Everything posted by Jarjar

Hi to all, I hope some of the experts can help me with investigating whether my systems have been compromised. Several days ago I got a spam mail with an attachment. Avast reported it had detected a threat and quarantined it. But nothing has been found in the Vault and the email was neither in any of my email folders nor in the recycle bin. I thought I was lucky. But shortly after, the laptop (Vista) started to heat constantly with sudden shutdowns. Also my hobby PC (XP) soon got terribly slow. Full scans with Avast and startup scans said my systems are clean. I disconnected both machines from the internet and am now using the third PC, which seems OK (so far).

However, GMER tells me on both machines there is a Possible Rootkit. Hidden processes are different on both machines. The only common feature they have on both the Vista and XP machines is a locked key in HKLM\System\CurrentControlset\Services\BTHPORT\Parameters\Keys\001f81000250. Also Controlset003 has the same key; GMER shows them both in red. On the Vista laptop it also has in HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved an entry which is showing red in GMER. However, this is not the case on my XP machine and seems normal there.

The Vista laptop with GMER running shows a Hidden Process that has no info about PID/Memory/Thr./Handles etc., only showing [4] 80CE290F. Another time it can be different, e.g. [4] 81F00E30 (I have seen many different values but all starting with [4] 8XXXXXXXX). Killing this process seems possible as I do so, it disappears, but a new GMER scan thereafter shows this process again.

On the XP machine: MBAM quick scan says there are No Malicious Items detected. I had not yet closed MBAM and was running GMER when it came up with a warning that there is Possible Rootkit activity. In red it showed a hidden service Windows\System32\TlntSrv. As far as I know this is the telnet service and therefore I have the feeling it's a rootkit using both the Telnet and the Bluetooth communication features.

When I closed MBAM and performed a new scan with GMER it did not find the hidden TlntServ anymore and the previous hidden service seems to be closed. Simulating the previous situation again, I ran MBAM again and after its scan completed (again -> No malicious items) started GMER again. Now GMER shows both registry keys 001f81000250 in black under the Rootkit/Malware tab, but under the Registry tab they are still in red. Is there anybody out there who can tell me more and whether it's indeed some undiscovered rootkit activity? Avast, which uses GMER technology, finds nothing, so I guess it's a new activity rather than a false positive. Many thanks for reading this!