Topic: avast 6.0.1289 vs aswMBR


Rick F

  • Guest
avast 6.0.1289 vs aswMBR
« on: September 19, 2011, 02:31:09 AM »
This past weekend I updated to the latest ver. of avast (6.0.1289).  It's working fine, no problems.  Thanks again to the great team at avast!  ;D

In reading the forum I noticed there's a newer version of avast's 'stand-alone' anti-rootkit, so I downloaded it and ran it (aswMBR ver 0.9.8.986).  It didn't find a rootkit, but marked a file in my system32 directory as being suspicious.  The file is: "windows\system32\ntdll.dll" (NT Layer DLL I think).  It's 692K in size and dated 8/10/2004, so I'm pretty sure it's legit.  I ran a full scan using avast and no threat was found.  Avast used to run a 'rootkit' scan 8 mins after boot, so I'm sure it should have said something in the prior days if there was something suspicious.  Yes? No?  The PC has been rebooted several times since upgrading to 1289.

BTW, I know I'm still on WinXP; SP-2.  I can't install SP-3 due to two KBs that are included.

Thanks.

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37527
  • Not an avast user
Re: avast 6.0.1289 vs aswMBR
« Reply #1 on: September 19, 2011, 03:01:36 AM »
Quote
Avast used to run a 'rootkit' scan 8 mins after boot,
still does...


Quote
The file is: "windows\system32\ntdll.dll"
upload suspicious file(s) to www.virustotal.com and test with 44 malware scanners
when you have the result, copy the url in the address bar and post it here for us to see


alternative
Jotti     http://virusscan.jotti.org/en
VirSCAN   http://virscan.org/
Metascan  http://www.metascan-online.com/



Rick F

  • Guest
Re: avast 6.0.1289 vs aswMBR
« Reply #2 on: September 19, 2011, 03:24:06 AM »
Thanks Pondus,

I should have remembered to do that, duh.  ::)

Jotti and Metascan say all clean.  I get a 403 forbidden error at virscan.org after uploading the file (any file to them), so it couldn't scan it.  But that's good enough for me.

Must be a false positive for the latest aswMBR.

Thanks again.   ;)

Offline Pondus

Re: avast 6.0.1289 vs aswMBR
« Reply #3 on: September 19, 2011, 03:38:37 AM »
well...suspicious isn't actually a False Positive....as it is not detected as malware   ;)

Rick F

  • Guest
Re: avast 6.0.1289 vs aswMBR
« Reply #4 on: September 19, 2011, 03:56:01 AM »
Oh you're right.  It's just a falsely suspicious.  ;D