catchme.sys keylogger

Discussion in 'Malware Help (A Specialist Will Reply)' started by sven777, Oct 29, 2008.

  1. sven777

    sven777 Private E-2

    Hi:

    I recently saw that someone bought airline tickets on a Middle Eastern airline using my credit card. Since I don't support terrorists, I notified the credit card company and had it cancelled right away. After going through several forums, I think that I found the answer here at Major Geeks.

    In this forum (http://forums.majorgeeks.com/showthread.php?t=145834), drdunk had the same problem as me. I couldn't see the catchme.sys file in my local setting/temp folder, but a Kaspersky AVZ report indicated that it was there. I also had the same registry entries that DrDunk had.

    In the same fashion as drdunk, I used Avenger and deleted those entries, and I now have followed all of the requisite instructions for this forum.

    None of the scans seemed to find anything, but after having my credit card stolen, I want to make sure that everything is OK on this laptop.

    If there is anything else that I should change and/or delete, please let me know. I don't want this to happen again.

    I am very good about installing the latest updates and keeping everything up-to-date; so I am clueless as to how this happened on my system, unless another family member downloaded something in my absence.

    Since I upgraded Kaspersky Internet Security to KIS 2009, there have been a few instances where it would shut down and stop "application filtering". When this would happen, I would immediately shut off the wireless connection and reboot, but a couple of weeks ago, I was unable to do so right away, and I think that's how my data escaped with the keylogger. Kaspersky reports showed "keylogger activity" right around the same time as the Kaspersky downtime. Coincidence? I think not.

    Thanks in advance for your help, this forum is a great resource.

    Sven
     

    Attached Files:

  2. sven777

    sven777 Private E-2

    Here is the final attachment MGlogs.zip
     

    Attached Files:

  3. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Welcome to MajorGeeks.com!

    Your logs are clean and everything looks good. The file and registry entries you are referring to are part of ComboFix. The utility ComboFix uses catchme, which is part of GMER's rootkit detection tool that is included in ComboFix. It is NOT a problem and should not be detected as a problem. There are some antivirus programs that will flag such utilities simply due to their nature. In reality they are harmless; they are in fact fighting the malware.

    You can run these steps below to remove some unnecessary items.

    Step 1:
    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    Again, make sure ALL browser windows are closed when you click FIX.

    Step 2:
    Please download ATF Cleaner by Atribune. This program does not require an installation. The executable actually runs the program.

    NOTE: This program is for Windows XP and Windows 2000 only. ATF Cleaner will remove all files from the items that are checked, so if you have some cookies you'd like to save, please move them to a different directory first.
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main ATF Cleaner menu to close the program.
     
  4. sven777

    sven777 Private E-2

    OK, I will run the items you requested. However, I have to disagree with you on one thing. I WAS NOT REFERRING TO THE CATCHME associated with ComboFix. I do know that ComboFix has a catchme file, but I had the catchme.sys file on my system before I even downloaded ComboFix.

    In the Drdunk thread that I mentioned in my first post, I think that the person helping him (CHASLANG) also thought that he was talking about the combofix catchme at first, but drdunk did have catchme.sys on his system, and so did I (CHASLANG confirmed the catchme.sys problem for drdunk was genuine as his case progressed). However, after running through the same steps mentioned in that thread, I was able to remove it with the Avenger program. Yes, I know that I shouldn't use someone else's instructions, but I had the exact same problem, the exact same registry entries, and I didn't want this keylogger to continue on, especially since I had my credit card used to book flights between Pakistan, Dubai and Peking (sounds like a terrorist to me).

    I suggest you look at this thread again to see that I do know what I am talking about. http://forums.majorgeeks.com/showthread.php?t=145834

    Before I ran ComboFix, and before I even downloaded ComboFix, I had the same CATCHME.SYS file and registry entries as drdunk.

    Here's a snippet of my Avenger report (which was run before ComboFix was even downloaded) that shows the catchme registry entries that were deleted (and were in no way related to ComboFix):

    Registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_CATCHME\0000\Control" deleted successfully.
    Registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_CATCHME\0000" deleted successfully.
    Registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_CATCHME" deleted successfully.
    Registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\catchme\Enum" deleted successfully.
    Registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\catchme" deleted successfully.


    I don't mean to belabor this, but I do want to prove that I did, in fact, have the catchme.sys file on my system before I deleted it with Avenger.

    Thanks for your help, Now I will run the analyse and ATF cleaner as per your instructions.

    Thank you for confirming that the rest of the logs look OK. I will post the results as soon as I am done.

    Sven
     
  5. sven777

    sven777 Private E-2

    Thanks for the help. I went through both steps, then ran analyse.exe again to confirm that the items were removed. The first boot-up after that took a bit longer than usual, but that was to be expected. Now the old laptop is a lean, mean, computing machine again.

    I was extremely close to a complete reformat and reinstall when this breach first occurred. I then would've given this laptop to my son and bought a new one when I was finished reinstalling everything.

    Thanks to this forum, I was able to get rid of the catchme.sys keylogger program with CHASLANG's instructions, and now I know that the rest of the system is clean thanks to bjgarrick.

    My son is a bit disappointed that I don't have to buy a new laptop right now, but I may still give him this laptop. At least now I have the luxury of time; so that I can wait for a great deal on a new one.

    Sven
     
  6. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Run the below to see if anything remains...

    Download Registry Search (see the link titled RegSearch Download Link)

    * Extract the files from Regsearch.zip into a folder.
    * Doubleclick regsearch.exe to start the program.
    * Enter catchme in the top area of the form and then click "OK".
    * Notepad will be opened with text in it (the file named RegSearch.txt will be saved in the program's folder as well). Attach this file to your next reply.
     
    Last edited: Nov 6, 2008
  7. sven777

    sven777 Private E-2

    Thanks bjgarrick:

    Sorry for the delay in replying.

    The AC adapter for this laptop just crapped out yesterday; so I have been very careful to conserve battery power until a replacement arrives (when it rains, it pours).

    The attached regsearch.txt file contains references to the combofix catchme, but it also has other references. Are all of these now related to ComboFix, or are some of them related to the catchme.sys that I tried to delete before I downloaded ComboFix?

    I used the Avenger program, but just like drdunk in the other thread I referenced, it did fail in deleting the hidden catchme.sys. It did succeed in deleting the registry entries earlier. Did some of the registry entries restore themselves?

    Thanks, this has been annoying, but educational. I appreciate your help.

    Sven
     

    Attached Files:

  8. sven777

    sven777 Private E-2

    Sorry, I had to get off of my laptop quick; trying to save that battery... I'll finish what I wanted to say on another PC here:

    I know that the Avenger program did get rid of all of the catchme.sys registry entries when I ran it before; so I guess I just wanted to confirm that all of these current registry entries were for the catchme.sys that is part of the ComboFix program?

    Before I ran Avenger, I had similar registry entries, except that one of them didn't reference the ComboFix directory but instead referenced my user directory\local settings\Temp directory for the location of the catchme.sys file (but I couldn't find the file in that location when I looked for it). I am sure the hidden nature of the malicious file is by design.
     
  9. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Just to know it's all gone, run the below and attach the log once complete.
    • Run avenger.exe by double-clicking on it.
    • Do not change any check box options!!
    • Copy everything in the Quote box below, and paste it into the Input script here: part of the window:
    • Now click the Execute button.
    • Click Yes to the prompt to confirm you want to execute.
    • Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    • Your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.
     
    Last edited: Nov 8, 2008
  10. sven777

    sven777 Private E-2

    Thanks bjgarrick:

    I tried your script this morning, but got an error message. I then tried to continue the script, but it just kept giving the same error message; so I quit the program and shut down. If you have any other ideas, I may have enough bATTERY POWER FOR ANOTHER ATTEMPT. Sorry, I hit caps lock (wasn't shouting)

    Error message was something like this ( I couldn't cut and paste):
    (start of error message)
    Error: Invalid registry syntax in command:

    Hkey_Local_Machine\system\control set0001\enum\root\legacy_catchme\0000\control

    Only registry keys under Local Macine hive are accessible to this program. Skipping Line.

    (Registry key deletion model)
    (end of error message)
    I wrote the above quickly to conserve battery power; so I don't know if the above is 100% accurate (I know that some items are in upper case, and I may have missed an underscore character here and there), however, that is the gist of the error message I got.

    When I tried to continue, I just kept getting the same error over and over; so I quit the program and shut down to save my battery. A new AC adapter is on its way, but won't be here for a few days.


    Is this something as simple as the brackets around the registry keys in your input script? Could that be causing the problem? Before, when I followed CHASLANG's instructions from drdunk's post, his Avenger script didn't have the brackets around the registry keys to be deleted. Other than that, many items seemed identical to your script.

    Sorry if that sounds dumb, but I don't know why your script wouldn't run; so I am grasping for ideas. I won't do anything else until I hear from you.

    Thanks again for your help; it is truly appreciated.


    Sven
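As an added example (not code from the thread, nor from Avenger's or ComboFix's authors), the Python helper below parses Avenger log lines of the kind quoted in post 4 into the driver/service names they refer to, and pre-checks registry keys intended for an Avenger delete script against the two constraints the error message in this post reveals: keys must not be wrapped in brackets, and only keys under the HKEY_LOCAL_MACHINE hive are accepted. The sample log is constructed from the lines posted above, and the assumption that the hive name must be spelled out in full is mine.

```python
import re

# Constructed sample: Avenger log lines modelled on the five lines quoted in post 4.
SAMPLE_AVENGER_LOG = """\
Registry key "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Enum\\Root\\LEGACY_CATCHME\\0000\\Control" deleted successfully.
Registry key "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Enum\\Root\\LEGACY_CATCHME\\0000" deleted successfully.
Registry key "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Enum\\Root\\LEGACY_CATCHME" deleted successfully.
Registry key "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\catchme\\Enum" deleted successfully.
Registry key "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\catchme" deleted successfully.
"""

DELETED_RE = re.compile(r'^Registry key "([^"]+)" deleted successfully\.$')
# The LEGACY_<NAME> enumeration branch and the Services\<name> branch both
# describe the same kernel driver; both patterns are matched case-insensitively.
LEGACY_RE = re.compile(r'\\Enum\\Root\\LEGACY_([^\\]+)', re.IGNORECASE)
SERVICE_RE = re.compile(r'\\Services\\([^\\]+)', re.IGNORECASE)


def deleted_keys(log_text):
    """Return the registry keys an Avenger log reports as deleted."""
    keys = []
    for line in log_text.splitlines():
        m = DELETED_RE.match(line.strip())
        if m:
            keys.append(m.group(1))
    return keys


def driver_names(keys):
    """Normalise deleted keys to the (lower-cased) driver names they belong to."""
    names = set()
    for key in keys:
        for rx in (LEGACY_RE, SERVICE_RE):
            m = rx.search(key)
            if m:
                names.add(m.group(1).lower())
    return sorted(names)


def script_key_problems(script_lines):
    """Flag keys that would trip Avenger's 'Invalid registry syntax' check.
    Assumption: the hive must be written as HKEY_LOCAL_MACHINE in full."""
    problems = []
    for line in script_lines:
        key = line.strip()
        if not key:
            continue
        if key.startswith('[') or key.endswith(']'):
            problems.append((key, 'bracketed key'))
            key = key.strip('[]')
        if not key.upper().startswith('HKEY_LOCAL_MACHINE\\'):
            problems.append((key, 'not under HKEY_LOCAL_MACHINE'))
    return problems
```

Running `driver_names(deleted_keys(SAMPLE_AVENGER_LOG))` collapses the five deleted keys to the single driver name `catchme`, which is the quick way to see which legacy driver entries a given Avenger run actually removed.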
     
  11. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Yes! Run it again, I took off the brackets. I forgot to remove those while going thru the log.:)
     
  12. sven777

    sven777 Private E-2

    OK, I thought that might be it, but wanted to be sure. Thanks for the confirmation.

    I'll get to it on Monday morning and report back; I think I have enough battery power left for another try.

    On another note, I see that you are located in southern Alabama. Were you sweating out the LSU game this weekend, or are you not a 'Bama supporter?
     
  13. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    I was a bit worried because of the rivalry, rankings and stats don't mean anything when it comes to a rivalry like that. Either way, my team won and is on their way ;)
     
  14. sven777

    sven777 Private E-2

    OK, I ran it and the avenger log is attached. I also attached the old avenger log I ran before I started this process. Were the catchme registry entries that were deleted just now related to combofix, or did the bad catchme registry entries regenerate?


    Thanks, gotta go, not much battery left, but will borrow a neighbor's charger today.

    Sven
     

    Attached Files:

  15. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file.
     
  16. sven777

    sven777 Private E-2

    OK here they are
     

    Attached Files:

  17. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    To finish this thread, look in Add/Remove Programs and uninstall Coupon Printer for Windows if found.

    Next, manually locate and delete the following file.

    Once you complete this post, reboot and let me know how things are running.
     
  18. sven777

    sven777 Private E-2

    Coupon printer removed, as was the googleupdate.exe file. Everything seems OK so far. I topped off the battery with a neighbor's charger yesterday; so I'll see how it performs and report back after some more use.

    Thanks again for the help.

    Sven

    Now if I could only find the guy who booked tickets on my credit card from Pakistan to Dubai, and then on to Peking.
     
  19. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    3. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /u
        • Notes: The space between the combofix" and the /u, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
      • Delete the C:\combofix folder from combofix (if it exists)
    4. If we had you run Avenger, you can delete all files related to Avenger now.
    5. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    6. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    7. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    8. Go to add/remove programs and uninstall HijackThis.
    9. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
    10. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning steps in the READ ME for your Window version and see the steps to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    11. After doing the above, you should work thru the below link:
     
