
Author Topic: Looks like I've got it too...  (Read 4636 times)


DMLloyd

    Topic Starter


    Greenhorn

    Looks like I've got it too...
    « on: December 20, 2008, 09:31:35 PM »
    Alright, here we go...

    It all started this morning when I started up my laptop and felt like getting back into some Neverwinter Nights 2.  Having just woken up, and being extremely lazy, I decided I didn't want to go searching for the disc (that I legally own).  I headed over to Game Copy World to find a No-CD fixed EXE, when a veritable smorgasbord of pop-ups filled my screen.  I thought 'Oh great, some ad-ware' and fired up AVG 8, which is when all my problems began.

    The Windows Security Center icon flashed red in the system tray and told me that my firewall, automatic updates, and virus protection had all been turned off.  I clicked the balloon, hoping to remedy the problem.  As the Security Center popped up, its window border kept flashing, as if it was losing focus and regaining it, on the order of once or twice per second.  I put everything back the way it was and exited hastily.

    Now back in AVG, it couldn't connect to the update server, then all the different components of AVG started shutting down and starting up on their own.  After it finished its little fit, I went ahead with the scan, which showed me a Trojan by the name of SHeur2.GAS masquerading as csrssc.exe in my Temp folder.  After moving the file and its associated registry key to the virus vault, it prompted me to reboot, which I did.

    After the reboot, I proceeded on to Firefox to learn some more about SHeur2.GAS, which a) led me to this forum, and b) showed that I definitely did not cure the entire infection as after I clicked the link to this forum, I was instead redirected to some advertisement page which spawned a number of pop-ups.  Cue exiting Firefox upon noticing that my network download speed was maintaining a steady 60k/sec with no Internet activity on my part.  I also disabled all network connections to my laptop, and am now broadcasting from my roommate's PC.

    I read the topic regarding what to do before posting and here are all the necessary logs.

    I only hope the specialists see fit to smile upon me in my time of need.  :)

    [attachment deleted by admin]

    evilfantasy

    • Malware Removal Specialist
    • Moderator


    • Genius
    • Calm like a bomb
    • Thanked: 493
    • Experience: Experienced
    • OS: Windows 11
    Re: Looks like I've got it too...
    « Reply #1 on: December 21, 2008, 07:20:10 PM »
    Welcome to CH.

    Open HijackThis and select Do a system scan only.

    Place a check mark next to the following entries: (if there)

    - O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    - O20 - AppInit_DLLs: avgrsstx.dll cghckd.dll
    - O20 - Winlogon Notify: khfEtSlM - khfEtSlM.dll (file missing)


    Important: Close all windows except for HijackThis and then click Fix checked.

    Exit HijackThis.

    ----------

    Note: the below instructions were created specifically for this user. If you are not this user, DO NOT follow these directions as they could damage the workings of your system

    Go to Start > Run and type notepad.exe then click OK

    Copy and paste the below into Notepad and save as fixme.reg to Your Desktop

    Code:
    REGEDIT4

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run]
    "Alcmtr"=-

    Locate fixme.reg on your Desktop and double-click it. Answer Yes when prompted to merge with the Registry.

    Make sure that you tell me if you receive a success message about adding the above to the registry. If you do not get a success message, it did not work.

    Delete the fixme.reg from the Desktop.

    ----------

    Download ComboFix© by sUBs from one of the below links. Be sure to save it to the Desktop.

    Link #1
    Link #2

    **Note:  It is important that it is saved directly to your Desktop

    Close any open Web browsers. (Firefox, Internet Explorer, etc) before starting ComboFix.

    Temporarily disable your antivirus, and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.
     
    Double click combofix.exe & follow the prompts.

    For Windows XP Systems install the Recovery Console:

    - If you are using Windows XP and do not already have the Recovery Console installed, please ensure your Internet connection is active (if possible) and click Yes.
    - If for some reason your Internet is not working click No.
    - If you are not using Windows XP, you will not be prompted.
    - When prompted to accept the EULA click OK.
    - Accept Microsoft's EULA (Click Yes).
    - When you are told that the RC is installed correctly click YES to continue scanning for malware.

    When finished ComboFix will produce a log for you.
    Post the ComboFix log in your next reply.

    Important: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

    Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.
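The reply above fixes three persistence points by name (an HKLM Run value, the AppInit_DLLs value, and a Winlogon Notify package whose DLL is missing). The script below is an added example, not part of this thread or of HijackThis, that lists the current contents of those same three locations with the on-disk state and Authenticode signer of each DLL, so the state can be compared before and after the fix. It assumes an elevated PowerShell prompt on the affected machine; the entry names mentioned in the comments are the ones from this thread.

```powershell
# Added example (not from the thread): audit the three persistence points the
# HijackThis fix above touched. Run from an elevated PowerShell prompt.

$runKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$windowsNT = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$system32  = Join-Path $env:SystemRoot 'System32'

function Describe-Dll {
    param([string]$Name)
    # Both locations normally hold a bare file name that the loader resolves
    # from System32; an absolute path is taken as written.
    $path = $Name
    if (-not [System.IO.Path]::IsPathRooted($Name)) { $path = Join-Path $system32 $Name }
    if (-not (Test-Path -LiteralPath $path)) {
        return ('{0,-16} {1,-44} MISSING' -f $Name, $path)
    }
    $sig    = Get-AuthenticodeSignature -FilePath $path
    $signer = 'unsigned ({0})' -f $sig.Status
    if ($sig.Status -eq 'Valid') { $signer = $sig.SignerCertificate.Subject }
    return ('{0,-16} {1,-44} {2}' -f $Name, $path, $signer)
}

'== HKLM Run (the fixme.reg above removes the "Alcmtr" value here) =='
$run = Get-ItemProperty -Path $runKey
foreach ($p in $run.PSObject.Properties) {
    # Get-ItemProperty adds PSPath/PSChildName/... metadata; skip those.
    if ($p.Name -notlike 'PS*') { '{0,-20} {1}' -f $p.Name, $p.Value }
}

''
'== AppInit_DLLs (the O20 fix above clears this whole value) =='
$win = Get-ItemProperty -Path "$windowsNT\Windows"
# One string holding several DLL names separated by spaces or commas; each is
# loaded into every process that links user32.dll, so judge them one at a time.
if ($win.AppInit_DLLs) {
    foreach ($dll in ($win.AppInit_DLLs -split '[ ,]+')) {
        if ($dll) { Describe-Dll $dll }
    }
} else { '(empty)' }

''
'== Winlogon Notify packages (the O20 "file missing" entry above lives here) =='
$notify = "$windowsNT\Winlogon\Notify"
if (Test-Path -Path $notify) {
    foreach ($sub in (Get-ChildItem -Path $notify)) {
        $dll = (Get-ItemProperty -Path $sub.PSPath).DllName
        if ($dll) { '{0,-12} {1}' -f $sub.PSChildName, (Describe-Dll $dll) }
        else      { '{0,-12} (no DllName value)' -f $sub.PSChildName }
    }
} else { '(no Notify key)' }
```

Run it once before the HijackThis fix and once after the reboot: the Run value named in the .reg file should be gone, AppInit_DLLs should be empty, and the Notify subkey with the missing DLL should no longer be listed. Because the HijackThis O20 fix clears the AppInit_DLLs value as a whole, the per-DLL listing is the place to notice if a legitimate, signed component was in that list alongside the suspect one.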

    DMLloyd

      Re: Looks like I've got it too...
      « Reply #2 on: December 21, 2008, 09:06:35 PM »
      So far, so good!  The registry edit worked and ComboFix ran through to completion, so here is the log.

      [attachment deleted by admin]

      evilfantasy

      Re: Looks like I've got it too...
      « Reply #3 on: December 21, 2008, 09:21:30 PM »
      Download the OTMoveIt3 by OldTimer

      Note: If you are running on Vista, right-click on OTMoveIt3.exe and choose Run As Administrator.

      * Save it to your Desktop.
      * Double-click OTMoveIt3.exe to run it.
      * Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy)

      Code:
      :Processes
      explorer.exe

      :services

      :reg

      :files
      d:\windows\Tasks\mqrhbrgx.job

      :Commands
      [purity]
      [emptytemp]
      [start explorer]
      [Reboot]

      * Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
      * Click the red Moveit! button.
      * Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
      Close OTMoveIt3

      Note: If a file or folder cannot be moved immediately you may be asked to reboot your computer in order to finish the move process. If asked to reboot, choose Yes. If not, reboot anyway.

      ----------

      Run the Kaspersky Online Scanner

      In Microsoft Windows Vista, you must open the Web browser using the Run as Administrator command. From the Desktop right click the icon to open the browser and choose Run as Administrator.

      • Click on SCAN NOW
      • Click Accept.
      • The program will then begin downloading the latest definition files.
      • Once the files have been downloaded locate the Scan Settings and have it scan My Computer.
      • The scan will take a while, so be patient and let it finish.
      When the scan is done, in the Scan is complete window, any infection is displayed.
      There is no option to clean/disinfect, however, we need to analyze the information on the report.

      To obtain the report:
      Click on: Save Report As
      • Next, in the Save as prompt, Save in area, select: Desktop.
      • In the File name area use KScan, or something similar.
      • In Save as type: click the drop arrow and select: Text file [*.txt]
      • Then, click: Save


      Copy and paste the Kaspersky Online Scanner Report in your next reply.

      Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.
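The OTMoveIt3 script in the reply above moves a scheduled task with a random-looking name out of %SystemRoot%\Tasks without showing what that task ran. The script below is an added example, not from this thread or from OTMoveIt3, that lists every legacy .job task with its creation time and the program schtasks reports for it, so a job can be checked before it is moved. It assumes an elevated PowerShell prompt and the built-in schtasks.exe; the eight-lowercase-letter name check is a heuristic chosen here, not a rule from the thread.

```powershell
# Added example (not from the thread): show what each .job task in the Tasks
# folder actually runs. Run from an elevated PowerShell prompt.

$tasksDir = Join-Path $env:SystemRoot 'Tasks'

# One verbose query for all tasks. The CSV form carries the "Task To Run"
# column on XP and later; newer Windows repeats the header row per task
# folder, so rows whose TaskName is literally "TaskName" are dropped.
$tasks = schtasks /query /v /fo CSV 2>$null | ConvertFrom-Csv |
    Where-Object { $_.TaskName -and $_.TaskName -ne 'TaskName' }

Get-ChildItem -Path $tasksDir -Filter '*.job' | ForEach-Object {
    $jobName = [System.IO.Path]::GetFileNameWithoutExtension($_.Name)
    # XP reports the bare task name, Vista and later report "\name".
    $entry = $tasks |
        Where-Object { ($_.TaskName -replace '^\\', '') -eq $jobName } |
        Select-Object -First 1
    $toRun = '(not reported by schtasks)'
    if ($entry) { $toRun = $entry.'Task To Run' }
    # Heuristic (assumption made for this example): a name of eight lowercase
    # letters with no meaning, like the one in this thread, deserves a look.
    $flag = ''
    if ($jobName -match '^[a-z]{8}$') { $flag = '   <-- random-looking name, check it' }
    '{0,-24} created {1:yyyy-MM-dd HH:mm}  runs: {2}{3}' -f $_.Name, $_.CreationTime, $toRun, $flag
}
```

The "runs:" column is the useful part: a job whose command points into a Temp folder, or whose creation time matches the day the pop-ups started, is the one to move, and the creation time of the others tells you which jobs were there long before the infection.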

      DMLloyd

        Re: Looks like I've got it too...
        « Reply #4 on: December 22, 2008, 12:23:14 AM »
        Here's the results from OTMoveIt3:

        ========== PROCESSES ==========
        Process explorer.exe killed successfully.
        ========== SERVICES/DRIVERS ==========
        ========== REGISTRY ==========
        ========== FILES ==========
        d:\windows\Tasks\mqrhbrgx.job moved successfully.
        ========== COMMANDS ==========
        File delete failed. D:\DOCUME~1\David\LOCALS~1\Temp\etilqs_Y3L0cFM2wWZFmfj1laKf scheduled to be deleted on reboot.
        User's Temp folder emptied.
        User's Temporary Internet Files folder emptied.
        User's Internet Explorer cache folder emptied.
        Local Service Temp folder emptied.
        File delete failed. D:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
        Local Service Temporary Internet Files folder emptied.
        File delete failed. D:\WINDOWS\temp\Perflib_Perfdata_55c.dat scheduled to be deleted on reboot.
        Windows Temp folder emptied.
        Java cache emptied.
        File delete failed. D:\Documents and Settings\David\Local Settings\Application Data\Mozilla\Firefox\Profiles\6gp6iy9l.default\Cache\_CACHE_001_ scheduled to be deleted on reboot.
        File delete failed. D:\Documents and Settings\David\Local Settings\Application Data\Mozilla\Firefox\Profiles\6gp6iy9l.default\Cache\_CACHE_002_ scheduled to be deleted on reboot.
        File delete failed. D:\Documents and Settings\David\Local Settings\Application Data\Mozilla\Firefox\Profiles\6gp6iy9l.default\Cache\_CACHE_003_ scheduled to be deleted on reboot.
        File delete failed. D:\Documents and Settings\David\Local Settings\Application Data\Mozilla\Firefox\Profiles\6gp6iy9l.default\Cache\_CACHE_MAP_ scheduled to be deleted on reboot.
        File delete failed. D:\Documents and Settings\David\Local Settings\Application Data\Mozilla\Firefox\Profiles\6gp6iy9l.default\urlclassifier3.sqlite scheduled to be deleted on reboot.
        File delete failed. D:\Documents and Settings\David\Local Settings\Application Data\Mozilla\Firefox\Profiles\6gp6iy9l.default\XUL.mfl scheduled to be deleted on reboot.
        FireFox cache emptied.
        Temp folders emptied.
        Explorer started successfully
         
        OTMoveIt3 by OldTimer - Version 1.0.7.2 log created on 12212008_202519

        Files moved on Reboot...
        File D:\DOCUME~1\David\LOCALS~1\Temp\etilqs_Y3L0cFM2wWZFmfj1laKf not found!
        File move failed. D:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be moved on reboot.
        File D:\WINDOWS\temp\Perflib_Perfdata_55c.dat not found!
        D:\Documents and Settings\David\Local Settings\Application Data\Mozilla\Firefox\Profiles\6gp6iy9l.default\Cache\_CACHE_001_ moved successfully.
        D:\Documents and Settings\David\Local Settings\Application Data\Mozilla\Firefox\Profiles\6gp6iy9l.default\Cache\_CACHE_002_ moved successfully.
        D:\Documents and Settings\David\Local Settings\Application Data\Mozilla\Firefox\Profiles\6gp6iy9l.default\Cache\_CACHE_003_ moved successfully.
        D:\Documents and Settings\David\Local Settings\Application Data\Mozilla\Firefox\Profiles\6gp6iy9l.default\Cache\_CACHE_MAP_ moved successfully.
        D:\Documents and Settings\David\Local Settings\Application Data\Mozilla\Firefox\Profiles\6gp6iy9l.default\urlclassifier3.sqlite moved successfully.
        D:\Documents and Settings\David\Local Settings\Application Data\Mozilla\Firefox\Profiles\6gp6iy9l.default\XUL.mfl moved successfully.


        Now, as for Kaspersky Online Scanner...

        It downloaded, updated the database, all of that.  Ran the scan, then two hours later clicked on 'Save Report As...' and nothing happened, no save prompt or anything, but it did disable the 'Save Report As...' button, so it looks like I'll have to run the scan again and hope it decides to work next time.

        I did notice that it found one thing in an mp3 file, specifically Trojan-Downloader.WMA.GetCodec.i



        evilfantasy

        Re: Looks like I've got it too...
        « Reply #5 on: December 22, 2008, 09:33:38 AM »
        If that one won't work use this one.

        Run this online scan.

        This scanner requires Internet Explorer

        Use the ESET Nod32 Online Scanner

        1. Check the box next to YES, I accept the Terms of Use.
        2. Click Start
        3. When asked, allow the activex control to install
        4. Click Start
        5. Make sure that the option Remove found threats and the option Scan unwanted applications is check marked.
        6. Click Scan
        7. Wait for the scan to finish
        8. Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
        9. Add the C:\Program Files\EsetOnlineScanner\log.txt log into your next reply.

        DMLloyd

          Re: Looks like I've got it too...
          « Reply #6 on: December 22, 2008, 09:11:56 PM »
          Here she be:

          # version=4
          # OnlineScanner.ocx=1.0.0.635
          # OnlineScannerDLLA.dll=1, 0, 0, 79
          # OnlineScannerDLLW.dll=1, 0, 0, 78
          # OnlineScannerUninstaller.exe=1, 0, 0, 49
          # vers_standard_module=3712 (20081222)
          # vers_arch_module=1.064 (20080214)
          # vers_adv_heur_module=1.064 (20070717)
          # EOSSerial=fd3840ba7bace54892a86d93ad8e0055
          # end=finished
          # remove_checked=true
          # unwanted_checked=true
          # utc_time=2008-12-23 04:07:18
          # local_time=2008-12-22 08:07:18 (-0800, Pacific Standard Time)
          # country="United States"
          # osver=5.1.2600 NT Service Pack 3
          # scanned=560628
          # found=1
          # scan_time=4029
          D:\WINDOWS\Help\KEYGEN.EXE   probably a variant of Win32/Agent trojan (unable to clean - deleted)   00000000000000000000000000000000

          evilfantasy

          Re: Looks like I've got it too...
          « Reply #7 on: December 22, 2008, 09:25:13 PM »
            Looks good. Only one file removed. Is the computer running OK now?

            • Click START then RUN
            • Now type Combofix /u in the runbox
            • Make sure there's a space between Combofix and /u
            • Then hit Enter.

            The above procedure will:
            • Delete ComboFix and its associated files and folders.
            • Reset the clock settings.
            • Hide file extensions, if required.
            • Hide System/Hidden files, if required.
            • Set a new, clean Restore Point.

            ----------

          1. Double click OTMoveIt3.exe to launch it.
          If using Vista Right-Click OTMoveIt and choose Run As Administrator
          2. Click on the CleanUp! button.
          3. OTMoveIt2 will download a list from the Internet, if your firewall or other defensive programs alerts you, allow it access.
          4. Click YES at the next prompt (list downloaded, Do you want to begin cleanup process?)
          • When finished exit out of OTMoveIt3
          ----------

          Use the Secunia Software Inspector to check for out of date software.
          • Click Start Now
          • Check the box next to Enable thorough system inspection.
          • Click Start
          • Allow the scan to finish and scroll down to see if any updates are needed.
          • Update anything listed.
          ----------

          Go to Microsoft Windows Update and get all critical updates.

          ----------

          Here are some great FREE tools to help you keep from getting infected again. These tools use little or no resources so won't slow down your PC.

          Concerned about Browser Security? Consider using Mozilla Firefox 3.0 with Adblock Plus and NoScript

          To prevent unknown applications from being installed on your computer install WinPatrol 2008
          * Using Winpatrol to protect your computer from malicious software

          I suggest using SiteAdvisor. SiteAdvisor rates sites on business practices and spam. Safety ratings from McAfee SiteAdvisor are based on automated safety tests of Web sites.

          SpywareBlaster - Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
          * Using SpywareBlaster to protect your computer from Spyware and Malware
          * If you don't know what ActiveX controls are, see here

          Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future.

          Also see Slow Computer? It May Not Be Malware for free cleaning/maintenance tools to help keep your computer running smooth.

          DMLloyd

            Re: Looks like I've got it too...
            « Reply #8 on: December 22, 2008, 09:40:25 PM »
            Amazing skill you have there, evilfantasy!

            My computer is running like nothing ever happened.

            Thank you, thank you, thank you!

            evilfantasy

            Re: Looks like I've got it too...
            « Reply #9 on: December 22, 2008, 09:42:05 PM »
            You're welcome.

            Safe surfing...