Help

14 replies to this topic

#1 Stephan7231

  • Members
  • 11 posts

Posted 27 July 2011 - 09:04 PM

Let me start off by saying..

I'm new to these forums, but I recently had an infection on my computer and asked my friend for help. He told me about this site and so I came here.

My problem:
Recently my computer got infected with a virus. I know this is vague, but that's the best I can do.

How did this happen?:
It was a pop up from a site I think. I'm not exactly sure because my father was on the computer at the moment.

How do I know?:
Every time I log in, I get a message from my antivirus, Norton, saying that it has detected: Tidserv Activity 2

Now it gave me step by step instructions on how to get rid of this virus. This can be found here: www.symantec.com/business/security_response/attacksignatures/detail.jsp?asid=23615

I downloaded the program they recommended, I installed it, I ran it. But as it stated, I must disable System Restore first. I did that. Now it prompted me to restart my computer. I did that.

Now when it was restarting, I couldn't get back to the password screen. It kept restarting and taking me to a screen asking me to restart in Safe Mode. So I restarted in Safe Mode and I re-ran the program and when it scanned, it prompted me to restart again and so I did. This time it restarted normally. I got on and re-enabled System Restore after I ran the scan. When it restarted my computer again, and after I logged in, it gave me the results; it read Tidserv Activity 2: Remove Failed.

Now I wasn't getting any more alerts.. So I got confused and now 2 days later, I went back and I redid the scan because when I logged on today I was alerted that the Scan Failed.

I went and rescanned and it said, Tidserv Activity 2 removed.

I was puzzled, so I restarted my computer and I was given the same warning...

It is really getting annoying.. I tried step by step instructions and nothing worked..

I'm really sorry if I posted this in the wrong section, but please help me. Also, sorry for the long essay I wrote, but please help!

Operating System: Windows XP Home and Pro.

Thank you! It is much appreciated!

Edited by hamluis, 28 July 2011 - 08:46 AM.
Moved from XP to Am I Infected.



#2 Stephan7231

  • Topic Starter
  • Members
  • 11 posts

Posted 27 July 2011 - 09:18 PM

Sorry for double posting,

I know absolutely NOTHING about computers compared to you guys.

What ever advice you give me, please dumb it down as much as possible.

Thank you yet again. P.S. Sorry for typos, I'm doing this from my iPod because my computer has been terribly slow ever since it was infected.

#3 Allan

  • BC Advisor
  • 8,589 posts

Posted 28 July 2011 - 07:00 AM

I've asked a mod to move this to the appropriate forum. Please wait for a malware specialist to respond.

#4 Stephan7231

  • Topic Starter
  • Members
  • 11 posts

Posted 28 July 2011 - 08:12 AM

Thank you.

It's my first time here and I wasn't sure of the exact place.

#5 Broni

  • BC Advisor
  • 42,696 posts

Posted 28 July 2011 - 06:18 PM

Welcome aboard

Download Security Check from HERE, and save it to your Desktop.

* Double-click SecurityCheck.exe
* Follow the onscreen instructions inside of the black box.
* A Notepad document should open automatically called checkup.txt; please post the contents of that document.

=============================================================================

Please download MiniToolBox and run it.

Checkmark the following boxes:
  • Report IE Proxy Settings
  • Report FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List last 10 Event Viewer log
  • List Users, Partitions and Memory size
Click Go and post the result.

=============================================================================

Download Malwarebytes' Anti-Malware (aka MBAM): https://www.bleepingcomputer.com/download/malwarebytes-anti-malware/ to your desktop.

* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform quick scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad.
* Post the log back here.

Be sure to restart the computer.

The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

=============================================================================

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (e.g. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.
  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.

IMPORTANT! If for some reason GMER refuses to run, try again.
If it still fails, try to UN-check "Devices" in right pane.
If still no joy, try to run it from Safe Mode.

My Website

My help doesn't cost a penny, but if you'd like to consider a donation, click here.

#6 Stephan7231

  • Topic Starter
  • Members
  • 11 posts

Posted 28 July 2011 - 09:18 PM

Thank you!

But since no one answered, I took things in my own hands.

I used Malwarebytes and it scanned and found 10 viruses.

Here are the logs...

Well can't find where they were saved... Will post them later.

Anyways, after the scan I restarted my computer and then went on. Now usually when the virus was on my computer I got a message from Norton saying "Tidserv Activity 2 detected" Something of that kind. But this time when I came on there was no warning... Problem fixed?

Anyways, I went and I deleted all my internet history on Internet Explorer and Google Chrome. But now Malwarebytes keeps telling me that it has blocked a recent attempt to attack my computer. It also gives me the IP Address.

Anyways! Thank you so much for all the wonderful welcome(s) and if the problem continues or if I keep getting the bubble that pops up telling me about the recent attacks that were blocked, I will follow these directions.

#7 Broni

  • BC Advisor
  • 42,696 posts

Posted 28 July 2011 - 09:29 PM

I strongly suggest you follow steps from my previous reply.


#8 Stephan7231

  • Topic Starter
  • Members
  • 11 posts

Posted 29 July 2011 - 10:14 AM

Ok I will do that.

I can't thank you enough for the help.

#9 Broni

  • BC Advisor
  • 42,696 posts

Posted 29 July 2011 - 11:12 AM

OK.


#10 Stephan7231

  • Topic Starter
  • Members
  • 11 posts

Posted 30 July 2011 - 03:53 PM

Results of screen317's Security Check version 0.99.7
Windows XP Service Pack 3
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Disabled!
Norton 360
Antivirus up to date!
```````````````````````````````
Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware
Java DB 10.5.3.0
Java™ 6 Update 24
Java™ 6 Update 22
Java™ SE Development Kit 6 Update 21
Java 2 Runtime Environment, SE v1.4.2_03
Out of date Java installed!
Adobe Flash Player 10.0.32.18
Adobe Reader 9.3.2
Out of date Adobe Reader installed!
````````````````````````````````
Process Check:
objlist.exe by Laurent

Norton ccSvcHst.exe
Malwarebytes' Anti-Malware mbamservice.exe
Malwarebytes' Anti-Malware mbamgui.exe
``````````End of Log````````````


LOG FROM SECURITY CHECK

I turned on Windows Firewall, but Norton gave me a message that it recommends that I turn it off... What do I do? Leave it off? or turn it on?
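An added example, not from this thread or from screen317's tool: a small parser for the checkup.txt format shown above that pulls out what a helper triages first (firewall state, antivirus status, out-of-date software, and the security processes seen running). The sample log is constructed to match the layout of the one posted.

```python
SEP = "`" * 30  # Security Check separates its sections with a run of backticks
# Constructed sample in the checkup.txt format posted in this thread (abridged).
SAMPLE_LOG = "\n".join([
    "Results of screen317's Security Check version 0.99.7",
    "Windows XP Service Pack 3",
    SEP,
    "Antivirus/Firewall Check:",
    "",
    "Windows Firewall Disabled!",
    "Norton 360",
    "Antivirus up to date!",
    SEP,
    "Anti-malware/Other Utilities Check:",
    "",
    "Java(TM) 6 Update 24",
    "Out of date Java installed!",
    "Out of date Adobe Reader installed!",
    SEP,
    "Process Check:",
    "objlist.exe by Laurent",
    "Norton ccSvcHst.exe",
    "Malwarebytes' Anti-Malware mbamservice.exe",
    "`" * 10 + "End of Log" + "`" * 12,
])

def parse_security_check(text):
    """Split a checkup.txt into sections; return (sections, findings)."""
    sections, current = {"Header": []}, "Header"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or set(line) == {"`"}:   # blank line or backtick separator
            continue
        if "End of Log" in line:
            break
        if line.endswith(":"):               # e.g. "Antivirus/Firewall Check:"
            current = line[:-1]
            sections[current] = []
        else:
            sections[current].append(line)
    flat = [l for sec in sections.values() for l in sec]
    findings = {
        "firewall_disabled": any("Firewall Disabled" in l for l in flat),
        "av_up_to_date": "Antivirus up to date!" in flat,
        # "Out of date Java installed!" -> "Java"
        "out_of_date": [l[len("Out of date "):-len(" installed!")]
                        for l in flat if l.startswith("Out of date ")],
        "processes": sections.get("Process Check", [])[1:],  # drop objlist credit
    }
    return sections, findings
```

Run against the real checkup.txt, the out_of_date list is the patch list to work through once the infection itself is cleared; here it flags Java and Adobe Reader, the same two the posted log flagged.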

#11 Broni

  • BC Advisor
  • 42,696 posts

Posted 30 July 2011 - 03:56 PM

Norton includes a firewall, so leave Windows firewall OFF.

Edited by Broni, 30 July 2011 - 03:56 PM.


#12 Stephan7231

  • Topic Starter
  • Members
  • 11 posts

Posted 31 July 2011 - 10:19 AM

Alrighty.

Thank you yet again.

Also, I already scanned with Malwarebytes and I don't know where the logs saved.

#13 Broni

  • BC Advisor
  • 42,696 posts

Posted 31 July 2011 - 01:02 PM

Rescan.


#14 Stephan7231

  • Topic Starter
  • Members
  • 11 posts

Posted 31 July 2011 - 01:30 PM

I rescanned and I have that log, but I don't have the log from when it first removed the viruses.

Edited by Stephan7231, 31 July 2011 - 01:31 PM.


#15 Broni

  • BC Advisor
  • 42,696 posts

Posted 31 July 2011 - 01:34 PM

Post the latest log and then continue with other steps.
