RideCamp@endurance.net

Fw: viris that disabled my mcafee system-#4300328082#-



I got this after sending an email to them.  I had it off by the time I got
the email back.  It had disabled McAfee and I had to use my Dell recovery cd
to get my pc back up.  VERY frustrating as I did not know how I got it.
Maybe it doesn't always show as an attachment.   But McAfee recognized it
when it arrived but it still shut me down.  They are sneaky.  I have several
email accounts as I move a lot so it is hard to know just where I got it.
During that time I had not sent any emails to ridecamp. I don't send much
out as I have limited time for 'ALL' in my life.  Hope this helps someone.
Mary Ann
----- Original Message -----
From: McAfee.com Technical Support <virus_support@mcafee.com>
To: baskhana <baskhana@email.msn.com>
Sent: Saturday, September 15, 2001 9:44 PM
Subject: RE: viris that disabled my mcafee system-#4300328082#-


> Dear baskhana
> Thank you for contacting McAfee.com support. Sorry for the inconvenience that you experienced.
> In this e-mail I will include the instructions that will remove the virus you have. Please follow the instructions carefully, it will resolve your problem.
>
>
> Removal of the W32/SirCam@MM Worm
>
> --- Manual Removal Instructions ---
>
> Note: These directions use specific directory pathnames that are commonly used. You may need to modify the drive letter used, and folder paths for the WINDOWS SYSTEM directory.
>
> --- Registry Removal Instructions ---
>
> 1) Click START | RUN, type COMMAND /C COPY %WINDIR%\REGEDIT.EXE %WINDIR%\REGEDIT.COM and hit ENTER
> 2) Click START | RUN, type regedit.com and hit ENTER
> 3) Click the (+) left of each of following:
>
> HKEY_CLASSES_ROOT
> exefile
> shell
> open
> command
>
> 4) In the right panel, right-click the (Default) value, then choose Modify, then remove [C:\Recycled\SirC32.exe].
>     Note: It should contain only this value (not including brackets) : ["%1" %*]. The Registry editor will automatically enclose this string inside quotation marks in some versions of windows.
> 5) Delete the following registry keys:
>     Click the (+) left of each of following:
>
>
>
> HKEY_LOCAL_MACHINE
>    # Software
>    # Microsoft
>    # Windows
>    # CurrentVersion
>    # RunServices
>    # Driver32
>
> 6) In the right panel, right click and delete the registry value called Driver32
> 7) Click the (+) left of each of following:
>
>
>
> HKEY_LOCAL_MACHINE
> Software
> Sircam
>
> 8) Click Sircam and press delete key
>
> ---Infected File Removal Instructions ---
>
> Note: Failure to complete the Registry Removal Instructions before starting these file removal instructions will result in the inability to run applications. Do not proceed until the registry has been corrected as mentioned above!
>
> 1) Click START | RUN type, command.com and hit ENTER
> 2) Type, deltree c:\recycled\sirc32.exe and hit ENTER
> 3) Type 'Y' to confirm the deletion and hit ENTER.
>
> Win9x/ME users only:
> 4) Type, deltree c:\windows\system\scam32.exe and hit ENTER
> 5) Type, 'Y' for (Y)es to confirm the deletion and hit ENTER
> 6) Type, move c:\windows\run32.exe c:\windows\rundll32.exe and hit ENTER
> If prompted for Overwrite the file, choose (Y)es
> If Cannot move ... appears then the virus did not move the Rundll32.exe file.
>
> WinNT/2000 users only:
> 4) Type, deltree c:\winnt\system\scam32.exe and hit ENTER
> 5) Type, 'Y' for (Y)es to confirm the deletion and hit ENTER
> 6) Type, move c:\winnt\run32.exe c:\winnt\rundll32.exe and hit ENTER
> If prompted for Overwrite the file, type Y for (Y)es
> If Cannot move ... appears then the virus did not move the Rundll32.exe file.
>
> Win9x/ME/NT/2000 users:
> (Note: as the Autoexec.bat file is not modified in all instances, steps 9, 10, and 11 may fail for some users. If this happens, then they were not required.)
> 7) Type exit and hit ENTER
> 8) Click START | RUN, type write c:\autoexec.bat and hit ENTER
> 9) Click EDIT | REPLACE, type @win \recycled\sirc32.exe and click REPLACE ALL
> 10) Click OK
> 11) Click FILE | EXIT and choose YES to save your changes
>
>
>
> Additional information for Windows ME users:
> NOTE: Windows ME utilizes a backup utility that backs up selected files automatically to the C:\_Restore folder. This means that an infected file could be stored there as a backup file, and VirusScan will be unable to delete these files. These instructions explain how to remove the infected files from the C:\_Restore folder.
>
>
> Disabling the Restore Utility
> 1. Right click the My Computer icon on the Desktop, Properties.
> 2. Click on the Performance Tab.
> 3. Click on the File System button.
> 4. Click on the Troubleshooting Tab.
> 5. Put a check mark next to "Disable System Restore".
> 6. Click the Apply button.
> 7. Click the Close button.
> 8. Click the Close button again.
> 9. You will be prompted to restart the computer. Click Yes.
> NOTE: The Restore Utility will now be disabled.
> 10. Restart the computer in Safe Mode.
> 11. Run an online scan to delete all infected files. Or write down the locations of the infected files and delete them in DOS prompt. (see DOS file removal instructions)
>
> 12. After removing the desired files, restart the computer.
>
> NOTE: To re-enable the Restore Utility, follow steps 1-9 and on step 5 remove the check mark next to "Disable System Restore". The infected files are removed and the System Restore is once again active.
>
> ---DOS file removal instructions---
>
> 1) Click START | RUN type, command.com and hit ENTER
> 2) Type cd c:\recycled - (drive:\location) and hit ENTER
> 3) Type attrib <infectedfilename>.* -h -r and hit ENTER ->  ( ex: attrib adrsbk2.* -h -r )
> 4) Type del <infectedfilename>.* and hit ENTER -> ( ex: del adrsbk2.*  )
> 5) Follow steps 3-4 to delete more infected files
> 6) To delete infected files in different folders, follow steps 2-3 and specify the correct location of the infected files in step 2 - (ex: cd c:\windows\systems).
> 7) Type Exit and hit ENTER
> 8) Restart the computer.
>
> --- End of Infected Files Manual Removal Instructions ---
>
> Scan Your Computer for Infected Files
>
> 1. Connect to the Internet.
> 2. Go to http://www.mcafee.com
> 3. Enter your password and email address, and click the Login button.
> 4. Near the top-left of the page, locate the "Site Shortcuts" drop-down menu.
> 5. Click the drop-down arrow and choose Scan, from under VirusScan Online. A new page will then load.
> 6. Click the "Start" link in the box: Current users click here to start.
> 7. If you are using this service for the first time you will then see a page with a "Start Download" link. Click on the "Start Download" link to download the necessary components.
> 8. In the Scan In box select the drive you would like to scan (C: drive, etc). Then click the Scan button located in the lower right corner.
> 9. The program will then scan the selected drive for viruses. If a virus is found a notification will appear in the Scan Results box. Delete infected files if they can not be cleaned.
>
> More information can be found at the following address http://www.mcafee.com/anti-virus/viruses/sircam/default.asp?cid=2360
>
> McAfee Technical Support
>
>
> Kind regards
> McAfee.com Tech support
> -----Original Message-----
> From: baskhana (baskhana@email.msn.com)
> Sent: Aug 30, 2001 8:29:24 AM
> Subject: viris that disabled my mcafee system
>
> On 8-28-01 my McAfee grabbed a virus. I tried to clean it. My pc
> stalled.  So I deleted it and McAfee said the file was saved in backup.
> Then every time I clicked on anything dealing with windows it said I was
> missing SirC32.exe and was supposed to look for it to perform the
> application. I looked for the SirC32 on my windows 98 cd and on my
> McAfee cd and then got suspicious that it had not been neutralized. ANY
> time I clicked on anything, including my antivirus scan program, it
> popped up the window saying the application was missing and asked where
> to look for it.  The first time McAfee grabbed it and said it was a
> virus, it was called 'system\SCAM32.exe'.  I tried to run my antivirus
> and it would not open. After that nothing on my win98 OS would
> open except my msn server, modem, and AIM.  ICQ would not open.  I was
> surprised that it disabled my antivirus system so am informing you of
> all of this.
>
> I got my system back up using my cd recovery from Dell.  Then worked
> thru safe mode.  Even tho it was deleted it made my system UNUSABLE.  I
> almost did a format on C: to start over, but talked to one of my sons
> who works with computers and he told me to do the safe mode thing.
> Luckily I did not lose anything off my hard drive but it was incredibly
> frustrating as I am a beginner at this pc stuff.
>
> It should be of interest to you that it disabled my McAfee scan system.
> I had updated my McAfee just last week so maybe it would have been worse
> if I had not.  I did not see it listed in your recent virus problems
> list.  So am bringing it to your attention.  I do not know if it came
> via an email off my hotmail account or via ICQ as I use both.  But I did
> click on a mysterious email that came thru my hotmail account that had
> only a series of symbols as the subject.
>
> Thanks for listening and hope you are able to fix the problem in case of
> future reinfestation of this virus.
>
> Mary Ann Spencer
> I have several emails besides this one which I only use to access the
> net as I move a lot. I may be in your system under ltcmas@yahoo.com
>
>
>
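
The registry checks from steps 3 to 8 of the quoted removal instructions, run over a saved regedit text export rather than by hand. This is an added example, not part of the original e-mail or any McAfee tool; the function names are hypothetical, and the two sample exports (including the data stored under Driver32) are constructed.

```python
import re

# Registry locations named in the removal instructions above (lower-cased for matching).
EXEFILE = r"hkey_classes_root\exefile\shell\open\command"
RUNSERVICES = r"hkey_local_machine\software\microsoft\windows\currentversion\runservices"
SIRCAM = r"hkey_local_machine\software\sircam"
CLEAN_COMMAND = '"%1" %*'  # the only data the (Default) value should hold

VALUE_RE = re.compile(r'(@|"(?:[^"\\]|\\.)*")="((?:[^"\\]|\\.)*)"$')

def unescape(s):
    # .reg string data escapes backslash and double quote with a backslash
    return re.sub(r"\\(.)", r"\1", s)

def parse_reg(text):
    """Parse string values of a REGEDIT4 export into {key: {name: data}}, lower-cased."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None:
            m = VALUE_RE.match(line)
            if m:  # dword/hex values are skipped; these checks do not need them
                name = "" if m.group(1) == "@" else unescape(m.group(1)[1:-1])
                current[name.lower()] = unescape(m.group(2))
    return keys

def sircam_findings(text):
    keys, found = parse_reg(text), []
    command = keys.get(EXEFILE, {}).get("")
    if command is not None and command.strip() != CLEAN_COMMAND:
        found.append("exefile open command altered: " + command)
    if "driver32" in keys.get(RUNSERVICES, {}):
        found.append("RunServices value Driver32 present")
    if any(k == SIRCAM or k.startswith(SIRCAM + "\\") for k in keys):
        found.append("Software\\Sircam key present")
    return found

# Constructed sample exports (not taken from a real machine).
INFECTED = r'''REGEDIT4
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\Recycled\\SirC32.exe \"%1\" %*"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Driver32"="C:\\WINDOWS\\SYSTEM\\SCAM32.exe"
[HKEY_LOCAL_MACHINE\Software\Sircam]
'''
CLEAN = r'''REGEDIT4
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
'''
```

An empty list from `sircam_findings` means none of the three registry indicators is present in the export; it says nothing about the files the instructions delete afterwards.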


