
SIRC32.EXE VIRUS 1

Status
Not open for further replies.

hchman

MIS
Mar 28, 2001
280
US
A user at our company had the sirc32.exe virus (W32/sircam@mm). I cleaned the virus but now his applications will not open. It says "Windows cannot find sirc32.exe" (the file the virus put on his PC) and "This program is needed for opening files of type Application". I went into File Types in Folder Options and found that the file type Application opens with sirc32. How do I change this to open with executables? It will not let me edit or remove this file type. :-(
 
You can set this within the windows registry, but that is by no means a solution to your problem. Using regedit you should be able to correctly set all of the file-type declarations, but I fear to solve your problem properly you will need to install win98 again, & probably as a clean installation. It sounds as though this virus is particularly hostile. James Goodman
j.goodman00@btinternet.com
 
You can also use the file type options in Netscape to change the file association via a GUI interface. It does not have the same checks as explorer that prevent you from doing it there.
 
Thanks. I cannot get into regedit because it is an exe file also. I do not have netscape any other ideas?
 
Export the .exe file type from an uninfected machine and then move it to the damaged computer and double click it. I had a user once use netscape to change her exe association to media player. I am pretty sure the fix above was how I fixed it.
 
From symantec's help page, copy regedit.exe to regedit.com and open it.
Suggest you look at their writeup on this, as it gives a complete manual method, along with a downloadable clean program that will automate the process. Ed Fair
efair@atlnet.com

Any advice I give is my best judgement based on my interpretation of the facts you supply.

Help increase my knowledge by providing some feedback, good or bad, on any advice I have given.

 
The Sircam virus corrupts the registry in such a way that your best option is to restore from a previous backup.

When you "cleaned the virus" you were simply removing infected files. However, the entries in the registry remain.

For Win98 and Win98SE users:
- restart in MS-DOS mode
- type scanreg and hit enter at the C:\> prompt
- choose the "restore" option
- choose a date that is earlier than the time of infection

restart and you should be ok without having to reinstall Windows

also keep in mind that rundll32 was infected by the virus, so you may have to replace it. It is renamed to run32.exe.
 
hchman,

To restore the EXE association, open Notepad and copy and paste the following between the lines and save the file as exefix.reg. Double-click on the file to merge the contents into the registry. Do it on another computer and transfer via floppy.

=========BEGIN CUT==================
REGEDIT4

[HKEY_CLASSES_ROOT\.exe]
"Content Type"="application/x-msdownload"
@="exefile"

[HKEY_CLASSES_ROOT\.exe\ShellEx]

[HKEY_CLASSES_ROOT\.exe\ShellEx\{00021500-0000-0000-C000-000000000046}]
@="{88C9E8DE-8D28-11D3-8F3C-00A0249EABF4}"

[HKEY_CLASSES_ROOT\exefile]
"EditFlags"=hex:d8,07,00,00
@="Application"

[HKEY_CLASSES_ROOT\exefile\shell]
@=""

[HKEY_CLASSES_ROOT\exefile\shell\open]
@=""
"EditFlags"=hex:00,00,00,00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\exefile\shellex]

[HKEY_CLASSES_ROOT\exefile\shellex\PropertySheetHandlers]

[HKEY_CLASSES_ROOT\exefile\shellex\PropertySheetHandlers\{86F19A00-42A0-1069-A2E9-08002B30309D}]
@=""

[HKEY_CLASSES_ROOT\exefile\DefaultIcon]
@="%1"
============END CUT=================
============================================================
If that doesn't work,
Copy and paste the following text between the lines into Notepad and save as Fixexe.inf on your desktop. Right-click on the file and choose install. Now shutdown and restart.
==================BEGIN CUT=======================
[Version]
signature=$CHICAGO$

[DefaultInstall]
AddReg=EnableRegandexe

[EnableRegandexe]
HKCR,\.reg,,,"regfile"
HKCR,\regfile,,,"Registration Entries"
HKCR,\regfile\DefaultIcon,,,"C:\WINDOWS\regedit.exe,1"
HKCR,\regfile\shell,,,""
HKCR,\regfile\shell\open,,,"Mer&ge"
HKCR,\regfile\shell\open\command,,,"regedit.exe %1"
HKCR,\regfile\shell\print,,,""
HKCR,\regfile\shell\print\command,,,"C:\WINDOWS\NOTEPAD.EXE /p %1"
HKCR,\regfile\shell\edit,,,"&Edit"
HKCR,\regfile\shell\edit\command,,,"C:\WINDOWS\NOTEPAD.EXE %1"
HKCR,\.exe,,,"exefile"
HKCR,\.exe,"Content Type",,"application/x-msdownload"
HKCR,\exefile,,,"Application"
HKCR,\exefile,EditFlags,1,D8,07,00,00
HKCR,\exefile\shell,,,""
HKCR,\exefile\shell\open,,,""
HKCR,\exefile\shell\open\command,,,"""%1"" %*"
HKCR,\exefile\DefaultIcon,,,"%1"
====================END CUT=======================
reghakr
 
Thanks everyone. This all started after I ran the removal program. I will try your suggestions beginning with the easiest. I will let you know what happens.
:p
 
Oops, sorry I mis-understood. You can copy regedit.exe to regedit.com so it runs and change the associations as follows

1) Click START|RUN, type
COMMAND /C COPY %WINDIR%\REGEDIT.EXE %WINDIR%\REGEDIT.COM
and hit ENTER

2) Click START|RUN, type REGEDIT.COM and hit ENTER

3) Remove references to the virus from these keys of the registry

HKCR\exefile\shell\open\command
HKLM\Software\CLASSES\exefile\shell\open\command

They should contain only the value (not including brackets)
["%1" %*].

4) Delete the following registry keys:

HKLM\Software\Microsoft\Windows\CurrentVersion\
RunServices\Driver32

HKLM\Software\Sircam

Good luck
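The two posts above amount to one check: the default value of the exefile open command keys must be exactly "%1" %* and nothing else. The script below is an added example for this thread, not code posted by reghakr or anyone else here. It parses a REGEDIT4 export (the format of the exefix.reg above, string and hex values only) and reports any exefile open command that has another program interposed in front of the file being launched. The "hijacked" sample and its path are constructed for the demo; the thread never gives the location the virus used.

```python
"""Check an exported REGEDIT4 (.reg) text for a hijacked EXE file association.

Added example for this thread, not from Tek-Tips or any poster. The parser
covers the subset of the .reg format used in the exefix.reg above (quoted
string values, hex values, the '@' default value).
"""
import re

# Default open command for the 'exefile' type: run the file itself and pass
# the remaining arguments through. Any other program placed in front of it
# runs on every EXE launch, which is what the thread describes.
EXPECTED_EXE_COMMAND = '"%1" %*'

# The two keys the thread says must hold only that value. Compared
# case-insensitively, as the registry does.
EXE_COMMAND_KEYS = (
    r"HKEY_CLASSES_ROOT\exefile\shell\open\command",
    r"HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command",
)


def _unescape(s):
    """REGEDIT4 string syntax: a backslash escapes a quote or a backslash."""
    return re.sub(r'\\(["\\])', r'\1', s)


def parse_regedit4(text):
    """Return {key (lower-cased): {value_name: value}}.

    '@' is the key's default value. Quoted strings are unescaped; other data
    (hex:..., dword:...) is kept as the raw text after '='.
    """
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.upper() == "REGEDIT4":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})  # a key may be listed with no values
            continue
        if current is None or "=" not in line:
            continue
        name, _, data = line.partition("=")
        name = name if name == "@" else _unescape(name.strip('"'))
        if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
            data = _unescape(data[1:-1])
        keys[current][name] = data
    return keys


def find_exe_hijacks(reg_text):
    """Return [(key, actual_command)] for every exefile open command in the
    export that is not exactly EXPECTED_EXE_COMMAND."""
    keys = parse_regedit4(reg_text)
    findings = []
    for key in EXE_COMMAND_KEYS:
        values = keys.get(key.lower())
        if values is None:
            continue  # key not present in this export
        command = values.get("@", "")
        if command != EXPECTED_EXE_COMMAND:
            findings.append((key, command))
    return findings


# Constructed sample 1: the relevant part of the exefix.reg from the thread.
CLEAN_EXPORT = r'''REGEDIT4

[HKEY_CLASSES_ROOT\.exe]
"Content Type"="application/x-msdownload"
@="exefile"

[HKEY_CLASSES_ROOT\exefile]
"EditFlags"=hex:d8,07,00,00
@="Application"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
'''

# Constructed sample 2: what a hijacked export looks like. The path is a
# placeholder for the demo, not the real location the virus used.
HIJACKED_EXPORT = r'''REGEDIT4

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\PLACEHOLDER\\SIRC32.EXE \"%1\" %*"
'''

if __name__ == "__main__":
    for label, export in (("clean", CLEAN_EXPORT), ("hijacked", HIJACKED_EXPORT)):
        print(label, find_exe_hijacks(export))
```

To use it on a real machine, export HKEY_CLASSES_ROOT\exefile (and the HKLM copy) with regedit's Export function and feed the file's text to find_exe_hijacks; an empty list means both keys hold the default command. Note that a value with extra trailing arguments or a different quoting style is also reported, since the comparison is exact, which is the same standard reghakr's step 3 sets.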
 
Thank you all for your suggestions. I used the reg fix given by reghakr and it worked. Thank you reghakr for the effort you put into helping me. I appreciate everyone's help.
 
This virus is tricky. Even though your virus program finds and supposedly cleans it, you are still initializing the virus. What you have to do is run the scan in DOS mode. This way it doesn't open any exe files. It's worked for me.
 
A very easy way to run regedit when you have this virus is rename regedit.exe to regedit.com. Then run it, works fine!
A lot easier than copying it from another PC.
There's a few registry deletions you have to do, go to for full 'removal process' instructions.


Peace,
Chadda
 