Author Topic: Win 32: Trojan-gen {Other}  (Read 9686 times)


shortwave

  • Guest
Win 32: Trojan-gen {Other}
« on: July 06, 2008, 05:29:17 PM »
Firstly apologies for posting in the general section a few days back: http://forum.avast.com/index.php?topic=36773.0.
I should have scrolled down a bit further and done it here.
As per that post, Avast popped up when I was running Spybot to say it had found a Trojan in my Temp folder. When I moved it to the Virus Chest it found another. After this I re-ran Spybot (All O.K.) and then ran a thorough scan with Avast! (All O.K.) and Adaware 2007 (All O.K.).

I followed the instructions for sending them to VirusTotal and got back two identical reports:

MD5:     aaaf28a090437dfcda65a80bc013ef9e
First received:    06.23.2008 10:53:01 (CET)
Date:    06.25.2008 00:01:19 (CET) [>8D]
Results:    9/33
Permalink:    analisis/ae5b8e6b1ff485f1aac71c724772d0d4

I have also emailed them to Avast! using the direct function within the Virus Chest, but haven't had a reply yet.
Having looked at some other similar posts I notice much more comprehensive details from VirusTotal in some of them. Have I done something wrong, or are my "Infections" not considered serious?

The computer seems to be behaving fine, and I haven't had any further reports pop up.  Is there any more I can do at the moment?  Running a NEC M5210 XP2 Home edition with Avast! 4.8.1201, Zone Alarm free, Spybot 1.5.2, & Adaware 2007.

Regards.

Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 4872
  • I'm a GNU
    • Don't Surf in the Nude!
Re: Win 32: Trojan-gen {Other}
« Reply #1 on: July 06, 2008, 05:50:02 PM »
You need to hover over the permalink and right click, then select 'Copy link location' or similar, or simply cut and paste the result of the analysis.

Eg:

http://www.virustotal.com/analisis/caaa217c726b73495da4b4d99a0dccf5

Or:

Antivirus    Version    Last Update    Result
AhnLab-V3    2008.7.4.1    2008.07.05    -
AntiVir    7.8.0.64    2008.07.04    -
Authentium    5.1.0.4    2008.07.04    -
Avast    4.8.1195.0    2008.07.04    Win32:Trojan-gen {Other}
AVG    7.5.0.516    2008.07.05    -
BitDefender    7.2    2008.07.05    -
CAT-QuickHeal    9.50    2008.07.04    -
ClamAV    0.93.1    2008.07.04    Trojan.LdPinch-3455
DrWeb    4.44.0.09170    2008.07.05    -
eSafe    7.0.17.0    2008.07.03    Suspicious File
eTrust-Vet    31.6.5929    2008.07.05    -
Ewido    4.0    2008.07.05    -
F-Prot    4.4.4.56    2008.07.04    -
F-Secure    7.60.13501.0    2008.07.03    -
Fortinet    3.14.0.0    2008.07.05    -
GData    2.0.7306.1023    2008.07.05    Win32:Trojan-gen
Ikarus    T3.1.1.26.0    2008.07.05    -
Kaspersky    7.0.0.125    2008.07.05    -
McAfee    5332    2008.07.04    -
Microsoft    1.3704    2008.07.05    -
NOD32v2    3244    2008.07.05    -
Norman    5.80.02    2008.07.04    -
Panda    9.0.0.4    2008.07.05    Suspicious file
Prevx1    V2    2008.07.05    -
Rising    20.51.42.00    2008.07.04    -
Sophos    4.31.0    2008.07.05    -
Sunbelt    3.1.1509.1    2008.07.04    -
Symantec    10    2008.07.05    -
TheHacker    6.2.96.371    2008.07.04    -
TrendMicro    8.700.0.1004    2008.07.05    -
VBA32    3.12.6.8    2008.07.04    -
VirusBuster    4.5.11.0    2008.07.04    -
Webwasher-Gateway    6.6.2    2008.07.05    -
     Bambleweeny 57 sub-meson brain     Don't Surf in the Nude Blog

shortwave

  • Guest
Re: Win 32: Trojan-gen {Other}
« Reply #2 on: July 06, 2008, 06:47:14 PM »
Here's the first one: (7m3nhdbd.exe)

Antivirus    Version    Last Update    Result
AhnLab-V3    -    -    -
AntiVir    -    -    TR/Dldr.FraudLoad.vaah
Authentium    -    -    -
Avast    -    -    -
AVG    -    -    -
BitDefender    -    -    Trojan.FakeAlert.TE
CAT-QuickHeal    -    -    -
ClamAV    -    -    -
DrWeb    -    -    -
eSafe    -    -    -
eTrust-Vet    -    -    -
Ewido    -    -    -
F-Prot    -    -    -
F-Secure    -    -    -
Fortinet    -    -    Adware/FakeAlert
GData    -    -    Trojan-Downloader.Win32.FraudLoad.vaah
Ikarus    -    -    Trojan-Downloader.Win32.FraudLoad.vaah
Kaspersky    -    -    Trojan-Downloader.Win32.FraudLoad.xa
McAfee    -    -    -
Microsoft    -    -    -
NOD32v2    -    -    -
Norman    -    -    -
Panda    -    -    -
Prevx1    -    -    Fraudulent Security Program
Rising    -    -    -
Sophos    -    -    -
Sunbelt    -    -    -
Symantec    -    -    -
TheHacker    -    -    -
TrendMicro    -    -    Cryp_Pai-5
VBA32    -    -    -
VirusBuster    -    -    -
Webwasher-Gateway    -    -    Trojan.Dldr.FraudLoad.vaah


And the second: (pqna8zfh.exe)

Antivirus    Version    Last Update    Result
AhnLab-V3    -    -    -
AntiVir    -    -    TR/Dldr.FraudLoad.vaah
Authentium    -    -    -
Avast    -    -    -
AVG    -    -    -
BitDefender    -    -    Trojan.FakeAlert.TE
CAT-QuickHeal    -    -    -
ClamAV    -    -    -
DrWeb    -    -    -
eSafe    -    -    -
eTrust-Vet    -    -    -
Ewido    -    -    -
F-Prot    -    -    -
F-Secure    -    -    -
Fortinet    -    -    Adware/FakeAlert
GData    -    -    Trojan-Downloader.Win32.FraudLoad.vaah
Ikarus    -    -    Trojan-Downloader.Win32.FraudLoad.vaah
Kaspersky    -    -    Trojan-Downloader.Win32.FraudLoad.xa
McAfee    -    -    -
Microsoft    -    -    -
NOD32v2    -    -    -
Norman    -    -    -
Panda    -    -    -
Prevx1    -    -    Fraudulent Security Program
Rising    -    -    -
Sophos    -    -    -
Sunbelt    -    -    -
Symantec    -    -    -
TheHacker    -    -    -
TrendMicro    -    -    Cryp_Pai-5
VBA32    -    -    -
VirusBuster    -    -    -
Webwasher-Gateway    -    -    Trojan.Dldr.FraudLoad.vaah
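The two tables above are the raw text a helper has to read by eye: which engines flagged the file, and whether their names point at the same family. The following is an added example, not code from the thread, from VirusTotal or from Avast; it parses a result table in exactly the layout pasted above (the pqna8zfh.exe table is embedded as the sample input) and reduces it to the detection ratio reported in the first post ("Results: 9/33") plus the family names the detecting engines agree on. The GENERIC word list and the capitalisation rule used to separate family names from class words and variant suffixes are this example's own assumptions, not a VirusTotal convention.

```python
# Added example, not code from the thread or from VirusTotal: parse a
# VirusTotal result table as pasted above and summarise it the way a helper
# reads it, a detection ratio and the family names the detecting engines agree on.
import re
from collections import Counter

# Constructed input: the pqna8zfh.exe table from the thread, copied as posted.
VT_TABLE = """\
Antivirus    Version    Last Update    Result
AhnLab-V3    -    -    -
AntiVir    -    -    TR/Dldr.FraudLoad.vaah
Authentium    -    -    -
Avast    -    -    -
AVG    -    -    -
BitDefender    -    -    Trojan.FakeAlert.TE
CAT-QuickHeal    -    -    -
ClamAV    -    -    -
DrWeb    -    -    -
eSafe    -    -    -
eTrust-Vet    -    -    -
Ewido    -    -    -
F-Prot    -    -    -
F-Secure    -    -    -
Fortinet    -    -    Adware/FakeAlert
GData    -    -    Trojan-Downloader.Win32.FraudLoad.vaah
Ikarus    -    -    Trojan-Downloader.Win32.FraudLoad.vaah
Kaspersky    -    -    Trojan-Downloader.Win32.FraudLoad.xa
McAfee    -    -    -
Microsoft    -    -    -
NOD32v2    -    -    -
Norman    -    -    -
Panda    -    -    -
Prevx1    -    -    Fraudulent Security Program
Rising    -    -    -
Sophos    -    -    -
Sunbelt    -    -    -
Symantec    -    -    -
TheHacker    -    -    -
TrendMicro    -    -    Cryp_Pai-5
VBA32    -    -    -
VirusBuster    -    -    -
Webwasher-Gateway    -    -    Trojan.Dldr.FraudLoad.vaah
"""

# Assumed list of words that name a class of malware rather than a family; they
# appear in most detection names and would otherwise dominate the count.
GENERIC = {"trojan", "downloader", "dldr", "win32", "adware", "tr", "gen",
           "generic", "malware", "suspicious", "file", "virus", "worm"}


def parse_vt_table(text):
    """Return [(engine, result), ...]; a result of '-' means no detection."""
    rows = []
    for line in text.splitlines()[1:]:          # first line is the column header
        if not line.strip():
            continue
        # Columns are separated by runs of spaces (or tabs); single spaces
        # inside a result such as "Fraudulent Security Program" are kept.
        cols = re.split(r"\s{2,}|\t", line.strip())
        if len(cols) != 4:
            raise ValueError(f"unexpected row layout: {line!r}")
        rows.append((cols[0], cols[3]))
    return rows


def family_tokens(result):
    """Split a detection name into candidate family names.

    Variant suffixes (vaah, xa) are all lower case and class words are in
    GENERIC, so keeping capitalised tokens of three or more characters leaves
    names like FraudLoad and FakeAlert. This heuristic is an assumption of the
    example, not a VirusTotal rule.
    """
    tokens = re.findall(r"[A-Za-z0-9]+", result)
    return [t for t in tokens
            if len(t) >= 3 and t.lower() not in GENERIC and t != t.lower()]


def summarize(text):
    """Detection ratio and the most frequent family names across the table."""
    rows = parse_vt_table(text)
    hits = [(engine, result) for engine, result in rows if result != "-"]
    families = Counter()
    for _, result in hits:
        families.update(set(family_tokens(result)))   # one vote per engine
    return {
        "detected": len(hits),
        "engines": len(rows),
        "ratio": f"{len(hits)}/{len(rows)}",
        "families": families.most_common(3),
        "detections": hits,
    }


if __name__ == "__main__":
    summary = summarize(VT_TABLE)
    print("Detection ratio:", summary["ratio"])
    print("Most common family names:", summary["families"])
    for engine, result in summary["detections"]:
        print(f"  {engine:<20} {result}")
```

Run on the pasted table this gives 9/33 with FraudLoad named by five engines and FakeAlert by two, which is the agreement a responder looks for before treating a low ratio as a real detection rather than noise: several independent vendors converging on one rogue-antivirus family (the names FakeAlert, FraudLoad and "Fraudulent Security Program" all describe the scam anti-virus pop-up discussed later in the thread) carries more weight than the raw count alone.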

Offline FreewheelinFrank

Re: Win 32: Trojan-gen {Other}
« Reply #3 on: July 06, 2008, 07:05:31 PM »
I think the malware was found in your browser cache and was not run and so didn't infect your computer. You did the right thing to close the pop-up window without accepting the invitation to install the scam anti-virus on offer.

shortwave

  • Guest
Re: Win 32: Trojan-gen {Other}
« Reply #4 on: July 06, 2008, 07:08:56 PM »
Thanks, would it be O.K. to empty the chest, and since I have "Eraser" on my P.C. use this to clear the extracted files in the "Suspect" folder?

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: Win 32: Trojan-gen {Other}
« Reply #5 on: July 06, 2008, 07:27:24 PM »
Quote
Since I have "Eraser" on my P.C. use this to clear the extracted files in the "Suspect" folder?
If you 'erase' the files they will be gone. But it will be good to follow the general cleaning procedures to be sure you're clean:

1. Disable System Restore and re-enable it after step 3.
2. Clean your temporary files.
3. Schedule a boot-time scan with avast with archive scanning turned on. If avast does not detect it, you can try DrWeb CureIT! instead.
4. Use SUPERantispyware, MBAM or Spyware Terminator to scan for spyware and trojans. If any infection is detected, it is better and safer to send the file to Quarantine than to simply delete it.
5. Test your machine with anti-rootkit applications. I suggest avast! antirootkit or Trend Micro RootkitBuster.
6. Make a HijackThis log to post here or, better, submit the RunScanner log to on-line analysis.
7. Immunize your system with SpywareBlaster or Windows Advanced Care.
8. Check if you have insecure applications with Secunia Software Inspector.

Also, try RogueRemover, a utility that can remove various rogue antispyware, antivirus and hard drive cleaning utilities. Rogue applications are applications that rather than remove spyware, provide false positives, distribute malware or spyware, advertise, or provide useless uninstallers. The main point is that rogue applications are useless and eat up system resources.

Check http://www.malwarebytes.org/rogueremover.php
The best things in life are free.

Offline FreewheelinFrank

Re: Win 32: Trojan-gen {Other}
« Reply #6 on: July 06, 2008, 07:28:14 PM »

shortwave

  • Guest
Re: Win 32: Trojan-gen {Other}
« Reply #7 on: July 06, 2008, 10:27:30 PM »
Further to "Tech's" post, I disabled System Restore and ran Spybot's own "RootAlyz", ran CCleaner, then did a complete scan with Dr Web CureIT! (It took over 2 hours!) This found 2 infections:
1/ A file related to Spybot: "regLocal.reg" at C:\Documents & Settings\All Users\Application Data\Spybot - Search & Destroy\Backups.
2/ "POSTOOBE.NEC" at C:\DRIVERS - type VBS.Generic.278 which I let it "Cure" - it deleted it.

Haven't gone any further yet, should I re-enable System Restore and run Super Antispyware?
« Last Edit: July 06, 2008, 10:31:44 PM by shortwave »

Offline Lisandro

Re: Win 32: Trojan-gen {Other}
« Reply #8 on: July 06, 2008, 10:39:29 PM »
Quote
Haven't gone any further yet, should I re-enable System Restore and run Super Antispyware?
Yes, it will be good.

Offline FreewheelinFrank

Re: Win 32: Trojan-gen {Other}
« Reply #9 on: July 06, 2008, 10:48:50 PM »
You wouldn't have a Packard Bell by any chance, would you?

shortwave

  • Guest
Re: Win 32: Trojan-gen {Other}
« Reply #10 on: July 06, 2008, 10:54:53 PM »
Quote
You wouldn't have a Packard Bell by any chance, would you?

No, it's a NEC M5210 laptop.

Offline FreewheelinFrank

Re: Win 32: Trojan-gen {Other}
« Reply #11 on: July 06, 2008, 10:58:15 PM »
Hmmm... The POSTOOBE.NEC detection seems to be associated with Packard Bells and DrWeb. I suspect it may be a false positive.

The regLocal.reg is DrWeb thinking the Spybot registry backup is a malicious script: definitely a false positive.

Offline FreewheelinFrank

Re: Win 32: Trojan-gen {Other}
« Reply #12 on: July 06, 2008, 11:07:08 PM »
Ah-ha! NEC is now part of Packard Bell!

POSTOOBE.NEC is something put there by the computer manufacturer or I'm a Vogon's grandmother.


shortwave

  • Guest
Re: Win 32: Trojan-gen {Other}
« Reply #13 on: July 07, 2008, 12:00:21 AM »
Well I guessed that the Spybot entry was not serious so I'm not touching that.  As to the NEC entry it's been deleted so I'm not sure what I can do about it now.

I've installed and run SuperAntispyware and all it found was a tracking cookie, so I'm feeling a bit happier...

I think I will see how things go, I don't really want to put any more security programmes on this machine. I probably picked the malware up in places I shouldn't have been, so I will treat it as a valuable lesson!

Thanks