Solved

recovering explorer.exe to sbs2003 server.

Posted on 2010-11-17
4
840 Views
Last Modified: 2012-05-10
Our AVG anti virus has identified an infection in the c:\windows\explorer.exe file.

We have been advised by AVG that this is a TDS Rootkit which requires the explorer.exe recovering from the original CD.

My question is what is the correct way to do this, and if the original file is an earlier version, will it impact the server having this restored in isolation? ie explorer.exe just on its own.

Any advise would be welcomed.

Many thansk.
0
Comment
Question by:nigelbeatson
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
4 Comments
 
LVL 8

Accepted Solution

by:
jfletchster earned 500 total points
ID: 34154124
You would be best to try and recover the file from DLLCACHE rather than the orignal CD as the CD version will not match the current running version after all the patchs SBS recives. I have never had to do this myself, but as far as I am aware DLLCACHE stores backup copies of files for recovery. The other option is to get windows to repair it its self which will use the DLLCACHE and ask for CD/extracted Service Pack files, for example if you are on SP2 you can extract the SP2 download and then see if there are files in there near your version of .exe
DLLCACHE can be found by enabling Hidden Files and Folders and Disabling 'Hide Protected System Files' C:\windows\system32\dllcache
Or use the auto repair command;
Start > Run > sfc /scannow
0
 

Author Comment

by:nigelbeatson
ID: 34154315
I am a little concerned about doing this, as the cache could be infected too.
0
 
LVL 8

Expert Comment

by:jfletchster
ID: 34154352
Run a scan on the .exe in the cache folder or a full folder scan with AVG
Also make sure you disable your Windows Recovery (System Restore Points) as virus' quite often hide in here.
If the cache is infected then download the last SP that you applyed to the server run it but dont install, it will extract all the data to a folder on the root of one of your hard disks with a random folder name like;
bgtrasssrebsreeeaasese
inside here will be a full extract of all the files in the SP, then run sfc /scannow and when it asks for replacement files point it at this dir
0
 

Author Closing Comment

by:nigelbeatson
ID: 34164914
Starting in safe mode and copying the file from DLLCACHE worked. Thanks.
0

Featured Post

Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I’m often asked about newer and larger USB drives connected to SBS2008 and 2011 failing Windows Server Backup vs the older USB drives not failing. As disk space continues to grow and drive technology change SBS2008 and some SBS2011 end up with the f…
You may have discovered the 'Compatibility View Settings' workaround for making your SBS 2008 Remote Web Workplace 'connect to a computer' section stops 'working around' after a Windows 10 client upgrade.  That can be fixed so it 'works around' agai…
There are cases when e.g. an IT administrator wants to have full access and view into selected mailboxes on Exchange server, directly from his own email account in Outlook or Outlook Web Access. This proves useful when for example administrator want…
Monitoring a network: why having a policy is the best policy? Michael Kulchisky, MCSE, MCSA, MCP, VTSP, VSP, CCSP outlines the enormous benefits of having a policy-based approach when monitoring medium and large networks. Software utilized in this v…

688 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question