Jump to content

Nativeimages?


mapmap
 Share

Recommended Posts

I restored the files, but now Malwarebytes can't find them and I read that restored files can be detected again by Malwarebytes if they're infected. Also "C:\Windows\assembly" is full of files which cannot be copied, but does those files redirect to "C:\Windows\Microsoft.NET\Framework" and "C:\Windows\Microsoft.NET\Framework64" which have some of the previously detected files with similar names? 

 

assembly.png.4398bd4b840fb7788d5314ec0ed0ed1b.png

Link to post
Share on other sites

  • Staff

Ahh yes, I forgot about that. The assembly folder is a bit special lol..
Windows explorer does not display files in the assembly folder like other folders.
We'll have to grab some copies using good ole cmd.
If you are unsure of the instructions, please let me know before proceeding.

Create a folder in c:\ and name it "test" (let's use this name so the below works as I want it to)
In the search box by your start menu, search for cmd
Once results show, right click the cmd.exe result and click "run as administrator".
OK the UAC prompt if you get one.
Copy the following lines one at a time from inside the code box  into the cmd box (have to hilight the text, right click, select copy, right click in cmd box, select paste) and hitting enter after each line:

cd C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MICROSOFT.WSMAN.MAN#\6DFD24D01FB18FEFF9E2019EF8A4EC76

copy MICROSOFT.WSMAN.MANAGEMENT.NI.DLL c:\test

cd C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.CONFIGURATIO#\F0B751CC18E18C5FF975FF463CEDC829

copy SYSTEM.CONFIGURATION.INSTALL.NI.DLL c:\test

Note any error messages if any. (screenshots work great for this)
Close the cmd window.
Once you have done that, go back to the test folder, zip up those 2 files and attach them here.
You can delete those files after if you like, keep the test folder for now in case we need more files from the log you provided.

Thanks!

Link to post
Share on other sites

When I copied those files with cmd prompt (thanks), I did scan them again and it gave me same detections. Afterwards I deleted all those 10 detected files using cmd prompt, and so far I haven't gotten any OS, software or game errors. So I guess it was OK to delete them? :D

Link to post
Share on other sites

  • Staff

If you mean delete the files out of the original location (out of the assembly\....\ folder, no.. don't delete them. They are part of your .NET install. 
If you mean, the files you copied to "test" using cmd, yes, you can delete those.
Let's try this:

Shut down Malwarebytes by right clicking icon by the clock and choose "shutdown Malwarebytes"
(OK UAC prompt and prompt from MBAM if asked)

Open cmd again (search menu>> search for cmd>> right click and run as admin).
Copy/paste the following lines one at a time into cmd and hit enter after each one:

 cd C:\ProgramData\Malwarebytes\MBAMService
del hubblecache

exit cmd

Once done, restart Malwarebytes and re-scan. You can just double click the desktop shortcut to get it going again.
Yes it will take a moment to restart and if you look, hubblecache will be back.. just replaced with a fresh one.
If you don't want to wait the 2+ hours to scan, go ahead and scan the C:\Windows\Assembly folder itself.

Let me know how it goes.

Thanks!

Link to post
Share on other sites

I did delete them from the "C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\" path 😅 Didn't want to have those possible threads chillin' in my hard drive. But as I said earlier I haven't noticed any errors so far.

Would it be possible to reinstall/fix .NET Framework if I run into trouble/errors by using "Turn Windows features on or off" or sfc /scannow?

Link to post
Share on other sites

  • Staff

Those sub directories in the assembly folder have many versions of .NET files from multiple versions of .NET. Perhaps you don't see any errors now but I wouldn't be all that surprised if something pops up later on. 
Those files are legit. Something in our heuristics detected them. I suspect the issue has already been fixed.
I'm not sure which version you would need to re-install. Let me see if I can find someone else to pop in to have a look here.
Don't delete anything else ...

Link to post
Share on other sites

Ya, I hear you, It's possible I just haven't used a software yet which utilizes .NET 2.0(?).

I definitely got the detection multiple times though. Once in "C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\..." and once in "C:\test\" after I copied those couple files into it.

Link to post
Share on other sites

  • Staff

Decent chance that next time you run a program that requires the old .NET you will likely be offered to re-install it. (if anything is using such an old version)

In any case, I just realised you are running an older version of MBAM itself. 
-Software Information-
Version: 4.1.2.73
We are currently at 4.3.0.98 which should fix the issues with those files.
If you are not already being prompted to update, open MBAM >> click the gear looking button at top right>> click "check for updates". Follow instructions for installing the updates.
You may be required to reboot.
Should be good to go after that.

 

Link to post
Share on other sites

  • Staff

Did you delete the files from recycle bin that were in the test folder? If they are still in the trash, can you restore them back to the test folder, rescan that folder and post the new log here please.

If you already emptied the trash, then you can go ahead and delete the test folder we made too. As long as everything is running OK, we won't need that folder any more.

Thanks!

Link to post
Share on other sites

  • 6 months later...

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share

  • Recently Browsing   0 members

    No registered users viewing this page.

Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.