Lovecraft
January 9th, 2009, 05:41 PM
I've just downloaded DrWeb Cureit from freedrweb.com and ran it, as usual... but this time, after a scan, it asked to reboot. I checked the memory with Root Repeal just in case, and noticed that these items appeared:
Name: MnbRWV2m.sys
Image Path: C:\WINDOWS\TEMP\MnbRWV2m.sys
Address: 0xF22CE000 Size: 142464 File Visible: No
Status: -
also these:
Name: Fastfat.SYS
Image Path: C:\WINDOWS\System32\Drivers\Fastfat.SYS
Address: 0xF2DFF000 Size: 143360 File Visible: -
Status: Hidden from Windows API!
Name: Ntfs.sys
Image Path: Ntfs.sys
Address: 0xF73C7000 Size: 574592 File Visible: -
Status: Hidden from Windows API!
(I also have regular, non-hidden Ntfs.sys and Fastfat.sys listed.)
None of these files, when dumped with RootRepeal, is flagged by anything on Virustotal.
The file apparently ran/installed/whatever by DrWeb is the MnbRWV2m.sys file, which is 142464 bytes when dumped with RootRepeal, and its CRC32 is EF2FECF5 then.
Did they add something or am I getting paranoid?