Problem removing Tidserv.Activity.2



#166
RKinner (Malware Expert)
OK. I've sent you my email address via PM. We are rolling out the heavy guns now and the files get too big for the forum.

Make sure you have Oracle closed.

Download Process Monitor from
http://technet.micro...ernals/bb896645

It's a zip file so you will have to right click and Extract all then when you get to procmon.exe, right click and run as admin.

Bring up Oracle. Wait until you get the can't connect message, then in Process Monitor go to File and uncheck Capture Events. Now go to Filter, Filter, then change the first dropdown box from Architecture to Process Name, then the blank dropdown box to Opera.exe. Hit the Add button, then Apply and OK.

The display should change to show mostly Opera stuff. File, Save (it should have Events Displayed Using Current Filter selected; if not, select it). You can change the save path to your desktop or just remember where it is. OK. Close Process Monitor.

Rename the file extension to .txt

Attach it to an email and send it to me. If your email chokes on it then open a gmail.com account and use that.

Ron

#167
tedins (Topic Starter)
On its way

#168
tedins (Topic Starter)
Scratch that - 35 megs - will resend from my gmail

#169
tedins (Topic Starter)
That isn't working either. I keep getting an Error #008 - I have tried running it through Minefield and through IE 9.

Received the same error through both browsers.

#170
tedins (Topic Starter)
Ahhh. Google limits to 20 megs

#171
tedins (Topic Starter)
Resent it in Comma Separated Value if that helps

#172
RKinner (Malware Expert)
Got it. Mine was only 6m so I guess I was faster turning it off.

What I see is it is having a problem talking to

HKLM\System\CurrentControlSet\Services\WinSock2\Parameters

We are going to have to go into regedit to work on it. Be very careful. Ask if something is not clear.

Start, Run, regedit, OK then Continue.

Find: HKEY_LOCAL_MACHINE and click on the + in front of it to open up the subkeys. In the subkeys find:

System and click on its +

Then CurrentControlSet and click on its +

Then Services

Then WinSock2

Then click on Parameters.

Right click on Parameters and select Export. It will open up a file save box. Save the file to your desktop as winsock2.

Zip up winsock2.reg or change the ext to .txt and attach it to a reply.

Back in Regedit:

Right click on Parameters and select Permissions.
Under Group or User Names you should have 4 entries. If you click on Creator Owner it will show in the bottom pane that only Special Permissions is checked. Click on System and it should have Full Control and Read checked. Does it?
Click on Administrators and it should also show Full Control and Read checked. Does it?
Click on Users and it should have only Read checked.

Are any of these different? Which ones and what do they say? (Administrators and Users will have your computer name tacked on at the end)
Are any missing?

If one is different, click on it and select Advanced then Owner. It should say that the Administrators are the owner. Does it?

Ron

#173
tedins (Topic Starter)
Winsock.txt

#174
tedins (Topic Starter)
All the permissions are as you listed

#175
tedins (Topic Starter)
I have worked in the registry sparingly, but some. However, considering that at this point this machine can function for two things - limited internet and a doorstop - even if something goes wrong, it isn't going to do too much damage. Feel free to edit anything you want.

#176
RKinner (Malware Expert)
OK. Still looking through the data. What URL does your Opera go to when it opens?

Ron

#177
tedins (Topic Starter)
I set it to try Google

#178
RKinner (Malware Expert)
I found a difference between yours and mine. Yours says:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001]
"LibraryPath"="%SystemRoot%\\System32\\mswsock.dll"

Mine says:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001]
"LibraryPath"="%SystemRoot%\system32\NLAapi.dll"

This is what NLAapi is supposed to do:

Network Location Awareness Service
Windows XP Embedded

The Network Location Awareness Service component supports the Network Location Service. This component provides the infrastructure that informs applications and the operating system of the network connections on a specific computer and to adapt to that computer's connectivity. This component implements the NS_NLA Windows Sockets namespace.

This component allows applications to enumerate network connections, obtain information about each connection, and request notification when the connections change. The connection information provides important networking data, such as the connection speed and connection type.
Services


Let's see what happens if we change yours to look like mine:

Open regedit and navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters as before. Under Parameters find

NameSpace_Catalog5 and under that find

Catalog_Entries and then under it click on

000000000001

In the right pane double click on

LibraryPath

A new little window should pop up. Change the text in the window from

%SystemRoot%\System32\mswsock.dll

to

%SystemRoot%\system32\NLAapi.dll

(You should be able to click on the end of the line and backspace over the mswsock.dll and just type in NLAapi.dll)

then OK

Close regedit


Before you reboot, see if there really is a c:\windows\system32\NLAapi.dll file.

Reboot.


Any change?
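
Added example, not part of the original thread: the by-eye comparison of two registry exports in post #178 can be done by parsing both .reg files and diffing the LibraryPath of every NameSpace_Catalog5 entry. The sample exports are constructed; entry 000000000001 carries the two values quoted in the post, while the function names, entry 000000000002 and example_ns.dll are hypothetical.

```python
import re

CATALOG = r"\winsock2\parameters\namespace_catalog5\catalog_entries"

def decode_reg(raw: bytes) -> str:
    # "Version 5.00" exports are UTF-16 with a BOM; REGEDIT4 exports are ANSI.
    return raw.decode("utf-16") if raw[:2] in (b"\xff\xfe", b"\xfe\xff") else raw.decode("cp1252")

def parse_reg(text: str) -> dict:
    """Return {key_path: {value_name: string_data}} from .reg export text."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None:
            m = re.match(r'"([^"]+)"="(.*)"$', line)
            if m:  # exports escape backslash and quote; undo only those two
                current[m.group(1)] = re.sub(r'\\([\\"])', r"\1", m.group(2))
    return keys

def namespace_providers(text: str) -> dict:
    """Map catalog entry id -> LibraryPath for NameSpace_Catalog5."""
    out = {}
    for path, values in parse_reg(text).items():
        head, _, entry = path.rpartition("\\")
        if head.lower().endswith(CATALOG) and "LibraryPath" in values:
            out[entry] = values["LibraryPath"]
    return out

def diff_providers(suspect: str, reference: str) -> dict:
    """Entries whose LibraryPath differs; Windows paths compare case-insensitively."""
    a, b = namespace_providers(suspect), namespace_providers(reference)
    return {e: (a.get(e), b.get(e)) for e in sorted(set(a) | set(b))
            if (a.get(e) or "").lower() != (b.get(e) or "").lower()}

# Constructed sample exports. Entry 000000000001 uses the two values quoted in the
# thread; entry 000000000002 and its example_ns.dll are made up for illustration.
KEY = r"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries"
SUSPECT = "\n".join(["Windows Registry Editor Version 5.00", "",
    KEY + r"\000000000001]", r'"LibraryPath"="%SystemRoot%\\System32\\mswsock.dll"', "",
    KEY + r"\000000000002]", r'"LibraryPath"="%SystemRoot%\\System32\\example_ns.dll"'])
REFERENCE = "\n".join(["Windows Registry Editor Version 5.00", "",
    KEY + r"\000000000001]", r'"LibraryPath"="%SystemRoot%\\system32\\NLAapi.dll"', "",
    KEY + r"\000000000002]", r'"LibraryPath"="%SystemRoot%\\system32\\example_ns.dll"'])

if __name__ == "__main__":
    for entry, (mine, theirs) in diff_providers(SUSPECT, REFERENCE).items():
        print(f"{entry}: suspect={mine!r} reference={theirs!r}")
```

A differing entry is a lead to check against the DLL actually present on disk, not proof of tampering, since catalogs can differ between Windows installations.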

#179
tedins (Topic Starter)
Will give it a try shortly... working to get a printer connection to print it off just in case I need to undo it and cannot get back to this post....

#180
RKinner (Malware Expert)
Hopefully this is the magic bullet because I have to go off-island in about 30 minutes. Won't be back until late Friday.