  ProwlerOnline, Plymouth/Chrysler Prowler Discussion Forum
  General Prowler Discussion
  W32.Sircam Virus

dpena (POA Site Supporter, Administrating Kat; From: San Jose, CA, Santa Clara; Registered: Jul 2000)
posted 07-24-2001 01:53 AM
Okay folks,

I ran the FixSirc.com virus program posted here earlier, but the program told me this:

**************************************
Attention:

The FixSircam could not delete 9 W32.Sircam.Worm@mm files from your PC.
Please restart the computer in Safe Mode and run the removal tool again.

If the problem persists, then contact Technical Support.
**************************************


I went ahead and did the following so that the FixSircam program would delete the 9 infected files.

Windows ME Info:
NOTE: Windows ME utilizes a backup utility that backs up selected files automatically to the C:\_Restore folder. This means that an infected file could be stored there as a backup file, and VirusScan will be unable to delete these files. These instructions explain how to remove the infected files from the C:\_Restore folder.
Disabling the Restore Utility
1. Right click the My Computer icon on the Desktop.
2. Click on the Performance Tab.
3. Click on the File System button.
4. Click on the Troubleshooting Tab.
5. Put a check mark next to "Disable System Restore".
6. Click the Apply button.
7. Click the Close button.
8. Click the Close button again.
9. You will be prompted to restart the computer. Click Yes.
NOTE: The Restore Utility will now be disabled.
10. Restart the computer in Safe Mode.
11. Run a scan with VirusScan to delete all infected files, or browse the files located in the C:\_Restore folder and remove the files.
12. After removing the desired files, restart the computer normally.
NOTE: To re-enable the Restore Utility, follow steps 1-9 and on step 5 remove the check mark next to "Disable System Restore". The infected files are removed and the System Restore is once again active.
Registry Entries:
The W32/SirCam@MM virus makes changes to the registry.
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Driver32 = C:\WINDOWS\SYSTEM\SCam32.exe
HKLM\Software\Sircam
In Infected state: HKCR\exefile\shell\open\command\(Default) = "C:\recycled\SirC32.exe" "%1" %*
In Clean state this should be: HKCR\exefile\shell\open\command\(Default) = "%1" %*


After all this, I am disinfected.

That is one nasty virus...

------------------
Watch Me In Action
Watch Me Burn Rubber With My 331 RWHP Prowler


www.prowlerexcitement.com
links.prowlerexcitement.com

dpena (POA Site Supporter, Administrating Kat; From: San Jose, CA, Santa Clara; Registered: Jul 2000)
posted 07-24-2001 02:08 AM
Just in case the link goes away, I posted this info here for others later...

It came from here http://www.mcafee.com/anti-virus/viruses/sircam/default.asp?cid=2360


W32/SirCam@MM Help Center

DESCRIPTION - What virus is this?

This is a HIGH RISK virus that is spread to email recipients found in the Windows Address Book and addresses found in cached files. The infected email can come from addresses that you recognize. Attached is a file with two different extensions. The file name itself varies.
The email message can appear as follows:
Subject: [filename (random)]
Body: Hi! How are you?
I send you this file in order to have your advice
or I hope you can help me with this file that I send
or I hope you like the file that I sendo you
or This is the file with the information that you ask for
See you later. Thanks
--- the same message may be received in Spanish ---

Hola como estas ?
Te mando este archivo para que me des tu punto de vista
or Espero me puedas ayudar con el archivo que te mando
or Espero te guste este archivo que te mando
or Este es el archivo con la información que me pediste
Nos vemos pronto, gracias.


PAYLOAD - What can this virus do?

When run, the document will be saved to the C:\RECYCLED folder and then opened while the virus copies itself to C:\RECYCLED\SirC32.exe folder to conceal its presence and creates a registry key value to load itself whenever .EXE files are executed.
The virus searches for .GIF, .JPG, .JPEG, .MPEG, .MOV, .MPG, .PDF, .PNG, .PS, and .ZIP files in the MY DOCUMENTS folder and attempts to send copies of these documents to email recipients found in the Windows Address Book and addresses found in cached files.


Scan Your System for Infected Files
McAfee.com VirusScan Online and Clinic users, click here to perform a Scan.
If W32/SirCam@MM is found, use the delete option to remove it.

Rename the Windows Registry Editor
Click on the Start button.

Highlight Run.

Type in COMMAND and hit the OK button. A window will then appear with a black background. The last line of text in the window will look something like C:\Windows> (followed by a blinking cursor).

Type in the following at the prompt:
COPY REGEDIT.EXE REGEDIT.BAT
EXIT
The window will then disappear.
Boot into Safe Mode
Shut the computer down so the power is off.

Wait 20 seconds or so.

Turn the computer on and immediately begin pressing the F8 key on the keyboard, once every second repeatedly. Do this until the Windows Startup Menu appears. If you get a keyboard error, press F1 to resume and then continue pressing the F8 key once every second.

Select Safe Mode from the Windows Startup Menu, then press the Enter key on the keyboard.

Windows will then boot into Safe Mode.
NOTE: This may take longer than a normal boot.

At the end of the boot process a dialog box will appear informing you that Windows is in Safe Mode. Click OK on this dialog box.

Windows is now in Safe Mode.
Backup the Registry
Click on the Start button.

Click on Run.

Type REGEDIT.BAT in the Open field.

Click the OK button. The Registry Editor window will appear.

Click on the Registry pull-down menu.

Click on Export Registry File.

In the File Name field type "backup" (without the quotation marks).

In the Save In field be sure that the desktop is selected (if it is not, click on the pull down menu and select "Desktop").

Select "All" in the Export Range group box.

Click on the Save button. The registry will then be saved.

Click the X in the top right corner to close the Registry Editor.

NOTE: You now have a backup of your Registry saved as "backup" on your desktop. If you need to restore the Registry you can double-click on the "backup" file located on the desktop. Once these instructions are complete and everything is running properly be sure to delete this backup file by right-clicking on it then left-clicking on Delete from the pop-up menu that appears. This will ensure that the old registry is not accidentally restored once the Trojan has been removed.

Remove the Worm Entries from the Registry
As you go through this process, you will be asked to confirm each change. Make sure that the change is correct, then confirm each change.
Click the Start button.
Click on Run.
Type in REGEDIT.BAT in the Open field.
Click the OK button. The Registry Editor window will appear.
Click on the plus sign next to HKEY_CLASSES_ROOT.
Click on the plus sign next to exefile.
Click on the plus sign next to shell.
Click on the plus sign next to open.
Single-click on command so it is highlighted.
On the right side of the screen is a Name column and a Data column. Locate and right-click on (Default) under the Name column.
A pop-up menu will appear. Left-click on Modify.
The Edit String dialog box will appear with the value highlighted. Delete all text in the Value and type the following characters (WITHOUT THE BRACKETS): ["%1" %*] If you are unsure of how the characters should be, the following is a spelled out version of the correct characters: quote, percentage, one, quote, space, percentage, asterisk.
Click the OK button to close the Edit String dialog box.
On the left side of the screen click on the minus sign next to open.
Click on the minus sign next to shell.
Click on the minus sign next to exefile.
click on the minus sign next to HKEY_CLASSES_ROOT.
Click on the plus sign next to HKEY_LOCAL_MACHINE.
Click on the plus sign next to SOFTWARE.
Single click on the SIRCAM folder so it is highlighted, then hit delete.
Click the plus sign next to Microsoft.
Click the plus sign next to Windows.
Click the plus sign next to CurrentVersion.
Single click on the RunServices Folder so it is highlighted.
On the right side of the screen is a Name column and a Data column. Under the Name column locate and single-click on Driver32 = C:\WINDOWS\SYSTEM\SCam32.exe so it is highlighted.
Press the Delete key on the keyboard to remove the entry.
Close the Registry Editor by clicking the X in the top right corner.
Remove reference in Autoexec.bat file:
Click Start, and click Run.
Type the following, and then click OK.
edit c:\autoexec.bat
The MS-DOS Editor opens.
Remove the line "@win \recycled\sirc32.exe" if it is present.
Click File and then click Save.
Exit the MS-DOS Editor.
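The registry and autoexec.bat clean-up described in the two posts above (dpena's "Registry Entries" list and the McAfee step-by-step), as an added example that is not code from the thread or from McAfee: a Python script that reads a registry export of the kind the "Backup the Registry" step writes (REGEDIT4 text), reports the three indicators the posts name (the hijacked exefile\shell\open\command handler, the RunServices Driver32 loader, and the HKLM\Software\SirCam key), and renders the undo both as a cleaned copy of the parsed data and as a .reg file for regedit, plus the autoexec.bat line removal. The key paths and value names are the ones quoted in the posts; the sample export and autoexec.bat lines are constructed. It works on the exported text rather than the live registry, so it runs on any machine; on the infected box you would still merge the generated .reg file with regedit from Safe Mode, as the post describes.

```python
"""Check an exported registry (REGEDIT4 text, what regedit's "Export Registry
File" writes on Win9x/ME) for the three W32/SirCam@MM entries quoted in the
thread and build the undo. Added example, not code from the thread or from
McAfee; the sample export and autoexec.bat lines below are constructed."""
import re

# Key paths and value names as quoted in the posts.
EXEFILE_CMD = r"HKEY_CLASSES_ROOT\exefile\shell\open\command"
RUNSERVICES = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices"
SIRCAM_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\SirCam"
CLEAN_EXEFILE_CMD = '"%1" %*'          # correct (Default) for exefile\shell\open\command
WORM_FILES = ("scam32.exe", "sirc32.exe")

# Constructed sample: what the export of an infected machine would contain.
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\recycled\\SirC32.exe\" \"%1\" %*"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Driver32"="C:\\WINDOWS\\SYSTEM\\SCam32.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\SirCam]
'''
SAMPLE_AUTOEXEC = ["@ECHO OFF", r"@win \recycled\sirc32.exe",
                   r"SET PATH=C:\WINDOWS;C:\WINDOWS\COMMAND"]

_VALUE_RE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$')

def parse_reg_export(text):
    """Parse REGEDIT4 text into {key_path: {value_name: data}}; "@" is (Default).
    Only string values are decoded (backslash escapes removed), which is all we need."""
    reg, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("REGEDIT"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            reg.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name = "@" if m.group(1) == "@" else m.group(2)
            data = m.group(3)
            if data.startswith('"') and data.endswith('"'):
                data = re.sub(r'\\(.)', r'\1', data[1:-1])
            reg[current][name] = data
    return reg

def _key(reg, path):
    """Registry paths are case-insensitive; return the stored spelling or None."""
    return next((k for k in reg if k.lower() == path.lower()), None)

def find_sircam_indicators(reg):
    """Return (key, value_name, data) for each indicator present: hijacked .exe
    handler, a RunServices loader pointing at a worm file, and the worm's own
    HKLM\\Software\\SirCam key (value_name None means the whole key)."""
    found = []
    k = _key(reg, EXEFILE_CMD)
    if k is not None and reg[k].get("@", "").strip() != CLEAN_EXEFILE_CMD:
        found.append((k, "(Default)", reg[k].get("@", "")))
    k = _key(reg, RUNSERVICES)
    for name, data in (reg[k].items() if k else []):
        if any(w in data.lower() for w in WORM_FILES):
            found.append((k, name, data))
    k = _key(reg, SIRCAM_KEY)
    if k is not None:
        found.append((k, None, None))
    return found

def apply_repair(reg, findings):
    """Return a copy of the parsed registry with every finding undone (the manual
    steps from the post: reset the handler, delete the value, delete the key)."""
    fixed = {k: dict(v) for k, v in reg.items()}
    for key, name, _ in findings:
        if name is None:
            fixed.pop(key, None)
        elif name == "(Default)":
            fixed[key]["@"] = CLEAN_EXEFILE_CMD
        else:
            fixed[key].pop(name, None)
    return fixed

def repair_reg_text(findings):
    """Render the same undo as a .reg file for regedit: '[-key]' deletes a key,
    '"name"=-' deletes a value, '@=...' rewrites (Default)."""
    out = ["REGEDIT4", ""]
    for key, name, _ in findings:
        if name is None:
            out += [f"[-{key}]", ""]
        elif name == "(Default)":
            out += [f"[{key}]", '@="\\"%1\\" %*"', ""]
        else:
            out += [f"[{key}]", f'"{name}"=-', ""]
    return "\n".join(out)

def clean_autoexec(lines):
    """Drop the worm's '@win \\recycled\\sirc32.exe' loader line, keep the rest."""
    return [l for l in lines if not any(w in l.lower() for w in WORM_FILES)]

if __name__ == "__main__":
    reg = parse_reg_export(SAMPLE_EXPORT)
    hits = find_sircam_indicators(reg)
    for key, name, data in hits:
        print(f"INFECTED  {key}  {name or '(whole key)'}  {data or ''}")
    print(repair_reg_text(hits))
    print("\n".join(clean_autoexec(SAMPLE_AUTOEXEC)))
```

The exefile check flags any (Default) other than `"%1" %*`, which is deliberate: once that value points at anything else, every .exe launch goes through it, and CJ's "C:\SirC32.exe could not be found" symptom further down the thread is exactly what happens when the file it points at is deleted before the value is reset.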

cwatsonjr (unregistered)
posted 07-24-2001 09:26 AM
One of the reasons you have to boot into safe mode to complete the clean is because the virus infects some of the registry that runs some devices. When the computer is in safe mode, the devices are not loaded, so that part of the registry is not used.

I had a co-worker that got infected and I had to help him get his computer cleaned last night at work - fun stuff :0

------------------
Cliff Watson

CJ (POA Lifetime Site Supporter, Prowler Junkie; From: Rochester Hills, MI USA; Registered: Jul 2000)
posted 07-30-2001 08:27 PM
Bitten by the virus!!! Ouch!

After running a scan with our virus software, it found 3 infected files. When we tried to "clean" the file, it wouldn't. Hubby deleted one of the files.

When I restarted the computer, it came up with a window stating that the file "C:\SirC32.exe" could not be found and the file was necessary to run any "application". I could not access internet, email, program, Windows Explorer, NOTHING. Tried to access my Windows 98 disc to find file and copy and couldn't do that either.

Got help today from an expert and we reloaded the Windows 98 through Boot Disk. Everything is working fine again and the virus seems to be gone (fingers crossed)!

He said that the "window" was "lying". That is a virus file, not a file in W98. It was the virus blocking me from accessing anything and making me look for a file that does not exist!!

Hope this solves the problem!

------------------
CJ - The One and Only - 1999 Black
Mopar Exhaust System
Splash Guards
Matching Prowler Trailer
PProwler Vanity Plate

Classic/Beautiful - I'm referring to the Cat!

Mike Krehel (POA Site Supporter, The World's Quickest Prowler (11.65 sec) and Administrating Kat; From: United States; Registered: Jul 2000)
posted 07-30-2001 09:05 PM
CJ,
It sounds like the autoexec.bat file is trying to call the file you just described. This virus modifies autoexec.bat, so you should open autoexec.bat with the dos edit program and delete the line that refers to C:\SirC32.exe.

------------------
Mike Krehel
ProwlerOnline.com Click and see me go!

cwatsonjr (unregistered)
posted 07-31-2001 12:17 PM
Actually, I have seen this virus hit two other computers. I had to go into the registry and edit it. The virus changes the registry to associate .exe files with the virus file. If the file is deleted, then you can't run an .exe file.

What I did is delete the infected file, change the regedit.exe to regedit.com, run the registry editor and remove the association, reboot and change the regedit.com back to regedit.exe.

Sure beats having to reinstall windows... yeech.

Oh yea - you have to edit the .ini files too because it puts a run statement in them.

------------------
Cliff Watson

This message has been edited by cwatsonjr on 07-31-2001 at 12:18 PM

jd2ksilver (POA Site Supporter, Prowler Junkie; From: Mt. View, CA; Registered: Jul 2000)
posted 07-31-2001 12:28 PM
Oh yeah, I understand all that.

Thanks Norton Antivirus,

------------------
See me WAX a Roush
See me WAX a Cobra


CAR & DRIVER of The Month

butchcee (POA Site Supporter, Prowler Junkie; From: Lake Ariel, Pa.; Registered: Sep 2000)
posted 07-31-2001 12:38 PM
Me too, JD - just look at my computer tech post. CJ - my symptoms were the same as yours. I ended up using the recovery discs and started fresh.

------------------

Yellow is DCOOLEST

cwatsonjr (unregistered)
posted 07-31-2001 01:29 PM
The virus that I posted about above wasn't the SirCam but another one - I guess very similar to it though.

------------------
Cliff Watson

dpena (POA Site Supporter, Administrating Kat; From: San Jose, CA, Santa Clara; Registered: Jul 2000)
posted 07-31-2001 01:32 PM
CJ,

So sorry I was not there to help you. I was in Southern California celebrating my wife's parents' 50th anniversary.

I got home this morning at 2:00am. At this time I received John Davies voice mail about calling you to help you and later this morning got the other voicemail at work. It was John Davies telling me to call you also.

Sure glad things worked out, and I realize this was a scary moment.


Cliff,

Don't know what John Davies is talking about.... I understood you fully.


Later...

All times are CT (US)

All material contained herein, Copyright 2000 - 2012 ProwlerOnline.com, E-Innovations, LP