sshnas.dll or sshnas21.dll is a component of trojan FakeAlert. The trojan come from malicious websites that ask users to download an Adobe Flash Player update or player needed to view a movie online. The filename of the trojan is flash-HQ-plugin. Once started, the trojan will download and install core components: c.exe, msa.exe and sshnas.dll (sshnas21.dll). When downloaded, it will be configured to start automatically when Windows starts. Trojan FakeAlert may display many popups and fake security alerts, hijack Internet Explorer, disable Windows Task Manager and Registry editor.Also it is usually installed in conjunction with a rogue antispyware programs.
If your computer is infected, then use these removal instructions below, which will remove sshnas.dll (sshnas21.dll) trojan and other components of trojan FakeAlert for free.
Symptoms in a HijackThis Log
O4 – HKCU\..\Run: [Videohost] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\c.exe
O4 – HKCU\..\Run: [SSHNAS] rundll32.exe C:\Windows\system32\sshnas.dll,DllWork
O4 – HKCU\..\Run: [LosAlamos] rundll32.exe C:\Windows\system32\sshnas.dll,AddConsoleAliasAW
O4 – HKCU\..\Run: [LosAlamos] rundll32.exe C:\Windows\system32\sshnas21.dll,AllocConsoleA
O4 – HKCU\..\Run: [Halo2] rundll32.exe C:\Users\username\AppData\Local\Temp\sshnas21.dll,GetMainWnd
Use the following instructions to remove sshnas.dll (sshnas21.dll) trojan and other components of trojan FakeAlert
Step 1.
Please download OTM by OldTimer from here and save it to desktop.
Run OTM. Copy, then paste the following text in “Paste Instructions for Items to be Moved” window (under the yellow bar):
:services
SSHNAS
:reg
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Videohost"=-
"SSHNAS"=-
"LosAlamos"=-
"Halo2"=-
:files
%windir%\msa.exe
%windir%\system32\sshnas.dll
%windir%\system32\sshnas21.dll
%windir%\Tasks\{66BA574B-1E11-49b8-909C-8CC9E0E8E015}.job
%windir%\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job
:Commands
[emptytemp]
[Reboot]
Click the red Moveit! button. When the tool is finished, it will produce a report for you. If you are asked to reboot the machine choose Yes.
Step 2.
Download MalwareBytes Anti-malware (MBAM). Once downloaded, close all programs and windows on your computer.
Double-click on the icon on your desktop named mbam-setup.exe. This will start the installation of MalwareBytes Anti-malware onto your computer. When the installation begins, keep following the prompts in order to continue with the installation process. Do not make any changes to default settings and when the program has finished installing, make sure a checkmark is placed next to “Update Malwarebytes’ Anti-Malware” and Launch “Malwarebytes’ Anti-Malware”. Then click Finish.
MalwareBytes Anti-malware will now automatically start and you will see a message stating that you should update the program before performing a scan. If an update is found, it will download and install the latest version.
As MalwareBytes Anti-malware will automatically update itself after the install, you can press the OK button to close that box and you will now be at the main menu. You will see window similar to the one below.
Malwarebytes Anti-Malware Window
Make sure the “Perform quick scan” option is selected and then click on the Scan button to start scanning your computer. This procedure can take some time, so please be patient.
When the scan is finished a message box will appear that it has completed scanning successfully. Click OK. Now click “Show Results”. You will see a list of infected items similar as shown below.
Note: list of infected items may be different than what is shown in the image below.
Malwarebytes Anti-malware, list of infected items
Make sure all entries have a checkmark at their far left and click “Remove Selected” button. MalwareBytes Anti-malware will now remove all of associated Trojan FakeAlert files and registry keys and add them to the programs’ quarantine. When MalwareBytes Anti-malware has finished removing the infection, a log will open in Notepad and you may be prompted to Restart.
Note: if you need help with the instructions, then post your questions in our Spyware Removal forum.
Trojan FakeAlert creates the following files and folders
C:\WINDOWS\Tasks\{66BA574B-1E11-49b8-909C-8CC9E0E8E015}.job
C:\WINDOWS\msa.exe
C:\WINDOWS\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job
%UserProfile%\Local Settings\temp\a.exe
%UserProfile%\Local Settings\temp\b.exe
%UserProfile%\Local Settings\temp\c.exe
C:\WINDOWS\system32\sshnas.dll
Trojan FakeAlert creates the following registry keys and values
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SSHNAS
HKEY_CURRENT_USER\SOFTWARE\XML
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sshnas
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sshnas
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Handle
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\videohost
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sshnas
Thank you. Very nice effort
Thank you very much. very helpful.
I LOVE YOU GUYS! YOU SAVED ME FROM REFORMATTING… AGAIN!.
hi….thanks so much…
thanks from albania 🙂
this tutor and program very usefull.. thanks
Tank u so much
in persian we say :
خیلی مردی، دمت گرم
when ever i run the malwarebytes C:\WINDOWS\Tasks\{8C3FDD81-7AE0-4605-A46A-2488B179F2A3}.job (Trojan.Downloader) -> Quarantined and deleted successfully. and HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully alway r infected each time i delete those file its always there right after i restart the computer no matter how much i use the malwarebytes those files are always there
linda, probably your PC infected with a hidden trojan that reinstall it. Please open a new topic in our Spyware removal forum. I will check your PC.
i dowloaded malwarebite’s anti-malware, but there are 2 runtime errors: ‘0’ and ‘440’. i got another anti-malware program, but i still get the error that sshnas21.dll can’t found. my pc is going nuts after some minutes!! HELP PLZ!!!
I cant down load malwarebytes or anything else that navagates away from your site. I ran the Hijackthis scan but I cant post the log anywhere to see which ones are bad because I cant access the internet. what should I do?
Im on a different comp now trying to find a way around av security suite. I was able to download hijackthis and run the scan but thats as far as Ive got.
jeroen, please follow the steps below:
Open notepad, copy/paste the text in the code box below into notepad:
regsvr32 "C:\Program Files\Malwarebytes' Anti-Malware\mbamext.dll"
regsvr32 "C:\Program Files\Malwarebytes' Anti-Malware\ssubtmr6.dll"
regsvr32 "C:\Program Files\Malwarebytes' Anti-Malware\vbalsgrid6.ocx"
Where “C” in the above text is your system disk name.
Save this as fix.bat to your Desktop. Remember to select Save as file type: All files in Notepad.
Double Click fix.bat.
Reboot your PC and try run Malwarebytes once again.
losinit, you have tried the steps.
thnx patrik, it works now
thanks for the great help. the iritating trojans are now long gone may you continue to update this site to help more people…
thanks dude!
bro thanks it help allot… ur the best.
hey guys, it really works!! thank you very much for saving my very annoying day.! thanx again and more power to you!!!
you are a genius!great it really works!hope to help more..thanks
This solution works! Thank you for your help. 🙂
thanks so much!
great!! it worked! so nice of u man!
Awesome man it worked and now my PC is fine no Trojans relly thanks BRO ….
Also thanks from me!
it help a lot..thanks..
I removed it using Malware, it said i had to reboot for it to fully remove some files, and now my computer is crashed.. -.-
all i get is the following message:
“Reboot and select proper boot device or insert boot media in selected boot device and press a key”
help?
Thank you very much!
Now everything is finally back to normal.:D
Kj0diz, looks like MBR secion of hard disk is damaged. You need use recovery console to repair it.
Very useful tip!