Solved

recovering explorer.exe to sbs2003 server.

Posted on 2010-11-17
4
837 Views
Last Modified: 2012-05-10
Our AVG anti virus has identified an infection in the c:\windows\explorer.exe file.

We have been advised by AVG that this is a TDS Rootkit which requires the explorer.exe recovering from the original CD.

My question is what is the correct way to do this, and if the original file is an earlier version, will it impact the server having this restored in isolation? ie explorer.exe just on its own.

Any advise would be welcomed.

Many thansk.
0
Comment
Question by:nigelbeatson
  • 2
  • 2
4 Comments
 
LVL 8

Accepted Solution

by:
jfletchster earned 500 total points
ID: 34154124
You would be best to try and recover the file from DLLCACHE rather than the orignal CD as the CD version will not match the current running version after all the patchs SBS recives. I have never had to do this myself, but as far as I am aware DLLCACHE stores backup copies of files for recovery. The other option is to get windows to repair it its self which will use the DLLCACHE and ask for CD/extracted Service Pack files, for example if you are on SP2 you can extract the SP2 download and then see if there are files in there near your version of .exe
DLLCACHE can be found by enabling Hidden Files and Folders and Disabling 'Hide Protected System Files' C:\windows\system32\dllcache
Or use the auto repair command;
Start > Run > sfc /scannow
0
 

Author Comment

by:nigelbeatson
ID: 34154315
I am a little concerned about doing this, as the cache could be infected too.
0
 
LVL 8

Expert Comment

by:jfletchster
ID: 34154352
Run a scan on the .exe in the cache folder or a full folder scan with AVG
Also make sure you disable your Windows Recovery (System Restore Points) as virus' quite often hide in here.
If the cache is infected then download the last SP that you applyed to the server run it but dont install, it will extract all the data to a folder on the root of one of your hard disks with a random folder name like;
bgtrasssrebsreeeaasese
inside here will be a full extract of all the files in the SP, then run sfc /scannow and when it asks for replacement files point it at this dir
0
 

Author Closing Comment

by:nigelbeatson
ID: 34164914
Starting in safe mode and copying the file from DLLCACHE worked. Thanks.
0

Featured Post

ScreenConnect 6.0 Free Trial

At ScreenConnect, partner feedback doesn't fall on deaf ears. We collected partner suggestions off of their virtual wish list and transformed them into one game-changing release: ScreenConnect 6.0. Explore all of the extras and enhancements for yourself!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I work for a company that primarily works with small businesses as their outsourced IT vendor. As such the majority of these customers utilize some version of Small Business Server. Due to the economics of running a small business, many of these cus…
A quick step-by-step overview of installing and configuring Carbonite Server Backup.
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …

821 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question