Solved

VM Rootkit detected by Rootkit Unhooker and redpill

Posted on 2009-04-05
1,499 Views
Last Modified: 2013-11-11
I installed Rootkit Unhooker (RkU3.8.341.552) recently because I found some suspicious hidden files using other rootkit scanners. Initially, I had a file called sp**.sys (** being random letters each reboot). I eventually removed this infection after finding another .sys file and removing that. Anyway, the machine now seems to be clean from all suspicious looking files / hooks.

Then I took a look inside Tools -> VM Detection. When I click analyze, I have scores of 70-90. That means 70-90 tacts between two RDTSC instructions. I understand most machines should have around 8. It also displays 'Detected execution on virtual machine'.

So I read further into VM rootkits and downloaded redpill.exe, which tells me I am 'Inside matrix!'. Redpill.exe does not report anything bad in Windows 7 Beta, which I am dual booting with at the moment.

From what I have read, this suggests that my copy of Windows XP is running as a virtual machine inside some sort of host OS. This makes me worried about the security and performance of the machine.

Could this be a false positive because of some driver or hardware and is there a way of removing it without formatting?

Windows XP Pro / Windows 7 Beta dual boot
Asus M2N-SLI Deluxe
AMD Phenom with Virtualization turned off in bios
Nvidia raid 0 (2 x Seagate 500gb)

Thanks for any help!
Question by:ironbut
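The "tacts between two RDTSC instructions" score the question describes is a timing heuristic: the scanner reads the CPU's timestamp counter twice back to back and treats a large gap as a sign that the instruction is being intercepted by a hypervisor. The example below is added here to show why a single reading of 70-90 is not conclusive; it is not code from the original post or from Rootkit Unhooker. It samples many back-to-back pairs and reports the first delta (what a one-shot check sees) next to the floor of the whole distribution, because interrupts, context switches and frequency scaling inflate individual readings on bare metal, while a hypervisor that does not intercept RDTSC at all can look native. The 50-tick cut-off and the 100000-sample count are assumed values for the illustration, not thresholds the tool documents; it builds with GCC or Clang on x86 and degrades to a "no TSC" message elsewhere.

```c
#include <stdint.h>
#include <stdio.h>

#if defined(__x86_64__) || defined(__i386__)
#include <x86intrin.h>          /* GCC/Clang: __rdtsc() */
#define TSC_AVAILABLE 1
static uint64_t read_tsc(void) { return (uint64_t)__rdtsc(); }
#else
#define TSC_AVAILABLE 0
static uint64_t read_tsc(void) { return 0; }   /* no TSC on this target */
#endif

/* Assumed cut-off for this illustration: the question reports ~8 ticks as
 * typical on bare metal and 70-90 as the score the tool flagged. */
#define ASSUMED_SUSPICIOUS_TICKS 50ULL

typedef struct {
    uint64_t first;       /* very first delta: what a one-shot check sees */
    uint64_t min;         /* floor over all samples */
    uint64_t max;         /* worst outlier (interrupt, context switch, ...) */
    double   frac_above;  /* share of samples above the threshold */
} tsc_stats;

int tsc_available(void) { return TSC_AVAILABLE; }

/* One-shot verdict, the way a naive check would give it. */
int delta_is_suspicious(uint64_t delta, uint64_t threshold) {
    return delta > threshold;
}

/* Sample n back-to-back RDTSC pairs and summarise the deltas. */
tsc_stats sample_tsc_deltas(int n, uint64_t threshold) {
    tsc_stats s = { 0, UINT64_MAX, 0, 0.0 };
    int above = 0;
    if (n <= 0) { s.min = 0; return s; }
    for (int i = 0; i < n; i++) {
        uint64_t a = read_tsc();
        uint64_t b = read_tsc();
        uint64_t d = (b >= a) ? b - a : 0;   /* TSC should be monotonic; guard anyway */
        if (i == 0) s.first = d;
        if (d < s.min) s.min = d;
        if (d > s.max) s.max = d;
        if (d > threshold) above++;
    }
    s.frac_above = (double)above / (double)n;
    return s;
}

/* Steadier verdict: judge the floor of the distribution, not one reading. */
int floor_is_suspicious(const tsc_stats *s, uint64_t threshold) {
    return delta_is_suspicious(s->min, threshold);
}

int main(void) {
    if (!tsc_available()) { puts("no TSC on this architecture"); return 0; }
    tsc_stats s = sample_tsc_deltas(100000, ASSUMED_SUSPICIOUS_TICKS);
    printf("first delta: %llu  min: %llu  max: %llu  above threshold: %.2f%%\n",
           (unsigned long long)s.first, (unsigned long long)s.min,
           (unsigned long long)s.max, 100.0 * s.frac_above);
    printf("one-shot verdict: %s\n",
           delta_is_suspicious(s.first, ASSUMED_SUSPICIOUS_TICKS) ? "suspicious" : "normal");
    printf("floor verdict:    %s\n",
           floor_is_suspicious(&s, ASSUMED_SUSPICIOUS_TICKS) ? "suspicious" : "normal");
    return 0;
}
```

Run it a few times on the same machine: the first delta and the maximum move around from run to run, while the minimum stays put, which is why a scanner score taken from one pair of reads should be treated as a prompt for further checks (as the accepted answer suggests) rather than as proof of a hypervisor.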
5 Comments
 
LVL 3

Accepted Solution

by:
csaint00 earned 750 total points
ID: 24071493
Try this: http://www.trapkit.de/research/vmm/scoopyng/index.html. It's a more reliable VMware detection kit. If it comes back positive you probably have problems.
 
LVL 3

Expert Comment

by:csaint00
ID: 24071535
And you're pretty much going to have to format to get rid of it as your system has no way of reaching the rootkit if it's controlling the OS.
 
LVL 1

Assisted Solution

by:mrbayne
mrbayne earned 750 total points
ID: 24079969
Do you have Daemon Tools installed on your computer? Its main driver is named sp**.sys and hooks into Windows the way many rootkits do.

I have it installed on my computer and it shows up in rku.

If you didn't install Daemon Tools, then go get the newer version of rku (3.8.342.554), and you might as well grab rootrepeal and gmer as well. Those three combined should give you more info.

After that, boot from a cd and remove what you can or go ahead and reformat.
 
LVL 1

Expert Comment

by:mrbayne
ID: 24080024
Oh, if you do get the new version of rku, make sure you remove the old version completely. When I didn't, it would cause a BSOD and I wasted half an hour of my time trying to figure out why the new version wasn't working.
 

Author Comment

by:ironbut
ID: 24082411
Thanks for replying csaint and mrbayne. Scoopy didn't report me as being inside of VMware. I already have rootrepeal, but I don't think it likes my raid setup, because it gives me a BSOD and I'm pretty sure it mentions nvraid.sys on the blue screen.

Yes I did have Daemon Tools installed and I did notice SPDT.SYS, but there was also another file called SP**.SYS that hooked into almost every process. I am not certain what fixed it in the end because I did several things at once, but now that I think of it, it was after I uninstalled Daemon Tools that the rootkit seemed to disappear. But I also got rid of several other nasty looking files on the same reboot.

I have too much to lose by formatting, so I think I will stick it out until I upgrade to a new OS (Windows 7 maybe??).

Thanks again