When you log in to your Windows computer, the following error message windows may pop up:
RunDLL There was a problem starting StartupCheckLibrary.dll The specified module could not be found.
RunDLL There was a problem starting winscomrssrv.dll The specified module could not be found.
Additionally, you may see the following error:
There was a problem starting StartupCheckLibrary.dll Operation did not complete successfully because the file contains a virus or potentially unwanted software.
The modules StartupCheckLibrary.dll and Winscomrssrv.dll are 100% malicious programs that can steal information from your computer. You do NOT need these files on your computer. The related module
winlogui.exe is a coin miner trojan. These kinds of programs come with illegal/cracked computer software and video games.
This malware can disable the Microsoft Defender anti-virus and perform other configuration changes on the computer. The script (
maintenance.vbs) will drop the coin miner trojan named winlogui.exe in the
Windows\System32 folder and then do a cleanup of all malicious files (
In some cases, the Microsoft Defender security options may turn blank and only display the “Security at glance” message after infection. Refer to the article Windows Defender Service Missing; Security at a glance page is Empty.
The malware files run at startup via scheduled tasks instead of the regular startup locations in the registry or Startup folder.
The modules StartupCheckLibrary.dll and Winscomrssrv.dll have the “Microsoft Corporation” name in the DLL properties. But these are fake and unsigned modules that try to pose as legitimate Microsoft files.
Copyright: © Microsoft Corporation. All rights reserved. Product: Microsoft® Windows® Operating System Description: Startup Check Library DLL Original Name: StartupCheckLibrary.dll File Version 10.0.16299.15 Copyright: Microsoft Corporation. All rights reserved. Product Name: Microsoft Windows Operating System Description: winscomrssrv Original Name: winscomrssrv.dll FileVersion: 10.0.16299.15
(Malwarebytes anti-virus classifies these types of files as Trojan.FakeMS)
Microsoft Defender may successfully thwart the attack. Trojan:Win32/Tiggre!plock is the name that Microsoft has assigned to the trojan. Here’s an instance where Microsoft Defender antivirus has successfully blocked the modules
Fix: StartupCheckLibrary.dll and Winscomrssrv.dll Error at Startup
Even if Microsoft Defender has successfully eliminated or quarantined the malware files, it’s advisable to run a thorough scan using a third-party scanner like Malwarebytes Antimalware (free) and perhaps with Malwarebytes Anti Rookit.
A thorough scan with updated definition files should eliminate all traces of the malware from the file system and the registry.
Here are some of the important items that would be cleared:
- Microsoft\Windows\Wininet\Winlogui => winlogui.exe
- Microsoft\Windows\WDI\SrvHost => rundll32.exe winscomrssrv.dll,SrvMainHost
- Microsoft\Windows\Application Experience\StartupCheckLibrary => rundll32.exe StartupCheckLibrary.dll,DllMainRunLibrary
- Microsoft\Windows\Windows Error Reporting\winrmsrv => winrmsrv.exe
- winlogui.exe (Coinminer.MALXMR)
- winrmsrv.exe (Application.CoinMiner)
- winscomrssrv.dll (Trojan.Generic)
- StartupCheckLibrary.dll (Trojan.Generic)
Want to Delete the Tasks and Files manually?
In case you want to delete the scheduled tasks manually, you can do so using Task Scheduler.
- Open Task Scheduler.
- Expand “Task Scheduler Library”
- Expand Microsoft → Windows → Wininet. Delete the Winlogui task.
- Similarly, delete the other three tasks (
winrmsrv) from the branches below:
- Microsoft → Windows → WDI → Delete SrvHost
- Microsoft → Windows → Application Experience → Delete StartupCheckLibrary
- Microsoft → Windows → Windows Error Reporting → Delete winrmsrv
- Quit Task Scheduler.
Optionally, you can use Microsoft Sysinternals’s Autoruns utility to delete these entries.
Once done, restart Windows and re-run a thorough scan for malware.
I hope the startup errors relating to StartupCheckLibrary.dll and Winscomrssrv.dll are now resolved.