Any good free trojan cleaners/detectors out there?

Discussion in 'other anti-trojan software' started by Slovak, Mar 9, 2004.

Thread Status:
Not open for further replies.
  1. ChrisP

    ChrisP Suspended Member

    Joined:
    Jun 6, 2003
    Posts:
    447
    Location:
    UK
    chameleon1

    Let's say, hypothetically (ahem!), that I followed your instructions and found that F-Secure did not detect the trojan (Tauscan and PestPatrol also failed).

    Let's also say, hypothetically, that I was a silly ba****d and managed to infect my PC!

    Let's also say that I was 99% sure I had SubSeven running on my PC, as BlackICE popped up an alert that SubSeven was sending out its ICQ alert (BI application protection not on and no baseline done - my own fault!) AND the demo warning flashed up from that packer you mentioned.

    Let's say all this, and the fact that right now F-Secure is running so slowly that I can't use it - HOW WOULD I GET RID OF SUBSEVEN FROM MY SYSTEM??
     
  2. chameleon1

    chameleon1 Guest

    Download TDS-3 trial version ... ;-))
     
  3. ChrisP

    ChrisP Suspended Member

    Joined:
    Jun 6, 2003
    Posts:
    447
    Location:
    UK
    I have. It finds SubSeven in memory (mutex, or whatever it is called) but finds nothing else, even with a full system scan - i.e. all it finds is evidence that the trojan is active, but it can't find the trojan itself.

    As I have said, when I reboot I get 2 warnings saying this file has been packed with xxxxx (which I assume is the trojan loading).

    F-Secure is not working - it runs so slowly, i.e. 4,000 files scanned in 3 hours.

    Tauscan finds nothing now also - but the little bug**r is running there in memory.

    Help!
     
  4. Slovak

    Slovak Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    515
    Location:
    Medina, Ohio
    I still say try ESS. I have been using it for a week or so now and it has not let me down yet. I always check, when and if it finds something, to make sure it is not a false positive before deleting, but so far I have had nothing but good results. Compare this to the price of TDS-3 and it can't be beat for the price :) I am not knocking TDS-3, just saying that for a freebie ESS can't be beat, IMHO.
     
  5. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,475
    Location:
    The Netherlands
    I presume you have at least downloaded the latest Radius. Apart from that: feel free to post screenshots to go with your statement.

    Disable System Restore and start up in the Safe Mode; perform a full system scan once more.

    A warning for all: don't mess with this kind of stuff, unless on a separate test system.

    Tauscan as it is will never be able to cope with issues like these.

    Those involved no doubt will try to do so. That said: I'm perplexed; why put your system at risk fooling around like this? No offense intended - but it surely does beat me.

    regards,

    paul
     
  6. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,475
    Location:
    The Netherlands
    No offense intended - but that's beside the point, apart from the fact that ESS is on-demand software: it will not prevent this from happening.

    regards.

    paul
     
  7. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    Totally agree - you cannot place your computer in the hands of a totally untested, nearly brand-new application.

    ewido, as of this moment, is only suitable as a "check-up" app - not a main-line defense.

    The same holds true for any untested anti-trojan app. Pete
     
  8. chameleon1

    chameleon1 Guest

    @ChrisP

    TDS-3 file scanner will find it (--> suspicious file: Borland debugger, Microsoft tag). TDS-3 mem scanner will find it (--> the alert window will show the name and the path of the trojan; moreover there is an option to kill the process and (!) delete the file).

    Finally, you can post a HijackThis log. It is really basic stuff to remove this trojan.
     
  9. 4A6F4A6F

    4A6F4A6F Registered Member

    Joined:
    Dec 23, 2003
    Posts:
    34
    Apropos TDS: does somebody know a command to clear the alarm console window section of TDS-3?
     
  10. ChrisP

    ChrisP Suspended Member

    Joined:
    Jun 6, 2003
    Posts:
    447
    Location:
    UK
    TrojanHunter finds the trojan in memory a few seconds after startup - it cleans it - but it is back when I restart.

    TDS will find it in memory:

        Live trojan found (in process memory): RAT.SubSeven 2.2
        File: C:\WINDOWS\System32\rphf.exe

    I have got TDS to delete it, and even done a full system scan - but it does not find the file you mention, and the trojan is there when I reboot.

    Spooky
     
  11. ChrisP

    ChrisP Suspended Member

    Joined:
    Jun 6, 2003
    Posts:
    447
    Location:
    UK
    I have managed to remove the trojan - by using Partition Magic to format the drive!

    I tried TDS, but although it found the trojan in memory and deleted the file itself, it was always running again on reboot.

    I tried TrojanHunter - this gave the same result, though it was faster and easier to use.

    I also tried Trojan Remover, Tauscan and PestPatrol - none of these even found it in memory.

    F-Secure would not run - only slowly - so I gave up.

    I tried TDS several times - even starting in safe mode - 5 times, with a full system scan, but no joy.

    I have learned several things from this:

    1) Never infect yourself with a modified trojan!

    2) F-Secure won't detect a trojan in memory - only the file itself - so if it is modified it may not find it....

    3) TDS and TrojanHunter have the advantage that they can detect trojans in memory.

    4) TDS and TH can't remove SubSeven 2.2 if it is repacked with XXXXX.

    5) Always do a baseline scan using BlackICE on a fresh install, as in my opinion this (on my system) is the only real security against trojans.

    6) BlackICE detected and identified the trojan - even without application protection running.

    7) It is too risky to run any unknown file - no software will protect you against a skilled hacker.

    8) Layered defense is important - as I say, in my normal setup only BI would have alerted me to the trojan being there.

    9) Never bugger about with trojans if you have not backed up your system using Acronis!!!!!! (4 hours to go to complete the install now)

    I may toy with the idea of buying TrojanHunter - even though it did not remove the infection, it did alert me and probably would in more cases than BI - possibly...!!!!!
     
  12. chameleon1

    chameleon1 Guest

    Hi Chris...

    the formatting was certainly not required. Moreover, you forgot to mention another important rule:

    Listen to me! ;-)

    1.
    I said: Use S7 2.15 not S7 2.2

    2.
    I said: Disable any autostart options when you configure the trojan. Apparently, you did not ;-)

    3.
    I said: Post a HijackThis log. You did not, but formatted your hard drive.

    But don't worry. Life is an endless adventure. And everybody will learn his lesson ... sooner or later. ;-)
     
  13. dangitall

    dangitall Registered Member

    Joined:
    Feb 23, 2004
    Posts:
    430
    Location:
    New Hamster, USA
    Yes, a layered defense system is important. I'm sorry that it took so much to bring you around to this realization -- but I will admit to having had a rather uncharitable giggle and snicker at your expense once you realized that you'd been nailed!

    Please, next time, don't be quite so quick to rear back on your haunches in defense of a position. Listen ... at least a little bit. I haven't found many fools or idiots here as yet, and many of us speak from hard-won experience. As 'tis said, ChrisP, live and learn. ;)
     
  14. Ailric

    Ailric Guest

    I did a test with one (yes only one) common trojan and here's what happened. I put the packed program in a zip file.

    Trojan name: Briss
    Packed program: start.exe
    Infected files: a.exe, bridge.dll

    I use Total Uninstall in safe mode on a test machine to clean out any files or registry entries added. I always triple check with a number of programs and do a search for all files added or modified within the last day and back up the registry.

    All programs are fully updated.

    My AV, F-Prot for Windows, found it only when it was installed. Too late. The new version (3.14e) finds it now before it's executed. Pass.

    AVG Free spots it immediately. - Pass
    Panda Titanium doesn't recognize it. - Fail
    KAV spots it, even in a zip file. - Pass
    NOD32 spots it before it's fully extracted. - Pass
    AdAware cleans it up. - Pass
    Tauscan doesn't recognize it. - Fail
    a2 doesn't recognize it. - Fail

    Disappointing for programs MADE to identify these kind of files.

    I trust KAV with extended definitions far more than any AT. Layered defense IS the only way to go.
     
  15. ecordle

    ecordle Registered Member

    Joined:
    Mar 12, 2004
    Posts:
    21
    Location:
    Scarva
    Hi Ailric

    Re:

        Disappointing for programs MADE to identify these kind of files.

        I trust KAV with extended definitions far more than any AT. Layered defense IS the only way to go.

    What do you recommend, and where can I find them??

    Thanks, Ed
     
  16. ChrisP

    ChrisP Suspended Member

    Joined:
    Jun 6, 2003
    Posts:
    447
    Location:
    UK
    The key point for me is that if I (and therefore any turkey) can repack SubSeven 2.2 with XXX, no AT/AV will remove it. I guess there are 1000s of trojans out there that are worse.

    Before anyone asks, yes I did update TDS and TH - but although they found the trojan in memory and also removed the file from wherever it was (can't remember right now), they did not remove whatever packed file was hiding - the one which started the trojan up again.

    All I can say again is I believe the only safety comes from taking a snapshot of your system - like with BI app protection - and/or never using any downloaded file.

    This is all a bit scary. I'm thinking to myself - if it had been packed with a non-evaluation packer that popped up a warning, just using F-Secure as I did (I only do a scan once a week if I'm lucky), then I would not have known I was infected (other than BlackICE warning me - but I guess other firewalls wouldn't have identified the trojan).

    I would be interested to know the following:

    Do you (chameleon1) think that the app protection of BI is useful in countering infections of this type?

    Know of any AT/AV which unpacks the XXXX you mentioned?

    Have any other ideas which would make my system safer?

    Know why it is that my arrogant, argumentative postings always stimulate such huge interest? (Just noticed the number of views this and my Tauscan one have had!!!)


    Respect to you all (within moderation)
     
  17. Ailric

    Ailric Guest

    Hi ecordle,

    The extended definitions for Kaspersky and discussion can be found in this article:

    [hr]
    Hi,
    Can you try to add a new address in the Updater:

    http://updates2.kaspersky-labs.com/updates_ext

    This should download the latest updates along with the additional updates.
    Or for the paranoid user:

    http://updates2.kaspersky-labs.com/updates_x/

    http://forums.useice.com/cgi-bin/ikonboard.cgi?s=3fefd57117b3ffff;act=ST;f=1;t=202
    [hr]
    I'm paranoid. ;)

    I purchased F-Prot for Windows for resident protection and KAV 3.5 for on-demand scanning. The combination of the F-Prot and KAV scanning engines along with a combined 190,000 definitions for all kinds of malware make me feel pretty safe. :rolleyes:
     
  18. ecordle

    ecordle Registered Member

    Joined:
    Mar 12, 2004
    Posts:
    21
    Location:
    Scarva
    Thanks Ailric :)

    This thread (and others) has me pretty paranoid too!!!! So, I'll take a look at your suggestions and just hope to stay one step ahead of the casual hacker.

    I guess it's a bit like thieves: you'll only ever stop the casual thief; if a thief wants to break in, he will!!

    Any info on good FREE trojan defense systems would be welcome!!

    Ed ;)
     
  19. chameleon1

    chameleon1 Guest

    @Chris

    I am almost certain that your problem had nothing to do with the packer. It seems to me that Sub7 2.2 simply created a "backup" server on your hard drive. After you removed the original server, the backup server was first copied and then started. (Just a guess.)

    You may try this again with an unpacked version of the trojan. Or better not ... ;-)

    In any case, a HijackThis log would have solved the problem, since it would have shown you the autostart entries of the server AND the backup server.

    Moreover, I wonder whether you have a program on your computer allowing you to control the execution of files. Many new firewalls, like Kerio 4, can do this. A system firewall like SSM can do even more.
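
    [Editor's added example - not code from the thread, from HijackThis, TDS or any other tool named here.] chameleon1's guess above and Ailric's "search for all files added or modified within the last day" (post 14) describe the same triage: after a scanner deletes the running server, look at what is still wired into the autostart locations, and at which of those targets are freshly written files. The script below models that offline. The one real item is the deleted path from ChrisP's TDS alert, C:\WINDOWS\System32\rphf.exe; the registry keys are real Windows autostart locations, but the entries, the value names (SystemTray, msrexe, SoundMan), the other file names (mxwsvc.exe, hk32.exe) and the disk snapshot are all constructed to illustrate the "backup server" theory, not taken from any real SubSeven sample.

```python
import re
from dataclasses import dataclass

# Real autostart locations that a HijackThis-style listing covers.
RUN_HKLM = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_HKCU = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
SHELL = r"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell"

# Constructed autostart snapshot: (key, value name, command line).
# Only rphf.exe comes from the thread; the other names are hypothetical.
AUTOSTART = [
    (RUN_HKLM, "SystemTray", r"C:\WINDOWS\System32\rphf.exe"),        # server TDS deleted
    (RUN_HKCU, "msrexe", r'"C:\WINDOWS\System32\mxwsvc.exe" -s'),      # hypothetical backup copy
    (SHELL, "Shell", r"Explorer.exe C:\WINDOWS\hk32.exe"),             # hypothetical chained launcher
    (RUN_HKLM, "SoundMan", r"C:\Program Files\Realtek\SoundMan.exe"),  # benign, unquoted path with a space
]

# Constructed disk snapshot taken after the scanner's delete: path -> days
# since last modification. rphf.exe is absent because it was removed.
DISK = {
    r"C:\WINDOWS\System32\mxwsvc.exe": 0,
    r"C:\WINDOWS\hk32.exe": 0,
    r"C:\WINDOWS\explorer.exe": 700,
    r"C:\Program Files\Realtek\SoundMan.exe": 400,
}

# A quoted path, or an unquoted drive path up to its first ".exe", or a bare name.
_EXE = re.compile(r'"([^"]*?\.exe)"|([A-Za-z]:\\[^"]*?\.exe|\S+\.exe)', re.IGNORECASE)


def executables(cmd):
    """Return every executable referenced by a command line. Handles quoted
    paths, unquoted paths containing spaces, and a Winlogon Shell value that
    chains a second binary after Explorer.exe."""
    return [quoted or unquoted for quoted, unquoted in _EXE.findall(cmd)]


def resolve(exe, disk):
    """Map an executable reference to its disk entry, case-insensitively.
    A bare name (Explorer.exe) is matched by file name, as the loader's
    search path would. Returns None for a dangling reference."""
    lower = {path.lower(): path for path in disk}
    if exe.lower() in lower:
        return lower[exe.lower()]
    if "\\" not in exe:
        for low, original in lower.items():
            if low.rsplit("\\", 1)[-1] == exe.lower():
                return original
    return None


@dataclass
class Finding:
    key: str
    name: str
    exe: str
    status: str  # "missing" | "present-recent" | "present-old"


def triage(entries, disk, recent_days=1):
    """Classify each autostart target. 'missing' is a dangling entry (the file
    a scanner already deleted, which still names the original server);
    'present-recent' is a binary written within recent_days, i.e. the kind of
    backup copy that deleting only the running file leaves behind."""
    findings = []
    for key, name, cmd in entries:
        for exe in executables(cmd):
            path = resolve(exe, disk)
            if path is None:
                status = "missing"
            elif disk[path] <= recent_days:
                status = "present-recent"
            else:
                status = "present-old"
            findings.append(Finding(key, name, exe, status))
    return findings


def suspects(findings):
    """Entries to check and strip before rebooting: dangling ones and fresh
    binaries launched from an autostart location."""
    return [f for f in findings if f.status != "present-old"]


if __name__ == "__main__":
    for f in triage(AUTOSTART, DISK):
        print(f"{f.status:15} {f.key}\\{f.name} -> {f.exe}")
```

    Run against the constructed snapshot, the dangling SystemTray entry still points at the deleted rphf.exe, while msrexe and the extra binary on the Shell value point at files written today; those two are what would relaunch on the next boot, which is the case a delete-the-running-file cleanup never sees. The file-age check is only a heuristic: a server that resets its timestamps, or one dropped weeks earlier, would show as "present-old", so the autostart listing, not the age, is the thing to read.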
     
  20. dangitall

    dangitall Registered Member

    Joined:
    Feb 23, 2004
    Posts:
    430
    Location:
    New Hamster, USA
    Possibly because arrogant argumentation catches people's attention and some, such as I, just can't let that go by without demonstrating that we're just as arrogant and argumentative! ;)
     
  21. Slovak

    Slovak Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    515
    Location:
    Medina, Ohio
    WOW ! :cool: I asked for a simple free trojan cleaner and it turns into an 8 page debate on what is best and why.
     
  22. dangitall

    dangitall Registered Member

    Joined:
    Feb 23, 2004
    Posts:
    430
    Location:
    New Hamster, USA
    You've really got to watch what you ask around here! And, for having turned such a seemingly simple question into a raging debate, your first cookie is on me!
     
  23. illukka

    illukka Spyware Fighter

    Joined:
    Jun 23, 2003
    Posts:
    633
    Location:
    S.A.V.O
    Well, who edited the server, and which startup method did you choose?

    Sub7 is the one with a master password, so I'd suggest caution with it.. ChrisP, be glad that you didn't choose a rootkit as the test server... LOL
     
  24. inane

    inane Registered Member

    Joined:
    Apr 27, 2004
    Posts:
    1
    Hi all, new to this site, and yes it is because I have / had a trojan using the executable access[1].exe which tries to hijack my browsers. This little thing came with trojan adclicker, trojan downloader and a couple more. Think I am almost free of it, and I am not firewalled up to the hilt as well as my normal A/V.

    Read this and decided to get the Ewido program as well (already have Ad-Aware). One question though. When I run Ewido, if it detects a trojan you can clean it, but on the analysis there is a list of about 20 things that it can't read, like
    localservice\ntuser.dat.log.
    I know half of these aren't bad - but do I need to worry about them not being readable?

    Cheers
     
  25. jta

    jta Guest

    A² is pretty good for a free anti-trojan. In fact it was previously known as Anti-Trojan and was payware; now it's freeware, and good for the community to protect itself.
     