
System32 file as virus

Martin
I am using Norton Internet Security and it found a virus which is a System32
file. The file is cdrom.sys and Norton is telling me that it is a
Backdoor.TidServ.I!ink. This virus started coming on my machine last night
(Tuesday 27th April at 8:15pm)

I went on Google to see if I can fix the file without removing it from the
System32 folder, but I can't seem to find anything.

I am using the following:

OS: Windows XP Home SP3
Processor: Intel P4 3.00GHz
RAM: 2.00GB
HDD: 40GB

Is there a way that I can fix the virus?
 
David H. Lipman
From: "Martin" <Martin@discussions.microsoft.com>

| I am using Norton Internet Security and it found a virus which is a System32
| file. The file is cdrom.sys and Norton is telling me that it is a
| Backdoor.TidServ.I!ink. This virus started coming on my machine last night
| (Tuesday 27th April at 8:15pm)

| I went on Google to see if I can fix the file without removing it from the
| System32 folder, but I can't seem to find anything.

This is NOT a virus. TidServ is a variant name of the TDSS or TDL3 RootKit which is a
trojan and does not self replicate.

The TDL3 (TDSS level 3) does attack varying drivers.

Norman's TDSS Cleaner is said to be effective on TDL3

http://download.norman.no/public/Norman_TDSS_Cleaner.exe

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
 
PA Bear [MS MVP]
You've got a Trojan W32/Alureon-variant rootkit on your hands. Neither NIS
nor any other security application or scanner (including all anti-rootkit
apps) will be able to detect & remove this sucker.

NB: If you had no anti-virus application installed or the subscription had
expired *when the machine first got infected* and/or your subscription has
since expired and/or the machine's not been kept fully-patched at Windows
Update, don't waste your time with any of the below: Format & reinstall
Windows. A Repair Install will NOT help!

Microsoft PCSafety provides home users (only) with no-charge support in
dealing with malware infections such as viruses, spyware (including unwanted
software), and adware.
https://support.microsoft.com/oas/default.aspx?&prid=7552&st=1

Also available via the Consumer Security Support home page:
https://consumersecuritysupport.microsoft.com/

Otherwise...

1. See if you can download/run the MSRT manually:
http://www.microsoft.com/security/malwareremove/default.mspx

NB: Run the FULL scan, not the QUICK scan! You may need to download the
MSRT on a non-infected machine, then transfer MRT.EXE to the infected
machine and rename it to SCAN.EXE before running it.

2a. WinXP => Run the Windows Live Safety Center's 'Protection' scan (only!)
in Safe Mode with Networking, if need be:
http://onecare.live.com/site/en-us/center/howsafe.htm

2b. Vista or Win7=> Run this scan instead:
http://onecare.live.com/site/en-us/center/whatsnew.htm

3. Now run a thorough check for hijackware, including posting requested logs
in an appropriate forum, not here. DO NOT SKIP THIS STEP!!

Checking for/Help with Hijackware:
• http://mvps.org/winhelp2002/unwanted.htm
• http://inetexplorer.mvps.org/tshoot.html
• http://www.mvps.org/sramesh2k/Malware_Defence.htm
• http://www.elephantboycomputers.com/page2.html#Removing_Malware

**Chances are you will need to seek expert assistance in
http://spywarehammer.com/simplemachinesforum/index.php?board=10.0,
http://www.spywarewarrior.com/viewforum.php?f=5,
http://www.dslreports.com/forum/cleanup,
http://www.bluetack.co.uk/forums/index.php,
http://aumha.net/viewforum.php?f=30 or other appropriate forums.**

If these procedures look too complex - and there is no shame in admitting
this isn't your cup of tea - take the machine to a local, reputable and
independent (i.e., not BigBoxStoreUSA or Geek Squad) computer repair shop.



Martin wrote:
> I am using Norton Internet Security and it found a virus which is a
> System32
> file. The file is cdrom.sys and Norton is telling me that it is a
> Backdoor.TidServ.I!ink. This virus started coming on my machine last night
> (Tuesday 27th April at 8:15pm)
>
> I went on Google to see if I can fix the file without removing it from the
> System32 folder, but I can't seem to find anything.
>
> I am using the following:
>
> OS: Windows XP Home SP3
> Processor: Intel P4 3.00GHz
> RAM: 2.00GB
> HDD: 40GB
>
> Is there a way that I can fix the virus?
 
Elmo
Martin wrote:
> I am using Norton Internet Security and it found a virus which is a System32
> file. The file is cdrom.sys and Norton is telling me that it is a
> Backdoor.TidServ.I!ink. This virus started coming on my machine last night
> (Tuesday 27th April at 8:15pm)
>
> I went on Google to see if I can fix the file without removing it from the
> System32 folder, but I can't seem to find anything.
>
> I am using the following:
>
> OS: Windows XP Home SP3
> Processor: Intel P4 3.00GHz
> RAM: 2.00GB
> HDD: 40GB
>
> Is there a way that I can fix the virus?


Download this Avira Antivir Rescue System program which will burn a CD
image to a blank CD. It's updated a few times per day. Insert the CD
into the damaged machine and let it do a scan of your system. Before
starting the scan, select "Configuration" and set to repair or rename
the infected files. Sometimes your machine won't restart after such a
repair process, so you might want to save needed files to another system
before using this. If you can't, then you can move the hard drive to
another machine to copy needed files. You can do that before, or after
this scan.

http://www.free-av.com/en/tools/12/avira_antivir_rescue_system.html

Then run these:

Malwarebytes© Corporation
http://www.malwarebytes.org/mbam/program/mbam-setup.exe

SuperAntispyware
http://www.superantispyware.com/superantispywarefreevspro.html

AVG now has a Rescue CD that's free. They also have a free USB download
that should work on newer systems that can boot from a USB device. Get
them here:

http://www.avg.com/us-en/avg-rescue-cd

--
Joe =o)
 
PA Bear [MS MVP]
David H. Lipman wrote:
>> You've got a Trojan W32/Alureon-variant rootkit on your hands. Neither
>> NIS nor any other security application or scanner (including all
>> anti-rootkit apps) will be able to detect & remove this sucker.

>
> Not completely accurate Robear.


If the computer got infected on "Tuesday 27th April at 8:15pm," there's a
very good chance that the most-used anti-rootkit app won't be able to detect
it yet.
 
David H. Lipman
From: "PA Bear [MS MVP]" <PABearMVP@gmail.com>

| David H. Lipman wrote:
>>> You've got a Trojan W32/Alureon-variant rootkit on your hands. Neither
>>> NIS nor any other security application or scanner (including all
>>> anti-rootkit apps) will be able to detect & remove this sucker.


>> Not completely accurate Robear.


| If the computer got infected on "Tuesday 27th April at 8:15pm," there's a
| very good chance that the most-used anti-rootkit app won't be able to detect
| it yet.


That would depend on if it is greater than TDL3 v273.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
 
Twayne
In news:04BD71DA-4162-474A-8F7C-985B6D603404@microsoft.com,
Martin <Martin@discussions.microsoft.com> typed:
> I am using Norton Internet Security and it found a virus
> which is a System32 file. The file is cdrom.sys and Norton
> is telling me that it is a Backdoor.TidServ.I!ink. This
> virus started coming on my machine last night (Tuesday 27th
> April at 8:15pm)
>
> I went on Google to see if I can fix the file without
> removing it from the System32 folder, but I can't seem to
> find anything.
>
> I am using the following:
>
> OS: Windows XP Home SP3
> Processor: Intel P4 3.00GHz
> RAM: 2.00GB
> HDD: 40GB
>
> Is there a way that I can fix the virus?


When Norton saw it, the virus was either removed for you or, if it couldn't
be removed, you were given onscreen instructions about how to look for a
manual procedure to remove it. Did you follow those instructions? What else
have you tried? Did NIS detect it or not? What did NIS do about it?

Go to norton.com (now part of symantec.com but the address still works) and
look up the virus for removal instructions. They're too much to print here.

HTH,

Twayne`
 
David H. Lipman
From: "Twayne" <nobody@spamcop.net>

| In news:04BD71DA-4162-474A-8F7C-985B6D603404@microsoft.com,
| Martin <Martin@discussions.microsoft.com> typed:
>> I am using Norton Internet Security and it found a virus
>> which is a System32 file. The file is cdrom.sys and Norton
>> is telling me that it is a Backdoor.TidServ.I!ink. This
>> virus started coming on my machine last night (Tuesday 27th
>> April at 8:15pm)


>> I went on Google to see if I can fix the file without
>> removing it from the System32 folder, but I can't seem to
>> find anything.


>> I am using the following:


>> OS: Windows XP Home SP3
>> Processor: Intel P4 3.00GHz
>> RAM: 2.00GB
>> HDD: 40GB


>> Is there a way that I can fix the virus?


| When Norton saw it, the virus was either removed for you or, if it couldn't
| be removed, you were given onscreen instructions about how to look for a
| manual procedure to remove it. Did you follow those instructions? What else
| have you tried? Did NIS detect it or not? What did NIS do about it?

| Go to norton.com (now part of symantec.com but the address still works) and
| look up the virus for removal instructions. They're too much to print here.

| HTH,

| Twayne`



TidServ (aka TDSS/TDL3 and Alureon) is NOT a virus!

It is a RootKit trojan.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
 
Martin
Hi

Yes Norton did pick up the virus, but it tells me that it has to be manually
removed. If I remove the virus myself, as the file is cdrom.sys (C Drive,
Windows, System32, Drivers and cdrom.sys).

What will happen to my CD-ROMs if I do remove it? I am also running Windows
Defender and Microsoft Windows Malicious Software Removal Tool v3.6, but they
don't pick up the virus.

Is it safe to remove the virus or not?

"Twayne" wrote:

> In news:04BD71DA-4162-474A-8F7C-985B6D603404@microsoft.com,
> Martin <Martin@discussions.microsoft.com> typed:
> > I am using Norton Internet Security and it found a virus
> > which is a System32 file. The file is cdrom.sys and Norton
> > is telling me that it is a Backdoor.TidServ.I!ink. This
> > virus started coming on my machine last night (Tuesday 27th
> > April at 8:15pm)
> >
> > I went on Google to see if I can fix the file without
> > removing it from the System32 folder, but I can't seem to
> > find anything.
> >
> > I am using the following:
> >
> > OS: Windows XP Home SP3
> > Processor: Intel P4 3.00GHz
> > RAM: 2.00GB
> > HDD: 40GB
> >
> > Is there a way that I can fix the virus?

>
> When Norton saw it, the virus was either removed for you or, if it couldn't
> be removed, you were given onscreen instructions about how to look for a
> manual procedure to remove it. Did you follow those instructions? What else
> have you tried? Did NIS detect it or not? What did NIS do about it?
>
> Go to norton.com (now part of symantec.com but the address still works) and
> look up the virus for removal instructions. They're too much to print here.
>
> HTH,
>
> Twayne`
>
 
David H. Lipman
From: "Martin" <Martin@discussions.microsoft.com>

| Hi

| Yes Norton did pick up the virus, but it tells me that it has to be manually
| removed. If I remove the virus myself, as the file is cdrom.sys (C Drive,
| Windows, System32, Drivers and cdrom.sys).

| What will happen to my CD-ROMs if I do remove it? I am also running Windows
| Defender and Microsoft Windows Malicious Software Removal Tool v3.6, but they
| don't pick up the virus.

| Is it safe to remove the virus or not?

Do you read and NOT comprehend?

Did you run the Norman's TDSS Cleaner as I prescribed?

This was not and is NOT a "virus".

Tidserv (aka TDSS/TDL3 and Alureon) is a RootKit and is in the trojan sub-class of
malware.
http://www.symantec.com/security_response/writeup.jsp?docid=2008-091809-0911-99
"Discovered: September 18, 2008
Updated: September 18, 2008 4:01:39 PM
Also Known As: Backdoor:W32/TDSS [F-Secure], BKDR_TDSS [Trend], Win32/Alureon [Microsoft]
Type: Trojan"

Not all malware are viruses but all viruses are malware.

Here is the list of malware that MRT targets.

http://www.microsoft.com/security/malwareremove/families.aspx

Alureon is the name of the TDSS/TDL3 given by Microsoft (also shown in the cross-reference
in the Symantec writeup).

http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?name=Win32/Alureon

Why it doesn't catch it is unknown, but that's the case, and as for Windows Defender, it is
geared for the Adware/Spyware class of malware, which is also non-viral.

It could be Symantec falsely accuses it of being the TDSS.

The following is poor nomenclature..
(C Drive, Windows, System32, Drivers and cdrom.sys).

This is the correct nomenclature...
c:/windows\system32\drivers\cdrom.sys
or alternatively...
%windir%\system32\drivers\cdrom.sys

You won't be able to delete CDROM.SYS if it was trojanized by TDSS in Normal or Safe Mode
operation. But you can if the drive is on a surrogate PC or if you loaded the Recovery
Console.

Once it is deleted you will need it, and restoring it is not hard if you have the Windows
XP distribution disk or if the i386 folder from an XP distribution disk was ported to the
computer, such as c:/i386

The following commandline would restore the file...

expand c:/i386\cdrom.sy_ %windir%\system32\drivers\cdrom.sys


--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
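The same expand step can be used as an integrity check before deciding whether to replace the driver: the batch script below (an added example, not code from the thread) expands the pristine cdrom.sy_ from the i386 folder and compares it byte for byte with the installed cdrom.sys. The script name checkcdrom.cmd and the default paths are assumptions; since a driver trojanized by TDSS cannot be trusted from inside the infected installation, pass the suspect drive's paths when running it from a surrogate PC.

```batch
@echo off
rem Added example, not from the thread: compare the installed cdrom.sys
rem with the pristine copy expanded from the XP i386 source folder.
rem Usage: checkcdrom.cmd [windows-dir] [i386-dir]
rem   defaults (assumed): %windir% and c:\i386 on the local machine
rem   surrogate PC:       checkcdrom.cmd e:\windows e:\i386
setlocal
set "WINROOT=%~1"
if "%WINROOT%"=="" set "WINROOT=%windir%"
set "I386=%~2"
if "%I386%"=="" set "I386=c:\i386"
set "DRV=%WINROOT%\system32\drivers\cdrom.sys"
set "SRC=%I386%\cdrom.sy_"
set "PRISTINE=%TEMP%\cdrom.sys.pristine"

if not exist "%SRC%" (echo Source %SRC% not found & exit /b 2)
if not exist "%DRV%" (echo Installed driver %DRV% not found & exit /b 2)

rem expand decompresses the MakeCab-compressed .sy_ from the install media
expand "%SRC%" "%PRISTINE%" >nul || (echo expand failed & exit /b 2)

rem Byte-for-byte comparison: fc returns 1 when the files differ,
rem 2 when one of them could not be opened.
fc /b "%PRISTINE%" "%DRV%" >nul
if errorlevel 1 (
    echo cdrom.sys DIFFERS from the distribution copy or could not be read - treat it as suspect
    set RESULT=1
) else (
    echo cdrom.sys matches the distribution copy
    set RESULT=0
)
del "%PRISTINE%"
endlocal & exit /b %RESULT%
```

A mismatch is not proof of infection on its own: a driver updated by a service pack or hotfix also differs from an older i386 copy, so compare against media at the same service-pack level as the installation.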
 
PA Bear [MS MVP]
David H. Lipman wrote:
>> Yes Norton did pick up the virus, but it tells me that it has to be manually
>> removed. If I remove the virus myself, as the file is cdrom.sys (C Drive,
>> Windows, System32, Drivers and cdrom.sys).

>
>> What will happen to my CD-ROMs if I do remove it? I am also running
>> Windows
>> Defender and Microsoft Windows Malicious Software Removal Tool v3.6, but
>> they don't pick up the virus.

>
>> Is it safe to remove the virus or not?

>
> Do you read and NOT comprehend ?
>
> Did you run the Norman's TDSS Cleaner as I prescribed ?
>
> This was not and is NOT a "virus".
>
> Tidserv (aka; TDSS/TDL3 and Alureon) is a RootKit and is in the trojan
> sub-class of malware.
> http://www.symantec.com/security_response/writeup.jsp?docid=2008-091809-0911-99
> "Discovered: September 18, 2008
> Updated: September 18, 2008 4:01:39 PM
> Also Known As: Backdoor:W32/TDSS [F-Secure], BKDR_TDSS [Trend],
> Win32/Alureon [Microsoft] Type: Trojan"
>
> Not all malware are viruses but all viruses are malware.
>
> Here is the list of malware that MRT targets.
>
> http://www.microsoft.com/security/malwareremove/families.aspx
>
> Alureon is the name of the TDSS/TDL3 given by Microsoft (also shown in the
> cross-reference in the Symantec writeup).
>
> http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?name=Win32/Alureon

<snip>

Also see...

Microsoft Malware Protection Center: MSRT April Threat Reports & Alureon:
http://blogs.technet.com/mmpc/archive/2010/04/30/msrt-april-threat-reports-alureon.aspx
 
Twayne
In news:-ONL63KK6KHA.5848@TK2MSFTNGP06.phx.gbl,
David H. Lipman <DLipman~nospam~@Verizon.Net> typed:
> From: "Twayne" <nobody@spamcop.net>
>
>> In news:04BD71DA-4162-474A-8F7C-985B6D603404@microsoft.com,
>> Martin <Martin@discussions.microsoft.com> typed:
>>> I am using Norton Internet Security and it found a virus
>>> which is a System32 file. The file is cdrom.sys and Norton
>>> is telling me that it is a Backdoor.TidServ.I!ink. This
>>> virus started coming on my machine last night (Tuesday
>>> 27th April at 8:15pm)

>
>>> I went on Google to see if I can fix the file without
>>> removing it from the System32 folder, but I can't seem to
>>> find anything.

>
>>> I am using the following:

>
>>> OS: Windows XP Home SP3
>>> Processor: Intel P4 3.00GHz
>>> RAM: 2.00GB
>>> HDD: 40GB

>
>>> Is there a way that I can fix the virus?

>
>> When Norton saw it, the virus was either removed for you
>> or, if it couldn't be removed, you were given onscreen
>> instructions about how to look for a manual procedure to
>> remove it. Did you follow those instructions? What else
>> have you tried? Did NIS detect it or not? What did NIS do
>> about it?

>
>> Go to norton.com (now part of symantec.com but the address
>> still works) and look up the virus for removal
>> instructions. They're too much to print here.

>
>> HTH,

>
>> Twayne`

>
>
>
> TidServ (aka TDSS/TDL3 and Alureon) is NOT a virus!
>
> It is a RootKit trojan.


Ah, that's almost as good; there are online instructions for removing it
also.

HTH,

Twayne`
 
Twayne
In news:28A5524C-0756-402E-B4EB-0228FFBF6C41@microsoft.com,
Martin <Martin@discussions.microsoft.com> typed:
> Hi
>
> Yes Norton did pick up the virus, but it tells me that it
> has to be manually removed. If I remove the virus myself, as
> the file is cdrom.sys (C Drive, Windows, System32, Drivers
> and cdrom.sys).
>
> What will happen to my CD-ROMs if I do remove it? I am also
> running Windows Defender and Microsoft Windows Malicious
> Software Removal Tool v3.6, but they don't pick up the
> virus.
>
> Is it safe to remove the virus or not?


I don't know; it might require a file replacement. That's the reason for
going to Norton.com to get the manual removal instructions. Those will give
you all the info you need to get rid of it and repair whatever it breaks.
If Norton found a virus, chances are extremely good they have manual
removal instructions for it. I've seen a couple of references to root kits,
so if that's what Norton detected, prepare yourself for doing some work to
get rid of it.
Any chance you do backups? Can you just do a restore from a backup?

HTH,

Twayne`


> "Twayne" wrote:
>
>> In news:04BD71DA-4162-474A-8F7C-985B6D603404@microsoft.com,
>> Martin <Martin@discussions.microsoft.com> typed:
>>> I am using Norton Internet Security and it found a virus
>>> which is a System32 file. The file is cdrom.sys and Norton
>>> is telling me that it is a Backdoor.TidServ.I!ink. This
>>> virus started coming on my machine last night (Tuesday
>>> 27th April at 8:15pm)
>>>
>>> I went on Google to see if I can fix the file without
>>> removing it from the System32 folder, but I can't seem to
>>> find anything.
>>>
>>> I am using the following:
>>>
>>> OS: Windows XP Home SP3
>>> Processor: Intel P4 3.00GHz
>>> RAM: 2.00GB
>>> HDD: 40GB
>>>
>>> Is there a way that I can fix the virus?

>>
>> When Norton saw it, the virus was either removed for you
>> or, if it couldn't be removed, you were given onscreen
>> instructions about how to look for a manual procedure to
>> remove it. Did you follow those instructions? What else
>> have you tried? Did NIS detect it or not? What did NIS do
>> about it?
>>
>> Go to norton.com (now part of symantec.com but the address
>> still works) and look up the virus for removal
>> instructions. They're too much to print here.
>>
>> HTH,
>>
>> Twayne`
>>
 
Twayne
Regardless of what David said, go to Norton and get the manual removal
instructions. Because it's a rootkit doesn't mean that Norton couldn't see
it; it simply means the program does something somehow that Norton
recognized and tagged. Use a known experienced source like Norton - I do
know for a fact that Norton will find a lot of other malware besides only
viruses, but that's not important; what is important is that, if they can't
fix it, they always seem to have a manual removal process you can look up
for free.

HTH,

Twayne`


In news:%239oClkT6KHA.3880@TK2MSFTNGP04.phx.gbl,
David H. Lipman <DLipman~nospam~@Verizon.Net> typed:
> From: "Martin" <Martin@discussions.microsoft.com>
>
>> Hi

>
>> Yes Norton did pick up the virus, but it tells me that it
>> has to be manually removed. If I remove the virus myself, as
>> the file is cdrom.sys (C Drive, Windows, System32, Drivers
>> and cdrom.sys).

>
>> What will happen to my CD-ROMs if I do remove it? I am also
>> running Windows Defender and Microsoft Windows Malicious
>> Software Removal Tool v3.6, but they don't pick up the
>> virus.

>
>> Is it safe to remove the virus or not?

>
> Do you read and NOT comprehend?
>
> Did you run the Norman's TDSS Cleaner as I prescribed?
>
> This was not and is NOT a "virus".
>
> Tidserv (aka TDSS/TDL3 and Alureon) is a RootKit and is in
> the trojan sub-class of malware.
> http://www.symantec.com/security_response/writeup.jsp?docid=2008-091809-0911-99
> "Discovered: September 18, 2008
> Updated: September 18, 2008 4:01:39 PM
> Also Known As: Backdoor:W32/TDSS [F-Secure], BKDR_TDSS
> [Trend], Win32/Alureon [Microsoft] Type: Trojan"
>
> Not all malware are viruses but all viruses are malware.
>
> Here is the list of malware that MRT targets.
>
> http://www.microsoft.com/security/malwareremove/families.aspx
>
> Alureon is the name of the TDSS/TDL3 given by Microsoft
> (also shown in the cross-reference in the Symantec writeup).
>
> http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?name=Win32/Alureon
>
> Why it doesn't catch it is unknown, but that's the case, and
> as for Windows Defender, it is geared for the
> Adware/Spyware class of malware, which is also non-viral.
>
> It could be Symantec falsely accuses it of being the TDSS.
>
> The following is poor nomenclature..
> (C Drive, Windows, System32, Drivers and cdrom.sys).
>
> This is the correct nomenclature...
> c:/windows\system32\drivers\cdrom.sys
> or alternatively...
> %windir%\system32\drivers\cdrom.sys
>
> You won't be able to delete CDROM.SYS if it was trojanized by
> TDSS in Normal or Safe Mode operation. But you can if the
> drive is on a surrogate PC or if you loaded the Recovery
> Console.
>
> Once it is deleted you will need it, and restoring it is not
> hard if you have the Windows XP distribution disk or if the
> i386 folder from an XP distribution disk was ported to the
> computer, such as c:/i386
>
> The following commandline would restore the file...
>
> expand c:/i386\cdrom.sy_
> %windir%\system32\drivers\cdrom.sys
 