I've just downloaded DrWeb Cureit from freedrweb.com and ran it, as usual... but this time, after a scan, it asked to reboot. I checked the memory with Root Repeal just in case, and noticed that these items appeared: Name: MnbRWV2m.sys Image Path: C:\WINDOWS\TEMP\MnbRWV2m.sys Address: 0xF22CE000 Size: 142464 File Visible: No Status: - also these: Name: Fastfat.SYS Image Path: C:\WINDOWS\System32\Drivers\Fastfat.SYS Address: 0xF2DFF000 Size: 143360 File Visible: - Status: Hidden from Windows API! Name: Ntfs.sys Image Path: Ntfs.sys Address: 0xF73C7000 Size: 574592 File Visible: - Status: Hidden from Windows API! (I also have regular, non-hidden Ntfs.sys and Fastfat.sys listed.) None of these files, when dumped with RootRepeal, is flagged by anything on Virustotal. The file apparently ran/installed/whatever by DrWeb is the MnbRWV2m.sys file, which is 142464 bytes when dumped with RootRepeal, and its CRC32 is EF2FECF5 then. Did they add something or am I getting paranoid?