help with rootkit

I am working on my mother-in-law’s PC. Avast is giving a warning that malware was found. File name: C:\Windows\System32\ntdll.dll. Malware type: rootkit.
The recommended action is to move to chest. I tried this but then I get a “cannot process C:\Windows\System32\ntdll.dll specified file is read only”. What should I do now? Should I move the file or delete?
Thanks,

Ensure that your virus definitions version is up to date; this occurred a couple of days ago and was corrected in the next virus definitions update. There are many topics about ntdll.dll in the viruses and worms forum.

Does your mother-in-law not have the engine and virus definitions on auto update (the default setting), as this should have automatically corrected the detection?

She does have auto update; however, she is on dial-up. I checked the log and it looks like the definitions were updated on 7-17-10. I can’t even open the browser, let alone get online. I can’t get past the avast warning screen. One time it let me get into the avast screen where I was able to schedule a boot scan. The scan started fine but then froze up on a Windows\system32\dllcache file.

There is something stopping the updates; the latest is 100722-1, released a couple of hours ago. Try a manual avast update.

The one in the dllcache location is a backup one so shouldn’t be in use. The one in system32 is a system file and avast won’t send that to the chest or delete it (and you shouldn’t try to remove it either), so you should select No Action.

What avast version are you using, 4.8 or 5.0?

What browser is she using? I believe this is related to IE using ntdll.dll, so you could try installing Firefox: download it on your system and transfer it.

She uses Firefox. It is version 4.8. I just booted it up again. Got the avast warning. This time when I hit No Action, it disappeared; the last time I tried, it just froze up. I tried to open Firefox and it just sits there with the hourglass. I now notice that the indicator light on the front of the tower is blinking red. This is new.

Once you have booted, if you get the alert, select No Action and don’t try to do anything other than a manual VPS update so as to get the latest VPS signature updates.

I ended up doing a system restore. It wouldn’t let me open a browser before; it would just freeze up. Since doing the system restore, I am no longer getting the warning, have updated avast and run a thorough scan as well as Malwarebytes and Spybot. So far so good.
Thanks for all the help.

You’re welcome.