Image Work System Possible Virus

On my work computer on a virtual machine I believe I have a virus. All scans come up clean for MSE and many, many, many other scanners both on the host and the VMs.

The hits are always on the VHD files inside the zips on the backups (MS) and only when I open a certain VM. That nights scan hits on the virus on the USB backup drive as mentioned above.

Honestly I have tried every scanner I could find including root kits and nothing.

My IT resources gave up and decided to send me a new HDD and USB since we are all remote.

My REAL problem is that I need to get files are need off the machine to transfer. I thought evernote would be good for this. This was tedious and I need a better way. I thought a mountable drive image like Acronis but that introduces the possibility of transfer the virus. (I think)

Any advice?
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Nick RhodeIT DirectorCommented:
You can refer to this article for virus removal methods:

Could be in the boot sector of the VM which a typical scanner might not detect so you would follow the boot sector section.
mohrkAuthor Commented:
Hadn't thought about the MBR thing. I will do that.

I guess all 6 VMs since I am not sure which one?
mohrkAuthor Commented:
Yeah the problem is getting worse. After many additional scans including MBRs, MSSE came up with an infection on the OS drive and required a reboot to fix. This is a new symptom and I think it is really time to "go-for it".

I am really back to the original question I need an easy way to snap-shot the drive onto a mountable image and not worry about recontaminating the new HDD if I need to pull off any files. Using sky-drive to store and mount the image sounds appealing but I think with the sync thing there may be an issue? I can attach to the local version but what does sky-drive sync think when it can't get to the image/file?

Did I mention that the VPN my employer requires for just about any access to company resources and the individual customers that use various forms of VPN's Citrix and other portals to access their systems makes it hugely inconvenient to use my network resources to store and use the image? So it needs to be thought of in terms of 1 local drive and one USB backup drive for Windows Backup which insists it needs the entire physical drive.

Some of this stuff (backup and MSSE I know for sure) is monitored.
Newly released Acronis True Image 2019

In announcing the release of the 15th Anniversary Edition of Acronis True Image 2019, the company revealed that its artificial intelligence-based anti-ransomware technology – stopped more than 200,000 ransomware attacks on 150,000 customers last year.

Will give my input and see what you think...

1) You need to clean the existing drive first regardless - if the original isn't clean then producing an image to be able to mount it isn't going to guarantee you are safe no matter what AV products have you scanned with? If MSE found something on a recent scan that it didn't find the first time that probably means its either not finding the root infection...or it can't clean it properly...

2) Use paid for AV products - we use Vipre( - download the 30 daay trial and let it scan the existing system and see what it reports

3) As for cloning I can't see a reason to put this image in the locally as its much faster - here are some of the more common packages for cloning...Reflect I've used before and it allows you to mount after image -

I agree that you need to get a USB drive for the image...don't see any reason this won't work for you but if so let us know why...

But if the original system isn't clean then the image isn't like I said its hard to guarantee you aren't going to pass the infection after lifting the data files...but scan the main data files as a minimum and if they pass then usually that means you should be ok

Apologies if I missed anything...
mohrkAuthor Commented:

Thank you for the response. I tried ESET the other day and after hours of scanning it found 3 hits on some pretty nasty ones. I was confident that this was going to be the last of it because it was the only one besides MSSE that found the hit in the archive of the backup on the USB drive (*.zip something or other that MS likes to have fun hiding) A day or so later MSSE comes up with more hits and it is scanning right now because the "preliminary scan" found something. I am guessing RootKit or MBR at this point. A reboot last night and a something this morning is found so it kind of fits that.

I have not seen a real stubborn rootkit before, not that infections are common with me but I have kids who won't learn that P2P does not come without a price.

Beside trying everything on my own, seeking out online scanners and such. I have hit a few pages such as this one and really only succeeded downloading more applications for little if no gain. This is a corporate PC after all.

The skydrive was a one file at a time deal. I had given up on the image as I think you are right about re-infection. I'll try Vipre if I haven't already said that.

By the way I think the infection originated from a VPC we all have for various VPN and portal solutions with our customers that tend to conflict. I really don't want to take the time to doe this aggressive scanning 5 times but is anything but file scan going to avaid that?
When you say 'found the hit in the archive of the backup on the USB drive (*.zip something or other that MS likes to have fun hiding)'

Are you saying that a particular ZIP file is infected? Do you know what is in that zip file? Or do you mean this is a file from a backup product that is being scanned and finding infections?

Just want to get the info right so excuse the stupid questions...

Is this a machine that is infected or a backup image? Or both?

ESET is a decent scanner for sure...I only pushed Vipre since I use/know it better...but if ESET is finding infections and can't clean that could be because they are in a zip file...what does the zip contain is the next question and is it worth keeping?
mohrkAuthor Commented:
Originally the only place anything was found was in a backup on the USB drive in a Zip on a file with a .VHD extension.

The file name was a good indication of which virtual PC it came from but scans of it failed to find anything. Scans of the OS drive failed to find anything.

To be honest, and I am sorry I left this bit of probably crucial information out, an email came through a week or two ago that looked very much as if it had come internally and I opened the zip. I won't bore you about the what and why. I contacted my IT staff and their advice was to run scans and of course nothing. So here I am with probably a FP in the beginning and now a real problem which is probably a secondary infection.

So, the original question. Some way to get the files off maybe batch scan them? and ditch the the HDD and USB for the new hardware that was sent.
Right, I missed your first line where you said 'virtual' so my fault

What scanner detected the issue in the VHD?
What AV WAS installed on the virtual machine prior to you starting work on this current issue?

Reason I ask is it appears you have a backup image which is infected...but the live machine doesn't show any possibly whatever it was the current AV detected it and cleaned the live machine...

The zip you opened from email - yep that sounds like the infection...thing about infections these days is on the day its opened it might not be detected...its later it rears its ugly head and causes issues(or put another way later definitions on the AV then detect said infection and that's why you only see it a few days/week later)

At this point I can't see any point cleaning the VHD...clean the live system with one of the AV's mentioned and you should be ok I think, is the live system still running or are you not able to boot it up?
mohrkAuthor Commented:
All the virtuals and the host machines run MSSE.

Maybe you missed the last part? About opening the email zip and the current symptoms appeared afterward?

I think this is another or a real infection.
Nope I read that part as well! What is the question again? I simply meant after opening the email/zip attachment that MSSE didn't see an issue, cause it didn't know what it was...that is all I meant

End of the day you need to scan the live system, scanning the backups I don't think will make any difference but maybe I'm mistaken...

If you want to continue with the backups then cool, but you need to extract the contents first I think, then run a file scan like you mentioned, then you are ok...
Just to add...

I clean up various infected machines during the week...there are times when the scans don't run on the live system(due to the level of the infection) and I pull the drive from the host machine and connect as slave to another pc with all the tools for scanning on it...

This does 2 things

1) Since some infections run live in memory this eliminates them from starting
2) Since those said infections are dormant it leaves things easier to clean overall...

So back to your original question - scanning the backup image is probably a good idea if you can't confirm that the live one is totally need to connect it to another machine and make sure that machine is not connected to network etc etc...also be aware that if you happen to run into a virus that can pass to the live system(i.e. when you copy data etc) that the machine you are using to do the clean may need to be wiped after the job - again rare but I'm just saying you need to be aware of all the possibilities...

Just thought I'd throw that in the mix...

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
mohrkAuthor Commented:
Good idea about the sacrificial machine. The drives are bitlockered because of the type of work I do. How does that play into it? Yes I have the keys to both the USB and the main HDD.

I think you are right this would be the best bet, I was going to go for a boot disk cleaner thing but maybe jump to this step instead.

I think in the end I will need to install the new drive and USB that was sent.

I think let me know about this last post and we should call it quits. I appreciate the assistance.
Oh, encryption...don't bump into that too often so might not be much help with that one...

The one last way you could do this is get the data off the live system to a slave drive(USB if that will work)

Then once you've all you need take that and scan with another machine and see what it I mentioned once its a slave drive the infection shouldn't launch and the scanner can do what it likes to the files in this I think you'll have better luck with that...always scan offline(meaning disconnect from internal network) just to be safe...
btanExec ConsultantCommented:
i was thinking if offline dd of the bitlocker drive will be possible and from the dd image make it into a vmware machine for any live view checks safely (hopefully the virus is not a vm aware one or one that can break out of the vm machine). Then mount a bootable LiveCD iso first via the vm (just like the first bootable is a CD or DVD) that can scan virus with the clear plain volume acquired as the image for targeted vm. And start grabbing those file you need offline and perform another scan of those files into the thumbdrive also mounted by the iso

BitLocker: how to image

LiveView creates a VMware virtual machine out of a raw (dd-style) disk image or physical disk.

Use Malwarebytes Chameleon to install Malwarebytes Anti-Malware on an already infected system


The ULTIMATE Boot Cd for Windows
btanExec ConsultantCommented:
May be outdated ... but see the EE for VHD scanning if applicable
mohrkAuthor Commented:
OK, complexity level has gone up a few notches. Let me see if I got this straight

Image the BL drive with dd (the Linux utility?) . Create and store this iso where?
The applications for the dd "style" iso are in the wiki?
Another app to create the VM on sourceforge where do I put this VM? Same place as the iso I guess.
Lastly from the VM I assume (?)  use one of the applications to load and scan the machine.

On another track I can mount a vhd as in diskmgmt.msc? and scan which will be more effective than just scanning the vhd as a file.
Can't see the point of creating an image of this...maybe @breadtan is confused - the system that is infected breadtan is already a at this point all that is needed is an offline scan of that VHD...unless I misread something

To answer your last question @morik...scanning the VHD itself is need to mount it like you said in diskmanagement and scan then...

This bitlocker thing - is that not on the host machine? Is the VM itself also encrypted? If so then what @breadtan is suggesting probably gets around that issue(i.e. if you can't just mount the VHD on another machine and see its contents)

If however you CAN mount this VHD and read its contents on another machine then you are already half way to getting to a solution as all you need to do now is scan it...hit it with ESET and another just to be sure if you want
btanExec ConsultantCommented:
all in all it is to get the data out and if so, retrieve from the machine and scan it before use. There is no use of the infected machine as I will not trust it state and will rebuild it.

The scheme of using VM and ISO is more from forensic angle if you do not want to touch the physical machine and still have a virtual environment to understand the malware doings...scanning VHD file itself is useless as AV will not "see" the malware but scanning the VHD when it is running will be idea if the scanner is at hypervisor level. I recall VMware has AV virtual appliance that is running such to scan guest VM running image.

Just few cents worth - apologies if I complicate the matters
mohrkAuthor Commented:
OK, I think I did one (or more) thing wrong. I did mount the vhd file and scanned it but on the potentially infected machine. There is only one vhd file (that I can find) I have 6 VMs is it shared?

breadtan - no apologies necessary this is a learning experience for me as well assistance. Still I have the basic question of where can the iso/vm  live without possibly infected the host machine?

I just wanted to say that there may be 2 infections incidents here (!) one in the XP mode VM and probably another on the host after opening a fake file attached to an email (can't believe I got caught)
Feck...if the host and the vm are infected you've a lot of work to do...

End of the day I really think you need to take the HOST drive out - connect to another machine, scan it - once cleaned then you can move to the VHD's - mount them, as breadtan said scanning the VHD as a flat file is either needs to be live running or mounted so that the scanner can see the contents of the drive...

I don't know of any shortcuts to this either, time to bite the bullet and go offline and start your scanning

But...if you really want to chance a shortcut this is it - mount the VHD - copy the data you need - once copied(to USB/other drive) take that to a machine as a slave drive and scan it...
btanExec ConsultantCommented:
Iso of the vm need to run live  for scanning to be effective , at least to my best knowledge. Another is take out the hdd and take it as second data drive and use another machine to scan it as secondary hdd but as it is bitlocker based hence make it tougher unless you disable bitlocker for time being.

As for the attachment I see rightfully the email exchange should be doing some scanning before delivering and seems like that evaded the scan or likely no such capability in it. Password protected is not allow for web email if I recalled so I suspect the sender can be eother botnet based or through other means to deliver
mohrkAuthor Commented:
OK everyone I think I am good.

I am reasonable confident that I have enough information to get the files off the machine safely and do what I can to prevent cross-contamination.

I appreciate all of your assistance.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Anti-Virus Apps

From novice to tech pro — start learning today.