Solved

SYSVOL and NETLOGON affected by crypto virus

Posted on 2016-09-09
7
164 Views
Last Modified: 2016-09-11
Hi all

We have a SBS 2011 server and somehow the SYSVOL folder was affected by a crypto virus.

This is a server at a charity and they have only just noitced 10 days after it happened.

Is there a way i can recreate the items in these folders?

Thanks
0
Comment
Question by:David
  • 3
  • 3
7 Comments
 
LVL 18

Expert Comment

by:awawada
ID: 41792314
Do you have a backup of the Server?
0
 

Author Comment

by:David
ID: 41792317
we use Mozy to backup and even though the backup set for active directory has been selected i cant see that it would backup the sysvol folder?

The server is running fine. and there are only about 6 hardly used group policies
0
 

Author Comment

by:David
ID: 41792320
sorry also the windows file replication service- sysvol is selected
0
The Eight Noble Truths of Backup and Recovery

How can IT departments tackle the challenges of a Big Data world? This white paper provides a roadmap to success and helps companies ensure that all their data is safe and secure, no matter if it resides on-premise with physical or virtual machines or in the cloud.

 

Author Comment

by:David
ID: 41792511
i have restored a backup now, but was wondering if there was another way.
0
 
LVL 18

Accepted Solution

by:
awawada earned 500 total points
ID: 41792529
No, for Crypto virus & Co there is no other way.
0
 
LVL 17

Expert Comment

by:Learnctx
ID: 41792953
How is it possible that someone had write access to Sysvol? Someone needs to seriously audit that environment. Even scarier is the thought someone is running around using an account in domain admins as their day to day account...

Unfortunately though, backup is the only way unless a decryption tool has been released by the security community. There are quite a few of these available where they have been able to reverse engineer the cryto malware and engineer a decryption tool. You just need to see if your variant had such a too. But to me if a DC had been compromised in such a fashion I would be building a new environment from scratch and moving everyone over to it. You have no idea how badly the environment has been compromised.
0
 
LVL 18

Expert Comment

by:awawada
ID: 41793161
Thanks for the points and check with your Antivirus vendor if the Domain Controller is now clean.
0

Featured Post

Optimizing Cloud Backup for Low Bandwidth

With cloud storage prices going down a growing number of SMBs start to use it for backup storage. Unfortunately, business data volume rarely fits the average Internet speed. This article provides an overview of main Internet speed challenges and reveals backup best practices.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Issue: One Windows 2008 R2 64bit server on the network unable to connect to a buffalo Device (Linkstation) with firmware version 1.56. There are a total of four servers on the network this being one of them. Troubleshooting Steps: Connect via h…
This script can help you clean up your user profile database by comparing profiles to Active Directory users in a particular OU, and removing the profiles that don't match.
This tutorial will walk an individual through locating and launching the BEUtility application to properly change the service account username and\or password in situation where it may be necessary or where the password has been inadvertently change…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…

821 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question