Author Topic: Suspicious file found in rootkit hidden process "C:\windows\system32.\ils.dll"  (Read 58264 times)


Offline Annie202b

  • Newbie
  • *
  • Posts: 18
Thanks, NourinE.  Have any idea why I'm still getting the message?

Offline N@URINE

  • Full Member
  • ***
  • Posts: 167
Thanks, NourinE.  Have any idea why I'm still getting the message?

For me the VPS 081215-1 fixed the problem, because I think it's a false positive. If the problem persists there should be an update to fix the problem soon, just be patient. You can turn off the rootkit scan till the problem is fixed:
program settings => troubleshooting => Disable rootkit scan on system startup.
NourinE

Offline Annie202b

  • Newbie
  • *
  • Posts: 18
Thanks, again.  I think I'll take a breath and relax for a while.  I'll check later to see if there's any more fixes.  Again...thanks.

Offline NLT

  • Jr. Member
  • **
  • Posts: 41
NourinE, thanks from me also.  So far, and crossing my fingers, it has not popped up again....we shall see....
Dell Inspiron 530s, Intel Core2 Duo Processor, 4GB DDR2 SDRAM @ 667 MHz, 500 GB Serial ATA II Hard Drive, Windows XP SP3, Dell 19" WFP Flat Panel Analog and Digital Monitor, Integrated Intel Graphics Media Accelerator 3100. Avast Free vs7, SuperAntiSpyware Free, Malwarebytes Anti-Malware Free

Offline martosurf

  • Full Member
  • ***
  • Posts: 182
  • www.supportkevin.com - Support Kevin Kjonnas SHAC7
C'mon people, let's get serious: other products have far more false positives in every new release than avast! in all its history (I'm a longtime user of the Pro version).
I don't see the reason to keep posting waste =P
(Maybe the avast! forum is just too friendly.)
"Emancipate yourself from mental slavery / none but ourselves can free our mind" - Bob Marley

Offline maleas

  • Jr. Member
  • **
  • Posts: 23
  • I'm a llama!
Just a suggestion for the avast team, with regard to the options presented, when the rootkit mechanism finds something suspicious: please replace "delete" with "move to quarantine". Or augment "delete" with another "move to quarantine" option. In either case, make "move to quarantine" the default option.

In general, if a heuristics mechanism finds something suspicious then by all means do provide a "move to quarantine" action and make that action the default one.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67249
Just a suggestion for the avast team, with regard to the options presented, when the rootkit mechanism finds something suspicious: please replace "delete" with "move to quarantine". Or augment "delete" with another "move to quarantine" option. In either case, make "move to quarantine" the default option.
Fully agree... Alwil, please, do it. Also, think in a way of getting access to Chest from boot time...
The best things in life are free.

Offline Freddy Bischoff

  • Newbie
  • *
  • Posts: 1
Is it really a false positive ???
I got the same warning, made a copy of ils.dll and had it removed by Avast. The computer runs much faster now. MSN is still working with webcam and sound. The file is part of netmeeting which should not be running on my pc, but somehow it did, since Avast wanted me to shut down in order to remove the file. Maybe the file misbehaves like a rootkit after all, though it was signed by Microsoft. The Avast message showed that the file was suspect because of heuristics. This means, not because by chance it had the same fingerprint as a real rootkit, but because it behaved like one. Unless Avast can explain how it comes, I am not certain it was a false positive. Could someone tell me in what way ils.dll could do something useful for anyone?

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67249
made a copy of ils.dll
If you upload it to www.virustotal.com, what do you get?
The best things in life are free.
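Before uploading a copy of a suspect system file, it helps to record the same facts a VirusTotal report would show. The PowerShell below is an added example for this thread, not something posted by avast! or by anyone in it; the path `C:\Temp\ils.dll.copy` is an assumed location for the copy Freddy describes, and the hashing cmdlet assumes PowerShell 4 or later.

```powershell
# Added example (not from this thread): collect the facts you need before
# deciding whether a flagged system file is a false positive.
# The path is a placeholder for wherever you saved your own copy.
$path = 'C:\Temp\ils.dll.copy'   # assumed location of the copy made before removal

# 1. SHA-256 hash: this is the value to search for on www.virustotal.com,
#    which avoids uploading the file at all if it has already been analysed.
#    (Get-FileHash requires PowerShell 4 or later.)
$hash = Get-FileHash -Path $path -Algorithm SHA256
Write-Output "SHA256           : $($hash.Hash)"

# 2. Authenticode signature: a genuine Microsoft component should report
#    'Valid' with a Microsoft signer. Note that many Windows system files are
#    catalog-signed rather than carrying an embedded signature, so 'NotSigned'
#    on a copied file is not by itself proof of tampering; 'HashMismatch'
#    (a signature present but not matching the content) is the stronger warning.
$sig = Get-AuthenticodeSignature -FilePath $path
Write-Output "Signature status : $($sig.Status)"
if ($sig.SignerCertificate) {
    Write-Output "Signer           : $($sig.SignerCertificate.Subject)"
}

# 3. Version resource: company, product and version strings embedded in the
#    PE header. These are easy to forge, so treat them as a hint, not proof.
$ver = (Get-Item -Path $path).VersionInfo
Write-Output "Company          : $($ver.CompanyName)"
Write-Output "Product          : $($ver.ProductName)"
Write-Output "File version     : $($ver.FileVersion)"
```

Run it from a PowerShell prompt on the machine that produced the warning. The hash and signature status together tell you more than the heuristic alert alone: a valid Microsoft signature plus a hash that VirusTotal already knows as clean points to a false positive, while a hash nobody has seen before on a file claiming to be a Windows component is a reason to keep the copy in quarantine rather than delete it.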

Offline NLT

  • Jr. Member
  • **
  • Posts: 41
C'mon people, let's get serious: other products have far more false positives in every new release than avast! in all its history (I'm a longtime user of the Pro version).
I don't see the reason to keep posting waste =P
(Maybe the avast! forum is just too friendly.)

With all due respect, I find this a most puzzling statement.  I for one hope that this forum continues to be CIVIL, as well as helpful.
Dell Inspiron 530s, Intel Core2 Duo Processor, 4GB DDR2 SDRAM @ 667 MHz, 500 GB Serial ATA II Hard Drive, Windows XP SP3, Dell 19" WFP Flat Panel Analog and Digital Monitor, Integrated Intel Graphics Media Accelerator 3100. Avast Free vs7, SuperAntiSpyware Free, Malwarebytes Anti-Malware Free

Offline Rick F

  • Poster
  • *
  • Posts: 419
  • _______
Just a suggestion for the avast team, with regard to the options presented, when the rootkit mechanism finds something suspicious: please replace "delete" with "move to quarantine". Or augment "delete" with another "move to quarantine" option. In either case, make "move to quarantine" the default option.

In general, if a heuristics mechanism finds something suspicious then by all means do provide a "move to quarantine" action and make that action the default one.

I'm not sure the 'delete' works anyway with Rootkit detection. At least when Rootkit detection said that 'process.exe' was suspicious 2 or 3 days ago on my PC, I tried the delete choice the second time it was detected. [After finding out that file wasn't important] The file was still there in my Sys32 folder and the same exact size.  Someone suggested the code is changed so the file won't run and it's not really deleted.  Not really sure though.  File size was the same with the exact same extender (exe).  ::)
Dell Dimension; Intel-core2 duo; WinXP Media Ctr; 2.8ghz - NTFS; 1-Gig Ram; NVIDIA GeForce 7300LE; Firefox 19.0.2; OE-6; ZA-7.0.302; avast 6.0.1367; / DropMyRights / MalwareBytes-Free / Symantec LiveState Recovery Desktop 6.0 / (using WOT), MVPS HOSTS file, SpywareBlaster, WinPatrol PLUS,

Offline mcfc1632

  • Newbie
  • *
  • Posts: 1
Hi - new forum member - I think that my concern is answered but would like to check other user views

Having just got the 'suspicious...' message today I was concerned that it might not have been avast generated at all and perhaps be a piece of malware - but reading these last few pages I think that I can safely respond to the message - do an ignore or delete without being concerned that I will face some malware attack - would that be right?