Article ID: 311446
This article was previously published under Q311446

SYMPTOMS

If you click Yes, download the updated Setup files (Recommended) in the Get Updated Setup Files dialog box while the Setup program is running, you may receive the following message in the Upgrade report:
Setup found some blocking issues. You must address these issues before you can continue upgrading you computer. For more information, click Full Report.

Bad System Configuration
If you click Full Report, you receive the following message:
Setup detected an invalid system configuration, which is typically caused by a virus. See KB Article Q311446 and follow the instructions there.
If you click No, skip this step and continue installing Windows in the Get Updated Setup Files dialog box during Setup, you may experience any one of the following symptoms:
  • If you try to start a program (.exe file), the program may not start, and you may receive any one of the following error messages:
    • The specific path does not exist. Check the path and try again.
    • Windows cannot find 'program_file'. Make sure you typed the name correctly, and then try again. To search for a file, click Start, and then click Search.
    Note If you receive a "Path to program_name is not a valid Windows application" error message or the error message references the Files32.vxd file, please see the following Microsoft Knowledge Base article:
    310585 You are unable to start a program with an .exe file extension
  • Additionally, if you upgrade your computer, you may receive the following message, where filename is the full path and the specific file mentioned in the message:
    Windows cannot find C:\Filename


    In this case, when you start Registry Editor, you may receive the following error message:
    Windows cannot find C:\Windows\Regedit.exe

CAUSE

The W32.Sircam.Worm@mm worm virus can cause this issue. The W32/Sircam virus spreads itself through e-mail messages or unprotected network file shares and can reveal or delete information on your computer. To verify that your computer is infected with this kind of virus:
  1. Restart your computer, press F8 at the Windows XP Startup menu, and then select Safe Mode with Command Prompt.
  2. At the command prompt, type regedit, and press ENTER.
  3. If the following registry key is set to C:\recycled\sirc32.exe "%1" %*, your computer is infected with the W32/SirCam worm virus:
    HKEY_CLASSES_ROOT\exefile\shell\open\command
    Note If this registry setting is anything other than
    "%1" %*
    your computer may be infected with a different virus.
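The check in step 3 can also be run offline against a text export of the key (for example, one produced with reg export), which helps when Regedit.exe itself will not start. The following is an added example, not Microsoft's code: the names audit_export and SAMPLE are hypothetical, the sample export is constructed, and the extension from exefile to the other executable file classes goes beyond what the article covers.

```python
import re

# Stock (Default) value under <class>\shell\open\command, as given in the article.
EXPECTED = '"%1" %*'
# exefile is the class the article covers; the others are an added generalization.
CLASSES = ("exefile", "comfile", "batfile", "cmdfile", "piffile")

KEY_RE = re.compile(r"^\[HKEY_CLASSES_ROOT\\(\w+)\\shell\\open\\command\\?\]$", re.I)
DEFAULT_RE = re.compile(r'^@="(.*)"$')


def unescape(value):
    """Undo .reg string escaping (backslash-escaped backslashes and quotes)."""
    return re.sub(r'\\(["\\])', r"\1", value)


def audit_export(text):
    """Return {class: (command, handler)} for each audited class whose
    (Default) open command differs from EXPECTED."""
    findings, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):
            m = KEY_RE.match(line)
            current = m.group(1).lower() if m else None
            continue
        m = DEFAULT_RE.match(line)
        if current in CLASSES and m:
            command = unescape(m.group(1))
            if command != EXPECTED:
                # Whatever precedes the stock tail is the interposed handler.
                stock = command.endswith(EXPECTED)
                handler = command[:-len(EXPECTED)].strip() if stock else None
                findings[current] = (command, handler)
    return findings


# Constructed sample export (not taken from a real machine).
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\recycled\\sirc32.exe \"%1\" %*"

[HKEY_CLASSES_ROOT\batfile\shell\open\command]
@="\"%1\" %*"
'''

if __name__ == "__main__":
    for cls, (command, handler) in audit_export(SAMPLE).items():
        print(f"{cls}: {command!r} (handler: {handler})")
```

Exports in the Version 5.00 format are UTF-16 encoded, so decode the file accordingly before passing its text to audit_export.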

RESOLUTION

Microsoft does not provide software that can detect or remove computer viruses. If you suspect or confirm that your computer is infected with a virus, obtain current antivirus software. For a list of antivirus software manufacturers, click the following article number to see the article in the Microsoft Knowledge Base:
49500 List of Antivirus Software Vendors

MORE INFORMATION

Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
322756 How to back up and restore the registry in Windows

How to try to prevent the virus from running

Important The following procedure only prevents the virus from running so that you can run an updated antivirus program or W32/Sircam virus removal tool. While you work to resolve this issue, physically disconnect all your infected computers from the Internet or any other network. For detailed instructions about how to recover an infected computer, please see the following Carnegie Mellon Web site:
http://www.cert.org/tech_tips/win-UNIX-system_compromise.html
  1. Verify that your computer is infected with the W32.Sircam.Worm@mm worm virus.

    For information about how to do this, view the steps that are included in the "Cause" section of this article. If your computer is infected with the W32.Sircam.Worm@mm worm virus, continue to step 2. If your computer is not infected with the W32.Sircam.Worm@mm worm virus, skip the remaining steps, and then follow the instructions that are included in the "Resolution" section of this article.
  2. Use Registry Editor to change the (Default) string value in the following registry key to "%1" %* (with quotation marks):
    HKEY_CLASSES_ROOT\exefile\shell\open\command\
  3. At a command prompt, type cd \, and then press ENTER.
  4. At a command prompt, type del /f /s /a sirc32.exe, and then press ENTER.
  5. At a command prompt, type del /f /s /a scam32.exe, and then press ENTER.
  6. At a command prompt, type shutdown -r, and then press ENTER.
  7. Follow the instructions that are included in the "Resolution" section of this article.
The W32.Sircam.Worm@mm worm virus modifies the registry so that all executable (.exe) files are started through the virus file, Sirc32.exe, which resides in the C:\recycled folder. When this change is made to the registry, executable files are forced to run as a command line argument to the Sirc32.exe file. Through the course of the upgrade to Windows XP, the Sirc32.exe file is removed.

The removal of the Sirc32.exe virus without modification of the HKEY_CLASSES_ROOT\Exefile\Shell\Open\Command key will invalidate every executable file on the computer because, according to this line in the registry, the executable files are to be run as a command line parameter to the Sirc32.exe file which no longer exists. This prompts the "Windows cannot find" message when you try to start the executable file.

Additional information about how to remove W32/Sircam virus

For additional information about how to correctly remove the W32/Sircam virus, please see the following third-party Web sites:
http://www.symantec.com/avcenter/venc/data/w32.sircam.worm@mm.html
http://www.datafellows.com/v-descs/sircam.shtml
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_SIRCAM.A

Availability of W32.Sircam.Worm@mm Removal tools

For information about tools you can use to correctly remove the W32/Sircam virus, please see the following third-party Web sites:
http://www.symantec.com/avcenter/venc/data/w32.sircam.worm@mm.removal.tool.html
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FSIRCAM%2EA&VSect=Sn
For more information about the W32/Sircam virus and additional antivirus vendor references, please view the "CA-2001-22 W32/Sircam Malicious Code" CERT Advisory at the following Carnegie Mellon Web site:
http://www.cert.org/advisories/CA-2001-22.html
For more information, click the following article number to view the article in the Microsoft Knowledge Base:
306913 Error message caused by Sircam32 virus when you start a program
Microsoft provides third-party contact information to help you find technical support. This contact information may change without notice. Microsoft does not guarantee the accuracy of this third-party contact information.

Properties

Article ID: 311446 - Last Review: March 29, 2007 - Revision: 4.6
APPLIES TO
  • Microsoft Windows XP Home Edition
  • Microsoft Windows XP Professional
Keywords: 
kbhotfixserver kbqfe kbbug kbenv kberrmsg kbfix kbsetup KB311446
