
Possible catchme.sys or mbr.sys rootkit?

3 replies to this topic

#1 ImDisguysd

  • Members
  • 2 posts

Posted 18 July 2010 - 01:00 PM

I believe that my other desktop computer has been infected with the catchme.sys rootkit and perhaps the mbr.sys rootkit.

The software that I have already downloaded includes ComboFix, CCleaner, rkill, HijackThis, AVG 9.0 (free), Spybot S&D, BitDefender Online Scanner, GMER, Rootkit Buster, MalwareBytes Anti-Malware and a registered copy of SpySweeper. I have also downloaded and run CWShredder, VundoFix and have SysInternals Process Explorer available to assist in the troubleshooting process. On at least one log (I believe it was ComboFix), I saw an entry for catchme.sys and another entry for mbr.sys, both identified as problems.

I have spent an exhaustive amount of time unsuccessfully trying various things that the talented people here have suggested to others. Realizing that each configuration is unique, I thought it was time for me to ask for some help on a personal basis.

Prior to sending any logs or performing any further software scans, I respectfully ask for the help from the members here to aid me in finding out how to cure this issue.

Thanks very much for anyone who can help and will take the time to do so.

Dave

Edited by hamluis, 18 July 2010 - 01:46 PM.
Moved from XP to Am I Infected forum ~ Hamluis.


#2 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 51,768 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 19 July 2010 - 12:39 PM

Catchme is a rootkit scanner that detects userland rootkits and is incorporated with some specialized fix tools like Combofix and GMER. Mbr.sys is the driver related to GMER's MBR rootkit detector which also uses catchme.exe.

Please note the message text in blue at the top of this forum.

No one should be using ComboFix unless specifically instructed to do so by a Malware Removal Expert who can interpret the logs. It is a powerful tool intended by its creator to be "used under the guidance and supervision of an expert." Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again. Please read the pinned topic ComboFix usage, Questions, Help? - Look here.

GMER is a stand-alone tool that will help investigate for the presence of rootkits. It will not actually tell you if you are infected or not unless you know what you're looking for. If you're unsure how to use a particular Anti-rootkit (ARK) tool or interpret the log it generates, then you should not be using it. Some ARK tools are intended for advanced users or to be used under the guidance of an expert who can interpret the log results. ARKs are powerful tools and using them incorrectly could lead to disastrous problems with your operating system. Most of the more effective ARK tools like GMER should only be used under the guidance of an expert who knows how to investigate its log for malicious entries before taking any removal action.

Why? Not all hidden components detected by ARKs are malicious. It is normal for a Firewall, some Anti-virus and Anti-malware software (ProcessGuard, Prevx1, AVG AS), sandboxes, virtual machines and Host based Intrusion Prevention Systems (HIPS) to hook into the OS kernel/SSDT in order to protect your system. SSDT (System Service Descriptor Table) is a table that stores addresses of functions that are used by Windows. Whenever a function is called, Windows looks in this table to find the address for it. Both legitimate programs and rootkits can hook into and alter this table. You should not be alarmed if you see any hidden entries created by legitimate programs after performing a scan.

With that said, what specific issues are you having that require a request for assistance with malware removal? Please describe any problem(s) in detail as they could provide a clue as to whether your issues are malware related or not.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
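The SSDT explanation in the post above, as an added example that is not from the post, from GMER, or from any other tool named in the thread: a constructed C model of a service dispatch table (an array of function pointers looked up by service number), a protective product installing a transparent logging hook the way a HIPS might, and a scan that reports every entry differing from a known-good copy. The known-good copy stands in for the clean kernel image an ARK compares against; all function and variable names here are invented for the illustration.

```c
#include <stdio.h>

/* Constructed model of a system service dispatch table: one function
   pointer per service number, consulted on every call, like the SSDT. */
typedef long (*service_fn)(long arg);
#define SERVICE_COUNT 3

/* Stand-in service handlers (the "kernel" side of the table). */
static long svc_open(long arg)  { return arg + 1; }
static long svc_read(long arg)  { return arg * 2; }
static long svc_close(long arg) { (void)arg; return 0; }

/* The live table that dispatch() consults. */
static service_fn service_table[SERVICE_COUNT] = { svc_open, svc_read, svc_close };

/* Known-good copy taken from a trusted state; an ARK's analogue is the
   on-disk kernel image it compares the in-memory table against. */
static const service_fn baseline_table[SERVICE_COUNT] = { svc_open, svc_read, svc_close };

/* Look the handler up by service number and call it; -1 for a bad number. */
long dispatch(int service_no, long arg) {
    if (service_no < 0 || service_no >= SERVICE_COUNT) return -1;
    return service_table[service_no](arg);
}

/* A benign hook of the kind a HIPS installs: note the call, then forward
   to the original handler so callers see no difference. */
static service_fn original_open = 0;
static int open_calls_logged = 0;

static long hooked_open(long arg) {
    open_calls_logged++;
    return original_open(arg);
}

/* Install the logging hook on service 0; refuse to double-hook. */
int install_open_hook(void) {
    if (service_table[0] == hooked_open) return -1;
    original_open = service_table[0];
    service_table[0] = hooked_open;
    return 0;
}

/* Restore the saved original handler. */
int remove_open_hook(void) {
    if (service_table[0] != hooked_open) return -1;
    service_table[0] = original_open;
    return 0;
}

int open_hook_call_count(void) { return open_calls_logged; }

/* The scan an ARK performs: a bitmask of service numbers whose live entry
   no longer matches the baseline. It cannot say WHY an entry changed. */
unsigned scan_for_hooks(void) {
    unsigned mask = 0;
    for (int i = 0; i < SERVICE_COUNT; i++)
        if (service_table[i] != baseline_table[i]) mask |= 1u << i;
    return mask;
}

int main(void) {
    printf("modified entries before hook: 0x%x\n", scan_for_hooks());
    install_open_hook();
    dispatch(0, 41);
    printf("modified entries after hook:  0x%x (calls logged: %d)\n",
           scan_for_hooks(), open_hook_call_count());
    remove_open_hook();
    printf("modified entries after removal: 0x%x\n", scan_for_hooks());
    return 0;
}
```

The scan flags service 0 the moment the logging hook goes in, and the flag disappears when the hook is removed; the caller's result (42 for an argument of 41) is identical either way. That is the post's point in miniature: the table comparison tells you that an entry was redirected, not whether the thing that redirected it is a HIPS or a rootkit, which is why the log needs an experienced reader before any removal action.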

#3 ImDisguysd

  • Topic Starter
  • Members
  • 2 posts

Posted 20 July 2010 - 12:29 PM

Thanks for the reply. I'm looking further into this issue. I have had a popup warning or two from AVG 9. I will attempt to screen cap those errors and let you know what's going on with them.

Again, thanks for the reply and advice.

#4 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 51,768 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 20 July 2010 - 12:33 PM

Not a problem.