Solved

Suspect Rootkit issue on Blackberry server.  Without compromising the function of the blackberry how do I go about getting this cleaned?

Posted on 2008-10-24
6
814 Views
Last Modified: 2013-12-09
For months the Symantec antivirus has been deleting or quarantining a variety of viruses: Trojan Horse, W32.Auraax, Trojan.Virantix.C, Trojan.Fakeavalert, Trojan.Dropper, and Downloader.Misapp!zip to name a few. Norton is doing its job, but my job is to resolve this, and I've tried everything from Spydoctor, Malwarebytes, etc... Every time I think it is cleaned, BAMM, it's back. Any help would be awesome. Below is the RootkitRevealer output from a scan run today. The only function this server does is the BlackBerry Enterprise Server for the BlackBerry phones.

HKU\.DEFAULT\Control Panel\International      9/16/2008 3:04 PM      0 bytes      Security mismatch.
HKLM\SECURITY\Policy\Secrets\SAC*      4/28/2005 9:59 AM      0 bytes      Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SAI*      4/28/2005 9:59 AM      0 bytes      Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SCM:{3D14228D-FBE1-11D0-995D-00C04FD919C1}*      4/28/2005 1:26 PM      0 bytes      Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\TS:InternetConnectorPswd*      4/28/2005 1:24 PM      0 bytes      Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\XATM:bb5039c0-1b77-4e51-a212-ed45631f23c6*      4/28/2005 1:24 PM      0 bytes      Key name contains embedded nulls (*)
HKLM\SOFTWARE\Microsoft\MSSQLServer\MSSQLServer\uptime_time_utc      10/24/2008 12:18 PM      8 bytes      Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Research In Motion\BlackBerry Enterprise Server\Agents\NextEtpId      10/24/2008 12:19 PM      4 bytes      Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Research In Motion\BlackBerry Enterprise Server\Dispatcher\NextSrpId      10/24/2008 12:19 PM      4 bytes      Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Research In Motion\BlackBerry Enterprise Server\Dispatcher\NextSrpIdToAgents      10/24/2008 12:19 PM      4 bytes      Data mismatch between Windows API and raw hive data.
0
Comment
Question by:CAT27
6 Comments
 
LVL 8

Expert Comment

by:russell124
ID: 22798464
I'm not seeing anything suspicious on this rootkit scan. The embedded nulls in \Secrets are used to prevent certain sensitive registry keys from being viewed/edited with regedit, and the Data mismatch errors are usually due to files that are in use and that have changed while the scan is running.

Have you tried any other rootkit scanners, such as GMER?

http://www.gmer.net/index.php

Where are these viruses appearing on the server?  Are they in the IE cache?

Can you post a HijackThis log?

http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis
0
 
LVL 1

Expert Comment

by:prlit
ID: 22799525
Try Combofix. http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Combofix plus malware bytes pretty much gets rid of anything and everything for me.
0
 

Author Comment

by:CAT27
ID: 22831342
Used Combofix before I posted this and it looked good, but a few days later the issues occurred again.
Today I got the following: Infostealer.Banker.c, and it was found in the TEMP directory of the local account.

I have not tried GMER yet. Any more ideas?
0
Author Comment

by:CAT27
ID: 23160917
No solution found here.  Had to do a complete re-install in order to resolve this issue.
0
 
LVL 2

Accepted Solution

by:
Franky_R earned 500 total points
ID: 23275684
Too bad you had to do a complete re-install ... Rootkits are indeed hard to get rid of. Most of the time it only looks like you're patching the damage they do, but you can't remove them completely. That's why reinstalling is often the best solution.

Better luck next time !
Franky
0
 

Author Closing Comment

by:CAT27
ID: 31509740
I like the encouragement :)
0
