How to find hidden/cloaked files in Windows 2003

Tags: files, windows-server-2003

Here is the point.

I set Windows to display all the hidden files and protected operating system files but even after that, my antivirus (Kaspersky) is still getting a ".dll" file on "c:\windows\system32" saying it's a riskware 'Hidden.Object'.

I tried to find this file every time but it's not there. So I asked one of the developers to create a service that checks the folder every 5 seconds and, if it finds the file, copies it to another place.

If it copies to another place with the same name and extension, I still can't find the file in the other folder but Kaspersky now finds both. If I keep the same name but with a different extension, like ".temp123", I still can't find the file. Lastly, I created an empty text file and renamed it with the same name as the other one, and the file was just gone too.

After all this research it's clear that every file with this same name on this specific server gets cloaked, no matter the file extension. I created a file with this same name on another server and nothing happens, the file is still there without problem.

How can I find this kind of file? How can I "uncloak" it? How can I know what this file is doing?

Best Answer

Looks like a rootkit. Use RootkitRevealer from the Sysinternals suite (http://technet.microsoft.com/en-us/sysinternals/bb897445), or boot to rescue mode (may or may not help), or boot another system (Linux from CD, for example), or insert the disk into another computer.
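
The offline-boot suggestion amounts to a cross-view comparison: list the folder once from the running server and once from a clean system reading the same disk, then diff the two. The sketch below is an added example, not part of the original answer; it assumes each listing is a plain text file with one file name per line (for instance `dir /a /b` on the live server and `ls -1A` on the mounted volume), and the file names in the sample data are constructed.

```python
import ntpath
from collections import defaultdict

def parse_listing(text):
    """Map case-folded name -> original name for a one-name-per-line listing."""
    names = {}
    for line in text.splitlines():
        name = line.strip()
        if name:
            # Win32 treats NTFS names case-insensitively, so compare folded.
            names[name.casefold()] = name
    return names

def cross_view_diff(live_text, offline_text):
    """Names present in the offline (raw disk) view but absent from the live view."""
    live = parse_listing(live_text)
    offline = parse_listing(offline_text)
    return sorted(offline[k] for k in offline.keys() - live.keys())

def hidden_stems(hidden):
    """Group hidden names by stem: the question reports cloaking by name,
    whatever the extension, so one stem with several extensions is the pattern."""
    groups = defaultdict(list)
    for name in hidden:
        stem, _ext = ntpath.splitext(name)
        groups[stem.casefold()].append(name)
    return {stem: sorted(names) for stem, names in groups.items()}

# Constructed sample listings (not taken from the question).
LIVE = """kernel32.dll
USER32.DLL
notepad.exe
"""
OFFLINE = """kernel32.dll
user32.dll
notepad.exe
examplename.dll
examplename.temp123
"""

if __name__ == "__main__":
    hidden = cross_view_diff(LIVE, OFFLINE)
    for stem, names in hidden_stems(hidden).items():
        print(f"hidden on live system: stem={stem!r} files={names}")
```

Files created or deleted between the two listings also show up as differences, so take the live listing immediately before shutting the server down.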