Solved

VMWare Workstation & Virus?

Posted on 2010-08-19
24
1,687 Views
Last Modified: 2013-11-22
Running VMWork Station 7 and xp is the client OS.
I have a virust or malware on it. Is there away to remove the virus without booting up the VM or w/o starting windows?
0
Comment
Question by:Jess31
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 8
  • 6
  • 6
  • +2
24 Comments
 
LVL 7

Expert Comment

by:deisrobinson
ID: 33478131
If you have a snapshot of a previous time (Pre-Virus), you can roll back to then.
0
 

Author Comment

by:Jess31
ID: 33478220
unfortunately I don't
0
 
LVL 10

Expert Comment

by:Casey Herman
ID: 33478474
Do you know the flavor of virus?  IE is it the fake AV?  
0
Free learning courses: Active Directory Deep Dive

Get a firm grasp on your IT environment when you learn Active Directory best practices with Veeam! Watch all, or choose any amount, of this three-part webinar series to improve your skills. From the basics to virtualization and backup, we got you covered.

 
LVL 7

Expert Comment

by:deisrobinson
ID: 33478546
What makes you think its a virus?
0
 
LVL 10

Expert Comment

by:Casey Herman
ID: 33478566
Because that is what it said in the original question.
0
 
LVL 7

Expert Comment

by:deisrobinson
ID: 33478577
lol not you I was asking Jess31 just to verify that the VM does in fact have a virus.
0
 
LVL 10

Expert Comment

by:Casey Herman
ID: 33478582
Oh sorry..  ;)

0
 
LVL 28

Expert Comment

by:bgoering
ID: 33478777
You can install the VMware mount utility (http://downloads.vmware.com/d/details/disk_mount_utility_5_5_driver_tools/JSpiZGR0cGJkd2U=) in the host OS and mount the infected VM's disk as a drive letter on the host. From there use the antivirus that is installed on the host to scan the drive. After you clean it up unmount it from the host and bring your guest xp back up.

Good Luck
0
 

Author Comment

by:Jess31
ID: 33478998
yes I know it's a virus or suchlike and this is what MSE reports on its flavor

 TrojanDropper:Win32/Alureon.V
0
 
LVL 10

Expert Comment

by:Casey Herman
ID: 33479049
Is it stopping you from doing anything?  IE can you run malwarebytes on it?   Normally I find that malware makes a registry entry in the runonce category and then it is linked to the application data folder for that users particular profile.  

I would try cleaning it up first. Is this VM running anything important?  Can it be backed up?
0
 

Author Comment

by:Jess31
ID: 33479106
bgoering:

I tried installing it three times.
each time I get this msg when it ends:
Install wizard completed

The wizard was interrupted before VMware DiskMount Utility
could be completely installed.
You system has not been modified. To complete installation at another time, please run setup again.
0
 
LVL 22

Expert Comment

by:optoma
ID: 33479224
0
 
LVL 28

Expert Comment

by:bgoering
ID: 33479397
Try to run the install as Administrator on Windows 7 or Vista. What OS is your host?
0
 

Author Comment

by:Jess31
ID: 33479416
Host is Windows 7
0
 
LVL 28

Accepted Solution

by:
bgoering earned 500 total points
ID: 33479429
Wait - Duh - you said you are using Workstation 7, I had originally read that as Windows 7. Anyway, the facilities are there (at least in Workstation 7.1, I kind of skipped 7.0 and rarely use the Workstation product anyway) to mount your disk to the host OS.

On the File menu there is an option to Map or Disconnect Virtual Disks

Use that wizard to mount your guest vmdk to the host. They have made it easier.

Good Luck
0
 

Author Comment

by:Jess31
ID: 33481749
So I tried mouting it. No problem doing that. But when I canned it with malware bytes it found nothing. When i did it with MS Security Essentials it found loads of stuff but it was not able to do anything . I would attemp to remove it, clean it... but eventually it woudl fail (it seems like the mounted drive is locked in someway cause I couldn't remove any of the stuff by manually either). I ran superanti spyware and it said it cleaned it (after rebooting, which is strange since after it reboos the drive is no longer mounted) but when I ran it again it still found things so I'm not sure if it in fact removed anything.
Where do I go from here?
0
 

Author Comment

by:Jess31
ID: 33481958
I thought it was weird that Malware bytesfound nothing so I ran an Update in MB, and in fact it was very outdated. Then I ran BM and it did find items, but it could not remove them. It tells me to reboot to complete. But rebooting will lose the mounted drive. And I don't believe restarting the VM again will do much as I tried it before and all it does is reboots after one minute.

Here is the list of MB:

Files Infected:
Z:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\M6YC960U\cpgfmhb[1].htm (Adware.BHO) -> Delete on reboot.
Z:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\M6YC960U\qghoquc[1].htm (Trojan.FakeAlert.Gen) -> Delete on reboot.
Z:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\NKJB242M\vmdkfnhp[1].htm (Trojan.Hiloti.Gen) -> Delete on reboot.
Z:\WINDOWS\W32gmsa.dll (Trojan.Hiloti.Gen) -> Delete on reboot.
Z:\WINDOWS\system32\aoacbj.dll (LSP.Hijacker) -> Delete on reboot.
Z:\WINDOWS\system32\gmcjv.dll (LSP.Hijacker) -> Delete on reboot.
Z:\WINDOWS\system32\gwlhinq.dll (LSP.Hijacker) -> Delete on reboot.
Z:\WINDOWS\system32\hotqs.dll (LSP.Hijacker) -> Delete on reboot.
Z:\WINDOWS\Temp\dotdu.exe (Trojan.Hiloti.Gen) -> Delete on reboot.
Z:\WINDOWS\Temp\fpnxk.exe (Adware.BHO) -> Delete on reboot.
Z:\WINDOWS\Temp\hfke.exe (Trojan.FakeAlert.Gen) -> Delete on reboot.


And this is the error I'm getting when starting windows in the VM.
I get a box say:
This system is shutting down. Please save all work in progress and log off.
Any unsaved changes will be lost.
This shutdown was intitiated by NT AUTHORITY\SYSTEM
The system process c:\windows\system32\services.exe termnated with status 0.
The system will now shutdown and restart.
0
 
LVL 28

Expert Comment

by:bgoering
ID: 33484493
Your vm guest should be powered down while mounting its disk to the host machine. I believe I saw an option to mount read/write or read only, make sure you are mounting it read write on the host - then I would just go and delete those files manually. You could also use registry editor on the host and use the "load hive" function to access the registry files to look for bad things in the run, run once, etc. registry keys.

Good Luck
0
 

Author Comment

by:Jess31
ID: 33485998
vm is not running whem I'm mounting it, I don't believe you can mount it while it is up.

I don't see any option for mounting it read/write.
0
 
LVL 10

Expert Comment

by:Casey Herman
ID: 33486036
I would just write a script to delete the above files on boot. Or manually delete them.
0
 
LVL 28

Expert Comment

by:bgoering
ID: 33486431
On Workstation 7.1 there is a check box - let me know if your version is different. You just uncheck it to mount read write. See picture.
Map-Virtual-Disk.jpg
0
 

Author Comment

by:Jess31
ID: 33487863
bgoering:
Outch. You are so right. I'm on may way to the eye doctor.
0
 
LVL 28

Expert Comment

by:bgoering
ID: 33487952
LOL
0
 
LVL 10

Expert Comment

by:Casey Herman
ID: 33488121
Well done!  ;)
0

Featured Post

Enterprise Mobility and BYOD For Dummies

Like “For Dummies” books, you can read this in whatever order you choose and learn about mobility and BYOD; and how to put a competitive mobile infrastructure in place. Developed for SMBs and large enterprises alike, you will find helpful use cases, planning, and implementation.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

HOW TO: Install and Configure VMware vSphere Hypervisor 6.5 (ESXi 6.5), Step by Step Tutorial with screenshots. From Download, Checking Media, to Completed Installation.
When rebooting a vCenters 6.0 and try to connect using vSphere Client we get this issue "Invalid URL: The hostname could not parsed." When we get this error we need to do some changes in the vCenter advanced settings to fix the issue.
Teach the user how to install log collectors and how to configure ESXi 5.5 for remote logging Open console session and mount vCenter Server installer: Install vSphere Core Dump Collector: Install vSphere Syslog Collector: Open vSphere Client: Config…
This video shows you how easy it is to boot from ISO images for virtual machines with the ISO images stored on a local datastore on the ESXi host.

735 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question