Topic: MBAM false positives?

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67274
MBAM false positives?
« on: April 23, 2010, 01:34:57 PM »
Two files were detected as being infected:

C:\Windows\system32\sshnas21.dll (Trojan.Downloader) -> Delete on reboot.
C:\Windows\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job (Trojan.Downloader) -> Delete on reboot.

The first one I couldn't find.
The second one I don't know what it is.

Can anybody help?
Essexboy? Oldman? Polonus?
« Last Edit: April 24, 2010, 02:11:56 PM by Tech »
The best things in life are free.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 32770
  • malware fighter
Re: MBAM false positives?
« Reply #1 on: April 23, 2010, 01:56:40 PM »
Hi Tech,

This is about the malicious dll: http://htlogs.com/what-is-sshnas21-dll-how-to-remove-sshnas21-dll/
also: http://www.prevx.com/filenames/1969726235776757102-X1/SSHNAS21.DLL.html
The second malicious find: htxp://www.exterminate-it.com/malpedia/file/%7B35DC3473-A719-4d14-B7C1-FD326CA84A0C%7D.job (just use the info, and remember this advice: http://www.siteadvisor.com/sites/exterminate-it.com - exterminate-it.com has been found with potential security risk issues!, so do not chase out the devil with Beelzebub!)
And here: http://www.microsoft.com/communities/newsgroups/list/en-us/default.aspx?dg=microsoft.public.es.windowsxp&tid=d2e9ae57-1fd8-4102-94e4-f267f88909e1&cat=&lang=&cr=&sloc=&p=1

Just easily found in the virus encyclopedia,

Damian
« Last Edit: April 23, 2010, 02:08:43 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline Lisandro

Re: MBAM false positives?
« Reply #2 on: April 23, 2010, 02:02:05 PM »
Hmmm... seems that avast missed both...
It's not a good detection rate, analyzing the latest dates... avast is missing too many samples (at least for me...).

Offline polonus

Re: MBAM false positives?
« Reply #3 on: April 23, 2010, 02:06:16 PM »
Hi Tech,

They always have to decide what they put into an update or what they scan for. The malcode that you have found here was first seen in January of this year. They're certainly gonna add it, but it was not that old either, so I agree with you, you should have been protected, my friend,

polonus

Offline Lisandro

Re: MBAM false positives? No. avast misdetection again.
« Reply #4 on: April 23, 2010, 05:41:32 PM »
Hmmm... I've rebooted. Scanned again and the items are there again (seems they were not removed).
Something is telling me it's a problem of MBAM...

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40631
  • Dragons by Sasha
    • Malware fixes
Re: MBAM false positives? No. avast misdetection again.
« Reply #5 on: April 23, 2010, 08:50:51 PM »
Quote
C:\Windows\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job
This one is difficult to recognize for an AV as all it does is give directions to another file to run, but it is malware

Quote
C:\Windows\system32\sshnas21.dll
This one is either/or, as MS networks have a file with this name and location - but it is also a trojan downloader

However, if Avast read that file from the task then it was doing its job
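Since the .job file itself only tells the scheduler which file to launch, the useful forensic step is to read that target out of the .job without running it. The parser below is an added example (not code from this thread, from MBAM or from OTL) for the Task Scheduler 1.0 .job layout documented in MS-TSCH; the sample blob, its target path and author string are constructed here, and the GUID from the thread's file name is reused only as the sample's job id.

```python
import struct
import uuid

# TASK_FLAG_HIDDEN from the Task Scheduler 1.0 API: hides the job from the Tasks folder view.
TASK_FLAG_HIDDEN = 0x200
FIXED_LEN = 68  # size of the fixed-length .job header (FIXDLEN_DATA in MS-TSCH)
HEADER_FMT = "<HH16sHHHHHHIIIII"  # header fields up to and including Flags (52 bytes)

def _read_unicode(buf, pos):
    """Read a .job UNICODE string: wchar count (incl. NUL) then UTF-16LE text."""
    (nchars,) = struct.unpack_from("<H", buf, pos)
    pos += 2
    if nchars == 0:
        return "", pos
    text = buf[pos:pos + nchars * 2].decode("utf-16-le").rstrip("\x00")
    return text, pos + nchars * 2

def parse_job(buf):
    """Extract what a responder wants from a .job blob: target, args, hidden flag."""
    hdr = struct.unpack_from(HEADER_FMT, buf, 0)
    app_name_offset, trigger_offset, flags = hdr[3], hdr[4], hdr[13]
    fields, pos = {}, app_name_offset
    for name in ("application", "parameters", "working_dir", "author", "comment"):
        fields[name], pos = _read_unicode(buf, pos)
    (fields["trigger_count"],) = struct.unpack_from("<H", buf, trigger_offset)
    fields["uuid"] = str(uuid.UUID(bytes_le=hdr[2]))
    fields["hidden"] = bool(flags & TASK_FLAG_HIDDEN)
    return fields

def _unicode_field(s):
    """Inverse of _read_unicode, used only to build the constructed sample."""
    if not s:
        return struct.pack("<H", 0)
    data = (s + "\x00").encode("utf-16-le")
    return struct.pack("<H", len(data) // 2) + data

def build_sample_job(app, params, hidden):
    """Constructed sample .job (not a capture from this thread) that launches `app`."""
    var = struct.pack("<H", 0)  # running instance count
    var += b"".join(_unicode_field(s) for s in (app, params, "", "sample", ""))
    var += struct.pack("<HH", 0, 0)  # empty user data and reserved data
    trigger_offset = FIXED_LEN + len(var)
    var += struct.pack("<H", 0)  # trigger count: none, keeps the sample short
    job_uuid = uuid.UUID("35DC3473-A719-4d14-B7C1-FD326CA84A0C")  # GUID from the thread's file name
    hdr = struct.pack(HEADER_FMT, 0x0600, 1, job_uuid.bytes_le, FIXED_LEN + 2, trigger_offset,
                      0, 0, 0, 0, 0, 0, 0, 0, TASK_FLAG_HIDDEN if hidden else 0)
    return hdr + bytes(16) + var  # 16 zero bytes stand in for the Last Run Time SYSTEMTIME
```

On a live system, `parse_job(open(path, "rb").read())` over each file in `%systemroot%\Tasks` lists every job's launch target, including ones flagged hidden.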

Offline polonus

Re: MBAM false positives? No. avast misdetection again.
« Reply #6 on: April 23, 2010, 08:53:47 PM »
Hi essexboy,

Thanks for the final on this,

pol

Offline Lisandro

Re: MBAM false positives? No. avast misdetection again.
« Reply #7 on: April 23, 2010, 08:59:44 PM »
Essexboy, but the file isn't there... I can't see any strange task job either.
Besides, MBAM fails to remove both files that reappear in the next boot.
What do I do?

Offline essexboy

Re: MBAM false positives? No. avast misdetection again.
« Reply #8 on: April 23, 2010, 09:04:11 PM »
Could you post the MBAM log please Tech

Offline Lisandro

Re: MBAM false positives? No. avast misdetection again.
« Reply #9 on: April 23, 2010, 09:07:42 PM »
Sorry, it's in Portuguese. But the last two lines are the important ones.

Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Versão da Base de Dados:  4024

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

23/04/2010 10:31:58
mbam-log-2010-04-23 (10-31-58).txt

Tipo de Verificação:  Verificação Completa  (C:\|D:\|F:\|)
Objetos escaneados:  218425
Tempo decorrido: 56 minuto(s), 2 segundo(s)

Processos de Memória Infectados:  0
Módulos de Memória Infectados:  0
Chaves de Registro Infectadas: 0
Valores de Registro Infectados: 0
Itens de Dados no Registro Infectados:  0
Pastas Infectadas:  0
Arquivos Infectados: 2

Processos de Memória Infectados:
(Não foram detectados ítens maliciosos)

Módulos de Memória Infectados:
(Não foram detectados ítens maliciosos)

Chaves de Registro Infectadas:
(Não foram detectados ítens maliciosos)

Valores de Registro Infectados:
(Não foram detectados ítens maliciosos)

Itens de Dados no Registro Infectados:
(Não foram detectados ítens maliciosos)

Pastas Infectadas:
(Não foram detectados ítens maliciosos)

Arquivos Infectados:
C:\Windows\system32\sshnas21.dll (Trojan.Downloader) -> Delete on reboot.
C:\Windows\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job (Trojan.Downloader) -> Delete on reboot.

Offline essexboy

Re: MBAM false positives? No. avast misdetection again.
« Reply #10 on: April 23, 2010, 09:12:05 PM »
And these keep returning? The language is no problem as the format is always the same.

Download OTL to your Desktop
  • Double click on the icon to run it. Make sure all other windows are closed and let it run uninterrupted.
  • Under the Custom Scan box paste this in:

netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
eventlog.dll
scecli.dll
netlogon.dll
cngaudit.dll
sceclt.dll
ntelogon.dll
logevent.dll
iaStor.sys
nvstor.sys
atapi.sys
IdeChnDr.sys
viasraid.sys
AGP440.sys
vaxscsi.sys
nvatabus.sys
viamraid.sys
nvata.sys
nvgts.sys
iastorv.sys
ViPrt.sys
eNetHook.dll
ahcix86.sys
KR10N.sys
nvstor32.sys
ahcix86s.sys
nvrd32.sys
symmpi.sys
adp3132.sys
mv61xx.sys
nvraid.sys
/md5stop
%systemroot%\*. /mp /s
CREATERESTOREPOINT
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\system32\drivers\*.sys /lockedfiles
%systemroot%\System32\config\*.sav
%systemroot%\system32\drivers\*.sys /90

  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows: OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Post both logs

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 83935
  • No support PMs thanks
Re: MBAM false positives? No. avast misdetection again.
« Reply #11 on: April 23, 2010, 09:24:52 PM »
Quote
Essexboy, but the file isn't there... I can't see any strange task job either.
Besides, MBAM fails to remove both files that reappear in the next boot.

So even when the file and .job are recreated (or they wouldn't be detected again), you can't see a new scheduled task?

I know it is possible to hide the file (possible rootkit, etc.), but I wasn't aware that it could also hide a scheduled task; that's a new one on me.
Windows 10 Home 2004 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 20.8.2432 (build 20.8.5684.602) UI-1.0.566/ WinPatrol+/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline Lisandro

Re: MBAM false positives? No. avast misdetection again.
« Reply #12 on: April 23, 2010, 09:30:35 PM »
Quote
So even when the file and .job are recreated (or they wouldn't be detected again), you can't see a new scheduled task?
I run MBAM and the files are detected. At the same time they're not there in Windows Explorer (hidden/system files being shown).

Quote
I know it is possible to hide the file (possible rootkit, etc.), but I wasn't aware that it could also hide a scheduled task, that's a new one on me.
For me too.
The problem is that avast detected nothing...

Offline essexboy

Re: MBAM false positives? No. avast misdetection again.
« Reply #13 on: April 23, 2010, 09:34:12 PM »
A task can be hidden but it would show on my scanners as such -

Offline Lisandro

Re: MBAM false positives? No. avast misdetection again.
« Reply #14 on: April 23, 2010, 09:37:50 PM »
Quote
Make sure all other windows are closed and to let it run uninterrupted.
Almost impossible on my computer... there are a lot of running things.
I'm scanning. Do I need to do it in Safe Mode?

Quote
The scan wont take long.
Well, mine is longing :)