XP Internet Security 2012

  the hick 16:01 PM 19 Jun 11

I downloaded IE8 earlier, now I have the above (maybe a coincidence). It's stopping me using internet on my PC (now using different PC), and tells me I have Trojan BNK.Win32.keylogger.gen. I am a bit stuck, don't know what to do next. Any advice much appreciated, thank you.

  Fruit Bat /\0/\ 16:10 PM 19 Jun 11

Ctrl + Alt + Del ---- Task Manager, Processes tab

Stop the following XP Internet Security 2012 processes:


Start - Run type regedit press OK

Navigate to and Remove the following XP Internet Security 2012 registry keys:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\XP Internet Security 2012

HKEY_CURRENT_USER\Software\XP Internet Security 2012

HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command "(Default)" = '"%LocalAppData%\kdn.exe" -a "%1" %*'

HKEY_CURRENT_USER\Software\Classes\exefile\shell\open\command "(Default)" = '"%LocalAppData%\kdn.exe" -a "%1" %*'

HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\BrowserEmulation "TLDUpdates" = '1'

HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command "(Default)" = '"%LocalAppData%\kdn.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe"'

HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command "(Default)" = '"%LocalAppData%\kdn.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode'

HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command "(Default)" = '"%LocalAppData%\kdn.exe" -a "C:\Program Files\Internet Explorer\iexplore.exe"'

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center "AntiVirusOverride" = '1'

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center "FirewallOverride" = '1'

HKEY_CLASSES_ROOT\.exe\shell\open\command "(Default)" = '"%LocalAppData%\kdn.exe" -a "%1" %*'

Locate (Search) and delete the following XP Internet Security 2012 files:


%AllUsersProfile%\Application Data\u3f7pnvfncsjk2e86abfbj5h

%LocalAppData%\kdn.exe

%LocalAppData%\u3f7pnvfncsjk2e86abfbj5h

%Temp%\u3f7pnvfncsjk2e86abfbj5h

%UserProfile%\Templates\u3f7pnvfncsjk2e86abfbj5h
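
An added example, not part of the original thread: a check for the hijacks listed in the post above, run over a registry export in .reg text form. The names `parse_reg`, `audit` and `SAMPLE` are hypothetical, the sample export is constructed from the values quoted above, and the input is assumed to be already decoded to text.

```python
import re
# Constructed sample in .reg export syntax, built from values quoted in the post above.
SAMPLE = r'''
[HKEY_CURRENT_USER\Software\Classes\exefile\shell\open\command]
@="\"%LocalAppData%\\kdn.exe\" -a \"%1\" %*"
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command]
@="\"%LocalAppData%\\kdn.exe\" -a \"C:\\Program Files\\Internet Explorer\\iexplore.exe\""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000000
'''
STOCK_EXE_HANDLER = '"%1" %*'   # Windows default for exefile\shell\open\command
USER_WRITABLE = ("%localappdata%", "%appdata%", "%temp%", "%userprofile%")
EXE_KEYS = (r"\.exe\shell\open\command", r"\exefile\shell\open\command")

def parse_reg(text):
    """Yield (key, value_name, data) tuples; string data is unescaped."""
    key = None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        m = re.match(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$', line)
        if m and key:
            name = "(Default)" if m.group(1) == "@" else m.group(1)[1:-1]
            data = m.group(2)
            if data.startswith('"'):
                data = re.sub(r'\\(.)', r'\1', data[1:-1])  # undo \" and \\
            yield key, name, data

def audit(text):
    """Return (key, value_name, reason) for each suspicious value."""
    findings = []
    for key, name, data in parse_reg(text):
        k = key.lower()
        if k.endswith(r"\command") and name == "(Default)":
            target = data.lstrip(' "').lower()  # start of the launched path
            if k.endswith(EXE_KEYS) and data != STOCK_EXE_HANDLER:
                findings.append((key, name, "exe handler differs from stock value"))
            elif target.startswith(USER_WRITABLE):
                findings.append((key, name, "handler runs from user-writable path"))
        elif k.endswith(r"\security center") and name.endswith("Override"):
            if data.lower().startswith("dword:") and int(data[6:], 16):
                findings.append((key, name, "Security Center override is set"))
    return findings

if __name__ == "__main__":
    print("\n".join(" | ".join(f) for f in audit(SAMPLE)))
```
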

  the hick 16:24 PM 19 Jun 11

Thank you for reply, are the random characters likely to be the ones at top of list? Not been here before! Thank you.

  Fruit Bat /\0/\ 17:12 PM 19 Jun 11

Just tell us the ones you think are the random characters before trying to stop the process.

  the hick 17:26 PM 19 Jun 11

Random: SbPFCl.exe, SbPFSvc.exe, RTHDCPL.exe, sbPFLnch.exe

These ones look non-random to me: CALMAIN.exe, jqs.exe, avgnt.exe, ctfmon.exe, smss.exe

Thanks for your help.

  rdave13 18:53 PM 19 Jun 11

Bleeping Computers removal instructions (scroll down a bit) if above is difficult.

  the hick 20:04 PM 19 Jun 11

rdave13, thanks for the link. However, FixNCR.reg does not seem to have a SAVE option, only RUN and CANCEL. Still a bit stuck!

  rdave13 20:23 PM 19 Jun 11

It won't if you download it and run. Download it but select 'save' and save to a flash drive or CD/DVD disc. Once saved you can run the .exe file when required.

  rdave13 20:24 PM 19 Jun 11

Use a 'clean' PC to do this.

  the hick 21:22 PM 19 Jun 11

Now seems sorted, thank you all for your help. After I had run FIXncr.reg, I was able to do a 'System Restore'. Then downloaded IE-8 again. Result!

  rdave13 00:41 AM 20 Jun 11

I'd still run all your security apps in full mode just in case you've got hidden malware.

