Trojan-BNK.Win32.Keylogger.gen

by adkinsjr / February 23, 2010 3:05 PM PST

Please Try This
by Grif Thomas Forum moderator / February 23, 2010 11:43 PM PST

Download ALL of the tools below on a friend's or family member's CLEAN computer and copy them to a CD or flash drive, then transfer them to the problem machine.

First, please download and run the following tool to help allow the removal programs below to run. (courtesy of Grinler at BleepingComputer.com)
There are 4 different versions. If one of them won't run then try to run the other one.
Vista and Win7 users need to right click and choose Run as Admin
You only need to get one of them to run, not all of them.

Rkill.exe http://download.bleepingcomputer.com/grinler/rkill.exe
Rkill.com http://download.bleepingcomputer.com/grinler/rkill.com
Rkill.scr http://download.bleepingcomputer.com/grinler/rkill.scr
Rkill.pif http://download.bleepingcomputer.com/grinler/rkill.pif
_____________________

IMMEDIATELY after running the "Rkill" tool above, run/install the Malwarebytes and SuperAntispyware installer and update files from the links below which you've also copied to a CD or flash drive, and transferred to the problem machine. Do NOT restart the computer after running Rkill.

Once downloaded and before transferring Malwarebytes and SuperAntispyware to the problem machine, rename the program installer "mbam-setup.exe" file to something else like "Gogetum.exe", then copy the installer file and the update file to a CD or flash drive.. Transfer the file to the problem machine, then install the "Gogetum.exe" file, then run the update to get the program current.. After that, run a full system scan and delete anything it finds.

Malwarebytes Installer Download Link (Clicking on the links below will immediately start the download dialogue window.)
http://www.besttechie.net/tools/mbam-setup.exe

Malwarebytes Manual Updater link
http://www.malwarebytes.org/mbam/database/mbam-rules.exe

Next, install and run a full system scan with the SuperAntispyware program and the manual updater from the links below. As before, you may need to rename the installer file to get the program to install:

SuperAntispyware
http://www.superantispyware.com/

SuperAntispyware Manual Updater
http://www.superantispyware.com/definitions.html
____________

In a few situations, in order for the program to run, it was also necessary to rename the main "mbam.exe" file after installing it.. It resides in the C:\Program Files\Malwarebytes Antimalware folder....
_____________________


Hope this helps.

Grif

re: please try this
by mallymally / August 10, 2010 10:16 PM PDT
In reply to: Please Try This

Hi Grif

Would just like to say thanks so much for taking the time to write such a full, easy to understand and helpful answer. Your advice really helped me. My computer is now working fine again and the constant updates have stopped.

Thanks again

M

hey grif
by luisito8730 / May 29, 2011 11:00 AM PDT
In reply to: Please Try This

thanks a whole bunch i was able to repair my pc in a couple of minutes because of you and it works perfectly now

THANKS
by missfoxyfoxy / June 14, 2011 2:15 AM PDT
In reply to: Please Try This

Thank you so much this worked!

Hi Grif - One more question
by mleongold / June 27, 2011 2:31 AM PDT
In reply to: Please Try This

Thanks for the help, your suggestions worked great and took care of most of the issues on my XP Pro SP3 box. My last issue is that the automatic updates service disappeared completely, so the red shield appears in the task bar and updates cannot be turned on. I tried updating from the Microsoft update web site and I get error code 0x80070424. I followed Microsoft directions to reinstall it and it tells me that it's already installed. BITS service is enabled and started, so is workstation. Should I assume malware may still be lingering about? Should I consider system restore to a date before infection happened? I'd rather not have to re-install XP. Any and all suggestions are greatly appreciated.
Marlee

Suggestions...
by Grif Thomas Forum moderator / June 27, 2011 4:29 AM PDT

First, be sure to run the previous removal tools REPEATEDLY till nothing is detected.. It may take a while to get it done but frequently, the first round of removals doesn't remove all the remnants.

Next, try the steps below to get your updates working again.


Re-register the Windows Update DLL with the commands below
Click Start, click Run, type cmd, and then click OK.
Type the following commands. Press ENTER after each command.
regsvr32 wuapi.dll
regsvr32 wuaueng.dll
regsvr32 wuaueng1.dll
regsvr32 wucltui.dll
regsvr32 wups.dll
regsvr32 wups2.dll
regsvr32 wuweb.dll

Attempt to run Windows Update


Hope this helps.

Grif

RE: Suggestions...
by mleongold / June 27, 2011 2:36 PM PDT
In reply to: Suggestions...

Thanks Grif, will give it a shot as suggested.

Awesome Grif
by mleongold / June 29, 2011 3:39 PM PDT
In reply to: Suggestions...

Did all as indicated and windows updates is running like a charm once again. Thanks!

Is there anything I should be looking at in the registry going forward? I see some blank entries in the startup tab - Any thoughts?

Thanks a mill again.

Probably No Reason To Worry
by Grif Thomas Forum moderator / June 30, 2011 4:10 AM PDT
In reply to: Awesome Grif

If you're referring to the "msconfig" startup tab, there are a number of reasons for blank entries.. For most, UNCHECK them and forget about them.. You might or might not be able to remove them safely, but UNCHECKing them will prevent them from running and you can move on.

As to the registry itself, the best recommendation is to leave well enough alone until you can know exactly what you're changing.

Hope this helps.

Grif

Blanks
by mleongold / June 30, 2011 1:06 PM PDT

Yes Grif, I meant msconfig's startup tab. There are only two blanks with only this showing:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

I will uncheck and leave it be. I'm not too keen on messing with the registry, ever!

Thanks for all your great help!
Marlee

Still need help
by dcritch / December 21, 2011 2:53 AM PST
In reply to: Suggestions...

I followed your directions for removing the virus by running Rkill once and Malwarebytes & SuperAntispyware several times until nothing was detected by both, but I am still having a problem with Automatic Updates being disabled.

I tried your suggestion above, but every time I enter the commands I receive a message that says the command "is not recognized as an internal or external command, operable program or batch file". When I attempt to run Windows Update, I receive the error 0x80070424.

My operating system is WinXP. When I type in the commands, I am not connected to the internet. I was only connecting to the internet to try to run the Windows Update. Do I need to be connected when I am typing in the commands or is there any other help you could supply?

The security center says that automatic updates is disabled, but if I go to automatic updates in the control panel, it is showing that the "notify me but don't automatically download or install them" is still checked.
dcritch

Running Those Commands At Anytime Should Work
by Grif Thomas Forum moderator / December 21, 2011 4:10 AM PST
In reply to: Still need help

You don't need to be connected to the internet. I'll guess that you are typing the command incorrectly. Please note there is a "single space" after each of the regsvr32 commands. For example, at a command prompt, you should be typing: regsvr32(singlespace)wuapi.dll

Obviously, don't type the (singlespace) text but you should get the idea. No other spaces are required in the line.

Hope this helps.

Grif

Thank you!
by dcritch / December 21, 2011 5:08 AM PST

Thank you for the help. That was exactly what I was doing wrong. My computer is now fixed.

Thanks much,
dcritch

(NT) Good Job !
by Grif Thomas Forum moderator / December 21, 2011 8:33 AM PST
In reply to: Thank you!

re please try this
by Crash1111 / June 28, 2011 12:28 PM PDT
In reply to: Please Try This

Thank you so much for your easy to follow instructions, fixed my son's and daughter-in-law's computer no problem. Really appreciate it.
B

Thank you!
by dcnwheaton / December 3, 2011 2:08 AM PST
In reply to: Please Try This

I freaked when I had this virus. Fortunately, I was able to do a search on my husband's laptop before I powered mine off and found your post. Thank you, thank you!

Internet connection not working after process completed
by kidiri / December 10, 2011 3:37 PM PST
In reply to: Please Try This

Hi Grif,

thanks for the instructions, I went through all of the steps and it seemed like it removed everything. After the SuperAntiSpyware ran, it asked to reboot the computer to make sure everything was removed. I did that and when it restarted, the internet does not work (same issue that happened after getting the Trojan-BNK.Win32.Keylogger.gen message). Went through the steps again, rebooted again and still internet not working.

Are there any additional steps I need to do or anything else that I am missing?

Thanks.

Please Try These Extra Steps
by Grif Thomas Forum moderator / December 12, 2011 12:47 AM PST

1. Open Internet Explorer and go to Tools-Internet Options-Connection Tab. Click on the LAN settings button. IF there is a check mark next to "Use a proxy server for your LAN", uncheck it. Click OK. Then OK, again.

2. Unfortunately, you didn't give us the operating system you're using but see the information below for resetting your winsocks internet software:

a) If you're using Windows XP, please click on the link below and download the free WinsockXPFix tool.. Once it's on your desktop, run it.

http://www.majorgeeks.com/WinSock_XP_Fix_d4372.html

b) For Windows Vista or Win7, perform the command line steps in both of the links below:

http://www.mydigitallife.info/reinstall-and-reset-tcpip-internet-protocol-in-windows-vista-2003-and-xp/

http://www.mydigitallife.info/repair-and-reset-windows-vista-tcpip-winsock-catalog-corruption/

Hope this helps.

Grif
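
A read-only way to review the settings discussed in this thread (the LAN proxy box, the Run keys behind msconfig's Startup tab, and the Automatic Updates service), as an added example that is not part of any poster's reply or of the linked tools. It assumes PowerShell is installed, which on Windows XP is a separate download; the function names are illustrative.

```powershell
# Added example: post-cleanup checks. Nothing here changes the system.

function Get-ProxyState {
    # Per-user Internet Explorer proxy settings, i.e. what the
    # "Use a proxy server for your LAN" check box controls.
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    New-Object PSObject -Property @{
        ProxyEnabled  = ($p.ProxyEnable -eq 1)
        ProxyServer   = $p.ProxyServer
        AutoConfigURL = $p.AutoConfigURL
    }
}

function Get-RunEntries {
    # The two Run keys quoted in the thread; msconfig lists their values.
    $paths = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
             'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    foreach ($path in $paths) {
        $key = Get-Item -Path $path -ErrorAction SilentlyContinue
        if (-not $key) { continue }
        foreach ($name in $key.GetValueNames()) {
            $cmd = [string]$key.GetValue($name)
            New-Object PSObject -Property @{
                Key     = $path
                Name    = $name
                Command = $cmd
                # A value with no name or no command shows up as a blank row.
                Blank   = ([string]::IsNullOrEmpty($name) -or $cmd.Trim() -eq '')
            }
        }
    }
}

function Test-UpdateService {
    # wuauserv is the Automatic Updates service. Error 0x80070424 wraps
    # Win32 error 1060, ERROR_SERVICE_DOES_NOT_EXIST.
    $svc = Get-Service -Name wuauserv -ErrorAction SilentlyContinue
    if ($svc) { "wuauserv present, status: $($svc.Status)" }
    else      { 'wuauserv is not registered on this machine' }
}

Get-ProxyState | Format-List
Get-RunEntries | Where-Object { $_.Blank } | Format-Table Key, Name, Command -AutoSize
Test-UpdateService
```

An enabled proxy that nobody configured, or a Run entry that still has a command, is worth comparing against what the removal tools reported.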

Thanks!
by domjorjao / December 17, 2011 12:57 AM PST
In reply to: Please Try This

Dude you are the best!!! I appreciated it!!!!!

Can I do this from a mac?
by NaimaShakura / December 25, 2011 12:23 AM PST
In reply to: Please Try This

I have a PC which is having this problem. I'm trying to download the information above onto my mac, but it's not downloading. Is there any way to do this?

Wow, totally mystified
by UTamy / December 25, 2011 10:29 AM PST
In reply to: Please Try This

Hi Grif, thanks for the instructions. I have XP on my infected PC. I'm not particularly computer literate. Feeling a bit desperate.
I cannot get the Grinler tool to install. I was able to copy and save it to my flashdrive but it won't install on the infected PC. I have also typed the address directly into my browser window but the virus blocks it from installing that way as well.
As an alternative I tried skipping the Grinler tool, went direct to the website and tried to run malwarebytes from there, but the virus prevents it from running.
Last, can you please give me some instructions on copying and renaming the Malwarebytes Installer Download Link, and then saving it to my flashdrive. I just keep clicking on it and getting sent to the website; I don't understand how to copy it to my flash drive.
Any advice you have would be much appreciated. I am assuming my problem is operator error since so many people have been able to follow your directions and fix their computers!

Rkill May Need To Be Renamed Or...
by Grif Thomas Forum moderator / December 26, 2011 10:51 AM PST
In reply to: Wow, totally mystified

...At the links provided by Carol below, you'll see variations of the Rkill tool, specifically renamed to "iexplore.exe". There is also a "FixNCR.reg" registry fix that may be required as well. The registry fix and the Rkill tool will need to be run before Malwarebytes or any other removal tool will work.

http://www.bleepingcomputer.com/virus-removal/remove-xp-internet-security-2012

Generally, it's best to copy all of the removal files to a flash drive, then start the infected computer into "Safe Mode with Networking", then copy all of the tools over to the problem machine.. Once there, run the Rkill tool repeatedly till it gets things done, (in your case, renaming it first would be beneficial), and once it's run, then install, update, and run Malwarebytes by copying from the flash drive.

Hope this helps.

Grif

Problem installing antivirus softwares after removal of troj
by wgssgang / December 8, 2012 9:19 PM PST
In reply to: Please Try This

Hi Grif,

Firstly I want to thank you for the instructions! I stopped receiving those messages. However, I soon experienced an error in installing norton antivirus 2012. Each time I installed, the error message of 8506 422 appeared. So I uninstalled it and tried other free trials of antivirus software. Each time, they could not be installed and seemed to hint that the problem lay with my pc. Do you have a solution to it? Thanks.

Regarding That Error...
by Grif Thomas Forum moderator / December 9, 2012 10:51 AM PST

There is a discussion in the Norton forums about the error you're receiving. A poster named "Shamrock" seems to have fixed the problem there.... See the link below:

http://community.norton.com/t5/Norton-Internet-Security-Norton/Error-8506-422/td-p/577922/page/2

I suggest running all the scans again and deleting anything they find, just to be sure everything's gone.. Once that's done, download the Norton Removal Tool to make sure all things Norton are gone from the computer.. Next, clean out all the Temp and Temporary Internet Files folders on the computer..

After that, you can try reinstalling Norton if you choose..... Or.....try downloading one of the free antivirus programs from the links below.. I actually prefer them over the Norton product but such is a personal thing..

Avast Free Antivirus
http://www.avast.com/download-software

Avira Free
http://www.avira.com/en/avira-free-antivirus

Hope this helps.

Grif

Same error
by wgssgang / December 11, 2012 12:43 AM PST

Hi Grif,
Thank you for taking the time to answer my question. First, I followed your instructions but the same error message appeared. Then I tried shamrock's and same thing happened too. So I gave up and tried Avast which was successfully installed. Checked with a couple of ppl and they also agreed with me that norton is problematic. Guess I wasted my money.

This is the first time I faced such issues with my pc and being a technology idiot (I did not install antivirus for my pc!), I want to thank you once again for helping me solve these issues!

(NT) Good Job & Thanks For Posting Back !
by Grif Thomas Forum moderator / December 11, 2012 5:07 AM PST
In reply to: Same error

Thanks!
by Pates64 / December 25, 2012 1:00 AM PST
In reply to: Please Try This

Just want to express my big gratitude for your advice. I was very frustrated with the issue and seemed helpless until I followed your instruction. The issue is now gone and I couldn't be happier. Thank you!

Rogue Programs w/ FAKE Alert: "Trojan-BNK.Win32.Keylogger"
by Carol~ Forum moderator / December 26, 2011 10:16 AM PST
FYI:

Below are some of the rogue programs, which display the following (Firewall) fake security alert on infected computers:

"Internet Explorer is infected with Trojan-BNK.Win32.Keylogger.gen"

Remove XP Internet Security 2012 (Uninstall Guide)

Remove XP Antivirus 2012 (Uninstall Guide)

Remove XP Antispyware 2012 (Uninstall Guide)

Remove XP Home Security 2012 (Uninstall Guide)

Remove Win 7 Antispyware 2012 and Vista Antivirus 2012 name changing rogue (Uninstall Guide)

The first 4 are variants of the last. The last being referred to as the "2012 name-changing" rogue program. Additional information within the guides.

Carol