
Need help with rootkit

vanvock

Senior member
It's shown as \RtrDpeBk.ini & I can't find anything on it. Google brings up something about basketball. AVG rootkit detector doesn't find it nor does their spyware or virus detectors. It looks like Panda can't remove it. Has anyone seen this before? I couldn't nail it down with a registry scan either. Any help is appreciated.

[Current Loc]
S-1-5-18=\WINDOWS\system32\config\systemprofile\NTUser.Dat
S-1-5-19=\Documents and Settings\LocalService\NTUSER.DAT
S-1-5-19_Classes=\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
S-1-5-20=\Documents and Settings\NetworkService\NTUSER.DAT
S-1-5-20_Classes=\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
S-1-5-21-1606980848-413027322-725345543-1004=\Documents and Settings\VanVock\ntuser.dat
S-1-5-21-1606980848-413027322-725345543-1004_Classes=\Documents and Settings\VanVock\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
S-1-5-21-1606980848-413027322-725345543-500=\Documents and Settings\Administrator\NTUSER.DAT
S-1-5-21-1606980848-413027322-725345543-500_Classes=\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
All Users=\Documents and Settings\All Users\ntuser.dat
Default User=\Documents and Settings\Default User\NTUSER.DAT
.DEFAULT=\WINDOWS\SYSTEM32\CONFIG\default
SAM=\WINDOWS\SYSTEM32\CONFIG\SAM
SECURITY=\WINDOWS\SYSTEM32\CONFIG\SECURITY
software=\WINDOWS\SYSTEM32\CONFIG\software
system=\WINDOWS\SYSTEM32\CONFIG\system
[Original Loc]
S-1-5-18=C:\WINDOWS\system32\config\systemprofile\NTUser.Dat
S-1-5-19=C:\Documents and Settings\LocalService\NTUSER.DAT
S-1-5-19_Classes=C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
S-1-5-20=C:\Documents and Settings\NetworkService\NTUSER.DAT
S-1-5-20_Classes=C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
S-1-5-21-1606980848-413027322-725345543-1004=C:\Documents and Settings\VanVock\ntuser.dat
S-1-5-21-1606980848-413027322-725345543-1004_Classes=C:\Documents and Settings\VanVock\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
S-1-5-21-1606980848-413027322-725345543-500=C:\Documents and Settings\Administrator\NTUSER.DAT
S-1-5-21-1606980848-413027322-725345543-500_Classes=C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
All Users=C:\Documents and Settings\All Users\ntuser.dat
Default User=C:\Documents and Settings\Default User\NTUSER.DAT
.DEFAULT=C:\WINDOWS\SYSTEM32\CONFIG\default
SAM=C:\WINDOWS\SYSTEM32\CONFIG\SAM
SECURITY=C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
software=C:\WINDOWS\SYSTEM32\CONFIG\software
system=C:\WINDOWS\SYSTEM32\CONFIG\system
[Reg Key Type]
S-1-5-18=0
S-1-5-19=0
S-1-5-19_Classes=1
S-1-5-20=0
S-1-5-20_Classes=1
S-1-5-21-1606980848-413027322-725345543-1004=0
S-1-5-21-1606980848-413027322-725345543-1004_Classes=1
S-1-5-21-1606980848-413027322-725345543-500=0
S-1-5-21-1606980848-413027322-725345543-500_Classes=1
All Users=0
Default User=0
.DEFAULT=0
SAM=2
SECURITY=2
software=2
system=2

>>> This appears to be the file in question.
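A triage check one could run on a file of this shape, added here as an example and not code from the thread or from the Retrospect product: it parses the three sections, confirms that [Original Loc] is [Current Loc] plus a drive letter, and that every entry names a standard registry hive with a matching key type. The meaning of the key-type values 0/1/2 is inferred from the posted file and is an assumption.

```python
import configparser
import re

# Hive filename -> key type expected in [Reg Key Type]. The meaning of 0/1/2 is
# inferred from the posted file (user hive, user classes hive, machine hive);
# it is an assumption, not vendor documentation.
EXPECTED_TYPE = {"ntuser.dat": 0, "usrclass.dat": 1, "default": 0,
                 "sam": 2, "security": 2, "software": 2, "system": 2}

# Constructed sample in the shape of the posted file (three of its entries).
SAMPLE_INI = r"""[Current Loc]
S-1-5-18=\WINDOWS\system32\config\systemprofile\NTUser.Dat
.DEFAULT=\WINDOWS\SYSTEM32\CONFIG\default
SAM=\WINDOWS\SYSTEM32\CONFIG\SAM
[Original Loc]
S-1-5-18=C:\WINDOWS\system32\config\systemprofile\NTUser.Dat
.DEFAULT=C:\WINDOWS\SYSTEM32\CONFIG\default
SAM=C:\WINDOWS\SYSTEM32\CONFIG\SAM
[Reg Key Type]
S-1-5-18=0
.DEFAULT=0
SAM=2
"""
# Constructed variant with one entry pointing outside the standard hive set.
ODD_INI = SAMPLE_INI.replace(r"SAM=\WINDOWS\SYSTEM32\CONFIG\SAM",
                             r"SAM=\WINDOWS\Temp\SAM.bak")

def check_manifest(text: str) -> list[str]:
    """Return findings; an empty list means every entry looks like a plain hive backup."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep SIDs and hive names exactly as written
    cp.read_string(text)
    for sec in ("Current Loc", "Original Loc", "Reg Key Type"):
        if sec not in cp:
            return [f"missing section [{sec}]"]
    cur, orig, types = cp["Current Loc"], cp["Original Loc"], cp["Reg Key Type"]
    findings: list[str] = []
    if not (set(cur) == set(orig) == set(types)):
        findings.append("the three sections do not list the same keys")
    for key in cur:
        c, o, t = cur[key], orig.get(key, ""), types.get(key, "")
        # [Original Loc] should be [Current Loc] with a drive letter prepended.
        if not (re.fullmatch(r"[A-Za-z]:", o[:2]) and o[2:] == c):
            findings.append(f"{key}: original {o!r} != drive + current {c!r}")
        name = c.rsplit("\\", 1)[-1].lower()
        if name not in EXPECTED_TYPE:
            findings.append(f"{key}: {c!r} is not a standard registry hive")
        elif t != str(EXPECTED_TYPE[name]):
            findings.append(f"{key}: key type {t} unexpected for {name}")
    return findings
```

A clean result does not prove the file is benign, but a path outside the standard hive set or a mismatched key type is what would justify digging further.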
 
1) back up your data, emails, contacts and Favorites

2) if it were me, with a rootkit on the system, the next step would be to unplug all secondary hard drives, then nuke the boot drive using DBAN. Rootkit dead. :evil: Now reinstall Windows.

3) if you're not ready to get that drastic, you might try GMER next. It's another rootkit-removal tool.

4) another option is to boot the system from a bootable CD and attack from there.
 
Thanks for the reply, I've done a little more digging & I'm starting to wonder if it may be a false positive. I found some other similar configuration files that appear to be related to Dantz Retrospect backup program. I'll try that GMER link & see what happens.
 
I ran the catchme detector & it was negative. The GMER scan didn't report anything either, hmmmmmm...........
 
I ran Panda again this morning & it shows \gmer.zip as a rootkit as well so now I have 2 entries. What's up with that?
 
Originally posted by: vanvock
I ran Panda again this morning & it shows \gmer.zip as a rootkit as well so now I have 2 entries. What's up with that?

Mysteriouser and mysteriouser. Did you have any particular reasons to be suspicious, that prompted you to scan for rootkits in the first place, or was it just a precautionary thing?

 
No real prompt, maybe I'm just a little paranoid (but just because I am doesn't mean they're not watching 🙂 ). I keep my AV etc. programs up to date & scan regularly.
 
I'm sure you wouldn't knowingly recommend a tool with malware in it. Could you run a scan with Panda to see if it tags it for you?
 
Panda doesn't tag the GMER.zip file for me. Maybe Panda is smokin' crack like you speculated 😀
 
Originally posted by: vanvock
Thanks for doing that. I really don't know what to do next, any suggestions short of nukin' windows?

You could check with additional rootkit detection products and try to form a consensus, I guess. I've seen rootkit detectors trigger on normal stuff before. Some other rootkit-detection products: McAfee Rootkit Detective, Microsoft/Sysinternals Rootkit Revealer, and the F-Secure online scanner (ActiveX-driven, so use IE).

 
Thanks again for the links. The Revealer didn't tag those but found 4 other possibles that I can't be sure if they're threats or needed files. The deeper I dig into this the further I get in over my head. I guess I'll just let it ride & pray for blissful ignorance.
 