Possible rootkit BTHPORT locked Keys 001f81000250

Hi to all,

I hope some of the experts can help me investigate whether my systems have been compromised.

Several days ago I got a spam mail with an attachment. Avast reported it had detected a threat and quarantined it.

But nothing has been found in the Vault, and the email was neither in any of my email folders nor in the recycle bin.

I thought I was lucky. But shortly after, the laptop (Vista) started to heat up constantly, with sudden shutdowns.

Also my hobby PC (XP) soon got terribly slow.

Full scans with Avast and startup scans said my systems are clean.

I disconnected both machines from the internet and am now using the third PC, which seems OK (so far).

However, GMER says that on both machines there is a Possible Rootkit.

Hidden processes are different on both machines.

The only common feature they have on both the Vista and XP machines is a locked key in HKLM\System\CurrentControlset\Services\BTHPORT\Parameters\Keys\001f81000250

Also Controlset003 has the same key.

GMER shows them both in red.

On the Vista laptop it also has an entry in HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved which is showing red in GMER.

However, this is not the case on my XP machine and seems normal there.

The Vista laptop with GMER running shows a Hidden Process that has no info about PID/Memory/Thr./Handles etc., only showing [4] 80CE290F

Another time it can be different, e.g. [4] 81F00E30 (I have seen many different values, but all starting with [4] 8XXXXXXXX).

Killing this process seems possible: when I do so, it disappears, but a new GMER scan thereafter shows this process again.

On the XP machine:

MBAM quick scan says there are No Malicious Items detected.

I had not yet closed MBAM and was running GMER when it came up with a warning that there is possible rootkit activity.

In red it showed a hidden service Windows\System32\TlntSrv.

As far as I know this is the telnet service, and therefore I have the feeling it's a rootkit using either Telnet or the Bluetooth communication features.

When I closed MBAM and performed a new scan with GMER, it did not find the hidden TlntServ anymore, and the previous hidden service seems to be closed.

Simulating the previous situation again, I ran MBAM again and after its scan completed (again -> No malicious items) started GMER again.

Now GMER is showing both registry keys 001f81000250 in black under the Rootkit/Malware tab, but under the Registry tab they are still in red.

Is there anybody out there who can tell me more and whether it's indeed some undiscovered rootkit activity?

Avast, which uses GMER technology, finds nothing, so I guess it's a new activity rather than a false positive.

Many thanks for reading this!
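As an added check for readers, not part of the original post or the helper's reply: the PowerShell function below inspects the key from the post read-only. Windows stores Bluetooth link keys under BTHPORT\Parameters\Keys\<local adapter address>, and that branch is ACL-restricted to SYSTEM, so a user-mode tool such as GMER cannot open it and reports it as "locked"; ControlSet00N branches are the backup control sets that CurrentControlSet links to, so the same key appearing there is the normal layout. The subkey name 001f81000250 is the one quoted in the post; the function name Test-BthportKey is my own choice. Run it from an elevated prompt and compare the subkey name with the Bluetooth adapter address shown in Device Manager.

```powershell
# Added example (not from the forum thread): read-only inspection of the
# BTHPORT link-key subkey that GMER flags as "locked".
function Test-BthportKey {
    param([string]$SubKey = '001f81000250')   # name taken from the post

    $base = 'SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys'
    $full = "$base\$SubKey"
    $result = [ordered]@{ Path = "HKLM\$full" }

    # 1. A 12-hex-digit name is the form of a Bluetooth device address;
    #    any other name under this branch deserves a closer look.
    $result.LooksLikeAdapterAddress = $SubKey -match '^[0-9a-fA-F]{12}$'

    # 2. Try to open the subkey with the current token. An access-denied
    #    here is exactly the condition GMER labels "locked".
    try {
        $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($full, $false)
        $result.Exists = ($null -ne $key)
        $result.OpenedByCurrentUser = ($null -ne $key)
        if ($key) { $key.Close() }
    } catch [System.Security.SecurityException] {
        $result.Exists = $true                 # denied implies it is there
        $result.OpenedByCurrentUser = $false
    }

    # 3. Read the DACL if READ_CONTROL is permitted; entries granting only
    #    NT AUTHORITY\SYSTEM are the expected state for this key.
    try {
        $acl = Get-Acl -Path "HKLM:\$full" -ErrorAction Stop
        $result.Dacl = $acl.Access | ForEach-Object {
            '{0} {1} {2}' -f $_.AccessControlType, $_.IdentityReference, $_.RegistryRights
        }
    } catch {
        $result.Dacl = "DACL not readable as $env:USERNAME"
    }

    [pscustomobject]$result
}

Test-BthportKey | Format-List
```

If OpenedByCurrentUser is false even in an elevated session and the DACL (where readable) lists only SYSTEM, the "locked key" report matches how the Bluetooth link-key store is protected rather than something hiding a key from the administrator; a subkey whose name is not an adapter address, or a DACL granting access to an unexpected account, is what would justify further investigation of that location.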

Hello and welcome, jarjar: :)

Please follow the recommendations in this pinned topic: Available Assistance For Possibly Infected Computers.

A qualified helper will guide you through the scanning and cleanup process.

>>If you have more than one computer that might be infected, please start a separate topic in the malware removal section (or a separate help desk request) for each one. To minimize confusion, it would be helpful to title each post clearly to that effect, such as "Infected computer #1", "Infected computer #2", etc.
