Avast WEBforum

Other => Viruses and worms => Topic started by: Lisandro on April 23, 2010, 01:34:57 PM

Title: MBAM false positives?
Post by: Lisandro on April 23, 2010, 01:34:57 PM
Two files were detected as being infected:

C:\Windows\system32\sshnas21.dll (Trojan.Downloader) -> Delete on reboot.
C:\Windows\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job (Trojan.Downloader) -> Delete on reboot.

The first one I couldn't find.
The second I don't know what it is.

Can anybody help?
Essexboy? Oldman? Polonus?
Title: Re: MBAM false positives?
Post by: polonus on April 23, 2010, 01:56:40 PM
Hi Tech,

This is about the malicious dll: http://htlogs.com/what-is-sshnas21-dll-how-to-remove-sshnas21-dll/
also: http://www.prevx.com/filenames/1969726235776757102-X1/SSHNAS21.DLL.html
The second malicious find: htxp://www.exterminate-it.com/malpedia/file/%7B35DC3473-A719-4d14-B7C1-FD326CA84A0C%7D.job (just use the info, remember this advice: http://www.siteadvisor.com/sites/exterminate-it.com - exterminate-it.com has been found with potential security risk issues, so do not chase out the devil with Beelzebub!)
And here: http://www.microsoft.com/communities/newsgroups/list/en-us/default.aspx?dg=microsoft.public.es.windowsxp&tid=d2e9ae57-1fd8-4102-94e4-f267f88909e1&cat=&lang=&cr=&sloc=&p=1

Just easily found in the virus encyclopedia,

Damian
Title: Re: MBAM false positives?
Post by: Lisandro on April 23, 2010, 02:02:05 PM
Hmmm... seems that avast missed both...
It's not a good detection rate analyzing the latest dates... avast is missing too many samples (at least for me...).
Title: Re: MBAM false positives?
Post by: polonus on April 23, 2010, 02:06:16 PM
Hi Tech,

They always have to decide what they put into an update or what they scan for; the malcode that you have found here was first seen in January of this year. They're certainly gonna add it, but it was not that old again, so I agree with you, you should have been protected, my friend,

polonus
Title: Re: MBAM false positives? No. avast misdetection again.
Post by: Lisandro on April 23, 2010, 05:41:32 PM
Hmmm... I've booted. Scan again and the items are there again (seems not removed).
Something is telling me it's a problem of MBAM...
Title: Re: MBAM false positives? No. avast misdetection again.
Post by: essexboy on April 23, 2010, 08:50:51 PM
Quote
C:\Windows\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job
This one is difficult to recognize for an AV as all it does is give directions to another file to run, but it is malware

Quote
C:\Windows\system32\sshnas21.dll
This one is either/or as MS networks have a file with this name and location - but it is also a trojan downloader

However, if Avast read that file from the task then it was doing its job
Title: Re: MBAM false positives? No. avast misdetection again.
Post by: polonus on April 23, 2010, 08:53:47 PM
Hi essexboy,

Thanks for the final on this,

pol
Title: Re: MBAM false positives? No. avast misdetection again.
Post by: Lisandro on April 23, 2010, 08:59:44 PM
Essexboy, but the file isn't there... I can't see any strange task job either.
Besides, MBAM fails to remove both files that reappear in the next boot.
What do I do?
Title: Re: MBAM false positives? No. avast misdetection again.
Post by: essexboy on April 23, 2010, 09:04:11 PM
Could you post the MBAM log please Tech
Title: Re: MBAM false positives? No. avast misdetection again.
Post by: Lisandro on April 23, 2010, 09:07:42 PM
Sorry, it's in Portuguese. But the last two lines are the important ones.

Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Versão da Base de Dados:  4024

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

23/04/2010 10:31:58
mbam-log-2010-04-23 (10-31-58).txt

Tipo de Verificação:  Verificação Completa  (C:\|D:\|F:\|)
Objetos escaneados:  218425
Tempo decorrido: 56 minuto(s), 2 segundo(s)

Processos de Memória Infectados:  0
Módulos de Memória Infectados:  0
Chaves de Registro Infectadas: 0
Valores de Registro Infectados: 0
Itens de Dados no Registro Infectados:  0
Pastas Infectadas:  0
Arquivos Infectados: 2

Processos de Memória Infectados:
(Não foram detectados ítens maliciosos)

Módulos de Memória Infectados:
(Não foram detectados ítens maliciosos)

Chaves de Registro Infectadas:
(Não foram detectados ítens maliciosos)

Valores de Registro Infectados:
(Não foram detectados ítens maliciosos)

Itens de Dados no Registro Infectados:
(Não foram detectados ítens maliciosos)

Pastas Infectadas:
(Não foram detectados ítens maliciosos)

Arquivos Infectados:
C:\Windows\system32\sshnas21.dll (Trojan.Downloader) -> Delete on reboot.
C:\Windows\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job (Trojan.Downloader) -> Delete on reboot.
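The log above is in Portuguese, but the detection lines themselves keep one shape in every MBAM language build: `<path> (<category>) -> <action>.` The following parser is an added example written for this thread, not code from the forum or from Malwarebytes. It pulls the detections out of a log regardless of the localized headers, lists the items MBAM left as "Delete on reboot", and compares two logs so that anything reported again after the reboot (exactly what happened later in this thread) is flagged for a second opinion from another tool. The sample logs are constructed from the one quoted above; the regex shape is an assumption drawn from that log.

```python
import re
from dataclasses import dataclass
from typing import List

# One detection line per finding, identical in every MBAM 1.x language build:
#   <path> (<category>) -> <action>.
DETECTION_RE = re.compile(
    r"^(?P<path>.+?) \((?P<category>[^()]+)\) -> (?P<action>[^()]+?)\.?\s*$"
)


@dataclass(frozen=True)
class Detection:
    section: str   # localized header the line sat under, kept verbatim
    path: str
    category: str
    action: str


def parse_mbam_log(text: str) -> List[Detection]:
    """Extract detections from an MBAM log without knowing its language."""
    found: List[Detection] = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith(":"):
            # "Arquivos Infectados:" style header. The summary lines higher up
            # ("Arquivos Infectados: 2") end in a count, not a colon, so they
            # never become a section.
            section = line[:-1]
            continue
        m = DETECTION_RE.match(line)
        if m and section is not None:
            found.append(Detection(section, m["path"], m["category"], m["action"]))
    return found


def pending_removals(detections: List[Detection]) -> List[Detection]:
    """Items MBAM could not remove during the scan; they need a rescan after reboot."""
    return [d for d in detections if d.action.lower() == "delete on reboot"]


def still_detected(before: List[Detection], after: List[Detection]) -> List[str]:
    """Paths reported both in a scan and in the rescan after reboot.

    Anything here either survived removal (something recreates it, or a hidden
    or locked copy exists) or is a false positive; either way it needs a second
    tool's view of the disk, not another "Delete on reboot".
    """
    prior = {d.path.lower() for d in before}
    return sorted(d.path for d in after if d.path.lower() in prior)


# Constructed sample, modelled on the Portuguese log quoted in the thread.
SAMPLE_LOG_BEFORE = r"""Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Versão da Base de Dados:  4024

Tipo de Verificação:  Verificação Completa  (C:\|D:\|F:\|)
Objetos escaneados:  218425

Chaves de Registro Infectadas: 0
Arquivos Infectados: 2

Chaves de Registro Infectadas:
(Não foram detectados ítens maliciosos)

Arquivos Infectados:
C:\Windows\system32\sshnas21.dll (Trojan.Downloader) -> Delete on reboot.
C:\Windows\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job (Trojan.Downloader) -> Delete on reboot.
"""

# Constructed rescan after the reboot: the same two paths come back, as in the thread.
SAMPLE_LOG_AFTER = r"""Arquivos Infectados: 2

Arquivos Infectados:
C:\Windows\system32\sshnas21.dll (Trojan.Downloader) -> Delete on reboot.
C:\Windows\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job (Trojan.Downloader) -> Delete on reboot.
"""

if __name__ == "__main__":
    before = parse_mbam_log(SAMPLE_LOG_BEFORE)
    after = parse_mbam_log(SAMPLE_LOG_AFTER)
    for d in before:
        print(f"[{d.section}] {d.category}: {d.path} -> {d.action}")
    print("pending after scan:", len(pending_removals(before)))
    print("still detected after reboot:", still_detected(before, after))
```

Feeding a real pair of logs through `still_detected` is the quickest way to separate "removal did not stick" from "never there in the first place": a path that comes back with no file visible to a second tool (as OTL and OTM reported later in this thread) is the false-positive case, while a path that a second tool can also see is a persistence problem.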
Title: Re: MBAM false positives? No. avast misdetection again.
Post by: essexboy on April 23, 2010, 09:12:05 PM
And these keep returning? The language is no problem as the format is always the same.

Download OTL (http://oldtimer.geekstogo.com/OTL.exe)  to your Desktop

netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
eventlog.dll
scecli.dll
netlogon.dll
cngaudit.dll
sceclt.dll
ntelogon.dll
logevent.dll
iaStor.sys
nvstor.sys
atapi.sys
IdeChnDr.sys
viasraid.sys
AGP440.sys
vaxscsi.sys
nvatabus.sys
viamraid.sys
nvata.sys
nvgts.sys
iastorv.sys
ViPrt.sys
eNetHook.dll
ahcix86.sys
KR10N.sys
nvstor32.sys
ahcix86s.sys
nvrd32.sys
symmpi.sys
adp3132.sys
mv61xx.sys
nvraid.sys
/md5stop
%systemroot%\*. /mp /s
CREATERESTOREPOINT
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\system32\drivers\*.sys /lockedfiles
%systemroot%\System32\config\*.sav
%systemroot%\system32\drivers\*.sys /90


Title: Re: MBAM false positives? No. avast misdetection again.
Post by: DavidR on April 23, 2010, 09:24:52 PM
Quote
Essexboy, but the file isn't there... I can't see any strange task job either.
Besides, MBAM fails to remove both files that reappear in the next boot.

So even when the file and .job are recreated (or they wouldn't be detected again), you can't see a new scheduled task ?

I know it is possible to hide the file (possible rootkit, etc.), but I wasn't aware that it could also hide a scheduled task, that's a new one on me.
Title: Re: MBAM false positives? No. avast misdetection again.
Post by: Lisandro on April 23, 2010, 09:30:35 PM
Quote
So even when the file and .job are recreated (or they wouldn't be detected again), you can't see a new scheduled task ?
I run MBAM and the files are detected. At the same time they're not there in Windows Explorer (hidden/system files being shown).

Quote
I know it is possible to hide the file (possible rootkit, etc.), but I wasn't aware that it could also hide a scheduled task, that's a new one on me.
For me too.
The problem is that avast detected nothing...
Title: Re: MBAM false positives? No. avast misdetection again.
Post by: essexboy on April 23, 2010, 09:34:12 PM
A task can be hidden but it would show on my scanners as such -
Title: Re: MBAM false positives? No. avast misdetection again.
Post by: Lisandro on April 23, 2010, 09:37:50 PM
Quote
Make sure all other windows are closed and to let it run uninterrupted.
Almost impossible in my computer... there are a lot of running things.
I'm scanning. Do I need to do it in Safe Mode?

Quote
The scan won't take long.
Well, mine is taking long :)
Title: Re: MBAM false positives? No. avast misdetection again.
Post by: Lisandro on April 23, 2010, 09:40:07 PM
For sure MBAM is detecting it with the latest two virus databases.
The files are the same but they're completely hidden...
Title: Re: MBAM false positives? No. avast misdetection again.
Post by: essexboy on April 23, 2010, 09:43:24 PM
No, it is just that it is quicker if no other programmes are running; the scan will generate about 300 lines of code. Obviously if you have just updated a service pack or something similar there will be a lot more files within the 30 day time frame. Takes about 10 minutes on mine whilst I am surfing and playing music  ;D
Title: Re: MBAM false positives? No. avast misdetection again.
Post by: Lisandro on April 23, 2010, 09:55:00 PM
I'm posting both logs. I only changed my user logon name to Tech.
Title: Re: MBAM false positives? No. avast misdetection again.
Post by: Lisandro on April 23, 2010, 09:55:27 PM
The second log...
Title: Re: MBAM false positives? No. avast misdetection again.
Post by: Lisandro on April 23, 2010, 09:58:57 PM
I'll boot the computer... see you soon.
Thanks for the help.
Title: Re: MBAM false positives? No. avast misdetection again.
Post by: essexboy on April 23, 2010, 10:11:13 PM
You can remove the log attachments now Tech, there are no tasks on your system. Not even hidden ones, as OTL would show them as locked even if they could not be identified:
%systemroot%\Tasks\*.job /lockedfiles


It may well be an MBAM false positive. I am not sure how they are reported, as they usually need the file to play with.

To remove OTL run the programme and hit the cleanup button and it will disappear  ;D
Title: Re: MBAM false positives? No. avast misdetection again.
Post by: Lisandro on April 23, 2010, 10:33:01 PM
Wow! My computer is clean then!
Thanks for the help. Although a mystery...
Title: Re: MBAM false positives? No. avast misdetection again.
Post by: bong2x on April 23, 2010, 10:36:18 PM
hello tech

I know I'm not qualified to post here but I would also like to share some of my experience about this.
This dynamic link library (dll) virus is difficult to see.
It's some kind of murfer process; it's run only by service host.

This one doesn't have a registry entry, that's why resident protection cannot detect it.

If you're willing to try my idea, it's simple but maybe it will help.

Regards!!!
Title: Re: MBAM false positives? No. avast misdetection again.
Post by: Lisandro on April 23, 2010, 10:37:20 PM
Ok, bong2x, but if it is so, how to remove it?
Title: Re: MBAM false positives? No. avast misdetection again.
Post by: bong2x on April 23, 2010, 10:48:11 PM
We will try.
First unhide your system folder,

then using the search option, search for the file sshnas21.dll,

and open the command prompt; at the end of the string type tasklist /svc

This reveals all the service hosts.

Let's check for irrelevant services running there.

 
Title: Re: MBAM false positives? No. avast misdetection again.
Post by: Lisandro on April 23, 2010, 11:00:51 PM
Look... the file isn't there... There is no reason to search...
Title: Re: MBAM false positives? No. avast misdetection again.
Post by: essexboy on April 23, 2010, 11:08:43 PM
No netsvc indications on OTL either
Title: Re: MBAM false positives? No. avast misdetection again.
Post by: Lisandro on April 23, 2010, 11:13:13 PM
Essexboy, why is MBAM detecting it?
Is there any other scan I could do to check if my computer is clean?
No abnormal activity in the computer as far as I can see...
Title: Re: MBAM false positives? No. avast misdetection again.
Post by: bong2x on April 23, 2010, 11:18:31 PM
Tech, if the file is hidden it cannot be seen, even with the search option;

you must unhide it first (folder options: show hidden files and folders).

Sorry, I am not good at expressing it in words.

OK, how about the service hosts: is there anything you found running that is not related to any of your applications?

Regards!!

Title: Re: MBAM false positives? No. avast misdetection again.
Post by: essexboy on April 23, 2010, 11:36:38 PM
For pure peace of mind we can run Combofix - I see nothing on your system that would cause problems, so I am happy for you to run it

 Download ComboFix from one of these locations:


Link 1 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 2 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)


* IMPORTANT !!! Save ComboFix.exe to your Desktop


**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


(http://img.photobucket.com/albums/v706/ried7/RcAuto1.gif)


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

(http://img.photobucket.com/albums/v706/ried7/whatnext.png)


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you.  Please include the C:\ComboFix.txt in your next reply.
Title: Re: MBAM false positives? No. avast misdetection again.
Post by: Lisandro on April 23, 2010, 11:42:45 PM
Quote
you must unhide it first. (folder option show hidden files and folder)
No offense, but this is obvious. I've done it.
Title: Re: MBAM false positives? No. avast misdetection again.
Post by: bong2x on April 24, 2010, 12:02:16 AM
If the file is physically not there, then it ends up being a ghost chase.

Tech, how many times did you format your hard drive?

It cannot be a bad sector of the hard drive nor a virtual generator.

I can manually guide you to remove the virus, but if it's not there, it's a big problem: how can we remove nothing?

OK, Tech, I think there is nothing to remove there.

edit: no wonder it cannot be found :D this thing merges with this - C:\WINDOWS\system32\svchost.exe

If you try to remove it you are trying to shut down everything.

This thing I think is a subject for investigation, something like an x86 update  ??? ::) :D

Best Regards!!!



Title: Re: MBAM false positives? No. avast misdetection again.
Post by: Lisandro on April 24, 2010, 03:29:25 AM
Quote
tech, how many times did you format your hard drive?
I've done it 15 days ago  :-[

Quote
it cannot be a bad sector of hard drive nor virtual generator.
No, all my disk is completely clean, no physical damage, bad sectors, etc.
I run chkdsk when necessary.
Title: Re: MBAM false positives? No. avast misdetection again.
Post by: Lisandro on April 24, 2010, 01:59:37 PM
Essexboy, how could I fully uninstall Combofix? Seems that a lot of files and folders are installed...
Title: Re: MBAM false positives?
Post by: essexboy on April 24, 2010, 02:31:56 PM
No indications of any malware there at all Tech.  CF removal follows  ;D

The following will implement some cleanup procedures as well as reset  System Restore points:

Click Start > Run  and copy/paste the following bolded text into the Run box and click OK:

ComboFix /Uninstall
Title: Re: MBAM false positives?
Post by: Lisandro on April 24, 2010, 02:46:20 PM
Hmmm...
C:\ComboFix was created after I've manually deleted it...
I've received a message of a full ComboFix uninstall though.

Title: Re: MBAM false positives?
Post by: essexboy on April 24, 2010, 02:55:20 PM
Just delete that folder - any other entries in your system should be gone
Title: Re: MBAM false positives?
Post by: Lisandro on April 24, 2010, 03:05:18 PM
Thanks. Done.
Now the only mystery is MBAM...
Title: Re: MBAM false positives?
Post by: essexboy on April 24, 2010, 04:16:24 PM
The thing is how do we give MBAM a copy of a file that does not exist ?
Title: Re: MBAM false positives?
Post by: Lisandro on April 24, 2010, 05:49:16 PM
I've sent an email to them. Hope they could take a look into this thread.
Title: Re: MBAM false positives?
Post by: Lisandro on April 24, 2010, 10:51:35 PM
Quote
I've sent an email to them. Hope they could take a look into this thread.
They already did. I liked the quick response of their support.
Hope we can find what's going on.
By the way, the latest 4032 database of MBAM also detects them as infected, i.e., the problem persists.
Title: Re: MBAM false positives?
Post by: essexboy on April 25, 2010, 12:03:58 AM
OK let me have a thunk on this, and see if I can rake up a tool that looks in different areas
Title: Re: MBAM false positives?
Post by: Lisandro on April 25, 2010, 12:22:21 AM
Quote
OK let me have a thunk on this, and see if I can rake up a tool that looks in different areas
Elaborate please... what should I do? Wait?
Title: Re: MBAM false positives?
Post by: essexboy on April 25, 2010, 01:38:43 PM
Wait no more - I have a tool that will strip permissions from any file and then delete it, so if it is there it will go.  This will kill your desktop when it runs as all processes will be stopped, they will come back on reboot. 

 Please download OTM (http://oldtimer.geekstogo.com/OTM.exe)
Code:
:Processes
explorer.exe

:Files
C:\Windows\system32\sshnas21.dll
C:\Windows\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job

:Commands
[Reboot]
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.
Title: Re: MBAM false positives?
Post by: Lisandro on April 25, 2010, 11:04:30 PM
Log:

========== PROCESSES ==========
Process explorer.exe killed successfully!
========== FILES ==========
File/Folder C:\Windows\system32\sshnas21.dll not found.
File/Folder C:\Windows\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job not found.
========== COMMANDS ==========
 
OTM by OldTimer - Version 3.1.11.0 log created on 04252010_171440
Title: Re: MBAM false positives?
Post by: essexboy on April 25, 2010, 11:16:49 PM
I think that says it all - a final check that neither of those files are on your system

To remove OTM run it and hit the cleanup button
Title: Re: MBAM false positives?
Post by: Lisandro on April 25, 2010, 11:55:09 PM
I've run SystemLook.exe as per MBAM support and the files couldn't be found either.
So, I'm waiting for their instructions...

Thanks for your help Essexboy.
Title: Re: MBAM false positives?
Post by: essexboy on April 26, 2010, 08:53:40 PM
No problem Tech - I get to play with my toys  ;D
Title: Re: MBAM false positives?
Post by: earshurt on June 19, 2010, 08:46:51 AM
I just found the same thing with mbam. Said this was found in
C:\Windows\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job


Had the same experience. Went there and nothing was there. So, right clicked the task folder and changed the properties of the "hide" option to "hide". Then I unchecked the "hide" option and it and about three more files that were previously hidden suddenly showed up and {35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job
was suddenly in the task folder after I selected hide, and then deselected it.

Just looking at it in the explorer screen it says it is a 1 kb file. When I right click the file and choose properties and look at the size it says it is 310 bytes

and

Task Scheduler Task Object (.job)

size on disk: 4.00 KB (4,096 bytes)

says created Wednesday, May 26, 2010, 8:32:52 PM

and modified just a few minutes ago, Today, June 19, 2010, 24 minutes ago, which might be the time I hid and unhid it probably

accessed Wednesday, May 26, 2010, 8:32:52 PM

attributes "hidden"


Seems a little crazy. I could not see it until I selected "hide" on the windows task folder, and then deselected it. Now it says attributes "hidden" but I can see it. I have not dared to unselect the task folder in the windows folder yet though since I hid and unhid it because it will probably disappear again. I reckon I could get it to appear again by hiding and unhiding again but I haven't tried yet.

Any thoughts?



Title: Re: MBAM false positives?
Post by: earshurt on June 19, 2010, 08:48:00 AM
oh yeah, mbam said the above was trojan.downloader
Title: Re: MBAM false positives?
Post by: earshurt on June 19, 2010, 08:59:13 AM
Forgive me for the additions but as you see I'm a newbie, newbie stupid...

These are the other two files that suddenly showed up. This one showed up in the other dude's trojan.downloader report too:
{8C3FDD81-7AE0-4605-A464-2488B179F2A3}
MBAM didn't find and list this as a trojan but it looks like the same number the other dude posted, right? And it suddenly popped into view when I hid and unhid the task folder. Explorer says it is 1kb too, but the properties say 310 bytes.

The other file that suddenly came into view was this one:
SA
That is its name, "SA", and the file type is "video cd movie". Explorer says it is 1kb and the properties say it is 6kb.

These are the ones that suddenly popped into view when I hid and unhid files in the task folder of Windows.

This file is in the Windows task folder too. It was there the first time I looked and I didn't have to hide/unhide to see it:
SCHEDLGU
Title: Re: MBAM false positives?
Post by: essexboy on June 19, 2010, 01:56:39 PM
C:\Windows\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job
Is a good detection - it runs a vundo file to download further malware and should be deleted
Title: Re: MBAM false positives?
Post by: earshurt on June 19, 2010, 04:52:51 PM
Ok. I went ahead and told mbam to delete it. When I did {8C3FDD81-7AE0-4605-A464-2488B179F2A3} disappeared from the task folder too so I guess it was somehow tied to the one I deleted.
Title: Re: MBAM false positives?
Post by: Lisandro on June 19, 2010, 05:48:55 PM
earshurt, go ahead and fully scan your system...
Something infected put that .job there...
Title: Re: MBAM false positives?
Post by: earshurt on June 19, 2010, 11:47:50 PM
Ok I will, I just got back to the puter and getting ready to do a good scan. I just rebooted, and thanks so much for taking the time to reply to me. I really appreciate your knowledge and help.


 File Name: launcher.exe
Display Name: soft thinks Launcher
Description: Launcher
Publisher: soft thinks
Digitally Signed By: NOT SIGNED
File Type: Application
Startup Value: C:\Windows\SMINST\launcher.exe
File Path: C:\Windows\SMINST\launcher.exe


What about this guy above? I found this with the "start ed lite" program. It's launching on boot. I think I have told start ed not to let it boot before but it keeps enabling itself by itself. Seen it before but the reviews on the web are mixed and I'm confused. Any help you experts have would be greatly appreciated. You guys have a great forum. Ya'll rock the house dudes! Lots of knowledgeable people here.

Title: Re: MBAM false positives?
Post by: Lisandro on June 19, 2010, 11:50:07 PM
I don't know...
Maybe you could upload the file to www.virustotal.com and check if it is clean.
Googling, you can find which program it belongs to...
http://www.vistax64.com/vista-security/87995-what-windir-sminst-launcher-exe.html
http://forums.malwarebytes.org/index.php?showtopic=23701