Finding and Removing WWWCool Mal-Ware using Registry Manager© and the XP Recovery Console

WWWCool has many versions. One of the rarer versions employs registry data hiding techniques to disguise one of its two components.

To find and remove the 'super' hidden component, you need to find the real value of the registry value:

Value Name: AppInit_DLLs
Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

To find this value, download the trial version of Registry Manager (and/or purchase the full version if you like it) and browse to the above named value (at which point a tamper evident warning will be given). Registry Manager will display the real value of "AppInit_DLLs".

Write this value down, because you will not be able to delete it from within Windows whilst the Mal-Ware application is running, and it's not accessible from the recovery console.

Next, reboot from the XP CD and use the recovery console to delete the named file.

KVK Consultancy provides the following advice 'as is' and takes no responsibility
for any damage caused in the attempt to carry out this procedure

To delete a file using the recovery console (be VERY careful; serious damage can be done if this is done wrong):

1) Boot from XP CD.
2) Select 'R' "Repair using recovery console" from the menu.
3) Choose your installation (usually 1).
4) Log on using the Administrator password (blank by default).
5) Type: CD \WINDOWS\System32
6) Type: DEL [file name]
Where [file name] is the name of the file hidden in the AppInit_DLLs value.
Reboot into Windows. Use a SpyWare scanner to clean any other lingering components and associated files.
