
Installation Problems due to Malware Detected



Good morning guys, I hope you can help me reinstall my NOD32.

Been using it since way back in 2016, and I remember it was working well often, and there were the regular notifications and warnings it gives from time to time. I have gotten busy recently, and I never noticed these notifs disappearing. I finally noticed and checked that my NOD32 was not installed anymore (when I was going to reactivate my expiring 1yr account).

So I downloaded the installer, was able to register the license, and would be installing it again now.

Thing is, I received an "installation failed due to malware" error (Image 1). I followed the onscreen instructions for the Specialized cleaner, downloaded and ran it (Image 2) and got a success notification (Image 3).

But when I repeated the installation, I got the same error (Image 4). I repeated this 3 times.

NOD32 1.JPG

NOD32 2.JPG

NOD32 3.JPG

NOD32 4.JPG

Link to post
Share on other sites
On 7/9/2020 at 1:02 PM, Marcos said:

Does the problem persist after running the Uninstall tool in safe mode?

I'm stuck at restarting in safe mode with network.

The pop-ups are different when I follow the instructions. No startup settings on my screen.

107612550_10157542168632794_2796720435673820642_n.jpg

107832987_10157542168752794_6090253101159988293_n.jpg

Link to post
Share on other sites

Actually no, it's all good. I took the screenshot as soon as everything loaded and worked. But it was still doing the initializing and full scan.

But yes, it's working 100% now since yesterday.

image.png.3d179115a20e3c7342806a6e2d1bf65b.png

Link to post
Share on other sites

(I'm not sure if I should start a new topic or just continue it here.. let me know if I should just make a new topic)

so, ESET NOD32 has been working perfectly fine since, thanks guys

but ever since, every time I shutdown and turn my PC back on I get two popup errors

image.png.d281ed2687ae19e17d8fcdf46cff2985.png

one is "StartUpCheckLibrary.dll" and the other is "winscomrssrv.dll"

I checked NOD32 quarantine and saw that they were there

image.png.bd5835ebb4fdebff89c25062994ec40d.png

what is the solution here?

is it a false positive since it seems to be a legit Windows file?
or is it a real threat, and if so, how do I avoid the error pop up every time? (since seeing this means something's not working right)

 

Link to post
Share on other sites
9 minutes ago, rbkaiser said:

I checked NOD32 quarantine and saw that they were there

image.png.bd5835ebb4fdebff89c25062994ec40d.png

what is the solution here?

Check the Eset Detection log for entries associated with this quarantine activity. Post the file hashes from the Eset Detection log entries associated with those two files.

Link to post
Share on other sites
11 minutes ago, rbkaiser said:

is this the one?

image.thumb.png.f747088b0a69400ea12b84460cc3364c.png

Yes. Copy the complete hash for each entry and post it in your next reply.

To do so, open notepad.exe. Copy each Eset log entry by left mouse clicking on the entry and selecting "Copy." Then paste the entry into Notepad. Finally, copy the hash value from the Notepad-based log entry into your next reply.

Link to post
Share on other sites

Time;Scanner;Object type;Object;Detection;Action;User;Information;Hash;First seen here
7/21/2020 11:40:16 AM;Startup scanner;file;c:\windows\system32\startupchecklibrary.dll;a variant of Win64/Agent.RL trojan;cleaned by deleting;;;B916C068F5FB448649214F55B667BE661E626114;12/14/2018 9:03:26 PM

Time;Scanner;Object type;Object;Detection;Action;User;Information;Hash;First seen here
7/21/2020 11:40:15 AM;Startup scanner;file;c:\windows\system32\winscomrssrv.dll;Win64/Agent.NK trojan;cleaned by deleting;;;5E2B7048D92F193ED9E8A7CBECA00A9C294AFF39;2/25/2019 7:47:22 AM
 

Link to post
Share on other sites
  • Administrators

Is it detected repeatedly after a reboot? The detection is almost 1 year old. Haven't you recently disabled real-time protection or used performance exceptions which could allow the malware to get to the disk and later be detected by the startup scanner? After a reboot, run a full disk scan and then provide ELC logs.

Link to post
Share on other sites

Those files are definitely malicious. Many AV vendor detections for them at VirusTotal.

They also are not valid Win OS files. I can find no reference to them on my Win 10 2004 build in my System32 directory.

Appears there are still remnants of the malware on your device that are causing the popup at system shutdown/startup time. Most likely a scheduled task or registry entry. -EDIT- Also could be a Win startup directory entry.

Also it appears your device might be compromised as far as Win permissions go. Malware should not be able to gain access to System32 directory unless it also was successful in elevating to full Admin or System privileges.

Edited by itman
Link to post
Share on other sites

For starters, check this directory, C:\Users\xxxxx\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup, for any entries related to these two files. Better yet, post a screen shot of what is shown in that directory.

Link to post
Share on other sites
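Added example, not part of any forum post: a read-only PowerShell check of the three locations suggested above (scheduled tasks, registry entries, Startup folders) for references to the two file names in the detection-log lines posted earlier in the thread. The choice of the Run/RunOnce keys is an assumption, since the thread only says "registry entry".

```powershell
# Added example (not from the thread). Read-only: it reports, it changes nothing.
# Run from an elevated prompt so that all scheduled tasks are visible.
$log = @'
Time;Scanner;Object type;Object;Detection;Action;User;Information;Hash;First seen here
7/21/2020 11:40:16 AM;Startup scanner;file;c:\windows\system32\startupchecklibrary.dll;a variant of Win64/Agent.RL trojan;cleaned by deleting;;;B916C068F5FB448649214F55B667BE661E626114;12/14/2018 9:03:26 PM
7/21/2020 11:40:15 AM;Startup scanner;file;c:\windows\system32\winscomrssrv.dll;Win64/Agent.NK trojan;cleaned by deleting;;;5E2B7048D92F193ED9E8A7CBECA00A9C294AFF39;2/25/2019 7:47:22 AM
'@
# File names come from the "Object" column of the copied detection-log entries.
$names   = $log | ConvertFrom-Csv -Delimiter ';' | ForEach-Object { Split-Path $_.Object -Leaf }
$pattern = ($names | ForEach-Object { [regex]::Escape($_) }) -join '|'
$hits    = @()

# 1. Scheduled tasks whose action command line mentions one of the files.
$hits += @(Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($a in $task.Actions) {
        $cmd = "$($a.Execute) $($a.Arguments)"
        if ($cmd -match $pattern) {
            [pscustomobject]@{ Where = "Task $($task.TaskPath)$($task.TaskName)"; Value = $cmd }
        }
    }
})

# 2. Registry autostart values (assumption: the Run/RunOnce keys).
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
foreach ($key in $runKeys) {
    $item = Get-Item -Path $key -ErrorAction SilentlyContinue
    if (-not $item) { continue }
    foreach ($v in $item.GetValueNames()) {
        $data = [string]$item.GetValue($v)
        if ($data -match $pattern) { $hits += [pscustomobject]@{ Where = "$key\$v"; Value = $data } }
    }
}

# 3. Per-user and all-users Startup folders; shortcuts are resolved to their targets.
$shell = New-Object -ComObject WScript.Shell
$dirs  = [Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup')
foreach ($f in Get-ChildItem -Path $dirs -File -ErrorAction SilentlyContinue) {
    $target = $f.Name
    if ($f.Extension -eq '.lnk') { $lnk = $shell.CreateShortcut($f.FullName); $target = "$($lnk.TargetPath) $($lnk.Arguments)" }
    if ($target -match $pattern) { $hits += [pscustomobject]@{ Where = $f.FullName; Value = $target } }
}
$hits | Format-List
```

An empty result means none of these locations references the two file names; any entry listed is a candidate source of the startup error and can be posted for review before anything is deleted.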

Ah, here's the backstory. Had this PC since 2016, and got ESET since. It's always been installed and, once in a while, makes a notif on warnings. The scan was pretty much automatic and in the background, so not many notifs on that. So yeah, it was there and did its job.

Just recently, during this pandemic/lockdown, I wanted to make a specific scan and noticed the "scan with ESET NOD32" option was not in the right-click menu anymore. That's when I noticed that ESET seemed uninstalled (or partially), and that's why I was asked to try to uninstall-reinstall to fix the problem (before the start of this topic).

I do not know exactly when the previous one was gone. I didn't get to use the PC much prior to lockdown, just used it a few mins a day and around 4 days a week.

I am doing a full scan this morning as Marcos requested.

This is the startup directory. That's the only thing here.

 

image.png.be97962f8ccb0cab1b87826b0c25177e.png

Link to post
Share on other sites
  • Administrators

Looks like the machine should be already clean since only a PUA was detected during the scan. Are you still getting detections from the startup scanner?

Link to post
Share on other sites
1 hour ago, rbkaiser said:

image.thumb.png.3abe4f7c7229e598afc7dcf97392ce20.pngimage.thumb.png.93261e730bb6fd60af032477297b0c9a.png

Off topic maybe, please consider ditching uTorrent for something like qBittorrent. The uTorrent installer usually comes bundled with PUPs and has other risks also, and as you can see it's detected by ESET too.

Link to post
Share on other sites
8 hours ago, Marcos said:

Looks like the machine should be already clean since only a PUA was detected during the scan. Are you still getting detections from the startup scanner?

Yes, I got that notification also when I turned it on before the scan.

Something is always looking for those 2 files and saying "error" because they are quarantined.

7 hours ago, SeriousHoax said:

Off topic maybe, please consider ditching uTorrent for something like qBittorrent. The uTorrent installer usually comes bundled with PUPs and has other risks also, and as you can see it's detected by ESET too.

I'll try that software. I've been using this ever since, it was fine. It only started this recently (since last Sunday).

Link to post
Share on other sites

Right mouse click on the Rainmeter shortcut. Select Properties and take a screen shot of what is shown. Post screen shot in your forum reply.

Link to post
Share on other sites
