VM Rootkit detected by Rootkit Unhooker and redpill
Posted on 2009-04-05
I installed Rootkit Unhooker (RkU3.8.341.552) recently because I found some suspicious hidden files using other rootkit scanners. Initially, I had a file called sp**.sys (** being random letters each reboot). I eventually removed this infection after finding another .sys file and removing that. Anyway, the machine now seems to be clean of all suspicious-looking files / hooks.
Then I took a look inside Tools -> VM Detection. When I click Analyze, I get scores of 70-90. That means 70-90 ticks between two RDTSC instructions. I understand most machines should have around 8. It also displays 'Detected execution on virtual machine'.
So I read further into VM rootkits and downloaded redpill.exe, which tells me I am 'Inside matrix!'. Redpill.exe does not report anything bad in Windows 7 Beta, which I am dual booting with at the moment.
From what I have read, this suggests that my copy of Windows XP is running as a virtual machine inside some sort of host OS. This makes me worried about the security and performance of the machine.
Could this be a false positive because of some driver or hardware and is there a way of removing it without formatting?
Windows XP Pro / Windows 7 Beta dual boot
Asus M2N-SLI Deluxe
AMD Phenom with Virtualization turned off in BIOS
Nvidia RAID 0 (2 x Seagate 500 GB)
Thanks for any help!
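The two probes the post relies on, RkU's RDTSC timing score and redpill's SIDT test, reduced to a few lines of C. This is an added example, not code from the original post, from Rootkit Unhooker or from redpill.exe; the 20-cycle threshold, the 1000-sample count and the function names are assumptions made for illustration. Two caveats a practitioner would want: redpill's rule (top byte of the 32-bit IDT base above 0xd0) was written for single-core 32-bit Windows and is known to misfire on multi-core machines, where every core has its own IDT, and SIDT from user mode faults on CPUs with UMIP enabled unless the OS emulates it.

```c
#include <stdint.h>
#include <stdio.h>

#if defined(__x86_64__) || defined(__i386__)
#include <x86intrin.h>
#define HAVE_X86 1
#else
#define HAVE_X86 0   /* non-x86 build: probes return 0 so the file still compiles */
#endif

/* Timestamp-counter probe: cycles elapsed between two back-to-back RDTSCs.
 * A hypervisor that traps RDTSC inflates this by the cost of a VM exit. */
static uint64_t rdtsc_delta_once(void)
{
#if HAVE_X86
    uint64_t t0 = __rdtsc();
    uint64_t t1 = __rdtsc();
    return t1 - t0;
#else
    return 0;
#endif
}

/* Take the minimum over many samples: interrupts and context switches can only
 * make a sample larger, so the minimum is the cleanest estimate of the raw cost. */
uint64_t rdtsc_min_delta(int samples)
{
    uint64_t best = UINT64_MAX;
    for (int i = 0; i < samples; i++) {
        uint64_t d = rdtsc_delta_once();
        if (d < best)
            best = d;
    }
    return best;
}

/* Verdict in the style of RkU's VM Detection tab. The threshold is an assumed
 * value for this example; RkU's own cut-off is not published. */
int tsc_looks_virtual(uint64_t min_delta, uint64_t threshold)
{
    return min_delta > threshold;
}

/* SIDT stores the IDTR into memory: a 2-byte limit followed by the base
 * (4 bytes on 32-bit, 8 bytes on 64-bit). */
typedef struct __attribute__((packed)) {
    uint16_t  limit;
    uintptr_t base;
} idtr_t;

/* Read the IDT base from user mode. May fault on CPUs with UMIP enabled. */
uintptr_t read_idt_base(void)
{
#if HAVE_X86
    idtr_t r;
    __asm__ volatile ("sidt %0" : "=m"(r));
    return r.base;
#else
    return 0;
#endif
}

/* redpill's published rule: if the top byte of the 32-bit IDT base is
 * above 0xd0 it prints "Inside matrix!", otherwise "Not in matrix". */
int redpill_verdict(uint32_t idt_base_low32)
{
    return ((idt_base_low32 >> 24) & 0xff) > 0xd0;
}

int main(void)
{
    uint64_t d = rdtsc_min_delta(1000);
    printf("min RDTSC delta: %llu -> %s\n", (unsigned long long)d,
           tsc_looks_virtual(d, 20) ? "suspicious" : "looks native");

    uintptr_t base = read_idt_base();
    printf("IDT base: 0x%lx -> %s\n", (unsigned long)base,
           redpill_verdict((uint32_t)base) ? "Inside matrix!" : "Not in matrix");
    return 0;
}
```

Run it twice, once pinned to a single core (`start /affinity 1` on Windows, `taskset -c 0` on Linux) and once unpinned: a redpill verdict that flips between runs is the multi-core false positive, not a hypervisor, and an RDTSC minimum that stays in the tens of cycles is ordinary for a native machine.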