I think I'm sending out spam... help!

Hello everyone,

I think I have a problem and your guidance would be greatly appreciated. Bear with me while I explain:

I use MS Outlook as my mail client on an office desktop computer (Dell Dimension, Windows XP Pro 2002 SP3, Intel Core 2 Quad Q6600 @ 2.4 GHz, 2 GB RAM).

When sending emails, I see the usual notification down at the bottom right hand corner of the screen - “sending message 1 of 3” etc.

I have noticed that the number of emails leaving (the total number being sent) is always higher than the actual number of emails I am trying to send. For example, I write one email, click "send" and it goes to my outbox; I then click "send and receive" and it gets sent, but instead of reading "sending message 1 of 1", I see "sending message 1 of 24" or some other weird number. Even if I have no emails in my outbox, when sending and receiving this will always indicate that I am actually sending emails. Just now I checked and I apparently was sending 24 emails from an empty outbox.

What worries me more is that I have recently received spam emails which appear to have been sent from my own email address (apparently, I am offering people free Vicodin, free college degrees and a larger willy…!), which makes me think my PC is sending spam…

So, have I been hacked? Or am I part of a botnet? If not, what can I do to stop spam flying around which appears to be from my email address? I work in international circles and this could be very problematic.

Avast has not found anything odd, and I run MBAM regularly. I ran MBAM a short while ago and it found a file (see report attached) but I don’t think it was responsible for much because MBAM found nothing yesterday or the day before, and this issue has been going on for a while. I will run OTL now and post the results here in a separate message.

Thanks!
MP

I see you scanned with MBAM database 5742; it is now at 5767, so you should update and run a new quick scan.

Also open MBAM > Settings > "Warn if database is outdated by" > set it to 1 day (default is 7).
Malwarebytes can have up to 10 updates in a day :wink:

Thanks Pondus, good tip! Never knew that setting was there…

Here are the OTL logs and the new MBAM file. I notice MBAM found the same bug it did last time (Broken.OpenCommand), even though I removed it and rebooted.

MP

Thanks Pondus, good tip! Never knew that setting was there...
It was new in V1.50

Essexboy is notified…
he is usually in here at 8:00pm - 11:59pm UK time
http://www.timeanddate.com/worldclock/

Hi there - if you use USB drives, they are infected and need cleaning. We are probably looking at something here that is disguised, so I need to use a stronger tool.

Run OTL

* Under the Custom Scans/Fixes box at the bottom, paste in the following

:OTL
O2 - BHO: (no name) - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - No CLSID value found.
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No CLSID value found.
O33 - MountPoints2\{0d333d6a-dec6-11dc-988f-0019d1916395}\Shell\AutoRun\command - "" = E:\RECYCLER\S-1-6-21-2434476501-1644491937-600003330-1213\autoruns.exe
O33 - MountPoints2\{0d333d6a-dec6-11dc-988f-0019d1916395}\Shell\open\command - "" = E:\RECYCLER\S-1-6-21-2434476501-1644491937-600003330-1213\autoruns.exe
O33 - MountPoints2\{4a98af31-26c7-11de-999e-0019d1916395}\Shell\AutoRun\command - "" = E:\wd_windows_tools\WDSetup.exe
O33 - MountPoints2\{8b7a97c8-c8cf-11dc-9872-0019d1916395}\Shell\AutoRun\command - "" = E:\RECYCLER\S-1-6-21-2434476501-1644491937-600003330-1213\autoruns.exe
O33 - MountPoints2\{8b7a97c8-c8cf-11dc-9872-0019d1916395}\Shell\open\command - "" = E:\RECYCLER\S-1-6-21-2434476501-1644491937-600003330-1213\autoruns.exe

:Files
ipconfig /flushdns /c

:Commands
[purity]
[resethosts]
[emptytemp]
[EMPTYFLASH]
[CREATERESTOREPOINT]
[Reboot]

* Then click the Run Fix button at the top
* Let the program run unhindered, reboot the PC when it is done
* Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

THEN

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

* Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

* Double click on ComboFix.exe & follow the prompts.

* As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it is strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

* Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

http://img.photobucket.com/albums/v706/ried7/RcAuto1.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://img.photobucket.com/albums/v706/ried7/whatnext.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
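The O33 lines in the fix above are the per-volume autorun commands Windows caches under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2, one GUID per removable drive that has been plugged in. A genuine Recycle Bin container (RECYCLER on XP, $Recycle.Bin later) only ever holds per-user SID-named folders of deleted files, so an autorun or "open" command that launches an executable from inside one is the classic USB-worm layout. The following triage script is an added example and not part of the thread or of OTL; it parses O33 lines of the shape Essexboy pasted (the sample text is constructed from those entries) and reports which volumes carry a hostile-looking command. The rule names and thresholds are my own.

```python
import re
from typing import Dict, List

# Constructed sample, modelled on the O33 entries in the fix above.
SAMPLE_O33 = """\
O33 - MountPoints2\\{0d333d6a-dec6-11dc-988f-0019d1916395}\\Shell\\AutoRun\\command - "" = E:\\RECYCLER\\S-1-6-21-2434476501-1644491937-600003330-1213\\autoruns.exe
O33 - MountPoints2\\{0d333d6a-dec6-11dc-988f-0019d1916395}\\Shell\\open\\command - "" = E:\\RECYCLER\\S-1-6-21-2434476501-1644491937-600003330-1213\\autoruns.exe
O33 - MountPoints2\\{4a98af31-26c7-11de-999e-0019d1916395}\\Shell\\AutoRun\\command - "" = E:\\wd_windows_tools\\WDSetup.exe
O33 - MountPoints2\\{8b7a97c8-c8cf-11dc-9872-0019d1916395}\\Shell\\AutoRun\\command - "" = E:\\RECYCLER\\S-1-6-21-2434476501-1644491937-600003330-1213\\autoruns.exe
O33 - MountPoints2\\{8b7a97c8-c8cf-11dc-9872-0019d1916395}\\Shell\\open\\command - "" = E:\\RECYCLER\\S-1-6-21-2434476501-1644491937-600003330-1213\\autoruns.exe
"""

# One OTL O33 line: volume GUID, shell verb (AutoRun / open / ...), command.
O33_RE = re.compile(
    r'^O33 - MountPoints2\\(?P<guid>\{[0-9A-Fa-f-]+\})\\Shell\\(?P<verb>[^\\]+)\\command'
    r' - "" = (?P<command>.+)$'
)

# Recycle Bin containers: nothing legitimate is ever launched from under them.
RECYCLE_DIRS = ("recycler", "$recycle.bin")


def parse_o33(log_text: str) -> List[Dict[str, str]]:
    """Extract guid/verb/command from every O33 MountPoints2 line; ignore the rest."""
    entries = []
    for line in log_text.splitlines():
        m = O33_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def entry_reasons(entry: Dict[str, str]) -> List[str]:
    """Heuristic reasons (my own rules) why one autorun entry looks hostile."""
    reasons = []
    parts = [p.lower() for p in entry["command"].split("\\")]
    directories, target = parts[:-1], parts[-1]
    if any(d in RECYCLE_DIRS for d in directories):
        reasons.append("executable launched from a Recycle Bin folder")
    if entry["verb"].lower() == "open" and target.endswith(".exe"):
        # The 'open' verb is what Explorer runs when the drive is double-clicked,
        # so pointing it at an .exe makes merely opening the drive execute it.
        reasons.append("'open' verb points at an executable")
    return reasons


def triage(log_text: str) -> Dict[str, List[str]]:
    """Map each volume GUID with at least one suspicious command to its reasons."""
    findings: Dict[str, set] = {}
    for entry in parse_o33(log_text):
        reasons = entry_reasons(entry)
        if reasons:
            findings.setdefault(entry["guid"], set()).update(reasons)
    return {guid: sorted(reasons) for guid, reasons in findings.items()}


if __name__ == "__main__":
    for guid, reasons in triage(SAMPLE_O33).items():
        print(guid, "->", "; ".join(reasons))
```

Run against the sample, it flags the two volumes whose AutoRun and open verbs both point at RECYCLER\...\autoruns.exe and leaves the Western Digital setup entry alone; on a real OTL log the same function can be fed the whole file, since non-O33 lines are skipped.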

Hello essexboy,

Thanks for taking the time to go through this.

Here are the OTL and ComboFix logs as requested.

MP

Are you still getting notifications of spam e-mail, as that revealed nothing? If you are, I will look deeper.

Yes MS Outlook is still indicating that I’m sending emails when there is nothing in my outbox. I also received some more spam emails from myself offering free Viagra…

OK, let's look with an analysis of running drivers and BHOs.

Download AVPTool from Here to your desktop

Run the programme you have just downloaded to your desktop (it will be randomly named).

First we will run a virus scan

On the first tab, select all elements down to Computer and then select Start scan.
Once it has finished, select Report and post that.

http://i1224.photobucket.com/albums/ee362/Essexboy3/avpfront.jpg

Do not close AVPTool or it will self-uninstall; if it does uninstall, then just rerun the setup file on your desktop.

Now an analysis scan

Select the Manual Disinfection tab.
Press the Gather System Information button.
Once done, open the last report saved folder, then attach the zip file to your next post.
The file is located at C:\Users\<your name>\Desktop\Virus Removal Tool\setup_9.0.0.722_05.01.2011_20-34\LOG\avptool_sysinfo.zip

http://i1224.photobucket.com/albums/ee362/Essexboy3/avpmanual.jpg

The scan took well over three hours, and found over 400 infected files, most of which were located in a quarantine file in the Program Files\Norton Antivirus folder (which I didn't know was there, as I had uninstalled Norton 3 years ago!)
Most of the files identified seem to have been associated with spam that had Norton screened out when active.

I’ll send the .zip file to you by email.

Ta, you have my mail address?

Yep, check yer inbox! We were in contact before.

OK, that looked to be normal. No untoward elements at all there. I will need to do a bit of research on this area of Outlook to see if there are known loopholes.

Thank you sir

Could you clear all of your deleted e-mails from Outlook, as there is a possibility that it may be running from your PST file?

Sorry for the hiatus, family matters kept me offline for a while.

I have cleared out all junk mail and deleted items, run virus scans of archive.pst files, and still I appear to be sending phantom emails.

Now, perhaps when MS Outlook tells me it's sending messages that I haven't written, it might actually be a bug in the programme... but if that was the case then I'm sure some update would have rectified it in the past 5 years.

However, I have not as yet received any further spam from myself since I did the clear out, so maybe half of the problem has been solved.

I have checked Spamhaus, and my IP address is listed in the PBL - http://www.spamhaus.org/query/bl?ip=194.46.231.184 - but I’m not exactly sure what that means!
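For the PBL question raised in the last post: the Spamhaus PBL is a policy list, not a record of observed spam. It lists address ranges (typically dynamic or end-user ranges, often submitted by the ISP itself) that by policy should not deliver mail directly to other networks' mail servers on port 25 and should relay through the provider's authenticated SMTP server instead. A PBL entry therefore does not by itself show that the PC has sent spam; it only matters if something on the machine attempts direct SMTP delivery. A PBL hit is distinguishable from a botnet (XBL) hit because Spamhaus' combined "zen" zone answers a DNS query for the reversed IP with a 127.0.0.x code that identifies the component list. The script below is an added example, not from the thread or from Spamhaus; it builds the query name, decodes the documented return codes, and keeps the live lookup in a separate function so the decoding logic runs offline.

```python
import socket
from typing import Dict, List, Tuple

ZEN_ZONE = "zen.spamhaus.org"

# Return codes documented for the zen zone: (component list, meaning).
ZEN_CODES: Dict[str, Tuple[str, str]] = {
    "127.0.0.2": ("SBL", "verified spam source"),
    "127.0.0.3": ("SBL", "SBL CSS: snowshoe or compromised host"),
    "127.0.0.4": ("XBL", "exploited / botnet-infected host"),
    "127.0.0.5": ("XBL", "exploited / botnet-infected host"),
    "127.0.0.6": ("XBL", "exploited / botnet-infected host"),
    "127.0.0.7": ("XBL", "exploited / botnet-infected host"),
    "127.0.0.10": ("PBL", "ISP-maintained policy range, direct SMTP not expected"),
    "127.0.0.11": ("PBL", "Spamhaus-maintained policy range, direct SMTP not expected"),
}


def reverse_query_name(ip: str, zone: str = ZEN_ZONE) -> str:
    """Build the DNSBL query name: octets reversed, then the zone appended."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        raise ValueError("not a dotted-quad IPv4 address: %r" % ip)
    return ".".join(reversed(octets)) + "." + zone


def classify(answers: List[str]) -> Dict[str, object]:
    """Turn the A-record answers of a zen query into a verdict.

    policy_only  -> every hit is PBL (a policy listing, not evidence of spamming)
    infected_host -> at least one XBL hit (host seen behaving like a bot/proxy)
    """
    lists = sorted({ZEN_CODES.get(a, ("UNKNOWN", ""))[0] for a in answers})
    detail = [(a,) + ZEN_CODES.get(a, ("UNKNOWN", "undocumented code")) for a in answers]
    return {
        "lists": lists,
        "policy_only": lists == ["PBL"],
        "infected_host": "XBL" in lists,
        "detail": detail,
    }


def live_lookup(ip: str) -> List[str]:
    """Query zen over the resolver; an NXDOMAIN (gaierror) means 'not listed'."""
    try:
        return socket.gethostbyname_ex(reverse_query_name(ip))[2]
    except socket.gaierror:
        return []


if __name__ == "__main__":
    # 194.46.231.184 is the address from the post; the answers come from DNS.
    verdict = classify(live_lookup("194.46.231.184"))
    print(verdict)
```

The split between `classify` and `live_lookup` is deliberate: the same decoder can be run on answers captured in a ticket or a log without network access, and a listing that decodes to PBL only tells you the network's policy about direct port-25 delivery, whereas any XBL code would be the signal to keep hunting for malware on the host.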