CMD32.exe is not a Microsoft file; from what I can find it is part of the
KWBOT worm or one of its variants. Probably this file was quarantined by
your antivirus software, but it left the entry behind. Here are some basic
instructions for removal. If you are not 100% comfortable in the system
registry, get professional assistance and DO NOT DO THIS:
a. Click Start, and then click Run. (The Run dialog box appears.)
b. Type regedit
Then click OK. (The Registry Editor opens.)
c. Navigate to each of the keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
NOTE: All of these keys may not be found on all the systems.
d. From each key, in the right pane, delete the values if you find them:
SystemSAS system32.exe
CMD cmd32.exe
e. Navigate to and delete the key:
HKEY_Local_Machine\Software\Krypton
f. Navigate to the key:
HKEY_Local_Machine\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
NOTE: This key does not exist on all the systems. If you do not find it,
proceed to step i.
g. In the right pane, double-click: Shell
h. Change the text in the Value data box so that it reads only:
Explorer.exe
i. Navigate to each of the keys:
HKEY_Current_User\Software\Kazaa\LocalContent
HKEY_Current_User\Software\iMesh\Client\LocalContent
j. In the right pane, delete any values that refer to the
C:\%Windir%\UserTemp or
C:\%Windir%\User32 folders. For example:
Dir? 012345:C:\%Windir%\UserTemp
NOTE: "?" in this value represents a number that the worm has chosen.
k. Exit the Registry Editor.
Reboot the system and the warning message should not appear.
--
Tim Newton [MSFT]
Search our Knowledge Base at
http://support.microsoft.com/directory
Visit the Windows 2000 Homepage at
http://www.microsoft.com/windows2000/default.asp
See the Windows NT Homepage at
http://www.microsoft.com/ntserver/
NOTE: Please reply to the newsgroup and not directly to me. This allows
others to add to and benefit from these threads and also helps to ensure a
more timely response. Thank you!
This posting is provided "AS IS" without warranty either expressed or
implied, including, but not limited to, the implied warranties of
merchantability or fitness for a particular purpose. The views and opinions
expressed in this newsgroup posting are mine and do not necessarily express
or reflect the views and / or opinions of Microsoft.
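
A read-only way to check for the entries named in steps c to j of the post above, as an added example that is not part of the original post: it scans the text of a regedit export (.reg file) and reports which step each hit belongs to, without changing the registry. The function name, the step labels and the sample export are constructed for illustration; only quoted string values are parsed.

```python
import re

# Indicators from steps c-j of the post; key names are compared case-insensitively.
CV = r"hkey_local_machine\software\microsoft\windows\currentversion"
RUN_KEYS = {CV + r"\run", CV + r"\runservices",
            r"hkey_current_user\software\microsoft\windows\currentversion\runonce"}
RUN_VALUES = {"systemsas": "system32.exe", "cmd": "cmd32.exe"}
WORM_KEY = r"hkey_local_machine\software\krypton"
WINLOGON = r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon"
P2P_KEYS = {r"hkey_current_user\software\kazaa\localcontent",
            r"hkey_current_user\software\imesh\client\localcontent"}
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
WORM_DIR_RE = re.compile(r"\\(usertemp|user32)(\\|$)", re.I)

def audit_reg_export(text):
    """Return (key, value name, step letter) for each entry the post says to fix."""
    findings, key = [], None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
            if key == WORM_KEY:
                findings.append((key, None, "e"))
            continue
        m = VALUE_RE.match(line)
        if not m or key is None:
            continue
        # .reg exports escape backslashes and quotes inside strings; undo that.
        name, data = (re.sub(r"\\(.)", r"\1", g) for g in m.groups())
        if key in RUN_KEYS and data.lower() == RUN_VALUES.get(name.lower()):
            findings.append((key, name, "d"))
        elif key == WINLOGON and name.lower() == "shell" and data.strip().lower() != "explorer.exe":
            findings.append((key, name, "h"))
        elif key in P2P_KEYS and WORM_DIR_RE.search(data):
            findings.append((key, name, "j"))
    return findings

# Constructed sample export (not taken from a real system).
SAMPLE = r'''REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CMD"="cmd32.exe"
"Synchronization Manager"="mobsync.exe /logon"
[HKEY_LOCAL_MACHINE\Software\Krypton]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe example.exe"
[HKEY_CURRENT_USER\Software\Kazaa\LocalContent]
"Dir0"="012345:C:\\WINNT\\UserTemp"
'''
if __name__ == "__main__":
    print(*audit_reg_export(SAMPLE), sep="\n")
```

An export saved in the "Windows Registry Editor Version 5.00" format is UTF-16 and has to be decoded before its text is passed in.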