STRELiTZIA wrote: Neither one nor the other :) If I'm not wrong, you are reading the "clean" copy of the driver that is shown by the rootkit itself. This won't work if the machine has been infected more than once by TDL3, because of a bug in the TDL3 rootkit. If the system has been infected more than once by this rootkit, the clean image of the driver shown by the rootkit is not the real clean one; it's corrupted.
The principle is quite simple: TDL3+ Cleaner copies the infected driver(s) to the Windows Temp folder and restores them to their original path; this trick clears the infected driver image.
But the rootkit reinfects the driver using Watchdog threads, so I used TDL3+ Cleaner Service to work at the moment when Windows shuts down.