Ideas: Patch your machines - XP SP2 is no longer supported. Get to SP3, and get all the patches after that, including today's emergency patch.

Patch your Win2k3 server, too. Current is SP2, and you're not there, so you're *WAY* behind.

Get UBCD4WIN, and boot any suspect machines with it and see what VIPRE Rescue and Malwarebytes find when run that way.

Block port 25 outbound at your firewall (and probably port 587 - submission) for all machines except your Exchange server, then record which machines are bouncing off of the firewall from the inside after that. Oh heck, block everything outbound at your firewall for your workstations except ports 80 and 443, and anything that you have an actual business case for opening up. That will tell you oodles about your environment.

Kurt

On Mon, Aug 2, 2010 at 10:46, Osborne, Richard <[email protected]> wrote:
> Has anyone seen malware that creates an Outlook rule that moves all new
> mail to Deleted Items and then sends out a bunch of spam? I have a few
> users that have been hit with something I can't find. I scanned the PCs
> with VIPRE, MalwareBytes, & Symantec's online scanner and didn't find
> anything. Then I turned off the PCs and something is still accessing
> their mailboxes. I scanned the Exchange server also. I am not seeing
> anything in Exchange User Monitor or Windows Security logs and our
> network guys say they don't see any unusual traffic to our Exchange
> server.
>
> Google finds a couple of people reporting the same thing but no
> resolution.
>
> Windows XP SP2 clients with Outlook 2002 & 2003; Exchange Server 2003
> SP2 on Server 2003 SP1.
>
> Thanks for any ideas.
>
> Richard Osborne
> Information Systems
> Jackson-Madison County General Hospital
>
> NOTICE: (1) The foregoing is not intended to be a legally binding or
> legally effective electronic signature. (2) This message may contain
> legally privileged or confidential information. If you are not the
> intended recipient of this message, please so notify me, disregard the
> foregoing message, and delete the message immediately. I apologize for
> any inconvenience this may have caused.
>
> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
> ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
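Kurt's suggestion to block outbound 25/587 for everything but the Exchange server and then record which machines bounce off the firewall, as an added example that is not part of the thread: a script that tallies dropped outbound SMTP and submission connections per internal host from netfilter-style firewall syslog lines. The log format, the sample addresses and the Exchange server address are constructed assumptions, not anything from the hospital's network.

```python
import re
from collections import defaultdict

# Constructed sample of firewall syslog lines in netfilter (iptables LOG) style.
# The real firewall is not named in the thread, so this format is an assumption.
SAMPLE_LOG = """\
Aug  2 11:02:13 fw kernel: DROP IN=eth1 OUT=eth0 SRC=10.1.2.34 DST=203.0.113.5 PROTO=TCP SPT=3421 DPT=25
Aug  2 11:02:14 fw kernel: DROP IN=eth1 OUT=eth0 SRC=10.1.2.34 DST=198.51.100.7 PROTO=TCP SPT=3422 DPT=25
Aug  2 11:02:15 fw kernel: DROP IN=eth1 OUT=eth0 SRC=10.1.2.34 DST=192.0.2.99 PROTO=TCP SPT=3423 DPT=587
Aug  2 11:02:16 fw kernel: DROP IN=eth1 OUT=eth0 SRC=10.1.2.34 DST=203.0.113.18 PROTO=TCP SPT=3424 DPT=25
Aug  2 11:03:01 fw kernel: DROP IN=eth1 OUT=eth0 SRC=10.1.2.50 DST=203.0.113.5 PROTO=TCP SPT=1044 DPT=25
Aug  2 11:03:40 fw kernel: DROP IN=eth1 OUT=eth0 SRC=10.1.2.77 DST=192.0.2.10 PROTO=TCP SPT=2000 DPT=443
Aug  2 11:04:02 fw kernel: ACCEPT IN=eth1 OUT=eth0 SRC=10.1.2.10 DST=203.0.113.5 PROTO=TCP SPT=5000 DPT=25
"""

EXCHANGE_SERVER = "10.1.2.10"   # assumed address of the one host allowed to send mail
MAIL_PORTS = {25, 587}          # SMTP and submission, as Kurt suggests blocking

LINE_RE = re.compile(r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=TCP SPT=\d+ DPT=(?P<dpt>\d+)")

def smtp_drops_by_host(log_text, exchange=EXCHANGE_SERVER):
    """Return {src_ip: {"attempts": n, "destinations": set(...)}} for internal
    hosts whose outbound mail connections were dropped at the firewall."""
    result = defaultdict(lambda: {"attempts": 0, "destinations": set()})
    for line in log_text.splitlines():
        if " DROP " not in line:
            continue                      # only blocked connections are of interest
        m = LINE_RE.search(line)
        if not m or int(m["dpt"]) not in MAIL_PORTS:
            continue
        if m["src"] == exchange:
            continue                      # Exchange is expected to talk SMTP; skip it
        entry = result[m["src"]]
        entry["attempts"] += 1
        entry["destinations"].add(m["dst"])
    return dict(result)

def suspects(log_text, min_attempts=3, exchange=EXCHANGE_SERVER):
    """Hosts repeatedly reaching for outside mail servers are the ones to boot
    with the rescue disk first; a single bounce is more likely a misconfiguration."""
    return sorted(src for src, e in smtp_drops_by_host(log_text, exchange).items()
                  if e["attempts"] >= min_attempts)

if __name__ == "__main__":
    for src, e in smtp_drops_by_host(SAMPLE_LOG).items():
        print(f"{src}: {e['attempts']} blocked mail connections to {len(e['destinations'])} hosts")
    print("suspects:", suspects(SAMPLE_LOG))
```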
