hi dan,
here are 3 possible trojans that may be affecting your machine.
for more info go to www.thepublicworks.com and click on links:
simovits consulting, dark-e, dalantec, trojan remover
you may also want to do a free port and trojan scan at pcflank.com and download from wilders.org a free 30 day trial of trojan hunter and scan your machine......
Darksun
Aliases: Trojan/Darksun,
Ports:
Files: Kernel32.exe - Sysexplr.exe -
Created:
Requires:
Actions: Remote Access
Versions:
Registers: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\ HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\ HKEY_LOCAL_MACHINE\Software\Classes\txtfile\Shell\Open\command
Notes:
Country:
Program:
Hooker
Aliases: Win32.PSW.Hooker, Trojan.PSW.Hooker, PWS.Hooker, DUNpws.bo,
Ports: 80
Files: Hooker24sour.zip - 94,272 bytes Hooker2.4.zip - 93,785 bytes Hooker2.5.zip - 133,209 bytes Hooker2.52.zip - 28,799 bytes Hooker.exe - 15,982 bytes Hooker.exe - 21,504 bytes Hooker.exe - 38,912 bytes Hooker.dat - 21,504 bytes Hconf.exe - 8,192 bytes Hoconf.exe - 59,392 bytes Hooconf.exe - 90,107 bytes Hconf.ini - 3,072 bytes Hconf.ini - 3,161 bytes Hconf.ini - 3,477 bytes Hcheck.exe - Hkconf.exe - 8,192 bytes Hkconf.exe - 13,312 bytes Hkconf.exe - 38,912 bytes Infected.exe - Dropper.dat - 8,704 bytes Config.bat - 28 bytes Kernel32.exe -
Created: July 1999
Requires:
Actions: Keylogger / Downloading trojan / Steals passwords
Can download and execute programs using port 80. The keylogging DLL is packed by LZW. It can send information via mails on a regular schedule. Hooker can delete itself on a preconfigured date.
Versions: 1.0, 2.0, 2.2, 2.3, 2.4, 2.5, 2.52,
Registers: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\ HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce\ HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\ HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce\ HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\ HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\ HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices\ HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce\
Notes: Works on Windows 95, 98, ME, NT and 2000. Source code is available. Works together with ICQ 99 a.
Country: written in Russia
Program: Written in C++ 5.
Name: The Flu
Aliases: Rux the Flu,
Ports: 21, 5534 (port can be changed)
Files: Theflu1.0.zip - 590,651 bytes Client.exe - 229,376 bytes Config.exe - 203,776 bytes Server.exe - 162,824 bytes Kernel32.exe -
Created: Noc 2000
Requires:
Actions: FTP server
Alters System.ini. Any FTP client can connect to the server.
Versions: 1.0,
Registers: Does not register.
Notes: Works on Windows 95, 98 and ME. Any FTP client can be used.
Country:
Program: Written in Delphi 5.
cheers,
murve