Msansspc.dll problem with attached logs

Status
Not open for further replies.

tharimrattler

Posts: 14   +0
This is the main file that cannot be removed with my antivirus software. After doing the 8 step virus removal instructions, I can now click on search results in google (previously it was being redirected). I noticed my pc is generally operating quicker and more efficiently after running all those scans and updating java. Any help is greatly appreciated.
 

Attachments

  • hijackthis.log
    4.5 KB · Views: 5
You have a seriously infected system- Vundo, AntivirusXp 2009 and a Rootkit. Some of it has been removed, but you will need to turn off the Real Time Monitoring and run the programs again.

Please see this for instructions:
Temporarily Disable Real Time Monitoring Programs:
http://wiki.castlecops.com/Malware_Removal:_Temporarily_Disable_Real_Time_Monitoring_Programs
* 1 Spybot S&D (Teatimer)
* 2 Ad-Aware Ad-Watch
* 3 Spywareguard
* 4 Windows Defender
* 5 TrojanHunter Guard
* 6 Disable SpySweeper
* 7 WinPatrol
* 8 CounterSpy
* 9 AVG Anti-Spyware (formerly ewido)
* 10 Spyware Doctor
* 11 Prevx
* 12 ProcessGuard
* 13 ZoneAlarm's OS Firewall
* 14 Ad-Aware 2007 Service
 
The Rootkit TDSServ is still showing in SAS, but Mbam and HijackThis are clean.
Let's follow this to remove:

1. Open up Device Manager(Start> Control Panel> Hardware tab> Device Manager button)
2. Click 'View' and select 'Show Hidden Devices'
3. Expand the 'Non-Plug and Play' Drivers category
4. Right-click and 'Disable' clbdriver.sys, tdsserv.sys (or tdssxyz.sys where xyz.sys are random characters), and/or seneka.sys (any that are present)
5. Restart computer to Safe Mode
6. After restart, go back to Device Manager and right-click 'Uninstall' the above drivers
7. Navigate to 'C:\Windows\System32\Drivers' folder and delete these files if they exist (They will be hidden so show hidden files)***
8. Navigate to 'C:\Windows\System32\ directory, Sort By Date, and remove any recently modified traces of files that resemble clb*.*, td*.*, and seneka*.* or any suspicious looking *.exe's/*.dll's modified in the past 24 hours ***
9. Run SDFIX (see below) and Combofix in Safe Mode (see below)
10. Reboot to Normal mode, install SAS, update, and run a quick scan
11. Run an ESET (NOD32) online scan: http://www.eset.com/onlinescan/
OR F-Secure online malware scan: http://support.f-secure.com/enu/home/ols.shtml
***NOTE: Path for #7 & #8:
Right click on Start> Explore> Windows > System 32

#9: SD FIX- what it does: http://www.bleepingcomputer.com/forums/topic131299.html
1. Download SDFix.exe from the link and save it to your desktop:
2. Confirm that the file SDFix.exe now resides on your desktop, but do not double-click on the icon as of yet. We will use it in later steps.
3. Now, double-click on the SDFix icon that should now be residing on your desktop. If an Open File - Security Warning box opens, click on the Run button.
4. A window will now open showing SDFix being extracted into the C:\SDFix folder. Once the installation program has finished extracting SDFix, it will open a Notepad with further instructions as shown. Follow the instructions and screen shots on the site.

When you have finished, the log will open in Notepad which can be attached here.
#9: ComboFix:
Please download ComboFix.: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it.

Please disable all security programs, such as antiviruses, antispywares, and firewalls.
Also disable your internet connection.

• Run Combo-Fix.exe and follow the prompts.
**Understand that things like your system clock changing and your desktop disappearing might happen. Do not worry, because all will be restored later.
• Wait for the scan to be completed.
• If it requires a reboot, please do it.
• After the scan has completed entirely, please post the log here. The log will be located at C:\ComboFix(.txt)

Do not click on the ComboFix window, as it may cause it to stall.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Rescan with HijackThis and attach logs from SDFix, ComboFix and HijackThis.
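Steps 7 and 8 above ask you to sort the Drivers and System32 folders by date and pick out files that look like clb*, td*, seneka* or recently modified .exe/.dll files. The following Python script is an added example, not part of this thread or of any of the tools it mentions; it automates that review as a report-only list (nothing is deleted) and runs over a constructed mock folder built in a temp directory. Point `find_recent_suspects` at a real folder to use it on a live system. The file names in the mock are illustrative, and `tdi.sys` is included only to show that the wide td* pattern also catches legitimate-looking names, so the output is a review list, not a delete list.

```python
import fnmatch
import os
import shutil
import tempfile
import time

# Name patterns taken from the removal steps above (clb*.*, td*.*, seneka*.*).
NAME_PATTERNS = ("clb*.*", "td*.*", "seneka*.*")
# Binary types the post says to review when modified in the past 24 hours.
BINARY_SUFFIXES = (".exe", ".dll", ".sys")


def find_recent_suspects(directory, now=None, window_hours=24, patterns=NAME_PATTERNS):
    """Return the sorted names of files in `directory` that either match one of
    `patterns` (case-insensitive) or are binaries modified within `window_hours`
    of `now`. Report-only: the caller reviews the list; nothing is deleted."""
    now = time.time() if now is None else now
    cutoff = now - window_hours * 3600
    hits = []
    with os.scandir(directory) as entries:
        for entry in entries:
            if not entry.is_file(follow_symlinks=False):
                continue
            name = entry.name.lower()
            by_name = any(fnmatch.fnmatchcase(name, pat) for pat in patterns)
            recent_binary = (name.endswith(BINARY_SUFFIXES)
                             and entry.stat(follow_symlinks=False).st_mtime >= cutoff)
            if by_name or recent_binary:
                hits.append(entry.name)
    return sorted(hits)


def demo():
    """Build a constructed mock drivers folder in a temp directory, run the
    triage over it and return the result. File names are illustrative only."""
    now = time.time()
    hour, day = 3600, 86400
    sample = {
        # name             age of last modification   why it is (not) listed
        "clbdriver.sys": 30 * day,   # matches clb*.* (named in the post)
        "tdsserv.sys":   30 * day,   # matches td*.* (named in the post)
        "seneka_ab.sys": 30 * day,   # matches seneka*.*
        "tdi.sys":       30 * day,   # legitimate-looking name caught by the wide td*.* pattern
        "kernel32.dll":  30 * day,   # old binary with no pattern match: not listed
        "newhelper.dll": 1 * hour,   # binary modified within 24h: listed for review
        "notes.txt":     1 * hour,   # recent but not a binary: not listed
    }
    root = tempfile.mkdtemp(prefix="mock_drivers_")
    try:
        for name, age in sample.items():
            path = os.path.join(root, name)
            with open(path, "wb") as fh:
                fh.write(b"mock")
            # Backdate the file so its modification time reflects the scenario.
            os.utime(path, (now - age, now - age))
        return find_recent_suspects(root, now=now)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for hit in demo():
        print(hit)
```

The point of keeping this report-only is the same one the post makes with "any suspicious looking" files: a date sort or a name pattern narrows the field, but each hit still needs a human decision before anything is removed.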
 
I appreciate your continued help to me. Thank you.

I followed your instructions and have new logs. I look forward to your response.
 
You did very well! Five posts and it looks to me like you're clean as a whistle!

Did you look at the logs to see what was found and removed?

Please give me system status. If running well, we can remove the cleaning tools and restore points.
 
OS Name Microsoft Windows XP Professional
Version 5.1.2600 Service Pack 2 Build 2600
OS Manufacturer Microsoft Corporation
System Name T42
System Manufacturer IBM
System Model 2374JU4
System Type X86-based PC
Processor x86 Family 6 Model 13 Stepping 6 GenuineIntel ~1694 Mhz
BIOS Version/Date IBM 1RETDRWW (3.23 ), 6/18/2007
SMBIOS Version 2.33
Windows Directory C:\WINDOWS
System Directory C:\WINDOWS\system32
Boot Device \Device\HarddiskVolume1
Locale United States
Hardware Abstraction Layer Version = "5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)"
User Name T42\mboatright
Time Zone Pacific Standard Time
Total Physical Memory 768.00 MB
Available Physical Memory 317.16 MB
Total Virtual Memory 2.00 GB
Available Virtual Memory 1.96 GB
Page File Space 1.46 GB
Page File C:\pagefile.sys
 
No, I'm sorry- you misunderstood. When I ask for system status, I want you to tell me how the computer is running and if original problems have been resolved!

No upload needed- just a few words.
 
I have a couple more questions.

When I turned Spybot TeaTimer back on, it prompted me to allow or deny several changes. Is this because of all the scans I ran, and changes those scans made? Also, I ran an Avast virus scan and there are several files that cannot be scanned because access is denied. What can I do here?
 
Spybot TeaTimer back on, it prompted me to allow or deny several changes
This is the issue with Spybot S&D:
When a message pops up saying Allow or Deny from the program's Tea Timer (resident protection), a user must try to learn or search for what the issue is in relation to, on the spot!

In most cases these are highly technical areas that normal users just can't deal with.
But to confirm which way you should go (Allow or Deny) you really need to do this on each individual popup, i.e. Bobbye cannot advise you if it's OK or not without knowing what the single Allow\Deny message issue is.

Not only that, but you may get tens or hundreds of these popups from Spybot S&D all the time. It would literally take hours, if not days, to know them all and then apply your answer correctly.

Therefore Spybot S&D may not actually be ideal for the standard Windows user,
i.e. they may "Allow" when they should have "Denied".
Personally I say, if you're unsure, just uninstall Spybot S&D.


As for the antivirus not scanning some files (in use), that's OK :)
 
Thanks for the reply.

For a Firewall, would you recommend Comodo or Zone Alarm for me?

Also, when I install either of those, should I turn off my windows firewall?
 
They automatically turn Windows Firewall off for you.

ZoneAlarm and Comodo are kind of different but work the same.

ZoneAlarm is an application-based firewall.

Comodo is a rule-based firewall.

From what people say, Comodo is lighter on the system than ZoneAlarm.
They also say using Comodo is easier once you get the hang of it.

It is however up to you.

ZoneAlarm is easier to config.
 
I went with your advice on uninstalling Spybot. When I uninstalled it, however, I noticed I could not connect to someone in an online game I frequent. I reinstalled Spybot and now it works again. Is there any way to completely get rid of Spybot and everything that comes with it?
 
Running Spybot when you need it is okay. I would just leave Tea Timer disabled. Any Real Time alert feature can be very confusing to deal with.

Spybot S&D (Teatimer)

1. Run Spybot-S&D in Advanced Mode.
2. If it is not already set to do this, go to the Mode menu and select "Advanced Mode"
3. On the left hand side, Click on Tools
4. Then click on the Resident Icon in the List
5. Uncheck "Resident TeaTimer" and OK any prompts.
6. Restart your computer.

I had the AdAware SE paid for several years. That version had a Registry alert, AdWatch. Every time there was any change to the Registry, it popped up. Just about anything we do makes a change to the registry, so I ended up disabling AdWatch!
 
Just a little update:


I'm doing good now! I feel like everything is secure now, but would it be safe for me to access things like my banking account online? Is there a possibility that something is creeping in the background waiting to access my info?
 
Your system should be clean. If you would like to run one more HijackThis scan I'll check it for you. If clean we can remove the cleaning programs and old restore points.
 
New HJT attachment.

When I tried removing Spybot S&D it would not let me connect in a certain program, so I am wary of removing things, unless I did something wrong. I had to reinstall Spybot to connect in this program.
 
I don't know why Spybot S&D needs to be installed to connect to "certain programs." What programs are you referring to?

You still have parts remaining for Symantec/Norton as follows:
C:\Program Files\NavNT\rtvscan.exe
rtvscan.exe is an executable of the Symantec Internet Security suite.

O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
VirusProtect Shield System Tray icon for Norton AntiVirus Corporate Edition.

O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
"defwatch.exe" is part of Norton AntiVirus from Symantec Corporation. It detects out-of-date virus definitions for Norton Anti-Virus software.

O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe

Download and Save the Norton removal Tool to the desktop:
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2005033108162039

Once you have downloaded the removal tool, don't run yet> boot into Safe Mode:

You should take all Symantec/Norton entries off of the Startup menu and change the two Services to Disabled.
Start> Run> msconfig> Enter> Selective Startup> Startup tab> UNCHECK Symantec/Norton processes> Apply> OK

Start> Run> services.msc> right click on each of the following> Properties> change startup type to Disabled:
DefWatch
Norton AntiVirus Client (rtvscan.exe)

When through, reboot the system into Normal Mode. NOTE: You will get a nag message that you can ignore after checking 'don't show this message again.' Stay in Selective Startup.

Double click on the saved Norton Removal Tool and run.
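The remnants above were spotted by reading the O4 (autorun) and O23 (service) lines of a HijackThis log for Symantec/Norton names and the NavNT path. As an added example that is not part of this thread or of HijackThis itself, the Python script below parses those two entry types and lists every executable whose entry mentions one of a set of vendor keywords, so a leftover product can be checked against the log in one pass. The Symantec lines are the ones quoted in the post; the Example Co lines and the O2 line are constructed filler to show that unrelated entries and other entry types are left alone. The O4 command handling is simplified (quoted path or the whole command) and is an assumption of this example, not the HijackThis format specification.

```python
import re

# HijackThis entry shapes handled here (as quoted in the post above):
#   O4  - <hive>\..\Run: [<name>] <command>
#   O23 - Service: <name> - <company> - <path>
O4_RE = re.compile(r"^O4 - (?P<hive>.+?): \[(?P<name>[^\]]*)\] (?P<command>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<company>.+?) - (?P<path>.+)$")

# Keywords that mark a Symantec/Norton remnant: vendor names plus the NavNT folder.
VENDOR_KEYWORDS = ("symantec", "norton", "navnt")

# Constructed sample log: the three Symantec lines are from the post, the rest is filler.
SAMPLE_LOG = [
    r"O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - (no file)",
    r"O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe",
    r'O4 - HKCU\..\Run: [ExampleUpdater] "C:\Program Files\Example Co\updater.exe" /background',
    r"O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe",
    r"O23 - Service: Example Sync Service - Example Co - C:\Program Files\Example Co\sync.exe",
    r"O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe",
]


def _exe_from_command(command):
    """Pull the executable path out of an O4 command line: the quoted part if the
    command is quoted, otherwise the whole command (simplified assumption)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        if end > 0:
            return command[1:end]
    return command


def parse_hjt_line(line):
    """Parse one O4 or O23 log line into a dict; return None for other entry types."""
    line = line.strip()
    m = O4_RE.match(line)
    if m:
        return {"type": "O4", "name": m["name"], "company": "",
                "path": _exe_from_command(m["command"])}
    m = O23_RE.match(line)
    if m:
        return {"type": "O23", "name": m["name"], "company": m["company"],
                "path": m["path"].strip()}
    return None


def find_remnants(lines, keywords=VENDOR_KEYWORDS):
    """Return the sorted, de-duplicated executable paths of O4/O23 entries whose
    name, company or path contains any keyword (case-insensitive)."""
    wanted = tuple(k.lower() for k in keywords)
    paths = set()
    for line in lines:
        entry = parse_hjt_line(line)
        if entry is None:
            continue
        haystack = f"{entry['name']} {entry['company']} {entry['path']}".lower()
        if any(k in haystack for k in wanted):
            paths.add(entry["path"])
    return sorted(paths)


if __name__ == "__main__":
    for path in find_remnants(SAMPLE_LOG):
        print(path)
```

To run it against a real log, read the file with `open(..., encoding="cp1252", errors="replace")` (HijackThis logs from this era are plain text, not UTF-8) and pass the lines to `find_remnants`; the keyword tuple is the only thing to change for a different vendor.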
 
The certain program is called GGPO. It's an online based Street Fighter client. I can technically get connected to an opponent, but their inputs and mine don't match what's going on on the monitor. It must be some desync issue.


Wait, so those steps are going to help me get rid of Norton? I still have Norton installed, should I uninstall it or what?
 
Your first HijackThis log showed you were only using the Norton/Symantec program. By the log in Post #3, you show Avast installed. You need to remove Norton if you're going to run Avast instead.

The Step #1 in the cleaning states:
If you're NOT running any antivirus or firewall software, you should install one ASAP. If you already have an anti-virus program, please be sure to check for updates and run a full scan of your system.

So you did not need to follow this, or if you decided to change, Norton should have been uninstalled. If you are going to be using Avast, please follow the instructions for removing the Symantec/Norton processes.

I still don't know why you need Spybot to connect to GGPO.
 
Hey y'all, I noticed a new problem since doing this, and I have a feeling it's from the Comodo Firewall since I never really used a firewall before this.


The problem is I can't use my online applications on my wireless network now. I get an excellent signal, and connect fine to the network, but I can't connect to anything. Wired works fine, and wireless used to work fine on this same network but not now.

Any suggestions?
 