Catchme.sys and possible keystroke grabber

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by drdunk, Dec 13, 2007.

  1. drdunk

    drdunk Private E-2

    Hi Major Geeks,

    I have run the stuff I was supposed to including mgtools.exe

    I had hoped I could figure out the log files but I better let you do it.

    I didn't run AVG until last, and then it didn't give a report. I ran it over night last night and checked again in the morning to see that the right options were checked. Anyway it only found Adware.webupdates and a few cookies that must have popped back up since CCleaner.

    However catchme.sys is on my system just since I came back to Major Geeks a couple days ago. Is it a worm or what?

    And: too often after I type a letter there is a strange delay before it appears on screen. Is this a sign of trouble?

    I hope that catchme.sys is the only thing I have to remove, and that you know just how to do it.

    For the record I'm not a doctor despite my username.

    Thanks!

    Dunk
     


  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please attach the requested log from ComboFix.

    Why do you say Catchme.sys is on your system? Are you seeing it in a log? Don't confuse it with C:\WINDOWS\catchme.exe which is part of GMER and is used with ComboFix.
     
  3. drdunk

    drdunk Private E-2

    Log from Combofix: Aha! Here it is right in plain sight. My bad. Thanks for a quick catch!
     


  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You did not answer my question.
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your logs do not show any malware. You just have some miscellaneous non-malware things to clean up as given below.

    Run this Disable/Remove Windows Messenger to remove Windows Messenger. Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

    Uninstall the below old versions of software:
    Java 2 Runtime Environment, SE v1.4.1_02
    Java(TM) SE Runtime Environment 6 Update 1

    Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

    After clicking Fix, exit HJT.
     
  6. drdunk

    drdunk Private E-2

    You're right again. Catchme.sys shows up at boot time. I have an expired Trojan Remover which checks but does not remove until I register - after I clear the problem so I am safe. Just in the last couple days it stops and warns me of catchme.sys. I'm going to register Trojan Remover; it notices things other programs don't.

    Meanwhile I'll follow your other instructions.

    Thanks,

    Dunk
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Are you sure it is catchme.sys? If so, where is it finding it?
     
  8. drdunk

    drdunk Private E-2

    Where is catchme.sys? T/R says:

    Scanning Services Keys ... 39 %
    Scanning subkeys ... 15 %
    Scaning:
    registry key
    HKLM\SYSTEM\CurrentControlSet\Services\catchme

    Filename
    C:\DOCUME~1User\LOCALS~1\Temp\catchme.sys

    An executable file with this name *has not* been found (it may be hidden)
    This file cannot be found to be scanned (it may be hidden).

    ===

    Now you see it, now you don't. Hence the teasing name "Catch me, Sis". :D

    Dunk
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay that is what I wanted to see to be sure you really were detecting the service that is related to this. The service itself needs to be removed from the registry.


    Download Registry Search (see the link titled RegSearch Download Link)

    * Extract the files from Regsearch.zip into a folder.
    * Doubleclick regsearch.exe to start the program.
    * Enter catchme in the top area of the form and then click "OK".
    * Notepad will be opened with text in it (the file named RegSearch.txt will be saved in the program's folder as well). Attach this file to your next reply.
     
  10. drdunk

    drdunk Private E-2

    Ok I did that. Log attached.

    By the way, meanwhile, a little earlier today I downloaded and ran GMER, which complicates the log. GMER log attached too.
     


  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    While I look at your logs and create a fix, please download the newest version of MGtools from MGtools.exe Download to C:\MGtools.exe and overwrite your old version. Then run MGtools.exe and attach the new C:\MGlogs.zip file that will be created.
     
  12. drdunk

    drdunk Private E-2

    Ok, new MGTools log attached.

    By the way, as before, at the end of Mgtools I still get an error msg:

    ProcessDll.exe - Application Error

    X The application failed to initialize properly (0xc0000135) Click on OK to terminate the application.

    ==

    This may have to do with name ProcessDll.exe vs procDll.exe.

    Dunk
     


  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Did you notice in the runkeys.txt log that catchme.sys was reported. ;)

    This is the first time you mentioned this. It has nothing to do with the file name. It has to do with the fact that you have never installed Microsoft .NET Framework from Microsoft Update.


    Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Check the 'Input script manually' box.
    • Click on the magnifying glass icon.
    • Copy everything in the Quote box below, and paste it in the box that opens:
    • Now click the 'Done' button.
    • Click on the traffic light icon and OK the prompt.
    • You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt

    Now run Ccleaner!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Avenger.

    Make sure you tell me how things are working now!
     
  14. drdunk

    drdunk Private E-2

    "Did you notice in the runkeys.txt log that catchme.sys was reported. ;) "

    Yes indeed. And thanks for the new instructions. I'm on it.

    Dunk
     
  15. drdunk

    drdunk Private E-2

    Ok Things are fine! Rebooted, and no sign of catchme.sys. Logs attached.

    I noticed that Avenger couldn't find everything it sought. And CCleaner said it removed a long list of cookies. Where did they come from, since I had run it just a little earlier? ... Many mysteries, but Trojan Remover does not see catchme.sys. Anything else I should know?

    Thanks!

    Dunk
     


  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay I added all of that to the version of GetRunKey and did the deletion just to make sure of something which I had said in message # 2. And that is what you were seeing is only due to ComboFix being run and it is not a problem. ComboFix uses Catchme which is part of GMER's Rootkit detection tool. And Catchme requires a service to be installed and the service is named catchme and the catchme.sys file in your temp folder is also from this.
     
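    The explanation above boils down to one check a helper can make before reaching for a removal tool: does the `catchme` service key still exist, and does the driver it points at still exist on disk? The following PowerShell script is an added example written for this thread, not a tool from the forum or from GMER; it only uses the service name and registry path already quoted in the thread and reports what it finds without changing anything.

```powershell
# Added example: triage a leftover 'catchme' service entry such as the one
# Trojan Remover reported above. Read-only; it deletes nothing.
$serviceName = 'catchme'   # service name as shown in the thread
$key = "HKLM:\SYSTEM\CurrentControlSet\Services\$serviceName"

if (-not (Test-Path $key)) {
    "No '$serviceName' service key under CurrentControlSet\Services."
    return
}

$svc = Get-ItemProperty -Path $key
# ImagePath may carry a '\??\' prefix or environment variables; normalise it.
$imagePath = [Environment]::ExpandEnvironmentVariables(
    ($svc.ImagePath -replace '^\\\?\?\\', ''))
"Service key : $key"
"ImagePath   : $imagePath"
"Start       : $($svc.Start)  (0 boot, 1 system, 2 auto, 3 manual, 4 disabled)"
"Type        : $($svc.Type)   (1 = kernel driver)"

# GMER/ComboFix drops catchme.sys into the user's Temp folder for the scan and
# removes it afterwards, so a service key pointing at a missing file is the
# expected leftover; a file that is still present deserves a closer look.
if (Test-Path -LiteralPath $imagePath) {
    $file = Get-Item -LiteralPath $imagePath
    "File present: $($file.Length) bytes, modified $($file.LastWriteTime)"
    $sig = Get-AuthenticodeSignature -FilePath $imagePath
    "Signature   : $($sig.Status) $($sig.SignerCertificate.Subject)"
} else {
    "File missing: $imagePath (orphaned service entry)"
}

# Is a driver with that name currently loaded?
$drv = Get-CimInstance Win32_SystemDriver -Filter "Name='$serviceName'" `
       -ErrorAction SilentlyContinue
if ($drv) { "Driver state: $($drv.State)" }
else      { "No loaded driver named '$serviceName'." }
```

    Run it from an elevated PowerShell prompt on the affected machine; an orphaned entry that points at a missing Temp file and has no loaded driver matches the benign leftover described in the post above.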
  17. drdunk

    drdunk Private E-2

    Thanks again for everything *including the explanation*. I had already wasted a lot of time online searching for an explanation of catchme, and probably would have wasted more time on it.

    Dunk
     
  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

