TechSpot

Please help with New Malware.n (trojan)

By Yuran
Jul 4, 2007
  1. Hello Guys,
    Here is a problem description.
    I stupidly downloaded a file named "check.exe" from this link //24489.ruikinyunhfenduansterdin.com/3128/494 that came to me via a friend's MSN Messenger alert. Don't download it if you come across it!!!
    McAfee detected it as a Trojan New Malware.n in the file C:\WINDOWS\System32\kbdemsdm.exe or .dll. It proposes to delete it, then reboot the system, but fails to fix it each time the system is rebooted again.
    I've followed the thread proposed by howard_hopkinso in Viruses/Spyware removal instructions. HijackThis detects the file but fails to delete it as the system reboots.
    I attach the logs for it.
    Does anybody have an idea how to fix it?
    Please help as I am powerless to do that,
    Hope to get any suggestions ASAP,
    Best,
    Yuran
    P.s. AVG Antirootkit scan result is nothing found.
     
  2. momok

    momok TS Rookie Posts: 2,265

    Hi Yuran and welcome to techspot. =)

    You may wish to copy and paste these instructions on notepad for easier reference later.

    Download the attached "Combofix-Do.txt" (from my attachment) and save it to the same folder as Combofix.

    Boot into safe mode under your normal user name. See how HERE

    Next turn on "Show all files and folders, including hidden and system". See how HERE

    Go to start > run and type msconfig. Press the enter key.
    Search for the following services. Uncheck them and press ok. Do not restart your system yet.

    gcauthc

    Go to start > Control Panel > Add and Remove Programs.
    Remove anything related to the following:

    gcauthc

    Open your task manager by holding ctrl and alt and pressing del. Alternatively, use ctrl + shift + esc. Go to the processes tab, and end the following processes, if found:

    gcauthc.exe

    After that, run HijackThis and fix the following entries, if found (do this by placing a tick in the check boxes beside these entries and clicking "Fix checked"):

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.migtel.ru/
    O4 - HKCU\..\Run: [gcauthc] C:\Program Files\gcauthc\gcauthc.exe
    O20 - Winlogon Notify: kbdemsdm - C:\WINDOWS\system32\kbdemsdm.dll

    Close HJT.

    I notice you have WildTangent related software installed on your system. Please note that "WildTangent's privacy policy used to state that they also collect and share individuals' information" although "this is no longer the case". Removing it is up to your preference, though.

    Drag the Combofix-Do.txt that you downloaded earlier over on to Combofix.exe and release.

    This will ask Combofix to execute the instructions within my file. Let Combofix run normally and do its job. Attach the resultant log in your reply.

    Reboot into normal mode and rehide your protected OS files.

    Thereafter, please post fresh HJT and ComboFix logs from normal mode as attachments into this thread.


    Regards,
    Your friendly momok =)

    This thread is for the use of Yuran only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
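The three HijackThis entries momok asks Yuran to fix (the R0 start page, the O4 Run value and the O20 Winlogon Notify package) share one small set of names. Here is an added Python example, not from the thread and not part of HijackThis itself, that parses lines in that log format and flags any entry whose URL, value name or target file name matches those indicators; the fourth, benign O4 line in the sample log is constructed.

```python
import re
from collections import namedtuple
from pathlib import PureWindowsPath

# Constructed sample log: the three entries quoted in the reply above plus one
# made-up benign Run entry so the filter has something to leave alone.
SAMPLE_HJT_LOG = r"""R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.migtel.ru/
O4 - HKCU\..\Run: [gcauthc] C:\Program Files\gcauthc\gcauthc.exe
O20 - Winlogon Notify: kbdemsdm - C:\WINDOWS\system32\kbdemsdm.dll
O4 - HKLM\..\Run: [example_benign] C:\Program Files\example\example.exe
"""

# Indicators as named in the thread; a real triage list would be much longer.
SUSPICIOUS_NAMES = {"gcauthc", "kbdemsdm"}
SUSPICIOUS_URLS = {"http://www.migtel.ru/"}

# One pattern per section this example understands; other sections are skipped.
PATTERNS = [
    ("O4", re.compile(r"^O4 - \S+: \[(?P<name>[^\]]+)\] (?P<target>.+)$")),
    ("O20", re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<target>.+)$")),
    ("R0", re.compile(r"^R0 - [^,]+,(?P<name>[^=]+?) = (?P<target>.+)$")),
]

# section: R0/O4/O20; name: Run value, Notify package or IE setting name;
# target: command line, DLL path or URL; raw: the original log line.
HjtEntry = namedtuple("HjtEntry", "section name target raw")


def parse_hjt_log(text):
    """Turn HijackThis log text into HjtEntry records (unknown sections dropped)."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        for section, pat in PATTERNS:
            m = pat.match(line)
            if m:
                entries.append(HjtEntry(section, m["name"], m["target"], line))
                break
    return entries


def is_indicator(e):
    """True when the entry's URL, name or target file stem is a known indicator."""
    if e.section == "R0":
        return e.target.strip().lower() in SUSPICIOUS_URLS
    stem = PureWindowsPath(e.target).stem.lower()
    return e.name.lower() in SUSPICIOUS_NAMES or stem in SUSPICIOUS_NAMES


def flag_entries(entries):
    """The entries a cleaner would be asked to fix, in log order."""
    return [e for e in entries if is_indicator(e)]
```

Run `flag_entries(parse_hjt_log(SAMPLE_HJT_LOG))` and only the three entries from the reply come back; the constructed benign Run entry is left alone.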
