Customer keeps getting a warning about an infected file (cmdline.dll), which seems to have significantly slowed down her PC.
Once I take a look, it appears that she is running an AOL antivirus. It tries to remove the infected file, but the warning keeps coming back.
I’ve never seen the AOL antivirus before, so I take a quick look, and it looks like it’s just a re-badged Kaspersky antivirus… but it’s no longer supported.
OK, I uninstall the existing antivirus and install (and update) AntiVir and Windows Defender.
But the real-time protection of AntiVir doesn’t pick up anything.
I scan using Defender, but that also detects nothing.
I use Defender in safe mode, but it still detects nothing.
In safe mode, I delete cmdline.dll, but after a restart it reappears again… even after disabling all the obscure startup programs.
So I use BHODemon to disable anything suspicious. By the end I seem to have stopped it from actually running, but it still keeps reappearing in the user’s temp folder.
By this stage I was running out of time (and the customer is happy with the speed increase). I don’t feel comfortable leaving the PC like this, but I decide to take a closer look when I return. I reckon it’s effectively disabled, except for the part that re-creates the cmdline.dll file.
I later heard about a program called “starter”
With it, I can see everything that wants to start automatically… it also picks up on hidden registry entries. What makes a big difference is that I can view all running processes and find out which process is locking cmdline.dll.
I’ll be using it the next time I discover difficult-to-stop processes.
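As an added example (not code from the original post, and not part of Starter or BHODemon), here is the same pair of checks done from an elevated PowerShell prompt: which running processes have cmdline.dll mapped (a mapped module is the usual reason the file cannot be deleted, and it points straight at whatever keeps re-creating it), which standard autostart registry values reference the file, and which Browser Helper Object DLLs are registered. The only assumption is the file name `cmdline.dll` taken from the post; the registry paths are the standard Windows autostart locations and are skipped if they do not exist on the machine.

```powershell
# Added example: find what holds and re-creates a persistent DLL.
# Run from an elevated PowerShell prompt. The DLL name is a parameter so the
# same check works for any file; 'cmdline.dll' is the name from the post.
param(
    [string]$DllName = 'cmdline.dll'
)

# 1. Which running processes have the DLL loaded as a module?
Write-Host "Processes with $DllName loaded:"
Get-Process -ErrorAction SilentlyContinue | ForEach-Object {
    $proc = $_
    try {
        $hit = $proc.Modules | Where-Object { $_.ModuleName -ieq $DllName }
    } catch {
        $hit = $null   # access denied on protected/system processes; skip them
    }
    if ($hit) {
        [pscustomobject]@{
            Pid  = $proc.Id
            Name = $proc.ProcessName
            Path = ($hit | Select-Object -First 1).FileName
        }
    }
} | Format-Table -AutoSize

# 2. Standard autostart value locations. Any value whose data mentions the DLL
#    is a candidate loader. Keys that do not exist (e.g. Wow6432Node on a
#    32-bit install) are skipped.
$autostartKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',     # Shell, Userinit, Notify
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',      # AppInit_DLLs
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks'
)
Write-Host "Autostart values referencing $DllName:"
foreach ($key in $autostartKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own PSPath/PSParentPath etc.
        if ("$($p.Value)" -match [regex]::Escape($DllName)) {
            [pscustomobject]@{ Key = $key; Value = $p.Name; Data = $p.Value }
        }
    }
}

# 3. Browser Helper Objects: each subkey is a CLSID; the DLL that Internet
#    Explorer (and Explorer itself) loads is the InprocServer32 default value.
$bhoKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
if (Test-Path $bhoKey) {
    Write-Host "Registered Browser Helper Objects:"
    Get-ChildItem -Path $bhoKey | ForEach-Object {
        $clsid  = $_.PSChildName
        $server = "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32"
        $dll    = (Get-ItemProperty -Path $server -ErrorAction SilentlyContinue).'(default)'
        [pscustomobject]@{ CLSID = $clsid; Dll = $dll }
    } | Format-Table -AutoSize
}

# 4. Where the file currently lives, so it can be removed once its loader is dead.
Get-ChildItem -Path $env:TEMP -Filter $DllName -ErrorAction SilentlyContinue |
    Select-Object FullName, Length, LastWriteTime
```

The order matters: kill or disable the process and autostart entry found in steps 1 to 3 first, then delete the file in step 4; deleting the file first only repeats what the post describes, with the loader writing it back on the next boot.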