"8-steps" - Stuck on step 4, mbam - (msansspc.dll)

By Pmitch
Dec 1, 2008
Topic Status:
Not open for further replies.
  1. Hello,

    Symantec Antivirus picked up the following on my laptop: C:\WINDOWS\system32\msansspc.dll.

    After reviewing several posts in the TechSpot forums I attempted to follow the 8-step process prior to posting my logs.

    I'm having difficulty with step 4, Malwarebytes' Anti-Malware. I get:

    C:\WINDOWS\system32\msansspc.dll (Trojan.Agent) -> Delete on reboot.

    When I click to proceed, it tries to reboot but comes to a black screen giving me choices to either boot normally, use last known good configuration or select one of the various safe modes. The problem I'm having is that the only way that I can reboot is by going back to the last known good configuration, which leaves the msansspc.dll untouched.

    What have I overlooked that is keeping me in this loop?

    Thank you.

    FYI... When I turned on the computer this morning Symantec Auto-Protect was able to quarantine this. Over the past several days all it has done was leave it alone. I will reboot & re-run Malwarebytes to see if it's still showing up and post an update.
  2. Pmitch

    Pmitch Newcomer, in training Topic Starter

    8-Steps completed & logs posted

    I ran mbam and found nothing. Shortly afterwards Symantec picked something else up in another location & quarantined it.

    Scan type: Auto-Protect Scan
    Event: Threat Found!
    Threat: Trojan Horse
    File: C:\System Volume Information\_restore{15C55394-404E-413D-B2BB-38D4B54EED38}\RP1287\A0416846.dll
    Location: Quarantine
    Computer: LAPTOP
    User: Patrick
    Action taken: Quarantine succeeded : Access denied
    Date found: Monday, December 01, 2008 11:16:33 AM


    Then I ran SAS, updated Java & removed the old versions, then ran HJT.

    The logs are attached.

    Thanks!
  3. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    NOTE: this refers to the System Restore points. Do NOT use System restore while cleaning- it will reinfect the system. 'Access denied' is because SR points are protected files and can't be removed by cleaning programs. When cleaning is finished, we will drop the old restore points and create a new, clean one.

    Mbam shows you clean, but I'd like you to run it again. According to the time, you ran Mbam first then SAS, but SAS picked up some malware that should have been found by Malwarebytes. SAS shows you have about every Tracking Cookie available:
    Have SAS remove these and all other malware findings. See the lower left image on this site for box to check for removal- click on image to enlarge: http://superantispyware.en.softonic.com/images

    Reset Cookies:
    Internet Explorer: Internet Options (through Tools or Control Panel) Privacy tab> Advanced button> CHECK 'override automatic Cookie handling'> CHECK 'accept first party Cookies'> CHECK 'Block third party Cookies'> CHECK 'allow per session Cookies'> Apply> OK

    Firefox: Tools> Options> Privacy tab> Cookies section> CHECK 'accept Cookies from sites'> UNCHECK 'accept third party Cookies.'

    Put the following add-ons on Firefox:
    Update Java:
    Update Adobe:
    Re Adobe and FoxIT: Both have free versions. They also have paid versions. Be sure to click on Free reader. No credit card is required.
    Start> Run> msconfig> enter> Selective Startup> Startup tab> UNCHECK:
    The only processes you NEED on Startup are the antivirus, firewall, touchpad for laptop and network process if on network. ALL else can be started manually when needed.

    Start> Run> services.msc> right click> Properties on the following Services:
    Control Panel> Add/Remove Programs> UNINSTALL any of the following:
    All Viewpoint entries
    All Java except the new update v7u10
    All Adobe reader except the new v9

    Stop Housecall from running: Open IE> Manage add-ons> find the ActiveX entry for Housecall and disable it. You may have run the online scan at one time and it stays on the system until you remove it.

    Reboot into Normal Mode. You will get a nag message which you can ignore after checking 'don't show this message again'. Stay in Selective Startup.

    Please Run Malwarebytes again, then rescan with HijackThis. Attach logs for both.