ha.kiss Beginner
19 September 2001 - 17:15 There are 3 comments and 1 solution

Help: virus Worm/w32.sircam

I have got a virus called Worm/w32.sircam.
How do I get it deleted?
I am having problems opening my e-mails.

Hope to hear something soon.

Hi
stefan90 Beginner
19 September 2001 - 17:20 #1
That's not so good...... I think you should go to www.download.com and search for: Virus. There you will find lots of virus programs, just download the best one and remove it!! Should work! :o)
limemedia Beginner
19 September 2001 - 17:20 #2
from www.symantec.com !


The W32.Sircam.Worm@mm Fix tool deletes the files infected with the W32.Sircam.Worm@mm worm and removes the changes that were made to a computer by this virus.

To obtain and run the tool:

1. Go to http://www.sarc.com/avcenter/FixSirc.com
2. Download the Fixsirc.com file to a convenient location, such as your download folder or the Windows desktop. If you are on a network, the removal tool should be applied on all computers, including the server.
3. To check the authenticity of the digital signature, refer to the section The digital signature.
4. Close all programs before running the tool, including any antivirus scanners such as NAV Auto-Protect.

CAUTION: Do not skip this step (but also see the note that follows this caution). You must disable Auto-Protect before you run the tool. For instructions, see the document How to enable and disable Norton AntiVirus Auto-Protect.

NOTE: There is one exception to the requirement that you must disable Auto-Protect: If NAV has detected and quarantined the virus and NAV is no longer running due to the registry change that was made by the worm, you will not be able to disable Auto-Protect as it will not be running. However, you must make sure that NAV Auto-Protect is disabled by attempting to disable it as previously described.

5. If you are on a network, or have a full time connection to the Internet, disconnect the computer from the network and the Internet. Disable or password protect file sharing before reconnecting computers to the network or to the internet. Because this worm spreads by using shared folders on networked computers, to ensure that the worm does not reinfect the computer after it has been removed, Symantec suggests sharing with read-only access or using password protection. For instructions on how to do this, see your Windows documentation or the document How to configure shared Windows folders for maximum network protection.

CAUTION: Do not skip this step. You must disconnect from the network before running the tool.

6. If you are using Windows Me, then disable System Restore. Please refer to the section System Restore option in Windows Me for additional details.

NOTE: If you are running Windows Me, we strongly recommend that you do not skip this step.

7. Double-click the Fixsirc.com file to start the removal tool.

NOTE: If you downloaded the tool to a floppy disk, and want to run it from the floppy, see the section How to run the tool from a floppy disk at the end of this document for special instructions.

NOTE: If you are using Windows Me, and the System Restore remains enabled, you will see a warning message. You can choose to run the removal tool with the System Restore option enabled or exit the removal tool.

8. Click Start to begin the process, and then allow the tool to run.
9. If you are using Windows Me, then reenable System Restore.
10. Reenable Auto-Protect

NOTE:
If you see a message that the tool must rerun in Safe mode, restart the computer in Safe mode and run the tool again. Please follow this instruction to ensure that the virus does not reinfect the computer. To restart in Safe mode, see the document How to restart Windows 9x or Windows Me in Safe Mode.
The removal procedure might be unsuccessful in case of enabled System Restore under Windows Me because Windows prevents System Restore from being modified by outside programs. Because of this, any worm removal attempts made by the removal tool might fail.
When the procedure is finished, the removal tool may detect that you are using Windows Me and the System Restore remains disabled. In this case, you will see the reminder message to reenable this option.
If you need to run the tool in login scripts or batch files with no messages displayed, then use the following command line syntax for the "Silent" mode:
Fixsirc.com /s

When the tool has finished running, you will see a message indicating whether the computer was infected by the W32.Sircam.Worm@mm worm. In the case of a removal of the worm, the program displays the following results:
The total number of the scanned files.
The number of deleted files.
The number of registry keys that were fixed.

What the tool does
The W32.Sircam.Worm@mm removal tool does the following:
1. It scans and deletes files infected with the W32.Sircam.Worm@mm worm.

2. The tool removes the following registry key:

HKEY_LOCAL_MACHINE\Software\SirCam

3. In the registry key

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices

it deletes the following value:

Driver32

4. In the registry key

HKEY_CLASSES_ROOT\exefile\shell\open\command

the tool modifies the [Default] value by setting it to:

"%1" %*

5. The tool removes the line "@win \recycled\sirc32.exe" from the C:\Autoexec.bat file.
6. The tool restores the Rundll32.exe file, renamed by the worm.

The digital signature
FixSirc.com is digitally signed. Symantec recommends that you only use copies of FixSirc.com that have been downloaded directly from the SARC download site. To check the authenticity of the digital signature, follow these steps:
1. Go to http://www.wmsoftware.com/pub/chktrust.exe.
2. Save the Chktrust.exe file to the same folder where you saved FixSirc.com, for example, C:\Downloads
3. Click Start, point to Programs, and click MS-DOS Prompt.
4. Change to the folder where FixSirc.com and Chktrust.exe are stored, and then type:

chktrust -i FixSirc.com

For example, if you saved the file to the C:\Downloads folder:

cd\
cd downloads
chktrust -i FixSirc.com

Press Enter after typing each command.

5. If the digital signature is valid, you will see the following:

Do you want to install and run "FixSirc.com" signed on 7/31/2001 9:36 AM and distributed by Symantec Corporation.

NOTES:
The date and time that are displayed in this dialog will be adjusted to your time zone if your computer is not set to the Pacific time zone.
If you are using Daylight Saving time, the time that is displayed will be exactly one hour earlier.
If this dialog does not appear, do not use your copy of fixsirc.com. It is not from Symantec.

6. Click Yes to close the dialog box.
7. Type exit and then press Enter. This will close the MS-DOS session.

System Restore option in Windows Me:
One of the new features of Windows Me is System Restore. This feature, which is enabled by default, is used by Windows to restore files on your computer in case they become damaged. Windows Me keeps the restore information in the _RESTORE folder. A _RESTORE folder is created on each hard drive on the computer; these folders are updated when the computer restarts.

If the computer is infected with W32.Sircam.Worm@mm, then it is possible that the worm could be backed up in the _RESTORE folder. By default, Windows prevents System Restore from being modified by outside programs. Because of this, any repair attempts made by the removal tool will fail. To work around this, you must disable System Restore, and restart the computer. This will purge the contents of the _RESTORE folder. You must then run the removal tool again.

NOTE: If System Restore cannot be run due to the registry change that was made by the worm, you will not be able to disable it. In that case, run the tool anyway. When you see the message indicating that System Restore is still active, click OK and follow any additional prompts. This will allow System Restore to run. Following this, disable System Restore by following these instructions and then run the tool again.

To disable System Restore:

1. Close all open programs. Then, right-click My Computer on the Windows desktop
2. Click Properties.
3. Click the Performance tab.
4. Click File System.
5. Click the Troubleshooting tab.
6. Check Disable System Restore.
7. Click OK.
8. Click OK.
9. Click Yes to restart. This disables the System Restore feature and will purge the contents of the _RESTORE folder when the system is restarted.
Note: After running the FixSirc.com removal tool, repeat steps 1 through 9, except in step 6, uncheck Disable System Restore.
You can also find additional information in the document Cannot repair, quarantine, or delete a virus found in the _RESTORE folder.

For additional information, and an alternative to disabling System Restore, see the Microsoft Knowledge Base article Anti-Virus Tools Cannot Clean Infected Files in the _Restore Folder, Article ID: Q263455.


How to run the tool from a floppy disk

1. Insert the floppy disk that contains the Fixsirc.com file in the floppy disk drive.
2. Click Start and then click Run.
3. Type the following and then click OK:

a:\fixsirc.com

NOTE: If you are using Windows Me, and the System Restore remains enabled, you will see a warning message. You can choose to run the removal tool with the System Restore option enabled or exit the removal tool.

4. Click Start to begin the process, and then allow the tool to run.
5. If you are using Windows Me, then reenable System Restore.





Write-up by: JP Duan and Brian Ewell
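
The registry and Autoexec.bat changes listed under "What the tool does" can be checked offline against a REGEDIT4-format registry export and a copy of Autoexec.bat. This is an added example, not part of the original post or of Symantec's tool; the function names, the sample export and the PLACEHOLDER.EXE path are constructed for illustration.

```python
import re

# Keys, value name and Autoexec.bat line named in the Symantec text above.
SIRCAM_KEY = r"HKEY_LOCAL_MACHINE\Software\SirCam"
RUNSERVICES = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices"
EXEFILE_CMD = r"HKEY_CLASSES_ROOT\exefile\shell\open\command"
CLEAN_EXEFILE = '"%1" %*'
AUTOEXEC_LINE = r"@win \recycled\sirc32.exe"
# One string entry of a .reg file: @="data" or "name"="data", with \" and \\ escapes.
ENTRY = re.compile(r'^(@|"(?:[^"\\]|\\.)*")="((?:[^"\\]|\\.)*)"\s*$')

def unescape(s):
    return re.sub(r'\\(.)', r'\1', s)

def parse_reg(text):
    """Parse REGEDIT4 text into {key_lower: {value_name_lower: string}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None and (m := ENTRY.match(line)):
            name = "@" if m.group(1) == "@" else unescape(m.group(1)[1:-1])
            current[name.lower()] = unescape(m.group(2))
    return keys

def sircam_findings(reg_text, autoexec_text):
    """Return which of the four changes listed above are still present."""
    reg, found = parse_reg(reg_text), []
    if SIRCAM_KEY.lower() in reg:
        found.append("sircam_key")
    if "driver32" in reg.get(RUNSERVICES.lower(), {}):
        found.append("runservices_driver32")
    default = reg.get(EXEFILE_CMD.lower(), {}).get("@")
    if default is not None and default.strip() != CLEAN_EXEFILE:
        found.append("exefile_default")
    if any(l.strip().lower() == AUTOEXEC_LINE for l in autoexec_text.splitlines()):
        found.append("autoexec_line")
    return found

# Constructed sample inputs (not from a real machine; PLACEHOLDER.EXE is made up).
INFECTED_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\SirCam]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Driver32"="C:\\PLACEHOLDER.EXE"
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\PLACEHOLDER.EXE \"%1\" %*"
'''
INFECTED_AUTOEXEC = "@echo off\r\n@win \\recycled\\sirc32.exe\r\n"
```

An empty result from `sircam_findings` only means these four changes are absent; it says nothing about infected files elsewhere on disk or in the _RESTORE folder.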

stefan90 Beginner
19 September 2001 - 17:22 #3
take: McAfee VirusScan 5.21 and McAfee VirusScan 4.x and 5.x DAT File 4157 (9/4/01), then it will probably work!
cpufan Junior Master
19 September 2001 - 17:26 #4
if the worm has been activated, it will presumably have destroyed some of your Windows files, and you will therefore have to reinstall Windows, but that does not make the virus go away, so you should first of all install a good antivirus program; I use Norton from symantec.com myself.
there is a 30-day trial.
Once the virus has been removed, you can then reinstall Windows...............