Avast WEBforum
Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: N@URINE on December 15, 2008, 11:53:28 AM
-
I have avast pro latest version. Today a warning popped up showing that there's a suspicious file found in rootkit hidden process: "C:\windows\system32.\ils.dll".
I think it's a false positive: I searched in Google and other sites, the file is authentic.
And this is the report of the VirusTotal site:
http://www.virustotal.com/fr/analisis/106adb90b408e372ad7fd3ff22af087e
I didn't delete it and avast recommended to run scan boot but I haven't yet. I need to make sure it's not a false positive.
-
I went to the file "ils.dll" and scanned it but avast detects nothing about it?! I don't understand what's wrong!!!
-
Same case here, on Windows XP. Details:
File: C:\windows\system32\ils.dll
OS: Windows XP SP3 (greek)
File version: 5.1.2600.5512
MD5Sum of the file: bd51ab8c4dbdb5ec2b28c613687fcbd8
@Nourine: I'd suggest to press "Ignore" but also check the "Submit the file to ..." option. Seems like a false positive.
-
Thanks Maleas! I did. I hope I can find a solution as soon as possible, because I'm not the only user of this computer; my sisters use it, too, and they don't know much about viruses and computers. They would have immediately deleted it if they had found it.
-
Hi,
First post :)
Same thing here. Shortly after booting up this morning I got the "suspicious hidden file found" warning.
I'm ultra paranoid when it comes to internet security so I'm going to assume that this is a FP?
-
one more thing, I checked the log viewer and found in warning :
15/12/2008 10:32 1229337133 SYSTEM 1128 Function setifaceUpdatePackages() has failed. Return code is 0x20000006, dwRes is 20000006.
15/12/2008 10:49 1229338167 SYSTEM 1128 Function setifaceUpdatePackages() has failed. Return code is 0x20000006, dwRes is 20000006.
???
I think the problem started after the today's update, because the database has been updated at 10:20 this morning.
-
The problem should be fixed in a few minutes (with a new VPS update).
-
Thanks, I had the same problem and ran a boot scan, but Avast found nothing, all is clear. Glad that you will fix the problem so quickly! I am extremely satisfied with Avast! I was saved 6 times in the last year by it! Thanks also for the free licence key!
-
Also got ils.dll being flagged as bad. Unable to get on here for a while, kept getting "TRy Later". In the meanwhile did a boot scan - nothing, submitted the dll to Virus Total - 0/38 and finally zipped and submitted to avast via email.
Having now read this will wait for the next definitions update and re-scan the file.
-
thanks. vps has already updated I will restart and see.
The problem should be fixed in a few minutes (with a new VPS update).
-
:) I'm glad to say that I'm satisfied with avast, too
Thanks, I had the same problem and ran a boot scan, but Avast found nothing, all is clear. Glad that you will fix the problem so quickly! I am extremely satisfied with Avast! I was saved 6 times in the last year by it! Thanks also for the free licence key!
-
Also got ils.dll being flagged as bad. Unable to get on here for a while, kept getting "TRy Later".
The same problem here.
-
Morning igor and all,
The 2nd update today seems to have fixed this quirk.
Thanks for the prompt fix.
Regards,
2harts4ever
-
sorry, my mistake... it's a false positive.. fixed VPS should be available already...
-
this morning I have had the same problem >:( >:( >:(. now I have the 081215-1 version of the VPS. The problem has been resolved? ???
-
Same file, same problem. At 13.52 avast sent a new update, maybe the problem has been fixed.
DO NOT ELIMINATE THE FILE.
-
sorry, my mistake... it's a false positive.. fixed VPS should be available already...
we all make errors ;D
-
the problem was solved by the vps?
???
-
with VPS 081215-1, the problem is fixed :)
this morning I have had the same problem >:( >:( >:(. now I have the 081215-1 version of the VPS. The problem has been resolved? ???
-
yes, no more pop-up concerning ils.dll in system32
:) :) :) :) :) :)
the problem was solved by the vps?
???
sorry, my mistake... it's a false positive.. fixed VPS should be available already...
we all make errors ;D
-
scan needs to solve the problem?
with VPS 081215-1, the problem is fixed :)
this morning I have had the same problem >:( >:( >:(. now I have the 081215-1 version of the VPS. The problem has been resolved? ???
-
Yup, just happened to me about an hour ago... also by heuristic method, XP Pro MCE 2005 here, I deleted it and it said it was gonna send it to Avast for analysis...
I guess we'll find out soon enough... if need be, I can re-install netmeeting at some future time, but I haven't used netmeeting in a long long time anyway, so no big loss...
-
I GOT THE SAME WARNING, I GUESS WE ALL AVAST HOME USERS GOT IT AFTER THE DATABASE WAS UPDATED! ???
-
as I know the rootkit is scanned automatically at the start up. if there's something wrong a pop-up window will show up in few seconds or minutes after the startup
scan needs to solve the problem?
with VPS 081215-1, the problem is fixed :)
this morning I have had the same problem >:( >:( >:(. now I have the 081215-1 version of the VPS. The problem has been resolved? ???
-
I've read a few topics and this one seems to fit my situation perfectly, is it a false positive? and is it fixed yet?
I've restarted my computer, and it is scanning it, when that's done I'll wait 8min to see if it pops up :)
If someone could explain this in english(non tech lingo) I would appreciate it, thanks ;)
-
I have the same issue here, will try updating signatures, but this isn't the issue itself I think, because false positives are somewhat 'normal' and you have to expect some of them.
So, this one goes to the developers (I post this suggestion here because it's directly related to this topic):
It would be *very nice* if avast! displayed info on the suspected file like owner, file version, copyright, date & size, time-stamp, etc., the kind of info you get when you google for that file - in this case c:\windows\system32\ils.dll on my XP system.
That way it would be a lot easier to know what to do with it.
cheers
-
finally finished and at 8min it popped up again, how do you update it?
-
When I saw the warning I DELETED the file ils.dll
Now what should I do? Is that file needed by Windows or another programme? Where should I find it now?
Thank you
-
I got the same message today, "suspicious file". It advised me to do a boot-time scan... After starting the boot scan it came to a file (don't remember the name), and then the whole system became as it is... nothing worked. I had to restart my PC.
I was facing the same problem with avast a few days before... when the scan would reach a particular file, it was ntservicepackuninstall.dll, the system would hang and I had to restart. I deleted the particular file and it was OK then, since avast could not reach the file for scanning.
And now I'm facing the same problem... I can't delete all the files on which avast malfunctions as they might be important... what to do now? Please help.
-
hi qim, can we chat? we can solve our probs
-
Updated the program and restarted, it didn't pop up again. Next time I turn it on we shall see if it's gone, but for now updating seems to have worked ;D
-
When I saw the warning I DELETED the file ils.dll
Now what should I do? Is that file needed by Windows or another programme? Where should I find it now?
Thank you
Hi, there are many .DLL support websites where you can download that file from. Just search for 'download ils.dll' or something like that (*without quotes*) and you'll see.
Try for instance www.dlldump.com. I already did the job for you: http://www.dlldump.com/download-dll-files_new.php/dllfiles/I/ils.dll/5.1.2600.2180/download.html
By the way, save the file in the \windows\system32 directory (folder)
avast! is just a GREAT product
-
Hello,
I am on the east coast and updated the vps file (081215) at approximately 6:30 A.M. After that time, I received the "suspicious file" popup. I checked "ignore", after which I was asked if I wanted a boot time scan. I allowed it....it was clean. Here's the problem - I continue to get the popup displaying this "suspicious file" (just got one at 3 P.M.)!!! How do I proceed here?
-
Looks like you need to update again. The latest VPS is 081215-1. Alwil caught the error pretty quickly and corrected the detection in 081215-1.
-
Rick, my error I apologize - I DO have vps 081215-1....just checked to be sure! What now?
-
Did anybody actually delete this file, and has any problem with the computer as a result?
An Avast user at Wilders has posted concerning a detection she quarantined, and now has fairly significant problems.
Does anyone need a copy of this file?
-
after the vps update just restart your computer
Rick, my error I apologize - I DO have vps 081215-1....just checked to be sure! What now?
-
I'm here for the same reason as everyone else. But here's my question:
I did a manual update and the summary says: VPS Already up to date - Current version (081215-1)
When checking my Log viewer under 'Notice', it doesn't reflect this update. It still reads 081215-0 as the last entry. I've rebooted and am still getting the 'Suspicious File Found' notice. Please help.
-
Hi there,
i have the same problem as everyone else since today here except that it doesn't stay with only 1 file that may be infected in my case. It's more like 40 files..
for eg.:
"sign of rootkit hidden file has been found in C:\windows\system.ini
C:\windows\LAN
C:\windows\assembly/GAC_MSIL
C:\windows\assembly/GAC_32
C:\windows\SoftwareDistributionDownload
C:\windows\Twain_32.dll/LogiVid
I also already updated 2 times today and have the latest version (Avast home edition, Windows XP) but the warning popup remains. I also can only choose between 'delete' or 'ignore'. When I hit ignore, the problem remains. I don't want to hit 'delete' because it's like 40 files... Can anyone help please
thanx!!!
-
stoeterke, do you have an ACER computer?
-
Indeed, I have an Acer Aspire 2001WLCi computer...
Do you know maybe what the problem is?
-
They're being studied by Alwil team...
Right now, the workaround will be disabling the antirootkit scanning at the Troubleshoot page of the program settings.
-
Tech, can you help me with my problem? (see above) Why is the update not being reflected in my log and why am I still getting the suspicious file messages? I'd really appreciate it. Thanks.
-
Annie, I've read your post... But I can't help, I mean, I don't understand why after booting the problem is still there...
-
Why is the update not being reflected in my log?
if you update manually the update doesn't appear in the log viewer, it's reflected only when it's automatically updated.
-
Thanks, NourinE. Have any idea why I'm still getting the message?
-
For me the VPS 081215-1 fixed the problem, because I think it's a false positive. If the problem persists there should be an update to fix the problem soon, just be patient. You can turn off the rootkit scan till the problem is fixed.
program settings => troubleshooting => Disable rootkit scan on system startup.
-
Thanks, again. I think I'll take a breath and relax for a while. I'll check later to see if there's any more fixes. Again...thanks.
-
NourinE, thanks from me also. So far, and crossing my fingers, it has not popped up again....we shall see....
-
C'mon people, let's get serious: other products have far more false positives in every new release than avast! in all its history (I'm a longtime user of the Pro version).
I don't see the reason to keep posting waste =P
(maybe the avast! forum is just too friendly)
-
Just a suggestion for the avast team, with regard to the options presented, when the rootkit mechanism finds something suspicious: please replace "delete" with "move to quarantine". Or augment "delete" with another "move to quarantine" option. In either case, make "move to quarantine" the default option.
In general, if a heuristics mechanism finds something suspicious then by all means do provide a "move to quarantine" action and make that action the default one.
-
Fully agree... Alwil, please, do it. Also, think in a way of getting access to Chest from boot time...
-
Is it really a false positive ???
I got the same warning, made a copy of ils.dll and had it removed by Avast. The computer runs much faster now. MSN is still working with webcam and sound. The file is part of netmeeting which should not be running on my pc, but somehow it did, since Avast wanted me to shut down in order to remove the file. Maybe the file misbehaves like a rootkit after all, though it was signed by Microsoft. The Avast message showed that the file was suspect because of heuristics. This means, not because by chance it had the same fingerprint as a real rootkit, but because it behaved like one. Unless Avast can explain how it comes, I am not certain it was a false positive. Could someone tell me in what way ils.dll could do something useful for anyone?
-
made a copy of ils.dll
If you upload it to www.virustotal.com, what do you get?
-
C'mon people, let's get serious: other products have far more false positives in every new release than avast! in all its history (I'm a longtime user of the Pro version).
I don't see the reason to keep posting waste =P
(maybe the avast! forum is just too friendly)
With all due respect, I find this a most puzzling statement. I for one hope that this forum continues to be CIVIL, as well as helpful.
-
Just a suggestion for the avast team, with regard to the options presented, when the rootkit mechanism finds something suspicious: please replace "delete" with "move to quarantine". Or augment "delete" with another "move to quarantine" option. In either case, make "move to quarantine" the default option.
In general, if a heuristics mechanism finds something suspicious then by all means do provide a "move to quarantine" action and make that action the default one.
I'm not sure the 'delete' works anyway with Rootkit detection. At least when Rootkit detection said that 'process.exe' was suspicious 2 or 3 days ago on my PC, I tried the delete choice the second time it was detected. [After finding out that file wasn't important] The file was still there in my Sys32 folder and the same exact size. Someone suggested the code is changed so the file won't run and it's not really deleted. Not really sure though. File size was the same with the exact same extender (exe). ::)
-
Hi - new forum member - I think that my concern is answered but would like to check other user views
Having just got the 'suspicious...' message today I was concerned that it might not have been avast generated at all and perhaps be a piece of malware - but reading these last few pages I think that I can safely respond to the message - do an ignore or delete without being concerned that I will face some malware attack - would that be right?