We're very glad to announce that Panda AntiRootkit 1.06 has finally been officially released for the mass market. It has taken a while since we've been implementing a lot of the suggestions and reports received during the alpha and beta testing phases started in December 2006. Many thanks to all the people (over 20,000 downloads) who have helped us improve this free utility for the community.
Panda AntiRootkit 1.06
Panda AntiRootkit is a free utility that performs in-depth scans of your computer in search of hidden resources, identifying and disinfecting known and unknown rootkits. Unlike other rootkit utilities which merely "reveal" hidden objects, Panda AntiRootkit positively identifies known and unknown rootkits and gives the option of removing them, including their associated registry entries, processes and files.
In addition, Panda AntiRootkit has an Exhaustive Scan Monitor (requires reboot) capable of monitoring drivers and processes loading at boot time. Its unique technology does this at a lower level than any other AntiRootkit utility, therefore revealing all hiding techniques used by the latest generation of rootkits.
Panda AntiRootkit discovers hidden files, registry entries, drivers, processes, modules, SDT modifications, EAT hooks, modifications to the IDT, non-standard INT2E, non-standard SYSENTER, IRP hooks, and much more.
Among other things we have added an extended .CSV report which can be exported for consulting detailed information on the hidden objects found, and some interface and process refinements.
Panda AntiRootkit runs on Windows 2000 SP4 and Windows XP and above. For a version that runs on servers please contact your local Panda Technical Support office. Keep in mind that Panda AntiRootkit is not an antivirus solution nor does it provide real-time protection. If Panda AntiRootkit has detected and disinfected a rootkit from your system, we still recommend that you run a complete AV scan afterwards to delete any malicious files that might be left over.
For those interested, you can also run Panda AntiRootkit 1.06 from the command line. This is especially useful in corporate networked environments that wish to run Panda AntiRootkit from a login script or a centralized management tool. The available command-line switches are:
/CLEAN          Automatically remove detected rootkits
/SEND           Send all suspicious items detected to PandaLabs
/RESULTS:Path   Log all results to a file
/R              Restart automatically to complete cleaning
/O              Hide on-screen messages during execution
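As an added example (not a script from Panda or from the original post), the following PowerShell wrapper shows how the switches above fit together in a login script or management-tool job: it runs the scanner unattended, logs to a local file, submits suspicious items, and copies the report to a central share. The install path and the share name are assumptions; /CLEAN and /R are opt-in because they remove items and reboot the machine, and the post does not document the scanner's exit codes, so the report file rather than the exit code is what an administrator should review.

```powershell
# Added example, not Panda's own script: run Panda AntiRootkit unattended from a
# login script or a management tool, using only the switches listed in the post.
# The install path and the report share below are assumptions for illustration.
param(
    [switch]$AutoClean    # opt in to /CLEAN and /R; off by default
)

$PavarkExe   = 'C:\Tools\PandaAntiRootkit\PAVARK.exe'   # assumed install location
$ReportShare = '\\fileserver\arkreports$'                 # assumed collection share
$Stamp       = Get-Date -Format 'yyyyMMdd-HHmmss'
# Keep the local report on a path without spaces so the switch needs no quoting.
$LocalReport = Join-Path (Join-Path $env:windir 'Temp') `
               ('pavark-{0}-{1}.log' -f $env:COMPUTERNAME, $Stamp)

# /O            hide on-screen messages during execution
# /RESULTS:Path log all results to a file
# /SEND         send all suspicious items detected to PandaLabs
# /CLEAN + /R   remove detected (known) rootkits and restart to finish cleaning
$switches = @('/O', "/RESULTS:$LocalReport", '/SEND')
if ($AutoClean) { $switches += @('/CLEAN', '/R') }

if (-not (Test-Path $PavarkExe)) {
    Write-Error "PAVARK.exe not found at $PavarkExe"
    exit 1
}

# Start the scanner and wait for it to finish. Process.Start works on the
# PowerShell 1.0 that shipped in the Windows XP era, unlike Start-Process.
$proc = [System.Diagnostics.Process]::Start($PavarkExe, ($switches -join ' '))
$proc.WaitForExit()
Write-Output ('{0}: PAVARK exited with code {1}' -f $env:COMPUTERNAME, $proc.ExitCode)

# Collect the report centrally. The exit codes are not documented in the post,
# so the report file is the record to review, not the exit code.
if (Test-Path $LocalReport) {
    Copy-Item -Path $LocalReport -Destination $ReportShare
} else {
    Write-Warning "No report was written to $LocalReport"
}
```

Run it as `.\run-pavark.ps1` for a report-only scan, or `.\run-pavark.ps1 -AutoClean` where an automatic removal and restart is acceptable. Leaving /CLEAN out of the default run lets someone look at a hidden-but-legitimate item (a firewall driver, a startup entry) in the collected reports before it is removed.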
Even though you can still comment and download Panda AntiRootkit 1.06 from our Research blog here, it will be officially distributed and supported from now on from our regular website.
44 comments
Glad to see it out of beta stages. Nice one guys. I’m excited to try it out.
Hi Pedro, the scanner on my PC doesn't remove the unknown rootkit, why?
I sent the file and report to PandaLabs.
Regards
Panda AntiRootkit only removes known rootkits. If we detect an unknown rootkit we don't remove it as some rootkits might hide behind winlogon.exe or some other OS file. Deleting such files would render your PC unbootable. Send me to pbustamante[at]pandasoftware.com the exported CSV log and let me know what date/time you submitted to PandaLabs so I can take a look at the RK from the repository.
Does it work on Vista?
Hi,
Just wanted to let you know that the rootkit detector is detecting a hidden Zone Alarm Free registry entry and driver as a rootkit. I submitted the ‘rootkit’ when asked by the program. Zone alarm is a pretty popular program, so I expect you’ll want to remove this false positive as soon as possible?
Otherwise very impressed- thanks for the excellent tool. Very ‘clean’ and easy to use.
Does NOT work under Vista. We’re still evaluating the rootkit implications under Vista before we develop and release an antirootkit for Vista.
Thanks for the FP report Donald. We’ll analyze it asap.
it doesn’t work on win 2003
Correct about not running under Win2003. There’s a separate server version which we’re finishing up (there’s a bug while running under W2003) and which will be distributed free-of-charge via our Panda Support offices.
We have received reports of Prevx flagging the Panda AntiRootkit driver. We’ve talked to the good people at Prevx and this has been fixed already. Thanks!
Hey Pedro, no Panda AntiRootkit to be found. I’ve searched the Panda web site, did a Google for it and so far found nothing but talk, talk, talk, talk, and no download. What gives?
When I try to do an in depth scan, the computer restarts and I get a blue screen which begins…
STOP: 0x000000BE(0x804D768E, 0x004D7121, 0xEB41F6E4, 0x0000000A) An attempt was made to write to read-only memory. This driver may be at fault:phooks.sys
@Jim
The link for the Panda AntiRootkit is at the top of this page, but I've also linked it here as well for you.
http://research.pandasoftware.com/blogs/images/AntiRootkit.zip
Barry please contact me offline to troubleshoot your problem. pbustamante’at’pandasoftware.com.
I find that interesting.
Thank you ! it works pretty fast.
This is a must for highly “infectable” puters (hrm like mine)
Hi Pedro, is there still no version for server 2003? I asked our german support office, but they don’t know about it.
Regarding the server version, we are still fixing a bug under very rare conditions that might leave systems unable to boot after an exhaustive scan. Therefore we will not release the server version until this problem is fixed.
I just tried Panda Anti-Rootkit with "In-depth scan" enabled on my Windows 2000 Pro SP4. It reported the following applications as Unknown Rootkits. It's really confusing me, since those are normal applications I am using.
Confusing me more, when I tried Panda Anti-Rootkit on my Windows XP SP2 with those same applications, Panda Anti-Rootkit congratulated me that there was no rootkit found.
How should I understand it?
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Security\Panda\Anti-Rootkit\PAVARK.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\GPGshell\GPGtray.exe
C:\Program Files\Reliable Software\Code Co-op\Dispatcher.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
Benjamin, please do two things:
1- If you haven’t done so already, run Panda Anti-Rootkit and submit the files it finds and reports so we can take a look at it.
2- Download and run version 1.08 from http://research.pandasoftware.com/blogs/images/AntiRootkit.zip which has a lot of false positive fixes. Whatever 1.08 detects, please submit it again.
Please post your results
Pedro,
1) I submitted the report yesterday; just submitted again.
2) Yesterday version was 1.08.00 (file version 5.0.0.4). Today version is still 1.08.00 (file version 5.0.0.4) meaning the same. I submitted the report again.
If you need further tracking down please advise.
Thank you.
One more thing: those files I listed above are loaded by Programs > Startup, not from the registry.
Benjamin, can’t quite figure out what’s going on with these detections you’re getting. Please contact me by email to pbustamante’at’pandasoftware.com and I’ll send you a special version of Panda Anti-Rootkit to troubleshoot this.
I found "C:\Program Files\Hewlett-Packard\HP Easy Printer Care\HPPRun.exe" causes the problem. But how could it make Panda AntiRootkit think other applications are rootkits? It's tough, isn't it? I'll contact you to try the troubleshooting version.
The latest version you have doesn’t run on Win 2003.
As per comment above:
“Regarding the server version, we are still on fixing a bug under very rare conditions that might leave systems unable to boot after an exhaustive scan. Therefore we will not release the server version until this problem is fixed.”
As soon as we’re ready to release for W2003 I’ll post it here.
I just ran Panda Anti-Rootkit, and it nuked my Firefox and AOL. It apparently identified Firefox and AOL related items as "Unknown" rootkits, and when I chose to eliminate what I thought were harmful rootkits… it eliminated those programs from my machine. Argghh.
I saved the CSV file if you want to take a look at it.
Any hints on recovering anything, or are they gone (with my bookmarks)?
Go ahead and send me the report file Erik. Did you by any chance submit the rootkits found to PandaLabs?
Hello
Looks good! Very useful, good stuff. Good resources here. Thanks much!
G’night
Many thanks for this effective software. My machine was infected with trojan-phisher-snifula and with another trojan, Generic 6.0 SO. The antivirus software found 300 plus problem files, most of them masquerading as “Nero”, and the Rootkit Revealer turned up a long list of hidden problem files. I first tried a program called Unhackme, but it did not get the whole job done. Your rootkit cleaner produced a clean result, and I was able to confirm this with Rootkit Revealer. I think I am out of the woods. Bravo and thanks. John
I used the Panda Rootkit and my system will now only boot into safe mode.
Any thoughts?
Rick
Did you try booting using "Last known good configuration" as mentioned in someone's comments? It worked for me.
Whenever I do a scan with Panda Anti-Rootkit v.1.08.00, the program stops in the Registry Scan, and a message refers to an error in ModName ntdll.dll.
I didn't remove the unknown rootkit, because it is a hidden file and I am afraid it may be a system file. I sent the report on 09/11/07 (11.30PM) to PandaLabs.
C:\Documents and Settings\Roberto\Desktop\Ormai che ci siamo….:Zone.Identifier
Can I remove it safely?
Regards
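The item reported in the comment above ends in ":Zone.Identifier", which is the name of an NTFS alternate data stream (ADS): data attached to a file under a second stream name, invisible in Explorer and in a plain directory listing, which is why a hidden-object scanner can surface it. Windows writes a Zone.Identifier stream to files saved from the Internet zone to record where they came from. The following PowerShell example, added here and not part of the original post or of Panda's tool, lists the streams on a file and reads the ZoneId so such a finding can be inspected rather than guessed at; it requires PowerShell 3.0 or later for the -Stream parameters, and the demo file it creates is constructed.

```powershell
# Added example, not part of the original post or of Panda's tool.
# Lists NTFS alternate data streams on a file and decodes the Zone.Identifier
# stream Windows attaches to downloaded files. Needs PowerShell 3.0+ (-Stream).

function Get-AlternateStreams {
    param([Parameter(Mandatory)][string]$Path)
    # ':$DATA' is the file's ordinary content; every other stream is an ADS.
    Get-Item -LiteralPath $Path -Stream * |
        ForEach-Object {
            if ($_.Stream -eq ':$DATA') { return }
            $info = [ordered]@{ File = $Path; Stream = $_.Stream; Length = $_.Length }
            if ($_.Stream -eq 'Zone.Identifier') {
                # Stream body looks like "[ZoneTransfer]`r`nZoneId=3" (3 = Internet zone).
                $zoneId = $null
                foreach ($line in (Get-Content -LiteralPath $Path -Stream Zone.Identifier)) {
                    if ($line -match '^ZoneId=(\d+)$') { $zoneId = [int]$Matches[1] }
                }
                $info.ZoneId = $zoneId
            }
            [pscustomobject]$info
        }
}

# Constructed demonstration: create a temp file and tag it the way a browser
# download is tagged, inspect it, then clear only the mark.
$demo = Join-Path $env:TEMP 'ads-demo.txt'
Set-Content -LiteralPath $demo -Value 'ordinary file content'
Set-Content -LiteralPath $demo -Stream Zone.Identifier -Value "[ZoneTransfer]`r`nZoneId=3"

Get-AlternateStreams -Path $demo | Format-Table -AutoSize
# Expected: one row with Stream = Zone.Identifier and ZoneId = 3

# Unblock-File deletes just the Zone.Identifier stream; the file itself stays.
Unblock-File -LiteralPath $demo
Get-AlternateStreams -Path $demo   # now returns nothing

Remove-Item -LiteralPath $demo
```

Running `Get-AlternateStreams` against a flagged path shows whether the only extra stream is a Zone.Identifier mark, and how large any other stream is, before deciding what to do with the file.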
I really want to try and see how effective your antivirus is, because friends told me that it is good. Thank you for providing it.
A very useful and much needed tool. I inadvertently discovered rootkits while trying to clear a spyware infection on my machine – a suspicious unsigned "winlogon" process kept appearing (Windows Defender was very useful for this). I had 3 rootkits installed. UnHackMe removed two of them, but couldn't remove the third. I reinstalled Windows XP and then discovered Panda Anti-Rootkit. I wonder if Vista is more resistant to rootkits than XP is. Also I wonder if Vista handles administration privileges more elegantly than XP does. Having a "limited" account in place probably would have prevented these problems in the first place, but accounts on XP are so cumbersome that no one ever uses them.
The problem with Vista is that the decision of whether a rootkit should be allowed to install or not is passed on to the end user via User Account Control (UAC). You get a nice "should this be allowed to install?" question from Vista. However we all know that relying on end users to make good decisions on security matters is not the solution at all… some will say "No" and some will say "Yes". Even though right now there are no widely rootkit-infected Vista systems, I'm sure that in some time and with a little social engineering we'll start seeing rootkitted Vista machines. I believe it was either Symantec or Joanna @ invisiblethings who released some research a few months ago about social engineering Vista's UAC prompt.
Will Panda antirootkit run okay with Avast (free edition) antivirus? I don’t want to add a problem, rather than see if one exists.
Yes Bob, it will run ok with your current AV. For best performance and detection do an in-depth scan with a reboot.
I find it extremely disappointing that the AntiRootkit runs only on win2k + above!
Why do you treat the ‘elders’ this way??
Thomas W.
Well, according to some stats Win98 and Windows NT are used in less than 0.1% of PCs nowadays:
http://research.pandasecurity.com/archive/Windows-Vista-spotted-in_2D00_the_2D00_wild.aspx
http://sunbeltblog.blogspot.com/2007/10/random-some-vista-adoption-numbers_256.html
But it’s not only a matter of barely used platforms. Also the most current rootkits do not work on these older platforms, so it really makes no sense investing the effort in developing and maintaining a product specifically for these.
I too got a blue screen on requesting an in-depth scan under Win2K. Rebooted last valid configuration etc., which activated a Pavark scan.
What causes this (what is “trying to write to read-only memory”), and is the scan that Pavark is now conducting in-depth?
You asked a previous contributor for more info on the system, but I don’t see any follow-up on the topic.
TIA – Peter
Yes this happens in certain Win2k configurations. Peter try booting with the “last known good configuration”. This should boot your system without the Pavark scan. If that doesn’t work boot the PC with NTFSDOS, BartPE or any other OS that allows you to change the file system, and delete the phooks.sys driver. Your computer should reboot normally after that.
hoping to see a Vista working version