Constant "blocked" attacks and Win32 Services keeps crashing. HELP!

Not sure where to start with this, so I'll try the very beginning...

I had a virus last week.

It came from a program claiming to produce code for a JavaScript image slideshow. Norton automatically scans the program upon downloading and found nothing. Since it was from a random website, I scanned it with Norton again once it was on the hard drive (before installing). Again, Norton found nothing.

My Norton is set to autoupdate so ... yeah.

The program installed OK and ran OK. When I tried to "preview" the image slideshow, I got some kind of "virus found" error message and it offered me some fixes from free anti-virus programs. I recognized most of the names as well-known anti-virus programs so I trusted it. I clicked one of the ones that would supposedly help, but I believe that was the ACTUAL virus.

It downloaded and claimed to be scanning my computer but was probably infecting files, not scanning them. After this, I could not open any internet browsers or run "task manager." Instead, this "anti-virus" program would pop up and say (paraphrased) "that program has been found unsafe and is blocked, to fix the program please enter your credit card info and buy the upgraded version."

At this point, I finally realized this was not a legit program.

I looked up the problem online and it seemed the Malwarebytes program was going to be able to fix it. I downloaded the program on another computer, put it on a thumb drive, ran it on the infected computer, and seemingly everything was fixed!

I also downloaded Secunia PSI and began using it to check/update programs that might have been vulnerable.

Everything ran fine for a few days.

In the last 24-ish hours, Norton keeps popping up saying "an attack on your computer has been blocked" and then it gives some information that I don't really understand. A series of IP addresses and a long hard drive location ending in svchost.exe.

I get this message constantly. Seems to be more while surfing the net (regardless of site). Again, Norton claims to be blocking the attacks and that "no action is required."

I've run several full system scans but nothing is found.

I did some searching and heard that a "rootkit" is a type of virus that Norton might not recognize that could be responsible for these issues. However, I ran "Blacklight" and it found nothing.

Also, once a day I get an error saying "Generic Host Process for Win32 Services has encountered a problem and needs to close." My taskbar then changes from its usual blue to gray and the smooth edges of certain WinXP applications (calculator, etc.) become blocky and ... basic-looking.... hard to describe.

What is wrong!? What can I do?!

I'm really not great with advanced computer troubleshooting so.... feel free to speak to me like a 5-year-old.

Thanks in advance! I really need your help!!

Hello JAL

Welcome to the Norton Community Forum

Can you please tell us about your computer? What operating system and service pack are you using, and is it 32 or 64 bit please? What Norton product and what is the version number please? It does sound like a rootkit or a bad piece of malware. They can be responsible for downloading rogue security programs. Your best bet may be one of the removal sites that are often recommended here. You can pick one and register with them and tell them what has happened. They have the proper tools and will tell you what logs to try and run.

Please go to one of these free forums for help in removing your bad malware or rootkits.

http://www.bleepingcomputer.com

http://www.geekstogo.com/forum/

http://www.cybertechhelp.com/forums/

http://forums.whatthetech.com/

(Thanks to Delph for providing the list of sites)

Please tell us which one you would want to try out and keep us up to date, but please answer the other questions first. Thanks.

Absolutely, floplot, thanks for responding.

Windows XP - Service Pack 3

I'm quite sure it's 32-bit, but where can I confirm this?

I'm using "Norton Internet Security" and .... I can't find a version number. =(

 

Does it give the name of what Norton's Intrusion Prevention blocked, like HTTP.Tidserv...?

Quads

"HTTPS Tidserv Request 2"

and

"HTTP Tidserv Request"

 

Also, in addition to svchost.exe, firefox.exe is getting flagged in these.

 

Lastly, each "blocked attack" is coupled with a "Pending" "IPS Detection Statistical Submission" at the exact same time.

 

Just noticed those because Norton wasn't bringing them to my attention.....
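As an added example that is not part of this thread, and not Norton's own code or log format, here is the triage a responder would do with alerts like the ones JAL lists: group the blocked "Tidserv" requests by originating process and remote host, and rank the processes. The pipe-delimited record layout is an assumption, and the sample records are constructed (the remote addresses are RFC 5737 documentation ranges, not real hosts).

```python
"""Triage of Norton-style Intrusion Prevention alerts.

Added example for this thread, not Norton's code or log format. The record
layout (timestamp | signature | direction | remote host:port | local process)
is an assumption, and the sample records below are constructed, using
RFC 5737 documentation addresses rather than real hosts.
"""
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed sample records (not taken from a real Norton log).
SAMPLE_ALERTS = """\
2010-10-10 21:01:12 | HTTP Tidserv Request    | outbound | 203.0.113.17:80   | C:\\WINDOWS\\system32\\svchost.exe
2010-10-10 21:01:40 | HTTPS Tidserv Request 2 | outbound | 198.51.100.8:443  | C:\\WINDOWS\\system32\\svchost.exe
2010-10-10 21:02:05 | HTTP Tidserv Request    | outbound | 203.0.113.17:80   | C:\\Program Files\\Mozilla Firefox\\firefox.exe
2010-10-10 21:03:51 | HTTP Tidserv Request    | outbound | 203.0.113.42:80   | C:\\WINDOWS\\system32\\svchost.exe
2010-10-10 21:05:17 | HTTPS Tidserv Request 2 | outbound | 198.51.100.8:443  | C:\\WINDOWS\\system32\\svchost.exe
"""

# Processes that should never originate traffic matching a rootkit C2
# signature; a hit on one of these means the implant is on this host.
SYSTEM_PROCESSES = {"svchost.exe", "services.exe", "lsass.exe", "winlogon.exe", "spoolsv.exe"}


def parse_alerts(text):
    """Split the assumed pipe-delimited layout into dicts, skipping blank lines."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, sig, direction, remote, proc = (f.strip() for f in line.split("|"))
        host, _, port = remote.rpartition(":")
        records.append({
            "time": ts,
            "signature": sig,
            "direction": direction,
            "remote_host": host,
            "remote_port": int(port),
            "process": PureWindowsPath(proc).name.lower(),
            "process_path": proc,
        })
    return records


def summarize(records):
    """Per local process: hit count, distinct remote hosts, signatures, directions."""
    summary = defaultdict(lambda: {"hits": 0, "remote_hosts": set(),
                                   "signatures": set(), "directions": set()})
    for r in records:
        entry = summary[r["process"]]
        entry["hits"] += 1
        entry["remote_hosts"].add(r["remote_host"])
        entry["signatures"].add(r["signature"])
        entry["directions"].add(r["direction"])
    return dict(summary)


def assess(summary):
    """Turn the summary into findings. Outbound C2-signature traffic from a
    system process is the strongest indicator: the IPS is blocking the
    implant's call-home, not an inbound attack, so the alert's
    'no action required' wording is the wrong conclusion for the host."""
    findings = []
    for proc, entry in sorted(summary.items()):
        if proc in SYSTEM_PROCESSES:
            severity = "high"
            note = ("system process originating traffic matched by a rootkit C2 "
                    "signature; the implant is on this host")
        else:
            severity = "medium"
            note = ("user process hitting the same C2 signature; likely injected "
                    "into or proxied by the implant, investigate after the system process")
        findings.append({
            "process": proc,
            "severity": severity,
            "hits": entry["hits"],
            "distinct_remote_hosts": len(entry["remote_hosts"]),
            "directions": sorted(entry["directions"]),
            "note": note,
        })
    return findings


if __name__ == "__main__":
    for f in assess(summarize(parse_alerts(SAMPLE_ALERTS))):
        print(f"{f['severity']:6} {f['process']:12} hits={f['hits']} "
              f"hosts={f['distinct_remote_hosts']} {f['directions']}  {f['note']}")
```

The point of the grouping is the one Quads makes later in the thread: a block on svchost.exe is not an inbound attack being stopped, it is a local implant failing to reach its servers, so the host is already compromised whatever the alert text says.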

For further:

32 or 64 bit Windows version: (screenshot attached)

Version number of NIS: (screenshot attached)

 

JAL, I am having the same exact problem as you. However, my computer to my knowledge did not get infested by a virus before these Norton blocks began to occur. Hope your question solves this problem because it could help solve mine.

What does, for example, the TDSSKiller removal tool say?

http://www.kaspersky.com/virus-removal-tools

See also:

HitmanPro (scan time: 4-10 mins)

http://www.surfright.nl/en/downloads

Dr.Web CureIt (quick scan: 20-60 mins, full for me: up to 24-30 hours)

http://www.freedrweb.com/cureit/?lng=en

!First see Quads' warning!

http://community.norton.com/t5/Norton-Internet-Security-Norton/Constant-quot-blocked-quot-attacks-and-Win32-Services-keeps/m-p/311780#M131651

For me (Win XP SP3 32 bit and NIS 2010/2011) the problems never occurred. These are all virus removal tools written by professionals and do not interfere with the main (resident) antivirus program.

Niko-

I only see 2 triangle images in your post.

???

This is the new Symantec "technology": new images must be approved by moderators and only then can be viewed in the topic.

See them in the downloadable archive http://rapidshare.com/files/425869793/snaps.zip [150 kB]

 

Do not use HitmanPro or Dr.Web CureIt; it's not a good idea to load up a PC with programs when it's having problems, like Services and possible freezing or BSODs occurring.

And people wonder why they end up with problems.

The 2 tools below should be fast enough to cure the driver involved, as they only scan the areas involved to look for the driver, before Services crashes. TDSSKiller can cure the latest I have.

NOTE: The Kaspersky tool removes the known variants of the family, including the Bootkit versions; Symantec's tool does not.

Try http://www.symantec.com/content/en/us/global/removal_tool/threat_writeups/FixTDSS.exe

If the variant is too new a warning will appear when trying to repair, but it will list the driver involved.

If that doesn't work because it's a new variant of TDL3 or is the TDL4 Bootkit, try

http://support.kaspersky.com/viruses/solutions?qid=208280684

You will see that an .exe version is available for download.

Quads

 

UPDATE:

I downloaded/ran the TDSSKiller program.

It found one problem file and one "suspicious" file.

As soon as my Malwarebytes finishes its scan I will reboot to "cure" the problem TDSSKiller found.

 

No. Cure with TDSSKiller first. Malwarebytes will not detect the TDL3 and above driver or MBR; it's not meant to, so there's no point in doing things out of order.

Quads

 

Ok, ever since rebooting after TDSSKiller ran, I have not gotten the "blocked attack" message and nothing has crashed (yay!).

I then ran FixTDSS.

After a lengthy scan it said "Backdoor.Tidserv has been found on your computer" and then let me click "OK" and closed.

Did it take care of said problem? Or just identify it?

What's my next move?

I have to go out for a few hours, but will be back tonight. I will be wanting to look at the TDSSKiller log, as you said 2 files were detected, one as suspicious, so one must be cured; I just have to see what the other was.

Quads

Ok, it's already 10:32pm here but even if I'm not awake I will appreciate your reply later.

I ran TDSSKiller again to see the "report". Thankfully, it only found the "suspicious" file this time, which I assume means that the problematic file really was taken care of.

In any case, here's what it says for the suspicious file:

========================
Suspicious Objects
   Locked File                                                          Skip
      Service
     Service name: sptd
     Service type: Kernel driver (0x1)
     Service start: Boot (0x0)
     File: C:\WINDOWS\system32\Drivers\sptd.sys
     MD5: 71e276f6d189413266ea22171806597b
========================

Let me know what my next step is when you return! and THANK YOU!

Also,

I wanted to turn my Windows Firewall on as per the instructions on bleepingcomputer. However, when I try to do that, Norton pops up and tells me that it has a superior firewall running and that I should leave Windows Firewall disabled.

Can anyone confirm which program I should let handle my firewall??

TDSSKiller will detect the Daemon Tools driver as suspicious: even though the driver is legit, it's the way the driver works, and it is locked.

If you are using a CD emulator (Daemon Tools, Alcohol 120%, etc.), they use rootkit-like techniques to hide from other applications and can interfere with investigative or anti-rootkit (ARK) tools, or be detected due to the way the file is working. It can also cause a conflict with the actual rootkit or other malware, causing unexpected crashes or BSODs.

If you are no longer receiving crashes of any sort, then I would say you are free to use other non-realtime products like Malwarebytes, Dr.Web CureIt, etc.

The reason to use specialist tools when receiving BSODs or file crashes is that specialist removal tools like FixTDSS or TDSSKiller are quicker, as they only scan the specific areas where TDSS (TDL, Tidserv) is located, like the MBR and the "drivers" folder. That means the scan and detection should be quick enough, between any crashes, to cure the area / file needed, whereas a Quick or Full Scan takes a lot longer and a crash could occur during the scan, screwing that up.

If you are having problems with Daemon Tools and its driver after the rootkit removal, or you think it is best anyway, you could remove Daemon Tools completely and install it again afresh.

Quads
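As an added example that is not part of the thread and not Kaspersky's code, here is a small parser for the "Suspicious Objects" report shape JAL pasted, with the classification Quads describes applied to each entry: a locked boot-start driver with a known CD-emulator service name (sptd) is an expected hit, while an unknown locked boot-start driver in the drivers folder, the location TDSS/TDL variants use, is a rootkit candidate. The sptd entry is the one from the thread; the second entry, its service name, path and MD5 are constructed to show the contrast, and the section/field layout is assumed from the single sample on the page.

```python
"""Classify 'Suspicious Objects' entries from a TDSSKiller-style report.

Added example for this thread, not Kaspersky's code. It parses only the
report shape shown in the thread (a section title, then an indented
verdict/action line followed by 'key: value' fields). The second entry in
the sample report is constructed to show the contrast; its service name,
path and MD5 are made up.
"""
import re
from pathlib import PureWindowsPath

SAMPLE_REPORT = """\
========================
Suspicious Objects
   Locked File                                                          Skip
      Service
     Service name: sptd
     Service type: Kernel driver (0x1)
     Service start: Boot (0x0)
     File: C:\\WINDOWS\\system32\\Drivers\\sptd.sys
     MD5: 71e276f6d189413266ea22171806597b
   Locked File                                                          Skip
      Service
     Service name: xyzqrst
     Service type: Kernel driver (0x1)
     Service start: Boot (0x0)
     File: C:\\WINDOWS\\system32\\Drivers\\xyzqrst.sys
     MD5: 00000000000000000000000000000000
========================
"""

# Kernel drivers installed by CD/DVD emulators. They are boot-start, locked
# and use rootkit-like hiding, so anti-rootkit tools flag them; the thread
# explains that sptd (Daemon Tools / Alcohol 120%) is the expected hit.
CD_EMULATOR_DRIVERS = {"sptd": "Daemon Tools / Alcohol 120% (SPTD layer)"}

# "   Locked File        Skip": exactly three spaces, verdict, gap, action.
VERDICT_RE = re.compile(r"^ {3}(?P<verdict>\S.*?)\s{2,}(?P<action>\S+)\s*$")
# "     Service name: sptd": indented 'key: value' (key may contain digits, e.g. MD5).
FIELD_RE = re.compile(r"^\s+(?P<key>[A-Za-z0-9 ]+?): (?P<value>.+?)\s*$")


def parse_report(text):
    """Return a list of entries; each is a dict of section, verdict, action,
    object kind and the 'key: value' fields (keys lower-cased)."""
    entries, section, current = [], None, None
    for line in text.splitlines():
        if not line.strip() or set(line.strip()) == {"="}:
            continue                            # blank or ===== separator
        if not line.startswith(" "):
            section = line.strip()              # e.g. "Suspicious Objects"
            continue
        m = VERDICT_RE.match(line)
        if m:
            current = {"section": section, "verdict": m["verdict"], "action": m["action"]}
            entries.append(current)
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            current[m["key"].strip().lower()] = m["value"]
        elif current is not None:
            current.setdefault("kind", line.strip())   # e.g. "Service"
    return entries


def classify(entry):
    """Decide what to do with a locked object, following the thread's reasoning."""
    name = entry.get("service name", "").lower()
    path = entry.get("file", "")
    boot_start = entry.get("service start", "").lower().startswith("boot")
    in_drivers_dir = PureWindowsPath(path).parent.name.lower() == "drivers"
    if name in CD_EMULATOR_DRIVERS:
        return ("cd_emulator",
                f"{name}: {CD_EMULATOR_DRIVERS[name]}; expected false positive. "
                "If in doubt, uninstall the emulator, reboot, rescan, then reinstall.")
    if boot_start and in_drivers_dir:
        return ("investigate",
                f"{name}: unknown locked boot-start driver in the drivers folder, where "
                "TDSS/TDL variants live; treat as a rootkit candidate and verify the file "
                "hash and signature before trusting it.")
    return ("review", f"{name or entry.get('kind', 'object')}: locked object outside the "
            "usual rootkit locations; review manually.")


def triage(text):
    """(service name, category, advice) for every entry in the report."""
    return [(e.get("service name"), *classify(e)) for e in parse_report(text)]


if __name__ == "__main__":
    for name, category, advice in triage(SAMPLE_REPORT):
        print(f"{category:12} {advice}")
```

Note that the allowlist keys on the service name only; it does not vouch for the file's hash, which is why the advice for sptd is still to uninstall the emulator and rescan if the result is in doubt.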

JAL:

Norton should be the one you are running. It turns off Windows Firewall by default during the installation.

Everything still seems to be going well. :)

I do have one of those phantom CD drive programs. So as long as that's all it is, I'm not concerned.

Glad to know the firewall is all set too.

Quads mentioned running Malwarebytes again so I'll do that.

Is there anything else I should do?

Is it safe to resume my online banking practices???

 

You could probably run the complimentary programs as mentioned by Niko233 to make sure nothing is picked up.

HitmanPro (scan time: 4-10 mins)

http://www.surfright.nl/en/downloads

Dr.Web CureIt (quick scan: 20-60 mins, full for me: up to 24-30 hours)

http://www.freedrweb.com/cureit/?lng=en

Mitka