Question: What are the best rescue disks?

WBlueHat (OP), Nov 26, 2023:
What are the most reliable rescue disk / live malware removal tools?
I am looking for something that uses a different kind of OS (not Linux, and not Windows would be better, so that it has a different kind of kernel), and it would be awesome if it had the latest signatures offline rather than online.
I need to remove a VM bootkit/VM rootkit that cannot be detected normally.

Ralston18 (Moderator):
More information needed.

What VM bootkit/VM rootkit is being detected/or found?

What tool was used?

In any case online access in some manner is needed to keep the signature files up to date.

Otherwise some virus etc. could be missed.

Overall though, what is reliable is a good backup and recovery system.
 
WBlueHat (OP), Nov 26, 2023:
Ralston18 said:
> More information needed.
>
> What VM bootkit/VM rootkit is being detected/or found?
>
> What tool was used?
>
> In any case online access in some manner is needed to keep the signature files up to date.
>
> Otherwise some virus etc. could be missed.
>
> Overall though, what is reliable is a good backup and recovery system.
Because there is evidence the system is infected with something similar to Vitriol or other VM rootkits.
Hyper-V is infected; it creates static rules to open inbound remote connections.
Any attempt to disable Hyper-V or those rules fails.
I don't know what to try, but maybe an external rescue disk that is not on the Windows-emulated VM can detect it?

Ralston18 (Moderator):
@WBlueHat

1) "Because there is evidence the system is infected with something similar to Vitriol or other VM rootkits."

What evidence? Details needed. Capture and post some relevant screenshots. Post here via imgur (www.imgur.com).

2) "Hyper-V is infected; it creates static rules to open inbound remote connections."

Capture some screenshots of those static rules and likewise post those screenshots here.

3) "Any attempt to disable Hyper-V or those rules fails."

Again capture some screenshots showing the windows/pop-ups, etc. that appear when you try to disable Hyper-V and that attempt fails.
WBlueHat (OP), Nov 26, 2023:
I have found something similar to my problem in this post:

Is there any way to put down this damn VMware loopback interface?
WBlueHat (OP), Nov 26, 2023:
Ralston18 said:
> How/what tool are you using to see that VMware loopback interface?
>
> For example, does the process appear via Process Explorer (Microsoft, free)?
>
> https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer
>
> Screenshots please.

I will check with this Sysinternals tool, ty.
Also, if I disable Hyper-V in options or with commands, it still appears active/running in System Information.
Anyway, here is some proof:

Ralston18 (Moderator):
BD being Bitdefender, correct?

MpsSvc being:

https://learn.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/networking-mpssvc-svc

As for the PowerShell Get-NetFirewallHyperVRule cmdlet, I have not (full disclosure) worked with that cmdlet.

However, the rules being shown do not appear consistent to me with respect to the listed Actions of Allow and Block.

Not sure about that at all, but you should take a look and determine if the rules are as you would expect with respect to Inbound and Outbound, as well as what is Allow and what is Block.

Lastly, are you concerned simply because Hyper-V is running?

As I currently understand the circumstances, Hyper-V can be disabled.

Do not do that until there is some certainty in the matter and that there are no adverse side-effects.
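The two questions the thread keeps circling, whether the Hyper-V hypervisor is really loaded and what controls that, and whether the inbound Allow rules are what you would expect, can both be answered from an elevated PowerShell prompt before touching anything. The script below is an added, read-only triage example; it is not from the thread, from Tom's Hardware, or from Microsoft's documentation, and the function names are this example's own. It assumes Windows 10/11 with the NetSecurity module; Get-NetFirewallHyperVRule only exists on newer builds (it is the cmdlet the screenshots came from), so its absence is reported rather than fatal, and the property names selected from it are taken from that cmdlet's documented parameter set.

```powershell
# Added example, not code from the thread. Read-only triage: changes nothing.
# Assumes Windows 10/11, NetSecurity module, elevated prompt.

function Get-HypervisorState {
    # HyperVisorPresent is true whenever the Hyper-V hypervisor is loaded. That
    # also happens with Core Isolation (VBS), WSL 2 and Windows Sandbox, so on
    # its own it is not evidence of anything malicious.
    $ci = Get-ComputerInfo -Property HyperVisorPresent, HyperVRequirementVirtualizationFirmwareEnabled

    # The boot entry decides whether the hypervisor starts at all. 'Off' here
    # with HyperVisorPresent still true after a reboot is what would need explaining.
    $m = bcdedit /enum '{current}' 2>$null | Select-String -Pattern '^hypervisorlaunchtype\s+(\S+)'
    $launch = if ($m) { $m.Matches[0].Groups[1].Value } else { 'not set (defaults to Off)' }

    $feature      = Get-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V-All -ErrorAction SilentlyContinue
    $featureState = if ($feature) { $feature.State } else { 'unknown (not elevated?)' }
    $svcs         = Get-Service -Name vmcompute, hvhost -ErrorAction SilentlyContinue
    $id           = [Security.Principal.WindowsIdentity]::GetCurrent()
    $isAdmin      = ([Security.Principal.WindowsPrincipal]$id).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    [pscustomobject]@{
        HypervisorLoaded    = $ci.HyperVisorPresent
        FirmwareVirtEnabled = $ci.HyperVRequirementVirtualizationFirmwareEnabled
        BcdHypervisorLaunch = $launch
        HyperVFeatureState  = $featureState
        HyperVServices      = ($svcs | ForEach-Object { "$($_.Name)=$($_.Status)" }) -join ', '
        RunningElevated     = $isAdmin
    }
}

function Get-UngroupedInboundAllowRules {
    # Enabled inbound Allow rules that belong to no display group. Built-in rules
    # normally sit in a group such as 'Core Networking' or 'Hyper-V'; an ungrouped
    # rule that opens a port to any remote address is the kind of thing to explain.
    # The group check runs first because the per-rule filter lookups are slow.
    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
        Where-Object { -not $_.DisplayGroup } |
        ForEach-Object {
            $pf = $_ | Get-NetFirewallPortFilter
            $af = $_ | Get-NetFirewallAddressFilter
            [pscustomobject]@{
                Name          = $_.Name
                DisplayName   = $_.DisplayName
                Profile       = $_.Profile
                Protocol      = $pf.Protocol
                LocalPort     = ($pf.LocalPort -join ',')
                RemoteAddress = ($af.RemoteAddress -join ',')
                Store         = $_.PolicyStoreSource   # PersistentStore vs GroupPolicy etc.
            }
        }
}

function Get-HyperVFirewallRuleSummary {
    # Rules applied to Hyper-V virtual switch ports. The cmdlet only exists on
    # newer builds, so report its absence instead of failing. Property names are
    # assumed from the cmdlet's documented parameters; Select-Object leaves a
    # column empty rather than erroring if one is missing on a given build.
    if (-not (Get-Command Get-NetFirewallHyperVRule -ErrorAction SilentlyContinue)) {
        return 'Get-NetFirewallHyperVRule is not available on this build'
    }
    Get-NetFirewallHyperVRule |
        Select-Object Name, DisplayName, Direction, Action, Enabled, VMCreatorId, Profiles, LocalPorts, RemotePorts
}

Get-HypervisorState            | Format-List
Get-UngroupedInboundAllowRules | Format-Table -AutoSize
Get-HyperVFirewallRuleSummary  | Format-Table -AutoSize
```

Read the first block as a consistency check rather than a verdict: hypervisorlaunchtype Off and the Hyper-V feature disabled, yet HypervisorLoaded still true after a clean reboot, is a discrepancy worth chasing, while HypervisorLoaded true alongside Core Isolation or WSL 2 is expected. The rule listings give you the actual ports and remote addresses opened, which is what to compare against the Allow/Block screenshots instead of judging by display name. None of this can see what a hypervisor-level rootkit of the Vitriol class chooses to hide from a guest, which is exactly why the original question asks for a separately booted rescue medium rather than more tooling run from inside Windows.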
WBlueHat (OP), Nov 26, 2023:
You can't disable Hyper-V.
You are in a VM, a Hyper-V-rooted OS where you have no real administrator privileges.
That loopback interface sends commands to the Windows registry continuously.
So whatever you try to change or to stop is just wasted time.
The point here is to try to understand where the malware is, when it starts, and if there is a way to block its routine before it corrupts the kernels during the installation of Windows.
After Hyper-V mode is enabled, which installs Hyper-V and converts the 'host' Win10/11 Pro into a special VM, I am curious as to what (if anything) would/could actually boot afterward if 'enable virtualization' were then disabled in the BIOS...

Interesting.