Is this a threat?

TrishaM
Posts: 654 Forumite

in Techie Stuff
My Avira antivirus picked this up today: TR/Horse/OQN. Malwarebytes scan and got this
Would appreciate it if someone with more knowledge than me could look at it for me.
https://www.malwarebytes.org
Database version: 4384
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13
03/08/2010 13:23:23
mbam-log-2010-08-03 (13-23-23).txt
Scan type: Quick scan
Objects scanned: 167797
Time elapsed: 17 minute(s), 11 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
Then I ran an antivirus scan and got this
Avira AntiVir Personal
Report file date: Tuesday, August 03, 2010 17:57
Scanning for 2671665 virus strains and unwanted programs.
Licensee : Avira AntiVir Personal - FREE Antivirus
Serial number : 0000149996-ADJIE-0000001
Platform : Windows XP
Windows version : (Service Pack 3) [5.1.2600]
Boot mode : Normally booted
Username : SYSTEM
Computer name : TRISH-Z84EKH85V
Version information:
BUILD.DAT : 9.0.0.422 21701 Bytes 09/03/2010 10:29:00
AVSCAN.EXE : 9.0.3.10 466689 Bytes 20/11/2009 11:50:26
AVSCAN.DLL : 9.0.3.0 40705 Bytes 27/02/2009 10:58:24
LUKE.DLL : 9.0.3.2 209665 Bytes 20/02/2009 11:35:49
LUKERES.DLL : 9.0.2.0 12033 Bytes 27/02/2009 10:58:52
VBASE000.VDF : 7.10.0.0 19875328 Bytes 06/11/2009 11:50:25
VBASE001.VDF : 7.10.1.0 1372672 Bytes 19/11/2009 11:50:25
VBASE002.VDF : 7.10.3.1 3143680 Bytes 20/01/2010 18:07:29
VBASE003.VDF : 7.10.3.75 996864 Bytes 26/01/2010 21:20:07
VBASE004.VDF : 7.10.4.203 1579008 Bytes 05/03/2010 09:02:21
VBASE005.VDF : 7.10.6.82 2494464 Bytes 15/04/2010 16:39:08
VBASE006.VDF : 7.10.7.218 2294784 Bytes 02/06/2010 20:18:49
VBASE007.VDF : 7.10.9.165 4840960 Bytes 23/07/2010 10:03:47
VBASE008.VDF : 7.10.9.166 2048 Bytes 23/07/2010 10:03:48
VBASE009.VDF : 7.10.9.167 2048 Bytes 23/07/2010 10:03:48
VBASE010.VDF : 7.10.9.168 2048 Bytes 23/07/2010 10:03:48
VBASE011.VDF : 7.10.9.169 2048 Bytes 23/07/2010 10:03:48
VBASE012.VDF : 7.10.9.170 2048 Bytes 23/07/2010 10:03:48
VBASE013.VDF : 7.10.9.198 157696 Bytes 26/07/2010 10:03:49
VBASE014.VDF : 7.10.9.255 997888 Bytes 29/07/2010 10:03:52
VBASE015.VDF : 7.10.10.28 139264 Bytes 02/08/2010 19:16:53
VBASE016.VDF : 7.10.10.29 2048 Bytes 02/08/2010 19:16:53
VBASE017.VDF : 7.10.10.30 2048 Bytes 02/08/2010 19:16:53
VBASE018.VDF : 7.10.10.31 2048 Bytes 02/08/2010 19:16:53
VBASE019.VDF : 7.10.10.32 2048 Bytes 02/08/2010 19:16:54
VBASE020.VDF : 7.10.10.33 2048 Bytes 02/08/2010 19:16:54
VBASE021.VDF : 7.10.10.34 2048 Bytes 02/08/2010 19:16:54
VBASE022.VDF : 7.10.10.35 2048 Bytes 02/08/2010 19:16:54
VBASE023.VDF : 7.10.10.36 2048 Bytes 02/08/2010 19:16:54
VBASE024.VDF : 7.10.10.37 2048 Bytes 02/08/2010 19:16:54
VBASE025.VDF : 7.10.10.38 2048 Bytes 02/08/2010 19:16:54
VBASE026.VDF : 7.10.10.39 2048 Bytes 02/08/2010 19:16:54
VBASE027.VDF : 7.10.10.40 2048 Bytes 02/08/2010 19:16:54
VBASE028.VDF : 7.10.10.41 2048 Bytes 02/08/2010 19:16:54
VBASE029.VDF : 7.10.10.42 2048 Bytes 02/08/2010 19:16:55
VBASE030.VDF : 7.10.10.43 2048 Bytes 02/08/2010 19:16:55
VBASE031.VDF : 7.10.10.49 111104 Bytes 03/08/2010 11:38:11
Engineversion : 8.2.4.32
AEVDF.DLL : 8.1.2.1 106868 Bytes 03/08/2010 11:38:22
AESCRIPT.DLL : 8.1.3.42 1364347 Bytes 03/08/2010 11:38:21
AESCN.DLL : 8.1.6.1 127347 Bytes 12/05/2010 17:15:22
AESBX.DLL : 8.1.3.1 254324 Bytes 24/04/2010 12:09:40
AERDL.DLL : 8.1.8.2 614772 Bytes 03/08/2010 11:38:20
AEPACK.DLL : 8.2.3.3 471414 Bytes 03/08/2010 11:38:19
AEOFFICE.DLL : 8.1.1.8 201081 Bytes 03/08/2010 11:38:18
AEHEUR.DLL : 8.1.2.10 2830711 Bytes 03/08/2010 11:38:17
AEHELP.DLL : 8.1.13.2 242039 Bytes 03/08/2010 11:38:13
AEGEN.DLL : 8.1.3.18 393589 Bytes 03/08/2010 11:38:13
AEEMU.DLL : 8.1.2.0 393588 Bytes 24/04/2010 12:09:35
AECORE.DLL : 8.1.16.2 192887 Bytes 03/08/2010 11:38:12
AEBB.DLL : 8.1.1.0 53618 Bytes 24/04/2010 12:09:33
AVWINLL.DLL : 9.0.0.3 18177 Bytes 12/12/2008 08:47:59
AVPREF.DLL : 9.0.3.0 44289 Bytes 09/09/2009 14:34:03
AVREP.DLL : 8.0.0.7 159784 Bytes 19/02/2010 22:47:00
AVREG.DLL : 9.0.0.0 36609 Bytes 05/12/2008 10:32:09
AVARKT.DLL : 9.0.0.3 292609 Bytes 27/04/2009 16:52:08
AVEVTLOG.DLL : 9.0.0.7 167169 Bytes 30/01/2009 10:37:08
SQLITE3.DLL : 3.6.1.0 326401 Bytes 28/01/2009 15:03:49
SMTPLIB.DLL : 9.2.0.25 28417 Bytes 02/02/2009 08:21:33
NETNT.DLL : 9.0.0.0 11521 Bytes 05/12/2008 10:32:10
RCIMAGE.DLL : 9.0.0.25 2438913 Bytes 09/06/2009 18:38:37
RCTEXT.DLL : 9.0.73.0 86785 Bytes 20/11/2009 11:50:23
Configuration settings for the scan:
Jobname.............................: Complete system scan
Configuration file..................: c:\program files\avira\antivir desktop\sysscan.avp
Logging.............................: low
Primary action......................: interactive
Secondary action....................: ignore
Scan master boot sector.............: on
Scan boot sector....................: on
Boot sectors........................: C:,
,
Process scan........................: on
Scan registry.......................: on
Search for rootkits.................: on
Integrity checking of system files..: off
Scan all files......................: All files
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: medium
Start of the scan: Tuesday, August 03, 2010 17:57
Starting search for hidden objects.
'92435' objects were checked, '0' hidden objects were found.
The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'FWService.exe' - '1' Module(s) have been scanned
Scan process 'uMgiSvr.exe' - '1' Module(s) have been scanned
Scan process 'MDM.EXE' - '1' Module(s) have been scanned
Scan process 'jqs.exe' - '1' Module(s) have been scanned
Scan process 'SAgent2.exe' - '1' Module(s) have been scanned
Scan process 'mDNSResponder.exe' - '1' Module(s) have been scanned
Scan process 'AppleMobileDeviceService.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'ACService.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
Scan process 'FirewallGUI.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'aawservice.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
32 processes with 32 modules were scanned
Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!
Master boot sector HD1
[INFO] No virus was found!
Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!
Boot sector 'D:\'
[INFO] No virus was found!
Starting to scan executable files (registry).
The registry was scanned ( '54' files ).
Starting the file scan:
Begin scan in 'C:\'
C:\hiberfil.sys
[WARNING] The file could not be opened!
[NOTE] This file is a Windows system file.
[NOTE] This file cannot be opened for scanning.
C:\pagefile.sys
[WARNING] The file could not be opened!
[NOTE] This file is a Windows system file.
[NOTE] This file cannot be opened for scanning.
C:\System Volume Information\_restore{2BB4270F-E6C7-4208-92AE-9B500568B530}\RP297\A0071741.exe
[DETECTION] Is the TR/Horse.OQN Trojan
C:\System Volume Information\_restore{2BB4270F-E6C7-4208-92AE-9B500568B530}\RP298\A0071942.exe
[DETECTION] Is the TR/Horse.OQN Trojan
Begin scan in 'D:\'
\pagefile.sys
[WARNING] The file could not be opened!
[NOTE] This file is a Windows system file.
[NOTE] This file cannot be opened for scanning.
Beginning disinfection:
C:\System Volume Information\_restore{2BB4270F-E6C7-4208-92AE-9B500568B530}\RP297\A0071741.exe
[DETECTION] Is the TR/Horse.OQN Trojan
[NOTE] The file was moved to '4c88576b.qua'!
C:\System Volume Information\_restore{2BB4270F-E6C7-4208-92AE-9B500568B530}\RP298\A0071942.exe
[DETECTION] Is the TR/Horse.OQN Trojan
[NOTE] The file was moved to '4df67594.qua'!
End of the scan: Tuesday, August 03, 2010 18:51
Used time: 54:22 Minute(s)
The scan has been done completely.
10674 Scanned directories
420659 Files were scanned
2 Viruses and/or unwanted programs were found
0 Files were classified as suspicious
0 files were deleted
0 Viruses and unwanted programs were repaired
2 Files were moved to quarantine
0 Files were renamed
3 Files cannot be scanned
420654 Files not concerned
2946 Archives were scanned
3 Warnings
5 Notes
92435 Objects were scanned with rootkit scan
0 Hidden objects were found
Should I do anything else, or is it a false positive?
Comments
-
It says there are 2 malicious infections found (a trojan horse), and by looking at the file names I am guessing it is part of the Windows system restore utility. It also says both files have been moved to quarantine, therefore you should be fine now and don't need to take any further remedial action. However, for added peace of mind you could consider doing some additional scans - you don't have to install new anti virus programs, you can try these 2 online scanners:
http://housecall.trendmicro.com/uk/
http://www.eset.com/online-scanner
Shin: a device for finding furniture in the dark.
-
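The first reply reads two things off the Avira report: where each detection was found and whether it was moved to quarantine. As an added example (not part of the thread and not Avira's own tooling), this Python sketch runs the same check over an excerpt of the report posted above and also compares the result with the report's summary counts; the function names are made up for illustration, and only the line formats visible in this report are assumed.

```python
import re

# Excerpt of the Avira report posted in the thread, trimmed to the relevant lines.
SAMPLE = r"""
Begin scan in 'C:\'
C:\pagefile.sys
[WARNING] The file could not be opened!
C:\System Volume Information\_restore{2BB4270F-E6C7-4208-92AE-9B500568B530}\RP297\A0071741.exe
[DETECTION] Is the TR/Horse.OQN Trojan
C:\System Volume Information\_restore{2BB4270F-E6C7-4208-92AE-9B500568B530}\RP298\A0071942.exe
[DETECTION] Is the TR/Horse.OQN Trojan
Beginning disinfection:
C:\System Volume Information\_restore{2BB4270F-E6C7-4208-92AE-9B500568B530}\RP297\A0071741.exe
[DETECTION] Is the TR/Horse.OQN Trojan
[NOTE] The file was moved to '4c88576b.qua'!
C:\System Volume Information\_restore{2BB4270F-E6C7-4208-92AE-9B500568B530}\RP298\A0071942.exe
[DETECTION] Is the TR/Horse.OQN Trojan
[NOTE] The file was moved to '4df67594.qua'!
2 Viruses and/or unwanted programs were found
2 Files were moved to quarantine
"""

PATH = re.compile(r"^[A-Za-z]:\\\S")                        # a scanned file path
DETECTION = re.compile(r"\[DETECTION\]\s+Is the (\S+)")      # detection name
MOVED = re.compile(r"\[NOTE\]\s+The file was moved to '([^']+)'")
# Windows XP System Restore keeps its archived copies under this folder layout.
RESTORE_POINT = re.compile(
    r"\\System Volume Information\\_restore\{[0-9A-Fa-f-]+\}\\RP\d+\\", re.I)
FOUND_COUNT = re.compile(r"^\s*(\d+) Viruses and/or unwanted programs were found", re.M)
MOVED_COUNT = re.compile(r"^\s*(\d+) Files were moved to quarantine", re.M)


def parse_report(text):
    """Return one record per detected file, in the order first reported."""
    findings, current, disinfecting = {}, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Beginning disinfection"):
            disinfecting, current = True, None
        elif PATH.match(line):
            current = line
        elif current:
            det, moved = DETECTION.search(line), MOVED.search(line)
            if det:
                findings.setdefault(current, {
                    "path": current, "name": det.group(1), "quarantine": None,
                    "restore_point": bool(RESTORE_POINT.search(current))})
            if moved and disinfecting and current in findings:
                findings[current]["quarantine"] = moved.group(1)
    return list(findings.values())


def check_report(text):
    """Return (findings, problems); an empty problems list means nothing is pending."""
    findings = parse_report(text)
    problems = [f"{f['path']}: {f['name']} detected but not quarantined"
                for f in findings if f["quarantine"] is None]
    found, moved = FOUND_COUNT.search(text), MOVED_COUNT.search(text)
    if found and int(found.group(1)) != len(findings):
        problems.append("summary detection count differs from parsed detections")
    quarantined = sum(1 for f in findings if f["quarantine"])
    if moved and int(moved.group(1)) != quarantined:
        problems.append("summary quarantine count differs from parsed quarantine notes")
    return findings, problems


if __name__ == "__main__":
    findings, problems = check_report(SAMPLE)
    for f in findings:
        where = "System Restore copy" if f["restore_point"] else "live file"
        print(f["name"], where, "->", f["quarantine"] or "NOT QUARANTINED")
    print("problems:", problems or "none")
```

A detection under a restore point is an archived copy rather than a running program, but it still means the file existed on the live system when that restore point was taken.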
Very strange, Trendmicro no threats found. But while this was scanning, Avira picked up TR/Crypt.XPACK.gen, and Avira had just finished doing a scan. I sent it to quarantine.
-
Nothing showed up in the ESET scan. Should I do a Hijack scan?
-
You've only done a quick scan with Malwarebytes.
I'd do a full scan and post that log for someone to look at.
Flagellation, necrophilia and bestiality - Am I flogging a dead horse?
Any posts are my opinion and only that. Please read at your own risk.
-
Posted a full scan and seems nothing to report.
Malwarebytes' Anti-Malware 1.46
https://www.malwarebytes.org
Database version: 4384
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13
03/08/2010 23:36:56
mbam-log-2010-08-03 (23-36-56).txt
Scan type: Full scan (C:\|D:\|)
Objects scanned: 232118
Time elapsed: 1 hour(s), 2 minute(s), 59 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
This discussion has been closed.