Solved

VMWare Workstation & Virus?

Posted on 2010-08-19
1,668 Views
Last Modified: 2013-11-22
Running VMware Workstation 7, and XP is the client OS.
I have a virus or malware on it. Is there a way to remove the virus without booting up the VM or without starting Windows?
Question by:Jess31
24 Comments
 
LVL 7

Expert Comment

by:deisrobinson
If you have a snapshot of a previous time (Pre-Virus), you can roll back to then.
0
 

Author Comment

by:Jess31
Unfortunately I don't.
0
 
LVL 10

Expert Comment

by:Casey Herman
Do you know the flavor of virus? I.e., is it the fake AV?
0
 
LVL 7

Expert Comment

by:deisrobinson
What makes you think it's a virus?
0
 
LVL 10

Expert Comment

by:Casey Herman
Because that is what it said in the original question.
0
 
LVL 7

Expert Comment

by:deisrobinson
lol, not you. I was asking Jess31 just to verify that the VM does in fact have a virus.
0
 
LVL 10

Expert Comment

by:Casey Herman
Oh sorry..  ;)

0
 
LVL 28

Expert Comment

by:bgoering
You can install the VMware mount utility (http://downloads.vmware.com/d/details/disk_mount_utility_5_5_driver_tools/JSpiZGR0cGJkd2U=) in the host OS and mount the infected VM's disk as a drive letter on the host. From there, use the antivirus that is installed on the host to scan the drive. After you clean it up, unmount it from the host and bring your guest XP back up.

Good Luck
0
 

Author Comment

by:Jess31
Yes, I know it's a virus or suchlike, and this is what MSE reports on its flavor:

 TrojanDropper:Win32/Alureon.V
0
 
LVL 10

Expert Comment

by:Casey Herman
Is it stopping you from doing anything? I.e., can you run Malwarebytes on it? Normally I find that malware makes a registry entry in the RunOnce category and then it is linked to the Application Data folder for that user's particular profile.

I would try cleaning it up first. Is this VM running anything important?  Can it be backed up?
0
 

Author Comment

by:Jess31
bgoering:

I tried installing it three times.
Each time I get this message when it ends:

Install wizard completed

The wizard was interrupted before VMware DiskMount Utility
could be completely installed.
Your system has not been modified. To complete installation at another time, please run setup again.
0
 
LVL 22

Expert Comment

by:optoma
0
 
LVL 28

Expert Comment

by:bgoering
Try to run the install as Administrator on Windows 7 or Vista. What OS is your host?
0
 

Author Comment

by:Jess31
Host is Windows 7.
0
 
LVL 28

Accepted Solution

by:bgoering (earned 500 total points)
Wait - Duh - you said you are using Workstation 7, I had originally read that as Windows 7. Anyway, the facilities are there (at least in Workstation 7.1, I kind of skipped 7.0 and rarely use the Workstation product anyway) to mount your disk to the host OS.

On the File menu there is an option to Map or Disconnect Virtual Disks

Use that wizard to mount your guest vmdk to the host. They have made it easier.

Good Luck
0
 

Author Comment

by:Jess31
So I tried mounting it. No problem doing that. But when I scanned it with Malwarebytes it found nothing. When I did it with MS Security Essentials it found loads of stuff, but it was not able to do anything. I would attempt to remove it, clean it... but eventually it would fail (it seems like the mounted drive is locked in some way, because I couldn't remove any of the stuff manually either). I ran SuperAntiSpyware and it said it cleaned it (after rebooting, which is strange since after it reboots the drive is no longer mounted), but when I ran it again it still found things, so I'm not sure if it in fact removed anything.
Where do I go from here?
0
 

Author Comment

by:Jess31
I thought it was weird that Malwarebytes found nothing, so I ran an update in MB, and in fact it was very outdated. Then I ran MB and it did find items, but it could not remove them. It tells me to reboot to complete. But rebooting will lose the mounted drive. And I don't believe restarting the VM again will do much, as I tried it before and all it does is reboot after one minute.

Here is the list from MB:

Files Infected:
Z:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\M6YC960U\cpgfmhb[1].htm (Adware.BHO) -> Delete on reboot.
Z:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\M6YC960U\qghoquc[1].htm (Trojan.FakeAlert.Gen) -> Delete on reboot.
Z:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\NKJB242M\vmdkfnhp[1].htm (Trojan.Hiloti.Gen) -> Delete on reboot.
Z:\WINDOWS\W32gmsa.dll (Trojan.Hiloti.Gen) -> Delete on reboot.
Z:\WINDOWS\system32\aoacbj.dll (LSP.Hijacker) -> Delete on reboot.
Z:\WINDOWS\system32\gmcjv.dll (LSP.Hijacker) -> Delete on reboot.
Z:\WINDOWS\system32\gwlhinq.dll (LSP.Hijacker) -> Delete on reboot.
Z:\WINDOWS\system32\hotqs.dll (LSP.Hijacker) -> Delete on reboot.
Z:\WINDOWS\Temp\dotdu.exe (Trojan.Hiloti.Gen) -> Delete on reboot.
Z:\WINDOWS\Temp\fpnxk.exe (Adware.BHO) -> Delete on reboot.
Z:\WINDOWS\Temp\hfke.exe (Trojan.FakeAlert.Gen) -> Delete on reboot.

And this is the error I'm getting when starting Windows in the VM.
I get a box saying:
This system is shutting down. Please save all work in progress and log off.
Any unsaved changes will be lost.
This shutdown was initiated by NT AUTHORITY\SYSTEM
The system process c:\windows\system32\services.exe terminated with status 0.
The system will now shutdown and restart.
0
 
LVL 28

Expert Comment

by:bgoering
Your VM guest should be powered down while mounting its disk to the host machine. I believe I saw an option to mount read/write or read only; make sure you are mounting it read/write on the host, then I would just go and delete those files manually. You could also use Registry Editor on the host and use the "Load Hive" function to access the registry files to look for bad things in the Run, RunOnce, etc. registry keys.

Good Luck
0
 

Author Comment

by:Jess31
The VM is not running when I'm mounting it; I don't believe you can mount it while it is up.

I don't see any option for mounting it read/write.
0
 
LVL 10

Expert Comment

by:Casey Herman
I would just write a script to delete the above files on boot. Or manually delete them.
0
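One way to do the offline registry check bgoering describes (looking at the guest's Run/RunOnce keys without booting it) from the Windows 7 host, as an added example that is not from this thread. It assumes the powered-off guest's vmdk is mapped read/write as Z:, the XP profile layout under Documents and Settings, and an elevated PowerShell session; the mount names OfflineSW and OfflineUser are arbitrary:

```powershell
# Added example, not from the thread. Lists autostart entries in an offline XP
# guest whose disk is mapped to the host as $GuestDrive (Z: in the thread).
# Must run elevated: reg.exe load/unload needs administrator rights.
param([string]$GuestDrive = 'Z:')

$runKeys = @('Microsoft\Windows\CurrentVersion\Run',
             'Microsoft\Windows\CurrentVersion\RunOnce')

function Show-OfflineRunKeys {
    param([string]$HivePath, [string]$MountName, [string]$SubRoot)
    if (-not (Test-Path -LiteralPath $HivePath)) {
        Write-Warning "hive not found: $HivePath"; return
    }
    # Load the hive file under HKLM\<MountName>; the guest must be powered off
    # so nothing else holds the file open.
    & reg.exe load "HKLM\$MountName" $HivePath | Out-Null
    try {
        foreach ($k in $runKeys) {
            $key = "HKLM:\$MountName\$SubRoot$k"
            if (-not (Test-Path -LiteralPath $key)) { continue }
            $item = Get-Item -LiteralPath $key
            foreach ($name in $item.GetValueNames()) {
                # Each value is "<entry name> = <command line run at logon/boot>"
                "{0}\{1} = {2}" -f $key, $name, $item.GetValue($name)
            }
            $item.Close()   # release the key handle so the hive can be unloaded
        }
    } finally {
        [GC]::Collect()
        & reg.exe unload "HKLM\$MountName" | Out-Null
    }
}

# Machine-wide autostarts live in the SOFTWARE hive
# (HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run when the guest is running).
Show-OfflineRunKeys -HivePath "$GuestDrive\WINDOWS\system32\config\software" `
                    -MountName 'OfflineSW' -SubRoot ''

# Per-user autostarts live in each profile's NTUSER.DAT, under Software\...
$profiles = Get-ChildItem "$GuestDrive\Documents and Settings" |
            Where-Object { $_.PSIsContainer }
foreach ($prof in $profiles) {
    Show-OfflineRunKeys -HivePath (Join-Path $prof.FullName 'NTUSER.DAT') `
                        -MountName 'OfflineUser' -SubRoot 'Software\'
}
```

Entries whose command points at files like those in the Malwarebytes list above (system32 DLLs or Temp executables with random names) are the ones to note before deleting the files from the mapped drive.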
 
LVL 28

Expert Comment

by:bgoering
On Workstation 7.1 there is a check box; let me know if your version is different. You just uncheck it to mount read/write. See picture.
Map-Virtual-Disk.jpg
0
 

Author Comment

by:Jess31
bgoering:
Ouch. You are so right. I'm on my way to the eye doctor.
0
 
LVL 28

Expert Comment

by:bgoering
LOL
0
 
LVL 10

Expert Comment

by:Casey Herman
Well done!  ;)
0
