Re: Automatic Updates options are greyed out, SBS 2003 and WSUS




jwpsconsulting@xxxxxxxxx wrote:
On Nov 6, 10:40 pm, jwpsconsult...@xxxxxxxxx wrote:
On Nov 6, 9:26 pm, "kj [SBS MVP]" <KevinJ....@xxxxxxxxxxxxxxxxxx>
wrote:



jwpsconsult...@xxxxxxxxx wrote:
On Nov 6, 6:13 pm, "Lanwench [MVP - Exchange]"
<lanwe...@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
jwpsconsult...@xxxxxxxxx wrote:
Administrator is logged in...the intrusion was
"GrayPigeon_Hacker.com.cn." It created 2 users in ADS(now
disabled), but seems to have instituted a policy I cannot change.

You weren't hacked - you've got a trojan.

http://www.google.com/search?hl=en&rlz=1B3GGGL_enUS212US212&q=GrayPig...

You need better antivirus software, it would seem! If you can't
find easy removal results, I would indeed consider the
flatten&reinstall route.

It's a modified Trojan that installed a Javascript Rootkit...I am
able to see it in the registry and in files hidden from the API.
I plan on going in tomorrow and booting to PE to remove any
compromised files and access, and I am confident that I can get it
all, but I am curious as to how to disable the policy that seems
to be in effect that is stopping me from accessing AU. I have
looked in the registry, modified the SYSOC.INF to show hidden
components so I could remove and re-install it, but it does not
appear. Anyone know a way around a policy when I am the Admin?

I would love to flatten the box to re-install it, but for the next
45 days, that is not an option...heavy duty production units that
cannot be offline for any amount of time until the current project
is out the door. I am confident in my ability to prevent further
intrusions, but am very vulnerable with WSUS and AU not able to
operate because of this policy blocking AU.

And I was actually hacked...there were 2 user accounts created with
profile folders in Docs and Settings with files in one of the
Pictures folders. I logged the IPs and am trying to follow it
backwards, but in the meantime I need updates on this box.

Any takers?

If you can use group policy results to identify the policy that is
blocking you, then you might be able to disable or delete the
policy file under sysvol. If it's embedded into a default domain or
default domain controller policy you might be able to use dcgpofix
to restore plain jane default domain and default domain controller
policies. You then might be able to restore your SBS ones from a
backup.

Just a thought that might get you through till you can wipe and
restore - which would be my first choice, after plugging the hole
that let the evil in that started this escapade.

--
/kj

That sounds feasible...I will give it a shot first thing in the AM.
It should be simple work to re-institute the group policies from the
default settings as I have a current backup. I will reply with the
result.

You, sir, are a God! The reset and reimplementation of the GPOs gave
me access to WSUS again and I was able to access AU. Once I switched
over to a member server I had the "New updates ready" balloon up and
all of the clients are current on updates.

If you are ever in Portland, Oregon I should hope you would drop me a
line so I can buy you a cold one!!!

Lucky or good, I'll take whatever I can get today. Pleased we were able to
help you out.

....and someday I will get to Portland!

--
/kj
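kj's suggestion above, to use Group Policy Results to identify the policy that is blocking Automatic Updates, can be scripted against the text that `gpresult /scope computer /v` prints. The following is an added example, not code from this thread: it parses a constructed sample of the Administrative Templates section (the GPO names and values are made up) and names the GPO behind each Windows Update policy value that disables or hides AU, so the admin knows which GPO to repair with dcgpofix or restore from backup.

```python
import re

# Constructed sample in the shape of the "Administrative Templates" section of
# `gpresult /scope computer /v`; the GPO names and values are invented.
SAMPLE_GPRESULT = r"""
        Administrative Templates
        ------------------------
            GPO: Default Domain Policy
                KeyName:     Software\Policies\Microsoft\Windows\WindowsUpdate\AU\NoAutoUpdate
                Value:       1, 0, 0, 0
                State:       Enabled

            GPO: Update Services Common Settings Policy
                KeyName:     Software\Policies\Microsoft\Windows\WindowsUpdate\AU\AUOptions
                Value:       4, 0, 0, 0
                State:       Enabled

            GPO: Default Domain Policy
                KeyName:     Software\Policies\Microsoft\Windows\WindowsUpdate\DisableWindowsUpdateAccess
                Value:       1, 0, 0, 0
                State:       Enabled
"""

WU_POLICY_PREFIX = r"Software\Policies\Microsoft\Windows\WindowsUpdate"

# Policy values that, when enabled with data 1, grey out or hide the AU control panel.
BLOCKING_VALUES = {"NoAutoUpdate", "DisableWindowsUpdateAccess"}

ENTRY_RE = re.compile(
    r"GPO:\s*(?P<gpo>.+?)\s*\n"
    r"\s*KeyName:\s*(?P<key>\S+)\s*\n"
    r"\s*Value:\s*(?P<value>[^\n]+?)\s*\n"
    r"\s*State:\s*(?P<state>\w+)"
)

def decode_dword(value_field):
    """gpresult prints REG_DWORD data as four little-endian bytes, e.g. '1, 0, 0, 0'."""
    parts = [int(p) for p in value_field.split(",")]
    return int.from_bytes(bytes(parts), "little")

def parse_admin_templates(text):
    """Return one dict (gpo, key, value, state) per registry entry in the section."""
    return [m.groupdict() for m in ENTRY_RE.finditer(text)]

def find_au_blockers(text):
    """Map each enabled AU-blocking policy value to the GPO that applied it."""
    blockers = {}
    for e in parse_admin_templates(text):
        if not e["key"].startswith(WU_POLICY_PREFIX):
            continue
        name = e["key"].rsplit("\\", 1)[-1]
        if name in BLOCKING_VALUES and e["state"] == "Enabled" and decode_dword(e["value"]) == 1:
            blockers[name] = e["gpo"]
    return blockers

if __name__ == "__main__":
    for name, gpo in find_au_blockers(SAMPLE_GPRESULT).items():
        print(f"{name} is forced on by GPO '{gpo}'")
```

On the real server, redirect `gpresult /scope computer /v > gpresult.txt` and feed that file to `find_au_blockers` instead of the sample.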

