sirc32.exe 2

Xtian

IS-IT--Management
Jul 22, 2001
16
FR
Hi,

I got infected this morning by TROJ SIRCAM.A

I didn't have the latest pattern files up to date :-(

After I got the last updated files, Norton Anti-Virus detected that SirC32.exe and SCam32.exe were infected. I chose to repair and delete them.

Unfortunately, as SirC32.exe is missing, I can't run any applications other than IE.

Could anyone running WINDOWS 98 (2nd Edition) send me these 2 files (SirC32.exe and Scam32.exe) at clegall2000@yahoo.com?

Thanks in advance,
Christian,
 
If you mean W32/SirCam@MM, it creates a registry key HKCR\exefile\shell\open\command
\Default="C:\recycled\SirC32.exe" "%1" %*
which means that all attempts to run a file will run the virus instead. You don't want copies of those files; they are the virus. You need to repair the registry.

For further info check out
 
Are you running Win95 or Win98? If Win98, you can boot to a DOS prompt (F8, then choose Boot to Command Prompt), then type:
scanreg /restore
Choose a date before your system was infected. This will restore the registry to a date prior to the infection. The problem is you would have had to have scanreg running in the background on prior boots. A lot of people take this out of the startup using msconfig. As you see, it is needed from time to time.

James Collins
Systems Support Engineer
A+, MCP

email: butchrecon@skyenet.net

Please let us (Tek-tips members) know if the solutions we provide are helpful to you. Not only do they help you but they may help others.
 
THANKS A LOT !

Yes, these files were the virus and I had to update my registry as described on antivirus web sites.

Going to DOS-mode after shutdown I restored the registry from 20/07/01 and everything is fine now.

Have a great day both Paul & James,
Christian,
 
Thanks for the reminder James, I had forgotten about that :p
 
No problem. I have had to use it a few times where I work. I ensure it takes a snapshot when each user boots up. The users here have a habit of playing with the registry and installing useless programs as well. Since we are not allowed to restrict the systems from users doing that, I get a lot of time fixing minor registry and corrupt file issues.

James Collins
Systems Support Engineer
A+, MCP

email: butchrecon@skyenet.net

Please let us (Tek-tips members) know if the solutions we provide are helpful to you. Not only do they help you but they may help others.
 
Boot up in DOS and do a copy regedit.exe regedit.com,
then type start regedit.com and the registry will open.
Then go to hkey_classes_root\exefile\shell\open\command and your Value Data should be
"%1 %*"

But every time you open a program you reinitialize the virus, even when opening your virus software. This was a tricky one. To get rid of this you have to run the scan in DOS mode and then check autoexec.bat and win.ini to see if command lines for the sircam were put in. Then check your registry for the sircam folder under local machine.
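
As an added example (not part of the original thread): a small Python check that reads a registry export in REGEDIT4 text format and reports executable file handlers whose `shell\open\command` default has been redirected, the change described in the replies above. It goes beyond the `exefile` key named in the thread to also watch `comfile`, `batfile` and `piffile`, and it assumes the stock default for those handlers is `"%1" %*`; the sample export is constructed.

```python
import re

# Assumed stock default: run the clicked file itself, passing its arguments.
CLEAN_DEFAULT = '"%1" %*'
WATCHED = ("exefile", "comfile", "batfile", "piffile")
KEY_RE = re.compile(r"\\(%s)\\shell\\open\\command$" % "|".join(WATCHED), re.I)

def unescape(value):
    # Undo .reg string escaping: a backslash escapes the next character.
    return re.sub(r"\\(.)", r"\1", value)

def find_hijacked_handlers(reg_text):
    """Return (key, default_value) for watched handlers with a non-stock default."""
    findings, key = [], None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]                      # new key section
        elif key and line.startswith('@="') and line.endswith('"'):
            if KEY_RE.search(key):                # only executable handlers
                value = unescape(line[3:-1])      # drop @=" and closing quote
                if value != CLEAN_DEFAULT:
                    findings.append((key, value))
    return findings

# Constructed sample export: one redirected handler, one clean, one unrelated.
SAMPLE = r'''REGEDIT4

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\recycled\\SirC32.exe\" \"%1\" %*"

[HKEY_CLASSES_ROOT\comfile\shell\open\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="C:\\WINDOWS\\NOTEPAD.EXE %1"
'''

if __name__ == "__main__":
    for key, value in find_hijacked_handlers(SAMPLE):
        print("HIJACKED", key, "->", value)
```
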
 
Seems this virus is very busy at the moment, just had it myself. Reloading windows seems to have done the trick for me.
 