Bogdan Florin, Posted June 11, 2022

I have a Hyper-V host machine with Windows 2019 called "mnhost02". On this machine I have a virtual machine called "eMail" which is also Windows 2019 + Exchange 2019. The Windows Security Antivirus from host mnhost02 detected the Trojan Downloader Banload.AYD on VM eMail and was unable to quarantine or remove it since VM eMail was running. I stopped it. Then the Win Security Antivirus from host mnhost02 simply deleted the virtual HDD of the VM eMail machine, creating a BIIIIG problem. Previous scanning of VM eMail from inside with Win Security Antivirus does not show any infection!!! It seems to be a boot infection and Win Security within the infected machine eMail is not seeing it. Any suggestion how to remove an MBR virus on a virtual machine??? Your suggestion will be greatly appreciated.
Bogdan Florin (Author), Posted June 11, 2022

I use Data Deletion Recover Tool to recover the .vhdx file of the eMail VM machine... but if I manage to mount it back online... I will still have the same TrojanDownloader Banload.AYD issue, which installs itself to the MBR.
Marcos (Administrators), Posted June 11, 2022

Please provide logs collected with ESET Log Collector from the machine where the threat was detected.
Bogdan Florin (Author), Posted June 11, 2022 (edited)

Thank you for answering so fast. I do not have ESET installed on either the Hyper-V host or the VM. Please advise. Right now I'm recovering the VM.

Edited June 11, 2022 by Bogdan Florin
itman, Posted June 11, 2022

It appears the OP is using a Microsoft AV on his Win 2019 Server installation. As such, this posting is inappropriate for this forum. This issue should be directed to Microsoft for resolution.
Bogdan Florin (Author), Posted June 11, 2022

After I was able to recover the .vhdx file deleted by Win Security Antivirus... I got stuck in adding this file back to the virtual machine in order to start it. All my problems began because of the Banload.AYD, which arrived somehow in the VM EFI, and the MS Antivirus inside the VM was unable to see it; only the MS Antivirus from the host was seeing it, and it deleted the VM VHDX file. Any help how to make this VM work after I recovered the deleted VHDX file? It is massive stress on me since all Google leads arrive at a dead end. No checkpoint, no backup, not very big experience with VMs.
Bogdan Florin (Author), Posted June 11, 2022

It is highly probable that NOD32 would behave the same under these circumstances. I researched all the internet about Banload.AYD in the MBR and there is absolutely NO documentation at all. But now my biggest problem is to make the VM work again, and then I will have to solve the Trojan issue.
Nightowl (Most Valued Members), Posted June 12, 2022

I doubt ESET will help you since it is Microsoft's antivirus which has done all of this. I have no suggestions other than for backup, or making Windows Defender restore what it deleted and excluding the trojan so it doesn't get removed again by Defender and break the VM, and then installing ESET to see if it can help you in a better way without breaking the system like Defender has done. Better to be done while the internet is blocked from the VMs so the infection doesn't spread somehow. Contact Microsoft Support, they should assist you with this, since it's their product which has done this mayhem.
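The two practical steps raised in the thread, reattaching a recovered VHDX to the VM (Bogdan's question) and keeping the host antivirus and the network away from it while it is being cleaned (Nightowl's advice), can be done from PowerShell on the Hyper-V host. The script below is an added example and is not code from this thread, from ESET or from Microsoft; the VM name "eMail" comes from the thread, the VHDX path is a placeholder, and the Defender exclusion list is the one Microsoft publishes for Hyper-V hosts. Run it elevated on the host.

```powershell
# Added example (not from the thread): validate a recovered VHDX, inspect it
# offline, reattach it to an isolated Hyper-V VM, and stop the host's Defender
# from scanning VM disk files again. Run as Administrator on the Hyper-V host.

$VmName = 'eMail'                                            # VM name from the thread
$Vhdx   = 'D:\Hyper-V\eMail\Virtual Hard Disks\eMail.vhdx'   # PLACEHOLDER path, adjust

# 1. Validate the recovered file before attaching it. Test-VHD checks the VHDX
#    metadata and parent chain, so undelete damage shows up here, not at boot.
if (-not (Test-VHD -Path $Vhdx)) {
    throw "Recovered disk failed validation: $Vhdx"
}
Get-VHD -Path $Vhdx | Select-Object VhdFormat, VhdType, Size, FileSize, ParentPath

# 2. Inspect the partition layout offline, read-only and without booting it,
#    to confirm the GPT/EFI layout survived the undelete.
$disk = Mount-VHD -Path $Vhdx -ReadOnly -NoDriveLetter -PassThru | Get-Disk
$disk | Get-Partition | Select-Object PartitionNumber, GptType, Size, IsSystem, IsBoot
Dismount-VHD -Path $Vhdx

# 3. Keep the VM off every virtual switch until the guest has been cleaned;
#    this is the "internet blocked from the VM" step from the thread.
Get-VMNetworkAdapter -VMName $VmName | Disconnect-VMNetworkAdapter

# 4. Attach the disk and make it the first boot device. Generation 2 VMs
#    (UEFI, as described in the thread) use SCSI; Generation 1 uses IDE.
$vm = Get-VM -Name $VmName
if ($vm.Generation -eq 2) {
    $drive = Add-VMHardDiskDrive -VMName $VmName -ControllerType SCSI -Path $Vhdx -Passthru
    Set-VMFirmware -VMName $VmName -FirstBootDevice $drive
    (Get-VMFirmware -VMName $VmName).BootOrder | Select-Object BootType, Device
} else {
    Add-VMHardDiskDrive -VMName $VmName -ControllerType IDE -ControllerNumber 0 `
        -ControllerLocation 0 -Path $Vhdx
    Set-VMBios -VMName $VmName -StartupOrder @('IDE', 'CD', 'LegacyNetworkAdapter', 'Floppy')
}

# 5. Host-side Defender must not scan VM disk files; scanning belongs inside
#    the guest. These are the file types and processes Microsoft documents as
#    recommended exclusions on Hyper-V hosts.
Add-MpPreference -ExclusionExtension vhd, vhdx, avhd, avhdx, vsv, iso, rct, vmcx, vmrs
Add-MpPreference -ExclusionPath (Split-Path $Vhdx -Parent)
Add-MpPreference -ExclusionProcess 'vmms.exe', 'vmwp.exe', 'vmcompute.exe'

# 6. Record what the host Defender actually did to the file (quarantined or
#    removed) and list anything still restorable from quarantine.
Get-MpThreatDetection |
    Where-Object { $_.Resources -match [regex]::Escape($Vhdx) } |
    Select-Object InitialDetectionTime, ThreatID, ActionSuccess, Resources
& "$env:ProgramFiles\Windows Defender\MpCmdRun.exe" -Restore -ListAll
```

The exclusions in step 5 only stop the host from deleting disk images; they do not clean anything. A boot-sector or EFI partition infection is outside what the running guest's antivirus inspects, so the disk should be examined while mounted read-only from a clean system (step 2 is the place to do that), and the VM should stay disconnected until that has been done or the guest has been rebuilt from known-good media.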
Bogdan Florin (Author), Posted June 16, 2022

The old machine is gone, but the rest of the advice is welcomed and will be followed. We deleted 25 years of email and contacts. That's tough. As much as I search the Internet I NEVER found a solution which FIXES a VM file recovered from deletion. Did no one imagine this solution would be needed sometime, somehow?
peteyt (Most Valued Members), Posted June 16, 2022

1 hour ago, Bogdan Florin said:
"The old machine is gone, but the rest of the advice is welcomed and will be followed. We deleted 25 years of email and contacts. That's tough. As much as I search the Internet I NEVER found a solution which FIXES a VM file recovered from deletion. Did no one imagine this solution would be needed sometime, somehow?"

I don't think anyone will be able to provide you a solution on here, as this forum is not a general computer forum but for customers of ESET. Your best bet would be trying something like the Bleeping Computer technical support forum or something similar. There are also Reddit IT support groups.