Solved

VMWare Workstation & Virus?

Posted on 2010-08-19
24
1,699 Views
Last Modified: 2013-11-22
Running VMware Workstation 7 and XP is the client OS.
I have a virus or malware on it. Is there a way to remove the virus without booting up the VM or without starting Windows?
0
Comment
Question by:Jess31
24 Comments
 
LVL 7

Expert Comment

by:deisrobinson
ID: 33478131
If you have a snapshot of a previous time (Pre-Virus), you can roll back to then.
0
 
LVL 1

Author Comment

by:Jess31
ID: 33478220
unfortunately I don't
0
 
LVL 10

Expert Comment

by:Casey Herman
ID: 33478474
Do you know the flavor of virus?  IE is it the fake AV?  
0
 
LVL 7

Expert Comment

by:deisrobinson
ID: 33478546
What makes you think it's a virus?
0
 
LVL 10

Expert Comment

by:Casey Herman
ID: 33478566
Because that is what it said in the original question.
0
 
LVL 7

Expert Comment

by:deisrobinson
ID: 33478577
lol, not you. I was asking Jess31, just to verify that the VM does in fact have a virus.
0
 
LVL 10

Expert Comment

by:Casey Herman
ID: 33478582
Oh sorry..  ;)

0
 
LVL 28

Expert Comment

by:bgoering
ID: 33478777
You can install the VMware mount utility (http://downloads.vmware.com/d/details/disk_mount_utility_5_5_driver_tools/JSpiZGR0cGJkd2U=) in the host OS and mount the infected VM's disk as a drive letter on the host. From there use the antivirus that is installed on the host to scan the drive. After you clean it up unmount it from the host and bring your guest xp back up.

Good Luck
0
 
LVL 1

Author Comment

by:Jess31
ID: 33478998
Yes, I know it's a virus or suchlike, and this is what MSE reports on its flavor:

 TrojanDropper:Win32/Alureon.V
0
 
LVL 10

Expert Comment

by:Casey Herman
ID: 33479049
Is it stopping you from doing anything? I.e. can you run Malwarebytes on it? Normally I find that malware makes a registry entry in the RunOnce category and then it is linked to the Application Data folder for that user's particular profile.

I would try cleaning it up first. Is this VM running anything important?  Can it be backed up?
0
 
LVL 1

Author Comment

by:Jess31
ID: 33479106
bgoering:

I tried installing it three times.
Each time I get this message when it ends:
Install wizard completed

The wizard was interrupted before VMware DiskMount Utility
could be completely installed.
You system has not been modified. To complete installation at another time, please run setup again.
0
 
LVL 22

Expert Comment

by:optoma
ID: 33479224
0
 
LVL 28

Expert Comment

by:bgoering
ID: 33479397
Try to run the install as Administrator on Windows 7 or Vista. What OS is your host?
0
 
LVL 1

Author Comment

by:Jess31
ID: 33479416
Host is Windows 7
0
 
LVL 28

Accepted Solution

by:
bgoering earned 500 total points
ID: 33479429
Wait - Duh - you said you are using Workstation 7, I had originally read that as Windows 7. Anyway, the facilities are there (at least in Workstation 7.1, I kind of skipped 7.0 and rarely use the Workstation product anyway) to mount your disk to the host OS.

On the File menu there is an option to Map or Disconnect Virtual Disks

Use that wizard to mount your guest vmdk to the host. They have made it easier.

Good Luck
0
 
LVL 1

Author Comment

by:Jess31
ID: 33481749
So I tried mounting it. No problem doing that. But when I scanned it with Malwarebytes it found nothing. When I did it with MS Security Essentials it found loads of stuff but it was not able to do anything. I would attempt to remove it, clean it... but eventually it would fail (it seems like the mounted drive is locked in some way because I couldn't remove any of the stuff manually either). I ran SUPERAntiSpyware and it said it cleaned it (after rebooting, which is strange since after it reboots the drive is no longer mounted) but when I ran it again it still found things, so I'm not sure if it in fact removed anything.
Where do I go from here?
0
 
LVL 1

Author Comment

by:Jess31
ID: 33481958
I thought it was weird that Malwarebytes found nothing, so I ran an update in MB, and in fact it was very outdated. Then I ran MB and it did find items, but it could not remove them. It tells me to reboot to complete. But rebooting will lose the mounted drive. And I don't believe restarting the VM again will do much, as I tried it before and all it does is reboot after one minute.

Here is the list of MB:

Files Infected:
Z:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\M6YC960U\cpgfmhb[1].htm (Adware.BHO) -> Delete on reboot.
Z:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\M6YC960U\qghoquc[1].htm (Trojan.FakeAlert.Gen) -> Delete on reboot.
Z:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\NKJB242M\vmdkfnhp[1].htm (Trojan.Hiloti.Gen) -> Delete on reboot.
Z:\WINDOWS\W32gmsa.dll (Trojan.Hiloti.Gen) -> Delete on reboot.
Z:\WINDOWS\system32\aoacbj.dll (LSP.Hijacker) -> Delete on reboot.
Z:\WINDOWS\system32\gmcjv.dll (LSP.Hijacker) -> Delete on reboot.
Z:\WINDOWS\system32\gwlhinq.dll (LSP.Hijacker) -> Delete on reboot.
Z:\WINDOWS\system32\hotqs.dll (LSP.Hijacker) -> Delete on reboot.
Z:\WINDOWS\Temp\dotdu.exe (Trojan.Hiloti.Gen) -> Delete on reboot.
Z:\WINDOWS\Temp\fpnxk.exe (Adware.BHO) -> Delete on reboot.
Z:\WINDOWS\Temp\hfke.exe (Trojan.FakeAlert.Gen) -> Delete on reboot.


And this is the error I'm getting when starting Windows in the VM.
I get a box saying:
This system is shutting down. Please save all work in progress and log off.
Any unsaved changes will be lost.
This shutdown was intitiated by NT AUTHORITY\SYSTEM
The system process c:\windows\system32\services.exe termnated with status 0.
The system will now shutdown and restart.
0
 
LVL 28

Expert Comment

by:bgoering
ID: 33484493
Your vm guest should be powered down while mounting its disk to the host machine. I believe I saw an option to mount read/write or read only, make sure you are mounting it read write on the host - then I would just go and delete those files manually. You could also use registry editor on the host and use the "load hive" function to access the registry files to look for bad things in the run, run once, etc. registry keys.

Good Luck
0
 
LVL 1

Author Comment

by:Jess31
ID: 33485998
The VM is not running when I'm mounting it; I don't believe you can mount it while it is up.

I don't see any option for mounting it read/write.
0
 
LVL 10

Expert Comment

by:Casey Herman
ID: 33486036
I would just write a script to delete the above files on boot. Or manually delete them.
0
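The offline cleanup bgoering and Casey Herman describe (delete the listed files from the mapped disk, then load the guest's hive and review its Run/RunOnce keys), as an added PowerShell example that is not code from any poster in this thread. It assumes the guest vmdk is mapped read/write on the Windows 7 host as Z: (the drive letter in the Malwarebytes log above), that the VM is powered off, and that the shell is elevated; the file paths are the ones from the Malwarebytes list and the temporary hive name is arbitrary.

```powershell
# Added example, not from the thread: offline cleanup of the mapped XP guest disk from the host.
# Assumes the guest disk is mapped read/write as Z: (drive letter from the Malwarebytes log)
# and that this runs in an elevated PowerShell session while the VM is powered off.
$GuestRoot = 'Z:'

# Executable components Malwarebytes could only mark "Delete on reboot". With the disk mapped
# on the host, no guest process holds them open, so they can be moved out straight away.
$Infected = @(
    'WINDOWS\W32gmsa.dll',
    'WINDOWS\system32\aoacbj.dll',
    'WINDOWS\system32\gmcjv.dll',
    'WINDOWS\system32\gwlhinq.dll',
    'WINDOWS\system32\hotqs.dll',
    'WINDOWS\Temp\dotdu.exe',
    'WINDOWS\Temp\fpnxk.exe',
    'WINDOWS\Temp\hfke.exe'
)

foreach ($rel in $Infected) {
    $path = Join-Path $GuestRoot $rel
    if (Test-Path -LiteralPath $path) {
        # Quarantine on the host rather than deleting, so the samples stay available for analysis.
        $quarantine = Join-Path $env:TEMP ('xp-quarantine\' + ($rel -replace '[\\:]', '_'))
        New-Item -ItemType Directory -Force -Path (Split-Path $quarantine) | Out-Null
        Move-Item -LiteralPath $path -Destination $quarantine -Force
        Write-Host "Quarantined $path -> $quarantine"
    } else {
        Write-Host "Not present: $path"
    }
}

# Review the guest's autostart entries without booting it: load its SOFTWARE hive
# under a temporary key name (the "load hive" step bgoering mentions).
$HiveKey  = 'HKLM\XPGuestSoftware'   # arbitrary temporary name
$HivePath = Join-Path $GuestRoot 'WINDOWS\system32\config\software'
reg.exe load $HiveKey $HivePath | Out-Null
try {
    foreach ($sub in 'Run', 'RunOnce') {
        $key = "HKLM:\XPGuestSoftware\Microsoft\Windows\CurrentVersion\$sub"
        if (Test-Path $key) {
            Write-Host "== $sub =="
            # Each value is something the guest launches at logon; anything pointing at the
            # files above (or into Temp / Application Data) is a candidate for removal.
            Get-ItemProperty -Path $key | Select-Object * -ExcludeProperty PS* | Format-List
        }
    }
} finally {
    [GC]::Collect()                   # drop handles so the hive unloads cleanly
    reg.exe unload $HiveKey | Out-Null
}
```

The four LSP.Hijacker DLLs are also registered in the guest's Winsock catalog (under HKLM\SYSTEM\...\Services\WinSock2\Parameters), so removing the files alone can leave the guest with broken networking until the catalog is repaired once it boots again (netsh winsock reset). The three cached .htm files under Temporary Internet Files can be deleted the same way but are not autostart items.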
 
LVL 28

Expert Comment

by:bgoering
ID: 33486431
On Workstation 7.1 there is a check box - let me know if your version is different. You just uncheck it to mount read write. See picture.
Map-Virtual-Disk.jpg
0
 
LVL 1

Author Comment

by:Jess31
ID: 33487863
bgoering:
Ouch. You are so right. I'm on my way to the eye doctor.
0
 
LVL 28

Expert Comment

by:bgoering
ID: 33487952
LOL
0
 
LVL 10

Expert Comment

by:Casey Herman
ID: 33488121
Well done!  ;)
0