Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

Suspect Rootkit issue on Blackberry server.  Without compromising the function of the blackberry how do I go about getting this cleaned?

Posted on 2008-10-24
6
Medium Priority
?
824 Views
Last Modified: 2013-12-09
For months the Symantec antivirus is deleting or quarantined a variety of viruese.   Trojan Horse, W32.Auraax., Trojan.Virantix.C, Trojan.Fakeavalert, Trojan.Dropper, and Downloader.Misapp!zip to name a few.  Norton is doing it's job but my job it to resolve this and I've tried everything from Spydoctor, Malwarebytes, etc...  Everytime I think it is cleaned.  BAMM it's back.  Any help would be awesome.   Below is the RootkieREvealer ran today.  The only function this server does is the Blackberry enterprise for the Blackberry phones.

HKU\.DEFAULT\Control Panel\International  9/16/2008 3:04 PM      0 bytes      Security mismatch.
HKLM\SECURITY\Policy\Secrets\SAC*          4/28/2005 9:59 AM      0 bytes      Key name contains embedded nulls (*)

HKLM\SECURITY\Policy\Secrets\SAI*          4/28/2005 9:59 AM      0 bytes      Key name contains embedded nulls (*)

HKLM\SECURITY\Policy\Secrets\SCM:{3D14228D-FBE1-11D0-995D-00C04FD919C1}*      4/28/2005 1:26 PM      0 bytes      Key name contains embedded nulls (*)

HKLM\SECURITY\Policy\Secrets\TS:InternetConnectorPswd*      4/28/2005 1:24 PM      0 bytes key name contains embedded nulls (*)

HKLM\SECURITY\Policy\Secrets\XATM:bb5039c0-1b77-4e51-a212-ed45631f23c6*   4/28/2005 1:24 PM 0 bytes      Key name contains embedded nulls (*)

HKLM\SOFTWARE\Microsoft\MSSQLServer\MSSQLServer\uptime_time_utc      10/24/2008 12:18 PM  
8 bytes      Data mismatch between Windows API and raw hive data.

HKLM\SOFTWARE\Research In Motion\BlackBerry Enterprise Server\Agents\NextEtpId      10/24/2008 12:19 PM      4 bytes      Data mismatch between Windows API and raw hive data.

HKLM\SOFTWARE\Research In Motion\BlackBerry Enterprise Server\Dispatcher\NextSrpId      10/24/2008 12:19 PM      4 bytes      Data mismatch between Windows API and raw hive data.

HKLM\SOFTWARE\Research In Motion\BlackBerry Enterprise Server\Dispatcher\NextSrpIdToAgents 10/24/2008 12:19 PM      4 bytes      Data mismatch between Windows API and raw hive data.
0
Comment
Question by:CAT27
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
6 Comments
 
LVL 8

Expert Comment

by:russell124
ID: 22798464
I'm not seeing anything suspicious on this rootkit scan.  The embedded nulls in \Secrets  are used to prevent certain sensitive registry keys from being viewed/edited with regedit, and the Data mismatch errors are usually due to files that are in use and are that have changed while the scan is running.

Have you tried any other rootkit scanners, such as GMER?

http://www.gmer.net/index.php

Where are these viruses appearing on the server?  Are they in the IE cache?

Can you post a HijackThis log?

http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis
0
 
LVL 1

Expert Comment

by:prlit
ID: 22799525
Try Combofix. http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Combofix plus malware bytes pretty much gets rid of anything and everything for me.
0
 

Author Comment

by:CAT27
ID: 22831342
Used Combo fix before I posted this and it looked good but a few days later issues occur.
Today I got the following Infostealer.Banker.c and it was found in the TEMP directory of the local account.

I have not tried GMER yet.   Any more ideas.
0
2017 Webroot Threat Report

MSPs: Get the facts you need to protect your clients.
The 2017 Webroot Threat Report provides a uniquely insightful global view into the analysis and discoveries made by the Webroot® Threat Intelligence Platform to provide insights on key trends and risks as seen by our users.

 

Author Comment

by:CAT27
ID: 23160917
No solution found here.  Had to do a complete re-install in order to resolve this issue.
0
 
LVL 2

Accepted Solution

by:
Franky_R earned 1500 total points
ID: 23275684
To bad you had to do a complete re-install ... Rootkits are indeed hard to get rid of. Most of the times it only looks like your patching the damage they do but can't remove them completly. That's why reinstalling often is the best sollution.

Better luck next time !
Franky
0
 

Author Closing Comment

by:CAT27
ID: 31509740
I like the encouragement :)
0

Featured Post

Protect Your Retail Business and Reputation

Wi-Fi access doesn't just impact your business & customer experience, it can also affect your security.  Join us for an informative webinar to learn more about the top threats and trends impacting retail today, and the key solutions to protecting retail networks and reputations.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

These are on the increase and getting more common these days. Users who use the Google search engine may complain of having their search redirected to unwanted sites, regardless of what browser is used. This happens when the system is infected with…
You cannot be 100% sure that you can protect your organization against crypto ransomware but you can lower down the risk and impact of the infection.
Established in 1997, Technology Architects has become one of the most reputable technology solutions companies in the country. TA have been providing businesses with cost effective state-of-the-art solutions and unparalleled service that is designed…
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…

670 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question