Author Topic: rundll32.exe Kelihos-S  (Read 19514 times)


Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88899
  • No support PMs thanks
Re: rundll32.exe Kelihos-S
« Reply #30 on: August 22, 2011, 04:04:31 PM »
<snip>
See post no.27 ;)

I did exactly the same you said (I right clicked the files and folders to check them), but there was nothing detected.

OK, should be OK to run them, as I don't believe that even though the program would be loaded into memory, the memory isn't actually scanned, unless you do an on-demand scan and include it.

What is the jp2launcher.exe as we have seen a similar launcher program "albanloader.exe" being a good detection, http://www.virustotal.com/file-scan/report.html?id=7b84cea0acea594d58984d7a48e36af23d06e008aa562ac7b467ddcd9c935655-1313963879. So you could upload that to virustotal.com for a second (and 3rd - 43rd) opinion.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.2.6105 (build 24.2.8918.824) UI 1.0.799/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Venom

  • Guest
Re: rundll32.exe Kelihos-S
« Reply #31 on: August 22, 2011, 04:22:08 PM »
From runscanner.net:

"Jp2launcher.exe with description Java(TM) Platform SE binary is a process file from company Sun Microsystems, Inc. belonging to product Java(TM) Platform SE 6 U21.
 The file is digitally signed from Oracle America, Inc. - VeriSign Time Stamping Services Signer - G2
 We do not recommend removing digitally signed files from Oracle America, Inc."

And 43 meanings of virustotal say "no virus detected". So it is fine ^.^
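The two checks the posters above did by hand (read the file's digital signature, then look the file up on VirusTotal) can be scripted on the affected machine. This is an added example and not something from the thread or from Avast; the file path is an assumption (the Java 6 install location is a guess), and the expected signer name is taken from the runscanner description quoted above.

```powershell
# Added example, not from the forum thread: triage one executable that an
# in-memory scan flagged, by checking its Authenticode signature and computing
# the SHA-256 that can be searched on VirusTotal without uploading the file.
param(
    # Assumed location of the flagged file; adjust to whatever Avast reported.
    [string]$Path = "$env:ProgramFiles\Java\jre6\bin\jp2launcher.exe",
    # Assumption: signer expected for this file, per the runscanner description.
    [string]$ExpectedSigner = 'Oracle'
)

if (-not (Test-Path -LiteralPath $Path)) {
    Write-Error "File not found: $Path"
    return
}

# 1. Authenticode signature: who signed the file, and does the chain validate here?
$sig    = Get-AuthenticodeSignature -FilePath $Path
$signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
$stamp  = if ($sig.TimeStamperCertificate) { $sig.TimeStamperCertificate.Subject } else { '<no timestamp>' }

[PSCustomObject]@{
    File      = $Path
    Status    = $sig.Status      # Valid, NotSigned, HashMismatch, UnknownError, ...
    Signer    = $signer
    Timestamp = $stamp
}

# A tampered or replaced binary fails here even if it still carries a signature
# block, because Status reports HashMismatch rather than Valid.
$looksLegit = ($sig.Status -eq 'Valid') -and ($signer -match $ExpectedSigner)
"Signature valid and from expected vendor: $looksLegit"

# 2. SHA-256 of the on-disk file, for a VirusTotal lookup by hash.
$hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
"SHA256: $hash"
"VirusTotal: https://www.virustotal.com/gui/file/$hash"
```

Run it from an elevated PowerShell prompt on the machine that raised the alert, since the point is to check the exact bytes Avast loaded. A valid vendor signature plus no multi-engine detection on the on-disk hash is the evidence the thread relies on to call the alert a false positive; note that this only characterises the file on disk, which is exactly why a detection raised against a memory block cannot be reproduced or reported by hash alone.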

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88899
  • No support PMs thanks
Re: rundll32.exe Kelihos-S
« Reply #32 on: August 22, 2011, 04:27:07 PM »
Yes, that looks good to go. So certainly for the time being avoid custom memory scans ;D

Venom

  • Guest
Re: rundll32.exe Kelihos-S
« Reply #33 on: August 22, 2011, 04:37:13 PM »
I will do, thanks!

Mike H

  • Guest
Re: rundll32.exe Kelihos-S
« Reply #34 on: August 24, 2011, 01:21:49 AM »
Greetings all,  ;D

I got it as well ~ literally last day or so, wondered if it was phishing off some web page but seems it came with the most recent bunch of Windows updates ~ it's Microsoft! (?)

See here:
http://camas.comodo.com/cgi-bin/submit?file=82c702be3c9b6e1ed7d2ba5f357ff62cfadd8d704ef9b4f40cdd7b8419b77105&iframe=

4th box down, (registry) "Values changed", couldn't find "albanloader" but I got it as "msoobe.exe"

Its associated key is all over the place under HKEY_LOCAL_MACHINE\COMPONENTS\CaconicalData\Catalogs (?)
and ditto ...\DerivedData\Components

Also mentioned in:
...\CurrentVersion\explorer\FileAssociation, "AddRemoveApps", 3rd from the end -
ditto "AddRemoveNames" for it suggests "Support" (same position in string)

Agree about turning off the memory scan though, then it never shows up.

Hope that helps -

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88899
  • No support PMs thanks
Re: rundll32.exe Kelihos-S
« Reply #35 on: August 24, 2011, 02:43:37 AM »
There really have been some weird detections with Kelihos-S with multiple files, especially when they are detections in memory.

I feel I have been banging my head against a brick wall in trying to report this to support, but they just keep asking for samples, despite telling them they are detections in memory, so you can't send memory blocks for analysis. Made worse when the file on the hard disk isn't detected.

The problem being I'm using the conventional email reporting of a false positive without an attachment, and they insist they need an attachment/sample in order to be able to analyse it, colour me totally frustrated in trying to resolve this.

So save all the grief and don't scan memory.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: rundll32.exe Kelihos-S
« Reply #36 on: August 24, 2011, 02:47:21 AM »
There really have been some weird detections with Kelihos-S with multiple files, especially when they are detections in memory.
Yeah, I've got these false positives too yesterday.
The best things in life are free.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: rundll32.exe Kelihos-S
« Reply #37 on: August 24, 2011, 02:48:45 AM »
Oh... I've got them now again :'(

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88899
  • No support PMs thanks
Re: rundll32.exe Kelihos-S
« Reply #38 on: August 24, 2011, 03:09:00 AM »
Don't try sending an empty false positive report as you can't send a memory block.

Or you will get a sore head like me and a response like mine:
"We are sorry, but without samples we are not able to reproduce this issue."

This despite giving links to topics and telling them how to replicate it.


Offline misak

  • Moderator
  • Sr. Member
  • *
  • Posts: 234
    • Personal page (CZE)
Re: rundll32.exe Kelihos-S
« Reply #39 on: August 24, 2011, 10:44:30 AM »
We will change this detection to avoid memory scan false positive alerts. This change will be in VPS update 110824-1.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88899
  • No support PMs thanks
Re: rundll32.exe Kelihos-S
« Reply #40 on: August 24, 2011, 01:06:31 PM »
Thanks Michal for getting involved in this as my emails to support were becoming very frustrating.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: rundll32.exe Kelihos-S
« Reply #41 on: August 24, 2011, 01:30:02 PM »
Thanks Misak. Indeed it will be on 24-1 as the 24-0 seems not to solve it yet.

Venom

  • Guest
Re: rundll32.exe Kelihos-S
« Reply #42 on: August 25, 2011, 11:19:14 AM »
I have got the new ....24-1 virus database and a few seconds ago my "memory test" ended without a "Kelihos-S" error. Java and Miranda are enabled (these have been my problem files) and yeah, no warnings ^.^ Thank you!