Virus moved my database to folder "sqlservr.exe/con" folder with access denied


This topic contains 5 replies, has 3 voices, and was last updated by  zhabib 8 months, 3 weeks ago.


  • naushad_khan

    My server was working fine; today I suddenly was not able to connect to my database with my web application. When I logged into the server, I found many files of SQL Server were deleted. When I tried to search for my database .mdf and .ldf files, they were not there. I found an unknown folder has been created in “C:\Program Files (x86)\Microsoft SQL Server\110\Shared” named sqlservr.exe and I am not able to open it. I tried to recover my database files with the software “Recuva” and found both my .mdf and .ldf files are located in that “sqlservr.exe/con” folder. I was able to recover the .ldf file; however, the .mdf file showed as 0 KB and unrecoverable. I have attached a screenshot of the same. The last full backup I took was way back on 25thApr2018. Since then no full backup has been taken. Now the scenario is I have a one-month-old full backup and today's .ldf file.

    I want to know if there is any possibility of recovering my .mdf file from that virus folder or recovering my database with the one-month-old full backup and the current .ldf file.

    Any help will be greatly appreciated.


    Reinstall the server operating system, reinstall SQL Server and recover your database from backup. It's the only way to make sure you are infection free.

    Are you saying your last backup was a month ago? If so, that plus the log file should restore you. If you have more recent backups you have lost, you won't be able to restore past the last backup you have.


    Dear Ossian,

    I have a full backup of 26Apr2018 and I have only managed to recover the current .ldf file. What is the way to restore the database with the old full backup and the current .ldf file?


    As I asked previously, have any further backups been made since 26th April? If so, the log file will only contain transactions since the most recent backup.
    [EDIT] I am assuming the database is in the full recovery model?


    After 26Apr2018 no full backup has been executed on the server. The server crashed on 29May2018 and I have managed to recover only the .ldf file of the database. The .mdf file was converted to 0 KB by the virus and hidden under a folder. I am sure it is not 0 KB, it is only showing 0 KB, because most viruses convert files to 0 KB.

    The file is located under the “C:\Program Files (x86)\Microsoft SQL Server\110\Shared\sqlservr.exe\con” folder. I managed to rename the sqlservr.exe folder by changing the security permission and taking ownership of the folder. However, I am not able to change the security permission of the “con” folder. It gives me the error “the requested security information is either unavailable or cannot be displayed”.


    Have ANY backups (differential) been taken? The log file contains transactions since the last backup (except copy backups) – assuming the database is in full recovery model.
    Also, do you have backups of the system databases (master, msdb, model)? (You will need them to restore logins.)

    Regarding the folder, can you seize control (force change ownership)?
