The time it takes to complete a scan depends on a variety of factors:
- The program itself and how its scanning engine is designed to scan: using a signature database, heuristic scanning for suspicious behavior, or a combination of both.
- Options to scan for spyware, adware, riskware and potentially unwanted or unsafe programs (PUPs).
- Options to scan memory, boot sectors, the registry and alternate data streams (ADS).
- Type of scan performed: Deep, Quick or Custom.
- What action has to be performed when malware is detected.
- The computer's hard drive size.
- Disk used capacity (the number of files, including temporary files, that have to be scanned).
- Types of files (.exe, .dll, .sys, .cab, archived, compressed, packed, email, etc.) that are scanned.
- Whether external drives are included in the scan.
- Competition for and utilization of system resources by the scanner.
- Other running processes and programs in the background.
- Interference from malware.
- Interference from the user.
Before performing an anti-rootkit (ARK) scan, it is recommended to do the following to ensure more accurate results and avoid common issues that may cause false detections.
Note: Not all hidden components detected by ARKs are malicious. It is normal for a firewall, some anti-virus and anti-malware software (ProcessGuard, Prevx1, AVG AS), sandboxes, virtual machines and host-based intrusion prevention systems (HIPS) to hook into the OS kernel/SSDT in order to protect your system. The SSDT (System Service Descriptor Table) is a kernel table holding the addresses of the system service routines that Windows dispatches user-mode system calls to. Both legitimate programs and rootkits can hook into and alter this table. You should not be alarmed if you see hidden entries created by legitimate programs after performing a scan; identify which driver or product owns each entry before treating it as an infection.
- Disconnect from the Internet or physically unplug your Internet cable connection.
- Clean out your temporary files.
- Close all open programs, scheduling/updating tasks and background processes that might activate during the scan including the screensaver.
- Temporarily disable your anti-virus and real-time anti-spyware protection.
- After starting the scan, do not use the computer until the scan has completed.
- When finished, re-enable your anti-virus/anti-malware (or reboot) and then you can reconnect to the Internet.
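The checklist above, scripted so that every step is undone again after the scan, as an added example that is not part of the original page. It assumes an elevated PowerShell 5.1 prompt on Windows 8 or later, Windows Defender as the real-time scanner (a third-party product needs its own switch), and a hypothetical $ArkPath pointing at the ARK executable you intend to run.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original page): run the pre-scan checklist,
# start the ARK, then restore protection and network in a finally block so a
# crash of the scanner does not leave the machine unprotected.
# $ArkPath is a hypothetical location; adjust it to the tool you are using.
param([string]$ArkPath = 'C:\Tools\ark-scanner.exe')

$adaptersDisabled = @()
$defenderWasOn    = $false
$wuWasRunning     = $false
try {
    # 1. Disconnect: disable every adapter that is currently up, remembering which ones.
    $adaptersDisabled = @(Get-NetAdapter | Where-Object Status -eq 'Up')
    $adaptersDisabled | Disable-NetAdapter -Confirm:$false

    # 2. Clean out temporary files; files locked by running programs are skipped.
    Get-ChildItem -Path $env:TEMP -Force -Recurse -ErrorAction SilentlyContinue |
        Remove-Item -Recurse -Force -ErrorAction SilentlyContinue

    # 3. Stop things that may wake up mid-scan: the screensaver and Windows Update.
    Set-ItemProperty -Path 'HKCU:\Control Panel\Desktop' -Name ScreenSaveActive -Value '0'
    $wuWasRunning = (Get-Service -Name wuauserv).Status -eq 'Running'
    if ($wuWasRunning) { Stop-Service -Name wuauserv -Force }

    # 4. Temporarily switch off real-time protection (Defender assumed).
    #    Tamper Protection can silently refuse this, so verify instead of assuming.
    $defenderWasOn = -not (Get-MpPreference).DisableRealtimeMonitoring
    if ($defenderWasOn) {
        Set-MpPreference -DisableRealtimeMonitoring $true
        if (-not (Get-MpPreference).DisableRealtimeMonitoring) {
            throw 'Real-time protection is still on (Tamper Protection?). Disable it manually, then re-run.'
        }
    }

    # 5. Run the ARK and block until it exits; do not use the machine meanwhile.
    Start-Process -FilePath $ArkPath -Wait
}
finally {
    # 6. Restore in the order the checklist gives: protection first, network last.
    if ($defenderWasOn) { Set-MpPreference -DisableRealtimeMonitoring $false }
    if ($wuWasRunning)  { Start-Service -Name wuauserv }
    Set-ItemProperty -Path 'HKCU:\Control Panel\Desktop' -Name ScreenSaveActive -Value '1'
    $adaptersDisabled | Enable-NetAdapter -Confirm:$false
}
```

The throw in step 4 is deliberate: an ARK run with the real-time scanner still active is exactly the situation that produces hangs and mis-attributed hooks, so the script stops rather than continuing with a half-prepared machine.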
If you are using a CD emulator (Daemon Tools, Alcohol 120%, etc.), be aware that they use rootkit-like techniques to hide from other applications. When dealing with a malware infection, CD emulators can interfere with investigative or anti-rootkit (ARK) tools. This interference can produce misleading or inaccurate scan results, false detection of legitimate files, unexpected crashes, BSODs, and general dross. This 'dross' often makes it hard to differentiate between genuine malicious rootkits and the legitimate drivers used by CD emulators. In some cases, the drivers related to such tools can cause crashes or system hangs when attempting to boot into Safe Mode.
Since CD emulators use a hidden driver that an ARK can report as a rootkit, and that can interfere with accurate results or cause other problems, it is recommended that they be removed or disabled until disinfection is completed.
Some ARK scanners have settings you can adjust if the scan hangs or freezes; others do not. If the scan still cannot be completed after adjusting whatever settings are available, try another ARK.
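Both the note on legitimate kernel hooks and the CD emulator paragraphs come down to the same practical check: know which third-party drivers are loaded before you read the ARK's list of hidden items. The following is an added example, not code from the original page, that lists running kernel drivers whose Authenticode signer is not Microsoft, so that AV, HIPS, sandbox and emulator drivers can be matched against ARK findings. It assumes an elevated PowerShell 5.1 prompt on Windows 10 or later; the SPTD driver name it flags comes from general knowledge of Daemon Tools and Alcohol 120%, not from the page.

```powershell
# Added example (not from the original page): enumerate running kernel drivers
# not signed by Microsoft, to build a baseline of legitimate hooking software.
# Assumes an elevated PowerShell 5.1 prompt on Windows 10+.
function Get-NonMicrosoftDriver {
    [CmdletBinding()]
    param()

    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName } |
        ForEach-Object {
            # WMI reports paths in several shapes: C:\..., \??\C:\..., \SystemRoot\...,
            # or System32\... relative to the Windows directory. Normalise them.
            $path = $_.PathName -replace '^\\\?\?\\', ''
            $path = $path -replace '^\\SystemRoot', $env:SystemRoot
            $path = $path -replace '^System32\\', ($env:SystemRoot + '\System32\')

            $sig    = Get-AuthenticodeSignature -FilePath $path -ErrorAction SilentlyContinue
            $signer = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject }
                      else { '<unsigned or unreadable>' }

            if ($signer -notmatch 'Microsoft') {
                # Hint column: sptd.sys is the hidden driver installed by Daemon Tools and
                # Alcohol 120% (general knowledge, not from the page). Extend as needed.
                $hint = if ($_.Name -match '^sptd') { 'CD emulator driver: remove/disable before scanning' } else { '' }
                [pscustomobject]@{
                    Name   = $_.Name
                    Path   = $path
                    Signer = $signer
                    Status = if ($sig) { $sig.Status } else { 'Unknown' }
                    Hint   = $hint
                }
            }
        }
}

Get-NonMicrosoftDriver | Sort-Object Name | Format-Table -AutoSize
```

Read the output as a starting point, not a verdict: on older Windows builds Get-AuthenticodeSignature does not consult the driver catalog, so in-box drivers without an embedded signature show up as unsigned, and a driver that hides itself well enough will not appear in Win32_SystemDriver at all. The useful comparison is the other direction: every hidden entry the ARK reports should map to one of the legitimate products listed here; anything left over deserves attention.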