Author Topic: Suspicious file found in rootkit hidden process "C:\windows\system32.\ils.dll"  (Read 64186 times)


Annie202b

  • Guest
Thanks, NourinE.  Have any idea why I'm still getting the message?

Offline N@URINE

  • Full Member
  • ***
  • Posts: 167
Thanks, NourinE.  Have any idea why I'm still getting the message?

For me, VPS 081215-1 fixed the problem, because I think it's a false positive. If the problem persists, there should be an update to fix it soon; just be patient. You can turn off the rootkit scan until the problem is fixed:
program settings => troubleshooting => Disable rootkit scan on system startup.
NourinE

Annie202b

  • Guest
Thanks, again.  I think I'll take a breath and relax for a while.  I'll check later to see if there's any more fixes.  Again...thanks.

NLT

  • Guest
NourinE, thanks from me also.  So far, and crossing my fingers, it has not popped up again....we shall see....

martosurf

  • Guest
C'mon people, let's get serious: other products have far more false positives in every new release than avast! has had in all its history (I'm a longtime user of the Pro version).
I don't see the reason to keep posting waste =P
(maybe the avast! forum is just too friendly)

maleas

  • Guest
Just a suggestion for the avast team, with regard to the options presented, when the rootkit mechanism finds something suspicious: please replace "delete" with "move to quarantine". Or augment "delete" with another "move to quarantine" option. In either case, make "move to quarantine" the default option.

In general, if a heuristics mechanism finds something suspicious then by all means do provide a "move to quarantine" action and make that action the default one.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67195
Just a suggestion for the avast team, with regard to the options presented, when the rootkit mechanism finds something suspicious: please replace "delete" with "move to quarantine". Or augment "delete" with another "move to quarantine" option. In either case, make "move to quarantine" the default option.
Fully agree... Alwil, please, do it. Also, think about a way of getting access to the Chest from boot time...
The best things in life are free.

Freddy Bischoff

  • Guest
Is it really a false positive?
I got the same warning, made a copy of ils.dll and had it removed by Avast. The computer runs much faster now. MSN is still working with webcam and sound. The file is part of NetMeeting, which should not be running on my PC, but somehow it was, since Avast wanted me to shut down in order to remove the file. Maybe the file misbehaves like a rootkit after all, though it was signed by Microsoft. The Avast message showed that the file was suspect because of heuristics. This means it was flagged not because it happened to have the same fingerprint as a real rootkit, but because it behaved like one. Unless Avast can explain how this comes about, I am not certain it was a false positive. Could someone tell me in what way ils.dll could do something useful for anyone?

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67195
made a copy of ils.dll
If you upload it to www.virustotal.com, what do you get?
The best things in life are free.

NLT

  • Guest
C'mon people, let's get serious: other products have far more false positives in every new release than avast! has had in all its history (I'm a longtime user of the Pro version).
I don't see the reason to keep posting waste =P
(maybe the avast! forum is just too friendly)

With all due respect, I find this a most puzzling statement.  I for one hope that this forum continues to be CIVIL, as well as helpful.

Rick F

  • Guest
Just a suggestion for the avast team, with regard to the options presented, when the rootkit mechanism finds something suspicious: please replace "delete" with "move to quarantine". Or augment "delete" with another "move to quarantine" option. In either case, make "move to quarantine" the default option.

In general, if a heuristics mechanism finds something suspicious then by all means do provide a "move to quarantine" action and make that action the default one.

I'm not sure the 'delete' works anyway with rootkit detection. At least when rootkit detection said that 'process.exe' was suspicious 2 or 3 days ago on my PC, I tried the delete choice the second time it was detected [after finding out that file wasn't important]. The file was still there in my Sys32 folder and the same exact size. Someone suggested the code is changed so the file won't run and it's not really deleted. Not really sure though. File size was the same with the exact same extension (exe). ::)
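Two things in this thread call for the same check: Lisandro's suggestion to look the file up on www.virustotal.com, and Rick F's doubt about whether "delete" actually changed the file. Before acting on a heuristic rootkit alert, it helps to record the file's hash, Authenticode signature status and which processes have it loaded; running the same script again after the action shows whether anything changed. The PowerShell below is an added example and is not code from the thread or from avast; the file path is the one reported in the thread and is only a default you should replace with whatever your alert names, and the VirusTotal search URL format is an assumption about the current site layout. Nothing is uploaded; the hash is computed locally so you can search for it first.

```powershell
# Added example (not from the forum thread or from avast): gather the facts about a
# file flagged by a heuristic rootkit scan before deciding whether it is a false positive.
# Run it once before and once after any "delete"/"quarantine" action and compare the output.
param(
    # Assumption: the path reported in the thread. Replace with the path in your alert.
    [string]$Path = 'C:\Windows\system32\ils.dll'
)

if (-not (Test-Path -LiteralPath $Path)) {
    Write-Error "File not found: $Path (it may have been removed or quarantined)"
    return
}

$item = Get-Item -LiteralPath $Path

# 1. SHA-256 of the bytes on disk, computed locally. Search this on VirusTotal before
#    uploading anything; a changed hash after "delete" means the file was altered in place.
$bytes  = [System.IO.File]::ReadAllBytes($item.FullName)
$sha256 = [System.BitConverter]::ToString(
              [System.Security.Cryptography.SHA256]::Create().ComputeHash($bytes)
          ).Replace('-', '')

# 2. Authenticode signature. Status 'Valid' means the file is signed and the certificate
#    chain verified on this machine; 'NotSigned' or 'HashMismatch' deserve a closer look.
#    A valid Microsoft signature does not by itself rule out abuse of a legitimate DLL,
#    but it does rule out the file's contents having been patched.
$sig = Get-AuthenticodeSignature -FilePath $item.FullName
$signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }

# 3. Which running processes have this exact file mapped. Reading another process's
#    module list can fail with access denied, so failures are skipped rather than fatal.
$loaders = foreach ($p in Get-Process) {
    try {
        if ($p.Modules.FileName -contains $item.FullName) { $p.ProcessName }
    } catch { }
}

[pscustomobject]@{
    Path            = $item.FullName
    SizeBytes       = $item.Length
    LastWriteUtc    = $item.LastWriteTimeUtc
    SHA256          = $sha256
    SignatureStatus = $sig.Status
    Signer          = $signer
    LoadedBy        = ($loaders | Sort-Object -Unique) -join ', '
    # Assumption: current VirusTotal URL layout for a hash lookup; search the hash
    # manually on www.virustotal.com if this path does not resolve.
    VirusTotalUrl   = "https://www.virustotal.com/gui/file/$sha256"
}
```

If the second run (after telling avast to delete) shows the same size and last-write time but a different SHA256, the file was modified in place rather than removed, which is consistent with the observation above. If the signature status drops from 'Valid' to 'HashMismatch' at the same time, that is the same fact seen from the signature side: the signed bytes no longer match the signature.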

mcfc1632

  • Guest
Hi, new forum member here. I think that my concern is answered, but I would like to check other users' views.

Having just got the 'suspicious...' message today, I was concerned that it might not have been avast generated at all and might instead be a piece of malware. But reading these last few pages, I think that I can safely respond to the message (do an ignore or delete) without being concerned that I will face some malware attack. Would that be right?