From: "John" <John@discussions.microsoft.com>
| Symantec found BTE35.SYS virus on a user's computer, but could not clean it.
|
| I Googled BTE35.SYS and could not find any information.
|
| This virus screwed up the Administrator account so that it has no permission to do
| almost anything.
|
| I tried to boot up in Safe Mode and delete BTE35.SYS, but I can "see"
| BTE35.SYS is still being loaded, so I cannot delete it because it's in use.
|
| I tried booting off a Windows XP PE CD and deleting BTE35.SYS, but the hard
| drive cannot be located; it's like the virus screwed up the partition table or
| MBR so it can't be loaded from the Windows XP PE CD.
|
| I tried booting off the XPSP2 CD and doing a repair, but booting off XPSP2 also
| could not locate the hard drive to do a repair.
|
| Any help would be greatly appreciated.

BTE35.SYS is a device driver and is most likely not a virus but a Trojan and very possibly a
RootKit based Trojan.

I can't be sure because you failed to provide the exact name of the infector that Symantec
called this malware.

Running a repair is the WRONG idea! You would still be infected.

What you want to do is to run the WinXP Recovery Console.
You can install the Recovery Console by loading the CDROM while XP is running.
Assuming the CDROM drive is drive "D:", you want to run...

    d:\i386\winnt32 /cmdcons

The Recovery Console will then be installed and you can reboot the PC.
When you reboot you will be prompted to load either the Recovery Console or Windows XP. Load
the Recovery Console.
Log on as the administrator.
Use the "CD" command to change the directory to the location where BTE35.SYS is located.
Rename or delete the file.
Reboot the PC into Windows XP.
Re-scan the PC.

You can also use my Multi AV Scanning Tool to perform the scan.
Download MULTI_AV.EXE from the URL --
http://www.pctipp.ch/downloads/dl/35905.asp
To use this utility, perform the following...
Execute Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose Unzip
Choose Close
Execute C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }
NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to allow it to download the needed AV vendor related files.
C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode.
This way all the components can be downloaded from each AV vendor's web site.
The choices are Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.
You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.
When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file.
Additional Instructions:
http://pcdid.com/Multi_AV.htm
* * * Please report back your results * * *
--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV -
http://www.pctipp.ch/downloads/dl/35905.asp