Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Trojan-BNK.Win32-Keylogger.gen


  • This topic is locked This topic is locked
13 replies to this topic

#1 imfiredup

imfiredup

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:12:27 PM

Posted 14 March 2010 - 01:52 PM

Somehow this has appeared on my computer, a pop up keeps blocking my activity. It is sooooo annoying, can anyone help?

Edited by imfiredup, 14 March 2010 - 01:54 PM.


BC AdBot (Login to Remove)

 


#2 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,490 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:12:27 PM

Posted 14 March 2010 - 04:01 PM

Hello and welcome. Let's try this..
Run RKill....

Please download Rkill by Grinler and save it to your desktop.Link 2
Link 3
Link 4
  • Double-click on the Rkill desktop icon to run the tool.
  • If using Vista, right-click on it and Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
  • If the tool does not run from any of the links provided, please let me know.
You will need to run the application again if rebooting the computer occurs along the way as the malware programs will start again.



Next run MBAM (MalwareBytes):

Please download Malwarebytes Anti-Malware (v1.44) and save it to your desktop.Download Link 1
Download Link 2
MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
    For instructions with screenshots, please refer to the How to use Malwarebytes' Anti-Malware Guide.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#3 imfiredup

imfiredup
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:12:27 PM

Posted 15 March 2010 - 07:12 AM

THANK YOU sooooooooo much! I had to use two computers to make this work tho, as the windows defender kept blocking access to the internet. I kept saving the links to a flash drive just in case anyone else was having the same problem. The IE is kinda messed up, but have managed to bypass that link, am sure I will be able to fix that also with just a little more patience.

Bless u and this site!!! I still have the question up on the Trend site and still no reply!

Liz

#4 imfiredup

imfiredup
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:12:27 PM

Posted 15 March 2010 - 07:20 AM

I just became a fan on facebook! Do you have any idea how that happened? The difference between the computers.....I installed skype and yesterday watched a Red Skelton video that someone posted on facebook, it must have come in from one or the other! again ty

Liz

#5 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,490 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:12:27 PM

Posted 15 March 2010 - 02:26 PM

Hello Liz, please post the MBAM log so I can see what was found.. You say you automatically or mysteriously becam e a fan (whose fan BC?)
We will need to run more tools.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#6 imfiredup

imfiredup
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:12:27 PM

Posted 15 March 2010 - 04:02 PM

Time elapsed: 4 minute(s), 26 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{147a976f-eee1-4377-8ea7-4716e4cdd239} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Owner\Local Settings\Application Data\av.exe (ROGUE.Win7Antispyware2010) -> Quarantined and deleted successfully.


Is this what u wanted to c? .....A Bleeping Computer Fan on face book lol!

#7 SirSimeon2003

SirSimeon2003

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:11:27 AM

Posted 15 March 2010 - 05:12 PM

boopme

Thank You for posting that.

The virus infected my PC about 5pm today.

Thank G-d for Task Manager and Process Explorer - I used those programmes to close down the virus.

I finally stumbled onto this thread at about 5:37pm.

Followed your blessed instructions.

Computer clean as of 6:00pm.

Had a handful of viruses before, and each and every time, this site has contained the information and tools needed to quickly contain and eliminate virus before any real damage is done.

Thank you again boopme, and people like you, who act quickly to help us save our computers.

G-d bless.

#8 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,490 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:12:27 PM

Posted 15 March 2010 - 07:08 PM

You're both welcome abd I suspect still have some bits left...

Next run ATF and SAS: If you cannot access Safe Mode,run in normal ,but let me know.

Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

From your regular user account..
Download Attribune's ATF Cleaner and then SUPERAntiSpyware , Free Home Version. Save both to desktop ..
DO NOT run yet.
Open SUPER from icon and install and Update it
Under Scanner Options make sure the following are checked (leave all others unchecked):
Close browsers before scanning.
Scan for tracking cookies.
Terminate memory threats before quarantining
.
Click the "Close" button to leave the control center screen and exit the program. DO NOT run yet.

Now reboot into Safe Mode: How to enter safe mode(XP)
Using the F8 Method
Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode using the arrow keys.
Then press enter on your keyboard to boot into Safe Mode
.

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.

If you use Firefox or Opera browser click that browser at the top and choose: Select All
Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program
.

NOW Scan with SUPER
Open from the desktop icon or the program Files list
On the left, make sure you check C:\Fixed Drive.
Perform a Complete scan. After scan,Verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntispyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.


Rerun MBAM (MalwareBytes) like this:

Open MBAM in normal mode and click Update tab, select Check for Updates,when done
click Scanner tab,select FULL scan and scan (normal mode).
After scan click Remove Selected, Post new scan log and Reboot into normal mode.



Please ask any needed questions,post logs and Let us know how the PC is running now.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#9 travelynne1

travelynne1

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:12:27 PM

Posted 27 March 2010 - 06:57 PM

This helped me today!! Thank you so much! I did a full scan and things are back to normal!! THANKS THANKS THANKS!!!!

#10 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,490 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:12:27 PM

Posted 27 March 2010 - 10:32 PM

Now you should Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been backed up, renamed and saved in System Restore. Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Start > Run and type: Cleanmgr
  • Click "Ok". Disk Cleanup will scan your files for several minutes, then open.
  • Click the "More Options" tab, then click the "Clean up" button under System Restore.
  • Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
  • Click Yes, then click Ok.
  • Click Yes again when prompted with "Are you sure you want to perform these actions?"
  • Disk Cleanup will remove the files and close automatically.
Vista and Windows 7 users can refer to these links: Create a New Restore Point in Vista or Windows 7 and Disk Cleanup in Vista.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#11 funbunch

funbunch

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:11:27 AM

Posted 27 June 2011 - 07:18 PM

Are thre any updates to the virus

Trojan-BNK.Win32-Keylogger.gen ?

The link wasn't found. It must be outdated.

#12 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,490 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:12:27 PM

Posted 27 June 2011 - 08:52 PM

Hello. which link is that?

Trojan-BNK.Win32.Keylogger.gen is associated with several rogue fake antivirus programs so I assume your computer was invaded by one of those listed in the following link: http://www.bleepingcomputer.com/virus-removal/remove-win-7-internet-security-2011 If you prefer to remove the malware yourself you can follow the instructions from Bleeping Computer Guide.

After reading how the malware is misleading you ...
You will move to the Automated Removal Instructions

After you completed that, post your scan log here,let me know how things are.
The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#13 katiedub

katiedub

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:11:27 AM

Posted 04 August 2011 - 05:42 PM

Sorry to hijack this thread.

First of all - can I say a huge thank you! I am relatively computer illiterate but have managed to follow your step by step instructions perfectly. I know that this thread is for someone else's computer problems but I have done everything you say and (fingers crossed) my computer seems to be working fine now.

Here are my scan logs:

Symantec Endpoint Protection Notification:

Scan type: Auto-Protect Scan
Event: Security Risk Found!
Security risk detected: Unvirex!gen1
File: C:\Documents and Settings\Miss Walsh\Local Settings\Application Data\oqn.exe
Location: Quarantine
Computer: MRLONGLFT
User: Miss Walsh
Action taken: Quarantine succeeded : Access denied
Date found: 04 August 2011 18:17:41

RKill notification:

This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.

Rkill was run on 04/08/2011 at 18:16:16.
Operating System: Microsoft Windows XP


Processes terminated by Rkill or while it was running:



Rkill completed on 04/08/2011 at 18:16:32.

Malwarebytes report:
Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6648

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

04/08/2011 18:26:57
mbam-log-2011-08-04 (18-26-57).txt

Scan type: Quick scan
Objects scanned: 194542
Time elapsed: 8 minute(s), 22 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\NtWqIVLZEWZU (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\OO1310T0QS (Trojan.FakeAlert.SA) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\SNJQ66R8MU (Trojan.FakeAlert.SA) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\Miss Walsh\Local Settings\Application Data\oqn.exe" -a "C:\Program Files\Internet Explorer\iexplore.exe") Good: (iexplore.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

SUPErAntiSpyware scan

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 08/04/2011 at 10:45 PM

Application Version : 5.0.1108

Core Rules Database Version : 7510
Trace Rules Database Version: 5322

Scan type : Quick Scan
Total Scan Time : 00:06:30

Operating System Information
Windows XP Professional 32-bit, Service Pack 3 (Build 5.01.2600)
Administrator

Memory items scanned : 634
Memory threats detected : 0
Registry items scanned : 31842
Registry threats detected : 0
File items scanned : 8569
File threats detected : 11

Adware.Tracking Cookie
C:\Documents and Settings\Miss Walsh\Cookies\miss_walsh@bs.serving-sys[2].txt
C:\Documents and Settings\Miss Walsh\Cookies\miss_walsh@questionmarket[2].txt
C:\Documents and Settings\Miss Walsh\Cookies\miss_walsh@adtech[1].txt
C:\Documents and Settings\Miss Walsh\Cookies\miss_walsh@content.yieldmanager[1].txt
C:\Documents and Settings\Miss Walsh\Cookies\miss_walsh@serving-sys[1].txt
C:\Documents and Settings\Miss Walsh\Cookies\miss_walsh@ad.yieldmanager[1].txt
C:\Documents and Settings\Miss Walsh\Cookies\miss_walsh@ads.bleepingcomputer[1].txt
C:\Documents and Settings\Miss Walsh\Cookies\miss_walsh@collective-media[1].txt
C:\Documents and Settings\Miss Walsh\Cookies\miss_walsh@doubleclick[2].txt
C:\Documents and Settings\Miss Walsh\Cookies\miss_walsh@googleads.g.doubleclick[2].txt

Trojan.Agent/Gen-Falcomp[RE]
C:\WINDOWS\SYSTEM32\PUBPRNQ.DLL

Malwarebytes:

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6648

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

04/08/2011 23:34:48
mbam-log-2011-08-04 (23-34-48).txt

Scan type: Full scan (C:\|)
Objects scanned: 276385
Time elapsed: 38 minute(s), 23 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#14 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,490 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:12:27 PM

Posted 04 August 2011 - 06:34 PM

Hello, I deleted the other topic on this as we will work here.
I am hooping you are clean but something bothers me.

Your log shows>>>>>>
Database version: 6648
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

04/08/2011 18:26:57
mbam-log-2011-08-04 (18-26-57).txt

So it shows the MBAM is a little old so we will rescan.
Also the date of scan is April 8 thats odd. Is your PC clock showing the correct date?

Rerun MBAM (MalwareBytes) like this:

Open MBAM in normal/regular mode and click Update tab, select Check for Updates,when done
click Scanner tab,select Quick scan and scan (normal mode).
After scan click Remove Selected, Post new scan log and Reboot into normal mode.


Also do another,

I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Under scan settings, check Posted Image and check Remove found threats
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image


NOTE: In some instances if no malware is found there will be no log produced.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users