Hi, new here....

Wondering if anyone else has seen these, and what the seriousness level of these is :

This is from the initial scan performed during installation :

Application.Win32.NirCmd.~A(ID =0x66d829) Location C:\Windows\nircmd.exe
Unknown Malware (Dirty) (ID = 0x23f9a) - This second one actually shows up 18 times, with a different ID for each, and is related, in every instance, to WinRAR.

I went ahead and deleted all, So I guess I’ll see if it ends up being a problem…

Hi Spewk, welcome to the forums.

NirCmd (by Nirsoft) is considered an unsafe application (mainly since it can allow the execution of remote commands & is used/deployed by some Malware). In itself, NirCmd is neither infected nor dangerous. So, it’s a risk (like PsKill.exe)… not directly dangerous, but can be indirectly so. I believe nircmd.exe is also deployed (installed) by some legitimate applications. The only other thing of note is that Nirsoft do not (as far as I know) deploy NirCmd in a RAR file. That’s a little suspicious.

I’m not sure about the second entry “Unknown Malware (Dirty)”. Any filename with that?

[i]edit

PS NirCmd is only found in C:\Windows\ to allow remote execution. By default, NirSoft doesn’t do that & I’m not aware of any legitimate deployments like that either. If you didn’t install NirCmd yourself, then removing it is a good call.[/i]

Thank you for the quick and informative response, but I clearly was not clear enough in my first post - The entry for nircmd.exe has nothing to do with the following 18 entries that are related to WinRAR.

“I’m not sure about the second entry “Unknown Malware (Dirty)”. Any filename with that?”

Apparently not that I can recover from the logs… The scan was run during install, and it would seem it doesn’t save THAT information to a log file (though it really should, in my opinion).
I can tell you that it related to accounts and user settings, all in regard to WinRAR, at some location or another ( user profiles, etc…)
But as for the details, they’re just lost.

Ah, sorry my bad. The other alerts related to the WinRAR installation itself? Sorry to ask this: Is the WinRAR installation… you know… legitimate? :slight_smile:

I agree that the Log should be more informative. Which version of CIS are you using?

Also, check CIS’s Quarantined Items (AV tab). By default, I think CIS quarantines all that it encounters.

“Sorry to ask this: Is the WinRAR installation… you know… legitimate? Smiley”

Well, uh, not entirely sure (gotta be careful what I say here, don’t want to violate any forum rules, lol)
So the safest answer is probably “no”…

It was part of a slipstreamed XP installation, SP3, so I guess if these are the only things that popped up then things can’t be too bad …ha ha watch me jinx myself in open forum ( errrr…)

Indeed. Sorry, had to ask. :frowning: Well, a slipstreamed XP-SP3 installation doesn’t sound that bad… depending on where you got it from, of course. But, obviously, a suspect installation of WinRAR is clearly possible. I believe there are quite a few infected WinRAR installations floating around the Net.

I assume that your current installation of WinRAR is now well & truly broken (thanks to CIS)?

Did you find anything in CIS’s Quarantined Items?

No, the WinRAR isn’t even dented, let alone broken…
And nothing exists in the Quarantine list, empty as Jessica Simpson’s head…

So, what CIS removed wasn’t actually part of the WinRAR installation. When you said…

… what gave you the indication that the alerts were related to WinRAR? Was the WinRAR installation directory path displayed in the alerts or were these actual .RAR (.R00, .R01, etc…) files?

All I can do now, of course, is do a search for folders that still exist ( And, honestly, I couldn’t tell you if these folders are the same ones that showed up in the scan )

C:\Documents and Settings\All Users\Start Menu\Programs\WinRAR

Now that I type that, I DO remember there being other folders somewhere within C:\Windows… that no longer appear with the name “WinRAR” contained in them.

Sorry, just can’t duplicate it at this point. Logging needs to be enabled during installation, and it’s not - couldn’t there be a logger that runs during installation and then parses the report to the program after reboot ?

I must admit, I previously thought that CIS’s AV scan, following the installation, was logged in the normal way… or, at least, I thought previous versions did (it’s been awhile since I ran the scan on install). Which version of CIS do you have?

However, that doesn’t really help & you’re right. Although… there is a possible course of action if you felt particularly brave and/or inquisitive… depending on your OS, you may have a valid System Restore point from before CIS’s installation (and subsequent file removals). You could go back to that… re-install CIS, manually save the scan report (I think it has that option) and quarantine, rather than remove, the suspects.

I have Version 3.8.65951.477
Signature database : 1127

No restore points as this is a fresh, clean install of Windows forced upon me by the ■■■■■■ “reader_s” virus.