Catchme is a rootkit scanner that detects userland rootkits, including Gromozon, hxdef (Hacker Defender), Vanquish and AFX. It cannot detect kernel-mode rootkits such as Rustock (PE386), Haxdoor, etc.
How to scan:
Download catchme.exe (25 kB) to your desktop.
Double-click catchme.exe to run it.
Open catchme.log to see the results.
Samples:
catchme 0.1 W2K/XP - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net

detected NTDLL code modification: ZwQueryDirectoryFile, ZwQuerySystemInformation

Scanning hidden processes ...

Scanning hidden services ...

Scanning hidden autostart entries ...
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
AppInit_DLLs = \\?\D:\WINDOWS\com4.exg

Scanning hidden files ...
D:\WINDOWS\com4.exg
D:\WINDOWS\wgifi1.dll

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 2


catchme 0.1 W2K/XP - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net

detected NTDLL code modification: ZwEnumerateKey, ZwEnumerateValueKey, ZwQueryDirectoryFile, ZwQuerySystemInformation

Scanning hidden processes ...
hxdef100.exe [1416]

Scanning hidden services ...
HKLM\SYSTEM\CurrentControlSet\Services\HackerDefender100
Type = 16
Start = 2
ErrorControl = 63
ImagePath = C:\rootkits\hxdef100\hxdef100.exe
DisplayName = HXD Service 100
ObjectName = LocalSystem
Description = powerful NT rootkit
HKLM\SYSTEM\CurrentControlSet\Services\HackerDefenderDrv100
ErrorControl = 63
ImagePath = \??\C:\rootkits\hxdef100\hxdefdrv.sys
Start = 3
Type = 1

Scanning hidden autostart entries ...

Scanning hidden files ...
C:\rootkits\hxdef.txt
C:\rootkits\hxdef100
C:\rootkits\hxdef100\hxdef100.2.ini
C:\rootkits\hxdef100\hxdef100.exe
C:\rootkits\hxdef100\hxdef100.ini
C:\rootkits\hxdef100\hxdefdrv.sys
C:\WINDOWS\Prefetch\HXDEF100.EXE-351601D2.pf

scan completed successfully
hidden processes: 1
hidden services: 2
hidden files: 7


catchme 0.1 W2K/XP - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net

Scanning hidden processes ...

Scanning hidden services ...
HKLM\SYSTEM\CurrentControlSet\Services\vanquish
Type = 272
Start = 2
ErrorControl = 1
ImagePath = "C:\WINNT\vanquish.exe"
DisplayName = Vanquish Autoloader v0.2.1
ObjectName = LocalSystem

Scanning hidden autostart entries ...

Scanning hidden files ...
C:\vanquish.log
C:\WINNT\vanquish.dll
C:\WINNT\vanquish.exe

scan completed successfully
hidden services: 1
hidden files: 3


catchme 0.1 W2K/XP - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net

detected NTDLL code modification: ZwEnumerateKey, ZwEnumerateValueKey, ZwQueryDirectoryFile, ZwQuerySystemInformation

Scanning hidden processes ...
root.exe [1556]

Scanning hidden services ...
HKLM\SYSTEM\CurrentControlSet\Services\rewt
Type = 272
Start = 2
ErrorControl = 63
ImagePath = C:\rootkits\rewt\root.exe
ObjectName = LocalSystem

Scanning hidden autostart entries ...

Scanning hidden files ...
C:\rootkits\rewt
C:\rootkits\rewt\hook.dll
C:\rootkits\rewt\ReadMe.txt
C:\rootkits\rewt\root.exe

scan completed successfully
hidden processes: 1
hidden services: 1
hidden files: 4
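The samples all share one layout: a header, an optional "detected NTDLL code modification" line naming the hooked ntdll exports, one "Scanning hidden ..." section per view, and closing counts. As an added example (not part of catchme or of this page), the Python below parses a log in that layout and reports, for triage, which view each hooked export feeds and which hidden services are set to auto-start; the sample log is constructed from a shortened version of the rewt scan above.

```python
# Constructed sample in the layout of the "rewt" scan above (shortened, blank lines dropped).
SAMPLE_LOG = r"""catchme 0.1 W2K/XP - userland rootkit detector by Gmer, 17 October 2006
detected NTDLL code modification: ZwEnumerateKey, ZwEnumerateValueKey, ZwQueryDirectoryFile, ZwQuerySystemInformation
Scanning hidden processes ...
root.exe [1556]
Scanning hidden services ...
HKLM\SYSTEM\CurrentControlSet\Services\rewt
Start = 2
ImagePath = C:\rootkits\rewt\root.exe
Scanning hidden autostart entries ...
Scanning hidden files ...
C:\rootkits\rewt\hook.dll
C:\rootkits\rewt\root.exe
scan completed successfully
hidden processes: 1
hidden services: 1
hidden files: 2
"""

# The view each hooked ntdll export feeds: a userland rootkit patches these in every
# process it injects so that its own objects are filtered out of the results.
HOOK_HIDES = {"ZwQuerySystemInformation": "processes", "ZwQueryDirectoryFile": "files",
              "ZwEnumerateKey": "registry keys", "ZwEnumerateValueKey": "registry values"}

def parse_catchme_log(text):
    rep = {"hooks": [], "processes": [], "services": {}, "autostart": [], "files": []}
    section = svc = None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if line.startswith("detected NTDLL code modification:"):
            rep["hooks"] = [h.strip() for h in line.split(":", 1)[1].split(",")]
        elif line.startswith("Scanning hidden "):
            section = line.split()[2]        # processes / services / autostart / files
        elif line.startswith("scan completed"):
            section = None                   # only the summary counts follow
        elif section == "services":
            if line.startswith("HKLM\\"):    # a service key opens a new property block
                svc, rep["services"][line] = line, {}
            elif svc and " = " in line:
                rep["services"][svc].update([line.split(" = ", 1)])
        elif section in rep:                 # processes, autostart entries, files: one per line
            rep[section].append(line)
    return rep

def triage(rep):
    notes = [f"{h} hooked: hides {HOOK_HIDES.get(h, 'unknown view')}" for h in rep["hooks"]]
    for name, props in rep["services"].items():
        if props.get("Start") == "2":        # 2 = SERVICE_AUTO_START: it comes back at reboot
            notes.append(f"auto-start hidden service {name} -> {props.get('ImagePath')}")
    return notes
```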