Need help to remove rootkit in Hkey_local_machine\system\currentcontrolset\service\bt

Inactive
By folamour
Jun 3, 2011
Topic Status:
Not open for further replies.
  1. Hi, I was doing an article about rootkits and I have found on my laptop (mainly used by my son) this toy:

    Hkey_local_machine\system\currentcontrolset\service\bthport\parameters\keys

    I'm unable to edit or delete the key in regedit,

    [Link deleted by Bobbye]

    I've tried lots of tools; GMER is able to show it. I'm running 64-bit Windows 7.

    Kaspersky TDSSKiller was not able to get rid of it. I put a HijackThis log of this CPU on [Link deleted by Bobbye]

    I really don't want to reinstall this unit. If someone has already faced this *****, can he help me???

    I suspected an MSN keylogger or a kind of nice tool like that....

    Thanks a lot, have a nice day,
  2. Bobbye


    Welcome to TechSpot. We have an organized list of steps to begin:

    The entry that you left, at least in part, is for the BT Mobile data device. (currentcontrolset\service\bt)
    The full entry might resemble this:
    Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\0007611f2755
    Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\0007611f2755@00076123af85 0x72 0x35 0x03 0xC4 ...


    You should have a corresponding Service for this. BTHPORT is a legitimate operating system driver, the Bluetooth Bus Driver.

    Possibly that's why it won't be removed. Is there any problem on the system? Did you read something into this entry that wasn't there?


    If you would like us to check the system for malware, please follow the steps in the Preliminary Virus and Malware Removal thread HERE.

    NOTE: If you already have any of the scanning programs on the computer, please remove them and download the versions in these links.

    When you have finished, leave the logs for review in your next reply.
    NOTE: Logs must be pasted in the replies. Attached logs will not be reviewed.

    Please do not use any other cleaning programs or scans while I'm helping you, unless I direct you to. Do not use a Registry cleaner or make any changes in the Registry.

    Please remove the programs that you have been using in an attempt to remove this and do not do any other scans while I am helping you.

    I am going to delete the URL reference you left. It is a French site. Please do not leave a hyperlink for any suspected malware.
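
The check Bobbye describes (is there a real service behind the BTHPORT key, and is it the Windows Bluetooth driver?) can be done from an elevated PowerShell prompt instead of by eyeballing a GMER log. The script below is an added example written for this thread, not something either poster ran; it assumes the standard Windows 7 layout where kernel drivers live under `system32\DRIVERS` and that the key is under `Services\BTHPORT` as in the log excerpt above.

```powershell
# Added example (not from the thread): verify that the BTHPORT registry entry
# belongs to a real, signed Windows driver before treating it as a rootkit.
# Run from an elevated PowerShell prompt (Windows 7 / PowerShell 2.0 or later).

$serviceName = 'BTHPORT'
$serviceKey  = "HKLM:\SYSTEM\CurrentControlSet\Services\$serviceName"

# 1. Is there a service/driver entry behind the key at all?
$svc = Get-ItemProperty -Path $serviceKey -ErrorAction SilentlyContinue
if (-not $svc) {
    Write-Host "No service key found for $serviceName."
    return
}
Write-Host "ImagePath : $($svc.ImagePath)"
Write-Host "Start     : $($svc.Start)  (0=Boot 1=System 2=Auto 3=Manual 4=Disabled)"
Write-Host "Type      : $($svc.Type)   (1=Kernel driver 2=File-system driver)"

# 2. Is the driver actually loaded, and what does the service manager say about it?
$drv = Get-WmiObject -Class Win32_SystemDriver -Filter "Name='$serviceName'"
if ($drv) {
    Write-Host "State     : $($drv.State)  Started: $($drv.Started)  Path: $($drv.PathName)"
} else {
    Write-Host "Win32_SystemDriver has no entry named $serviceName (unexpected for a real driver)."
}

# 3. Resolve the binary on disk and check its Authenticode signature.
#    Kernel-driver ImagePath values are relative to %SystemRoot%
#    (e.g. "system32\DRIVERS\BTHport.sys") or prefixed with \SystemRoot\.
$image = $svc.ImagePath -replace '^\\SystemRoot\\', "$env:SystemRoot\"
if ($image -notmatch '^[A-Za-z]:\\') { $image = Join-Path $env:SystemRoot $image }
if (Test-Path -LiteralPath $image) {
    $sig = Get-AuthenticodeSignature -FilePath $image
    Write-Host "Signature : $($sig.Status)"
    if ($sig.SignerCertificate) {
        Write-Host "Signer    : $($sig.SignerCertificate.Subject)"
    }
    # A Valid signature from Microsoft is what you expect for the Bluetooth bus driver.
    # NotSigned / HashMismatch on a file claiming to be a Windows driver is worth a closer look.
} else {
    Write-Host "Driver binary not found at $image (a dangling ImagePath is itself suspicious)."
}

# 4. Try to enumerate Parameters\Keys, the subkey the original poster could not edit.
#    This subkey stores Bluetooth link keys and Windows restricts its ACL to SYSTEM,
#    so "access denied" from an administrator prompt is normal and is not, by itself,
#    evidence of a rootkit. Only a kernel-level hook hiding the key from enumeration
#    entirely (which GMER reports differently) would be a concern.
$keysPath = "$serviceKey\Parameters\Keys"
try {
    $subkeys = Get-ChildItem -Path $keysPath -ErrorAction Stop
    Write-Host "Parameters\Keys has $($subkeys.Count) subkey(s) (one per local Bluetooth adapter)."
} catch {
    Write-Host "Parameters\Keys: $($_.Exception.Message)"
    Write-Host "(Access denied here is the expected ACL on this key, not a hidden entry.)"
}
```

The useful signal is the combination: a service entry that points at a Microsoft-signed `BTHport.sys` which the service manager also reports as a loaded kernel driver is the legitimate Bluetooth stack, and the unreadable `Keys` subkey under it is the pairing-key store rather than malware persistence. A mismatch at any of those steps (no driver object, an unsigned or relocated binary, or a path that does not exist) is what would justify the malware-removal steps Bobbye links to.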