Please help with New Malware.n (trojan)

Status
Not open for further replies.
Hello Guys,
Here is a problem description.
I stupidly downloaded a file named "check.exe" from this link //24489.ruikinyunhfenduansterdin.com/3128/494 that came to me via a friend's MSN Messenger alert. Don't download it if you see it!!!
McAfee detected it as a Trojan New Malware.n in the file C:\WINDOWS\System32\kbdemsdm.exe or .dll. It proposes to delete it, then reboot the system, but it fails to fix it each time the system is rebooted again.
I've followed the thread proposed by howard_hopkinso in Viruses/Spyware removal instructions. HijackThis detects the file but fails to delete it when the system reboots.
I attach the logs for it.
Does anybody have an idea how to fix it?
Please help, as I am powerless to do that.
Hope to get any suggestions ASAP,
Best,
Yuran
P.S. AVG Anti-Rootkit scan result: nothing found.
 
Hi Yuran and welcome to techspot. =)

You may wish to copy and paste these instructions on notepad for easier reference later.

Download the attached "Combofix-Do.txt" (from my attachment) and save it to the same folder as Combofix.

Boot into safe mode under your normal user name. See how HERE

Next turn on "Show all files and folders, including hidden and system". See how HERE

Go to start > run and type msconfig. Press the enter key.
Search for the following services. Uncheck them and press ok. Do not restart your system yet.

gcauthc

Go to start > Control Panel > Add and Remove Programs.
Remove anything related to the following:

gcauthc

Open your task manager by holding ctrl and alt and pressing del. Alternatively, use ctrl + shift + esc. Go to the processes tab, and end the following processes, if found:

gcauthc.exe

After that, run HijackThis and fix the following entries, if found (do this by placing a tick in the check boxes beside these entries and clicking "Fix checked"):

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.migtel.ru/
O4 - HKCU\..\Run: [gcauthc] C:\Program Files\gcauthc\gcauthc.exe
O20 - Winlogon Notify: kbdemsdm - C:\WINDOWS\system32\kbdemsdm.dll

Close HJT.

I notice you have WildTangent related software installed on your system. Please note that "WildTangent's privacy policy used to state that they also collect and share individuals' information" although "this is no longer the case". Removing it is up to your preference, though.

Drag the Combofix-Do.txt that you downloaded earlier over on to Combofix.exe and release.

This will ask Combofix to execute the instructions within my file. Let Combofix run normally and do its job. Attach the resultant log in your reply.

Reboot into normal mode and rehide your protected OS files.

Thereafter, please post fresh HJT and ComboFix logs from normal mode as attachments into this thread.


Regards,
Your friendly momok =)

This thread is for the use of Yuran only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 

Attachments

  • Combofix-Do.txt
    234 bytes · Views: 11
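For anyone checking a machine for the same persistence entries, the read-only PowerShell audit below is an added example (not part of the thread, not momok's instructions or any tool's own code): it looks in the locations behind the R0, O4 and O20 HijackThis lines above and reports anything referencing the names from this post. It assumes an XP/2003-era system, since Winlogon Notify subkeys only exist there, and uses only the names and paths quoted in the thread.

```powershell
# Added example: audit the persistence locations named in the HijackThis
# entries above. Read-only; run from an elevated PowerShell prompt.
$suspectNames = @('gcauthc', 'kbdemsdm')   # names taken from this thread

# O4-style entries: values under the Run keys
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
# O20-style entries: Winlogon Notify subkeys, each carrying a DLLName value (XP/2003)
$notifyKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
# R0-style entry: Internet Explorer start page
$ieMain = 'HKCU:\Software\Microsoft\Internet Explorer\Main'

$findings = @()

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own PSPath etc.
        foreach ($n in $suspectNames) {
            if ($p.Name -like "*$n*" -or "$($p.Value)" -like "*$n*") {
                $findings += [pscustomobject]@{ Type = 'Run'; Location = $key; Name = $p.Name; Value = $p.Value }
            }
        }
    }
}

if (Test-Path $notifyKey) {
    foreach ($sub in Get-ChildItem -Path $notifyKey) {
        $dll = (Get-ItemProperty -Path $sub.PSPath).DLLName
        foreach ($n in $suspectNames) {
            if ($sub.PSChildName -like "*$n*" -or "$dll" -like "*$n*") {
                $findings += [pscustomobject]@{ Type = 'WinlogonNotify'; Location = $notifyKey; Name = $sub.PSChildName; Value = $dll }
            }
        }
    }
}

if (Test-Path $ieMain) {
    $start = (Get-ItemProperty -Path $ieMain).'Start Page'
    # The thread's R0 line pointed at migtel.ru; report the current value for review.
    if ("$start" -like '*migtel.ru*') {
        $findings += [pscustomobject]@{ Type = 'IEStartPage'; Location = $ieMain; Name = 'Start Page'; Value = $start }
    }
}

if ($findings.Count -eq 0) { 'No entries matching the names from this thread were found.' }
else { $findings | Format-Table -AutoSize }
```

The script only reports; removal is still done with HijackThis/ComboFix as described in the post, so the entries can be reviewed before anything is changed.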