Swarms of envelopes in the Taskbar - is my system infected?

FatKat

I have a 3 year old P4 running on XP, with a DSL internet connection.
My machine has Systemworks 2003 installed, along with both Norton AV &
McAfee Viruscan 8 (I got VS cheap when I couldn't find a cheap version
of Norton AV). Lately, I've found that my taskbar gets inundated with
the white-envelope icon - dozens of them actually. Clicking on them
does nothing, though holding the mouse over them gets a blinking
message (barely readable) that Symantec is checking it. Has anybody
seen this? Is this a virus that's tricking my machine into
mass-mailing spam?
 
Vanguard

FatKat said:
I have a 3 year old P4 running on XP, with a DSL internet connection.
My machine has Systemworks 2003 installed, along with both Norton AV &
McAfee Viruscan 8 (I got VS cheap when I couldn't find a cheap version
of Norton AV). Lately, I've found that my taskbar gets inundated with
the white-envelope icon - dozens of them actually. Clicking on them
does nothing, though holding the mouse over them gets a blinking
message (barely readable) that Symantec is checking it. Has anybody
seen this? Is this a virus that's tricking my machine into
mass-mailing spam?


You installed Norton Systemworks which, I believe, includes Norton
Antivirus. You also installed Norton Antivirus (don't know how since it
should've detected that it was already installed as part of
Systemworks). You then installed yet another anti-virus product,
McAfee. Having multiple anti-virus products on the same host is not
necessarily a bad thing unless they clash with each other, but only ONE of
them should have their on-access scanner running. These run as
kernel-mode filter drivers that chain into the system's API for file
read/write. You only want one of them in the chain (which incurs its
own penalty regarding performance and stability). So decide if you want
to use the on-access scanner from NAV or VS, then configure the other
one to NOT load on Windows startup (but you can still use it to perform
on-demand scans). However, since they are performing a similar function
and will usually entwine themselves into the operating system using
similar methods, it is possible they will interfere with each other simply due
to their coexistence on the same host despite only one on-access scanner
being active.

If you insist on running concurrent on-access anti-virus scanners from
different software developers, see if disabling e-mail scanning in
either or both of them gets rid of the problem.
 
David W. Hodgins

message (barely readable) that Symantec is checking it. Has anybody
seen this? Is this a virus that's tricking my machine into
mass-mailing spam?

Assuming your IP 67.105.189.66 is relatively stable, then yes,
your system is sending spam.

http://www.senderbase.org/search?searchString=67.105.189.66
shows they've identified an average of about 1,000 messages per
day, coming from that computer.

Nmap shows port 25 (smtp) is open, and it is responding. As well,
1723 is open. It's used to log into your system, using an encrypted
(tunnel) connection, from elsewhere on the internet. I strongly suggest
taking this computer off the net, till you get this fixed. I don't usually
recommend this, but in this case backup your data, format, and reinstall
from scratch would be best. There's no way to know what changes, or
other back doors have been installed, that scanners will not detect.

Get a copy of http://isc.sans.org/presentations/xpsurvival.pdf
and follow the instructions there, before reconnecting the
computer to the net.

This is assuming of course, that you aren't intentionally running
the smtp and vpn servers, yourself, and sending 1,000+ msgs
per day, to senderbase customers.

Regards, Dave Hodgins
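
A local counterpart to the remote port check described in the post above, as an added example that is not part of the original thread: it parses Windows `netstat -ano` output and reports network-reachable listeners on ports 25 and 1723 plus established outbound SMTP connections, each with its owning PID. The sample output, function names and PIDs are constructed for illustration.

```python
import re

# Ports named in the thread: 25 (SMTP) and 1723 (PPTP, the tunnel login port).
WATCHED_PORTS = {25: "smtp", 1723: "pptp-vpn"}

# Constructed sample of `netstat -ano` output (not taken from the thread).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING       1840
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       924
  TCP    0.0.0.0:1723           0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:25           0.0.0.0:0              LISTENING       2044
  TCP    192.168.1.10:1067      203.0.113.7:25         ESTABLISHED     1840
  UDP    0.0.0.0:445            *:*                                    4
"""

LISTEN_ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$")
SMTP_OUT_ROW = re.compile(r"^\s*TCP\s+\S+\s+(\S+):25\s+ESTABLISHED\s+(\d+)\s*$")

def exposed_listeners(netstat_text, watched=WATCHED_PORTS):
    """Return (port, service, address, pid) for watched TCP listeners
    bound to a non-loopback address, i.e. reachable from the network."""
    findings = []
    for line in netstat_text.splitlines():
        m = LISTEN_ROW.match(line)
        if not m:
            continue
        addr, port, pid = m.group(1), int(m.group(2)), int(m.group(3))
        loopback = addr.startswith("127.") or addr == "[::1]"
        if port in watched and not loopback:
            findings.append((port, watched[port], addr, pid))
    return sorted(findings)

def outbound_smtp(netstat_text):
    """Return (remote_address, pid) for established connections to remote
    port 25; many of these from a desktop suggest a mass-mailing process."""
    rows = (SMTP_OUT_ROW.match(line) for line in netstat_text.splitlines())
    return sorted((m.group(1), int(m.group(2))) for m in rows if m)

if __name__ == "__main__":
    for port, service, addr, pid in exposed_listeners(SAMPLE_NETSTAT):
        print(f"listener {addr}:{port} ({service}) owned by PID {pid}")
    for remote, pid in outbound_smtp(SAMPLE_NETSTAT):
        print(f"outbound SMTP to {remote} from PID {pid}")
```

Run against real `netstat -ano` output saved to a file, the PIDs can be matched to process names in Task Manager or with `tasklist`.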
 
