SYSVOL and NETLOGON affected by crypto virus

Posted on 2016-09-09
Last Modified: 2016-09-11
Hi all

We have a SBS 2011 server and somehow the SYSVOL folder was affected by a crypto virus.

This is a server at a charity and they have only just noitced 10 days after it happened.

Is there a way i can recreate the items in these folders?

Question by:David
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
LVL 18

Expert Comment

ID: 41792314
Do you have a backup of the Server?

Author Comment

ID: 41792317
we use Mozy to backup and even though the backup set for active directory has been selected i cant see that it would backup the sysvol folder?

The server is running fine. and there are only about 6 hardly used group policies

Author Comment

ID: 41792320
sorry also the windows file replication service- sysvol is selected
Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!


Author Comment

ID: 41792511
i have restored a backup now, but was wondering if there was another way.
LVL 18

Accepted Solution

awawada earned 500 total points
ID: 41792529
No, for Crypto virus & Co there is no other way.
LVL 17

Expert Comment

ID: 41792953
How is it possible that someone had write access to Sysvol? Someone needs to seriously audit that environment. Even scarier is the thought someone is running around using an account in domain admins as their day to day account...

Unfortunately though, backup is the only way unless a decryption tool has been released by the security community. There are quite a few of these available where they have been able to reverse engineer the cryto malware and engineer a decryption tool. You just need to see if your variant had such a too. But to me if a DC had been compromised in such a fashion I would be building a new environment from scratch and moving everyone over to it. You have no idea how badly the environment has been compromised.
LVL 18

Expert Comment

ID: 41793161
Thanks for the points and check with your Antivirus vendor if the Domain Controller is now clean.

Featured Post

Office 365 Training for IT Pros

Learn how to provision Office 365 tenants, synchronize your on-premise Active Directory, and implement Single Sign-On.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article outlines the process to identify and resolve account lockout in an Active Directory environment.
This article describes my battle tested process for setting up delegation. I use this process anywhere that I need to setup delegation. In the article I will show how it applies to Active Directory
This tutorial will give a short introduction and overview of Backup Exec 2012 and how to navigate and perform basic functions. Click on the Backup Exec button in the upper left corner. From here, are global settings for the application such as conne…
This tutorial will walk an individual through setting the global and backup job media overwrite and protection periods in Backup Exec 2012. Log onto the Backup Exec Central Administration Server. Examine the services. If all or most of them are stop…

739 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question