A forum for reverse engineering, OS internals and malware analysis 
#1738 by USForce
Sun Aug 01, 2010 11:16 am
STRELiTZIA wrote: Neither one nor the other :)
The principle is quite simple: TDL3+ Cleaner copies the infected driver(s) to the Windows Temp folder and restores them to their original path; this trick clears the infected driver image.

But the rootkit reinfects the driver using watchdog threads, so I used the TDL3+ Cleaner Service to do this at the moment when Windows shuts down.

If I'm not wrong, you are reading the "clean" copy of the driver that is shown by the rootkit itself. This won't work if the machine has been infected multiple times by TDL3, because of a bug in the TDL3 rootkit. If the system has been infected more than once by this rootkit, the clean image of the driver shown by the rootkit is not the real clean one; it's corrupted.
#1739 by EP_X0FF
Sun Aug 01, 2010 12:52 pm
This is very rare behavior, mostly seen in a test lab. Of course, restoring the original files from the Windows CD is always better. Curing is a more complex task, and it is not necessary with this type of rootkit.
#1740 by USForce
Sun Aug 01, 2010 1:26 pm
Actually, I have been able to reproduce this really bizarre behavior multiple times. This is why I'm not trusting this cleanup approach anymore. Well, I'll leave it as a last attempt, at least.
#2635 by EP_X0FF
Sat Sep 04, 2010 1:33 am
Topic split.

Posts regarding RkU moved to RkUnhooker Safe Mode.