Finding and Removing WWWCool Mal-Ware using Registry Manager© and the XP Recovery Console
WWWCool has many versions; one of the rarer versions employs registry data hiding techniques to disguise one of its two components.
NOTICE: WWWCool now has literally hundreds of variants. The information provided here may not apply to your variant of the WWWCool virus.
To find and remove the 'super' hidden component you need to find the real value of the registry value:
| Value Name | AppInit_DLLs |
| Key Name | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows |
To find this value, download the trial version of Registry Manager (and/or purchase the full version if you like it) and browse to the above named value (at which point a tamper-evident warning will be given).
Registry Manager will display the real value of "AppInit_DLLs".
Write this value down, because you will not be able to delete it from within Windows whilst the Mal-Ware application is running, and it's not accessible from the recovery console.
Next reboot from the XP CD and use the recovery console to delete the named file.
KVK Consultancy provides the following advice 'as is' and takes no responsibility for any damage caused in the attempt to carry out this procedure.
To delete a file using the recovery console (be VERY careful, serious damage can be done if done wrong):
| 1) | Boot from XP CD. |
| 2) | Select 'R' "Repair using recovery console" from the menu. |
| 3) | Choose your installation (usually 1). |
| 4) | Log on using the Administrator password (blank by default). |
| 5) | Type: CD \WINDOWS\System32 |
| 6) | Type: DEL [file name] |

Where [file name] is the name of the file hidden in the AppInit_DLLs.

Reboot into Windows. Use a SpyWare scanner to clean any other lingering components and associated files.
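
A follow-up check for after the final reboot, added here as an example and not part of the original page or of Registry Manager: it lists every DLL that AppInit_DLLs still references and reports whether the file exists and how its Authenticode signature verifies. It assumes PowerShell 2.0 or later is installed, the function name Get-AppInitEntry is made up for this example, and it reads the value through the ordinary registry API, so it is meant for confirming the cleanup, not for uncovering a value that is still being hidden.

```powershell
# Added example (not from the original page): list what AppInit_DLLs references.
# Each key is paired with the folder Windows resolves bare DLL names against.
$targets = @(
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
       Dir = Join-Path $env:SystemRoot 'System32' },
    # 32-bit registry view; present only on 64-bit Windows.
    @{ Key = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'
       Dir = Join-Path $env:SystemRoot 'SysWOW64' }
)

# Hypothetical helper name, chosen for this example.
function Get-AppInitEntry {
    param([string]$Key, [string]$Dir)

    if (-not (Test-Path -Path $Key)) { return }
    $raw = (Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue).AppInit_DLLs
    if ([string]::IsNullOrEmpty($raw)) { return }

    # The value is a list of DLL names separated by spaces or commas.
    foreach ($name in ($raw -split '[ ,]+' | Where-Object { $_ })) {
        if ([System.IO.Path]::IsPathRooted($name)) { $path = $name }
        else { $path = Join-Path $Dir $name }

        $exists = Test-Path -LiteralPath $path -PathType Leaf
        $sig = 'n/a'
        if ($exists) { $sig = (Get-AuthenticodeSignature -FilePath $path).Status }

        New-Object PSObject -Property @{
            Key = $Key; Entry = $name; Path = $path
            Exists = $exists; Signature = $sig
        }
    }
}

$found = foreach ($t in $targets) { Get-AppInitEntry -Key $t.Key -Dir $t.Dir }
if ($found) {
    $found | Select-Object Key, Entry, Path, Exists, Signature | Format-List
} else {
    'AppInit_DLLs is empty in every view checked.'
}
```

An entry with Exists set to False after the procedure is the leftover reference to the file deleted in step 6; an entry that exists but is not validly signed is a candidate for the SpyWare scan mentioned above.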