Suspicious log file


autobotranger

I just ran a custom full scan as admin with Eset Nod32 Antivirus 9.0.408.1 and found something different in the log file after the scan had been completed. The scanning also took an additional 10 minutes which I found odd.

It is the "deobfuscated.exe" and "SMARTASSEMBLY" parts I'm especially concerned with as I have never seen these appear in the log before.

Any ideas? :(

EDIT** I neglected the golden rule of mentioning which OS my system has installed. I'm running with Windows 7 Home Premium 64-bit on this machine.

After calming down a little and looking at the log file, it seems like this is coming from the video game "Painkiller Hell & Damnation" folder?

Log file:

Log
Scanningslog
Version af virussignaturdatabase: 15161 (20170328)
Dato: 28-03-2017  Klokkeslæt: 12:54:50
Scannede diske, mapper og filer: Hukommelse (RAM);Bootsektor;C:\Bootsektor;C:\;D:\Bootsektor;D:\;E:\Bootsektor;E:\;G:\Bootsektor;G:\
MBR-sektor for 2. fysisk disk - fejl ved åbning af  [4]
C:\hiberfil.sys - fejl ved åbning af  [4]
C:\pagefile.sys - fejl ved åbning af  [4]
C:\System Volume Information\{069313ea-095d-11e7-8a6f-d8cb8ac74018}{3808876b-c176-4e48-b7ae-04046e6cc752} - fejl ved åbning af  [4]
C:\System Volume Information\{06931447-095d-11e7-8a6f-d8cb8ac74018}{3808876b-c176-4e48-b7ae-04046e6cc752} - fejl ved åbning af  [4]
C:\System Volume Information\{3808876b-c176-4e48-b7ae-04046e6cc752} - fejl ved åbning af  [4]
C:\System Volume Information\{4cf8617d-13a4-11e7-a2de-d8cb8ac74018}{3808876b-c176-4e48-b7ae-04046e6cc752} - fejl ved åbning af  [4]
C:\System Volume Information\{5bffe9fc-fdcd-11e6-a182-d8cb8ac74018}{3808876b-c176-4e48-b7ae-04046e6cc752} - fejl ved åbning af  [4]
C:\System Volume Information\{7f9dd97d-0e3b-11e7-aff8-d8cb8ac74018}{3808876b-c176-4e48-b7ae-04046e6cc752} - fejl ved åbning af  [4]
C:\System Volume Information\{b67727fd-10a5-11e7-a9b9-d8cb8ac74018}{3808876b-c176-4e48-b7ae-04046e6cc752} - fejl ved åbning af  [4]
C:\System Volume Information\{b78b23fc-0347-11e7-b497-d8cb8ac74018}{3808876b-c176-4e48-b7ae-04046e6cc752} - fejl ved åbning af  [4]
C:\Windows\assembly\GAC_MSIL\System.Data.SqlXml\2.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll » SMARTASSEMBLY » deobfuscated.exe - handlingen kan ikke udføres
C:\Windows\Installer\25e0a.msi » MSI » media1.cab » CAB - fejl ved læsning af arkiv
C:\Windows\Microsoft.NET\Framework\v2.0.50727\System.Data.SqlXml.dll » SMARTASSEMBLY » deobfuscated.exe - handlingen kan ikke udføres
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\System.Data.SqlXml.dll » SMARTASSEMBLY » deobfuscated.exe - handlingen kan ikke udføres
C:\Windows\winsxs\amd64_netfx-system.data.sqlxml_b03f5f7f11d50a3a_6.1.7601.17514_none_141b1b1223b1ada7\System.Data.SqlXml.dll » SMARTASSEMBLY » deobfuscated.exe - handlingen kan ikke udføres
C:\Windows\winsxs\amd64_netfx-system.data.sqlxml_b03f5f7f11d50a3a_6.1.7601.18523_none_141c340a23b0aa84\System.Data.SqlXml.dll » SMARTASSEMBLY » deobfuscated.exe - handlingen kan ikke udføres
C:\Windows\winsxs\amd64_netfx-system.data.sqlxml_b03f5f7f11d50a3a_6.1.7601.18529_none_141bab5a23b1444a\System.Data.SqlXml.dll » SMARTASSEMBLY » deobfuscated.exe - handlingen kan ikke udføres
C:\Windows\winsxs\amd64_netfx-system.data.sqlxml_b03f5f7f11d50a3a_6.1.7601.19091_none_1423663a23aa2435\System.Data.SqlXml.dll » SMARTASSEMBLY » deobfuscated.exe - handlingen kan ikke udføres
C:\Windows\winsxs\amd64_netfx-system.data.sqlxml_b03f5f7f11d50a3a_6.1.7601.22733_none_fd4f8d703d572432\System.Data.SqlXml.dll » SMARTASSEMBLY » deobfuscated.exe - handlingen kan ikke udføres
C:\Windows\winsxs\amd64_netfx-system.data.sqlxml_b03f5f7f11d50a3a_6.1.7601.22740_none_fd50d2123d55f0a6\System.Data.SqlXml.dll » SMARTASSEMBLY » deobfuscated.exe - handlingen kan ikke udføres
C:\Windows\winsxs\amd64_netfx-system.data.sqlxml_b03f5f7f11d50a3a_6.1.7601.23290_none_fd55d61e3d516aeb\System.Data.SqlXml.dll » SMARTASSEMBLY » deobfuscated.exe - handlingen kan ikke udføres
C:\Windows\winsxs\msil_system.data.sqlxml_b77a5c561934e089_6.1.7601.17514_none_05d4965a61a326fa\System.Data.SqlXml.dll » SMARTASSEMBLY » deobfuscated.exe - handlingen kan ikke udføres
C:\Windows\winsxs\msil_system.data.sqlxml_b77a5c561934e089_6.1.7601.18523_none_05d5af5261a223d7\System.Data.SqlXml.dll » SMARTASSEMBLY » deobfuscated.exe - handlingen kan ikke udføres
C:\Windows\winsxs\msil_system.data.sqlxml_b77a5c561934e089_6.1.7601.18529_none_05d526a261a2bd9d\System.Data.SqlXml.dll » SMARTASSEMBLY » deobfuscated.exe - handlingen kan ikke udføres
C:\Windows\winsxs\msil_system.data.sqlxml_b77a5c561934e089_6.1.7601.19091_none_05dce182619b9d88\System.Data.SqlXml.dll » SMARTASSEMBLY » deobfuscated.exe - handlingen kan ikke udføres
C:\Windows\winsxs\msil_system.data.sqlxml_b77a5c561934e089_6.1.7601.22733_none_ef0908b87b489d85\System.Data.SqlXml.dll » SMARTASSEMBLY » deobfuscated.exe - handlingen kan ikke udføres
C:\Windows\winsxs\msil_system.data.sqlxml_b77a5c561934e089_6.1.7601.22740_none_ef0a4d5a7b4769f9\System.Data.SqlXml.dll » SMARTASSEMBLY » deobfuscated.exe - handlingen kan ikke udføres
C:\Windows\winsxs\msil_system.data.sqlxml_b77a5c561934e089_6.1.7601.23290_none_ef0f51667b42e43e\System.Data.SqlXml.dll » SMARTASSEMBLY » deobfuscated.exe - handlingen kan ikke udføres
Bootsektor for disk D: - fejl ved åbning af  [4]
D:\ - fejl ved åbning af  [4]
E:\Video Games\Steam 2\steamapps\common\Painkiller Hell & Damnation\Binaries\Redist\dotNetFx40_Full_x86_x64.exe » 7ZIP » netfx_Core.mzz » CAB » system_data_sqlxml_dll_amd64 » SMARTASSEMBLY » deobfuscated.exe - handlingen kan ikke udføres
Bootsektor for disk G: - fejl ved åbning af  [4]
G:\ - fejl ved åbning af  [4]
Antal scannede objekter: 799343
Antal trusler fundet: 0
Tidspunkt for fuldførelse: 13:20:48  Samlet scanningstid: 1558 sek. (00:25:58)

Bemærkninger:
[4] Objekt kan ikke åbnes. Det er muligvis i brug af et andet program eller operativsystem.

Edited by autobotranger

Administrators

If those files didn't appear in logs before, it could be that they didn't exist before or unpacking of SmartAssembly stuff has been added or adjusted recently. What does the error say in English?

Thank you so much for the swift reply :)

"Handlingen kan ikke udføres" is Danish and can be translated to "The action can not be executed".

Edited by autobotranger

Instead of using a screenshot I should have included a copy-and-paste of the log file. That'll likely make things easier to investigate.

Updating my first post as well with the same log.

Edited by autobotranger

Appears the game mfgr. is protecting his source code by obfuscating it. I assume you installed the game software?

You can submit deobfuscated.exe to VirusTotal for a scan and see if any of the AV scanners there detect anything. 

I installed the game via Steam quite a long time ago, which is why I find these new inclusions in the scan log to be so odd. That, and Nod32 suddenly takes an additional 10 minutes to complete a system scan.

The issue is that I cannot seem to actually locate "deobfuscated.exe" as a file, so I'm not entirely certain how I would submit it to VirusTotal.

2 hours ago, autobotranger said:

The issue is that I cannot seem to actually locate "deobfuscated.exe" as a file, so I'm not entirely certain how I would submit it to VirusTotal.

C:\Windows\assembly\GAC_MSIL\System.Data.SqlXml\2.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll » SMARTASSEMBLY » deobfuscated.exe

Look in the above underlined directory for it and anything called SMARTASSEMBLY. Also note the date System.Data.SqlXml.dll was modified.

1 hour ago, itman said:

C:\Windows\assembly\GAC_MSIL\System.Data.SqlXml\2.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll » SMARTASSEMBLY » deobfuscated.exe

Look in the above underlined directory for it and anything called SMARTASSEMBLY. Also note the date System.Data.SqlXml.dll was modified.

When I type the underlined "C:\Windows\assembly\GAC_MSIL\System.Data.SqlXml\2.0.0.0__b77a5c561934e089" from your post into the file explorer it doesn't give me any results at all.

However, if I manually navigate from the C:\ Drive, click on the Windows folder, find the folder titled "assembly" I'm getting the list pictured in screenshot 1.

If I manually navigate from the C:\ Drive, click on the Windows folder, find the folder titled "Microsoft.NET", then from within that the folder titled "assembly" I see 3 folders titled "GAC-32", "GAC_64" and "GAC_MSIL". In the folder GAC_MSIL there is a folder titled "System.Data.SqlXml" which then contains a folder titled "v4.0_4.0.0.0__b77a5c561934e089" which contains the file "System.Data.SqlXml.dll" pictured in screenshot 2.

Is this where I need to be looking for SMARTASSEMBLY and the date for System.Data.SqlXml.dll, or am I doing it completely wrong? It's been a long day, so please forgive me :(

[Attachments: screenshot 1 (1.png), screenshot 2 (2.png)]

2 hours ago, autobotranger said:

When I type the underlined "C:\Windows\assembly\GAC_MSIL\System.Data.SqlXml\2.0.0.0__b77a5c561934e089" from your post into the file explorer it doesn't give me any results at all.

It exists on my PC. See the below screen shot. Also your Eset log entry states the directory exists.

I believe what the Eset log is showing is that it found a reference to deobfuscated.exe that is contained within SMARTASSEMBLY which is in turn part of System.Data.SqlXml.dll. If this is the case, then you can't extract deobfuscated.exe.

This is the reason I asked you to check the file properties for System.Data.SqlXml.dll to determine if it was recently modified. My version is the same w/o changes since it was installed by the Win 10 ver. 1607 upgrade. See the second screen shot.

[Attachments: Eset_Assmbly.png, Eset_SqlXml.png]

Edited by itman
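To make the reading of the log above concrete, here is an added PowerShell example; it is not code from the thread and not an ESET tool. It splits each scan-log entry into the file that actually exists on disk, the chain of unpacker/emulator layers ESET reported inside it (the »-separated names), and the status text. The sample lines are constructed from the log posted in this thread; the function and variable names are my own, and Windows PowerShell 3.0 or later is assumed.

```powershell
# Added example, not code from the thread or from ESET. Splits ESET scan-log entries
# into the on-disk file, the nested layers reported inside it, and the status text.
# Assumes Windows PowerShell 3.0+. Save as UTF-8 with BOM so the » separator and the
# Danish characters are read correctly.

# Constructed sample: a few lines taken from the log posted in the thread.
$sampleLog = @'
C:\hiberfil.sys - fejl ved åbning af  [4]
C:\Windows\Installer\25e0a.msi » MSI » media1.cab » CAB - fejl ved læsning af arkiv
C:\Windows\Microsoft.NET\Framework\v2.0.50727\System.Data.SqlXml.dll » SMARTASSEMBLY » deobfuscated.exe - handlingen kan ikke udføres
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\System.Data.SqlXml.dll » SMARTASSEMBLY » deobfuscated.exe - handlingen kan ikke udføres
E:\Video Games\Steam 2\steamapps\common\Painkiller Hell & Damnation\Binaries\Redist\dotNetFx40_Full_x86_x64.exe » 7ZIP » netfx_Core.mzz » CAB » system_data_sqlxml_dll_amd64 » SMARTASSEMBLY » deobfuscated.exe - handlingen kan ikke udføres
E:\Video Games\Steam 2\steamapps\downloading\440\_CommonRedist\DirectX\Jun2010\JUN2008_d3dx9_38_x64.cab » CAB » infinst.exe - arkivet er beskadiget - filen kunne ikke pakkes ud.
'@

function ConvertFrom-EsetScanLine {
    param([Parameter(Mandatory = $true)][string]$Line)

    # The status text follows the first " - " after the last layer separator, so a
    # status that itself contains " - " (the damaged-archive message) stays intact.
    $lastSep    = $Line.LastIndexOf(' » ')
    $searchFrom = if ($lastSep -ge 0) { $lastSep + 3 } else { 0 }
    $cut        = $Line.IndexOf(' - ', $searchFrom)
    if ($cut -lt 0) { return $null }               # header, footer or notes line

    $chain  = $Line.Substring(0, $cut) -split ' » '
    $layers = if ($chain.Count -gt 1) { $chain[1..($chain.Count - 1)] } else { @() }

    [pscustomobject]@{
        DiskPath  = $chain[0]                      # the only element that exists as a file
        Layers    = @($layers)                     # unpackers/emulators applied, outermost first
        Innermost = $chain[-1]                     # what the status text is about
        Nested    = ($chain.Count -gt 1)           # $true: the object lives inside another object
        Status    = $Line.Substring($cut + 3).Trim()
    }
}

function Get-EsetLogEntries {
    param([Parameter(Mandatory = $true)][string]$Text)
    $Text -split "`r?`n" |
        Where-Object { $_.Trim() } |
        ForEach-Object { ConvertFrom-EsetScanLine -Line $_ } |
        Where-Object { $_ -ne $null }
}

$entries = Get-EsetLogEntries -Text $sampleLog

# 1. Nested entries: the innermost name is a scanner-internal object, not a path to open.
$entries | Where-Object Nested |
    Format-Table DiskPath, @{ n = 'Layers'; e = { $_.Layers -join ' > ' } }, Status -AutoSize

# 2. The distinct on-disk files behind every 'deobfuscated.exe' entry; these are the
#    files a hash or signature check should target.
$entries | Where-Object { $_.Innermost -eq 'deobfuscated.exe' } |
    Select-Object -ExpandProperty DiskPath -Unique
```

Run against the full log, the second listing resolves every deobfuscated.exe entry to either a copy of System.Data.SqlXml.dll or the dotNetFx40 redistributable inside the game folder, and deobfuscated.exe never appears as a DiskPath, which matches the explanation above that it is an object ESET found inside the DLL rather than a file that can be extracted.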

1 hour ago, itman said:

It exists on my PC. See the below screen shot. Also your Eset log entry states the directory exists.

I believe what the Eset log is showing is that it found a reference to deobfuscated.exe that is contained within SMARTASSEMBLY which is in turn part of System.Data.SqlXml.dll. If this is the case, then you can't extract deobfuscated.exe.

This is the reason I asked you to check the file properties for System.Data.SqlXml.dll to determine if it was recently modified. My version is the same w/o changes since it was installed by the Win 10 ver. 1607 upgrade. See the second screen shot.

It would seem that "C:\Windows\assembly\GAC_MSIL\System.Data.SqlXml\2.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll" indeed is listed in the log, but I cannot find that location for whatever reason. Also, I can't believe I neglected the golden rule of mentioning which OS is installed on my system. I'm on Windows 7 Home Premium 64-bit, if that is somehow related to the different locations? That doesn't explain the log though.

You can see all the results I'm getting when typing "System.Data.SqlXml.dll" into the search bar on the attached screenshot. Question is which ones to check up on and if this looks right.

[Attachment: screenshot of the search results for System.Data.SqlXml.dll]

I'm a little concerned regarding all of this, especially after performing a Google search for deobfuscated.exe and reading some of the results, against my better judgement of doing so.

I'm on Win 10.

On Win 7, the directory may be "hidden" and/or considered an "OS" file. So when you open file explorer, you will have to enable those options in the "View" setting for file explorer. If you can find this file, System.Data.SqlXml.dll, in this directory, C:\Windows\assembly\GAC_MSIL\System.Data.SqlXml\2.0.0.0__b77a5c561934e089\, then open your browser and go to VirusTotal. Then you can scan the .dll there. Once you are done, make sure you reset file explorer "hidden" and or "OS" files view options to what they were originally.

You can also try this.

Uninstall the game software. Then run another Eset scan to determine if deobfuscated.exe still shows in the Eset log. If it doesn't, you're done. If not, do the following.

Open an admin level command prompt window. Type "SFC /scannow" less the quote marks. It will run for a while. When completed, it will let you know if it detected any system file discrepancies and if it was able to repair those. If repairs were done, then run another Eset scan to determine if deobfuscated.exe still shows in the Eset log.

If deobfuscated.exe still exists, your only option is to do a system restore using a restore point prior in time to when you noticed the issue. Run system restore from safe mode to avoid any issues with Eset. Then run another Eset scan to determine if deobfuscated.exe still shows in the Eset log.

Edited by itman
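The checks suggested in this thread (note the modification date of System.Data.SqlXml.dll, submit it to VirusTotal, fall back to SFC /scannow) can be gathered in one pass. The following is an added PowerShell example, not from the thread and not an ESET or Microsoft tool. It assumes Windows PowerShell 4.0 or later (for Get-FileHash) in an elevated prompt, uses the file paths from the log above, and the 30-day "recently written" threshold is an arbitrary choice of mine. It computes the SHA-256 so the hash can be looked up on VirusTotal without uploading a system file. One caveat for Windows 7: Explorer displays C:\Windows\assembly through the .NET assembly cache viewer shell extension, which is why the real GAC_MSIL subfolder does not show up when the path is typed into Explorer; cmd and PowerShell see the actual directory.

```powershell
# Added example, not code from the thread, ESET or Microsoft. Collects the evidence
# needed to judge the copies of System.Data.SqlXml.dll named in the scan log:
# last-write time, file version, Authenticode status and SHA-256.
# Assumes Windows PowerShell 4.0+ in an elevated prompt; the paths are the ones in the log.

$knownPaths = @(
    'C:\Windows\assembly\GAC_MSIL\System.Data.SqlXml\2.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll',
    'C:\Windows\Microsoft.NET\Framework\v2.0.50727\System.Data.SqlXml.dll',
    'C:\Windows\Microsoft.NET\Framework64\v2.0.50727\System.Data.SqlXml.dll'
)

function Get-SqlXmlCopies {
    # The WinSxS copies sit in version-stamped folders, so enumerate them rather than type them.
    $sxs = Get-ChildItem -Path 'C:\Windows\winsxs' -Filter 'System.Data.SqlXml.dll' `
               -Recurse -Force -ErrorAction SilentlyContinue |
           Select-Object -ExpandProperty FullName
    @($knownPaths) + @($sxs) | Select-Object -Unique
}

function Get-DllEvidence {
    param([Parameter(Mandatory = $true)][string[]]$Path)
    foreach ($p in $Path) {
        $item = Get-Item -LiteralPath $p -Force -ErrorAction SilentlyContinue
        if (-not $item) {
            [pscustomobject]@{ Path = $p; Exists = $false }
            continue
        }
        $sig    = Get-AuthenticodeSignature -FilePath $p
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        [pscustomobject]@{
            Path          = $p
            Exists        = $true
            LastWriteTime = $item.LastWriteTime
            FileVersion   = $item.VersionInfo.FileVersion
            # Valid, NotSigned, HashMismatch, ... On Windows 7 a NotSigned result can also mean
            # the file is signed only through a catalog; SFC /scannow verifies those.
            Signature     = $sig.Status
            Signer        = $signer
            SHA256        = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
        }
    }
}

$evidence = Get-DllEvidence -Path (Get-SqlXmlCopies)

$evidence | Format-Table Path, Exists, LastWriteTime, FileVersion, Signature, SHA256 -AutoSize

# Triage views: copies that are not validly signed, copies written recently (30 days is an
# arbitrary threshold), and the distinct binaries grouped by version and hash so each one
# can be looked up on VirusTotal by hash once.
$evidence | Where-Object { $_.Exists -and $_.Signature -ne 'Valid' } |
    Format-List Path, Signature, Signer
$evidence | Where-Object { $_.Exists -and $_.LastWriteTime -gt (Get-Date).AddDays(-30) } |
    Format-List Path, LastWriteTime
$evidence | Where-Object { $_.Exists } | Group-Object FileVersion, SHA256 |
    Select-Object Count, Name, @{ n = 'Paths'; e = { $_.Group.Path -join '; ' } } | Format-List
```

Hashes are the safer thing to look up first: a hash VirusTotal already knows for a Microsoft-signed file of that version settles the question without sending anything off the machine, and a copy with an invalid signature or a hash nobody has seen is the one worth attention.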

On 29-03-2017 at 0:47 AM, itman said:

I'm on Win 10.

On Win 7, the directory may be "hidden" and/or considered an "OS" file. So when you open file explorer, you will have to enable those options in the "View" setting for file explorer. If you can find this file, System.Data.SqlXml.dll, in this directory, C:\Windows\assembly\GAC_MSIL\System.Data.SqlXml\2.0.0.0__b77a5c561934e089\, then open your browser and go to VirusTotal. Then you can scan the .dll there. Once you are done, make sure you reset file explorer "hidden" and or "OS" files view options to what they were originally.

You can also try this.

Uninstall the game software. Then run another Eset scan to determine if deobfuscated.exe still shows in the Eset log. If it doesn't, you're done. If not, do the following.

Open an admin level command prompt window. Type "SFC /scannow" less the quote marks. It will run for a while. When completed, it will let you know if it detected any system file discrepancies and if it was able to repair those. If repairs were done, then run another Eset scan to determine if deobfuscated.exe still shows in the Eset log.

If deobfuscated.exe still exists, your only option is to do a system restore using a restore point prior in time to when you noticed the issue. Run system restore from safe mode to avoid any issues with Eset. Then run another Eset scan to determine if deobfuscated.exe still shows in the Eset log.

Hello again. Sorry for the late reply, but life got in the way as it sometimes does.

I have now attempted all of your suggestions from the post above, without success unfortunately. This post will be rather long as I have documented the entire run through:

Quote

On Win 7, the directory may be "hidden" and/or considered an "OS" file. So when you open file explorer, you will have to enable those options in the "View" setting for file explorer. If you can find this file, System.Data.SqlXml.dll, in this directory, C:\Windows\assembly\GAC_MSIL\System.Data.SqlXml\2.0.0.0__b77a5c561934e089\, then open your browser and go to VirusTotal. Then you can scan the .dll there. Once you are done, make sure you reset file explorer "hidden" and or "OS" files view options to what they were originally.

I already had my file explorer set to show hidden folders and files. Despite this, GAC_MSIL still cannot be found under the specific directory. I even attempted to find it while in safe mode.

Quote

Uninstall the game software. Then run another Eset scan to determine if deobfuscated.exe still shows in the Eset log. If it doesn't, you're done. If not, do the following.

I uninstalled the game via the Steam client and ran CCleaner afterwards, followed by a reboot of the system. Unfortunately, the problem still persists, plus a couple of new additions. Though I'm not certain if those are caused by an update I cancelled for the game Team Fortress 2.

[Attachments: two screenshots of the scan log after uninstalling Painkiller]

MBR-sektor for 2. fysisk disk - fejl ved åbning af
C:\hiberfil.sys - fejl ved åbning af
C:\pagefile.sys - fejl ved åbning af
C:\System Volume Information\{069313ea-095d-11e7-8a6f-d8cb8ac74018}{3808876b-c176-4e48-b7ae-04046e6cc752} - fejl ved åbning af
C:\System Volume Information\{06931447-095d-11e7-8a6f-d8cb8ac74018}{3808876b-c176-4e48-b7ae-04046e6cc752} - fejl ved åbning af
C:\System Volume Information\{3808876b-c176-4e48-b7ae-04046e6cc752} - fejl ved åbning af
C:\System Volume Information\{4cf8617d-13a4-11e7-a2de-d8cb8ac74018}{3808876b-c176-4e48-b7ae-04046e6cc752} - fejl ved åbning af
C:\System Volume Information\{5bffe9fc-fdcd-11e6-a182-d8cb8ac74018}{3808876b-c176-4e48-b7ae-04046e6cc752} - fejl ved åbning af
C:\System Volume Information\{7f9dd97d-0e3b-11e7-aff8-d8cb8ac74018}{3808876b-c176-4e48-b7ae-04046e6cc752} - fejl ved åbning af
C:\System Volume Information\{b67727fd-10a5-11e7-a9b9-d8cb8ac74018}{3808876b-c176-4e48-b7ae-04046e6cc752} - fejl ved åbning af
C:\System Volume Information\{b78b23fc-0347-11e7-b497-d8cb8ac74018}{3808876b-c176-4e48-b7ae-04046e6cc752} - fejl ved åbning af
C:\Windows\assembly\GAC_MSIL\System.Data.SqlXml\2.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll » SMARTASSEMBLY » deobfuscated.exe - handlingen kan ikke udføres
C:\Windows\Installer\25e0a.msi » MSI » media1.cab » CAB - fejl ved læsning af arkiv
C:\Windows\Microsoft.NET\Framework\v2.0.50727\System.Data.SqlXml.dll » SMARTASSEMBLY » deobfuscated.exe - handlingen kan ikke udføres
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\System.Data.SqlXml.dll » SMARTASSEMBLY » deobfuscated.exe - handlingen kan ikke udføres
C:\Windows\winsxs\amd64_netfx-system.data.sqlxml_b03f5f7f11d50a3a_6.1.7601.17514_none_141b1b1223b1ada7\System.Data.SqlXml.dll » SMARTASSEMBLY » deobfuscated.exe - handlingen kan ikke udføres
C:\Windows\winsxs\amd64_netfx-system.data.sqlxml_b03f5f7f11d50a3a_6.1.7601.18523_none_141c340a23b0aa84\System.Data.SqlXml.dll » SMARTASSEMBLY » deobfuscated.exe - handlingen kan ikke udføres
C:\Windows\winsxs\amd64_netfx-system.data.sqlxml_b03f5f7f11d50a3a_6.1.7601.18529_none_141bab5a23b1444a\System.Data.SqlXml.dll » SMARTASSEMBLY » deobfuscated.exe - handlingen kan ikke udføres
C:\Windows\winsxs\amd64_netfx-system.data.sqlxml_b03f5f7f11d50a3a_6.1.7601.19091_none_1423663a23aa2435\System.Data.SqlXml.dll » SMARTASSEMBLY » deobfuscated.exe - handlingen kan ikke udføres
C:\Windows\winsxs\amd64_netfx-system.data.sqlxml_b03f5f7f11d50a3a_6.1.7601.22733_none_fd4f8d703d572432\System.Data.SqlXml.dll » SMARTASSEMBLY » deobfuscated.exe - handlingen kan ikke udføres
C:\Windows\winsxs\amd64_netfx-system.data.sqlxml_b03f5f7f11d50a3a_6.1.7601.22740_none_fd50d2123d55f0a6\System.Data.SqlXml.dll » SMARTASSEMBLY » deobfuscated.exe - handlingen kan ikke udføres
C:\Windows\winsxs\amd64_netfx-system.data.sqlxml_b03f5f7f11d50a3a_6.1.7601.23290_none_fd55d61e3d516aeb\System.Data.SqlXml.dll » SMARTASSEMBLY » deobfuscated.exe - handlingen kan ikke udføres
C:\Windows\winsxs\msil_system.data.sqlxml_b77a5c561934e089_6.1.7601.17514_none_05d4965a61a326fa\System.Data.SqlXml.dll » SMARTASSEMBLY » deobfuscated.exe - handlingen kan ikke udføres
C:\Windows\winsxs\msil_system.data.sqlxml_b77a5c561934e089_6.1.7601.18523_none_05d5af5261a223d7\System.Data.SqlXml.dll » SMARTASSEMBLY » deobfuscated.exe - handlingen kan ikke udføres
C:\Windows\winsxs\msil_system.data.sqlxml_b77a5c561934e089_6.1.7601.18529_none_05d526a261a2bd9d\System.Data.SqlXml.dll » SMARTASSEMBLY » deobfuscated.exe - handlingen kan ikke udføres
C:\Windows\winsxs\msil_system.data.sqlxml_b77a5c561934e089_6.1.7601.19091_none_05dce182619b9d88\System.Data.SqlXml.dll » SMARTASSEMBLY » deobfuscated.exe - handlingen kan ikke udføres
C:\Windows\winsxs\msil_system.data.sqlxml_b77a5c561934e089_6.1.7601.22733_none_ef0908b87b489d85\System.Data.SqlXml.dll » SMARTASSEMBLY » deobfuscated.exe - handlingen kan ikke udføres
C:\Windows\winsxs\msil_system.data.sqlxml_b77a5c561934e089_6.1.7601.22740_none_ef0a4d5a7b4769f9\System.Data.SqlXml.dll » SMARTASSEMBLY » deobfuscated.exe - handlingen kan ikke udføres
C:\Windows\winsxs\msil_system.data.sqlxml_b77a5c561934e089_6.1.7601.23290_none_ef0f51667b42e43e\System.Data.SqlXml.dll » SMARTASSEMBLY » deobfuscated.exe - handlingen kan ikke udføres
Bootsektor for disk D: - fejl ved åbning af
D:\ - fejl ved åbning af
E:\Video Games\Steam 2\steamapps\downloading\440\_CommonRedist\DirectX\Jun2010\JUN2008_d3dx9_38_x64.cab » CAB » d3dx9_38.dll - arkivet er beskadiget - filen kunne ikke pakkes ud.
E:\Video Games\Steam 2\steamapps\downloading\440\_CommonRedist\DirectX\Jun2010\JUN2008_d3dx9_38_x64.cab » CAB » d3dx9_38_x64.cat - arkivet er beskadiget - filen kunne ikke pakkes ud.
E:\Video Games\Steam 2\steamapps\downloading\440\_CommonRedist\DirectX\Jun2010\JUN2008_d3dx9_38_x64.cab » CAB » d3dx9_38_x64.inf - arkivet er beskadiget - filen kunne ikke pakkes ud.
E:\Video Games\Steam 2\steamapps\downloading\440\_CommonRedist\DirectX\Jun2010\JUN2008_d3dx9_38_x64.cab » CAB » d3dx9_38_x64_xp.inf - arkivet er beskadiget - filen kunne ikke pakkes ud.
E:\Video Games\Steam 2\steamapps\downloading\440\_CommonRedist\DirectX\Jun2010\JUN2008_d3dx9_38_x64.cab » CAB » Jun2008_d3dx9_38_x64.inf - arkivet er beskadiget - filen kunne ikke pakkes ud.
E:\Video Games\Steam 2\steamapps\downloading\440\_CommonRedist\DirectX\Jun2010\JUN2008_d3dx9_38_x64.cab » CAB » infinst.exe - arkivet er beskadiget - filen kunne ikke pakkes ud.
E:\Video Games\Steam 2\steamapps\downloading\440\_CommonRedist\DirectX\Jun2010\Nov2008_d3dx9_40_x64.cab » CAB » d3dx9_40.dll - arkivet er beskadiget - filen kunne ikke pakkes ud.
E:\Video Games\Steam 2\steamapps\downloading\440\_CommonRedist\DirectX\Jun2010\Nov2008_d3dx9_40_x64.cab » CAB » d3dx9_40_x64.cat - arkivet er beskadiget - filen kunne ikke pakkes ud.
E:\Video Games\Steam 2\steamapps\downloading\440\_CommonRedist\DirectX\Jun2010\Nov2008_d3dx9_40_x64.cab » CAB » d3dx9_40_x64.inf - arkivet er beskadiget - filen kunne ikke pakkes ud.
E:\Video Games\Steam 2\steamapps\downloading\440\_CommonRedist\DirectX\Jun2010\Nov2008_d3dx9_40_x64.cab » CAB » d3dx9_40_x64_xp.inf - arkivet er beskadiget - filen kunne ikke pakkes ud.
E:\Video Games\Steam 2\steamapps\downloading\440\_CommonRedist\DirectX\Jun2010\Nov2008_d3dx9_40_x64.cab » CAB » Nov2008_d3dx9_40_x64.inf - arkivet er beskadiget - filen kunne ikke pakkes ud.
E:\Video Games\Steam 2\steamapps\downloading\440\_CommonRedist\DirectX\Jun2010\Nov2008_d3dx9_40_x64.cab » CAB » infinst.exe - arkivet er beskadiget - filen kunne ikke pakkes ud.
Bootsektor for disk G: - fejl ved åbning af
G:\ - fejl ved åbning af

"Arkivet er beskadiget - filen kunne ikke pakkes ud" can be translated into "The archive is damaged - the file could not be unpacked".

Quote

Open an admin level command prompt window. Type "SFC /scannow" less the quote marks. It will run for a while. When completed, it will let you know if it detected any system file discrepancies and if it was able to repair those. If repairs were done, then run another Eset scan to determine if deobfuscated.exe still shows in the Eset log.

I did the following and the system found no errors. Afterwards I scanned with Eset and got the same results as above.

[Attachment: SFC /scannow results, no errors found]

Quote

If deobfuscated.exe still exists, your only option is to do a system restore using a restore point prior in time to when you noticed the issue. Run system restore from safe mode to avoid any issues with Eset. Then run another Eset scan to determine if deobfuscated.exe still shows in the Eset log.

This is where things get rather frustrating. I booted into safe-mode and ran system restore as admin as you suggested. Unfortunately I had to try 4 different restore points before Windows stopped giving me the following error message:

[Attachment: System Restore error message]

The text under details basically translates into "Unpacking the file (C:\) from the restore point was not successful. An unspecified error occurred during system restore."

It took until the 4th restore point for the process to be completed successfully. Again, all of this was performed via safe-mode.

[Attachment: System Restore completed successfully]

After the successful system restore point I ran a scan with Eset, but unfortunately the odd entries are still present in the scan log:

[Attachments: two screenshots of the scan log after the system restore]

Log
Scanningslog
Version af virussignaturdatabase: 15175 (20170330)
Dato: 30-03-2017 Klokkeslæt: 19:32:20
Scannede diske, mapper og filer: Hukommelse (RAM);Bootsektor;C:\Bootsektor;C:\;D:\Bootsektor;D:\;E:\Bootsektor;E:\;G:\Bootsektor;G:\
MBR-sektor for 2. fysisk disk - fejl ved åbning af [4]
C:\hiberfil.sys - fejl ved åbning af [4]
C:\pagefile.sys - fejl ved åbning af [4]
C:\System Volume Information\{069313ea-095d-11e7-8a6f-d8cb8ac74018}{3808876b-c176-4e48-b7ae-04046e6cc752} - fejl ved åbning af [4]
C:\System Volume Information\{06931447-095d-11e7-8a6f-d8cb8ac74018}{3808876b-c176-4e48-b7ae-04046e6cc752} - fejl ved åbning af [4]
C:\System Volume Information\{3808876b-c176-4e48-b7ae-04046e6cc752} - fejl ved åbning af [4]
C:\System Volume Information\{4cf8617d-13a4-11e7-a2de-d8cb8ac74018}{3808876b-c176-4e48-b7ae-04046e6cc752} - fejl ved åbning af [4]
C:\System Volume Information\{5bffe9fc-fdcd-11e6-a182-d8cb8ac74018}{3808876b-c176-4e48-b7ae-04046e6cc752} - fejl ved åbning af [4]
C:\System Volume Information\{7f9dd97d-0e3b-11e7-aff8-d8cb8ac74018}{3808876b-c176-4e48-b7ae-04046e6cc752} - fejl ved åbning af [4]
C:\System Volume Information\{b67727fd-10a5-11e7-a9b9-d8cb8ac74018}{3808876b-c176-4e48-b7ae-04046e6cc752} - fejl ved åbning af [4]
C:\System Volume Information\{b78b23fc-0347-11e7-b497-d8cb8ac74018}{3808876b-c176-4e48-b7ae-04046e6cc752} - fejl ved åbning af [4]
C:\Windows\assembly\GAC_MSIL\System.Data.SqlXml\2.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll » SMARTASSEMBLY » deobfuscated.exe - handlingen kan ikke udføres
C:\Windows\Installer\25e0a.msi » MSI » media1.cab » CAB - fejl ved læsning af arkiv
C:\Windows\Microsoft.NET\Framework\v2.0.50727\System.Data.SqlXml.dll » SMARTASSEMBLY » deobfuscated.exe - handlingen kan ikke udføres
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\System.Data.SqlXml.dll » SMARTASSEMBLY » deobfuscated.exe - handlingen kan ikke udføres
C:\Windows\winsxs\amd64_netfx-system.data.sqlxml_b03f5f7f11d50a3a_6.1.7601.17514_none_141b1b1223b1ada7\System.Data.SqlXml.dll » SMARTASSEMBLY » deobfuscated.exe - handlingen kan ikke udføres
C:\Windows\winsxs\amd64_netfx-system.data.sqlxml_b03f5f7f11d50a3a_6.1.7601.18523_none_141c340a23b0aa84\System.Data.SqlXml.dll » SMARTASSEMBLY » deobfuscated.exe - handlingen kan ikke udføres
C:\Windows\winsxs\amd64_netfx-system.data.sqlxml_b03f5f7f11d50a3a_6.1.7601.18529_none_141bab5a23b1444a\System.Data.SqlXml.dll » SMARTASSEMBLY » deobfuscated.exe - handlingen kan ikke udføres
C:\Windows\winsxs\amd64_netfx-system.data.sqlxml_b03f5f7f11d50a3a_6.1.7601.19091_none_1423663a23aa2435\System.Data.SqlXml.dll » SMARTASSEMBLY » deobfuscated.exe - handlingen kan ikke udføres
C:\Windows\winsxs\amd64_netfx-system.data.sqlxml_b03f5f7f11d50a3a_6.1.7601.22733_none_fd4f8d703d572432\System.Data.SqlXml.dll » SMARTASSEMBLY » deobfuscated.exe - handlingen kan ikke udføres
C:\Windows\winsxs\amd64_netfx-system.data.sqlxml_b03f5f7f11d50a3a_6.1.7601.22740_none_fd50d2123d55f0a6\System.Data.SqlXml.dll » SMARTASSEMBLY » deobfuscated.exe - handlingen kan ikke udføres
C:\Windows\winsxs\amd64_netfx-system.data.sqlxml_b03f5f7f11d50a3a_6.1.7601.23290_none_fd55d61e3d516aeb\System.Data.SqlXml.dll » SMARTASSEMBLY » deobfuscated.exe - handlingen kan ikke udføres
C:\Windows\winsxs\msil_system.data.sqlxml_b77a5c561934e089_6.1.7601.17514_none_05d4965a61a326fa\System.Data.SqlXml.dll » SMARTASSEMBLY » deobfuscated.exe - handlingen kan ikke udføres
C:\Windows\winsxs\msil_system.data.sqlxml_b77a5c561934e089_6.1.7601.18523_none_05d5af5261a223d7\System.Data.SqlXml.dll » SMARTASSEMBLY » deobfuscated.exe - handlingen kan ikke udføres
C:\Windows\winsxs\msil_system.data.sqlxml_b77a5c561934e089_6.1.7601.18529_none_05d526a261a2bd9d\System.Data.SqlXml.dll » SMARTASSEMBLY » deobfuscated.exe - handlingen kan ikke udføres
C:\Windows\winsxs\msil_system.data.sqlxml_b77a5c561934e089_6.1.7601.19091_none_05dce182619b9d88\System.Data.SqlXml.dll » SMARTASSEMBLY » deobfuscated.exe - handlingen kan ikke udføres
C:\Windows\winsxs\msil_system.data.sqlxml_b77a5c561934e089_6.1.7601.22733_none_ef0908b87b489d85\System.Data.SqlXml.dll » SMARTASSEMBLY » deobfuscated.exe - handlingen kan ikke udføres

C:\Windows\winsxs\msil_system.data.sqlxml_b77a5c561934e089_6.1.7601.22740_none_ef0a4d5a7b4769f9\System.Data.SqlXml.dll » SMARTASSEMBLY » deobfuscated.exe - handlingen kan ikke udføres

C:\Windows\winsxs\msil_system.data.sqlxml_b77a5c561934e089_6.1.7601.23290_none_ef0f51667b42e43e\System.Data.SqlXml.dll » SMARTASSEMBLY » deobfuscated.exe - handlingen kan ikke udføres

Bootsektor for disk D: - fejl ved åbning af [4]

D:\ - fejl ved åbning af [4]

E:\Video Games\Steam 2\steamapps\downloading\440\_CommonRedist\DirectX\Jun2010\JUN2008_d3dx9_38_x64.cab » CAB » d3dx9_38.dll - arkivet er beskadiget - filen kunne ikke pakkes ud.

E:\Video Games\Steam 2\steamapps\downloading\440\_CommonRedist\DirectX\Jun2010\JUN2008_d3dx9_38_x64.cab » CAB » d3dx9_38_x64.cat - arkivet er beskadiget - filen kunne ikke pakkes ud.

E:\Video Games\Steam 2\steamapps\downloading\440\_CommonRedist\DirectX\Jun2010\JUN2008_d3dx9_38_x64.cab » CAB » d3dx9_38_x64.inf - arkivet er beskadiget - filen kunne ikke pakkes ud.

E:\Video Games\Steam 2\steamapps\downloading\440\_CommonRedist\DirectX\Jun2010\JUN2008_d3dx9_38_x64.cab » CAB » d3dx9_38_x64_xp.inf - arkivet er beskadiget - filen kunne ikke pakkes ud.

E:\Video Games\Steam 2\steamapps\downloading\440\_CommonRedist\DirectX\Jun2010\JUN2008_d3dx9_38_x64.cab » CAB » Jun2008_d3dx9_38_x64.inf - arkivet er beskadiget - filen kunne ikke pakkes ud.

E:\Video Games\Steam 2\steamapps\downloading\440\_CommonRedist\DirectX\Jun2010\JUN2008_d3dx9_38_x64.cab » CAB » infinst.exe - arkivet er beskadiget - filen kunne ikke pakkes ud.

E:\Video Games\Steam 2\steamapps\downloading\440\_CommonRedist\DirectX\Jun2010\Nov2008_d3dx9_40_x64.cab » CAB » d3dx9_40.dll - arkivet er beskadiget - filen kunne ikke pakkes ud.

E:\Video Games\Steam 2\steamapps\downloading\440\_CommonRedist\DirectX\Jun2010\Nov2008_d3dx9_40_x64.cab » CAB » d3dx9_40_x64.cat - arkivet er beskadiget - filen kunne ikke pakkes ud.

E:\Video Games\Steam 2\steamapps\downloading\440\_CommonRedist\DirectX\Jun2010\Nov2008_d3dx9_40_x64.cab » CAB » d3dx9_40_x64.inf - arkivet er beskadiget - filen kunne ikke pakkes ud.

E:\Video Games\Steam 2\steamapps\downloading\440\_CommonRedist\DirectX\Jun2010\Nov2008_d3dx9_40_x64.cab » CAB » d3dx9_40_x64_xp.inf - arkivet er beskadiget - filen kunne ikke pakkes ud.

E:\Video Games\Steam 2\steamapps\downloading\440\_CommonRedist\DirectX\Jun2010\Nov2008_d3dx9_40_x64.cab » CAB » Nov2008_d3dx9_40_x64.inf - arkivet er beskadiget - filen kunne ikke pakkes ud.

E:\Video Games\Steam 2\steamapps\downloading\440\_CommonRedist\DirectX\Jun2010\Nov2008_d3dx9_40_x64.cab » CAB » infinst.exe - arkivet er beskadiget - filen kunne ikke pakkes ud.

Bootsektor for disk G: - fejl ved åbning af [4]

G:\ - fejl ved åbning af [4]

Antal scannede objekter: 778124

Antal trusler fundet: 0

Tidspunkt for fuldførelse: 19:54:06 Samlet scanningstid: 1306 sek. (00:21:46)

 

Bemærkninger:

[4] Objekt kan ikke åbnes. Det er muligvis i brug af et andet program eller operativsystem.

In addition to all of this, for some reason, Eset Nod32 Antivirus 9 is now giving me a warning that the program isn't updated.

[screenshot attachment: Esetaftersystemrestore2.png]

[screenshot attachment: Esetaftersystemrestore1.png]

The Windows security centre is claiming the same, but the Virus signature database version appears to be the latest?

*EDIT* So it looks like the system restore affected the clock, as it was suddenly an hour ahead. We've very recently had to adjust for daylight saving time in my region. The time on my system is now correct once more, but NOD32 still claims that it doesn't have the latest updates.

So all of this is rather mystifying and frustrating. At this point I'm very tempted to get this machine professionally formatted by my local PC guy as that would surely be the end of it?

Out of curiosity, should I attempt to update Eset Nod32 Antivirus 9 to the latest version, Nod32 Antivirus 10, and see if it still picks up on all of this?

*EDIT* I decided to take a look at my scanning profiles in NOD32, and I now see that the C:\Windows\assembly\GAC_MSIL directory is visible to NOD32, as shown below.

[screenshot attachment: Esetscansettings.png]

I still cannot get access to this myself, as mentioned earlier, but apparently NOD32 can see it and therefore scan it.

Edited by autobotranger
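The check a practitioner would run on the files in the log above, as an added example that is not part of the original post or of ESET's documentation: every `System.Data.SqlXml.dll` the scanner flagged (the entries with `» SMARTASSEMBLY » deobfuscated.exe - the action cannot be performed`) is a .NET Framework 2.0 assembly that ships with Windows 7, so each copy should carry a valid Microsoft Authenticode signature, and the GAC and `Microsoft.NET\Framework*` copies should hash identically to one of the servicing copies under `C:\Windows\winsxs`. The script takes the three non-WinSxS paths straight from the log; the assumptions are that the signer's subject contains "Microsoft" and that a SHA-256 match against a WinSxS copy is what "unmodified" means here. It is written for the PowerShell 2.0 that Windows 7 ships with, so it avoids `Get-FileHash` and other 3.0+ cmdlets.

```powershell
# Added example (not from the original post): verify that the System.Data.SqlXml.dll
# copies ESET logged with "SMARTASSEMBLY » deobfuscated.exe" are genuine,
# Microsoft-signed framework files. Run from an elevated PowerShell prompt.

# Paths copied from the scan log (the non-WinSxS copies).
$flagged = @(
    'C:\Windows\assembly\GAC_MSIL\System.Data.SqlXml\2.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll',
    'C:\Windows\Microsoft.NET\Framework\v2.0.50727\System.Data.SqlXml.dll',
    'C:\Windows\Microsoft.NET\Framework64\v2.0.50727\System.Data.SqlXml.dll'
)

# SHA-256 via .NET so this also works on PowerShell 2.0 (no Get-FileHash there).
function Get-Sha256Hex([string]$Path) {
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try   { ([System.BitConverter]::ToString($sha.ComputeHash($stream))) -replace '-', '' }
    finally { $stream.Close() }
}

# Hash every side-by-side copy (amd64 and msil, each servicing version in the log).
$sxsHashes = @{}
Get-ChildItem 'C:\Windows\winsxs' -Filter '*system.data.sqlxml*' |
    Where-Object { $_.PSIsContainer } |
    ForEach-Object {
        $dll = Join-Path $_.FullName 'System.Data.SqlXml.dll'
        if (Test-Path $dll) { $sxsHashes[(Get-Sha256Hex $dll)] = $dll }
    }

foreach ($path in $flagged) {
    if (-not (Test-Path $path)) { Write-Warning "missing: $path"; continue }

    $sig  = Get-AuthenticodeSignature -FilePath $path
    $hash = Get-Sha256Hex $path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }

    # Assumption: a genuine framework assembly is signed by Microsoft (embedded
    # signature) and is byte-identical to one of the WinSxS payload copies.
    $signedByMs = ($sig.Status -eq 'Valid') -and ($signer -match 'Microsoft')
    $inSxs      = $sxsHashes.ContainsKey($hash)

    $verdict = if ($signedByMs)  { 'OK' }
               elseif ($inSxs)   { 'UNSIGNED-BUT-MATCHES-WINSXS' }   # catalog-signed only?
               else              { 'INVESTIGATE' }

    New-Object PSObject -Property @{
        Path        = $path
        FileVersion = (Get-Item $path).VersionInfo.FileVersion
        Signature   = $sig.Status
        Signer      = $signer
        SHA256      = $hash
        MatchesSxS  = $inSxs
        Verdict     = $verdict
    }
}
```

Two caveats when reading the output. `Get-AuthenticodeSignature` on Windows 7 only checks an embedded signature, so a `NotSigned` status on a file whose hash matches a WinSxS copy usually means the file is covered by a servicing catalog instead, not that it was tampered with; `sfc /verifyonly` run from an elevated command prompt checks those catalogs and is the authoritative answer for protected system files. And a `Valid` Microsoft signature with a hash that matches nothing in WinSxS is not in itself alarming (a later update can leave the GAC copy newer than the listed payloads); it is the combination of no valid signature and no WinSxS match that deserves a closer look.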

First if you haven't run Win Updates, make sure you do to bring your system current with all system updates since the restore point.

As far as the Eset update issue, go into Control Panel -> Programs -> Uninstall a program. Double click on Eset Smart Security. Click "Next". Eset will ask whether you want to Repair or Uninstall. Click on Repair. Once Repair completes, Eset will be back to the ver. 9 release you originally installed. So you will have to manually update it to the latest ver. 9 release if the currently installed release is not the latest. Now see if Eset's updating works properly.

Alternatively and recommended, download the latest Eset ver. 10 and install that. Prior to installation if you have any custom ver. 9 settings, you should export those so they can be imported to ver. 10 after it is installed. Although Eset ver. 10 can be installed on top of ver. 9 w/o uninstalling ver. 9, it is recommended to uninstall ver. 9 and reboot. Then install ver. 10.

As far as why you can view the C:\Windows\assembly\GAC_MSIL\System.Data.SqlXml directory in Eset's file explorer but not Win 7's, I have no explanation other than something might be amiss with Win 7's file explorer.

Edited by itman
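Before and after following the repair or reinstall steps in the reply above, it helps to see what Windows itself thinks the state is rather than relying on the tray icon. The script below is an added example, not code from the original thread or from ESET: it reads the installed ESET product and version from the standard Uninstall registry keys, decodes the `productState` value that Windows Security Center reports for each antivirus product (the same source the "not updated" warning in the Security Center comes from), and lists the Windows updates installed since the restore point, which is how you confirm that Windows Update has actually caught up after a rollback. The restore date is an assumption taken from the scan log's date, and the `productState` bit layout follows the commonly documented convention rather than a published Microsoft contract. Written for the PowerShell 2.0 on Windows 7.

```powershell
# Added example (not from the original thread): audit AV and update state after a
# system restore. Run from an elevated PowerShell prompt on the Windows 7 machine.

# Assumption: the restore point was taken on the day of the scan in the log.
$RestoreDate = Get-Date '2017-03-28'

# 1. Installed ESET product and version, from the standard Uninstall keys
#    (64-bit and 32-bit views).
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
Write-Host '== Installed ESET product =='
Get-ItemProperty $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like 'ESET*' } |
    Select-Object DisplayName, DisplayVersion, InstallDate |
    Format-Table -AutoSize

# 2. What Security Center reports. productState is a packed integer; by the
#    widely documented convention:
#      bits 8-15  (0x00nn00): 0x10 = real-time protection on, 0x00 = off
#      bits 0-7   (0x0000nn): 0x00 = definitions current, 0x10 = out of date
Write-Host '== Security Center view =='
Get-WmiObject -Namespace 'root\SecurityCenter2' -Class AntiVirusProduct |
    ForEach-Object {
        $state = [int]$_.productState
        New-Object PSObject -Property @{
            Product  = $_.displayName
            State    = ('0x{0:X6}' -f $state)
            RealTime = if (($state -band 0xFF00) -eq 0x1000) { 'on' } else { 'off' }
            Defs     = if (($state -band 0x00FF) -eq 0x0010) { 'OUT OF DATE' } else { 'current' }
        }
    } | Format-Table Product, State, RealTime, Defs -AutoSize

# 3. Windows updates installed on or after the restore date. An empty list days
#    after the rollback means Windows Update has not caught up yet.
Write-Host "== Hotfixes installed since $($RestoreDate.ToShortDateString()) =="
Get-HotFix |
    Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $RestoreDate } |
    Sort-Object InstalledOn |
    Select-Object HotFixID, Description, InstalledOn |
    Format-Table -AutoSize
```

If section 2 shows the definitions as current while the ESET window still says otherwise, the disagreement is inside ESET's own update state and the Repair step in the reply is the right next move; if Security Center also reports out of date after the clock fix, compare the `DisplayVersion` from section 1 against the latest ver. 9 build before deciding between repairing and moving to ver. 10.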

This topic is now closed to further replies.