Solved

My Outlook is sending spam

Posted on 2008-10-14
1,351 Views
Last Modified: 2013-12-06
When I start Outlook, the dialog box Sending & Receiving tells me it is sending message 6/80. Later I get a lot of "Undelivered Mail Returned to Sender". If I check the e-mail returned, it's spam!

It's likely a virus, but I have had NOD32 installed all the time. After I got this problem I also installed AVG (in Windows safe mode) to search for viruses, but nothing was found. I do not have Delivery or Read Receipt activated, and the e-mail from my computer is spam!

Any ideas how to fix this? I just reinstalled my computer 1 week ago...
0
Question by:riverman
11 Comments
 
LVL 12

Expert Comment

by:Steve
ID: 22710453
install Spybot and update to the latest definitions and do a full scan as well..

http://www.safer-networking.org/en/download/

0
 

Author Comment

by:riverman
ID: 22710695
Thank you for your reply!

Could not find anything with Spybot. But I attach the log file.

Any idea?

SpybotSD.Report.txt
0
 
LVL 12

Expert Comment

by:Steve
ID: 22716169
well it all looks pretty good..

if your NOD32 is fully up to date, as is Spybot, and you've done full scans with both not finding anything, then that's good..

Now your Outlook.. if you go to your outbox.. what's in it? anything? if there is, what are they? can you delete them? (You'll probably have to 'work offline' to remove them though)..

if you then shut down and restart, do they reappear?

next thing to do.. go to a CMD prompt (Start / Programs / Command Prompt) and do a 'netstat -a > c:\whatports.txt'. This will show us whether your machine is perhaps being controlled as a zombie by listening on non-standard ports..

0

Author Comment

by:riverman
ID: 22716789
Hi,
Thanks for your reply!

> if your NOD32 is fully up to date, as is Spybot, and you've done full scans with both not finding anything, then that's good..
Yes nothing reported by NOD or AVG.

> Now your Outlook.. if you go to your outbox.. what's in it? anything? if there is, what are they? can you delete them?
No, it's empty, but Outlook is still reporting sending message 4/50 or something...

> if you then shut down and restart, do they reappear?
N/A (no)

> next thing to do.. go to a CMD prompt (Start / Programs / Command Prompt) and do a 'netstat -a > c:\whatports.txt'

I'll attach the c:\whatports.txt

Lots of connections, it seems...


whatports.txt
0
 

Author Comment

by:riverman
ID: 22716839
Here is the same file but with Outlook closed! Almost no connections to the outside world!
whatports2.txt
0
 

Author Comment

by:riverman
ID: 22717261
Hi again!

I have disabled all add-ins in Outlook and this also seems to disable the spamming...

The add-ins are:
OLSIDESHOW.DLL - Microsoft Office Outlook Calendar Gadget for Windows SideShow
UmOutlookAddin.dll - Exchange Outlook UM addin
GrooveTransceiver.dll - Groove Transceiver Module
OMSMAIN.DLL - Microsoft Outlook Mobile Service
ONBttnOL.dll - Microsoft Office OneNote Outlook Add-in
ACCOLK.DLL - Access Outlook Data Collection Addin
ColleagueImport.dll - Microsoft Office SharePoint Server component
OUTLVBA.DLL - Outlook VBA Integration Add-In
mssphtb.dll - Outlook MSSearch Connector

The conclusion should be that one or more of the above plugins is the "virus"....

Another interesting thing after disabling the add-ins is that all the connections opened by Outlook are gone!!! (see attached file)

The question now is how to narrow down the add-in and get back to the original one?

whatports3.txt
0
 
LVL 12

Accepted Solution

by:
Steve earned 250 total points
ID: 22717346
ok.. you've got the following ports open :
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            river-wks8:0           LISTENING - Netbios OK
  TCP    0.0.0.0:445            river-wks8:0           LISTENING - Microsoft DS - Resource Sharing on win - OK
  TCP    0.0.0.0:3389           river-wks8:0           LISTENING - Microsoft Terminal Server - RDP Client
  TCP    0.0.0.0:5357           river-wks8:0           LISTENING - Web Service for devices ??

dynamic ports (below). (not registered)

  TCP    0.0.0.0:49152          river-wks8:0           LISTENING - BIT Torrent Sharing Port
  TCP    0.0.0.0:49153          river-wks8:0           LISTENING - BIT Torrent
  TCP    0.0.0.0:49154          river-wks8:0           LISTENING - BIT Torrent
  TCP    0.0.0.0:49158          river-wks8:0           LISTENING - Bit Torrent
  TCP    0.0.0.0:49159          river-wks8:0           LISTENING - Bit Torrent
  TCP    0.0.0.0:59509          river-wks8:0           LISTENING - ???
  TCP    127.0.0.1:25377        river-wks8:0           LISTENING - ???
  TCP    127.0.0.1:30606        river-wks8:0           LISTENING - ???

so.. after looking at this we get a pretty good idea.. firstly.. you have NetBIOS open on your machine.. you need to secure it.

BitTorrent sharing.. man.. this is going to cause grief, because there is no way I can tell what you have or have not run on your machine.. for example if you've downloaded cracks or hacks or whatever you do, many of them have embedded mail servers etc. which allow people to use you as a spam bot..

you really need to lock your ports down on your router to start with.. (if you can).. block those ports that you don't need the internet to access (probably all of them, except if you HAVE to have BitTorrent sharing)..

the next thing I'd be doing would be a system restore.. check out what restore points you have on your machine, and try to restore back to before the problem was occurring.. e.g.. if you only reloaded a week ago, restore to then.. but make sure your ports are locked down on your router first..

that way you won't be susceptible to the same problem going forward..
0
 

Author Comment

by:riverman
ID: 22717632
Hi again!

I have used BitTorrent to download PBX in a Flash (an open source PBX), no crack or hack stuff! I did this after my problems occurred, so BitTorrent should not be the cause. My computer is behind a firewall.

However, it's interesting that these ports are active and listening...

x: Windows Sockets initialization failed: 5
  TCP    192.168.4.114:64492    RIVER-SRV2:imap        ESTABLISHED
 [OUTLOOK.EXE]
  TCP    192.168.4.114:64794    adsl-71-139-244-137:http  TIME_WAIT
  TCP    192.168.4.114:64797    adsl-71-139-244-137:http  TIME_WAIT
  TCP    192.168.4.114:64799    adsl-71-139-244-137:http  TIME_WAIT
  TCP    192.168.4.114:64800    adsl-71-139-244-137:http  TIME_WAIT
  TCP    192.168.4.114:64812    195.54.111.82:http     TIME_WAIT
  TCP    192.168.4.114:64818    207.46.198.247:http    TIME_WAIT
  TCP    192.168.4.114:64822    207.46.198.247:http    TIME_WAIT
  TCP    192.168.4.114:64824    207.46.198.247:http    TIME_WAIT
  TCP    192.168.4.114:64826    207.46.198.247:http    TIME_WAIT
  TCP    192.168.4.114:64828    207.46.198.249:http    TIME_WAIT

It's Outlook.exe that makes connections over 64xxx ports to other sites! Port 49xxx was opened by a Windows process: SSDPSRV.

Still, it seems that something in Outlook, an add-in or similar, is causing my problems...
0
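The two netstat listings above (Steve's list of LISTENING ports and riverman's per-process connections) can be checked mechanically. This is an added example, not code from the thread: a small parser for the Windows `netstat -a -b` layout quoted here that flags listeners in the ephemeral range or bound to loopback, and lists the peers a given process (here OUTLOOK.EXE) talks to other than its expected mail server. The sample rows are constructed; host names from the thread are reused, the owning-process attributions and the `203.0.113.9:smtp` row are illustrative.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of Windows "netstat -a -b" quoted in the thread.
# Host names come from the thread; process owners and the smtp row are illustrative.
SAMPLE = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            river-wks8:0           LISTENING
 [svchost.exe]
  TCP    0.0.0.0:49152          river-wks8:0           LISTENING
 [svchost.exe]
  TCP    127.0.0.1:25377        river-wks8:0           LISTENING
 [OUTLOOK.EXE]
  TCP    192.168.4.114:64492    RIVER-SRV2:imap        ESTABLISHED
 [OUTLOOK.EXE]
  TCP    192.168.4.114:64794    adsl-71-139-244-137:http  TIME_WAIT
  TCP    192.168.4.114:64900    203.0.113.9:smtp       ESTABLISHED
 [OUTLOOK.EXE]
"""

CONN_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\S+)\s+(\S+):(\S+)\s*(\S*)\s*$")
PROC_RE = re.compile(r"^\s*\[(.+?)\]\s*$")

def parse_netstat(text):
    """One dict per socket row; a [exe] line names the owner of the row just above it.
    Rows with no following [exe] line (e.g. TIME_WAIT) keep process=None."""
    conns = []
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if m:
            proto, lhost, lport, rhost, rport, state = m.groups()
            conns.append({"proto": proto, "lhost": lhost, "lport": lport, "rhost": rhost,
                          "rport": rport, "state": state, "process": None})
            continue
        p = PROC_RE.match(line)
        if p and conns and conns[-1]["process"] is None:
            conns[-1]["process"] = p.group(1)
    return conns

def dynamic_listeners(conns):
    """LISTENING sockets in the ephemeral range (49152+) or bound only to loopback."""
    return sorted(c["lport"] for c in conns if c["state"] == "LISTENING"
                  and (c["lhost"].startswith("127.") or int(c["lport"]) >= 49152))

def unexpected_peers(conns, process, allowed_hosts):
    """Remote host -> ports for rows owned by `process` whose peer is not an allowed server."""
    allowed = {h.lower() for h in allowed_hosts}
    peers = defaultdict(set)
    for c in conns:
        if (c["process"] or "").lower() == process.lower() and c["rport"] != "0" \
                and c["rhost"].lower() not in allowed:
            peers[c["rhost"]].add(c["rport"])
    return dict(peers)
```

Run it against a real capture (`netstat -a -b -n` needs an elevated prompt) with the mail server's host name in `allowed_hosts`; any smtp peer that is not that server is worth investigating.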
 
LVL 12

Expert Comment

by:Steve
ID: 22717648
yeah I don't doubt it.. but.. just removing the add-in isn't going to fix the root of the problem, because there is nothing stopping it from coming back if you don't plug the hole..

you can always remove the plugins one at a time to see which one is the problem..

those addresses you've entered there are all http web browsing sites that you must've been browsing to at the time you did the netstat.. one was Microsoft etc. etc..
0
 

Author Comment

by:riverman
ID: 22717748
Only one of the plugins is not signed and it's: mssphtb.dll - Outlook MSSearch Connector. Perhaps it shouldn't be signed, but at least it's a suspect.

There were two IP addresses: one was MS and the other was from AT&T and was an ADSL connection. I didn't have any browser started!

For now I have done the following:
- I have deleted the exception rules for torrent in Windows Firewall.
- Disabled the above add-in in Outlook and renamed the file (if it comes back I know it's the virus).
- I have activated usage throttling on my mail server, so if for some reason it activates again, the damage will be less than 20 spam messages.

I will also keep my computer under control and reinstall it again soon.

Thank you for all help!
0
 

Author Closing Comment

by:riverman
ID: 31505839
Thanks again for your time and effort! You led me to netstat...

/Måns
0
