Anti Rootkit


This feature helps you proactively detect and clean rootkits that are active in the system. The program scans objects such as running Processes, the Windows Registry, and Files and Folders for suspicious activity and detects rootkits without relying on signatures. Anti-Rootkit detects most existing rootkits, is designed to detect upcoming rootkits, and provides the option to clean them.

However, it is recommended that Quick Heal Anti-Rootkit be used by a person who has good knowledge of the operating system, or with the help of a Quick Heal Technical Support engineer. Improper use of this program could result in an unstable system.

Using Quick Heal Anti-Rootkit

To use Anti-Rootkit, follow these steps:

  1. Open Quick Heal Total Security.
  2. On the left pane, click Protection and then click Anti-Rootkit.

    A message appears that recommends that you close all other applications before launching Anti-Rootkit.

  3. In the left pane on the Anti-Rootkit screen, click the Start Scan button.

    Quick Heal Anti-Rootkit starts scanning your system for suspicious rootkit activity in the running Processes, Windows Registry, and Files and Folders.

    After the scan is complete, the result is displayed in three tabs.

  4. Select the appropriate action against each threat displayed. For example, you can terminate the rootkit Process, or rename the rootkit Registry entry or Files and Folders.

    After taking the action, restart your system so that rootkit cleaning takes place.

Buttons and their description:

Stop Scanning: Helps you stop the scan while it is under way.
Close: Helps you close the Anti-Rootkit window. If you choose to close the Anti-Rootkit window while a scan is in progress, it prompts you to stop the scan first.
Error Report Submission: Due to infection or some unexpected condition in the system, a Quick Heal Anti-Rootkit scan may fail. On failure, you are asked to re-scan your system and submit an error report to the Quick Heal Team for further analysis.

With the Settings feature available on the Anti-Rootkit screen, you can configure which items to scan.

Configuring Quick Heal Anti-Rootkit Settings

  1. Open Quick Heal Total Security.
  2. On the left pane, click Protection and then click Anti-Rootkit.

    Quick Heal Anti-Rootkit is configured for Auto Scan by default, in which it scans the required system areas.

Scan options and their description:

Auto Scan: Auto Scan is the default scan setting for Anti-Rootkit. Under Auto Scan, Quick Heal Anti-Rootkit scans the predefined system areas:

  • Hidden Processes
  • Hidden Registry entries
  • Hidden Files and Folders
  • Executable ADS

Custom Scan: Helps you customize the scan settings for Anti-Rootkit with the following options:

  • Detect Hidden Process – scans the hidden processes running in the system.
  • Detect Hidden Registry Items – scans the hidden items in the Windows Registry.
  • Detect Hidden files and folders – scans the hidden files and folders in the system and executable ADS (Alternate Data Streams). You can further choose from the following options:
    • Scan drive on which Operating System is installed
    • Scan all fixed drives
    • ADS (Alternate Data Streams) to scan for executable ADS

Report File Path: Quick Heal Anti-Rootkit creates a scan report file at the location from which it is executed. However, you can specify a different location.

Overview of Alternate Data Streams – ADS

Alternate Data Streams (ADS) allow data to be stored in a hidden form that is attached to a normal, visible file. Streams are not limited in size, and more than one stream can be attached to a single file. ADS is a security risk because streams are almost completely hidden: a Trojan or virus author can use streams to spread malware while concealing its source.
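The "Executable ADS" check described above amounts to listing every stream attached to a file and testing whether it starts like a Windows executable. The following is an added PowerShell example, not Quick Heal's code: it assumes a directory in $Root and reports streams whose first two bytes are the PE "MZ" signature.

```powershell
# Added example (not Quick Heal's code): enumerate NTFS alternate data streams
# under $Root and flag those that begin with the "MZ" signature of a PE file.
# $Root is an assumed starting directory; adjust it to the area you want to check.
param([string]$Root = "$env:SystemDrive\Users")

function Test-PeHeader([string]$StreamPath) {
    # Open the stream directly ("file:stream") and read its first two bytes.
    try {
        $fs  = [System.IO.File]::OpenRead($StreamPath)
        $buf = New-Object byte[] 2
        $n   = $fs.Read($buf, 0, 2)
        $fs.Dispose()
        return ($n -eq 2 -and $buf[0] -eq 0x4D -and $buf[1] -eq 0x5A)   # "MZ"
    } catch {
        return $false
    }
}

Get-ChildItem -LiteralPath $Root -File -Recurse -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_
        # -Stream * lists every stream; ':$DATA' is the file's normal content and is skipped.
        # Note that Zone.Identifier (mark-of-the-web) streams are common and benign.
        Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' } |
            ForEach-Object {
                $streamPath = "$($file.FullName):$($_.Stream)"
                [pscustomobject]@{
                    File       = $file.FullName
                    Stream     = $_.Stream
                    Length     = $_.Length
                    Executable = Test-PeHeader $streamPath
                }
            }
    } |
    Where-Object { $_.Executable } |
    Format-Table -AutoSize
```

Run it from an elevated prompt so that streams on protected files can be read; an empty result means no executable ADS was found under $Root.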

Scanning Results and Cleaning Rootkits

  1. Open Quick Heal Anti-Rootkit.
  2. In the left pane on the Quick Heal Anti-Rootkit screen, click the Start Scan button.
  3. Quick Heal Anti-Rootkit starts scanning your system for suspicious rootkit activity in the running Processes, Windows Registry, and Files and Folders.
    After the scan is complete, the result is displayed in three different tabs.
    Take the appropriate action. You need to restart your system so that rootkit cleaning takes place.

Tabs that appear on the Scan Results screen

Tabs and their description:

Process: After the scan is complete, Quick Heal Anti-Rootkit displays a list of hidden processes. You can select processes in the Process tab for termination, but ensure that the list does not include any known trusted process. Quick Heal Anti-Rootkit also displays a summary of the total number of processes scanned and the number of hidden processes detected.
Terminating Hidden Process: After selecting the processes to close, click the Terminate button. If a process is successfully terminated, its PID (Process Identifier) field shows n/a and the process name is appended with Terminated. All terminated Processes will be renamed after a restart.
Registry: Similar to the Process scan, Quick Heal Anti-Rootkit displays a list of hidden Registry keys. You can select keys for renaming, but ensure that the list does not include any known trusted registry key. Quick Heal Anti-Rootkit also displays a summary of the total number of items scanned and the number of hidden items detected.
Renaming Hidden Registry Key: After selecting the keys for renaming, click the Rename button. The renaming operation requires a reboot, so the key name is prefixed with Rename Queued.
Files and Folders: Similarly, Quick Heal Anti-Rootkit displays a list of hidden files and folders. You can select files and folders in the Files and Folders tab for renaming, but ensure that the list does not include any known trusted file. Quick Heal Anti-Rootkit also displays a list of executable Alternate Data Streams, and a summary of the total number of files scanned and the number of hidden files detected.
Renaming Hidden Files and Folders: After selecting the files and folders for renaming, click the Rename button. The renaming operation requires a reboot, so the file or folder name is prefixed with Rename Queued.

Cleaning Rootkits through Quick Heal Emergency Disk

Sometimes rootkits are not cleaned properly and reappear even after a Quick Heal Anti-Rootkit scan. In such cases, you can also use Quick Heal Emergency Disk for complete cleaning. To clean this way, create a Quick Heal Emergency Disk and boot your system from it.

To create Quick Heal Emergency Disk and clean your system through it, follow these steps:

Step 1

To create Quick Heal Emergency Disk, follow the link Create Emergency Disk.

Step 2

  1. Open Quick Heal Anti-Rootkit.
  2. In the left pane on the Quick Heal Anti-Rootkit screen, click the Start Scan button.
    Quick Heal Anti-Rootkit starts scanning your system for suspicious rootkit activity in the running Processes, Windows Registry, and Files and Folders.
    After the scan is complete, the scan result is displayed in three different tabs.
  3. Take the appropriate action against each threat displayed. For example, you can terminate the rootkit process or rename the rootkit registry entry or files.

Step 3

  1. Boot your system using Quick Heal Emergency Disk.
  2. Quick Heal Emergency Disk automatically scans and cleans the rootkits from your system.