Suspect Rootkit issue on Blackberry server. Without compromising the function of the blackberry how do I go about getting this cleaned?

For months the Symantec antivirus is deleting or quarantined a variety of viruese.   Trojan Horse, W32.Auraax., Trojan.Virantix.C, Trojan.Fakeavalert, Trojan.Dropper, and Downloader.Misapp!zip to name a few.  Norton is doing it's job but my job it to resolve this and I've tried everything from Spydoctor, Malwarebytes, etc...  Everytime I think it is cleaned.  BAMM it's back.  Any help would be awesome.   Below is the RootkieREvealer ran today.  The only function this server does is the Blackberry enterprise for the Blackberry phones.

HKU\.DEFAULT\Control Panel\International  9/16/2008 3:04 PM      0 bytes      Security mismatch.
HKLM\SECURITY\Policy\Secrets\SAC*          4/28/2005 9:59 AM      0 bytes      Key name contains embedded nulls (*)

HKLM\SECURITY\Policy\Secrets\SAI*          4/28/2005 9:59 AM      0 bytes      Key name contains embedded nulls (*)

HKLM\SECURITY\Policy\Secrets\SCM:{3D14228D-FBE1-11D0-995D-00C04FD919C1}*      4/28/2005 1:26 PM      0 bytes      Key name contains embedded nulls (*)

HKLM\SECURITY\Policy\Secrets\TS:InternetConnectorPswd*      4/28/2005 1:24 PM      0 bytes key name contains embedded nulls (*)

HKLM\SECURITY\Policy\Secrets\XATM:bb5039c0-1b77-4e51-a212-ed45631f23c6*   4/28/2005 1:24 PM 0 bytes      Key name contains embedded nulls (*)

HKLM\SOFTWARE\Microsoft\MSSQLServer\MSSQLServer\uptime_time_utc      10/24/2008 12:18 PM  
8 bytes      Data mismatch between Windows API and raw hive data.

HKLM\SOFTWARE\Research In Motion\BlackBerry Enterprise Server\Agents\NextEtpId      10/24/2008 12:19 PM      4 bytes      Data mismatch between Windows API and raw hive data.

HKLM\SOFTWARE\Research In Motion\BlackBerry Enterprise Server\Dispatcher\NextSrpId      10/24/2008 12:19 PM      4 bytes      Data mismatch between Windows API and raw hive data.

HKLM\SOFTWARE\Research In Motion\BlackBerry Enterprise Server\Dispatcher\NextSrpIdToAgents 10/24/2008 12:19 PM      4 bytes      Data mismatch between Windows API and raw hive data.
CAT27Asked:
Who is Participating?
 
Franky_RConnect With a Mentor Commented:
To bad you had to do a complete re-install ... Rootkits are indeed hard to get rid of. Most of the times it only looks like your patching the damage they do but can't remove them completly. That's why reinstalling often is the best sollution.

Better luck next time !
Franky
0
 
russell124Commented:
I'm not seeing anything suspicious on this rootkit scan.  The embedded nulls in \Secrets  are used to prevent certain sensitive registry keys from being viewed/edited with regedit, and the Data mismatch errors are usually due to files that are in use and are that have changed while the scan is running.

Have you tried any other rootkit scanners, such as GMER?

http://www.gmer.net/index.php

Where are these viruses appearing on the server?  Are they in the IE cache?

Can you post a HijackThis log?

http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis
0
 
prlitCommented:
Try Combofix. http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Combofix plus malware bytes pretty much gets rid of anything and everything for me.
0
The new generation of project management tools

With monday.com’s project management tool, you can see what everyone on your team is working in a single glance. Its intuitive dashboards are customizable, so you can create systems that work for you.

 
CAT27Author Commented:
Used Combo fix before I posted this and it looked good but a few days later issues occur.
Today I got the following Infostealer.Banker.c and it was found in the TEMP directory of the local account.

I have not tried GMER yet.   Any more ideas.
0
 
CAT27Author Commented:
No solution found here.  Had to do a complete re-install in order to resolve this issue.
0
 
CAT27Author Commented:
I like the encouragement :)
0
All Courses

From novice to tech pro — start learning today.