Invisible trojan/virus

I'm curious if anybody has any input on these little critters:

On a Win98SE box, I discovered some hidden executables and DLL files in the Windows and Windows/System folders: LIDAJ.DLL, DRV2CLTR.DLL, CSVAA.EXE, RNSDIN.EXE. All installed within the past 2 days.

I was alerted by an attempt for Internet Explorer to connect (on its own) to an IP address in a 3rd world European country. I also started getting Windows Security Center alert popups, which is absurd on a Win98SE platform. I now knew something had been dropped into my system, but searching for suspicious open ports showed nothing. Scanning with Trend Micro Online showed nothing. AdAwareSE showed nothing unusual. SpybotS&D timed out and stalled twice for the first time ever (currently attempting to reinstall and initiate). Symantec showed a LIDAJ.DLL virus file which could not be seen in native Windows mode; it only showed up in regular boot-level DOS. Panda scan showed the same file plus an infected Registry Start/Run key infection regarding TaskMonitor and ScanRegistry call statements, possibly infected by Backdoor trojan variants. These keys have since been nulled to prevent their startup. One final hope, HJT, showed absolutely nothing abnormal as compared to log histories for the past year (HJT version was updated today).

Now the funny part: nulling the TaskMonitor and ScanRegistry call keys stopped the popups. Digging by hand through Windows root folders I found a RDT.INI file flagged with random casino, viagra, etc. URL call statements and quarantined it. Hiding Windows and System folders from native Windows is not an easy trick to do. Somebody posted that Microsoft made this feature possible to prevent average users from fully deleting their caches/histories. Fine, no big deal, we've all known that for years now. But moving hidden ( +s[ecret] ) files out of the Windows main directory should make them visible. These virus/trojan files listed above remain completely invisible except in boot-level DOS mode. Not easy to do, and difficult for most scanners to detect (as noted above). My >.EXE< hacker program doesn't run from DOS mode, only native GUI Windows, so I can't break it down to code level. The DLLs are editable in DOS but are completely binary.

Does anybody have any references/info about hiding virus files and trojans completely from native Windows, and is there a DOS-level editor for EXE files? The hosting companies for the target URLs of these strains all center from the country of Estonia (ESTHOST.COM). I'm going to clean the files eventually, but I want to preserve them first and later submit to Symantec for definition file updates. I believe they are mostly re-arranged client/server trojan programs that evade all but certain heuristic smart scannings. Any thoughts or help appreciated. Logs available upon request.

-the CPUhatchery
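As an added example that is not part of the original post: the cross-view comparison the poster did by hand (a boot-level DOS listing against what the running OS enumerates), scripted, plus a check of which Run-key values launch the files only the offline view shows. The listings, the .reg fragment and the TaskMonitor command line are constructed samples; only the file and value names come from the post.

```python
import re

# Constructed sample (not from the post): a boot-level DOS `dir /a` of C:\WINDOWS\SYSTEM.
OFFLINE_LISTING = r"""
 Directory of C:\WINDOWS\SYSTEM
KERNEL32 DLL       471,040  05-11-99  10:22p KERNEL32.DLL
USER32   DLL        44,544  05-11-99  10:22p USER32.DLL
LIDAJ    DLL        28,672  03-02-05   1:14a LIDAJ.DLL
CSVAA    EXE        36,864  03-02-05   1:14a CSVAA.EXE
        4 file(s)        581,120 bytes
"""
# Constructed: the same folder as enumerated from inside the running OS.
ONLINE_LISTING = ["kernel32.dll", "user32.dll"]
# Constructed .reg export of the Run key; TaskMonitor pointing at the hidden
# file is a hypothetical hijack, not a value taken from the post.
RUN_KEY_EXPORT = r"""
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"TaskMonitor"="C:\\WINDOWS\\SYSTEM\\CSVAA.EXE"
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"""

DOS_ENTRY = re.compile(r"\d\d-\d\d-\d\d\s+\d{1,2}:\d\d[ap]\s+(\S+)$")  # date time name
REG_VALUE = re.compile(r'^"([^"]+)"="(.*)"$')  # "Name"="data"

def parse_dos_dir(text):
    """Upper-cased file names from a DOS `dir` listing, directories skipped."""
    names = set()
    for line in text.splitlines():
        m = DOS_ENTRY.search(line)
        if m and "<DIR>" not in line:
            names.add(m.group(1).upper())
    return names

def cross_view_diff(offline_text, online_names):
    """Files the offline view shows but the running OS does not enumerate."""
    return sorted(parse_dos_dir(offline_text) - {n.upper() for n in online_names})

def autostart_references(reg_export, hidden_names):
    """Run-key values whose command line launches one of the hidden files."""
    hits = {}
    for line in reg_export.splitlines():
        m = REG_VALUE.match(line)
        if m:
            value, cmd = m.group(1), m.group(2).upper()
            for name in hidden_names:
                if name.upper() in cmd:
                    hits[value] = name.upper()
    return hits

if __name__ == "__main__":
    print(autostart_references(RUN_KEY_EXPORT, cross_view_diff(OFFLINE_LISTING, ONLINE_LISTING)))
```

Anything the offline listing shows that the running OS cannot enumerate is exactly what signature scanners run from inside Windows will miss, which is why the comparison has to be made from a clean boot.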