Dr Web now installs a driver...?

Discussion in 'other anti-virus software' started by Lovecraft, Jan 9, 2009.

Thread Status:
Not open for further replies.
  1. Lovecraft

    Lovecraft Registered Member

    Joined:
    Mar 7, 2008
    Posts:
    13
    I've just downloaded DrWeb Cureit from freedrweb.com and ran it, as usual... but this time, after a scan, it asked to reboot. I checked the memory with Root Repeal just in case, and noticed that these items appeared:

    Name: MnbRWV2m.sys
    Image Path: C:\WINDOWS\TEMP\MnbRWV2m.sys
    Address: 0xF22CE000 Size: 142464 File Visible: No
    Status: -

    also these:
    Name: Fastfat.SYS
    Image Path: C:\WINDOWS\System32\Drivers\Fastfat.SYS
    Address: 0xF2DFF000 Size: 143360 File Visible: -
    Status: Hidden from Windows API!

    Name: Ntfs.sys
    Image Path: Ntfs.sys
    Address: 0xF73C7000 Size: 574592 File Visible: -
    Status: Hidden from Windows API!

    (I also have regular, non-hidden Ntfs.sys and Fastfat.sys listed.)

    None of these files, when dumped with RootRepeal, is flagged by anything on Virustotal.

    The file apparently ran/installed/whatever by DrWeb is the MnbRWV2m.sys file, which is 142464 bytes when dumped with RootRepeal, and its CRC32 is EF2FECF5 then.

    Did they add something or am I getting paranoid?
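A small triage helper, added here as an example (not code from any poster or from Dr.Web): it parses records in the RootRepeal driver-list layout quoted above and flags the properties this thread is reacting to (a driver loaded from a TEMP path, no visible backing file, an entry hidden from the Windows API) so those drivers can be dumped, hashed and checked against the vendor. The sample input is constructed from the three entries in the post.

```python
import re

# Constructed sample in RootRepeal's driver-list layout, copied from the three
# entries quoted in the post above.
SAMPLE = """\
Name: MnbRWV2m.sys
Image Path: C:\\WINDOWS\\TEMP\\MnbRWV2m.sys
Address: 0xF22CE000 Size: 142464 File Visible: No
Status: -

Name: Fastfat.SYS
Image Path: C:\\WINDOWS\\System32\\Drivers\\Fastfat.SYS
Address: 0xF2DFF000 Size: 143360 File Visible: -
Status: Hidden from Windows API!

Name: Ntfs.sys
Image Path: Ntfs.sys
Address: 0xF73C7000 Size: 574592 File Visible: -
Status: Hidden from Windows API!
"""

# RootRepeal puts three fields on one line; the other lines are plain "Key: value".
_ADDR_RE = re.compile(r"Address: (0x[0-9A-Fa-f]+) Size: (\d+) File Visible: (\S+)")

def parse_rootrepeal(text):
    """Parse blank-line separated RootRepeal records into dicts with typed fields."""
    drivers = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in block.splitlines():
            m = _ADDR_RE.match(line)
            if m:
                rec.update(address=int(m.group(1), 16), size=int(m.group(2)),
                           file_visible=m.group(3))
            else:
                key, _, value = line.partition(":")
                rec[key.strip().lower().replace(" ", "_")] = value.strip()
        drivers.append(rec)
    return drivers

# Each check is (predicate over a parsed record, reason to report).
CHECKS = [
    (lambda d: "\\temp\\" in d["image_path"].lower(), "loaded from a TEMP directory"),
    (lambda d: d["file_visible"].lower() == "no", "backing file not visible on disk"),
    (lambda d: "hidden" in d["status"].lower(), "hidden from Windows API"),
]

def triage(drivers):
    """Map driver name -> reasons it deserves a hash lookup and a vendor check."""
    return {d["name"]: [why for ok, why in CHECKS if ok(d)]
            for d in drivers if any(ok(d) for ok, _ in CHECKS)}
```

Run `triage(parse_rootrepeal(SAMPLE))` to see the three entries from the post reported with their reasons; a driver that trips no check is simply absent from the result.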
     
  2. Lovecraft

    Lovecraft Registered Member

    Joined:
    Mar 7, 2008
    Posts:
    13
    Now I noticed it's updated to v5.0 from the previous 4.44. I guess that should be the reason...

    I have not restarted yet, but for some reason, after I ran CureIt again, it has not asked me to restart now.

    Edit: I restarted, ran Cureit again, and it again asks me to restart after completing scanning... what is this, was this introduced in v5? Will it keep happening after every scan, and why?
     
    Last edited: Jan 9, 2009
  3. risl

    risl Registered Member

    Joined:
    Dec 8, 2006
    Posts:
    581
    Don't know about CureIt, but Dr.Web AV 5.0 uses at least 2 drivers: spider.sys as a file system monitor and dwprot.sys for self-protection. But it doesn't sound "OK" that it asks you to reboot after each scan. Do you have some other software that prevents driver installations, or even writing them to the HD? I assume they use some kind of driver in CureIt too, and it sounds like something prevents it.
     
  4. C.S.J

    C.S.J Massive Poster

    Joined:
    Oct 16, 2006
    Posts:
    5,029
    Location:
    this forum is biased!
    Unless I'm mistaken, CureIt used to use a driver and remove it when you exit from the program; don't know if this is still the case.
     
  5. format_c

    format_c Registered Member

    Joined:
    May 6, 2008
    Posts:
    116
    No, you're right ;) The Dr.Web/CureIt scanner loads the Dr.Web Shield (anti-rootkit) driver at its start-up time.
     