Status
Not open for further replies.

StartupCheckLibrary.dll, winscomrssrv.dll and Win Defender

3K views, 19 replies, 3 participants, last post by iMacg3
#1 ·
Hello, I have an issue with my Windows 10.
1 month ago the "microsoft windows defender" DISAPPEARED from my windows 10 installation.
At the same time, the "windows update" stopped working due to the absence of "Win Defender".
In addition, a message began to appear when Windows starts, saying it cannot find the StartupCheckLibrary.dll and winscomrssrv.dll files.

I installed the immunet antivirus and now I am scanning with Eset online.

Could you help me?
thanks!!

(English is not my birth language, sorry)
 
#8 ·
Hi Fer13,

Going over your logs I noticed that you have BitTorrent and qBittorrent installed.
  • Avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs.
  • They are a security risk which can make your computer susceptible to a wide variety of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites.
  • Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users.
  • The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications.
It is pretty much certain that if you continue to use P2P programs, you will get infected again.
I would recommend that you uninstall BitTorrent and qBittorrent; however, that choice is up to you. If you choose to remove these programs, you can do so via the following:

  • Press the Windows Key + R.
  • Type appwiz.cpl in the Run box and click OK.
  • The Add/Remove Programs list will open. Locate the following program(s) on the list:
    BitTorrent
    qBittorrent
  • Select the above program(s) and click Uninstall.
  • Restart the computer if prompted.

If you wish to keep them, please do not use them until your computer is cleaned.

---------------------------------------------------

Did you enable web push notifications from the following sites?

Code:
drive.google.com
freebitco.in
httpswwwviacargocomar.webpush.freshchat.com
mail.google.com
telecentro.com.ar
web.whatsapp.com
online-convert.com
---------------------------------------------------
Uninstall Chrome Extension(s)

  • Open Google Chrome. Type chrome://extensions in the address bar and press Enter.
  • Click the trash can icon next to the following extension(s):
    Search Manager
  • A confirmation dialog will appear. Click Remove.

---------------------------------------------------
Farbar Recovery Scan Tool - Fix

  • Highlight the contents of the below code box and press Ctrl + C on your keyboard:
    Code:
    Start::
    CreateRestorePoint:
    CloseProcesses:
    HKLM\...\Policies\Explorer: [HideSCAHealth] 1
    HKU\S-1-5-21-2351393210-478338056-927649151-1001\...\Run: [Web Companion] => C:\Program Files (x86)\Lavasoft\Web Companion\Application\WebCompanion.exe --minimize
    C:\Program Files (x86)\Lavasoft
    IFEO\LogTransport2.exe: [Debugger] 0
    Task: {3EB5B9D0-C00A-4483-B423-FE34AB9A67C6} - System32\Tasks\Microsoft\Windows\Application Experience\StartupCheckLibrary => rundll32.exe StartupCheckLibrary.dll,DllMainRunLibrary <==== ATENCIÓN
    Task: {5EC77C09-F21A-4A7E-827D-9513C1B2874B} - System32\Tasks\Microsoft\Windows\Windows Error Reporting\winrmsrv => winrmsrv.exe <==== ATENCIÓN
    Task: {A0C727AD-4B16-46B6-9AEF-26B8756B8862} - System32\Tasks\Microsoft\Windows\WDI\SrvHost => rundll32.exe winscomrssrv.dll,SrvMainHost <==== ATENCIÓN
    Task: {D7C14404-DDF3-42C3-9FF5-4A76604C0489} - System32\Tasks\Microsoft\Windows\Wininet\Winlogui => winlogui.exe <==== ATENCIÓN
    HKU\S-1-5-21-2351393210-478338056-927649151-1001\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://securedsearch.lavasoft.com/?pr=vmn&id=webcompa&ent=hp_WCYID10440__191224
    SearchScopes: HKU\S-1-5-21-2351393210-478338056-927649151-1001 -> DefaultScope {2f23ab71-4ac6-41f2-a955-ea576e553146} URL = hxxps://ar.search.yahoo.com/yhs/search?hspart=iry&hsimp=yhs-fullyhosted_003&type=wbf_cekvtqg5_19_40_ssg00&param1=1&param2=f%3D4%26b%3DIE%26cc%3Dar%26pa%3Dwincy%26cd%3D2XzuyEtN2Y1L1QzutC0CtC0BtD0D0F0D0DyB0Bzy0AyCyDyBtN0D0Tzu0StBzztAtCtN1L2XzuyEtFyDyCtFtDtFyDyCtN1L1Czu1TtN1L1G1B1V1N2Y1L1Qzu2SyByDzy0EzyyCyC0AtGyB0FtC0DtGyDtD0CzytGyDyC0FyBtG0A0CzyyCtDyEzz0CtA0A0FtA2QtN1M1F1B2Z1V1N2Y1L1Qzu2Szz1T1RtAtBzyyC1TtGzztBtCtBtGyEtAyCzztG1S1Q1QyDtGzzyBzz1TzytCtC1TyEyD1OyB2QtN0A0LzutBtN1B2Z1V1T1S1NzutBtAyBzzzztN1Q2Z1B1P1RzutCyDyBtDtDyDzyyDyByE%26cr%3D1050274081%26a%3Dwbf_cekvtqg5_19_40_ssg00%26os_ver%3D10.0%26os%3DWindows%2B10%2BEnterprise&p={searchTerms}
    SearchScopes: HKU\S-1-5-21-2351393210-478338056-927649151-1001 -> {2f23ab71-4ac6-41f2-a955-ea576e553146} URL = hxxps://ar.search.yahoo.com/yhs/search?hspart=iry&hsimp=yhs-fullyhosted_003&type=wbf_cekvtqg5_19_40_ssg00&param1=1&param2=f%3D4%26b%3DIE%26cc%3Dar%26pa%3Dwincy%26cd%3D2XzuyEtN2Y1L1QzutC0CtC0BtD0D0F0D0DyB0Bzy0AyCyDyBtN0D0Tzu0StBzztAtCtN1L2XzuyEtFyDyCtFtDtFyDyCtN1L1Czu1TtN1L1G1B1V1N2Y1L1Qzu2SyByDzy0EzyyCyC0AtGyB0FtC0DtGyDtD0CzytGyDyC0FyBtG0A0CzyyCtDyEzz0CtA0A0FtA2QtN1M1F1B2Z1V1N2Y1L1Qzu2Szz1T1RtAtBzyyC1TtGzztBtCtBtGyEtAyCzztG1S1Q1QyDtGzzyBzz1TzytCtC1TyEyD1OyB2QtN0A0LzutBtN1B2Z1V1T1S1NzutBtAyBzzzztN1Q2Z1B1P1RzutCyDyBtDtDyDzyyDyByE%26cr%3D1050274081%26a%3Dwbf_cekvtqg5_19_40_ssg00%26os_ver%3D10.0%26os%3DWindows%2B10%2BEnterprise&p={searchTerms}
    SearchScopes: HKU\S-1-5-21-2351393210-478338056-927649151-1001 -> {993F5746-4C15-42BC-99C1-064A1764271B} URL = hxxps://securesearch.org?q={searchTerms}
    FF Extension: (Search Manager) - C:\Users\rofed\AppData\Roaming\Mozilla\Firefox\Profiles\7x2ef6u2.default\Extensions\{24436206-088d-4a1a-8d0e-cf93ca7a2d23}.xpi [2019-10-02] [UpdateUrl:hxxps://qupotomu.com/update?x=restype=ffjson]
    FF HKU\S-1-5-21-2351393210-478338056-927649151-1001\...\Firefox\Extensions: [acewebextension_unlisted@acestream.org] - C:\Users\rofed\AppData\Roaming\ACEStream\extensions\awe\firefox\acewebextension_unlisted.xpi => no encontrado
    C:\Users\rofed\AppData\Roaming\ACEStream
    CHR HKLM\...\Chrome\Extension: [nahhmpbckpgdidfnmfkfgiflpjijilce]
    CHR HKLM\...\Chrome\Extension: [pdpcpceofkopegffcdnffeenbfdldock]
    CHR HKLM\...\Chrome\Extension: [pilplloabdedfmialnfchjomjmpjcoej]
    CHR HKU\S-1-5-21-2351393210-478338056-927649151-1001\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [mjbepbhonbojpoaenhckjocchgfiaofo]
    CHR HKU\S-1-5-21-2351393210-478338056-927649151-1001\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [nahhmpbckpgdidfnmfkfgiflpjijilce]
    CHR HKU\S-1-5-21-2351393210-478338056-927649151-1001\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [pdpcpceofkopegffcdnffeenbfdldock]
    CHR HKU\S-1-5-21-2351393210-478338056-927649151-1001\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [pilplloabdedfmialnfchjomjmpjcoej]
    CHR HKLM-x32\...\Chrome\Extension: [nahhmpbckpgdidfnmfkfgiflpjijilce]
    CHR HKLM-x32\...\Chrome\Extension: [pdpcpceofkopegffcdnffeenbfdldock]
    CHR HKLM-x32\...\Chrome\Extension: [pilplloabdedfmialnfchjomjmpjcoej]
    CustomCLSID: HKU\S-1-5-21-2351393210-478338056-927649151-1001_Classes\CLSID\{073CB204-6B29-46FC-AB98-451F1D068741}\InprocServer32 -> C:\Program Files\Autodesk\3ds Max 2020\Inventor Server\Bin\TestServer.dll => Ningún archivo
    CustomCLSID: HKU\S-1-5-21-2351393210-478338056-927649151-1001_Classes\CLSID\{8C23B656-4E6E-4B45-9920-9617168D39A3}\InprocServer32 -> C:\Program Files\Autodesk\3ds Max 2020\Inventor Server\Bin\TestServer.dll => Ningún archivo
    CustomCLSID: HKU\S-1-5-21-2351393210-478338056-927649151-1001_Classes\CLSID\{E5B0515D-48D2-4F04-906D-0192ED65A2DD}\InprocServer32 -> C:\Program Files\Autodesk\3ds Max 2020\Inventor Server\Bin\TestServer.dll => Ningún archivo
    ShellIconOverlayIdentifiers: [00asw] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  -> Ningún archivo
    ContextMenuHandlers1: [7-Zip] -> {23170F69-40C1-278A-1000-000100020000} =>  -> Ningún archivo
    ContextMenuHandlers1: [BriefcaseMenu] -> {85BBD920-42A0-1069-A2E4-08002B30309D} =>  -> Ningún archivo
    ContextMenuHandlers3: [{4A7C4306-57E0-4C0C-83A9-78C1528F618C}] -> {4A7C4306-57E0-4C0C-83A9-78C1528F618C} =>  -> Ningún archivo
    ContextMenuHandlers4: [7-Zip] -> {23170F69-40C1-278A-1000-000100020000} =>  -> Ningún archivo
    ContextMenuHandlers5: [igfxcui] -> {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} =>  -> Ningún archivo
    ContextMenuHandlers6: [BriefcaseMenu] -> {85BBD920-42A0-1069-A2E4-08002B30309D} =>  -> Ningún archivo
    IE trusted site: HKU\S-1-5-21-2351393210-478338056-927649151-1001\...\webcompanion.com -> hxxp://webcompanion.com
    HKU\S-1-5-21-2351393210-478338056-927649151-1001\...\StartupApproved\Run: => "Web Companion"
    cmd: netsh advfirewall reset
    VirusTotal: C:\Program Files (x86)\hicloud\update_server\startUp.exe
    EmptyTemp:
    End::
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.
  • Double-click FRST.exe/FRST64.exe to run it.
  • Press the Fix button just once and wait.
    Note: No need to paste the script into FRST.
  • Restart the computer if prompted.
  • When the fix is complete FRST will generate a log in the same location it was run from (Fixlog.txt)
  • Please copy and paste its contents into your reply.

---------------------------------------------------
Farbar Recovery Scan Tool - Search

  • Double-click FRST.exe/FRST64.exe to run it.
  • Copy and paste the following into the Search: box:
    Code:
    StartupCheckLibrary.dll;winrmsrv.exe; winscomrssrv.dll;winlogui.exe
  • Press the Search Files button.
  • When complete, FRST will generate a log in the same location it was run from (Search.txt)
  • Please copy and paste its contents into your reply.

---------------------------------------------------

In your next reply, please include:
  • Fixlog.txt
  • Search.txt
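Added example (not code from the thread, from FRST, or from the poster): a read-only PowerShell audit of the three persistence points the fix above removes, for anyone who wants to check the same things on their own machine before touching anything. It should be run as Administrator in Windows PowerShell 5.1 on Windows 10. The task and DLL names come from the fix script; the simplified DLL search order and the full registry paths (FRST abbreviates them with "...") are my assumptions and are marked in the comments.

```powershell
# Added example, not code from the thread, from FRST or from the poster.
# Read-only audit of: (1) scheduled tasks that run rundll32 with a DLL by name,
# (2) the HideSCAHealth Explorer policy, (3) IFEO Debugger entries.
# Run as Administrator in Windows PowerShell 5.1 on Windows 10.

# rundll32.exe lives in System32, so a bare DLL name is resolved approximately as
# System32 -> Windows -> directories on PATH. This is a simplified LoadLibrary
# search order (assumption), sufficient to tell "present" from "gone".
function Resolve-DllPath {
    param([Parameter(Mandatory)][string]$Name)
    if ([System.IO.Path]::IsPathRooted($Name)) {
        if (Test-Path -LiteralPath $Name) { return $Name }
        return $null
    }
    $dirs = @("$env:SystemRoot\System32", $env:SystemRoot) +
            @($env:Path -split ';' | Where-Object { $_ })
    foreach ($d in $dirs) {
        $candidate = Join-Path -Path $d -ChildPath $Name
        if (Test-Path -LiteralPath $candidate) { return $candidate }
    }
    return $null
}

# 1. Scheduled tasks that launch rundll32 with a DLL by name. A task whose DLL
#    has already been deleted is exactly what produces the "cannot find
#    StartupCheckLibrary.dll" message the original poster saw at logon.
function Get-Rundll32TaskFindings {
    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            if (-not $action.Execute -or -not $action.Arguments) { continue }
            if ($action.Execute -notmatch 'rundll32(\.exe)?"?$') { continue }
            # Arguments look like: StartupCheckLibrary.dll,DllMainRunLibrary
            $dll = (($action.Arguments -split ',')[0]).Trim().Trim('"')
            if (-not $dll) { continue }
            $resolved = Resolve-DllPath -Name $dll
            $finding = if ($resolved) { 'DLL present: check its publisher signature' } else { 'DLL missing: orphaned task' }
            [pscustomobject]@{
                Task       = $task.TaskPath + $task.TaskName
                Dll        = $dll
                ResolvedTo = $resolved
                Finding    = $finding
            }
        }
    }
}

# 2. The Explorer policy that hides the Security and Maintenance (Action Center)
#    icon, so a disabled Defender never shows a warning. FRST writes the key as
#    HKLM\...\Policies\Explorer; the full path below is its standard location.
function Get-HideSCAHealthSetting {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $v = Get-ItemProperty -Path $key -Name HideSCAHealth -ErrorAction SilentlyContinue
    if ($null -eq $v) { return 'HideSCAHealth not set (default: icon visible)' }
    return "HideSCAHealth = $($v.HideSCAHealth) (1 hides the Action Center icon)"
}

# 3. Image File Execution Options entries carrying a Debugger value. A value that
#    is not a real debugger (the fix shows [Debugger] 0 on LogTransport2.exe)
#    silently stops the named program from ever starting.
function Get-IfeoDebuggerEntries {
    $ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
    Get-ChildItem -Path $ifeo | ForEach-Object {
        $dbg = (Get-ItemProperty -Path $_.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
        if ($null -ne $dbg) {
            [pscustomobject]@{ Image = $_.PSChildName; Debugger = $dbg }
        }
    }
}

Get-Rundll32TaskFindings | Format-Table -AutoSize
Get-HideSCAHealthSetting
Get-IfeoDebuggerEntries | Format-Table -AutoSize
```

The script changes nothing; it only reports. A task listed as "DLL missing" under a Microsoft-looking path such as Application Experience or WDI, like the four in the fix above, is the thing to show a helper, and a Debugger value pointing at anything other than a debugger you installed yourself is worth the same question.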
 
#13 ·
Hi Fer13,

This fix will remove the notifications

---------------------------------------------------
Farbar Recovery Scan Tool - Fix

  • Highlight the contents of the below code box and press Ctrl + C on your keyboard:
    Code:
    Start::
    CHR Notifications: Default -> hxxps://drive.google.com; hxxps://freebitco.in; hxxps://httpswwwviacargocomar.webpush.freshchat.com; hxxps://mail.google.com; hxxps://telecentro.com.ar; hxxps://web.whatsapp.com; hxxps://www.online-convert.com
    End::
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.
  • Double-click FRST.exe/FRST64.exe to run it.
  • Press the Fix button just once and wait.
    Note: No need to paste the script into FRST.
  • Restart the computer if prompted.
  • When the fix is complete FRST will generate a log in the same location it was run from (Fixlog.txt)
  • Please copy and paste its contents into your reply.

---------------------------------------------------
Re-scan with FRST
  • Double-click FRST.exe/FRST64.exe to run it.
  • Press the Scan button.
  • When finished, it will produce logs called FRST.txt and Addition.txt in the same directory the tool was run from.
  • Please copy and paste the logs in your next reply.

---------------------------------------------------

In your next reply, please include:
  • Fixlog.txt
  • FRST.txt
  • Addition.txt
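Added example (not code from the thread, from FRST, or from the poster): a read-only PowerShell function that lists which sites a Chrome profile has allowed to send web push notifications, which is the list the "CHR Notifications: Default -> ..." line in the fix above resets. The Preferences file location and the JSON layout used are the ones Chrome uses on Windows and are assumptions of this example; close Chrome first so the file is flushed to disk.

```powershell
# Added example, not code from the thread, from FRST or from the poster.
# Lists per-site notification permissions for one Chrome profile (read-only).
# Assumptions: Preferences lives under %LOCALAPPDATA%\Google\Chrome\User Data\<profile>
# and stores permissions at profile.content_settings.exceptions.notifications as
#   "https://example.com:443,*" -> { "setting": 1 (allow) | 2 (block), ... }
function Get-ChromeNotificationPermissions {
    param(
        [string]$ProfileName = 'Default',
        [string]$UserData    = "$env:LOCALAPPDATA\Google\Chrome\User Data"
    )
    $prefsPath = Join-Path -Path (Join-Path -Path $UserData -ChildPath $ProfileName) -ChildPath 'Preferences'
    if (-not (Test-Path -LiteralPath $prefsPath)) {
        throw "Preferences file not found: $prefsPath"
    }
    $prefs = Get-Content -LiteralPath $prefsPath -Raw | ConvertFrom-Json
    $exceptions = $prefs.profile.content_settings.exceptions.notifications
    if ($null -eq $exceptions) { return @() }

    foreach ($entry in $exceptions.PSObject.Properties) {
        $code  = $entry.Value.setting
        $state = switch ($code) { 1 { 'allow' } 2 { 'block' } default { "other ($code)" } }
        [pscustomobject]@{
            Profile = $ProfileName
            # The key is "<origin>,<secondary pattern>"; keep only the origin.
            Origin  = ($entry.Name -split ',')[0]
            State   = $state
        }
    }
}

# Anything marked "allow" that the user does not recognise is a candidate for
# removal; the FRST fix above cleared this list for the Default profile.
Get-ChromeNotificationPermissions | Sort-Object State, Origin | Format-Table -AutoSize
```

Sites that push ads through notifications rely on the user having clicked "Allow" once on an unrelated page, which is why the helper asked about the list rather than assuming it was malicious; this output gives the user the same list to review in their own browser.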
 
#15 ·
The "StartupCheckLibrary.dll" and "winscomrssrv.dll" signs are gone, thank you! But the Windows Defender/Windows Update problem continues. I thought that when solving this problem the Windows Defender and the Windows Update would work again, but apparently not.
What do you suggest I try?

Thank you very much for your help!
 
#18 ·
Hi Fer13,

Please do this:

---------------------------------------------------
Farbar Recovery Scan Tool - Fix

  • Highlight the contents of the below code box and press Ctrl + C on your keyboard:
    Code:
    Start::
    ExportKey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
    End::
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.
  • Double-click FRST.exe/FRST64.exe to run it.
  • Press the Fix button just once and wait.
    Note: No need to paste the script into FRST.
  • Restart the computer if prompted.
  • When the fix is complete FRST will generate a log in the same location it was run from (Fixlog.txt)
  • Please copy and paste its contents into your reply.

---------------------------------------------------
Farbar Service Scanner

Download Farbar Service Scanner and save it to your desktop.
  • Right-click FSS.exe and select Run as Administrator.
  • Check the following boxes:
    Code:
    Internet Services
    Windows Firewall
    System Restore
    Security Center/Action Center
    Windows Update
    Windows Defender
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.

---------------------------------------------------

In your next reply, please include:
  • Fixlog.txt
  • FSS.txt
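Added example (not code from the thread, from FRST, or from Farbar Service Scanner): a read-only PowerShell health check covering the two symptoms left after the fix, "Windows Defender disappeared" and "Windows Update stopped working". It reports the state of the relevant services, the Defender policy values that can switch the product off, and the contents of the RunOnce key that the ExportKey line in the fix above exports. The service names are the standard Windows 10 ones; which services FSS itself inspects is not stated in the thread and is not claimed here. Run as Administrator.

```powershell
# Added example, not code from the thread, from FRST or from FSS.
# Read-only check of Defender/Windows Update services, Defender policy overrides,
# and the HKCU RunOnce key. Run as Administrator on Windows 10.

# Standard Windows 10 service names (assumption: not taken from the thread).
function Get-SecurityServiceState {
    $services = @(
        'WinDefend',             # Microsoft Defender Antivirus
        'WdNisSvc',              # Defender network inspection
        'SecurityHealthService', # Windows Security app backend
        'wscsvc',                # Security Center
        'wuauserv',              # Windows Update
        'BITS',                  # Background transfer used by Windows Update
        'MpsSvc'                 # Windows Defender Firewall
    )
    foreach ($name in $services) {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        $cim = Get-CimInstance -ClassName Win32_Service -Filter "Name='$name'" -ErrorAction SilentlyContinue
        $status    = if ($svc) { [string]$svc.Status } else { 'MISSING' }
        $startMode = if ($cim) { $cim.StartMode } else { 'n/a' }
        $path      = if ($cim) { $cim.PathName } else { 'n/a' }
        [pscustomobject]@{
            Service   = $name
            Status    = $status     # a MISSING core service is a finding by itself
            StartMode = $startMode  # Disabled on WinDefend/wuauserv explains both symptoms
            Path      = $path       # should point under %SystemRoot% or Program Files
        }
    }
}

# Policy values that turn Defender off regardless of what the user chose.
# Any non-empty value here came from a policy (or something writing as one).
function Get-DefenderPolicyOverrides {
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
    $base = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    $rtp  = Get-ItemProperty -Path "$key\Real-Time Protection" -ErrorAction SilentlyContinue
    [pscustomobject]@{
        DisableAntiSpyware        = $base.DisableAntiSpyware
        DisableRealtimeMonitoring = $rtp.DisableRealtimeMonitoring
    }
}

# The key the FRST fix exports: entries here run once at the next logon.
function Get-RunOnceEntries {
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($null -eq $p) { return @() }
    $p.PSObject.Properties |
        Where-Object { $_.Name -notmatch '^PS(Path|ParentPath|ChildName|Drive|Provider)$' } |
        ForEach-Object { [pscustomobject]@{ Name = $_.Name; Command = $_.Value } }
}

Get-SecurityServiceState   | Format-Table -AutoSize
Get-DefenderPolicyOverrides | Format-List
Get-RunOnceEntries         | Format-Table -AutoSize
```

A Defender service that is absent rather than merely stopped, or a policy value set on a home machine that was never joined to a domain, points at the same kind of tampering the scheduled tasks did, and that is the information a helper needs before prescribing a repair.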
 