petermeachem
Programmer
Not a virus, but I can't think of a better place to ask.
It's a customer's PC running Win98.
It is sending a stream of emails every minute or so. Sample below of part of the bounce back of invalid addresses it sent:-
Content-type: text/rfc822-headers
Received: from 218.165.105.47 by user3 ([82.69.14.49] running VPOP3) with ESMTP; Tue, 30 Dec 2003 10:14:09 -0000
From: =?Big5?B?uvS49KbmvlCqQbDIpKSk37Nxqr4uLi4=?= <k7wnk.2wrjy@zdl.net>
Subject: =?big5?B?wdmmYqXOtseyzqahqrqm5r5QpOiqa7bcP6bzpKO41bjVuXGkbKbmvlAss8y1dc==?= =?big5?B?rsm2oaS6s8yk1qq6uXe64iyn4qdBqrqyo6t+sGWo7FVTRVKqurK0q2W=?=
To: =?Big5?B?uvSttqxbs10splez5qbmvlAspU6ryLVvq0gsq0/D0sX9p0G6obdOqrqqQbDI?= <nds2343@yahoo.com.tw>
Content-Type: multipart/alternative; boundary="=_NextPart_2rfkindysadvnqw3nerasdf"; charset="BIG-5"
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Sender: "ºô¸ô¦æ¾PªA°È¤¤¤ß³qª¾..." <k7wnk.2wrjy@zdl.net>
Date: Tue, 30 Dec 2003 18:14:34 +0800
X-Priority: 1
X-Library: Dynamailer®Ö¤ß§Þ³N
X-Mailer:Microsoft Outlook Express 6.00.2600.0000
X-MimeOLEroduced By Mircosoft MimeOLE V6.00.2600.0000
Message-Id: <VPOP31.5.0e.20031230101411.760.7.24.143f15df@user3>
X-Server: VPOP3 V1.5.0e - Registered
User 3 is the name of the PC. The PC uses Vpop to send mail and you can see the bad mail going out of the Vpop status window. OE is used as a client, but doesn't need to be running to send the bad mail. The other PC connected to this one is not to blame.
Spybot came up with a couple of things, Alexa and a Media Player exploit, which I cleared. Didn't fix the problem. Nortons doesn't find anything nor does Pestpatrol.
When I looked at it originally, Zonealarm was allowing a programme called psybnc internet access. The staff say they neither downloaded it nor let Zonealarm run it. This seems to be a Unix IRC programme? Removed, but still the same problem. Msinfo showed that hwinfo.exe was in the start list with psybnc as a name, now removed. Hwinfo hadn't been changed, just added to the start list.
SFC came up with nothing bad.
Stopping Vpop stops the problem, but is a bit inconvenient.
I assume something is executing and using the smtpserver address from the registry to send email. This would send via Vpop.
Has anyone got the slightest idea what is going on here? I am completely stuck. If I can't fix it soon, I shall have to format the disc and reinstall everything. I'd rather avoid that as it takes a time.
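An added example, not part of the original post: a short Python triage of the bounce headers quoted above, which decodes the Big5 display name and reads from the `Received:` line which host handed the message to VPOP3. It assumes VPOP3 writes the connecting peer's address after `from` and its own address in the brackets; the function names and the local/lan/external labels are illustrative.

```python
import ipaddress
import re
from email import message_from_string
from email.header import decode_header

# Two headers copied from the bounce quoted in the post.
BOUNCE_HEADERS = (
    "Received: from 218.165.105.47 by user3 ([82.69.14.49] running VPOP3) "
    "with ESMTP; Tue, 30 Dec 2003 10:14:09 -0000\n"
    "From: =?Big5?B?uvS49KbmvlCqQbDIpKSk37Nxqr4uLi4=?= <k7wnk.2wrjy@zdl.net>\n"
    "\n"
)

# Assumed layout: "from <peer> by <host> ([<server ip>] ...".
RECEIVED_RE = re.compile(
    r"from\s+(?P<peer>\S+)\s+by\s+(?P<host>\S+)\s+\(\[(?P<server_ip>[0-9.]+)\]"
)


def decode_display(value):
    """Turn RFC 2047 encoded-words (=?charset?B?...?=) into readable text."""
    parts = []
    for raw, charset in decode_header(value):
        if isinstance(raw, bytes):
            raw = raw.decode(charset or "ascii", errors="replace")
        parts.append(raw)
    return "".join(parts)


def classify_submitter(received):
    """Say whether the host that submitted the mail was the server itself,
    a private-range LAN address, or an outside address."""
    m = RECEIVED_RE.search(received)
    if not m:
        return None
    try:
        peer = ipaddress.ip_address(m["peer"])
    except ValueError:  # peer given as a name, not an address
        return {"peer": m["peer"], "server": m["server_ip"], "origin": "unknown"}
    server = ipaddress.ip_address(m["server_ip"])
    if peer.is_loopback or peer == server:
        origin = "local"
    elif peer.is_private:
        origin = "lan"
    else:
        origin = "external"
    return {"peer": str(peer), "server": str(server), "origin": origin}


def analyse(raw_headers=BOUNCE_HEADERS):
    msg = message_from_string(raw_headers)
    return {"from": decode_display(msg["From"]),
            "submitter": classify_submitter(msg["Received"])}
```

A result of `external` means the message reached VPOP3 over the network from another host, so the server's relay settings are worth checking before looking further for a local sender.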