Solved

Suspect Rootkit issue on Blackberry server.  Without compromising the function of the blackberry how do I go about getting this cleaned?

Posted on 2008-10-24
Last Modified: 2013-12-09
For months the Symantec antivirus has been deleting or quarantining a variety of viruses: Trojan Horse, W32.Auraax, Trojan.Virantix.C, Trojan.Fakeavalert, Trojan.Dropper, and Downloader.Misapp!zip to name a few.  Norton is doing its job but my job is to resolve this and I've tried everything from Spydoctor, Malwarebytes, etc...  Every time I think it is cleaned, BAMM, it's back.  Any help would be awesome.   Below is the RootkitRevealer scan run today.  The only function this server does is the Blackberry Enterprise Server for the Blackberry phones.

HKU\.DEFAULT\Control Panel\International      9/16/2008 3:04 PM      0 bytes      Security mismatch.
HKLM\SECURITY\Policy\Secrets\SAC*      4/28/2005 9:59 AM      0 bytes      Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SAI*      4/28/2005 9:59 AM      0 bytes      Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SCM:{3D14228D-FBE1-11D0-995D-00C04FD919C1}*      4/28/2005 1:26 PM      0 bytes      Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\TS:InternetConnectorPswd*      4/28/2005 1:24 PM      0 bytes      Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\XATM:bb5039c0-1b77-4e51-a212-ed45631f23c6*      4/28/2005 1:24 PM      0 bytes      Key name contains embedded nulls (*)
HKLM\SOFTWARE\Microsoft\MSSQLServer\MSSQLServer\uptime_time_utc      10/24/2008 12:18 PM      8 bytes      Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Research In Motion\BlackBerry Enterprise Server\Agents\NextEtpId      10/24/2008 12:19 PM      4 bytes      Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Research In Motion\BlackBerry Enterprise Server\Dispatcher\NextSrpId      10/24/2008 12:19 PM      4 bytes      Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Research In Motion\BlackBerry Enterprise Server\Dispatcher\NextSrpIdToAgents      10/24/2008 12:19 PM      4 bytes      Data mismatch between Windows API and raw hive data.
Question by:CAT27
6 Comments

Expert Comment by:russell124 (LVL 8)
I'm not seeing anything suspicious on this rootkit scan.  The embedded nulls in \Secrets are used to prevent certain sensitive registry keys from being viewed/edited with regedit, and the Data mismatch errors are usually due to values that are in use and that have changed while the scan is running.

Have you tried any other rootkit scanners, such as GMER?

http://www.gmer.net/index.php

Where are these viruses appearing on the server?  Are they in the IE cache?

Can you post a HijackThis log?

http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis

Expert Comment by:prlit (LVL 1)
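The reasoning in the comment above (nulls under \Secrets are by design, data mismatches on values that change mid-scan are noise) can be turned into a repeatable triage step. The following helper is an added example, not part of the thread or of RootkitRevealer itself: it parses RootkitRevealer's text output, labels each discrepancy, and keeps only findings that recur across two scans. The list of volatile value names and the third sample line (a made-up hidden key) are assumptions constructed for the example.

```python
import re
from collections import namedtuple

Finding = namedtuple("Finding", "path timestamp size desc")

# One discrepancy per line: path, timestamp, size in bytes, description.
LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2} [AP]M)"
    r"\s+(?P<size>\d+) bytes\s+(?P<desc>.+?)\s*$"
)

# Assumed list of value names that legitimately change while a scan runs
# (from the thread: an MSSQL uptime counter and BES sequence-id counters).
VOLATILE_SUFFIXES = ("uptime_time_utc", "NextEtpId", "NextSrpId", "NextSrpIdToAgents")

def parse(text):
    """Return a Finding for every well-formed line; blanks are skipped."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            out.append(Finding(m["path"], m["ts"], int(m["size"]), m["desc"]))
    return out

def classify(f):
    """Map one finding to a triage label a defender can act on."""
    desc = f.desc.lower()
    if "hidden from windows api" in desc:
        return "HIGH: object hidden from the Windows API, examine offline"
    if "embedded nulls" in desc:
        if f.path.upper().startswith("HKLM\\SECURITY\\POLICY\\SECRETS\\"):
            return "EXPECTED: LSA Secrets key names contain nulls by design"
        return "REVIEW: embedded nulls outside LSA Secrets"
    if "data mismatch" in desc:
        if f.path.endswith(VOLATILE_SUFFIXES):
            return "LIKELY BENIGN: counter updated mid-scan, confirm with a rescan"
        return "REVIEW: data mismatch on a value that should be static"
    return "REVIEW: " + f.desc

def persistent(first, second):
    """Keep findings whose path and description recur in a second scan."""
    keys = {(f.path, f.desc.lower()) for f in second}
    return [f for f in first if (f.path, f.desc.lower()) in keys]

# Constructed sample: two lines from the thread plus one made-up hidden key.
SAMPLE = r"""
HKLM\SECURITY\Policy\Secrets\SAC*          4/28/2005 9:59 AM      0 bytes      Key name contains embedded nulls (*)
HKLM\SOFTWARE\Microsoft\MSSQLServer\MSSQLServer\uptime_time_utc      10/24/2008 12:18 PM      8 bytes      Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Example\Hidden      10/24/2008 12:20 PM      0 bytes      Hidden from Windows API.
"""
```

Run the scan twice a few minutes apart and feed both outputs to `persistent()`; mid-scan counter updates drop out, and anything labelled HIGH or REVIEW that survives is what deserves an offline look.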
Try Combofix. http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Combofix plus Malwarebytes pretty much gets rid of anything and everything for me.

Author Comment by:CAT27
Used Combofix before I posted this and it looked good, but a few days later issues occur.
Today I got the following: Infostealer.Banker.c, and it was found in the TEMP directory of the local account.

I have not tried GMER yet.   Any more ideas?

Author Comment by:CAT27
No solution found here.  Had to do a complete re-install in order to resolve this issue.

Accepted Solution by:Franky_R (LVL 2, earned 500 total points)
Too bad you had to do a complete re-install ... Rootkits are indeed hard to get rid of. Most of the time it only looks like you're patching the damage they do but can't remove them completely. That's why reinstalling is often the best solution.

Better luck next time !
Franky

Author Closing Comment by:CAT27
I like the encouragement :)