New Panda Anti-Rootkit - Version 1.07

We're experiencing a lot of downloads of Panda AntiRootkit. Many thanks to all the people that are helping us improve this free utility by sending suggestions, comments, feedback and submitting new rootkits that are being found in the wild.

I'm happy to say that I have two pieces of good news. The first is that, based on your many suggestions, we have created version 1.07 of Panda AntiRootkit. Version 1.07 has the following improvements:
  • Capable of deactivating unknown rootkits. We consider a rootkit "unknown" when Panda AntiRootkit does not have a deactivation routine for it. This does not mean that Panda does not know about the rootkit, only that we have not yet included the full deactivation routine in Panda AntiRootkit. Now you'll be able to deactivate all rootkits: by default you'll be presented with deactivation of known rootkits plus the option to deactivate any unknown rootkits found on your system.
  • Deletes registry keys transparently. Up to version 1.06 we only deleted the registry keys necessary to deactivate the rootkit and prevent it from functioning. Some leftover keys made some users worry about incomplete deactivation. Version 1.07 now transparently deletes all rootkit-associated registry keys for peace of mind.
  • Cleaner interface. We have cleaned up the results window for a more efficient use of the available space. Now mousing over a detected object shows its type (file, process, ADS, registry, etc.).
  • Various improvements have also been made to the disinfection of unknown rootkits, some false positives reported by some of you have been fixed, and more deactivation routines have been added.
Get it from CNET Download.com!

Alternative download link here.


The second piece of good news is that Panda AntiRootkit 1.07 has achieved the prestigious Editor's Choice award from PC Magazine USA. Read the review to see how Panda AntiRootkit and other anti-rootkits performed during detection and deactivation tests. Again, many thanks for your support, and remember to perform a full system scan with a signature-based antivirus after deactivating a rootkit.


Comments

Thank you for this helpful -and free!- tool. Even though every computer in my home (7-10 systems; it varies) is behind a hardware firewall, all have software firewalls, sig-based AV, and Anti-Spyware running at all times... ...I still run deep scans for rootkits, 'cause you just never know, do you? Now if we could just get Joe & Jane Citizen to buy into the whole "Best Practices" regimen, we could seriously slow the 'Bot Masters in their quest for world domination. Thanks for all you do, Greg Howard Consultant, Elder Geek, &... 20-Year Veteran of the IT wars.
   Posted by Garouppa at 2 May 07 3:11 AM
Thank you for providing a security blanket for those of us who know next to nothing but have worries. I live in Mexico and my service is really wide open except what I can do to protect myself, so once again thank you
   Posted by Garouppa at 2 May 07 7:48 AM

ravi@akgroup.com.sa  I will send my comment after installing and running the software.  For the time being, many thanks for a philanthropic job.

   Posted by Ravikumar N. Iyer at 7 May 07 2:53 PM
Pleased with Panda Internet Security but having trouble installing it on the Main Machine. Will try some cleanup first. Thanks.
   Posted by Robert Lesher at 9 May 07 11:39 PM
I used the program and deleted all my unknown rootkits. Now I cannot connect to the internet. I apparently have no TCP/IP anymore since "ipconfig" typed in cmd brings up nothing. Anybody know anything about this and how to fix it? I would like to recover the rootkits I deleted to bring my system back to where it was before I deleted the kits. Thanks in advance.
   Posted by David at 21 May 07 11:07 AM
David use a restore point http://www.microsoft.com/windowsxp/using/helpandsupport/getstarted/ballew_03may19.mspx scroll the page and read "Use System Restore" Regards PS:Do you remember rootkit file?
   Posted by lucass at 21 May 07 11:20 AM

David you might want to try either lucass' suggestion (although this will bring you back to an infected state) or re-installing the networking components from the original Windows installation source. Also if you submitted the rootkits for analysis to PandaLabs via the AntiRookit application let me know the date and time to fish them from the repository and analyze them.

   Posted by Pedro Bustamante at 21 May 07 12:53 PM
I ran the software and it tells me that I have got a Rootkit on my machine C:\Windows\System32 :{DA6227CB-326B-4B4D-9A81-04B81F1538DD}: IS_ADS_DIRECTORY: TRUE ADS_DIRECTORY: 1 IRP_HOOK: 1 SDT_FUNCTION_HOOK: 48 Cannot find much about this. Is it dangerous?
   Posted by dcb65 at 23 May 07 11:14 AM

Maximx86, please run Panda AntiRootkit again and submit both the files and report so we can take a look at it.

   Posted by Pedro Bustamante at 24 May 07 3:51 PM
Got similar message as that posted on April 2x. Running Win2K Pro. On restart, similar message to this appeared: When I try to do an in depth scan, the computer restarts and I get a blue screen which begins... STOP: 0x000000BE(0x804D768E, 0x004D7121, 0xEB41F6E4, 0x0000000A) An attempt was made to write to read-only memory. This driver may be at fault:phooks.sys Deleted from Documents and Settings folder, but still getting this message...
   Posted by Maria Angeles at 28 May 07 10:38 PM

For those of you under Win2k that are getting BSOD after an exhaustive scan and an error on pshooks.sys: restart your computer and during the first boot process press F8 repeatedly until you get the boot menu. At this point choose "Last known good configuration" and this will allow you to boot Windows without the BSOD.

Also please send me as much detail about your computer as possible: hardware, OS, service packs, software, peculiarities, etc.

   Posted by Pedro Bustamante at 30 May 07 8:09 AM
My Panda Anti-Rootkit revealed that I had 1 unknown rootkit, win32tukernel.exe, but whenever I checked on it it was from Microsoft. Can you guys help? I'd hate to delete a file that my PC needs... thanks
   Posted by sam at 3 June 07 7:53 PM

sam go ahead and submit both the detected files and the report to us via the Panda Anti-Rootkit application (or directly to pbustamante'at'pandasoftware.com) so we can evaluate this.

   Posted by Pedro Bustamante at 6 June 07 8:55 AM
I'm on a Vista machine and it says 'not supported'. any time frame for Vista? EV
   Posted by EVO at 7 June 07 7:44 PM

Evo, Panda Anti-Rootkit does not work under Vista. We're still evaluating the implications and impact of rootkits under Vista before we develop an antirootkit for this platform. Until now we have not really seen much evidence or distribution of Vista rootkits, so no time frame yet.

   Posted by Pedro Bustamante at 7 June 07 7:55 PM

Sam, we haven't seen a win32tukernel.exe. There is however a tukernel.exe, a known false positive that's already been corrected in version 1.08 (run it again and tell Panda Anti-Rootkit to look for updates). Tukernel.exe is basically a modified ntoskrnl.exe to show a personalized logo during system start. It's not necessary to delete it.

   Posted by Pedro Bustamante at 8 June 07 1:16 PM
I have windows vista and after downloading the program an alert jumped up and stated that it is not supported, any advice? thanks
   Posted by Brian G at 8 June 07 9:39 PM

As per the comments above, it's not for Vista. We're studying rootkits under Vista before we develop an anti-rootkit for it.

   Posted by Pedro Bustamante at 9 June 07 2:35 AM
Read about it in PC mag, thought I'd try it. In W98SE it won't install (needs USERENV.DLL) this .dll won't work.
   Posted by Frank Newton at 9 June 07 10:48 PM
Is the rootkit under a freeware license or a shareware license? So can I run this on 100 corporate machines or only my own personal machine?
   Posted by Val at 11 June 07 10:24 PM

Yes, it's freeware. If you are going to run it on 100 corporate machines I'd really like to hear from you, so make sure to post some feedback if possible.

   Posted by Pedro Bustamante at 12 June 07 8:24 AM
100 corporate machines maybe not, but (my biz I work at) is currently rebuilding our mobile service toolkit. We are grabbing comparisons / reviews between different root scanners and this is one of the software bits that made it to the review list. I do IT consultant work so the software (if used) would be used on many machines.
   Posted by Val at 12 June 07 5:08 PM

Understood. Any feedback will be appreciated, mostly in the form of submitting the rootkits it finds along with the report.

   Posted by Pedro Bustamante at 12 June 07 7:32 PM
Just ran 1.07.00 with the update option checked, which immediately downloaded and ran version 1.08.00. This version always errors out at about 16% during the Windows Registry step. I went back and ran version 1.07.00 with update turned off, and that version ran fine. Here is the info on 1.08.00: PAVARK.exe has encountered a problem and needs to close. AppName: pavark.exe AppVer: 5.0.0.4 ModName: ntdll.dll ModVer: 5.1.2600.2180 Offset: 000106c3
   Posted by Jim Smith at 16 June 07 1:54 AM
I start the scan and when it gets to the registry (2nd part of scan) it stops and says it has encountered a problem. What's up with that? Has worked before now won't!
   Posted by Linda P at 21 June 07 6:13 PM
Hi, I have been using PAVARK for several months and think it is a great free utility. However, version 108 crashes and closes when scanning the second item on the list. Is there any way I can go back to using version 107? Since you use the same file name, regardless of version, my old PAVARK was overwritten. oldgringo@cableone.net
   Posted by Pedro Bustamante at 21 June 07 9:54 PM

Those of you with problems running 1.08 during the registry scan, please send me or post the details of your PC: OS version, service pack, installed apps, etc.

   Posted by Alan at 21 June 07 10:36 PM
When I tried to run the PAVARK.EXE from the download, I get a small Internet Explorer window that states "The page cannot be displayed". The only option I seem to have is to close the window.
   Posted by Chuck Deason at 23 June 07 2:12 AM
I am running WINXP SP2. When I run the PAVARK.EXE that came in my download, all I get is a small Internet Explorer window displaying "The page cannot be displayed". This is the second I've posted this, but have yet to see it or a response.
   Posted by Chuck Deason at 23 June 07 2:56 AM
I tried to run version 1.07 over Windows ME. Just got the error message "Missing UserEnv.dll". Does Anti-rootkit work only with Win XP and later? Thanks,
   Posted by Phil D'Agostino at 23 June 07 10:23 PM
"Those of you with problems running 1.08 during the registry scan, please send me or post the details of your PC: OS version, service pack, installed apps, etc." Operating System: Windows XP Professional (5.1, Build 2600) Service Pack 2 (2600.xpsp_sp2_qfe.070227-2300) Language: English (Regional Setting: English) System Manufacturer: INTEL_ System Model: D875BZLK BIOS: BIOS Date: 03/31/05 22:15:04 Ver: 08.00.09 Processor: Intel(R) Pentium(R) 4 CPU 3.00GHz (2 CPUs) Memory: 1022MB RAM Page File: 373MB used, 2090MB available
   Posted by Pedro Bustamante at 25 June 07 3:27 AM

Phil, Panda Anti-Rootkit is for Windows 2000 SP4 and Windows XP SP2 only.

   Posted by Pedro Bustamante at 25 June 07 9:43 AM
Panda Anti-Rootkit v1.08.00 has an unhandled win32 exception in PAVARK.exe at 0x7c910f29. Access violation reading location 0x00000000. Since your site does not have an email address there is no way for me to send you the details and correspond with you - maybe to confirm the bug is fixed in a later version. Please put your contact details on your research webpage and I will come back to you. Clearly I cannot include snapshots in this limited textbox that you have implemented for feedback!
   Posted by Andrew Bauer at 30 June 07 11:25 AM

Andrew please send me all the details of your machine (OS, Service Pack, installed apps, hardware, screenshots, etc.). You can either click on my name to get a contact form or email me at pbustamante'at'pandasoftware.com.

   Posted by Pedro Bustamante at 1 July 07 3:00 AM
program encountered an error and must close, did this on 2 different computers. win xp sp2
   Posted by cham44 at 3 July 07 7:33 PM
RE:Those of you with problems running 1.08 during the registry scan, please send me or post the details of your PC: OS version, service pack, installed apps, etc. toshiba satellite L25-@1193 Celeron M, 2G RAM, win xp sp2, use spybot, advanced windowscare, windows defender, spywareblaster, AVG free AV
   Posted by cham44 at 3 July 07 7:38 PM
Pedro...After many crashes with 1.08 and clean scans with 1.07, I tried to find the error report in the Temp folder to send to you. I did not locate it, so I deleted all the garbage except for the prefetch data file and ran another 1.08 scan...ran clean to completion...go figure... but it worked???
   Posted by Jack at 6 July 07 8:54 AM
Running HP a620N, XP SP II, Comodo Firewall, Avast Anti virus, Ad-Aware SE Plus, Spybot with Tea Timer, Intel IV 2.8 processor, Advanced Windows Care. Panda Rootkit scan stops after 22% complete, and the program window disappears.
   Posted by Sam Lowe at 6 July 07 2:54 PM

Andrew, cham44, Jack, Sam and the rest of you running into problems with 1.08 during the registry scan, I have uploaded version 1.07 to http://research.pandasoftware.com/blogs/images/AntiRootkit-1.07.zip. Please try running 1.07 but still send me the details of your machine and installed applications to pbustamante'at'pandasoftware.com.

   Posted by Pedro Bustamante at 8 July 07 3:42 PM
Just ran the updated 1.08. on dell M171 xps. xp sp2. No detected rootkits. Worked for me, no problems.
   Posted by Jim Smith at 11 July 07 3:51 PM
Just loaded anti rootkit and seem to be having problems. It starts off ok - connects and searches for updates, downloads new versions. When starting scan...running processes ok but then stops soon after registry check starts up? Message pops up: pav ark exe has generated errors and will be closed by windows. You will need to restart program. An error log is being created? I've tried taking some apps off the bar/running temporarily but am at a loss for any real fix for my problem. Any suggestions would greatly be appreciated by this non-techie. txs kindly
   Posted by ronson at 16 July 07 2:21 PM
Still having problems - loaded version 7 as suggested above but stopped at registry check at 17%. Hope we can all be "happy campers" before too long with this glitch. txs from all of us for your attention to this!
   Posted by ronson at 16 July 07 2:39 PM

Ronson please try running version 1.07 from http://research.pandasoftware.com/blogs/images/AntiRootkit-1.07.zip again but uncheck "automatic update" option before starting the scan in order to avoid upgrading to 1.08. If you're still having problems contact me at pbustamante'at'pandasoftware.com and I'll send you a debug version.

   Posted by Pedro Bustamante at 16 July 07 4:20 PM
Question: Any Vista Anti-rootkit available? Panda is only 1.7 for Win? T
   Posted by Terry at 21 July 07 4:52 AM

Correct Terry, Panda Anti-Rootkit is only for Windows 2000/XP. We're not currently developing an anti-rootkit for Vista just yet.

   Posted by Pedro Bustamante at 23 July 07 12:16 AM
Downloaded and ran the v1.08. It checked for update, scanned everything and said no rootkit. Ran again but this time for deep scan, after checking for update it asked to reboot. Rebooted computer and it came up automatically and started to scan. The initialization took around 90 seconds but after that it scanned everything and said all clear. So all-in-all a good experience with no bugs. But it leaves a PAVARK folder inside the user folder. I had to delete it manually. Trivial thing actually. Thanks for a nice user-friendly tool.
   Posted by Arin at 24 July 07 1:00 PM
Is there a way to get rid of phooks.sys? I got a PC with W2K on one partition (where I installed the rootkit) and a WIN98 partition. The W2K partition is no longer accessible (BLUE SCREEN: An attempt was made to write to read-only memory. This driver may be at fault:phooks.sys ...). I am still able to start WIN98 and with help of NTFS4DOS am able to access the NTFS partition. But both phooks.sys files seem to be in use and cannot be deleted. Strange that W2K is not even started - nevertheless these files cannot be deleted in any way (tried attrib -R). Also there is only one last known good version of W2K that I can choose - and that is the one with the Rootkit trying to do an in depth scan resulting in Blue Screen. Any chance not to reformat the disk? It would be days of work to reinstall all programs.
   Posted by Michael at 29 July 07 2:20 PM
Me again. I finally managed to restart the last good config of W2K and the rootkit ran fine (nothing found). I think I had been somewhat blind not to find the last good configuration of the OS before (blue screens are scary). I do not see any file of the rootkit now - are they deleted when run once? regards Michael
   Posted by Michael at 29 July 07 4:11 PM
I would like to download your new Panda Anti-Rootkit version 1.07 but I need from you the Windows Vista version download. My gmail address is theduck1b3c@gmail.com
   Posted by tom dykstra at 29 July 07 9:08 PM

Michael, glad you got it running. Panda Anti-Rootkit removes all traces of itself after finishing, so don't worry about cleanup.

Tom, sorry but Panda Anti-Rootkit is only for 2000/XP. We're not currently developing an AR for Vista.

   Posted by Pedro Bustamante at 30 July 07 9:26 AM
The software deleted some of my system files. My XP doesn't work any more!
   Posted by Joao at 3 August 07 11:06 PM

Victor, I lost your comment during the migration to the new blog. Re-posting here:

---

Installed it but it has an error msg and has to shut down each time I try to run the program.

   Posted by Pedro Bustamante at 11 September 07 1:00 PM

Also reposting Jack von Bloeker's comment:

---

I just downloaded version 1.080 from the MajorGeek site in TX, installed it and did the re-boot.  The re-boot process goes into a loop and also blocks my F8 capability to do a Safe Mode, etc. boot process.  HELP!  All users are blocked out by re-boot loop after entering password.  I have Windows XP Home.  I entered my BIOS and told it to boot from my Windows XP CD, but it would not boot from it either.

   Posted by Pedro Bustamante at 11 September 07 1:04 PM

Also reposting dcb65's comment:

---

I ran the software and my laptop won't work now, saying "Windows could not start because the following file is missing or corrupt: \windows\system32\config\system". It says I can attempt to repair the file by running Windows Setup using the original Setup CD-ROM, but that didn't help. Now all I have is a dead laptop. Going to F8 and rebooting to last known config was no help either. Not happy.

   Posted by Pedro Bustamante at 11 September 07 1:06 PM

Hi,

I am attempting to run Panda Anti-Rootkit on my XP machine.

It comes up with the following message box:

PVARK.exe has encountered a problem and needs to close. We are sorry for the inconvenience.

Any help would be appreciated.

TIA

Kevin

   Posted by Kevin Markey at 16 September 07 7:38 PM

Kevin, try closing all the running applications, restart your machine and try again from scratch. If it still doesn't work contact me and I'll send you a debug version.

   Posted by Pedro Bustamante at 17 September 07 10:14 AM

Need to try something for spyware saw your site on Kim Komando and thought I would give it a try.

Thanks for keeping it free a lot of us just don't have the money for the ones they are selling.

Celia

   Posted by Celia McCartney at 24 September 07 8:26 PM

Like others who have posted, version 1.08 will not run on my PCs (HP Compaq nx9600, XP SP2, Kerio personal firewall, Avira AV; Dell Inspiron 1505, XP SP2, Kerio personal firewall, Avira AV). It gives no error message, but just stops scanning at 20% (I let it run on both PCs for about 90 minutes). I downloaded version 1.07 and it scanned with no problems in about five minutes.

   Posted by Dave at 17 October 07 12:00 AM

cnet d/l link broken (

   Posted by mike at 25 October 07 6:41 PM

Works for me mike. If you're still not able to download from cnet try the following:

http://research.pandasecurity.com/blogs/images/AntiRootkit.zip

   Posted by Pedro Bustamante at 29 October 07 4:39 PM

There's a report of a rootkited machine with the following Registry entry:

UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe

If you run into this, clean your machine manually by deleting only the second portion of the UserInit entry, that is "C:\WINDOWS\system32\ntos.exe"

   Posted by Pedro Bustamante at 29 October 07 4:43 PM
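The manual cleanup Pedro describes (keep the first, legitimate part of UserInit and drop the appended executable) is easy to get wrong by hand. The following script is an added example, not Panda's code: it parses a UserInit string such as the one quoted above, reports every entry beyond the real userinit.exe under %SystemRoot%\system32, and builds the cleaned value to set. The infected sample value is constructed from the comment; the registry key path is the real Winlogon location. Reading the live registry is only attempted on Windows, and the script never writes to the registry itself, so the cleaned value is applied by hand after review.

```python
# Added example (not Panda's code): audit the Winlogon UserInit value for
# executables appended after the legitimate userinit.exe, as described in
# the comment above. Reports only; it does not modify the registry.
import ntpath
import sys

# Real location of the value on Windows 2000/XP (and later versions).
WINLOGON_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
USERINIT_VALUE = "Userinit"

# Sample value constructed from the blog comment (infected machine).
SAMPLE_INFECTED = r"C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe"


def split_userinit(value):
    """Split the comma-separated UserInit string into non-empty, trimmed entries."""
    return [e.strip() for e in value.split(",") if e.strip()]


def is_legitimate_userinit(entry, system_root=r"C:\WINDOWS"):
    r"""True only for userinit.exe located in %SystemRoot%\system32.

    Assumption: system_root defaults to C:\WINDOWS as in the comment; pass the
    real %SystemRoot% when auditing a machine installed elsewhere.
    """
    expected_dir = ntpath.join(system_root, "system32").lower()
    directory, name = ntpath.split(entry.strip('"'))
    return name.lower() == "userinit.exe" and directory.lower() == expected_dir


def audit_userinit(value, system_root=r"C:\WINDOWS"):
    """Return (unexpected_entries, cleaned_value).

    cleaned_value keeps the legitimate entries in their original order and
    ends with a trailing comma, matching the default Windows value
    (userinit.exe followed by a comma).
    """
    entries = split_userinit(value)
    legit = [e for e in entries if is_legitimate_userinit(e, system_root)]
    unexpected = [e for e in entries if not is_legitimate_userinit(e, system_root)]
    cleaned = ",".join(legit) + ","
    return unexpected, cleaned


def read_live_userinit():
    """Read the value from the local registry; returns None when not on Windows."""
    if sys.platform != "win32":
        return None
    import winreg  # standard library, Windows only
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON_KEY) as key:
        value, _value_type = winreg.QueryValueEx(key, USERINIT_VALUE)
    return value


if __name__ == "__main__":
    live = read_live_userinit()
    value = live if live is not None else SAMPLE_INFECTED
    source = "live registry" if live is not None else "constructed sample"
    unexpected, cleaned = audit_userinit(value)
    print(f"UserInit ({source}): {value}")
    if unexpected:
        print("Unexpected entries (review and remove manually):")
        for entry in unexpected:
            print("  ", entry)
        print("Cleaned value to set:", cleaned)
    else:
        print("No unexpected entries in UserInit.")
```

Run it as-is to see the verdict on the constructed sample; on a Windows machine it reads the live value instead. Matching on the full directory rather than just the file name is deliberate: a copy of a file named userinit.exe in another folder would otherwise pass as legitimate.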

Having same problem as Kevin Markey - version 1.08 encounters problem when scanning registry and must close.

No other applications running and restarting makes no difference.

   Posted by Mike Penk at 29 October 07 9:11 PM

very interesting, but I don't agree with you

Idetrorce

   Posted by Idetrorce at 15 December 07 3:17 PM

What don't you agree with Idetrorce?

   Posted by Pedro Bustamante at 17 December 07 10:11 AM

When I attempt to run version 1.08.00 on XP sp2, the program stops at Windows registry after scanning 20%.  I have run the program by itself both as a "regular scan", and and in-depth scan, with the same results.

Please help, as I think I am infected with rootkits.

Thanks!

Roger

   Posted by Roger at 29 December 07 5:02 AM

Pedro,

How long before you envisage the development of a rootkit tool for Vista

   Posted by John at 30 December 07 11:37 PM

Is this compatible with Windows Vista?

   Posted by bonnie Page at 2 January 08 4:08 AM

Regarding the development of a stand-alone anti-rootkit for Vista, we're currently keeping an eye out to see how the entire rootkit scene evolves under Vista and User Access Control (UAC), as it's yet very premature to conclude anything.

However we have included the anti-rootkit technology into our commercial products that support Vista, so you can perform a scan for rootkits using our 2008 products (free download from http://www.pandasecurity.com).

   Posted by Pedro Bustamante at 2 January 08 5:43 PM

I also find it fails at 17% on version 1.08. But I never had version 1.07. Where can I get it?

   Posted by simon at 8 January 08 10:32 PM

HI

Your product  seems great  !!! Thank you..

I was running a complete scan (w/reboot) and also began an EMSI a2 (a-squared) anti-trojan scan at the same time.....

and got the following report

<REPORT>
  <MALWARE_EVIDENCES>
    <FILE>
      <PATH>C:\WINNT\Temp\a2archive\ObjectAdapterIdArray.class</PATH>
    </FILE>
  </MALWARE_EVIDENCES>
</REPORT>

.....Curious as to why, should I clean it, leave it alone...etc.. or if I should be worried  !!!

   Posted by tyler at 11 January 08 9:40 PM

I cannot even start it. I get the same error as with my antivirus. "Not a valid Win32 application".

   Posted by Luicfer66 at 29 January 08 6:36 PM

Did you download the application from this blog (download.com) or from a different site? Where?

   Posted by Pedro Bustamante at 7 February 08 9:52 AM

Does this only run on 32bit versions of 2k/XP or will it also run on the 64bit versions?

   Posted by Stef 2u at 9 February 08 3:16 AM

Only 32bit versions Stef.

   Posted by Pedro Bustamante at 12 February 08 9:19 AM

Same problem "Not a valid Win32 application"

downloaded from download.com

running on WinXP SP2.

   Posted by lechozo at 13 February 08 4:28 PM

Seems there's been some problems with download.com. I've put an alternative download link on the post above just under the "Download Now" green button.

   Posted by Pedro Bustamante at 19 February 08 10:16 AM

AppName: pavark.exe AppVer: 5.0.0.4 ModName: ntdll.dll

ModVer: 5.1.2600.2180 Offset: 00011f52

I'm sad that I can't install Panda Anti RootKit. I need a trusted program for my problem. But this window stops the whole install.

I'm looking for an old version (1.07) to try to install, but haven't found one.

I have Win XP Pro SP2 all original, Bitdefender antivirus, Spybot S&D and Comodo firewall.

And AVG Antispy ... what happens ¿?

   Posted by PELR at 22 February 08 5:37 AM

More about Panda Anti RootKit install (in my PC):

C:\DOCUME~1\XXXXX\CONFIG~1\Temp\3652_appcompat.txt

That's the file I can read in that window "see details"

Bye.

   Posted by PELR at 22 February 08 5:45 AM

Is there anyone still helping with blue screen  phooks.sys problem?  The main Panda Tech Support doesn't list the anti-rootkit and the offers for help in this forum are 6 months old.

I made the mistake of starting up in safe mode after receiving the blue screen, so the "last known configuration" startup option now gives the same blue screen error message.

   Posted by adam at 25 March 08 6:37 PM

Adam, try booting from a different source (Boot CD, NTFSDOS+, Linux, ...) and delete the phooks.sys file. Reboot and you should be good to go.

   Posted by Pedro Bustamante at 26 March 08 8:53 PM

When I run the rootkit, it always says that there is a rootkit detected in the Symantec file, hidden. I haven't removed it since I am afraid it will somehow interfere with my Antivirus Norton (that is what Symantec is).

Also, when I try to scan with Ad-aware going, the Antirootkit always gets stuck at 57%. When I deactivate the Ad-aware, it runs the scan fine, telling me there is a rootkit in Symantec.

These are the only probs I am having so far.  Thanks for offering this product.  Hopefully all the kinks will get worked out soon enough.

   Posted by granny at 2 April 08 4:10 AM

Granny, could you please email me and send me a report of the anti-rootkit scan that detects the Symantec file as hidden? (pedro.bustamante'at'pandasecurity.com)

Btw the Ad-aware issue has been reported before so I recommend you always deactivate it before running a scan with Panda Anti-Rootkit.

   Posted by Pedro Bustamante at 17 April 08 4:29 PM
