Solution:
Terminating the Malware Program
This procedure terminates the running malware process from memory.
1. Open Windows Task Manager.
On Windows 9x/ME systems, press CTRL+ALT+DELETE.
On Windows NT/2000/XP systems, press CTRL+SHIFT+ESC, and click the Processes tab.
2. In the list of running programs, locate either or both processes:
System32.exe
Cmd32.exe
3. Select one of the processes, then press either the End Task or the End
Process button, depending on the version of Windows on your system.
4. Do the same for all running malware processes.
5. To check if the malware process has been terminated, close Task
Manager, and then open it again.
6. Close Task Manager.
*NOTE: On systems running Windows 9x/ME, Task Manager may not show certain
processes. You may use a third party process viewer to terminate the malware
process. Otherwise, continue with the next procedure, noting additional
instructions.
Removing Autostart Entries from the Registry
Removing autostart entries from the registry prevents the malware from
executing during startup.
1. Open Registry Editor. To do this, click Start>Run, type REGEDIT, then
press Enter.
2. In the left panel, double-click the following:
HKEY_CURRENT_USER>Software>Microsoft>Windows>CurrentVersion>Runonce
3. In the right panel, locate and delete the entry or entries:
SystemSAS = "system32.exe"
CMD = "cmd32.exe"
4. In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>Run
5. In the right panel, locate and delete the entry or entries:
SystemSAS = "system32.exe"
CMD = "cmd32.exe"
6. In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>RunServices
7. In the right panel, locate and delete the entry or entries:
SystemSAS = "system32.exe"
CMD = "cmd32.exe"
8. In the left panel, double-click the following:
HKEY_USERS>.DEFAULT>Software>Microsoft>Windows>CurrentVersion>Runonce
9. In the right panel, locate and delete the entry or entries:
SystemSAS = "system32.exe"
CMD = "cmd32.exe"
Removing Malware Registry Key
1. In Registry Editor, in the left panel, double-click the following:
HKEY_LOCAL_MACHINE>Software>Krypton
2. Still in the left panel, delete the subkey:
Krypton
3. Close Registry Editor.
NOTE: If you were not able to terminate the malware process from memory, as
described in the previous procedure, restart your system in safe mode.
Quote:
> I too am infected with the virus. I ran Norton in safe
> mode and made the changes to the registry described in
> the instructions, but still get messages about infected
> files and am still not able to use the CD or A drive that
> have been disabled by the virus. Any suggestions would be
> greatly appreciated.
> Michael McElroy
> >-----Original Message-----
> >You need to run Norton AV under Safe Mode.
> >Here is the removal instruction:
> >http://securityresponse.symantec.com/avcenter/venc/data/w32.kwbot.c.worm.html
> >.
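
A read-only PowerShell check for the leftovers that the removal steps above target, useful when cleanup has been done but alerts continue. This is an added example, not part of the original posts; it assumes a Windows version that has PowerShell (not Windows 9x/ME), and the function name Find-AutostartLeftovers is hypothetical.

```powershell
# Added example: read-only audit, nothing is deleted or terminated.
$autostartKeys = @(
    'Registry::HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run',
    'Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices',
    'Registry::HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Value name -> file name, exactly as listed in the removal steps.
$suspectValues = @{ 'SystemSAS' = 'system32.exe'; 'CMD' = 'cmd32.exe' }
$malwareKey    = 'Registry::HKEY_LOCAL_MACHINE\Software\Krypton'

function Find-AutostartLeftovers {   # hypothetical helper name
    param([string[]]$Keys, [hashtable]$Values)
    foreach ($key in $Keys) {
        # Skip keys that do not exist on this Windows version or profile.
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $item = Get-Item -LiteralPath $key
        foreach ($name in $item.GetValueNames()) {
            if (-not $Values.ContainsKey($name)) { continue }
            $data = [string]$item.GetValue($name)
            [pscustomobject]@{
                Key         = $key -replace '^Registry::', ''
                Name        = $name
                Data        = $data
                # False means the name matches but the data differs: review by hand.
                MatchesPost = $data -like "*$($Values[$name])*"
            }
        }
    }
}

$hits    = @(Find-AutostartLeftovers -Keys $autostartKeys -Values $suspectValues)
$procs   = @(Get-Process -Name 'System32', 'Cmd32' -ErrorAction SilentlyContinue)
$keyLeft = Test-Path -LiteralPath $malwareKey

if ($hits.Count)  { $hits | Format-Table -AutoSize }
if ($procs.Count) { $procs | Select-Object Name, Id, Path | Format-Table -AutoSize }
if ($keyLeft)     { 'Key still present: HKEY_LOCAL_MACHINE\Software\Krypton' }
if (-not ($hits.Count -or $procs.Count -or $keyLeft)) {
    'No listed autostart value, process, or Krypton key found.'
}
```

HKEY_CURRENT_USER is per-user, so run the check once under each account that logs on to the machine.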