
Win32 Nsanti


11 replies to this topic

#1 srichipan

srichipan

  • Members
  • 14 posts

Posted 25 February 2008 - 05:57 AM

I had searched the other posts regarding this, but I guess different computers have different files infected. Thus I am starting a new post here. I have installed AVG and it detected a Win32 NsAnti virus running on my computer. Please advise me on how to remove it. AVG and Norton had also detected other Trojan horse running on my computer but are unable to remove it.

Appreciate any help being offered


#2 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,597 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 25 February 2008 - 11:10 AM

"AVG and norton had also detected other trojan"

Are you using two anti-virus programs or is this AVG Anti-spyware that you are referring to? I ask because you should not be using two anti-virus programs on your system due to the conflicts that can result.

Did AVG provide a specific file name associated with this malware threat and, if so, where is it located (full file path) on your system?
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#3 srichipan


Posted 25 February 2008 - 10:03 PM

Ya.. I am using AVG 7.5 Antivirus and Norton Internet Security 2005. Should I delete one of the programs?

Both gave me the same virus alert
Object Name: C:\WINDOWS\system32\ssa.dll
Virus Name Trojan Horse

What should I do?

#4 quietman7


Posted 26 February 2008 - 09:36 AM

Use only one anti-virus. The primary concern with using more than one anti-virus program is due to conflicts that can arise when both are running in real-time mode simultaneously. Anti-virus software components insert themselves into the operating system's core and using more than one can cause instability, crash your computer, slow performance and waste system resources. When actively running in the background while connected to the Internet, they both may try to update their definition databases at the same time. As the programs compete for resources required to download the necessary files this often can result in sluggish system performance or unresponsive behavior.

Each anti-virus will often interpret the activity of the other as a virus and there is a greater chance of them alerting you to a "False Positive". If one finds a virus and then the other also finds the same virus, both programs will be competing over exclusive rights on dealing with that virus. Each anti-virus will attempt to remove the offending file and quarantine it. If one finds and quarantines the file before the other one does, then you encounter the problem of both wanting to scan each other's zipped or archived files and each reporting the other's quarantined contents. This can lead to a repetitive cycle of endless alerts that continually warn you that a virus has been found when that is not the case.

Anti-virus scanners use virus definitions to check for viruses and these can include a fragment of the virus code which may be recognised by other anti-virus programs as the virus itself. Because of this, most anti-virus programs encrypt their definitions so that they do not trigger a false alarm when scanned by other security programs. However, some anti-virus vendors do not encrypt their definitions and will trigger false alarms if used while another resident anti-virus program is active.

To avoid these problems, use only one anti-virus solution. Deciding which one to remove is your choice. Be aware that you may lose your subscription to that anti-virus program's virus definitions once you uninstall that software.

Most anti-virus vendors recommend that you install and run only one anti-virus program at a time:
Symantec's statement.
Avast's statement.
AVG's statement.
Dell Support advises the same for their systems.

Go to jotti's virusscan or virustotal.com. In the "File to upload & scan" box, click the "browse" button and locate the following file:
C:\WINDOWS\System32\ssa.dll <- this file
Click "Open", then click the "Submit" button.
Please copy the results and paste them in your next reply.

#5 srichipan


Posted 27 February 2008 - 12:25 AM

they give me this result.

0 bytes size received / Se ha recibido un archivo vacio

#6 srichipan


Posted 27 February 2008 - 12:28 AM

and this:

The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file

#7 quietman7


Posted 27 February 2008 - 09:11 AM

Please download OTMoveIt2 by OldTimer and save to your Desktop.
  • Double-click on OTMoveIt2.exe to launch the program.
  • Copy the file(s)/folder(s) paths listed below - highlight everything in the quote box and press CTRL+C or right-click and choose Copy.

C:\Windows\system32\ssa.dll

  • Return to OTMoveIt2, right-click in the open text box labeled "Paste List of Files/Folders to be Moved" (under the light blue bar) and choose Paste.
  • Click the red MoveIt! button.
  • The list will be processed and the results will be displayed in the right-hand pane.
  • Highlight everything in the Results window (under the green bar), press CTRL+C or right-click, choose Copy, right-click again and Paste it in your next reply.
  • Click Exit when done.
  • A log of the results is automatically created and saved to C:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log <- the date/time the tool was run.
-- Note: If a file or folder cannot be moved immediately you may be asked to reboot your computer in order to finish the move process. If asked to reboot, choose Yes. If not, reboot anyway.

Caution: Be careful of what you copy and paste with this tool. OTMoveIt is a powerful program, designed to move highly persistent files and folders. Not following the directions as instructed or using it incorrectly could lead to disastrous problems with your operating system.


Please download ATF Cleaner by Atribune & save it to your desktop. DO NOT use yet.
Please download and install SUPERAntiSpyware Free
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here and unzip into the program's folder.)
  • Under the "Configuration and Preferences", click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.

Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntiSpyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.


#8 srichipan


Posted 28 February 2008 - 01:42 AM

Result from OTMoveit2

LoadLibrary failed for C:\Windows\system32\ssa.dll
C:\Windows\system32\ssa.dll NOT unregistered.
C:\Windows\system32\ssa.dll moved successfully.

OTMoveIt2 v1.0.20 log created on 02282008_144017

#9 srichipan


Posted 28 February 2008 - 03:18 AM

I have scanned the computer as instructed by you. I have detected 9 files and have since removed them. It seems my problems are solved, as AVG does not give me any alerts anymore. Thanks for your help!!

I suspect my thumb drive spread the virus/spyware to my computer. Is there any way to confirm?

#10 quietman7


Posted 28 February 2008 - 11:11 AM

Now you should Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since this is a protected directory that your tools cannot access to delete these files, they can sometimes reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Start > Run and type: Cleanmgr
  • Click "Ok".
  • Click the "More Options" Tab.
  • Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.

Flash drive infections usually involve malware that loads an autorun.inf file into the root folder of all drives (internal, external, removable). When the removable media is inserted, autorun looks for autorun.inf and automatically executes another malicious file to run on your computer. When a flash drive becomes infected, the Trojan will infect a system when the removable media is inserted if autorun has not been disabled.

"Autorun" is the feature built into Windows that automatically runs a program specified by an "autorun.inf" file whenever a CD-ROM, DVD or USB drive is plugged into a Windows-based computer. Autorun is intended as a convenience to automatically start an installer when removable media is inserted into the computer.

Keeping Autorun enabled on USB and other removable drives has become a significant security risk due to the increasing number of malware variants that can infect them and transfer the infection to your computer. Read Danger USB! Worm targets removable memory sticks.

I recommend disabling the Autorun feature on USB and removable drives (especially an external drive used for backup) as a method of prevention.

The easiest way to disable Autorun on a specific drive is to download and use Tweak UI PowerToy.
  • After installation, launch Tweak UI, double-click on My Computer in the tree menu on the left, then click on AutoPlay > Drives. This will allow you to change the system settings for AutoPlay/autorun.
  • Uncheck the drives you want to disable AutoPlay on and click on Apply.
  • Next, click on the Types in the left tree. This allows you to control whether Autoplay is enabled for CD and DVD drives and removable drives. You may need to restart Tweak UI if it closes after step 2.
  • Uncheck the box to disable Autoplay for a particular type of drive.
  • Click Apply.
See "Disable Autorun/AutoPlay" for instructions with screenshots.
When Autorun is disabled, double-clicking a drive which has autorun.inf in its root directory may still activate Autorun so be careful.

Always scan USB Flash Drives after they have been used in other computer systems, even your own. An easy way to do this is to download "ClamWin Portable", install it on your USB Flash Drive, update its definition files and perform a scan.

Another prevention measure you can use is Symantec's NoScript utility. Scroll down to the section "How to disable (or re-enable) the Windows Scripting Host" to find the link and follow the instructions. NoScript will disable the Windows Scripting Host and prevent VBScripts from running on your machine until you run the utility again. Firefox also has a free NoScript Add-on for its browser.
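
Added example, not part of any post in this thread: to check whether a thumb drive carries the autorun.inf launcher described in post #10, this Python script lists every program that file would start, including the shell\verb\command entries that fire when the drive is double-clicked, and hashes each one for lookup or submission to a scanner. The function names and the sample file are constructed for illustration; open, shellexecute and shell\verb\command are the standard autorun.inf keys.

```python
import hashlib
import sys
from pathlib import Path

# Constructed sample (not from the thread); real droppers often add junk lines.
SAMPLE = r"""; constructed sample
jUnKlInE123
[AutoRun]
open=setup.exe
icon=folder.ico
shell\open\Command=tools\run.exe -q
shell\explore\command="my app.exe" /s
[other]
open=ignored.exe
"""

def autorun_targets(text):
    """Return (key, command) pairs in [autorun] that start a program."""
    targets, in_autorun = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        # Tolerate junk: a strict INI parser would reject lines without "=".
        if not in_autorun or line.startswith(";") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        key = key.lower()
        # shell\<verb>\command also runs when the drive icon is double-clicked.
        if key in ("open", "shellexecute") or (
            key.startswith("shell\\") and key.endswith("\\command")
        ):
            targets.append((key, value))
    return targets

def program_of(command):
    """Extract the program path from a command line, honouring quotes."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    return command.split(None, 1)[0] if command else ""

def triage_drive(root):
    """List each program the drive's autorun.inf would launch, with its hash."""
    root = Path(root)
    inf = next((p for p in root.iterdir() if p.name.lower() == "autorun.inf"), None)
    if inf is None:
        return []
    findings = []
    for key, command in autorun_targets(inf.read_text(errors="replace")):
        rel = program_of(command).replace("\\", "/").lstrip("/")
        path = root / rel
        digest = hashlib.sha256(path.read_bytes()).hexdigest() if path.is_file() else None
        findings.append({"key": key, "program": rel, "sha256": digest})
    return findings

if __name__ == "__main__":
    # Usage: python autorun_triage.py E:\   (drive letter is an example)
    for finding in triage_drive(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(finding)
```

A finding whose sha256 is None names a program that is not on the drive at that path; the file may have been removed already or may only be hidden from Explorer.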

#11 srichipan


Posted 29 February 2008 - 07:52 AM

Last question here. It seems that I am unable to view the hidden files on my computer. I tried to change the setting to "show hidden file", but the next moment it automatically changes itself to "do not show hidden file".

#12 quietman7


Posted 29 February 2008 - 08:22 AM

This step involves making changes in the registry. Always back up your registry before making any changes.

Go to Start > Run and type: regedit
  • Click OK.
  • On the left side, click to highlight My Computer at the top.
  • Go up to File > Export
    • Make sure in that window there is a tick next to "All" under Export Branch.
      Leave the "Save As Type" as "Registration Files".
      Under "Filename" put RegBackup.
  • Choose to save it to C:\
  • Click save and then go to File > Exit.
Or you can download and use ERUNT which is an excellent free tool that allows you to take a snapshot (backup) of your registry before making changes and restore it when needed.

Click on the link below:
http://www.kellys-korner-xp.com/xp_tweaks.htm
Scroll down to #368 and click "Folder Options/View Empty - Restore Now" in the left column. Go to File, choose "Save page as" All Files and save viewfolderrestore.reg to your desktop. Double-click on that file and choose "Yes" to merge it into the registry when prompted. Once you get a successful message delete the file and reboot.

If that does not work, download RatsCheddar.zip and save it to your desktop. It is a Policy Controller program written by Rathat to remove certain restrictions on XP systems often disabled by malware. This program was developed for Windows XP ONLY. Do not run this program in any other Operating System.
  • Extract (unzip) the file to the desktop. (Click here for information on how to do this if not sure.)
  • Double-click on RatsCheddar.exe to launch the tool.
  • Select Enable for everything listed, then click Exit.
  • Restart your computer.
