Topic: rundll32.exe Kelihos-S


shopaholic201124

  • Guest
rundll32.exe Kelihos-S
« on: August 22, 2011, 11:36:36 AM »
Hi, I have this in the running processes, so obviously can't delete it. But when I stop the rundll32.exe and do a full scan, it comes up clean.

So is it a false positive? Kelihos-S

Thanks

Pondus
Re: rundll32.exe Kelihos-S
« Reply #1 on: August 22, 2011, 11:44:51 AM »
Upload suspicious file(s) to www.virustotal.com and test with 43 malware scanners.
When you have the result, copy the URL in the address bar and post it here for us to see.


alternative
Jotti    http://virusscan.jotti.org/en
VirSCAN  http://virscan.org/


shopaholic201124

  • Guest
Re: rundll32.exe Kelihos-S
« Reply #3 on: August 22, 2011, 11:54:38 AM »
I think it must be a false, because I stopped the rundll32.exe from my running processes, and everything comes up clean, even when I scan it with Avast, SUPERAntiSpyware and Malwarebytes. I also have Immunet and SpywareBlaster, lol, a lot I know.

Pondus
Re: rundll32.exe Kelihos-S
« Reply #4 on: August 22, 2011, 11:59:42 AM »
sigcheck:
publisher....: Microsoft Corporation
copyright....: (c) Microsoft Corporation. All rights reserved.
product......: Microsoft_ Windows_ Operating System
description..: Windows host process (Rundll32)
original name: RUNDLL32.EXE
internal name: rundll
file version.: 6.1.7600.16385 (win7_rtm.090713-1255)
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned



What is rundll32.exe doing on my computer?
http://www.processlibrary.com/directory/files/rundll32/24799/
http://www.howtogeek.com/howto/windows-vista/what-is-rundll32exe-and-why-is-it-running/

Quote
Note: the valid process is normally located at \Windows\System32\rundll32.exe, but sometimes spyware uses the same filename and runs from a different directory in order to disguise itself. If you think you have a problem, you should always run a scan to be sure, but we can verify exactly what is going on… so keep reading.



« Last Edit: August 22, 2011, 12:02:19 PM by Pondus »
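
Added example, not part of the original posts: a PowerShell check for the point in the quote above, listing every running rundll32.exe with its image path, the DLL named on its command line and the file's signature status. It assumes PowerShell 3.0 or later and an elevated prompt; the output property names are this example's own.

```powershell
# Genuine locations of rundll32.exe (SysWOW64 holds the 32-bit copy on 64-bit Windows).
$expected = @(
    (Join-Path $env:SystemRoot 'System32\rundll32.exe'),
    (Join-Path $env:SystemRoot 'SysWOW64\rundll32.exe')
)

Get-CimInstance Win32_Process -Filter "Name = 'rundll32.exe'" | ForEach-Object {
    # ExecutablePath is empty when the process cannot be queried (not elevated).
    $path = $_.ExecutablePath
    $sig  = if ($path) { Get-AuthenticodeSignature -FilePath $path } else { $null }

    [pscustomobject]@{
        PID         = $_.ProcessId
        ParentPID   = $_.ParentProcessId
        Path        = $path
        # -contains is case-insensitive, so C:\WINDOWS\system32\... still matches.
        PathOK      = [bool]($path -and ($expected -contains $path))
        Signature   = if ($sig) { $sig.Status } else { 'n/a' }
        Signer      = if ($sig -and $sig.SignerCertificate) {
                          $sig.SignerCertificate.Subject
                      } else { '' }
        # The command line names the DLL and export that rundll32 is hosting,
        # which identifies the software that actually launched it.
        CommandLine = $_.CommandLine
    }
} | Format-List
```

Windows system binaries are typically catalog-signed rather than carrying an embedded signature, so some tools report the genuine System32 file as unsigned; path and command line are the checks to read first.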

shopaholic201124

  • Guest
Re: rundll32.exe Kelihos-S
« Reply #5 on: August 22, 2011, 12:00:24 PM »
So is it a false positive?

Pondus
Re: rundll32.exe Kelihos-S
« Reply #6 on: August 22, 2011, 12:06:45 PM »
When you say false positive... does avast detect this as malware?

shopaholic201124

  • Guest
Re: rundll32.exe Kelihos-S
« Reply #7 on: August 22, 2011, 12:11:00 PM »
Yes it does, started yesterday, but I can't delete it or clean it as it's in the running processes, so I can't do anything. But when I stop rundll32.exe from the running processes from Comodo and do a complete thorough scan, everything is clean.

Also got all the rundll32.exe files up and scanned them with avast, then it's clean again; it just seems to flag up as malware with Kelihos-S when it's running in the processes.
« Last Edit: August 22, 2011, 12:13:41 PM by shopaholic201124 »

Pondus
Re: rundll32.exe Kelihos-S
« Reply #8 on: August 22, 2011, 12:13:28 PM »
Do you have the latest virus update 110821-1?

shopaholic201124

  • Guest
Re: rundll32.exe Kelihos-S
« Reply #9 on: August 22, 2011, 12:13:58 PM »
Quote
Do you have the latest virus update 110821-1?

Yep I do

shopaholic201124

  • Guest
Re: rundll32.exe Kelihos-S
« Reply #10 on: August 22, 2011, 12:27:24 PM »
So can anyone help?

Pondus
Re: rundll32.exe Kelihos-S
« Reply #11 on: August 22, 2011, 12:44:53 PM »
Well, I guess the avast guys have seen this... so you should wait and see what happens when the next VPS is released, whether it is fixed or still detected.

You can also upload it as a false positive detection from the chest.

https://support.avast.com/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=501#idt_07
« Last Edit: August 22, 2011, 12:56:04 PM by Pondus »

DavidR
Re: rundll32.exe Kelihos-S
« Reply #12 on: August 22, 2011, 12:53:53 PM »
@ shopaholic201124
OK, let's get some information on the detection:

What scan/scanner was it that detected it (screenshot of the alert window if it happens again)?

Whilst rundll32.exe (edit: wrong extension) is a legit file name, it also depends on the location it is from; the alert should have given that location?

« Last Edit: August 22, 2011, 01:09:10 PM by DavidR »
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 22.5.6015 (build 22.5.7263.730) UI 1.0.711/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

shopaholic201124

  • Guest
Re: rundll32.exe Kelihos-S
« Reply #13 on: August 22, 2011, 01:01:21 PM »
Quote
@ shopaholic201124
OK, let's get some information on the detection:

What scan/scanner was it that detected it (screenshot of the alert window if it happens again)?

Whilst rundll32.dll is a legit file name, it also depends on the location it is from; the alert should have given that location?



I ran a scan from the custom scan menu just to scan the memory and auto start programs, as that is where it was coming from only.

I noticed the rundll32.exe was mostly running from McAfee SiteAdvisor, so I deleted that and now it's not coming up with anything? But the rundll32.exe is not in my running processes now, did another full scan just now and it's clean, so a bit confused.

Oh, it just said: Process 2280 (rundll32.exe) memory block Threat Win32:Kelihos-S
« Last Edit: August 22, 2011, 01:03:05 PM by shopaholic201124 »

DavidR
Re: rundll32.exe Kelihos-S
« Reply #14 on: August 22, 2011, 01:13:23 PM »
OK, scanning the memory in a custom scan can produce some weird results. So I would suggest not running a custom memory scan as it is very thorough and can produce unexpected results. e.g. detection of unencrypted virus signatures from other security applications, etc.

As one of the avast team has said in the past, if malware has got into the memory, a memory scan is too late.

So I would stick to the Quick and Full System scans, whilst these both scan memory, they aren't anywhere near as detailed/thorough and generally they don't produce these anomalies.