MBAM false positives?

Two files were detected as being infected:

C:\Windows\system32\sshnas21.dll (Trojan.Downloader) → Delete on reboot.
C:\Windows\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job (Trojan.Downloader) → Delete on reboot.

The first one I couldn’t find.
The second one I don’t know what it is.

Can anybody help?
Essexboy? Oldman? Polonus?

Hi Tech,

This is about the malicious dll: http://htlogs.com/what-is-sshnas21-dll-how-to-remove-sshnas21-dll/
also: http://www.prevx.com/filenames/1969726235776757102-X1/SSHNAS21.DLL.html
The second malicious find: htxp://www.exterminate-it.com/malpedia/file/%7B35DC3473-A719-4d14-B7C1-FD326CA84A0C%7D.job (just use the info, remember this advice: http://www.siteadvisor.com/sites/exterminate-it.com - exterminate.it has been found with potential security risk issues!, so do not chase out the devil with Beelzebub!)
And here: http://www.microsoft.com/communities/newsgroups/list/en-us/default.aspx?dg=microsoft.public.es.windowsxp&tid=d2e9ae57-1fd8-4102-94e4-f267f88909e1&cat=&lang=&cr=&sloc=&p=1

Easily found in the virus encyclopedia,

Damian

Hmmm… it seems that avast missed both…
It hasn’t been a good detection rate lately… avast is missing too many samples (at least for me…).

Hi Tech,

They always have to decide what they put into an update or what they scan for; the malcode that you found here was first seen in January of this year. They are certainly going to add it, but it was not that old either, so I agree with you, you should have been protected, my friend,

polonus

Hmmm… I’ve rebooted. Scanned again and the items are there again (they seem not to have been removed).
Something is telling me it’s a problem with MBAM…

C:\Windows\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job
This one is difficult for an AV to recognize, as all it does is give directions to another file to run, but it is malware.
C:\Windows\system32\sshnas21.dll
This one is either/or, as MS networks have a file with this name and location - but it is also a trojan downloader.

However, if Avast read that file from the task then it was doing its job

Hi essexboy,

Thanks for the final on this,

pol

Essexboy, but the file isn’t there… I can’t see any strange task job either.
Besides, MBAM fails to remove both files that reappear in the next boot.
What do I do?

Could you post the MBAM log please, Tech?

Sorry, it’s in Portuguese. But the last two lines are the important ones.

Malwarebytes’ Anti-Malware 1.45
www.malwarebytes.org

Database version: 4024

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

23/04/2010 10:31:58
mbam-log-2010-04-23 (10-31-58).txt

Scan type: Full Scan (C:|D:|F:|)
Objects scanned: 218425
Time elapsed: 56 minute(s), 2 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Windows\system32\sshnas21.dll (Trojan.Downloader) → Delete on reboot.
C:\Windows\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job (Trojan.Downloader) → Delete on reboot.

And these keep returning? The language is no problem, as the format is always the same.

Download OTL to your Desktop

[*]Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
[*]Under the Custom Scan box paste this in


netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
eventlog.dll
scecli.dll
netlogon.dll
cngaudit.dll
sceclt.dll
ntelogon.dll
logevent.dll
iaStor.sys
nvstor.sys
atapi.sys
IdeChnDr.sys
viasraid.sys
AGP440.sys
vaxscsi.sys
nvatabus.sys
viamraid.sys
nvata.sys
nvgts.sys
iastorv.sys
ViPrt.sys
eNetHook.dll
ahcix86.sys
KR10N.sys
nvstor32.sys
ahcix86s.sys
nvrd32.sys
symmpi.sys
adp3132.sys
mv61xx.sys
nvraid.sys
/md5stop
%systemroot%\*. /mp /s
CREATERESTOREPOINT
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\system32\drivers\*.sys /lockedfiles
%systemroot%\System32\config\*.sav
%systemroot%\system32\drivers\*.sys /90

[*]Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won’t take long.

[*]When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
[*]Post both logs

So even when the file and .job are recreated (or they wouldn’t be detected again), you can’t see a new scheduled task?

I know it is possible to hide the file (possible rootkit, etc.), but I wasn’t aware that it could also hide a scheduled task, that’s a new one on me.

I run MBAM and the files are detected. At the same time they’re not there in Windows Explorer (hidden/system files being shown).
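An added check that is not part of anyone’s post in this thread: essexboy’s point above is that the .job file only tells the scheduler which other file to run, and the later exchange is about the .job and the DLL being detected by MBAM yet invisible in Explorer. The PowerShell below enumerates legacy .job files in %SystemRoot%\Tasks with hidden/system files included, pulls the UTF-16LE strings out of each (the .job format stores the target application and its parameters that way), and reports the attributes and SHA-256 of the DLL path under discussion. It assumes PowerShell 3.0 or later for Get-FileHash; the paths are the ones named in the thread.

```powershell
# Added example, not code from the thread. Assumes PowerShell 3.0+ (Get-FileHash);
# on PowerShell 2.0 substitute "certutil -hashfile <path> SHA256".
$tasksDir = Join-Path $env:SystemRoot 'Tasks'
$dllPath  = Join-Path $env:SystemRoot 'system32\sshnas21.dll'

# -Force lists files carrying the Hidden and System attributes, which Explorer and
# a plain "dir" omit. If a file shows up here but not in Explorer, attributes are the
# usual reason; if it shows up in MBAM but not here either, suspect a rootkit.
$jobs = Get-ChildItem -Path $tasksDir -Filter '*.job' -Force -ErrorAction SilentlyContinue
foreach ($job in $jobs) {
    # Legacy .job files store the application path, parameters and working directory
    # as UTF-16LE strings after a fixed-size header, so decode as Unicode and keep
    # every printable run of four or more characters.
    $bytes   = [System.IO.File]::ReadAllBytes($job.FullName)
    $text    = [System.Text.Encoding]::Unicode.GetString($bytes)
    $strings = [regex]::Matches($text, '[\x20-\x7E]{4,}') | ForEach-Object { $_.Value }

    [pscustomobject]@{
        Job        = $job.Name
        Attributes = $job.Attributes
        LastWrite  = $job.LastWriteTime
        Strings    = ($strings -join ' | ')
    } | Format-List
}

# Same check for the DLL: present once hidden files are included? Which attributes?
# The hash is what you would submit to a scanner or vendor for a second opinion.
$dll = Get-Item -Path $dllPath -Force -ErrorAction SilentlyContinue
if ($dll) {
    $hash = (Get-FileHash -Path $dll.FullName -Algorithm SHA256).Hash
    '{0} attributes={1} size={2} sha256={3}' -f $dll.FullName, $dll.Attributes, $dll.Length, $hash
} else {
    "$dllPath not present via the normal file system API"
}
```

Run it from an elevated PowerShell prompt, since %SystemRoot%\Tasks and system32 are not readable in full by a standard user. A .job whose strings name a DLL in system32 launched through rundll32 is the pattern essexboy describes: the task is the loader, the DLL is the payload, and deleting one without the other is why both keep coming back.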

For me too.
The problem is that avast detected nothing…

A task can be hidden but it would show on my scanners as such -

Almost impossible in my computer… there are a lot of running things.
I’m scanning. Do I need to do it in Safe Mode?

Well, mine is taking long :)

For sure MBAM is detecting it with the latest two virus databases.
The files are the same but they’re completely hidden…

No, it is just that it is quicker if no other programmes are running; the scan will generate about 300 lines of code. Obviously if you have just updated a service pack or something similar there will be a lot more files within the 30 day time frame. Takes about 10 minutes on mine whilst I am surfing and playing music ;D

I’m posting both logs. I only changed my user logon name to Tech.

The second log…

I’ll boot the computer… see you soon.
Thanks for the help.