computer has root kit. need it removed

Question

My computer has a root kit happening and i entered my recovery key got the computer back to starting point but now i am worried that there is still a unauthorized user in the background monitoring my private information. How do i find them? How do I get rid of them?

Answer 1

Hi!

You can run scans with Microsoft and third-party antivirus software. However, even if some malware is found, there's no 100% guarantee that all malware has been eliminated.

The safest and most reliable way is to format your Windows system.

If you just want to scan:

1. Download the Microsoft Safety Scan.

https://learn.microsoft.com/en-us/defender-endpoint/safety-scanner-download

2. Before running the tools, scan using Windows Defender. Type “Windows Security'' in the Search Bar > Open Program > Click 'Virus and Threat Protection'.
3. Under "Verification Options" (marked in blue), choose the option "Microsoft Defender Offline Verification" > Verify Now.
4. When the scan is complete, enter Safe Mode.

Safe mode

1. Press the shortcut CTRL + R > Type ''msconfig'' (without quotation marks) > Click on the tab System Boot > Check the option "Secure Boot'' > Apply > OK.
2. Restart the computer > When rebooting, scan your computer using Microsoft Safety Scan.

- Select all volumes to scan.

3. To exit the Safe Mode, Press the shortcut CTRL + R again > Type "msconfig" > Click on the tab General > Select Normal Boot > Apply > OK > Restart your computer.

Answer 2

A rootkit is designed to hide itself and other malware, so the priority is to scan from a trusted environment and, if needed, fully reset the device.

1. Run Microsoft Defender Offline

• In Windows 10/11, open Windows Security.
• Go to Virus & threat protection > Scan options.
• Select Microsoft Defender Offline scan and start the scan.
• The PC will restart into a minimal, separate environment where the rootkit cannot hide as easily, and a deep scan will run to detect and remove rootkits and other hidden malware.

2. Use up-to-date antimalware tools

• Ensure Windows and all security tools are fully updated.
• Run a full scan with Microsoft Defender or another trusted, fully updated antimalware product.
• If an update was recently installed that improves rootkit detection, an installed antimalware program should be able to detect and report rootkits after that update.

3. If removal fails, reset/reinstall Windows If scans still show infection, or suspicious behavior continues:

• Back up important files (documents, photos, etc.) to clean media.
• Perform a full Windows reset or clean reinstall so the OS, bootloader, and drivers are replaced.
• After reinstalling, immediately install security software and apply all Windows Updates before restoring files.
• If a rootkit still cannot be removed, reformatting the drive and reinstalling Windows is strongly recommended.

4. Ongoing protection and checking for “unauthorized users” Rootkits can enable hidden access, but once the OS is clean and fully patched and security software shows no active threats, there should not be a hidden user still running in the background. To reduce future risk:

• Keep Windows and apps fully updated.
• Run regular antivirus scans.
• Be cautious with suspicious email attachments, links, and downloads.
• Maintain regular backups using the 3-2-1 rule (three copies, two media types, one offsite).

If repeated scans from a trusted offline environment show no threats, and the system has been reset or reinstalled, any previous hidden access from the rootkit should be removed.

---

References:

• Rootkits
• Keep your computer secure at home
• RootkitRevealer v1.71
• Microsoft Security Advisory 2506014
• Unexplained Windows or software behavior may be caused by deceptive software
• Protect yourself from tech support scams
• Secure the Windows boot process