
Panda AntiRootkit Official Release

April 2nd, 2007 Pedro Bustamante

We're very glad to announce that Panda AntiRootkit 1.06 has finally been officially released for the mass market. It has taken a while since we've been implementing a lot of the suggestions and reports received during the alpha and beta testing phases started in December 2006. Many thanks to all the people (over 20,000 downloads) who have helped us improve this free utility for the community.

Panda AntiRootkit 1.06

Panda AntiRootkit is a free utility that performs in-depth scans of your computer in search of hidden resources, identifying and disinfecting known and unknown rootkits. Unlike other rootkit utilities which merely "reveal" hidden objects, Panda AntiRootkit positively identifies known and unknown rootkits and gives the option of removing them, including their associated registry entries, processes and files.

In addition, Panda AntiRootkit has an Exhaustive Scan Monitor (requires reboot) capable of monitoring drivers and processes loading at boot time. Its unique technology does this at a lower level than any other AntiRootkit utility, therefore revealing all hiding techniques used by the latest generation of rootkits.

Panda AntiRootkit discovers hidden files, registry entries, drivers, processes, modules, SDT modifications, EAT hooks, modifications to the IDT, non-standard INT2E, non-standard SYSENTER, IRP hooks, and much more. Among other things, we have added an extended .CSV report that can be exported to consult detailed information on the hidden objects found, and some interface refinements.

Panda AntiRootkit runs on Windows 2000 SP4 and Windows XP and above. For a version that runs on servers please contact your local Panda Technical Support office. Keep in mind that Panda AntiRootkit is not an antivirus solution nor does it provide real-time protection. If Panda AntiRootkit has detected and disinfected a rootkit from your system, we still recommend that you run a complete AV scan afterwards to delete any malicious files that might be left over.

For those interested, you can also run Panda AntiRootkit 1.06 from the command line. This is especially useful in corporate networked environments that wish to run Panda AntiRootkit from a login script or centralized management tool. The available command-line switches are:

/CLEAN         Automatically remove detected rootkits
/SEND          Send all suspicious items detected to PandaLabs
/RESULTS:Path  Log all results to a file
/R             Restart automatically to complete cleaning
/O             Hide on-screen messages during execution
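As an added example (not a script from Panda or from the original post), the following batch file shows how these switches could be used from a login script: a detection-only first pass that writes the log to a central share and submits suspicious items, with the /CLEAN pass kept separate for after an administrator has reviewed the findings. The PAVARK.exe location and the \\fileserver\arklogs share are assumptions, not values from the post.

```batch
@echo off
REM Added example, not Panda's own script: run Panda AntiRootkit 1.06 unattended
REM from a login script and collect its log on a central share.
REM Assumed locations (not from the original post): the PAVARK.exe install path
REM and the \\fileserver\arklogs share. The switches are the ones the post lists.
setlocal

set "PAVARK=C:\Security\PandaAnti-Rootkit\PAVARK.exe"
set "LOGSHARE=\\fileserver\arklogs"
set "LOGFILE=%LOGSHARE%\%COMPUTERNAME%.log"

if not exist "%PAVARK%" (
    echo Panda AntiRootkit not found at "%PAVARK%" >&2
    exit /b 1
)

REM First pass: detect only. /O hides the UI so the logged-in user is not
REM interrupted, /RESULTS writes the findings where an administrator can review
REM them, and /SEND submits suspicious items to PandaLabs for analysis.
REM /CLEAN and /R are deliberately left out of this pass: review the log first,
REM then run the clean-up pass below only on machines whose findings you checked.
"%PAVARK%" /RESULTS:"%LOGFILE%" /SEND /O

REM The post does not document exit codes, so the presence of the log file is
REM used as the completion check.
if exist "%LOGFILE%" (
    echo Scan finished on %COMPUTERNAME%, log written to "%LOGFILE%"
) else (
    echo No log produced on %COMPUTERNAME%, check that the scan ran >&2
)

REM Second pass (run separately, after review): remove detected rootkits and
REM reboot automatically to complete the clean-up.
REM "%PAVARK%" /RESULTS:"%LOGFILE%" /CLEAN /R /O

endlocal
```

Keeping /CLEAN out of the unattended first pass is the point of the split: the log names the objects the tool considers hidden, and the thread below shows that what gets reported as "Unknown" can include legitimate software, so the removal decision is better taken per machine after someone has read the CSV than applied blindly across a whole network.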

Even though you can still comment and download Panda AntiRootkit 1.06 from our Research blog here, it will be officially distributed and supported from now on from our regular website.

  1. Pedro Bustamante
    April 3rd, 2007 at 19:08 | #1

    Glad to see it out of beta stages. Nice one guys. I’m excited to try it out.

  2. Pedro Bustamante
    April 3rd, 2007 at 23:11 | #2

    Hi Pedro, the scanner on my PC doesn’t remove the unknown rootkit, why?

    I sent the file and report to PandaLabs

    Regards

  3. Pedro Bustamante
    April 4th, 2007 at 06:53 | #3

    Panda AntiRootkit only removes known rootkits. If we detect an unknown rootkit we don’t remove it, as some rootkits might hide behind winlogon.exe or some other OS file. Deleting such files would render your PC unbootable. Send me the exported CSV log at pbustamante[at]pandasoftware.com and let me know what date/time you submitted to PandaLabs so I can take a look at the RK from the repository.

  4. Pedro Bustamante
    April 7th, 2007 at 18:01 | #4

    Does it work on Vista?

  5. Pedro Bustamante
    April 8th, 2007 at 06:45 | #5

    Hi,

    Just wanted to let you know that the rootkit detector is detecting a hidden Zone Alarm Free registry entry and driver as a rootkit. I submitted the ‘rootkit’ when asked by the program. Zone alarm is a pretty popular program, so I expect you’ll want to remove this false positive as soon as possible?

    Otherwise very impressed - thanks for the excellent tool. Very ‘clean’ and easy to use.

  6. Pedro Bustamante
    April 9th, 2007 at 09:08 | #6

    Does NOT work under Vista. We’re still evaluating the rootkit implications under Vista before we develop and release an antirootkit for Vista.

  7. Pedro Bustamante
    April 9th, 2007 at 09:10 | #7

    Thanks for the FP report Donald. We’ll analyze it asap.

  8. Cloud
    April 10th, 2007 at 01:35 | #8

    It doesn’t work on Win 2003.

  9. Pedro Bustamante
    April 10th, 2007 at 07:01 | #9

    Correct about not running under Win2003. There’s a separate server version which we’re finishing up (there’s a bug while running under W2003) and which will be distributed free-of-charge via our Panda Support offices.

  10. Pedro Bustamante
    April 10th, 2007 at 09:59 | #10

    We have received reports of Prevx flagging the Panda AntiRootkit driver. We’ve talked to the good people at Prevx and this has been fixed already. Thanks!

  11. Pedro Bustamante
    April 22nd, 2007 at 20:32 | #11

    Hey Pedro, no Panda AntiRootkit to be found. I’ve searched the Panda web site, did a Google for it and so far found nothing but talk, talk, talk, talk, and no download. What gives?

  12. Pedro Bustamante
    April 22nd, 2007 at 23:21 | #12

    When I try to do an in depth scan, the computer restarts and I get a blue screen which begins…
    STOP: 0x000000BE (0x804D768E, 0x004D7121, 0xEB41F6E4, 0x0000000A) An attempt was made to write to read-only memory. This driver may be at fault: phooks.sys

  13. Pedro Bustamante
    April 23rd, 2007 at 17:36 | #13

    @Jim

    The link for the Panda AntiRootkit is at the top of this page, but I’ve also linked it here as well for you.

    http://research.pandasoftware.com/blogs/images/AntiRootkit.zip

  14. Pedro Bustamante
    April 25th, 2007 at 00:02 | #14

    Barry please contact me offline to troubleshoot your problem. pbustamante’at’pandasoftware.com.

  15. Pedro Bustamante
    April 27th, 2007 at 10:58 | #15

    I find that interesting.

  16. Pedro Bustamante
    May 23rd, 2007 at 13:17 | #16

    Thank you ! it works pretty fast.
    This is a must for highly “infectable” puters (hrm like mine)

  17. Pedro Bustamante
    May 28th, 2007 at 11:38 | #17

    Hi Pedro, is there still no version for Server 2003? I asked our German support office, but they don’t know about it.

  18. Pedro Bustamante
    May 30th, 2007 at 06:13 | #18

    Regarding the server version, we are still fixing a bug that under very rare conditions might leave systems unable to boot after an exhaustive scan. Therefore we will not release the server version until this problem is fixed.

  19. Pedro Bustamante
    June 6th, 2007 at 21:28 | #19

    I just tried Panda Anti-Rootkit with “In-depth scan enabled” on my Windows 2000 Pro SP4. It reported that the following applications are Unknown Rootkits. It’s really confusing me, since those are normal applications I am using.
    Confusing me more, when I tried Panda Anti-Rootkit on my Windows XP SP2 with those same applications, Panda Anti-Rootkit congratulated me that there is no rootkit found.
    How should I understand it?

    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Security\PandaAnti-Rootkit\PAVARK.exe
    C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
    C:\Program Files\GPGshell\GPGtray.exe
    C:\Program Files\Reliable Software\Code Co-op\Dispatcher.exe
    C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe

  20. Pedro Bustamante
    June 7th, 2007 at 07:54 | #20

    Benjamin, please do two things:
    1- If you haven’t done so already, run Panda Anti-Rootkit and submit the files it finds and reports so we can take a look at it.
    2- Download and run version 1.08 from http://research.pandasoftware.com/blogs/images/AntiRootkit.zip which has a lot of false positive fixes. Whatever 1.08 detects, please submit it again.
    Please post your results.

  21. Pedro Bustamante
    June 7th, 2007 at 19:14 | #21

    Pedro,
    1) I submitted the report yesterday; just submitted again.
    2) Yesterday version was 1.08.00 (file version 5.0.0.4). Today version is still 1.08.00 (file version 5.0.0.4) meaning the same. I submitted the report again.
    If you need further tracking down, please advise.
    Thank you.

  22. Pedro Bustamante
    June 7th, 2007 at 19:20 | #22

    One more thing: those files I listed above are loaded from Programs > Startup, not from the registry.

  23. Pedro Bustamante
    June 8th, 2007 at 12:15 | #23

    Benjamin, can’t quite figure out what’s going on with these detections you’re getting. Please contact me by email to pbustamante’at’pandasoftware.com and I’ll send you a special version of Panda Anti-Rootkit to troubleshoot this.

  24. Pedro Bustamante
    June 8th, 2007 at 15:34 | #24

    I found “C:\Program Files\Hewlett-Packard\HP Easy Printer Care\HPPRun.exe” causes the problem. But how could it make Panda AntiRootkit think other applications are rootkits? It’s tough, isn’t it? I’ll contact you to try the troubleshooting version.

  25. Pedro Bustamante
    June 8th, 2007 at 19:45 | #25

    The latest version you have doesn’t run on Win 2003.

  26. Pedro Bustamante
    June 9th, 2007 at 00:37 | #26

    As per comment above:
    “Regarding the server version, we are still on fixing a bug under very rare conditions that might leave systems unable to boot after an exhaustive scan. Therefore we will not release the server version until this problem is fixed.”
    As soon as we’re ready to release for W2003 I’ll post it here.

  27. Pedro Bustamante
    June 20th, 2007 at 21:30 | #27

    I just ran Panda Anti-Rootkit, and it nuked my Firefox and AOL. It apparently identified Firefox and AOL related items as “Unknown” rootkits, and when I chose to eliminate what I thought were harmful rootkits… it eliminated those programs from my machine. Argghh.

    I saved the CSV file if you want to take a look at it.

    Any hints on recovering anything, or are they gone (with my bookmarks)?

  28. Pedro Bustamante
    June 20th, 2007 at 23:13 | #28

    Go ahead and send me the report file Erik. Did you by any chance submit the rootkits found to PandaLabs?

  29. rofovnifo
    July 5th, 2007 at 00:38 | #29

    Hello

    Looks good! Very useful, good stuff. Good resources here. Thanks much!

    G’night

  30. Pedro Bustamante
    August 1st, 2007 at 23:22 | #30

    Many thanks for this effective software. My machine was infected with trojan-phisher-snifula and with another trojan, Generic 6.0 SO. The antivirus software found 300 plus problem files, most of them masquerading as “Nero”, and the Rootkit Revealer turned up a long list of hidden problem files. I first tried a program called Unhackme, but it did not get the whole job done. Your rootkit cleaner produced a clean result, and I was able to confirm this with Rootkit Revealer. I think I am out of the woods. Bravo and thanks. John

  31. Pedro Bustamante
    September 19th, 2007 at 22:35 | #31

    I used the Panda Rootkit and my system will now only boot into safe mode.

    Any thoughts?

    Rick

  32. Pedro Bustamante
    September 22nd, 2007 at 08:17 | #32

    Did you try booting using "Last known good configuration" as mentioned in someone's comments? It worked for me.

  33. Pedro Bustamante
    October 16th, 2007 at 22:41 | #33

    Whenever I do a scan with Panda Anti-Rootkit v.1.08.00, the program stops in the Registry Scan, and a message refers to an error in ModName ntdll.dll

  34. Pedro Bustamante
    November 9th, 2007 at 23:15 | #34

    I didn’t remove the unknown rootkit, because it is a hidden file and I am afraid it may be a system file. I sent the report on 09/11/07 (11.30PM) to PandaLabs
    C:\Documents and Settings\Roberto\Desktop\Ormai che ci siamo….:Zone.Identifier
    Can I remove it safely?
    Regards

  35. sammi
    November 22nd, 2007 at 13:11 | #35

    I really want to try and see how effective your antivirus is, because friends told me that it is good. Thank you for providing it.

  36. Pedro Bustamante
    November 27th, 2007 at 19:59 | #36

    A very useful and much needed tool. I inadvertently discovered rootkits while trying to clear a spyware infection on my machine – a suspicious unsigned “winlogon” process kept appearing (Windows Defender was very useful for this). I had 3 rootkits installed. UnHackMe removed two of them, but couldn’t remove the third. I reinstalled Windows XP and then discovered Panda Anti-Rootkit. I wonder if Vista is more resistant to rootkits than XP is. Also I wonder if Vista handles administration privileges more elegantly than XP does. Having a “limited” account in place probably would have prevented these problems in the first place, but accounts on XP are so cumbersome that no one ever uses them.

  37. Pedro Bustamante
    December 3rd, 2007 at 15:17 | #37

    The problem with Vista is that the decision of whether a rootkit should be allowed to install or not is passed on to the end user via User Account Control (UAC). You get a nice “should this be allowed to install?” question from Vista. However, we all know that relying on end users to make good decisions on security matters is not the solution at all… some will say “No” and some will say “Yes”. Even though right now there are no widely rootkit-infected Vista systems, I’m sure that in some time and with a little social engineering we’ll start seeing rootkitted Vista machines. I believe it was either Symantec or Joanna @ invisiblethings who released some research a few months ago about social engineering Vista’s UAC prompt.

  38. Pedro Bustamante
    December 19th, 2007 at 15:19 | #38

    Will Panda antirootkit run okay with Avast (free edition) antivirus? I don’t want to add a problem, rather than see if one exists.

  39. Pedro Bustamante
    December 21st, 2007 at 16:46 | #39

    Yes Bob, it will run ok with your current AV. For best performance and detection do an in-depth scan with a reboot.

  40. Pedro Bustamante
    December 29th, 2007 at 03:18 | #40

    I find it extremely disappointing that the AntiRootkit runs only on win2k + above!
    Why do you treat the ‘elders’ this way??
    Thomas W.

  41. Pedro Bustamante
    January 2nd, 2008 at 16:29 | #41

    Well, according to some stats, Win98 and Windows NT are used in less than 0.1% of PCs nowadays:
    http://research.pandasecurity.com/archive/Windows-Vista-spotted-in_2D00_the_2D00_wild.aspx
    http://sunbeltblog.blogspot.com/2007/10/random-some-vista-adoption-numbers_256.html
    But it’s not only a matter of barely used platforms. Also the most current rootkits do not work on these older platforms, so it really makes no sense investing the effort in developing and maintaining a product specifically for these.

  42. Pedro Bustamante
    January 21st, 2008 at 15:27 | #42

    I too got a blue screen on requesting an in-depth scan under Win2K. Rebooted last valid configuration etc., which activated a Pavark scan.
    What causes this (what is “trying to write to read-only memory”), and is the scan that Pavark is now conducting in-depth?
    You asked a previous contributor for more info on the system, but I don’t see any follow-up on the topic.
    TIA – Peter

  43. Pedro Bustamante
    January 28th, 2008 at 21:45 | #43

    Yes this happens in certain Win2k configurations. Peter try booting with the “last known good configuration”. This should boot your system without the Pavark scan. If that doesn’t work boot the PC with NTFSDOS, BartPE or any other OS that allows you to change the file system, and delete the phooks.sys driver. Your computer should reboot normally after that.

  44. Pedro Bustamante
    February 4th, 2008 at 22:31 | #44

    Hoping to see a working Vista version.
