Agent.BTZ/Worm:W32 Removal Tool & Removal Guide

What is Agent.BTZ:

Threat Classification: Rootkit/Worm

Agent.BTZ, or Worm:W32 (the predecessor of the Snake malware, also known as Turla or Uroburos), is a malicious worm that targets computers running the Windows operating system. Agent.BTZ was first seen in 2008, when a rapidly spreading unknown worm crawled across the US Military Command Centre. A research report by Kaspersky Lab reveals that the mysterious worm known as Agent.BTZ infected around 400,000 computers across Russia and the European Union after its first target, the Central Command of the US military. Agent.BTZ is widely described as a software worm used for espionage.

*Worm – malicious software that replicates independently by copying itself to other systems.

The infection might come from various sources: infected files from P2P networks, torrents or other file-sharing applications, email attachments, etc. However, its main ways of spreading are removable media such as USB drives and the local network.

When an infected drive or disc is plugged into a computer, the worm copies itself onto the connected PC. Once running, Agent.BTZ automatically downloads code from a remote location, starts building profiles of the infected machines and then sends the stolen data back to its creators.

Furthermore, once the infection is executed on your computer, it embeds itself deep in the system by modifying the registry so that it starts with Windows on every boot. When new media is inserted, it creates an AUTORUN.INF file in the root of each new drive together with a malicious .dll file.

Since its first appearance, the worm has been very hard to detect. It is believed that when it identifies targets of interest, such as military networks or banks, Agent.BTZ can be used to gain remote control of the system and steal personal, financial or other information. That is why this infection should not be left unattended and needs to be removed immediately, as it is a serious threat to your online security.

!!! Please note that this infection could potentially bring other malware onto your computer and even cause a loss of data. Please do not underestimate such a threat.

Removal Process:

There are two ways to remove this infection. It is totally up to you to decide which way you want to go:

1. Automatic Removal Method (recommended for regular or novice users) using professional malware removal software.

2. Manual Removal (recommended for PC Experts or Enthusiasts).

Automatic Agent.BTZ Removal:

We recommend using SpyHunter Malware Security Suite.

You can download and install SpyHunter to detect Agent.BTZ and remove it by clicking the button below. Once installed, SpyHunter will automatically scan for and detect all threats present on your system, but in order to use it as a removal tool, you need to purchase a subscription.

Learn more about SpyHunter (EULA). You can find install instructions here: (LINK). SpyHunter's free diagnosis offers free scans and detection. You can remove the detected files, processes and registry entries manually, or purchase the full version to perform an automatic removal and receive free professional help for any malware-related queries from their technical support department.

Manual Agent.BTZ Removal:

!!! Please note: You can remove Agent.BTZ manually. However, you proceed at your own risk: any of these interventions might render your system inoperable. Therefore, this manual removal method is recommended only for PC experts or enthusiasts. For regular users, MalwareKillers.com recommends using SpyHunter or any other reputable security application.

1. Remove Agent.BTZ by restoring your system to a previous state.

1. Reboot your computer into Safe Mode with Command Prompt. To do this, turn your computer off and then back on, and as soon as anything appears on the screen, start tapping the F8 key on your keyboard.

***For Windows 8:

If you are using Windows 8, you need to hold the Shift key and tap the F8 key repeatedly; this should boot you into the new advanced "recovery mode", where the advanced repair options are offered. On the next screen, click the Troubleshoot option, then select Advanced Options and then Windows Startup Settings. Click the Restart button, and you should now see the Advanced Boot Options screen.

2. Using the arrow keys on your keyboard, select the option “Safe Mode with Command Prompt” and press Enter on your keyboard.

3. When the command prompt loads up, type:

Windows XP: C:\windows\system32\restore\rstrui.exe and press Enter

Windows Vista/7/8: C:\windows\system32\rstrui.exe and press Enter

4. System Restore should initialize and show you a list of restore points. Choose a restore point created just before the date and time Agent.BTZ infected your computer.

When System Restore has completed, start your computer in normal mode and perform a scan with anti-spyware software, as the infection might still be on the system.

2. Remove Agent.BTZ under Safe Mode or Offline using a Rescue Disc:

1. Reboot your computer as described above, but select Safe Mode with Networking. Alternatively, boot the computer from a Rescue CD that you prepared before starting the removal process.

2. Open Registry Editor (if using a Rescue CD, load the registry hive).

3. Check the following registry keys for any entries related to the infection and remove any you find:

Shell:

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell

*Default entry must be: Explorer.exe

UserInit:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit

*Default entry must be: C:\WINDOWS\system32\userinit.exe,

Notify:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify

AppInit_DLLs:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows

*Default entry must be:

Windows XP: rundll32 shell32,Control_RunDLL "sysdm.cpl"

Windows Vista/7/8: SystemPropertiesPerformance.exe /pagefile

Run:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

SharedTaskScheduler:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler

*Please be extremely careful when modifying the default entries of Shell, UserInit and AppInit_DLLs, as you can break your system.

4. Check and remove/modify the following entries/values:

HKLM\Software\Classes\CLSID\{FBC38650-8B81-4BE2-B321-EEFF22D7DC62} (default) = Java.Runtime.52

HKLM\Software\Classes\CLSID\{FBC38650-8B81-4BE2-B321-EEFF22D7DC62}\InprocServer32 (default) = C:\WINDOWS\system32\muxbde40.dll

HKLM\Software\Classes\CLSID\{FBC38650-8B81-4BE2-B321-EEFF22D7DC62}\InprocServer32 ThreadingModel = Apartment

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\UpdateCheck = {FBC38650-8B81-4BE2-B321-EEFF22D7DC62}

HKLM\Software\Microsoft\Windows\CurrentVersion\StrtdCfg

HKLM\Software\Classes\CLSID\{FBC38650-8B81-4BE2-B321-EEFF22D7DC62}

HKLM\Software\Classes\CLSID\{FBC38650-8B81-4BE2-B321-EEFF22D7DC62}\InprocServer32

5. Delete any files or folders related to Agent.BTZ by checking the following locations:

Look for the following files or similar:

%windir%\system32\muxbde40.dll

%windir%\system32\winview.ocx

%temp%\6D73776D706461742E746C62FA.tmp

%windir%\system32\mswmpdat.tlb

%ALLUSERSPROFILE%

%APPDATA%

%USERPROFILE%

%PROGRAMFILES%

%PROGRAMFILES(x86)%

%COMMONPROGRAMFILES%

%COMMONPROGRAMFILES(x86)%

%WINDIR%
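The following read-only audit script is an added example written for this guide (it is not part of the original page or of any vendor tool). Run from an elevated PowerShell prompt, it checks the registry locations from steps 3 and 4 and the dropped files from step 5 and only reports what it finds; it assumes the Userinit default lives under %SystemRoot% rather than the literal C:\WINDOWS path.

```powershell
# Added read-only audit for the Agent.BTZ persistence points listed in this guide.
# It reports findings and changes nothing; run from an elevated PowerShell prompt.
$Findings = New-Object System.Collections.Generic.List[string]

function Test-RegValue {
    param([string]$Key, [string]$Name, [string]$Expected)
    $v = [string](Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue).$Name
    if (-not $v) { return }                       # value absent or empty: nothing to flag
    if ($Expected -and ($v.Trim() -ine $Expected)) {
        $Findings.Add("$Key\$Name = '$v' (expected '$Expected')")
    } elseif (-not $Expected) {
        $Findings.Add("$Key\$Name is set: '$v' (normally empty on a clean system)")
    }
}

# Winlogon Shell / Userinit defaults from step 3 (assumption: %SystemRoot% instead of C:\WINDOWS).
$Winlogon = 'Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
Test-RegValue "HKLM:\$Winlogon" 'Shell'    'explorer.exe'
Test-RegValue "HKCU:\$Winlogon" 'Shell'    'explorer.exe'
Test-RegValue "HKLM:\$Winlogon" 'Userinit' "$env:SystemRoot\system32\userinit.exe,"
Test-RegValue 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Windows' 'AppInit_DLLs' ''

# The CLSID and ShellServiceObjectDelayLoad loader this guide associates with the worm (step 4).
$Clsid = '{FBC38650-8B81-4BE2-B321-EEFF22D7DC62}'
$ClsidKey = "HKLM:\Software\Classes\CLSID\$Clsid"
if (Test-Path $ClsidKey) {
    $srv = (Get-ItemProperty "$ClsidKey\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
    $Findings.Add("CLSID $Clsid is registered; InprocServer32 = '$srv'")
}
$Ssodl = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad'
Get-Item $Ssodl -ErrorAction SilentlyContinue | ForEach-Object {
    foreach ($name in $_.GetValueNames()) {
        $data = [string]$_.GetValue($name)
        if ($data -ieq $Clsid) { $Findings.Add("ShellServiceObjectDelayLoad\$name -> $data (Agent.BTZ CLSID)") }
    }
}
if (Test-Path 'HKLM:\Software\Microsoft\Windows\CurrentVersion\StrtdCfg') {
    $Findings.Add('HKLM\Software\Microsoft\Windows\CurrentVersion\StrtdCfg exists')
}

# Dropped files named in step 5 (the %temp% file name is taken from the guide as-is).
$Files = @("$env:windir\system32\muxbde40.dll", "$env:windir\system32\winview.ocx",
           "$env:windir\system32\mswmpdat.tlb", "$env:TEMP\6D73776D706461742E746C62FA.tmp")
foreach ($f in $Files) { if (Test-Path $f) { $Findings.Add("file present: $f") } }

if ($Findings.Count -gt 0) { $Findings | ForEach-Object { Write-Warning $_ } }
else { Write-Host 'None of the Agent.BTZ indicators from this guide were found.' }
```

A hit on the Shell or Userinit check should be verified against the defaults given in step 3 before anything is changed, since a wrong edit there prevents Windows from starting the desktop.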
