kernel32.dll Infected?

Okay. So I’m using Avira AntiVir V9 (last update on 18 July 2009) and CIS V3.9.95478.509 (I haven’t yet upgraded it to V3.10) along with Spyware Terminator V2.5.6.316 (database version is V3.007.017.000).
All these are for real-time and for on-demand I have SUPERAntiSpyware and Spybot S&D. (But these two shouldn’t matter because they weren’t involved since I didn’t use them to scan.)

I ran an on-demand complete system scan using Avira and when it finished, it showed that my kernel32.dll located at “WINDOWS\system32\kernel32.dll” and “WINDOWS\system32\dllcache\kernel32.dll” were infected and identified the infection as “TR/Patched.GR.6 Trojan”.

I set my Avira to automatically quarantine any infected files and delete the original if it cannot clean them. But in this case, since it was kernel32.dll, Avira didn’t do that and just left it there, and showed a warning message in the report saying “[WARNING] ‘Is the TR/Patched.GR.6 Trojan’. This detection is probably an error. Please send us this file immediately for further analysis.”
Well I didn’t send it to Avira since I didn’t know how to.

Now come my questions.
Is my kernel32.dll really infected? How?! I only surfed the net like usual. I did go to some sites to download cracks and trainers for some games, but I visited those sites with all my security on. My Avira, CIS, and Spyware Terminator all didn’t report anything funny. When I ran the trainers I downloaded, I observed everything they did through the alerts of CIS, but all they did was just accessing the game in memory.

I have also sent my kernel32.dll to VirusTotal for a scan, and this link is the result. Only 3 Antivirus detected something in it. But I still feel unsafe.

What is “TR/Patched.GR.6”? Does this mean the core of my system is infected? (I haven’t yet seen any symptoms. Observable symptoms I mean.)
Can a malware infect my system and command my system to do something funny so that CIS and other security programs would let it pass? Is that possible?

You may think I’m paranoid but that’s because I am! I’ve even set my Defense+ to Paranoid Mode and Firewall to Custom Policy Mode (Safe Mode for both, previously). I disabled the Antivirus in CIS though, since I use Avira.

My OS is Windows XP SP2. I only enabled the Real-time Shield of my Spyware Terminator, but not its HIPS, since CIS’s HIPS is already in place.

So what should I do? Please help!~

A bit off-topic, but is the new free DNS service able to track where I go on the net? I don’t have the knowledge so I’m not sure.

Submit the file to Comodo:

I’ve tried that, but somehow it didn’t seem to work out.


Send both kernel32.dll files to
Mark them as false positives. They will respond quite soon, so check your email. But, because it’s Sunday, I think it will take them time to respond.

You could post your reports in this section to be checked by a staff member:

Hi. Thanks for the link. Somehow I didn’t manage to see that page when I went to that website.
I’ve sent the 2 files in a ZIP file. Of course, the immediate result (verdict) was that my kernel32.dll was “malware”. But I’m waiting for the e-mail from their team.

Uh… May I know what sort of reports you meant?

Yes, the Camas and VirusTotal links you already posted here. Comodo AV staff should understand the Camas report, which I do not; they should reply to your topic if you put it in that section, as they monitor that part of the forum.

Thanks. I’ll do that. :)

I’ll close this duplicate. :)