Banload.AYD virused a Hyper-V Virtual Machine

[Bogdan Florin 0]

I have a Hyper-V Host machine with Windows 2019 called "mnhost02"
On this machine I have a Virtual Machine called "eMail" who is also Windows 2019 + Exchange 2019
the Windows Security Antivirus from Host mnhost02 detect the Trojan Downloader Banload.AYD on VM eMail and was unable to Quarantine or Remove since VM eMail was running. I stop it. Than the Win Security Antivirus from Host mnhost02 simply delete the virtual HDD of VM eMail machine creating BIIIIG problem.
Previous scanning VM eMail from inside with Win Security Antivirus does not show any infection !!!

It seems to be a Boot infection and Win Security within the infected machine eMail it is not seeing it.

Any suggestion how to remove a MBR Virus on a Virtual Machine ???

Your suggestion will be greatly appreciated.

[Bogdan Florin 0]

I use Data Deletion Recover Tool to recover .vhdx file of eMail VM machine .. but if I manage to mount back online .. I will still have the same TorjanDownloader - Banload.AYD issue who install himself to MBR.

[Marcos 5,074]

Please provide logs collected with ESET Log Collector from the machine where the threat was detected.

[Bogdan Florin 0]

Thank you for answering so fast.

I do not have ESET installed neither on Hyper-V HOST and neither on VM. Please advice.

Right now I'm recovering the VM.

Edited June 11, 2022 by Bogdan Florin

[itman 1,659]

Appears the OP is using a Microsoft AV on his Win 2019 Server installation.

As such, this posting in inappropriate for this forum. This issue should be directed to Microsoft for resolution.

[Bogdan Florin 0]

After I was able to recover deleted .vhdx file by Win Security Antivirus ... I get stuck in adding this file back to Virtual Machine in order to start.

All my problem begin because of the Banload.AYD who arrive somehow in VM EFI and MS Antivirus inside VM was unable to see it, only MS Antivirus from HOst was seing it and delete the VM  VHDX file.

 

Any help how to make this VM work after I recover deleted VHDX file ? it is massive stress on me since all Google Leads arrive in dead end. No Checkpoint, no backup, not very big experience with VM

[Bogdan Florin 0]

it is highly probable than NOD32 would behave the same under this circumstances.

I research all internet about Banload.AYD in MBR and there is absolute NO Documentation at all. but now my bigest problem is to make VM to work again, and than will have to solve the Trojan issue.

[Nightowl 202]

I doubt ESET will help you since it is Microsoft's AntiVirus which done all of this , I have no suggestions other than for Backup or making Windows Defender restore what it deleted and excluding the trojan so it doesn't get removed again by Defender and break the VM , and then installing ESET to see if it can help you in a better way without breaking the system like Defender has done. , better to be done while the internet is blocked from the VMs so the infections doesn't spread somehow.

Contact Microsoft Support they should assist you with this , since it's their product who has done this mayhem.

[Bogdan Florin 0]

Old machine is gone but rest of advises are welcomed and will be followed. We delete 25 years of email and contacts. That's tough.

As much I search Internet I NEVER found a solution who FIX a Recovered from Delete VM file. No one imagine this solution would be needed sometime somehow ?

[peteyt 393]

1 hour ago, Bogdan Florin said:

Old machine is gone but rest of advises are welcomed and will be followed. We delete 25 years of email and contacts. That's tough.

As much I search Internet I NEVER found a solution who FIX a Recovered from Delete VM file. No one imagine this solution would be needed sometime somehow ?

I don't think anyone will be able to provide you a solution on here as this forum is not a general computer form but for customers of Eset.

Your best bet would be trying something like the bleeping computer technical support forum or something similar. There are also Reddit it support groups