?
Solved

recovering explorer.exe to sbs2003 server.

Posted on 2010-11-17
4
Medium Priority
?
841 Views
Last Modified: 2012-05-10
Our AVG anti virus has identified an infection in the c:\windows\explorer.exe file.

We have been advised by AVG that this is a TDS Rootkit which requires the explorer.exe recovering from the original CD.

My question is what is the correct way to do this, and if the original file is an earlier version, will it impact the server having this restored in isolation? ie explorer.exe just on its own.

Any advise would be welcomed.

Many thansk.
0
Comment
Question by:nigelbeatson
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
4 Comments
 
LVL 8

Accepted Solution

by:
jfletchster earned 2000 total points
ID: 34154124
You would be best to try and recover the file from DLLCACHE rather than the orignal CD as the CD version will not match the current running version after all the patchs SBS recives. I have never had to do this myself, but as far as I am aware DLLCACHE stores backup copies of files for recovery. The other option is to get windows to repair it its self which will use the DLLCACHE and ask for CD/extracted Service Pack files, for example if you are on SP2 you can extract the SP2 download and then see if there are files in there near your version of .exe
DLLCACHE can be found by enabling Hidden Files and Folders and Disabling 'Hide Protected System Files' C:\windows\system32\dllcache
Or use the auto repair command;
Start > Run > sfc /scannow
0
 

Author Comment

by:nigelbeatson
ID: 34154315
I am a little concerned about doing this, as the cache could be infected too.
0
 
LVL 8

Expert Comment

by:jfletchster
ID: 34154352
Run a scan on the .exe in the cache folder or a full folder scan with AVG
Also make sure you disable your Windows Recovery (System Restore Points) as virus' quite often hide in here.
If the cache is infected then download the last SP that you applyed to the server run it but dont install, it will extract all the data to a folder on the root of one of your hard disks with a random folder name like;
bgtrasssrebsreeeaasese
inside here will be a full extract of all the files in the SP, then run sfc /scannow and when it asks for replacement files point it at this dir
0
 

Author Closing Comment

by:nigelbeatson
ID: 34164914
Starting in safe mode and copying the file from DLLCACHE worked. Thanks.
0

Featured Post

Free Tool: Port Scanner

Check which ports are open to the outside world. Helps make sure that your firewall rules are working as intended.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This guide is intended to provide step by step instructions on how to migrate from Small Business Server 2003 to Small Business Server 2011. NOTE: This guide has been written using the preview version of SBS2011 therefore some of the screens may …
I work for a company that primarily works with small businesses as their outsourced IT vendor. As such the majority of these customers utilize some version of Small Business Server. Due to the economics of running a small business, many of these cus…
In this video, Percona Director of Solution Engineering Jon Tobin discusses the function and features of Percona Server for MongoDB. How Percona can help Percona can help you determine if Percona Server for MongoDB is the right solution for …
In this video, Percona Solutions Engineer Barrett Chambers discusses some of the basic syntax differences between MySQL and MongoDB. To learn more check out our webinar on MongoDB administration for MySQL DBA: https://www.percona.com/resources/we…
Suggested Courses

765 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question