Every time I go to Google and do a search, I receive an Intrusion Alert message. Two trouble cases (499746535 and 499752933), a full system scan, an upgrade to 360 4.0, a reset of IE8, etc., have all failed to correct the problem. Norton's "solution" was to "hide" the messages, telling me that whenever I see a green checkmark, I'm safe. WHAT A CROCK! There's some type of malware, or virus, on my computer that they can't find that causes the attack whenever I do a search. The problem just started 4 days ago. The only solutions I've read about on the Internet are to dump Norton and pick up another company's package. Surely Norton hasn't thrown in the towel on this problem. Has anyone successfully resolved this issue? Please advise.
Let us know more information about the Intrusion Alert you receive from your Norton program.
Yogesh
Hello jimrowe
Can you please tell us what operating system you are using and what service pack level?
Please run HijackThis for us and then post the log after you have saved it.
Please download HijackThis from http://free.antivirus.com/hijackthis/ . Choose the executable and save it on your desktop. Run the file and select the first option on the main menu, "Do a system scan and save a log file". When this is finished, Notepad will open with the log file in it. Save the log file and attach it to a post here via Add Attachments. Please don't attempt to fix anything that it shows until someone checks out the log. Thanks.
Please come back and let us see the log. We do have users here who are very helpful in helping people to find malware and get it cleaned up, if the OP follows directions.
I've had about 25 "attacks" this morning, basically every time I did a search.
The message is generally only from one or two addresses: 85.12.46.159,80 or 91.212.226.59,443.
The Message reads:
An intrusion attempt by M01n83kjf7.com was blocked.
Matches the signature of a known attack.
Risk Name = HTTP Tidserv Request
Attacking Computer = 85.12.46.159,80
Again, sometimes it's from 91.212.226.59,443.
I'm going to download and run the HijackThis program someone else mentioned and will follow up once I've done that. Thanks.
I'm running XP Media Center Edition
Windows XP Professional Ver. 5.1 Build 2600 Service Pack 3
I'm running Internet Explorer 8
All updates are current for XP and IE8.
Thanks, HijackThis log is attached.
HijackThis is of no use with this, so it is not needed.
Quads
That is the same problem I'm having.
But in mine, when I'm not using Internet Explorer, it says an intrusion was blocked, and the destination would be 202.157.171.207 or 91.212.226.59, as TCP traffic by SVCHOST.exe in sys32.
And I checked to see if there are 2 of the SVCHOST.exe, but there is only 1, even in hidden files.
I need help, please tell me what to do.
SYSTEM INFO:
Windows Vista Home Basic
Service Pack 2
32 bit
My problem has also expanded to having the messages at other times than when I'm performing searches, with any search engine, not just Google. Also, when I'm just idle looking at my desktop. It has also expanded to include more intrusion IP addresses. Norton did a scan in Safe Mode for me yesterday, and that didn't help. They also reset my IE8 settings again and made a few other adjustments. None of it helped. I've Googled the problem, and the only fixes I read about are changing to a competitor. I hope I don't have to do that. The reason I came back to Norton was that CA could never get their "upgraded" product to run on my PC. Kaspersky was one mentioned that corrected the problem, along with some malware program. Again, I would hate to switch, but it's looking like I might be forced to do so.
Try using Malwarebytes; with that I got 8 infected files (including registry), and that was with a quick scan, not a full scan.
I'll add it as an attachment.
I'll be restarting my computer to see if the alert goes away; if not, then a full scan.
Thanks for the update - please let me know if it works.
The posters here have different symptoms and not the same info from Norton.
Quads
Nope, didn't work, but I did get 10 infected files off my computer :)
Thanks for letting me know. From what I've read on this thread, and many other previous posts by others with the same problem that we have, no one at Norton, or others on these blogs, has ever been able to solve the problem.
jimrowe wrote: Thanks for letting me know. From what I've read on this thread, and many other previous posts by others with the same problem that we have, no one at Norton, or others on these blogs, has ever been able to solve the problem.
LOL,
I have been able to script and remove TDL2, TDL3 and TDL4 for posters on this forum.
But due to others asking, attempting or stepping in on a thread, I then don't go on and proceed to remove the infection for people on that thread.
Oh, and if I could remove the Tidserv group as well as other malware by now, I would say my PC would not be able to load Windows, as I have tested malware from worms, rootkits, trojans, rogues ... by infecting my PC in the "real world", not a VM, then worked at removing them without harming Windows or other data any further.
Quads
Don't sell yourself short for not being able to fix this problem; no one at Norton could fix it either, and they were paid well for the package, as well as paid to install it on my computer. In fact, I've bought over 30 Norton packages over the past 25 or so years, and only once were they ever really helpful when I had a problem. I read where you wrote some scripts to help others, but I guess they really didn't apply to this situation because Norton never mentioned them.
This is a way to get rid of the warning, but not the real thing, as no one knows what it really is.
Norton 360 > Settings > Firewall > Traffic Rules > Add > Block > Connections to and from > Only computers and sites > add these IPs:
202.157.171.207
91.212.226.67
91.212.226.59
85.12.46.159
85.12.46.158
91.212.226.178
91.212.226.130
> Protocol: All > Apply this rule > Finish
This will lose all communication with those IPs; if any further IPs come up, go back to the rule, modify it and add the new IP.
It's useful till Norton really finds what the problem is.
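The alert format quoted on page 1 and the block-rule procedure above both call for the same small piece of tooling: something that turns a pasted dump of Intrusion Prevention alerts into the unique IP list the traffic rule asks for, while also surfacing the indicators that the alerts describe traffic leaving an infected host (the distinction Quads draws later in the thread). What follows is an added example, not code from this thread or from Norton. The sample dump is constructed in the four-line format jimrowe quoted; the trailing "Process =" line is an assumed extra field, added only to carry the SVCHOST.exe detail from Shubby's post, and is not a Norton field the page confirms. The parser, the field names and the list of system processes are all this example's own assumptions.

```python
"""Triage a pasted dump of Norton 360 Intrusion Prevention alerts.

Added example for the thread, not code from Norton or from any poster.
Record layout is modelled on the message quoted on page 1; the
"Process =" line is an assumed extra field (see lead-in).
"""
import re
from collections import Counter

# Constructed sample data: four alerts in the quoted format, one per blank-line-separated block.
SAMPLE_ALERTS = """\
An intrusion attempt by M01n83kjf7.com was blocked.
Matches the signature of a known attack.
Risk Name = HTTP Tidserv Request
Attacking Computer = 85.12.46.159,80
Process = iexplore.exe

An intrusion attempt by M01n83kjf7.com was blocked.
Matches the signature of a known attack.
Risk Name = HTTP Tidserv Request
Attacking Computer = 91.212.226.59,443
Process = svchost.exe

An intrusion attempt by 202.157.171.207 was blocked.
Matches the signature of a known attack.
Risk Name = HTTP Tidserv Request
Attacking Computer = 202.157.171.207,80
Process = svchost.exe

An intrusion attempt by 85.12.46.159 was blocked.
Matches the signature of a known attack.
Risk Name = HTTP Tidserv Request
Attacking Computer = 85.12.46.159,80
Process = svchost.exe
"""

INTRO_PREFIX = "An intrusion attempt by "
FIELD_RE = re.compile(r"^(?P<key>[A-Za-z ]+?)\s*=\s*(?P<value>.+?)$")
# Norton writes the peer as "ip,port"; split it so the IP alone can go into a block rule.
ENDPOINT_RE = re.compile(r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}),(?P<port>\d{1,5})$")

# Assumed list: Windows system processes that should not be the origin of a
# connection matching a malware signature. svchost.exe talks to the network
# legitimately (Windows Update), so it is the signature match plus this
# attribution that matters, not svchost traffic on its own.
SYSTEM_PROCESSES = {"svchost.exe", "services.exe", "lsass.exe", "winlogon.exe", "csrss.exe"}


def parse_alerts(text):
    """Split a pasted dump into one dict per alert; a blank line ends an alert."""
    alerts, current = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            if current:
                alerts.append(current)
                current = {}
            continue
        m = FIELD_RE.match(line)
        if m:
            current[m.group("key").lower()] = m.group("value").strip()
        elif line.startswith(INTRO_PREFIX):
            current["source"] = line[len(INTRO_PREFIX):].split(" was blocked")[0]
    if current:
        alerts.append(current)
    for a in alerts:
        m = ENDPOINT_RE.match(a.get("attacking computer", ""))
        if m:
            a["ip"], a["port"] = m.group("ip"), int(m.group("port"))
    return alerts


def block_list(alerts):
    """Unique attacking IPs in numeric order: the list the traffic rule asks for."""
    ips = {a["ip"] for a in alerts if "ip" in a}
    return sorted(ips, key=lambda ip: tuple(int(o) for o in ip.split(".")))


def endpoint_counts(alerts):
    """How often each ip:port recurs; a few peers repeating while idle looks like beaconing."""
    return Counter(f'{a["ip"]}:{a["port"]}' for a in alerts if "ip" in a)


def triage(alerts):
    """Per alert, the reasons to treat the local machine as infected rather than attacked."""
    findings = []
    for a in alerts:
        reasons = []
        if "tidserv" in a.get("risk name", "").lower():
            reasons.append("signature names a trojan family (Tidserv)")
        if a.get("process", "").lower() in SYSTEM_PROCESSES:
            reasons.append(f'attributed to system process {a["process"]}')
        if reasons:
            findings.append((a.get("ip"), a.get("port"), a.get("process"), reasons))
    return findings


def looks_infected(alerts):
    """True when any alert carries a host-side indicator; the block rule then only hides symptoms."""
    return bool(triage(alerts))


if __name__ == "__main__":
    parsed = parse_alerts(SAMPLE_ALERTS)
    print("IPs for the block rule:", ", ".join(block_list(parsed)))
    for endpoint, n in endpoint_counts(parsed).most_common():
        print(f"  {endpoint}: {n} alert(s)")
    for ip, port, proc, reasons in triage(parsed):
        print(f"  {ip}:{port} via {proc}: " + "; ".join(reasons))
    print("host-side indicators present:", looks_infected(parsed))
```

Running it on the sample prints the three IPs that the rule would need, the recurrence count per peer, and for each alert the reasons it points at the host itself. When `looks_infected` is true, the block rule is a stopgap that silences the alerts, and the next step is rootkit removal, not a longer IP list.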
Thanks, I'll take care of that right away. Really appreciated.
There are four things that happened just prior to the problem. Don't know if they are related or not.
1. Norton program cleaned-up my PC and registry - can't undo what was done, since the upgrade wiped out the record of what was done.
2. Had just installed Firefox, and uninstalled it after the problem.
3. Just got "hung-up" in an automatic Java upgrade. Uninstalled all Java after the problem developed.
4. My wife, who knows nothing about computers, had just used my computer to check a Facebook page before the problem started.
Again, I don't know if any of these events are relevant to the problem.
Thanks again.
From the message on page 1:
The Message reads:
An intrusion attempt by M01n83kjf7.com was blocked.
Matches the signature of a known attack.
Risk Name = HTTP Tidserv Request
Attacking Computer = 85.12.46.159,80
Is Intrusion Prevention blocking the rootkit accessing the net?
I have just recently used a script for a user to remove the unofficially named TDL4, but scripts are individualized for that PC only, as are most scripts as they are typed out, depending on what needs to happen, what the files are named, where the backups are located, etc.
It's not because I am not able to fix TDL (Backdoor.Tidserv), but due to the thread, I am not wanting to (the use of HijackThis beforehand).
The Bleeping Computer forum is also able to fix rootkits like this.
Quads
Good afternoon. From Monday to Wednesday, I had 84 intrusion attempts. Since following Shubby's blocking instructions, I haven't had any. Thanks for your interest.
That is only blocking the IP addresses.
Quads