Discovered: August 18, 2008
Type: Removal Information
This tool is designed to remove the infections of:
How to download and run the tool
Follow these steps to download and run the tool.
Important:
- The application of these instructions is best performed by an experienced professional since important system files need to be changed. This process presents a risk to system stability and may also result in data loss. Ensure that all important personal data is backed up before following these instructions.
- You must have administrative rights to run this tool on Windows XP and Windows Vista.
- You must have a Windows XP/Windows Vista CD-ROM to recover system files.
- This document assumes that the system files are located on the C: drive.
1. Download and Install Norton Security Scan
- Download Norton Security Scan from:
ftp://ftp.symantec.com/misc/tools/nss/NortonSecurityScan.exe
- Save the file to a convenient location, such as your Windows desktop.
- Close all running programs.
- Create a new folder named NSS on your C: drive.
- Locate the file that you just downloaded.
- Double-click the NortonSecurityScan.exe file.
- Click Run.
- Click Browse, and then navigate to the following folder: C:\NSS
- Click Unzip.
- Click OK and then Close.
2. Run Norton Security Scan
- Navigate to the following folder: C:\NSS
- Double-click the NSS.exe file.
- Read the License Agreement, and then click I Agree to continue.
- "Downloading Protection Update" will appear on the GUI. Wait for the update process to finish before proceeding to the next step.
- Click Full System Scan and then click Start Scan.
If the following system files are reported to be infected with Trojan.Bankpatch.C!inf, they will need to be restored from trusted media.
- kernel32.dll
- powrprof.dll
- wininet.dll
If nothing is reported at this point, the system is clean and no further action is required.
- Click Next on the GUI when the scan finishes.
- NSS will report that: "Items need attention, please resolve them". Keep the default GUI settings and click Apply.
- Click Done and reboot the system when prompted.
3. Restore the Infected System Files
- Insert the Windows XP/Windows Vista CD-ROM into the CD-ROM drive.
- Restart the computer from the CD-ROM drive.
- Press R to start the Recovery Console when the "Welcome to Setup" screen appears.
- Select the option to access from the Recovery Console.
- If requested, provide the administrator password and press Enter.
- At the command prompt, type the following commands and press Enter after each line:
cd \windows\system32
[The following expand commands will require confirmation before overwriting the system files.]
expand [CD-ROM DRIVE LETTER]\i386\kernel32.dl_
expand [CD-ROM DRIVE LETTER]\i386\powrprof.dl_
expand [CD-ROM DRIVE LETTER]\i386\wininet.dl_
cd \windows\system32\dllcache
expand [CD-ROM DRIVE LETTER]\i386\kernel32.dl_
expand [CD-ROM DRIVE LETTER]\i386\powrprof.dl_
expand [CD-ROM DRIVE LETTER]\i386\wininet.dl_
exit
- The computer will now restart automatically.
- NSS will appear after login and will perform a follow-up scan to confirm the system has been cleaned.
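An added check, not part of the original instructions: step 3 expands each of the three files into both system32 and dllcache from the same CD-ROM, so after the restore the two copies of each file should be byte-identical. The Python script below compares them by SHA-256 and flags any file that is missing or differs; having Python available (on the repaired system or on a machine with its disk mounted) and the default C:\Windows\System32 path are assumptions.

```python
import hashlib
import sys
from pathlib import Path

# File names taken from the restore procedure above.
RESTORED_FILES = ("kernel32.dll", "powrprof.dll", "wininet.dll")


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so a large DLL is never read into memory at once."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def check_restored_files(system32: Path, names=RESTORED_FILES) -> dict:
    """Return {name: status}; status is 'match', 'mismatch' or 'missing'."""
    results = {}
    for name in names:
        live = system32 / name                  # copy Windows loads
        cached = system32 / "dllcache" / name   # copy restored in the second pass
        if not live.is_file() or not cached.is_file():
            results[name] = "missing"
        elif sha256_of(live) == sha256_of(cached):
            results[name] = "match"
        else:
            results[name] = "mismatch"
    return results


def main(argv):
    # Assumption: system files are on C:, as the document states.
    # Pass another path as the first argument to check a mounted disk.
    system32 = Path(argv[1]) if len(argv) > 1 else Path(r"C:\Windows\System32")
    results = check_restored_files(system32)
    for name, status in results.items():
        print(f"{name}: {status}")
    # Non-zero exit if any file is missing or the two copies differ.
    return 0 if all(s == "match" for s in results.values()) else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

A "mismatch" or "missing" result means one of the expand commands did not replace its target; repeat that command before relying on the follow-up scan.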