I'm investigating. Microsoft don't know what it is, you know that already I think. Malwarebytes wasn't detecting it, but they may have updated the detections to include it. While I keep looking, get Malwarebytes Free and run a Quick Scan and see what it brings up.
It's definitely suspicious, and is coming from serw.clicksor-dot-com; it seems to affect Firefox, probably as an unwanted add-on, so if you use FF check those for anything you don't recognise. I don't know yet about other browsers.
ESET is said to recognise this, I don't know if McAfee has a detection for it yet. GetSusp might find it and flag it, but won't remove it (that's intentional, btw).
Google Safe Browsing confirms that serw.clicksor-dot-com is helping to spread malware, although it seems there's none on the site itself.
urlquery shows an Intrusion Detection Alert implying that the IP address for the website is connected to the RBN (the Russian Business Network, aka the мафия - Mafia). The same applies, with a host of IDS warnings and alerts, to two websites that serw.clicksor.com will redirect you to if you're unfortunate enough to go there, or even to have a dynamic link to the site on another webpage (an iframe will silently connect to another site and run content from it on the page you're viewing. You don't even need to go to the site to get infected. That's the curse of iframes, which I think ought to be banned).
The major warnings relate to the Russian Business Network and a redirect to a Sutra TDS (Traffic Direction System). Basically, hijacking your PC and sending you places to get infected.
Edit - The scan results were a couple of weeks ago so I re-submitted the site and double-checked it in Sucuri. They've cleaned up the site but left it open to further infection by running an outdated version of WordPress. The redirects have now gone, but may come back (the RBN won't let go of clicksor that easily, it's a major online advertising site).
So, serw.clicksor is definitely suspect. That warning you got was almost certainly genuine.
(Edit, some time later : Oh no it wasn't. It's a fake. See below.)
Where did the warning come from - Google, IE's SmartFilter, McAfee, SiteAdvisor?
There are no reliable removal guides I can find (although there are some very unreliable ones). I think the reason is that no-one's properly analysed this yet to see what it does to a Pc, although I would hazard a guess that it modifies the registry, inserts itself into browsers, replaces Home Page and Default Search Engine settings, and hijacks search results. Several people mention a constant barrage of pop-ups.
After you've run Malwarebytes, and regardless of what it finds, I advise that you try a System Restore. Take your PC back a week or so to before this started, and see if the symptoms go away. Again, even if that works, you may need to run a few scans just to be sure everything's okay.
So as a start :
- System Restore
- Check with Microsoft and McAfee for updates (do a manual update for each)
- Make sure that if you have Java, Adobe Reader, or Flash that these are all updated
- Run a full McAfee scan
I'll keep looking for some more details about this.
If you want a full list of things to try, one of the Microsoft MVPs has provided as good a list as you're likely to find in one of the threads about this : see
Message was edited by: Hayton on 09/05/13 04:00:03 IST
Ha. No wonder I couldn't find anything about this supposed malware on any of the reputable sites, and no wonder the disreputable ones were stuffed with removal advice for it.
In short, this so-called malware infection is a hoax. A scam, a fraud, a fake. It doesn't exist. The glaring pop-up warning is a ruse designed to part you, the punter, from your hard-earned cash by putting the frighteners on you so that you call up some shady outfit - probably in India but doesn't have to be, could be in New Jersey or Moldova - who will remove a whole load of non-existent "infections" from your computer, for a price.
Did the warning you saw look anything like this? The screenshot is taken from a YouTube video about PC support scams.
The answer to your question then - how do I get rid of it (the supposed "serw.Clicksor.W32") is to ignore it. The infection alert was generated by some malicious code on a webpage somewhere that you went to. You aren't infected by this and never were.
My thanks to Jerome Segura at Malwarebytes for this information. He's written about support scams recently on the Malwarebytes blog - see