process-injecting trojans

Hello,

I am shopping around for a trojan detection/removal application.

I downloaded the trial version of TDS yesterday and liked the ease of use and the many features. I am seriously considering purchasing TDS but before I make a final decision I have a question.

In my search for an "anti-trojan" application I noticed a claim at the "TrojanHunter" website and wanted to get a TDS perspective on this:

"This new version of TrojanHunter makes TrojanHunter the only trojan scanner on the market capable of cleaning process-injecting trojans"

Is this important? Does TDS perform the same or a similar task?

thanks in advance for your feedback,

Hipgnosis

 

Helo Hipgnosis & welcome, I am not familiar with TH's claimed capabilties TDS3 uses over 17 ways of detecting Trojans & has daily updates to it's database.
With the trial version you will have to get the radius file from here: http://tds.diamondcs.com.au/index.php?page=update and place it in your TDS3 main directory.
Also the trial version does not include "Execution protection" which is the resident part of TDS3.

I am sure that DCS will answer your question directly in a few hours as they are based in Perth, Australia and it is the middle of the night there

Some things to consider, A Trojan detection system with many useful scanning & Trojan hunting utilities, regular updates made by a dedicated team, scrpting / command line abilities, free upgrade to TDS4 & support which is second to none

HTH Pilli

 

Hi Hypgnosis,
Pilli mentioned already some terms, like the tools and scripting -- If you run XP/NT/2000 you can also add the free tools especially for those systems like the very advanced APM to inject yourself into processes, in the scripting to add extra functions (in the Private TDS registered operators only forum people work together on very fine scripts adding functions not thought of on internet as far as i'm informed) etc.
For the other technical details DCS will add their advices.
For me, since first install several years ago i never have been without TDS, WormGuard and recently Port Explorer, the three working very fine together on verious levels and each on their own special area.
TDS is so very strong in detection and protection and keeps us in the drivers seat.

 

I was asked this question recently, I believe that quote is BADLY worded. TDS can remove process injecting trojans, anyone can remove an injected DLL. It just doesnt AUTOMATICALLY remove it from the process it was injected into. TDS doesn't rely on techniques that are not yet perfect, it relies on you the user (ok and us, support )

The best way to remove them is from Safe Mode anyway, where the trojan is not live. Also, any DLL trojan uses an EXE (dropper) which can be deleted by TDS - on rebooting, the trojan will not go live again, and the DLL will also be deleted without any fuss.

Of course the most fun way, you can use APM (freeware) to unload the trojan DLL and then delete it too

However the other point still remains the most important - if the DROPPER is not detected, there is no point detecting the DLL. The user will reboot, the trojan DLL will be back, injected inside whatever process, and will need to be killed again.. and again..

 

>Of course the most fun way, you can use APM (freeware) to unload the trojan DLL and then delete it too

Not exactly. APM does a simple FreeLibrary inside the remote thread. This works in some cases - but not in all - especially not if you are infected with an DLL injecting backdoor like Beast 2.x for example.

You can only do a FreeLibrary if a DLL is not used by any thread anymore. So first you have to kill all threads that uses the DLL and THAN you can do a FreeLibrary.

 

Yes, the present version of APM just invokes FreeLibrary, it doesn't terminate the threads from the DLL yet but this is relatively easy to add and is on the To Do list, but we have other priorities.

 

I also wanted to mention like Andreas Haak that APM has unfortunately no chance actually against the Beast 2.01/2.02 winlogon dll injection trick.

APM and the whole system starts to freeze in that case this is very irritating!

 

We'll add a removal routine as soon as possible, for now reboot to Safe Mode to ensure removal, or just kill all droppers first and reboot DLL wont be loaded, delete

Remember this is still a better solution than any AV offers for removals. We have been researching this and other (worse) problems for quite some time and want perfect or near perfect clean removal in upcoming TDS products