Don’t be misled by reports that Trojan-BNK.Win32.Keylogger.gen has been detected on your machine. In reality, the alert comes from XP Internet Security 2010, Internet Security 2013 or Win 7 Protection 2013, rogueware that uses invented threats to scare you about your PC’s security. Trojan-BNK.Win32.Keylogger.gen is an imaginary infection, a made-up virus meant to push PC users into purchasing XPInternetSecurity2010. Ripping people off is the main reason rogueware like this keeps being created: it promises to remove every parasite “detected” on your PC. In reality, every rogue anti-spyware is useless and even dangerous, so be aware and do not fall for them.
Trojan-BNK.Win32.Keylogger.gen generally appears in fake system security alerts. The imaginary infection is reported to the user as detected after a scan of the system for malware, and XP Internet Security 2010 claims that if it is ignored, private data, including credit card details and passwords, might be stolen by third parties.
Don’t take any infection reported by XP Internet Security 2010 seriously, Trojan-BNK.Win32.Keylogger.gen included, because your PC is probably clean. XP Internet Security 2010 itself is what must be deleted as soon as possible, so don’t waste a minute. Keep in mind that you will need a reputable anti-spyware program to remove it.
Found this a very useful article. Same problem occurred on my PC running Vista. I used the manual method described and edited the Registry. I found similar entries:
HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command “(Default)” = “av.exe” /START “%1” %*
HKEY_CURRENT_USER\Software\Classes\secfile\shell\open\command “(Default)” = “av.exe” /START “%1” %*
At first I deleted the two entries but I had an issue with .exe files not starting up. I rebooted in safe mode with cmd option and in the registry entries above I entered the value “%1” %*
Seems to work ok now. I was unable to locate av.exe or WRblt8464P entries but no further messages are appearing. Thanks for the advice.
I followed the steps and it works for me as well.
Thanks.
I tried the manual remover by running cmd/regedit and removed/deleted the infected registries but I set their values to “%1” %* and I’m back online. Thanks so much!
Some more info. In my case the virus name was ete.exe. In addition to registry keys mentioned in comments above, I’ve had to modify registry entries for firefox and IE:
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command
Cheers,
Irfan
Can anyone list the steps for manual removal on Windows Vista?
Follow the steps given below to remove spyware entries from registry @bj
HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command “(Default)” = “av.exe” /START “%1” %*
HKEY_CURRENT_USER\Software\Classes\secfile\shell\open\command “(Default)” = “av.exe” /START “%1” %*
HKEY_CLASSES_ROOT\.exe\shell\open\command “(Default)” = “av.exe” /START “%1” %*
HKEY_CLASSES_ROOT\secfile\shell\open\command “(Default)” = “av.exe” /START “%1” %*
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command “(Default)” = “av.exe” /START “firefox.exe”
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command “(Default)” = “av.exe” /START “firefox.exe” -safe-mode
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command “(Default)” = “av.exe” /START “iexplore.exe”
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center “AntiVirusOverride” = “1”
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center “FirewallOverride” = “1”
I caught the Trojan-BNK. Win32….from Facebook. What a freaking you know what.
1) I was running Microsoft Security essentials at the time.
2) I tried running Malware, it wouldn’t open.
3) I tried Spyware, but it costs.
4) I read a ton of ways to fix this problem including….
5) I tried to get into my Vista registry via REGEDIT to do what has been put on this site, but the computer states it requires THE ADMINISTRATOR. How do I get into my registry or become the Administrator via Vista? This is my own laptop. It is not connected to anything other than the internet.
6) What freeware is out there that can solve this problem?
7) And how do I get rid of the Vista warning popup?
Thanks for your advice. Please send it via my email address.
I don’t understand this article. First it says the trojan-bnk.win32.keylogger.gen is a fake virus detected by rogue software with the purpose of luring you into buying XP Internet Security 2010, and that your computer is actually clean. You only need delete XP Internet Security 2010.
Then it goes on to talk about how dangerous the above-mentioned Trojan virus is.
Well which is it? Is it real or fake? Or does the author mean that there IS the actual Trojan virus which is dangerous, but that if it is reported by XP Internet Security 2010 then it is fake? I seemed to have gotten rid of the XP Internet Security and its warning of the above-mentioned Trojan virus by using Windows Defender (after trying Malware which the computer would not let me download off the net or a disc) but after reading this article I’m wondering if the Trojan virus is that dangerous then could it be embedded in my system without detection? While trying to fix this problem it seemed to be playing a cat and mouse game with me – from barraging me with pop ups telling me to buy the XP Security software, not letting me onto the internet, not letting me download anything, to allowing me internet access, changing the pop up configurations, and finally to no pop ups at all (but the fake anti-virus icon still present at the bottom left of screen). To be safe should I just wipe everything off the hard drive and start clean?
DS: There is a real version of this trojan. However, if you had a fake antivirus, then you do not have the real version of Trojan-BNK.Win32.Keylogger.
I have the same issue as “DS” but the pop up security says “2011” instead of “2010”. I don’t know if the registries are the same or not, I looked through my computer and they’re not the same. Freaking me out.
@admin
I have the fake antivirus Vista telling me that I have this Trojan and many others. I ran my Trendmicro and it’s not getting rid of the Vista and it doesn’t detect any of the things the Vista says I have. I don’t know how to tell if I have the trojan or it’s this Vista. How can I make the Vista go away? It tries to block me from Google chrome but I found if I right click on the icon and run it as administrator I can access the internet. Thanks
Brandi: everything Vista antivirus detects, is false. Try updating Trendmicro and scanning again, or try one of anti-malware programs.
@admin
Trend Micro was updated when I ran it but I’m trying again. I tried running ARO 2011 but it didn’t remove it and now wants me to pay for it to finish removing errors. Do you have any suggestions for a free anti-malware program? Thanks for your help.
Brandy: Malwarebytes, SuperAntiSpyware, Hitman Pro (for 30 days). All of these programs do not have real-time protection in free mode (and Hitman Pro is scanner only), so for protection you will have to purchase full version.
All I did was click on one of the top links for something I had searched for on Google and BAM – it immediately shut down both browsers I had up and all hell started breaking loose – constant fake warning messages. Don’t be fooled by any of them – just get rid of this thing. It’s no fun, that’s for sure – it toys with you in various ways – hijacks your browsers – won’t let you on the internet – messes with your spyware removal program etc. I spent a few hours researching and trying different things. Here’s what finally worked for me – I booted up in safe Windows mode (F8 immediately at start up). I then ran Super Anti-spyware in safe mode and got rid of what it found. Malware Bytes or others are probably fine too but you have to already have 1 installed on your system – otherwise good luck. Once it was removed, I was still getting some residual pop up warnings and stuff so then I tried what I had read somewhere else and got into Backup and Restore (can’t remember how I got there – sorry) and backed my computer up to 2 days before it happened. This completely got rid of the problem. I rebooted and ran Malware Bytes in regular mode and it didn’t find anything so it was gone. This BNK Keylogger thing certainly proved to me that it’s important to have antispyware already installed before something like this happens. Both that I mentioned are free and work well. I couldn’t imagine trying to install something by flash drive or whatever when the system was acting up this bad. Good Luck
I currently have this virus on my laptop and need help removing it. Can anyone help please?
I have the same virus in my laptop. please help me to remove this
Update: – I got this thing again – Unbelievable! – Didn’t take hours to figure out this time though. I ran super anti-spyware in safe mode and removed the problems it found but after it rebooted I was still having pop-ups as before. Tried to get to System Restore (Start>All Programs>Accessories>System Tools>System Restore) but the pop ups wouldn’t let me in – the thing was blocking me from System Restore. #!*@%#! – OK so here’s the way in. (I have XP but assume it’s the same for later versions) Turn the system off – turn it back on and hit F8 key just as it’s booting up. Choose regular Safe Mode (not Safe Mode w/ Internet because the keylogger will block everything if you are online). When it starts to boot up in Safe Mode a box pops up and says “Windows is running in safe mode… blah blah… If you prefer to use System Restore to restore your computer to a previous state click NO.” This Is What You Want!! – Click NO button and System Restore will pop up and you can choose a previous date to boot from – the system will then do its thing and reboot from a previous checkpoint a day or whatever earlier. Abracadabra – Keylogger piece of #@%! GONE. Again – hope this helps someone – I couldn’t remember how I got there before so rewrote this while it was fresh in mind. Peace All
Mike: One suggestion: Get an antivirus 🙂 If you get infected more than once, that’s it.
MIKE YOU ARE DA MAN!!!! I was literally dealing with this virus today and saw your post, it worked! A note for admin- we have a good antivirus but this virus bypassed it and even hijacked the Super Spyware so I couldn’t clean the virus off my system. I had to restore to yesterday’s date, then rescanned, cleaned AND reset my homepage (the virus hijacked the homepage too).
I just don’t get it, 3 nights of trying to read everything, I just don’t know what’s true and what’s fake any more. I’ve tried safe mode restore and I’m told rstrui.exe is not recognised (is that the virus or am I doing it wrong) – cos I don’t get a box that pops up. I’m convinced there is some evil person just sitting there laughing at me with everything I do, I have work laptop on desk while trying to find a way out of this mess. I thought Windows Defender was sufficient to stop all this but this is the 2nd virus we have had. I can’t download anything because trojan stops me doing anything – help! x
It won’t let me do system restore… I did everything mike said but it won’t restore. It says “could not restore to [yesterday’s date]”
@admin
Mike… you are an F’n lifesaver. I followed your keys above and it was successful, so far. I’m going to run my antivirus and hope it stays clean. Thanks man!
Help!!!! I’ve run Webroot 5 times and rebooted as many times and it’s still there. I can’t get on the internet to download another antivirus so what can I do????
Thanks Mike!!! It worked!!!!
Mary: Make sure you have updated the webroot. Or run other removers from usb drive.
Mike – you are a genius!!! xx
Mike, you’re the man, worked perfectly
Mike, not sure who you are but my guess is you’re wearing tights and a red cape! I’m not sure how long this solution will last but it worked right away and for that I thank you. You never know who to trust on the internet but I am glad I read your post and even more glad I decided to give your solution a try.
Peace Out
Trying your suggestion right now will post if it works !!
Just read your solution. I’ll try when I reach home.
Thanks for sharing your solution.
Thanks, Mike… everything is running smoothly again!
I have nothing but love for this man Mike. I’m working off a Korean desktop and I still managed to follow his simple instructions, god bless you!
On a side note, anybody got any ideas where this little rascal came from? The last thing I remember doing was playing on facebook.
Mike, your solution worked like a charm. Thank you very much
So I downloaded this and now you want me to pay you for removal? Sounds like you’re the one that created this?
JD: You can delete each threat by expanding detection. It posts full path to infected file. Also, Spyware Doctor uninstalls normally.
This was very helpful dan, thank you. I am not a computer person but I followed your instructions to the T and it worked, it’s gone
Mike. Thanks so much!! I am a computer novice, but was able to follow your instructions. Ran the computer in safe mode, scanned with super anti spyware. It identified the virus and removed it. I rebooted in normal mode and it seems to be working well. Appreciate the support.
Mike you are a life saver!!! Thank you!!!
How can I do any of the things listed to remove this Damn thing from my laptop when this thing won’t let me do anything!
So I’m willing to admit I was one of the dumb@$$es out there that actually purchased the phony scareware removal. I didn’t know any better and had no idea how to fix the problem. Big headache, had to close out bank accounts and change passwords to ensure they didn’t get any of that info. Well here I am again, trying to remove some more malicious crap. Thanks Mike, wised up this time and opened in safe mode to find your advice. I did download Malwarebytes the last go around but this new virus has managed to prevent me from opening it and McAfee is useless when it comes to this stuff-even the most expensive versions that promise to prevent this nonsense. Thanks again!
Best way I see to remove this virus is either of three ways and two of them are a pain while third will aid you the most.
1. Restore your OS to a previous date (preferably about 3 to 5 days prior) so that it will restore your system to a known good functioning date the OS was working well! Thus removing the virus, just don’t make the same mistake twice and get it again.
2. Dig into your registry is the biggest part where it hides and shuts down your antivirus, malware and adware programs. (Soon as you click the pop up window as most of you know, doom sets in and you’re toast). So only do this if you know what you are doing, otherwise stick to #1.
3. Fall back option. If all else fails get ready to lose all data on your HDD. Cuz this requires you to format and re-partition your HDD and re-install your OS and all your other software and all updates to them. This is the pain, but in the long run you will have a clean system, then you can take steps to harden your PC against threats such as this.
I have to say that in any case the entire time when you get the stupid keylogger / keystroke virus it is nasty and when a window pops up asking you to purchase or upgrade something security related, “DONT!”, click the “x” in the upper right hand corner and check your system immediately. Otherwise this thing will basically shut you off the internet and leave your PC open for a backdoor attack from an outside source which you can’t stop. Also one last bit, if you know you have this pesky virus, remove or shut off your access to the internet until you have this resolved, otherwise you’re leaving yourself wide open for more attacks while you figure it out. Just my 2 cents worth.
V/R, Powercat
Powercat
In most cases it is one of 2 (fake security program or keylogger). If it was fake antivirus (and if there was a popup of unknown origin claiming about this infection, then you can bet it was one), then chances for real keylogger are quite low, as they are trying to get credit card details by directing you to purchase page.
Mike:
Thanks so much man. I followed your instructions and it worked perfectly.
None of this is working for me on XP. Can’t get to regedit, won’t register doctor spyware cause can’t get to browser…what a pain
Lisa: use a USB key. Also, disable proxy in your browser.
This worked great for me as well. I’m on Windows 7 so it was a bit differently to get to the system restore (windows wanted to find and fix the problem itself but couldn’t) which I couldn’t repeat here as had to turn off and reboot a few times and have it fail doing a system “recovery” before it came to the option of me being able to do the system restore.
As a side, I got this a couple of years ago and did the whole registry edit approach. That worked but took a lot longer.
Mike, please help me get this off my PC trojan, e-mail me and explain @Mike
I did system restore to a previous date of three days, and everything seems to be going okay now. What a pain!
Mike, great post. I’m running Win7 SP1. As soon as I started seeing the Windows Security Center popups, I removed the machine from the network (to prevent talkbacks and/or further spread). The popup request from “Windows Security Center” requesting a purchase of a product that our admin group has licensed, caused me suspicion…
I booted into safe mode:
1) Used regedit to figure out the usurped startup command (I choose firefox only because it was an application that I knew had been mucked with) – HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command “(Default)” = “\Users\root\AppData\local\vfu.exe” -a “firefox.exe”.
2) Renamed the file (in /Users/root/AppData/Local) to xxx.xxx, couldn’t delete at this point.
3) Ran regedit and searched for any/all occurrences of vfu.exe, changed those back to “%1” %*.
4) Rebooted into safe mode again.
5) Removed /Users/root/AppData/Local/xxx.xxx.
6) Now doing full scan with SEVERAL tools, before plugging back into ANY network.
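The registry values quoted in the comments above (the .exe and secfile open commands, the StartMenuInternet browser entries and the Security Center overrides) can be checked mechanically. The following is an added example, not code from the article or its commenters: a Python audit over a constructed .reg export, where the function names, the sample data and the rule that a browser key named after an executable should launch that executable are assumptions of the example.

```python
import re
from ntpath import basename  # Windows path rules on any platform

# Constructed sample in .reg export format. Values mirror entries quoted in the
# comments above (av.exe, vfu.exe); the clean entries are added for contrast.
SAMPLE_REG = r'''
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command]
@="\"av.exe\" /START \"%1\" %*"

[HKEY_CLASSES_ROOT\secfile\shell\open\command]
@="\"%1\" %*"

[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command]
@="\"\\Users\\root\\AppData\\local\\vfu.exe\" -a \"firefox.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command]
@="\"C:\\Program Files\\Internet Explorer\\iexplore.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000000
'''

EXPECTED_EXE_COMMAND = '"%1" %*'  # the value the commenters restored
EXE_CLASS = re.compile(
    r'(?:^HKEY_CLASSES_ROOT|\\Classes)\\(?:\.exe|exefile|secfile)\\shell\\open\\command$', re.I)
# Assumption: only keys named after the browser executable are compared.
BROWSER = re.compile(r'\\Clients\\StartMenuInternet\\([^\\]+\.exe)\\shell\\[^\\]+\\command$', re.I)
OVERRIDES = {"AntiVirusOverride", "FirewallOverride"}


def parse_reg(text):
    """Yield (key, value_name, data) tuples; '@' is the (Default) value."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = re.match(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$', line)
        if not (key and m):
            continue
        name = m.group(1) if m.group(1) == "@" else m.group(1)[1:-1]
        raw = m.group(2)
        if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
            yield key, name, re.sub(r'\\(.)', r'\1', raw[1:-1])  # undo \" and \\
        elif raw.lower().startswith("dword:"):
            yield key, name, str(int(raw[6:], 16))


def launched_exe(command):
    """Lower-cased file name of the first token of a command line."""
    m = re.match(r'\s*(?:"([^"]*)"|(\S+))', command)
    return basename((m.group(1) or m.group(2) or "") if m else "").lower()


def audit(text):
    """Return (key, reason) pairs for values that match the hijack pattern."""
    findings = []
    for key, name, data in parse_reg(text):
        browser = BROWSER.search(key)
        if name == "@" and EXE_CLASS.search(key):
            if data.strip() != EXPECTED_EXE_COMMAND:
                findings.append((key, "exe handler runs " + launched_exe(data)))
        elif name == "@" and browser:
            exe = launched_exe(data)
            if exe != browser.group(1).lower():
                findings.append((key, "browser entry runs " + exe))
        elif (key.lower().endswith("\\microsoft\\security center")
              and name in OVERRIDES and data == "1"):
            findings.append((key, name + " is set"))
    return findings


if __name__ == "__main__":
    for key, reason in audit(SAMPLE_REG):
        print(f"SUSPICIOUS {key}: {reason}")
```

For a real check, export the keys from regedit and read the file with encoding="utf-16" before passing its text to audit().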
my computer is infected
I got this virus/trojan on Saturday. I think I had it for one or two days longer because my computer started getting these restart messages for important updates and error messages on the same days. I have tried everything. This bastard has completely taken over my laptop and any antivirus software that I install has been taken over. Even the Norton that has been on my laptop and updated to the newest version has been infected. It has infected the Adobe media player and everything else. I can’t do anything because my entire computer and settings have been changed. I don’t know what to do. None of these fixes work.
Thank you for this post… It was a great help for Windows 7 with nasty critter!
control panel > system and maintenance > Back up and restore > repair windows using system restore. Set date of restore back a few days before you first noticed the problem. Easiest fix available! Works on Vista. Don’t know about XP. Get your computer manual and look up system restore if you want a better explanation. I could not get restore to work in safe mode because the “virus” was blocking it, but it worked in normal operating mode. Oh ya…..disconnect from any network you are on.
see post #54 @Brandi
My daughter’s NEW laptop is infected. I tried to install Trend Micro which I have used for years, but cannot get on the internet. I read #54 and tried those steps but cannot get past “System Restore” to enter date. The Win 7 Security 2012 Firewall alert keeps popping up.
Thanks for your Help
Okay, I just found out that keying-in the serial numbers didn’t really remove the virus. To remove the virus totally, you need to follow these 3 steps:
1) Download malwarebytes
2) Go to safe mode (Keep pressing the F8 button before windows starts up)
3) When in safe mode, right click on the malwarebytes install file and choose “run as the administrator” and install. You won’t be able to update it because of the virus but perform a quick scan anyway. Delete the virus after that and it’s all done.
* I was using AVG free antivirus before all these. Somehow, after keying in the serial numbers, although my internet explorer and google chrome are finally working, my AVG cannot start up at all. The “Win 7 Antivirus 2012” program is still there, remains as a hidden icon. There are some suspicious programs running at the same time too (eg. 321.exe and AVG tray). After performing a quick scan using Malwarebytes, I’m glad that the virus is totally removed now as I can finally open the AVG file on my desktop again.
Good luck!
Thanks for all the help Mike. I almost paid $200 to have the virus removed by someone and would have taken longer. Thanks! You are a lifesaver!
Restoring my laptop to a prior date worked. Now I am thinking I need to run / install anti-virus protection to basically scrub everything just to be safe. However, I am not able to run downloads from Microsoft security Essentials or Avast (the two anti-virus programs I was considering). I am suspicious that my problems downloading Microsoft essentials or Avast is because of a more general problem (a new problem) associated with exe files that did not exist before this virus. Two questions 1.) is there a free anti-virus program anyone would recommend that would be good after encountering this virus? 2.) is my suspicion of exe file problems common in the aftermath of this virus or am I just being paranoid?
Franchise
There are 2 separate issues in your case.
1. Browser hijacking, read our walkthrough here : http://www.2-viruses.com/how-to-fix-google-results-hijacker-google-redirect-virus-problem
2. Exe execution issues – you will need to fix .exe file execution in your registry, either with regedit, through control panel restoring default associations or importing correct registry
But how do you go to the next entry without hitting the enter key? (see codes at top)
@Gianpietro Signorini
@admin
I purchased Kaspersky to keep three computers clean.
Not only does it fail miserably, three scans and more wasted time have convinced me never to renew with them again.
They do not even mention or allow a search for this virus on their website.
There goes your credibility Kaspersky, you get an “F” for customer service.
Thank you Mike! We are running Vista and everything working fine now! Saved us a lot of time and money getting fixed. Thank you so much…
Just a lil heads up,
Trojan killer can fail since it blocks programmes, and when you go into safe mode it requires internet and activation to actually remove the malware. So it’s not much of help when you most need it. But through playing in safemode, without network connection, there is something you can do that works effectively. First close the pop-ups of the remaining trash, they will only pop up like once. Then launch events by ctrl-alt-del, start new task > browse > in the side window of search or in help type configuration panel – system – … – system restore. Then you can finally activate it. Pick a week or so behind and it will switch before this trash popped up. That’s if the trojan blocked all applications including system restore from the normal mode.
I made the mistake of opening an attachment. I lost control of my Yahoo account and my computer turned very sluggish. I downloaded Dr. Web from CNet.com (after checking Wikipedia) and after the scan found I had 2 Trojans, worms and spyware. It took forever to run the scan but I would say it was worth it. You can use Dr. Web for free for 1 month and then they would like you to purchase it. My AVG didn’t even detect these trojans so I don’t know what to use when my month is up. It will have to be free as I spend all my money on my rescues. Any suggestions?
Cheryl Clark: I would recommend Hitman Pro ( http://www.2-viruses.com/reviews/hitman-pro ) over DrWeb as scanner at any time when speaking about trojans. Especially if you have an antivirus already. And no antivirus is 100%. Even not close to that.