Found Jesterss.dll Win32:Trojan-gen and want to make sure I'm clean.

I’m not entirely sure if this is actually infected. The lab says it is, but after doing a little research I’m still not sure, as none of my other scanners detected it. But either way, seeing as it was a trojan infection, I’d like to be at least 90 percent sure I have the “all clear” before I use this machine for shopping/banking again.

Edit: Finished adding all the logs.

Boot Scan log:
10/17/2012 03:52
Scan of all local drives

File C:\Documents and Settings\Administrator\Local Settings\Temp\tmp-rny.xpi|>chrome\noscript.jar|>locale\hu-HU\noscript\noscript.dtd Error 42125 {ZIP archive is corrupted.}
File C:\Documents and Settings\Administrator\Local Settings\Temp\tmp-rny.xpi|>chrome\noscript.jar Error 42125 {ZIP archive is corrupted.}
File C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\NU4E5KCG\bing%20rewards[1].bingbarapp|>images\alertState.png Error 42127 {CAB archive is corrupted.}
File C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\NU4E5KCG\slacker%20radio[1].bingbarapp|>flash\BingPlayer.swf Error 42127 {CAB archive is corrupted.}
File C:\Games\Nexus Mod Manager\Skyrim\Mods\downloads\Immersive_Armors_v5-19733-5.7z.partial|>data\textures\armor\Paladin\Armor3 copy.dds Error 42139 {7ZIP archive is corrupted.}
File C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP876\A0138424.exe is infected by Win32:Trojan-gen, Moved to chest ← False positive
File C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP900\A0141599.exe is infected by Win32:Trojan-gen, Moved to chest ← False positive
File C:\WINDOWS\system32\jesterss.dll|>[ASPack] is infected by Win32:Trojan-gen, Moved to chest
File D:\PRELOAD\data9_08.inp|>spra0424.dll Error 42127 {CAB archive is corrupted.}
Number of searched folders: 29677
Number of tested files: 1320297
Number of infected files: 3

Avast’s complete scan found another generic but I couldn’t figure out how to get a log for that:
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP900\A0141601.dll|>[ASPack]

I found this post, which leads me to believe these may only be getting detected because they are “packed executables”:
http://www.techsupportforum.com/forums/f100/anything-need-to-be-done-on-my-log-124267.html
Though it would help a lot more if I knew when the file was created on this computer.

There have been serious incidents related to this as well though:
http://www.bleepingcomputer.com/forums/topic235128.html

No other scanners picked it up prior to Avast and I’ve found nothing else so far. The computer seems to be acting normally.

All other logs are attached.

Avast's complete scan found another generic but I couldn't figure out how to get a log for that: C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP900\A0141601.dll|>[ASPack]
Guessing this is the same file, as this is a system restore backup.
File C:\WINDOWS\system32\jesterss.dll|>[ASPack]
You may upload this to www.virustotal.com and test it with 40+ malware scanners.

Alternatives: jotti.org / metascan-online.com
You may post the link to the result here.

Malware removers have been notified. It may take hours before one arrives, so be patient.

That file is an either/or file; in some cases it is good and in some bad: http://www.threatexpert.com/files/jesterss.dll.html

The system restore element could be an old infection or just a corrupt file; the easiest way to clear that is to reset all restore points.

Well it’s been placed inside of the chest. How do I send it from there? :-\

I am now currently receiving help on another forum, I will return if it doesn’t pan out. Sorry for wasting anyone’s time, it’s my fault for forgetting I’d already posted there.

More info: http://www.backgroundtask.eu/Systeemtaken/taakinfo/67843/jesterss.dll/
and
http://systemexplorer.net/file-database/file/jesterss-dll
1. Double-click Avast!'s round orange icon in the Windows notification area to open the main window. Click “Maintenance” in the left pane and select “Virus Chest.” The Virus Chest then displays a list of its files.

2. Right-click the file you want to retrieve. Select “Restore” to restore the file to its original location. Right-click the file and select “Properties” to view detailed information on the file and to view the location where it will restore.

3. Right-click a file in the Virus Chest and select “Extract” to copy the file to an alternate location on your hard drive. Select a location to copy the file in the “Browse for Folder” dialog box and click “OK.” Avast! then creates a copy of the file and saves it to the location you selected.

Now you can scan that file through uploading it to VT: https://www.virustotal.com/

polonus

I don’t know how comfortable I feel about reintroducing it into my system. Should it be safe so long as it isn’t in the win32 directory?

Well, that is your decision; it is a possible generic threat/packer detection, see: http://r.virscan.org/bf6d82214f92b94239ce1bcbcc20bc12
Should it be a rootkit, I would leave it in the chest also, as nothing has access there. But it could also be a false positive. Hard to say now.
If you have no need for it, leave it in the chest. My best guess is that it is a spyware infection, because of 4E015214-6BB0-4181-B365-456CF1DEC069 found up there (Trojan-Spy.Win32).

polonus

Darn it, I hate this. I’m sure it’s probably a trojan, since no matter what I cannot find it related to anything else. It just frustrates me that this happened on a machine that does nothing but watch YouTube, official TV network sites, banking and shopping sites. The only reason it probably got through was because of Java not being updated; it’s even more frustrating that my firewall didn’t catch it first.

Well, thanks for the input.

This is extremely interesting to me because on the exact same day I had the same detection happen on my computer. But the similarities go further:

1.) I also have a Gateway computer (and it seems to happen mostly on Gateway computers)
2.) It happened almost immediately after an Avast virus definition update
3.) My computer seems to otherwise act normal.
4.) In addition to Jesterss.dll, a file was also found in the System Information / restore area. Oddly enough, Avast Virus Chest indicates the file it found in the restore area had not been modified since 2003. So if it’s really a virus it’s been out there for 9 years with no ill effects.
5.) I also cannot find much on the web about this “virus.” (and what little I find is in relation to Gateway computers).
6.) With both of the above files in the virus chest my computer now scans clean even in a boot scan.

But, I have another interesting symptom. I use(d) the default Gateway screen saver (gtw_logo in the screen saver selection menu). After Jesterss.dll was removed, the Gateway screen saver no longer worked. I can set the screen saver timer to 1 minute and observe the screen flicker as if the screen saver is trying to work, but it won’t. I move the mouse, wait another minute, the screen flickers but no screen saver. I then randomly picked numerous other screen savers and they do work fine.

Is it possible the Jesterss.dll file is associated with the gtw_logo “screen saver” and this is a false positive? VicVegas, it would be interesting if you also tried to assign the gtw_logo as your screen saver with a short 1 minute timeout and see if it works (or not).

Also, I have a second Gateway computer that uses McAfee and Spybot instead of Avast antivirus. There is a similarly named file, jestertb.dll, on this computer that McAfee and Spybot apparently have no issues with. In fact on a Spybot Forum, here is what they say about this file (after analyzing an upload by a user):

"With these I could make sure that the jestertb.dll in question is harmless.
Further research showed that it belongs to flashjester a software for flash tools.

So you may have gotten the jestertb.dll while using a flash tool that was made with flashjester."

A quick update…a very cursory scan of flashjester on the web indicates (I think) that it can be used to make screen savers…maybe jesterss.dll was indeed associated with my gtw_logo screen saver…more evidence of a false positive?

As stated, it can be good or bad; in this case Gateway are using it for their screensaver.

I just found this file on another gateway computer. I suppose a simple test would be to check and see if the built-in screensaver works? Lemme see…

The screensaver… it’s not working…

http://i3.kym-cdn.com/photos/images/original/000/175/315/PicardDoubleFacepalm-1.jpg

hi VicVegas,

Polonus did ask to have the jesterss.dll file scanned at virus total dot com a while back. Kudos to DavidR, a long-time user and contributor here, there is a way to enable this to be done safely:

1. Create a new folder on your hard drive at the root named Suspect. This folder will be placed on the lowest level possible, and will reside on the same level your Windows folder and Program Files will be, but will be separate and placed outside these folders. See screenshot below for proper placement.
2. Open Avast! and go to Settings (upper right hand corner), click that, then Exclusions > Browse.
3. Find the new Suspect folder and click OK.
4. Go to the Virus Chest and use the procedure outlined by Polonus to move (extract) the file to the Suspect folder.

Step 3: What you are doing is telling Avast! to not scan the Suspect folder and can safely place this file inside it to upload it to Virus Total from there.

Copy/paste the resulting final scan url at Virus Total here in your next reply. Virus Total will give all of us a better idea of whether your particular file is a threat or not; advice as to what to do will follow if this is done.
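An added example (not code from this thread, from Avast or from any poster) for the step above: before uploading the file extracted into the Suspect folder, record its SHA-256 (VirusTotal can be searched by hash without uploading anything), its creation/modification times (the question of when the file appeared came up earlier), and its PE section names, so the "[ASPack]" tag in the scan log can be checked against the section table. The file is never executed. The section names .aspack and .adata are those the ASPack packer is known to emit; build_sample_pe is a constructed header-only stand-in for a DLL, used because no real sample belongs on the page.

```python
import hashlib
import os
import struct
from datetime import datetime, timezone

# Section names the ASPack packer is known to leave behind. Packing explains a
# generic "[ASPack]" detection; it is a hint, not proof the file is malicious.
ASPACK_SECTIONS = {b".aspack", b".adata"}

def section_names(data: bytes) -> list:
    """Parse the PE section table and return the section names ([] if not a PE)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        return []
    nsec = struct.unpack_from("<H", data, pe_off + 6)[0]       # NumberOfSections
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]  # SizeOfOptionalHeader
    table = pe_off + 24 + opt_size                             # first IMAGE_SECTION_HEADER
    names = []
    for i in range(nsec):
        raw = data[table + 40 * i:table + 40 * i + 8]          # Name field, 8 bytes
        if len(raw) < 8:                                       # truncated section table
            break
        names.append(raw.rstrip(b"\0"))
    return names

def packer_hint(names) -> str:
    return "ASPack" if ASPACK_SECTIONS & set(names) else "none"

def triage(path: str) -> dict:
    """Hash, timestamp and packer-check one file without executing it."""
    with open(path, "rb") as fh:
        data = fh.read()
    st = os.stat(path)          # st_ctime is creation time on Windows, inode change time elsewhere
    names = section_names(data)
    return {
        "sha256": hashlib.sha256(data).hexdigest(),   # search this on VirusTotal first
        "created": datetime.fromtimestamp(st.st_ctime, timezone.utc).isoformat(),
        "modified": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
        "sections": [n.decode("ascii", "replace") for n in names],
        "packer_hint": packer_hint(names),
    }

def build_sample_pe(names) -> bytes:
    """Constructed stand-in for a DLL: valid MZ/PE headers, no optional header, no code."""
    pe_off = 0x40
    img = bytearray(b"MZ" + b"\0" * 0x3A + struct.pack("<I", pe_off))
    img += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(names), 0, 0, 0, 0, 0x2102)
    for n in names:             # 40-byte section headers with only the Name field filled
        img += n.ljust(8, b"\0") + b"\0" * 32
    return bytes(img)
```

Run `triage(r"C:\Suspect\jesterss.dll")` on the extracted copy; a result whose packer_hint is "ASPack" says only that the file is packed, which is consistent with both the Gateway screensaver explanation and a real infection, so the hash lookup still decides.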

Well, the person who was helping me told me I turned up clean otherwise. Next time I’ll post here first though. Beyond that, this machine is not my frequent, so Trojan file or not I don’t feel like experimenting on someone else’s time.