Hit by sasser, cannot connect to remote desktop afterwards

  • Thread starter Thread starter Usman Khalid
  • Start date Start date
U

Usman Khalid

Hi,

I was recently hit by sasser on my Windows XP Pro machine
at work. Before this I was extensively using remote
desktop and it worked great. For the last few days I have
been unable to connect to the machine anymore. I initially
thought it was because of sasser so I removed the virus
using the patch provided by MS. However, the problem with
remote desktop still persists. I would be very grateful if
someone has any insight regarding this matter.

Thanks,
Usman.
 
As part of removing Sasser, did you lock down the firewall, or a
nat/router--in order to get the infection cleared up?

I don't have first-hand experience with removing Sasser, yet.
 
Hi,

No I did not activate the firewall (and I have tried that
as well with remote desktop enabled). On further testing I
found a most disturbing behavior. Everytime I try to
remote desktop in to the computer it reboots!

Usman.
 
This is a symptom that others have posted here at times, and I don't have
any fix on the cause--don't know whether Jeffrey does.

I'm tempted to recommend a repair install of XP (with great care--disconnect
the network and activate the firewall immediately after the repair, unless
there is also a hardware firewall)--but I'm going to sit on my hands for a
while and see if others have better ideas.
 
Before you do a reinstall, submit the crash report that is generated
when you reboot and see what the Automated Crash Recovery system tells
you (or look in the Event Log and see what STOP error caused the
reboot)... We can see what is causing the issue...

Other troubleshooting - try running "sfc /scannow" (make sure you have
your Windows CD available) and see if any other system files were
damaged...

Jeffrey Randow (Windows Net. & Smart Display MVP)
(e-mail address removed)

Please post all responses to the newsgroups for the benefit
of all USENET users. Messages sent via email may or may not
be answered depending on time availability....

Remote Networking Technology Support Site -
http://www.remotenetworktechnology.com
Windows XP Expert Zone - http://www.microsoft.com/windowsxp/expertzone
 
Usman Khalid said:
Hi,

I was recently hit by sasser on my Windows XP Pro machine
at work. Before this I was extensively using remote
desktop and it worked great. For the last few days I have
been unable to connect to the machine anymore. I initially
thought it was because of sasser so I removed the virus
using the patch provided by MS. However, the problem with
remote desktop still persists. I would be very grateful if
someone has any insight regarding this matter.

Thanks,
Usman.
Click to expand...

Then type: shutdown -a , and hit enter.

This should halt the rebooting problem.

Follow these directions to remove The Sasser Worm from your computer:
http://www3.telus.net/dandemar/sasser.htm
 
This is a symptom that others have posted here at times, and I don't have
any fix on the cause--don't know whether Jeffrey does.

I'm tempted to recommend a repair install of XP (with great care--disconnect
the network and activate the firewall immediately after the repair, unless
there is also a hardware firewall)--but I'm going to sit on my hands for a
while and see if others have better ideas.
Click to expand...

I'd start by turning off System Restore. Then run yer favorite
anti-virus program with latest definitions.


Have a nice week...

Trent

What do you call a smart blonde?
A golden retriever.
 
Hi,

I don't get any memory dump whatsoever. The computer
simply reboots everytime I try to remote desktop in to the
machine. I believe I removed sasser successfully and all
virus scans are clean. I will try the "shutdown -a" option
but I don't think this has anything to do with sasser now.

Usman.
 
Check the event logs to see whether there's anything significant written
there around the reboot times, but there may not be.
 
Usman Khalid said:
Hi,

I was recently hit by sasser on my Windows XP Pro machine
at work. Before this I was extensively using remote
desktop and it worked great. For the last few days I have
been unable to connect to the machine anymore. I initially
thought it was because of sasser so I removed the virus
using the patch provided by MS. However, the problem with
remote desktop still persists. I would be very grateful if
someone has any insight regarding this matter.

Thanks,
Usman.
Click to expand...
Type: shutdown -a , and hit enter.
This should halt the rebooting problem.
Then do the link.

http://www3.telus.net/dandemar/sasser.htm
 
I got the SAME problem

I've double checked the terminal services status afterwards. It was set to disabled. Hence, I change it b ack to "Enable" mode in Add/Move Programes -> Windows Components -> Terminal Services -> Enable blah blah blah

However, even after that, the remote app is still not working.

Anybody have similar problems?----- Usman Khalid wrote: ----

Hi

I was recently hit by sasser on my Windows XP Pro machine
at work. Before this I was extensively using remote
desktop and it worked great. For the last few days I have
been unable to connect to the machine anymore. I initially
thought it was because of sasser so I removed the virus
using the patch provided by MS. However, the problem with
remote desktop still persists. I would be very grateful if
someone has any insight regarding this matter

Thanks
Usman.
 
There have been reports of this happening on Terminal Servers but not on workstations that I know of. You could try seeing if the same fix that is fixing it on the server will work on XP. See
http://thethin.net/faqs2.cfm?id=464&category=

If the keys in the FAQ DO exist on your XP machine make a back up them first and then try and delete them and reboot.
Let us know if this works.
Ji
http://thin.net
 
Merrill Lifer posted this, below:

We had the same problem tryingt to remote into boxes hit
with this virus. I deleted the following registry key,
rebooted and now Im fine.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermS
ervice\Parameters\Certificate

so this key exists on XP and may be the fix needed.
 
Back
Top