Avast WEBforum

Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: N@URINE on December 15, 2008, 11:53:28 AM

Title: Suspicious file found in rootkit hidden process "C:\windows\system32.\ils.dll"
Post by: N@URINE on December 15, 2008, 11:53:28 AM
I have avast pro latest version. Today a warning popped up showing that there's a suspicious file found in rootkit hidden process: "C:\windows\system32.\ils.dll".
I think it's a false positive: I searched in Google and other sites, the file is authentic.
And this is the report of the VirusTotal site:
http://www.virustotal.com/fr/analisis/106adb90b408e372ad7fd3ff22af087e
I didn't delete it and avast recommended to run scan boot but I haven't yet. I need to make sure it's not a false positive.
Title: Re: Suspicious file found in rootkit hidden process "C:\windows\system32.\ils.dll"
Post by: N@URINE on December 15, 2008, 12:00:52 PM
I went to the file "ils.dll" and scanned it but avast detects nothing about it?! I don't understand what's wrong!!!
Title: Re: Suspicious file found in rootkit hidden process "C:\windows\system32.\ils.dll"
Post by: maleas on December 15, 2008, 12:25:45 PM
Same case here, on Windows XP. Details:
File: C:\windows\system32\ils.dll
OS: Windows XP SP3 (greek)
File version: 5.1.2600.5512
MD5Sum of the file: bd51ab8c4dbdb5ec2b28c613687fcbd8

@Nourine: I'd suggest to press "Ignore" but also check the "Submit the file to ..." option. Seems like a false positive.
Title: Re: Suspicious file found in rootkit hidden process "C:\windows\system32.\ils.dll"
Post by: N@URINE on December 15, 2008, 12:31:17 PM
thanks Maleas! I did. I hope I can find a solution as soon as possible, because I'm not the only user of this computer, my sisters use it, too. and they don't know much about viruses and computer. they would have immediately deleted it if they had found it.


> @Nourine: I'd suggest to press "Ignore" but also check the "Submit the file to ..." option. Seems like a false positive.
Title: Re: Suspicious file found in rootkit hidden process "C:\windows\system32.\ils.dll"
Post by: Pekker on December 15, 2008, 12:34:11 PM
Hi,

First post :)

Same thing here. Shortly after booting up this morning I got the "suspicious hidden file found" warning.

I'm ultra paranoid when it comes to internet security so I'm going to assume that this is a FP?
Title: Re: Suspicious file found in rootkit hidden process "C:\windows\system32.\ils.dll"
Post by: N@URINE on December 15, 2008, 12:40:45 PM
one more thing, I checked the log viewer and found in warning :

15/12/2008   10:32   1229337133   SYSTEM   1128   Function setifaceUpdatePackages() has failed. Return code is 0x20000006, dwRes is 20000006. 
15/12/2008   10:49   1229338167   SYSTEM   1128   Function setifaceUpdatePackages() has failed. Return code is 0x20000006, dwRes is 20000006. 
 ???
I think the problem started after today's update, because the database has been updated at 10:20 this morning.
Title: Re: Suspicious file found in rootkit hidden process "C:\windows\system32.\ils.dll"
Post by: igor on December 15, 2008, 01:11:26 PM
The problem should be fixed in a few minutes (with a new VPS update).
Title: Re: Suspicious file found in rootkit hidden process "C:\windows\system32.\ils.dll"
Post by: fensi88 on December 15, 2008, 01:27:26 PM
Thanks, I had the same problem and ran a boot scan, but Avast found nothing, all is clear. Glad that you will fix the problem so quickly! I am extremely satisfied with Avast! I was saved 6 times in the last year by it! Thanks also for the free licence key!
Title: Re: Suspicious file found in rootkit hidden process "C:\windows\system32.\ils.dll"
Post by: Gandalf_22h on December 15, 2008, 01:41:57 PM
Also got ils.dll being flagged as bad. Unable to get on here for a while, kept getting "TRy Later". In the meanwhile did a boot scan - nothing, submitted the dll to Virus Total - 0/38 and finally zipped and submitted to avast via email.
Having now read this will wait for the next definitions update and re-scan the file.
Title: Re: Suspicious file found in rootkit hidden process "C:\windows\system32.\ils.dll"
Post by: N@URINE on December 15, 2008, 01:46:21 PM
thanks. vps has already updated I will restart and see.

> The problem should be fixed in a few minutes (with a new VPS update).
Title: Re: Suspicious file found in rootkit hidden process "C:\windows\system32.\ils.dll"
Post by: N@URINE on December 15, 2008, 01:48:47 PM
:) I'm glad to say that I'm satisfied with avast, too
> Thanks, I had the same problem and ran a boot scan, but Avast found nothing, all is clear. Glad that you will fix the problem so quickly! I am extremely satisfied with Avast! I was saved 6 times in the last year by it! Thanks also for the free licence key!
Title: Re: Suspicious file found in rootkit hidden process "C:\windows\system32.\ils.dll"
Post by: N@URINE on December 15, 2008, 01:51:23 PM
> Also got ils.dll being flagged as bad. Unable to get on here for a while, kept getting "TRy Later".

the same prb here.
Title: Re: Suspicious file found in rootkit hidden process "C:\windows\system32.\ils.dll"
Post by: 2harts4ever on December 15, 2008, 01:52:09 PM
Morning igor and all,

The 2nd update today seems to have fixed this quirk.
Thanks for the prompt fix.
Regards,
2harts4ever
Title: Re: Suspicious file found in rootkit hidden process "C:\windows\system32.\ils.dll"
Post by: Maxx_original on December 15, 2008, 01:56:06 PM
sorry, my mistake... it's a false positive.. fixed VPS should be available already...
Title: Re: Suspicious file found in rootkit hidden process "C:\windows\system32.\ils.dll"
Post by: falcon710 on December 15, 2008, 01:58:40 PM
this morning I have had the same problem >:( >:( >:(. now I have the 081215-1 version of the VPS.   The problem has been resolved? ???
Title: Re: Suspicious file found in rootkit hidden process "C:\windows\system32.\ils.dll"
Post by: antonpaco on December 15, 2008, 02:00:43 PM
same file, same problem, at 13.52 avast sent a new update, maybe the problem has been fixed.
DO NOT ELIMINATE THE FILE.
Title: Re: Suspicious file found in rootkit hidden process "C:\windows\system32.\ils.dll"
Post by: falcon710 on December 15, 2008, 02:02:03 PM
> sorry, my mistake... it's a false positive.. fixed VPS should be available already...


all we make errors ;D
Title: Re: Suspicious file found in rootkit hidden process "C:\windows\system32.\ils.dll"
Post by: mansteel on December 15, 2008, 02:11:45 PM
the problem was solved by the vps?
 ???


> > sorry, my mistake... it's a false positive.. fixed VPS should be available already...
>
> all we make errors ;D
Title: Re: Suspicious file found in rootkit hidden process "C:\windows\system32.\ils.dll"
Post by: N@URINE on December 15, 2008, 02:12:20 PM
with VPS 081215-1, the problem is fixed :)

> this morning I have had the same problem >:( >:( >:(. now I have the 081215-1 version of the VPS.   The problem has been resolved? ???
Title: Re: Suspicious file found in rootkit hidden process "C:\windows\system32.\ils.dll"
Post by: N@URINE on December 15, 2008, 02:13:40 PM
yes, no more pop-up concerning ils.dll in system32
 :) :) :) :) :) :)

> the problem was solved by the vps?
>  ???
>
> > > sorry, my mistake... it's a false positive.. fixed VPS should be available already...
> >
> > all we make errors ;D
Title: Re: Suspicious file found in rootkit hidden process "C:\windows\system32.\ils.dll"
Post by: mansteel on December 15, 2008, 02:15:10 PM
scan needs to solve the problem?


> with VPS 081215-1, the problem is fixed :)
>
> > this morning I have had the same problem >:( >:( >:(. now I have the 081215-1 version of the VPS.   The problem has been resolved? ???
Title: Re: Suspicious file found in rootkit hidden process "C:\windows\system32.\ils.dll"
Post by: primeuser on December 15, 2008, 02:16:15 PM
Yup, just happened to me about an hour ago... also by heuristic method, XP Pro MCE 2005 here, I deleted it and it said it was gonna send it to Avast for analysis...

I guess we'll find out soon enough... if need be, I can re-install netmeeting at some future time, but I haven't used netmeeting in a long long time anyway, so no big loss...
Title: Re: Suspicious file found in rootkit hidden process "C:\windows\system32.\ils.dll"
Post by: tukso_n_march on December 15, 2008, 02:20:51 PM
I GOT THE SAME WARNING, I GUESS WE ALL AVAST HOME USERS GOT IT AFTER THE DATABASE WAS UPDATED!  ???
Title: Re: Suspicious file found in rootkit hidden process "C:\windows\system32.\ils.dll"
Post by: N@URINE on December 15, 2008, 02:21:47 PM
as I know the rootkit is scanned automatically at the start up. if there's something wrong a pop-up window will show up in few seconds or minutes after the startup

> scan needs to solve the problem?
>
> > with VPS 081215-1, the problem is fixed :)
> >
> > > this morning I have had the same problem >:( >:( >:(. now I have the 081215-1 version of the VPS.   The problem has been resolved? ???
Title: Re: Suspicious file found in rootkit hidden process "C:\windows\system32.\ils.dll"
Post by: radar9077 on December 15, 2008, 04:45:41 PM
I've read a few topics and this one seems to fit my situation perfectly, is it a false positive? and is it fixed yet?

I've restarted my computer, and it is scanning it, when that's done I'll wait 8min to see if it pops up :)

If someone could explain this in english(non tech lingo) I would appreciate it, thanks ;)
Title: Re: Suspicious file found in rootkit hidden process "C:\windows\system32.\ils.dll"
Post by: martosurf on December 15, 2008, 05:08:15 PM
I have the same issue here, will try updating signatures, but this isn't the issue itself I think, because false positives are somewhat 'normal' and you have to expect some of them.


So, this one goes to developers (I post this suggestion here because it's directly related to this topic):

It would be *very nice* if avast! displayed info on the suspected file like owner, file version, copyright, date & size, time-stamp, etc., the kind of info you get when you google for that file - in this case c:\windows\system32\ils.dll on my XP system.

That way it would be a lot easier to know what to do with it.

cheers
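
The file details asked for in the post above (owner, version, copyright, size, time-stamp) can be collected with built-in PowerShell cmdlets; the following is an added example, not part of the original post or of avast!, and the function name Get-FlaggedFileReport is hypothetical. The reference MD5 is the one maleas reported earlier in this thread for file version 5.1.2600.5512 on XP SP3 (Greek); other language or service-pack builds will have a different hash.

```powershell
# Added example (not from the thread): gather identifying details for a file
# that a heuristic scan has flagged, before choosing Ignore or Delete.
# Get-FlaggedFileReport is a hypothetical helper name.
function Get-FlaggedFileReport {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$Path,

        # Optional MD5 that someone else reported for the same file version.
        # A match is only a cross-check, not proof that the file is clean.
        [string]$ReferenceMd5
    )

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        throw "File not found: $Path"
    }

    # -Force so hidden/system files are returned as well
    $item   = Get-Item -LiteralPath $Path -Force
    $ver    = $item.VersionInfo
    $md5    = (Get-FileHash -LiteralPath $item.FullName -Algorithm MD5).Hash.ToLowerInvariant()
    $sha256 = (Get-FileHash -LiteralPath $item.FullName -Algorithm SHA256).Hash.ToLowerInvariant()

    # OS files are often catalog-signed; older Windows/PowerShell versions may
    # report NotSigned for them, so read the status together with hash and version.
    $sig    = Get-AuthenticodeSignature -LiteralPath $item.FullName
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }

    # $null when no reference hash was supplied, otherwise $true / $false
    $md5Match = if ($ReferenceMd5) {
        $md5 -eq $ReferenceMd5.Trim().ToLowerInvariant()
    } else {
        $null
    }

    [pscustomobject]@{
        Path                = $item.FullName
        Owner               = (Get-Acl -LiteralPath $item.FullName).Owner
        SizeBytes           = $item.Length
        CreatedUtc          = $item.CreationTimeUtc
        LastWriteUtc        = $item.LastWriteTimeUtc
        CompanyName         = $ver.CompanyName
        FileDescription     = $ver.FileDescription
        FileVersion         = $ver.FileVersion
        LegalCopyright      = $ver.LegalCopyright
        OriginalFilename    = $ver.OriginalFilename
        SignatureStatus     = $sig.Status
        Signer              = $signer
        MD5                 = $md5
        SHA256              = $sha256
        MatchesReferenceMd5 = $md5Match
    }
}

# Path and MD5 are the values posted in this thread.
$target = 'C:\windows\system32\ils.dll'
if (Test-Path -LiteralPath $target -PathType Leaf) {
    Get-FlaggedFileReport -Path $target `
        -ReferenceMd5 'bd51ab8c4dbdb5ec2b28c613687fcbd8' | Format-List
} else {
    Write-Host "$target is not present on this system."
}
```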
Title: Re: Suspicious file found in rootkit hidden process "C:\windows\system32.\ils.dll"
Post by: radar9077 on December 15, 2008, 05:19:40 PM
finally finished and at 8min it popped up again, how do you update it?
Title: Re: Suspicious file found in rootkit hidden process "C:\windows\system32.\ils.dll"
Post by: qim on December 15, 2008, 05:49:16 PM
When I saw the warning I DELETED the file ils.dll

Now what should I do?  Is that file needed by Windows or another programme?  Where should I find it now?

Thank you
Title: Re: Suspicious file found in rootkit hidden process "C:\windows\system32.\ils.dll"
Post by: anupupadhye on December 15, 2008, 05:53:55 PM
I got the same message today, "suspicious file". It advised me for a boot time scan... After starting the boot scan it came to a file (I don't remember the name), and then the whole system became as it is... nothing worked. I had to restart my PC.
I was facing the same problem with avast a few days before... When the scan would reach a particular file, it was ntservicepackuninstall.dll, the system would hang and I had to restart. I deleted the particular file and it was OK then, since avast could not reach the file for scanning.
And now I'm facing the same problem... I can't delete all the files on which avast malfunctions as they might be important... What to do now? Please help.
Title: Re: Suspicious file found in rootkit hidden process "C:\windows\system32.\ils.dll"
Post by: anupupadhye on December 15, 2008, 05:59:22 PM
hi qim, can we chat? we can solve our probs
Title: Re: Suspicious file found in rootkit hidden process "C:\windows\system32.\ils.dll"
Post by: radar9077 on December 15, 2008, 07:04:53 PM
updated program and restarted, it didn't pop up again, next time I turn it on we shall see if it's gone, but for now updating seems to have worked  ;D
Title: Re: Suspicious file found in rootkit hidden process "C:\windows\system32.\ils.dll"
Post by: martosurf on December 15, 2008, 07:30:17 PM
> When I saw the warning I DELETED the file ils.dll
>
> Now what should I do?  Is that file needed by Windows or another programme?  Where should I find it now?
>
> Thank you

hi, there're many .DLL support websites where you can download that file from. just search for 'download ils.dll' or something like that (*without quotes*) and you'll see.
try for instance www.dlldump.com. I already did the job 4 you: http://www.dlldump.com/download-dll-files_new.php/dllfiles/I/ils.dll/5.1.2600.2180/download.html
By the way, save the file in the \windows\system32 directory (folder)


avast! is just a GREAT product
Title: Re: Suspicious file found in rootkit hidden process "C:\windows\system32.\ils.dll"
Post by: NLT on December 15, 2008, 09:25:07 PM
Hello,

I am on the east coast and updated the vps file (081215) at approximately 6:30 A.M.  After that time, I received the "suspicious file" popup.  I checked "ignore", after which I was asked if I wanted a boot time scan.  I allowed it....it was clean.  Here's the problem - I continue to get the popup displaying this "suspicious file" (just got one at 3 P.M.)!!!  How do I proceed here?
Title: Re: Suspicious file found in rootkit hidden process "C:\windows\system32.\ils.dll"
Post by: Rick F on December 15, 2008, 09:31:11 PM
> Hello,
>
> I am on the east coast and updated the vps file (081215) at approximately 6:30 A.M.  After that time, I received the "suspicious file" popup.  I checked "ignore", after which I was asked if I wanted a boot time scan.  I allowed it....it was clean.  Here's the problem - I continue to get the popup displaying this "suspicious file" (just got one at 3 P.M.)!!!  How do I proceed here?

Looks like you need to update again.  The latest VPS is 081215-1.  Alwil caught the error pretty quickly and corrected the detection in 081215-1.
Title: Re: Suspicious file found in rootkit hidden process "C:\windows\system32.\ils.dll"
Post by: NLT on December 15, 2008, 09:45:07 PM
Rick, my error I apologize - I DO have vps 081215-1....just checked to be sure!  What now?
Title: Re: Suspicious file found in rootkit hidden process "C:\windows\system32.\ils.dll"
Post by: Tarq57 on December 15, 2008, 09:46:46 PM
Did anybody actually delete this file, and has any problem with the computer as a result?
An Avast user at Wilders has posted concerning a detection she quarantined, and now has fairly significant problems.
Does anyone need a copy of this file?
Title: Re: Suspicious file found in rootkit hidden process "C:\windows\system32.\ils.dll"
Post by: N@URINE on December 15, 2008, 10:05:35 PM
after the vps update just restart  your computer
> Rick, my error I apologize - I DO have vps 081215-1....just checked to be sure!  What now?
Title: Re: Suspicious file found in rootkit hidden process "C:\windows\system32.\ils.dll"
Post by: Annie202b on December 15, 2008, 10:08:51 PM
I'm here for the same reason as everyone else.  But here's my question:

I did a manual update and the summary says: VPS Already up to date - Current version (081215-1)

When checking my Log viewer under 'Notice', it doesn't reflect this update.  It still reads 081215-0 as the last entry.  I've rebooted and am still getting the 'Suspicious File Found' notice.  Please help.  
Title: Re: Suspicious file found in rootkit hidden process "C:\windows\system32.\ils.dll"
Post by: stoeterke on December 15, 2008, 10:25:54 PM
Hi there,
i have the same problem as everyone else since today here except that it doesn't stay with only 1 file that may be infected in my case. It's more like 40 files..
for eg.:
"sign of rootkit hidden file has been found in
    C:\windows\system.ini
    C:\windows\LAN
    C:\windows\assembly/GAC_MSIL
    C:\windows\assembly/GAC_32
    C:\windows\SoftwareDistributionDownload
    C:\windows\Twain_32.dll/LogiVid
I also already updated 2 times today and have the latest version (Avast home edition, windows XP) but the warning popup remains. I also only can choose between 'delete' or 'ignore'. When I hit ignore, the problem remains, I don't want to hit 'delete' because it's like 40 files... Can anyone help please
thanx!!!
Title: Re: Suspicious file found in rootkit hidden process "C:\windows\system32.\ils.dll"
Post by: Lisandro on December 15, 2008, 10:37:08 PM
stoeterke, do you have an ACER computer?
Title: Re: Suspicious file found in rootkit hidden process "C:\windows\system32.\ils.dll"
Post by: stoeterke on December 15, 2008, 10:39:15 PM
> stoeterke, do you have an ACER computer?

Indeed, I have an Acer Aspire 2001WLCi computer...
Do you know maybe what the problem is?
Title: Re: Suspicious file found in rootkit hidden process "C:\windows\system32.\ils.dll"
Post by: Lisandro on December 15, 2008, 10:44:50 PM
They're being studied by Alwil team...
Right now, the workaround will be disabling the antirootkit scanning at the Troubleshoot page of the program settings.
Title: Re: Suspicious file found in rootkit hidden process "C:\windows\system32.\ils.dll"
Post by: Annie202b on December 15, 2008, 10:50:00 PM
Tech, can you help me with my problem? (see above) Why is the update not being reflected in my log and why am I still getting the suspicious file messages?  I'd really appreciate it.  Thanks.
Title: Re: Suspicious file found in rootkit hidden process "C:\windows\system32.\ils.dll"
Post by: Lisandro on December 15, 2008, 10:56:13 PM
> Tech, can you help me with my problem? (see above) Why is the update not being reflected in my log and why am I still getting the suspicious file messages?  I'd really appreciate it.  Thanks.
Annie, I've read your post... But I can't help, I mean, I don't understand why after booting the problem is still there...
Title: Re: Suspicious file found in rootkit hidden process "C:\windows\system32.\ils.dll"
Post by: N@URINE on December 15, 2008, 11:24:52 PM
> Why is the update not being reflected in my log?

if you update manually the update doesn't appear in the log viewer, it's reflected only when  it's automatically updated.
Title: Re: Suspicious file found in rootkit hidden process "C:\windows\system32.\ils.dll"
Post by: Annie202b on December 15, 2008, 11:33:28 PM
Thanks, NourinE.  Have any idea why I'm still getting the message?
Title: Re: Suspicious file found in rootkit hidden process "C:\windows\system32.\ils.dll"
Post by: N@URINE on December 15, 2008, 11:43:11 PM
> Thanks, NourinE.  Have any idea why I'm still getting the message?

for me the VPS 081215-1 fixed the problem, because I think it's a false positive. if the problem persists there should be an update to fix the problem soon, just be patient. you can turn off the rootkit scan till the problem is fixed.
program settings => troubleshooting =>  Disable rootkit scan on system startup.
Title: Re: Suspicious file found in rootkit hidden process "C:\windows\system32.\ils.dll"
Post by: Annie202b on December 15, 2008, 11:47:35 PM
Thanks, again.  I think I'll take a breath and relax for a while.  I'll check later to see if there's any more fixes.  Again...thanks.
Title: Re: Suspicious file found in rootkit hidden process "C:\windows\system32.\ils.dll"
Post by: NLT on December 16, 2008, 02:59:09 AM
NourinE, thanks from me also.  So far, and crossing my fingers, it has not popped up again....we shall see....
Title: Re: Suspicious file found in rootkit hidden process "C:\windows\system32.\ils.dll"
Post by: martosurf on December 16, 2008, 03:39:22 AM
c'mon people, let's get serious: other products have far more false positives in every new release than avast! in all its history (i'm a longtime user of Pro version).
I don't see the reason to keep posting waste =P
(may be avast! forum is just too friendly)
Title: Re: Suspicious file found in rootkit hidden process "C:\windows\system32.\ils.dll"
Post by: maleas on December 16, 2008, 11:17:27 AM
Just a suggestion for the avast team, with regard to the options presented, when the rootkit mechanism finds something suspicious: please replace "delete" with "move to quarantine". Or augment "delete" with another "move to quarantine" option. In either case, make "move to quarantine" the default option.

In general, if a heuristics mechanism finds something suspicious then by all means do provide a "move to quarantine" action and make that action the default one.
Title: Re: Suspicious file found in rootkit hidden process "C:\windows\system32.\ils.dll"
Post by: Lisandro on December 16, 2008, 11:50:46 AM
> Just a suggestion for the avast team, with regard to the options presented, when the rootkit mechanism finds something suspicious: please replace "delete" with "move to quarantine". Or augment "delete" with another "move to quarantine" option. In either case, make "move to quarantine" the default option.
Fully agree... Alwil, please, do it. Also, think in a way of getting access to Chest from boot time...
Title: Re: Suspicious file found in rootkit hidden process "C:\windows\system32.\ils.dll"
Post by: Freddy Bischoff on December 16, 2008, 12:48:03 PM
Is it really a false positive ???
I got the same warning, made a copy of ils.dll and had it removed by Avast. The computer runs much faster now. MSN is still working with webcam and sound. The file is part of netmeeting which should not be running on my pc, but somehow it did, since Avast wanted me to shut down in order to remove the file. Maybe the file misbehaves like a rootkit after all, though it was signed by Microsoft. The Avast message showed that the file was suspect because of heuristics. This means, not because by chance it had the same fingerprint as a real rootkit, but because it behaved like one. Unless Avast can explain how it comes, I am not certain it was a false positive. Could someone tell me in what way ils.dll could do something useful for anyone?
Title: Re: Suspicious file found in rootkit hidden process "C:\windows\system32.\ils.dll"
Post by: Lisandro on December 16, 2008, 02:44:52 PM
> made a copy of ils.dll
If you upload it to www.virustotal.com, what do you get?
Title: Re: Suspicious file found in rootkit hidden process "C:\windows\system32.\ils.dll"
Post by: NLT on December 16, 2008, 03:25:08 PM
> c'mon people, let's get serious: other products have far more false positives in every new release than avast! in all its history (i'm a longtime user of Pro version).
> I don't see the reason to keep posting waste =P
> (may be avast! forum is just too friendly)


With all due respect, I find this a most puzzling statement.  I for one hope that this forum continues to be CIVIL, as well as helpful.
Title: Re: Suspicious file found in rootkit hidden process "C:\windows\system32.\ils.dll"
Post by: Rick F on December 16, 2008, 04:32:52 PM
> Just a suggestion for the avast team, with regard to the options presented, when the rootkit mechanism finds something suspicious: please replace "delete" with "move to quarantine". Or augment "delete" with another "move to quarantine" option. In either case, make "move to quarantine" the default option.
>
> In general, if a heuristics mechanism finds something suspicious then by all means do provide a "move to quarantine" action and make that action the default one.

I'm not sure the 'delete' works anyway with Rootkit detection. At least when Rootkit detection said that 'process.exe' was suspicious 2 or 3 days ago on my PC, I tried the delete choice the second time it was detected. [After finding out that file wasn't important] The file was still there in my Sys32 folder and the same exact size.  Someone suggested the code is changed so the file won't run and it's not really deleted.  Not really sure though.  File size was the same with the exact same extender (exe).  ::)
Title: Re: Suspicious file found in rootkit hidden process "C:\windows\system32.\ils.dll"
Post by: mcfc1632 on November 09, 2010, 01:04:34 PM
Hi - new forum member - I think that my concern is answered but would like to check other user views

Having just got the 'suspicious...' message today I was concerned that it might not have been avast generated at all and perhaps be a piece of malware - but reading these last few pages I think that I can safely respond to the message - do an ignore or delete without being concerned that I will face some malware attack - would that be right?