Author Topic: Kernel32.dll Avast scan problem and Virus warning  (Read 7350 times)

KillerX

  • Guest
Kernel32.dll Avast scan problem and Virus warning
« on: February 28, 2012, 08:03:10 PM »
Hi Avast forum.

Like the subject says, I have a problem. I have been having trouble scanning the DDR memory of my computer, because every time I start the scan and it gets to the memory, the whole computer hangs totally. I ran avast again today and it hung again, but after I had restarted the computer and went to check the scan logs I found that all of my processes which are active after I have started the computer were infected with the Win32:Kryptik-EWK [Trj] virus. Is this a false positive or is it a real virus? Because it's only in one memory block and only found in the memory and not in any file, yet it says it's Kernel32.dll which is infected :(. Please help, I don't want to have to install Windows again if it's not needed :(.

Thanks for all help.

itsjustme2

  • Guest
Re: Kernel32.dll Avast scan problem and Virus warning
« Reply #1 on: February 28, 2012, 08:47:13 PM »
upload the file to virustotal.com

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37532
  • Not a avast user
Re: Kernel32.dll Avast scan problem and Virus warning
« Reply #2 on: February 28, 2012, 09:04:26 PM »
upload the file to virustotal.com
You can't upload a detection in memory, as it is not a file.  ;)


@KillerX

I guess you did a memory scan and selected "scan memory"?

If so, DO NOT use the memory scan, as it will give some weird detection results...
Search the forum and you will find hundreds of cases.


KillerX

  • Guest
Re: Kernel32.dll Avast scan problem and Virus warning
« Reply #3 on: February 28, 2012, 10:11:38 PM »
@Pondus

So is this a bug in avast or is it a virus? Well yeah, I picked the "scan memory" in avast.
The strange thing is that it has never happened with previous versions (I have been using avast since v4,8 pro).

Oh well, I didn't have much on the main hard drive anyway and SUPERantispyware found a trojan downloader, so I think it's safer to do a clean format and a clean Windows install again :). I had mostly just games on the main hard drive.

Thanks for the replies btw.

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37532
  • Not a avast user
Re: Kernel32.dll Avast scan problem and Virus warning
« Reply #4 on: February 29, 2012, 01:25:53 AM »
Quote
So is this a bug in avast or is it a virus, well yea i picked the "scan memory" in avast.
It is not a virus. Did you search the forum... and read the other cases?

Quote
The strange thing is that it has never happend with previous versions (have been using avast since v4,8 pro).'
As far as I can remember, avast 4.8 did not have a "scan memory" option.

Don't change the default scan settings if you do not know the result.

Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89057
  • No support PMs thanks
Re: Kernel32.dll Avast scan problem and Virus warning
« Reply #5 on: February 29, 2012, 01:42:56 AM »
It did have a limited memory scan back in avast 4.7. ;D

But nowhere near as in depth as when running a custom scan of memory and when many of these signature/strange detections in memory.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

KillerX

  • Guest
Re: Kernel32.dll Avast scan problem and Virus warning
« Reply #6 on: February 29, 2012, 01:17:00 PM »
@pondus

Sorry, I haven't checked other cases yet, but when I ran the avast full scan on my mini PC it didn't find any of the stuff like on my main rig. And this has never happened with avast 5 and 6 versions.

And sorry to disappoint you, but I know the result of doing a full scan, and I have changed the default settings before too. But now it found like 37 viruses, only in the memory, before the computer hung.

I'm going to do a full scan without the memory scan and see if it finds anything on the hard drives.
And if it doesn't, it's probably a false positive. And by the way, SAS didn't find any of those trojans but it did find 3 other ones, but none in the memory, only on the hard drive.
If it does and it can't repair or anything like that, then it's easiest to do a clean Windows install again :)

akama1

  • Guest
Re: Kernel32.dll Avast scan problem and Virus warning
« Reply #7 on: February 29, 2012, 01:49:15 PM »
If not to scan memory with avast, then what's the scan memory option for?

KillerX

  • Guest
Re: Kernel32.dll Avast scan problem and Virus warning
« Reply #8 on: February 29, 2012, 02:18:34 PM »
@akama1

Well sure, it's important to have the memory scan, but if it's a bug or false positive or if the computer crashes then it's best to not scan the memory to see if there are any viruses or trojans on the hard drive :)

Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89057
  • No support PMs thanks
Re: Kernel32.dll Avast scan problem and Virus warning
« Reply #9 on: February 29, 2012, 02:25:01 PM »
There are three levels of memory scan and the one that causes all of this grief is when a user creates a custom scan and chooses memory; it is the most thorough/sensitive. So my guess is the OP is running a custom scan with the memory scan option.

Memory scans are a throwback from long ago; as has been mentioned, if a malware/virus is in memory, you are too late. The idea is to catch the malware before it loads stuff into memory.

KillerX

  • Guest
Re: Kernel32.dll Avast scan problem and Virus warning
« Reply #10 on: February 29, 2012, 03:14:35 PM »
@DavidR

I just ran a full scan without the memory option and there were absolutely no viruses on my 2 hard drives.

After that I ran a custom memory scan 2 times and it didn't find the kernel32.dll trojans which I found before, but it did find a few, but they are from known programs (cmdagent.exe and superantispyware.exe) so it's clean.
SUPERantispyware didn't find any trojans in the memory but did find 3 on the hard drive, which were completely quarantined :).

Was this after all just a catch of false positives from the custom scan or what  :-\?

EDIT: I forgot to mention that I haven't got any issues or slowdowns on my computer except the avast custom scan crash when the whole computer and memory are selected to be scanned in scan settings.
« Last Edit: February 29, 2012, 03:22:47 PM by KillerX »

Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89057
  • No support PMs thanks
Re: Kernel32.dll Avast scan problem and Virus warning
« Reply #11 on: February 29, 2012, 03:22:48 PM »
Not a false positive:
The detections in memory are frequently other security applications loading unencrypted virus signatures into memory. Having set off a scan of memory by an antivirus application looking for virus signatures, don't be too surprised if it finds some in memory.

It isn't alerting on either cmdagent.exe or superantispyware.exe, but the signatures that those processes loaded into memory.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security
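The behaviour described in this reply, as an added illustration that is not code from the thread or from any antivirus product: a signature matcher run over files and then over memory blocks alerts on a second scanner's decoded signature database. All names, byte patterns, paths and addresses are constructed, and the assumption that the other product keeps its database encoded on disk is the example's own.

```python
from dataclasses import dataclass

# Constructed, harmless byte patterns standing in for one vendor's signatures.
SIGNATURES = {
    "Example:Sample-A [Trj]": b"\x13\x37SAMPLE-A-PATTERN",
    "Example:Sample-B [Trj]": b"\xca\xfeSAMPLE-B-PATTERN",
}
XOR_KEY = 0x5A  # assumption: the other product stores its database encoded on disk


@dataclass
class Region:
    process: str  # process that loaded the block
    base: int     # base address of the memory block
    data: bytes   # contents of the block


def xor(blob: bytes) -> bytes:
    """Toy on-disk encoding of the other product's database."""
    return bytes(b ^ XOR_KEY for b in blob)


def match(data: bytes) -> list[str]:
    """Names of all signatures whose pattern occurs in data."""
    return sorted(name for name, pat in SIGNATURES.items() if pat in data)


def scan_files(files: dict[str, bytes]) -> list[str]:
    return [f"File: {path}, Threat: {name}"
            for path, data in files.items() for name in match(data)]


def scan_memory(regions: list[Region]) -> list[str]:
    # Reported as process + memory block + threat name: there is no file to quarantine.
    return [f"Process: {r.process}, Memory block: 0x{r.base:016X}, Threat: {name}"
            for r in regions for name in match(r.data)]


# The other product describes the same samples, so its database holds the same bytes.
other_db = b"DBv1|" + b"|".join(SIGNATURES.values())
FILES = {r"C:\other_scanner\signatures.db": xor(other_db)}
REGIONS = [
    Region("other_scanner.exe", 0x0000000002A40000, other_db),  # decoded on load
    Region("notepad.exe", 0x0000000000400000, b"plain application data"),
]

if __name__ == "__main__":
    print(scan_files(FILES) or "file scan: clean")
    print("\n".join(scan_memory(REGIONS)))
```

The file scan comes back clean while the memory scan reports two threats, both attributed to the process that loaded the signatures rather than to any file on disk.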

KillerX

  • Guest
Re: Kernel32.dll Avast scan problem and Virus warning
« Reply #12 on: February 29, 2012, 03:31:47 PM »
@DavidR

So is there anything in my computer? Because it doesn't say that there is anything in the memory with the custom memory scan. And I don't get it: why does my computer hang when scanning with the memory selected in a total custom system scan with everything else selected, but when I only scan the memory it doesn't hang?

Which memory scan is the most sensitive? Because it hasn't found anything since I quarantined the trojans with SUPERantispyware.

EDIT: the strange thing was that every one of the 36 trojans the memory scan found was in the same memory block and had the same block size, and all were only processes that were running, plus they had kernel32.dll in the name too. But when I scanned with the special memory scan it didn't find anything.
« Last Edit: February 29, 2012, 03:45:45 PM by KillerX »

Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89057
  • No support PMs thanks
Re: Kernel32.dll Avast scan problem and Virus warning
« Reply #13 on: February 29, 2012, 04:07:00 PM »
I don't know, or rather I can't answer that as there is insufficient information in this topic to do so.

But the detections in memory related to cmdagent.exe or superantispyware.exe loading unencrypted signatures. I can't see how you can possibly have sent these to quarantine as it is impossible if there are memory blocks. Now perhaps you can see why I said there is insufficient information to say.

We need the file name, location and malware name of detections.

If that is a memory detection you can't give that as it is Process: (responsible for the loading) Memory Block and Malware name, because it isn't a physical file it can't be sent to the chest.

The Quick and Full System scans are more than adequate (they both scan memory but at a lower sensitivity avoiding this type of detection), so I'm not entirely sure why you feel the need for the custom scan and the memory scan (if selected) is the most sensitive/thorough.

Some security applications run at a low level it is how they catch things before they can execute, so it may not be unusual to have something run at a kernel level. But again without full information all of this is supposition.

KillerX

  • Guest
Re: Kernel32.dll Avast scan problem and Virus warning
« Reply #14 on: February 29, 2012, 06:11:28 PM »
@DavidR

The names for the processes are many, but all are in the memory block: 0x0000000075FE0000 with the name (kernel32.dll) Threat: Win32:Kryptik-EWK [Trj]

But none of these have shown up at all after I quarantined a few other trojans with SUPERantispyware. And now today nothing at all has shown up in any scan I run.
I didn't quarantine cmdagent.exe or superantispyware.exe because they were in the memory, but I assume they are safe even if they show up on the memory scan :)
Because they are both from security-related programs.

Am I supposed to upload a support package to you at avast? Because there is the option to create a support package with logs, memory dumps and basic information.