"8-steps" - Stuck on step 4, mbam - (msansspc.dll)

Status
Not open for further replies.
Hello,

Symantec Antivirus picked up the following on my laptop: C:\WINDOWS\system32\msansspc.dll.

After reviewing several posts in the TechSpot forums I attempted to follow the 8-step process prior to posting my logs.

I'm having difficulty with step 4, Malwarebytes' Anti-Malware. I get:

C:\WINDOWS\system32\msansspc.dll (Trojan.Agent) -> Delete on reboot.

When I click to proceed, it tries to reboot but comes to a black screen giving me choices to either boot normally, use last known good configuration or select one of the various safe modes. The problem I'm having is that the only way that I can reboot is by going back to the last known good configuration, which leaves the msansspc.dll untouched.

What have I overlooked that is keeping me in this loop?

Thank you.

FYI... When I turned on the computer this morning Symantec Auto-Protect was able to quarantine this. Over the past several days all it has done was leave it alone. I will reboot & re-run Malwarebytes to see if it's still showing up and post an update.
 
8-Steps completed & logs posted

I ran mbam and found nothing. Shortly afterwards Symantec picked something else up in another location & quarantined it.

Scan type: Auto-Protect Scan
Event: Threat Found!
Threat: Trojan Horse
File: C:\System Volume Information\_restore{15C55394-404E-413D-B2BB-38D4B54EED38}\RP1287\A0416846.dll
Location: Quarantine
Computer: LAPTOP
User: Patrick
Action taken: Quarantine succeeded : Access denied
Date found: Monday, December 01, 2008 11:16:33 AM


Then I ran SAS, updated Java & removed the old versions, then ran HJT.

The logs are attached.

Thanks!
 
File: C:\System Volume Information\
NOTE: this refers to the System Restore points. Do NOT use System Restore while cleaning; it will reinfect the system. 'Access denied' is because SR points are protected files and can't be removed by cleaning programs. When cleaning is finished, we will drop the old restore points and create a new, clean one.

Mbam shows you clean, but I'd like you to run it again. According to the time, you ran Mbam first then SAS, but SAS picked up some malware that should have been found by Malwarebytes. SAS shows you have about every Tracking Cookie available.
Have SAS remove these and all other malware findings. See the lower left image on this site for the box to check for removal (click on the image to enlarge): http://superantispyware.en.softonic.com/images

Reset Cookies:
Internet Explorer: Internet Options (through Tools or Control Panel) Privacy tab> Advanced button> CHECK 'override automatic Cookie handling'> CHECK 'accept first party Cookies'> CHECK 'Block third party Cookies'> CHECK 'allow per session Cookies'> Apply> OK

Firefox: Tools> Options> Privacy tab> Cookies section> CHECK 'accept Cookies from sites'> UNCHECK 'accept third party Cookies.'

Put the following add-ons on Firefox:
AdBlock Plus: https://addons.mozilla.org/en-US/firefox/addon/1865
Easy List: Filters for AdBlock Plus (get all three) http://easylist.adblockplus.org/
Update Java:
Your version of Java is now outdated. Java vulnerabilities are commonly exploited by viruses so I strongly recommend you update. Click here to download the latest version of Java (Java Runtime Environment (JRE) 6.0 Update 10): http://java.com/en/download/manual.jsp
Please install it and then reboot your computer.
Update Adobe:
Your Adobe Reader is out of date. Vulnerabilities can be exploited. Click here to download the latest version v9: https://www.techspot.com/downloads/2083-adobe-reader-dc.html
OR
Install the Foxit Reader: this does the same thing as Adobe, but doesn’t have the bloat: http://www.foxitsoftware.com/pdf/rd_intro.php
Re Adobe and Foxit: Both have free versions. They also have paid versions. Be sure to click on Free reader. No credit card is required.
Please re-open HiJackThis and scan. *Check* the boxes next to all the entries listed below.
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Uniblue\RegistryBooster\RegistryBooster.exe
C:\Program Files\BigFix\BigFix.exe >> (BigFix can automatically download and read technical support information. Should not be on Startup; a known resource hog)
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file) Microsoft Money
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2009] C:\Program Files\Uniblue\RegistryBooster\RegistryBooster.exe /S
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicro.com/spyware-scan/as4web.cab
O18 - Protocol: qbwc - {O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe- mscoree.dll (file missing)
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
Start> Run> msconfig> enter> Selective Startup> Startup tab> UNCHECK:
BigFix
Registry Booster
Viewpoint
Housecall
emachines
The only processes you NEED on Startup are the antivirus, firewall, touchpad for laptop and network process if on network. ALL else can be started manually when needed.

Start> Run> services.msc> right click> Properties on the following Services:
Viewpoint Manager Service > set Startup type to Disabled
Bonjour Service > set to Manual
Google Updater Service (gusvc) > set to Disabled
HP Port Resolver> set to Manual
HP Status Server> set to Manual
Ipod> set to Manual
Kodak> set to Manual
Control Panel> Add/Remove Programs> UNINSTALL any of the following:
All Viewpoint entries
All Java except the new update v7u10
All Adobe reader except the new v9

Stop Housecall from running: Open IE> Manage Add-ons> find the ActiveX entry for Housecall and disable it. You may have run the online scan at one time and it stays on the system until you remove it.

Reboot into Normal Mode. You will get a nag message which you can ignore after checking 'don't show this message again'. Stay in Selective Startup.

Please Run Malwarebytes again, then rescan with HijackThis. Attach logs for both.
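
A sketch of how the HijackThis entries listed in the reply above can be triaged programmatically, separating the boot-time items (the msconfig and services.msc steps) from entries whose target file is gone. This is an added example, not part of the original thread or of HijackThis; the function names are hypothetical and the sample lines are copied from the reply.

```python
import re

# HijackThis section codes that appear in the reply above.
SECTIONS = {
    "O2": "Browser Helper Object",
    "O4": "Autostart (Run key / Startup folder)",
    "O14": "IERESET.INF reset setting",
    "O16": "ActiveX object (Downloaded Program Files)",
    "O18": "Extra protocol handler",
    "O23": "Windows service",
}
ENTRY = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<kind>[^:]+):\s*(?P<body>.*)$")
ORPHAN = re.compile(r"\((?:no file|file missing)\)", re.IGNORECASE)
WIN_PATH = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll)", re.IGNORECASE)

# Sample input: lines copied from the reply above.
SAMPLE = r"""
C:\Program Files\Viewpoint\Common\ViewpointService.exe
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file) Microsoft Money
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2009] C:\Program Files\Uniblue\RegistryBooster\RegistryBooster.exe /S
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicro.com/spyware-scan/as4web.cab
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
"""

def parse_hjt(text):
    """Parse 'Onn - Kind: body' entries; running-process lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue
        path = WIN_PATH.search(m["body"])
        entries.append({
            "code": m["code"],
            "section": SECTIONS.get(m["code"], "unknown"),
            "kind": m["kind"].strip(),
            "path": path.group(0) if path else None,
            # Entry points at a target that no longer exists on disk.
            "orphan": bool(ORPHAN.search(m["body"])),
        })
    return entries

def autostart(entries):
    """Entries that load at boot/logon: the msconfig and services.msc items."""
    return [e for e in entries if e["code"] in ("O4", "O23")]

def orphans(entries):
    """Entries HijackThis marked '(no file)' or '(file missing)'."""
    return [e for e in entries if e["orphan"]]

if __name__ == "__main__":
    for e in parse_hjt(SAMPLE):
        flag = "ORPHAN " if e["orphan"] else ""
        print(f'{e["code"]:>3} {e["section"]}: {flag}{e["path"] or e["kind"]}')
```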
 