catchme.sys and other possible malware... Windows XP

catchme.sys is just part of GMER which is used by ComboFix and some other tools.

 

Please follow these instructions, as catchme.sys is malware:

READ & RUN ME FIRST. Malware Removal Guide

 

You need to provide the requested logs as instructed in the Windows XP Malware Removal/Cleaning Procedure:

 

Sorry I was confused because of this thread here where Chas says:

 

See the below more than 3 year old thread explaining this. See what I stated in message # 16 too

http://forums.majorgeeks.com/showthread.php?t=145834

 

I am not finding any malware in your logs. You can try running the AVG removal tool to see if it finds any traces:
AVG Removal Tool.

We can then do this:

* Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
If it is not on your Desktop, the below will not work.
* Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
* If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
* Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):

Code:

KILLALL::
SecCenter::
{17DDD097-36FF-435F-9E1B-52D74245D6BF}
Quit::

* Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
* At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
* You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
If it asks you to overide the previous file with the same name, click YES.
* Now use your mouse to drag CFscript.txt on top of ComboFix.exe
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
* Follow the prompts.

Note:

Do not mouseclick combofix's window while it is running. That may cause it to stall.

Tell me what issues you are still having, if any.

 

Run CCleaner. Both the cleaner and the registry. Make sure to do the backup when prompted. Hopefully that will remove all leftovers from AVG. Let me know what you find.

 

If you are not having any other malware problems, it is time to do our final steps:

1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
   • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
   • "%userprofile%\Desktop\combofix" /uninstall
     • Notes: The space between the combofix" and the /uninstall, it must be there.
     • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
3. Go back to step 6 oof the READ ME and renable your Disk Emulation software with Defogger if you had disabled it.
4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
7. Go to add/remove programs and uninstall HijackThis.
8. Goto the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders
   related to MGtools and some other items from our cleaning procedures.
9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
   • Refer to the cleaning procedures pointed to by step 7 of the READ ME
     for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
   • Then reboot and Enable System Restore to create a new clean Restore Point.
10. After doing the above, you should work thru the below link:
    • How to Protect yourself from malware!

 

Try download The Avenger by Swandog469, and save it to your Desktop.

* Extract+ avenger.exe from the Zip file and save it to your desktop

Disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

* Run avenger.exe by double-clicking on it.
* -Do not change any check box options!!
* Copy everything in the Quote box below, and paste it into the Input script here: part of the window:

* Now click the Execute button.
* Click Yes to the prompt to confirm you want to execute.
* Click Yes to the Reboot now? question that will appear when Avenger finishes running.
* Your PC should reboot, if not, reboot it yourself.
* A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

Did that work?

 

Just copy:

Folders to delete:
C:\ZZZZZZ

Is that the correct number of Z's?

 

You should be able to just delete the Avenger folder.

 

Yes.

 

Open the folder and right click the folder inside. Choose properties and click on the security tab. Set your user account to have full permissions. Then do the same with the main folder. Then see if you can delete it.

 

On which? The Avenger folder or the ZZZZZ folder?

 

Boot in safe mode try deleting. If that does not work, navigate downward in the folder/file directory structure to the lowest level file/folder and delete it first and the work your way toward the top level which is the C:\Avenger folder.

 

Also something else that may fix the no security tab issue is the below.



So to see and unhide the Security tab, just use the following steps:

1. Launch Windows Explorer or MyComputer
2. Click on the Tools at the menu bar, then click on Folder Options.
3. Click on View tab.
4. In the Advanced Settings section at the bottom of the list, uncheck and unselect (clear the tick) on the “Use simple file sharing (Recommended)” check box.
5. Click OK.

See the below where the above came from and more info is included too:

http://www.mydigitallife.info/2006/07/19/missing-or-no-security-tab-found-in-windows-xp-professional/

 

Normal boot mode.

C:\Avenger is a folder. Inside this folder there can be other folders and other files. If you just keep navigating down from the root Avenger folder you will eventually hit the lowest level item ( either a file or a folder ). You need to work backwards from this point deleting files first and then the folder that contained the files until you get back up to the top which is the Avenger folder. Once there is nothing else under the Avenger folder, you should be able to delete it. You are having a problem with Windows permissions ( quite common and somewhat of a bug in Windows ). It is not a malware problem.

Also note that you need to make sure that you have viewing of hidden and system files enabled to make sure that you are not missing the viewing of any files in the folders you are trying to remove.

 

You're welcome.

Yes.