rundll32.exe Kelihos-S

Hi, I have this in the running processes, so obviously I can’t delete it. But when I stop rundll32.exe and do a full scan, it comes up clean.

So is it a false positive? Kelihos-S

Thanks

Upload the suspicious file(s) to www.virustotal.com and test with 43 malware scanners.
When you have the result, copy the URL in the address bar and post it here for us to see.

Alternatives:
Jotti http://virusscan.jotti.org/en
VirSCAN http://virscan.org/

https://www.virustotal.com/file-scan/reanalysis.html?id=5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124-1314006364

There we go

I think it must be a false positive, because I stopped rundll32.exe in my running processes and everything comes up clean, even when I scan it with Avast, SUPERAntiSpyware and Malwarebytes. I also have Immunet and SpywareBlaster, lol, a lot I know.

sigcheck:
publisher…: Microsoft Corporation
copyright…: (c) Microsoft Corporation. All rights reserved.
product…: Microsoft_ Windows_ Operating System
description…: Windows host process (Rundll32)
original name: RUNDLL32.EXE
internal name: rundll
file version.: 6.1.7600.16385 (win7_rtm.090713-1255)
comments…: n/a
signers…: -
signing date.: -
verified…: Unsigned

What is rundll32.exe doing on my computer?
http://www.processlibrary.com/directory/files/rundll32/24799/
http://www.howtogeek.com/howto/windows-vista/what-is-rundll32exe-and-why-is-it-running/

Note: the valid process is normally located at \Windows\System32\rundll32.exe, but sometimes spyware uses the same filename and runs from a different directory in order to disguise itself. If you think you have a problem, you should always run a scan to be sure, but we can verify exactly what is going on… so keep reading.
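The note above gives the two things worth checking for any rundll32.exe that a scanner flags: where the image was launched from, and what it was asked to load. The following PowerShell script is an added triage example, not something posted in this thread; it only reports and does not kill or delete anything. It assumes PowerShell 3 or later (for Get-CimInstance) and an elevated prompt, and the names `$expectedDirs`, `$pathOk` and `$sigStatus` are my own.

```powershell
# Added triage script (not from the thread): list every running rundll32.exe,
# show where it was launched from, which DLL/entry point it was asked to run,
# who started it, and whether the image carries a valid Authenticode signature.
# Assumes PowerShell 3+ and an elevated prompt (otherwise some process paths
# and command lines are hidden). Nothing is killed or deleted; this only reports.

$expectedDirs = @(
    (Join-Path $env:SystemRoot 'System32'),
    (Join-Path $env:SystemRoot 'SysWOW64')
)

$procs = Get-CimInstance Win32_Process -Filter "Name = 'rundll32.exe'"

if (-not $procs) {
    Write-Host 'No rundll32.exe process is running right now.'
    return
}

foreach ($p in $procs) {
    $path = $p.ExecutablePath
    $dir  = if ($path) { Split-Path $path -Parent } else { $null }

    # 1. Location check: the legitimate binary lives under System32 / SysWOW64.
    $pathOk = [bool]$dir -and ($expectedDirs -contains $dir)

    # 2. Signature check. On current Windows, Get-AuthenticodeSignature also
    #    consults the system catalogs, so a genuine rundll32.exe reports 'Valid'.
    #    On older systems (compare the Windows 7 sigcheck output in the thread)
    #    a catalog-signed file can report 'NotSigned', so treat that result as
    #    "check manually", not as proof of tampering.
    $sig = if ($path) { Get-AuthenticodeSignature -FilePath $path } else { $null }
    $sigStatus = if ($sig) { $sig.Status.ToString() } else { 'Unknown' }

    # 3. Parent process: who started it?
    $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($p.ParentProcessId)"
    $parentName = if ($parent) { $parent.Name } else { '<exited>' }

    [pscustomobject]@{
        PID            = $p.ProcessId
        Path           = $path
        PathInSystem32 = $pathOk
        Signature      = $sigStatus
        Parent         = $parentName
        # The command line names the DLL (and export) rundll32 was told to load;
        # that DLL, not rundll32.exe itself, is usually what deserves a closer look.
        CommandLine    = $p.CommandLine
    }
}
```

Run it from an elevated PowerShell prompt. A row with PathInSystem32 set to False, or a CommandLine pointing at a DLL in a temp or profile directory, is the case the note above warns about and is what to upload to VirusTotal as the thread suggests. A row with a System32 path and a Valid signature whose only hit came from a memory scan is the pattern the later replies in this thread describe as a memory-scan anomaly; in that case the DLL named in CommandLine is the file to scan next.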

So is it a false positive?

When you say false positive… does Avast detect this as malware?

Yes it does, it started yesterday, but I can’t delete it or clean it as it’s in the running processes, so I can’t do anything. But when I stop rundll32.exe in the running processes from Comodo and do a complete, thorough scan, everything is clean.

I also got all the rundll32.exe files up and scanned them with Avast, and then it’s clean again; it just seems to flag up as malware with Kelihos-S when it’s running in the processes.

Do you have the latest virus update, 110821-1?

Yep I do

So can anyone help?

Well, I guess the Avast guys have seen this… so you should wait and see what happens when the next VPS is released… whether it is fixed or still detected.

You can also upload it as a false positive detection from the chest:

https://support.avast.com/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=501#idt_07

@ shopaholic201124
OK, let’s get some information on the detection:

What scan/scanner was it that detected it (screenshot of the alert window if it happens again)?

Whilst rundll32.exe (edit: wrong extension) is a legit file name, it also depends on the location it is from; the alert should have given that location?

I ran a scan from the custom scan menu just to scan the memory and auto-start programs, as that is the only place it was coming from.

I noticed the rundll32.exe was mostly running from McAfee SiteAdvisor, so I deleted that and now it’s not coming up with anything? But the rundll32.exe is not in my running processes now; I did another full scan just now and it’s clean, so I’m a bit confused.

Oh, it just said: Process 2280 (rundll32.exe) memory block Threat Win32:Kelihos-S

OK, scanning the memory in a custom scan can produce some weird results, so I would suggest not running a custom memory scan, as it is very thorough and can produce unexpected results, e.g. detection of unencrypted virus signatures from other security applications, etc.

As one of the Avast team has said in the past, if malware has got into the memory, a memory scan is too late.

So I would stick to the Quick and Full System scans; whilst these both scan memory, they aren’t anywhere near as detailed/thorough and generally they don’t produce these anomalies.

Oh I see, it’s just that I’ve always scanned like that, I suppose; first time I’ve had a problem, as Immunet always flags up, but I know that is safe, I’ve just never had this before. Deleting McAfee SiteAdvisor seems to have stopped it anyway, as it wasn’t being used because Firefox didn’t support it at the moment.

aaa… so it was one of those again

This function must be removed in the next Avast version… alternatively, a big red warning label:

WARNING: using “scan memory” setting may give very strange scan results

Well, I noticed in passing another topic in the German forum about Kelihos-S also, but that was for three different files (I don’t know if that one was also a custom/memory scan).

So I think there is a need for a reanalysis of this signature at the least, though how to submit that for a memory scan detection is beyond me. I guess it could be emailed with “false positive” in the subject, without a file attachment, giving details of the detection and a link to this topic in the email body.

I saw that too; everything else came up clean on the other scans I did with SUPERAntiSpyware etc.

Why is the memory scan not as good then?

Why is the memory scan not as good then?
Search the forum for "scan memory" with the quotes.