False positive ?

Discussion in 'other anti-virus software' started by Long View, Feb 17, 2007.

Thread Status:
Not open for further replies.
  1. Long View

    Long View Registered Member

    Joined:
    Apr 30, 2004
    Posts:
    2,295
    Location:
    Cromwell Country
    Antivir PE Classic has just claimed that C:\windows\jestertb.dll is a trojan: TR/Hijack.Exp.546.1

    As this file has been on the PC since Feb 2006 and hasn't been picked up before by Antivir or any other program, is it possible that this is a false positive?
     
  2. ASpace

    ASpace Guest

    Hurry up and load the DLL file to VirusTotal and we'll see ;)
     
  3. Long View

    Long View Registered Member

    Joined:
    Apr 30, 2004
    Posts:
    2,295
    Location:
    Cromwell Country

    Thanks - Just ran the check suggested and the only one to find a problem was Antivir. The other 28 said no problem.

    Thanks again. I will keep www.virustotal.com for future use.
     
  4. StevieO

    StevieO Registered Member

    Joined:
    Feb 2, 2006
    Posts:
    1,067
    I wouldn't be too sure it is an FP. It may be, but I have uploaded many real nasties there, and a number of times AntiVir was the only one to show a detection. I also sent these direct to AntiVir, and they confirmed to me that they were genuine malware.

    Some time later the other AVs started to detect them when I uploaded them again. But even today not all of them are detecting some of them. Even worse, a few of these samples are still undetected by all except AntiVir months later.

    I can't explain why the other vendors don't detect them; all I know is they don't. Once they are uploaded they are all supposed to get them at the same time. If they really do, then some samples look like they are not being analysed correctly.

    If you PM me a link where I can download a zipped copy of jestertb.dll I'll look into it further for you and let you know what I discover.


    StevieO
     
  5. Long View

    Long View Registered Member

    Joined:
    Apr 30, 2004
    Posts:
    2,295
    Location:
    Cromwell Country
    Thanks - I have sent the file to Antivir; meanwhile it is in quarantine. I'm not even sure what the file is supposed to do. The date on the file is Feb 2006, so if true the file has been on my machine for quite a while.
     
  6. jlo

    jlo Registered Member

    Joined:
    Nov 29, 2004
    Posts:
    475
    Location:
    UK
    Hi,

    My advice would be to zip the file up, password protect it with 'infected' and e-mail the file to newvirus@kaspersky.com, as you will always get a prompt response. If they say it's malicious then you know Antivir was correct; if they say it's clean then you know it's a false positive.

    Good luck and let us know what Kaspersky say.

    Cheers

    Jlo
     
  7. Long View

    Long View Registered Member

    Joined:
    Apr 30, 2004
    Posts:
    2,295
    Location:
    Cromwell Country
    Have done as you suggest. Very useful to know about this way to get a second opinion.
     
  8. Long View

    Long View Registered Member

    Joined:
    Apr 30, 2004
    Posts:
    2,295
    Location:
    Cromwell Country

    They replied "Nothing virus\trojan like found".

    thanks again.
     
  9. TonyW

    TonyW Registered Member

    Joined:
    Oct 12, 2005
    Posts:
    2,633
    Location:
    UK
    File Research Center doesn't have any info for this .dll file either.
     
  10. pilotart

    pilotart Registered Member

    Joined:
    Feb 14, 2006
    Posts:
    377
    Have read on this board that AntiVir Classic often identifies Spyware as a "Trojan".

    That would explain the no virus/trojan reports from other sources.

    If you sent it to THIS AVIRA SITE you can expect a personal Email response from AVIRA Lab by 1600GMT on Monday.
     
  11. MalwareDie

    MalwareDie Registered Member

    Joined:
    Dec 8, 2006
    Posts:
    500
  12. ASpace

    ASpace Guest

    You are welcome . Thanks for letting me know !:thumb:
     
  13. Long View

    Long View Registered Member

    Joined:
    Apr 30, 2004
    Posts:
    2,295
    Location:
    Cromwell Country
    Sent the file to 2 different addresses at Antivir on Feb 17. It is now Feb 20 and no reply - not sure what to make of the lack of any response?
     
  14. pilotart

    pilotart Registered Member

    Joined:
    Feb 14, 2006
    Posts:
    377
    Using this link:

    http://www.avira.com/en/support/submit_suspicious_files.html

    Have sent four files (over past year) and have always had an instant return acknowledgement of receipt and a personal opinion within *hours* (*normal M-F Working Hours).

    Using the auto-send from Quarantine produces the receipt but no opinion, also Emails to 'heuristik2@avira.com' produce receipt only.

    Last submission to the above website resulted in:
    BTW That file had initially been called "Trojan horse TR/AgentBJG" in Quarantine (Trustware supplies my BufferZone o_O).
     
  15. StevieO

    StevieO Registered Member

    Joined:
    Feb 2, 2006
    Posts:
    1,067
  16. Long View

    Long View Registered Member

    Joined:
    Apr 30, 2004
    Posts:
    2,295
    Location:
    Cromwell Country
    Thanks StevieO. when I get a reply from Antivir I will update the list.
     
  17. Long View

    Long View Registered Member

    Joined:
    Apr 30, 2004
    Posts:
    2,295
    Location:
    Cromwell Country
    I received the following reply from Avira:

    We found non-regular software in the attachment you sent us. This software can be used for evasion of security protections in several computer programs.
    If we find malicious code inside the suspicious file, we will integrate the pattern recognition in one of our next updates.

    We thank you for your assistance.

    Attachment(s) you sent:
    - jestertb.zip


    OK, I give in - as far as I can tell jestertb is doing nothing wrong, but as I don't need it I have now deleted the file.
     
  18. StevieO

    StevieO Registered Member

    Joined:
    Feb 2, 2006
    Posts:
    1,067
    @ Long View

    How weird! Antivir PE Classic has exactly the same Trojan etc. definitions as the paid versions. The only difference is PE Classic doesn't include the antispyware ones. But as I showed, this was detected as a Trojan by my Antivir Premium.

    The file you sent me was exactly the same as you sent them, so?

    Anyway, glad you got a reply, as I've found they are excellent at feedback.

    It'll be interesting to see what they detect it as if you scan it again !


    StevieO
     
  19. Macstorm

    Macstorm Registered Member

    Joined:
    Mar 7, 2005
    Posts:
    2,531
    Location:
    Sneffels volcano
    As for the response that you got from the Kaspersky guys and the one above from Avira, I understand that the file is clean :thumb:

     
  20. Stefan Kurtzhals

    Stefan Kurtzhals AV Expert

    Joined:
    Sep 30, 2003
    Posts:
    701
    I am sorry, I had no time to look into the DLL.

    It doesn't look that harmless. It looks for the systray window and sets a new window message handler procedure for it. It contains the string "3rdeye_tb_hacking_dll". It has no internet-related functionality I could find at first glance, so it doesn't look like a trojan spy, but it's not really trustworthy either. Could be part of a game cheat.
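
    A quick offline static triage of the kind described in the post above (strings scan for the systray-window lookup, the window-procedure replacement, the telltale marker string, and the absence of network APIs), plus the file hashes behind the VirusTotal check suggested earlier in the thread, since VirusTotal can be queried by hash without uploading anything. This is an added example and not code from this thread or from any AV vendor; the indicator lists, the marker regex and the constructed sample bytes are assumptions of the example, and the real jestertb.dll is not reproduced here.

```python
"""
Offline static triage of a suspicious DLL: file hashes for a VirusTotal
hash lookup plus a strings scan for the API and window-class names that
would back up (or refute) the "hooks the systray window procedure" reading.
Standard library only, so it runs anywhere, not just on Windows.
"""
import hashlib
import re
import sys
from typing import Dict, List

# Indicator lists (an assumption of this example, not from the thread):
# FindWindow* locates a window by class name, SetWindowLong*/SetWindowsHookEx*
# replace or hook a window procedure, "Shell_TrayWnd" is the taskbar class,
# and the network names would point at spy/downloader behaviour.
INDICATORS: Dict[str, List[str]] = {
    "window_lookup": ["FindWindowA", "FindWindowW", "FindWindowExA", "FindWindowExW"],
    "wndproc_subclass": ["SetWindowLongA", "SetWindowLongW",
                         "SetWindowLongPtrA", "SetWindowLongPtrW",
                         "SetWindowsHookExA", "SetWindowsHookExW"],
    "systray_class": ["Shell_TrayWnd", "TrayNotifyWnd"],
    "network": ["WinHttpOpen", "InternetOpenA", "InternetOpenW",
                "WSAStartup", "socket", "connect", "send", "recv"],
}
# Free-text markers an analyst would want listed verbatim (heuristic, assumption).
MARKER_RE = re.compile(r"hack|cheat|inject|hijack|keylog", re.IGNORECASE)


def extract_strings(data: bytes, min_len: int = 4) -> List[str]:
    """Printable-ASCII runs of at least min_len bytes, like the `strings` tool."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(data)]


def file_hashes(data: bytes) -> Dict[str, str]:
    """MD5/SHA-1/SHA-256: enough to look the sample up on VirusTotal by hash
    without uploading it, and to match a vendor's reply to the exact file."""
    return {name: hashlib.new(name, data).hexdigest()
            for name in ("md5", "sha1", "sha256")}


def classify(hits: Dict[str, List[str]]) -> str:
    """Coarse reading of the indicator hits (heuristic, not a verdict)."""
    hooks = bool(hits["window_lookup"] and hits["wndproc_subclass"])
    if hooks and hits["network"]:
        return "subclasses a window procedure and is network-capable"
    if hooks:
        return "subclasses a window procedure, no network capability found"
    if hits["network"]:
        return "network-capable, no window hooking found"
    return "nothing notable in strings"


def triage(data: bytes) -> Dict[str, object]:
    """Run the whole triage and return a report dict."""
    found = set(extract_strings(data))
    # Exact-match against the string set: import names are NUL-separated in
    # the PE import table, so they surface as whole strings.
    hits = {cat: sorted(n for n in names if n in found)
            for cat, names in INDICATORS.items()}
    markers = sorted(s for s in found if MARKER_RE.search(s))
    return {**file_hashes(data), "hits": hits, "markers": markers,
            "verdict": classify(hits)}


# Constructed stand-in for jestertb.dll: a fake MZ stub plus the kind of
# import names and strings the analysis above describes. Not the real file.
SAMPLE_DLL = (
    b"MZ" + b"\x00" * 62
    + b"KERNEL32.dll\x00USER32.dll\x00"
    + b"FindWindowA\x00SetWindowLongA\x00CallWindowProcA\x00"
    + b"Shell_TrayWnd\x00"
    + b"3rdeye_tb_hacking_dll\x00"
    + b"\x00" * 32
)


if __name__ == "__main__":
    # Usage: python triage.py path\to\jestertb.dll   (falls back to the sample)
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_DLL
    report = triage(blob)
    for key, value in report.items():
        print(f"{key}: {value}")
```

    On the constructed sample this reports FindWindowA, SetWindowLongA and Shell_TrayWnd with no network names, which matches the "window-procedure replacement, no trojan-spy functionality" reading above; on a real file it is only a first pass, since packed or obfuscated binaries hide their imports from a strings scan, and the hashes are what you would search on VirusTotal or quote back to the vendor.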
     