Avast WEBforum
Other => Viruses and worms => Topic started by: shopaholic201124 on August 22, 2011, 11:36:36 AM
-
Hi, I have this in the running processes, so obviously can't delete it. But when I stop rundll32.exe and do a full scan, it comes up clean.
So is it a false positive? Kelihos-S
Thanks
-
upload suspicious file(s) to www.virustotal.com and test with 43 malware scanners
when you have the result, copy the url in the address bar and post it here for us to see
alternative
Jotti http://virusscan.jotti.org/en
VirSCAN http://virscan.org/
-
https://www.virustotal.com/file-scan/reanalysis.html?id=5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124-1314006364
There we go
-
I think it must be a false positive, because I stopped rundll32.exe in my running processes, and everything comes up clean, even when I scan it with Avast, Superantispyware and Malwarebytes; I also have Immunet and SpywareBlaster, lol, a lot I know
-
sigcheck:
publisher....: Microsoft Corporation
copyright....: (c) Microsoft Corporation. All rights reserved.
product......: Microsoft_ Windows_ Operating System
description..: Windows host process (Rundll32)
original name: RUNDLL32.EXE
internal name: rundll
file version.: 6.1.7600.16385 (win7_rtm.090713-1255)
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned
What is rundll32.exe doing on my computer?
http://www.processlibrary.com/directory/files/rundll32/24799/
http://www.howtogeek.com/howto/windows-vista/what-is-rundll32exe-and-why-is-it-running/
Note: the valid process is normally located at \Windows\System32\rundll32.exe, but sometimes spyware uses the same filename and runs from a different directory in order to disguise itself. If you think you have a problem, you should always run a scan to be sure, but we can verify exactly what is going on… so keep reading.
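An added check (not part of the thread) that automates the verification the note above describes: it lists every running rundll32.exe, compares its image path with the expected System32/SysWOW64 location, checks the Authenticode signature, and shows the command line so you can see which DLL rundll32 was asked to host. The paths and the Win32_Process query are standard Windows; nothing here comes from the forum posts.

```powershell
# Added example (not from the thread): where is each running rundll32.exe
# loaded from, is it signed, and which DLL/entry point is it hosting?
$expected = @(
    (Join-Path $env:SystemRoot 'System32\rundll32.exe'),
    (Join-Path $env:SystemRoot 'SysWOW64\rundll32.exe')   # 32-bit copy on x64
)

Get-Process -Name rundll32 -ErrorAction SilentlyContinue | ForEach-Object {
    $proc = $_
    $path = $proc.Path          # $null when access is denied
    if (-not $path) {
        [pscustomobject]@{ PID = $proc.Id; Path = '<access denied>'; Location = 'unknown' }
        return
    }
    # Windows system binaries are catalog-signed: current PowerShell resolves
    # the catalog and reports Valid, while tools that only look for an embedded
    # signature may report such a file as "Unsigned".
    $sig = Get-AuthenticodeSignature -FilePath $path
    # The command line tells you what rundll32 is actually running; rundll32
    # itself is a legitimate host, the DLL it loads is what needs attention.
    $cmd = (Get-CimInstance Win32_Process -Filter "ProcessId = $($proc.Id)").CommandLine
    [pscustomobject]@{
        PID         = $proc.Id
        Path        = $path
        Location    = if ($expected -contains $path) { 'expected' } else { 'UNEXPECTED' }
        Signature   = $sig.Status
        Signer      = $sig.SignerCertificate.Subject
        CommandLine = $cmd
    }
} | Format-List
```

Anything reported as UNEXPECTED, or with a signature status other than Valid, is what deserves a second opinion from VirusTotal or a similar service.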
-
So is it a false positive?
-
When you say false positive...... does avast detect this as malware?
-
Yes it does, started yesterday, but I can't delete it or clean it as it's in the running processes, so I can't do anything, but when I stop rundll32.exe in the running processes from Comodo, and do a complete, thorough scan, everything is clean
Also got all the rundll32.exe files up and scanned them with avast and then it's clean again, it just seems to flag up as malware with Kelihos-S when it's running in the processes
-
do you have latest virus update 110821-1 ?
-
do you have latest virus update 110821-1 ?
Yep I do
-
So can anyone help?
-
Well, I guess the avast guys have seen this.....so you should wait and see what happens when the next VPS is released...if it is fixed or still detected
you can also upload it as a false positive detection from chest
https://support.avast.com/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=501#idt_07
-
@ shopaholic201124
OK, let's get some information on the detection:
What scan/scanner was it that detected it (screenshot of the alert window if it happens again)?
Whilst rundll32.exe (edit: wrong extension) is a legit file name, it also depends on the location it is from; the alert should have given that location?
-
@ shopaholic201124
OK, let's get some information on the detection:
What scan/scanner was it that detected it (screenshot of the alert window if it happens again)?
Whilst rundll32.dll is a legit file name, it also depends on the location it is from, the alert should have given that location ?
I ran a scan from the custom scan menu just to scan the memory and auto-start programs, as that is the only place it was coming from
I noticed the rundll32.exe was mostly running from McAfee SiteAdvisor, so I deleted that and now it's not coming up with anything? But the rundll32.exe is not in my running processes now, did another full scan just now and it's clean, so a bit confused
Oh, it just said Process 2280 (rundll32.exe) memory block Threat Win32:Kelihos-S
-
OK, scanning the memory in a custom scan can produce some weird results. So I would suggest not running a custom memory scan as it is very thorough and can produce unexpected results. e.g. detection of unencrypted virus signatures from other security applications, etc.
As one of the avast team has said in the past, if malware has got into the memory, a memory scan is too late.
So I would stick to the Quick and Full System scans, whilst these both scan memory, they aren't anywhere near as detailed/thorough and generally they don't produce these anomalies.
-
OK, scanning the memory in a custom scan can produce some weird results. So I would suggest not running a custom memory scan as it is very thorough and can produce unexpected results. e.g. detection of unencrypted virus signatures from other security applications, etc.
As one of the avast team has said in the past, if malware has got into the memory, a memory scan is too late.
So I would stick to the Quick and Full System scans, whilst these both scan memory, they aren't anywhere near as detailed/thorough and generally they don't produce these anomalies.
Oh I see, it's just that I've always scanned like that I suppose, 1st time I had a problem, as Immunet always flags up, but I know that is safe, just never had this before. Deleting McAfee SiteAdvisor seems to have stopped it anyway, as it wasn't being used because Firefox didn't support it at the moment
-
aaa... so it was one of those again
this function must be removed in next avast version.. alternative a big red warning label
WARNING: using "scan memory" setting may give very strange scan results
-
Well I noticed in passing another topic in the German forum about Kelihos-S also, but this was for three different files (but I don't know if that one was also a custom/memory scan).
So I think there is need for a reanalysis of this signature at the least, though how to submit that on a memory scan detection is beyond me. I guess it could be emailed as a false positive in the subject, without a file attachment, giving details of the detection and a link to the topic in the email body.
-
Well I noticed in passing another topic in the German forum about Kelihos-S also, but this was for three different files (but I don't know if that one was also a custom/memory scan).
So I think there is need for a reanalysis of this signature at the least, though how to submit that on a memory scan detection is beyond me. I guess it could be emailed as a false positive in the subject, without a file attachment, giving details of the detection and a link to the topic in the email body.
I saw that too, everything else came up clean on the other scans I did with Superantispyware etc.
Why is the memory scan not as good then?
-
Why is the memory scan not as good then?
search the forum "scan memory" with quotes
-
OK, well thanks for the help everyone, at least I know not to do the memory scan now. I just go into paranoid mode if I see something I shouldn't
Thanks again
-
You're welcome.
-
My girlfriend and I have the same problems with "Kelihos-S", Avast and the memory test. I used the memory test many times before and I never had such "strange" results. I can remember one time when there was a false positive. It went away after a reboot.
So you think that none of us has this kind of virus? So there is nothing to worry about? I really do not trust these kinds of messages where a virus is shown on my PC (in this case in the memory)...
-
So there is nothing to worry about?
see reply #16
-
So then, I will start up all "Kelihos-S" infected programs and relax now after 4 hours of solving the problem...Cheers!
-
What was the file name/s in the detections, I would be interested to know as there appear to be multiple files being detected with the Kelihos-S signature.
I have reported this in the hope that the actual signature will be re-analysed, rather than the different files that it is alerting on, albeit that these instances do appear to be detections in memory.
Save yourself some grief and don't scan the memory:
OK, scanning the memory in a custom scan can produce some weird results. So I would suggest not running a custom memory scan as it is very thorough and can produce unexpected results. e.g. detection of unencrypted virus signatures from other security applications, etc.
As one of the avast team has said in the past, if malware has got into the memory, a memory scan is too late.
So I would stick to the Quick and Full System scans, whilst these both scan memory, they aren't anywhere near as detailed/thorough and generally they don't produce these anomalies.
-
and when/if you have a file you wonder about...
upload suspicious file(s) to www.virustotal.com and test with 43 malware scanners
when you have the result, copy the url in the address bar and post it here for us to see
alternative
Jotti http://virusscan.jotti.org/en
VirSCAN http://virscan.org/
-
What was the file name/s in the detections, I would be interested to know as there appear to be multiple files being detected with the Kelihos-S signature.
I visited the site and there were no results, so the data is okay.
My files are "miranda32.exe", "java.exe" and "jp2launcher.exe"
-
So then, I will start up all "Kelihos-S" infected programs and relax now after 4 hours of solving the problem...Cheers!
Well they should be OK to run, but until it is confirmed as an FP, there would always be a theoretical risk. Since these are only detected in memory, unless you actually do a scan of memory then hopefully there would be no alert on running them (re my question on what they were).
You could manually right click on the file and have avast scan it first before running it, that is, if avast doesn't alert. Otherwise you would have to wait for the signature to be corrected or exclude that file from being scanned (no rush on that yet).
-
So then, I will start up all "Kelihos-S" infected programs and relax now after 4 hours of solving the problem...Cheers!
Well they should be OK to run, but until it is confirmed as an FP, there would always be a theoretical risk. Since these are only detected in memory, unless you actually do a scan of memory then hopefully there would be no alert on running them (re my question on what they were).
You could manually right click on the file and have avast scan it first before running it, that is, if avast doesn't alert. Otherwise you would have to wait for the signature to be corrected or exclude that file from being scanned (no rush on that yet).
See post no.27 ;)
I did exactly the same you said (I right clicked the files and folders to check them), but there was nothing detected.
-
<snip>
See post no.27 ;)
I did exactly the same you said (I right clicked the files and folders to check them), but there was nothing detected.
OK, it should be OK to run them, as I don't believe the memory is actually scanned, even though the program would be loaded into memory, unless you do an on-demand scan and include it.
What is the jp2launcher.exe? We have seen a similar launcher program "albanloader.exe" being a good detection, http://www.virustotal.com/file-scan/report.html?id=7b84cea0acea594d58984d7a48e36af23d06e008aa562ac7b467ddcd9c935655-1313963879. So you could upload that to virustotal.com for a second (and 3rd - 43rd) opinion.
-
From runscanner.net:
"Jp2launcher.exe with description Java(TM) Platform SE binary is a process file from company Sun Microsystems, Inc. belonging to product Java(TM) Platform SE 6 U21.
The file is digitally signed from Oracle America, Inc. - VeriSign Time Stamping Services Signer - G2
We do not recommend removing digitally signed files from Oracle America, Inc."
And all 43 scanners on virustotal say "no virus detected". So it is fine ^.^
-
Yes, that looks good to go. So certainly for the time being avoid custom memory scans ;D
-
I will do, thanks!
-
Greetings all, ;D
I got it as well ~ literally last day or so, wondered if it was phishing off some web page but seems it came with the most recent bunch of Windows updates ~ it's Microsoft! (?)
See here:
http://camas.comodo.com/cgi-bin/submit?file=82c702be3c9b6e1ed7d2ba5f357ff62cfadd8d704ef9b4f40cdd7b8419b77105&iframe=
4th box down, (registry) "Values changed", couldn't find "albanloader" but I got it as "msoobe.exe"
Its associated key is all over the place under HKEY_LOCAL_MACHINE\COMPONENTS\CaconicalData\Catalogs (?)
and ditto ...\DerivedData\Components
Also mentioned in:
...\CurrentVersion\explorer\FileAssociation, "AddRemoveApps", 3rd from the end -
ditto "AddRemoveNames" for it suggests "Support" (same position in string)
Agree about turning off the memory scan though, then it never shows up.
Hope that helps -
-
There really have been some weird detections with Kelihos-S with multiple files, especially when they are detections in memory.
I feel I have been banging my head against a brick wall in trying to report this to support, but they just keep asking for samples, despite telling them they are detections in memory, so you can't send memory blocks for analysis. Made worse when the file on the hard disk isn't detected.
The problem being I'm using the conventional email reporting of a false positive without an attachment, and they insist they need an attachment/sample in order to be able to analyse it, colour me totally frustrated in trying to resolve this.
So save all the grief and don't scan memory.
-
There really have been some weird detections with Kelihos-S with multiple files, especially when they are detections in memory.
Yeah, I got these false positives too yesterday.
-
Oh... I've got them now again :'(
-
Don't try sending an empty false positive report as you can't send a memory block.
Or you will get a sore head like me and a response like mine:
"We are sorry, but without samples we are not able to reproduce this issue."
This despite giving links to topics and telling them how to replicate it.
-
We will change this detection to avoid memory scan false positive alerts. This change will be in VPS update 110824-1.
-
Thanks Michal for getting involved in this as my emails to support were becoming very frustrating.
-
Thanks Misak. Indeed it will be on 24-1 as the 24-0 seems not to solve it yet.
-
I have got the new ....24-1 virus database and a few seconds ago my "memory test" ended without a "Kelihos-S" error. Java and Miranda are enabled (these have been my problem files) and yeah, no warnings ^.^ Thank you!