[Declude.JunkMail] OT: Possible trojan?

2007-07-09 Thread Imail Admin
Hi All,

This is off-topic, but the people here seemed to always be ahead of the
game with these kinds of problems.  I wanted to know if what I'm
experiencing is some sort of trojan or virus, or just bad luck.

We have had two unrelated systems (one desktop, the other a notebook, on
different networks in different states) experiencing the same problem within a
week of each other.  The short description of the problem is this:

The system hive under Windows XP Pro becomes corrupt (when you boot, this
leads to a message about \windows\system32\config\system being unreadable).
You can replace the system hive (typically, you boot to the Recovery Console
and then copy over the system hive from \windows\system32\repair), but that
version only works a short while before also becoming corrupt.  If you get
the System hive to be somewhat stable and boot into Safe Mode, the System
Restore Point software works sporadically or not at all.  Other services and
programs seem to crash randomly or not load at all.  Hardware failure has
been ruled out.  There are no major new software installations.  The systems
had been operating fine for at least a year previously.

Any ideas?  The fact that the problems persist (if the System hive just was
corrupt from a power failure, for example, then it would stay fixed after
being replaced) suggests a software issue.  Since there is no new software
installation on either system, that makes me suspect a trojan or backdoor or
something.

Sorry for being off-topic, but I do appreciate your help.

Thanks,

Ben
BC Web



---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.



RE: [Declude.JunkMail] PCRE tests

2007-07-09 Thread Todd Richards
Hi David -

Thanks for the tips - very good information for this beginner.  I changed
the "e-card" one below to only look at the subject, as that is the one that
I have seen.  However, I had another one for some stocks that I had set up
the same, and since I do want it to look "anywhere" I used your suggestion.

I did try (\bERMX\b) the other day, but didn't have it combined with the
?i:, so it wasn't working.  I will give this a shot.

Thanks!

Todd
 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David
Barker
Sent: Monday, July 09, 2007 7:47 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] PCRE tests

Hi Todd,

A couple of suggestions

(?i:receive.*(postcard|greeting|ecard|e-card)) 

could also be written as:

(?i:receive.{0,50}(postcard|greeting|e.?card))

As you are checking anywhere, you want to limit the number of characters
between receive and the postcard etc.; if you were using SUBJECT the .* would
be fine. Also the ecard|e-card is better written as e.?card, that is
e.(anychar)?{0,1}card

Secondly (?i:ERMX) will produce false positives because of BASE64 encoding,
which uses strings of "random" characters; it would be better to use the
word break, which is \b, so you could do it like (?i:\bERMX\b)

David

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Todd
Richards
Sent: Friday, July 06, 2007 12:15 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] PCRE tests

UGGH, it always takes sending something to a LOT of people for you to see
how dumb you are...

I thought I had the postcard test (which is what I had been troubleshooting)
set up for "ANYWHERE", but it's just looking in the body and probably not
finding a match.  It's been more common on the Subject. 

Let me change that and report back!

Todd
 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Todd
Richards
Sent: Friday, July 06, 2007 10:59 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] PCRE tests

Hi David -

Yes, I just confirmed that I have 4.3.46.  Below are two that I just put in.
By the way, I warn at 15, fail at 20, and delete at 45.

Thanks!

Todd


# for the postcard greetings that are going through (aka "You've received a
postcard from a Partner!")
BODY 10 PCRE(?i:receive.*(postcard|greeting|ecard|e-card))


# for the stock spam coming through for ERMX (aka "Stock Watch ERMX")
BODY 20 PCRE(?i:ERMX)


 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David
Barker
Sent: Friday, July 06, 2007 10:18 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] PCRE tests

Todd, 

Ensure you have version 4.3.46 of Declude. The format of an expression is:

LOCATION WEIGHT PCRE(EXPRESSION)

Eg.

BODY 5 PCRE(?i:Hello World)

Post some examples that you are using but not getting hits.

David

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Todd
Richards
Sent: Friday, July 06, 2007 11:08 AM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] PCRE tests

Is there anything special that I need to have "turned on" to take advantage
of this?  I've been playing around with it, and really like what it can do.
Being a complete newbie to regex, I've been using Regex Buddy to test the
expressions before putting them into "production".  However, I'm not seeing
any hits in the emails.  

I have not turned on logging (sorry!) but was wondering if I need to add any
additional information to the config files for this to be noticed, or if it
is by default.  I am running the latest version.
 
Thanks!
 
Todd




[Declude.JunkMail] automated response

2007-07-09 Thread Marc Catuogno
For the week of July 9th through July 13th I will be out of the office with 
limited access to voice mail and Email. Please contact [EMAIL PROTECTED] or 
[EMAIL PROTECTED] for immediate computer help.  Please contact [EMAIL 
PROTECTED] for any website issues.





RE: [Declude.JunkMail] PCRE tests

2007-07-09 Thread David Barker
Hi Todd,

A couple of suggestions

(?i:receive.*(postcard|greeting|ecard|e-card)) 

could also be written as:

(?i:receive.{0,50}(postcard|greeting|e.?card))

As you are checking anywhere, you want to limit the number of characters
between receive and the postcard etc.; if you were using SUBJECT the .* would
be fine. Also the ecard|e-card is better written as e.?card, that is
e.(anychar)?{0,1}card

Secondly (?i:ERMX) will produce false positives because of BASE64 encoding,
which uses strings of "random" characters; it would be better to use the
word break, which is \b, so you could do it like (?i:\bERMX\b)

David

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Todd
Richards
Sent: Friday, July 06, 2007 12:15 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] PCRE tests

UGGH, it always takes sending something to a LOT of people for you to see
how dumb you are...

I thought I had the postcard test (which is what I had been troubleshooting)
set up for "ANYWHERE", but it's just looking in the body and probably not
finding a match.  It's been more common on the Subject. 

Let me change that and report back!

Todd
 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Todd
Richards
Sent: Friday, July 06, 2007 10:59 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] PCRE tests

Hi David -

Yes, I just confirmed that I have 4.3.46.  Below are two that I just put in.
By the way, I warn at 15, fail at 20, and delete at 45.

Thanks!

Todd


# for the postcard greetings that are going through (aka "You've received a
postcard from a Partner!")
BODY 10 PCRE(?i:receive.*(postcard|greeting|ecard|e-card))


# for the stock spam coming through for ERMX (aka "Stock Watch ERMX")
BODY 20 PCRE(?i:ERMX)


 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David
Barker
Sent: Friday, July 06, 2007 10:18 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] PCRE tests

Todd, 

Ensure you have version 4.3.46 of Declude. The format of an expression is:

LOCATION WEIGHT PCRE(EXPRESSION)

Eg.

BODY 5 PCRE(?i:Hello World)

Post some examples that you are using but not getting hits.

David

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Todd
Richards
Sent: Friday, July 06, 2007 11:08 AM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] PCRE tests

Is there anything special that I need to have "turned on" to take advantage
of this?  I've been playing around with it, and really like what it can do.
Being a complete newbie to regex, I've been using Regex Buddy to test the
expressions before putting them into "production".  However, I'm not seeing
any hits in the emails.  

I have not turned on logging (sorry!) but was wondering if I need to add any
additional information to the config files for this to be noticed, or if it
is by default.  I am running the latest version.
 
Thanks!
 
Todd
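The patterns David suggests, run side by side with Todd's original ones against constructed sample subjects and bodies, as an added example that is not part of this thread and is not Declude's own code. Python's re module stands in for PCRE here; the constructs under discussion ((?i:...), .{0,50}, .?, \b) behave the same in both engines. The (LOCATION, WEIGHT, expression) shape and the warn 15 / fail 20 / delete 45 thresholds come from the messages above; treating ANYWHERE as "subject or body", the run_tests scoring helper and the sample messages are this example's own assumptions. The base64 sample is built so that the bytes 0x11 0x13 0x17 encode to exactly "ERMX", which is the kind of false positive David describes.

```python
import base64
import re

# Added example, not code from the Declude list thread or from Declude itself.
# Python's `re` stands in for PCRE: (?i:...), .{0,50}, .? and \b behave the
# same way in both engines.

# The two tests from the thread in (LOCATION, WEIGHT, expression) shape, using
# David's tightened expressions. A LOCATION other than SUBJECT or BODY is
# treated here as "subject or body" (an assumption about ANYWHERE).
TESTS = [
    ("SUBJECT", 10, r"(?i:receive.{0,50}(postcard|greeting|e.?card))"),
    ("ANYWHERE", 20, r"(?i:\bERMX\b)"),
]

# Weight thresholds as quoted by Todd: warn at 15, fail at 20, delete at 45.
THRESHOLDS = (("DELETE", 45), ("FAIL", 20), ("WARN", 15))

# Original and tightened forms, kept for the side-by-side comparison.
LOOSE_POSTCARD = r"(?i:receive.*(postcard|greeting|ecard|e-card))"
TIGHT_POSTCARD = r"(?i:receive.{0,50}(postcard|greeting|e.?card))"
BARE_ERMX = r"(?i:ERMX)"
BOUNDED_ERMX = r"(?i:\bERMX\b)"

# Constructed samples (not real mail).
SUBJECT_POSTCARD = "You've received a postcard from a Partner!"
SUBJECT_ECARD = "You have received an e-card"
SUBJECT_STOCK = "Stock Watch ERMX"
# A legitimate body in which "receive" and "greeting" both occur, far apart:
# the unbounded .* bridges the gap, the bounded .{0,50} does not.
BODY_HAM = (
    "Thanks for the order. You should receive the tracking number shortly. "
    + "x" * 200
    + " Let me know if you want greeting card ideas for the office party."
)
# A body carrying a base64 attachment. The bytes 0x11 0x13 0x17 encode to
# exactly "ERMX", so the ticker appears inside the encoded run with base64
# alphabet characters (word characters, as far as \b is concerned) on both sides.
B64_WITH_ERMX = base64.b64encode(b"abc\x11\x13\x17def").decode()  # "YWJjERMXZGVm"
BODY_ATTACHMENT = "Please see attached.\n\n" + B64_WITH_ERMX


def matches(expr, text):
    """True if the expression hits anywhere in the text."""
    return re.search(expr, text) is not None


def run_tests(subject, body, tests=TESTS):
    """Sum the weights of the tests that hit. Returns (total, [expressions that hit])."""
    total, hits = 0, []
    for location, weight, expr in tests:
        if location == "SUBJECT":
            haystacks = [subject]
        elif location == "BODY":
            haystacks = [body]
        else:
            haystacks = [subject, body]
        if any(matches(expr, h) for h in haystacks):
            total += weight
            hits.append(expr)
    return total, hits


def verdict(total, thresholds=THRESHOLDS):
    """Map a weight total onto the warn/fail/delete ladder; PASS below warn."""
    for name, limit in thresholds:
        if total >= limit:
            return name
    return "PASS"


if __name__ == "__main__":
    for name, text in [("ham body", BODY_HAM), ("base64 body", BODY_ATTACHMENT)]:
        print(f"{name}: loose postcard={matches(LOOSE_POSTCARD, text)} "
              f"tight postcard={matches(TIGHT_POSTCARD, text)} "
              f"bare ERMX={matches(BARE_ERMX, text)} "
              f"bounded ERMX={matches(BOUNDED_ERMX, text)}")
    for subj, body in [(SUBJECT_POSTCARD, "hello"), (SUBJECT_STOCK, BODY_ATTACHMENT)]:
        total, hits = run_tests(subj, body)
        print(f"{subj!r}: weight={total} verdict={verdict(total)} hits={hits}")
```

The ham body is the case David is warning about: with .* the postcard test fires on any message that mentions receiving something and, hundreds of characters later, a greeting, while .{0,50} only fires when the two are close together. The base64 body shows why a short ticker symbol needs \b on both sides: encoded attachments are long runs of letters and digits, so any four-letter uppercase string will eventually appear inside one, and only the word-boundary version stays quiet on it.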


