AnimeSuki Forums

Post #1, 2010-03-17 04:03
roriconfan
Banned
Join Date: Jul 2009
Location: Thessaloniki - Greece
No internet access, no main workspace

A Trojan-type program designated as a virus crawled into my System32 files and prevents me from using the internet, while it deleted or hid all the shortcuts and files I had on the opening screen. I can still use all other programs and access all files normally. The firewalls can't quarantine or delete it. Any suggestions other than formatting? I didn't try to delete it manually because this is System32 we are talking about.
The name of the virus is Trojan.FakeAV!gen18
Post #2, 2010-03-17 10:53
chikorita157
Hikikomori Idol
IT Support
Join Date: Feb 2009
Location: Pennsylvania , United States
Age: 34
First off, using a different computer, obtain a copy of HijackThis, run it on your computer and paste the log here. Also, obtain a copy of Malwarebytes and do a scan to try and remove the Trojan.
Post #3, 2010-03-18 01:54
-KarumA-
(。☉౪ ⊙。)
Author
Join Date: Jul 2004
Location: In Maya world, where all is 3D and everything crashes
Age: 36
Use a USB stick, put the setup files for the malware programs on it and then install them from the USB stick; unplug the internet cable when doing so on the infected PC.
On the USB stick put Malwarebytes, ComboFix and HijackThis (which can be run from the USB stick).

Do a scan with HijackThis and post it in this topic.
Then install and scan with Malwarebytes (free anti-malware scanner).
Then do a scan with ComboFix (very important; this scanner will probably hit it right on the nail).

Post both logs that those two programs produce after scanning here, and make a new HijackThis scan and post that up as well afterward.
Post #4, 2010-03-25 08:44
roriconfan
Banned
Join Date: Jul 2009
Location: Thessaloniki - Greece
OK, the message I get from Symantec when I try to open Firefox is this:
Scan type: Realtime Protection Scan
Event: Virus Found!
Virus name: Trojan.FakeAV!gen18
File: C:\WINDOWS\system32\sshnas21.dll
Location: C:\WINDOWS\system32
Computer: ORION
User: MULTIMEDIA-CENTER
Action taken: Clean failed : Quarantine failed : Access denied

Is this the reason I can't get in? Symantec does not let me?

----

I used HijackThis and got this log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:32:19 PM, on 25/3/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
C:\WINDOWS\system32\cba\pds.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\cba\xfr.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\WINDOWS\system32\CTFMON.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
G:\Νέος φάκελος\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://toolbar.ask.com/toolbarv/askR...5&gct=&gc=1&q=
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://toolbar.ask.com/toolbarv/askR...5&gct=&gc=1&q=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.live.com/sphome.aspx
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://shell.windows.com/fileassoc/f...D=0408&Ext=dll
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Συνδέσεις
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: MegaIEMn - {bf00e119-21a3-4fd1-b178-3b8537e75c92} - D:\Χόμπι\Προγράμματα\MegaIEMn.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: Ε&ξαγωγή στο Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Έρευνα - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Έξυπνη επιλογή HP - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Canon Inkjet Printer/Scanner/Fax Extended Survey Program (IJPLMSVC) - Unknown owner - C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
O23 - Service: Intel File Transfer - Intel® Corporation - C:\WINDOWS\system32\cba\xfr.exe
O23 - Service: Intel PDS - Intel® Corporation - C:\WINDOWS\system32\cba\pds.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe

--
End of file - 6986 bytes

-----

I don't see the file in question so that I can delete it.

-----

I am trying to use Malwarebytes but the PC keeps saying runtime error "0". I can still run it normally on my laptop though.

-------

I am running LiveUpdate for Symantec AntiVirus and it works OK, although I don't know if it accesses the internet to do that. It has found 2 Trojan.FakeAV files at these addresses:

C:\WINDOWS\msa.exe
C:\System Volume Information\_restore{C4E2516C... AND A HUNDRED OTHER DIGITS... exe

Last edited by roriconfan; 2010-03-25 at 09:28.
Post #5, 2010-03-25 10:45
chikorita157
Hikikomori Idol
IT Support
Join Date: Feb 2009
Location: Pennsylvania , United States
Age: 34
I suggest trying to boot into Safe Mode and running Malwarebytes from there if it's not running. I find it pretty odd that it wouldn't run on your computer...

Also, try deleting the trojan, sshnas21.dll, in Safe Mode.
Post #6, 2010-03-25 12:43
Archon_Wing
On a mission
Author
Join Date: Jul 2008
Location: Not here
Age: 40
It's possible that the trojan is detecting malware bytes. Try renaming mbam.exe in the Malware bytes folder to a random name and see what happens. Of course, any shortcut to it will no longer work, so you will have to make a new shortcut with the altered file name.
Post #7, 2010-03-25 17:29
tyranuus
Team Spice and Wolf UK
Join Date: Feb 2010
Location: England
Age: 36
If you're on XP, ComboFix might also be useful in this case.
Post #8, 2010-03-26 17:12
-KarumA-
(。☉౪ ⊙。)
Author
Join Date: Jul 2004
Location: In Maya world, where all is 3D and everything crashes
Age: 36
Renaming the programs (Malwarebytes and ComboFix) is a must; some trojans block certain programs because of the program's name.

Follow Archon_Wing's advice.

Lastly, if Malwarebytes cannot remove it, then do a scan with ComboFix (rename it, of course).

They should also pick up the virus that Firefox triggers. If not, it needs to be removed manually (it isn't anything Windows-related), together with some registry keys, because if you remove it, Windows will probably complain at startup that the .dll is gone while the commands to start it at boot still remain.
Lastly, not sure if you did this already, but leave the internet cable unplugged from your computer while you have it running, because trojans are nasty and you might get more unwanted crap downloaded onto it while trying to fix it. First fix it, then plug it back in.

Edit: C:\WINDOWS\system32\RUNDLL32.EXE (see http://htlogs.com/what-is-sshnas21-d...-sshnas21-dll/) might be an unwanted part of your "Virus name: Trojan.FakeAV!gen18 / File: C:\WINDOWS\system32\sshnas21.dll" problem.

Last edited by -KarumA-; 2010-03-26 at 17:23.
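The two things the thread keeps circling back to are the HijackThis log in post #4 (which entry is the odd one out?) and -KarumA-'s warning above that deleting the DLL alone leaves an autostart entry pointing at a file that no longer exists. The script below is an added example, not code from the thread, from HijackThis or from ComboFix: it parses a constructed excerpt of the posted log, resolves what each Run value actually loads (rundll32 entries load the DLL named in their argument, which is why the process list above shows only RUNDLL32.EXE), and reports entries that point at missing files, DLLs hiding behind rundll32, search URLs on an unexpected host, and services with no publisher string. The `[sshnas]` Run line, the `FILES_PRESENT` disk snapshot (the disk after sshnas21.dll was deleted) and the `EXPECTED_SEARCH_HOSTS` set are constructed assumptions; the heuristics are the editor's, not HijackThis's.

```python
"""Offline triage of a HijackThis log (added example, not HijackThis code)."""
import re
from pathlib import PureWindowsPath
from urllib.parse import urlparse

# Constructed excerpt of the log in post #4. The [sshnas] Run value is
# hypothetical: it stands for the leftover autostart -KarumA- describes
# once sshnas21.dll itself has been deleted.
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://toolbar.ask.com/toolbarv/askR...5&gct=&gc=1&q=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.live.com/sphome.aspx
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: MegaIEMn - {bf00e119-21a3-4fd1-b178-3b8537e75c92} - D:\Χόμπι\Προγράμματα\MegaIEMn.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [sshnas] RUNDLL32.EXE C:\WINDOWS\system32\sshnas21.dll,Start
O23 - Service: Canon Inkjet Printer/Scanner/Fax Extended Survey Program (IJPLMSVC) - Unknown owner - C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# Constructed snapshot of the disk after sshnas21.dll was deleted; stands in
# for os.path.exists() so the script also runs on a non-Windows host.
FILES_PRESENT = {
    r"C:\WINDOWS\system32\NvCpl.dll",
    r"C:\WINDOWS\system32\nwiz.exe",
    r"C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe",
    r"D:\Χόμπι\Προγράμματα\MegaIEMn.dll",
    r"C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE",
    r"C:\WINDOWS\system32\nvsvc32.exe",
}
_PRESENT = {f.lower() for f in FILES_PRESENT}          # Windows paths are case-insensitive
SEARCH_PATH = [r"C:\WINDOWS\system32", r"C:\WINDOWS"]   # where bare names like nwiz.exe resolve
EXPECTED_SEARCH_HOSTS = {"search.live.com"}             # assumption: the host the owner chose
SYSTEM_ROOTS = (r"c:\windows", r"c:\program files")     # lowercased prefixes of normal install dirs
LINE_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.*)$")
RUN_RE = re.compile(r"\[(?P<name>[^\]]+)\] (?P<cmd>.+)")


def file_exists(path):
    return path.lower() in _PRESENT


def resolve(path):
    """Absolute paths are checked as-is; bare names are looked up along SEARCH_PATH."""
    if PureWindowsPath(path).is_absolute():
        return path, file_exists(path)
    for d in SEARCH_PATH:
        cand = str(PureWindowsPath(d) / path)
        if file_exists(cand):
            return cand, True
    return path, False


def command_target(cmd):
    """Return (file the command really loads, loaded_via_rundll32).
    A rundll32 command's first argument is the DLL; that DLL is what to check."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.index('"', 1)
        exe, rest = cmd[1:end], cmd[end + 1:].strip()
    else:
        exe, _, rest = cmd.partition(" ")
    via_rundll = PureWindowsPath(exe).name.lower() == "rundll32.exe"
    if via_rundll:
        exe = rest.split(",", 1)[0].strip().strip('"')
    return exe, via_rundll


def triage(log_text):
    """Return a list of (code, subject, reason) for entries worth a second look."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        code, body = m.group("code"), m.group("body")
        if code in ("R0", "R1") and " = " in body:
            key, url = body.split(" = ", 1)
            host = urlparse(url).hostname or ""
            if host not in EXPECTED_SEARCH_HOSTS:
                findings.append((code, key, f"search URL points at {host}"))
        elif code == "O2":
            parts = body[len("BHO: "):].rsplit(" - ", 2)
            if len(parts) != 3:
                continue
            _name, clsid, path = parts
            if path == "(no file)" or not file_exists(path):
                findings.append((code, clsid, "BHO registered but file missing"))
            elif not path.lower().startswith(SYSTEM_ROOTS):
                findings.append((code, clsid, f"BHO loaded from unusual location {path}"))
        elif code == "O4":
            mm = RUN_RE.search(body)
            if not mm:
                continue
            target, via_rundll = command_target(mm.group("cmd"))
            resolved, present = resolve(target)
            if not present:
                findings.append((code, mm.group("name"),
                                 f"autostart references missing file {resolved}; remove the Run value too"))
            elif via_rundll:
                findings.append((code, mm.group("name"),
                                 f"DLL {resolved} runs inside rundll32.exe; verify it"))
        elif code == "O23":
            parts = body[len("Service: "):].rsplit(" - ", 2)
            if len(parts) == 3 and parts[1] == "Unknown owner":
                findings.append((code, parts[0], "service binary has no publisher string"))
    return findings


if __name__ == "__main__":
    for code, subject, reason in triage(SAMPLE_LOG):
        print(f"{code:4} {subject}: {reason}")
```

Not every flagged line is malware: the NvCpl entry is just a legitimate DLL that happens to run under rundll32, and a BHO on the D: drive may simply be something the owner installed. The point of the "missing file" class is the one -KarumA- makes: clear the Run value, scheduled task or service along with the file, otherwise Windows keeps trying to load a DLL that is no longer there.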
Post #9, 2010-03-26 19:40
roriconfan
Banned
Join Date: Jul 2009
Location: Thessaloniki - Greece
Renamed the exe file and still nothing. It runs OK on my laptop, but on my PC it is always runtime error 0 and 440.

I tried to download ComboFix but the laptop can't download it and cancels it all the time. I will try on another laptop and see how it goes.

Edit: Success! ComboFix did it and now I have access again!

ComboFix 10-03-26.02 - MULTIMEDIA-CENTER 27/03/2010 11:02:51.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1253.30.1032.18.511.168 [GMT 2:00]
Running from: G:\ComboFix.exe

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\data
c:\program files\AskSearch\bin\DefaultSearch.dll
c:\windows\Ινδιάνος .bmp
c:\windows\system32\sshnas21.dll
c:\windows\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job
c:\windows\Tasks\{66BA574B-1E11-49b8-909C-8CC9E0E8E015}.job

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_SSHNAS
-------\Service_SSHNAS

Last edited by roriconfan; 2010-03-27 at 07:53.
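The ComboFix output above lists the persistence set this sample used: the DLL in system32, two scheduled-task .job files, an SSHNAS service and its Legacy_ entry, plus the C:\WINDOWS\msa.exe that Symantec found earlier. A quick post-cleanup check of those exact points, as an added example that is not from the thread, from ComboFix or from Symantec: it assumes PowerShell is installed on the XP machine (it was a separate download for XP) and is run from an administrator account, and it assumes that ComboFix's Service_SSHNAS and Legacy_SSHNAS lines correspond to the usual HKLM\SYSTEM\CurrentControlSet\Services and Enum\Root registry keys of that name.

```powershell
# Post-cleanup check for the SSHNAS / FakeAV persistence points named in the
# ComboFix log above. Added example; assumes PowerShell on XP, run elevated.
$indicators = @(
    "$env:windir\system32\sshnas21.dll",
    "$env:windir\msa.exe",
    "$env:windir\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job",
    "$env:windir\Tasks\{66BA574B-1E11-49b8-909C-8CC9E0E8E015}.job",
    "HKLM:\SYSTEM\CurrentControlSet\Services\SSHNAS",          # assumed key for Service_SSHNAS
    "HKLM:\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SSHNAS"   # assumed key for Legacy_SSHNAS
)

$stillPresent = @()
foreach ($i in $indicators) {
    if (Test-Path -LiteralPath $i) { $stillPresent += $i }
}

# Run values that still reference the deleted DLL: the orphaned autostart
# -KarumA- warned about, which makes Windows complain at logon.
$runKeys = @(
    "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run",
    "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run"
)
foreach ($k in $runKeys) {
    if (-not (Test-Path -LiteralPath $k)) { continue }
    $props = Get-ItemProperty -LiteralPath $k
    foreach ($p in $props.PSObject.Properties) {
        if (($p.Value -is [string]) -and ($p.Value -match 'sshnas21\.dll')) {
            $stillPresent += "$k\$($p.Name) = $($p.Value)"
        }
    }
}

if ($stillPresent.Count -eq 0) {
    "No SSHNAS / FakeAV indicators found."
} else {
    "Still present:"
    $stillPresent
}
```

If anything in the Run-key section is still there after the DLL is gone, delete that value as well; leaving it is what produces the missing-DLL error at startup.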