How to block specific IP, computer

I keep getting the message that my Norton 360 has blocked an intrusion attempt by a specific computer.

 

If I go to the details, it shows:

     Risk Name: System Infected: Tidserv Activity 2

     Attaching Computer: [IP address + computer]

     Destination Address: [My computer]

     Source Address: [IP address]

     Traffic Description: TCP, https

And this message:

     Network traffic from [IP address] matches the signature of a known attack. The attack was resulted from \DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\SVCHOST.EXE. To stop being notified for this type of traffic, in the Actions panel, click Stop Notifying Me.

 

Yet when I go to AutoBlock (which is ON and set for 48 hours), no computers are listed as being autoblocked.

 

I would like to know:

1) How do I put this computer on my AutoBlock list so I can restrict it permanently?

2) What do I need to do to rid my system of the risk?

 

I'm not a techie, so I thank you for your patience in advance.

Hi jim476,

 

The alert notice points to a Tidserv rootkit infection on your system. Blocking the IP address will be of limited value. Please register and post to one of the following free malware removal forums that have been suggested here by delphinium. They are staffed by experts who can help you find and remove this threat. Be sure to mention Tidserv in your post.

 

http://www.bleepingcomputer.com

http://www.geekstogo.com/forum/

http://www.cybertechhelp.com/forums/

http://forums.whatthetech.com/

Hi Jim476,


Welcome to Norton Community!


I would suggest running the tool mentioned in the following link and making sure that your computer is not infected:

http://www.symantec.com/security_response/writeup.jsp?docid=2010-090608-3309-99


Yogesh

Thank you for your suggestions.

 

Unfortunately, I have no idea what a "rootkit infection" is.

 

I don't like the idea of paying every year for Norton to protect me from something like this, then have to go to some freeware site to correct what I've already paid for.

 

But I guess I don't have any choice.

 

Once again, thanx to you two for giving the information to compensate for Norton's shortcomings.

Well, I downloaded and ran FixTDSS.exe. After it ran, I got the message, "Backdoor.Tidserv has not been found on your computer."

 

So, that didn't work.

 

Meanwhile, while FixTDSS.exe was running, I got the message that Trojan.Zefarch!gen4 was detected by Auto-Protect and blocked.

 

AND ...

 

While I was writing this note, the very same computer that was attacking earlier, attacked AGAIN.

 

So I go back to my original question: How do I stop the attacking computer?

The attacking computer is actually responding to call-outs from the Tidserv infection, which is most likely attempting to connect to servers in order to download more malware such as Trojan.Zefarch!gen4. That is what these things do. If you block the one IP address, the infection will simply switch to a server at a different address.

 

Unfortunately, no antivirus program can make you bulletproof. The malware writers are not sitting idly by. Every day they churn out new variants that can temporarily evade detection by security software. The forums I suggested are your best and easiest solution, as a trained person experienced in removing these sorts of infections will guide you through the removal process and make sure that your machine is clean.

I will try those forums and see if I can manage to stumble correctly through one of them.

 

Thanx again.