysis: https://tria.ge/231102-nggjtsch93/behavioral2
+||mouseoiet.fun^$all
+
+! https://bazaar.abuse.ch/sample/9fbd818dc28ea5561278e873bd9b6deb896d4fbaac86209903bdeaad55c6c31a/
+! my analysis: https://tria.ge/231102-npbnjsda74/behavioral2
+||ddos.dnsnb8.net^$all
+
 ! ---- Scams ----
 
 ! fails to disclose it's lack of connection to uBlock *Origin*

antitypo.txt

@@ -5,7 +5,7 @@
 ! Homepage: https://github.com/iam-py-test/my_filters_001
 ! Issues url: https://github.com/iam-py-test/my_filters_001/issues
 ! GitLab issues url (not checked as often): https://gitlab.com/iam-py-test/my_filters_001/-/issues
-! Last updated: 28/10/2023
+! Last updated: 2/11/2023
 
 ! https://safeweb.norton.com/report/show?url=xn--gogle-jua.com
 ! https://www.virustotal.com/gui/url/0a354e33a0171ba3a740b823473ac7f8f0ae6d60924c9ced0ae6ba46851275bb/detection
@@ -658,6 +658,22 @@
 ||usps.com-$document,domain=~usps.com|~translate.goog
 ! hxxp[://]linkedindocumentinquiry[.]ap-south-1.linodeobjects[.]com/linkedinindex.html
 /^http:\/\/linkedindocumentinquiry\..*\/linkedinindex\.html$/$document
+! hxxpx[://]metamchromextensoin[.]gitbook[.]io/us/
+||metamchromextensoin.$document
+! hxxpx[://]www[.]lnstagram-tropicaibaiitouts[.]com/mobile.html
+||www.lnstagram-$document,domain=com|top|xyz
+! hxxpx[://]subscription-netflix-support[.]codeanyapp[.]com/monika/jonika/account/
+||subscription-netflix-support.$document
+! hxxpx://promote-warning-meta[.]help/3b070e09e0b9ac588d6b873cb246b2ae.html
+||promote-warning-meta.$document
+! hxxpx[://]mailoutlook365login[.]us-lax-1.linodeobjects.com/link.html
+||mailoutlook365login.us-$document
+! hxxp[://]office356domainlistmaintainnance231clouding1[.]brizy[.]site/
+||office356domainlistmaintainnance$document
+! hxxp[://]me-metamasklogin[.]mystrikingly[.]com/
+||me-metamasklogin.$document
+! hxxp[://]matamask-logi[.]mystrikingly[.]com/
+||matamask-logi.$document
 
 ! typo I made
 ||downlod.com^$all
@@ -687,3 +703,7 @@
 
 ! another day another typo
 ||adblockplu.org^$document
+
+! https://www.virustotal.com/gui/url/6afece7c72420223ae6f1700d02c8bee4806a335d23ab120522accba5e45250d
+! my analysis: https://tria.ge/231102-nctnlach68/behavioral1
+||apparaatbeheer-online-abnamro-icscards.$document

personal/iam-py-test.txt

@@ -140,6 +140,7 @@ mywot.com##[class*="StyledCookiesConsent__CookiesConsentContainer-"]
 ||tiktok*.com^$document
 ||adpointrtb.com^$document
 ||clicknewsview.com^$document
+||dnsnb8.net^$all
 
 ! ---- unwanted allowlist rules ----
 @@||fundingchoicesmessages.google.com^$script,xmlhttprequest,subdocument,badfilter

wiki/tools/system_hijack_removal_tool.ps1

@@ -126,7 +126,7 @@ else{
     Add-SHRTLog "Drive healthy"
 }
 
-$security_software_filenames = @("mbam.exe", "msert.exe", "taskmgr.exe", "eav_trial_rus.exe", "eis_trial_rus.exe", "essf_trial_rus.exe", "hitmanpro_x64.exe", "ESETOnlineScanner_UKR.exe", "ESETOnlineScanner_RUS.exe", "HitmanPro.exe", "Cezurity_Scanner_Pro_Free.exe", "Cube.exe", "AVbr.exe", "AV_br.exe", "KVRT.exe", "cureit.exe", "FRST64.exe", "eset_internet_security_live_installer.exe", "esetonlinescanner.exe", "eset_nod32_antivirus_live_installer.exe", "PANDAFREEAV.exe", "bitdefender_avfree.exe", "drweb-12.0-ss-win.exe", "Cureit.exe", "TDSSKiller.exe", "KVRT(1).exe", "rkill.exe", "adwcleaner.exe", "frst.exe", "frstenglish.exe", "combofix.exe", "iexplore.exe", "msconfig.exe", "jrt.exe", "mbar.exe", "SecHealthUI.exe", "software_reporter_tool.exe", "mrt.exe", "msert64.exe", "MusNotification.exe", "WaaSMedic.exe", "WaasMedicAgent.exe", "Windows10Upgrade.exe", "Process Explorer.exe", "procexp.exe", "procexp64.exe", "wfc.exe", "Securitycheck.exe", "chrome_cleanup_tool.exe", "stinger32.exe", "SophosInstall.exe", "Zemana.AntiMalware.Setup.exe", "avastui.exe", "hmpsched.exe")
+$security_software_filenames = @("mbam.exe", "msert.exe", "taskmgr.exe", "eav_trial_rus.exe", "eis_trial_rus.exe", "essf_trial_rus.exe", "hitmanpro_x64.exe", "ESETOnlineScanner_UKR.exe", "ESETOnlineScanner_RUS.exe", "HitmanPro.exe", "Cezurity_Scanner_Pro_Free.exe", "Cube.exe", "AVbr.exe", "AV_br.exe", "KVRT.exe", "cureit.exe", "FRST64.exe", "eset_internet_security_live_installer.exe", "esetonlinescanner.exe", "eset_nod32_antivirus_live_installer.exe", "PANDAFREEAV.exe", "bitdefender_avfree.exe", "drweb-12.0-ss-win.exe", "Cureit.exe", "TDSSKiller.exe", "KVRT(1).exe", "rkill.exe", "adwcleaner.exe", "frst.exe", "frstenglish.exe", "combofix.exe", "iexplore.exe", "msconfig.exe", "jrt.exe", "mbar.exe", "SecHealthUI.exe", "software_reporter_tool.exe", "mrt.exe", "msert64.exe", "MusNotification.exe", "WaaSMedic.exe", "WaasMedicAgent.exe", "Windows10Upgrade.exe", "Process Explorer.exe", "procexp.exe", "procexp64.exe", "wfc.exe", "Securitycheck.exe", "chrome_cleanup_tool.exe", "stinger32.exe", "SophosInstall.exe", "Zemana.AntiMalware.Setup.exe", "avastui.exe", "hmpsched.exe", "wininit.exe")
 $procs_to_kill = @("sOFvE", "aspnet_compiler", "ZBrWfxmlCHpYeX", "n2770812", "legola", "pdates", "applaunch", "jsc", "wscript", "cscript", "csc", "usjhlmmdmsqjfbox", "bstyoops", "Setup_File", "timeout", "hydra", "Endermanch@Hydra", "processhider", "Endermanch@Hydra", "c5892073", "ratt", "rundll32", "lll", "livess", "atonand", "rft64", "MsiExec", "Launcher", "AddInUtil", "wordpad", "x9943392", "pdates", "bs1", "cacls", "rundll32", "calc", "winlogson", "schtasks", "autoit", "autoit3", "0a29ee64b40a3adb3f5a5e1815c5de53", "b78f9dc987653121104c5eaa55ab8d4a", "fe2c051a9160b6207a186110b585a5b8", "TotalUninstall", "Total Uninstall Professional","totalav", "spyhunter", "regclean", "mssconfig", "mscnfig", "393", "aafg31", "more", "bot", "mshta", "system64bit", "ApowerREC", "NdKP12ZmmL", "Lavasoft.WCAssistant.WinService", "santivirusclient", "ChromiumUpdate", "powercfg", "vbc", "saves", "windowsx64_build", "GenuineService")
 $locs_to_kill = @("$env:APPDATA", "$env:TEMP", "$env:windir\Temp", "$env:windir\Fonts","$env:userprofile", "$env:public")
 $systemdirs = @("$env:windir\System32".ToLower(),"$env:windir".ToLower(), "$env:windir\syswow64".ToLower())
@@ -298,6 +298,8 @@ Remove-Item "HKCU:\Software\Lavasoft\Web Companion" -Force -ErrorAction Silently
 #  https://forums.malwarebytes.com/topic/301140-pupadwareheuristic-wont-quarantine/#comment-1582969
 Remove-Item -Path "HKCU:\SOFTWARE\353526A37049C6636D28F632A766CA4B" -force -ErrorAction SilentlyContinue
 Remove-Item -Path "HKCU:\SOFTWARE\4F905DFBB0C92199DB550940702AF609" -force -ErrorAction SilentlyContinue
+# https://forums.malwarebytes.com/topic/303905-a-running-process-on-your-device-is-potentially-malicious/
+Remove-Item -Path "HKLM:\SOFTWARE\7-ZipAA8xK7ht" -Force -ErrorAction SilentlyContinue
 
 # https://stackoverflow.com/questions/69518375/delete-a-locked-file-using-powershell
 $Win32 = Add-Type -Passthru -Name Win32 -MemberDefinition '