Msansspc.dll problem with attached logs

By tharimrattler
Nov 29, 2008
Topic Status:
Not open for further replies.
  1. This is the main file that cannot be removed with my antivirus software. After doing the 8 step virus removal instructions, I can now click on search results in Google (previously it was being redirected). I noticed my PC is generally operating quicker and more efficiently after running all those scans and updating Java. Any help is greatly appreciated.

  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    You have a seriously infected system- Vundo, AntivirusXp 2009 and a Rootkit. Some has been removed, but you will need to turn off the Real Time Monitoring and run the programs again.

    Please see this for instructions:
    Temporarily Disable Real Time Monitoring Programs:
    http://wiki.castlecops.com/Malware_Removal:_Temporarily_Disable_Real_Time_Monitoring_Programs
    * 1 Spybot S&D (Teatimer)
    * 2 Ad-Aware Ad-Watch
    * 3 Spywareguard
    * 4 Windows Defender
    * 5 TrojanHunter Guard
    * 6 Disable SpySweeper
    * 7 WinPatrol
    * 8 CounterSpy
    * 9 AVG Anti-Spyware (formerly ewido)
    * 10 Spyware Doctor
    * 11 Prevx
    * 12 ProcessGuard
    * 13 ZoneAlarm's OS Firewall
    * 14 Ad-Aware 2007 Service
  3. tharimrattler

    tharimrattler Newcomer, in training Topic Starter Posts: 17

    Thanks for the reply. I did what you said and got some new logs to post up. What are my options at this point?
  4. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    The Rootkit TDSServ is still showing in SAS, but Mbam and HijackThis are clean.
    Let's follow this to remove:

    ***NOTE: Path for #7 & #8:
    Right click on Start> Explore> Windows > System32

    #9: SD FIX- what it does: http://www.bleepingcomputer.com/forums/topic131299.html
    #9: ComboFix:
    Rescan with HijackThis and attach logs from SDFix, ComboFix and HijackThis.
  5. tharimrattler

    tharimrattler Newcomer, in training Topic Starter Posts: 17

    I appreciate your continued help to me. Thank you.

    I followed your instructions and have new logs. I look forward to your response.
  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    You did very well! Five posts and it looks to me like you're clean as a whistle!

    Did you look at the logs to see what was found and removed?

    Please give me system status. If running well, we can remove the cleaning tools and restore points.
  7. tharimrattler

    tharimrattler Newcomer, in training Topic Starter Posts: 17

    OS Name Microsoft Windows XP Professional
    Version 5.1.2600 Service Pack 2 Build 2600
    OS Manufacturer Microsoft Corporation
    System Name T42
    System Manufacturer IBM
    System Model 2374JU4
    System Type X86-based PC
    Processor x86 Family 6 Model 13 Stepping 6 GenuineIntel ~1694 Mhz
    BIOS Version/Date IBM 1RETDRWW (3.23 ), 6/18/2007
    SMBIOS Version 2.33
    Windows Directory C:\WINDOWS
    System Directory C:\WINDOWS\system32
    Boot Device \Device\HarddiskVolume1
    Locale United States
    Hardware Abstraction Layer Version = "5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)"
    User Name T42\mboatright
    Time Zone Pacific Standard Time
    Total Physical Memory 768.00 MB
    Available Physical Memory 317.16 MB
    Total Virtual Memory 2.00 GB
    Available Virtual Memory 1.96 GB
    Page File Space 1.46 GB
    Page File C:\pagefile.sys
  8. kimsland

    kimsland Ex-TechSpotter Posts: 18,353

    Please put your System Specs information in your Profile <==

    Otherwise you will need to paste them in on every new thread you make!
  9. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    No, I'm sorry- you misunderstood. When I ask for system status, I want you to tell me how the computer is running and if original problems have been resolved!

    No upload needed- just a few words.
  10. tharimrattler

    tharimrattler Newcomer, in training Topic Starter Posts: 17

    Everything seems to be working fine, no problems that I can tell. Thanks a lot for all your help! =)
  11. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    You're welcome. Please let us know if you need more help.
     
  12. tharimrattler

    tharimrattler Newcomer, in training Topic Starter Posts: 17

    I have a couple more questions.

    When I turned Spybot TeaTimer back on, it prompted me to allow or deny several changes. Is this because of all the scans I ran, and changes those scans made? Also, I ran an Avast virus scan and there are several files that cannot be scanned because access is denied. What can I do here?
  13. kimsland

    kimsland Ex-TechSpotter Posts: 18,353

    This is the issue with Spybot S&D.
    When a message pops up saying allow or deny from the program's Tea Timer (resident protection), a user must try to learn or search for what the issue is in relation to, on the spot!

    In most cases these are highly technical areas that normal users just can't handle.
    But to confirm which way you should go (allow or deny) you really need to do this on each individual popup, i.e. Bobbye cannot advise you if it's OK or not without knowing what the single Allow\Deny message is about.

    Not only that, but you may get tens or hundreds of these popups from Spybot S&D all the time. It would literally take hours, if not days, to know them all, and then apply your answer correctly.

    Therefore Spybot S&D may not actually be ideal for the standard Windows user,
    i.e. they may "Allow" when they should have "Denied".
    Personally I say, if you're unsure, just uninstall Spybot S&D.


    As for Antivirus not scanning some files (in use) that's ok :)
  14. tharimrattler

    tharimrattler Newcomer, in training Topic Starter Posts: 17

    Thanks for the reply.

    For a Firewall, would you recommend Comodo or Zone Alarm for me?

    Also, when I install either of those, should I turn off my windows firewall?
  15. Kazi

    Kazi Newcomer, in training Posts: 112

    They automatically turn Windows Firewall off for you.

    ZoneAlarm and Comodo are kinda different but work the same.

    ZoneAlarm is an application-based firewall.

    Comodo is a rule-based firewall.

    From people, they say Comodo is lighter on the system than ZoneAlarm.
    They also say using Comodo is easier once you get the hang of it.

    It is however up to you.

    ZoneAlarm is easier to config.
  16. tharimrattler

    tharimrattler Newcomer, in training Topic Starter Posts: 17

    I went with your advice with uninstalling Spybot. When I uninstalled it, however, I noticed I could not connect to someone in an online game I frequent. I reinstalled Spybot and now it works again. Is there any way to completely get rid of Spybot and everything that comes with it?
  17. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Running Spybot when you need it is okay. I would just leave Tea Timer disabled. Any Real Time alert feature can be very confusing to deal with.

    Spybot S&D (Teatimer)

    I had the AdAware SE paid for several years. That version had a Registry alert, AdWatch. Every time there was any change to the Registry, it popped up. Just about anything we do makes a change to the registry, so I ended up disabling AdWatch!
  18. tharimrattler

    tharimrattler Newcomer, in training Topic Starter Posts: 17

    Just a little update:

    I'm doing good now! I feel like everything is secure now, but would it be safe for me to access things like my banking account online? Is there a possibility that something is creeping in the background waiting to access my info?
  19. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Your system should be clean. If you would like to run one more HijackThis scan I'll check it for you. If clean we can remove the cleaning programs and old restore points.
  20. tharimrattler

    tharimrattler Newcomer, in training Topic Starter Posts: 17

    New HJT attachment.

    When I tried removing Spybot S&D it would not let me connect in a certain program, so I am wary of removing things, unless I did something wrong. I had to reinstall Spybot to connect in this program.
  21. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    I don't know why Spybot S&D needs to be installed to connect to "certain programs." What programs are you referring to?

    You still have parts remaining for Symantec/Norton as follows:
    Download and Save the Norton removal Tool to the desktop:
    http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2005033108162039

    Once you have downloaded the removal tool, don't run it yet> boot into Safe Mode:

    You should take all Symantec/Norton entries off of the Startup menu and change the two Services to Disabled.
    Start> Run> msconfig> Enter> Selective Startup> Startup tab> UNCHECK Symantec/Norton processes> Apply> OK

    Start> Run> services.msc> right click on each of the following> Properties> change startup type to Disabled:
    DefWatch
    Norton AntiVirus Client (rtvscan.exe)

    When through, reboot the system into Normal Mode. NOTE: You will get nag message that you can ignore after checking 'don't show this message again.' Stay in Selective Startup.

    Double click on the saved Norton Removal Tool and run.
  22. tharimrattler

    tharimrattler Newcomer, in training Topic Starter Posts: 17

    The certain program is called GGPO. It's an online-based Street Fighter client. I can technically get connected to an opponent, but their inputs and mine don't match what's going on on the monitor. It must be some desync issue.

    Wait, so those steps are going to help me get rid of Norton? I still have Norton installed, should I uninstall it or what?
  23. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Your first HijackThis log showed you were only using the Norton/Symantec program. By the log in Post #3, you show Avast installed. You need to remove Norton if you're going to run Avast instead.

    The Step #1 in the cleaning states:
    So you did not need to follow this-or if you decided to change, Norton should have been uninstalled. If you are going to be using Avast, please follow the instructions for removing the Symantec/Norton processes.

    I still don't know why you need Spybot to connect to GGPO.
  24. tharimrattler

    tharimrattler Newcomer, in training Topic Starter Posts: 17

    Hey y'all, I noticed a new problem since doing this, and I have a feeling it's from the Comodo Firewall since I never really used a firewall before this.

    The problem is I can't use my online applications on my wireless network now. I get an excellent signal, and connect fine to the network, but I can't connect to anything. Wired works fine, and wireless used to work fine on this same network but not now.

    Any suggestions?
  25. kimsland

    kimsland Ex-TechSpotter Posts: 18,353
