4617 Views 3 Replies Latest reply: May 12, 2013 12:14 AM by Hayton
luxor2 Newcomer 8 posts since
Oct 15, 2010

May 8, 2013 7:26 PM

What is malware Serw.Clicksor.w32 and how to remove

I received a pop-up saying my computer was infected with this virus called Serw.Clicksor.w32 and it stated the virus could take over my computer.

How do I get rid of it?

  • Hayton Volunteer Moderator 4,590 posts since
    Sep 27, 2010
    1. May 8, 2013 8:32 PM (in response to luxor2)
    Re: What is malware Serw.Clicksor.w32 and how to remove

    I'm investigating. Microsoft don't know what it is, you know that already I think. Malwarebytes wasn't detecting it, but they may have updated the detections to include it. While I keep looking, get Malwarebytes Free and run a Quick Scan and see what it brings up.

     

    It's definitely suspicious, and is coming from serw.clicksor-dot-com; it seems to affect Firefox, probably as an unwanted add-on, so if you use FF check those for anything you don't recognise. I don't know yet about other browsers.

     

    ESET is said to recognise this, I don't know if McAfee has a detection for it yet. GetSusp might find it and flag it, but won't remove it (that's intentional, btw).


    Volunteer Moderator  Leeds, UK
    No PM's please
  • Hayton Volunteer Moderator 4,590 posts since
    Sep 27, 2010
    2. May 23, 2013 6:22 AM (in response to luxor2)
    Re: What is malware Serw.Clicksor.w32 and how to remove

    Google Safe Browsing confirms that serw.clicksor-dot-com is helping to spread malware, although it seems there's none on the site itself.

     

    urlquery shows an Intrusion Detection Alert implying that the IP address for the website is connected to the RBN (the Russian Business Network, aka the мафия - Mafia). The same applies, with a host of IDS warnings and alerts, to two websites that serw.clicksor.com will redirect you to if you're unfortunate enough to go there, or even to have a dynamic link to the site on another webpage (an iframe will silently connect to another site and run content from it on the page you're viewing. You don't even need to go to the site to get infected. That's the curse of iframes, which I think ought to be banned).

     

    The major warnings relate to the Russian Business Network and a redirect to a Sutra TDS (Traffic Direction System). Basically, hijacking your PC and sending you places to get infected.

     

    Edit - The scan results were a couple of weeks ago so I re-submitted the site and double-checked it in Sucuri. They've cleaned up the site but left it open to further infection by running an outdated version of WordPress. The redirects have now gone, but may come back (the RBN won't let go of clicksor that easily, it's a major online advertising site).

     

    So, serw.clicksor is definitely suspect. That warning you got was almost certainly genuine.

    (Edit, some time later : Oh no it wasn't. It's a fake. See below.)

    Where did the warning come from - Google, IE's SmartFilter, McAfee, SiteAdvisor?

     

    There are no reliable removal guides I can find (although there are some very unreliable ones). I think the reason is that no-one's properly analysed this yet to see what it does to a PC, although I would hazard a guess that it modifies the registry, inserts itself into browsers, replaces Home Page and Default Search Engine settings, and hijacks search results. Several people mention a constant barrage of pop-ups.

     

    After you've run Malwarebytes, and regardless of what it finds, I advise that you try a System Restore. Take your PC back a week or so to before this started, and see if the symptoms go away. Again, even if that works, you may need to run a few scans just to be sure everything's okay.

     

    So as a start :

    - Malwarebytes

    - System Restore

    - Check with Microsoft and McAfee for updates (do a manual update for each)

    - Make sure that if you have Java, Adobe Reader, or Flash that these are all updated

    - Run a full McAfee scan

     

    I'll keep looking for some more details about this.

     

    If you want a full list of things to try, one of the Microsoft MVPs has provided as good a list as you're likely to find in one of the threads about this : see

    http://answers.microsoft.com/en-us/windows/forum/windows_other-security/i-have-a-clicksorcom-virus-and-defender-hasnt/c262dfae-3924-4411-987a-3388616be5d3?msgId=bf45373e-9fa1-4e6b-8026-0e19333a713b

     

    Message was edited by: Hayton on 09/05/13 04:00:03 IST

     

    Message was edited by: Hayton on 23/05/13 12:22:03 IST

    Volunteer Moderator  Leeds, UK
    No PM's please
  • Hayton Volunteer Moderator 4,590 posts since
    Sep 27, 2010
    3. May 12, 2013 12:15 AM (in response to luxor2)
    Re: What is malware Serw.Clicksor.w32 and how to remove

    Ha. No wonder I couldn't find anything about this supposed malware on any of the reputable sites, and no wonder the disreputable ones were stuffed with removal advice for it.

     

    In short, this so-called malware infection is a hoax. A scam, a fraud, a fake. It doesn't exist. The glaring pop-up warning is a ruse designed to part you, the punter, from your hard-earned cash by putting the frighteners on you so that you call up some shady outfit - probably in India but doesn't have to be, could be in New Jersey or Moldova - who will remove a whole load of non-existent "infections" from your computer, for a price.

     

    Did the warning you saw look anything like this?  The screenshot is taken from a YouTube video about PC support scams.

     

    [Screenshot: Clicksor scam.JPG]

     

    The answer to your question then - how do I get rid of it (the supposed "serw.Clicksor.W32") is to ignore it. The infection alert was generated by some malicious code on a webpage somewhere that you went to. You aren't infected by this and never were.

     

    My thanks to Jerome Segura at Malwarebytes for this information. He's written about support scams recently on the Malwarebytes blog - see

    http://blog.malwarebytes.org/intelligence/2013/04/phone-scammers-call-the-wrong-guy-get-mad-and-trash-pc/

    http://blog.malwarebytes.org/intelligence/2013/05/online-pc-support-scams-turning-the-tables/

     

    Message was edited by: Hayton on 12/05/13 06:15:58 IST

    Volunteer Moderator  Leeds, UK
    No PM's please
