Can't remove Trojan

Willy

Somehow I've got the W32.Trojandownloader Agent on my PC and I'm using AVG
(Updated daily), Windows Defender and it makes 4 Registry entries and is
constantly running in the background. I've run Ad-Aware and delete them but
they come back. I've run a scan from the Symantec site and it tells me that
C:\Windows\osa9.exe is infected with above Trojan. I've run a scan also
from the Microsoft Site and it too found it but can't fix it. Each time the
PC starts the 4 entries come back into the Registry as evidenced by numerous
Ad-Aware scans. From my understanding osa9.exe is an Office 2000/XP file
which I've not had on this PC. I currently have Office 2003.
The Trojan really slows down my PC as evidenced by program loads and System
Resource meter sometimes shows that 100% of my CPU is being used. I've
gone into MSCONFIG Startup Tab and unchecked C:\Windows\osa9.exe and click
Apply, PC freezes. I've tried to delete osa9.exe but it won't let me. No
Office 2003 Programs are running.
Any suggestions or help?
 
John

"Somehow I've got the W32.Trojandownloader Agent on my PC"

Use HiJackThis. Read this link 1st, it has step by step.
http://www.wilderssecurity.com/showthread.php?t=50662
Important: Create a specific folder on your hard drive called
HijackThis to keep its backups.
You can do this by going to My Computer (Windows key+e) then double
click on C: then right click and select New then Folder and name it
HijackThis. Download and unzip HijackThis.exe into this folder.
http://www.merijn.org/downloads.html Or, http://tomcoyote.com/hjt/
If possible run HJT in Normal mode (not Safe) with all your normal
startups working.
HijackThis Tutorial - How to Analyse your own log.
http://spywarewarrior.com/viewtopic.php?t=3624
http://hometown.aol.co.uk/jrmc137/hjttutorial/tutorial.htm
http://www.bleepingcomputer.com/tutorials/tutorial42.html
http://www.malwarehelp.org/understanding-and-interpreting-hjt1.html
HijackThis log file analysis ( online )
http://hijackthis.de/index.php?langselect=english
Or,
http://startup.networktechs.com/page-68.html
http://hjt.iamnotageek.com
 
Willy

Yes I've switched off System Restore but how can I run an on-line scan when
in Safe mode? Drivers wouldn't load to get on the net.
 
Willy

John,
Before I go through this process, here is what's happening: I went into Safe
Mode and deleted the infected file from C:\Windows\osa9.exe. I ran Ad-Aware
and it found the below infections in the Registry:
--------------------------------------------------------------
WIN32.TROJANDOWNLOADER.AGENT.AM
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[0]=Regkey : software\microsoft\active setup\installed
components\{9b71d88c-c598-4935-c5d1-43aa4db90836}
obj[1]=Regkey : software\wget
obj[2]=RegValue : software\wget "plg1"
obj[3]=Regkey : software\wget
---------------------------------------------------------------
I deleted them, Restarted PC and ran Ad-Aware again and the same 4 Registry
Entries were there, deleted them again, restart, same thing all over, did
this 5 or more times, can't get rid of it and to top all that off, when I
click Ctrl-Alt-Delete, it shows that 100% of CPU is being used before
deleting those Registry Entries above.
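
The Active Setup key in the Ad-Aware log above is one of the places Windows reads at logon: a component's StubPath command under HKLM is run for a user who has no matching HKCU entry. As an added example (not part of the original thread), this read-only PowerShell lists every component's StubPath, shows whether its target exists and is signed, and marks the GUID from the log. It assumes a Windows version with PowerShell and that the logged key sits under HKLM; the function name Get-StubExecutable is hypothetical.

```powershell
# Added example: audit Active Setup components. Read-only, changes nothing.
$roots = @(
    'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components'
)
# GUID copied from the Ad-Aware log in the post above
$reported = '{9b71d88c-c598-4935-c5d1-43aa4db90836}'

function Get-StubExecutable {
    param([string]$StubPath)
    # StubPath is a command line; pull out the executable, quoted or not.
    $cmd = [Environment]::ExpandEnvironmentVariables($StubPath).Trim()
    if ($cmd -match '^"([^"]+)"') { return $Matches[1] }
    if ($cmd -match '^(.+?\.(exe|com|bat|cmd|scr|dll))(\s|,|$)') { return $Matches[1] }
    return ($cmd -split '\s+')[0]
}

$report = foreach ($root in $roots) {
    if (-not (Test-Path $root)) { continue }
    foreach ($key in Get-ChildItem -Path $root) {
        $props = Get-ItemProperty -Path $key.PSPath
        if (-not $props.StubPath) { continue }   # no command runs for this component
        $exe = Get-StubExecutable $props.StubPath
        # A bare name such as "regsvr32.exe" is resolved via PATH by Windows,
        # so Exists = False on a bare name only means "look it up by hand".
        $exists = Test-Path -LiteralPath $exe -PathType Leaf
        $signed = 'n/a'
        if ($exists) { $signed = (Get-AuthenticodeSignature -FilePath $exe).Status }
        [pscustomobject]@{
            Component = $key.PSChildName
            Name      = $props.'(default)'
            StubPath  = $props.StubPath
            Exists    = $exists
            Signature = $signed
            InAdAwareLog = ($key.PSChildName -ieq $reported)
        }
    }
}

# Entries without a valid signature sort first
$report | Sort-Object { $_.Signature -eq 'Valid' }, Component | Format-List
```

An entry whose StubPath points at an unsigned file in the Windows directory, or at a file that no longer exists, is the one to investigate before deleting anything.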
 
John

Willy said:
John,
Before I go through this process, here is what's happening,

Normal Willy, once you get badly infected, no one process will work,
that is why you have to do as per my post.
 
Willy

Hi John,
I think all that scanning per your instructions got it. I've Restarted &
run AdAware (that's when it always was found) 4 times and it doesn't show up
again. So I think all that done the trick. Question, can I now un-install
all them just downloaded programs?
Also as a side issue that was noticed after the infections was when I do a
Ctrl-Alt-Delete, The window opens but the Tabs are missing as is the
Minimize, Maximize, & Close Icons in upper right corner plus any selections
that were above the Tabs. It just opens to what normally would be the 1st
tab. Any way of fixing that? Know of an easy way to do a fix on my WIN XP
SP2 to fix any other files that may have been corrupted or deleted during
this ordeal. I've got a Retail Upgrade that I purchased to upgrade from
Windows ME about a month ago.
Appreciate all your help.
 
John

"Question, can I now un-install all them just downloaded programs?"
Which ones did you install Bill?
"Also as a side issue that was noticed after the infections was when I do a
Ctrl-Alt-Delete."
Task Manager Tabs are Missing
http://www.worldstart.com/tips/tips.php/1676
http://www.winxptutor.com/taskmgr.htm

"Know of an easy way to do a fix on my WIN XP
SP2 to fix any other files that may have been corrupted or deleted during
this ordeal."
Yes System File Checker ( SFC ) is one way, here is another.
Advanced WindowsCare
http://www.softpedia.com/get/Tweak/System-Tweak/Advanced-WindowsCare.shtml
http://www.iobit.com/WindowsCare.htm
 
Willy

John,
"Which ones did you install Bill?"

All but AdAware, Windows Defender & ZoneAlarm Internet Security (Which I
already had installed).

I'll reply to the rest after I get a chance to look at links you provided.
 
Willy

John,
Was wondering how you came up with the right fixes. The one for the Task
Manager worked. Is it normal for it to show 100% CPU when 1st opened? It
then drops to around 30-35%.

I run SFC and all seems well now. Would that affect any of the
updates/Hotfixes from MS?
 
John

"Was wondering how you came up with the right fixes."
I have had a computer about 6 years now Bill & started answering
questions on stuff I knew the answer for, about 5 years ago, as a
consequence I learnt more & have kept notes on most of my new info
ever since, because I soon realized that it was too hard to remember
all the fixes.
The other is as mentioned, Google, Google, Google, Google everything.

"Is it normal for it to show 100% CPU when 1st opened? It then drops to
around 30-35%."
I would say no, but you are quite welcome to send me screenshots, so I
can double check.
Screen Capture ( make sure you select jpeg, anything else is a bigger
size )
If you are in any windows based program, just hit the Print Screen key
on your keyboard ( or Ctrl + V ) and you have a full screenshot.
If you hold down the 'Alt' key with the Print Screen key, you will
capture only the window that is on your screen, not the whole desk top.
This sends it to Clipboard, now you can Paste it into Paint ( go to
Edit ) or any other Windows based graphics program.
Save as...
Save as type, select JPEG etc.
Image Resizer
http://www.microsoft.com/windowsxp/pro/downloads/powertoys.asp
http://download.microsoft.com/download/whistler/Install/2/WXP/EN-US/ImageResizerPowertoySetup.exe
This PowerToy enables you to resize one or many image files with a
right-click.
Here is how to get it smaller, right click on the file & select >
Resize Pictures, I use 640 x 480. Makes it a lot easier to upload or
email.
"I run SFC and all seems well now. Would that affect any of the
updates/Hotfixes from MS?"
No, easy to double check. Start > All Programs, up the top > Windows
Update.

Email, (e-mail address removed)
Quote this link.
http://groups-beta.google.com/group...t/browse_thread/thread/4b553ddacf59e874?hl=en
 
Willy

John,
You had that okay in your previous post.

Oh, No answer from you yet about all the programs I installed via them
instructions.

I'll work on trying to get you some screenshots of TM as the PC seems so
much slower now, may be cause of them other programs being active.
 
Willy

Just Emailed you screenshots. I have TweakUI already but thanks for the
PowerToy to resize pics, that is a good one. I ran Windows Update, none
needed it said, I've got it set to auto download & notify me of any then
I'll install.
 
