Trojan Randon and Redlof

The Troyan Explore detects two troyanos to me of dificil delete:
Randon C:\WINDOWS\SYSTEM\TEMP
Redlof
C:\WINDOWS\SYSTEM\KERNEL.DLL

¿Somebody could help me?
Greetings

 

Hello Gonzalo and welcome
You mean you scanned with TDS and TDS found them or do you mean another function?

I don't have a windows\system\temp so not sure what is stored there on your system;
in my windows\temp are files which in most cases should able to be removed without problems. Unfortunately it's an irritating habit of too many programs installers to put necessary (un)install files there, causing uninstall problems when we did delete them.

If you look at the kernel.dll file - properties, is there an unknown modification date on it? The kernel32.dll for instance most probably has the date of your software or close to that, kernel.dll depends on......
Which windows version are you running?

If you don't trust them, try to zip a copy of them and send it to the TDS lab:
submit@diamondcs.com.au and wait for a reply.

 

Simply dont panic, KERNEL32.DLL is obviously not a danger. It is a system file. It cannot be replaced or Windows would not run

Email the vendor and ask for their reason, the scanner must be using a simple method of fingerprinting. The file kernel32.dll doesn't have any similar makeup (or code I would expect) as the detected trojan, they are completely different.

Now that I think back, Redlof is a VBS script ! You cant get any more far apart between a VBS trojan and the Windows Kernel DLL !

 

Gavin, i have kernel32.dll, kernel3B.dll and kernel.dll
all three so i wonder about the kernel.dll Gonzalo is talking about too.
My kernel.dll is just 28 kb and is of a later date then kernel32.dll (and clean of course), the 3B intrigues me as it is just as big as the 32 only two years younger and the specs name it kernel32 --guess it came with some security update or
This is on a win98 system.

Hope to see Gonzalo's answer back soon too.

 

Hello, thanks for your advice, the antitroyanos lines that I detail
it indicates the program Troyan Explore (Troyan Explore 3,94 -
www.troyan.tk - info@troyan.tk (c) 2003 Buenos Aires Systems) and
indicate to me that I have those two troyanos of dificil elimination.
I have the Windows 98.
Greetings

 

In that case you came to the right place for a decent second opinion. Download TDS-3 from http://tds.diamondcs.com.au/index.php?page=download
and update it following the instructions here:
http://tds.diamondcs.com.au/index.php?page=update
Then click System Testing > Full System scan.
Have it remove everything it gives you a positive identification of.

 

So am I the only one who has never seen a legit kernel.dll?

 

Explain Tuulilapsi please? I have kernel.dll of 28kb too without any problems besides the other two, which seems very legal. Win98, it might have come with a security update. I'm more surprised about the kernel3B.dll.
I remember ever have seen a TDS alert for a changed kernel32.dll which might have come with another update, not sure, and i think to remember i replaced it with the original from the windows cd-rom, after did some updates/grades again and the kernel32.dll was not overwritten with something newer, so i left it that way.
Don't dare to replace them back to maybe be left with a lot of trouble.


For the other advice, thanks for posting the exact links and update plus scan instructions:
one thing: i would NOT immediately delete everything TDS alerts as positive on, depends on what it is and so please ask advice in the forum here first.
Looking forward to your experiences, hoping you're clean!

Discussions and information about the other program can be posted in the Wilders forum in "other security software".

 

Jooske, Could the kernel3B.dll "b" mean that it is a backup? Or an old version that was renamed?

 

That's what i guess, as that was the newer date from 2001 which was replaced with the original from 1999.


Found a good description for Randon here
and Redlof here

 

Hi Jooske,

FYI

There is no kernel.dll existing on my 98SE system. The kernel32.dll is the windows system file with a time stamp of 4/23/99, and is 460kb on this system.

Kernel.dll Added as a result of the REDLOF.M VIRUS! is the listing from the Startup Applications List found at:

http://www.sysinfo.org/startuplist.php

 

my kernel.dll 28kb came in 2001, while the redlof was discovered in 2002 and size 11,160 bytes; but it's sent for investigation to TDS lab, so we'll hear some day about it.
I remember around the date it gave a major security update so it might have been part of that or might have come with another program using it.
Till now didn't see which what where when.

www.avp.ru online virus scan
Current object: kernel.dll


kernel.dll Ok

Statistics:

--------------------------------------------------------------------------------
Known viruses: 79820 Updated: 23.12.2003
File size (Kb): 28 Scan time: 00:00:01
Speed (Kb/sec): 29 Virus bodies: 0
Archives: 0 Packed: 0
Folders: 0 Files: 1
Suspicious: 0 Warnings: 0

As far as i could read the file nothing suspicious either, nor the other effects of redlof like increasing size of all kinds of files is there, nor other files or registry keys whatever could have been signs.
Windows system update history has several around that date so hard to tell...
I see more descriptions of it, among others as a winNT API file, and here in a screen capture program, and in more cases a necessary file; it might include different things on various systems.
So i would most certainly NOT delete it if all the other redlof signs are not around.


If you did already delete it, here you can get a new one:

 

Hi,

Hope everything turns out OK with the kernel.dll file on your system. Since I use 98SE and don't have the file, I just wanted you to know. Good luck.

 

Yes, there are more applications using or installing it so i don't worry, as all the other specific infection things are not there either. A simple google for the filename learned the leagal WinNT API fill and the graphics thing and several more, as well as a place i just posted to d/l a legal copy if you need it.
But so much depends on what you have on your system.

If a scanner would only think of filenames and react on the name combined with redlof without actually scanning the code it would be a very unconvincing detection and i would dump the scanner immediately or just use it as a second opinion without having it deleting anything at all.

 

The file submitted is ok, its a simple IO DLL.. it could be used by any program legit or malware. Just WHAT uses it is uncertain

Gonzalo, can you post your ASViewer results please ? Run ASViewer below, tick these menu options
Show Drivers
Show Services
Show Active Setup Components

Save and email the log please ? I'd PM you an email address but you arent registered. Use submitviruses@yahoo.com.au or post the log here

 

I see on that same creation date on my system AntiCrash which was uninstalled long time ago and an AVP major update, so it might have been in one of those legal programs.
Checking the dll deeper with Faber Toys doesn't give me clues either.

 

Hello to all, thanks for yours interest. You excuse the delay is that they are celebrations. Jooske: I have scanned the file kernel.dll in www.avp.ru online virus scan and it gives me just like to you, it is
to say well. With TDS it does not give any trojan, both trojans to me indicates the Troyan Explore 3,94 that it indicates the following thing to me:

Randon
C:\WINDOWS\SYSTEM\TEMP
Redlof
C:\WINDOWS\SYSTEM\KERNEL.DLL
The interpretation and use of the present report are under exclusive
responsibility of the users. Troyan Explore 3,94 - www.troyan.tk -
info@troyan.tk (C)2003 Buenos Aires Systems

I use the Windows 98. In folder C:\WINDOWS\SYSTEM\TEMP with the
explorer of the Windows gives to the folder empty. In the C:\WINDOWS\SYSTEM \ I have KERNEL.DLL with 28 K 2/06/2000. And Kernell32.dll with 468 k 5/5/98. Like programs runnig it is the Kernell32.

Gavin: I do not know like doing what you request to me:“post your ASViewer results please ? Run ASViewer below, tick these menu options
Show Drivers
Show Services
Show Active Setup Components” ‚ Can you explain to me like doing it? Thanks and
greetings to every body.

 

Hi

Can you just send me the file kernel.dll ? I suggest sending it to the developers of that program to help them, and telling them about the other trojan.

The other trojan uses names like TEMP sometimes, but there cant be a file and a folder both in there called TEMP. So if its an folder, EMPTY, then it looks like a false alarm.

 

For the AutoStartViewer yuou should go to the DCS site www.diamondcs.com.au products and get the tool from the free tools part, d/l and upzip it, and further as instructed to tick all options and have the display , save to log or txt and that txt file you can post.
You might get amazed how much there is in the autostart or trying to be there!