Installation Problems due to Malware Detected

[rbkaiser 0]

Good morning guys I hope you can help me reinstall my NOD32

been using it way back 2016, and I remember it was working well often, and there were the regular notifications and warnings it gives from time to time. I have gotten busy recently, and I never noticed these notifs disappearing. I finally noticed and checked that my NOD32 was not installed anymore, (when I was going to reactivate my expiring 1yr account.

So I downloaded the installer, was able to register the license, and would be installing it again now.

Thing is, I received and installation failed due to malware (Image 1). I followed the onscreen instructions for the Specialized cleaner, downloaded and ran it (image 2) and got a success notification (Image 3)

But when I repeated the installation, I got the same error (Image 4) I repeated this 3 times

[Marcos 5,074]

Does the problem persist after running the Uninstall tool in safe mode?

[rbkaiser 0]

hello thanks for the suggestion. Let me check out that link and try it out

i'll update you ASAP if it works

[rbkaiser 0]

On 7/9/2020 at 1:02 PM, Marcos said:

Does the problem persist after running the Uninstall tool in safe mode?

im stuck at restarting in safe mode with network

 

the pop-ups are different when i follow the instructions. no startup settings in my screen

[JozefG 9]

@rbkaiser Microsoft moved Startup settings under See more recovery options.

[rbkaiser 0]

thanks guys ! it works now!

 

[Marcos 5,074]

Isn't it stuck at Initializing protection?

[rbkaiser 0]

actually no its all good. I took the screenshot as soon as everything loaded and worked. But was still doing the initializing and full scan. 

but yes its working 100% now since yesterday

[rbkaiser 0]

(I'm not sure if I should start a new topic or just continue it here.. let me know if I should just make a new topic)

so, ESET NOD32 has been working perfectly fine since, thanks guys

but ever since, every time I shutdown and turn my PC back on I get two popup errors

one is "StartUpCheckLibrary.dll" and the other is "winscomrssrv.dll"

I checked NOD32 quarantine and saw that they were there

what is the solution here?

is it a false positive since it seems to be a legit Windows file?
or is it a real threat, and if so, how do I avoid the error pop up every time? (since seeing this means something's not working right)

 

[itman 1,659]

9 minutes ago, rbkaiser said:

I checked NOD32 quarantine and saw that they were there

what is the solution here?

Check the Eset Detection log for entries associated with this quarantine activity. Post the file hashes from the Eset Detection log entries associated with those two files.

[Marcos 5,074]

Unfortunately the screen shot is cut. Please provide logs collected with ESET Log Collector.

[rbkaiser 0]

is this the one?

[Marcos 5,074]

Please follow Using Process Monitor to create log files and upload the generated archive here.

[itman 1,659]

11 minutes ago, rbkaiser said:

is this the one?

Yes. Copy the complete hash for each entry and post it a your next reply.

To do do, open notepad.exe . Copy each Eset log entry by left mouse clicking on the entry and select "Copy." Then Paste the entry into notepad. Finally, copy the hash value from the notepad based log entry into your next reply.

[rbkaiser 0]

Time;Scanner;Object type;Object;Detection;Action;User;Information;Hash;First seen here
7/21/2020 11:40:16 AM;Startup scanner;file;c:\windows\system32\startupchecklibrary.dll;a variant of Win64/Agent.RL trojan;cleaned by deleting;;;B916C068F5FB448649214F55B667BE661E626114;12/14/2018 9:03:26 PM

Time;Scanner;Object type;Object;Detection;Action;User;Information;Hash;First seen here
7/21/2020 11:40:15 AM;Startup scanner;file;c:\windows\system32\winscomrssrv.dll;Win64/Agent.NK trojan;cleaned by deleting;;;5E2B7048D92F193ED9E8A7CBECA00A9C294AFF39;2/25/2019 7:47:22 AM
 

[Marcos 5,074]

Is it detected repeatedly after a reboot? The detection is almost 1 year old. Haven't you recently disabled real-time protection or used performance exceptions which could allow the malware to get to the disk and later be detected by the startup scanner? After a reboot, run a full disk scan and then provide ELC logs.

[itman 1,659]

Those files are definitely malicious. Many AV vendor detection's for them at VirusTotal.

They also are not valid Win OS files. I can find no reference to them on my Win 10 2004 build in my System32 directory.

Appears there are still remnants of the malware on your device that is causing the popup at system shutdown startup time. Most likely a scheduled task or registry entry. -EDIT- Also could be a Win startup directory entry.

Also it appears your device might be compromised as far as Win permissions go. Malware should not be able to gain access to System32 directory unless it also was successful in elevating to full Admin or System privileges.

Edited July 22, 2020 by itman

[itman 1,659]

For starters, check this directory, C:\Users\xxxxx\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup, for any entries related to these two files. Better yet, post a screen shot of what is shown in that directory.

[rbkaiser 0]

ah here's the backstory. Had this PC since 2016, and got ESET since. its always been installed and once in a while, makes a notif on warnings. the scan was pretty much automatic and in the background so not much notifs on that. so yeh, it was there and did its job

just recently this pandemic/lockdown, i wanted to make a specific scan and noticed the "scan with ESET NOD32" option was not in the rightclick menu anymore. That's when I noticed that ESET seemed uninstall (or partially) and that's why i was asked to try to uninstall-reinstall to fix the problem (before the start of this topic).

i do not know exactly when the previous one was gone. I didnt get to use the PC much prior to lockdown, just used a few mins a day and around 4days a week

i am doing a full scan this morning as Marcos requested

this is the startup directory. That's the only thing here. 

 

[rbkaiser 0]

[Marcos 5,074]

Looks like the machine should be already clean since only a PUA was detected during the scan. Are you still getting detections from the startup scanner?

[SeriousHoax 83]

1 hour ago, rbkaiser said:

Off topic maybe, please consider ditching utorrent for something like qBittorrent. utorrent installer usually comes bundled with pup and has other risks also and as you can see it's detected by ESET too. 

[rbkaiser 0]

8 hours ago, Marcos said:

Looks like the machine should be already clean since only a PUA was detected during the scan. Are you still getting detections from the startup scanner?

yes I got that notification also when i turned it on before the scan

something is always looking for those 2 files and saying "error" because they are quarantined

7 hours ago, SeriousHoax said:

Off topic maybe, please consider ditching utorrent for something like qBittorrent. utorrent installer usually comes bundled with pup and has other risks also and as you can see it's detected by ESET too. 

il try that software. I've been using this every since, it was fine. it only started that this recently (since last sunday)

[itman 1,659]

12 hours ago, rbkaiser said:

this is the startup directory. That's the only thing here. 

 

Do you have any software installed named "Rainmeter"? Based on this: https://www.rainmeter.net/ , it is a desktop customization tool.

[itman 1,659]

Right mouse click on the Rainmeter shortcut. Select Properties and take a screen shot of what is shown. Post screen shot in your forum reply.