@RedNose commented on the blog I put up recently about the tool my Russian colleagues have made available for dumping TDL's hidden file system: I'm going to respond here in case anyone else is confused about this.
"I ran the tool and it did not show anything. Does it mean that TDSS is not present?"
No, that's not exactly what it means. In the event that the tool doesn't find the TDL file system, it should show a message along the lines of
No TDL hidden file system detected.If you're unsure about what the output was, run the tool from the command line cmd.exe using the -v (verbose) option:
tdlfsreader.exe -vIt must be run from the command line, and from an account with administrator privileges.
However, this isn't specifically designed to check for the presence of TDL. If that's all you want, it would be better to use the removal tool (or, better still, a frequently updated full scanner):
- http://download.eset.com/special/EOlmarikTdl4Cleaner.exe (for TDL4)
- http://download.eset.com/special/EOlmarikRemover.exe (for TDL3/TDL3+)
Obviously, I can't guarantee that any AV tool will detect the presence of all TDSS infections.
Thanks, Eugene, for the clarification.
David Harley CITP FBCS CISSP
ESET Senior Research Fellow
