Panda AntiRootkit Official Release

We're very glad to announce that Panda AntiRootkit 1.06 has finally been officially released for the mass market. It has taken a while since we've been implementing a lot of the suggestions and reports received during the alpha and beta testing phases started in December 2006. Many thanks to all the people (over 20,000 downloads) who have helped us improve this free utility for the community.

Panda AntiRootkit 1.06

Panda AntiRootkit is a free utility that performs in-depth scans of your computer in search of hidden resources, identifying and disinfecting known and unknown rootkits. Unlike other rootkit utilities which merely "reveal" hidden objects, Panda AntiRootkit positively identifies known and unknown rootkits and gives the option of removing them, including their associated registry entries, processes and files.

In addition, Panda AntiRootkit has an Exhaustive Scan Monitor (requires reboot) capable of monitoring drivers and processes loading at boot time. Its unique technology does this at a lower level than any other AntiRootkit utility, therefore revealing all hiding techniques used by the latest generation of rootkits.

Panda AntiRootkit discovers hidden files, registry entries, drivers, processes, modules, SDT modifications, EAT hooks, modifications to the IDT, non-standard INT2E, non-standard SYSENTER, IRP hooks, and much more. Among many other things we have added an extended .CSV report, which can be exported for reviewing detailed information on the hidden objects found, and some interface process refinements.

Panda AntiRootkit runs on Windows 2000 SP4 and Windows XP and above. For a version that runs on servers please contact your local Panda Technical Support office. Keep in mind that Panda AntiRootkit is not an antivirus solution nor does it provide real-time protection. If Panda AntiRootkit has detected and disinfected a rootkit from your system, we still recommend that you run a complete AV scan afterwards to delete any malicious files that might be left over.

For those interested, you can also run Panda AntiRootkit 1.06 from the command line. This is especially useful in corporate networked environments that wish to run Panda AntiRootkit from a login script or centralized management tool. The available command-line switches are:

/CLEAN          Automatically remove detected rootkits
/SEND           Send all suspicious items detected to PandaLabs
/RESULTS:Path   Log all results to a file
/R              Restart automatically to complete cleaning
/O              Hide on-screen messages during execution
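As an added example of the login-script use described above (this is not a script from Panda or from the original post), the batch file below runs the tool unattended on Windows 2000/XP workstations and writes a per-machine report to a central share. It assumes the executable is named PAVARK.exe (the name appears in a commenter's path below); the share paths are placeholders, and the tool's exit codes are not documented here, so the script only records that a run took place.

```batch
@echo off
REM Added example, not Panda's own script. Assumptions: PAVARK.exe is unpacked on
REM a read-only share; the share and log locations below are placeholders; exit
REM codes of PAVARK.exe are not documented, so only the fact of a run is logged.

setlocal
set TOOL=\\fileserver\tools\AntiRootkit\PAVARK.exe
set LOGDIR=\\fileserver\logs\antirootkit
set LOGFILE=%LOGDIR%\%COMPUTERNAME%.csv

REM The 1.06 release targets Windows 2000 SP4 and Windows XP; skip anything else.
ver | find "Windows 2000" >nul
if not errorlevel 1 goto supported
ver | find "Windows XP" >nul
if not errorlevel 1 goto supported
echo %DATE% %TIME% %COMPUTERNAME% skipped: unsupported OS >> "%LOGDIR%\skipped.txt"
goto end

:supported
if not exist "%TOOL%" (
    echo %DATE% %TIME% %COMPUTERNAME% error: PAVARK.exe not found on share >> "%LOGDIR%\skipped.txt"
    goto end
)

REM /O hides on-screen messages, /RESULTS:Path writes the report, /SEND submits
REM suspicious items to PandaLabs. /CLEAN and /R (auto-remove and auto-restart)
REM are deliberately left out of an unattended run: "Unknown" detections can be
REM false positives, so removal is left to an administrator after reviewing the CSV.
"%TOOL%" /O /SEND /RESULTS:%LOGFILE%

echo %DATE% %TIME% %COMPUTERNAME% scan finished, report at %LOGFILE% >> "%LOGDIR%\runs.txt"

:end
endlocal
```

The per-host CSV files collected under the log share can then be reviewed centrally before anyone re-runs the tool with /CLEAN on a specific machine; keeping the placeholder paths free of spaces avoids any question of how the tool parses a quoted /RESULTS: argument.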

Even though you can still comment and download Panda AntiRootkit 1.06 from our Research blog here, it will be officially distributed and supported from now on from our regular website.

Comments

Glad to see it out of beta stages. Nice one guys. I'm excited to try it out.
   Posted by coz at 3 April 07 9:08 PM
Hi Pedro, the scanner on my PC doesn't remove the unknown rootkit, why? I sent the file and report to the Panda labs. Regards
   Posted by lucass at 4 April 07 1:11 AM

Panda AntiRootkit only removes known rootkits. If we detect an unknown rootkit we don't remove it as some rootkits might hide behind winlogon.exe or some other OS file. Deleting such files would render your PC un-bootable. Send me to pbustamante[at]pandasoftware.com the exported CSV log and let me know what date/time you submitted to PandaLabs so I can take a look at the RK from the repository.

   Posted by Pedro Bustamante at 4 April 07 8:53 AM
does it work on vista
   Posted by dan hayden at 7 April 07 8:01 PM
Hi, Just wanted to let you know that the rootkit detector is detecting a hidden Zone Alarm Free registry entry and driver as a rootkit. I submitted the 'rootkit' when asked by the program. Zone alarm is a pretty popular program, so I expect you'll want to remove this false positive as soon as possible? Otherwise very impressed- thanks for the excellent tool. Very 'clean' and easy to use.
   Posted by Donald at 8 April 07 8:45 AM

Does NOT work under Vista. We're still evaluating the rootkit implications under Vista before we develop and release an antirootkit for Vista.

   Posted by Pedro Bustamante at 9 April 07 11:08 AM

Thanks for the FP report Donald. We'll analyze it asap.

   Posted by lucass at 9 April 07 11:10 AM
it doesn't work on win 2003
   Posted by Cloud at 10 April 07 3:35 AM

Correct about not running under Win2003. There's a separate server version which we're finishing up (there's a bug while running under W2003) and which will be distributed free-of-charge via our Panda Support offices.

   Posted by Pedro Bustamante at 10 April 07 9:01 AM

We have received reports of Prevx flagging the Panda AntiRootkit driver. We've talked to the good people at Prevx and this has been fixed already. Thanks!

   Posted by Pedro Bustamante at 10 April 07 11:59 AM
Hey Pedro, no Panda AntiRootkit to be found. I've searched the Panda web site, did a Google for it and so far found nothing but talk, talk, talk, talk, and no download. What gives?
   Posted by jim washburn at 22 April 07 10:32 PM
When I try to do an in depth scan, the computer restarts and I get a blue screen which begins... STOP: 0x000000BE(0x804D768E, 0x004D7121, 0xEB41F6E4, 0x0000000A) An attempt was made to write to read-only memory. This driver may be at fault:phooks.sys
   Posted by Barry Linton at 23 April 07 1:21 AM
@Jim The link for the Panda AntiRootkit is at the top of this page, but I've also linked it here as well for you. http://research.pandasoftware.com/blogs/images/AntiRootkit.zip
   Posted by Josh at 23 April 07 7:36 PM

Barry please contact me offline to troubleshoot your problem. pbustamante'at'pandasoftware.com.

   Posted by Pedro Bustamante at 25 April 07 2:02 AM
I find that interesting.
   Posted by Jose at 27 April 07 12:58 PM
Thank you ! it works pretty fast. This is a must for highly "infectable" puters (hrm like mine)
   Posted by Garouppa at 23 May 07 3:17 PM
Hi Pedro, is there still no version for server 2003? I asked our german support office, but they don't know about it.
   Posted by Eric at 28 May 07 1:38 PM

Regarding the server version, we are still on fixing a bug under very rare conditions that might leave systems unable to boot after an exhaustive scan. Therefore we will not release the server version until this problem is fixed.

   Posted by Pedro Bustamante at 30 May 07 8:13 AM
I just tried Panda Anti-Rootkit with "In-deep scan enabled" on my Windows 2000 Pro SP4. It reported the following applications are Unknown Rootkits. It's really confusing me, since those are normal applications I am using. Confusing me more, when I tried Panda Anti-Rootkit on my Windows XP SP2 with those same applications, Panda Anti-Rootkit congratulated me that there is no rootkit found. How should I understand it?
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Security\PandaAnti-Rootkit\PAVARK.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\GPGshell\GPGtray.exe
C:\Program Files\Reliable Software\Code Co-op\Dispatcher.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
   Posted by Benjamin at 6 June 07 11:28 PM

Benjamin, please do two things:

1- If you haven't done so already, run Panda Anti-Rootkit and submit the files it finds and reports so we can take a look at it.

2- Download and run version 1.08 from http://research.pandasoftware.com/blogs/images/AntiRootkit.zip which has a lot of false positive fixes. Whatever 1.08 detects, please submit it again.

Please post your results

   Posted by Pedro Bustamante at 7 June 07 9:54 AM
Pedro,
1) I submitted the report yesterday; just submitted again.
2) Yesterday's version was 1.08.00 (file version 5.0.0.4). Today's version is still 1.08.00 (file version 5.0.0.4), meaning the same. I submitted the report again.
If you need further tracking down please advise.
Thank you.
   Posted by Benjamin at 7 June 07 9:14 PM
One more thing: those files I listed above are loaded by Programs > Startup, not from the registry.
   Posted by Benjamin, at 7 June 07 9:20 PM

Benjamin, can't quite figure out what's going on with these detections you're getting. Please contact me by email to pbustamante'at'pandasoftware.com and I'll send you a special version of Panda Anti-Rootkit to troubleshoot this.

   Posted by Pedro Bustamante at 8 June 07 2:15 PM
I found "C:\Program Files\Hewlett-Packard\HP Easy Printer Care\HPPRun.exe" causes the problem. But how could it make Panda AntiRootkit think other applications are rootkits? It's tough, isn't it? I'll contact you to try the troubleshooting version.
   Posted by Benjamin at 8 June 07 5:34 PM
The latest version you have doesn't run on Win 2003.
   Posted by Serge at 8 June 07 9:45 PM

As per comment above:

"Regarding the server version, we are still on fixing a bug under very rare conditions that might leave systems unable to boot after an exhaustive scan. Therefore we will not release the server version until this problem is fixed."

As soon as we're ready to release for W2003 I'll post it here.

   Posted by Pedro Bustamante at 9 June 07 2:37 AM
I just ran Pand anti-rootkit, and it nuked my Firefox and AOL. It apparently identified Firefox and AOL related items as "Unknown" rootkits, and when I chose to eliminate what I thought were harmful rootkits... it eliminated those programs from my machine. Argghh. I saved the CSV file if you want to take a look at it. Any hints on recovering anything, or are they gone (with my bookmarks)?
   Posted by Erik at 20 June 07 11:30 PM

Go ahead and send me the report file Erik. Did you by any chance submit the rootkits found to PandaLabs?

   Posted by Pedro Bustamante at 21 June 07 1:13 AM
Hello Looks good! Very useful, good stuff. Good resources here. Thanks much! G'night
   Posted by rofovnifo at 5 July 07 2:38 AM
Many thanks for this effective software. My machine was infected with trojan-phisher-snifula and with another trojan, Generic 6.0 SO. The antivirus software found 300 plus problem files, most of them masquerading as "Nero", and the Rootkit Revealer turned up a long list of hidden problem files. I first tried a program called Unhackme, but it did not get the whole job done. Your rootkit cleaner produced a clean result, and I was able to confirm this with Rootkit Revealer. I think I am out of the woods. Bravo and thanks. John
   Posted by John Harris at 2 August 07 1:22 AM

I used the Panda Rootkit and my system will now only boot into safe mode.

Any thoughts?

Rick

   Posted by Rick W at 20 September 07 12:35 AM

Did you try booting using "Last known good configuration" as mentioned in someone's comments? It worked for me.

   Posted by Jack B. at 22 September 07 10:17 AM

Whenever I do a scan with Panda Anti-Rootkit v.1.08.00, the program stops in the Registry Scan, and a message refers to an error in ModName ntdll.dll

   Posted by Fernando at 17 October 07 12:41 AM

I didn't remove the unknown rootkit, because it is a hidden file and I am afraid it may be a system file. I sent the report on 09/11/07 (11.30PM) to the Panda labs

C:\Documents and Settings\Roberto\Desktop\Ormai che ci siamo....:Zone.Identifier

Can I remove it safely?

Regards

   Posted by Roberto at 10 November 07 12:15 AM

I really want to try and see how effective your antivirus is, because friends told me that it is good. Thank you for providing it.

   Posted by sammi at 22 November 07 2:11 PM

A very useful and much needed tool. I inadvertently discovered rootkits while trying to clear a spyware infection on my machine - a suspicious unsigned "winlogon" process kept appearing (Windows Defender was very useful for this). I had 3 rootkits installed. UnHackMe removed two of them, but couldn't remove the third. I reinstalled Windows XP and then discovered Panda Anti-Rootkit. I wonder if Vista is more resistant to rootkits than XP is. Also I wonder if Vista handles administration privileges more elegantly than XP does. Having a "limited" account in place probably would have prevented these problems in the first place, but accounts on XP are so cumbersome that no one ever uses them.

   Posted by Chris Brossard at 27 November 07 8:59 PM

The problem with Vista is that the decision of whether a rootkit should be allowed to install or not is passed on to the end user via User Account Control (UAC). You get a nice "should this be allowed to install?" question from Vista. However, we all know that relying on end users to make good decisions on security matters is not the solution at all... some will say "No" and some will say "Yes". Even though right now there are no widely rootkit-infected Vista systems, I'm sure that in some time and with a little social engineering we'll start seeing rootkitted Vista machines. I believe it was either Symantec or Joanna @ invisiblethings who released some research a few months ago about social engineering Vista's UAC prompt.

   Posted by Pedro Bustamante at 3 December 07 4:17 PM

Will Panda antirootkit run okay with Avast (free edition) antivirus?  I don't want to add a problem, rather than see if one exists.

   Posted by Bob at 19 December 07 4:19 PM

Yes Bob, it will run ok with your current AV. For best performance and detection do an in-depth scan with a reboot.

   Posted by Pedro Bustamante at 21 December 07 5:46 PM

I find it extremely disappointing that the AntiRootkit runs only on win2k + above!

Why do you treat the 'elders' this way??

Thomas W.

   Posted by thomas weber at 29 December 07 4:18 AM

Well according to some stats Win98 and Windows NT are used in less than 0.1% of PCs nowadays:

http://research.pandasecurity.com/archive/Windows-Vista-spotted-in_2D00_the_2D00_wild.aspx

http://sunbeltblog.blogspot.com/2007/10/random-some-vista-adoption-numbers_256.html

But it's not only a matter of barely used platforms. Also the most current rootkits do not work on these older platforms, so it really makes no sense investing the effort in developing and maintaining a product specifically for these.

   Posted by Pedro Bustamante at 2 January 08 5:29 PM

I too got a blue screen on requesting an in-depth scan under Win2K. Rebooted with the last valid configuration etc., which activated a Pavark scan.

What causes this (what is "trying to write to read-only memory"), and is the scan that Pavark is now conducting in-depth?

You asked a previous contributor for more info on the system, but I don't see any follow-up on the topic.

TIA - Peter

   Posted by Peter at 21 January 08 4:27 PM

Yes this happens in certain Win2k configurations. Peter try booting with the "last known good configuration". This should boot your system without the Pavark scan. If that doesn't work boot the PC with NTFSDOS, BartPE or any other OS that allows you to change the file system, and delete the phooks.sys driver. Your computer should reboot normally after that.

   Posted by Pedro Bustamante at 28 January 08 10:45 PM

hoping to see a Vista working version

   Posted by mike at 4 February 08 11:31 PM
