Solved

VMWare Workstation & Virus?

Posted on 2010-08-19
1,682 Views
Last Modified: 2013-11-22
Running VMware Workstation 7, and XP is the client OS.
I have a virus or malware on it. Is there a way to remove the virus without booting up the VM or without starting Windows?
Question by:Jess31
24 Comments
 
LVL 7

Expert Comment

by:deisrobinson
ID: 33478131
If you have a snapshot of a previous time (Pre-Virus), you can roll back to then.
0
 

Author Comment

by:Jess31
ID: 33478220
unfortunately I don't
0
 
LVL 10

Expert Comment

by:Casey Herman
ID: 33478474
Do you know the flavor of virus? I.e. is it the fake AV?
0
 
LVL 7

Expert Comment

by:deisrobinson
ID: 33478546
What makes you think it's a virus?
0
 
LVL 10

Expert Comment

by:Casey Herman
ID: 33478566
Because that is what it said in the original question.
0
 
LVL 7

Expert Comment

by:deisrobinson
ID: 33478577
lol, not you. I was asking Jess31, just to verify that the VM does in fact have a virus.
0
 
LVL 10

Expert Comment

by:Casey Herman
ID: 33478582
Oh sorry..  ;)

0
 
LVL 28

Expert Comment

by:bgoering
ID: 33478777
You can install the VMware mount utility (http://downloads.vmware.com/d/details/disk_mount_utility_5_5_driver_tools/JSpiZGR0cGJkd2U=) in the host OS and mount the infected VM's disk as a drive letter on the host. From there use the antivirus that is installed on the host to scan the drive. After you clean it up unmount it from the host and bring your guest xp back up.

Good Luck
0
 

Author Comment

by:Jess31
ID: 33478998
Yes, I know it's a virus or suchlike, and this is what MSE reports on its flavor:

 TrojanDropper:Win32/Alureon.V
0
 
LVL 10

Expert Comment

by:Casey Herman
ID: 33479049
Is it stopping you from doing anything? I.e. can you run Malwarebytes on it? Normally I find that malware makes a registry entry in the RunOnce category and then it is linked to the Application Data folder for that user's particular profile.

I would try cleaning it up first. Is this VM running anything important? Can it be backed up?
0
 

Author Comment

by:Jess31
ID: 33479106
bgoering:

I tried installing it three times.
Each time I get this message when it ends:
Install wizard completed

The wizard was interrupted before VMware DiskMount Utility
could be completely installed.
Your system has not been modified. To complete installation at another time, please run setup again.
0
 
LVL 22

Expert Comment

by:optoma
ID: 33479224
0
 
LVL 28

Expert Comment

by:bgoering
ID: 33479397
Try to run the install as Administrator on Windows 7 or Vista. What OS is your host?
0
 

Author Comment

by:Jess31
ID: 33479416
Host is Windows 7
0
 
LVL 28

Accepted Solution

by:
bgoering earned 500 total points
ID: 33479429
Wait - Duh - you said you are using Workstation 7, I had originally read that as Windows 7. Anyway, the facilities are there (at least in Workstation 7.1, I kind of skipped 7.0 and rarely use the Workstation product anyway) to mount your disk to the host OS.

On the File menu there is an option to Map or Disconnect Virtual Disks

Use that wizard to mount your guest vmdk to the host. They have made it easier.

Good Luck
0
 

Author Comment

by:Jess31
ID: 33481749
So I tried mounting it. No problem doing that. But when I scanned it with Malwarebytes it found nothing. When I did it with MS Security Essentials it found loads of stuff, but it was not able to do anything. I would attempt to remove it, clean it... but eventually it would fail (it seems like the mounted drive is locked in some way, because I couldn't remove any of the stuff manually either). I ran SuperAntiSpyware and it said it cleaned it (after rebooting, which is strange, since after it reboots the drive is no longer mounted), but when I ran it again it still found things, so I'm not sure if it in fact removed anything.
Where do I go from here?
0
 

Author Comment

by:Jess31
ID: 33481958
I thought it was weird that Malwarebytes found nothing, so I ran an update in MB, and in fact it was very outdated. Then I ran MB and it did find items, but it could not remove them. It tells me to reboot to complete. But rebooting will lose the mounted drive. And I don't believe restarting the VM again will do much, as I tried it before and all it does is reboot after one minute.

Here is the list from MB:

Files Infected:
Z:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\M6YC960U\cpgfmhb[1].htm (Adware.BHO) -> Delete on reboot.
Z:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\M6YC960U\qghoquc[1].htm (Trojan.FakeAlert.Gen) -> Delete on reboot.
Z:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\NKJB242M\vmdkfnhp[1].htm (Trojan.Hiloti.Gen) -> Delete on reboot.
Z:\WINDOWS\W32gmsa.dll (Trojan.Hiloti.Gen) -> Delete on reboot.
Z:\WINDOWS\system32\aoacbj.dll (LSP.Hijacker) -> Delete on reboot.
Z:\WINDOWS\system32\gmcjv.dll (LSP.Hijacker) -> Delete on reboot.
Z:\WINDOWS\system32\gwlhinq.dll (LSP.Hijacker) -> Delete on reboot.
Z:\WINDOWS\system32\hotqs.dll (LSP.Hijacker) -> Delete on reboot.
Z:\WINDOWS\Temp\dotdu.exe (Trojan.Hiloti.Gen) -> Delete on reboot.
Z:\WINDOWS\Temp\fpnxk.exe (Adware.BHO) -> Delete on reboot.
Z:\WINDOWS\Temp\hfke.exe (Trojan.FakeAlert.Gen) -> Delete on reboot.


And this is the error I'm getting when starting Windows in the VM.
I get a box saying:
This system is shutting down. Please save all work in progress and log off.
Any unsaved changes will be lost.
This shutdown was initiated by NT AUTHORITY\SYSTEM
The system process c:\windows\system32\services.exe terminated with status 0.
The system will now shut down and restart.
0
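The Malwarebytes listing above is the raw material for the boot-time cleanup script suggested later in the thread. The following is an added example (not Malwarebytes', VMware's or any poster's code) that parses report lines of the pasted shape, translates the host-side mapped paths back to the guest's own drive letter, and emits an in-guest batch file. It assumes, as the thread does not state, that the host mapped the guest disk as Z:, that the guest's system drive is C: inside the VM, and that the guest is XP SP2 or later (for `netsh winsock reset`). The four LSP.Hijacker DLLs are treated specially: deleting a Winsock layered service provider's DLL without repairing the catalog that references it leaves the guest without working networking, so the generated script ends with a Winsock reset whenever an LSP detection is present.

```python
"""Turn a Malwarebytes 'Files Infected' listing taken from a mapped guest disk
into an in-guest cleanup batch file.

Added example for this thread, not Malwarebytes' or VMware's code.
Assumptions (not from the thread): report lines look like
'<path> (<detection>) -> <action>.', the host mapped the guest disk as Z:,
and the guest's own system drive is C:.
"""
import re
from typing import List, NamedTuple

# Constructed copy of a few of the report lines pasted above, for a runnable demo.
SAMPLE_REPORT = r"""
Files Infected:
Z:\WINDOWS\W32gmsa.dll (Trojan.Hiloti.Gen) -> Delete on reboot.
Z:\WINDOWS\system32\aoacbj.dll (LSP.Hijacker) -> Delete on reboot.
Z:\WINDOWS\Temp\dotdu.exe (Trojan.Hiloti.Gen) -> Delete on reboot.
Z:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\M6YC960U\cpgfmhb[1].htm (Adware.BHO) -> Delete on reboot.
"""

# <drive>:\<path> (<detection>) -> <action>[.]
LINE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?) \((?P<detection>[^()]+)\) -> (?P<action>.+?)\.?$"
)


class Finding(NamedTuple):
    guest_path: str   # path as the guest itself will see it (C:\...)
    detection: str    # Malwarebytes family name, e.g. LSP.Hijacker
    action: str       # what MB wanted to do, e.g. Delete on reboot


def parse_report(text: str, mapped_drive: str = "Z:", guest_drive: str = "C:") -> List[Finding]:
    """Parse report lines; lines that do not match the file pattern are skipped."""
    findings = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        path = m.group("path")
        # Re-root the host's mapped-drive path onto the guest's own drive letter.
        if path[:2].upper() == mapped_drive.upper():
            path = guest_drive + path[2:]
        findings.append(Finding(path, m.group("detection"), m.group("action")))
    return findings


def needs_winsock_reset(findings: List[Finding]) -> bool:
    """An LSP detection means a Winsock catalog entry points at a DLL we delete."""
    return any(f.detection.startswith("LSP.") for f in findings)


def build_cleanup_batch(findings: List[Finding]) -> str:
    """Emit a cmd batch file to run from an elevated prompt inside the guest."""
    lines = [
        "@echo off",
        "rem generated from the Malwarebytes listing; run inside the guest as an administrator",
    ]
    for f in findings:
        # Quoted because the IE cache paths contain spaces and [1].
        lines.append(f'del /f /q "{f.guest_path}"')
    if needs_winsock_reset(findings):
        # Rebuild the Winsock catalog so the deleted LSP DLLs are no longer referenced.
        lines.append("netsh winsock reset")
    return "\r\n".join(lines) + "\r\n"


if __name__ == "__main__":
    print(build_cleanup_batch(parse_report(SAMPLE_REPORT)))
```

The batch file only helps once the guest stays up long enough to run it; with the guest forcing a shutdown a minute after boot, the host-side route through the mapped disk is the more reliable way to delete these files.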
 
LVL 28

Expert Comment

by:bgoering
ID: 33484493
Your vm guest should be powered down while mounting its disk to the host machine. I believe I saw an option to mount read/write or read only, make sure you are mounting it read write on the host - then I would just go and delete those files manually. You could also use registry editor on the host and use the "load hive" function to access the registry files to look for bad things in the run, run once, etc. registry keys.

Good Luck
0
 

Author Comment

by:Jess31
ID: 33485998
The VM is not running when I'm mounting it; I don't believe you can mount it while it is up.

I don't see any option for mounting it read/write.
0
 
LVL 10

Expert Comment

by:Casey Herman
ID: 33486036
I would just write a script to delete the above files on boot. Or manually delete them.
0
 
LVL 28

Expert Comment

by:bgoering
ID: 33486431
On Workstation 7.1 there is a check box - let me know if your version is different. You just uncheck it to mount read write. See picture.
Map-Virtual-Disk.jpg
0
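The procedure bgoering describes (map the powered-off guest's VMDK to the host read/write, delete the flagged files from the host, then load the guest's registry hives to inspect the Run and RunOnce keys) worked through as an added example, not VMware's, Malwarebytes' or any poster's own code. It assumes, as the thread does not state, that the disk was mapped as Z: with the read-only box unchecked, that the guest is a single-partition XP install whose infected profile is Administrator, and that it is run from an elevated PowerShell prompt on the Windows 7 host (reg.exe load requires that). It also lists the Winsock LSP catalog from the SYSTEM hive, because four of the detections are LSP.Hijacker DLLs and any catalog entry still pointing at a deleted DLL will break networking in the guest.

```powershell
# Offline cleanup of the guest disk from the Windows 7 host after
# File > Map or Disconnect Virtual Disks (read-only box unchecked).
# Added example for this thread, not VMware's or Malwarebytes' code.
# Assumed, not from the thread: mapped letter Z:, single-partition XP guest,
# infected profile Administrator, elevated PowerShell prompt on the host.
$Drive = 'Z:'

# Files from the Malwarebytes listing above. -LiteralPath is used throughout
# because the IE cache names contain [1], which -Path would read as a wildcard.
$Files = @(
    "$Drive\WINDOWS\W32gmsa.dll",
    "$Drive\WINDOWS\system32\aoacbj.dll",
    "$Drive\WINDOWS\system32\gmcjv.dll",
    "$Drive\WINDOWS\system32\gwlhinq.dll",
    "$Drive\WINDOWS\system32\hotqs.dll",
    "$Drive\WINDOWS\Temp\dotdu.exe",
    "$Drive\WINDOWS\Temp\fpnxk.exe",
    "$Drive\WINDOWS\Temp\hfke.exe",
    "$Drive\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\M6YC960U\cpgfmhb[1].htm",
    "$Drive\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\M6YC960U\qghoquc[1].htm",
    "$Drive\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\NKJB242M\vmdkfnhp[1].htm"
)

# 1. Prove the mapping is writable before touching anything; a read-only map is
#    exactly what makes the AV "clean" actions fail.
$probe = "$Drive\offline-cleanup.probe"
try {
    [IO.File]::WriteAllText($probe, 'rw-check')
    Remove-Item -LiteralPath $probe -Force
} catch {
    throw "$Drive is mapped read-only; disconnect it and map it again with the read-only box unchecked."
}

# 2. Delete the flagged files. Nothing in the guest is running, so there is no
#    "delete on reboot" to wait for.
foreach ($f in $Files) {
    if (Test-Path -LiteralPath $f) { Remove-Item -LiteralPath $f -Force; "deleted   $f" }
    else                            { "not found $f" }
}

# 3. Load the guest's hives under temporary keys and list what will autostart.
reg.exe load HKLM\GuestSW   "$Drive\WINDOWS\system32\config\software" | Out-Null
reg.exe load HKLM\GuestSys  "$Drive\WINDOWS\system32\config\system"   | Out-Null
reg.exe load HKLM\GuestUser "$Drive\Documents and Settings\Administrator\NTUSER.DAT" | Out-Null
try {
    $runKeys = @(
        'HKLM:\GuestSW\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\GuestSW\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\GuestUser\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\GuestUser\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        "== $key"
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -notlike 'PS*') { "   {0} = {1}" -f $p.Name, $p.Value }
        }
    }

    # 4. Winsock LSP catalog (SYSTEM hive, under the ControlSet that Select\Current
    #    names). Each PackedCatalogItem begins with the provider DLL path as a
    #    NUL-terminated ANSI string in its first 260 bytes (assumed XP layout).
    $cur     = (Get-ItemProperty -Path 'HKLM:\GuestSys\Select').Current
    $catalog = 'HKLM:\GuestSys\ControlSet{0:D3}\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries' -f $cur
    "== $catalog"
    foreach ($entry in Get-ChildItem -Path $catalog) {
        $blob = (Get-ItemProperty -Path $entry.PSPath).PackedCatalogItem
        $dll  = [Text.Encoding]::ASCII.GetString($blob, 0, 260).Split([char]0)[0]
        $flag = if ($dll -match 'aoacbj|gmcjv|gwlhinq|hotqs') { '  <-- references a deleted LSP.Hijacker DLL' } else { '' }
        "   {0}  {1}{2}" -f $entry.PSChildName, $dll, $flag
    }
}
finally {
    # Release the provider's handles first, or reg.exe unload reports the hive as in use.
    [GC]::Collect()
    foreach ($h in 'GuestUser', 'GuestSys', 'GuestSW') { reg.exe unload "HKLM\$h" | Out-Null }
}
```

Disconnect the virtual disk from the host before powering the guest on again. Any catalog entry the script flags still points at a DLL that no longer exists, so expect the guest to have no networking until `netsh winsock reset` is run inside it once it stays up; removing those catalog entries offline is possible but riskier than the reset.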
 

Author Comment

by:Jess31
ID: 33487863
bgoering:
Ouch. You are so right. I'm on my way to the eye doctor.
0
 
LVL 28

Expert Comment

by:bgoering
ID: 33487952
LOL
0
 
LVL 10

Expert Comment

by:Casey Herman
ID: 33488121
Well done!  ;)
0
