
How to delete a self-replicating, undeletable DLL file

September 22nd, 2008 | Ajay M | 8,240 views | Windows, Windows Vista, Windows XP | Comments (33)

Let me start with a refresher about DLL files. DLL is the abbreviation for Dynamic Link Library. These files contain a lot of functions that are called by many executables and other DLLs for the operation of a Windows-based computer (I am not sure about the Mac as I have never touched one). DLL files are very important for a computer to function properly; if you open the C:\Windows\System32 folder you will find tons of them. As most of these DLLs are unknown to users, and a general computer user never bothers to look at them, virus/spyware makers take advantage of this: they create their own DLL files and hide them in the System32 folder to cause havoc on the PC.

One of my friends faced a similar issue, in which he exhausted every step to get rid of a couple of unknown DLL files (which have no reference on Google either). The malware's name is still unknown (let's call it CRAP), but he has noticed some of its symptoms. Over to Sunieet's experience with the malware.

I always thought I was capable of deleting any kind of virus/malware with ease, as that is the one thing I enjoy most. But this malware gave me tough competition and I was about to break my mettle.

Till now I am not sure about the name of the malware, as I have googled it a number of times but did not find anything. After my laptop got infected, it generated urqQiJYP.dll and ssqQgFWM.dll files in the C:\WINNT\System32 folder. I was able to delete the ssqQgFWM.dll file by rebooting the laptop in Safe Mode with Command Prompt, but the main suspicious file, “urqQiJYP.dll”, was not deletable and was creating a couple of other DLLs like acwzvo.dll, rqRBTKA.dll, jqtpskxy.dll, ssqQkJde.dll, qjemve.dll and nnnkLfef.dll in the C:\WINNT\System32 folder.

This specific piece of malware has been written in such a way that not a single antivirus application (Norton, AVG, McAfee, Trend Micro) was able to detect and fix it. It automatically shows a lot of pop-ups related to porn sites as soon as the infected PC/laptop is connected to the Internet. I had also tried to use HijackThis, considered the most popular application for dealing with viruses and malware, but in this case I was not able to open it. I tried some other tools like Hijack Pro, Pview, Tlist and Kill.exe, but with no success.

About the DLLs: most valid DLLs have a proper description and company name. These DLLs have no description or company name, but do have suspiciously strange names. To make sure that such a DLL is indeed malware, we can double-click the DLL name and check the strings within it. See if there are suspicious strings within the DLL: strings like worm, password, or the name of some suspicious website indicate that it is indeed malware.

Finally, guess what: yes, I was able to delete the crap from my laptop. Here is how I won the battle.

You need the following two tools:

- Sysinternals Process Explorer

- FreeCommander (a replacement for File Explorer)

Steps to remove the CRAP:

- Install and run FreeCommander so that we can browse and delete files.

- Start Process Explorer and search for the DLL file. You may find the DLL loaded inside a number of processes, such as Explorer.exe and Winlogon.exe.

- Now we will kill Explorer.exe, winlogon.exe and smss.exe.

- We are killing Explorer because most of the time explorer.exe is infected, so we kill it as a precautionary measure.

- Now it's time to kill winlogon.exe, if the DLL is running inside it. First we have to kill smss.exe, because that process monitors winlogon.exe and will shut down the machine if it finds that winlogon is not running. After killing smss.exe, you can safely kill winlogon.exe.

- After winlogon is gone and all the processes have ended, we can safely delete the malware.

- Press Alt+Tab to switch to FreeCommander, browse to that location and delete the DLLs and whatever other suspicious things you find.

This method can be used to delete any stubborn virus/malware or DLL files that are not easily deletable.

This post comes from the personal experience of Sunieet, who is a good friend and a brother. He used to write for this blog, but due to other commitments he is no longer able to write here.


There are 33 responses so far.

  1. I have dealt with this malware before. It is a beast to get rid of.

    It is a winlogon malware piece; it installs an entry into HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify while it is running. If you delete one of those that points to the random-named dlls, it will create another one.

    If you don’t have access to those tools, there is another way to do it with just command line tools.
    1) Find the dlls with funky random names in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify

    2) Open a command line and run:
    2a) cacls C:\path-to-randomsdf902.dll /D Everyone
    2b) attrib -R -A -S -H C:\path-to-randomsdf902.dll
    * These commands deny all access to this dll, so it cannot run or do anything

    3) Reboot and make sure that no more entries were put in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify

    All spyware stuff should be removed in Safe Mode (keep pressing F8 on reboot – choose safe mode with no networking); this helps out a lot especially if the machine is really bad and bogged down
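As an added example (not code from the post or from David's comment), here is a small Python triage script for the check David describes: it parses a .reg export of the Winlogon\Notify key and lists every Notify entry whose DllName is not in a baseline of DLLs a stock Windows XP registers there, marking names with the random upper/lower-case pattern of the post's urqQiJYP.dll and friends. The .reg sample is constructed, and the baseline set is an assumption to be adjusted for the machine being examined.

```python
import re
from os.path import basename

# Constructed .reg export (sample, not from the post) of the Winlogon\Notify key:
# a legitimate crypt32chain entry plus two that load random-named DLLs.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\urqQiJYP]
"DllName"="urqQiJYP.dll"
"Startup"="Startup"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\nnnkLfef]
"DllName"="C:\\WINNT\\System32\\nnnkLfef.dll"
'''

# Assumed baseline: the DLLs a stock Windows XP registers under Notify (adjust per machine).
BASELINE = {"crypt32.dll", "cryptnet.dll", "cscdll.dll", "wlnotify.dll", "sclgntfy.dll"}
NOTIFY_KEY = re.compile(r"^\[HKEY_LOCAL_MACHINE\\.*\\Winlogon\\Notify\\([^\]\\]+)\]$", re.I)


def decode_value(raw):
    """Decode a .reg value: quoted REG_SZ, or hex(2) (REG_EXPAND_SZ stored as UTF-16LE)."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    if raw.lower().startswith("hex(2):"):
        data = bytes(int(b, 16) for b in raw[7:].split(",") if b)
        return data.decode("utf-16-le").rstrip("\x00")
    return raw


def case_switches(name):
    """Count lower<->upper transitions: random name generators produce several, real names few."""
    letters = [c for c in name if c.isalpha()]
    return sum(1 for a, b in zip(letters, letters[1:]) if a.isupper() != b.isupper())


def find_unknown_notify_dlls(reg_text, baseline=BASELINE):
    """Return the Notify entries whose DLL is not in the baseline, in file order."""
    findings, subkey = [], None
    for line in reg_text.splitlines():
        if m := NOTIFY_KEY.match(line.strip()):
            subkey = m.group(1)
            continue
        if subkey and line.lower().startswith('"dllname"='):
            dll = decode_value(line.split("=", 1)[1].strip())
            name = basename(dll.replace("\\", "/"))  # works for bare names and full paths
            if name.lower() not in baseline:
                findings.append({"subkey": subkey, "dll": dll, "random_looking": case_switches(name.rsplit(".", 1)[0]) >= 2})
    return findings
```

Export the key with `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" notify.reg` on the affected machine and pass the file's text to `find_unknown_notify_dlls`; anything it reports is what David's step 1 tells you to look for.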

  2. Hey David, that’s a nice suggestion. Let me check those steps by regenerating the issue in my PC.

  3. Thanks for taking the time to document this – viruses/malware can be a real pain and huge amounts of time can be spent trying to resolve them.

    I’m certain your article will help many people.

  4. Thanks for all the tips.

  5. Thanks for this great tip. Bookmarked. I just hope I won’t come into a situation where I need to use this solution :)

  6. Great information. I am assuming that you couldn’t just boot into safe mode and delete the culprit files…?

  7. Hello Mark, you can boot into safe mode, but it still will not allow you to delete the file, even in safe mode.

  8. Great tips. Really like each one of them. And the comments are awesome. Tell me, can we delete hidden files with this as well?

  9. Thanks for the great article. BUT I have two problems.
    1. When I hit F* during reboot, I get a screen asking for a new boot disc location rather than the mode screen. I’ve also tried to “rudely” shut down the machine and still no option for safe mode; so I cannot try that.

    2. When I go through the process discussed above, I get to the step to end smss.exe and windows tells me I cannot end that process because it is a system process.

    3. When I try to restart in diagnostic mode through msconfig, it tells me I cannot because I am not an administrator, but I am, and I’m the only user for the machine.

    What the heck have I done wrong? I have Windows XP home edition with SP2.

    Thanks for any help. The .dll I’m trying to remove is attached to winlogon.exe according to “Process Explorer” and is some sort of an add-on from a trial program I decided not to keep.

  10. Wow, that’s a very informative post.. :) . A few weeks earlier I installed a software (RegRun 5) and it created an autorun.inf folder on each of my drives (the folder has just a 0 KB file with the name ” lpt3.Drive_is_protected_against_flash_viruses_by_RegRun ”). I removed the software as it was a trial version only. Btw, now I am not able to delete that folder or the 0 KB file in it.
    Please tell me a solution for it.. will I be able to delete it with the same method stated in the post? ;)

  11. Update:

    OIC, I have to “kill” it using Process Explorer instead of task manager. That worked for both smss and winlogon. Thanks!

  12. I have dealt with viruses before in a previous IT life, but a DLL running rampant was a new one on me. Well, actually it happened on my daughter’s computer, so after about $60 in spyware downloads and various other sources I finally beat it. Wish I had seen your blog post first. I would still have my $60.

    Buddy

  13. I have been looking for this method for a long time and thank goodness I finally found it here…

    I will try it now! Thanks for the useful tips, mate ;)

  14. @ Anoop,

    Please try to delete the file using Command Prompt (RD command) or in Safe Mode. If no luck, then reinstall the application and perform the “How to unprotect” steps in the following URL:

    http://www.greatis.com/webhelp/regrun___detailed_instructions/usb_flash_stick_protection/usb_flash_stick_protection.htm

    and then uninstall the application. However, you may try the steps mentioned in the post… Good luck :)

  15. Great proposal, David. It really works.

  16. Thanks for the tips, I’m going to look into those applications you’ve referenced. I have a couple of people whose computers I fix periodically and to them, I usually suggest not running under the admin account but rather using a limited account.

    This reduces the chance of a virus, but does pose its own challenges, such as doing updates for Windows and/or antivirus which have to run under the admin account. Sometimes they remember, other times they forget.

  17. Thanks for the useful and great tips. The post is very informative.

  18. Sharing this post with my tech manager tomorrow – spyware is causing us such grief. This may solve the problem we’ve been having. Thanks for this information.

  19. I had the same problem….
    I have tried everything, with no result….
    Then I found the UnHackMe program and everything was solved.

    The very best malware, rootkit etc. program I have tried, and very light.
    Try it and you will see the difference.

  20. Great guide, if only I had known this some years back. Those pesky viruses were hard to remove back in the day.

    Also, it’s important to note that not all spyware apps have such DLL files; some of them can be removed right away. I had a keylogger installed once a long time ago and after getting rid of the DLL files along with the other crap, it never came back.

  21. Thanks for all these tips – they’ve proved useful and I’ve bookmarked your site.

  22. Great post.

    Previously I “scraped away” everything but the undeletable dll. Your tip worked for me (Windows XP Pro SP3) just as described.

    Thanks!

  23. I hate vista((

  24. I have had so much trouble with these pesky dll malware files. They really take the mick out of me! Not to sound like an annoying mac fanboy, but this is one of the reasons that I have enjoyed having my mac now . . . I don’t deal with any of this, and I don’t have an antivirus program running constantly in the back of my computer slowing things down for me.
    However, I still have a pc, and although this is a lot of effort, this is the first way I have seen to get rid of these files!
    So Cheers!

  25. Thanks for this. My husband has been having trouble with a dll file on his new computer, so I’ll forward him this post to see if it helps him.

  26. Thanks for the tip! Will come in handy!

  27. A friend of mine used this same procedure to eliminate some pesky dlls and he messed up his PC. He might have done it wrong, but he told me that if you do this, a Windows rollback will not work for this.

    Is he right? I would like to do this…I’m just a little nervous. :)

  28. Nice information! Thanks for it. So far I have had no problems with these files, but I hope I won’t have any in the future either. I am afraid of deleting anything like this, because I am sure that my PC will start malfunctioning after that……

  29. Is this virus related? I think I’ve had problems with this… anyway… good to know.

  30. Thanks for the info

  31. Ajay –

    You’re a life saver. This is the ONLY relevant piece I’ve found in quite a bit of searching. It helped me get rid of a problematic .dll file after hours of trying!

    One addendum for note to others doing this: I had to go into regedit from inside File Commander (while in safe mode) via the “Run” option in one of the dropdown menus and delete references to the .dll file of interest. FileCommander still wouldn’t let me delete the file, but I rebooted into safe mode again and then was able to delete the file. Somehow, despite having killed WINLOGON.exe and explorer.exe (the only two processes that had been using the dll), it said it was still in use. Oh well, it’s gone now!

    Thanks again Ajay.

  32. I am glad that it worked for you and you have been able to get rid of the notorious virus.
    Bookmark the site for future reference as I will be posting more life saving tips.

  33. Nice to see someone succeed. These days I have a virus in my PC which I have formatted a couple of times, but my efforts seem to be in vain.

    No antivirus software can be installed and I’m on my own…. Suggest anything you could, would be grateful!
