Is content in NISX64 driver folder MALWARE?


There is nothing sinister about these files; they are the NIS driver files, installed in the drivers folder per Microsoft requirements.

Previous versions of NIS installed them directly in the drivers folder; NIS 2009 installs them in a subfolder.

 

No changes to the directory permissions or visibility are made, nor are the files actively being hidden. If you can't see the files, it may be your Explorer settings, or you may not have administrative permissions.

 

The operating system requires the driver files to be registered using that particular convention.

See this article on MSDN that explains the \??\ convention:

MSDN link

 

 

Pieter

 

Message Edited by Tony_Weiss on 09-12-2008 04:02 PM

Hello, I'm checking a couple of things.

 

Norton Internet Security 2009 beta (installed over Norton 360 v2.x)

OS: Windows Vista Home premium, x64

 

1. Start the Sysinternals tool 'Autoruns'

2. Select the Drivers tab

 

Are the following driver files proper for this installation?

 

SYMDNS    DNS Filter Driver    Symantec Corporation    c:\windows\system32\drivers\nisx64\1000000.078\symdns.sys

SYMFW    Firewall Filter Driver    Symantec Corporation    c:\windows\system32\drivers\nisx64\1000000.078\symfw.sys

SYMNDISV    NDIS Filter Driver    Symantec Corporation    c:\windows\system32\drivers\nisx64\1000000.078\symndisv.sys

SYMREDRV    Redirector Filter Driver    Symantec Corporation    c:\windows\system32\drivers\nisx64\1000000.078\symredrv.sys

 

This nisx64 folder isn't viewable in the drivers directory; it seems that it does not exist. Still, Autoruns doesn't prompt 'file not found' for these.

 

I tried my luck and disabled these, but they appeared again after boot.

 

Google and Norton search don't say much about nisx64. Seems like problems. Are these mal?

 

Juha

 

--

www.olkkonen.net

Message Edited by juha on 09-12-2008 01:43 AM

If I double-click these driver entries, I can see the image path, which is

 

\??\C:\Windows\system32\drivers\NISx64\1000000.078\SYMREDRV.SYS

 

I don't know anything about these so these \??\ make me wonder. Is this some rootkit black magic?
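
One way to check entries like these from the registry side, as an added example that is not part of the original thread and is not Symantec's or Microsoft's code: it reads each driver service's ImagePath, converts the `\??\`, `\SystemRoot\` and relative forms to an ordinary Win32 path, then reports whether the file exists and how it is signed. The function name `Resolve-DriverImagePath` and the final filter are assumptions made for this illustration.

```powershell
# Added example. Run from an elevated 64-bit PowerShell: a 32-bit process has
# System32 redirected to SysWOW64 and will not see 64-bit driver folders.

function Resolve-DriverImagePath {   # hypothetical helper name
    param([string]$ImagePath, [string]$ServiceName)

    if ([string]::IsNullOrWhiteSpace($ImagePath)) {
        # No ImagePath value: the default is System32\drivers\<service>.sys
        return Join-Path $env:SystemRoot "System32\drivers\$ServiceName.sys"
    }
    $p = [Environment]::ExpandEnvironmentVariables($ImagePath.Trim('"'))
    if ($p.StartsWith('\??\', [StringComparison]::Ordinal)) {
        # NT object-manager prefix for DOS device names: \??\C:\x -> C:\x
        return $p.Substring(4)
    }
    if ($p -match '^\\SystemRoot\\(.*)$') {
        return Join-Path $env:SystemRoot $Matches[1]
    }
    if (-not [IO.Path]::IsPathRooted($p)) {
        # Relative form such as system32\drivers\foo.sys
        return Join-Path $env:SystemRoot $p
    }
    return $p
}

$services = 'HKLM:\SYSTEM\CurrentControlSet\Services'
Get-ChildItem $services | ForEach-Object {
    $svc = Get-ItemProperty -LiteralPath $_.PSPath -ErrorAction SilentlyContinue
    # Service Type 1 = kernel driver, 2 = file-system driver
    if ($svc.Type -notin 1, 2) { return }

    $path   = Resolve-DriverImagePath -ImagePath $svc.ImagePath -ServiceName $_.PSChildName
    $exists = Test-Path -LiteralPath $path
    $sig    = if ($exists) { Get-AuthenticodeSignature -LiteralPath $path } else { $null }

    [pscustomobject]@{
        Service   = $_.PSChildName
        RawPath   = $svc.ImagePath
        Resolved  = $path
        Exists    = $exists
        SigStatus = if ($sig) { $sig.Status } else { 'n/a' }
        Signer    = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    }
} | Where-Object {
    # Show the NISx64 entries from this thread plus anything missing or not validly signed
    $_.RawPath -like '*NISx64*' -or -not $_.Exists -or $_.SigStatus -ne 'Valid'
} | Format-List
```

A driver whose Resolved path exists and whose Signer matches the vendor shown in Autoruns is consistent with a normal install; an entry whose file is missing or whose SigStatus is not Valid is the one to look at more closely.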