A forum for reverse engineering, OS internals and malware analysis 
 #1528  by USForce
 Wed Jul 14, 2010 11:33 pm
EP_X0FF wrote: Cannot reproduce :?

I made a quick test.

Clean machine, from repository, XP SP3.

Infected the machine with this sample (file: termdd.sys), rebooted.
Installed TDSS remover, rebooted when asked.
Scanned with TDSS remover; it detected TDL3, "fixed it", rebooted.

After reboot TDL3 is successfully removed.
Actually I've only run a quick test, maybe I could be wrong. Though I'm starting to get tired of TDL3 bugs :x :roll:
 #1543  by nullptr
 Thu Jul 15, 2010 11:56 am
For anyone who cares to know or doesn't know ;)
MSE 1.0.1963.0, esage TDSS remover and Strelitzia's tool will all remove the latest TDL3 with a little help from RKu.
(They're the only ones I've tested that have worked at some stage.)

- Remove the Load Image callback notification (not necessary for MSE)
- Remove the user-mode NtxxxVirtualMemory code hooks from explorer.exe and svchost.exe

Run the remover, or Quick Scan for MSE
 #1553  by SecConnex
 Thu Jul 15, 2010 6:38 pm
I know that HIPS would probably be evaded, but what if it is paired with MSE and then tested against TDL3?
 #1566  by Meriadoc
 Fri Jul 16, 2010 12:28 pm
The Case of TDL3 Rootkit http://northsecuritylabs.blogspot.com/2 ... otkit.html
Let us check out the new facilities of Hypersight Rootkit Detector using a sample of TDL3 rootkit. This epic rootkit was a nightmare for virus analysts recently.
System requirements:
* Processor: Intel with VT-x support
* Operating system: Windows XP x86, Windows Server 2003 x86, Windows Vista x86, Windows 7 x86 with PAE enabled
Uninstall Hypersight Rootkit Detector in Safe Mode
Known issues
* Virtual machine images (VMware, VirtualBox) must be stopped when monitoring is turned on
* Windows Aero is not supported at present time

Download here: http://northsecuritylabs.com/download_new.aspx
Scroll down and press the Download button.
 #1569  by nullptr
 Fri Jul 16, 2010 3:14 pm
Microsoft Security Essentials Version: 1.0.1963.0
Antimalware Client Version: 2.1.6805.0
Engine Version: 1.1.6004.0
Antivirus definitions: 1.87.23.0
Antispyware definitions: 1.87.23.0
Successfully removes the latest TDL3.
 #1570  by Meriadoc
 Fri Jul 16, 2010 6:45 pm
Will the initial Security Essentials install update with TDL3 already active? Without an update, SE will do nothing at all?
pumpin' iron
pumpin' iron
pumpin' iron
pumpin' iron
CompanyName
C21 H23 NO5
lol :)
 #1573  by nullptr
 Sat Jul 17, 2010 5:26 am
Meriadoc wrote: Will the initial Security Essentials install update with TDL3 already active? Without an update, SE will do nothing at all?
As expected, MSE is unable to update due to the TDL3 user-mode hooks. To work around it, the easiest way is to remove the hooks from wuauclt.exe, explorer.exe and svchost.exe. Then MSE will update and remove the infection.
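The user-mode part of the procedure in #1543 and #1573 (strip the Nt*VirtualMemory hooks from explorer.exe, svchost.exe and wuauclt.exe before running the remover or letting MSE update) amounts to a cross-view check of each ntdll export: compare the bytes the process sees with the bytes of the same export in the on-disk ntdll.dll, decode where a patched prologue jumps, and write the clean prologue back. The C below is an added example, not code from the thread or from RKu, esage's remover or MSE, and it works on a constructed buffer: the 15-byte XP-style stub, the 0x7C809A81 stub address and the 0x00A10000 handler address are illustrative assumptions. On a live XP box the "mem" bytes would come from ReadProcessMemory on the target and "disk" from the export in a freshly mapped ntdll.dll, and restore_stub's output is what you would hand to WriteProcessMemory.

```c
/* Cross-view detection and restoration of user-mode inline hooks on an
 * ntdll Nt*VirtualMemory stub. Added example; stub bytes and addresses
 * below are constructed for illustration, not dumped from a real process. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define STUB_LEN 15   /* whole XP-style ntdll stub: mov eax,N / mov edx / call [edx] / ret */

enum hook_kind { HOOK_NONE = 0, HOOK_JMP_REL32, HOOK_PUSH_RET, HOOK_UNKNOWN };

typedef struct {
    enum hook_kind kind;
    uint32_t target;     /* decoded destination for JMP / PUSH-RET hooks, else 0 */
    size_t first_diff;   /* offset of the first patched byte, STUB_LEN if clean */
} hook_report;

static uint32_t rd32le(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void wr32le(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Compare the in-memory stub with the on-disk copy and classify any patch. */
hook_report inspect_stub(uint32_t stub_va, const uint8_t *mem, const uint8_t *disk)
{
    hook_report r = { HOOK_NONE, 0, STUB_LEN };
    size_t i;
    for (i = 0; i < STUB_LEN; i++)
        if (mem[i] != disk[i]) { r.first_diff = i; break; }
    if (r.first_diff == STUB_LEN)
        return r;                                   /* identical to disk: clean */

    if (mem[0] == 0xE9) {                           /* JMP rel32 */
        r.kind = HOOK_JMP_REL32;
        r.target = stub_va + 5 + rd32le(mem + 1);   /* rel32 is relative to the next insn */
    } else if (mem[0] == 0x68 && mem[5] == 0xC3) {  /* PUSH imm32 ; RET */
        r.kind = HOOK_PUSH_RET;
        r.target = rd32le(mem + 1);
    } else {
        r.kind = HOOK_UNKNOWN;                      /* patched, but not a prologue we decode */
    }
    return r;
}

/* Put the clean prologue back; returns how many bytes were changed. */
size_t restore_stub(uint8_t *mem, const uint8_t *disk)
{
    size_t changed = 0, i;
    for (i = 0; i < STUB_LEN; i++)
        if (mem[i] != disk[i]) { mem[i] = disk[i]; changed++; }
    return changed;
}

/* What a hook installer does: overwrite the first 5 bytes with JMP rel32. */
void install_jmp_hook(uint32_t stub_va, uint8_t *mem, uint32_t handler_va)
{
    mem[0] = 0xE9;
    wr32le(mem + 1, handler_va - (stub_va + 5));    /* unsigned wrap gives the rel32 */
}

/* Constructed sample: an XP SP3-style ntdll!NtAllocateVirtualMemory stub
 *   mov eax, 11h ; mov edx, 7FFE0300h ; call [edx] ; ret 18h
 * Both addresses are assumed, illustrative values. */
const uint8_t CLEAN_STUB[STUB_LEN] = {
    0xB8, 0x11, 0x00, 0x00, 0x00,
    0xBA, 0x00, 0x03, 0xFE, 0x7F,
    0xFF, 0x12,
    0xC2, 0x18, 0x00
};
const uint32_t STUB_VA    = 0x7C809A81u;   /* assumed address of the stub */
const uint32_t HANDLER_VA = 0x00A10000u;   /* assumed address of injected code */

/* Hook, detect, restore, re-check; returns 0 when every step behaved. */
int demo(void)
{
    uint8_t mem[STUB_LEN];
    hook_report before, after;
    memcpy(mem, CLEAN_STUB, STUB_LEN);
    install_jmp_hook(STUB_VA, mem, HANDLER_VA);
    before = inspect_stub(STUB_VA, mem, CLEAN_STUB);
    printf("hooked: kind=%d target=%08X\n", (int)before.kind, before.target);
    restore_stub(mem, CLEAN_STUB);
    after = inspect_stub(STUB_VA, mem, CLEAN_STUB);
    return (before.kind == HOOK_JMP_REL32 && before.target == HANDLER_VA &&
            after.kind == HOOK_NONE) ? 0 : 1;
}

int main(void) { return demo(); }
```

Two caveats a practitioner would want: only a patch that starts at the first byte is decoded here, so a detour placed deeper in the function shows up as HOOK_UNKNOWN with its offset in first_diff and must be looked at by hand; and the kernel-side Load Image callback from #1543 is not touched by any of this, since it lives in kernel memory and needs a driver (which is why the post says to let RKu deal with it).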
 #1574  by Meriadoc
 Sat Jul 17, 2010 7:03 am
nullptr wrote:
Meriadoc wrote: Will the initial Security Essentials install update with TDL3 already active? Without an update, SE will do nothing at all?
As expected, MSE is unable to update due to the TDL3 user-mode hooks. To work around it, the easiest way is to remove the hooks from wuauclt.exe, explorer.exe and svchost.exe. Then MSE will update and remove the infection.
Thanks :) ;) Just wanted to point that out.