Customer keeps getting a warning about an infected file (cmdline.dll), which seems to have significantly slowed down her PC.

Once I take a look, it appears that she is running the an aol antivirus… it tries to remove the infected file, but the warning keeps coming back.

I’ve never seen the aol antivirus before, so I take a quick look, and it looks like its just a re-badged kaspersky antivir… but its no longer supported.

OK, I uninstall the existing antivirus, and install (and update) antivir & windows defender.

But the real-time protection of antivir doesn’t pickup anything.

I scan using defender but that also detects nothing.

I use defender in safe mode, but it still detects nothing

In safe mode, I delete cmdline.dll, but after a restart, it reappears again… even after disabling all the obscure startup programs.

So I use bhodemon to disable anything suspicious, but at the end, I seem to have stopped it from from actually running, but it still keeps reappearing in the users temp folder

By this stage, I was running out of time (and customer is happy with the speed increase). I don’t feel comfortable leaving the PC like this, but I decide to take a closer look when I return. I reckon its effectively disabled, except for the part that re-created the cmdline.dll file.

I later heard about a program called “starter”

With it, I can see everything that wants to start automatically… it also picks up on hidden registry entries. What makes a big difference is that I can view all running processes and find out which process is locking cmdline.dll.

I’ll be using it the next time I discover difficult to stop processes.