XP Internet Security 2012

  the hick 16:01 19 Jun 2011

I downloaded IE8 earlier, now I have the above (maybe a coincidence). It's stopping me using internet on my PC (now using different PC), and tells me I have Trojan BNK.Win32.keylogger.gen. I am a bit stuck, don't know what to do next. Any advice much appreciated, thank you.

  Fruit Bat /\0/\ 16:10 19 Jun 2011

Ctrl + Alt + Del ---- task manager Processes tab

Stop the following XP Internet Security 2012 processes:


Start - Run type regedit press OK

Navigate to and Remove the following XP Internet Security 2012 registry keys:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\XP Internet Security 2012

HKEY_CURRENT_USER\Software\XP Internet Security 2012

HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command "(Default)" = '"%LocalAppData%\kdn.exe" -a "%1" %*'

HKEY_CURRENT_USER\Software\Classes\exefile\shell\open\command "(Default)" = '"%LocalAppData%\kdn.exe" -a "%1" %*'

HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\BrowserEmulation "TLDUpdates" = '1'

HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command "(Default)" = '"%LocalAppData%\kdn.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe"'

HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command "(Default)" = '"%LocalAppData%\kdn.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode'

HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command "(Default)" = '"%LocalAppData%\kdn.exe" -a "C:\Program Files\Internet Explorer\iexplore.exe"'

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center "AntiVirusOverride" = '1'

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center "FirewallOverride" = '1'

HKEY_CLASSES_ROOT\.exe\shell\open\command "(Default)" = '"%LocalAppData%\kdn.exe" -a "%1" %*'

Locate (Search) and delete the following XP Internet Security 2012 files:


%AllUsersProfile%\Application Data\u3f7pnvfncsjk2e86abfbj5h

%LocalAppData%\kdn.exe

%LocalAppData%\u3f7pnvfncsjk2e86abfbj5h

%Temp%\u3f7pnvfncsjk2e86abfbj5h

%UserProfile%\Templates\u3f7pnvfncsjk2e86abfbj5h
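A read-only check for the handler hijack that the registry list in the reply above describes, added here as an example and not part of the original thread: it scans a regedit export for `.exe`/`exefile` open commands that are not the stock `"%1" %*` and for browser entries that start through another program. The export text is a constructed sample (only `kdn.exe` and the key paths come from the thread), and `audit` and `first_program` are hypothetical names.

```python
import re

# Constructed sample in regedit export (.reg) format; kdn.exe is the file
# name from the thread, the clean entries are assumed for contrast.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Classes\exefile\shell\open\command]
@="\"%LocalAppData%\\kdn.exe\" -a \"%1\" %*"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command]
@="\"%1\" %*"

[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command]
@="\"%LocalAppData%\\kdn.exe\" -a \"C:\\Program Files\\Mozilla Firefox\\firefox.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command]
@="\"C:\\Program Files\\Internet Explorer\\iexplore.exe\""
'''

EXE_CLASS = re.compile(r'\\(exefile|\.exe)\\shell\\open\\command$', re.I)
BROWSER = re.compile(r'\\StartMenuInternet\\([^\\]+)\\shell\\\w+\\command$', re.I)

def first_program(cmd):
    """Return the program a command line starts, quoted or bare."""
    m = re.match(r'\s*(?:"([^"]+)"|(\S+))', cmd)
    return (m.group(1) or m.group(2)) if m else ''

def audit(reg_text):
    """Return (key, command, reason) for each hijacked command handler."""
    findings, key = [], None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith('[') and line.endswith(']'):
            key = line[1:-1]
        elif key and line.startswith('@="') and line.endswith('"'):
            cmd = re.sub(r'\\(.)', r'\1', line[3:-1])  # undo .reg escaping
            browser = BROWSER.search(key)
            if EXE_CLASS.search(key) and cmd != '"%1" %*':
                findings.append((key, cmd, 'exe handler is not "%1" %*'))
            elif browser and not first_program(cmd).lower().endswith(
                    '\\' + browser.group(1).lower()):
                findings.append((key, cmd, 'browser starts via another program'))
    return findings

if __name__ == '__main__':
    for key, cmd, reason in audit(SAMPLE):
        print(f'{reason}\n  {key}\n  {cmd}')
```

Exports written by regedit in the "Version 5.00" format are UTF-16, so decode the file with that encoding before passing its text to `audit`.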

  the hick 16:24 19 Jun 2011

Thank you for reply, are the random characters likely to be the ones at top of list? Not been here before! Thank you.

  Fruit Bat /\0/\ 17:12 19 Jun 2011

Just tell us the ones you think are the random characters before trying to stop the process

  the hick 17:26 19 Jun 2011

Random: SbPFCl.exe, SbPFSvcexe, RTHDCPL.exe sbPFLnch.exe

these ones look non-random to me CALMAIN.exe, jqs.exe, avgnt.exe,
ctfmon.exe, smss.exe

thanks for your help.

  rdave13 18:53 19 Jun 2011

Bleeping Computers removal instructions (scroll down a bit) if above is difficult.

  the hick 20:04 19 Jun 2011

rdave13, thanks for the link. However, FixNCR.reg does not seem to have a SAVE option, only RUN and CANCEL. Still a bit stuck!

  rdave13 20:23 19 Jun 2011

It won't if you download it and run. Download it but select 'save' and to a flash drive or cd/dvd disc. Once saved you can run the exe. file when required.

  rdave13 20:24 19 Jun 2011

Use a 'clean' PC to do this.

  the hick 21:22 19 Jun 2011

Now seems sorted, thank you all for your help. After I had run FIXncr.reg, I was able to do a 'System Restore', then downloaded IE-8 again. Result!

  rdave13 00:41 20 Jun 2011

I'd still run all your security apps in full mode just in case you've got hidden malware.

This thread is now locked and can not be replied to.
