?
Solved

recovering explorer.exe to sbs2003 server.

Posted on 2010-11-17
4
Medium Priority
?
846 Views
Last Modified: 2012-05-10
Our AVG anti virus has identified an infection in the c:\windows\explorer.exe file.

We have been advised by AVG that this is a TDS Rootkit which requires the explorer.exe recovering from the original CD.

My question is what is the correct way to do this, and if the original file is an earlier version, will it impact the server having this restored in isolation? ie explorer.exe just on its own.

Any advise would be welcomed.

Many thansk.
0
Comment
Question by:nigelbeatson
  • 2
  • 2
4 Comments
 
LVL 8

Accepted Solution

by:
jfletchster earned 2000 total points
ID: 34154124
You would be best to try and recover the file from DLLCACHE rather than the orignal CD as the CD version will not match the current running version after all the patchs SBS recives. I have never had to do this myself, but as far as I am aware DLLCACHE stores backup copies of files for recovery. The other option is to get windows to repair it its self which will use the DLLCACHE and ask for CD/extracted Service Pack files, for example if you are on SP2 you can extract the SP2 download and then see if there are files in there near your version of .exe
DLLCACHE can be found by enabling Hidden Files and Folders and Disabling 'Hide Protected System Files' C:\windows\system32\dllcache
Or use the auto repair command;
Start > Run > sfc /scannow
0
 
LVL 1

Author Comment

by:nigelbeatson
ID: 34154315
I am a little concerned about doing this, as the cache could be infected too.
0
 
LVL 8

Expert Comment

by:jfletchster
ID: 34154352
Run a scan on the .exe in the cache folder or a full folder scan with AVG
Also make sure you disable your Windows Recovery (System Restore Points) as virus' quite often hide in here.
If the cache is infected then download the last SP that you applyed to the server run it but dont install, it will extract all the data to a folder on the root of one of your hard disks with a random folder name like;
bgtrasssrebsreeeaasese
inside here will be a full extract of all the files in the SP, then run sfc /scannow and when it asks for replacement files point it at this dir
0
 
LVL 1

Author Closing Comment

by:nigelbeatson
ID: 34164914
Starting in safe mode and copying the file from DLLCACHE worked. Thanks.
0

Featured Post

Upgrade your Question Security!

Your question, your audience. Choose who sees your identity—and your question—with question security.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

You may have discovered the 'Compatibility View Settings' workaround for making your SBS 2008 Remote Web Workplace 'connect to a computer' section stops 'working around' after a Windows 10 client upgrade.  That can be fixed so it 'works around' agai…
Are you working to mount the dismounted Exchange 2013 database? Then the best course of action is to analyze the causes of Database issue, their probable solutions and decide for the appropriate course of action.
Free Data Recovery software is an advanced solution from Kernel Tools to recover data and files such as documents, emails, database, media and pictures, etc. It supports recovery from physical & logical drive after a hard disk crash, accidental/inte…
Watch the software video of Kernel Import PST to Office 365 tools which can easily import PST and OST files to Office 365 for bulk mailboxes. The process of migration is simple and user can map source and destination mailboxes and easily import data…

568 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question