Solved

VM Rootkit detected by Rootkit Unhooker and redpill

Posted on 2009-04-05
Last Modified: 2013-11-11
I installed Rootkit Unhooker (RkU3.8.341.552) recently because I found some suspicious hidden files using other rootkit scanners. Initially, I had a file called sp**.sys (** being random letters each reboot). I eventually removed this infection after finding another .sys file and removing that. Anyway, the machine now seems to be clean from all suspicious looking files / hooks.

Then I took a look inside Tools -> VM Detection. When I click analyze, I have scores of 70-90. That means 70-90 tacts between two RDTSC instructions. I understand most machines should have around 8. It also displays 'Detected execution on virtual machine'.

So I read further into VM rootkits and downloaded redpill.exe, which tells me I am 'Inside matrix!'. Redpill.exe does not report anything bad in Windows 7 Beta, which I am dual booting with at the moment.

From what I have read, this suggests that my copy of Windows XP is running as a virtual machine inside some sort of host OS. This makes me worried about the security and performance of the machine.

Could this be a false positive because of some driver or hardware and is there a way of removing it without formatting?

Windows XP Pro / Windows 7 Beta dual boot
Asus M2N-SLI Deluxe
AMD Phenom with Virtualization turned off in bios
Nvidia raid 0 (2 x Seagate 500gb)

Thanks for any help!
Question by:ironbut
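The "score" the question describes is the tick gap between two consecutive RDTSC reads. The following is an added illustration, not code from the thread or from Rootkit Unhooker: it samples that gap thousands of times and reports the minimum, median and maximum, which shows why a single reading can be inflated by ordinary interrupts and power management rather than a hypervisor. The 50-tick cutoff and the non-x86 fallback counter are assumptions for illustration.

```c
/* Added example (not from this thread): the RDTSC-gap heuristic behind
 * Rootkit Unhooker's "VM Detection" score, sampled repeatedly so the
 * noise that produces false positives is visible. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <time.h>
#if defined(__x86_64__) || defined(__i386__)
static uint64_t read_counter(void) { return __builtin_ia32_rdtsc(); }
#else
/* Non-x86 fallback so the file still builds: monotonic clock in ns. */
static uint64_t read_counter(void) {
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return (uint64_t)ts.tv_sec * 1000000000ull + (uint64_t)ts.tv_nsec;
}
#endif
typedef struct { uint64_t min, median, max; } gap_stats;

static int cmp_u64(const void *a, const void *b) {
    uint64_t x = *(const uint64_t *)a, y = *(const uint64_t *)b;
    return (x > y) - (x < y);
}

/* n back-to-back reads; gaps[] receives the sorted differences. A hypervisor
 * trapping RDTSC inflates every gap, while interrupts, SMIs and frequency
 * changes inflate only some, so the minimum is the meaningful figure. */
gap_stats measure_gaps(uint64_t *gaps, size_t n) {
    for (size_t i = 0; i < n; i++) {
        uint64_t t0 = read_counter(), t1 = read_counter();
        gaps[i] = t1 >= t0 ? t1 - t0 : 0; /* guard against unsynced TSCs */
    }
    qsort(gaps, n, sizeof gaps[0], cmp_u64);
    gap_stats s = { gaps[0], gaps[n / 2], gaps[n - 1] };
    return s;
}

/* Thread's rule of thumb: ~8 ticks native, 70-90 in the post. The cutoff
 * passed in is an assumption for illustration, not the tool's real value. */
int looks_trapped(uint64_t min_gap, uint64_t threshold) {
    return min_gap >= threshold;
}

int main(void) {
    static uint64_t gaps[4096];
    gap_stats s = measure_gaps(gaps, 4096);
    printf("min=%llu median=%llu max=%llu trapped=%d\n", (unsigned long long)s.min,
           (unsigned long long)s.median, (unsigned long long)s.max, looks_trapped(s.min, 50));
    return 0;
}
```

On bare metal the minimum stays small while the maximum can be large; only a consistently high minimum across all samples points at an RDTSC-trapping hypervisor.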
Accepted Solution

by: csaint00 (earned 250 total points)
try this, http://www.trapkit.de/research/vmm/scoopyng/index.html it's a more reliable vmware detection kit. If it comes back positive you probably have problems.
Expert Comment

by:csaint00
And you're pretty much going to have to format to get rid of it as your system has no way of reaching the rootkit if it's controlling the OS.
Assisted Solution

by: mrbayne (earned 250 total points)
Do you have Daemon Tools installed on your computer? Its main driver is named sp**.sys and hooks into Windows the way many rootkits do.

I have it installed on my computer and it shows up in rku.

If you didn't install Daemon Tools, then go get the newer version of rku (3.8.342.554), and you might as well grab rootrepeal and gmer as well. Those three combined should give you more info.

After that, boot from a cd and remove what you can or go ahead and reformat.
Expert Comment

by:mrbayne
Oh, if you do get the new version of rku, make sure you remove the old version completely. When I didn't, it would cause a BSOD and I wasted half an hour of my time trying to figure out why the new version wasn't working.
Author Comment

by:ironbut
Thanks for replying csaint and mrbayne. Scoopy didn't report me as being inside of VMware. I already have rootrepeal, but I don't think it likes my raid setup, because it gives me a BSOD and I'm pretty sure it mentions nvraid.sys on the blue screen.

Yes I did have Daemon Tools installed and I did notice SPDT.SYS, but there was also another file called SP**.SYS that hooked into almost every process. I am not certain what fixed it in the end because I did several things at once, but now that I think of it, it was after I uninstalled Daemon Tools that the rootkit seemed to disappear. But I also got rid of several other nasty looking files on the same reboot.

I have too much to lose by formatting, so I think I will stick it out until I upgrade to a new OS (Windows 7 maybe??).

Thanks again