ntdll.dll infected

When I started my computer avast said that ntdll.dll was infected. When I tried to move to chest/rename/delete, avast couldn’t do it. I restarted in safe mode and scanned the ntdll.dll file with avast and it said no threats were detected. Is this file really infected?

I don’t think it’s really infected… if it claims to be Win32:rootkit-gen. I started getting this within a minute or two of my systems applying the 100719-1 update (Avast ADNM with 4.8 clients). I’m getting hundreds of Virus alert emails every few minutes from all the infected machines now, all pointing at NTDLL.DLL in the system32 or dllcache directory, as well as copies in the C:\WINDOWS\TEMP_AVAST4_\ directory.

sigh

Are both files the same? I mean, are they in the same folder?
Can you submit it to www.virustotal.com and check?

The files in my case are identical… the “main” copy of ntdll.dll and the cached copy. Virustotal.com says nothing’s wrong with them. Last mod date 2/9/2009. I scanned this file on a copy still on 100719-0, with no issues. Then let the machine update to 100719-1, and bingo - Win32:rootkit-gen, and it goes in the chest.

Seems indeed a false positive.
Hope they correct it soon!

In the VT results, what is the reported file size?

What is your OS?
Mine is XP Pro SP3 and the ntdll.dll in the system32 folder scans clean, see image, also see the MD5 hash which you can check against yours if you also have XP SP3.

My copy in the dllcache sub-folder is identical so no detection.

Can you explain what you mean by the email alerts all pointing at the ntdll.dll file?
Do you mean that that is the process responsible for sending them, as it is possible that there could be something manipulating the ntdll.dll file?

Interesting. My computer also suddenly started complaining that my ntdll.dll is infected with Win32:Rootkit-gen[Rtk] yesterday night although I wasn’t paying attention to whether it had recently updated itself.
I’ve not had a chance to run my ntdll.dll through virustotal but I do suspect it’s a false alert somehow. My pc is running something at the moment so won’t have a chance to reboot to grab ntdll.dll anytime soon.
And I see at least another topic started very recently about this alert: http://forum.avast.com/index.php?topic=62027.0

Please let us know if this is confirmed as a false alert on Avast and when this is fixed so I can download latest and scan again.

Thanks,
Calvin

Did you click on the image to enlarge it and check the details on it, and are they the same as yours?

You don’t have to reboot to grab anything, you should be able to copy the file so it can be uploaded, but you will need to take measures to stop avast a) alerting and b) blocking the upload to VT.

You could also check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner and report the findings here (the URL in the Address bar of the VT results page). You can’t do this with the file securely in the chest or in the original location if avast is alerting, you need to extract/copy it to a temporary (not original) location first, see below.

Create a folder called Suspect in the C: drive. Now exclude that folder in the File System Shield, Expert Settings, Exclusions, Add, type (or copy and paste) C:\Suspect\*
That will stop the File System Shield scanning any file you put in that folder.

Overnight, my ADNM server updated to 100720-0, and it pushed out to the workstations around 3:05 this morning my time. My last email from ADNM was at 3:00. These are the email alerts I was referring to… the notifications that are sent to the ADNM administrator when a virus is detected on a managed workstation.

Oddly enough, it didn’t hit every workstation we have… they are all XP SP3. I believe it has something to do with what actions were being performed after 100719-1 was applied. On my own workstation, for example, I never had a hit. It seemed to me that the most frequent “hits” were generated on workstations which Internet Explorer was most active on… folks that used the web the most frequently in their jobs (we’re a City government) were getting the most virus alerts… here’s an example of what I was seeing in the emails:

First emailed notice was always on the “base” NTDLL.DLL file:

avast! [REC-FRONTDESK]: File “C:\WINDOWS\SYSTEM32\NTDLL.DLL” is infected by “Win32:Rootkit-gen [Rtk]” virus.
“Resident protection (Standard Shield)” task used
Version of current VPS file is 100719-1, 07/19/2010

Usually followed within a minute by:

avast! [REC-FRONTDESK]: File “C:\WINDOWS\system32\dllcache\ntdll.dll” is infected by “Win32:Rootkit-gen [Rtk]” virus.
“Resident protection (Standard Shield)” task used
Version of current VPS file is 100719-1, 07/19/2010

Then, I get dozens of notices along these lines:

avast! [REC-FRONTDESK]: File “C:\WINDOWS\TEMP_AVAST4_\UNP121114727.TMP” is infected by “Win32:Rootkit-gen [Rtk]” virus.
“Resident protection (Standard Shield)” task used
Version of current VPS file is 100719-1, 07/19/2010

avast! [REC-FRONTDESK]: File “C:\WINDOWS\TEMP_AVAST4_\UNP133494784.TMP” is infected by “Win32:Rootkit-gen [Rtk]” virus.
“Resident protection (Standard Shield)” task used
Version of current VPS file is 100719-1, 07/19/2010

avast! [REC-FRONTDESK]: File “C:\WINDOWS\TEMP_AVAST4_\UNP185592629.TMP” is infected by “Win32:Rootkit-gen [Rtk]” virus.
“Resident protection (Standard Shield)” task used
Version of current VPS file is 100719-1, 07/19/2010

…ad nauseam.

The NTDLL.DLL files involved are all identical… CRCs are identical, file sizes are identical, last mod dates identical… the files on the machines reporting infections are identical to the one on my own workstation which never reported an infection… the only difference between us is that I use Firefox, and all of the workstations that reported an infection had Internet Explorer running at the time, although the resident protection module (Standard Shield) reported the infections - it was never the web shield.

Anyways, it’s almost 8:00 AM here, and the infection reports vanished with the application of 100720-0, so I’m going to guess that 100719-1 was a bad update, and hope there’s no fallout.
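An administrator drowning in notifications like the ones quoted above needs the counts, not the e-mails: how many hits per host, per VPS version and per file location. As an added example (not from the thread or from avast), a small Python parser for that notification format; the sample alerts are constructed from the four quoted in this thread.

```python
import re
from collections import Counter

# Constructed sample: four ADNM notification e-mails quoted in the thread (hosts, paths, signature, VPS as posted).
SAMPLE_ALERTS = r"""
avast! [REC-FRONTDESK]: File "C:\WINDOWS\SYSTEM32\NTDLL.DLL" is infected by "Win32:Rootkit-gen [Rtk]" virus.
"Resident protection (Standard Shield)" task used
Version of current VPS file is 100719-1, 07/19/2010

avast! [REC-FRONTDESK]: File "C:\WINDOWS\system32\dllcache\ntdll.dll" is infected by "Win32:Rootkit-gen [Rtk]" virus.
"Resident protection (Standard Shield)" task used
Version of current VPS file is 100719-1, 07/19/2010

avast! [REC-FRONTDESK]: File "C:\WINDOWS\TEMP_AVAST4_\UNP121114727.TMP" is infected by "Win32:Rootkit-gen [Rtk]" virus.
"Resident protection (Standard Shield)" task used
Version of current VPS file is 100719-1, 07/19/2010

avast! [COMM-DEV-ASST1]: File "C:\WINDOWS\SoftwareDistribution\Download\51401b498f4675531d9efb941ee01ef3\SP2GDR\ntdll.dll" is infected by "Win32:Rootkit-gen [Rtk]" virus.
"Resident protection (Standard Shield)" task used
Version of current VPS file is 100719-1, 07/19/2010
"""
# One notification = header line, shield line, VPS line; curly and straight quotes both accepted.
ALERT_RE = re.compile(
    r'avast! \[(?P<host>[^\]]+)\]: File [“"](?P<path>[^”"]+)[”"] is infected by '
    r'[“"](?P<sig>[^”"]+)[”"] virus\.\s+'
    r'[“"](?P<shield>[^”"]+)[”"] task used\s+'
    r'Version of current VPS file is (?P<vps>[\w-]+), (?P<date>\S+)')

# Ordered: the dllcache path also contains \system32\, so it must be tested first.
LOCATIONS = [('\\temp_avast4_\\', 'avast-temp'), ('\\dllcache\\', 'dllcache'),
             ('\\softwaredistribution\\', 'windows-update'), ('\\system32\\', 'system32')]

def classify_path(path):
    """Bucket the flagged path: live DLL, SFC cache, avast's unpack temp, or a Windows Update download."""
    p = path.lower()
    return next((label for key, label in LOCATIONS if key in p), 'other')

def parse_alerts(text):
    return [dict(m.groupdict(), location=classify_path(m.group('path')))
            for m in ALERT_RE.finditer(text)]

def summarize(alerts):
    return {'by_vps': Counter(a['vps'] for a in alerts),
            'by_host': Counter(a['host'] for a in alerts),
            'by_location': Counter(a['location'] for a in alerts),
            'signatures': sorted({a['sig'] for a in alerts})}

def single_vps_pattern(alerts):
    """True when every hit shares one signature and one VPS version, the shape this thread ties to a bad update; a cue to verify hashes, not proof of an FP."""
    return len({a['vps'] for a in alerts}) == 1 and len({a['sig'] for a in alerts}) == 1
```

Feed it the bodies of the notification e-mails concatenated into one string; `summarize` gives the per-host, per-VPS and per-location counts, and `single_vps_pattern` flags the all-one-VPS shape seen here so the hash comparison described in the thread can be done before anything is restored from the chest.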

Most probably.

Sorry, my misunderstanding, I thought that you were having emails somehow sent that were linked to ntdll.dll and not that you were receiving the avast emails notifying you of infections on other systems. So these emails are normal if you have set up the email notifications to come to you, I thought you had a spambot at work.

So obviously we have to find why these copies of ntdll.dll or their actions are considered suspect (rootkit-gen), unfortunately as an avast user I’m not able to get into that. But if this is an FP on such a file, I would imagine that it is quickly investigated as there would be a lot of activity. The latest VPS should now be 100720-0 so I don’t know if this might have a correction to the Win32:Rootkit-gen [Rtk] generic signature, but most likely.

I don’t use IE either, with firefox as my default browser, so perhaps you’re right about it being related to those using IE.

This one is a little different:
avast! [REC-FRONTDESK]: File “C:\WINDOWS\TEMP_AVAST4_\UNP121114727.TMP” is infected by “Win32:Rootkit-gen [Rtk]” virus.
“Resident protection (Standard Shield)” task used
Version of current VPS file is 100719-1, 07/19/2010

It is a detection on a file that remains in the _AVAST4_\ temp folder. This is where avast unpacks/copies files it is going to scan, and on successful completion that folder should be empty except for C:\WINDOWS\Temp_avast4_\Webshlock.txt, the web shield lock file. So for some reason this folder hasn’t been cleared.

These files are all copies of NTDLL.DLL, and are moved to the virus chest after the virus alert is issued… on one workstation, I have almost 100 of them in the chest. The AVAST4 folder is indeed empty as soon as the file is moved to the chest, but it kept repeating the error with a new temporary filename, then moving it to the chest.

Anyway, with the new update this morning, all is calm again… just a few stragglers still on 100719-1 when they power up their workstations… it causes a hit like so:

avast! [COMM-DEV-ASST1]: File “C:\WINDOWS\SoftwareDistribution\Download\51401b498f4675531d9efb941ee01ef3\SP2GDR\ntdll.dll” is infected by “Win32:Rootkit-gen [Rtk]” virus.
“Resident protection (Standard Shield)” task used
Version of current VPS file is 100719-1, 07/19/2010

As soon as the VPS updates, the problem goes away.

Updated my Avast (didn’t take note of the version numbers unfortunately) and the alert has gone away.
Thanks to ElderGeek’s tip.

Fixed mine too. See under topic:

Rootkit Virus…Help me to remove it

So a false positive? That sounds about right. I’ll manually update avast and see if that fixes the problem.