Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Need help from a TDDSKiller user please


  • Please log in to reply
No replies to this topic

#1 MoreParanoidThanThou

MoreParanoidThanThou

  • Members
  • 4 posts
  • OFFLINE
  •  

Posted 01 October 2016 - 12:50 PM

Dunno why the activation email went to gmail spam even though signup has 2 robot tests.

So anyway I am not sure if TDDSKiller has a weird bug or if I am infected and its the rootkit avoiding TDDSKiller but when I run it, a bit later I will notice absent legacy devices in hardware devices.

I use this flag in system variables https://support.microsoft.com/en-us/kb/315539
If you use it in command line it will reset on reboot.

And in device manager I select show hidden devices.

What I see are a few files with 8 seemingly random numbers which are absent. They have no additional info but share a GUID with legitimate files. There is nothing leading me from searching in regedit.

They are .sys driver files that do not show up in recuva and are not on the drive.
Using resource monitor I sometimes see one as a loaded module in the CPU tab. its like I am trying to tell people if they can see ghosts too:(

I have ran many AVs and it seems to hide extremely well.

I would like to know if anyone can replicate and if not how I can retrieve this file to send for analysis.

Thanks

Edited by MoreParanoidThanThou, 01 October 2016 - 12:52 PM.


BC AdBot (Login to Remove)

 





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users