Inactive Need help to remove rootkit in Hkey_local_machine\system\currentcontrolset\service\bt

[folamour]

Hi, I was doing an article about rootkit and I have found on my laptop (mainly use by son) this toy :

Hkey_local_machine\system\currentcontrolset\service\bthport\parameters\keys

I'm unable to edit or delete key on regedit,

I've tried lot of tools, GMER is able to show it, I'm running a 64bits windows 7,

Kaspersky TDSS killer was not able to get rid of it, it put a hijack this log of this cpu on ...

I really don't want to reinstall this unit, if someone have already faced this *****, can he help me ??? I suspected a msn keylogger or a kind nice tools like that....

thanks a lot, have a nice day

 

[Bobbye]

Welcome to TechSpot. We have an organized list of steps to begin:

The entry that you left, at least in part, is for the BT Mobile data device. (currentcontrolset\service\bt)
The full entry might resemble this:
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\0007611f2755
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\0007611f2755@00076123af85 0x72 0x35 0x03 0xC4 ...

You should have a corresponding Service for this. The BTHPORT is a legitimate operating system driver for Bluetooth Bus Driver

Possibly that why it won't be removed. Is there any problem on the system? Did you read something into this entry that wasn't there?


If you would like us to check the system for malware, please follow the steps in the Preliminary Virus and Malware Removal thread HERE.

NOTE: If you already have any of the scanning programs on the computer, please remove them and download the versions in these links.

When you have finished, leave the logs for review in your next reply .
NOTE: Logs must be pasted in the replies. Attached logs will not be reviewed.

Please do not use any other cleaning programs or scans while I'm helping you, unless I direct you to. Do not use a Registry cleaner or make any changes in the Registry.

Please remove the programs that you have been using in an attempt to remove this and do not do any other scans while I am helping you.

I am going to delete the URL reference you left. It is a French site. Please do not leave a hyperlink for any suspected malware.