Solved

VM Rootkit detected by Rootkit Unhooker and redpill

Posted on 2009-04-05
1,490 Views
Last Modified: 2013-11-11
I installed Rootkit Unhooker (RkU3.8.341.552) recently because I found some suspicious hidden files using other rootkit scanners. Initially, I had a file called sp**.sys (** being random letters each reboot). I eventually removed this infection after finding another .sys file and removing that. Anyway, the machine now seems to be clean from all suspicious looking files / hooks.

Then I took a look inside Tools -> VM Detection. When I click analyze, I have scores of 70-90. That means 70-90 tacts between two RDTSC instructions. I understand most machines should have around 8. It also displays 'Detected execution on virtual machine'.

So I read further into VM rootkits and downloaded redpill.exe, which tells me I am 'Inside matrix!'. Redpill.exe does not report anything bad in Windows 7 Beta, which I am dual booting with at the moment.

From what I have read, this suggests that my copy of Windows XP is running as a virtual machine inside some sort of host OS. This makes me worried about the security and performance of the machine.

Could this be a false positive because of some driver or hardware and is there a way of removing it without formatting?

Windows XP Pro / Windows 7 Beta dual boot
Asus M2N-SLI Deluxe
AMD Phenom with Virtualization turned off in bios
Nvidia raid 0 (2 x Seagate 500gb)

Thanks for any help!
Question by:ironbut
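The "tacts between two RDTSC instructions" score described in the question is a timing check: read the CPU's time-stamp counter twice and see how many cycles elapsed. The following is an added example, not code from the original thread or from Rootkit Unhooker, showing how such a check is built and why a single sample is a poor basis for a verdict. It times a back-to-back RDTSC pair and an RDTSC pair wrapping CPUID (CPUID is an instruction a hardware-assisted hypervisor must intercept, so it is the more telling probe), repeats each measurement many times and reports the median. The 30- and 500-cycle thresholds are illustrative assumptions, not published constants, and the inline assembly assumes GCC or Clang on x86; on other architectures a clock_gettime fallback keeps the file building.

```c
/*
 * Added example (not part of the original thread): RDTSC timing probe for
 * virtualization, with a median over many samples instead of one reading.
 * Thresholds below are ASSUMED for illustration and must be calibrated on
 * known bare-metal hardware of the same model before they mean anything.
 */
#define _POSIX_C_SOURCE 199309L
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

#if defined(__x86_64__) || defined(__i386__)
#define HAVE_TSC 1
/* Read the 64-bit time-stamp counter (EDX:EAX). */
static inline uint64_t read_tsc(void)
{
    uint32_t lo, hi;
    __asm__ volatile("rdtsc" : "=a"(lo), "=d"(hi));
    return ((uint64_t)hi << 32) | lo;
}
/* Execute CPUID leaf 0; under VT-x/AMD-V this always traps to the hypervisor. */
static inline void cpuid_leaf0(void)
{
    uint32_t a, b, c, d;
    __asm__ volatile("cpuid" : "=a"(a), "=b"(b), "=c"(c), "=d"(d) : "a"(0), "c"(0));
    (void)a; (void)b; (void)c; (void)d;
}
#else
#define HAVE_TSC 0
/* Non-x86 fallback so the example still compiles: nanoseconds stand in for cycles. */
static inline uint64_t read_tsc(void)
{
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return (uint64_t)ts.tv_sec * 1000000000ull + (uint64_t)ts.tv_nsec;
}
static inline void cpuid_leaf0(void) {}
#endif

/* Take n deltas; with_cpuid != 0 inserts CPUID between the two counter reads. */
void sample_deltas(uint64_t *out, size_t n, int with_cpuid)
{
    for (size_t i = 0; i < n; i++) {
        uint64_t t0 = read_tsc();
        if (with_cpuid)
            cpuid_leaf0();
        uint64_t t1 = read_tsc();
        out[i] = t1 - t0;
    }
}

static int cmp_u64(const void *x, const void *y)
{
    uint64_t a = *(const uint64_t *)x, b = *(const uint64_t *)y;
    return (a > b) - (a < b);
}

/* Median of n >= 1 samples; works on a sorted copy so the caller's array is untouched. */
uint64_t median_u64(const uint64_t *samples, size_t n)
{
    uint64_t *copy = malloc(n * sizeof *copy);
    if (copy == NULL)
        return 0;
    memcpy(copy, samples, n * sizeof *copy);
    qsort(copy, n, sizeof *copy, cmp_u64);
    uint64_t m = (n % 2) ? copy[n / 2] : (copy[n / 2 - 1] + copy[n / 2]) / 2;
    free(copy);
    return m;
}

/* Heuristic verdict: 1 when the median delta is above the calibrated threshold. */
int looks_virtualized(uint64_t median_cycles, uint64_t threshold)
{
    return median_cycles > threshold;
}

int main(void)
{
    enum { N = 2000 };
    static uint64_t plain[N], wrapped[N];
    const uint64_t plain_threshold = 30;    /* assumed, see lead-in */
    const uint64_t cpuid_threshold = 500;   /* assumed, see lead-in */

    sample_deltas(plain, N, 0);
    sample_deltas(wrapped, N, 1);
    uint64_t m_plain = median_u64(plain, N);
    uint64_t m_wrapped = median_u64(wrapped, N);

    printf("counter source: %s\n", HAVE_TSC ? "rdtsc" : "clock_gettime fallback (ns)");
    printf("rdtsc;rdtsc       median = %llu  -> %s\n", (unsigned long long)m_plain,
           looks_virtualized(m_plain, plain_threshold) ? "above threshold" : "within threshold");
    printf("rdtsc;cpuid;rdtsc median = %llu  -> %s\n", (unsigned long long)m_wrapped,
           looks_virtualized(m_wrapped, cpuid_threshold) ? "above threshold" : "within threshold");
    return 0;
}
```

Two practical notes. First, a hypervisor is not obliged to intercept RDTSC, so the plain probe can read "normal" inside a VM; the CPUID-wrapped probe is harder to hide because that instruction does cause a VM exit. Second, the plain probe produces false positives on bare metal whenever the two reads land on different cores (the TSC is not guaranteed to be synchronized across cores, especially on AMD parts of that era), or when frequency scaling, SMIs or an interrupt falls between them, which is why the example takes a median over thousands of samples and why the process should be pinned to one core before measuring.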
5 Comments
 
LVL 3

Accepted Solution

by:
csaint00 earned 250 total points
ID: 24071493
try this, http://www.trapkit.de/research/vmm/scoopyng/index.html it's a more reliable vmware detection kit. If it comes back positive you probably have problems.
 
LVL 3

Expert Comment

by:csaint00
ID: 24071535
And you're pretty much going to have to format to get rid of it as your system has no way of reaching the rootkit if it's controlling the OS.
 
LVL 1

Assisted Solution

by:mrbayne
mrbayne earned 250 total points
ID: 24079969
Do you have Daemon Tools installed on your computer? Its main driver is named sp**.sys and hooks into Windows the way many rootkits do.

I have it installed on my computer and it shows up in rku.

If you didn't install Daemon Tools, then go get the newer version of rku (3.8.342.554), and you might as well grab rootrepeal and gmer as well. Those three combined should give you more info.

After that, boot from a cd and remove what you can or go ahead and reformat.
 
LVL 1

Expert Comment

by:mrbayne
ID: 24080024
Oh, if you do get the new version of rku, make sure you remove the old version completely. When I didn't, it would cause a BSOD and I wasted half an hour of my time trying to figure out why the new version wasn't working.
 

Author Comment

by:ironbut
ID: 24082411
Thanks for replying csaint and mrbayne. Scoopy didn't report me as being inside of VMware. I already have rootrepeal, but I don't think it likes my raid setup, because it gives me a BSOD and I'm pretty sure it mentions nvraid.sys on the blue screen.

Yes I did have Daemon Tools installed and I did notice SPDT.SYS, but there was also another file called SP**.SYS that hooked into almost every process. I am not certain what fixed it in the end because I did several things at once, but now that I think of it, it was after I uninstalled Daemon Tools that the rootkit seemed to disappear. But I also got rid of several other nasty looking files on the same reboot.

I have too much to lose by formatting, so I think I will stick it out until I upgrade to a new OS (Windows 7 maybe??).

Thanks again