
Virus question.

TetraNitroCubane Not Angry... Just VERY Disappointed... Registered User regular
edited October 2008 in Help / Advice Forum
Hi everyone. Sorry if this is a stupid or trivial question, but I'm a little concerned about something that recently occurred, and I'd like some opinions.

I check my email from two locations: At home on a Desktop running WinXP SP3, protected by the latest update of NOD32 v2.7 - And on a Laptop at work running OSX 10.5.5 protected by Symantec (Don't ask. It's work-required and I hate it).

Anyhow, tonight something weird happened. My home computer is ever-vigilant, and hasn't found any virus to speak of as it regularly scans once a week and has all the typical monitoring processes in place. My laptop also scans once a week - But this time the laptop found a 'downloader' virus that upon closer inspection was contained in the Opera mail files. Because I use IMAP for my mail, this means that the virus was in both locations (the infected file was dated several days ago, long enough to be there for both scheduled scans).

I deleted the file from the IMAP server, but I'm concerned that Symantec might've caught something that NOD32 let slip through. I never opened any attachments or ran any suspicious programs, and I haven't been noticing anything weird with my XP desktop, but the fact that there was a virus in the email files is enough to make me concerned. All scans come back clean, but now I'm wondering if that's not because NOD got compromised.

I guess I'm uncertain if having a virus in an email on the HDD is enough to compromise a system. Is there any way a virus in an email attachment can wreak any havoc without having been executed or opened from an archive? Opera's website says no, but if that were the case I'd expect the scanner to have at least found the infected file. I'm not sure if my computer is compromised at this point, so I've attached a HijackThis log in the spoiler below (Links in the log have been changed to hxxp). Any advice would be much appreciated. Thanks.
Logfile of HijackThis v1.99.1
Scan saved at 7:30:54 AM, on 10/13/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\CTHELPER.EXE
C:\WINDOWS\system32\CTXFIHLP.EXE
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxp://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O4 - Global Startup: Logitech SetPoint.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1185681252156
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

TetraNitroCubane on
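Logs like the one above are normally read by eye, but the same checks can be made repeatable. The following is an added example, not code from the thread or from HijackThis: it splits the O-section entries, works out which file each entry loads, and lists the items a responder would then verify by hand, assuming the v1.99 line format shown above. The sample lines are constructed from that log, and the final "updater" entry is made up to show what a suspicious autorun looks like.

```python
import re
# Constructed sample in HijackThis v1.99 format, modelled on the log above; the
# last O4 line is made up to show the kind of entry a responder would chase.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O4 - HKCU\..\Run: [updater] C:\Documents and Settings\user\Local Settings\Temp\upd.exe
"""
ENTRY_RE = re.compile(r"^(?P<code>[RFO]\d+) - (?P<body>.+)$")
RUN_RE = re.compile(r"^HK\w+\\\.\.\\Run(?:Once)?: \[[^\]]*\] (?P<cmd>.+)$")
# Leading token of an unquoted command, up to and including the image's extension.
EXE_RE = re.compile(r"^(.*?\.(?:exe|dll|cpl|scr|com|bat))(?:\s|$)", re.IGNORECASE)
# Directories under an XP user profile that any process of that user can write to.
USER_WRITABLE = ("\\local settings\\", "\\temp\\", "\\application data\\")

def parse_entries(text):
    """Yield (code, body) for each 'Oxx - ...' line; header and process lines are skipped."""
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group("code"), m.group("body")

def launched_image(code, body):
    """Path of the file an entry loads: the O4 command's first token, else the last ' - ' field."""
    if code != "O4":
        return body.rsplit(" - ", 1)[-1]
    m = RUN_RE.match(body)
    cmd = m.group("cmd") if m else ""
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    e = EXE_RE.match(cmd)
    return e.group(1) if e else cmd.split(" ")[0]

def triage(text):
    """Return (code, reason, body) items to verify by hand; a hit is a question, not a verdict."""
    findings = []
    for code, body in parse_entries(text):
        if "(file missing)" in body:
            findings.append((code, "orphaned entry: target no longer on disk", body))
            continue
        image = launched_image(code, body)
        if code == "O4" and image and "\\" not in image:
            findings.append((code, "autorun by bare filename, resolved via search path", body))
        if any(d in image.lower() for d in USER_WRITABLE):
            findings.append((code, "loads from a user-writable directory", body))
    return findings
```

Run against the sample it reports the two orphaned entries, the CTHELPER.EXE autorun that is given only as a bare filename, and the constructed Temp-directory autorun; the quoted NOD32 entries and the NOD32 service produce nothing.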

Posts

  • bowen Sup? Registered User regular
    edited October 2008
    No, you're okay bud. Unless you have the preview pane open, which I'm suspecting you do, however the chances are very unlikely unless you ran the infected file.

    bowen on
    not a doctor, not a lawyer, examples I use may not be fully researched so don't take out of context plz, don't @ me
  • TetraNitroCubane Not Angry... Just VERY Disappointed... Registered User regular
    edited October 2008
    bowen wrote: »
    No, you're okay bud. Unless you have the preview pane open, which I'm suspecting you do, however the chances are very unlikely unless you ran the infected file.

    I'm not sure if I ever opened that specific message on my desktop in the preview pane, but I'll just be reassured by your input, since I never actually executed anything. I guess those things can 'sleep' and not infect anything if you don't run them, then delete them. Thanks!

    TetraNitroCubane on
  • bowen Sup? Registered User regular
    edited October 2008
    Do you use Outlook (or Express) by any chance? There's still a possibility that opening the email via the preview pane will cause this but it so rarely happens. Nothing looks out of the ordinary and you're not feeling any effects, so I'd just rule it out.

    bowen on
    not a doctor, not a lawyer, examples I use may not be fully researched so don't take out of context plz, don't @ me
  • JaysonFour Classy Monster Kitteh Registered User regular
    edited October 2008
    Oh, and turn off your preview pane. May as well keep this from happening again.

    JaysonFour on
    I can has cheezburger, yes?
  • TetraNitroCubane Not Angry... Just VERY Disappointed... Registered User regular
    edited October 2008
    No, actually. I avoid Outlook like the plague, for this reason exactly. My family is less than computer savvy, so I always anticipated one day their computers would try to infect my own via email.

    I'm using Opera's mail client instead, which they claim is safe because it disables all scripting. But if it's actually a risk, I'll gladly disable the preview pane! I just don't know quite how to do that in Opera. I'll hunt around.

    Thanks for the advice!

    TetraNitroCubane on
  • Ruckus Registered User regular
    edited October 2008
    I suspect NAV found it because Symantec probably has an integration plugin for your OSX mail client, whereas NOD32 probably doesn't have integrated scanning for Opera.

    Ruckus on