
Is content in NISX64 driver folder MALWARE?

Hello, I'm checking a couple of things.

Norton Internet Security 2009 beta (installed over Norton 360 v2.x)

OS: Windows Vista Home premium, x64

1. start sysinternals tool 'autoruns'

2. select Drivers tab

Are the following driver files proper for this installation?

SYMDNS    DNS Filter Driver    Symantec Corporation    c:\windows\system32\drivers\nisx64\1000000.078\symdns.sys

SYMFW    Firewall Filter Driver    Symantec Corporation    c:\windows\system32\drivers\nisx64\1000000.078\symfw.sys

SYMNDISV    NDIS Filter Driver    Symantec Corporation    c:\windows\system32\drivers\nisx64\1000000.078\symndisv.sys

SYMREDRV    Redirector Filter Driver    Symantec Corporation    c:\windows\system32\drivers\nisx64\1000000.078\symredrv.sys

This nisx64 folder isn't viewable in the drivers directory; it seems that it does not exist. Still, Autoruns doesn't prompt 'file not found' for these.

I tried my luck and disabled these, but they appeared again after boot.

Google and Norton search don't say much about nisx64. Seems like problems. Are these mal?

Juha

--

www.olkkonen.net

Message Edited by juha on 09-12-2008 01:43 AM

Replies


Re: Is content in NISX64 driver folder MALWARE?

If I double-click these driver entries, I can see the image path, which is:

\??\C:\Windows\system32\drivers\NISx64\1000000.078\SYMREDRV.SYS

I don't know anything about these so these \??\ make me wonder. Is this some rootkit black magic?


Re: Is content in NISX64 driver folder MALWARE?

There is nothing sinister about these files; they are the NIS driver files, installed in the drivers folder per Microsoft requirements.

Previous versions of NIS installed them directly in the drivers folder; NIS 2009 installs them in a subfolder.

No changes to the directory permissions or visibility are made, nor are the files actively being hidden. If you can't see the files, it may be your Explorer settings, or you may not have administrative permissions.

The operating system requires the driver files to be registered using that particular convention.

See this article on MSDN that explains the \??\ convention:

MSDN link

Pieter

Message Edited by Tony_Weiss on 09-12-2008 04:02 PM
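An added example, not part of the thread and not Symantec or Sysinternals code: one way to check the driver entries discussed above is to read each driver service's ImagePath from the registry, strip the `\??\` prefix, and inspect the file's Authenticode signature. The helper name `Resolve-DriverImagePath` and the `$filter` variable are hypothetical; the script assumes an elevated 64-bit PowerShell 3.0 or later.

```powershell
# Added example. Run elevated in 64-bit PowerShell: a 32-bit process sees
# System32 redirected to SysWOW64, so a drivers subfolder can appear to be missing.

function Resolve-DriverImagePath {
    # Hypothetical helper: turn a service ImagePath value into a plain DOS path.
    param([string]$ImagePath, [string]$ServiceName)
    $root = $env:SystemRoot
    if ([string]::IsNullOrWhiteSpace($ImagePath)) {
        # Drivers without ImagePath are loaded from System32\drivers\<name>.sys
        return Join-Path $root "System32\drivers\$ServiceName.sys"
    }
    $p = $ImagePath.Trim('"')
    # '\??\' is the NT object-namespace prefix in front of a DOS path.
    # StartsWith is used because -like would treat '?' as a wildcard.
    if ($p.StartsWith('\??\')) { return $p.Substring(4) }
    if ($p -match '^\\SystemRoot\\') { return Join-Path $root $p.Substring(12) }
    if ($p -match '^[A-Za-z]:\\') { return $p }
    return Join-Path $root $p      # relative form, e.g. system32\drivers\x.sys
}

# Folder name taken from the thread; change it to inspect other drivers.
$filter = '*\drivers\NISx64\*'

Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' | ForEach-Object {
    $svc = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
    # Service Type 1 = kernel driver, 2 = file system driver
    if ($svc.Type -notin 1, 2) { return }

    $path   = Resolve-DriverImagePath -ImagePath $svc.ImagePath -ServiceName $_.PSChildName
    $exists = Test-Path -LiteralPath $path
    $sig    = if ($exists) { Get-AuthenticodeSignature -LiteralPath $path } else { $null }

    [pscustomobject]@{
        Service = $_.PSChildName
        Path    = $path
        Exists  = $exists
        Status  = if ($sig) { $sig.Status } else { 'n/a' }
        Signer  = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    }
} | Where-Object { $_.Path -like $filter } | Format-List
```

An entry whose file exists, reports a `Valid` status and names the expected vendor as signer matches what the reply describes; a missing file or an unexpected signer is the case to investigate further.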
