How to delete the folders used by the wow.dll malware

The malware creates a hidden folder. It adds a folder with a random-character name to your Temp directory, C:\Users\Username\AppData\Local\Temp\, usually nested one level deep, like this:

C:\Users\Username\AppData\Local\Temp\newFolder\newFolder

and drops its wow.dll and wow64.dll files inside that self-created folder.

Note: wow64.dll is a legitimate Windows file, but the copy in this new folder is part of the malware and has nothing to do with the real one in C:\Windows\System32. In System32 you will find wow64.dll, wow64win.dll and wow64cpu.dll; they are the WOW64 layer that lets 32-bit programs run on 64-bit Windows. These files are GOOD, please don't touch them.

 

If you try to find the newly created malware folder by following the path in Explorer (C >> Users >> YourUserName >> AppData >> Local >> Temp), you will not see it in the Temp folder, because it is super hidden: it carries both the Hidden and the System attribute, and Explorer does not show such items even with "Show hidden files" turned on unless "Hide protected operating system files" is also unchecked. The steps below show how to unhide such a super hidden folder and remove it.

 

Step one:

Open a Command Prompt:

  • Click Start
  • Type cmd and press Enter.

In the Command Prompt, change into the Temp directory one level at a time (it opens in C:\Users\YourName by default):

C:\Users\YourName> cd AppData then Enter

C:\Users\YourName\AppData> cd Local then Enter

C:\Users\YourName\AppData\Local> cd Temp then Enter

C:\Users\YourName\AppData\Local\Temp>

Then, to see whether any hidden files or folders are in this directory, type the following command in the Command Prompt:

C:\Users\YourName\AppData\Local\Temp> dir /ah then Enter

This lists the files and folders carrying the Hidden attribute in the Temp directory, including the Hidden+System ones that Explorer does not show. Most likely you will find a malware folder with a random-character name, for example svsxgd, or another folder that you think is suspicious. Hidden items in Temp are not unusual on their own; what marks this one is that it contains wow.dll and wow64.dll.

 

Step two:

To make the suspicious folder visible in the Temp folder, strip its attributes with attrib. The attribute switches go before the folder name:

C:\Users\YourName\AppData\Local\Temp> attrib -R -A -S -H suspiciousFolderName then Enter

(Notice: attrib does not display files; it changes the attributes of a file or folder. A minus sign removes an attribute (-H clears Hidden, -S clears System, -R clears Read-only, -A clears Archive) and a plus sign sets it, which is how the malware hid the folder in the first place. -H and -S are the two that matter for making it visible.)

 

Step three:

To check that the previously hidden malware folder is now visible in C:\Users\YourName\AppData\Local\Temp\, open that directory in Explorer (C >> Users >> YourUserName >> AppData >> Local >> Temp). If it shows up, right-click it and delete the malware folder. Done!!
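The three steps above as one script, added here as an example and not part of the original page: it lists the hidden folders under Temp, keeps only those that contain wow.dll or wow64.dll, clears their attributes and deletes them, and refuses to touch anything under C:\Windows. The script name Remove-WowTemp.ps1, the -Delete switch and the sample folder name svsxgd are assumptions; run it from an elevated PowerShell prompt.

```powershell
# Added example, not from the original page. Locates "super hidden"
# (Hidden + System) folders under the user's Temp directory that contain the
# malware's wow.dll / wow64.dll, clears their attributes and deletes them.
# Anything under C:\Windows (including the real System32\wow64.dll) is left
# alone. Run from an elevated PowerShell prompt; without -Delete it only reports.

param(
    [string]   $TempDir    = (Join-Path $env:LOCALAPPDATA 'Temp'),
    [string[]] $Indicators = @('wow.dll', 'wow64.dll'),   # names dropped by the malware
    [switch]   $Delete                                     # actually remove what is found
)

$protect = [IO.FileAttributes]::Hidden -bor [IO.FileAttributes]::System -bor [IO.FileAttributes]::ReadOnly

function Clear-HidingAttributes {
    # Step two, done through .NET instead of attrib: strip Hidden/System/ReadOnly
    # from one item while keeping its other attributes (e.g. Directory).
    param([IO.FileSystemInfo] $Item)
    $Item.Attributes = $Item.Attributes -band (-bnot $protect)
}

# Step one: list the hidden folders in Temp. -Force makes Get-ChildItem
# return Hidden and System items, the same set that "dir /ah" shows in cmd.
$hidden = Get-ChildItem -LiteralPath $TempDir -Directory -Force |
    Where-Object { ($_.Attributes -band [IO.FileAttributes]::Hidden) -ne 0 }

foreach ($dir in $hidden) {
    # Safety guard: never operate inside the Windows directory.
    if ($dir.FullName -like "$($env:windir)\*") { continue }

    # Keep only folders that actually contain the dropped DLLs
    # (a random name such as "svsxgd" alone is not enough evidence).
    $hits = @(Get-ChildItem -LiteralPath $dir.FullName -Recurse -Force -File -ErrorAction SilentlyContinue |
        Where-Object { $Indicators -contains $_.Name })
    if ($hits.Count -eq 0) { continue }

    Write-Host "Suspicious hidden folder: $($dir.FullName) [$($dir.Attributes)]"
    foreach ($h in $hits) { Write-Host "    contains $($h.FullName)" }

    if (-not $Delete) { continue }

    try {
        # Step two: unhide the folder and everything inside it.
        Get-ChildItem -LiteralPath $dir.FullName -Recurse -Force -ErrorAction Stop |
            ForEach-Object { Clear-HidingAttributes $_ }
        Clear-HidingAttributes $dir

        # Step three: delete the whole folder tree.
        Remove-Item -LiteralPath $dir.FullName -Recurse -Force -ErrorAction Stop
        Write-Host "Deleted $($dir.FullName)"
    }
    catch {
        # Typical cause of "Access denied": the malware is still running and
        # holds the files open, or it set permissions your account cannot override.
        # Retry from an elevated prompt or after booting into Safe Mode.
        Write-Warning "Could not remove $($dir.FullName): $($_.Exception.Message)"
    }
}
```

Run `.\Remove-WowTemp.ps1` first to see what it would remove, and `.\Remove-WowTemp.ps1 -Delete` only once the listed paths are all under your own Temp folder. The match is on the dropped file names rather than on the random folder name, because Temp legitimately contains hidden items from installers and browsers.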

 

Notice: sometimes, after you finish step two, you may get Access denied when you try to change or delete the folder. That usually means the malware is still running and holding its files open, or that it has set permissions your account cannot override; running the Command Prompt as administrator, or booting into Safe Mode first, often gets past it. If that is the case, the easiest solution for me was that I fired up Linux (Ubuntu) and went to the 'file system', where you will find the host directory. It contains all the files of Windows, so go to C >> Users >> YourUserName >> AppData >> Local >> Temp. Then find the suspicious malware folder and simply delete it. The coolest thing about Linux (Ubuntu) is that, unlike Windows, it does not enforce the Hidden and System attributes, so it can reach all the way into Windows' super hidden files. But this last option is only available if you have Ubuntu or another Linux OS installed in a partition on your PC.

GOOD LUCK!!