Unable to delete spyware .dll file in Safe Mode with Command Prompt

C.O.

I'm trying to delete a mosanugo.dll file in my C:\Windows\System32 folder,
and I'm unable to delete it, even using the del command in Safe Mode with
Command Prompt.

Any ideas? I tried using a VundoFix program in normal mode, but it detected
nothing.
 
Patrick Keenan

C.O. said:
I'm trying to delete a mosanugo.dll file in my C:\Windows\System32 folder,
and I'm unable to delete it, even using the del command in Safe Mode with
Command Prompt.

Any ideas? I tried using a VundoFix program in normal mode, but it detected
nothing.

Rename it, then reboot and delete it.

The reason you can't delete it is likely because you haven't disabled what
is calling it.

In the worst case, attach the drive to another system, and delete it from
there. Then, scan that drive for malware.

HTH
-pk
 
C.O.

Hmm, I don't think it's letting me rename it either.

I don't have a hard drive enclosure for this notebook drive, but
fortunately, I found a program called HijackThis by Trend Micro, and it had
the option to delete a file upon bootup. Somehow that worked, even though
Safe Mode from Command Prompt didn't.

Thanks though!
 
Mick Murphy

Download, install, and update these 2 programs in Normal mode.
Reboot into Safe mode, and scan your System with them.
Scan with your AV while you are there.

http://www.spybot.info/en/index.html

Spybot Search & Destroy 1.6 is a very good, FREE Anti-Spyware Program.
Download, install, update, and immunize your System with it.
Then SCAN with it.
Update it, and scan your System once a fortnight.

http://www.malwarebytes.org/mbam.php

Malwarebytes is, as the name says, a Malware Remover!
For the Free version scroll down their page to either download from
Download.com, or Major Geeks.com

Download, install, and update.
 
Bill P

C.O. said:
I'm trying to delete a mosanugo.dll file in my C:\Windows\System32 folder,
and I'm unable to delete it, even using the del command in Safe Mode with
Command Prompt.

Any ideas? I tried using a VundoFix program in normal mode, but it detected
nothing.

You could try Killbox.
http://killbox.net/
Regards Bill
 
PA Bear [MS MVP]

Unexplained computer behavior may be caused by deceptive software
http://support.microsoft.com/kb/827315

Run a /thorough/ check for hijackware, including posting your hijackthis log
to an appropriate forum.

Checking for/Help with Hijackware
http://aumha.org/a/parasite.htm
http://aumha.org/a/quickfix.htm
http://aumha.net/viewtopic.php?t=5878
http://mvps.org/winhelp2002/unwanted.htm
http://inetexplorer.mvps.org/data/prevention.htm
http://inetexplorer.mvps.org/tshoot.html
http://www.mvps.org/sramesh2k/Malware_Defence.htm
http://defendingyourmachine2.blogspot.com/
http://www.elephantboycomputers.com/page2.html#Removing_Malware

When all else fails, HijackThis v2.0.2
(http://aumha.org/downloads/hijackthis.exe) is the preferred tool to use (in
conjunction with some other utilities). HijackThis will NOT fix anything on
its own, but it will help you to both identify and remove any
hijackware/spyware with assistance from an expert. **Post your log to
http://spywarehammer.com/simplemachinesforum/index.php?board=10.0,
http://forums.spybot.info/forumdisplay.php?f=22,
http://aumha.net/viewforum.php?f=30, or another appropriate forum for review
by an expert in such matters, not here.**

If the procedures look too complex - and there is no shame in admitting this
isn't your cup of tea - take the machine to a local, reputable and
independent (i.e., not BigBoxStoreUSA or Geek Squad) computer repair shop.
 
Patrick Keenan

Hank J. said:
If the OP can't delete it, what makes you think it can be renamed????

Because I've done this a number of times. Sometimes the file is not
totally locked. Also, you should be able to rename in Safe Mode.

HTH
-pk
 
Carmens

I have a similar problem. Symantec antivirus is not detecting this trojan,
but Spybot S&D finds it as virtumonde.sci and smitfraud-c. It is not able to
remove one file named xxyvVOEW.dll in the system32 folder. I cannot delete or
rename this file even in cmd prompt. I scanned with BitDefender and it sees
it as Trojan.Vundo.GHM but is unable to delete it. Some of its files are
deleted but they end up reinstalling themselves again. I even tried
HijackThis but it has not helped.
 
Elmo

Carmens said:
I have a similar problem. Symantec antivirus is not detecting this trojan,
but Spybot S&D finds it as virtumonde.sci and smitfraud-c. It is not able to
remove one file named xxyvVOEW.dll in the system32 folder. I cannot delete or
rename this file even in cmd prompt. I scanned with BitDefender and it sees
it as Trojan.Vundo.GHM but is unable to delete it. Some of its files are
deleted but they end up reinstalling themselves again. I even tried
HijackThis but it has not helped.

Do all the following in Safe Mode. Avast! has a boot scan which might
remove the malware before it can take control. I believe McAfee has
this ability too. Another thing I would try:

Click Start, Run, type REGEDIT, click OK. Press the Home key, press F3,
type the name of the file into the search pane. Click "Find Next", and
when located, delete the reference to the file. Press F3 to continue
the search.

You can click File, Export, and save the entry to the Desktop. If you
remove it and there's a problem, double-click the .reg file you exported
to the Desktop and it'll be added to the registry again. You can create
a restore point before editing the registry too.

You could click Start, Run, type MSCONFIG, click OK, click the StartUp
tab, and deselect the item(s). When you restart the computer, you will
be warned that you're running in the Diagnostic mode; click to not alert
you again, and OK out. You won't see the message again. But I think
it's best to just remove the references from the registry.

Also press Ctrl/Alt-Delete and shut down many tasks that could be
malware. Explorer32.exe is malware, e.g. If you shut down the right
ones, they may not be able to protect their entries, you might gain
control in Safe Mode, and be able to run some of the a/v software
effectively. As it is, you may be getting false reports from the
malware anyway.
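
The registry search described in the post above can also be run offline against the .reg file produced by File, Export. This is an added example, not part of the thread: it decodes hex(2)-style values, which a plain text search of the export misses. The keys, value names and the find_references helper are constructed for illustration; only the file name mosanugo.dll comes from the original question.

```python
import re

VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$', re.S)

def decode(raw):
    """Turn a .reg name or data token into the text it represents."""
    raw = raw.strip()
    m = re.match(r'hex\((?:1|2|7)\):(.*)', raw, re.S)
    if m:  # REG_SZ / REG_EXPAND_SZ / REG_MULTI_SZ stored as UTF-16LE bytes
        data = bytes(int(b, 16) for b in m.group(1).split(',') if b.strip())
        return data.decode('utf-16-le', 'replace').replace('\x00', ' ').strip()
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return re.sub(r'\\(.)', r'\1', raw[1:-1])  # undo \\ and \" escapes
    return raw  # dword:, binary hex: and @ are left as written

def find_references(reg_text, needle):
    """Return (key, value name, data) for every value mentioning needle."""
    hits, key, pending = [], None, ''
    needle = needle.lower()
    for line in reg_text.splitlines():
        line = pending + line.strip()
        if line.endswith('\\'):  # hex data continues on the next line
            pending = line[:-1]
            continue
        pending = ''
        if line.startswith('[') and line.endswith(']'):
            key = line[1:-1]
            continue
        m = VALUE_RE.match(line)
        if m and key:
            name, data = decode(m.group(1)), decode(m.group(2))
            if needle in name.lower() or needle in data.lower():
                hits.append((key, name, data))
    return hits

# Constructed sample export (hypothetical keys and value names).
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Updater"="rundll32.exe \"C:\\Windows\\System32\\mosanugo.dll\",a"
"Sound"="C:\\Program Files\\Audio\\tray.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Example\Loader]
"Dll"=hex(2):6d,00,6f,00,73,00,61,00,6e,00,75,00,67,00,6f,00,2e,00,\
  64,00,6c,00,6c,00,00,00
'''

if __name__ == "__main__":
    for key, name, data in find_references(SAMPLE, "mosanugo.dll"):
        print(f"{key}\n    {name} = {data}")
```

Regedit writes Version 5.00 exports as UTF-16, so read a real export with `open(path, encoding="utf-16")` before passing its text in.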
 