JSI Tip 7716. When you start Windows XP, you receive 'Cannot find C:\Windows\System32\System32.exe'?

This error message indicates that the W32.KWBot.C.Worm virus was not completely removed from the registry.

To remove the virus from the registry:

01. Open Regedit.exe.

02. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. If the SystemSAS Value Name exists, and contains the system32.exe data value, delete the Value Name.

03. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. If the CMD Value Name exists, and contains the cmd32.exe.exe data value, delete the Value Name.

04. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices. If the SystemSAS Value Name exists, and contains the system32.exe data value, delete the Value Name.

05. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices. If the CMD Value Name exists, and contains the cmd32.exe.exe data value, delete the Value Name.

06. Navigate to HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce. If the SystemSAS Value Name exists, and contains the system32.exe data value, delete the Value Name.

07. Navigate to HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce. If the CMD Value Name exists, and contains the cmd32.exe.exe data value, delete the Value Name.

08. Delete the HKEY_LOCAL_MACHINE\SOFTWARE\Krypton key if it exists.

09. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon. If the Shell Value Name does NOT contain the correct shell (Explorer.exe by default), change it.

10. Navigate to HKEY_CURRENT_USER\SOFTWARE\Kazaa\LocalContent. Delete any Value Names that reference the %Windir%\UserTemp or %Windir%\User32 folders.

11. Navigate to HKEY_CURRENT_USER\SOFTWARE\iMesh\Client\LocalContent. Delete any Value Names that reference the %Windir%\UserTemp or %Windir%\User32 folders.

12. Exit the Registry Editor.

13. Shut down and restart Windows XP.
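
The registry checks in steps 02 through 11 can also be scripted. The following is an added example, not part of the original tip: it assumes Windows PowerShell is installed on the machine and that the Kazaa and iMesh values hold the expanded folder path in their data. The -Apply switch is a name chosen for this example; without it, the script only reports what it would delete.

```powershell
# Added example, not from the original tip. Dry run unless -Apply is given.
param([switch]$Apply)
$preview = -not $Apply            # drives -WhatIf on every delete below

# Steps 02-07: delete a value only when name AND data both match the tip.
$cv = 'SOFTWARE\Microsoft\Windows\CurrentVersion'
$pairs = @{ 'SystemSAS' = 'system32.exe'; 'CMD' = 'cmd32.exe.exe' }
foreach ($key in "HKLM:\$cv\Run", "HKLM:\$cv\RunServices", "HKCU:\$cv\RunOnce") {
    if (-not (Test-Path $key)) { continue }
    foreach ($name in $pairs.Keys) {
        $data = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
        if ("$data" -like "*$($pairs[$name])*") {
            Write-Output "MATCH  $key\$name = $data"
            Remove-ItemProperty -Path $key -Name $name -WhatIf:$preview
        }
    }
}

# Step 08: the Krypton key is removed whole if present.
$krypton = 'HKLM:\SOFTWARE\Krypton'
if (Test-Path $krypton) {
    Write-Output "MATCH  $krypton"
    Remove-Item -Path $krypton -Recurse -WhatIf:$preview
}

# Step 09: report only. The correct shell is a judgement call, so no automatic change.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$shell = (Get-ItemProperty -Path $winlogon).Shell
if ($shell -ne 'Explorer.exe') {
    Write-Output "REVIEW $winlogon\Shell = '$shell' (default is Explorer.exe)"
}

# Steps 10-11: shared-content values whose data points into the worm's folders.
# Assumption: the data holds the expanded path, e.g. C:\WINDOWS\UserTemp\...
$bad = [regex]::Escape("$env:windir\") + '(UserTemp|User32)(\\|$)'
foreach ($key in 'HKCU:\SOFTWARE\Kazaa\LocalContent', 'HKCU:\SOFTWARE\iMesh\Client\LocalContent') {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($name in (Get-Item -Path $key).Property) {
        if ("$($props.$name)" -match $bad) {
            Write-Output "MATCH  $key\$name = $($props.$name)"
            Remove-ItemProperty -Path $key -Name $name -WhatIf:$preview
        }
    }
}
```

Run it once without -Apply and review the MATCH and REVIEW lines, then rerun with -Apply and restart as in step 13.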
