Trojan.Bankpatch Removal Tool

Discovered: August 18, 2008
Type: Removal Information

This tool is designed to remove the infections of:

• Trojan.Bankpatch.C
• Infostealer.Nadebanker

How to download and run the tool
Follow these steps to download and run the tool.

Important:

• The application of these instructions is best performed by an experienced professional since important system files need to be changed. This process presents a risk to system stability and may also result in data loss. Ensure that all important personal data is backed up before following these instructions.
• You must have administrative rights to run this tool on Windows XP and Windows Vista.
• You must have a Windows XP/Windows Vista CDROM to recover system files.
• This document assumes that the system files are located on the C: drive.
  

1. Download and Install Norton Security Scan

1. Download Norton Security Scan from:
   
   ftp://ftp.symantec.com/misc/tools/nss/NortonSecurityScan.exe
   
   
2. Save the file to a convenient location, such as your Windows desktop.
   
   
3. Close all running programs.
   
   
4. Create a new folder named NSS in your C drive.
   
   
5. Locate the file that you just downloaded.
   
   
6. Double-click the NortonSecurityScan.exe file.
   
   
7. Click Run.
   
   
8. Click Browse, and then navigate to the following folder: C:\NSS
   
   
9. Click Unzip.
   
   
10. Click OK and then Close.
    

2. Run Norton Security Scan

1. Navigate to the following folder: C:\NSS
   
   
2. Double-click the NSS.exe file.
   
   
3. Read the License Agreement, and then click I Agree to continue.
   
   
4. Downloading Protection Update will appear on the GUI. Wait for the update process to finish before proceeding to the next step.
   
   
5. Click Full System Scan and then click Start Scan.
   
   If the following system files are reported to be infected with Trojan.Bankpatch.C!inf, they will need to be restored from trusted media.
   
   
   • kernel32.dll
   • powrprof.dll
   • wininet.dll
   
   If nothing is reported at this point, the system is clean and no further action is required.
   
   
6. Click Next on the GUI when the scan finishes.
   
   
7. NSS will report that: "Items need attention, please resolve them". Keep the default GUI settings and click Apply.
   
   
8. Click Done and reboot the system when prompted.
   

3. Restore the Infected System Files

1. Insert the Windows XP/Windows Vista CD-ROM into the CD-ROM drive.
   
   
2. Restart the computer from the CD-ROM drive.
   
   
3. Press R to start the Recovery Console when the "Welcome to Setup" screen appears.
   
   
4. Select the option to access from the Recovery Console.
   
   
5. If requested, provide the administrator password and press Enter.
   
   
6. At the command prompt, type the following commands and press Enter after each line:
   
   cd windows\system32
   
   [The following expand commands will require confirmation before overwriting the system files.]
   
   expand [CD-ROM DRIVE LETTER]\i386\kernel32.dl_
   
   expand [CD-ROM DRIVE LETTER]\i386\powrprof.dl_
   
   expand [CD-ROM DRIVE LETTER]\i386\wininet.dl_
   
   cd windows\system32\dllcache
   
   expand [CD-ROM DRIVE LETTER]\i386\kernel32.dl_
   
   expand [CD-ROM DRIVE LETTER]\i386\powrprof.dl_
   
   expand [CD-ROM DRIVE LETTER]\i386\wininet.dl_
   
   exit
   
   
7. The computer will now restart automatically.
   
   
8. NSS will appear after login and will perform a follow up scan to confirm the system has been cleaned.