How do you block a .dll trojan?

Discussion in 'Ghost Security Suite (GSS)' started by TopperID, Oct 7, 2005.

Thread Status:
Not open for further replies.
  1. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    Supposing you want to create Application Rules to prevent a piece of malware on your system from making any changes to your Registry; I assume you would create a Group for the malware and include the keys:

    HKEY_CLASSES_ROOT\**
    HKEY_CURRENT_USER\**
    HKEY_LOCAL_MACHINE\**
    HKEY_USERS\**
    HKEY_CURRENT_CONFIG\**

    and then, for each key, tick all the 'event' boxes and select 'block'.

    But supposing you had a .dll trojan on your system, which had injected itself into, for example, Winlogon.exe; would you create the Group around Winlogon (and hence block that) or would you give the file path of the .dll trojan and block it directly?

    I'm thinking of a situation where a .dll trojan is acting in tandem with another trojan .exe file which gets placed as an autorun in the Registry, and you want to stop it running next reboot.

    Does anyone know whether you should be blocking the .dll itself or the legitimate .exe system file it has been injected into?
     
  2. Rico

    Rico Registered Member

    Joined:
    Aug 19, 2004
    Posts:
    2,318
    Location:
    Canada
    Hi Topper, how about PG? How about Trojan Hunter? At least this is how I will hopefully avoid it.

    Take Care
    rico
     
  3. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    Oh yes, that's true; but I was thinking more of a situation where a machine is already infected and you want to do something about it.

    For example, if you disable PG/RD to do an install and get more than you bargained for! Or else you are simply working on an infected machine that didn't have PG/RD at the time of infection.

    I just wondered how you could use RD to suppress a .dll trojan from making further changes to the Registry after you've got it on your comp.
     
  4. tuatara

    tuatara Registered Member

    Joined:
    Apr 7, 2004
    Posts:
    778
    I don't believe it is possible to stop a .dll from starting from PG.

    I tried to ALLOW Firefox to start, and to stop JAVA (dll) (started via Firefox) by PG
    (I know there are other ways to stop this, but this is just for testing).
    And whatever I did, I could not stop the Java .dll by PG.

    But perhaps I have overlooked something; otherwise it is just not possible.

    And I don't know if there are any other programs that allow you to select which <file>.dll can be started, and which are blacklisted or so.

    So if these Java dll file(s) are replaced by malware, OR you don't trust the files anymore, it is very difficult to stop them.

    Perhaps there is other software that can do this.
    It should be possible with Tiny Personal Firewall, but I am not sure and did not test it.
    Perhaps with tools like Prevx? or SSM?
     
  5. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    Reading from what you are saying tuatara, I think the answer to my question is going to be that you have to block the 'process' into which the .dll has been injected, rather than the .dll itself.

    That seems logical I suppose!
     
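    The conclusion above, that the injected .dll acts under the identity of its host process, is also what makes the host process the place to look when hunting for the .dll. The following is an added example, not something from this thread or from the Ghost Security products: an elevated PowerShell check that lists every module loaded into winlogon.exe that lives outside %SystemRoot% or does not carry a valid Authenticode signature. The function name Get-SuspectModule and the two filter criteria are this example's own choices.

```powershell
# Added example (not from the thread): enumerate DLLs loaded into winlogon.exe
# and report those outside %SystemRoot% or without a valid Authenticode signature.
# Run from an elevated PowerShell; reading winlogon.exe's module list fails
# without administrative rights. Function name and criteria are assumptions.
function Get-SuspectModule {
    param(
        [string]$ProcessName = 'winlogon'
    )
    $systemRoot = $env:SystemRoot.TrimEnd('\')
    foreach ($proc in Get-Process -Name $ProcessName -ErrorAction Stop) {
        foreach ($mod in $proc.Modules) {
            $path = $mod.FileName
            # Location check: Winlogon's legitimate modules live under %SystemRoot%.
            $outsideSystemRoot = -not $path.StartsWith(
                $systemRoot, [System.StringComparison]::OrdinalIgnoreCase)
            # Signature check: an unsigned or tampered image inside this process
            # is a lead. Catalog-signed OS files only show 'Valid' on Windows
            # versions whose signature check consults the catalog.
            $sig = Get-AuthenticodeSignature -FilePath $path
            $badSignature = $sig.Status -ne 'Valid'
            if ($outsideSystemRoot -or $badSignature) {
                [PSCustomObject]@{
                    Process           = $proc.ProcessName
                    PID               = $proc.Id
                    Module            = $mod.ModuleName
                    Path              = $path
                    SignatureStatus   = $sig.Status
                    OutsideSystemRoot = $outsideSystemRoot
                }
            }
        }
    }
}

# Usage: review anything listed here before writing a block rule around the host.
Get-SuspectModule | Format-Table -AutoSize
```

A module that shows up here is the path you would feed to a file-based rule, while the Registry events themselves will still be attributed to winlogon.exe.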
  6. Hmm, seems to me even in the "non-injected" form, I have never seen a dll request permission to change the registry in RegDefend...
     