I recently had a rootkit installed on my system. I eventually got it all cleaned up, but after checking with a new anti-rootkit tool, I see I might still have a keylogger left on my system.
The problem is that only that one particular scanner is showing the problem; about a dozen other rootkit scanners show me as 100% clean.
I need to know if I should clean up that file, or leave it alone as it might be important to my system.
I used ComboFix and Malwarebytes to clean out the rootkit on my PC. After I finished with ComboFix, I deleted it as per the instructions.
I additionally scanned with the following rootkit scanners:
RUbotted, F-Secure BlackLight, Rootkit Buster, RootkitRevealer, Sophos Anti-Rootkit, GMER, Kaspersky Online Scanner, Malwarebytes, Panda Anti-Rootkit and Bitdefender Antirootkit.
All showed me as clean, except one program:
UnHackMe
It showed that I had a known malware that might be a keylogger.
The log was this:
Quote
The problem is related to the computer component:
Kernel Auto Boot
Type: Services detected by Partizen
Item Name: catchme
Related File: \??\C:\DOCUME~1\Owner\LOCALS~1\Temp\catchme.sys
This program is known as malware
Googling catchme.sys gives me several pages that either say the .sys file is a keylogger or a legitimate file that belongs to ComboFix (which I uninstalled already).
I am not sure what to do. Am I infected with a keylogger, or will deleting it cause me problems, since it might be a legitimate file?
UnHackMe also shows the file MEMSWEEP2, located in C:\WINDOWS\System32\1.tmp, as suspicious but not necessarily malware. Googling MEMSWEEP2 also gives conflicting results on whether it is malware or a legitimate part of the Sophos Anti-Rootkit program, which I have.
The Catchme folder is located in:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\catchme\
The files inside are listed like this:
Quote
Name           Type           Data
(Default)      REG_SZ         (value not set)
ErrorControl   REG_DWORD      0x00000001 (1)
Group          REG_EXPAND_SZ  Base
Image Path     REG_EXPAND_SZ  \??\C:Documen~1\owner\
Start          REG_DWORD      0x00000003 (3)
Type           REG_DWORD      0x00000001 (1)
There is also a sub-folder in the catchme folder called Enum, with files similar to the ones above.
Is this legit, or is it a keylogger that I should immediately delete with UnHackMe?
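Added example, not part of the original post and not code from UnHackMe, ComboFix, GMER or Sophos: a Python script that parses a "Name Type Data" listing of a service key such as the catchme one above, decodes the Type and Start values, and says what to check before deleting the key. The same triage applies to the MEMSWEEP2 entry. The sample listing is constructed from the values in the post (the full ImagePath from the UnHackMe log is used in place of the truncated one in the registry listing). The verdict strings and the list of user-writable path fragments are my own choices; Type 1 = SERVICE_KERNEL_DRIVER and Start 3 = SERVICE_DEMAND_START are the documented Windows service control manager values.

```python
import hashlib
import os
import re
from dataclasses import dataclass

# Values of the Type and Start registry entries, as defined by the Windows
# service control manager (winnt.h / winsvc.h).
SERVICE_KERNEL_DRIVER = 0x1
SERVICE_FILE_SYSTEM_DRIVER = 0x2
SERVICE_BOOT_START = 0x0
SERVICE_SYSTEM_START = 0x1
SERVICE_AUTO_START = 0x2
SERVICE_DEMAND_START = 0x3
SERVICE_DISABLED = 0x4

# Path fragments (my own list) that point into locations an ordinary user can
# write to. A kernel driver living there is either a temporary helper dropped
# by a tool, or something that has no business being there.
USER_WRITABLE_HINTS = ("\\temp\\", "\\docume~1\\", "\\documents and settings\\",
                       "\\users\\", "\\appdata\\")

# Constructed sample in the same layout as the listing in the post.
SAMPLE_DUMP = r"""
Default REG_SZ (value not set)
ErrorControl REG_DWORD 0x00000001 (1)
Group REG_EXPAND_SZ Base
Image Path REG_EXPAND_SZ \??\C:\DOCUME~1\Owner\LOCALS~1\Temp\catchme.sys
Start REG_DWORD 0x00000003 (3)
Type REG_DWORD 0x00000001 (1)
"""

# "<value name> <REG_type> <data>"; the name may contain a space ("Image Path").
LINE_RE = re.compile(r"^(?P<name>.+?)\s+(?P<rtype>REG_[A-Z_]+)\s*(?P<data>.*)$")


@dataclass
class ServiceEntry:
    name: str
    type: int
    start: int
    error_control: int
    group: str
    image_path: str


def parse_dword(data):
    # "0x00000003 (3)" -> 3
    return int(data.split()[0], 16)


def nt_to_win32(path):
    # Driver ImagePaths are commonly stored in NT object-manager form
    # ("\??\C:\x.sys"); drop the prefix so the path can be checked on disk.
    return path[4:] if path.startswith("\\??\\") else path


def parse_service_dump(name, text):
    values = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            key = m.group("name").replace(" ", "").lower()
            values[key] = m.group("data").strip()
    return ServiceEntry(
        name=name,
        type=parse_dword(values["type"]),
        start=parse_dword(values["start"]),
        error_control=parse_dword(values["errorcontrol"]),
        group=values.get("group", ""),
        image_path=nt_to_win32(values["imagepath"]),
    )


def triage(entry, file_exists):
    """Return (verdict, reasons). file_exists: whether ImagePath resolves on disk."""
    reasons = []
    if entry.type != SERVICE_KERNEL_DRIVER:
        return "not-a-kernel-driver", ["Type is not 1, so this is not a kernel-mode driver"]
    reasons.append("Type 1: kernel-mode driver, runs with full kernel privilege when loaded")
    if entry.start == SERVICE_DEMAND_START:
        reasons.append("Start 3: demand start, loaded only when a program explicitly starts it")
    elif entry.start in (SERVICE_BOOT_START, SERVICE_SYSTEM_START, SERVICE_AUTO_START):
        reasons.append(f"Start {entry.start}: loads automatically at boot")
    if any(h in entry.image_path.lower() for h in USER_WRITABLE_HINTS):
        reasons.append("ImagePath is in a user-writable directory (temp helper driver or malware)")
    if not file_exists:
        reasons.append("driver binary is missing: nothing can load; this is an orphaned key")
        return "orphaned-entry", reasons
    reasons.append("driver binary present: hash it and check its publisher before deleting")
    return "verify-binary", reasons


def sha256_of(path):
    # Hash the on-disk driver so it can be looked up or submitted to a vendor.
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


if __name__ == "__main__":
    entry = parse_service_dump("catchme", SAMPLE_DUMP)
    verdict, reasons = triage(entry, os.path.exists(entry.image_path))
    print(entry.name, verdict)
    for r in reasons:
        print(" -", r)
```

On the Windows machine itself, the two inputs the script needs are obtained with `reg query HKLM\System\CurrentControlSet\Services\catchme` (the listing) and `dir "%TEMP%\catchme.sys"` (whether the binary still exists); `reg export` the key before deleting it so it can be restored if anything breaks.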