
Banload.AYD infected a Hyper-V Virtual Machine



I have a Hyper-V host machine running Windows Server 2019 called "mnhost02".
On this machine I have a virtual machine called "eMail", which is also Windows Server 2019 + Exchange 2019.
The Windows Security antivirus on host mnhost02 detected the Trojan downloader Banload.AYD on VM eMail and was unable to quarantine or remove it since VM eMail was running. I stopped it. Then the Windows Security antivirus on host mnhost02 simply deleted the virtual HDD of the VM eMail machine, creating a BIG problem.
Previously, scanning VM eMail from inside with Windows Security antivirus did not show any infection!!!

It seems to be a boot infection, and Windows Security within the infected machine eMail is not seeing it.

Any suggestion on how to remove an MBR virus on a virtual machine???

Your suggestion will be greatly appreciated.


I used a data deletion recovery tool to recover the .vhdx file of the eMail VM, but if I manage to mount it back online, I will still have the same TrojanDownloader Banload.AYD issue, which installs itself to the MBR.



Thank you for answering so fast.

I do not have ESET installed on either the Hyper-V host or the VM. Please advise.

Right now I'm recovering the VM.

Edited by Bogdan Florin

It appears the OP is using a Microsoft AV on his Windows Server 2019 installation.

As such, this posting is inappropriate for this forum. This issue should be directed to Microsoft for resolution.


After I was able to recover the .vhdx file deleted by Windows Security antivirus, I got stuck adding this file back to the virtual machine in order to start it.

All my problems began because of Banload.AYD, which somehow arrived in the VM's EFI, and the MS antivirus inside the VM was unable to see it; only the MS antivirus on the host was seeing it, and it deleted the VM's VHDX file.

Any help on how to make this VM work after I recovered the deleted VHDX file? It is massive stress on me since all Google leads arrive at a dead end. No checkpoint, no backup, not very much experience with VMs :(

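The post above asks how to get the VM running again once the deleted VHDX has been recovered, and an earlier post notes that a scan from inside the guest saw nothing while the host's scan of the VHDX file did. The following is an added example, not code from the thread or from ESET or Microsoft, showing how a Hyper-V administrator would do the reattachment from PowerShell on the host: verify the recovered file, exclude it from the host AV so it is not deleted a second time, swap it in for the stale drive entry, fix the boot order, inspect the disk offline before booting it, and start the VM with its network disconnected. The VM name "eMail" comes from the thread; the recovered file path is hypothetical; the VM is assumed to be Generation 2 (UEFI), since the post speaks of "VM EFI".

```powershell
# Added example (not from the thread). Run in an elevated PowerShell on the Hyper-V host.
# Assumptions: VM name "eMail" (from the thread), Generation 2 VM (UEFI boot),
# and a hypothetical path to the file that the undelete tool produced.

$VmName    = 'eMail'
$Recovered = 'D:\Recovered\eMail.vhdx'   # hypothetical: wherever the recovery tool wrote the file

# 1. The VM must be off, and the recovered container must be structurally consistent.
#    An undelete that only got part of the file will fail here rather than at boot.
Stop-VM -Name $VmName -Force -ErrorAction SilentlyContinue
if (-not (Test-VHD -Path $Recovered)) {
    throw "Test-VHD failed on $Recovered; the undelete did not yield a consistent VHDX."
}
Get-VHD -Path $Recovered | Select-Object VhdFormat, VhdType, Size, FileSize, ParentPath

# 2. Exclude the VHDX and the VM's configuration folder from the host AV *before*
#    attaching it, so the host does not delete the file again once the VM is running.
#    These are narrow path exclusions on the host only, not a blanket drive exclusion.
Add-MpPreference -ExclusionPath $Recovered
Add-MpPreference -ExclusionPath (Get-VM -Name $VmName).ConfigurationLocation

# 3. The VM config still references the deleted path. Remove every drive entry whose
#    file no longer exists, then attach the recovered file in its place.
Get-VMHardDiskDrive -VMName $VmName |
    Where-Object { -not (Test-Path -LiteralPath $_.Path) } |
    Remove-VMHardDiskDrive
Add-VMHardDiskDrive -VMName $VmName -ControllerType SCSI -ControllerNumber 0 `
    -ControllerLocation 0 -Path $Recovered

# 4. Gen 2 firmware boots whichever device is listed first; point it at the new drive.
$bootDrive = Get-VMHardDiskDrive -VMName $VmName | Where-Object Path -eq $Recovered
Set-VMFirmware -VMName $VmName -FirstBootDevice $bootDrive

# 5. Inspect the disk from the host without running the guest. A read-only mount
#    exposes the partitions (EFI system partition included) to the host, which is the
#    vantage point from which the detection was made in the first place; the guest's
#    own AV runs on top of whatever is in that boot code and cannot be trusted to see it.
$disk = Mount-VHD -Path $Recovered -ReadOnly -NoDriveLetter -Passthru | Get-Disk
Get-Partition -DiskNumber $disk.Number |
    Select-Object PartitionNumber, Type, GptType, Size
# (scan the mounted volumes from the host here, then release the file)
Dismount-VHD -Path $Recovered

# 6. First boot with no network, so nothing the guest still carries can reach out.
Get-VMNetworkAdapter -VMName $VmName | Disconnect-VMNetworkAdapter
Start-VM -Name $VmName
```

Two points on the design. The exclusions in step 2 are deliberately limited to the one VHDX and the VM's configuration folder; Microsoft publishes a broader list of recommended Hyper-V host exclusions (virtual disk and VM state file types, and the Hyper-V service processes), and applying that documented list on every Hyper-V host is what prevents this class of incident rather than a per-VM fix after the fact. Step 5 is the part that addresses the "invisible from inside" observation: a boot-sector or EFI-resident component runs before the guest OS and its antivirus do, so the only scan with a clean vantage point is one taken from outside the guest, over the mounted disk, which is exactly the view the host AV had when it flagged the file.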

It is highly probable that NOD32 would behave the same under these circumstances.

I researched the whole internet about Banload.AYD in the MBR and there is absolutely NO documentation at all. But now my biggest problem is to make the VM work again, and then I will have to solve the Trojan issue.



I doubt ESET will help you, since it is Microsoft's antivirus which did all of this. I have no suggestions other than restoring from backup, or making Windows Defender restore what it deleted and excluding the trojan so it doesn't get removed again by Defender and break the VM, and then installing ESET to see if it can help you in a better way without breaking the system like Defender has done. Better to do this while the internet is blocked from the VMs so the infection doesn't spread somehow.

Contact Microsoft Support; they should assist you with this, since it's their product which has done this mayhem.


The old machine is gone, but the rest of the advice is welcome and will be followed. We deleted 25 years of email and contacts. That's tough.

As much as I search the internet, I have NEVER found a solution that FIXES a VM file recovered from deletion. Did no one imagine this solution would be needed sometime, somehow?


1 hour ago, Bogdan Florin said:

The old machine is gone, but the rest of the advice is welcome and will be followed. We deleted 25 years of email and contacts. That's tough.

As much as I search the internet, I have NEVER found a solution that FIXES a VM file recovered from deletion. Did no one imagine this solution would be needed sometime, somehow?

I don't think anyone will be able to provide you a solution on here, as this forum is not a general computer forum but one for customers of ESET.

Your best bet would be trying something like the Bleeping Computer technical support forum or something similar. There are also Reddit IT support groups.

