Background: I run my own mail server, and I have a small number of clients who use it for their email.
Two of my clients currently are infected with something that hammers my mail server, two or three outgoing mail message attempts per second, as long as they are online. Sending is not successful because the server requires authentication and the virus does not seem to be able to scrape authentication settings from Thunderbird, but the mail server does drop into rate limiting and prevent real emails from being sent.
I have access to one of the clients, and have not found anything that will remove the virus or even detect it, including Avast Free boot-time scans and everything that could be suggested on the Bleeping Computer forums. A check with a network monitoring tool shows that the connections to the mail server are being made from a process with PID 0, the system idle process. The other client has run several Avast clean cycles, both standard and boot-time, and has found and removed several other viruses, but attacks on my server continue.
How do I go about removing this virus, or extracting enough of it so that it can be identified and added to the list of known viruses?