Removal and Disinfection
(You'll be leaving the Internet
soon, so print these instructions now).
A. Download and save the undosirc.reg file to a floppy disk by following these instructions:
1. Go Here: www.ukans.edu/acs/virus/undosirc.reg
2. In the Save dialog box, select My Computer from the Save in: pull-down menu at the top of the page.
3. Double-click the A:\ drive.
4. Click the Save button.
II. Disconnect from the Internet.
III. In Windows, click the Start
button on your Taskbar
and select Run...
A. In the box, type A:\undosirc.reg and click the OK button.
B. A Windows dialog box will display with the following question:
Are you sure you want to add the information in A:\undosirc.reg to the registry?
C. A Windows dialog box will display the following confirmation:
Information in the c:\undosirc.reg has successfully entered into the registry.
Click OK .
D. Remove the line "@win \recycled\SirC32.exe" (if present) from the AUTOEXEC.BAT file.
1. Open Notepad (click the Start button, select Programs, then select Accessories, then click Notepad).
E. Shut down, then restart your computer.
2. In Notepad, go to File/Open. In the File name: box, type in C:\autoexec.bat and click Open.
3. Look for a line reading "@win \recycled\SirC32.exe". If there is such a line, highlight and delete it. If not, exit Notepad without saving.
4. Click the File menu and choose Save, then exit Notepad.
F. After your computer has restarted:
1. Empty the Recycle Bin.
2. In Windows, click the Start button on your Taskbar and select Find -> and Files or Folders. Make sure the Look In box (bottom most box) is to set to look in the hard drive (C:, usually).
3. In the Named box, type scam32.exe.
4. Click the Find Now button.
5. scam32.exe should appear in the lower window of the finder and should be highlighted (if not highlighted, click it once to select it).
6. Press the DELETE key (on your keyboard).
Note: This virus infects computers in several ways, depending on how it was transmitted, so some of the following files may not be present on your computer.
7. In the Named box, replace scam32.exe with scmx32.exe, and click the Find Now button.
8. If you find a file with this name, click once on it to select it and press the DELETE key.
9. In the Named box, replace scmx32.exe with sircam32.exe, and click the Find Now button.
10. If you find a file with this name, click once on it to select it and press the DELETE key.
11. In the Named box, replace sircam32.exe with Microsoft Internet Office.exe, and click the Find Now button.
12. If you find a file with this name, click once on it to select it and press the DELETE key.
13. In the Named box, replace Microsoft Internet Office.exe with run32.exe, and click the Find Now button.
14. If you find a file with this name, DON'T DELETE IT! This file has been renamed by the virus, but is not part of the infection. If run32.exe is found, complete these additional steps:
a. In the Named box, replace run32.exe with rundll32.exe, and click the Find Now button.
15. Empty the Recycle bin.
b. When found, click once on rundll32.exe to select it and press the DELETE kay.
c. search for run32.exe again, and rename it to rundll32.exe.
To rename a file, right-click it and select Rename, type in the new name (rundll32.exe), and press Enter to accept the change.