sshnas.dll -- Infection Problem

Tristicus

Diamond Member
Feb 2, 2008
Alright, so, a friend of the family mentioned he was having trouble with a PC. He said that Thursday something popped up telling him he was at risk, and instantly I knew it was a virus. He said he clicked cancel on everything, then shut down his PC, then when he rebooted it he installed updates (don't know if this is the correct order, and he said they were Windows updates, but eh...). Well, when he starts his PC up, dialog boxes for odd things were popping up asking for admin permission, as well as one saying sshnas.dll couldn't be found. The computer is also blocked from the internet.

I went in, deleted the files asking for permission, deleted temp files, ran AVG in safe mode (found nothing), went in the registry and deleted some stuff pertaining to the virus... but it still won't connect to the internet, and I still fear that the virus is still there (regardless of the internet problem).

I've loaded a flash drive with the following:
Super Anti Spyware
Hitman Pro
Microsoft Security Essentials
Hijack This
Malwarebytes' Anti-Malware
(The page from EliteKiller.com for reference... just thought I'd have it).

Should this stuff find it? I hate to admit it, but when it comes to viruses, I'm not a genius at removing them besides basic things, because I tend to rarely, more likely never, get them. This one also seems to plant itself deep.
 

Modelworks

Lifer
Feb 22, 2007
My usual way of dealing with a virus:

Download Process Hacker and install it
http://processhacker.sourceforge.net/

Reboot the PC in Safe Mode by pressing F8 before the Windows logo appears on startup.

Run Process Hacker and look at the process list. Look for anything with oddly spelled names like hs78swe3.exe, etc. Also look under Description for items that have no description. Most of the time malware doesn't show a description, so that is an easy way to spot it. If nothing looks suspicious, then start right-clicking on each process and picking Properties. Look at the image file name location to see if anything looks out of place; often viruses will place themselves in custom-created directories that are easily spotted.

If nothing is there, it could be a DLL file. Go to the Hacker menu, file handles or DLL option.
Type in dll and click Find.
That will show every DLL file that Windows has loaded and is using. Scan through them looking for anything suspicious, as before looking for oddly spelled names. Again, if you find something, right-click on it and check the properties.

Once you find the malware, either DLL or EXE, do not terminate or kill that process. That only makes the virus restart and re-infect. If it is an EXE file, then right-click on it and pick Suspend Process. That freezes the program from running code but also makes it where it stays in memory, so it doesn't try to start up again.

Now go to the directory that has the virus file and right-click on that file. Pick Properties, then the Security tab. Click Edit.

Under the options, start with Authenticated Users and set the permission for Read & Execute to Deny. Proceed down the list for each user.
What you have done is set the program's security level so that it cannot be run by anyone, not even the administrator. The virus is paused, so it cannot detect the change.

Go back to Process Hacker, right-click the process you suspended earlier and choose Terminate Process. That will close the virus, and if it tries to restart it will not be allowed to because of the permissions you set above. Now delete the virus EXE or DLL.

The last thing is to go to the hosts file located in windows\system32\drivers\etc and open it with Notepad; make sure there are no addresses in there except 127.0.0.1 for localhost. Some malware uses that to redirect to their sites.


This works for every virus I have ever found. It isn't as quick as an automated program but it works.
 
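The manual steps above (scanning the process list for images with no description or an odd location, the Read & Execute deny on the malware file, and the hosts-file check) as an added PowerShell example. This is not code from the thread or from Process Hacker; it assumes Windows PowerShell 5.1 or later run from an elevated prompt, the hosts content it reports on is constructed sample text, the name-pattern and path heuristics are mine, and the ACL function only reports what it would change unless `-Apply` is given.

```powershell
# Added example, not from the thread. Read-only checks plus a dry-run ACL step
# that mirror Modelworks' manual Process Hacker / Explorer / Notepad procedure.

# Directories where legitimately installed executables normally live (assumption).
$TrustedRoots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') + '\' }

function Find-SuspiciousProcess {
    # Flags running processes that match the post's heuristics: no file description,
    # image outside the Windows/Program Files trees, or a random-looking name
    # (letters-digits-letters, e.g. hs78swe3). Treat hits as a review list, not a verdict.
    Get-Process | ForEach-Object {
        $p = $_; $reasons = @(); $path = $null
        try { $path = $p.Path } catch { }      # protected/system processes deny access
        if (-not $path) {
            $reasons += 'image path unreadable (access denied or protected process)'
        } else {
            if (-not $p.Description) { $reasons += 'no file description' }
            $trusted = $false
            foreach ($root in $TrustedRoots) {
                if ($path.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) { $trusted = $true }
            }
            if (-not $trusted) { $reasons += "runs from $([System.IO.Path]::GetDirectoryName($path))" }
        }
        if ($p.Name -match '[a-z]\d+[a-z]') { $reasons += 'random-looking name' }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{ PID = $p.Id; Name = $p.Name; Path = $path; Reasons = ($reasons -join '; ') }
        }
    }
}

function Deny-ExecuteOnFile {
    # The post's 'Read & Execute -> Deny' step for Authenticated Users (SID S-1-5-11,
    # which covers every logged-on account, administrators included). The post repeats
    # this for each listed principal; do the same if other entries exist on the file.
    param([Parameter(Mandatory)][string]$Path, [switch]$Apply)
    $acl  = Get-Acl -Path $Path
    $sid  = New-Object System.Security.Principal.SecurityIdentifier -ArgumentList 'S-1-5-11'
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule `
                -ArgumentList @($sid, 'ReadAndExecute', 'Deny')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl -WhatIf:(-not $Apply)   # dry run unless -Apply
}

function Test-HostsFile {
    # Reports every active hosts entry that is not a loopback mapping for localhost:
    # a non-loopback address can redirect a site; a loopback mapping for any other
    # name is the trick used to block AV and update servers.
    param([string]$Path = "$env:SystemRoot\System32\drivers\etc\hosts", [string[]]$Content)
    if (-not $Content) { $Content = Get-Content -Path $Path }
    $lineNo = 0
    foreach ($line in $Content) {
        $lineNo++
        $text = ($line -replace '#.*$', '').Trim()          # drop comments and whitespace
        if (-not $text) { continue }
        $fields = $text -split '\s+'
        if ($fields.Count -lt 2) {
            [pscustomobject]@{ Line = $lineNo; Entry = $text; Reason = 'malformed entry' }; continue
        }
        $ip = $fields[0]; $names = $fields[1..($fields.Count - 1)]
        $isLoopback    = $ip -in @('127.0.0.1', '::1')
        $onlyLocalhost = @($names | Where-Object { $_ -notin @('localhost', 'localhost.localdomain') }).Count -eq 0
        if (-not ($isLoopback -and $onlyLocalhost)) {
            $reason = if ($isLoopback) { 'loopback mapping for a non-localhost name (blocks that site)' }
                      else             { 'non-loopback address (possible redirect)' }
            [pscustomobject]@{ Line = $lineNo; Entry = $text; Reason = $reason }
        }
    }
}

# Constructed sample hosts content (not from the thread) showing both bad patterns.
$SampleHosts = @'
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1       update.example-av.test     # constructed: blocks an AV updater
203.0.113.9     www.example-bank.test      # constructed: redirects a site elsewhere
'@ -split "`r?`n"

Test-HostsFile -Content $SampleHosts | Format-Table -AutoSize   # reports lines 4 and 5
# Live checks; review the output by hand before touching anything:
# Find-SuspiciousProcess | Format-Table -AutoSize
# Deny-ExecuteOnFile -Path 'C:\path\to\suspect.exe'          # add -Apply to set the deny
```

Run the two report functions first and compare the hits against what Process Hacker shows; `Deny-ExecuteOnFile` follows the post's ordering (suspend, deny, terminate, delete) and defaults to a `-WhatIf` dry run so a typo in the path cannot lock out a legitimate program.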

TJCS

Senior member
Nov 3, 2009
When a machine has been compromised to this degree, the only option should be a clean reinstall. If your friend didn't back up his data, then do an in-depth scan using your AV and SUPERAntiSpyware to check for possible infections before you extract them.

You never know what other "updates" have been installed on his machine, and if your friend is using that PC for financial and other important things then... good luck :hmm: