Thread: Virus found

  1. #1
    Join Date
    Dec 2011
    Posts
    3

    Virus found

    My 14-year-old daughter has got a virus on her computer. It has Windows 7. It is Trojan-BNK.Win32.Keylogger.gen. It will not connect to the internet. She got it off a site tailored to kids that I had blocked, but she talked me into unblocking it. Does anybody have a suggestion on how to get this gone? Thanks.

  2. #2
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    71
    Posts
    4,079
    Hello Waldo, sorry you had to wait so long. You are going to need a flash/thumb drive to begin to remove this infection. You will need to download several tools to a clean computer, move them to the thumb/flash drive and take them to the infected computer. If you do not have a flash drive, they are not expensive and you should be able to purchase one at Wal-Mart, K-Mart, Office Depot, Staples, Best Buy... basically anywhere that sells computer products. You don't need a large one; 2 to 4 GB would be more than enough.
    Now here are the steps you will need to take. Download ALL of these tools to the flash drive using the clean computer first. I am also giving these in the order you will use them.
    Just between us, I would suggest that you have your daughter sit in and watch or assist while you do these removals. It will be a good way for her to learn how and why to do the most important thing a person must do when using a computer... stay safe. Follow safe surfing practices. When she sees all the steps that will be required to clean her computer and make it usable, she will likely "think twice" the next time and remember what it took to get it clean this time. Just my opinion, but it's a good learning experience. Usually this infection can be removed, but it is not a quick process; it will take several hours at least. But it should be able to be accomplished.

    You will need to download these small files to the clean computer and move them to the flash drive:

    1. The registry fixer, FixNCR.reg, from http://download.bleepingcomputer.com/reg/FixNCR.reg

    2. rkill from here: http://www.bleepingcomputer.com/down...ti-virus/rkill. There will be seven copies of this file on the download page; all are the same file, just with different names in order to fool the infection. Download all 7 to the flash drive.

    3. Since these infections are sometimes bundled with the TDSS rootkit infection, to be safe you should also run a program that can scan for that infection, so download this tool to the flash drive as well: TDSSKiller from http://www.bleepingcomputer.com/down...rus/tdsskiller

    4. Finally download the install file for Malwarebytes' Anti-Malware (MBA-M) from here: http://www.bleepingcomputer.com/down...s-anti-malware

    Once you have all these tools downloaded to the flash drive, you can take them to the infected computer and begin in this order:

    1. The first tool you will use is FixNCR.reg.
    Insert the flash drive and open the drive. Ignore ANY warning you may receive from the infection processes that tell you that you must purchase anything or run a scan or anything like that. Double-click the FixNCR.reg file to fix the Registry.

    2. Next you will need to use rkill to stop the infection processes from running. Remember there are seven of these you can try until you get ONE of them to work. Begin with the first one; double-click to run it. When RKill does run, it will display a console screen that will continue to run until RKill has finished. Once finished, the box will close and a log will be displayed showing all of the processes that were terminated by RKill while it was running. If the first one doesn't run, then go to the next one; continue this until you get one of these to run as described. You may have to keep trying them all one by one until one works. Since RKill only terminates processes, after running it you should not reboot the computer, as any malware processes that are set to start automatically will just start up again. So after running RKill, proceed to step number 3.

    3. The next tool you will need to run is TDSSKiller, which is the tool that will look for and remove the TDSS rootkit if it is on the computer.
    You will need to put the TDSSKiller file onto the desktop of the infected computer. Before you can run TDSSKiller, you first need to rename it so that you can get it to run. To do this, right-click on the TDSSKiller.exe icon that should now be on your Desktop and select Rename. You can now edit the name of the file and should give it a random name with the .com extension, for example 123.com or 23kjasd123.com. If a random name does not work, please try renaming it as iexplore.com and attempt to run it again. Once the file is renamed, double-click on it to launch it. When you run the program, Windows may display a warning asking if you are certain you want to run the program. Click the Run button.
    TDSSKiller will now start and display the welcome screen. When you see this screen, just click on the Start scan button to have TDSSKiller scan your computer for the TDSS infection. When the scan has finished, it will display a result screen stating whether or not the infection was found on your computer. If it was found, it will display a screen telling you this; simply click on the Continue button and TDSSKiller will attempt to clean the infection. If it does not say Cure, leave it at the default action of Skip and press the Continue button. Do not change it to Delete or Quarantine, as it may delete infected files that are required for Windows to operate properly. When it has finished cleaning the infection, you will see a report stating whether or not it was successful. Sometimes complete cleaning requires a reboot; if this is the case, please do so. Click on the Reboot now button to reboot your computer and finish the removal of the TDSS infection from your computer.
    Now if the reboot begins the infection processes and warnings again, you will again have to run rkill to stop these processes before going forward. If this happens, follow the same rkill steps that you followed above.
    4. Once you have used rkill again, if you needed to do so, your next step will be the install, update and running of Malwarebytes' Anti-Malware (MBA-M).
    Again from the flash drive, double-click the MBA-M install file to install it on the infected computer. Follow these instructions for usage:

    Double-click mbam-setup.exe and follow the prompts to install MBA-M.
    * Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    * If an update is found, it will download and install the latest version if one is available. There are always new updates to the definitions.

    * Once the program has loaded, select Perform full scan, then choose the drive(s) then click Scan.
    * When the scan is complete, click OK, then Show Results to view the results.
    * Be sure that everything is checked, and click Remove Selected if malware is found.

    * When MBA-M finishes, Notepad will open with the log. The log can be retrieved by opening up MBAM and clicking on the Logs tab at the top of the program.

    Reboot the computer

    Hopefully you will then be able to go online with the computer. If you can then do the following:

    Run the ESET Online Scanner

    http://www.eset.com/onlinescan/scanner.php?i_agree=14

    * You can use Internet Explorer to complete this scan, and you will need to allow an ActiveX control to be installed, or you may use Firefox.
    * You will need to temporarily Disable your current Anti-virus program.
    * Be sure the option to Remove found threats is checked and the option to Scan unwanted applications is Checked.

    * When you have completed that scan, a scanlog ought to have been created and located at C:\Program Files\EsetOnlineScanner\log.txt.

    Come back here and copy/paste first the MBA-M log, then the ESET scan log. Once I see these logs, I can give you the next steps. Hopefully there will not be too many more after that.
