Solved

Suspect Rootkit issue on Blackberry server.  Without compromising the function of the blackberry how do I go about getting this cleaned?

Posted on 2008-10-24
6
820 Views
Last Modified: 2013-12-09
For months the Symantec antivirus has been deleting or quarantining a variety of viruses: Trojan Horse, W32.Auraax, Trojan.Virantix.C, Trojan.Fakeavalert, Trojan.Dropper, and Downloader.Misapp!zip to name a few.  Norton is doing its job but my job is to resolve this and I've tried everything from Spydoctor, Malwarebytes, etc...  Every time I think it is cleaned.  BAMM it's back.  Any help would be awesome.   Below is the RootkitRevealer output run today.  The only function this server does is the Blackberry enterprise for the Blackberry phones.

HKU\.DEFAULT\Control Panel\International  9/16/2008 3:04 PM      0 bytes      Security mismatch.
HKLM\SECURITY\Policy\Secrets\SAC*          4/28/2005 9:59 AM      0 bytes      Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SAI*          4/28/2005 9:59 AM      0 bytes      Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SCM:{3D14228D-FBE1-11D0-995D-00C04FD919C1}*      4/28/2005 1:26 PM      0 bytes      Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\TS:InternetConnectorPswd*      4/28/2005 1:24 PM      0 bytes      Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\XATM:bb5039c0-1b77-4e51-a212-ed45631f23c6*   4/28/2005 1:24 PM      0 bytes      Key name contains embedded nulls (*)
HKLM\SOFTWARE\Microsoft\MSSQLServer\MSSQLServer\uptime_time_utc      10/24/2008 12:18 PM      8 bytes      Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Research In Motion\BlackBerry Enterprise Server\Agents\NextEtpId      10/24/2008 12:19 PM      4 bytes      Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Research In Motion\BlackBerry Enterprise Server\Dispatcher\NextSrpId      10/24/2008 12:19 PM      4 bytes      Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Research In Motion\BlackBerry Enterprise Server\Dispatcher\NextSrpIdToAgents      10/24/2008 12:19 PM      4 bytes      Data mismatch between Windows API and raw hive data.
0
Comment
Question by:CAT27
6 Comments
 
LVL 8

Expert Comment

by:russell124
ID: 22798464
I'm not seeing anything suspicious on this rootkit scan.  The embedded nulls in \Secrets are used to prevent certain sensitive registry keys from being viewed/edited with regedit, and the Data mismatch errors are usually due to files that are in use and that have changed while the scan is running.

Have you tried any other rootkit scanners, such as GMER?

http://www.gmer.net/index.php

Where are these viruses appearing on the server?  Are they in the IE cache?

Can you post a HijackThis log?

http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis
0
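As an added illustration of the triage russell124 describes (not code from the thread or from RootkitRevealer), this parses RootkitRevealer's discrepancy lines and sorts them into buckets: embedded-null names under HKLM\SECURITY\Policy\Secrets are expected, "Data mismatch" on frequently changing values is likely noise, and "Hidden from Windows API" entries are the ones that actually warrant investigation. The sample input re-types four entries from the question plus one constructed hidden-file entry; that file path is hypothetical.

```python
import re
from collections import Counter

# One RootkitRevealer line: path, timestamp, size, discrepancy description.
LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+"
    r"(?P<ts>\d{1,2}/\d{1,2}/\d{4}\s+\d{1,2}:\d{2}\s+[AP]M)\s+"
    r"(?P<size>[\d.]+\s+(?:bytes|KB|MB))\s+"
    r"(?P<desc>.+?)\s*$"
)

# Constructed sample: four entries re-typed from the question, plus one
# hypothetical hidden-file entry (the path is made up) to show the case
# that actually warrants investigation.
SAMPLE = r"""
HKU\.DEFAULT\Control Panel\International  9/16/2008 3:04 PM      0 bytes      Security mismatch.
HKLM\SECURITY\Policy\Secrets\SAC*          4/28/2005 9:59 AM      0 bytes      Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\XATM:bb5039c0-1b77-4e51-a212-ed45631f23c6*   4/28/2005 1:24 PM 0 bytes      Key name contains embedded nulls (*)
HKLM\SOFTWARE\Research In Motion\BlackBerry Enterprise Server\Dispatcher\NextSrpIdToAgents 10/24/2008 12:19 PM      4 bytes      Data mismatch between Windows API and raw hive data.
C:\WINDOWS\system32\drivers\EXAMPLE-HIDDEN.sys   10/24/2008 1:02 PM   12.00 KB   Hidden from Windows API.
"""

def parse(text):
    """Return a list of dicts, one per line that matches the report format."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows

def triage(row):
    """Classify one discrepancy: the first two rules encode russell124's
    explanation, the third RootkitRevealer's documented meaning of 'hidden'."""
    path, desc = row["path"].lower(), row["desc"].lower()
    if "embedded nulls" in desc and path.startswith(r"hklm\security\policy\secrets"):
        return "expected"       # LSA secrets keys are always reported this way
    if "data mismatch" in desc:
        return "likely_noise"   # value changed while the scan ran (counters, uptime)
    if "hidden from windows api" in desc:
        return "investigate"    # exists in raw hive/disk but not via the API: classic rootkit sign
    return "review"             # e.g. 'Security mismatch.': needs a human look

def summarize(text):
    """Count entries per triage bucket."""
    return Counter(triage(r) for r in parse(text))

if __name__ == "__main__":
    for row in parse(SAMPLE):
        print(f"{triage(row):13s} {row['path']}")
    print(dict(summarize(SAMPLE)))
```

A real run would feed the saved RootkitRevealer log into parse() and look first at whatever lands in the "investigate" bucket.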
 
LVL 1

Expert Comment

by:prlit
ID: 22799525
Try Combofix. http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Combofix plus malware bytes pretty much gets rid of anything and everything for me.
0
 

Author Comment

by:CAT27
ID: 22831342
Used ComboFix before I posted this and it looked good, but a few days later issues occurred.
Today I got the following: Infostealer.Banker.c, and it was found in the TEMP directory of the local account.

I have not tried GMER yet.   Any more ideas?
0

Author Comment

by:CAT27
ID: 23160917
No solution found here.  Had to do a complete re-install in order to resolve this issue.
0
 
LVL 2

Accepted Solution

by:Franky_R (earned 500 total points)
ID: 23275684
Too bad you had to do a complete re-install ... Rootkits are indeed hard to get rid of. Most of the time it only looks like you're patching the damage they do but can't remove them completely. That's why reinstalling is often the best solution.

Better luck next time !
Franky
0
 

Author Closing Comment

by:CAT27
ID: 31509740
I like the encouragement :)
0
