As soon as the TDL3 kernel-mode rootkit is active, the dropper drops 3 files, tdlcmd.dll, tdlswp.dll and config.ini, onto its own storage. In detail, TDL3 organizes a special storage mode for itself rather than using the traditional filesystem:
In order to access its files inside its own EFS, TDL3 constructs a random path such as "\Device\Ide\IdePort1\enticxfj........." to redirect requests into its own filesystem stack.
TDL3 performs the installation: the real rootkit's code and the overwritten "atapi.sys" data are placed into a buffer at 0x817e1000.
That is also why, if a security program removes "tdlswp.dll", the user can get an error dialog box saying that "\Device\Ide\IdePort1\enticxfj........." was not found.
Yeah, we have already had about 4 on this forum, of various differences.
And to some degree.
Quads
Message Edited by Quads on 11-19-2009 06:22 AM