Microsoft KB Archive/311446

= You cannot start programs when your computer is infected with the SirCam virus =

Article ID: 311446

Article Last Modified on 3/29/2007

== APPLIES TO ==


 * Microsoft Windows XP Home Edition
 * Microsoft Windows XP Professional




This article was previously published under Q311446



Important: This article contains information about how to modify the registry. Make sure to back up the registry before you modify it. Make sure that you know how to restore the registry if a problem occurs. For information about how to back up, restore, and modify the registry, click the following article number to view the article in the Microsoft Knowledge Base:

256986 Description of the Microsoft Windows registry



== SYMPTOMS ==

If you click "Yes, download the updated Setup files (Recommended)" in the Get Updated Setup Files dialog box while the Setup program is running, you may receive the following message in the Upgrade report:

Setup found some blocking issues. You must address these issues before you can continue upgrading you computer. For more information, click Full Report.

Bad System Configuration

If you click Full Report, you receive the following message:

Setup detected an invalid system configuration, which is typically caused by a virus. See KB Article Q311446 and follow the instructions there.

If you click "No, skip this step and continue installing Windows" in the Get Updated Setup Files dialog box during Setup, you may experience any one of the following symptoms:

If you try to start a program (.exe file), the program may not start, and you may receive any one of the following error messages:

The specific path does not exist. Check the path and try again.

 

Windows cannot find ' '. Make sure you typed the name correctly, and then try again. To search for a file, click Start, and then click Search.



Note: If you receive a "Path to program_name is not a valid Windows application" error message or the error message references the Files32.vxd file, please see the following Microsoft Knowledge Base article:

310585 You are unable to start a program with an .exe file extension

 Additionally, if you upgrade your computer, you may receive the following message, where  is the full path and the specific file mentioned in the message:

Windows cannot find C:\

In this case, when you start Registry Editor, you may receive the following error message:

Windows cannot find C:\Windows\Regedit.exe





== CAUSE ==

The W32.Sircam.Worm@mm worm virus can cause this issue. The W32/Sircam virus spreads itself through e-mail messages or unprotected network file shares and can reveal or delete information on your computer. To verify that your computer is infected with this kind of virus:

<ol>
<li>Restart your computer, press F8 at the Windows XP Startup menu, and then select Safe Mode with Command Prompt.</li>
<li>At the command prompt, type regedit, and press ENTER.</li>
<li>If the following registry key is set to C:\recycled\sirc32.exe "%1" %*, your computer is infected with the W32/SirCam worm virus:

HKEY_CLASSES_ROOT\exefile\shell\open\command

Note: If this registry setting is anything other than

"%1" %*

your computer may be infected with a different virus.</li>
</ol>


== RESOLUTION ==

Microsoft does not provide software that can detect or remove computer viruses. If you suspect or confirm that your computer is infected with a virus, obtain current antivirus software. For a list of antivirus software manufacturers, click the following article number to see the article in the Microsoft Knowledge Base:

49500 List of Antivirus Software Vendors


== MORE INFORMATION ==

Warning: Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall your operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.

=== How to try to prevent the virus from running ===

Important: The following procedure only prevents the virus from running so that you can run an updated antivirus program or W32/Sircam virus removal tool. While you work to resolve this issue, physically disconnect all your infected computers from the Internet or any other network. For detailed instructions about how to recover an infected computer, please see the following Carnegie Mellon Web site:

http://www.cert.org/tech_tips/root_compromise.html

<ol>
<li>Verify that your computer is infected with the W32.Sircam.Worm@mm worm virus.

For information about how to do this, view the steps that are included in the "Cause" section of this article. If your computer is infected with the W32.Sircam.Worm@mm worm virus, continue to step 2. If your computer is not infected with the W32.Sircam.Worm@mm worm virus, skip the remaining steps, and then follow the instructions that are included in the "Resolution" section of this article.</li>
<li>Use Registry Editor to change the (Default) string value in the following registry key to "%1" %* (with quotation marks):

HKEY_CLASSES_ROOT\exefile\shell\open\command\
</li>
<li>At a command prompt, type cd \, and then press ENTER.</li>
<li>At a command prompt, type del /f /s /a sirc32.exe, and then press ENTER.</li>
<li>At a command prompt, type del /f /s /a scam32.exe, and then press ENTER.</li>
<li>At a command prompt, type shutdown -r, and then press ENTER.</li>
<li>Follow the instructions that are included in the "Resolution" section of this article.</li>
</ol>

The W32.Sircam.Worm@mm worm virus modifies the registry so that all executable (.exe) files are started through the virus file, Sirc32.exe, which resides in the C:\recycled folder. With this change in the registry, executable files are forced to run as a command-line argument to the Sirc32.exe file. During the upgrade to Windows XP, the Sirc32.exe file is removed.

Removing the Sirc32.exe virus file without also correcting the HKEY_CLASSES_ROOT\Exefile\Shell\Open\Command key invalidates every executable file on the computer because, according to this line in the registry, executable files are to be run as a command-line parameter to the Sirc32.exe file, which no longer exists. This prompts the "Windows cannot find" message when you try to start an executable file.
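The check from the "Cause" section, applied offline to the text of a registry export, is sketched below as an added example (not Microsoft's code). The function names and both sample exports are constructed for illustration; only the key name and the clean and infected values come from this article.

```python
import re

KEY = r"HKEY_CLASSES_ROOT\exefile\shell\open\command"
EXPECTED = '"%1" %*'                        # clean value given in the article
SIRCAM = r'C:\recycled\sirc32.exe "%1" %*'  # infected value given in the article

# Constructed sample exports (not captured from a real machine).
INFECTED = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\recycled\\sirc32.exe \"%1\" %*"
'''
CLEAN = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
'''

def default_value(reg_text, key=KEY):
    """Return the unescaped (Default) string under `key`, or None if absent."""
    wanted = key.rstrip("\\").lower()   # the article also writes the key with a trailing backslash
    in_key = False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            in_key = line[1:-1].rstrip("\\").lower() == wanted
        elif in_key and line.startswith('@="') and line.endswith('"'):
            # .reg text escapes backslash and double quote with a backslash.
            return re.sub(r"\\(.)", r"\1", line[3:-1])
    return None

def classify(value):
    """Return (verdict, handler); handler is the program every .exe is routed through."""
    if value is None:
        return "missing", None
    if value == EXPECTED:
        return "clean", None
    m = re.match(r'\s*(?:"([^"]+)"|(\S+))', value)
    handler = (m.group(1) or m.group(2)) if m else None
    if value.lower() == SIRCAM.lower():
        return "sircam", handler
    # Any other handler also breaks every .exe launch once that file is deleted.
    return "other-hijack", handler

if __name__ == "__main__":
    for name, text in (("infected", INFECTED), ("clean", CLEAN)):
        print(name, classify(default_value(text)))
```

Exports in the "Windows Registry Editor Version 5.00" format are saved as UTF-16, so open such a file with encoding="utf-16" before passing its text to default_value.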

=== Additional information about how to remove W32/Sircam virus ===

For additional information about how to correctly remove the W32/Sircam virus, please see the following third-party Web sites:

http://www.symantec.com/avcenter/venc/data/w32.sircam.worm@mm.html

http://www.datafellows.com/v-descs/sircam.shtml

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_SIRCAM.A

=== Availability of W32.Sircam.Worm@mm Removal tools ===

For information about tools you can use to correctly remove the W32/Sircam virus, please see the following third-party Web sites:

http://www.symantec.com/avcenter/venc/data/w32.sircam.worm@mm.removal.tool.html

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FSIRCAM%2EA&VSect=Sn

For more information about the W32/Sircam virus and additional antivirus vendor references, please view the "CA-2001-22 W32/Sircam Malicious Code" CERT Advisory at the following Carnegie Mellon Web site:

http://www.cert.org/advisories/CA-2001-22.html

For more information, click the following article number to view the article in the Microsoft Knowledge Base:

306913 Error message caused by Sircam32 virus when you start a program

Microsoft provides third-party contact information to help you find technical support. This contact information may change without notice. Microsoft does not guarantee the accuracy of this third-party contact information.

Additional query words: rundll32 exe null

Keywords: kbhotfixserver kbqfe kbbug kbenv kberrmsg kbfix kbsetup KB311446


© Microsoft Corporation. All rights reserved.