Solved

VMWare Workstation & Virus?

Posted on 2010-08-19
Last Modified: 2013-11-22
Running VMware Workstation 7, and XP is the client OS.
I have a virus or malware on it. Is there a way to remove the virus without booting up the VM or without starting Windows?
Question by: Jess31
24 Comments
 
LVL 7

Expert Comment

by:deisrobinson
ID: 33478131
If you have a snapshot of a previous time (Pre-Virus), you can roll back to then.
 

Author Comment

by:Jess31
ID: 33478220
unfortunately I don't
 
LVL 10

Expert Comment

by:Casey Herman
ID: 33478474
Do you know the flavor of virus? I.e., is it the fake AV?
 
LVL 7

Expert Comment

by:deisrobinson
ID: 33478546
What makes you think it's a virus?
 
LVL 10

Expert Comment

by:Casey Herman
ID: 33478566
Because that is what it said in the original question.
 
LVL 7

Expert Comment

by:deisrobinson
ID: 33478577
lol, not you. I was asking Jess31, just to verify that the VM does in fact have a virus.
 
LVL 10

Expert Comment

by:Casey Herman
ID: 33478582
Oh, sorry. ;)

 
LVL 28

Expert Comment

by:bgoering
ID: 33478777
You can install the VMware DiskMount utility (http://downloads.vmware.com/d/details/disk_mount_utility_5_5_driver_tools/JSpiZGR0cGJkd2U=) in the host OS and mount the infected VM's disk as a drive letter on the host. From there, use the antivirus that is installed on the host to scan the drive. After you clean it up, unmount it from the host and bring your guest XP back up.

Good Luck
 

Author Comment

by:Jess31
ID: 33478998
Yes, I know it's a virus or suchlike, and this is what MSE reports as its flavor:

 TrojanDropper:Win32/Alureon.V
 
LVL 10

Expert Comment

by:Casey Herman
ID: 33479049
Is it stopping you from doing anything? I.e., can you run Malwarebytes on it? Normally I find that malware makes a registry entry in the RunOnce category, and then it is linked to the Application Data folder for that user's particular profile.

I would try cleaning it up first. Is this VM running anything important?  Can it be backed up?
 

Author Comment

by:Jess31
ID: 33479106
bgoering:

I tried installing it three times.
Each time I get this message when it ends:
Install wizard completed

The wizard was interrupted before VMware DiskMount Utility
could be completely installed.
Your system has not been modified. To complete installation at another time, please run setup again.
 
LVL 22

Expert Comment

by:optoma
ID: 33479224
 
LVL 28

Expert Comment

by:bgoering
ID: 33479397
Try to run the install as Administrator on Windows 7 or Vista. What OS is your host?
 

Author Comment

by:Jess31
ID: 33479416
Host is Windows 7
 
LVL 28

Accepted Solution

by:
bgoering earned 500 total points
ID: 33479429
Wait - Duh - you said you are using Workstation 7, I had originally read that as Windows 7. Anyway, the facilities are there (at least in Workstation 7.1, I kind of skipped 7.0 and rarely use the Workstation product anyway) to mount your disk to the host OS.

On the File menu there is an option to Map or Disconnect Virtual Disks

Use that wizard to mount your guest vmdk to the host. They have made it easier.

Good Luck
 

Author Comment

by:Jess31
ID: 33481749
So I tried mounting it. No problem doing that. But when I scanned it with Malwarebytes it found nothing. When I did it with MS Security Essentials it found loads of stuff, but it was not able to do anything. I would attempt to remove it, clean it... but eventually it would fail (it seems like the mounted drive is locked in some way, because I couldn't remove any of the stuff manually either). I ran SUPERAntiSpyware and it said it cleaned it (after rebooting, which is strange, since after it reboots the drive is no longer mounted), but when I ran it again it still found things, so I'm not sure if it in fact removed anything.
Where do I go from here?
 

Author Comment

by:Jess31
ID: 33481958
I thought it was weird that Malwarebytes found nothing, so I ran an update in MB, and in fact it was very outdated. Then I ran MB and it did find items, but it could not remove them. It tells me to reboot to complete. But rebooting will lose the mounted drive. And I don't believe restarting the VM again will do much, as I tried it before and all it does is reboot after one minute.

Here is the list of MB:

Files Infected:
Z:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\M6YC960U\cpgfmhb[1].htm (Adware.BHO) -> Delete on reboot.
Z:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\M6YC960U\qghoquc[1].htm (Trojan.FakeAlert.Gen) -> Delete on reboot.
Z:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\NKJB242M\vmdkfnhp[1].htm (Trojan.Hiloti.Gen) -> Delete on reboot.
Z:\WINDOWS\W32gmsa.dll (Trojan.Hiloti.Gen) -> Delete on reboot.
Z:\WINDOWS\system32\aoacbj.dll (LSP.Hijacker) -> Delete on reboot.
Z:\WINDOWS\system32\gmcjv.dll (LSP.Hijacker) -> Delete on reboot.
Z:\WINDOWS\system32\gwlhinq.dll (LSP.Hijacker) -> Delete on reboot.
Z:\WINDOWS\system32\hotqs.dll (LSP.Hijacker) -> Delete on reboot.
Z:\WINDOWS\Temp\dotdu.exe (Trojan.Hiloti.Gen) -> Delete on reboot.
Z:\WINDOWS\Temp\fpnxk.exe (Adware.BHO) -> Delete on reboot.
Z:\WINDOWS\Temp\hfke.exe (Trojan.FakeAlert.Gen) -> Delete on reboot.


And this is the error I'm getting when starting Windows in the VM.
I get a box saying:
This system is shutting down. Please save all work in progress and log off.
Any unsaved changes will be lost.
This shutdown was initiated by NT AUTHORITY\SYSTEM
The system process c:\windows\system32\services.exe terminated with status 0.
The system will now shutdown and restart.
 
LVL 28

Expert Comment

by:bgoering
ID: 33484493
Your VM guest should be powered down while mounting its disk to the host machine. I believe I saw an option to mount read/write or read-only; make sure you are mounting it read/write on the host, then I would just go and delete those files manually. You could also use Registry Editor on the host and use the "Load Hive" function to access the registry files to look for bad things in the Run, RunOnce, etc. registry keys.

Good Luck
 

Author Comment

by:Jess31
ID: 33485998
The VM is not running when I'm mounting it; I don't believe you can mount it while it is up.

I don't see any option for mounting it read/write.
 
LVL 10

Expert Comment

by:Casey Herman
ID: 33486036
I would just write a script to delete the above files on boot. Or manually delete them.
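The two suggestions above, bgoering's "load hive" step and Casey's "script to delete the files", put together as one added example for the Windows 7 host. This is not code from the thread or from VMware. It assumes the guest is powered off and its VMDK is mapped read/write as Z: through File > Map or Disconnect Virtual Disks (read-only unchecked), that it runs in an elevated PowerShell because reg.exe load needs that, and that the guest profile is Administrator as in the scan paths; the hive names OfflineSoftware, OfflineSystem and OfflineUser are arbitrary. The file list is the Malwarebytes result posted above.

```powershell
# Added example, not code from the thread: offline cleanup of the XP guest from the Windows 7
# host, combining bgoering's "load hive" suggestion and Casey's "script to delete the files".
# Assumptions: the guest is powered off and its VMDK is mapped read/write as Z: through
# File > Map or Disconnect Virtual Disks; this runs in an elevated PowerShell (reg.exe load
# needs it); the hive names OfflineSoftware/OfflineSystem/OfflineUser are arbitrary.
param(
    [string]$Guest     = 'Z:',             # drive letter of the mapped guest disk (assumption)
    [string]$GuestUser = 'Administrator',  # guest profile to inspect, as in the scan paths
    [switch]$ReportOnly                    # only report; move nothing
)
$ErrorActionPreference = 'Stop'

# Paths relative to the guest root, copied from the Malwarebytes list posted above.
$Infected = @(
  'Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\M6YC960U\cpgfmhb[1].htm',
  'Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\M6YC960U\qghoquc[1].htm',
  'Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\NKJB242M\vmdkfnhp[1].htm',
  'WINDOWS\W32gmsa.dll', 'WINDOWS\system32\aoacbj.dll', 'WINDOWS\system32\gmcjv.dll',
  'WINDOWS\system32\gwlhinq.dll', 'WINDOWS\system32\hotqs.dll',
  'WINDOWS\Temp\dotdu.exe', 'WINDOWS\Temp\fpnxk.exe', 'WINDOWS\Temp\hfke.exe'
)

# 1. Quarantine instead of deleting: nothing on the offline disk is locked, and the samples
#    stay available for later analysis. -LiteralPath is required because "[1]" is a wildcard.
$Quarantine = Join-Path $env:TEMP 'xp-guest-quarantine'
if (-not (Test-Path -LiteralPath $Quarantine)) { New-Item -ItemType Directory -Path $Quarantine | Out-Null }
foreach ($rel in $Infected) {
    $src = Join-Path $Guest $rel
    if (-not (Test-Path -LiteralPath $src)) { Write-Host "missing:     $rel"; continue }
    $dst = Join-Path $Quarantine (($rel -replace '[\\:\[\]]', '_') + '.bin')
    if ($ReportOnly) { Write-Host "would move:  $rel" }
    else { Move-Item -LiteralPath $src -Destination $dst -Force; Write-Host "quarantined: $rel" }
}

# 2. Load the guest's SOFTWARE, SYSTEM and user hives under temporary names.
$Hives = @{
    'HKLM\OfflineSoftware' = "$Guest\WINDOWS\system32\config\software"
    'HKLM\OfflineSystem'   = "$Guest\WINDOWS\system32\config\system"
    'HKU\OfflineUser'      = "$Guest\Documents and Settings\$GuestUser\NTUSER.DAT"
}
$Loaded = @()
try {
    foreach ($k in $Hives.Keys) {
        & reg.exe load $k $Hives[$k] | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "reg load $k failed: not elevated, or guest still running?" }
        $Loaded += $k
    }

    # 3. Autorun points. Casey's observation: Run/RunOnce entries pointing into Temp or
    #    Application Data. Values naming a quarantined file are flagged as well; remove them
    #    with Remove-ItemProperty once you have looked at them.
    $Meta  = 'PSPath','PSParentPath','PSChildName','PSDrive','PSProvider'
    $Names = $Infected | ForEach-Object { [regex]::Escape([IO.Path]::GetFileName($_)) }
    $Bad   = '\\Temp\\|Application Data|' + ($Names -join '|')
    $Autoruns = @(
      @{ Path='HKLM:\OfflineSoftware\Microsoft\Windows\CurrentVersion\Run';        Only=$null },
      @{ Path='HKLM:\OfflineSoftware\Microsoft\Windows\CurrentVersion\RunOnce';    Only=$null },
      @{ Path='HKLM:\OfflineSoftware\Microsoft\Windows NT\CurrentVersion\Winlogon'; Only=@('Shell','Userinit') },
      @{ Path='HKLM:\OfflineSoftware\Microsoft\Windows NT\CurrentVersion\Windows';  Only=@('AppInit_DLLs') },
      @{ Path='Registry::HKEY_USERS\OfflineUser\Software\Microsoft\Windows\CurrentVersion\Run';     Only=$null },
      @{ Path='Registry::HKEY_USERS\OfflineUser\Software\Microsoft\Windows\CurrentVersion\RunOnce'; Only=$null }
    )
    foreach ($a in $Autoruns) {
        if (-not (Test-Path $a.Path)) { continue }
        foreach ($p in (Get-ItemProperty -Path $a.Path).PSObject.Properties) {
            if ($Meta -contains $p.Name) { continue }
            if ($a.Only -and ($a.Only -notcontains $p.Name)) { continue }
            $v = [string]$p.Value
            $mark = if ($v -match $Bad) { '   <-- check' } else { '' }
            Write-Host "$($a.Path)`n    $($p.Name) = $v$mark"
        }
    }

    # 4. Winsock LSP catalog, where the LSP.Hijacker DLLs are registered. Each Catalog_Entries
    #    subkey has a PackedCatalogItem blob that starts with the provider DLL path as a
    #    NUL-terminated ANSI string. Stock XP providers are mswsock.dll, rsvpsp.dll, winrnr.dll.
    $cs  = (Get-ItemProperty 'HKLM:\OfflineSystem\Select').Current
    $cat = 'HKLM:\OfflineSystem\ControlSet{0:D3}\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries' -f $cs
    $Stock = 'mswsock.dll','rsvpsp.dll','winrnr.dll'
    foreach ($e in Get-ChildItem $cat) {
        $raw = (Get-ItemProperty $e.PSPath).PackedCatalogItem
        $n = [Array]::IndexOf($raw, [byte]0); if ($n -lt 0) { $n = $raw.Length }
        $path = [Text.Encoding]::ASCII.GetString($raw, 0, $n)
        $mark = if ($Stock -notcontains [IO.Path]::GetFileName($path)) { '   <-- not a stock provider' } else { '' }
        Write-Host "$($e.PSChildName): $path$mark"
        $e.Close()     # release the key handle so the hive can be unloaded
    }
}
finally {
    # 5. Always unload, or the hive files stay locked and Workstation cannot unmap the disk.
    [GC]::Collect(); [GC]::WaitForPendingFinalizers()
    foreach ($k in $Loaded) { & reg.exe unload $k | Out-Null }
}
```

Run it once with -ReportOnly to see what it would touch, then without, and unmap the disk in Workstation before powering the guest on. Two caveats: quarantining an LSP DLL leaves its Winsock catalog entry pointing at a missing file, which breaks networking inside the guest until you run netsh winsock reset there (XP SP2 or later); and the script only covers the files Malwarebytes listed, so the services.exe shutdown described earlier may have a cause that is not on that list, and a fresh scan after the first boot is still needed.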
 
LVL 28

Expert Comment

by:bgoering
ID: 33486431
On Workstation 7.1 there is a check box - let me know if your version is different. You just uncheck it to mount read write. See picture.
Map-Virtual-Disk.jpg
 

Author Comment

by:Jess31
ID: 33487863
bgoering:
Ouch. You are so right. I'm on my way to the eye doctor.
 
LVL 28

Expert Comment

by:bgoering
ID: 33487952
LOL
 
LVL 10

Expert Comment

by:Casey Herman
ID: 33488121
Well done!  ;)
