Sunday, September 7, 2008

SIRCAM/Recycled Virus to Clean ?

This is bad, when I check my PC in this morning, my Windows XP invected by SIRCAM/Recycled Virurs, I try to find how clean this dam problem. After I googling, I found some tutorial. And this is the results.

First Tutorial
1. Go to command prompt.
2. Type CD\ in drive C to go the root directory
3. Type DIR /AH and press ENTER key. This will display all hidden files in your drive C
4. If you see a file AUTORUN.INF and a folder Recycled, then your system is infected.
5. Try doing this to your USB drive and check if your USB stick contains the same folder and AUTORUN.INF, if it does then your system is really infected.

To remove it download and install a trial version of Trendmicro and scan your system.

To manually remove it follow the following steps (This is the step I take when i repair my computer without an internet connection. Note you should understand what you’re about to do, you try it at your own risk!)

1. Boot your system in Safemode
2. Go to command prompt, in Drive C do the following commands.
3. Type -> ATTRIB -H -R -S AUTORUN.INF then press enter
4. Type -> DEL AUTORUN.INF then press enter
5. Type -> ATTRIB -H -R -S Recycled then press enter
6. In Windows Explorer in Safemode, remove the folder Recycled in drive C use Shift-Delete to delete the folder.
7. Repeat Step 3 to 6 for all drives of your system including the USB drive.
8. Search for CTFMON.EXE in your system using the Search of Windows found in Start Menu. If you find a file that is not located in C:\WINDOWS\SYSTEM32, delete it immediately. Dont forget to empty the recycle bin afterwards (Usually the virus will copy itself in the Startup folder of the Startmenu. Check if the file is present there and delete it then.)

To disable autorun of drives (i.e. everytime you double-click a drive or cd or usb, it is auto open) follow the following step:

1. Click Start->Run->type REGEDIT.EXE
2. Go to this key from the register HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
3. Look for the entry NoDriveTypeAutoRun, double click the entry
4. Type a new value : 03ffffff for the NoDriveTypeAutoRun and press ENTER
5. Reboot the system.


Second Tutorial
You can download and run the automatic cleaning tool for SIRCAM or Follow the directions below to manually remove it.

1. First, rename REGEDIT.EXE to REGEDIT.COM. If you want to use the fix tool, there is no need to rename the file
2. Click Start, Run, type REGEDIT and then press Enter.
3. In the left panel, click the (+) left of each of the below:
HKEY_LOCAL_MACHINE
Software
Microsoft
Windows
CurrentVersion
RunServices
4. In the right panel, look for and then delete the registry value called Driver32.
5. In the left panel, click the (+) left of each of the below:
HKEY_LOCAL_MACHINE
Software
SirCam
6. Click SirCam and then press the Delete key.
7. In the left panel, click the (+) left of each of the below:
HKEY_CLASSES_ROOT
exefile
shell
open
command
8. In the right panel, right-click the (Default) value, then choose Modify.
9. Change “C:\Recycled\SirC32.exe””%1”%* to “%1” %*. In other words, remove “C:\Recycled\SirC32.exe”.

Remove the dropped files:

1. Open an MS-DOS box or Command Prompt
2. Go to the System directory (C:\Windows\System or C:\Winnt\System32).
3. Type ATTRIB -S -H -R SCAM32.EXE to unhide the Trojan file.
4. Type DEL SCAM32.EXE to delete the Trojan file.
5. Go to the Recycled folder (C:\Recycled folder)

Note: Emptying the recycle bin does not effectively delete the dropped Trojan files in the folder. It is suggested that the command prompt be used when deleting the dropped files.

1. Type ATTRIB -S -H -R SIRC32.EXE.
2. Type DEL SIRC32.EXE to delete the Trojan file.

Remove the Worm reference from AUTOEXEC.BAT:

1. Look for the AUTOEXEC.BAT file.
2. Search and remove the string “@win \recycled\Sirc32.exe”

Restore your RUNDLL32.EXE:

1. Search for RUN32.EXE in your WINDOWS folder. If not found, then the worm did not overwrite your RUNDLL32.EXE.
2. If found, delete RUNDLL32.EXE and rename RUN32.EXE to RUNDLL32.EXE.
3. Restart your system

Note: If you found the worm entry in the AUTOEXEC.BAT file or if you found the RUN32.EXE file in the Windows directory, this means that other computers in your network are also infected. For protection, minimize giving full access to your drives and as much as possible DO NOT share your Windows and System folder.