Author Topic: msa.exe & sshnas.dll Virus removal.  (Read 5515 times)

kitz

  • Administrator
  • Senior Kitizen
  • *
  • Posts: 33913
  • Trinity: Most guys do.
    • http://www.kitz.co.uk
msa.exe & sshnas.dll Virus removal.
« on: January 03, 2010, 06:54:15 AM »

Posting this here in the hope that it will help someone in future.
Manually fixed a PC that was infected with fake advice that the computer is infected with viruses. In fact the virus was the program itself which was telling the user they needed to pay £x to clean up their PC from non-existent malware.

I did a bit of research and whilst it is known that msa.exe is a fake virus and it says it should be simple to remove by simply deleting the file... this was not the case in this instance and it was using several associated files to automatically re-propagate itself. Scanning with usual AV stuff didn't throw anything up and whilst msa.exe is supposedly easy to remove it will keep coming back.

One of the associated files was sshnas.dll - itself another known fake virus file and will be caught & identified by HJT, but if you simply remove this file then you will get an error on next reboot saying "error loading C:/Windows/system32/sshnas.dll"


Once I'd found all the associated re-propagation files it's actually quite easy to remove.

You will need to start the PC in safe mode as one or some of the files will be running in the background and it won't let you fully remove it.
In this particular instance the running process was c.exe - I actually killed it in process manager using unlocker assistant, but otherwise make sure you go into safe mode.

I list below the bad files and their locations which need removing.

sshnas.dll - C:\Windows\system32\sshnas.dll
msa.exe - C:\Windows\msa.exe

a.exe - C:\Documents and Settings\user\Local Settings\temp\a.exe
a.dat - C:\Documents and Settings\user\Local Settings\temp\a.dat
b.exe - C:\Documents and Settings\user\Local Settings\temp\b.exe
c.exe - C:\Documents and Settings\user\Local Settings\temp\c.exe
d.exe - C:\Documents and Settings\user\Local Settings\temp\d.exe

Then to tidy up... Clean out your prefetch files in particular :-

A.EXE-NumberString - C:\Windows\Prefetch\
B.EXE-NumberString - C:\Windows\Prefetch\
C.EXE-NumberString - C:\Windows\Prefetch\
D.EXE-NumberString - C:\Windows\Prefetch\
MSA.EXE-NumberString - C:\Windows\Prefetch\
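
Added example, not part of the original post: a read-only Python check that reports which of the files listed above are still present after a clean-up, so you can confirm nothing has re-propagated. The function name, the `root` parameter, scanning every profile under `Documents and Settings` rather than only `user`, and the `.pf` extension on prefetch entries are assumptions of this example; it deletes nothing.

```python
"""Read-only check for the leftover files named in the post above."""
import sys
from pathlib import Path

# Fixed locations from the post, relative to the system drive.
SYSTEM_FILES = ["Windows/system32/sshnas.dll", "Windows/msa.exe"]
# Files the post found in the user's temp folder.
TEMP_FILES = ["a.exe", "a.dat", "b.exe", "c.exe", "d.exe"]
# Prefetch entries from the post; Windows names them NAME.EXE-<hash>.pf
PREFETCH_PREFIXES = ("A.EXE-", "B.EXE-", "C.EXE-", "D.EXE-", "MSA.EXE-")


def find_leftovers(root):
    """Return sorted paths (relative to root) of listed files that exist."""
    root = Path(root)
    hits = [root / rel for rel in SYSTEM_FILES if (root / rel).is_file()]

    # Assumption: check every profile, not only the one named "user".
    profiles = root / "Documents and Settings"
    if profiles.is_dir():
        for profile in profiles.iterdir():
            temp = profile / "Local Settings" / "temp"
            hits += [temp / n for n in TEMP_FILES if (temp / n).is_file()]

    # Prefetch names are matched case-insensitively on prefix and extension.
    prefetch = root / "Windows" / "Prefetch"
    if prefetch.is_dir():
        for entry in prefetch.iterdir():
            name = entry.name.upper()
            if name.endswith(".PF") and name.startswith(PREFETCH_PREFIXES):
                hits.append(entry)

    return sorted(p.relative_to(root).as_posix() for p in hits)


if __name__ == "__main__":
    # Default to the live system drive; pass another root to check a copy.
    found = find_leftovers(sys.argv[1] if len(sys.argv) > 1 else "C:/")
    for path in found:
        print("still present:", path)
    sys.exit(1 if found else 0)
```

Run it once after the clean-up and again after a normal reboot; a non-zero exit code means at least one of the listed files is back.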

camallison

  • Kitizen
  • ****
  • Posts: 1357
Re: msa.exe & sshnas.dll Virus removal.
« Reply #1 on: January 03, 2010, 12:12:02 PM »

Thanks for that advice, and a Happy New Year.

Had 2 PCs die on me over the festive period - motherboards just gave up the ghost.  When I checked on the build date of the chassis in each case, it was way back in 1998!!!  Can't complain can I?  They were just rattling along doing mundane logging tasks and every now and then spitting out full logs (that had been interpreted) to a remote server.

I have a full image backup of the hard drives, and will transfer to new ones - luckily they hadn't died too.  Will rebuild into a new Novatech barebones base unit - they have always served me well.

1998!  I bet the current crop of PCs don't last that long.  Anyone got an older PC still running?

Colin

BritBrat

  • Kitizen
  • ****
  • Posts: 1359
Re: msa.exe & sshnas.dll Virus removal.
« Reply #2 on: January 03, 2010, 02:21:22 PM »

 I actually killed it in process manager using unlocker assistant, but otherwise make sure you go into safe mode.


What is unlocker assistant?

Not this is it: Unlocker 1.8.7



tuftedduck

  • Senior Kitizen
  • ******
  • Posts: 29658
  • Router Luvvin Duck
Re: msa.exe & sshnas.dll Virus removal.
« Reply #3 on: January 03, 2010, 02:37:42 PM »

 I actually killed it in process manager using unlocker assistant, but otherwise make sure you go into safe mode.


What is unlocker assistant?

Not this is it: Unlocker 1.8.7

Yes, but the version I have is 1.8.8

BritBrat

  • Kitizen
  • ****
  • Posts: 1359
Re: msa.exe & sshnas.dll Virus removal.
« Reply #4 on: January 03, 2010, 07:56:41 PM »

That version is still infected but 1.8.6 is OK.

You can get older versions here:
http://www.filehippo.com/download_unlocker/ Look on RH side of page.
« Last Edit: January 03, 2010, 08:02:01 PM by BritBrat »