Shutting down an SMTP-Auth relay attack
March 5th, 2011
The TDL series of rootkits has certainly been prevalent amongst Windows machines recently, and the release of the TDL4 variant has presented itself as a thorn in the side of many a technician. Assuming that you have removed all other threats from the machine, the newest version of MBR by GMER has successfully removed the virus from its current hiding place in the Master Boot Record (MBR).
I would also heartily recommend ComboFix by sUBs. Whilst this automatic virus-removal Swiss army knife does contain mbr.exe, I would recommend running MBR.exe on its own first, before using ComboFix, just in case your variant of the virus blocks parts of ComboFix and leaves the machine unbootable.