How do you block a .dll trojan?

Discussion in 'Ghost Security Suite (GSS)' started by TopperID, Oct 7, 2005.

Thread Status:
Not open for further replies.
  1. TopperID (Registered Member)

    Supposing you want to create Application Rules to prevent a piece of malware on your system from making any changes to your Registry; I assume you would create a Group for the malware and include the keys:-

    HKEY_CLASSES_ROOT\**
    HKEY_CURRENT_USER\**
    HKEY_LOCAL_MACHINE\**
    HKEY_USERS\**
    HKEY_CURRENT_CONFIG\**

    and then, for each key, tick all the 'event' boxes and select 'block'.

    But supposing you had a .dll trojan on your system, which had injected itself into, for example, Winlogon.exe; would you create the Group around Winlogon (and hence block that) or would you give the file path of the .dll trojan and block it directly?

    I'm thinking of a situation where a .dll trojan is acting in tandem with another trojan .exe file which gets placed as an autorun in the Registry, and you want to stop it running next reboot.

    Does anyone know whether you should be blocking the .dll itself or the legitimate .exe system file it has been injected into?
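    The post above describes the defender's starting point: an autorun entry in the Registry plus a DLL that is loaded by a legitimate process such as Winlogon. Before deciding what to block, it helps to enumerate where such entries live. The script below is an added example, not code from this thread or from Ghost Security Suite; it parses a constructed .reg export (the key names are the standard Run/RunOnce and Winlogon\Notify locations, the value names and file paths are invented placeholders) and flags entries whose binaries sit outside the usual system directories.

```python
"""Scan a Windows .reg export for autorun entries (Run/RunOnce values and
Winlogon\\Notify DLL packages) and flag paths in unusual locations.
Added example: the sample text below is constructed, not a real dump."""
import re

# Constructed sample .reg text; value names and paths are placeholders.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"
"updater"="C:\\Documents and Settings\\user\\Local Settings\\Temp\\upd.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\exmpl]
"DLLName"="C:\\WINDOWS\\system32\\exmpl.dll"
"Startup"="WLEventStartup"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"cleanup"="C:\\WINDOWS\\TEMP\\x.exe /s"
"""

# Keys whose values are executed at logon / boot.
AUTORUN_KEY_RE = re.compile(r"\\CurrentVersion\\(Run|RunOnce|RunServices)$", re.I)
# Winlogon notification packages: the DLLName value is loaded into winlogon.exe.
NOTIFY_KEY_RE = re.compile(r"\\Winlogon\\Notify\\[^\\]+$", re.I)
# "name"="data" lines of a REG_SZ value.
VALUE_RE = re.compile(r'^"([^"]*)"="(.*)"$')
# Directories from which startup binaries are rarely legitimate (heuristic).
SUSPICIOUS_DIRS = ("\\temp\\", "\\local settings\\", "\\application data\\")


def parse_reg(text):
    """Yield (key, value_name, data) triples from .reg text, unescaping '\\\\'."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = VALUE_RE.match(line)
        if key and m:
            yield key, m.group(1), m.group(2).replace("\\\\", "\\")


def find_autoruns(text):
    """Return a list of (kind, key, value_name, data, suspicious) for autorun entries."""
    hits = []
    for key, name, data in parse_reg(text):
        if AUTORUN_KEY_RE.search(key):
            kind = "run"
        elif NOTIFY_KEY_RE.search(key) and name.lower() == "dllname":
            kind = "winlogon-notify-dll"
        else:
            continue
        lowered = data.lower()
        # Flag temp/profile locations, and notify DLLs that are not in system32.
        suspicious = any(d in lowered for d in SUSPICIOUS_DIRS) or (
            kind == "winlogon-notify-dll"
            and not lowered.startswith("c:\\windows\\system32\\"))
        hits.append((kind, key, name, data, suspicious))
    return hits


if __name__ == "__main__":
    for kind, key, name, data, flag in find_autoruns(SAMPLE_REG):
        print(f"{'!' if flag else ' '} {kind:20} {name:8} {data}")
```

    Run it against a real export made with `regedit /e` (or `reg export`) to get the same listing for a live machine; the heuristic only points at what to look at, and whichever entry is confirmed bad is what the block rule or removal should target.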
  2. Rico (Registered Member)

    Hi Topper, How about PG? How about Trojan Hunter? At least this is how I will hopefully avoid it.

    Take Care
    rico
  3. TopperID (Registered Member)

    Oh yes, that's true; but I was thinking more of a situation where a machine is already infected and you want to do something about it.

    For example, if you disable PG/RD to do an install and get more than you bargained for! Or else you are simply working on an infected machine that didn't have PG/RD at the time of infection.

    I just wondered how you could use RD to suppress a .dll trojan from making further changes to the Registry after you've got it on your comp.
  4. tuatara (Registered Member)

    I don't believe it is possible to stop a .dll from starting from PG.

    I tried to ALLOW Firefox to start, and to stop JAVA (dll) (started via Firefox) by PG
    (I know there are other ways to stop this, but this is just for testing).
    And whatever I did, I could not stop the Java .dll by PG.

    But perhaps I have overlooked something; otherwise it is just not possible.

    And I don't know if there are any other programs that allow you to
    select which <file>.dll can be started, and which are blacklisted or so.

    So if these Java dll file(s) are replaced by malware, OR you don't trust the files anymore, it is very difficult to stop them.

    Perhaps there is other software that can do this.
    It should be possible with Tiny Personal Firewall, but I am not sure
    and did not test it.
    Perhaps with tools like Prevx? or SSM?
  5. TopperID (Registered Member)

    Reading from what you are saying tuatara, I think the answer to my question is going to be that you have to block the 'process' into which the .dll has been injected, rather than the .dll itself.

    That seems logical I suppose!
  6. deviladovcate (Guest)

    Hmm, seems to me even in the "non-injected" form, I have never seen a dll request permission to change the registry in RegDefend...