XP startup services SSHNAS?

Advice wanted please,

Today I have encountered a problem where my computer stopped responding. It would not "restart" or "close down". The desktop shortcuts would not start anything - in other words, computer not working!

5 hrs later I was looking through the "Services" area, and noticed that 10 services were stuck "starting".
System Restore, System Event…, Telephony, Windows Time, NLA, Network Connections, Fast User Switching, Auto Updates, Windows Management… and lastly something with NO description called SSHNAS? Address was Windows\system32\svchost.exe -k netsvcs (which I can't find?)

Yesterday I completed a "Boot scan". Today I had problems?
Have run scans on Windows nothing found.

I got the computer going again by disabling all “stuck” services, restarting the computer (by turning off the power) then starting the services again one at a time.

But I'm unsure what this SSHNAS is, and have not restarted.

Update - avast just found SSHNAS21.dll while scanning system32. Now in chest. Why didn't the scan of Windows find it?

Maybe problem solved? SSHNAS still shows as a service, but has no options - can I delete it from the list somehow?

Hope this may help others, but would like advice about what to do about the service list.

Thank you.
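The "Windows\system32\svchost.exe -k netsvcs" path in the post above is genuine: svchost.exe is only a host process, and the thing to look for is the DLL registered for each service in the netsvcs group. The script below is an added example (not code from the thread or from avast) that audits that group the way a responder would: it reads the netsvcs member list from HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost and each member's ServiceDll from HKLM\SYSTEM\CurrentControlSet\Services\<name>\Parameters, then flags members with no ServiceDll, a DLL outside system32, or a DLL that is registered but no longer on disk (which is exactly the state after a quarantine). The live registry reader needs Python's winreg module on Windows; the audit logic itself is pure and is exercised here with a constructed sample (three real XP netsvcs members plus the nameless SSHNAS entry), not data taken from a real machine.

```python
"""Audit what 'svchost.exe -k netsvcs' is really hosting (added example)."""
import ntpath
import re

# Registry locations (HKLM) used by the svchost grouping mechanism on XP.
SVCHOST_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost"
SERVICES_KEY = r"SYSTEM\CurrentControlSet\Services"


def expand_systemroot(path, system_root):
    """Expand %SystemRoot% by hand: ServiceDll is REG_EXPAND_SZ and winreg returns it unexpanded."""
    return re.sub(r"%systemroot%", lambda _m: system_root, path, flags=re.IGNORECASE)


def audit_netsvcs(members, service_dlls, file_exists, system_root=r"C:\WINDOWS"):
    """Return (service, reason) pairs for netsvcs members that deserve a look.

    members      -- names listed in the netsvcs REG_MULTI_SZ value
    service_dlls -- {name: ServiceDll value, or None when the value is absent}
    file_exists  -- callable(path) -> bool, injected so the logic runs offline
    """
    system32 = ntpath.join(system_root, "system32").lower()
    findings = []
    for name in members:
        dll = service_dlls.get(name)
        if not dll:
            findings.append((name, "no ServiceDll registered"))
            continue
        full = expand_systemroot(dll, system_root)
        if ntpath.dirname(full).lower() != system32:
            findings.append((name, "ServiceDll outside system32: " + full))
        elif not file_exists(full):
            # Typical after an AV quarantine: the DLL is gone but the service entry remains.
            findings.append((name, "ServiceDll not present on disk: " + full))
    return findings


def read_live_registry():
    """Windows only: read the real netsvcs list and ServiceDll values via winreg."""
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, SVCHOST_KEY) as key:
        members, _ = winreg.QueryValueEx(key, "netsvcs")
    dlls = {}
    for name in members:
        try:
            params_key = SERVICES_KEY + "\\" + name + r"\Parameters"
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, params_key) as params:
                dlls[name], _ = winreg.QueryValueEx(params, "ServiceDll")
        except OSError:
            dlls[name] = None
    return list(members), dlls


# Constructed sample, not read from a real machine: three genuine XP netsvcs
# members and the nameless SSHNAS entry from the thread, whose DLL has been
# moved to the virus chest and so is no longer on disk.
SAMPLE_MEMBERS = ["Browser", "Schedule", "wuauserv", "SSHNAS"]
SAMPLE_DLLS = {
    "Browser": r"%SystemRoot%\System32\browser.dll",
    "Schedule": r"%SystemRoot%\system32\schedsvc.dll",
    "wuauserv": r"%SystemRoot%\system32\wuauserv.dll",
    "SSHNAS": r"C:\WINDOWS\system32\SSHNAS21.dll",
}
SAMPLE_DISK = {
    r"c:\windows\system32\browser.dll",
    r"c:\windows\system32\schedsvc.dll",
    r"c:\windows\system32\wuauserv.dll",
}


def demo():
    """Run the audit over the constructed sample (case-insensitive disk lookup)."""
    return audit_netsvcs(SAMPLE_MEMBERS, SAMPLE_DLLS, lambda p: p.lower() in SAMPLE_DISK)


if __name__ == "__main__":
    for service, reason in demo():
        print(service, "-", reason)
```

On the affected machine, replacing `demo()` with `audit_netsvcs(*read_live_registry(), os.path.exists)` gives the live picture; a netsvcs member that is flagged and not recognised is the one to submit for analysis, and removing its name from the netsvcs list plus its Services key is what makes the orphaned service entry disappear from the Services console.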

See this on sshnas21.dll, http://www.systemlookup.com/search.php?type=filename&client=malwaresearch-ff&search=SSHNAS21.dll, listed as a rogue program.

Why it wasn't detected sooner, I don't know, as I don't know the scan that detected it or the scans you have done since it arrived on your system (if that would have been included and active). There are new signatures added all the time and it is in cases like this that it may pick up something otherwise not detected.

If you haven't already got this software (freeware), download, install, update and run it and report the findings (it should produce a log file).

Don't worry about reported tracking cookies; they are a minor issue and not one of security. Allow SAS to deal with them, though. - See http://en.wikipedia.org/wiki/HTTP_cookie.
Also available a portable version of SAS, http://www.superantispyware.com/portablescanner.html, no installation required.

Computer just finished another boot scan.

Has found multiple cases of "Win32:Renos-00 [Trj]".

Strange that it didn't find them when I ran the scan the other day. Could it be that the "SSHNAS service" was affecting the scan process?

Thank you for the links. I'm currently using "Advanced System Care Pro" and Windows Defender to look for spyware etc. I'm only using Avast 4.8 Home edition. Just seen the "upgrade" to 5.0 - doing so now.

Thank you for the links. I'm currently using "Advanced System Care Pro",
Is that "Advanced System Care" from IObit?

IObit info
http://www.malwarebytes.org/forums/index.php?showtopic=29681
http://www.malwarebytes.org/forums/index.php?showtopic=30989
http://www.malwarebytes.org/forums/index.php?showtopic=33217

There is also a tool for removal of IObit software, Bitremover 1.2.
You will find it on the right side of this page:
http://uninstallers.blogspot.com/

What were the file names and locations of the detections?

Not too strange: when Windows is running there may well be something hiding the malware; since the boot-time scan operates before Windows has fully loaded, it is possible to find things that might otherwise be hidden. Not to mention new/modified signatures are continually added, so it could be that it now detects this.

Given the trust issue mentioned by Pondus, I would look in another direction. The two options I suggested are two of the best anti-spyware/malware applications, and one of them is where the trust issue stemmed from: their signature detections miraculously appeared in IObit's Advanced System Care, which after the publicity IObit subsequently removed, protesting their innocence.

Wow, didn't know that about IObit.

Are they talking about Advanced System Care? Not sure what 360 is (which the posts seem to be about). I think it's more of an anti-virus program? (I'm using Avast lol)

It's a shame, I really like Advanced System Care Pro. The utilities I find most useful - Smart RAM, Internet booster, Firefox optimizer etc etc etc…

Have downloaded the Malwarebytes program, see what happens when I run it :-\

Now using Avast5 full version - should I re-scan?

Yes, if you have now installed avast 5.0 I would scan again, it has some other tricks up its sleeves.

Done a quick scan. I'll do a boot scan tonight when I go to bed.

Just done a Malwarebytes scan - thanks for the link.

With avast 5, does the firewall override the Windows firewall? Do I need to add the same exceptions as on Windows?

Any advice for avast 5 best settings? I have just left it with defaults.

Please post the contents of the MBAM log file if anything was detected.

The default settings are generally best as they provide a good balance between performance and protection. Spend some time rummaging through the various areas of the avastUI without making any changes to get an idea of what it can do. Then spend some time browsing the avast help file for the various areas of interest to become more familiar with the settings.

If you mean you have the avast! Internet Security (AIS) suite then yes, you can leave the Windows firewall enabled (it should be compatible with it); if you haven't got the AIS version then avast doesn't come with a firewall?

Log file, after avast 5 check. (Hope this is what you wanted.) Sorry, I don't have the log of the boot scan.

Malwarebytes’ Anti-Malware 1.46
www.malwarebytes.org

Database version: 4076

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

5/8/2010 10:44:40 AM
mbam-log-2010-05-08 (10-44-40).txt

Scan type: Quick scan
Objects scanned: 125942
Time elapsed: 21 minute(s), 18 second(s) (long time)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 17
Registry Values Infected: 1
Registry Data Items Infected: 8
Folders Infected: 1
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\isecurity.mgr (Rouge.ISecurity) → Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\isecurity.mgr.1 (Rouge.ISecurity) → Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{a8311e8f-e459-4d22-89b4-cb9dcf10a425} (Rouge.ISecurity) → Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{3aa42713-5c1e-48e2-b432-d8bf420dd31d} (Rogue.AntiVirus2008) → Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{7d5dd829-6c90-42c5-b54c-2afa82f988ba} (Rogue.Installer) → Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{a8311e8f-e459-4d22-89b4-cb9dcf10a425} (Rouge.ISecurity) → Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{570ee2a3-039b-4e5f-ae6a-d7949f9d356b} (Trojan.BHO) → Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{098716a9-0310-4cbe-bd64-b790a9761158} (Trojan.FakeAlert) → Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\M5T8QL3YW3 (Trojan.FakeAlert) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\sshnas21_raschap (Worm.KoobFace) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\sshnas21_rastls (Worm.KoobFace) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\iSecurity (Rouge.ISecurity) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\TDSSdata (Trojan.Agent) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\TDSS (Trojan.Agent) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\TDSSserv.sys (Rootkit.TDSS) → Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\QZAIB7KITK (Trojan.FakeAlert) → Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\zip (Trojan.Clicker) → Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) → Bad: (1) Good: (0) → Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) → Bad: (1) Good: (0) → Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) → Bad: (1) Good: (0) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) → Bad: (1) Good: (0) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) → Bad: (1) Good: (0) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) → Bad: (1) Good: (0) → Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispBackgroundPage (Hijack.DisplayProperties) → Bad: (1) Good: (0) → Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispScrSavPage (Hijack.DisplayProperties) → Bad: (1) Good: (0) → Quarantined and deleted successfully.

Folders Infected:
C:\WINDOWS\system32\673351 (Trojan.BHO) → Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\Tasks\{8C3FDD81-7AE0-4605-A46A-2488B179F2A3}.job (Trojan.Downloader) → Quarantined and deleted successfully.
C:\WINDOWS\system32\delself.bat (Malware.Trace) → Quarantined and deleted successfully.
C:\WINDOWS\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job (Trojan.Downloader) → Quarantined and deleted successfully.
C:\WINDOWS\system32\TDSSfxwp.dll (Rootkit.TDSS) → Quarantined and deleted successfully.
C:\WINDOWS\system32\TDSSofxh.log (Rootkit.TDSS) → Quarantined and deleted successfully.
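A log like the one above carries three things worth checking mechanically rather than by eye: whether the per-section summary counts at the top match the itemised entries (a quick sanity check that the log is complete), whether every item actually reached "Quarantined and deleted successfully" rather than a pending action, and which entries explain the earlier blind spots (a Rootkit.* entry hides files and keys from scans run inside Windows; the Disabled.SecurityCenter data items are the *DisableNotify values that silenced the Security Center warnings about AV, firewall and updates). The parser below is an added example, not MBAM's own code or code from the thread; it understands the MBAM 1.4x text format as shown above, accepting either "->" or "→" as the arrow. The embedded input is a trimmed excerpt of the log above with the summary counts adjusted to match the excerpt, constructed here so the script runs offline.

```python
"""Parse a Malwarebytes' Anti-Malware 1.4x text log and triage it (added example)."""
import re
from collections import Counter

# "Registry Keys Infected: 17" (summary) or "Registry Keys Infected:" (itemised header)
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):(?: (?P<count>\d+))?$")
# "<item> (<family>) -> <action>"; data items carry "Bad: (1) Good: (0) -> <action>"
DETECTION_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[A-Za-z0-9.]+)\) (?:->|→) (?P<rest>.+)$")
ARROW_RE = re.compile(r"\s(?:->|→)\s")
CLEAN_ACTION = "Quarantined and deleted successfully."
# Families that explain why earlier in-Windows scans missed things or warnings were silenced.
TAMPER_FAMILIES = ("Rootkit.", "Disabled.SecurityCenter", "Hijack.")


def parse_mbam_log(text):
    """Return {'summary': {section: count}, 'detections': [{section, item, family, action}]}."""
    summary, detections, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            if m.group("count") is not None:
                summary[m.group("section")] = int(m.group("count"))
                section = None
            else:
                section = m.group("section")
            continue
        if not line or section is None or line.startswith("("):
            continue  # blank, outside a section, or "(No malicious items detected)"
        d = DETECTION_RE.match(line)
        if d:
            action = ARROW_RE.split(d.group("rest"))[-1]
            detections.append({"section": section, "item": d.group("item"),
                               "family": d.group("family"), "action": action})
    return {"summary": summary, "detections": detections}


def count_mismatches(parsed):
    """{section: (claimed, itemised)} for every section whose counts disagree."""
    actual = Counter(d["section"] for d in parsed["detections"])
    return {s: (n, actual.get(s, 0)) for s, n in parsed["summary"].items() if actual.get(s, 0) != n}


def pending(parsed):
    """Detections whose action is anything other than a completed removal."""
    return [d for d in parsed["detections"] if d["action"] != CLEAN_ACTION]


def tampering(parsed):
    """Detections that hid other malware from scans or silenced Security Center warnings."""
    return [d for d in parsed["detections"] if d["family"].startswith(TAMPER_FAMILIES)]


def family_counts(parsed):
    return Counter(d["family"] for d in parsed["detections"])


# Constructed excerpt of the log in the post above; counts adjusted to match the excerpt.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4076

Scan type: Quick scan

Memory Processes Infected: 0
Registry Keys Infected: 3
Registry Data Items Infected: 2
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\sshnas21_raschap (Worm.KoobFace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\TDSS (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\TDSSserv.sys (Rootkit.TDSS) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\delself.bat (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\TDSSfxwp.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.
"""

if __name__ == "__main__":
    parsed = parse_mbam_log(SAMPLE_LOG)
    print("count mismatches:", count_mismatches(parsed))
    print("pending actions:", [d["item"] for d in pending(parsed)])
    for d in tampering(parsed):
        print("tampering:", d["family"], d["item"])
```

Run it against a saved mbam-log-*.txt by reading the file into `parse_mbam_log` instead of `SAMPLE_LOG`; anything returned by `pending` needs a reboot and a rescan before the machine is considered clean, and a non-empty `tampering` list is the reason a follow-up boot-time scan is worth running even when the quick scan comes back empty.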

Upgraded from the free avast5 to the auto selection 1 year 50% off deal, which looks like it is internet security.

Looks like MBAM has cleaned some registry entries associated with the rogue security application it detected but didn't completely clear the registry entries. It has also restored the WSC settings so that it monitors your AV, firewall and Windows Update rather than not watching whether they are enabled and running.

The TDSS Rootkit would also have been trying to hide these other files that have been found and some scheduled tasks it created to run tasks.

So it looks like the combination have done a reasonable cleanout.

The boot-time scan creates a file here C:\Documents and Settings\All Users\Application Data\Alwil Software\Avast5\report\aswBoot.txt 

You should see the avast version you have at the top of the avastUI, see image example (free version).

How is your computer running now ?

Computer seems to be working OK. It seemed to come right after I found the SSHNAS service and disabled it (see first post). Then the avast 4.8 scan of windows32 found SSHNAS21.dll, and then the 4.8 boot scan found temp files etc…

I think I may know the file which started the problem. This is why I did a boot scan to start with on Wednesday. I was using "Process Explorer" and noticed a new program running after start up called Jdipya.exe. It was kept in C:\windows.

I don't know where it came from, so I went online to see if there was any info on the file - none. So I deleted it.
Then ran the first boot scan, but I'm guessing it was too late.

Thank you for all your help.

First I thought you were now using avast 5.0, which is why I posted that image?
It makes a big difference in any advice I give, what version you have installed.

Finding zero hits (except this topic) for a file in the Windows folder is suspect in my mind anyway.
You could also check the offending/suspect file at VirusTotal - Multi engine on-line virus scanner, and report the findings here (the URL in the address bar of the VT results page). You can't do this with the file securely in the chest; you need to extract it to a temporary (not original) location first.

I updated to Avast 5 after. Better protection. Luv Avast and (sigh) Advanced System Care Pro. lol

Greetings from New Zealand. Thank you very much again, you have been a great help.

No problem, glad I could help.