Catchme.Sys


Has anyone ever seen catchme.sys running from the temp directory be flagged as possible rootkit activity?  I know that Catchme.sys is associated with some rootkit detection tool or another (not sure which one), but from what I've read, it should be running from C:\

I've found it running from C:\users\%username%\appdata\local\temp and it keeps getting flagged by certain diagnostics tools as a rootkit.

VirusTotal shows the file to be clean by ESET and others, but on this particular machine, the user has lost their ability to create New Folders.

Any ideas?


Hello,

While I am not familiar with catchme.sys, you should be able to repair the fact that the user cannot create folders.

Run system file checker and see if it fixed the issue. If not, you can create a registry import to repair the damage.

BACK UP YOUR REGISTRY KEYS FIRST (EXPORT)

Try this in a reg format and import:

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{11dbb47c-a525-400b-9e80-a54615a090c0}]
@="CLSID_ExecuteFolder"

[HKEY_CLASSES_ROOT\CLSID\{11dbb47c-a525-400b-9e80-a54615a090c0}\InProcServer32]
@="ExplorerFrame.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\Directory\Background\shellex\ContextMenuHandlers\New]
@="{D969A300-E7FF-11d0-A93B-00A0C90F2719}"

[HKEY_CLASSES_ROOT\Folder]
@="Folder"
"EditFlags"=hex:d2,03,00,00
"FullDetails"="prop:System.PropGroup.Description;System.ItemNameDisplay;System.ItemType;System.Size"
"ThumbnailCutoff"=dword:00000000
"TileInfo"="prop:System.Title;System.PropGroup.Description;System.ItemType"

[HKEY_CLASSES_ROOT\Folder\DefaultIcon]
@=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,\
  00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,00,68,00,\
  65,00,6c,00,6c,00,33,00,32,00,2e,00,64,00,6c,00,6c,00,2c,00,33,00,00,00

[HKEY_CLASSES_ROOT\Folder\shell]

[HKEY_CLASSES_ROOT\Folder\shell\explore]
"MultiSelectModel"="Document"
"BrowserFlags"=dword:00000022
"ExplorerFlags"=dword:00000021

[HKEY_CLASSES_ROOT\Folder\shell\explore\command]
@=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,\
  00,5c,00,45,00,78,00,70,00,6c,00,6f,00,72,00,65,00,72,00,2e,00,65,00,78,00,\
  65,00,20,00,2f,00,73,00,65,00,70,00,61,00,72,00,61,00,74,00,65,00,2c,00,2f,\
  00,65,00,2c,00,2f,00,69,00,64,00,6c,00,69,00,73,00,74,00,2c,00,25,00,49,00,\
  2c,00,25,00,4c,00,00,00
"DelegateExecute"="{11dbb47c-a525-400b-9e80-a54615a090c0}"

[HKEY_CLASSES_ROOT\Folder\shell\open]
"MultiSelectModel"="Document"
"BrowserFlags"=dword:00000010
"ExplorerFlags"=dword:00000012

[HKEY_CLASSES_ROOT\Folder\shell\open\command]
@=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,\
  00,5c,00,45,00,78,00,70,00,6c,00,6f,00,72,00,65,00,72,00,2e,00,65,00,78,00,\
  65,00,20,00,2f,00,73,00,65,00,70,00,61,00,72,00,61,00,74,00,65,00,2c,00,2f,\
  00,69,00,64,00,6c,00,69,00,73,00,74,00,2c,00,25,00,49,00,2c,00,25,00,4c,00,\
  00,00
"DelegateExecute"="{11dbb47c-a525-400b-9e80-a54615a090c0}"

[HKEY_CLASSES_ROOT\Folder\shellex]

[HKEY_CLASSES_ROOT\Folder\shellex\ColumnHandlers]

[HKEY_CLASSES_ROOT\Folder\shellex\ColumnHandlers\{F9DB5320-233E-11D1-9F84-707F02C10627}]
@="PDF Column Info"

[HKEY_CLASSES_ROOT\Folder\shellex\ContextMenuHandlers]

[HKEY_CLASSES_ROOT\Folder\shellex\ContextMenuHandlers\BriefcaseMenu]
@="{85BBD920-42A0-1069-A2E4-08002B30309D}"

[HKEY_CLASSES_ROOT\Folder\shellex\ContextMenuHandlers\Offline Files]
@="{474C98EE-CF3D-41f5-80E3-4AAB0AB04301}"

[HKEY_CLASSES_ROOT\Folder\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}]

[HKEY_CLASSES_ROOT\Folder\shellex\DragDropHandlers]

[HKEY_CLASSES_ROOT\Folder\shellex\DragDropHandlers\{BD472F60-27FA-11cf-B8B4-444553540000}]
@=""

[HKEY_CLASSES_ROOT\Folder\shellex\PropertySheetHandlers]

[HKEY_CLASSES_ROOT\Folder\shellex\PropertySheetHandlers\BriefcasePage]
@="{85BBD920-42A0-1069-A2E4-08002B30309D}"

[HKEY_CLASSES_ROOT\Folder\shellex\PropertySheetHandlers\Offline Files]
@="{7EFA68C6-086B-43e1-A2D2-55A113531240}"

[HKEY_CLASSES_ROOT\Folder\ShellNew]
"Directory"=""
"IconPath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
  74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\
  00,68,00,65,00,6c,00,6c,00,33,00,32,00,2e,00,64,00,6c,00,6c,00,2c,00,33,00,\
  00,00
"ItemName"="@shell32.dll,-30396"
"MenuText"="@shell32.dll,-30317"
"NonLFNFileSpec"="@shell32.dll,-30319"

[HKEY_CLASSES_ROOT\Folder\ShellNew\Config]
"AllDrives"=""
"IsFolder"=""
"NoExtension"=""

 

You may receive an error that not all of it can be imported. I think it's due to the right-click context menu "create new folder" entry and may be able to be fixed as well; try this if it does not work:

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\Directory\Background\shellex\ContextMenuHandlers\New]
@="{D969A300-E7FF-11d0-A93B-00A0C90F2719}"

[HKEY_CLASSES_ROOT\Folder\ShellNew]
"Directory"=""
"IconPath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
  74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\
  00,68,00,65,00,6c,00,6c,00,33,00,32,00,2e,00,64,00,6c,00,6c,00,2c,00,33,00,\
  00,00
"ItemName"="@shell32.dll,-30396"
"MenuText"="@shell32.dll,-30317"
"NonLFNFileSpec"="@shell32.dll,-30319"

[HKEY_CLASSES_ROOT\Folder\ShellNew\Config]
"AllDrives"=""
"IsFolder"=""
"NoExtension"=""


I would also recommend running a scan with Kaspersky's TDSS Killer, which is a very good tool for detecting rootkits alone.

Edited by Arakasi
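Before importing a registry file posted on a forum, it is worth decoding what the hex(2) values actually set, since the backslash continuation lines are easy to corrupt when pasted. The parser below is an added example, not code from the original post; it reads a constructed fragment in the same format as the export above and decodes the REG_EXPAND_SZ, REG_DWORD and REG_BINARY values into readable form.

```python
import re

# Constructed fragment in the format of the .reg export posted above (not the full file).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\Folder]
"EditFlags"=hex:d2,03,00,00
[HKEY_CLASSES_ROOT\Folder\DefaultIcon]
@=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,\
  00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,00,68,00,\
  65,00,6c,00,6c,00,33,00,32,00,2e,00,64,00,6c,00,6c,00,2c,00,33,00,00,00
[HKEY_CLASSES_ROOT\Folder\shell\explore]
"BrowserFlags"=dword:00000022
"MultiSelectModel"="Document"
'''

def decode_value(raw):
    # Right-hand side of a value line -> (registry type name, decoded value)
    if raw.startswith('"') and raw.endswith('"'):
        return "REG_SZ", raw[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    if raw.startswith("dword:"):
        return "REG_DWORD", int(raw[6:], 16)
    if m := re.match(r"hex(?:\((\d+)\))?:(.*)$", raw):
        kind = int(m.group(1) or 3)  # bare "hex:" is REG_BINARY (type 3)
        data = bytes(int(b, 16) for b in m.group(2).split(",") if b)
        if kind in (1, 2):  # REG_SZ / REG_EXPAND_SZ: UTF-16LE, NUL-terminated
            return ("REG_SZ" if kind == 1 else "REG_EXPAND_SZ",
                    data.decode("utf-16-le").rstrip("\x00"))
        return "REG_BINARY", data
    raise ValueError("unsupported value syntax: " + raw)

def parse_reg(text):
    # Returns {key_path: {value_name: (type, value)}}; "@" becomes "(Default)"
    keys, current, buf = {}, None, ""
    for raw in text.splitlines():
        buf += raw.strip()
        if buf.endswith("\\"):  # trailing backslash: value continues on the next line
            buf = buf[:-1]
            continue
        line, buf = buf, ""
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        name, _, rhs = line.partition("=")
        keys[current]["(Default)" if name == "@" else name.strip('"')] = decode_value(rhs)
    return keys
```

Running parse_reg over the full export above shows, for example, that the DefaultIcon value resolves to %SystemRoot%\System32\shell32.dll,3 and the explore\command value to an Explorer.exe command line, which is what you would expect for a stock Folder class.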