
March 15th, 2005 17:00

W32.Serflog.A (Symantec) W32/Crog.worm (McAfee)

This virus, which is claimed to be difficult to remove, has both a Symantec and a McAfee removal method posted on their respective sites.  For those having difficulty getting to the Symantec site, search for W32.Serflog.A, which will list alternate sites for the removal tool.  Panda also has an online scan for it.  Some on this forum are advocating that further testing be performed before the tool should be used; I believe that if both Symantec and McAfee have removal methods, either can safely be used now.

8.8K Posts

March 15th, 2005 17:00

msgale,
Now that's some good information.

Thanks we all can use that.

Steve

3 Apprentice


15.2K Posts

March 15th, 2005 18:00

W32.Serflog.A (also known as W32/Sumom-A) is being spread by MSN Messenger (and P2P networks).

Here are some symptoms/consequences... This worm:
1) blocks access to all the common anti-virus websites (including Symantec, McAfee, F-Secure, Sophos, Kaspersky, Computer Associates, Network Associates, AVG/Grisoft, Trend Micro, e-trust), so once you're infected by it, you can't run an online scan, nor download the fix
2) blocks System Restore, Task Manager, MSConfig, and RegEdit from running
3) DEactivates all the common A/V programs, so you can't run an offline virus scan
4) looks for certain keywords (e.g., "Clean") when you start running a program, in an attempt to block/disable anti-spyware programs from running
5) reconfigures Windows Explorer NOT to show hidden files
6) copies itself into several files, EACH OF WHICH can replace any of the others, if you only delete some of them.

7) It can access your contact list (address book) to spread itself to those people's accounts.

8) Upon boot-up, it may advise you that there are files waiting to be written to a CD-R

In short, it is a most insidious virus that does everything it can to prevent someone from removing it.

Fortunately, the presence of this worm is very easy to confirm via a HiJack Log:

There will be a long list (42 entries, if I haven't miscounted) of O1 Browser redirection entries, from all the common Anti-Virus webpages, to the site 64.233.167.104; and

The O4 startup section will include at least one (if not all three) of the files:

SERBW.EXE

MSMBW.EXE

FORMATSYS.EXE

It is imperative that all 3 be removed together... because, as indicated above, removing only one (or two) of them will simply have the remaining one re-insert the virus.

As indicated in my comment earlier in this thread, there is no danger in running the Symantec removal tool even on a "clean" machine.  That being the case, I guess everyone might as well download it now, while you still can, and then, "tuck it away" just in case.   Again, just keep in mind that this tool works on just the one worm --- no more, no less.

Hope this detailed explanation is now fully satisfactory to all parties.


Message Edited by ky331 on 03-15-2005 02:51 PM
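The two HiJack-log indicators described above (O1 entries redirecting anti-virus sites to 64.233.167.104, and O4 startup entries for the three files) can be checked mechanically rather than by eye. The script below is an added example written for this thread; it is not code from the original posts, from Symantec, or from McAfee. It assumes an approximation of the HijackThis "O1 - Hosts:" and "O4 - ...: [name] path" line layout, and the log lines it scans are constructed samples, not a real capture.

```python
import re

# Constructed sample of HijackThis-style log lines (not from the original thread).
# Layout assumed: "O1 - Hosts: <ip> <hostname>" and "O4 - <key>: [<name>] <path>".
SAMPLE_LOG = """\
O1 - Hosts: 64.233.167.104 www.symantec.com
O1 - Hosts: 64.233.167.104 securityresponse.symantec.com
O1 - Hosts: 64.233.167.104 www.mcafee.com
O1 - Hosts: 127.0.0.1 localhost
O4 - HKLM\\..\\Run: [serbw] C:\\WINDOWS\\serbw.exe
O4 - HKLM\\..\\Run: [Microsoft Update] C:\\WINDOWS\\System32\\formatsys.exe
O4 - HKCU\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe
"""

# Indicators taken from the thread: the redirect address and the three startup files.
REDIRECT_TARGET = "64.233.167.104"
WORM_FILES = {"serbw.exe", "msmbw.exe", "formatsys.exe"}

O1_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)", re.IGNORECASE)
O4_RE = re.compile(r"^O4 - .*?:\s+\[[^\]]*\]\s+(.+?)\s*$", re.IGNORECASE)


def scan_hijackthis_log(text):
    """Scan HijackThis-style text for the two indicators and return a summary dict.

    redirected_hosts: hostnames whose O1 entry points at REDIRECT_TARGET
    startup_hits:     worm filenames found in O4 startup entries
    missing_from_startup: worm files NOT seen, which still need removing together
    likely_infected:  True when any worm startup entry is present
    """
    redirected = []
    startup_hits = []
    for raw in text.splitlines():
        line = raw.strip()
        m = O1_RE.match(line)
        if m:
            ip, host = m.group(1), m.group(2)
            if ip == REDIRECT_TARGET:
                redirected.append(host)
            continue
        m = O4_RE.match(line)
        if m:
            # Take the basename of the launched path, tolerating either slash style.
            path = m.group(1)
            fname = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
            if fname in WORM_FILES:
                startup_hits.append(fname)
    return {
        "redirected_hosts": redirected,
        "startup_hits": startup_hits,
        "missing_from_startup": sorted(WORM_FILES - set(startup_hits)),
        "likely_infected": bool(startup_hits),
    }


if __name__ == "__main__":
    result = scan_hijackthis_log(SAMPLE_LOG)
    for key, value in result.items():
        print(f"{key}: {value}")
```

The `missing_from_startup` field matters because, as the post stresses, the three copies restore one another: a log showing only one or two of them does not mean the others are absent from disk, so all three must be dealt with together, and the redirected-host list tells you which vendor sites will be unreachable from the infected machine until the hosts entries are gone.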

2.5K Posts

March 15th, 2005 18:00

Actually, the McAfee tool is an updated signature file which, it is claimed, detects and removes the problem.  Obviously only for McAfee users.  I also assume that Symantec and other AV companies will have updated, or have already updated, their signature files to close the doors to this problem.

3 Apprentice


15.2K Posts

March 15th, 2005 18:00

"This virus which is claimed to be difficult to remove"...
It is, in fact, a highly resilient worm which IS difficult to remove without the proper tool(s).  One forum member suffered through a laborious 4-page thread, and numerous attempts to analyze/fix a HiJack Log, before ultimately applying the tool to fully rid himself/herself of the virus.

"Panda also has an online scan for it."
The problem, however, is that, once you've been infected by it, this worm will restrict you from accessing Panda's site (as well as Symantec's, McAfee's, AVG's, and most of the other common anti-virus websites)!  So by then, it's already too late.

The Symantec Tool is completely safe, in that you can run it on a clean (i.e., UNinfected) machine without causing any problems. (I do not have any knowledge of the McAfee Tool).
The Symantec Tool, named FixSflog.exe, can also be downloaded from http://majorgeeks.com/download4523.html
Note:  If, for any reason, you cannot perform/complete the download from this site, then you'll have to go to another "clean" PC (a friend's, at work, etc.), download it there, copy it to a floppy (it's a very small file), and then bring it back to your infected PC.
This tool must be run TWICE, rebooting your system between the runs.

It must be noted that the tool being discussed is only effective against this one particular worm... it does NOT "cure" any other worm/virus/spyware problem.

(I'll post more details in a short while....)

Message Edited by ky331 on 03-15-2005 02:12 PM
