So anyway, I am not sure if TDSSKiller has a weird bug or if I am infected and it's the rootkit avoiding TDSSKiller, but when I run it, a bit later I will notice absent legacy devices in hardware devices.
I use this flag in system variables https://support.microsoft.com/en-us/kb/315539
If you use it in command line it will reset on reboot.
And in device manager I select show hidden devices.
What I see are a few files with 8 seemingly random numbers which are absent. They have no additional info but share a GUID with legitimate files. There is nothing leading me from searching in regedit.
They are .sys driver files that do not show up in recuva and are not on the drive.
Using Resource Monitor I sometimes see one as a loaded module in the CPU tab. It's like I am trying to tell people if they can see ghosts too :(
I have run many AVs and it seems to hide extremely well.
I would like to know if anyone can replicate this and, if not, how I can retrieve this file to send for analysis.
Edited by MoreParanoidThanThou, 01 October 2016 - 12:52 PM.
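Added example, not from the original post or from any tool it mentions: a read-only PowerShell triage script that walks the same legacy device entries the post surfaces via DEVMGR_SHOW_NONPRESENT_DEVICES (KB 315539) and reports, for each one, whether its driver service key and .sys file are actually present, so "ghost" entries can be separated from drivers that can still be hashed and submitted. It assumes a Windows build that still creates LEGACY_* subkeys under HKLM\SYSTEM\CurrentControlSet\Enum\Root (as Windows 7 does); the output columns and the eight-character check are my construction.

```powershell
# Added example (not from the original post): list the legacy device entries that
# Device Manager only shows with DEVMGR_SHOW_NONPRESENT_DEVICES=1 and "Show hidden
# devices", then check whether each one's driver service key and .sys file exist.
# Assumes a Windows build that still creates LEGACY_* keys under Enum\Root.
# Run from an elevated PowerShell prompt; it only reads, it changes nothing.

$enumRoot = 'HKLM:\SYSTEM\CurrentControlSet\Enum\Root'
$services = 'HKLM:\SYSTEM\CurrentControlSet\Services'

function Resolve-DriverPath {
    param([string]$ImagePath)
    if (-not $ImagePath) { return $null }
    # ImagePath appears as "\SystemRoot\...", "\??\C:\...", "%SystemRoot%\..." or
    # a path relative to the Windows directory; normalize all of them.
    $p = [Environment]::ExpandEnvironmentVariables($ImagePath.Trim('"'))
    $p = $p -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

$results = foreach ($dev in Get-ChildItem $enumRoot | Where-Object { $_.PSChildName -like 'LEGACY_*' }) {
    foreach ($inst in Get-ChildItem $dev.PSPath) {
        $props   = Get-ItemProperty $inst.PSPath
        $svcName = $props.Service
        $svcKey  = if ($svcName) { Join-Path $services $svcName } else { $null }
        $hasKey  = [bool]($svcKey -and (Test-Path $svcKey))
        $path    = if ($hasKey) { Resolve-DriverPath (Get-ItemProperty $svcKey).ImagePath } else { $null }
        [pscustomobject]@{
            Device      = $dev.PSChildName
            Description = $props.DeviceDesc
            ClassGuid   = $props.ClassGUID
            Service     = $svcName
            ServiceKey  = $hasKey
            DriverPath  = $path
            FileOnDisk  = [bool]($path -and (Test-Path $path))
            # the post's pattern: an eight-character, random-looking service name
            EightChars  = [bool]($svcName -match '^[0-9A-Za-z]{8}$')
        }
    }
}

# Entries with no file on disk or no service key sort to the top; those are the
# ones to examine further (if the file does exist, hash it before submitting it).
$results | Sort-Object FileOnDisk, ServiceKey | Format-Table -AutoSize
```

An entry with ServiceKey and FileOnDisk both False is a stale registration with nothing left to collect, which matches the "not on the drive" observation in the post; an entry with a file present can be hashed and uploaded for analysis.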