Fixed: JESTERTB.DLL possible false positive



Gandalf
2010-06-19, 13:44
Upon running my weekly scan today, Spybot is flagging c:\windows\JESTERTB.DLL as virtumonde.sdn.
This file comes up clean in Avast, Trojan Hunter, SAS & MBAM.
Submitted file to Virus Total - shows 0/41 (see attached)
Submitted file to Jotti - shows 0/19 (see attached)

Suggest this may be a false positive. Can supply copy if you wish.

Windows XP-Pro SP3 fully patched.

--- Search result list ---
Virtumonde.sdn: [SBI $043FD2D1] Library (File, nothing done)
C:\WINDOWS\JESTERTB.DLL
Properties.size=21504
Properties.md5=56DF1B6C087D4B9C0AB2318F226D3040
Properties.filedate=1241085852
Properties.filedatetext=2009-04-30 11:04:12

Much obliged.

Gandalf
2010-06-20, 11:22
To Team Spybot: Should I send in a copy of this file for your analysis?

Cheers

Gandalf

Gandalf
2010-06-20, 11:56
I have sent the file in question for analysis.

Gandalf

AKFubar
2010-06-20, 12:52
I have the same one here. Please post results of false positive analysis.

Thanks

Gopher John
2010-06-20, 14:29
@Gandalf

Could you post the actual VirusTotal and Jotti links of the results?

Also, see JESTERTB.DLL, Prevx (http://spywaredlls.prevx.com/RREJDE340136/JESTERTB.DLL.html). Do you have Notepad++ installed?

Gandalf
2010-06-20, 17:27
AKFubar wrote:
> I have the same one here. Please post results of false positive analysis.
>
> Thanks

When they let me know, yes with pleasure.


Gopher John wrote:
> @Gandalf
>
> Could you post the actual VirusTotal and Jotti links of the results?
>
> Also, see JESTERTB.DLL, Prevx (http://spywaredlls.prevx.com/RREJDE340136/JESTERTB.DLL.html). Do you have Notepad++ installed?

Those virus-total and jotti attachments in my initial post are current - see dates.

I do not have Notepad++ onboard.

Cheers

Gandalf

Gandalf
2010-06-20, 17:50

I have just had the file re-scanned at Virus Total and Jotti.

Virus Total
http://www.virustotal.com/analisis/3628e028f807787915691ea74041f9a93fa7fd0f2fe4d1175ad4fd117d00a2e5-1277048229

Jotti
http://virusscan.jotti.org/en/scanresult/aa01dae0d2d4c4b11acf0f9e063ab2dd26b06690

Gopher John
2010-06-20, 18:10
Gandalf wrote:
> I have just had the file re-scanned at Virus Total and Jotti.
>
> Virus Total
> http://www.virustotal.com/analisis/3628e028f807787915691ea74041f9a93fa7fd0f2fe4d1175ad4fd117d00a2e5-1277048229
>
> Jotti
> http://virusscan.jotti.org/en/scanresult/aa01dae0d2d4c4b11acf0f9e063ab2dd26b06690

Thanks for posting the links. This allows others to see the results exactly as you see them.

Apparently, JESTERTB.DLL has had a lot of false positives over the years by many antivirus and antimalware programs. A lot of results were returned on a Google search.

Gandalf
2010-06-20, 21:13
Gopher John wrote:
> Thanks for posting the links. This allows others to see the results exactly as you see them.
>
> Apparently, JESTERTB.DLL has had a lot of false positives over the years by many antivirus and antimalware programs. A lot of results were returned on a Google search.

Hence my posting here GT. :cool:

Gandalf

chucho
2010-06-20, 23:52
I chose to remove it, and after restarting Windows, Spybot started automatically analysing the system. Is that normal?

Gopher John
2010-06-21, 00:02
How did you remove it? Did you use Spybot S&D, or just manually delete it and restart Windows?

Has Spybot S&D completed the startup scan without incident? If so, check your installed programs to see if there are any abnormalities in their performance. If the file was legitimate, then perhaps the program that it came with should show an obvious error when you attempt to run it.

Yodama
2010-06-22, 09:05
Hello,

I received the submitted jestertb.dll file, and the analysis showed that it is not a part of Virtumonde.sdn. However, this does not mean that the file is legit.

The file is still highly suspicious, as it does not contain information about its origin or purpose; furthermore, the file's export function and name indicate that the file is possibly part of an unwanted toolbar.

To research this matter I would like to have more information on this issue.
Please create a full Spybot S&D report file by right-clicking the scan results screen (no scan required) and selecting to save a full report file.

Attach this report file to your next post or email it to detections@spybot.info.
I also would like to have a look at some folder contents, so those who send an email (or already did) concerning this matter will also get a batch file which will create text files listing the contents of some folders.
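Added example, not code from the thread, from Spybot or from Team Spybot: a stdlib-only Python script that performs the checks this thread leans on, both in the first post (the Properties.md5 and Properties.filedate values Spybot reports, and the hash-keyed VirusTotal/Jotti result URLs) and in the analysis above (a PE with no origin information and with export names suggesting a toolbar). It cross-checks a scanner's reported MD5 against the bytes on disk, converts the Unix timestamp to UTC, and walks the PE headers to read the internal DLL name, the named exports, and whether a resource directory exists at all (a coarse proxy for version information; a full check would walk the resource tree for an RT_VERSION entry). The exports it treats as toolbar-like are the standard in-process COM server entry points that IE toolbars and BHOs must export to self-register. The DLL it builds is a constructed test input: its name SAMPLE.DLL and its exports are hypothetical, and nothing here states what the real JESTERTB.DLL exports.

```python
import datetime
import hashlib
import struct

# Entry points every in-process COM server exports; IE toolbars and BHOs are packaged this way.
COM_SERVER_EXPORTS = {"DllGetClassObject", "DllCanUnloadNow", "DllRegisterServer", "DllUnregisterServer"}


def file_hashes(data):
    """MD5/SHA-1/SHA-256 in upper-case hex. MD5 matches Spybot's Properties.md5 format;
    SHA-1 and SHA-256 are what the Jotti and VirusTotal result URLs are keyed on."""
    return {alg: hashlib.new(alg, data).hexdigest().upper() for alg in ("md5", "sha1", "sha256")}


def epoch_to_utc(ts):
    """Spybot's Properties.filedate is a Unix timestamp; Properties.filedatetext is local time on the scanned PC."""
    return datetime.datetime.fromtimestamp(ts, datetime.timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def parse_pe(data):
    """Minimal PE reader: DLL flag, link timestamp, presence of a resource directory,
    internal DLL name and named exports. Raises ValueError for anything that is not a PE file."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _machine, nsec, link_ts, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    dd = opt + (96 if magic == 0x10B else 112)  # data directory table: PE32 vs PE32+
    sections = []
    for i in range(nsec):
        _name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append((va, max(vsize, rawsize), rawptr))

    def rva_to_offset(rva):
        for va, size, rawptr in sections:
            if va <= rva < va + size:
                return rawptr + (rva - va)
        raise ValueError("RVA 0x%x lies outside every section" % rva)

    def cstring(rva):
        off = rva_to_offset(rva)
        return data[off:data.index(b"\0", off)].decode("ascii", "replace")

    export_rva = struct.unpack_from("<I", data, dd)[0]        # directory 0: exports
    resource_rva = struct.unpack_from("<I", data, dd + 16)[0] # directory 2: resources
    info = {"is_dll": bool(chars & 0x2000), "link_time_utc": epoch_to_utc(link_ts),
            "has_resource_dir": resource_rva != 0, "dll_name": None, "exports": []}
    if export_rva:
        e = rva_to_offset(export_rva)
        _, _, _, _, name_rva, base, _nfunc, nnames, _aof, aon, aoo = struct.unpack_from("<IIHHIIIIIII", data, e)
        info["dll_name"] = cstring(name_rva)
        for i in range(nnames):
            name_ptr = struct.unpack_from("<I", data, rva_to_offset(aon + 4 * i))[0]
            ordinal = struct.unpack_from("<H", data, rva_to_offset(aoo + 2 * i))[0]
            info["exports"].append((base + ordinal, cstring(name_ptr)))
    return info


def triage(data, reported_md5):
    """Cross-check the scanner's MD5 against the bytes on disk and collect the PE facts weighed above."""
    pe = parse_pe(data)
    names = {n for _, n in pe["exports"]}
    hashes = file_hashes(data)
    return {**hashes, "md5_matches": hashes["md5"] == reported_md5.upper(),
            "looks_like_com_server": bool(names & COM_SERVER_EXPORTS),
            "has_resource_dir": pe["has_resource_dir"], "dll_name": pe["dll_name"],
            "exports": sorted(names), "link_time_utc": pe["link_time_utc"]}


def build_sample_dll(dll_name, exports, link_ts):
    """CONSTRUCTED test input: a 1 KiB PE32 DLL with one .edata section, no resources, given exports."""
    n = len(exports)
    sec_rva, sec_raw = 0x1000, 0x200
    aof, aon = sec_rva + 40, sec_rva + 40 + 4 * n
    aoo, str_rva = aon + 4 * n, aon + 6 * n
    strings, ptrs = dll_name + b"\0", []
    for name in exports:
        ptrs.append(str_rva + len(strings))
        strings += name + b"\0"
    body = struct.pack("<IIHHIIIIIII", 0, link_ts, 0, 0, str_rva, 1, n, n, aof, aon, aoo)
    body += b"".join(struct.pack("<I", 0x2000 + 16 * i) for i in range(n))  # function RVAs (not parsed)
    body += b"".join(struct.pack("<I", p) for p in ptrs) + b"".join(struct.pack("<H", i) for i in range(n)) + strings
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, link_ts, 0, 0, 224, 0x2102)  # i386, 1 section, DLL
    opt = struct.pack("<H", 0x10B).ljust(92, b"\0") + struct.pack("<I", 16)
    opt += struct.pack("<II", sec_rva, len(body)) + b"\0" * (8 * 15)  # only the export directory is set
    section = struct.pack("<8sIIIIIIHHI", b".edata", len(body), sec_rva, sec_raw, sec_raw, 0, 0, 0, 0, 0x40000040)
    return (dos + coff + opt + section).ljust(sec_raw, b"\0") + body.ljust(sec_raw, b"\0")


if __name__ == "__main__":
    sample = build_sample_dll(b"SAMPLE.DLL", [b"DllGetClassObject", b"DllRegisterServer"], 1241085852)
    print(triage(sample, file_hashes(sample)["md5"]))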

Gandalf
2010-06-22, 09:50
Yodama wrote:
> Hello,
>
> I received the submitted jestertb.dll file, and the analysis showed that it is not a part of Virtumonde.sdn. However, this does not mean that the file is legit.
>
> The file is still highly suspicious, as it does not contain information about its origin or purpose; furthermore, the file's export function and name indicate that the file is possibly part of an unwanted toolbar.
>
> To research this matter I would like to have more information on this issue.
> Please create a full Spybot S&D report file by right-clicking the scan results screen (no scan required) and selecting to save a full report file.
>
> Attach this report file to your next post or email it to detections@spybot.info.
> I also would like to have a look at some folder contents, so those who send an email (or already did) concerning this matter will also get a batch file which will create text files listing the contents of some folders.

Yodama

Have already sent the extra files you requested via email. Tried placing the full report on here but kept getting an error: too many characters. Will now send the full report via email.

Much obliged

Gandalf

Edit: attaching it as a zip file worked.

Yodama
2010-06-23, 13:43
Thank you for the requested files.

With these I could make sure that the jestertb.dll in question is harmless.
Further research showed that it belongs to flashjester, a software for flash tools.

So you may have gotten the jestertb.dll while using a flash tool that was made with flashjester.

Gandalf
2010-06-23, 15:38
Yodama wrote:
> Thank you for the requested files.
>
> With these I could make sure that the jestertb.dll in question is harmless.
> Further research showed that it belongs to flashjester, a software for flash tools.
>
> So you may have gotten the jestertb.dll while using a flash tool that was made with flashjester.

Many thanks Yodama for confirming that the file is harmless. I appreciate the effort. :bigthumb::bigthumb:

Gandalf