Shoutbox

Hi all. Have done some extensive searching, but I have come up with nothing, and hoping that someone here can help me out.

My brother was on my computer last night, and he received a file from a friend of his. A .pif file. Anyway, being the clueless ass that he is, he opened it, and now I have problems. Here is what has happened:

Upon executing the file, he was thrown to a webpage, with a cartoon picture of Bill Gates and a hit counter, shortly after which, the file was sent to all online contacts (although I pulled the network cable out before anyone accepted I hope). So, after searching, I figure it could very well be the Bropia Worm. But if it is, it is like none of the variants that I can find information on. The symptoms that I have discovered so far are:

- Cannot access folder options from the tools option on the menu bar
- Cannot see the system restore tab on the properties of My Computer
- The task manager, regedit and cmd all close within seconds of opening
- The Symantec removal tool for certain Bropia variations is closed soon after opening
- The virus closed and will not let me re-open my anti-virus (AVG)
- I was browsing an image folder, and it closed the browser when I moved onto a file called task.jpg, which I could view once renamed
- Winamp will close whenever I click anywhere on it

So, using a separate registry viewer, I managed to see the different files with .pif extensions which it has put on my computer, which are: Bungee-F**k.pif, Death of crazy frog!.pif, Hot Babe!.pif, lol Busted Are Gay.pif, Me at the Beach!.pif, My Piccy.pif, Paris Hilton Sex Tape.pif, Really Cute.pif and Saddam Song.pif.

Any help much appreciated.

Aruz

its the bropia worm...

http://securityresponse.symantec.com/avcenter/ven....removal.tool.html

. that will remove it for you .

Nope. That is the Symantec tool which I mentioned in the original post. Once I open it, it trys to close straight away. To overcome this, i hit enter as soon as I opened the application. This then forced a quit confirmation message to be displayed before the program can exit. I keep my finger on the 'n' key for about 8 or 10 minutes, until the message simply stops appearing. The scan continues as normal, but once it has done, I am told that it couldn't detect the Bropia worm.

It could also be the W32/Crog.worm.
If the bropia worm removal tool doesn't remove it try this one, sounds like it to me:
http://securityresponse.symantec.com/avcenter/FixSflog.exe
I think it closes you browser when you go to anything related to antivirus' etc. so if the link above doesn't work, try this mirror:
http://www.virushelp.nl/download/fixsflog.exe

See this thread for more information

if you cannot download, then I will host it for you.

Thats it! Or, Serflog as Symantec call it. After looking around, mine looks to be Serflog.C, which is top of their latest virus threats. It has all of the same file names and the symptoms. Well at least I have identified it. Thanks for the help all, and the offer traxor, but I am in a fortunate position where I have acess to many computers, so if one goes down, I can get the web through someone else's machine.

Currently have the fix that was posted  scanning my computer as I type, but I doubt it will fix it, at least completely. Will have to wait for a fix for the C variant that I apparently have.

Once again, thanks all very much for your help. Very much appreciated!

Note that in order to execute a decent virusscan or virusremoval you need to start your computer in safe mode at the least! This is explained on the Symantec website and the download page of the tool.

Also to remove a virus with a special tool you need to read the instructions first, and very carefully, and do exactly what is told (often only simply downloading and running the tool is not enough and will have no effect!) This is again also explained on the Symantec website and the download page of the tool.*

Even better would be if you could start up with another Windows installation, which has access to the infected drive. If this is possible, do it that way. And after removing the infected files, start up in the original Windows installation and rerun every virusscan and virusremover to remove the left overs.

The reason why the tool doesn't work is most likely because it is blocked by the virus itself or something. Hence the _need_ to start up in at least safe mode or in another Windows installation and to read and follow the instructions on the download page of the tool.

* PS: @ProblemWvAuthority: this is also the reason why I strongly suggest not to post direct links to removal tools, but rather to the download page itself.

quote:

---

Originally posted by CookieRevised
this is also the reason why I strongly suggest not to post direct links to removal tools, but rather to the download page itself

---

Kk fnx il do dat nxt time. Forgot 2 say bout safe mode lol. normly do (to so many ppl on me contact list now)

Okay. I had exactly the same virus yesterday. The steps I used to clean it were as follows on an XP running laptop:-

1. Open up the host file (C:\Windows\system32\drivers\etc\hosts) and remove the entries that redirect you to 212.58.240.33.  Save the file and you should be able to access the online virus checkers (as your one wont be working if you have one!).

Below are the entries that you should remove from the file.  Open and close the hosts file using notepad if you didnt know already.

212.58.240.33 www.symantec.com
212.58.240.33 www.sophos.com
212.58.240.33 www.mcafee.com
212.58.240.33 www.viruslist.com
212.58.240.33 www.f-secure.com
212.58.240.33 www.avp.com
212.58.240.33 www.kaspersky.com
212.58.240.33 www.networkassociates.com
212.58.240.33 www.ca.com
212.58.240.33 www.my-etrust.com
212.58.240.33 www.nai.com
212.58.240.33 www.trendmicro.com
212.58.240.33 www.grisoft.com
212.58.240.33 securityresponse.symantec.com
212.58.240.33 symantec.com
212.58.240.33 sophos.com
212.58.240.33 mcafee.com
212.58.240.33 liveupdate.symantecliveupdate.com
212.58.240.33 viruslist.com
212.58.240.33 f-secure.com
212.58.240.33 kaspersky.com
212.58.240.33 kaspersky-labs.com
212.58.240.33 avp.com
212.58.240.33 networkassociates.com
212.58.240.33 ca.com
212.58.240.33 mast.mcafee.com
212.58.240.33 my-etrust.com
212.58.240.33 download.mcafee.com
212.58.240.33 dispatch.mcafee.com
212.58.240.33 secure.nai.com
212.58.240.33 nai.com
212.58.240.33 update.symantec.com
212.58.240.33 updates.symantec.com
212.58.240.33 us.mcafee.com
212.58.240.33 liveupdate.symantec.com
212.58.240.33 customer.symantec.com
212.58.240.33 rads.mcafee.com
212.58.240.33 trendmicro.com
212.58.240.33 grisoft.com
212.58.240.33 sandbox.norman.no
212.58.240.33 www.pandasoftware.com
212.58.240.33 uk.trendmicro-europe.com

2. Next step was to get someone to send me an antivirus software from www.pandasoftware.com to remove the virus. I had no other alternative as symantec/trend micro and mac afee would not start up on my machine for some reason due to the virus closing windows abruptly.

I got someone to generously send me the free software at:-

http://www.pandasoftware.com/register.asp?CodigoP...ountry=US&sec=down

You will have to register first please note.  Once installed it cleaned the virus of my machine.

3. I then ran AD-Aware SE, then rebooted.

All okay.

http://sarc.com/avcenter/venc/data/w32.serflog.c.html also has more techinical info as thats the virus, you should also remove the registry settings manually which are found on here.  I found, in general, that following the symantec instructions to be informative, though not technically correct as it didnt fully work for me - hence the playing around was needed.

[i accept no liability, this is just what i did to correct the issue on my laptop and am just documenting it].