Endpoint Protection


RDPENCDD.sys (Backdoor.Tidserv!inf)

  • 1.  RDPENCDD.sys (Backdoor.Tidserv!inf)

    Posted Aug 19, 2010 09:20 AM

    Hi,

    Every time I start my computer (Windows Vista), I see a notification from Symantec Endpoint antivirus saying that some threats were found. When I click on the message I see the following:



    Even after restarting, as the message states, I see the same pop-up again. When I click on Details, I see this:



    I selected the following actions: clean, put into quarantine, delete, but none of them worked. I tried to locate RDPENCDD.sys, but there is only a .dll and no .sys file. I tried scanning with malware but even that did not work.

    Can someone please help with what I should do to get rid of this risk?

    Thanks



  • 2.  RE: RDPENCDD.sys (Backdoor.Tidserv!inf)

    Posted Aug 19, 2010 10:01 AM


  • 3.  RE: RDPENCDD.sys (Backdoor.Tidserv!inf)

    Posted Aug 19, 2010 12:34 PM


  • 4.  RE: RDPENCDD.sys (Backdoor.Tidserv!inf)

    Posted Aug 22, 2010 01:58 AM
    Did you run the removal tools suggested by Prachand above? Are you still getting these detections, with remediation unsuccessful? If yes, then you may have to open a ticket with support, I think...


  • 5.  RE: RDPENCDD.sys (Backdoor.Tidserv!inf)

    Posted Aug 22, 2010 10:17 AM
    This is a SYS file (driver file).
    So it's most probably a rootkit and you won't be able to find this file without using rootkit tools.
    This file will not get deleted normally.
    Also, you can try scanning the machine in Safe Mode, as 3rd-party drivers don't load in Safe Mode and it can get detected.

    I would suggest you use IceSword 1.2 or GMER and remove this file using it.

    Check this article on rootkits and the tools useful in removing them:
    https://www-secure.symantec.com/connect/articles/rootkit-intruder-living-your-kernel


  • 6.  RE: RDPENCDD.sys (Backdoor.Tidserv!inf)

    Posted Aug 22, 2010 10:25 AM
    I had a customer with the same detection, and remediation status was unsuccessful... it came out as an unrepairable threat...

    You may have to replace the file from another computer...


  • 7.  RE: RDPENCDD.sys (Backdoor.Tidserv!inf)

    Posted Aug 22, 2010 03:40 PM
    Can you try a scan in safe mode?

    Note, there is some trickery if it's still a "feature" where SEP will say something like "do you want to start the SEP services?"  Clicking no is what you want to do when in safe mode.


  • 8.  RE: RDPENCDD.sys (Backdoor.Tidserv!inf)

    Posted Aug 22, 2010 05:33 PM
    Safe mode has never worked for me with this rootkit, mainly because it's a critical system driver which Windows always has locked. I've found that replacing it with a known good file using BartPE does the trick. This one is a real pain to say the least.


  • 9.  RE: RDPENCDD.sys (Backdoor.Tidserv!inf)

    Posted Aug 23, 2010 01:18 AM
    Then why not the SERT disc? This is the bootable ISO available on FileConnect.


  • 10.  RE: RDPENCDD.sys (Backdoor.Tidserv!inf)

    Posted Aug 23, 2010 01:42 AM
    SERT is used when your computer would not boot at all, and is used to scan with the current definitions in those situations. Over here, this is not the case...

    Have you installed RU6 MP1?


  • 11.  RE: RDPENCDD.sys (Backdoor.Tidserv!inf)

    Posted Aug 23, 2010 07:43 AM
    The problem is this rootkit completely replaces the valid .sys file so even if it is cleaned, deleted, whatever, Windows still needs the file to function correctly. It needs to be completely replaced with a valid one so there will be more manual intervention than just running a scan. At least that is what I have found with the few clients I've had.
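    Checking a driver on an offline volume against a known-good copy, the approach posts 8 and 11 describe, as an added example (not code from the thread or from Symantec). It assumes D: is the offline Windows volume mounted from a WinPE/BartPE-style boot, E:\good holds the same driver copied from a clean machine with the same Windows build and patch level, and PowerShell 4 or later for Get-FileHash.

```powershell
# Added example: verify a driver file on an OFFLINE system volume against a
# known-good copy, and optionally restore it. Run from a WinPE/BartPE-style
# boot: the infected OS is not running, so the rootkit's disk filtering
# cannot hide the real on-disk bytes and Windows does not hold the file locked.
# Assumed paths: D: = offline Windows volume, E:\good = clean reference copy
# taken from a machine with the same Windows build and service pack.
param(
    [string]$DriverName   = 'RDPENCDD.sys',
    [string]$OfflineRoot  = 'D:\Windows\System32\drivers',
    [string]$KnownGoodDir = 'E:\good',
    [switch]$Restore
)

$suspect = Join-Path $OfflineRoot $DriverName
$good    = Join-Path $KnownGoodDir $DriverName

foreach ($p in @($suspect, $good)) {
    if (-not (Test-Path -LiteralPath $p)) { throw "File not found: $p" }
}

# Hash comparison: an infected driver no longer matches the clean build's copy.
$hashSuspect = (Get-FileHash -LiteralPath $suspect -Algorithm SHA256).Hash
$hashGood    = (Get-FileHash -LiteralPath $good    -Algorithm SHA256).Hash

# Embedded Authenticode check. Caveat: many Microsoft drivers are catalog-signed,
# so 'NotSigned' on an offline volume does not by itself prove tampering;
# 'HashMismatch' (signature present, bytes changed) is a strong indicator.
$sig = Get-AuthenticodeSignature -LiteralPath $suspect

[pscustomobject]@{
    File          = $suspect
    SizeSuspect   = (Get-Item -LiteralPath $suspect).Length
    SizeKnownGood = (Get-Item -LiteralPath $good).Length
    HashMatches   = ($hashSuspect -eq $hashGood)
    SigStatus     = $sig.Status
    Signer        = $sig.SignerCertificate.Subject
} | Format-List

if ($Restore -and ($hashSuspect -ne $hashGood)) {
    # Keep the suspect file for analysis, then drop in the clean copy.
    $evidence = "$suspect.infected.bak"
    Copy-Item -LiteralPath $suspect -Destination $evidence -Force
    Copy-Item -LiteralPath $good    -Destination $suspect  -Force
    Write-Output "Replaced $suspect (original saved as $evidence)"
}
```

    Run it without -Restore first to see the comparison, then with -Restore once the reference copy is confirmed to come from the same build, since a mismatched build will also hash differently.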


  • 12.  RE: RDPENCDD.sys (Backdoor.Tidserv!inf)

    Posted Aug 24, 2010 01:35 PM
    SERT is also useful when the system is infected with a rootkit so you can boot from the CD and not load any malware.  The SERT disk along with current defs should identify the malware and hopefully remove it.  I don't think it is only for use when the system is not bootable.

    This from Symantec tech support: "The Symantec Endpoint Recovery Tool is an image that you can burn on a disc, which you can use to scan and remove malware from client computers. You use this tool for the computers that are too infected for Symantec Endpoint Protection to clean effectively." Full details are located at:

    https://www-secure.symantec.com/connect/videos/symantec-endpoint-recovery-tool-sert