Trojan Randon and Redlof

Discussion in 'Trojan Defence Suite' started by Gonzalo, Dec 22, 2003.

Thread Status:
Not open for further replies.
  1. Gonzalo

    Gonzalo Guest

    Troyan Explore detects two trojans on my system that are difficult to delete:
    Randon: C:\WINDOWS\SYSTEM\TEMP
    Redlof: C:\WINDOWS\SYSTEM\KERNEL.DLL

    Could somebody help me?
    Greetings
     
  2. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hello Gonzalo and welcome
    You mean you scanned with TDS and TDS found them or do you mean another function?

    I don't have a windows\system\temp so not sure what is stored there on your system;
    in my windows\temp there are files which in most cases should be removable without problems. Unfortunately it's an irritating habit of too many program installers to put necessary (un)install files there, causing uninstall problems when we delete them.

    If you look at the kernel.dll file - properties, is there an unknown modification date on it? The kernel32.dll for instance most probably has the date of your software or close to that, kernel.dll depends on......
    Which windows version are you running?

    If you don't trust them, try to zip a copy of them and send it to the TDS lab:
    submit@diamondcs.com.au and wait for a reply.
     
  3. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Simply don't panic, KERNEL32.DLL is obviously not a danger. It is a system file. It cannot be replaced or Windows would not run :)

    Email the vendor and ask for their reason, the scanner must be using a simple method of fingerprinting. The file kernel32.dll doesn't have any similar makeup (or code I would expect) as the detected trojan, they are completely different.

    Now that I think back, Redlof is a VBS script! You can't get any further apart than a VBS trojan and the Windows Kernel DLL!
     
  4. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Gavin, I have kernel32.dll, kernel3B.dll and kernel.dll,
    all three, so I wonder about the kernel.dll Gonzalo is talking about too.
    My kernel.dll is just 28 kb and is of a later date than kernel32.dll (and clean of course); the 3B intrigues me as it is just as big as the 32, only two years younger, and the specs name it kernel32 -- guess it came with some security update or o_O
    This is on a win98 system.

    Hope to see Gonzalo's answer back soon too.
     
  5. Gonzalo

    Gonzalo Guest

    Hello, thanks for your advice. The anti-trojan lines I detailed are
    reported by the program Troyan Explore (Troyan Explore 3,94 -
    www.troyan.tk - info@troyan.tk (c) 2003 Buenos Aires Systems), and it
    indicates that I have those two trojans, which are difficult to eliminate.
    I have Windows 98.
    Greetings
     
  6. StAnger

    StAnger Registered Member

    Joined:
    Jun 8, 2003
    Posts:
    84
    In that case you came to the right place for a decent second opinion. ;) Download TDS-3 from http://tds.diamondcs.com.au/index.php?page=download
    and update it following the instructions here:
    http://tds.diamondcs.com.au/index.php?page=update
    Then click System Testing > Full System scan.
    Have it remove everything it gives you a positive identification of.
     
  7. Tuulilapsi

    Tuulilapsi Registered Member

    Joined:
    Dec 8, 2002
    Posts:
    53
    So am I the only one who has never seen a legit kernel.dll? :eek: :eek: :eek:
     
  8. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Explain, Tuulilapsi, please? I have a kernel.dll of 28kb too, without any problems, besides the other two, which seems very legal. Win98, it might have come with a security update. I'm more surprised about the kernel3B.dll.
    I remember having seen a TDS alert for a changed kernel32.dll which might have come with another update, not sure, and I think I remember I replaced it with the original from the Windows CD-ROM; after that I did some updates/upgrades again and the kernel32.dll was not overwritten with something newer, so I left it that way.
    I don't dare to replace them back, to maybe be left with a lot of trouble.


    For the other advice, thanks for posting the exact links and update plus scan instructions:
    one thing: I would NOT immediately delete everything TDS alerts as positive on; it depends on what it is, so please ask advice in the forum here first.
    Looking forward to your experiences, hoping you're clean!

    Discussions and information about the other program can be posted in the Wilders forum in "other security software".
     
  9. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Jooske, Could the kernel3B.dll "b" mean that it is a backup? Or an old version that was renamed? ;)
     
  10. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    That's what i guess, as that was the newer date from 2001 which was replaced with the original from 1999.


    Found a good description for Randon here
    and Redlof here
     
  11. Vietnam Vet

    Vietnam Vet Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    306
    Hi Jooske,

    FYI

    There is no kernel.dll existing on my 98SE system. The kernel32.dll is the windows system file with a time stamp of 4/23/99, and is 460kb on this system.

    "Kernel.dll: Added as a result of the REDLOF.M VIRUS!" is the listing from the Startup Applications List found at:

    http://www.sysinfo.org/startuplist.php
     
  12. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    My kernel.dll of 28kb came in 2001, while Redlof was discovered in 2002 and its size is 11,160 bytes; but it's sent for investigation to the TDS lab, so we'll hear some day about it.
    I remember around that date there was a major security update, so it might have been part of that or might have come with another program using it.
    Till now I didn't see which, what, where, when.

    www.avp.ru online virus scan
    Current object: kernel.dll


    kernel.dll Ok

    Statistics:

    --------------------------------------------------------------------------------
    Known viruses: 79820 Updated: 23.12.2003
    File size (Kb): 28 Scan time: 00:00:01
    Speed (Kb/sec): 29 Virus bodies: 0
    Archives: 0 Packed: 0
    Folders: 0 Files: 1
    Suspicious: 0 Warnings: 0

    As far as I could read the file, nothing suspicious either, nor are the other effects of Redlof, like the increasing size of all kinds of files, there, nor other files or registry keys, whatever could have been signs.
    Windows system update history has several around that date, so hard to tell...
    I see more descriptions of it, among others as a WinNT API file, and here in a screen capture program, and in more cases a necessary file; it might include different things on various systems.
    So I would most certainly NOT delete it if all the other Redlof signs are not around.


    If you did already delete it, here you can get a new one:
     
  13. Vietnam Vet

    Vietnam Vet Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    306
    Hi,

    Hope everything turns out OK with the kernel.dll file on your system. Since I use 98SE and don't have the file, I just wanted you to know. Good luck.
     
  14. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Yes, there are more applications using or installing it, so I don't worry, as all the other specific infection things are not there either. A simple Google for the filename showed the legal WinNT API file and the graphics thing and several more, as well as a place I just posted to d/l a legal copy if you need it.
    But so much depends on what you have on your system.

    If a scanner would only think of filenames and react on the name combined with Redlof without actually scanning the code, it would be a very unconvincing detection and I would dump the scanner immediately or just use it as a second opinion without having it delete anything at all.
     
  15. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    The file submitted is OK, it's a simple IO DLL. It could be used by any program, legit or malware. Just WHAT uses it is uncertain :)

    Gonzalo, can you post your ASViewer results please ? Run ASViewer below, tick these menu options
    Show Drivers
    Show Services
    Show Active Setup Components

    Save and email the log please? I'd PM you an email address but you aren't registered. Use submitviruses@yahoo.com.au or post the log here :)
     
  16. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    I see on that same creation date on my system AntiCrash which was uninstalled long time ago and an AVP major update, so it might have been in one of those legal programs.
    Checking the dll deeper with Faber Toys doesn't give me clues either.
     
  17. Gonzalo

    Gonzalo Guest

    Hello to all, thanks for your interest. Excuse the delay; it is because of the holidays. Jooske: I have scanned the file kernel.dll with the www.avp.ru online virus scan and it gives me the same result as you, that is
    to say, OK. With TDS it does not report any trojan; both trojans are reported by Troyan Explore 3,94, which shows me the following:

    Randon
    C:\WINDOWS\SYSTEM\TEMP
    Redlof
    C:\WINDOWS\SYSTEM\KERNEL.DLL
    The interpretation and use of the present report are under exclusive
    responsibility of the users. Troyan Explore 3,94 - www.troyan.tk -
    info@troyan.tk (C)2003 Buenos Aires Systems

    I use Windows 98. Windows Explorer shows the folder C:\WINDOWS\SYSTEM\TEMP
    as empty. In C:\WINDOWS\SYSTEM\ I have KERNEL.DLL, 28 K, 2/06/2000, and Kernell32.dll, 468 k, 5/5/98. Among the running programs is Kernell32.

    Gavin: I do not know how to do what you asked of me: "post your ASViewer results please? Run ASViewer below, tick these menu options
    Show Drivers
    Show Services
    Show Active Setup Components". Can you explain to me how to do it? Thanks and
    greetings to everybody.
     
  18. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Hi

    Can you just send me the file kernel.dll? I suggest sending it to the developers of that program to help them, and telling them about the other trojan.

    The other trojan uses names like TEMP sometimes, but there can't be both a file and a folder in there called TEMP. So if it's a folder, and EMPTY, then it looks like a false alarm.
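    Gavin's two plausibility checks above (a VBS script cannot be the same thing as a PE DLL, and a trojan file cannot be an empty folder) as an added Python triage example; this is not code from the thread or from any product named in it, and the files it builds are constructed stand-ins, not the real KERNEL.DLL or TEMP folder.

```python
import os
import struct
import tempfile

def is_pe_image(path):
    """True if the file has an MZ header pointing at a valid PE signature."""
    with open(path, "rb") as fh:
        head = fh.read(0x40)
        if len(head) < 0x40 or head[:2] != b"MZ":
            return False
        (pe_off,) = struct.unpack_from("<I", head, 0x3C)  # e_lfanew
        fh.seek(pe_off)
        return fh.read(4) == b"PE\x00\x00"

def looks_like_script(path, probe=512):
    """True if the leading bytes are plain text, as a VBS script would be."""
    with open(path, "rb") as fh:
        chunk = fh.read(probe)
    printable = sum(b in b"\t\r\n" or 32 <= b < 127 for b in chunk)
    return bool(chunk) and printable / len(chunk) > 0.95

def triage(path, expect=None):
    """'missing', 'folder', 'consistent' or 'mismatch'; expect is 'script' or 'pe'."""
    if not os.path.exists(path):
        return "missing"
    if os.path.isdir(path):
        return "folder"  # a trojan file cannot be a directory, empty or not
    if expect == "script":
        ok = looks_like_script(path) and not is_pe_image(path)
    elif expect == "pe":
        ok = is_pe_image(path)
    else:
        return "consistent"  # expected form unknown: nothing to contradict
    return "consistent" if ok else "mismatch"

def demo():
    """Constructed stand-ins for the thread's two hits (sample data, not real files)."""
    root = tempfile.mkdtemp()
    os.mkdir(os.path.join(root, "TEMP"))  # empty folder, as Gonzalo found it
    dll = os.path.join(root, "KERNEL.DLL")
    hdr = bytearray(b"MZ" + b"\0" * 0x7E)  # minimal DOS stub, PE header at 0x80
    struct.pack_into("<I", hdr, 0x3C, 0x80)
    with open(dll, "wb") as fh:
        fh.write(bytes(hdr) + b"PE\x00\x00" + b"\0" * 200)
    vbs = os.path.join(root, "sample.vbs")
    with open(vbs, "w") as fh:
        fh.write('MsgBox "constructed sample"\r\n')
    return {"Randon @ TEMP": triage(os.path.join(root, "TEMP")),
            "Redlof @ KERNEL.DLL": triage(dll, "script"),
            "Redlof @ sample.vbs": triage(vbs, "script")}
```

    A "folder" or "mismatch" verdict means the hit cannot be what the scanner names it, which is the false-alarm pattern discussed in this thread; "consistent" only means the form fits and still needs a real scan of the content.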
     
  19. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    For the AutoStartViewer you should go to the DCS site www.diamondcs.com.au, products, and get the tool from the free tools part; d/l and unzip it, and further, as instructed, tick all options and have the display saved to a log or txt, and that txt file you can post.
    You might get amazed how much there is in the autostart or trying to be there!
     