Removing GPO's from standalone system

[FNBIT]

I have systems that have been removed from a domain that has some GPO's on it. Now these systems crash every couple of hours. It counts down from 60 seconds then reboots. I can duplicate this error by typing GPUpdate from the run command.

The error is "Services and Controller App"

It is referencing these files:
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\WER0a07.dir00\services.exe.mdmp
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\WER0a07.dir00\appcompat.txt

With error signature:
szAppName : services.exe szAppVer : 5.1.2600.2180 szModName : esent.dll
szModVer : 5.1.2600.2780 offset : 0001baec


These systems are now acting in a Windows Workgroup and will be put into a new domain later. I think the problem will go away once they are in the new domain but I would like to get them working before then.

Does anybody have any suggestions?

Thanks,

Chris

 

[58sniper]

They are infected with a virus.

Pat Richard, MCSE MCSA:Messaging CNA
Microsoft Exchange MVP
Want to know how email works? Read for yourself -

http://www.ietf.org/rfc/rfc2821.txt

 

[FNBIT]

I think it is more likely it is a domain issue but it is possible. However I did do a scan on one of the units and it came up clean so I do not think it is a virus. I do understand that the Sasser worm causes a similar problem which I learned through some searches. The searches also lead me to believe that this can be caused by a domain problem.

Any other ideas?

 

[58sniper]

Hmmm... you have an .exe file running from your temp folder. Still think it's not a virus? That looks like a MyDoom infection.

Pat Richard, MCSE MCSA:Messaging CNA
Microsoft Exchange MVP
Want to know how email works? Read for yourself -

http://www.ietf.org/rfc/rfc2821.txt

 

[FNBIT]

I thought the same thing when I started looking at this but here is more on the scenario.
The company is changing their affiliates. Their old affiliate went in and removed some workstations, the server OS, and all of their virus protection from the rest of the workstations stating that they did not own those items. My company provided the new company with some workstations that we had extra and moved them to the new location. We also removed our virus protection since they need to purchase their own. (Which a we have ordered along with a MS 2003 Server OS)

Until the new OS comes in they need to use the systems as stand alones. Therefore they have about 15 systems without virus protection but they are behind a firewall. All systems are running XP Pro SP2 and all are fully updated with all patches.

Now for the reason I do not think it is a virus. The only systems that have this problem are the ones that came from our company. The other systems do not show these erros at all. Our systems started to show the above errors all about the same time. Therefore it is stange that a virus would target only certain computers but not others. I have also ran a scan on two of the systmes since I thought it was virus also. The scans came up clean in both cases. I will take a look at MyDoom and see if the scans I did would detect it just in case.

Now for the reason why I think it may be due to a GPO problem. When searching this problem I came across a link that had somebody with the same problem. The reply made me believe this was the case. Also the event log made references in this direction. I don't remember exactly what it said but I can find out. Here is the link I have found:

http://forums.extremeoverclocking.com/showthread.php?t=228166

Thanks for your input,

Chris

 

[FNBIT]

Just a follow up on this. Once they where added to a new domain they worked fine. I also moved all machines to be removed from the network to a branch in AD that did not have any GPO's applied. I then ran GPUpdate /force and then removed them. These machines never exprerienced the problem since they had been cleaned before the removal.