problem with false positive

Hi everyone!
I think I am having a false positive with the program jetstart. Today when I started the machine the avast antivirus put up an adware warning; it says that the program jetstart has an archive named sqlite3.dll and it has Win32:Adware-gen [Adw], but I have been using this program for almost a year! So it seems probable to me that it is a false positive…
Can you help me with this? I am a little concerned about it because the program it is blocking is a little piece of software I use a lot.
Thanks in advance!

Upload the file to www.virustotal.com and post the result here.

To avoid avast alerting when you access it, and to avoid having to pause the standard shield whilst uploading to VT:

Create a folder called Suspect in the C:\ drive, e.g. C:\Suspect. Now exclude that folder in the Standard Shield: Customize, Advanced, Add, and type (or copy and paste) C:\Suspect* as the path. That will stop the standard shield scanning any file you put in that folder. You should now be able to export any file in the chest to this folder and upload it to VirusTotal without avast alerting.

Hi again!
This is the result of the virustotal test… I think it's not good news for me :(

http://www.virustotal.com/es/analisis/0a7c09db3471b0ba93437abed13e9e88

Análisis del archivo jetstart_4.4.exe.VIR recibido el 21.04.2008 10:27:29 (CET)
Estado actual: análisis terminado
Resultado: 7/32 (21.88%)
Motor antivirus Versión Última actualización Resultado
AhnLab-V3 2008.4.19.0 2008.04.21 -
AntiVir 7.8.0.8 2008.04.21 DR/Beginto.H.1
Authentium 4.93.8 2008.04.20 -
Avast 4.8.1169.0 2008.04.21 -
AVG 7.5.0.516 2008.04.20 -
BitDefender 7.2 2008.04.21 -
CAT-QuickHeal 9.50 2008.04.19 -
ClamAV 0.92.1 2008.04.21 -
DrWeb 4.44.0.09170 2008.04.21 -
eSafe 7.0.15.0 2008.04.17 -
eTrust-Vet 31.3.5720 2008.04.21 -
Ewido 4.0 2008.04.20 -
F-Prot 4.4.2.54 2008.04.20 -
F-Secure 6.70.13260.0 2008.04.21 -
FileAdvisor 1 2008.04.21 -
Fortinet 3.14.0.0 2008.04.21 Adware/Beginto
Ikarus T3.1.1.26 2008.04.21 -
Kaspersky 7.0.0.125 2008.04.21 -
McAfee 5277 2008.04.18 -
Microsoft 1.3408 2008.04.21 -
NOD32v2 3041 2008.04.19 -
Norman 5.80.02 2008.04.18 -
Panda 9.0.0.4 2008.04.20 -
Prevx1 V2 2008.04.21 Heuristic: Suspicious Self Modifying File
Rising 20.41.00.00 2008.04.21 Trojan.PSW.Win32.GameOnline.arc
Sophos 4.28.0 2008.04.21 Sus/ComPack-C
Sunbelt 3.0.1056.0 2008.04.17 -
Symantec 10 2008.04.21 -
TheHacker 6.2.92.285 2008.04.19 -
VBA32 3.12.6.4 2008.04.16 AdWare.Win32.Beginto.h
VirusBuster 4.3.26:9 2008.04.20 -
Webwasher-Gateway 6.6.2 2008.04.21 Trojan.Dropper.Beginto.H.1
Información adicional
File size: 931812 bytes
MD5…: 0f58494b95b904b4e805f0fd2a6722ce
SHA1…: 7b3401bf4937b6883b24754122ca860e7b9d107d
SHA256: 818e5884f9f363a309d1a422a8a21b5668fc3af45f596d99bafd671a4a90c31f
SHA512: 92cfd978a8e60090724fbce8ffe6d91fb803c7d1788d917e59a3fa4458c7c86e6b952efd8be501faa77b0735d43890765012948ff5c4363b276805408e30c63e
PEiD…: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x4098d8
timedatestamp…: 0x2a425e19 (Fri Jun 19 22:22:17 1992)
machinetype…: 0x14c (I386)

( 8 sections )
name viradd virsiz rawdsiz ntrpy md5
CODE 0x1000 0x8ffc 0x9000 6.59 ed788fae7220cb2d4e9b894f08f57acf
DATA 0xa000 0x248 0x400 2.71 475e69ed1e566f7a7a43f199e6bf6951
BSS 0xb000 0xe34 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
.idata 0xc000 0x950 0xa00 4.43 bd5bdc394dd9459844ea032b48349bc1
.tls 0xd000 0x8 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
.rdata 0xe000 0x18 0x200 0.20 d293bf8d4ebe9826d58e1d27c25fe4b6
.reloc 0xf000 0x8a0 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
.rsrc 0x10000 0x2a00 0x2a00 4.43 5c45f905bc646b049905aaa883e05dab

( 8 imports )

kernel32.dll: DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, VirtualFree, VirtualAlloc, LocalFree, LocalAlloc, WideCharToMultiByte, TlsSetValue, TlsGetValue, MultiByteToWideChar, GetModuleHandleA, GetLastError, GetCommandLineA, WriteFile, SetFilePointer, SetEndOfFile, RtlUnwind, ReadFile, RaiseException, GetStdHandle, GetFileSize, GetSystemTime, GetFileType, ExitProcess, CreateFileA, CloseHandle
user32.dll: MessageBoxA
oleaut32.dll: VariantChangeTypeEx, VariantCopyInd, VariantClear, SysStringLen, SysAllocStringLen
advapi32.dll: RegQueryValueExA, RegOpenKeyExA, RegCloseKey, OpenProcessToken, LookupPrivilegeValueA
kernel32.dll: WriteFile, VirtualQuery, VirtualProtect, VirtualFree, VirtualAlloc, Sleep, SizeofResource, SetLastError, SetFilePointer, SetErrorMode, SetEndOfFile, RemoveDirectoryA, ReadFile, LockResource, LoadResource, LoadLibraryA, IsDBCSLeadByte, GetWindowsDirectoryA, GetVersionExA, GetUserDefaultLangID, GetSystemInfo, GetSystemDefaultLCID, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLastError, GetFullPathNameA, GetFileSize, GetFileAttributesA, GetExitCodeProcess, GetEnvironmentVariableA, GetCurrentProcess, GetCommandLineA, GetACP, InterlockedExchange, FormatMessageA, FindResourceA, DeleteFileA, CreateProcessA, CreateFileA, CreateDirectoryA, CloseHandle
user32.dll: TranslateMessage, SetWindowLongA, PeekMessageA, MsgWaitForMultipleObjects, MessageBoxA, LoadStringA, ExitWindowsEx, DispatchMessageA, DestroyWindow, CreateWindowExA, CallWindowProcA, CharPrevA
comctl32.dll: InitCommonControls
advapi32.dll: AdjustTokenPrivileges

( 0 exports )
packers: PE_Patch
Prevx info: http://info.prevx.com/aboutprogramtext.asp?PX5=8B98308CE4FC6C0737D20EE1D988C30059166CED
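The PEInfo part of the report above (entry point, timestamp, and per-section virtual size, raw size, entropy and MD5) is the same data any analyst pulls from a PE header when deciding whether a sample is packed or merely unusual. The script below is an added example, not code from the original post or from VirusTotal; it reads those fields from a PE32 file using only the Python standard library and prints the same columns. The input it parses is a constructed minimal executable (two sections, CODE and BSS) built inside the script so it runs offline; the jetstart binary itself is not included, and the hypothetical triage_notes() helper only reproduces two observations visible in the report: a section with zero raw size is uninitialised data (normal for BSS, which is why its MD5 is the MD5 of an empty input), and a high-entropy CODE section is consistent with the "PE_Patch" packer label and the "Self Modifying File" heuristic. Two caveats a defender should keep in mind: the timestamp 0x2a425e19 (19 June 1992) is the constant that Delphi-built executables carry, so an old build date on a current program is not by itself a sign of tampering, and entropy alone never confirms malware; it only explains why heuristic engines fire.

```python
import datetime
import hashlib
import math
import struct


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte (0.0 .. 8.0); the 'ntrpy' column in the VT report."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def parse_pe(pe: bytes) -> dict:
    """Read the COFF header, entry point and section table of a PE32 image."""
    if pe[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    # Machine, NumberOfSections, TimeDateStamp, PtrToSymTab, NumSymbols, SizeOfOptionalHeader, Characteristics
    machine, nsec, stamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", pe, coff)
    opt = coff + 20
    entry = struct.unpack_from("<I", pe, opt + 16)[0]  # AddressOfEntryPoint sits 16 bytes into the optional header
    sec_tbl = opt + opt_size

    sections = []
    for i in range(nsec):
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", pe, sec_tbl + 40 * i)
        raw = pe[rawptr:rawptr + rawsize] if rawsize else b""
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "vaddr": vaddr, "vsize": vsize, "rawsize": rawsize,
            "entropy": round(shannon_entropy(raw), 2),
            "md5": hashlib.md5(raw).hexdigest(),
        })

    built = datetime.datetime.fromtimestamp(stamp, tz=datetime.timezone.utc)
    return {
        "machine": hex(machine),
        "entrypoint": hex(entry),
        "timestamp": built.strftime("%Y-%m-%d %H:%M:%S"),
        "sha256": hashlib.sha256(pe).hexdigest(),
        "sections": sections,
    }


def triage_notes(info: dict) -> list:
    """Hypothetical helper: the observations an analyst draws from the section table."""
    notes = []
    for s in info["sections"]:
        if s["rawsize"] == 0 and s["vsize"] > 0:
            notes.append(f"{s['name']}: no bytes on disk, {s['vsize']:#x} bytes allocated at load "
                         "(uninitialised data, normal for a BSS section)")
        if s["entropy"] >= 7.0:
            notes.append(f"{s['name']}: entropy {s['entropy']} is high for plain compiled code; "
                         "packed or compressed content is likely")
    return notes


def build_sample_pe() -> bytes:
    """Constructed minimal PE32 used as demo input; this is not the jetstart binary."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)            # e_lfanew: PE header directly after the DOS header
    opt_size = 224                                   # standard PE32 optional header size
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0x2A425E19, 0, 0, opt_size, 0x102)
    # Magic, linker version and three size fields (16 bytes), then AddressOfEntryPoint, rest zeroed
    opt = struct.pack("<H", 0x10B) + b"\0" * 14 + struct.pack("<I", 0x4098D8) + b"\0" * (opt_size - 20)
    code_raw = bytes(range(256)) * 2                 # 512 bytes, every value twice: entropy exactly 8.0
    sec = struct.pack("<8sIIIIIIHHI", b"CODE", 0x8FFC, 0x1000, len(code_raw), 512, 0, 0, 0, 0, 0x60000020)
    sec += struct.pack("<8sIIIIIIHHI", b"BSS", 0xE34, 0xB000, 0, 0, 0, 0, 0, 0, 0xC0000080)
    header = bytes(dos) + b"PE\0\0" + coff + opt + sec
    return header.ljust(512, b"\0") + code_raw       # CODE raw data starts at file offset 512


if __name__ == "__main__":
    info = parse_pe(build_sample_pe())
    print(f"entrypoint {info['entrypoint']}  timestamp {info['timestamp']}  machine {info['machine']}")
    print("name     viradd   virsiz   rawdsiz  ntrpy md5")
    for s in info["sections"]:
        print(f"{s['name']:<8} {s['vaddr']:#8x} {s['vsize']:#8x} {s['rawsize']:#8x} {s['entropy']:5.2f} {s['md5']}")
    for note in triage_notes(info):
        print(note)
```

To run it on a real file, replace build_sample_pe() with open(path, "rb").read(); the parser assumes a well-formed PE32 header and does not follow data directories, so it is a triage aid, not a substitute for the scanner verdicts above.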

Indeed… seems a Beginto infection.

That is very bad news… yesterday I had Avast antivirus do a scan of the computer, but it seems that I have a BeginTo infection which the antivirus didn't detect, so what can I do now?
Thanks

  1. Can you send the samples to virus@avast.com?
    You can zip and password-protect the files… Include a link to this thread and the password used.
    You can send the files to the Chest and, from there, resend them to Alwil for analysis.
    Thanks for helping improve detection.

  2. I suggest:

    1. Disable System Restore and re-enable it after step 3.

    2. Clean your temporary files.

    3. Update your avast and schedule a boot-time scan with avast with archive scanning turned on. If avast does not detect it, you can try DrWeb CureIT! instead.

    4. Use SUPERantispyware, MBAM or Spyware Terminator to scan for spyware and trojans. If any infection is detected, it is better and safer to send the file to Quarantine than to simply delete it.

    5. Test your machine with anti-rootkit applications. I suggest avast! antirootkit or Trend Micro RootkitBuster.

    6. Make a HijackThis log to post here or, better, submit the RunScanner log to on-line analysis.

    7. Immunize your system with SpywareBlaster or Windows Advanced Care.

    8. Check if you have insecure applications with Secunia Software Inspector.