Solved

My Outlook is sending spam

Posted on 2008-10-14
Last Modified: 2013-12-06
When I start Outlook, the dialog box "Sending & Receiving" tells me it is sending message 6/80. Later I get a lot of "Undelivered Mail Returned to Sender". If I check the e-mail returned, it's spam!

It's likely a virus, but I had NOD32 installed all the time. After I got this problem I also installed AVG (in Windows safe mode) to search for viruses, but nothing was found. I do not have Delivery or Read Receipt activated, and the e-mail from my computer is spam!

Any ideas how to fix this? I just reinstalled my computer 1 week ago...
Question by:riverman
11 Comments
 
LVL 12

Expert Comment

by:Steve
ID: 22710453
Install Spybot, update to the latest definitions and do a full scan as well.

http://www.safer-networking.org/en/download/

 

Author Comment

by:riverman
ID: 22710695
Thank you for your reply!

I could not find anything with Spybot, but I have attached the log file.

Any idea?

SpybotSD.Report.txt
 
LVL 12

Expert Comment

by:Steve
ID: 22716169
Well, it all looks pretty good.

If your NOD32 is fully up to date, as is Spybot, and you've done full scans with both without finding anything, then that's good.

Now your Outlook: if you go to your Outbox, what's in it? Anything? If there is, what are they? Can you delete them? (You'll probably have to 'Work Offline' to remove them, though.)

If you then shut down and restart, do they reappear?

Next thing to do: go to a CMD prompt (Start / Programs / Command Prompt) and do a 'netstat -a > c:\whatports.txt'. This will show us whether your machine is perhaps being controlled as a zombie by listening on non-standard ports.

 

Author Comment

by:riverman
ID: 22716789
Hi,
Thanks for your reply!

> If your NOD32 is fully up to date, as is Spybot, and you've done full scans with both without finding anything, then that's good.
Yes, nothing reported by NOD or AVG.

> Now your Outlook: if you go to your Outbox, what's in it? Anything? If there is, what are they? Can you delete them?
No, it's empty; still, Outlook is reporting sending message 4/50 or something...

> If you then shut down and restart, do they reappear?
N/A (no)

> Next thing to do: go to a CMD prompt (Start / Programs / Command Prompt) and do a 'netstat -a > c:\whatports.txt'.

I'll attach the c:\whatports.txt

Lots of connections, it seems...


whatports.txt
 

Author Comment

by:riverman
ID: 22716839
Here is the same file, but with Outlook closed! Almost no connections to the outside world!
whatports2.txt
 

Author Comment

by:riverman
ID: 22717261
Hi again!

I have disabled all add-ons in Outlook, and this also seems to disable the spamming...

The add-ons are:
OLSIDESHOW.DLL - Microsoft Office Outlook Calendar Gadget for Windows SideShow
UmOutlookAddin.dll - Exchange Outlook UM addin
GrooveTransceiver.dll - Groove Transceiver Module
OMSMAIN.DLL - Microsoft Outlook Mobile Service
ONBttnOL.dll - Microsoft Office OneNote Outlook Add-in
ACCOLK.DLL - Access Outlook Data Collection Addin
ColleagueImport.dll - Microsoft Office SharePoint Server component
OUTLVBA.DLL - Outlook VBA Integration Add-In
mssphtb.dll - Outlook MSSearch Connector

The conclusion should be that one or more of the above plugins is the "virus"....

Another interesting thing after disabling the add-ons is that all the connections opened by Outlook are gone!!! (see attached file)

The question now is how to narrow down the add-on and get back to the original configuration?

whatports3.txt
 
LVL 12

Accepted Solution

by:
Steve earned 750 total points
ID: 22717346
OK, you've got the following ports open:
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            river-wks8:0           LISTENING - Netbios OK
  TCP    0.0.0.0:445            river-wks8:0           LISTENING - Microsoft DS - Resource Sharing on win - OK
  TCP    0.0.0.0:3389           river-wks8:0           LISTENING - Microsoft Terminal Server - RDP Client
  TCP    0.0.0.0:5357           river-wks8:0           LISTENING - Web Service for devices ??

Dynamic ports (below), not registered:

  TCP    0.0.0.0:49152          river-wks8:0           LISTENING - BIT Torrent Sharing Port
  TCP    0.0.0.0:49153          river-wks8:0           LISTENING - BIT Torrent
  TCP    0.0.0.0:49154          river-wks8:0           LISTENING - BIT Torrent
  TCP    0.0.0.0:49158          river-wks8:0           LISTENING - Bit Torrent
  TCP    0.0.0.0:49159          river-wks8:0           LISTENING - Bit Torrent
  TCP    0.0.0.0:59509          river-wks8:0           LISTENING - ???
  TCP    127.0.0.1:25377        river-wks8:0           LISTENING - ???
  TCP    127.0.0.1:30606        river-wks8:0           LISTENING - ???

So, after looking at this we get a pretty good idea. Firstly, you have NetBIOS open on your machine; you need to secure it.

BitTorrent sharing... man, this is going to cause grief, because there is no way I can tell what you have or have not run on your machine. For example, if you've downloaded cracks or hacks or whatever you do, many of them have embedded mail servers etc. which allow people to use you as a spam bot.

You really need to lock your ports down on your router to start with (if you can). Block those ports that you don't need the internet to access (probably all of them, except if you HAVE to have BitTorrent sharing).

The next thing I'd be doing would be a System Restore. Check out what restore points you have on your machine, and try to restore back to before the problem was occurring, e.g. if you only reloaded a week ago, restore to then. But make sure your ports are locked down on your router first.

That way you won't be susceptible to the same problem going forward.
 

Author Comment

by:riverman
ID: 22717632
Hi again!

I have used BitTorrent to download pbxinaflash (an open source PBX), no crack or hack stuff! I did this after my problems occurred, so BitTorrent should not be the cause. My computer is behind a firewall.

However, it's interesting that these ports are active and listening...

x: Windows Sockets initialization failed: 5
  TCP    192.168.4.114:64492    RIVER-SRV2:imap        ESTABLISHED
 [OUTLOOK.EXE]
  TCP    192.168.4.114:64794    adsl-71-139-244-137:http  TIME_WAIT
  TCP    192.168.4.114:64797    adsl-71-139-244-137:http  TIME_WAIT
  TCP    192.168.4.114:64799    adsl-71-139-244-137:http  TIME_WAIT
  TCP    192.168.4.114:64800    adsl-71-139-244-137:http  TIME_WAIT
  TCP    192.168.4.114:64812    195.54.111.82:http     TIME_WAIT
  TCP    192.168.4.114:64818    207.46.198.247:http    TIME_WAIT
  TCP    192.168.4.114:64822    207.46.198.247:http    TIME_WAIT
  TCP    192.168.4.114:64824    207.46.198.247:http    TIME_WAIT
  TCP    192.168.4.114:64826    207.46.198.247:http    TIME_WAIT
  TCP    192.168.4.114:64828    207.46.198.249:http    TIME_WAIT

It's Outlook.exe that makes connections over 64xxx ports to other sites! Port 49xxx was opened by the Windows process SSDPSRV.

Still, it seems that something in Outlook, an add-on or similar, is causing my problems...
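The netstat review Steve asked for earlier in the thread, and the per-process attribution riverman did by hand from `netstat -b` output above, can be scripted. The following Python is an added example, not code from the thread or from any of its participants: it parses the layout Windows `netstat -b -n` (optionally with `-o`) prints, attributes each socket to the bracketed image name that follows it, lists non-loopback listening ports, groups remote endpoints per process, and reports anything the mail client reached other than mail protocols on its own server. The sample output, the addresses in it and the mail-server address 192.168.4.10 are constructed for this example.

```python
"""Triage Windows netstat output: attribute sockets to the owning image and
pull out what this thread checked by hand (listening ports, who talks where)."""
import re
from collections import defaultdict

# Constructed sample in the layout `netstat -b -n` prints: socket lines,
# optionally a component name, then the owning image in square brackets.
# TIME_WAIT sockets are already closed, so netstat names no owner for them.
# Addresses are made up; 192.168.4.10 stands in for the LAN mail server.
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  RpcSs
 [svchost.exe]
  TCP    192.168.4.114:64492    192.168.4.10:143       ESTABLISHED
 [OUTLOOK.EXE]
  TCP    192.168.4.114:64501    192.168.4.10:25        ESTABLISHED
 [OUTLOOK.EXE]
  TCP    192.168.4.114:64794    71.139.244.137:80      TIME_WAIT
  TCP    192.168.4.114:64812    195.54.111.82:80       TIME_WAIT
  TCP    192.168.4.114:64818    207.46.198.247:80      ESTABLISHED
 [OUTLOOK.EXE]
"""

OWNER_RE = re.compile(r"^\[(.+)\]$")
MAIL_PORTS = {"25", "465", "587", "110", "995", "143", "993"}


def parse_netstat(text):
    """One dict per socket line. With -b, the bracketed image after a group of
    lines owns them; with -o, the trailing PID column is kept too."""
    sockets, pending = [], []
    for raw in text.splitlines():
        line = raw.strip()
        owner = OWNER_RE.match(line)
        if owner:
            for rec in pending:
                rec["process"] = owner.group(1)
            sockets.extend(pending)
            pending = []
            continue
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue  # banner, column header, or a component line such as RpcSs
        proto, rest = parts[0], parts[3:]
        state = rest.pop(0) if proto == "TCP" and rest and not rest[0].isdigit() else ""
        lhost, _, lport = parts[1].rpartition(":")  # also handles [::]:135 and *:*
        fhost, _, fport = parts[2].rpartition(":")
        rec = {"proto": proto, "local_host": lhost, "local_port": lport,
               "foreign_host": fhost, "foreign_port": fport, "state": state,
               "pid": int(rest[0]) if rest and rest[0].isdigit() else None,
               "process": None}
        if state == "TIME_WAIT":
            sockets.append(rec)  # no owner line follows a closed socket
        else:
            pending.append(rec)
    sockets.extend(pending)  # leftovers: output captured without -b
    return sockets


def listening_ports(sockets):
    """(port, process) pairs for sockets accepting connections on a non-loopback address."""
    out = {(int(s["local_port"]), s["process"]) for s in sockets
           if s["state"] == "LISTENING" and s["local_host"] not in ("127.0.0.1", "[::1]")}
    return sorted(out, key=lambda t: (t[0], t[1] or ""))


def remote_endpoints(sockets):
    """Per process, the set of (host, port) it is or was recently connected to.
    TIME_WAIT sockets are collected under '<unowned>'."""
    by_proc = defaultdict(set)
    for s in sockets:
        if s["state"] in ("LISTENING", "") or s["foreign_port"] in ("0", "*"):
            continue
        by_proc[s["process"] or "<unowned>"].add((s["foreign_host"], s["foreign_port"]))
    return dict(by_proc)


def unexpected_for_mail_client(sockets, process="OUTLOOK.EXE", mail_server="192.168.4.10"):
    """Remote endpoints the mail client reached other than mail protocols on its
    own server. Outlook does use HTTP legitimately (Autodiscover, RSS feeds),
    so each hit is something to explain, not proof of compromise by itself."""
    return [(s["foreign_host"], s["foreign_port"], s["state"]) for s in sockets
            if s["process"] == process and s["state"] not in ("LISTENING", "")
            and not (s["foreign_host"] == mail_server and s["foreign_port"] in MAIL_PORTS)]


if __name__ == "__main__":
    socks = parse_netstat(SAMPLE)
    print("listening:", listening_ports(socks))
    for proc, endpoints in sorted(remote_endpoints(socks).items()):
        print(proc, sorted(endpoints))
    print("unexpected for OUTLOOK.EXE:", unexpected_for_mail_client(socks))
```

On a real machine, capture with `netstat -b -n -o > ports.txt` from an elevated prompt (`-b` requires administrator rights) and pass the file contents to parse_netstat. A TIME_WAIT socket has already been closed, so netstat cannot name its owner; that is why the two TIME_WAIT entries in the sample land under '<unowned>' even though they sit next to the Outlook lines. When the question is "which process made those 64xxx connections", take several snapshots a few seconds apart with `-o` and match PIDs against `tasklist`, rather than trusting a single `-b` listing.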
 
LVL 12

Expert Comment

by:Steve
ID: 22717648
Yeah, I don't doubt it. But just removing the add-in isn't going to fix the root of the problem, because there is nothing stopping it from coming back if you don't plug the hole.

You can always remove the plugins one at a time to see which one is the problem.

Those addresses you've entered there are all HTTP web browsing sites that you must have been browsing to at the time you did the netstat; one was Microsoft etc. etc.
 

Author Comment

by:riverman
ID: 22717748
Only one of the plugins is not signed, and it's mssphtb.dll - Outlook MSSearch Connector. Perhaps it shouldn't be signed, but at least it's a suspect.

There were two IP addresses: one was MS and the other was from AT&T and was an ADSL connection. I didn't have any browser started!

For now I have done the following:
- I have deleted the exception rules for torrent in Windows Firewall.
- Disabled the above add-on in Outlook and renamed the file (if it comes back, I know it's the virus).
- I have activated usage throttling on my mail server, so if it for some reason activates again, the damage will be less than 20 spam messages.

I will also keep my computer under control and reinstall it again soon.

Thank you for all help!
 

Author Closing Comment

by:riverman
ID: 31505839
Thanks again for your time and effort! You led me to netstat...

/Måns