PLEASE HELP

[tornado73]

Please help me.
I did a scan on my netbook, which has Windows 7 and Avast 6.0 Free Edition as its antivirus. This computer is new and has almost nothing installed, but Avast detected a threat called "Win32:Kelihos-S [Trj]".This could be an oridinary virus, but to my surprise Avast doesn't let me delete it, quarantine it nor repare it (the "Apply" button doesn't have black letters, it has grey instead). I rebooted my system and did a scan during boot. It found a corrupt file, but not a threat. However, when I scanned the computer again (I did it right away, just to confirm) I still got "Win32:Kelihos-S [Trj]". It is on the memory and it says that it is related to rundll32.exe (Process 2396). Please help me, I need to delete this thing!  :'(

PS: It also found a decompression bomb, but that's from the Nero BackItUp that came with the computer.

[Pondus]

so you did a custom scan and selected "scan memory"..... DO NOT use that setting as it give some strange scan results

use the default quick / full scan with default settings....they are default bc avast know what is best for the average user

(the "Apply" button doesn't have black letters, it has grey instead).

bc it is detected as a memory process...it is not a file that can be removed

[tornado73]

I use this scan on my PC, nothing strange ever happened, but if you say this is the problem, does "Complete System Scan" go through everything??
PS: Is this Kelihos-S a false positive? I searched on bing and it talked about variations of it being backdoors, but never this one.  I really don't have a clue.

[tornado73]

Oh and if I open task manager "rundll32.exe" is the only file to not have Username nor Description... (besides winlogon.exe and csrss.exe)  this is really awkward

[Pondus]

I use this scan on my PC, nothing strange ever happened, but if you say this is the problem, does "Complete System Scan" go through everything??

it is not necesarry to scan everything....... if it was avast would have made the program with only one scan that scanned everything......it would be slow as molasses and use a week to finish

the realtime shield is running in the background all time and scanning every file that moves in the computer, if a malware file is moving it will grab it
so if you do a quick scan a week it is plenty


and if you search the forum for  "scan memory"  or "memory scan"  with quotes, you will see the forum is full of this

[Pondus]

and if you still wonder about that file  rundll32.exe


upload suspicious file(s) to www.virustotal.com and test with 43 malware scanners
when you have the result, copy the URL in the addressbar and post it here so we can see


alternative
Jotti`s   http://virusscan.jotti.org/en
VirSCAN   http://virscan.org/




What is rundll32.exe And Why Is It Running?
http://www.howtogeek.com/howto/windows-vista/what-is-rundll32exe-and-why-is-it-running/

[tornado73]

Thanks, I'm doing a full scan now. I would put rundll32.exe on virustotal, but when i search it on my computer it doesn't show up 
So Kelihos-S is a false positive, right? 

[DavidR]

I'm pretty certain this is a false positive as there have been some weird detections with this Kelihos-S signature, especially on detections in memory.

I have tried to report, but have come away totally frustrated, as I'm dealing with someone in support insisting on a sample and they can't understand there is no sodding sample I or anyone else can send because it is a memory block and the original file in the hard disk isn't detected.

I just keep coming away with a sore head from banging it against a brick wall, colour me frustrated.

Save yourself a lot of grief and stop scanning memory.

[Lisandro]

So Kelihos-S is a false positive, right?  

Most probably. Update your avast and test again.

[tornado73]

I think it was a false positive, I did a full scan and it found two rootkits  but I quarantined them, then I ran avast again and it found nothing 
Really happy right now 

PS: I'm kinda new at this forum, and I don't understand why my e-mail is visible when I checked the box that said "Hide email from public" can anyone help here?

[DavidR]

Only you and the moderators can see your email address, no one else can see it, in the same way you can't see other peoples email addresses. Unless of course they haven't hidden it.

[tornado73]

Oooh so that's why... thanks then

[DavidR]

You're welcome.