Outlook virus problem
joydivision
11-01-2009, 04:26 PM
In Outlook, Bitdefender keeps saying "virus found in incoming email, email blocked", but the sender is one of the accounts in Outlook, i.e. Outlook is sending this.
I've done all the scans and everything comes back clean.
What else can I do? I don't want to give up on this one. Has anybody come across this before?
NickCat11
11-01-2009, 07:18 PM
I honestly don't understand your question. Please explain a little better...
joydivision
11-01-2009, 07:47 PM
OK, all the spyware scanners, including ComboFix, say the system is clean.
The system runs OK but is very slow. When I run Outlook and do a send and receive, the antivirus software keeps saying a virus has been found in the incoming messages, but the incoming messages are being sent by one of the accounts set up in Outlook. So Outlook is sending out spam.
tomdavies
11-02-2009, 12:10 AM
OK, all the spyware scanners, including ComboFix, say the system is clean.
When I run Outlook and do a send and receive, the antivirus software keeps saying a virus has been found in the incoming messages
Okay, all the antivirus scanners say the system is clean... because, maybe, it is clean. It's only the email attachments which it sees as being potentially dangerous, and since I'm guessing the antivirus is then set to not allow the attachments to be downloaded, the system should not get infected. Although it's not an ideal situation.
So outlook is sending out spam.
It doesn't necessarily have to be Outlook though; it could be anyone or any system with the username and password to send email from those accounts. If the system has been compromised in the past and account details obtained, then email could be being sent from the accounts set up in Outlook, but not necessarily from the machine in front of you. (If I explained that well enough.) I would get the password changed on the potentially compromised email accounts and see what the effect is.
joydivision
11-02-2009, 01:09 AM
Tom, I think you are right. It is now 2:00am and I have been studying this machine since 10:00pm.
I noticed from netstat that there is no activity at all from SMTP. I cannot send any emails from the machine because it's a different ISP. I think most of these emails came from when the system was infected. If the password/username was compromised it wouldn't work, because the SMTP server is restricted to that ISP.
I will get the POP password changed just in case though.
Tomorrow I will hand the system back to the client, and while I am there I will rebuild Outlook, backing up his old PST file. He has a spam system called Inboxer which also appears to be causing lots of problems too, so I shall remove that and use SpamJab instead.
I've been studying the HijackThis reports too and again it looks mostly fine. He does have a huge amount of software installed though, making it quite tricky.
Hopefully I will solve this issue :)
The complication is that he said if I needed to reinstall it, the other IT guy he usually uses would have to do it; his system doesn't have any COA stickers and he doesn't have the CD. I suspect the IT person he uses is using his own corporate licences. It passes WGA. This entire job has been a bit of a nightmare really. Now I'm going to have to re-arrange a job tomorrow because of it. It's 2:09am now and I just feel like I am burning out :(
I just need to stop this message, because it's not good when the antivirus software says a virus has been found in the incoming message and it is my own customer who is apparently sending the message! Even though I know for certain it isn't, because there is no SMTP activity at all.
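The point tomdavies and joydivision arrive at, that a From: address in an incoming message proves nothing about where the message was actually sent from, can be checked from the message headers rather than from netstat alone. The following is an added example, not code from anyone in this thread: it parses a raw message, takes the Received: chain back to its origin hop, and compares the claimed From: domain against the envelope sender (Return-Path:) and against a set of relays that are assumed to be the only legitimate outbound servers for that domain (the ISP-restricted SMTP server joydivision mentions). Both messages, the hostnames and the addresses are constructed for the demonstration.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed spam sample: the From: header is the customer's own mailbox, but the
# envelope sender and the originating hop belong to somebody else's relay.
SPOOFED_RAW = """\
Return-Path: <bounce-4711@bulk-sender.test>
Received: from relay.bulk-sender.test (relay.bulk-sender.test [192.0.2.10])
        by mx.customer-isp.test with ESMTP id 7A2B3C
        for <customer@customer-domain.test>; Mon, 2 Nov 2009 01:00:00 +0000
Received: from unknown (HELO customer-domain.test) (198.51.100.77)
        by relay.bulk-sender.test with SMTP; Mon, 2 Nov 2009 00:59:00 +0000
From: Customer <customer@customer-domain.test>
To: customer@customer-domain.test
Subject: Re: your invoice

Please see the attached file.
"""

# Constructed legitimate sample: same From:, but submitted through the ISP's relay.
LEGIT_RAW = """\
Return-Path: <customer@customer-domain.test>
Received: from smtp.customer-isp.test (smtp.customer-isp.test [203.0.113.5])
        by mx.customer-isp.test with ESMTP id 9D8E7F
        for <customer@customer-domain.test>; Mon, 2 Nov 2009 09:00:00 +0000
From: Customer <customer@customer-domain.test>
To: customer@customer-domain.test
Subject: note to self

Remember to change the POP password.
"""

# Assumed: the only server that legitimately submits mail for customer-domain.test.
EXPECTED_RELAYS = {"smtp.customer-isp.test"}

RECEIVED_RE = re.compile(r"^from\s+(?P<from>.+?)\s+by\s+(?P<by>\S+)", re.IGNORECASE)


def domain_of(addr) -> str:
    """Lower-cased domain part of an address header value ('' if none)."""
    _, address = parseaddr(str(addr))
    return address.rpartition("@")[2].lower()


def parse_received(msg) -> list:
    """Received hops as (from_clause, by_host), ordered origin first."""
    hops = []
    for hdr in msg.get_all("Received", []):
        text = " ".join(str(hdr).split())  # unfold and collapse whitespace
        m = RECEIVED_RE.match(text)
        if m:
            hops.append((m.group("from"), m.group("by").lower()))
    hops.reverse()  # each hop prepends its header, so the last one is the origin
    return hops


def analyze_headers(raw: str, expected_relays: set) -> dict:
    """Compare the claimed From: sender with the envelope and routing headers."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_domain = domain_of(msg.get("From", ""))
    return_path_domain = domain_of(msg.get("Return-Path", ""))
    hops = parse_received(msg)
    findings = []

    # 1. Envelope sender (where bounces go) should match the visible From: domain.
    if return_path_domain and return_path_domain != from_domain:
        findings.append(f"envelope sender domain {return_path_domain!r} differs from From: domain {from_domain!r}")

    # 2. At least one hop should involve a relay known to send for this domain.
    hosts_seen = {by for _, by in hops} | {frm.split()[0].lower() for frm, _ in hops}
    if not hosts_seen & {r.lower() for r in expected_relays}:
        findings.append("no Received hop passes through an expected relay for the From: domain")

    # 3. A HELO name is self-asserted; the domain appearing only there is a red flag.
    if hops:
        origin_from = hops[0][0].lower()
        if "helo" in origin_from and from_domain in origin_from:
            findings.append(f"origin hop only claims the From: domain via HELO: {hops[0][0]!r}")

    return {
        "from_domain": from_domain,
        "return_path_domain": return_path_domain,
        "origin_hop": hops[0] if hops else None,
        "findings": findings,
        "spoof_suspected": bool(findings),
    }


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED_RAW), ("legit", LEGIT_RAW)):
        result = analyze_headers(raw, EXPECTED_RELAYS)
        print(label, result["spoof_suspected"], result["findings"])
```

The Received: chain is read bottom-up because every server prepends its own header; the origin hop is therefore the last one in the file, and anything before the first trusted relay in that chain is under the sender's control and can say whatever it likes (the HELO name in the sample is the usual place a forged domain shows up). In the spoofed sample all three checks fire, while the legitimate sample, which went out through the expected relay with a matching envelope sender, produces no findings.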
mmanna
11-02-2009, 03:27 AM
I would listen to your gut feeling ... if it feels slower than it should be given the amount of RAM and background programs, you might be dealing with a rootkit. I've seen a few of these lately and have had good success with removing the hard drive, connecting it to my working PC with a USB adapter, and running scans with Dr. Web Cure It and MalwareBytes. Obviously, a rootkit can't hide itself if the system that is infected isn't actually booted up.
Marc
joydivision
11-02-2009, 09:18 AM
It was slow because of the huge amount of background services running when doing scans etc. It was using about 600MB of RAM; now it's down to 330MB, but there is a lot of legit software running in the background. It also had stuff like RealPlayer running in the background.
joydivision
11-02-2009, 09:49 AM
Thanks, I am going to slave it just to be on the safe side :) Explained to my client what was going on :o