What Is Microsoft "Boot Time Removal Tool"?

5

I'm working on a Windows 7 computer. The owner reports that they believe the computer has been infected by malware and that they had an overseas company attempt to fix the problem but that something they did rendered the computer unable to boot.

I've found a somewhat suspicious driver file named trjaaake.sys located in C:\Windows\System32\Drivers. The file was only recently created/modified although it appears to me that it was created/modified about two days after the assumed infection. Under the version tab for this file I see the following:

Description: Boot Time Removal Tool
Company: Microsoft Corporation
File Version: 1.1.16.0
Internal Name: BootTimeRemoval
Original File Name: BTR.sys
Product Name: Microsoft Malware Protection
Product Version: 1.1.0016.0

The file appears to be signed with a digital signature but I don't know how to tell if the signature is legitimate/valid.

I submitted the file to VirusTotal and all 42 different antivirus engines report that the file is OK. Norton File Insight also says that this file is used by thousands of computer users and that it has been given a trusted rating.

I did find a file in C:\Windows\Temp called BootClean.log. It contains the following (I've changed the username to "[redacted]"):

Boot Time Removal Tool started
Error 0xc0000034 opening (\??\C:\Users\[redacted]\Desktop\SMART_HDD.lnk) for reparse check.
Unable to strip attributes from \??\C:\Users\[redacted]\Desktop\SMART_HDD.lnk with error 0xc0000034
Error 0xc0000034 removing: \??\C:\Users\[redacted]\Desktop\SMART_HDD.lnk 
Error 0xc0000034 opening (\??\C:\Users\[redacted]\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\SMART_HDD.lnk) for reparse check.
Unable to strip attributes from \??\C:\Users\[redacted]\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\SMART_HDD.lnk with error 0xc0000034
Error 0xc0000034 removing: \??\C:\Users\[redacted]\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\SMART_HDD.lnk 
Error 0xc0000034 opening (\??\C:\ProgramData\1yfOZG3BLWgtFb.exe) for reparse check.
Unable to strip attributes from \??\C:\ProgramData\1yfOZG3BLWgtFb.exe with error 0xc0000034
Error 0xc0000034 removing: \??\C:\ProgramData\1yfOZG3BLWgtFb.exe 
Removed \??\C:\Users\[redacted]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\smart hdd\ 
BTR Completed Successfully

So I guess my question is, does anyone know what this file is? Is it maybe part of Microsoft's Malicious Software Removal Tool?

HK1

Posted 2012-04-28T19:36:25.357

Reputation: 358

Well, I would just delete it since I Googled it and can't find anything. If it is a file which is needed (which I seriously doubt), just run a repair disk and that will have you fixed up, or should. Also, I find having an overseas company fix a computer very odd. – cutrightjm – 2012-04-28T20:11:26.073

Until you figure it out, be safe: rename it to trjaaake.sys.bak; it may be legitimate. See this article to clean any infections it may have: http://superuser.com/questions/100360/computer-is-infected-by-a-virus-or-a-malware-what-do-i-do-now/157533#157533

– Moab – 2012-04-28T21:39:18.853

I would be willing to bet it was generated/downloaded during a Microsoft MRT scan and was used to remove a specific infection during the boot process. This is what the MRT tool does: when it finds a hard-to-remove infection, it downloads a removal tool from the MRT servers at Microsoft. More than likely this is the file that was infected: 1yfOZG3BLWgtFb.exe. – Moab – 2012-04-28T21:55:28.613

Answers

2

A good place to start might be to run sigverif - this might help validate the signature. From there, if it's signed by a company you trust, it's not likely to be your issue; otherwise, you may want to delete it.

On the other hand, once a machine is compromised, it can't really be trusted from that point on. I'd suggest backing up personal files and any other non OS-specific data, and reformatting / reinstalling the OS.

Geoff

Reputation: 2 335

+1 More than likely it is part of Microsoft's MRT tool; the signature would verify legitimacy. – Moab – 2012-04-28T21:44:15.057
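One way to do the signature check this answer suggests from PowerShell, as an added example that is not from the original answer or from Microsoft: it reads the Authenticode signature, builds the certificate chain to see which root it ends at, and also reports the SHA-256 hash you would submit to VirusTotal. It assumes Windows PowerShell 4.0 or later (for Get-FileHash) and the driver path given in the question; the "Microsoft Root" subject match is a heuristic, not an official check.

```powershell
# Added example, not part of the original answer: verify a driver's Authenticode
# signature and report who signed it and which root the chain terminates at.
# Assumes Windows PowerShell 4.0 or later and the path below (adjust as needed).
$DriverPath = 'C:\Windows\System32\Drivers\trjaaake.sys'

function Test-DriverSignature {
    param([Parameter(Mandatory = $true)][string]$Path)

    $sig = Get-AuthenticodeSignature -FilePath $Path
    $result = [ordered]@{
        File           = $Path
        Sha256         = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
        Status         = $sig.Status          # Valid, NotSigned, HashMismatch, ...
        StatusMessage  = $sig.StatusMessage
        Signer         = $null
        Root           = $null
        Timestamped    = $false
        LooksMicrosoft = $false
    }

    if ($sig.SignerCertificate) {
        $cert = $sig.SignerCertificate
        $result.Signer = $cert.Subject
        # A timestamp counter-signature keeps the signature valid after the cert expires.
        $result.Timestamped = ($null -ne $sig.TimeStamperCertificate)

        # Build the chain ourselves so we can see the root. Old signing certs are
        # usually expired by now, so ignore time validity for the chain walk only;
        # ChainElements is populated even when Build returns $false.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.VerificationFlags = 'IgnoreNotTimeValid'
        $null = $chain.Build($cert)
        if ($chain.ChainElements.Count -gt 0) {
            $last = $chain.ChainElements.Count - 1
            $result.Root = $chain.ChainElements[$last].Certificate.Subject
        }

        # The 'Company' string in the version resource proves nothing; anyone can
        # type "Microsoft Corporation" there. Require a validating chain AND a
        # Microsoft subject AND a Microsoft root (heuristic, assumed here).
        $result.LooksMicrosoft = ($sig.Status -eq 'Valid') -and
            ($cert.Subject -match 'O=Microsoft Corporation') -and
            ($result.Root -match 'Microsoft Root')
    }
    [pscustomobject]$result
}

Test-DriverSignature -Path $DriverPath | Format-List
```

A Status of HashMismatch means the file was altered after it was signed, which matters more than the Company string in the version tab.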

0

These files are actually dynamically created by Windows Defender. The purpose is to remove malware at reboot that infected your system.

Take a look at the properties of each file and you'll notice the names are random and they are digitally signed by the Microsoft Certificate Authority. Upon reboot the .SYS files will actually disappear once they have served their intended purpose, which is to remove malware at reboot.

THESE ARE GOOD FILES AND NOT BAD!!!

Robert - Security Expert

Reputation: 1