No internet access, no main workspace
A Trojan type program designated as a virus crawled in my System32 files and prevents me from using the internet while deleted or hid all the shortcuts and files I had on the opening screen. I can still use all other programs and access all files normally. The firewalls can't quarantine or delete it. Any suggestions other than formating? I didn't try to delete it manually because this is System32 we are talking about.
The name of the virus is Trojan.FakeAV!gen18 |
First off, using a different computer, obtain a copy of HijackThis and run it on your computer and paste the log here. Also, obtain a copy of Malwarebytes and do a scan to try and remove the Trjoan.
|
use a usb stick, put setup for malware programs on it and then install it from the usb, take out internet cord when doing so on the infected pc.
On usb stick install Malwarebytes, Combofix and Hijack this (can be run from the usb) do scan with hijack this, post in this topic then install and scan with malwarebytes (free anti malware scanner) then do a scan with Combofix (very important scanner will probably hit it right on the nail) post both logs here that come with those two programs after scanning and make a new hijack this scan and post that up as well afterward |
Ok the message I get on Symantec when I try to open firefox is this:
Scan type: Realtime Protection Scan Event: Virus Found! Virus name: Trojan.FakeAV!gen18 File: C:\WINDOWS\system32\sshnas21.dll Location: C:\WINDOWS\system32 Computer: ORION User: MULTIMEDIA-CENTER Action taken: Clean failed : Quarantine failed : Access denied Is this the reason I can't get in? Symantec does not let me? ---- I used HijackThis and got this log Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 3:32:19 μμ, on 25/3/2010 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE C:\WINDOWS\system32\cba\pds.exe C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE C:\WINDOWS\System32\svchost.exe C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe C:\WINDOWS\system32\nvsvc32.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\cba\xfr.exe C:\WINDOWS\system32\MsgSys.EXE C:\WINDOWS\system32\wscntfy.exe C:\WINDOWS\system32\WgaTray.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\RUNDLL32.EXE C:\WINDOWS\SOUNDMAN.EXE C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe C:\Program Files\HP\HP Software Update\HPWuSchd2.exe C:\Program Files\Canon\MyPrinter\BJMyPrt.exe C:\WINDOWS\system32\CTFMON.EXE C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe G:\Νέος φάκελος\HijackThis.exe R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://toolbar.ask.com/toolbarv/askR...5&gct=&gc=1&q= R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://toolbar.ask.com/toolbarv/askR...5&gct=&gc=1&q= R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.live.com/sphome.aspx R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://shell.windows.com/fileassoc/f...D=0408&Ext=dll R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Συνδέσεις O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file) O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll O2 - BHO: MegaIEMn - {bf00e119-21a3-4fd1-b178-3b8537e75c92} - D:\Χόμπι\Προγράμματα\MegaIEMn.dll O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe" O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon O4 - HKLM\..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE') O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user') O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe O8 - Extra context menu item: Ε&ξαγωγή στο Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll O9 - Extra button: Έρευνα - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: Έξυπνη επιλογή HP - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe O23 - Service: Canon Inkjet Printer/Scanner/Fax Extended Survey Program (IJPLMSVC) - Unknown owner - C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE O23 - Service: Intel File Transfer - Intel® Corporation - C:\WINDOWS\system32\cba\xfr.exe O23 - Service: Intel PDS - Intel® Corporation - C:\WINDOWS\system32\cba\pds.exe O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe -- End of file - 6986 bytes ----- I don’t see the file in question so I can delete it. ----- I am trying to use Mallware Bytes but the pc keeps saying runtime error "0". I can still run it normally on my laptop though. ------- I am making Live Update of Symantec AntiVirus and it works ok although I don't know if it accesses the internet to do that. It has found 2 Trojan FakeAv files at these adresses: C:\WINDOWS\msa.exe C:\System Volume Information\_restore{C4E2516C... AND A HUNDRED OTHER DIGITS... exe |
I suggest trying to boot into Safe Mode and try running Malware Bytes from there if it's not running. I find it pretty odd on why it wouldn't run on your computer...
Also, try deleting the trojan, sshnas21.dll in safe mode. |
It's possible that the trojan is detecting malware bytes. Try renaming mbam.exe in the Malware bytes folder to a random name and see what happens. Of course, any shortcut to it will no longer work, so you will have to make a new shortcut with the altered file name.
|
If you're on Xp, combofix might also be useful in this case.
|
Renaming the programs (malwarebytes and combofix) is a must, some trojans block out certain programs because of the program's name
Follow Archon_Wing's advice lastly if Malwarebytes cannot remove it then do a scan with Combofix, rename it of course they should pick up your virus that firefox gives out also, if not then it needs to be removed manually (it isn't anything windows-ish) together with some registry keys because if you remove it when you start windows it will probably complain that the .dll is gone while the commands to starts it at boot still remains Lastly, not sure if you did this already but leave the cord of internet out of your ' puter when you have it running cause trojans are nasty and you might get more unwanted crap downloaded on it while trying to fix it. First fix it then plug it back in edit: C:\WINDOWS\system32\RUNDLL32.EXE http://htlogs.com/what-is-sshnas21-d...-sshnas21-dll/ might be an unwanted part of your Virus name: Trojan.FakeAV!gen18 File: C:\WINDOWS\system32\sshnas21.dll problem |
Renamed the exe file and still nothing. It runs ok on my laptop but on my pc it is always runtime error 0 and 440.
I tried to dl combofix but the laptop can't dl it and cancels it all the time. I will try on another laptop and see how in goes. Edit: Success! Combofix dit it and now I have access again! ComboFix 10-03-26.02 - MULTIMEDIA-CENTER 27/03/2010 11:02:51.1.1 - x86 Microsoft Windows XP Professional 5.1.2600.2.1253.30.1032.18.511.168 [GMT 2:00] Running from: G:\ComboFix.exe ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . C:\data c:\program files\AskSearch\bin\DefaultSearch.dll c:\windows\Ινδιάνος .bmp c:\windows\system32\sshnas21.dll c:\windows\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job c:\windows\Tasks\{66BA574B-1E11-49b8-909C-8CC9E0E8E015}.job . ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) . -------\Legacy_SSHNAS -------\Service_SSHNAS |
All times are GMT -5. The time now is 17:57. |
Powered by vBulletin® Version 3.8.11
Copyright ©2000 - 2024, vBulletin Solutions Inc.