Endpoint Protection

  • 1.  Hit with Tidserv warnings and Rudll power up errors

    Posted Jul 29, 2010 04:58 PM
    One of the laptops I manage, which has Symantec Endpoint Protection, now issues warnings that it blocked an IP address and that a Tidserv request was detected. Also, when I power up I get this error: Rundll missing module: dddbba.dll. I have run Spybot, Malwarebytes and the Symantec virus scan - all come back clean. The computer operates normally except for the Symantec warnings. I suspect there is a problem in my registry - I have run "registry programs" and they indicate errors - but I have not registered the software - not sure if this is the right solution.

    Can anyone help me? Please let me know - Mike


  • 2.  RE: Hit with Tidserv warnings and Rudll power up errors

    Posted Jul 29, 2010 05:26 PM

    Is the tidserv traffic message flagging on incoming or outgoing traffic?

    Are there any indications that something was recently detected and removed from this machine?  Possibly the missing dll is something that was removed but something is still looking for it to run.

    What does Load Point Analysis (part of the SEP Support Tool) have to say?

    sandra


  • 3.  RE: Hit with Tidserv warnings and Rudll power up errors

    Posted Jul 29, 2010 05:32 PM
    Try HijackThis
    or use Sysinternals Autoruns and remove all handles for dddbba.dll


  • 4.  RE: Hit with Tidserv warnings and Rudll power up errors

    Posted Aug 11, 2010 03:28 PM
    I took the computer in for repair. They fixed the registry errors - "rundll" - and the system restore works. But I am still plagued with incoming msg from Symantec Endpoint Protection: [SID23621] Http Tidserv Request Detected. After this message, I get: "Traffic from IP address 91.212.226.67 was blocked."

    I have run Symantec virus scan - all OK, run Malwarebytes and Spybot - OK, and nothing stops this msg.

    Anyone have any suggestions, please let me know.  Thanks!!! ~Michael


  • 5.  RE: Hit with Tidserv warnings and Rudll power up errors

    Posted Aug 11, 2010 03:47 PM

    If it's incoming, determine what websites the user is going to. It appears that the IPS is doing its job by blocking these requests. I had a similar issue and after checking proxy logs, I was able to determine the user was visiting an infected site and we cut off access to it. Messages from SEPM / SEP client then stopped and problem solved.


  • 6.  RE: Hit with Tidserv warnings and Rudll power up errors

    Posted Aug 11, 2010 05:07 PM
    Thanks Brian.

    But how do I determine what website it's from, or coming from? Where would I find the "proxy logs"? Please advise. I have Symantec Endpoint Protection and a firewall.

    Thanks! ~Mike


  • 7.  RE: Hit with Tidserv warnings and Rudll power up errors

    Posted Aug 12, 2010 08:59 AM

    I'm able to do this by checking our proxy server logs; I'm not sure if you have a proxy server in place though.

    If not, my suggestion would be to install Winspy, http://www.acesoft.net/winspy/, on the PC as it will show you a list of all sites visited. From there you should be able to determine more as to what site(s) could be causing this.
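
Added example, not part of any post in this thread: one way to do the proxy-log check described in posts 5 and 7, assuming the proxy writes Squid's native access.log format and records the upstream server address in the hierarchy field. The log lines, the `.example` hosts, the 30-second window and the function names are constructed for illustration; only the blocked IP comes from the alert quoted above.

```python
from collections import defaultdict

BLOCKED_IP = "91.212.226.67"   # address quoted in the SEP alert in this thread
WINDOW = 30.0                  # seconds of prior browsing to report (assumed value)

# Constructed sample in Squid native access.log format (not real traffic):
# time elapsed client action/code bytes method URL ident hierarchy/peer type
SAMPLE_LOG = """\
1281550000.100 120 192.168.1.20 TCP_MISS/200 5120 GET http://news.example/ - DIRECT/203.0.113.10 text/html
1281550010.250 95 192.168.1.20 TCP_MISS/200 2048 GET http://forum.example/thread?id=7 - DIRECT/203.0.113.25 text/html
1281550011.900 40 192.168.1.20 TCP_MISS/200 512 GET http://ads.example/x.js - DIRECT/91.212.226.67 application/javascript
1281550012.000 60 192.168.1.35 TCP_MISS/200 900 GET http://intranet.example/ - DIRECT/198.51.100.5 text/html
1281550200.000 80 192.168.1.20 TCP_MISS/200 700 GET http://mail.example/ - DIRECT/203.0.113.40 text/html
"""

def parse(line):
    """Return (time, client, url, peer_ip), or None for a malformed line."""
    fields = line.split()
    if len(fields) < 10:
        return None
    try:
        ts = float(fields[0])
    except ValueError:
        return None
    peer = fields[8].partition("/")[2]   # "DIRECT/1.2.3.4" -> "1.2.3.4"
    return ts, fields[2], fields[6], peer

def find_context(log_text, blocked_ip=BLOCKED_IP, window=WINDOW):
    """For each request the proxy sent to blocked_ip, list the URLs the same
    client fetched in the preceding `window` seconds (the likely source page)."""
    history = defaultdict(list)          # client -> [(time, url), ...]
    hits = []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        ts, client, url, peer = rec
        if peer == blocked_ip:
            before = [u for t, u in history[client] if ts - t <= window]
            hits.append({"client": client, "time": ts, "url": url, "before": before})
        history[client].append((ts, url))
    return hits

if __name__ == "__main__":
    for hit in find_context(SAMPLE_LOG):
        print(hit["client"], hit["url"], "preceded by", hit["before"])
```

If the list of preceding URLs is empty, the client made the request with no recent browsing before it, which points at software on the machine rather than a visited site.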