Possible malware?, tidserv request?



#1 331/3
Posted 24 May 2010 - 04:52 AM

Hello all. Just recently I've run into somewhat of a problem. Whenever I access Google, nothing terrible happens, but whenever I click "Search", Norton comes up with "A recent attempt to attack your computer was blocked". That's happened before (when viewing Google results, not searching), but only once or twice; this is every single time. Getting tiresome, as I'm not sure if it's infected or not, or how badly, etc. Here is some relevant information:

Windows XP, service pack 3
Norton internet security 2010 version 17.6.0.32
Internet explorer 8

So far, all I have done is update Norton through LiveUpdate and run a full system scan, where all it seemingly finds is tracking cookies (no big deal, I think). I have done this twice, and after both, the same problem is there. I'll post what Norton says below, but the interesting thing (to me, at least) is that Norton is saying the attempt is blocked and that no action is required, as well as that the severity is high. Other than that:

Firstly:
"An intrusion attempt by m01n83kjf7.com was blocked"
Risk name: HTTP Tidserv Request
Attacking computer: m01n83kjf7.com (85.12.46.159, 80)
Attacker URL: 7gafd33ja90a.com/ [insert incredibly long string - will post on request]
Destination address: [our IP]
Source address: 85.12.46.159 (85.12.46.159)
Traffic description: TCP www-http
This one states the attack originated from;
\DEVICE\HARDDISKVOLUME1\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE

Getting a similar message from Norton, albeit without the "attacker URL", but this time it's from 01n02n4cx00.cc (202.157.171.207, 443)... also it states it's an HTTP Tidserv Request 2. The attack originated from:
\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\SVCHOST.EXE

I would really appreciate some guidance, and thanks ahead of time!

Also, if any other information is needed, I'll post whatever is necessary (maybe I should screenshot the errors?). Thanks in advance!

EDIT: the block does not come up when doing an image search. However, doing a shopping search does trigger it, from a different place:
19js810300z.com (91.212.226.67, 443). It, too, comes from \WINDOWS\SYSTEM32\SVCHOST.EXE.

Another edit: another block came up, this time not from Google, though. Like the last new one, from svchost.exe, but this time from lj1i16b0.com (91.212.226.59, 443).

Wunnerful, wunnerful, another one: n16fa53.com (202.157.171.207, 443). This one is also in SVCHOST.EXE.
Looked into the IP address; apparently at least one of these is from some place in Bangkok, Thailand... sigh...

And again (sorry for the amount of updates, but man...): this one is 19js810300z.com (91.212.226.67, 443), from WINDOWS\SYSTEM32\SVCHOST.EXE.

Norton says these are blocked; how would one make sure?

And again, also saying: zz87jhfda88.com, again at SVCHOST.EXE. Checked online (through a search engine), and it too is a known malware site.

Would Malwarebytes be a next step? I hate to add more than one question per post, but before trying a clean, would backing up be advisable, and if so, how would you get only safe files? Used to think I knew something about computers (ha)...

Edited by 331/3, 24 May 2010 - 10:09 AM.
#2 331/3
Posted 24 May 2010 - 12:29 PM

Since I recall a one-post-per-problem kind of deal, I'll add non-vital questions here.

Before I try anything else, I recall reading that a backup would be a good idea, and since we have a portable drive, that's pretty easy. However, it seems like SVCHOST.EXE is a pretty important thing, and if the supposed malware has indeed infected it, what would be the correct path to save all documents and programs while avoiding the problem area? On that note, reading Wikipedia (albeit not the best source for info), it says many viruses disguise themselves under svchost; how could one determine a "real" svc from a "fake" svc?

Again, thanks for looking.

Edited by 331/3, 24 May 2010 - 12:29 PM.
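Added example for the two posts above (it is not code from the thread and not Symantec's): a small triage script that parses Norton IPS alert fields of the kind the poster quoted, pulls out the indicators (attacker domain, IP, port, originating process) and flags the two things that stand out in this thread. First, the later alerts come from svchost.exe rather than the browser and go to TCP/443 on random-looking domains, which is the shape of a repeated outbound beacon, not a web page tripping a signature. Second, the path the alerts report is the genuine System32 location, so the "real vs fake svchost" test by path alone cannot settle the question: code injected into the legitimate process leaves its path intact. Tidserv is Symantec's name for the TDSS/TDL rootkit family. The sample text is constructed from the alerts quoted above; the letter/digit-switch heuristic for generated-looking domains is an assumption of this example, not a Norton rule.

```python
# Added example (not from the thread, not Symantec's code): parse Norton IPS
# alert text, extract indicators, and flag system-process beaconing.
import re

# Constructed sample, condensed from the alerts quoted in the posts above
# (one alert per block; "；" vs ":" separators vary as they do in the post).
# The risk name is included only where the poster quoted it.
SAMPLE_ALERTS = r"""
Risk name ; HTTP Tidserv Request
Attacking computer; m01n83kjf7.com (85.12.46.159, 80)
The attack originated from; \DEVICE\HARDDISKVOLUME1\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE

Risk name ; HTTP Tidserv Request 2
Attacking computer; 01n02n4cx00.cc (202.157.171.207, 443)
The attack originated from; \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\SVCHOST.EXE

Attacking computer; 19js810300z.com (91.212.226.67, 443)
The attack originated from; \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\SVCHOST.EXE

Attacking computer; lj1i16b0.com (91.212.226.59, 443)
The attack originated from; \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\SVCHOST.EXE

Attacking computer; n16fa53.com (202.157.171.207, 443)
The attack originated from; \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\SVCHOST.EXE

Attacking computer: zz87jhfda88.com
The attack originated from: \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\SVCHOST.EXE
"""

RISK_RE = re.compile(r"Risk name\s*[;:]\s*(.+)", re.I)
ATTACKER_RE = re.compile(
    r"Attacking computer\s*[;:]\s*(\S+?)"              # domain
    r"(?:\s*\((\d{1,3}(?:\.\d{1,3}){3}),\s*(\d+)\))?"  # optional "(ip, port)"
    r"\s*$", re.I | re.M)
PROCESS_RE = re.compile(r"originated from\s*[;:]\s*(.+)", re.I)

# The only place Windows keeps the genuine svchost.exe (after normalisation).
SYSTEM_SVCHOST = r"\windows\system32\svchost.exe"


def parse_alerts(text):
    """One dict per alert block: risk, domain, ip, port, process path."""
    alerts = []
    for block in re.split(r"\n\s*\n", text.strip()):
        m = ATTACKER_RE.search(block)
        if not m:
            continue  # not an alert block
        risk = RISK_RE.search(block)
        proc = PROCESS_RE.search(block)
        alerts.append({
            "risk": risk.group(1).strip() if risk else "unknown",
            "domain": m.group(1).lower(),
            "ip": m.group(2),                                 # None if absent
            "port": int(m.group(3)) if m.group(3) else None,
            "process": proc.group(1).strip() if proc else "",
        })
    return alerts


def looks_generated(domain):
    """Heuristic (assumption of this example): machine-generated labels tend to
    interleave letters and digits, so count the letter<->digit switches."""
    label = domain.split(".")[0]
    switches = sum(1 for a, b in zip(label, label[1:]) if a.isdigit() != b.isdigit())
    return switches >= 3


def normalize_path(path):
    """Drop the NT device prefix (\\Device\\HarddiskVolumeN, as Norton shows it)
    or a drive letter (as Explorer shows it) so both forms compare equal."""
    p = path.strip().lower()
    p = re.sub(r"^\\device\\harddiskvolume\d+", "", p)
    p = re.sub(r"^[a-z]:", "", p)
    return p


def is_system_svchost_path(path):
    """True only for the real System32 location. A True result does not prove
    the process is clean: code injected into it leaves the path unchanged."""
    return normalize_path(path) == SYSTEM_SVCHOST


def triage(text):
    """Attach a list of flags to each parsed alert."""
    findings = []
    for a in parse_alerts(text):
        exe = a["process"].split("\\")[-1].lower()
        flags = []
        if exe == "svchost.exe" and not is_system_svchost_path(a["process"]):
            flags.append("svchost outside System32")
        if looks_generated(a["domain"]):
            flags.append("generated-looking domain")
        if exe == "svchost.exe" and a["port"] == 443:
            flags.append("system process to 443")  # outbound beacon, not a browser hit
        findings.append({**a, "exe": exe, "flags": flags})
    return findings


def process_counts(text):
    """How many alerts each originating executable produced."""
    counts = {}
    for f in triage(text):
        counts[f["exe"]] = counts.get(f["exe"], 0) + 1
    return counts


def indicators(text):
    """Sorted, de-duplicated domains and IPs to block or look up elsewhere."""
    out = set()
    for a in parse_alerts(text):
        out.add(a["domain"])
        if a["ip"]:
            out.add(a["ip"])
    return sorted(out)


if __name__ == "__main__":
    for f in triage(SAMPLE_ALERTS):
        print(f["exe"], f["domain"], f["ip"], f["port"], f["flags"])
    print(process_counts(SAMPLE_ALERTS))
    print(indicators(SAMPLE_ALERTS))
```

The useful output is the per-process count: one alert from iexplore.exe on the first page load and every later one from svchost.exe to port 443, which is why a browser-side fix (cookies, add-ons) would not address it. The path check is kept deliberately narrow; on a live machine the practitioner would pair it with the parent process (the real instances are started by services.exe), the file's Authenticode signature, and an offline scan, since a rootkit that hooks the running system can lie to in-band tools.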