Originally posted by: redbeard1
up
It isn't that difficult ... imagine a device driver (kind of like the driver that lets your graphics card work) that hides all files that match svga.sys. Bingo - we can easily put a file called svga.sys into your system, and you'd never be the wiser. That's easy.
Now, let's imagine a device driver that can hide *itself* too, so not only can it put that svga.sys file on your hard drive (which can do whatever it wants to your computer), but it *also* is invisible from within both RegEdit and any other editing or viewing tools you might have, like, say, MPS Reports.
Sometimes you can see svga.sys if you look at the directory where it is located from *another* computer, but it's possible even that can be hidden if it could hit your network layers.
Pretty tricky, but not uncommon.
Lots of times you can pick that up by looking at an NTBACKUP backup of the system files - it will be visible in that registry. Or you can boot with WinPE or Recovery Console, make a backup of the registry, and then mail the registry off to someone so they can look at it and see the bad service/driver that's installed. Sometimes you can see the malware in safe mode, but that's beatable too, so even safe mode isn't a perfectly reliable indication, either.
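The detection idea in the post above (compare what the infected machine's own APIs report against a view taken from somewhere the driver cannot filter: another computer, a WinPE boot, an NTBACKUP copy of the registry) is what is usually called a cross-view check. The script below is an added example written for this page, not code from the poster or from any tool mentioned; it diffs two directory listings and two service lists that are constructed inline. The filename svga.sys is the one the post uses; the service name "svga" and all other paths are placeholders.

```python
# Added example: cross-view discrepancy check for hidden files and driver/service keys.
# Not code from the original post; every listing below is constructed sample data.
import ntpath
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class Discrepancy:
    kind: str    # "file" or "service"
    name: str
    detail: str


def _norm_path(path: str) -> str:
    # Windows paths are case-insensitive; normalise so a case difference alone never looks like a hit.
    return ntpath.normcase(ntpath.normpath(path))


def hidden_files(live_view: Iterable[str], offline_view: Iterable[str]) -> List[Discrepancy]:
    """Files the offline view (WinPE boot, other machine, backup) lists but the live API does not."""
    live = {_norm_path(p) for p in live_view}
    return [
        Discrepancy("file", p, "listed offline, absent from live directory enumeration")
        for p in sorted(set(offline_view))
        if _norm_path(p) not in live
    ]


def hidden_services(live_view: Dict[str, str], offline_view: Dict[str, str]) -> List[Discrepancy]:
    """Service keys (name -> ImagePath) present in an offline SYSTEM hive but missing from the live registry view."""
    live = {name.lower() for name in live_view}
    return [
        Discrepancy("service", name,
                    f"ImagePath={offline_view[name]} in offline hive, missing from live RegEdit view")
        for name in sorted(offline_view)
        if name.lower() not in live
    ]


def cross_view_report(live_files, offline_files, live_services, offline_services) -> List[Discrepancy]:
    """Run both checks. Entries that exist only in the live view are ignored: nothing is
    hiding them, they are usually just the two snapshots being taken at different times."""
    return hidden_files(live_files, offline_files) + hidden_services(live_services, offline_services)


# Constructed sample views (placeholders, not real indicators).
LIVE_FILES = [
    r"C:\Windows\System32\drivers\ntfs.sys",
    r"C:\Windows\System32\drivers\tcpip.sys",
]
# The offline listing also sees the driver file the live view filters out.
OFFLINE_FILES = LIVE_FILES + [r"C:\Windows\System32\Drivers\svga.sys"]

LIVE_SERVICES = {"Ntfs": r"System32\drivers\ntfs.sys", "Tcpip": r"System32\drivers\tcpip.sys"}
# The backed-up hive still carries the service entry that loads the hidden driver.
OFFLINE_SERVICES = dict(LIVE_SERVICES, svga=r"System32\drivers\svga.sys")


def run_demo() -> List[Discrepancy]:
    findings = cross_view_report(LIVE_FILES, OFFLINE_FILES, LIVE_SERVICES, OFFLINE_SERVICES)
    for f in findings:
        print(f"[{f.kind}] {f.name}: {f.detail}")
    return findings


if __name__ == "__main__":
    run_demo()
```

The live listings would in practice come from the suspect machine's own `dir` and RegEdit output, and the offline ones from the NTBACKUP registry copy or a WinPE boot, exactly as the post suggests; the check only works if both snapshots cover the same directories and the same hive, otherwise ordinary timing differences show up as false hits.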
