Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people, just like you, are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
Solved

recovering explorer.exe to sbs2003 server.

Posted on 2010-11-17
4
838 Views
Last Modified: 2012-05-10
Our AVG anti virus has identified an infection in the c:\windows\explorer.exe file.

We have been advised by AVG that this is a TDS Rootkit which requires the explorer.exe recovering from the original CD.

My question is what is the correct way to do this, and if the original file is an earlier version, will it impact the server having this restored in isolation? ie explorer.exe just on its own.

Any advise would be welcomed.

Many thansk.
0
Comment
Question by:nigelbeatson
  • 2
  • 2
4 Comments
 
LVL 8

Accepted Solution

by:
jfletchster earned 500 total points
ID: 34154124
You would be best to try and recover the file from DLLCACHE rather than the orignal CD as the CD version will not match the current running version after all the patchs SBS recives. I have never had to do this myself, but as far as I am aware DLLCACHE stores backup copies of files for recovery. The other option is to get windows to repair it its self which will use the DLLCACHE and ask for CD/extracted Service Pack files, for example if you are on SP2 you can extract the SP2 download and then see if there are files in there near your version of .exe
DLLCACHE can be found by enabling Hidden Files and Folders and Disabling 'Hide Protected System Files' C:\windows\system32\dllcache
Or use the auto repair command;
Start > Run > sfc /scannow
0
 

Author Comment

by:nigelbeatson
ID: 34154315
I am a little concerned about doing this, as the cache could be infected too.
0
 
LVL 8

Expert Comment

by:jfletchster
ID: 34154352
Run a scan on the .exe in the cache folder or a full folder scan with AVG
Also make sure you disable your Windows Recovery (System Restore Points) as virus' quite often hide in here.
If the cache is infected then download the last SP that you applyed to the server run it but dont install, it will extract all the data to a folder on the root of one of your hard disks with a random folder name like;
bgtrasssrebsreeeaasese
inside here will be a full extract of all the files in the SP, then run sfc /scannow and when it asks for replacement files point it at this dir
0
 

Author Closing Comment

by:nigelbeatson
ID: 34164914
Starting in safe mode and copying the file from DLLCACHE worked. Thanks.
0

Featured Post

Free Tool: Postgres Monitoring System

A PHP and Perl based system to collect and display usage statistics from PostgreSQL databases.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Add Email to my Outlook of another AD User 23 47
Domain Share problems 5 58
How do I remove a downed SBS 2008 server from my domain 6 66
Multiple Open Excel Spreadsheets 12 57
This guide is intended for migrating Windows 2003 Standard with Exchange 2003 to Windows Small Business Server 2008. You will need the following: Exchange Best Practice Analyzer: http://www.microsoft.com/downloads/details.aspx?FamilyID=DBAB201F-…
I’m often asked about newer and larger USB drives connected to SBS2008 and 2011 failing Windows Server Backup vs the older USB drives not failing. As disk space continues to grow and drive technology change SBS2008 and some SBS2011 end up with the f…
This video shows how to use Hyena, from SystemTools Software, to bulk import 100 user accounts from an external text file. View in 1080p for best video quality.
Nobody understands Phishing better than an anti-spam company. That’s why we are providing Phishing Awareness Training to our customers. According to a report by Verizon, only 3% of targeted users report malicious emails to management. With compan…

765 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question