From: "Martin" <Martin@discussions.microsoft.com>
| Hi
| Yes Norton did pick up the Virus, but it tells me that it has to be manually
| removed. If I remove the virus myself as the file is cdrom.sys (C Drive,
| Windows, System32, Drivers and cdrom.sys).
| What will happen to my cdroms if I do remove it. I am also running Windows
| Defender and Microsoft Windows Malicious Software Removal Tool v3.6, but they
| don't pick up the virus.
| Is it safe to remove the virus or not?
Do you read and NOT comprehend ?
Did you run the Norman's TDSS Cleaner as I prescribed ?
This was not and is NOT a "virus".
Tidserv (aka; TDSS/TDL3 and Alureon) is a RootKit and is in the trojan sub-class of
malware.
http://www.symantec.com/security_response/writeup.jsp?docid=2008-091809-0911-99
"Discovered: September 18, 2008
Updated: September 18, 2008 4:01
9 PM
Also Known As: Backdoor:W32/TDSS [F-Secure], BKDR_TDSS [Trend], Win32/Alureon [Microsoft]
Type: Trojan"
Not all malware are viruses but all viruses are malware.
Here is the list of malware that MRT targets.
http://www.microsoft.com/security/malwareremove/families.aspx
Alureon is the name of the TDSS/TDL3 given by Microsoft (also shown in the cross-reference
in the Symantec writeup).
http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?name=Win32/Alureon
Why it doesn't catch it is unknown but that's the case and as for Windows Defender, it is
geared for the Adware/Spyware class of malware which is also non-viral.
It could be that Symantec falsely accuses it of being the TDSS.
The following is poor nomenclature...
(C Drive, Windows, System32, Drivers and cdrom.sys).
This is the correct nomenclature...
c:\windows\system32\drivers\cdrom.sys
or alternatively...
%windir%\system32\drivers\cdrom.sys
You won't be able to delete CDROM.SYS if it was trojanized by TDSS in Normal or Safe Mode
operation. But you can if the drive was on a surrogate PC or if you loaded the Recovery
Console.
Once it is deleted you will need it, and restoring it is not hard if you have the Windows
XP distribution disk or if the i386 folder from an XP distribution disk was ported to the
computer, such as c:\i386.
The following command line would restore the file...
expand c:\i386\cdrom.sy_ %windir%\system32\drivers\cdrom.sys
--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV -
http://www.pctipp.ch/downloads/dl/35905.asp
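As an added example (not part of Dave's reply or any tool he names), the following PowerShell script does the defender-side check implied above: it expands the pristine cdrom.sy_ from the i386 folder into a temp directory and compares its SHA-256 hash with the live driver, so a trojanized cdrom.sys shows up as a mismatch before anything is deleted. It assumes the i386 folder sits at c:\i386 as in the post and that the live driver path is the default; both are parameters, so the same check works when the infected drive is mounted on a surrogate PC (e.g. -LiveDriver 'E:\windows\system32\drivers\cdrom.sys'), which, as the post notes, is also where a live rootkit cannot hide the file from you.

```powershell
function Test-CdromDriverIntegrity {
    param(
        # Path of the driver to inspect; default is the running system's copy.
        [string]$LiveDriver = (Join-Path $env:windir 'system32\drivers\cdrom.sys'),
        # Folder holding the compressed cdrom.sy_ from the XP distribution disk (assumed location).
        [string]$I386Folder = 'c:\i386'
    )

    $compressed = Join-Path $I386Folder 'cdrom.sy_'
    if (-not (Test-Path $LiveDriver)) { throw "Live driver not found: $LiveDriver" }
    if (-not (Test-Path $compressed)) { throw "Compressed driver not found: $compressed" }

    # Expand the pristine copy to a scratch folder; the live driver is never touched.
    $scratch  = Join-Path $env:TEMP 'cdrom_pristine'
    New-Item -ItemType Directory -Path $scratch -Force | Out-Null
    $pristine = Join-Path $scratch 'cdrom.sys'
    & expand.exe $compressed $pristine | Out-Null
    if (-not (Test-Path $pristine)) { throw "expand.exe did not produce $pristine" }

    $liveHash     = (Get-FileHash -Algorithm SHA256 -Path $LiveDriver).Hash
    $pristineHash = (Get-FileHash -Algorithm SHA256 -Path $pristine).Hash

    [pscustomobject]@{
        LiveDriver   = $LiveDriver
        LiveSize     = (Get-Item $LiveDriver).Length
        PristineSize = (Get-Item $pristine).Length
        LiveSHA256   = $liveHash
        PristineHash = $pristineHash
        # $true means the on-disk driver is byte-identical to the distribution copy.
        Matches      = ($liveHash -eq $pristineHash)
    }
}

# Usage: run from the surrogate PC with the suspect drive mounted, or from the
# system itself (a mismatch there still indicates tampering or a service-pack update).
Test-CdromDriverIntegrity | Format-List
```

A mismatch is not proof of infection by itself: a service pack updates cdrom.sys legitimately, so compare against the i386 folder of the service pack level the machine is actually running.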