BTE35.SYS Virus

Subject Author Date
BTE35.SYS Virus John 01-28-2008
|--> Re: BTE35.SYS Virus Volodymyr Shche...01-28-2008
Posted by John on January 28, 2008, 4:18 pm
Symantec found the BTE35.SYS virus on a user's computer, but could not clean it.

I Googled BTE35.SYS and could not find any information.

This virus screwed up the Administrator account so that it has no permission to do
almost anything.

I tried to boot up in Safe Mode and delete BTE35.SYS, but I can "see" that
BTE35.SYS is still being loaded, so I cannot delete it because it's in use.

I tried booting off a Windows XP PE CD and deleting BTE35.SYS, but the hard
drive cannot be located; it's like the virus screwed up the partition table or
MBR so it can't be loaded from the Windows XP PE CD.

I tried booting off the XP SP2 CD and doing a repair, but booting off XP SP2 also
could not locate the hard drive to do a repair.

Any help would be greatly appreciated.

Posted by Volodymyr Shcherbyna on January 28, 2008, 4:27 pm
Basically, one is able to remove any sys file in the operating system while it's
running, because Windows does not lock sys files. In your case, it sounds
like the system has a rootkit, which prevents deleting itself.

Basically, any driver is registered as a service. So you can try to remove
the service entry in the registry and reboot the machine. Theoretically, the
service would not start, so the driver would not be loaded, and you will be able
to delete it. Open Run, type regedit.exe, go to
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services, locate the entry BTE35 and
remove it. Reboot the machine. What happens?

P.S. I suggest backing up the entry before removing it; it might help recover from
unpredictable situations ...

--
V.
This posting is provided "AS IS" with no warranties, and confers no
rights.
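Volodymyr's point that every kernel driver has an entry under HKLM\SYSTEM\CurrentControlSet\Services is the basis for a quick triage listing: enumerate the Type 1 (kernel driver) entries, resolve where each ImagePath actually points, and flag the ones that are missing from disk, live outside System32\drivers, or carry no valid signature. The PowerShell below is an added example written for this page; it is not code from the thread or from any poster. It assumes PowerShell 3.0 or later (so it would not run on an XP box as shipped in 2008) and runs from an elevated prompt; the filters that decide what counts as "suspicious" are the editor's own assumptions, not Symantec's detection logic.

```powershell
# Added example, not from the thread. Lists kernel-mode driver services from
# the live registry and flags the ones worth a closer look. Run from an
# elevated PowerShell 3.0+ prompt on the suspect machine. Nothing here is
# specific to BTE35; the "suspicious" filters are assumptions.

$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$driverDir   = Join-Path $env:SystemRoot 'System32\drivers'

function Resolve-DriverImage {
    # Turn the forms the kernel accepts in ImagePath into a plain Win32 path.
    param([string]$ImagePath, [string]$ServiceName)
    if ([string]::IsNullOrEmpty($ImagePath)) {
        # No ImagePath: the loader falls back to System32\drivers\<service>.sys
        return Join-Path $driverDir "$ServiceName.sys"
    }
    $p = $ImagePath -replace '^\\\?\?\\', ''            # \??\C:\... -> C:\...
    $p = $p -replace '^\\SystemRoot\\', ''              # \SystemRoot\system32\... -> system32\...
    $p = [Environment]::ExpandEnvironmentVariables($p)  # %SystemRoot%\... -> C:\Windows\...
    if (-not [IO.Path]::IsPathRooted($p)) {             # system32\drivers\x.sys is relative to the Windows directory
        $p = Join-Path $env:SystemRoot $p
    }
    return $p
}

function Get-KernelDriverReport {
    Get-ChildItem -Path $servicesKey -ErrorAction SilentlyContinue | ForEach-Object {
        $v = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
        if ($null -eq $v -or $v.Type -ne 1) { return }       # Type 1 = SERVICE_KERNEL_DRIVER; return skips this entry
        $image  = Resolve-DriverImage -ImagePath $v.ImagePath -ServiceName $_.PSChildName
        $onDisk = Test-Path -LiteralPath $image
        [pscustomobject]@{
            Name     = $_.PSChildName
            Start    = $v.Start          # 0 boot, 1 system, 2 auto, 3 demand, 4 disabled
            Image    = $image
            OnDisk   = $onDisk
            InDrvDir = $image.StartsWith($driverDir, [StringComparison]::OrdinalIgnoreCase)
            # Authenticode status. Catalog-signed in-box drivers can show NotSigned on
            # older Windows, so treat this column as a hint, not a verdict.
            Signed   = if ($onDisk) { (Get-AuthenticodeSignature -FilePath $image).Status } else { 'n/a' }
        }
    }
}

# Suspicious: starts at boot/system/auto but is missing from disk (or hidden
# from this view), sits outside the driver directory, or is not validly signed.
Get-KernelDriverReport |
    Where-Object { $_.Start -le 2 -and (-not $_.OnDisk -or -not $_.InDrvDir -or $_.Signed -ne 'Valid') } |
    Sort-Object Name |
    Format-Table -AutoSize
```

One caveat that matters for this thread: the listing is read through the running kernel, so a rootkit that filters registry enumeration can hide its own key from it. A driver that is demonstrably loaded (the "in use" error on delete) but absent from this list is itself a finding, and is the reason an offline view of the disk (Recovery Console or a surrogate PC) is the next step rather than more scanning from inside the infected system.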



Posted by David H. Lipman on January 28, 2008, 4:30 pm

BTE35.SYS is a device driver and is most likely not a virus but a Trojan, and very
possibly a rootkit-based Trojan.
I can't be sure because you failed to provide the exact name that Symantec gave
this malware.

Running a repair is the WRONG idea! You would still be infected.

What you want to do is run the WinXP Recovery Console.

You can install the Recovery Console by loading the CD-ROM while XP is running.

Assuming the CD-ROM drive is drive "D:", you want to run...

d:\i386\winnt32 /cmdcons

The Recovery Console will then be installed and you can reboot the PC.

When you reboot you will be prompted to load either the Recovery Console or
Windows XP. Load the Recovery Console.

Log on as the administrator.

Use the "CD" command to change the directory to the location where BTE35.SYS is
located. Rename or delete the file.

Reboot the PC into Windows XP.

Re-scan the PC.

You can also use my Multi AV Scanning Tool to perform the scan.


Download MULTI_AV.EXE from the URL --
http://www.pctipp.ch/downloads/dl/35905.asp

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software firewall or allow WGET.EXE through
your firewall so it can download the needed AV vendor related files.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal
Mode. This way all the components can be downloaded from each AV vendor's web site.
The choices are: Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files, or you
can download the files and perform a scan in Normal Mode. Once you have downloaded
the files needed for each scanner you want to use, you should reboot the PC into
Safe Mode [F8 key during boot] and re-run the menu again and choose which scanner
you want to run in Safe Mode. It is suggested to run the scanners in both Safe Mode
and Normal Mode.

When the menu is displayed, hitting 'H' or 'h' will bring up a more comprehensive
PDF help file.

Additional Instructions:
http://pcdid.com/Multi_AV.htm


* * * Please report back your results * * *


--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp



Posted by John on January 28, 2008, 7:05 pm
I was able to remove BTE35.SYS by putting the infected hard drive into another
system and deleting that file.

After that I put the hard drive back and it booted up fine. I removed all
BTE35.SYS entries from the registry okay now. But when it was infected with
BTE35.SYS, I could not remove it from the registry. There was some
permissions problem before.

Also all Administrator rights came back after BTE35.SYS was removed.

I am now running a full virus scan and Spybot scan.

BTE35.SYS was downloaded by Trojan.Pandex. The user said a "friend" gave
him a "screensaver" to install.

Thanks


Posted by David H. Lipman on January 28, 2008, 7:45 pm

Malware will often protect the Registry keys that load the malware as an act of
self-preservation.

Using a surrogate PC to perform an anti-malware scan or to remove files is a good
idea, but most people don't have a second PC, or the capability, to use a surrogate
PC. That is why my suggestion was to use the Recovery Console.

I still suggest installing the Recovery Console, as it is easier to boot into the
Recovery Console than it is to remove a hard disk from an infected PC and install
it in a surrogate PC.

Please read the following on this Trojan. Especially the Technical Details.
Trojan.Pandex --
http://www.symantec.com/security_response/writeup.jsp?docid=2007-042001-1448-99

I do strongly suggest using my Multi AV Scanning Tool (SpyBot in this case is
insufficient), as Symantec *may* miss peer files and other Trojans that may be on
the PC. I suggest starting with the Sophos module, as Sophos was identified in the
above URL as also knowing this Trojan as:
Troj/Pushdo-B - http://www.sophos.com/virusinfo/analyses/trojpushdob.html
http://www.sophos.com/security/analyses/search-results/?search=Pushdo&product_search=virus_search&action=search&submit.x=61&submit.y=13


--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
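John's fix (pull the disk, delete the file from a clean machine) and Volodymyr's registry removal can be done in one pass from the surrogate PC by editing the infected disk's offline SYSTEM hive instead of the running registry. That sidesteps the two things that blocked John on the live system: a kernel-mode rootkit guarding its own key is not running on the surrogate, and the surrogate's own kernel, not the infected one, is what reads the disk, so the "hard drive cannot be located" problem does not apply. The PowerShell below is an added example, not code from the thread or from any poster. It assumes the infected disk is attached to a clean machine as a data disk with its Windows directory at E:\WINDOWS, that C:\IR\backup is writable, and PowerShell 3.0 or later on the clean machine, run elevated. The service name BTE35 and every path are assumptions taken from this thread, not verified details of Trojan.Pandex.

```powershell
# Added example, not from the thread. The infected disk is attached to a
# clean machine as a data disk and its Windows directory is E:\WINDOWS (an
# assumed path). Loads that disk's SYSTEM hive, backs up and removes the
# driver's service key from the control set the disk will boot with, and
# quarantines the driver image. BTE35 is the default only because it is the
# name used in this thread; every path here is an assumption.
param(
    [string]$OfflineWindows = 'E:\WINDOWS',
    [string]$ServiceName    = 'BTE35',
    [string]$BackupDir      = 'C:\IR\backup'
)

$hiveFile = Join-Path $OfflineWindows 'System32\config\SYSTEM'
$mount    = 'HKLM\OfflineSYSTEM'      # reg.exe spelling of the mount point
$mountPs  = 'HKLM:\OfflineSYSTEM'     # registry-provider spelling of the same key

function Resolve-OfflineImage([string]$ImagePath) {
    # Map the ImagePath stored in the offline hive onto the attached disk.
    if ([string]::IsNullOrEmpty($ImagePath)) {
        return Join-Path $OfflineWindows "System32\drivers\$ServiceName.sys"
    }
    $p = $ImagePath -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', ''
    if ($p -match '^[A-Za-z]:\\') {
        # Absolute path on the infected system's own drive: swap in the letter
        # the disk has here (assumes the file lived on the system drive).
        return $OfflineWindows.Substring(0, 2) + $p.Substring(2)
    }
    return Join-Path $OfflineWindows $p   # system32\drivers\x.sys is relative to the Windows directory
}

New-Item -ItemType Directory -Force -Path $BackupDir | Out-Null

# 1. Load the hive. This fails if anything else has it open, which is why the
#    disk must not be the one this machine booted from.
& reg.exe load $mount $hiveFile | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg load failed for $hiveFile" }

try {
    # 2. CurrentControlSet is a link that exists only on a running system.
    #    In an offline hive, Select\Current names the real ControlSetNNN.
    $current = (Get-ItemProperty -Path "$mountPs\Select").Current
    $csName  = 'ControlSet{0:D3}' -f $current
    $svcKey  = "$mountPs\$csName\Services\$ServiceName"
    if (-not (Test-Path -Path $svcKey)) { throw "no service key for $ServiceName in $csName" }

    $v = Get-ItemProperty -Path $svcKey
    Write-Host "Type=$($v.Type) Start=$($v.Start) ImagePath=$($v.ImagePath)"

    # 3. Back up the key first, as Volodymyr suggested in the thread.
    $backup = Join-Path $BackupDir "$ServiceName-$csName.reg"
    & reg.exe export "$mount\$csName\Services\$ServiceName" $backup /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg export failed" }

    # 4. Delete the key. A rootkit that blocked this from kernel mode on the
    #    live system is not running here. If the key instead carries a
    #    restrictive ACL, take ownership of it first; ACLs travel with the hive.
    Remove-Item -Path $svcKey -Recurse -Force

    # 5. Quarantine the driver image: keep a copy for analysis, then rename it
    #    so nothing can load it even if a second autostart entry points at it.
    $image = Resolve-OfflineImage $v.ImagePath
    if (Test-Path -LiteralPath $image) {
        Copy-Item -LiteralPath $image -Destination $BackupDir
        Rename-Item -LiteralPath $image -NewName ((Split-Path $image -Leaf) + '.quarantine')
    } else {
        Write-Warning "driver image not found at $image"
    }
}
finally {
    # 6. Unload, or the hive file stays locked and the disk will not boot.
    [GC]::Collect()          # drop provider handles PowerShell may still hold
    & reg.exe unload $mount | Out-Null
}
```

After the hive is unloaded, scan the attached disk from the clean machine before returning it; the thread's own advice about peer files dropped by the Trojan applies, and a scan run from the surrogate is not subject to whatever the rootkit was hiding on the live system.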


