Solved

My Outlook is sending spam

Posted on 2008-10-14
1,318 Views
Last Modified: 2013-12-06
When I start Outlook, the Sending & Receiving dialog box tells me it is sending message 6/80. Later I get a lot of "Undelivered Mail Returned to Sender". If I check the returned e-mail, it's spam!

It's likely a virus, but I had NOD32 installed the whole time. After I got this problem I also installed AVG (in Windows safe mode) to search for viruses, but nothing was found. I do not have Delivery or Read Receipts activated, and the e-mail from my computer is spam!

Any ideas how to fix this? I reinstalled my computer just 1 week ago...
Question by:riverman
11 Comments
 
LVL 12

Expert Comment

by:Steve
ID: 22710453
Install Spybot, update to the latest definitions and do a full scan as well..

http://www.safer-networking.org/en/download/


Author Comment

by:riverman
ID: 22710695
Thank you for your reply!

Could not find anything with Spybot, but I attach the log file.

Any idea?

SpybotSD.Report.txt
LVL 12

Expert Comment

by:Steve
ID: 22716169
well it all looks pretty good..

If your NOD32 is fully up to date, as is Spybot, and you've done full scans with both not finding anything, then that's good..

Now your Outlook.. if you go to your Outbox.. what's in it? Anything? If there is, what are they? Can you delete them? (You'll probably have to 'work offline' to remove them though)..

If you then shut down and restart, do they reappear?

Next thing to do.. go to a CMD prompt (Start / Programs / Command Prompt) and do a 'netstat -a > c:\whatports.txt'. This will show us whether your machine is perhaps being controlled as a zombie by listening on non-standard ports..


Author Comment

by:riverman
ID: 22716789
Hi,
Thanks for your reply!

> If your NOD32 is fully up to date, as is Spybot, and you've done full scans with both not finding anything, then that's good..
Yes, nothing reported by NOD or AVG.

> Now your Outlook.. if you go to your Outbox.. what's in it? Anything? If there is, what are they? Can you delete them?
No, it's empty; still, Outlook is reporting sending message 4/50 or something...

> If you then shut down and restart, do they reappear?
N/A (no)

> Next thing to do.. go to a CMD prompt (Start / Programs / Command Prompt) and do a 'netstat -a > c:\whatports.txt'.

I'll attach the c:\whatports.txt.

Lots of connections, it seems...


whatports.txt

Author Comment

by:riverman
ID: 22716839
Here is the same file but with Outlook closed! Almost no connections to the outside world!
whatports2.txt

Author Comment

by:riverman
ID: 22717261
Hi again!

I have disabled all add-ons in Outlook, and this also seems to disable the spamming...

The add-ons are:
OLSIDESHOW.DLL - Microsoft Office Outlook Calendar Gadget for Windows SideShow
UmOutlookAddin.dll - Exchange Outlook UM addin
GrooveTransceiver.dll - Groove Transceiver Module
OMSMAIN.DLL - Microsoft Outlook Mobile Service
ONBttnOL.dll - Microsoft Office OneNote Outlook Add-in
ACCOLK.DLL - Access Outlook Data Collection Addin
ColleagueImport.dll - Microsoft Office SharePoint Server component
OUTLVBA.DLL - Outlook VBA Integration Add-In
mssphtb.dll - Outlook MSSearch Connector

The conclusion should be that one or more of the above plugins is the "virus"....

Another interesting thing after disabling the add-ons is that all the connections opened by Outlook are gone!!! (see attached file)

The question now is how to narrow down the add-on and get back to the original one?

whatports3.txt
LVL 12

Accepted Solution

by:Steve (earned 250 total points)
ID: 22717346
ok.. you've got the following ports open :
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            river-wks8:0           LISTENING - Netbios OK
  TCP    0.0.0.0:445            river-wks8:0           LISTENING - Microsoft DS - Resource Sharing on win - OK
  TCP    0.0.0.0:3389           river-wks8:0           LISTENING - Microsoft Terminal Server - RDP Client
  TCP    0.0.0.0:5357           river-wks8:0           LISTENING - Web Service for devices ??

dynamic ports (below). (not registered)

  TCP    0.0.0.0:49152          river-wks8:0           LISTENING - BIT Torrent Sharing Port
  TCP    0.0.0.0:49153          river-wks8:0           LISTENING - BIT Torrent
  TCP    0.0.0.0:49154          river-wks8:0           LISTENING - BIT Torrent
  TCP    0.0.0.0:49158          river-wks8:0           LISTENING - Bit Torrent
  TCP    0.0.0.0:49159          river-wks8:0           LISTENING - Bit Torrent
  TCP    0.0.0.0:59509          river-wks8:0           LISTENING - ???
  TCP    127.0.0.1:25377        river-wks8:0           LISTENING - ???
  TCP    127.0.0.1:30606        river-wks8:0           LISTENING - ???

So.. after looking at this we get a pretty good idea.. firstly.. you have NetBIOS open on your machine.. you need to secure it.

BitTorrent sharing.. man.. this is going to cause grief, because there is no way I can tell what you have or have not run on your machine.. for example, if you've downloaded cracks or hacks or whatever you do, many of them have embedded mail servers etc. which allow people to use you as a spam bot..

You really need to lock your ports down on your router to start with.. (if you can).. block those ports that you don't need the internet to access (probably all of them, except if you HAVE to have BitTorrent sharing)..

The next thing I'd be doing would be a system restore.. check out what restore points you have on your machine, and try to restore back to before the problem was occurring.. e.g.. if you only reloaded a week ago, restore to then.. but make sure your ports are locked down on your router first..

That way you won't be susceptible to the same problem going forward..

Author Comment

by:riverman
ID: 22717632
Hi again!

I have used BitTorrent to download pbxinaflash (an open source PBX), no crack or hack stuff! I did this after my problems occurred, so BitTorrent should not be the cause. My computer is behind a firewall.

However, it's interesting that these ports are active and listening...

x: Windows Sockets initialization failed: 5
  TCP    192.168.4.114:64492    RIVER-SRV2:imap        ESTABLISHED
 [OUTLOOK.EXE]
  TCP    192.168.4.114:64794    adsl-71-139-244-137:http  TIME_WAIT
  TCP    192.168.4.114:64797    adsl-71-139-244-137:http  TIME_WAIT
  TCP    192.168.4.114:64799    adsl-71-139-244-137:http  TIME_WAIT
  TCP    192.168.4.114:64800    adsl-71-139-244-137:http  TIME_WAIT
  TCP    192.168.4.114:64812    195.54.111.82:http     TIME_WAIT
  TCP    192.168.4.114:64818    207.46.198.247:http    TIME_WAIT
  TCP    192.168.4.114:64822    207.46.198.247:http    TIME_WAIT
  TCP    192.168.4.114:64824    207.46.198.247:http    TIME_WAIT
  TCP    192.168.4.114:64826    207.46.198.247:http    TIME_WAIT
  TCP    192.168.4.114:64828    207.46.198.249:http    TIME_WAIT

It's Outlook.exe that makes connections over 64xxx ports to other sites! Port 49xxx was opened by the Windows process SSDPSRV.

Still, it seems that something in Outlook, an add-on or similar, is causing my problems...
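As an added example (not from the thread), the triage Steve does by hand on the netstat capture, written as a small Python script: it parses `netstat -a -b` output (the bracketed owner lines as in the capture above) and reports which ports listen on all interfaces and which process opens SMTP connections to which hosts. The sample capture, hostnames, addresses and processes are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of Windows `netstat -a -b` (the thread's
# `netstat -a` plus -b, which prints the owning process after each socket).
# Hosts, addresses and the two SMTP peers are made up for this example.
SAMPLE = """\
  TCP    0.0.0.0:135            river-wks8:0           LISTENING
 [svchost.exe]
  TCP    0.0.0.0:49152          river-wks8:0           LISTENING
 [svchost.exe]
  TCP    192.168.4.114:64492    RIVER-SRV2:imap        ESTABLISHED
 [OUTLOOK.EXE]
  TCP    192.168.4.114:64810    203.0.113.25:smtp      SYN_SENT
 [OUTLOOK.EXE]
  TCP    192.168.4.114:64811    198.51.100.7:smtp      ESTABLISHED
 [OUTLOOK.EXE]
"""
SOCKET_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s*(\S+)?\s*$")
OWNER_RE = re.compile(r"^\s*\[(.+?)\]\s*$")
SMTP_PORTS = {"smtp", "25", "submission", "587", "smtps", "465"}

def port_of(endpoint):
    """Port (number or service name) of 'host:port'; also '[::1]:port'."""
    return endpoint.rsplit(":", 1)[1]

def parse_netstat(text):
    """Return (proto, local, foreign, state, owner) tuples. netstat -b prints
    the [owner] after the socket lines it owns, so sockets are buffered."""
    sockets, pending = [], []
    for line in text.splitlines():
        if m := SOCKET_RE.match(line):
            proto, local, foreign, state = m.groups()
            pending.append((proto, local, foreign, state or ""))
        elif m := OWNER_RE.match(line):
            sockets.extend(s + (m.group(1),) for s in pending)
            pending = []
    sockets.extend(s + ("unknown",) for s in pending)  # owner not printed
    return sockets

def triage(sockets):
    """What listens on every interface, and which process talks SMTP to whom:
    a mail client should reach only its configured server on those ports."""
    listening = sorted({port_of(loc) for _, loc, _, st, _ in sockets
                        if st == "LISTENING" and loc.startswith("0.0.0.0:")},
                       key=lambda p: (not p.isdigit(), p.zfill(5)))
    smtp_peers = defaultdict(set)
    for _, _, foreign, state, owner in sockets:
        if state != "LISTENING" and port_of(foreign) in SMTP_PORTS:
            smtp_peers[owner].add(foreign.rsplit(":", 1)[0])
    return listening, {o: sorted(p) for o, p in smtp_peers.items()}
```

On a saved capture, `triage(parse_netstat(open("whatports.txt").read()))` returns the all-interface listening ports and a per-process map of SMTP peers; a second process besides the mail client in that map, or the mail client reaching hosts other than its own server, is what this thread was hunting for.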
LVL 12

Expert Comment

by:Steve
ID: 22717648
Yeah, I don't doubt it.. but.. just removing the add-in isn't going to fix the root of the problem, because there is nothing stopping it from coming back if you don't plug the hole..

You can always remove the plugins one at a time to see which one is the problem..

Those addresses you've entered there are all HTTP web browsing sites that you must've been browsing to at the time you did the netstat.. one was Microsoft, etc. etc..

Author Comment

by:riverman
ID: 22717748
Only one of the plugins is not signed, and it's mssphtb.dll - Outlook MSSearch Connector. Perhaps it shouldn't be signed, but at least it's a suspect.

There were two IP addresses: one was MS and the other was from AT&T and was an ADSL connection. I didn't have any browser started!

For now I have done the following:
- I have deleted the exception rules for torrent in Windows Firewall.
- Disabled the above add-on in Outlook and renamed the file (if it comes back, I know it's the virus).
- I have activated usage throttling at my mail server, so if it for some reason activates again, the damage will be less than 20 spam messages.

I will also keep my computer under control and reinstall it again soon.

Thank you for all help!

Author Closing Comment

by:riverman
ID: 31505839
Thanks again for your time and effort! You led me to netstat...

/Måns