How to delete a self-replicating undeletable DLL file
Let me start with a refresher on DLL files. DLL is the abbreviation for Dynamic Link Library. These files contain many functions that are used by executable files and other DLL files in the operation of a Windows-based computer (I am not sure about Mac as I have never touched one). DLL files are very important for a computer to function properly. If you open the C:\Windows\System32 folder you can find tons of them. As most of these DLL files are unknown to many users, and a general computer user never bothers to look at them, virus/spyware makers take advantage of this and create DLL files and hide them in the System32 folder to cause havoc on the PC.
One of my friends faced a similar issue and had exhausted all the steps he knew to get rid of a couple of unknown DLL files (which do not have any reference on Google either). The malware name is still unknown (let’s call it CRAP), but he has noticed some of the symptoms. Over to Sunieet’s experience with the malware.
I always thought I was capable of deleting any kind of virus/malware with ease, as that is the one thing I enjoy most. But this malware gave me tough competition and I was about to break my mettle.
Till now I am not sure about the name of the malware, as I have googled a number of times but did not find anything. After my laptop got virus infected, it generated the urqQiJYP.dll and ssqQgFWM.dll files in the C:\WINNT\System32 folder. I was able to delete the ssqQgFWM.dll file by rebooting the laptop in Safe Mode with Command Prompt, but the main suspicious file “urqQiJYP.dll” was not deletable and was creating a couple of other DLLs like acwzvo.dll, rqRBTKA.dll, jqtpskxy.dll, ssqQkJde.dll, qjemve.dll and nnnkLfef.dll in the C:\WINNT\System32 folder.
This specific piece of malware has been written in such a way that not a single antivirus application, like Norton, AVG, McAfee or Trend Micro, was able to detect it and fix it. It automatically shows a lot of pop-ups related to porn sites as soon as the infected PC/laptop is connected to the Internet. I had also tried to use HijackThis, considered the most popular application for dealing with viruses and malware, but in this case I was not able to open the application. I tried some other tools like Hijack Pro, Pview, Tlist and Kill.exe, but with no success.
About the DLLs: most valid DLLs will have a proper description and company name. These DLLs do not have any description or company name, and they have suspiciously strange names. In order to make sure that a DLL is indeed malware, we can double-click the DLL name and check the strings within the DLL. See if there are any suspicious strings within it. Strings like worm, password, or the name of some suspicious website indicate that it is indeed malware.
Finally, guess what: yes, I was able to delete the crap from my lappy. And here is how I won the battle.
You need the following two tools:
- Sysinternals Process Explorer
- FreeCommander (a replacement for File Explorer)
Steps to remove the CRAP:
- Install and run FreeCommander so that we can browse and delete files.
- Start Process Explorer and search for the DLL file. You may find the DLL files are running inside a number of processes like Explorer.exe and Winlogon.exe.

- Now we will kill Explorer.exe, Winlogon.exe and Smss.exe.
- We are killing Explorer.exe because most of the time it is infected, so we kill it as a precautionary measure.
- Now it's time to kill Winlogon.exe, if the DLL is running inside it. First we have to kill Smss.exe, because this process monitors Winlogon.exe and will shut down the machine if it finds that Winlogon is not running. After killing Smss.exe, you can safely kill Winlogon.exe.
- After Winlogon is gone and all the processes have ended, we can safely delete the malware.
- Press Alt+Tab to open FreeCommander, browse to that location and delete the DLLs and whatever suspicious things you find.
This method can be used to delete any stubborn virus/malware or DLL files which are not easily deletable.
This post is out of a personal experience from Sunieet who is a good friend and a brother. He used to write for the blog but due to some other commitments he is no longer able to write here.
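The DLL check described in the post (no description or company name, plus suspicious strings inside the file) can be scripted. The following Python sketch is an added example, not part of the original post or any tool it mentions. Assumptions: the keyword list is illustrative, the sample bytes are constructed, and the version fields are located by the first occurrence of the key in the file rather than by walking the PE resource directory.

```python
import re
import struct
import sys

# Assumed keyword list: the post's examples ("worm", "password") plus URL
# prefixes to surface embedded website names. Extend it for your own triage.
KEYWORDS = (b"worm", b"password", b"http://", b"https://", b"www.")
VERSION_KEYS = ("CompanyName", "FileDescription")

def extract_strings(data, min_len=5):
    """Printable ASCII and UTF-16LE runs, similar to a 'strings' tool."""
    narrow = re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)
    wide = re.findall(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data)
    return narrow + [w[::2] for w in wide]  # drop the zero high bytes

def version_field(data, key):
    """Read one value from the version resource's string table, or None.

    Each entry is: wLength, wValueLength, wType (3 x uint16), the UTF-16LE
    key, padding to a 4-byte boundary, then the UTF-16LE value.
    """
    raw = key.encode("utf-16-le") + b"\x00\x00"
    pos = data.find(raw)
    if pos < 6:
        return None
    words = struct.unpack_from("<H", data, pos - 4)[0]  # value length in WCHARs
    start = pos - 6 + ((6 + len(raw) + 3) & ~3)
    value = data[start:start + 2 * words].decode("utf-16-le", "ignore")
    return value.strip("\x00 ") or None

def triage(data):
    """Apply the two checks: missing vendor metadata and suspicious strings."""
    fields = {k: version_field(data, k) for k in VERSION_KEYS}
    hits = [s.decode("ascii") for s in extract_strings(data)
            if any(k in s.lower() for k in KEYWORDS)]
    return {"missing": [k for k, v in fields.items() if not v],
            "fields": fields, "suspicious": hits}

# Constructed sample bytes (not a real DLL): no version strings, two bait strings.
SAMPLE = (b"MZ\x90\x00" + b"\x00" * 16 + b"steal_password_v2\x00\x01"
          + "http://popups.example.invalid".encode("utf-16-le") + b"\x00\x00")

if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    report = triage(blob)
    print("missing version fields:", report["missing"])
    for s in report["suspicious"]:
        print("suspicious string:", s)
```

Run it with a file path as the only argument to triage a copy of a suspect DLL; without arguments it reports on the constructed sample. A hit is a reason to look closer, not proof of malware, since legitimate DLLs can also contain words like "password".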
