Finding and Removing WWWCool Mal-Ware using Registry Manager© and the XP Recovery Console
WWWCool has many versions; one of the rarer versions employs registry data hiding techniques to disguise one of its two components.
To find and remove the 'super' hidden component you need to find the real data stored in the AppInit_DLLs registry value under the following key:

Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
To find this value, download the trial version of Registry Manager (and/or purchase the full version if you like it) and browse to the above named value (at which point a tamper-evident warning will be given). Registry Manager will display the real value of "AppInit_DLLs". Write this value down, because you will not be able to delete it from within Windows whilst the malware application is running, and it is not accessible from the Recovery Console.
Next, reboot from the XP CD and use the Recovery Console to delete the named file.
KVK Consultancy provides the following advice 'as is' and takes no responsibility for any damage caused in the attempt to carry out this procedure.

To delete a file using the Recovery Console (be VERY careful, serious damage can be done if done
1) Boot from the XP CD.
2) Select 'R' "Repair using recovery console" from the menu.
3) Choose your installation (usually 1).
4) Log on using the Administrator password (blank by default).
5) Type: CD \WINDOWS\System32
6) Type: DEL [file name]
Where [file name] is the name of the file hidden in the AppInit_DLLs value.
Reboot into Windows and use a spyware scanner to clean any other lingering components and associated files.
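As an added example (not part of the original advice, and not Registry Manager's own output), the following PowerShell script reads the same AppInit_DLLs value through the .NET registry API, prints its raw bytes as hex so that characters a normal listing would render as nothing become visible, and reports whether each DLL the value names actually exists on disk. It assumes a PowerShell session on the affected machine; the key and value names are the ones given above.

```powershell
# Added example, not from the original advice: inspect the AppInit_DLLs value
# on a live system and show exactly what is stored there.
$keyPath   = 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
$valueName = 'AppInit_DLLs'

# Use the .NET registry API read-only so the raw data comes back untouched
# (no environment-variable expansion, no provider-side formatting).
$key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($keyPath, $false)
if (-not $key) { throw "HKLM\$keyPath not found" }
if ($key.GetValueNames() -notcontains $valueName) {
    $key.Close()
    Write-Host "$valueName is not present; nothing is loaded this way."
    return
}
$kind = $key.GetValueKind($valueName)
$raw  = $key.GetValue($valueName, $null,
        [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
$key.Close()

# Normalise to a string plus its raw bytes; REG_BINARY data comes back as byte[].
if ($raw -is [byte[]]) {
    $bytes = $raw
    $text  = [System.Text.Encoding]::Unicode.GetString($raw)
} else {
    $text  = [string]$raw
    $bytes = [System.Text.Encoding]::Unicode.GetBytes($text)
}

# A hex dump exposes characters that the console would otherwise hide.
Write-Host "Value kind : $kind"
Write-Host "Length     : $($text.Length) chars"
Write-Host "UTF-16 hex : $(($bytes | ForEach-Object { $_.ToString('x2') }) -join ' ')"

# AppInit_DLLs is a space- or comma-separated list of DLLs; a bare file name is
# loaded from System32. Report each entry, where it resolves to, and whether the
# file (the one the Recovery Console procedure above deletes) is on disk.
$entries = $text -split '[ ,]+' | Where-Object { $_ -ne '' }
foreach ($entry in $entries) {
    $visible = $entry -replace '[^\x20-\x7E]', '?'   # mark non-printable characters
    $path = $entry
    if (-not [System.IO.Path]::IsPathRooted($entry)) {
        $path = Join-Path $env:SystemRoot ('System32\' + $entry)
    }
    $exists = $false
    try { $exists = Test-Path -LiteralPath $path -PathType Leaf } catch { }
    New-Object PSObject -Property @{ Entry = $visible; ResolvedPath = $path; Exists = $exists }
}
```

An entry whose printed form contains '?' characters, or whose hex dump is longer than its visible text suggests, is the one to write down before rebooting into the Recovery Console.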