BTE35.SYS Virus

  • Thread starter Thread starter John
  • Start date Start date
J

John

Symantec found BTE35.SYS virus on a user's computer, but could not clean it.

I Google BTE35.SYS and cound not find any information.

This virus screwup Administrator account so that it has no permission to do
almost anything.

I tried to bootup in in Safemode and delete BTE35.SYS, but I can "see"
BTE35.SYS is still being loaded, so I cannot delete it because it's in use.

I tried booting off Windows XP PE CD and delete BTE35.SYS, but the hard
drive cannot be located, it's like the virus screwup the partition table or
MBR so it can't be loaded from Windows XP PE CD.

I tried booting off XPSP2 CD and do a repair, but booting off XPSP2 also
could not locate the hard drive to do a repair.

Any help would be greatly appreciated.
 
Basically, one is able to remove any sys file in operating system while it's
runing, because Windows does not lock sys files. In your case, it sounds
like a system has a rootkit, which prevents deleting itself.

Basically, any driver is registered as a service. So you can try to remove
the service entry in registry, reboot the machine. Theoretically, the
service would not start, so driver would not be loaded, and you will be able
to delete it. Open run, type regedit.exe, goto
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services, locate entry BTE35 and
remove it. Reboot machine. What happens?

P.S. I suggest to backup the entry before removing it, it might recover
unpredictable situations ...

--
V.
This posting is provided "AS IS" with no warranties, and confers no
rights.
"John" <John@discussions.microsoft.com> wrote in message
news:3F77F572-34E3-4E07-8723-8C1D5133269E@microsoft.com...
> Symantec found BTE35.SYS virus on a user's computer, but could not clean
> it.
>
> I Google BTE35.SYS and cound not find any information.
>
> This virus screwup Administrator account so that it has no permission to
> do
> almost anything.
>
> I tried to bootup in in Safemode and delete BTE35.SYS, but I can "see"
> BTE35.SYS is still being loaded, so I cannot delete it because it's in
> use.
>
> I tried booting off Windows XP PE CD and delete BTE35.SYS, but the hard
> drive cannot be located, it's like the virus screwup the partition table
> or
> MBR so it can't be loaded from Windows XP PE CD.
>
> I tried booting off XPSP2 CD and do a repair, but booting off XPSP2 also
> could not locate the hard drive to do a repair.
>
> Any help would be greatly appreciated.
 
From: "John" <John@discussions.microsoft.com>

| Symantec found BTE35.SYS virus on a user's computer, but could not clean it.
|
| I Google BTE35.SYS and cound not find any information.
|
| This virus screwup Administrator account so that it has no permission to do
| almost anything.
|
| I tried to bootup in in Safemode and delete BTE35.SYS, but I can "see"
| BTE35.SYS is still being loaded, so I cannot delete it because it's in use.
|
| I tried booting off Windows XP PE CD and delete BTE35.SYS, but the hard
| drive cannot be located, it's like the virus screwup the partition table or
| MBR so it can't be loaded from Windows XP PE CD.
|
| I tried booting off XPSP2 CD and do a repair, but booting off XPSP2 also
| could not locate the hard drive to do a repair.
|
| Any help would be greatly appreciated.

BTE35.SYS is a device driver and is most likely not a virus but a Trojan and very possible a
RootKit based Trojan.
I can't be sure because you failed to provide the exact name of the infector that Symantec
called this malware.

Running a repair is the WRONG idea! You would still be infected.

What you want to do is to run the WinXP Recovery Console.

You can install the Recovery Console by loading the CDROM while XP is running.

Assuming the CDROM drive is drive "D:", you want to run...

d:\i386\winnt32 /cmdcons

The the Recovery Console will then be installed and you can reboot the PC.

When you reboot you will be promted to loa either the Recovery Console or Windows XP. Load
the Recovery Console.

Logon as the administrator.

Use the "CD" command to chnge the directory to the location where BTE35.SYS is located.
Rename or delete the file.

Reboot the PC into Windows XP

Re-scan the PC.

You can also use my Multi AV Scanning Tool to perform the scan.


Download MULTI_AV.EXE from the URL --
http://www.pctipp.ch/downloads/dl/35905.asp

To use this utility, perform the following...
Execute Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose Unzip
Choose Close

Execute C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to allow it to download the needed AV vendor related files.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode.
This way all the components can be downloaded from each AV vendor's web site.
The choices are Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file.

Additional Instructions:
http://pcdid.com/Multi_AV.htm


* * * Please report back your results * * *


--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
 
I was able to remove BTE35.SYS by puting the infected hard drive into another
system and deleting that file.

After that I put the hard drive back and it boot up fine. I removed all
BTE35.SYS from the registry okay now. But when it was infected with
BTE35.SYS, I could not remove it from the registry. There was some
permissions problem before.

Also all Administrator rights came back after BTE35.SYS was removed.

I now running a full virus scan and spybot scan.

BTE35.SYS was downloaded by Trogan.Pandex, The user said a "friend" gave a
him a "screensaver" to install.

Thanks

"David H. Lipman" wrote:

> From: "John" <John@discussions.microsoft.com>
>
> | Symantec found BTE35.SYS virus on a user's computer, but could not clean it.
> |
> | I Google BTE35.SYS and cound not find any information.
> |
> | This virus screwup Administrator account so that it has no permission to do
> | almost anything.
> |
> | I tried to bootup in in Safemode and delete BTE35.SYS, but I can "see"
> | BTE35.SYS is still being loaded, so I cannot delete it because it's in use.
> |
> | I tried booting off Windows XP PE CD and delete BTE35.SYS, but the hard
> | drive cannot be located, it's like the virus screwup the partition table or
> | MBR so it can't be loaded from Windows XP PE CD.
> |
> | I tried booting off XPSP2 CD and do a repair, but booting off XPSP2 also
> | could not locate the hard drive to do a repair.
> |
> | Any help would be greatly appreciated.
>
> BTE35.SYS is a device driver and is most likely not a virus but a Trojan and very possible a
> RootKit based Trojan.
> I can't be sure because you failed to provide the exact name of the infector that Symantec
> called this malware.
>
> Running a repair is the WRONG idea! You would still be infected.
>
> What you want to do is to run the WinXP Recovery Console.
>
> You can install the Recovery Console by loading the CDROM while XP is running.
>
> Assuming the CDROM drive is drive "D:", you want to run...
>
> d:\i386\winnt32 /cmdcons
>
> The the Recovery Console will then be installed and you can reboot the PC.
>
> When you reboot you will be promted to loa either the Recovery Console or Windows XP. Load
> the Recovery Console.
>
> Logon as the administrator.
>
> Use the "CD" command to chnge the directory to the location where BTE35.SYS is located.
> Rename or delete the file.
>
> Reboot the PC into Windows XP
>
> Re-scan the PC.
>
> You can also use my Multi AV Scanning Tool to perform the scan.
>
>
> Download MULTI_AV.EXE from the URL --
> http://www.pctipp.ch/downloads/dl/35905.asp
>
> To use this utility, perform the following...
> Execute Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
> Choose Unzip
> Choose Close
>
> Execute C:\AV-CLS\StartMenu.BAT
> { or Double-click on 'Start Menu' in C:\AV-CLS }
>
> NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
> FireWall to allow it to download the needed AV vendor related files.
>
> C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
> This will bring up the initial menu of choices and should be executed in Normal Mode.
> This way all the components can be downloaded from each AV vendor's web site.
> The choices are Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.
>
> You can choose to go to each menu item and just download the needed files or you can
> download the files and perform a scan in Normal Mode. Once you have downloaded the files
> needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
> during boot] and re-run the menu again and choose which scanner you want to run in Safe
> Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.
>
> When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
> file.
>
> Additional Instructions:
> http://pcdid.com/Multi_AV.htm
>
>
> * * * Please report back your results * * *
>
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
>
>
>
 
From: "John" <John@discussions.microsoft.com>

| I was able to remove BTE35.SYS by puting the infected hard drive into another
| system and deleting that file.
|
| After that I put the hard drive back and it boot up fine. I removed all
| BTE35.SYS from the registry okay now. But when it was infected with
| BTE35.SYS, I could not remove it from the registry. There was some
| permissions problem before.
|
| Also all Administrator rights came back after BTE35.SYS was removed.
|
| I now running a full virus scan and spybot scan.
|
| BTE35.SYS was downloaded by Trogan.Pandex, The user said a "friend" gave a
| him a "screensaver" to install.
|
| Thanks
|

Malware will often protect the Registry keys that loads the malware as an act of self
preservation.

Using a surrogate PC to perform a anti malware scan or to remove files is a good idea but
most people don't have a second PC, or the capability, to use a surrogate PC. That why my
suggestion was to to use the Recovery Console.

I still suggest installing the Recovery Console as it is easier to boot in to the Recovery
Console then it is to remove a harddisk from an infected PC and install it in a surrogate
PC.

Please read the following on this Trojan. Especially the Technical Details.
Trojan.Pandex -- http://www.symantec.com/security_response/writeup.jsp?docid=2007-042001-1448-99

I do strongly suggest using my Multi AV Scanning Tool (SpyBot in this case is insufficient)
as Symantec *may* miss peer files and other Trojans that may be on the PC. I suggest
starting with the Sophos module as Sophos was identified in the above URL as also knowing
this Trojan as
Troj/Pushdo-B - http://www.sophos.com/virusinfo/analyses/trojpushdob.html
http://www.sophos.com/security/anal..._search&action=search&submit.x=61&submit.y=13


--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
 
I did install the Recovery Console and when I tried to boot the Recover
Console, it gave me a Bugcheck 7B.

"David H. Lipman" wrote:

> From: "John" <John@discussions.microsoft.com>
>
> | I was able to remove BTE35.SYS by puting the infected hard drive into another
> | system and deleting that file.
> |
> | After that I put the hard drive back and it boot up fine. I removed all
> | BTE35.SYS from the registry okay now. But when it was infected with
> | BTE35.SYS, I could not remove it from the registry. There was some
> | permissions problem before.
> |
> | Also all Administrator rights came back after BTE35.SYS was removed.
> |
> | I now running a full virus scan and spybot scan.
> |
> | BTE35.SYS was downloaded by Trogan.Pandex, The user said a "friend" gave a
> | him a "screensaver" to install.
> |
> | Thanks
> |
>
> Malware will often protect the Registry keys that loads the malware as an act of self
> preservation.
>
> Using a surrogate PC to perform a anti malware scan or to remove files is a good idea but
> most people don't have a second PC, or the capability, to use a surrogate PC. That why my
> suggestion was to to use the Recovery Console.
>
> I still suggest installing the Recovery Console as it is easier to boot in to the Recovery
> Console then it is to remove a harddisk from an infected PC and install it in a surrogate
> PC.
>
> Please read the following on this Trojan. Especially the Technical Details.
> Trojan.Pandex -- http://www.symantec.com/security_response/writeup.jsp?docid=2007-042001-1448-99
>
> I do strongly suggest using my Multi AV Scanning Tool (SpyBot in this case is insufficient)
> as Symantec *may* miss peer files and other Trojans that may be on the PC. I suggest
> starting with the Sophos module as Sophos was identified in the above URL as also knowing
> this Trojan as
> Troj/Pushdo-B - http://www.sophos.com/virusinfo/analyses/trojpushdob.html
> http://www.sophos.com/security/anal..._search&action=search&submit.x=61&submit.y=13
>
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
>
>
>
 
That means, that a blue screen (BSOD) appeared. Most likely the crappy
driver calls KeBugCheck to simulate system error, and thus prevent
recovering the system.

--
V
This posting is provided "AS IS" with no warranties, and confers no
rights.
"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
news:O1VJ87hYIHA.2268@TK2MSFTNGP02.phx.gbl...
> From: "John" <John@discussions.microsoft.com>
>
> | I did install the Recovery Console and when I tried to boot the Recover
> | Console, it gave me a Bugcheck 7B.
> |
>
> Hmmmm...
> I don't know what that means. I have never seen it and I have installed
> the Recovery
> Console numerous times.
>
> I'll have to research this.
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
>
>
 
Back
Top