2.5K Posts
0
W32.Serflog.A (Symantec) W32/Crog.worm (McAfee)
This virus, which is claimed to be difficult to remove, has both a Symantec and a McAfee removal method posted on their respective sites. For those having difficulty getting to the Symantec site, search for W32.Serflog.A, which will list alternate sites for the removal tool. Panda also has an online scan for it. Some on this forum are advocating that further testing be performed before the tool should be used; I believe that if both Symantec and McAfee have removal methods, either can safely be used now.
zbestwun2001
8.8K Posts
0
March 15th, 2005 17:00
Now that's some good information.
Thanks we all can use that.
Steve
ky331
3 Apprentice
15.2K Posts
0
March 15th, 2005 18:00
W32.Serflog.A (also known as W32/Sumom-A) is being spread by MSN Messenger (and P2P networks).
Here are some symptoms/consequences... This worm:
1) blocks access to all the common anti-virus websites (including Symantec, McAfee, F-Secure, Sophos, Kaspersky, Computer Associates, Network Associates, AVG/Grisoft, Trend Micro, e-trust), so once you're infected by it, you can't run an online scan, nor download the fix
2) blocks System Restore, Task Manager, MSConfig, and RegEdit from running
3) DEactivates all the common A/V programs, so you can't run an offline virus scan
4) looks for certain keywords (e.g., "Clean") when you start running a program, in an attempt to block/disable anti-spyware programs from running
5) reconfigures Windows Explorer NOT to show hidden files
6) copies itself into several files, EACH OF WHICH can replace any of the others, if you only delete some of them.
7) It can access your contact list (address book) to spread itself to those people's accounts.
8) Upon boot-up, it may advise you that there are files waiting to be written to a CD-R
In short, it is a most insidious virus that does everything it can to prevent someone from removing it.
Fortunately, the presence of this worm is very easy to confirm via a HiJack Log:
There will be a long list (42 entries, if I haven't miscounted) of O1 browser redirection entries, from all the common anti-virus webpages, to the site 64.233.167.104; and
The O4 startup section will include at least one (if not all three) of the files:
SERBW.EXE
MSMBW.EXE
FORMATSYS.EXE
It is imperative that all 3 be removed together... because, as indicated above, removing only one (or two) of them will simply have the remaining one re-insert the virus.
As indicated in my comment earlier in this thread, there is no danger in running the Symantec removal tool even on a "clean" machine. That being the case, I guess everyone might as well download it now, while you still can, and then, "tuck it away" just in case. Again, just keep in mind that this tool works on just the one worm --- no more, no less.
Hope this detailed explanation is now fully satisfactory to all parties.
Message Edited by ky331 on 03-15-2005 02:51 PM
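Checking a HijackThis log for the two indicators ky331 lists above (O1 entries redirecting anti-virus sites to 64.233.167.104, and O4 startup entries for the three named files). This is an added example, not from the thread or from any vendor tool; the log lines are constructed, and the "O1 - Hosts:" / "O4 - ...Run: [name] command" line shapes are assumed from HijackThis's usual output.

```python
import re
from dataclasses import dataclass, field

# Indicators named in the post: O1 redirects of AV sites to this address, and these O4 files.
REDIRECT_IP = "64.233.167.104"
STARTUP_FILES = {"serbw.exe", "msmbw.exe", "formatsys.exe"}

# Assumed HijackThis line shapes: "O1 - Hosts: <ip> <hostname>", "O4 - <hive>\..\Run: [<name>] <cmd>"
O1_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)", re.I)
O4_RE = re.compile(r"^O4 - .*?Run: \[(.*?)\]\s+(.*)$", re.I)

@dataclass
class Findings:
    redirected_hosts: list = field(default_factory=list)
    startup_files: set = field(default_factory=set)

    @property
    def likely_serflog(self) -> bool:
        # Both indicator families present is the picture the post describes.
        return bool(self.redirected_hosts) and bool(self.startup_files)

    @property
    def unseen_startup_files(self) -> set:
        # All three must be removed together, so list the ones the log did not show.
        return STARTUP_FILES - self.startup_files

def scan_hijackthis_log(text: str) -> Findings:
    f = Findings()
    for line in text.splitlines():
        line = line.strip()
        m = O1_RE.match(line)
        if m and m.group(1) == REDIRECT_IP:
            f.redirected_hosts.append(m.group(2).lower())
            continue
        m = O4_RE.match(line)
        if not m:
            continue
        # Take the file name from the command path; ignore arguments and quoting.
        parts = m.group(2).strip().strip('"').split("\\")[-1].split()
        if parts and parts[0].lower() in STARTUP_FILES:
            f.startup_files.add(parts[0].lower())
    return f

# Constructed sample log (not a real capture): two redirects, two of the three files.
SAMPLE_LOG = """\
O1 - Hosts: 64.233.167.104 www.symantec.com
O1 - Hosts: 64.233.167.104 securityresponse.symantec.com
O4 - HKLM\\..\\Run: [Windows Update] C:\\WINDOWS\\system32\\wupdmgr.exe
O4 - HKLM\\..\\Run: [serbw] C:\\WINDOWS\\system32\\SERBW.EXE
O4 - HKCU\\..\\Run: [msmbw] C:\\WINDOWS\\MSMBW.EXE
"""
```

Running `scan_hijackthis_log(SAMPLE_LOG)` flags the machine and reports `formatsys.exe` as the startup file still to look for, matching the post's warning that all three must go together.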
msgale
2.5K Posts
0
March 15th, 2005 18:00
ky331
3 Apprentice
15.2K Posts
0
March 15th, 2005 18:00
Message Edited by ky331 on 03-15-2005 02:12 PM