sshnas.dll or sshnas21.dll is a component of trojan FakeAlert. The trojan come from malicious websites that ask users to download an Adobe Flash Player update or player needed to view a movie online. The filename of the trojan is flash-HQ-plugin. Once started, the trojan will download and install core components: c.exe, msa.exe and sshnas.dll (sshnas21.dll). When downloaded, it will be configured to start automatically when Windows starts. Trojan FakeAlert may display many popups and fake security alerts, hijack Internet Explorer, disable Windows Task Manager and Registry editor.Also it is usually installed in conjunction with a rogue antispyware programs.
If your computer is infected, then use these removal instructions below, which will remove sshnas.dll (sshnas21.dll) trojan and other components of trojan FakeAlert for free.
Symptoms in a HijackThis Log
O4 – HKCU\..\Run: [Videohost] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\c.exe
O4 – HKCU\..\Run: [SSHNAS] rundll32.exe C:\Windows\system32\sshnas.dll,DllWork
O4 – HKCU\..\Run: [LosAlamos] rundll32.exe C:\Windows\system32\sshnas.dll,AddConsoleAliasAW
O4 – HKCU\..\Run: [LosAlamos] rundll32.exe C:\Windows\system32\sshnas21.dll,AllocConsoleA
O4 – HKCU\..\Run: [Halo2] rundll32.exe C:\Users\username\AppData\Local\Temp\sshnas21.dll,GetMainWnd
Use the following instructions to remove sshnas.dll (sshnas21.dll) trojan and other components of trojan FakeAlert
Step 1.
Please download OTM by OldTimer from here and save it to desktop.
Run OTM. Copy, then paste the following text in “Paste Instructions for Items to be Moved” window (under the yellow bar):
:services
SSHNAS
:reg
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Videohost"=-
"SSHNAS"=-
"LosAlamos"=-
"Halo2"=-
:files
%windir%\msa.exe
%windir%\system32\sshnas.dll
%windir%\system32\sshnas21.dll
%windir%\Tasks\{66BA574B-1E11-49b8-909C-8CC9E0E8E015}.job
%windir%\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job
:Commands
[emptytemp]
[Reboot]
Click the red Moveit! button. When the tool is finished, it will produce a report for you. If you are asked to reboot the machine choose Yes.
Step 2.
Download MalwareBytes Anti-malware (MBAM). Once downloaded, close all programs and windows on your computer.
Double-click on the icon on your desktop named mbam-setup.exe. This will start the installation of MalwareBytes Anti-malware onto your computer. When the installation begins, keep following the prompts in order to continue with the installation process. Do not make any changes to default settings and when the program has finished installing, make sure a checkmark is placed next to “Update Malwarebytes’ Anti-Malware” and Launch “Malwarebytes’ Anti-Malware”. Then click Finish.
MalwareBytes Anti-malware will now automatically start and you will see a message stating that you should update the program before performing a scan. If an update is found, it will download and install the latest version.
As MalwareBytes Anti-malware will automatically update itself after the install, you can press the OK button to close that box and you will now be at the main menu. You will see window similar to the one below.
Malwarebytes Anti-Malware Window
Make sure the “Perform quick scan” option is selected and then click on the Scan button to start scanning your computer. This procedure can take some time, so please be patient.
When the scan is finished a message box will appear that it has completed scanning successfully. Click OK. Now click “Show Results”. You will see a list of infected items similar as shown below.
Note: list of infected items may be different than what is shown in the image below.
Malwarebytes Anti-malware, list of infected items
Make sure all entries have a checkmark at their far left and click “Remove Selected” button. MalwareBytes Anti-malware will now remove all of associated Trojan FakeAlert files and registry keys and add them to the programs’ quarantine. When MalwareBytes Anti-malware has finished removing the infection, a log will open in Notepad and you may be prompted to Restart.
Note: if you need help with the instructions, then post your questions in our Spyware Removal forum.
Trojan FakeAlert creates the following files and folders
C:\WINDOWS\Tasks\{66BA574B-1E11-49b8-909C-8CC9E0E8E015}.job
C:\WINDOWS\msa.exe
C:\WINDOWS\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job
%UserProfile%\Local Settings\temp\a.exe
%UserProfile%\Local Settings\temp\b.exe
%UserProfile%\Local Settings\temp\c.exe
C:\WINDOWS\system32\sshnas.dll
Trojan FakeAlert creates the following registry keys and values
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SSHNAS
HKEY_CURRENT_USER\SOFTWARE\XML
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sshnas
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sshnas
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Handle
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\videohost
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sshnas
exelente ajuda, foi o unico site, dentre varios foruns que pesquisei por horas, que resouveu meu problema. objetivo e eficaz. parabens
Wonderfull. Thaks a lot
Done! 🙂
Thank you very much for your help.
This is an excellent tool. Cleaned and no fake alerts.
Thank you very much.
Thanks for the help. In my case, NIS “stopped” part of the infection but i`ve got a pop-up saying something about “system32 can`t find sshnas.dll” or something like that. I just run malware bytes, as you said, and everything is gone away. Thanks again.
thank you so much man. as soon as i upgraded to windows 7 on monday i had this problem but now its completly gone.
thank you very much for your eforts
This is the only thing that worked. Thanks!
Thank you so much for the help… I ran MBAM without using OTM and it did not take care of the problem… Running OTM then MBAM did take care of the problem. Thank you for these instructions, just wish people that create these things would find something better to do with their time.
I ran the OTM and then clicked yes when prompted to re-boot my computer
However, when it re-booted all i have now is a black screen with the mouse pointer
what’s happened?? and how can i fic this, at least with a trojan i could use my computer.
SORRY for the last post, computer is back up and running and hopefully trojan free although it did say it could not lcate the sshnas.dll file but THANKS
John, try run Malwarebytes Anti-malware again and perform a full scan. If it does not help you, then ask for help in our Spyware removal forum.
Thanks! it works!
Hi there!
I followed the instructions and it seems to have worked. At least, afetr startup no files like a.exe or b.exe etc. are running. Anyhow my system is now saying that he can’t find the sshnas.dll file. I looked up for it in msconfig, but there is no entry. how can i avoid the message prompting me on startup or when I end Windows?
Thanks!
Me again! After a FULL SCAN of Malwarebytes Anti-malware everything works fine again (like Patrik’s advice in the last post here). Thanks very much to that guy who wrote this article. YOU MADE MY DAY 🙂
Thanks dear it really worked
Thanks man this is great stuff!!!
Thanks. That was great info.
Just a suggestion, include a warning that the [emptytemp] command for the OTM deletes anything in a temp directory, ANYWHERE. Had a temp directory in a subdirectory on my desktop and it cleared out about 300 MB of work… I tend to drop things into a temp directory while I’m actively working on them.
Jason, is not right idea – store important files in Temp folder.
This works! It booted with no problems! No sshnas.dll issues! Thank you for your advice and spoon feeding this to the public like me who was just about to reformat the whole operating system!
You are a champion! Took forever, and multiple computers (because my downloading was knocked out by this .dll) and about 30 restarts in all thanks to this little bug crashing me with every 2nd task i tried to complete, BUT this saved my ass. Thank you so much 🙂
I was impressed with the instructions but still have the message
“C:Users\XXX\AppData\Local\Temp\sshnas.dll
Invalid access to memory location”
at start up everytime. I removed a program I found but it still runs?
What am I doing wrong? I thought I had really good protection with Symantec Endpoint and then followed all of your instructions.
Thanks allot … it really worked out for me ..
stress’s Gone Phew !
hehe.. Thanks so much..
I’ve followed these steps and nothing hapened. My issue is still there. I have a black screen at boot and a error message at boot, saying sshnas.dll cannot be found. What can I do next? Please advise.
Thanks.
Excelente, MUCHAS GRACIAS.
Fue necesario realizar los Pasos 1 y 2
SJ Smith, please open a new topic in our Spyware removal forum. I will help you.
Catalin, if the instructions above does not help you, then ask for help in our Spyware removal forum.
hi,
when i run OTM it start deleting the temp files, but when it was going to finish suddely stop working and i had to close the program…. and my computer restart automaticaly…
i dont know if it work..
thanks
super
thanks