Author Topic: rundll32.exe Kelihos-S  (Read 19510 times)

0 Members and 1 Guest are viewing this topic.

shopaholic201124

  • Guest
Re: rundll32.exe Kelihos-S
« Reply #15 on: August 22, 2011, 01:32:53 PM »
OK, scanning the memory in a custom scan can produce some weird results. So I would suggest not running a custom memory scan as it is very thorough and can produce unexpected results. e.g. detection of unencrypted virus signatures from other security applications, etc.

As one of the avast team has said in the past, if malware has got into the memory, a memory scan it too late.

So I would stick to the Quick and Full System scans, whilst these both scan memory, they aren't anywhere near as detailed/thorough and generally they don't produce these anomalies.


Oh i see, just ive always scanned like that i suppose, 1st time i had a problem, as the immunet always flags up, but i know that is safe, just never had this before. Deleting mcafee site advisor seems to have stopped it anyway, as it wasnt used because firefox didnt support it at the moment

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37506
  • Not a avast user
Re: rundll32.exe Kelihos-S
« Reply #16 on: August 22, 2011, 01:34:26 PM »
aaa... so it was one of those again

this function must be removed in next avast version.. alternative a big red warning label

WARNING: using "scan memory" setting may give very strange scan results
« Last Edit: August 22, 2011, 01:36:01 PM by Pondus »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88900
  • No support PMs thanks
Re: rundll32.exe Kelihos-S
« Reply #17 on: August 22, 2011, 01:39:38 PM »
Well I noticed in passing another topic in the German forum about Kelihos-S also, but this was for three different files (but I don't know if that one was also a custom/memory scan).

So I think there is need for a reanalysis of this signature at the least, though how to submit that on a memory scan detection is beyond me. I guess it could be emailed as a false positive in the subject, without a file attachment, giving details of the detection and a link to the topic in the email body.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.2.6105 (build 24.2.8918.824) UI 1.0.799/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

shopaholic201124

  • Guest
Re: rundll32.exe Kelihos-S
« Reply #18 on: August 22, 2011, 02:00:29 PM »
Well I noticed in passing another topic in the German forum about Kelihos-S also, but this was for three different files (but I don't know if that one was also a custom/memory scan).

So I think there is need for a reanalysis of this signature at the least, though how to submit that on a memory scan detection is beyond me. I guess it could be emailed as a false positive in the subject, without a file attachment, giving details of the detection and a link to the topic in the email body.

I saw that to, everything else come up clean on other scans i did with superantispy etc

Why is the memory scan not as good then?


Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37506
  • Not a avast user
Re: rundll32.exe Kelihos-S
« Reply #19 on: August 22, 2011, 02:05:59 PM »
Quote
Why is the memory scan not as good then?
search the forum  "scan memory"  with quotes

shopaholic201124

  • Guest
Re: rundll32.exe Kelihos-S
« Reply #20 on: August 22, 2011, 02:35:09 PM »
Ok, well thanks for the help everyone least I know not to do the memory scan now. Just I go in to paranoid if I see something I should'nt

Thanks again



Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88900
  • No support PMs thanks
Re: rundll32.exe Kelihos-S
« Reply #21 on: August 22, 2011, 02:40:40 PM »
You're welcome.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.2.6105 (build 24.2.8918.824) UI 1.0.799/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Venom

  • Guest
Re: rundll32.exe Kelihos-S
« Reply #22 on: August 22, 2011, 03:24:47 PM »
Me and my girlfried have the same problems with "Kelihos-S", Avast and the memory-test. I used the memory test many times before and I never had such "strange" results. I can remember one time, when there was a false-positive. It went away after a reboot.
So you think that no one of us has this kind of virus? So there is no matter to worry? I really do not trust these kind of messages where a virus is shown on my pc (in this case in the memory)...

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37506
  • Not a avast user
Re: rundll32.exe Kelihos-S
« Reply #23 on: August 22, 2011, 03:26:41 PM »
Quote
So there is no matter to worry?
see reply #16

Venom

  • Guest
Re: rundll32.exe Kelihos-S
« Reply #24 on: August 22, 2011, 03:30:17 PM »
So then, I will start up all "Kelihos-S" infected programms and relax now after 4 hours of solving the problem...Cheers!

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88900
  • No support PMs thanks
Re: rundll32.exe Kelihos-S
« Reply #25 on: August 22, 2011, 03:31:02 PM »
What was the file name/s in the detections, I would be interested to know as there appear to be multiple files being detected with the Kelihos-S signature.

I have reported this in the hope that the actual signature will be re-analysed, rather than the different files that it is alerting on, albeit that these instances do appear to be detections in memory.

Save yourself some grief and don't scan the memory:
OK, scanning the memory in a custom scan can produce some weird results. So I would suggest not running a custom memory scan as it is very thorough and can produce unexpected results. e.g. detection of unencrypted virus signatures from other security applications, etc.

As one of the avast team has said in the past, if malware has got into the memory, a memory scan it too late.

So I would stick to the Quick and Full System scans, whilst these both scan memory, they aren't anywhere near as detailed/thorough and generally they don't produce these anomalies.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.2.6105 (build 24.2.8918.824) UI 1.0.799/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37506
  • Not a avast user
Re: rundll32.exe Kelihos-S
« Reply #26 on: August 22, 2011, 03:32:43 PM »
and when/if you have a file you wonder about...


upload suspicious file(s) to www.virustotal.com and test with 43 malware scanners
when you have the result, copy the url in the address bar and post it here for us to see


alternative
Jotti    http://virusscan.jotti.org/en
VirSCAN  http://virscan.org/

Venom

  • Guest
Re: rundll32.exe Kelihos-S
« Reply #27 on: August 22, 2011, 03:36:18 PM »
What was the file name/s in the detections, I would be interested to know as there appear to be multiple files being detected with the Kelihos-S signature.

I visited the site and there have been nor results, so the data is okay.
My files are "miranda32.exe" "java.exe" and "jp2launcher.exe"

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88900
  • No support PMs thanks
Re: rundll32.exe Kelihos-S
« Reply #28 on: August 22, 2011, 03:37:24 PM »
So then, I will start up all "Kelihos-S" infected programms and relax now after 4 hours of solving the problem...Cheers!

Well they should be OK to run, but until it is confirmed as an FP, there would always be a theoretical risk. Since these are only detected in memory unless you actually do a scan of memory then hopefully there would be no alert on running them (re my question on what they were).

You could manually right click on the file and have avast scan it first before running it, if that is avast doesn't alert. Otherwise you would have to wait for the signature to be corrected or exclude that file from being scanned (no rush on that yet).
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.2.6105 (build 24.2.8918.824) UI 1.0.799/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Venom

  • Guest
Re: rundll32.exe Kelihos-S
« Reply #29 on: August 22, 2011, 03:40:19 PM »
So then, I will start up all "Kelihos-S" infected programms and relax now after 4 hours of solving the problem...Cheers!

Well they should be OK to run, but until it is confirmed as an FP, there would always be a theoretical risk. Since these are only detected in memory unless you actually do a scan of memory then hopefully there would be no alert on running them (re my question on what they were).

You could manually right click on the file and have avast scan it first before running it, if that is avast doesn't alert. Otherwise you would have to wait for the signature to be corrected or exclude that file from being scanned (no rush on that yet).

See post no.27 ;)

I did exactly the same you said (I right clicked the files and folders to check them), but there was nothing detected.