Trojan-BNK.Win32.Keylogger.gen

Hi Grif

Would just like to say thanks so much for taking the time to write such a full, easy to unerstand and helpful answer. Your advice really helped me my computer is now working fine again and the constant updates have stopped.

Thanks again

M

thanks a whole bunch i was able to repair my pc in a couple of minutes because of you and it works perfectly now

Thank you so much this worked!

Thanks for the help, your suggestions worked great and took care of most of the issues on my XP Pro SP3 box. My last issue is that the automatic updates service dissapeared completely, so the red shield appears in the task bar and updates cannot be turned on. I tried updating from the Microsoft update web site and I get error code 0x80070424. I followed Microsoft directions to reinstall in and it tells that it's already installed. BITS service is enabled and started so is workstation. Should I assume malware may still be lingering about? Should I considered system restore to a date before infection happened? I'd rather not have to re-install XP. Any and all suggestions are greatly appreciated.
Marlee

Frist, be sure to run the previous removal toosl REPEATEDLY till nothing is detected.. It may take a while to get it done but frequently, the first round of removals doesn't remove all the remnants.

Next, try the steps below to get you updates working again.


Re-register the Windows Update DLL with the commands below
Click Start, click Run, type cmd, and then click OK.
Type the following commands. Press ENTER after each command.
regsvr32 wuapi.dll
regsvr32 wuaueng.dll
regsvr32 wuaueng1.dll
regsvr32 wucltui.dll
regsvr32 wups.dll
regsvr32 wups2.dll
regsvr32 wuweb.dll

Attempt to run Windows Update


Hope this helps.

Grif

Thanks Grif, will give it a shot as suggested.

Did all as indicated and windows updates is running like a charm once again. Thanks!

Is there anything I should be looking at in the registry going forward? I see some blank entries in the startup tab - Any thoughts?

Thanks a mill again.

If you're referring to the "msconfig" startup tab, there are a number of reasons for blank entries.. For most, UNCHECK them and forget about them.. You might or might not be able to remove them safely, but UNCHECKing them will prevent them from running and you can move on.

As to the registry itself, the best recomendation is to leave well enough alone until you can know exactly what your changing.

Hope this helps.

Grif

Yes Grif, I meant msconfig's startup tab. There are only two blanks with only this showing:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

I will uncheck and leave it be. I'm not too keen on messing with the registry, ever!

Thanks for all your great help!
Marlee

I followed your directions for removing the virus by running Rkill once and Malwarebytes & SuperAntispyware several times until nothing was detected by both, but I am still having a problem with Automatic Updates being disabled.

I tried your suggestion above, but every time I enter the commands I receive a message that says the command "is not recognized as an internal or external command, operable program or batch file". When I attempt to run Windows Update, I receive the error 0x80070424.

My operating system is WinXP. When I type in the commands, I am not connected to the internet. I was only connecting to the internet to try to run the Windows Update. Do I need to be connected when I am typing in the commands or is there any other help you could supply?

The security center says that automatic updates is disabled, but if I go to automatic updates in the control panel, it is showing that the "notify me but don't automatically download or install them" is still checked.
dcritch

You don't need to be connected to the internet. I'll guess that you are typing the command incorrectly. Please note there is a "single space" after each of the regsvr32 commands. For example, at a command prompt, you should be typing: regsvr32(singlespace)wuapi.dll

Obviously, don't type the (singlespace) text but you should get the idea. No other spaces are required in the line.

Hope this helps.

Grif

Thank you for the help. That was exactly what I was doing wrong. My computer is now fixed.

Thanks much,
dcritch

Thank you so much for your easy to follow instructions, fixed my son's and daughter-in-laws computer no problem. Really appreciate it.
B

I freaked when I had this virus. Fortunately, I was able to do a search on my husbands laptop before I powered mine off and found your post. Thank you, thank you!

Hi Grif,

thanks for the instructions, I went through all of the steps and it seemed like it removed everything. After the SuperAntiSpyware ran, it asked to reboot the computer to make sure everything was removed. I did that and when it restarted, the internet does not work (same issue that happened after getting the Trojan-BNK.Win32.Keylogger.genmessage). Went through the steps again, rebooted again and still internet not working.

Are there any additional steps I need to do or anything else that I am missing?

Thanks.

1. Open Internet Explorer and go to Tools-InternetOptions-Connection Tab. Click on the LAN settings button. IF there is acheck mark next to "Use a proxy server for your LAN", uncheck it. ClickOK. Then OK, again.

2. Unfortunately, you didn't give us the operating system you're using but see the information below for resetting your winsocks internet software:

a) If you're using Windows XP, please click on the link below and download the free WinsockXPFix tool.. Once it's on your desktop, run it.

http://www.majorgeeks.com/WinSock_XP_Fix_d4372.html

b) For Windows Vista or Win7, perform the command line steps in both of the links below:

http://www.mydigitallife.info/reinstall-and-reset-tcpip-internet-protocol-in-windows-vista-2003-and-xp/

http://www.mydigitallife.info/repair-and-reset-windows-vista-tcpip-winsock-catalog-corruption/

Hope this helps.

Grif

Dude you are the best!!! I appreciated it!!!!!

I have a PC which is having this problem. I'm trying to download the information above onto my mac, but it's not downloading. Is there any way to do this?

Hi Grif, thanks for the instructions. I have XP on my infected PC I'm not particularly computer literate. Feeling a bit desperate.
I cannot get the Grinler tool to install. l was able to copy and save it to my flashdrive but it won't install on the infected PC. I have also typed the address directly into my browser window but the virus blocks it from installing that way as well.
As an alternative I tried skipping the Grinler tool, went direct to the website and tried to run malwarebytes from there, but the virus prevents it from running.
Last, can you please give me some instructions on copying and renaming the Malwarebytes Installer Download Link, and then saving it to my flashdrive. I just keep clicking on it and getting sent to the website; i don't understand how to copy it to my flash drive.
Any advice you have would be much appreciated. I am assuming my problem is operator error since so many people have been able to follow your directions and fix their computers!

...At the links provided by Carol below, you'll see variations of the Rkill tool, specifically renamed to "iexplore.exe". There is also a "FixNCR.reg" registry fix that may be required as well. The registry fix and the Rkill tool will need to be run before Malwarebytes or any other removal tool will work.

http://www.bleepingcomputer.com/virus-removal/remove-xp-internet-security-2012

Generally, it's best to copy all of the removal files to a flash drive, then start the infected computer into "Safe Mode with Networking", then copy all of the tools over to the problem machine.. Once there, run the Rkill tool repeatedly till it gets things done, (in your case, renaming it first would be beneficial), and once it's run, then install, update, and run Malwarebytes. by copying from the flash drive

Hope this helps.

Grif

Hi Grif,

Firstly I want to thank you for the instructions! I stopped receiving those messages. However, I soon experienced error in installing norton antivirus 2012. Each time I installed, the error message of 8506 422 appeared. So I uninstalled it and tried other free trials of antivirus softwares. Each time, they cannot be installed and seemed to hint that the problem lied with my pc. Do you have a solution to it? Thanks.

There is a discussion in the Norton forums about the error you're receiving.A poster named "Shamrock" seems to have fixed the problem there.... See the link below:

http://community.norton.com/t5/Norton-Internet-Security-Norton/Error-8506-422/td-p/577922/page/2

I suggest running all the scans again and deleting anything they find, just to be sure everything's gone.. Once that's done, download the Norton Removal Tool to make sure all things Norton are gone from the computer.. Next, clean out all the Temp and Temporary Internet Files folders on the computer..

After that, you can try reinstalling Norton if you choose..... Or.....try downloading one of the free antivirus programs from the links below.. I actually prefer them over the Norton product but such is a personal thing..

Avast Free Antivirus
http://www.avast.com/download-software

Avira Free
http://www.avira.com/en/avira-free-antivirus

Hope this helps.

Grif

Hi Grif,
Thank you for taking the time to answer my question. First, I followed your instructions but the same error message appeared. Then I tried shamrock's and same thing happened too. So I gave up and tried Avast which was successfully installed. Checked with a couple of ppl and they also agreed with me that norton is problematic. Guess I wasted my money.

This is the first time I faced such issues with my pc and being a technology idiot (I did not install antivirus for my pc!), I want to thank you once again for helping me solve these issues!

Just want to express my big gratitude to your advice. I was very frustrated with the issue and seemed helpless until I followed your instruction. The issue is now gone and I couldn't be happier. Thank you!