Protocol Error on Small Business Server 2000

[Linker3000]

All of a sudden, none of my clients can connect to the server: Wyse
WinTerms get misc errors and Windows PCs get "Because of a protocol
error detected at the client (code 0x1104) this session will be
disconnected".

Around the same time I noticed a network card related problem - the
server was disconnecting and reconnecting to the switch every few
seconds and so I replaced the card and that sorted the problem.

A virus scan reported bkdr_ibounce.A in \Windows\system32\service.exe
and so the file was deleted. The info for this program says it can be
used to delete services, so perhaps someone used it to remove terminal
services?

All other network functionality (shares and remote printing to the
server) work fine but TS doesn't. I removed and reinstalled TS and the
licencing service + licences, but this made matters worse - no "Terminal
Service" was shown in services.

After a couple of re-installs, I started a wander through the registry
and by comparing keys with a working server on another site I found
several missing ones. I copied the keys from the working server,
rebooted and Terminal Services now starts but with the start/stop
buttons greyed.

I'd really like to do a clean reinstall of TS - what is the best way to
do this. Failing that, what about other things to check?

Am I best considering a complete reinstall of SBS?

Thanks

L3K

 

[Linker3000]

HOORAY!

I downloaded TCPView from www.sysinternals.com - it shows all ports in
use and which process/programs/threads are using them.

TCPView showed a program called runtime.exe hooked into port 3389
(Terminal Services) as well as port 4666.

Symantec AV (Corporate edition) and Trend HouseCall do not show this
file as infected (GRRRR), but TrojanHunter (www.trojanhunter.com - free
trial version!) does - it's a backdoor trojan.

Killing the runtime.exe process in TCPView instantly restored Terminal
Services functionality.

Looking through the registry, I found two keys called TiServ referencing
this file - both gone now. Couldn't find any further references in any
..BAT or .INI files.

File deleted, server rebooted - All OK!

Hope this helps someone else!

L3K

 

[Vera Noest [MVP]]

Wooow!
Congrats for finding the culprit and solving your problem, Linker!
And thanks for letting us know!

 

[Linker3000]

Wooow!
Congrats for finding the culprit and solving your problem, Linker!
And thanks for letting us know!

Thanks - a few lessons learnt from this one:

LAN card problem might have been the backdoor program hooked into the
LAN drivers/protocol stack, and fitting a new LAN card with different
drivers might have done some unhooking (? Maybe?).

Symantec Antivirus Corporate edition does NOT scan running services nor
detect Trojans by default - you have to turn it on!
(http://helpdesk.graniteschools.org/docs/Antivirus/SpywareScan/) - this
seems crazy!

Happy to share useful knowledge.

If the problem re-occurs it'll take me about 10 mins to fix it compared
to about a day of fiddling this time round - isn't that always the way!

L3K