ironbut (United Kingdom) asked:
VM Rootkit detected by Rootkit Unhooker and redpill

I installed Rootkit Unhooker (RkU3.8.341.552) recently because I found some suspicious hidden files using other rootkit scanners. Initially, I had a file called sp**.sys (** being random letters each reboot). I eventually removed this infection after finding another .sys file and removing that. Anyway, the machine now seems to be clean from all suspicious looking files / hooks.

Then I took a look inside Tools -> VM Detection. When I click analyze, I have scores of 70-90. That means 70-90 tacts between two RDTSC instructions. I understand most machines should have around 8. It also displays 'Detected execution on virtual machine'.

So I read further into VM rootkits and downloaded redpill.exe, which tells me I am 'Inside matrix!'. Redpill.exe does not report anything bad in Windows 7 Beta, which I am dual booting with at the moment.

From what I have read, this suggests that my copy of Windows XP is running as a virtual machine inside some sort of host OS. This makes me worried about the security and performance of the machine.

Could this be a false positive because of some driver or hardware and is there a way of removing it without formatting?

Windows XP Pro / Windows 7 Beta dual boot
Asus M2N-SLI Deluxe
AMD Phenom with Virtualization turned off in bios
Nvidia RAID 0 (2 x Seagate 500GB)

Thanks for any help!
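The check the question describes (ticks between two back-to-back RDTSC reads, with a threshold separating "normal" from "virtual machine") is easy to reproduce, and reproducing it shows why one reading of 70-90 is weak evidence on its own. The C program below is an added example for this thread, not code from RkU, redpill or any of the posters; the threshold of 50 is an assumption chosen to sit between the roughly 8 the asker quotes as normal and the 70-90 the tool reported. Instead of one sample it takes many and reports the minimum, median and maximum separately, then applies the same threshold to each.

```c
/* Added example: reproduce the "ticks between two RDTSC reads" VM check
 * and report the distribution instead of a single sample.
 * Not RkU or redpill code; the threshold value is an assumption. */
#define _POSIX_C_SOURCE 199309L
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <time.h>

#if defined(__x86_64__) || defined(__i386__)
/* Read the time-stamp counter with the RDTSC instruction. */
static inline uint64_t read_counter(void)
{
    uint32_t lo, hi;
    __asm__ volatile("rdtsc" : "=a"(lo), "=d"(hi));
    return ((uint64_t)hi << 32) | lo;
}
#else
/* Non-x86 fallback so the program still builds: nanoseconds, not cycles. */
static inline uint64_t read_counter(void)
{
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return (uint64_t)ts.tv_sec * 1000000000ull + (uint64_t)ts.tv_nsec;
}
#endif

typedef struct {
    size_t n;                 /* samples taken; 0 on allocation failure */
    uint64_t min, median, max;
} delta_stats;

static int cmp_u64(const void *a, const void *b)
{
    uint64_t x = *(const uint64_t *)a, y = *(const uint64_t *)b;
    return (x > y) - (x < y);
}

/* Take n back-to-back counter reads and summarise the deltas. */
delta_stats sample_deltas(size_t n)
{
    delta_stats s = { 0, 0, 0, 0 };
    uint64_t *d = n ? malloc(n * sizeof *d) : NULL;
    if (!d)
        return s;
    for (size_t i = 0; i < n; i++) {
        uint64_t t0 = read_counter();
        uint64_t t1 = read_counter();
        d[i] = t1 - t0;   /* wraps to a huge value if the counter went backwards */
    }
    qsort(d, n, sizeof *d, cmp_u64);
    s.n = n;
    s.min = d[0];
    s.median = d[n / 2];
    s.max = d[n - 1];
    free(d);
    return s;
}

/* The single-threshold rule: a delta above `threshold` is called "VM". */
int flagged_as_vm(uint64_t delta, uint64_t threshold)
{
    return delta > threshold;
}

int main(void)
{
    const uint64_t threshold = 50;   /* assumed cut-off between ~8 (normal) and 70-90 (flagged) */
    delta_stats s = sample_deltas(100000);
    if (s.n == 0) {
        fputs("allocation failed\n", stderr);
        return 1;
    }
    printf("samples=%zu min=%" PRIu64 " median=%" PRIu64 " max=%" PRIu64 "\n",
           s.n, s.min, s.median, s.max);
    printf("verdict by min: %s, by median: %s, by max: %s\n",
           flagged_as_vm(s.min, threshold) ? "VM" : "native",
           flagged_as_vm(s.median, threshold) ? "VM" : "native",
           flagged_as_vm(s.max, threshold) ? "VM" : "native");
    return 0;
}
```

Build with `gcc -O2` on an x86 machine (on other architectures the fallback measures a nanosecond clock, which is a different quantity). On bare metal the minimum is a small, stable number, while the median and maximum move with interrupts, cache state and CPU frequency scaling; when a hypervisor intercepts RDTSC, even the minimum jumps to thousands. A time-stamp counter that is not synchronised across cores shows up as wild maxima, because a migration between the two reads can make the second value smaller than the first. A tool that reports one sample and one threshold is measuring that noise as much as it is measuring virtualisation, which is why a score of 70-90 on its own does not settle the question the asker is worried about.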
ASKER CERTIFIED SOLUTION
csaint00 (United States):
And you're pretty much going to have to format to get rid of it as your system has no way of reaching the rootkit if it's controlling the OS.
SOLUTION
Oh, if you do get the new version of rku, make sure you remove the old version completely. When I didn't, it would cause a BSOD and I wasted half an hour of my time trying to figure out why the new version wasn't working.
ironbut (ASKER):
Thanks for replying csaint and mrbayne. Scoopy didn't report me as being inside of VMware. I already have rootrepeal, but I don't think it likes my RAID setup, because it gives me a BSOD and I'm pretty sure it mentions nvraid.sys on the blue screen.

Yes, I did have Daemon Tools installed and I did notice SPDT.SYS, but there was also another file called SP**.SYS that hooked into almost every process. I am not certain what fixed it in the end because I did several things at once, but now that I think of it, it was after I uninstalled Daemon Tools that the rootkit seemed to disappear. But I also got rid of several other nasty looking files on the same reboot.

I have too much to lose by formatting, so I think I will stick it out until I upgrade to a new OS (Windows 7 maybe??).

Thanks again