rbkaiser (Posted July 8, 2020)

Good morning guys,

I hope you can help me reinstall my NOD32. I've been using it since way back in 2016, and I remember it was working well often, and there were the regular notifications and warnings it gives from time to time. I have gotten busy recently, and I never noticed these notifs disappearing. I finally noticed and checked that my NOD32 was not installed anymore (when I was going to reactivate my expiring 1yr account).

So I downloaded the installer, was able to register the license, and would be installing it again now. Thing is, I received an installation failed due to malware (Image 1). I followed the onscreen instructions for the Specialized cleaner, downloaded and ran it (Image 2) and got a success notification (Image 3). But when I repeated the installation, I got the same error (Image 4). I repeated this 3 times.

Marcos, Administrators (Posted July 9, 2020)

Does the problem persist after running the Uninstall tool in safe mode?

rbkaiser (Posted July 9, 2020)

Hello, thanks for the suggestion. Let me check out that link and try it out. I'll update you ASAP if it works.

rbkaiser (Posted July 11, 2020)

On 7/9/2020 at 1:02 PM, Marcos said: "Does the problem persist after running the Uninstall tool in safe mode?"

I'm stuck at restarting in safe mode with network. The pop-ups are different when I follow the instructions. No startup settings in my screen.

JozefG, ESET Staff (Posted July 13, 2020)

@rbkaiser Microsoft moved Startup settings under See more recovery options.

rbkaiser (Posted July 18, 2020)

Thanks guys! It works now!

Marcos, Administrators (Posted July 18, 2020)

Isn't it stuck at Initializing protection?

rbkaiser (Posted July 19, 2020)

Actually no, it's all good. I took the screenshot as soon as everything loaded and worked, but it was still doing the initializing and full scan. But yes, it's working 100% now since yesterday.

rbkaiser (Posted July 22, 2020)

(I'm not sure if I should start a new topic or just continue it here. Let me know if I should just make a new topic.)

So, ESET NOD32 has been working perfectly fine since, thanks guys. But ever since, every time I shut down and turn my PC back on I get two popup errors: one is "StartUpCheckLibrary.dll" and the other is "winscomrssrv.dll". I checked NOD32 quarantine and saw that they were there.

What is the solution here? Is it a false positive, since it seems to be a legit Windows file? Or is it a real threat, and if so, how do I avoid the error popup every time? (Since seeing this means something's not working right.)

itman (Posted July 22, 2020)

9 minutes ago, rbkaiser said: "I checked NOD32 quarantine and saw that they were there. What is the solution here?"

Check the Eset Detection log for entries associated with this quarantine activity. Post the file hashes from the Eset Detection log entries associated with those two files.

Marcos, Administrators (Posted July 22, 2020)

Unfortunately the screenshot is cut off. Please provide logs collected with ESET Log Collector.

rbkaiser (Posted July 22, 2020)

Is this the one?

Marcos, Administrators (Posted July 22, 2020)

Please follow Using Process Monitor to create log files and upload the generated archive here.

itman (Posted July 22, 2020)

11 minutes ago, rbkaiser said: "Is this the one?"

Yes. Copy the complete hash for each entry and post it in your next reply. To do so, open notepad.exe. Copy each Eset log entry by left mouse clicking on the entry and selecting "Copy." Then paste the entry into Notepad. Finally, copy the hash value from the Notepad-based log entry into your next reply.

rbkaiser (Posted July 22, 2020)

Time;Scanner;Object type;Object;Detection;Action;User;Information;Hash;First seen here
7/21/2020 11:40:16 AM;Startup scanner;file;c:\windows\system32\startupchecklibrary.dll;a variant of Win64/Agent.RL trojan;cleaned by deleting;;;B916C068F5FB448649214F55B667BE661E626114;12/14/2018 9:03:26 PM

Time;Scanner;Object type;Object;Detection;Action;User;Information;Hash;First seen here
7/21/2020 11:40:15 AM;Startup scanner;file;c:\windows\system32\winscomrssrv.dll;Win64/Agent.NK trojan;cleaned by deleting;;;5E2B7048D92F193ED9E8A7CBECA00A9C294AFF39;2/25/2019 7:47:22 AM

Marcos, Administrators (Posted July 22, 2020)

Is it detected repeatedly after a reboot? The detection is almost 1 year old. Haven't you recently disabled real-time protection or used performance exceptions which could allow the malware to get to the disk and later be detected by the startup scanner?

After a reboot, run a full disk scan and then provide ELC logs.

itman (Posted July 22, 2020; edited July 22, 2020)

Those files are definitely malicious. Many AV vendor detections for them at VirusTotal. They also are not valid Win OS files. I can find no reference to them on my Win 10 2004 build in my System32 directory.

Appears there are still remnants of the malware on your device that are causing the popup at system shutdown/startup time. Most likely a scheduled task or registry entry.

-EDIT- Also could be a Win startup directory entry.

Also it appears your device might be compromised as far as Win permissions go. Malware should not be able to gain access to System32 directory unless it also was successful in elevating to full Admin or System privileges.

itman (Posted July 22, 2020)

For starters, check this directory, C:\Users\xxxxx\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup, for any entries related to these two files. Better yet, post a screenshot of what is shown in that directory.
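
The three places itman names above (scheduled tasks, registry entries, Startup directories) can be searched for references to the two quarantined DLLs with a read-only PowerShell script. This is an added example, not part of the original thread and not ESET tooling; the list of Run keys and all variable names are assumptions of the example, and the key list is not exhaustive.

```powershell
# Added example: read-only search for leftover autostart references to the two
# DLL names from the detection log above. Nothing is modified or deleted.
$names   = 'startupchecklibrary', 'winscomrssrv'
$pattern = ($names | ForEach-Object { [regex]::Escape($_) }) -join '|'

# 1. Scheduled tasks whose action command line mentions either DLL
Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        $cmd = "$($action.Execute) $($action.Arguments)"
        if ($cmd -match $pattern) {
            [pscustomobject]@{ Source = 'ScheduledTask'
                               Location = "$($task.TaskPath)$($task.TaskName)"
                               Value = $cmd }
        }
    }
}

# 2. Common Run/RunOnce registry keys (assumed list, not exhaustive)
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
foreach ($key in $runKeys) {
    $item = Get-Item -Path $key -ErrorAction SilentlyContinue
    if (-not $item) { continue }
    foreach ($valueName in $item.GetValueNames()) {
        $data = [string]$item.GetValue($valueName)
        if ($data -match $pattern) {
            [pscustomobject]@{ Source = 'RunKey'; Location = "$key\$valueName"; Value = $data }
        }
    }
}

# 3. Per-user and all-users Startup folders; shortcuts are resolved to their target
$startupDirs = [Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup')
$shell = New-Object -ComObject WScript.Shell
Get-ChildItem -Path $startupDirs -Force -ErrorAction SilentlyContinue | ForEach-Object {
    $target = $_.FullName
    if ($_.Extension -eq '.lnk') {
        $lnk = $shell.CreateShortcut($_.FullName)
        $target = "$($lnk.TargetPath) $($lnk.Arguments)"
    }
    if ("$($_.Name) $target" -match $pattern) {
        [pscustomobject]@{ Source = 'StartupFolder'; Location = $_.FullName; Value = $target }
    }
}
```

Run it from an elevated PowerShell prompt so that tasks registered under other accounts are listed; any row it prints is a leftover launcher entry that would explain the error popup for a file that is already in quarantine.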

rbkaiser (Posted July 25, 2020)

Ah, here's the backstory. Had this PC since 2016, and got ESET since. It's always been installed and, once in a while, makes a notif on warnings. The scan was pretty much automatic and in the background, so not much notifs on that. So yeah, it was there and did its job.

Just recently this pandemic/lockdown, I wanted to make a specific scan and noticed the "scan with ESET NOD32" option was not in the right-click menu anymore. That's when I noticed that ESET seemed uninstalled (or partially), and that's why I was asked to try to uninstall-reinstall to fix the problem (before the start of this topic). I do not know exactly when the previous one was gone. I didn't get to use the PC much prior to lockdown, just used a few mins a day and around 4 days a week.

I am doing a full scan this morning as Marcos requested.

This is the startup directory. That's the only thing here.

Marcos, Administrators (Posted July 25, 2020)

Looks like the machine should be already clean since only a PUA was detected during the scan. Are you still getting detections from the startup scanner?

SeriousHoax (Posted July 25, 2020)

Off topic maybe, please consider ditching uTorrent for something like qBittorrent. The uTorrent installer usually comes bundled with PUP and has other risks also, and as you can see it's detected by ESET too.

rbkaiser (Posted July 25, 2020)

8 hours ago, Marcos said: "Looks like the machine should be already clean since only a PUA was detected during the scan. Are you still getting detections from the startup scanner?"

Yes, I got that notification also when I turned it on before the scan. Something is always looking for those 2 files and saying "error" because they are quarantined.

7 hours ago, SeriousHoax said: "Off topic maybe, please consider ditching uTorrent for something like qBittorrent. The uTorrent installer usually comes bundled with PUP and has other risks also, and as you can see it's detected by ESET too."

I'll try that software. I've been using this ever since, it was fine. It only started this recently (since last Sunday).

itman (Posted July 25, 2020)

12 hours ago, rbkaiser said: "This is the startup directory. That's the only thing here."

Do you have any software installed named "Rainmeter"? Based on this: https://www.rainmeter.net/ , it is a desktop customization tool.

itman (Posted July 25, 2020)

Right mouse click on the Rainmeter shortcut. Select Properties and take a screenshot of what is shown. Post the screenshot in your forum reply.