Helping people with computers... one answer at a time.

Rootkits are definitely dangerous and immediate steps need to be taken to clean this machine.

Hi, Leo. Are all rootkits dangerous? I have had 28 that cannot be removed since April of last year. I don't seem have any of the obvious problems, but I wonder if they are necessary to remove by other than convenient methods. My AVG free rootkit removal tool cannot remove them. Thank you.

In this excerpt from Answercast #41, I look at a case with numerous rootkits found on a machine – it definitely needs cleaning.

Rootkits

Are all rootkits dangerous? Boy, you know, they are certainly intended to be; I'll put it that way!

Rootkits are rootkits for a reason:

  • They are there to hide from you.

  • They are there specifically to do something that you would not normally want your computer to do.

Is it dangerous?

Depends on your definition of danger. The only safe answer is that yes; rootkits, all rootkits, are potentially dangerous.

That means, in a situation like yours, you definitely need, in my opinion, to find a rootkit removal tool that will remove all of those rootkits that you have on your machine.

Potential reinstall

Twenty eight is an incredible number!

If you cannot find an anti-malware tool that actually does the rootkit removal that you're looking for (I would have expected AVG to be able to do it), then I think you may want to seriously consider:

  • Backing up your machine and,

  • Reinstalling Windows.

Yes, personally, I believe that rootkits are that serious, especially if you've got 28 of them, so give it some thought.

Rootkit removal

Have a look for a better rootkit removal tool. I honestly don't have one to recommend for you right now; otherwise, I would.

  • Most of the commercial tools do a fine job.

I'm hoping that what you really have is one rootkit that happens to manifest in 28 different ways to AVG. But nonetheless, the number 28 really scares me. I think it's very likely that you have something that you really, really don't want on your machine.

Article C5658 - August 5, 2012 « »

Share this article with your friends:

Share this article on Facebook Tweet this article Email a link to this article
Leo Leo A. Notenboom has been playing with computers since he was required to take a programming class in 1976. An 18 year career as a programmer at Microsoft soon followed. After "retiring" in 2001, Leo started Ask Leo! in 2003 as a place for answers to common computer and technical questions. More about Leo.

Not what you needed?

9 Comments
Mike
August 6, 2012 2:23 AM

As far as I understand it, rootkits are able to modify the way the kernel operates. For instance, they could actually remove their files (or any other files the person who put them there wouldn't want you to know about) from any requests by normal "user" programs (like virus scanners), so they remain undetected. That is why I'm kind of skeptical about so-called rootkit removers, because a well-written rootkit should be able to hide itself from the system that it's running inside of.
That being said, I suppose if you take a live CD so you don't have to touch the hard disk you could probably find it if you look hard enough. Maybe that's what good rootkit removers would do.
Please tell me if I'm wrong about any of this, though.

Scott Currier
August 7, 2012 9:54 AM

Rootkits are difficult to get rid of. Many people say that you can never be sure that you have gotten rid of it. I tend to agree with this line of thinking.

At the very least you'd need a program that will boot from a cd or ram stick and check for rootkits and hopefully remove them.

If you check a freeware/shareware site such as snapfiles.com you should find a few free programs that will do this for you. I seem to remember Norton having a freebie on there.

In truth, the only way to be sure is to redo the system from scratch, starting with a boot CD and then reinstalling your software.

My experience has been that you can't rely on the free programs to protect you.

I recommend using a name brand commercial package. The biggest and most popular one that has the largest user community would be ideal. They're not that expensive and are worth the money if they save you just once.

You may want to check with your ISP and see if they offer an anti-virus package as part of your subscription. Comcast offers a very good one, that's what I use. Verizon, last I knew offered one, Fairpoint I believe does. I do not know about any other ISP's.

If yours doesn't then I would check the PC Magazine or your favorite review site and choose the one you think is best.

In my opinion, you don't want to think along the lines of cleaning up after an infection. You want to avoid the infection in the first place.

The package I use has a large user community and either doesn't allow or warns you if you are going to install a program that it knows nothing about. In other words, if the program isn't known to be good, it's assumed to be bad. That's really the only safe way of doing it.

I've been pleased so far.

Good luck.

Steuart
August 7, 2012 11:11 AM

28 rootkits????

Some of the freeware rootkit scanners can give false-positives. You can try to research each one of the results, but far too often the web provides conflicting or intentionally alarming answers designed to push people into using another product. Try to copy and paste each detected threat into a search engine to see how others have dealt with it. If you keep digging you can usually still get an idea if the detected issue is really a threat.

It may be that AVG isn't really unable to remove them--it may be that AVG knows NOT to remove them because they are known false-positives. If so, it should be documented somewhere with AVG and it would be worth checking with them to see. As Leo mentioned, the tool may also scan using different techniques that identify the same issue multiple times. Seven false positives detected with 4 different techniques in one tool is possible.

If AVG doesn't provide the answer, Leo and Scott give good advice --find another decent tool and get a second opinion to make sure you really have rootkits infecting the machine. Stick within the user community of the tool you use when seeking answers. The experts there will know how the tool works and how detected threats will be revealed. They'll also likely have a list of known and suspected false-positives.

28 sounds pretty serious even allowing for duplicate false-positives. Definitely don't sit around hoping to peacefully coexist with them!

Robert Rojas
August 7, 2012 11:56 AM

I would boot it to safe mode with networking and download and install Avast make sure it is up to date. Scan it in boot time, from here it will scan in a pre environment......before installing Avast remove AVG. Im sure that will help you

Brook Evans
August 7, 2012 5:16 PM

I hate to ask a dumb questiion but how can I tell if any rootkits inhabit my computer?

Gabe
August 8, 2012 7:54 AM

Leo, I couldn't help but notice you mentioned nothing about Microsoft's "Windows Defender Offline" (formerly known as System Sweeper). It's a rootkit remover, yes?

BAW30s
August 8, 2012 8:06 AM

I am also sceptical about the 28: whenever I have seen one it has created a lot of obvious, severe damage.
In my experience, the only program which has been really effective in removing them is ComboFix, but it has to be used with care, as it can itself be damaging. If you search it, read the instructions carefully before use. It's free.

A Richter
August 9, 2012 1:39 AM

On ComboFix et al: Tools like it are industrial standard and not to be handled by amateurs. Let knowledgeable guys tell you what to do, step by step, using an advisory forum. I had good experience with Tom Coyote's WhatTheTech in the days of XP; past that OS, there have hardly been any issues. Make sure you do exactly as they tell you, and stick with them until the problem is resolved.

Kevin
August 10, 2012 6:40 AM

Hi
Know of course that rootkits are prob the most dangerous of all. You could have one and not know about it is the obvious reason.
Still I do as an OAP have to rely on freebies.
At the moment I use HitManPro (Force Breach mode), CCE (Comodo) and tdsskiller (Kaspersky). I also use other scans that are supposed to detect and remove rootkits. Of course I am not 100% confident with all this and my research is ongoing.
Any ideas without guaranties Leo?

Comments on this entry are closed.

If you have a question, start by using the search box up at the top of the page - there's a very good chance that your question has already been answered on Ask Leo!.

If you don't find your answer, head out to http://askleo.com/ask to ask your question.