Win32:Trojano-305

Discussion in 'Malware Help (A Specialist Will Reply)' started by weavalo, Mar 16, 2005.

  1. weavalo

    weavalo Private E-2

    I picked up a Trojan that Avast! identifies as Win32:Trojano-305. The Avast! warning window popped up and told me I was infected and gave me several fix options; I chose to move it to the Virus Chest (Avast's recommendation). I then ran Avast! in its 'thorough scan' mode (including archive files); the program found nothing. I decided to run AdAware SE before I rebooted; the check was interrupted by the same Avast! warning I'd gotten earlier (and I followed the same procedure as before). I finished the AdAware scan and then followed the procedures listed here.

    The Trend Micro and McAfee Stinger scans showed no infection. The Symantec Security Check showed one item, but it was a bit of adware in the Bear Share program. None of the alternative scans came up with anything. I ran Avast! and AdAware (all these are up-to-date) again this morning with no problems found. I haven't gotten the warning pop-up again, either. I still have System Restore turned off; I didn't see any point in turning it back on until I was sure my system is clean. Oh - Symantec didn't show this Trojan in their database, and I couldn't find anything at Alwil or on a Google search.

    So what's next? Your help will be greatly appreciated.
     
  2. TheOldThug

    TheOldThug First Sergeant

    Welcome :eek:

    We ask that you first try to do ALL the TUTORIAL listed below. We then ask you for a HJT log. It must not be inline but rather as a .log or .txt attachment. HJT must be placed in its own folder and not run from a zipped file. Be sure to close all unnecessary programs; it makes it much easier to read the HJT log.

    This site has a lot of good tools for cleaning up your computer. It's very important that the first thing you do is the following:

    First, please follow ALL the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal.
    If you already have any of the programs linked in the tutorial please double check your version to make sure you have the latest one and that you have any/all updates for the programs.

    NOTE: In order to resolve the issues you are having it is very important that you at least try to perform all the steps as outlined. If you have any difficulty please post back letting us know what steps you have completed, what you found while doing the scans if anything and details about any problems you have encountered in completing the steps. The more details you can provide the better.

    Try this... you may find it's all you need. If not post your results and I am sure someone will help you. Everyone is quite busy, as you can see by the number of posts, so hang in there.
    Good Luck!! :)

    After doing ALL of the above if you still have a problem:

    Make sure you have HijackThis 1.99.1 and follow the guidelines on where to install it and how to post a log as an attachment. This is all covered in the sticky thread NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting

    Now post a HijackThis log as an attachment to your message (Do not post the log inline). All running programs should be closed, INCLUDING YOUR WEB BROWSER, e-mail. Close before running Hijack This!

    To repeat: Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file. Place it in its own folder for example C:\Program Files\HJT
     
  3. weavalo

    weavalo Private E-2

    OK... here's my HJT logfile. Nothing jumped out at me, but maybe you'll see something I didn't.
     


  4. TheOldThug

    TheOldThug First Sergeant

    There is not much that looks terribly menacing to me either. I see a few things to fix. As of our last post it sounds like you are not having the original problem anymore. Is that correct? Also I am not going to fix a few things because I believe you installed them on purpose.
    Are these OK?
    Did you install this AOL toolbar on purpose?
    O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML

    Did you install this New Boundary\PrismXL software?
    C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

    Now for a few things to fix.

    Please print out these instructions so that you can operate with ALL Browser Windows CLOSED.
    Please make sure System Restore is OFF and the Viewing of Hidden Files is Enabled as per the tutorial.

    Now scan with HijackThis and Check the Boxes for the following:

    Do you recognize this next line? If not, fix it.
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

    Again, make sure All Browser Windows are Closed when you Click FIX.

    Now we need to Reset Web Settings:
    1) If you have an Internet Explorer icon on your Desktop, go to step 2. If not, skip to step 3.
    2) Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to what you want or something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3) If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to what you want or something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    Scan with HijackThis and attach that log.
    Let me know how your computer is running now and if you had trouble with the above instructions.

    Good luck :)
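The items TheOldThug singles out above fall into two patterns that can be checked mechanically: O2 BHO entries whose CLSID is registered but whose DLL no longer exists ("(no file)", an orphaned registry reference), and R0/R1 Internet Explorer settings that are either empty or point at a URL the user does not recognize. The following Python script is an added example, not code from the thread or from HijackThis; it parses HijackThis-style log lines and produces a triage list in the spirit of the reply above. The sample log is constructed from the lines quoted in the thread plus one benign BHO entry with a placeholder CLSID and path; the `trusted_hosts` allowlist and the function names are assumptions of this example.

```python
"""Triage HijackThis-style log lines for orphaned BHOs and suspect IE settings (added example)."""
import re
from urllib.parse import urlparse

# Constructed sample: the entries quoted in the thread, plus one benign BHO
# with a placeholder CLSID and path so the script has a "clean" line to skip.
SAMPLE_LOG = r"""R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000000} - C:\Program Files\Example\helper.dll
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
"""

# O2 lines: "O2 - BHO: <name> - {CLSID} - <file or (no file)>"
BHO_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<file>.*)$"
)
# R0/R1 lines: "R0 - <registry key>,<value name> = <data>"
R_RE = re.compile(
    r"^(?P<kind>R[01]) - (?P<key>[^,]+),(?P<value>[^=]+?) ?= ?(?P<data>.*)$"
)


def triage(log_text, trusted_hosts=frozenset()):
    """Return a list of findings; each has the raw line, a reason and an action.

    action == "fix"    : safe-to-remove orphan or empty setting (what the reply says to check)
    action == "review" : non-empty URL whose host is not on the caller's allowlist
    """
    findings = []
    for raw in log_text.splitlines():
        line = raw.rstrip()

        m = BHO_RE.match(line)
        if m:
            # A CLSID still registered as a BHO but with no DLL behind it is an
            # orphaned entry: it does nothing now, but is clutter worth removing.
            if m.group("file").strip() == "(no file)":
                findings.append({
                    "line": line,
                    "reason": "orphaned BHO: CLSID registered but no backing file",
                    "action": "fix",
                })
            continue

        m = R_RE.match(line)
        if m:
            data = m.group("data").strip()
            if not data:
                # An empty Local Page / Start Page value is reset via "Reset Web Settings".
                findings.append({
                    "line": line,
                    "reason": "empty Internet Explorer setting: " + m.group("value").strip(),
                    "action": "fix",
                })
            else:
                host = urlparse(data).hostname or ""
                if host not in trusted_hosts:
                    # Mirrors "do you recognize this line? if not, fix it":
                    # surface the host so the user can decide.
                    findings.append({
                        "line": line,
                        "reason": "IE setting points at unrecognized host",
                        "action": "review",
                        "host": host,
                    })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['action']}] {f['reason']}\n    {f['line']}")
```

Running it on the sample yields two "fix" findings for the orphaned BHOs, one "fix" for the empty Local Page value, and one "review" entry naming g.msn.com; passing `trusted_hosts={"g.msn.com"}` drops that last item, which is how a user who does recognize the search bar URL would silence it.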
     
  5. weavalo

    weavalo Private E-2

    The original problem is either gone or buried somewhere that I can't find. I haven't noticed any ill effects, but the contents of my computer could be posted on the net somewhere. The frustrating thing is that Avast! warned me repeatedly of this trojan but never found it during scans. The warnings have stopped (hopefully that means it's been removed) but none of the removal methods I tried showed that they removed anything.

    Anyways, thanks for your help. It's good to have resources like Geeks and people like you that are willing to help.
     
  6. TheOldThug

    TheOldThug First Sergeant

    Send me a final log and then watch for my final post.
     
  7. weavalo

    weavalo Private E-2

    Here's my new HJT logfile. It seems PrismXL is essential, so I didn't delete it.

    Sorry this took so long; my printer decided to screw up too.
     


  8. TheOldThug

    TheOldThug First Sergeant

  9. weavalo

    weavalo Private E-2

    Thanks again for the help!
     
