System32 file as virus

Martin

I am using Norton Internet Security and it found a virus which is a System32
file. The file is cdrom.sys and Norton is telling me that it is a
Backdoor.TidServ.I!ink. This virus started coming on my machine last night
(Tuesday 27th April at 8:15pm)

I went on Google to see if I can fix the file without removing it from the
System32 folder, but I can't seem to find anything.

I am using the following:

OS: Windows XP Home SP3
Processor: Intel P4 3.00GHz
RAM: 2.00GB
HDD: 40GB

Is there a way that I can fix the virus?

David H. Lipman

From: "Martin" <[email protected]>

| I am using Norton Internet Security and it found a virus which is a System32
| file. The file is cdrom.sys and Norton is telling me that it is a
| Backdoor.TidServ.I!ink. This virus started coming on my machine last night
| (Tuesday 27th April at 8:15pm)

| I went on Google to see if I can fix the file without removing it from the
| System32 folder, but I can't seem to find anything.

This is NOT a virus. TidServ is a variant name of the TDSS or TDL3 RootKit which is a
trojan and does not self replicate.

The TDL3 (TDSS level 3) does attack varying drivers.

Norman's TDSS Cleaner is said to be effective on TDL3

http://download.norman.no/public/Norman_TDSS_Cleaner.exe

PA Bear [MS MVP]

You've got a Trojan W32/Alureon-variant rootkit on your hands. Neither NIS
nor any other security application or scanner (including all anti-rootkit
apps) will be able to detect & remove this sucker.

NB: If you had no anti-virus application installed or the subscription had
expired *when the machine first got infected* and/or your subscription has
since expired and/or the machine's not been kept fully-patched at Windows
Update, don't waste your time with any of the below: Format & reinstall
Windows. A Repair Install will NOT help!

Microsoft PCSafety provides home users (only) with no-charge support in
dealing with malware infections such as viruses, spyware (including unwanted
software), and adware.
https://support.microsoft.com/oas/default.aspx?&prid=7552&st=1

Also available via the Consumer Security Support home page:
https://consumersecuritysupport.microsoft.com/

Otherwise...

1. See if you can download/run the MSRT manually:
http://www.microsoft.com/security/malwareremove/default.mspx

NB: Run the FULL scan, not the QUICK scan! You may need to download the
MSRT on a non-infected machine, then transfer MRT.EXE to the infected
machine and rename it to SCAN.EXE before running it.

2a. WinXP => Run the Windows Live Safety Center's 'Protection' scan (only!)
in Safe Mode with Networking, if need be:
http://onecare.live.com/site/en-us/center/howsafe.htm

2b. Vista or Win7=> Run this scan instead:
http://onecare.live.com/site/en-us/center/whatsnew.htm

3. Now run a thorough check for hijackware, including posting requested logs
in an appropriate forum, not here. DO NOT SKIP THIS STEP!!

Checking for/Help with Hijackware:
• http://mvps.org/winhelp2002/unwanted.htm
• http://inetexplorer.mvps.org/tshoot.html
• http://www.mvps.org/sramesh2k/Malware_Defence.htm
• http://www.elephantboycomputers.com/page2.html#Removing_Malware

**Chances are you will need to seek expert assistance in
http://spywarehammer.com/simplemachinesforum/index.php?board=10.0,
http://www.spywarewarrior.com/viewforum.php?f=5,
http://www.dslreports.com/forum/cleanup,
http://www.bluetack.co.uk/forums/index.php,
http://aumha.net/viewforum.php?f=30 or other appropriate forums.**

If these procedures look too complex - and there is no shame in admitting
this isn't your cup of tea - take the machine to a local, reputable and
independent (i.e., not BigBoxStoreUSA or Geek Squad) computer repair shop.

David H. Lipman

From: "PA Bear [MS MVP]" <[email protected]>

| You've got a Trojan W32/Alureon-variant rootkit on your hands. Neither NIS
| nor any other security application or scanner (including all anti-rootkit
| apps) will be able to detect & remove this sucker.

Not completely accurate, Robear.

Elmo

Martin said:
I am using Norton Internet Security and it found a virus which is a System32
file. The file is cdrom.sys and Norton is telling me that it is a
Backdoor.TidServ.I!ink. This virus started coming on my machine last night
(Tuesday 27th April at 8:15pm)

I went on Google to see if I can fix the file without removing it from the
System32 folder, but I can't seem to find anything.

I am using the following:

OS: Windows XP Home SP3
Processor: Intel P4 3.00GHz
RAM: 2.00GB
HDD: 40GB

Is there a way that I can fix the virus?

Download this Avira Antivir Rescue System program which will burn a CD
image to a blank CD. It's updated a few times per day. Insert the CD
into the damaged machine and let it do a scan of your system. Before
starting the scan, select "Configuration" and set to repair or rename
the infected files. Sometimes your machine won't restart after such a
repair process, so you might want to save needed files to another system
before using this. If you can't, then you can move the hard drive to
another machine to copy needed files. You can do that before, or after
this scan.

http://www.free-av.com/en/tools/12/avira_antivir_rescue_system.html

Then run these:

Malwarebytes© Corporation
http://www.malwarebytes.org/mbam/program/mbam-setup.exe

SuperAntispyware
http://www.superantispyware.com/superantispywarefreevspro.html

AVG now has a Rescue CD that's free. They also have a free USB download
that should work on newer systems that can boot from a USB device. Get
them here:

http://www.avg.com/us-en/avg-rescue-cd

PA Bear [MS MVP]

David said:
Not completely accurate Robear.

If the computer got infected on "Tuesday 27th April at 8:15pm," there's a
very good chance that the most-used anti-rootkit app won't be able to detect
it yet.

David H. Lipman

From: "PA Bear [MS MVP]" <[email protected]>

| If the computer got infected on "Tuesday 27th April at 8:15pm," there's a
| very good chance that the most-used anti-rootkit app won't be able to detect
| it yet.

That would depend on whether it is greater than TDL3 v273.

Twayne

In
Martin said:
I am using Norton Internet Security and it found a virus
which is a System32 file. The file is cdrom.sys and Norton
is telling me that it is a Backdoor.TidServ.I!ink. This
virus started coming on my machine last night (Tuesday 27th
April at 8:15pm)

I went on Google to see if I can fix the file without
removing it from the System32 folder, but I can't seem to
find anything.

I am using the following:

OS: Windows XP Home SP3
Processor: Intel P4 3.00GHz
RAM: 2.00GB
HDD: 40GB

Is there a way that I can fix the virus?

When Norton saw it, the virus was either removed for you or if it couldn't
be removed you were given onscreen instructions about how to look for a
manual procedure to remove it. Did you follow those instructions? What else
have you tried? Did NIS detect it or not? What did NIS do about it?

Go to norton.com (now part of symantec.com but the address still works) and
look up the virus for removal instructions. They're too much to print here.

HTH,

Twayne`

David H. Lipman

From: "Twayne" <[email protected]>

| In
| When Norton saw it, the virus was either removed for you or if it couldn't
| be removed you were given onscreen instructions about how to look for a
| manual procedure to remove it. Did you follow those instructions? What else
| have you tried? Did NIS detect it or not? What did NIS do about it?

| Go to norton.com (now part of symantec.com but the address still works) and
| look up the virus for removal instructions. They're too much to print here.

| HTH,

| Twayne`

TidServ (aka; TDSS/TDL3 and Alureon) is NOT a virus!

It is a RootKit trojan.

Martin

Hi

Yes, Norton did pick up the virus, but it tells me that it has to be manually
removed. If I remove the virus myself, as the file is cdrom.sys (C Drive,
Windows, System32, Drivers and cdrom.sys).

What will happen to my CD-ROMs if I do remove it? I am also running Windows
Defender and Microsoft Windows Malicious Software Removal Tool v3.6, but they
don't pick up the virus.

Is it safe to remove the virus or not?

David H. Lipman

From: "Martin" <[email protected]>

| Hi

| Yes, Norton did pick up the virus, but it tells me that it has to be manually
| removed. If I remove the virus myself, as the file is cdrom.sys (C Drive,
| Windows, System32, Drivers and cdrom.sys).

| What will happen to my CD-ROMs if I do remove it? I am also running Windows
| Defender and Microsoft Windows Malicious Software Removal Tool v3.6, but they
| don't pick up the virus.

| Is it safe to remove the virus or not?

Do you read and NOT comprehend?

Did you run the Norman's TDSS Cleaner as I prescribed?

This was not and is NOT a "virus".

Tidserv (aka; TDSS/TDL3 and Alureon) is a RootKit and is in the trojan sub-class of
malware.
http://www.symantec.com/security_response/writeup.jsp?docid=2008-091809-0911-99
"Discovered: September 18, 2008
Updated: September 18, 2008 4:01:39 PM
Also Known As: Backdoor:W32/TDSS [F-Secure], BKDR_TDSS [Trend], Win32/Alureon [Microsoft]
Type: Trojan"

Not all malware are viruses but all viruses are malware.

Here is the list of malware that MRT targets.

http://www.microsoft.com/security/malwareremove/families.aspx

Alureon is the name of the TDSS/TDL3 given by Microsoft (also shown in the cross-reference
in the Symantec writeup).

http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?name=Win32/Alureon

Why it doesn't catch it is unknown, but that's the case, and as for Windows Defender, it is
geared for the Adware/Spyware class of malware, which is also non-viral.

It could be that Symantec falsely accuses it of being the TDSS.

The following is poor nomenclature..
(C Drive, Windows, System32, Drivers and cdrom.sys).

This is the correct nomenclature...
c:\windows\system32\drivers\cdrom.sys
or alternatively...
%windir%\system32\drivers\cdrom.sys

You won't be able to delete CDROM.SYS if it was trojanized by TDSS in Normal or Safe Mode
operation. But you can if the drive was on a surrogate PC or if you loaded the Recovery
Console.

Once it is deleted you will need it, and restoring it is not hard if you have the Windows
XP distribution disk or if the i386 folder from an XP distribution disk was ported to the
computer such as; c:\i386

The following commandline would restore the file...

expand c:\i386\cdrom.sy_ %windir%\system32\drivers\cdrom.sys

PA Bear [MS MVP]

David said:
Yes, Norton did pick up the virus, but it tells me that it has to be manually
removed. If I remove the virus myself, as the file is cdrom.sys (C Drive,
Windows, System32, Drivers and cdrom.sys).
What will happen to my cdroms if i do remove it. I am also running
Windows
Defender and Microsoft Windows Malicious Software Removal Tool v3.6, but
they don't pick up the virus.
Is it safe to remove the virus or not?

Do you read and NOT comprehend?

Did you run the Norman's TDSS Cleaner as I prescribed?

This was not and is NOT a "virus".

Tidserv (aka; TDSS/TDL3 and Alureon) is a RootKit and is in the trojan
sub-class of malware.
http://www.symantec.com/security_response/writeup.jsp?docid=2008-091809-0911-99
"Discovered: September 18, 2008
Updated: September 18, 2008 4:01:39 PM
Also Known As: Backdoor:W32/TDSS [F-Secure], BKDR_TDSS [Trend],
Win32/Alureon [Microsoft] Type: Trojan"

Not all malware are viruses but all viruses are malware.

Here is the list of malware that MRT targets.

http://www.microsoft.com/security/malwareremove/families.aspx

Alureon is the name of the TDSS/TDL3 given by Microsoft (also shown in the
cross-reference in the Symantec writeup).

http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?name=Win32/Alureon
<snip>

Also see...

Microsoft Malware Protection Center: MSRT April Threat Reports & Alureon:
http://blogs.technet.com/mmpc/archive/2010/04/30/msrt-april-threat-reports-alureon.aspx

Twayne

In
David H. Lipman said:
TidServ (aka; TDSS/TDL3 and Alureon) is NOT a virus!

It is a RootKit trojan.

Ah, that's almost as good; there are online instructions for removing it
also.

HTH,

Twayne`

Twayne

In
Martin said:
Hi

Yes, Norton did pick up the virus, but it tells me that it
has to be manually removed. If I remove the virus myself, as
the file is cdrom.sys (C Drive, Windows, System32, Drivers
and cdrom.sys).

What will happen to my CD-ROMs if I do remove it? I am also
running Windows Defender and Microsoft Windows Malicious
Software Removal Tool v3.6, but they don't pick up the
virus.

Is it safe to remove the virus or not?

I don't know; it might require a file replacement. That's the reason for
going to Norton.com to get the manual removal instructions. Those will give
you all the info you need to get rid of it and repair whatever it breaks.
If Norton found a virus, chances are extremely good they have manual
removal instructions for it. I've seen a couple of references to root kits,
so if that's what Norton detected, prepare yourself for doing some work to
get rid of it.
Any chance you do backups? Can you just do a restore from a backup?

HTH,

Twayne`

Twayne

Regardless of what David said, go to Norton and get the manual removal
instructions. Because it's a rootkit doesn't mean that Norton couldn't see
it; it simply means the program does something somehow that Norton
recognized and tagged. Use a known experienced source like Norton - I do
know for a fact that Norton will find a lot of other malware besides only
viruses, but that's not important; what is important is that, if they can't
fix it, they always seem to have a manual removal process you can look up
for free.

HTH,

Twayne`


In
David H. Lipman said:
From: "Martin said:
Yes, Norton did pick up the virus, but it tells me that it
has to be manually removed. If I remove the virus myself, as
the file is cdrom.sys (C Drive, Windows, System32, Drivers
and cdrom.sys).
What will happen to my CD-ROMs if I do remove it? I am also
running Windows Defender and Microsoft Windows Malicious
Software Removal Tool v3.6, but they don't pick up the
virus.
Is it safe to remove the virus or not?

Do you read and NOT comprehend?

Did you run the Norman's TDSS Cleaner as I prescribed?

This was not and is NOT a "virus".

Tidserv (aka; TDSS/TDL3 and Alureon) is a RootKit and is in
the trojan sub-class of malware.
http://www.symantec.com/security_response/writeup.jsp?docid=2008-091809-0911-99
"Discovered: September 18, 2008
Updated: September 18, 2008 4:01:39 PM
Also Known As: Backdoor:W32/TDSS [F-Secure], BKDR_TDSS
[Trend], Win32/Alureon [Microsoft] Type: Trojan"

Not all malware are viruses but all viruses are malware.

Here is the list of malware that MRT targets.

http://www.microsoft.com/security/malwareremove/families.aspx

Alureon is the name of the TDSS/TDL3 given by Microsoft
(also shown in the cross-reference in the Symantec writeup).

http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?name=Win32/Alureon

Why it doesn't catch it is unknown, but that's the case, and
as for Windows Defender, it is geared for the
Adware/Spyware class of malware, which is also non-viral.

It could be that Symantec falsely accuses it of being the TDSS.

The following is poor nomenclature..
(C Drive, Windows, System32, Drivers and cdrom.sys).

This is the correct nomenclature...
c:\windows\system32\drivers\cdrom.sys
or alternatively...
%windir%\system32\drivers\cdrom.sys

You won't be able to delete CDROM.SYS if it was trojanized by
TDSS in Normal or Safe Mode operation. But you can if the
drive was on a surrogate PC or if you loaded the Recovery
Console.

Once it is deleted you will need it, and restoring it is not
hard if you have the Windows XP distribution disk or if the
i386 folder from an XP distribution disk was ported to the
computer such as; c:\i386

The following commandline would restore the file...

expand c:\i386\cdrom.sy_ %windir%\system32\drivers\cdrom.sys
 
