You say regedit don't work. Try finding the file, make a
copy of it and rename it to regedit.com (Remember that you
need to be able to see the whole extension)
Here is what Trend has to say: (also remember to disable
system restore)
Solution:
Terminating the Malware Program
This procedure terminates the running malware process from
memory.
Open Windows Task Manager.
On Windows 9x/ME systems, press
CTRL+ALT+DELETE
On Windows NT/2000/XP systems, press
CTRL+SHIFT+ESC, and click the Processes tab.
In the list of running programs, locate either or both
processes:
System32.exe
Cmd32.exe
Select one of the processes, then press either the End
Task or the End Process button, depending on the version
of Windows on your system.
Do the same for all running malware processes.
To check if the malware process has been terminated, close
Task Manager, and then open it again.
Close Task Manager.
*NOTE: On systems running Windows 9x/ME, Task Manager may
not show certain processes. You may use a third party
process viewer to terminate the malware process.
Otherwise, continue with the next procedure, noting
additional instructions.
Removing Autostart Entries from the Registry
Removing autostart entries from the registry prevents the
malware from executing during startup.
Open Registry Editor. To do this, click Start>Run, type
REGEDIT, then press Enter.
In the left panel, double-click the following:
HKEY_CURRENT_USER>Software>Microsoft>Windows>
CurrentVersion>Runonce
In the right panel, locate and delete the entry or entries:
SystemSAS = "system32.exe"
CMD = "cmd32.exe"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>
CurrentVersion>Run
In the right panel, locate and delete the entry or entries:
SystemSAS = "system32.exe"
CMD = "cmd32.exe"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>
CurrentVersion>RunServices
In the right panel, locate and delete the entry or entries:
SystemSAS = "system32.exe"
CMD = "cmd32.exe"
In the left panel, double-click the following:
HKEY_USERS>.DEFAULT>Software>Microsoft>Windows>
CurrentVersion>Runonce
In the right panel, locate and delete the entry or entries:
SystemSAS = "system32.exe"
CMD = "cmd32.exe"
Removing Malware Registry Key
In Registry Editor, in the left panel, double-click the
following:
HKEY_LOCAL_MACHINE>Software>Krypton
Still in the left panel, delete the subkey:
Krypton
Close Registry Editor
And this is Symantec:
Click Start, and click Run. The Run dialog box appears.
Type regedit and then click OK. The Registry Editor opens.
Navigate to each of these keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersio
n\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersio
n\RunServices
For each one, look in the right pane, and delete this
value:
Windows Explorer Update Build 1142
Click Registry, and click Exit.
Just make sure what version of KWBOT virus it is.
Hope this counts as something
