Did iXer send the DLL dumped from WinDbg for scanning? I thought about the matter for a while and then searched the web a bit about the use of SOS.dll in WinDbg for saving modules from memory to disk. It seems that there might be legitimate explanations for the discrepancies between the dumped version of iertutil.dll and the original one in System32. According to a discussion on Stack Overflow, memory alignment could be one of the causes. So perhaps we are just worrying about sky-fall after all. However, the thought that a Zeus/ZBot has infiltrated our machines is just too scary -- who knows what such a bug could have stolen from us if it managed to penetrate our machines even with our (perhaps) overcautious way of scanning!
Michael (alan1998):
Although, I must ask. Why are you guys running custom scans? The normal Full Scan or Quick Scan will do.
I echo paraxeno's sentiments. We are just trying to play safe and scan as thoroughly as possible, hopefully to increase the chance of catching any scary viruses like the ever-changing/polymorphic Zeus variants. Again, if custom or memory scans are not supposed to be done, then why would Avast provide the elaborate interface to allow users to do them? I am glad that it turns out to be another false alarm, but I personally would rather go through such a drill once in a while and stay alert than be complacent and get robbed clean :-)
PS. I scanned the machines with the updated Avast database and no threats are detected now.