How do I know if a rootkit has been deleted?

Interesting situation here… I ran a virus scan last night and it came back with a rootkit infection. Avast had me flag it for deletion, restart my computer and run a boot scan. So I did that.

When my computer came back on, I ran another virus scan to see if the rootkit was gone. Yes, the one from before no longer showed up, but now it’s telling me that I have 2 more rootkits that differ from the original one and had not been there before. So my questions are these:

  • How do I know when a rootkit is completely gone?
  • Is it normal to remove one and have several more appear in its place? :frowning:

Could you give the file names and locations, as they may be false positives?

Ah, yes, certainly. I’ll grab them when I get my computer back up and running (it’s doing a boot scan right now). :slight_smile: Thank you for your quick reply!

(Apologies for double-posting.)

All of the rootkits that Avast! found are as follows:

PnrpResolveSession0.sqm
SEARCHFILTERHOST.EXE-77482212.pf

And something at:
C:\Windows\SoftwareDistribution\Download\5096e4850d5873cbae1f79e2fa5a6176f12a3317

They both look to be false positives. Could you upload them to Avast via the Virus Chest?

Hi alfredjones,

The SEARCHFILTERHOST.EXE can also be checked against what is given here:
http://www.backgroundtask.eu/Systeemtaken/taakinfo/8905/searchfilterhost.exe/
Check your file version against the MD5 hash given there.

polonus
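One way to do the hash comparison suggested above, as an added PowerShell example that is not part of this thread: it hashes each flagged path, compares the result with a known-good MD5 you supply from a trusted reference, and for executables additionally checks the Authenticode signature (an extra check added here, stronger than an MD5 match). It assumes PowerShell 4.0 or later for Get-FileHash; the paths and KnownMd5 values are placeholders, and note that the .pf entry is a Prefetch trace, so only a hash published for that exact file (not for searchfilterhost.exe itself) would match it.

```powershell
# Added example, not from the thread. Compare files an AV flagged against
# known-good MD5 values taken from a trusted reference, and for executables
# also inspect the Authenticode signature.
# Paths and KnownMd5 values are PLACEHOLDERS; fill in your own.
$checks = @(
    @{ Path = 'C:\PLACEHOLDER\PnrpResolveSession0.sqm';          KnownMd5 = 'MD5-FROM-REFERENCE' },
    @{ Path = 'C:\PLACEHOLDER\SEARCHFILTERHOST.EXE-77482212.pf'; KnownMd5 = 'MD5-FROM-REFERENCE' },
    @{ Path = 'C:\Windows\SoftwareDistribution\Download\5096e4850d5873cbae1f79e2fa5a6176f12a3317';
       KnownMd5 = 'MD5-FROM-REFERENCE' }
)

foreach ($c in $checks) {
    $item = Get-Item -LiteralPath $c.Path -ErrorAction SilentlyContinue
    if (-not $item) {
        # Already removed, quarantined, or the placeholder path is wrong.
        Write-Output "$($c.Path): not present"
        continue
    }
    if ($item.PSIsContainer) {
        # The SoftwareDistribution\Download entry may be a folder of update payloads.
        Write-Output "$($c.Path): is a directory, hash its files individually"
        continue
    }
    $md5   = (Get-FileHash -LiteralPath $item.FullName -Algorithm MD5).Hash
    $match = $md5 -ieq $c.KnownMd5   # Get-FileHash returns upper-case hex
    Write-Output ("{0}: {1} bytes, modified {2}, MD5 {3}, known-good match: {4}" -f
        $item.FullName, $item.Length, $item.LastWriteTime, $md5, $match)

    # For PE files a valid vendor signature is better evidence than a third-party MD5.
    if ($item.Extension -ieq '.exe' -or $item.Extension -ieq '.dll') {
        $sig = Get-AuthenticodeSignature -FilePath $item.FullName
        Write-Output ("    signature: {0} ({1})" -f $sig.Status, $sig.SignerCertificate.Subject)
    }
}
```

A reported match only says the file is identical to the reference copy; an MD5 mismatch on a .pf or .sqm file is expected, since those are per-machine data files rather than fixed binaries.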