RDP Listener down (TermService Cannot load illegal module rdpwsx.d

Guest

I am unable to connect with Remote Desktop to a machine with XP SP2 installed
on it. The event log on the remote machine reports:
Source: TermService
EventID: 1014
Description: Cannot load illegal module: C:\WINDOWS\system32\rdpwsx.DLL.
Unfortunately I found nothing in the KB nor anywhere else via Google that
applies to both this particular problem *and* to Windows XP (SP2).
Please advise me how to fix this.
 
Guest

Thank you for the reply. Yes I viewed this link but unfortunately I cannot
view the article links. Nevertheless, I revisited something I had skipped
earlier, which is to view the properties of C:\WINDOWS\system32\rdpwsx.DLL.

Something very fishy is going on as the version is 1.02 and company is Adobe
(sic). C:\WINDOWS\system32\dllcache\rdpwsx.DLL is from Microsoft with version
5.1.2600.2180, which is in agreement with
http://support.microsoft.com/dllhelp/?fid=42574&l=55&det=1 so I copied back
the file from the dllcache after renaming the existing (wrong) file.
The terminal services start after reboot and the machine listens to port
3389 and allows clients to connect via RDP.

So what is the bottom line? How did this .dll get replaced? I suspect it was
one of two viruses I found (and deleted) earlier with TrendMicro's housecall.
There have been reports of trojan downloaders which contact web sites in
order to download executable code or play tricks to turn jpegs into .dll .
One of them was reported on in http://www.mnin.org/write/2005_trimode.html

Thanks for putting me in the right direction, now I will have to try and get
my nvidia driver to behave which seems to be confused as well after removing
this piece of malware.

--theo
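
The manual check described in the post above (comparing the live rdpwsx.DLL with the copy in dllcache), as an added PowerShell example that is not part of the original thread. It assumes PowerShell 2.0 or later and an XP/2003-era system that has a dllcache folder; the parameter names and the Get-FileSha1 helper are made up for this illustration.

```powershell
# Added example (not from the thread): compare live system files with the
# copies kept in system32\dllcache and show version metadata for both.
param(
    [string]$System32 = "$env:SystemRoot\system32",
    [string]$DllCache = "$env:SystemRoot\system32\dllcache",
    [string]$Filter   = 'rdpwsx.dll'   # use '*.dll' to sweep every cached DLL
)

# Hypothetical helper: SHA-1 of a file as a hex string.
function Get-FileSha1([string]$Path) {
    $sha    = New-Object System.Security.Cryptography.SHA1CryptoServiceProvider
    $stream = [System.IO.File]::OpenRead($Path)
    try     { [System.BitConverter]::ToString($sha.ComputeHash($stream)) -replace '-', '' }
    finally { $stream.Close() }
}

if (-not (Test-Path $DllCache)) {
    Write-Warning "No dllcache folder at $DllCache; nothing to compare against."
    return
}

Get-ChildItem -Path $DllCache -Filter $Filter |
    Where-Object { -not $_.PSIsContainer } |
    ForEach-Object {
        $live = Join-Path $System32 $_.Name
        if (-not (Test-Path $live)) {
            # Cached copy exists but the live file is gone.
            New-Object PSObject -Property @{ File = $_.Name; Status = 'MISSING' }
            return
        }
        $lv = [System.Diagnostics.FileVersionInfo]::GetVersionInfo($live)
        $cv = [System.Diagnostics.FileVersionInfo]::GetVersionInfo($_.FullName)
        $same = (Get-FileSha1 $live) -eq (Get-FileSha1 $_.FullName)
        New-Object PSObject -Property @{
            File          = $_.Name
            Status        = if ($same) { 'match' } else { 'DIFFERS' }
            LiveCompany   = $lv.CompanyName
            LiveVersion   = $lv.FileVersion
            CacheCompany  = $cv.CompanyName
            CacheVersion  = $cv.FileVersion
        }
    } |
    Select-Object File, Status, LiveCompany, LiveVersion, CacheCompany, CacheVersion |
    Format-Table -AutoSize
```

A "match" only shows that the two copies agree; the company name and version still need checking against a known-good reference, as the poster did with the Microsoft DLL help entry.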
 
Peter

Rather than one fix after another, you should restore your system state from
backup, taken just before the attack occurred. Otherwise, things might still be
broken and bite you in the most inconvenient moments.
Or, does anyone know how to perform a full integrity check on the whole OS and
apps? Personally, I don't think that check exists, unless you took some
measures (like CRCs) BEFORE the attack occurred.
 
Theo Kanter

I agree, however there is one catch. It assumes that one knows when the
attack occurred and as it was some time ago I used RDP, there is no easy
way of telling when it stopped working. Perhaps this can be established
with some degree of certainty when it did by trying one of multiple
System Restore files. However, virus tools such as TrendMicro require
system restore to be disabled in order to be able to find viruses in
there. Therefore, reinstalling the nvidia driver after scanning the
system with at least 3 virus tools seemed to me a reasonable option.

--theo
 
I am having the same issue but it happens every time I install patches each month... the error is Cannot load illegal module: C:\WINDOWS\system32\rdpwsx.DLL. event ID 1014... I uninstall the patches and usually I am able to RDP to my 2003 windows SP2 but this time it didn't work... any help would be awesome
 