
joepwpb
Premium
join:2000-12-15
West Palm Beach, FL

Norton Power Eraser Findings

Norton Power Eraser found 5 unknown files it cannot identify and I am not sure if I should take the Fix option. Does anyone recognize these files??

Threat Details
File Location
File:c:\windows\assembly\nativeimages1_v1.1.4322\mscorlib\1.0.5000.0__b77a5c561934e089_cf3b1c90\mscorlib.dll
____________________________
Threat Details
File Location
File:c:\windows\assembly\nativeimages1_v1.1.4322\system.windows.forms\1.0.5000.0__b77a5c561934e089_f0629595\system.windows.forms.dll
____________________________
Threat Details
File Location
File:c:\windows\assembly\nativeimages1_v1.1.4322\system.xml\1.0.5000.0__b77a5c561934e089_f8347c67\system.xml.dll
____________________________
Threat Details
File Location
File:c:\windows\assembly\nativeimages1_v1.1.4322\system\1.0.5000.0__b77a5c561934e089_6c5976ef\system.dll
________________________________________________________
Threat Details
File Location
File:c:\windows\assembly\nativeimages1_v1.1.4322\system.drawing\1.0.5000.0__b03f5f7f11d50a3a_3f4a0b39\system.drawing.dll

I navigated to C:\windows\assembly but did not find the "native images" folder. I searched the drive for one of the files, mscorlib.dll, and found it in several Microsoft.net folders. I then checked it at Virustotal and it was clean.

Any ideas??

Joe P


norwegian
Premium
join:2005-02-15
Outback


NET Framework files for version 1.1.4322



joepwpb
Premium
join:2000-12-15
West Palm Beach, FL

said by norwegian:

NET Framework files for version 1.1.4322

Please elaborate.

Thanks

Joe P

redwolfe_98
Premium
join:2001-06-11
kudos:1
Reviews:
·Time Warner Cable

1 edit

said by joepwpb:

Please elaborate

from what norwegian posted, they are "microsoft"-files, used by microsoft's "NETFramework 1.x"


joepwpb
Premium
join:2000-12-15
West Palm Beach, FL

said by redwolfe_98:

said by joepwpb:

Please elaborate

they are "microsoft"-files, used by microsoft's "NETFramework 1.x"

Yes I do understand that part but I failed to be more precise in asking if ALL of the files belong to .net framework and are legitimate.

Joe P

redwolfe_98
Premium
join:2001-06-11
kudos:1

i would just assume that the files are OK..

you said you uploaded one of the files to "virustotal".. if you are concerned about the other ones, i suppose you could upload those to "virustotal" as well..



norwegian
Premium
join:2005-02-15
Outback
reply to joepwpb

To start with, you could either scan at VirusTotal or check the md5 checksum. Something like this:

»systemexplorer.net/file-database···18348596

There are a few sites that specifically list files/checksums. I'm not sure if Process explorer can check image paths by using the crl.microsoft database. There may be other ways to check a file's authenticity too.
--
The only thing necessary for the triumph of evil is for good men to do nothing - Edmund Burke



therube

join:2004-11-11
Randallstown, MD
Reviews:
·Comcast
·Verizon Online DSL

Just what is it that Norton Power Eraser proposes to do with those files?
(Just what is Norton Power Eraser?)

You could post the (MD5 should be sufficient) hashes & sizes of those files, & the OS you're running & others could compare your findings to what they have for similar. (Suspect there would be a lot of "me too's".)


dsilvers

join:2009-05-17
Canyon Lake, TX

1 edit
reply to joepwpb

said by joepwpb :
I navigated to C:\windows\assembly but did not find the "native images" folder. I searched the drive for one of the files, mscorlib.dll, and found it in several Microsoft.net folders. I then checked it at Virustotal and it was clean.

A quick check of W7X64 did not reveal the files at the path you posted. The file names are legitimate and I have all five but not at the /native images path which does not exist on this install. In fact I have multiple copies of all five file names with different MD5's with different paths. I have 28 instances of mscorlib.dll with different paths and different sizes, some signed by Microsoft, some not. I get similar results for XPx32. Perhaps someone could check a Windows 8 install for you.

A file can be named anything so scanning a file at a different path is fruitless. I am also unfamiliar with Norton Power Eraser. Does it want to remove these files? Maybe ask at Norton!

Edit:

said by Norton :
Because Norton Power Eraser uses aggressive methods to detect threats, there is a risk that it can select some legitimate programs for removal. You should use this tool very carefully. If you accidentally remove a legitimate program, you can run Norton Power Eraser to review past repair sessions and undo them.
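
Added example, not part of any post in this thread: a Python sketch of the check therube and dsilvers describe, taking the size and MD5 of the exact flagged path and comparing it with every same-named file under a search root, so it is clear which copies are the same bytes and which only share a name. The function names and the sample tree built in `demo()` are constructed for illustration.

```python
import hashlib
import os
import sys
import tempfile

def fingerprint(path, chunk=1 << 20):
    """Return (size, md5, sha256) of the file's bytes, read in chunks."""
    md5, sha256, size = hashlib.md5(), hashlib.sha256(), 0
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            md5.update(block)
            sha256.update(block)
            size += len(block)
    return size, md5.hexdigest(), sha256.hexdigest()

def compare_same_name(flagged_path, search_root):
    """Return (flagged_fp, rows); a row is (path, size, md5, same_bytes)."""
    flagged_fp = fingerprint(flagged_path)
    wanted = os.path.basename(flagged_path).lower()  # Windows names ignore case
    flagged_real = os.path.realpath(flagged_path)
    rows = []
    for dirpath, _dirs, files in os.walk(search_root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.lower() != wanted or os.path.realpath(path) == flagged_real:
                continue  # different name, or the flagged file itself
            try:
                size, md5, sha256 = fingerprint(path)
            except OSError:
                continue  # locked or unreadable copy
            # same_bytes is decided on SHA-256; MD5 is kept for posting/comparing
            rows.append((path, size, md5, sha256 == flagged_fp[2]))
    return flagged_fp, sorted(rows)

def demo():
    """Constructed sample tree: one name, three paths, two different contents."""
    root = tempfile.mkdtemp()
    for sub, data in (("flagged", b"AAAA"), ("copy", b"AAAA"), ("other", b"BBBBBB")):
        os.makedirs(os.path.join(root, sub))
        with open(os.path.join(root, sub, "mscorlib.dll"), "wb") as fh:
            fh.write(data)
    return compare_same_name(os.path.join(root, "flagged", "mscorlib.dll"), root)

if __name__ == "__main__":
    # Usage: script.py <flagged file> <root to search>; no arguments runs the demo
    fp, rows = compare_same_name(*sys.argv[1:3]) if len(sys.argv) > 2 else demo()
    print("flagged  ", fp[0], fp[1])
    for path, size, md5, same in rows:
        print("identical" if same else "DIFFERENT", size, md5, path)
```

Only a copy reported as identical tells you anything about the flagged file; a clean scan of a different-hash copy at another path does not.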



Phoenix22
Death From Above
Premium
join:2001-12-11
SOG C&C Nrth
Reviews:
·Comcast Formerl..

1 recommendation

reply to therube

or you could open them up in the registry..........that should ID the source 4ya........when you discover they are relevant files....... put them in the ignore pile..........that way you won't suffer heart failure every time symantec's antics concern you.....imho......of course.....or ......ask name game......he'll know more
--
101ST ABN Div. (AirAssault) "Rendezvous With Destiny!" "Night Stalkers/Phoenix Flight" For Buddy...who lived it! Whiskey for my men and beer for my horses! H.A.L.O!, 5th Grp., MACV SOG, 160TH AVN SOG, Death From Above, VFW, AmLegion



joepwpb
Premium
join:2000-12-15
West Palm Beach, FL
reply to joepwpb

Thanks everyone for the input...

The System in question was a Win XP Home SP3 and the Norton Power Eraser detected those files but did not recognize them and there was an option to check them "in the cloud" which I did and it found nothing.

I chose to ignore the findings considering all of the other scans I ran which detected nothing after I removed the "XP Scareware"

For those who are not familiar with NPE:

Norton Power Eraser

Eliminates deeply embedded and difficult to remove crimeware that traditional virus scanning doesn't always detect.


»security.symantec.com/nbrt/overview.aspx?

Thanks again, all !!!

Joe P



Snowy
Premium
join:2003-04-05
Kailua, HI
kudos:6
Reviews:
·Clearwire Wireless
·Time Warner Cable

2 recommendations

reply to Phoenix22

said by Phoenix22:

or you could open them up in the registry..........

IMO, whenever a solution involves regedit the downside should be mentioned.

"Using Registry Editor incorrectly can cause serious, system-wide problems that may require you to re-install Windows to correct them."
Use this tool at your own risk.


This has nothing to do with the OP & everything to do about the anon noob stumbling into the thread.


jaykaykay
4 Ever Young
Premium,MVM
join:2000-04-13
USA
kudos:24
Reviews:
·Cox HSI
·Speakeasy
reply to therube

said by therube:

(Just what is Norton Power Eraser?)

»security.symantec.com/nbrt/npe.aspx

redwolfe_98
Premium
join:2001-06-11
kudos:1
Reviews:
·Time Warner Cable

1 edit
reply to joepwpb

said by joepwpb:

I navigated to C:\windows\assembly but did not find the "native images" folder.

I searched the drive for one of the files..

when using windows "search", to search for files on your computer, there are options that can be used, like "search system files", "search hidden files and folders" and "search subfolders"..

to adjust the settings for "search", after you have opened "search" and clicked "all files and folders", look at "more advanced options" and enable "search system files", "search hidden files and folders" and "search subfolders".. then the search-results will include hidden files and folders..

in my experience, you can access the hidden files from within the search-results even though they otherwise would be hidden..

also, you can adjust windows explorer's "folder view settings" so that, then, hidden files and folders will be accessible.. there are two settings options for that.. one is "show hidden files and folders" and the other is to disable "hide protected operating system files"..

to adjust the folder-view-settings, in order to show hidden files and folders, with "explorer" open, go to "tools"/"options"/"view" and adjust the settings, there..

if you wanted to access the hidden "NativeImages1_v1.1.4322" folder, you could try just enabling "show hidden files and folders", without disabling "hide protected operating system files".. if that doesn't work, then you could try (temporarily) disabling "hide protected operating system files"..

i have always enabled "show hidden files and folders", because it enables access to hidden files and folders, which i want to have.. however, i don't normally have "hide protected operating system files" disabled..

after fooling around with windows explorer's "folder view settings", see if you then are able to access the files within the hidden "NativeImages1_v1.1.4322" folder..

just for your information, in my experience, using windows "search", to search for files and folders, will not include searching within the "dllcache" folder, at "c:\windows\system32\dllcache", even when the search-option for "search hidden files and folders" is enabled, not unless "hide protected operating system files", in windows explorer's "folder view settings", is disabled..

i will mention that, a couple of times, i have run across files that were flagged by antimalware-programs that were not visible even when "show hidden files and folders" was enabled and "hide protected operating system files" was disabled..

the "c:\windows\assembly\nativeimages1_v1.1.4322\" folder belongs to microsoft's "NETFramework 1.1" and, so, i would assume that the files within the folder are OK..


Phoenix22
Death From Above
Premium
join:2001-12-11
SOG C&C Nrth
reply to Snowy

my advice was 2look.......not change.............



Snowy
Premium
join:2003-04-05
Kailua, HI
kudos:6
Reviews:
·Clearwire Wireless
·Time Warner Cable

said by Phoenix22:

my advice was 2look.......not change.............

Yes, I was aware of that however advice was not limited to editing the registry, it was about
"involves regedit"
which I intended to be seen as anything involved with regedit, which would include only lookin'