Windows active server advice?
My village police department has a network consisting of a windows 2003 server, and a workstation (more to be added later if they get a budget.) I cleaned a rootkit virus off the workstation with Combofix and the networking works again. I can bring up all sorts of locations on the internet. I can ping the server. I can net view the server. The server is DHCPing an address (the proper one, based on running ubuntu live on the machine to test the hardware.) Users cannot access shares on the server (used to work.) The event logs say there is a Failure Audit Event ID: 537. The same user can log onto the server with the same username and password. On the server, in the active directory section, all the users are there and they still seem to have the privileges to log on. Is it possible that I removed something in registry that identified these privileges? Any ideas how to replace it? Any suggestions at all? Other than run away, of course.

Thanks,
Hugh
Chkdsk and SP2 issue?
http://www.infoworld...date-roulette-470

(via http://www.winvistat...ions-t660371.html )

No personal experience. HTH. Good luck!

Cheers,
Scott.
Thanks
At least, it's a place to start. I've not done a lot with MS servers. It's usually been test networks, but with more than one server and one client. The problem was on the client, and not the server. Is there something I can do to reinitialize the client so that the server will talk to it?
Ooops. Misread. :-( Maybe this will help.
http://www.trcb.com/...missions-2402.htm

Scroll down to the section "Troubleshoot access to files and shared folders:" It lists a few things to check, but doesn't go into details about fixing things.

This link has several pages of descriptions of what can give the 537 Audit Event ID. http://www.eventid.n...=Security&phase=1 Perhaps there's something there that helps?

I think that if the permissions are messed up on the client, you'll have to manually reset them (or restore them from an appropriate backup). I don't think you can have it done automagically, but that's just a guess.

Good luck.

Cheers,
Scott.
There are some good ideas there.
One more coffee and I'm back to the fray. Thanks much!
ComboFix will bin system files
The rootkit that has been doing the rounds recently infects service and system drivers. ComboFix will delete those without giving a second thought. The infected files are somewhat arbitrary but usually involve parts of the network stack.

Missing low level hidden services usually end up in the visible services failing to start and from there, Windows will do funny things. Take a look in the services admin console for any "automatic" services that are not running.

See if those left traces in the event log reading like "service scheduled for deletion". If so, find out what is supposed to be there for the version of Windows involved and make sure all files and registry entries are present and correct. (These are not just the services you can see via the admin console; it involves the entire list in the registry at HKLM\System\CurrentControlSet\Services). If anything is missing, copy the files and export/import the registry entries from a clean box running the same version of Winders.
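A script that walks the checks in the post above (stopped automatic services, every key under the Services hive including hidden drivers, a diff against a clean box, and the event log), written as an added example rather than anything posted in this thread. It assumes PowerShell 2.0 or later is available on the affected machine and that `clean-services.txt` (a placeholder name) holds the service key names exported from a clean box of the same Windows version.

```powershell
# Added example, not from the thread. Export the clean inventory first, on the clean box:
#   Get-ChildItem HKLM:\SYSTEM\CurrentControlSet\Services | ForEach-Object { $_.PSChildName } > clean-services.txt
param([string]$CleanList = 'clean-services.txt')   # assumed path to that export

$svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'

# Turn an ImagePath value into something Test-Path can check. Drivers commonly store
# "system32\DRIVERS\x.sys" (relative to %SystemRoot%), "\SystemRoot\..." or "\??\C:\...".
function Resolve-ImagePath([string]$raw) {
    if (-not $raw) { return $null }
    $p = [Environment]::ExpandEnvironmentVariables($raw).Trim()
    if ($p.StartsWith('"')) {                          # quoted path, maybe followed by arguments
        $end = $p.IndexOf('"', 1); if ($end -lt 0) { $end = $p.Length }
        $p = $p.Substring(1, $end - 1)
    } else { $p = ($p -split '\s+')[0] }               # unquoted: drop arguments such as "-k netsvcs"
    $p = $p -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot\\', ($env:SystemRoot + '\')
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

Write-Host "== Automatic services that are not running =="
Get-WmiObject Win32_Service | Where-Object { $_.StartMode -eq 'Auto' -and $_.State -ne 'Running' } |
    Format-Table Name, State, PathName -AutoSize

Write-Host "== Entries under $svcKey whose binary is missing (includes hidden drivers) =="
$present = @{}
foreach ($k in Get-ChildItem $svcKey -ErrorAction SilentlyContinue) {
    $present[$k.PSChildName] = $true
    $props = Get-ItemProperty $k.PSPath -ErrorAction SilentlyContinue
    $file  = Resolve-ImagePath $props.ImagePath
    if ($file -and -not (Test-Path $file)) { "{0,-30} {1}" -f $k.PSChildName, $file }
    # svchost-hosted services keep their code in a DLL named in the Parameters subkey
    $dll = (Get-ItemProperty "$($k.PSPath)\Parameters" -ErrorAction SilentlyContinue).ServiceDll
    if ($dll) { $dll = [Environment]::ExpandEnvironmentVariables($dll)
        if (-not (Test-Path $dll)) { "{0,-30} {1}" -f $k.PSChildName, $dll } }
}

Write-Host "== Service keys present on the clean box but absent here =="
if (Test-Path $CleanList) {
    Get-Content $CleanList | Where-Object { $_ -and -not $present.ContainsKey($_) }
} else { Write-Host "(no $CleanList found; export one from a clean machine to compare)" }

# The post's wording is "scheduled for deletion"; the Service Control Manager also logs
# "marked for deletion", so match both.
Write-Host "== System log entries about services being deleted =="
Get-EventLog -LogName System -Newest 2000 |
    Where-Object { $_.Message -match 'scheduled for deletion|marked for deletion' } |
    Format-Table TimeGenerated, Source, Message -AutoSize -Wrap
```

Anything listed under the missing-binary or absent-key sections is a candidate for copying the file and exporting/importing the key from the clean box, as the post suggests.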

