Hit by sasser, cannot connect to remote desktop afterwards

Archived from groups: microsoft.public.windowsxp.work_remotely (More info?)

Hi,

I was recently hit by sasser on my Windows XP Pro machine
at work. Before this I was extensively using remote
desktop and it worked great. For the last few days I have
been unable to connect to the machine anymore. I initially
thought it was because of sasser so I removed the virus
using the patch provided by MS. However, the problem with
remote desktop still persists. I would be very grateful if
someone has any insight regarding this matter.

Thanks,
Usman.
13 answers Last reply
More about sasser connect remote desktop afterwards
  1. Archived from groups: microsoft.public.windowsxp.work_remotely (More info?)

    As part of removing Sasser, did you lock down the firewall, or a
    nat/router--in order to get the infection cleared up?

    I don't have first-hand experience with removing Sasser, yet.

    "Usman Khalid" <anonymous@discussions.microsoft.com> wrote in message
    news:814e01c431d8$75820a10$a101280a@phx.gbl...
    > Hi,
    >
    > I was recently hit by sasser on my Windows XP Pro machine
    > at work. Before this I was extensively using remote
    > desktop and it worked great. For the last few days I have
    > been unable to connect to the machine anymore. I initially
    > thought it was because of sasser so I removed the virus
    > using the patch provided by MS. However, the problem with
    > remote desktop still persists. I would be very grateful if
    > someone has any insight regarding this matter.
    >
    > Thanks,
    > Usman.
  2. Archived from groups: microsoft.public.windowsxp.work_remotely (More info?)

    Hi,

    No I did not activate the firewall (and I have tried that
    as well with remote desktop enabled). On further testing I
    found a most disturbing behavior. Everytime I try to
    remote desktop in to the computer it reboots!

    Usman.

    >-----Original Message-----
    >As part of removing Sasser, did you lock down the
    firewall, or a
    >nat/router--in order to get the infection cleared up?
    >
    >I don't have first-hand experience with removing Sasser,
    yet.
    >
    >"Usman Khalid" <anonymous@discussions.microsoft.com>
    wrote in message
    >news:814e01c431d8$75820a10$a101280a@phx.gbl...
    >> Hi,
    >>
    >> I was recently hit by sasser on my Windows XP Pro
    machine
    >> at work. Before this I was extensively using remote
    >> desktop and it worked great. For the last few days I
    have
    >> been unable to connect to the machine anymore. I
    initially
    >> thought it was because of sasser so I removed the virus
    >> using the patch provided by MS. However, the problem
    with
    >> remote desktop still persists. I would be very grateful
    if
    >> someone has any insight regarding this matter.
    >>
    >> Thanks,
    >> Usman.
    >
    >
    >.
    >
  3. Archived from groups: microsoft.public.windowsxp.work_remotely (More info?)

    This is a symptom that others have posted here at times, and I don't have
    any fix on the cause--don't know whether Jeffrey does.

    I'm tempted to recommend a repair install of XP (with great care--disconnect
    the network and activate the firewall immediately after the repair, unless
    there is also a hardware firewall)--but I'm going to sit on my hands for a
    while and see if others have better ideas.


    "Usman" <anonymous@discussions.microsoft.com> wrote in message
    news:841701c431fb$7a0dbed0$a301280a@phx.gbl...
    > Hi,
    >
    > No I did not activate the firewall (and I have tried that
    > as well with remote desktop enabled). On further testing I
    > found a most disturbing behavior. Everytime I try to
    > remote desktop in to the computer it reboots!
    >
    > Usman.
    >
    >>-----Original Message-----
    >>As part of removing Sasser, did you lock down the
    > firewall, or a
    >>nat/router--in order to get the infection cleared up?
    >>
    >>I don't have first-hand experience with removing Sasser,
    > yet.
    >>
    >>"Usman Khalid" <anonymous@discussions.microsoft.com>
    > wrote in message
    >>news:814e01c431d8$75820a10$a101280a@phx.gbl...
    >>> Hi,
    >>>
    >>> I was recently hit by sasser on my Windows XP Pro
    > machine
    >>> at work. Before this I was extensively using remote
    >>> desktop and it worked great. For the last few days I
    > have
    >>> been unable to connect to the machine anymore. I
    > initially
    >>> thought it was because of sasser so I removed the virus
    >>> using the patch provided by MS. However, the problem
    > with
    >>> remote desktop still persists. I would be very grateful
    > if
    >>> someone has any insight regarding this matter.
    >>>
    >>> Thanks,
    >>> Usman.
    >>
    >>
    >>.
    >>
  4. Archived from groups: microsoft.public.windowsxp.work_remotely (More info?)

    Before you do a reinstall, submit the crash report that is generated
    when you reboot and see what the Automated Crash Recovery system tells
    you (or look in the Event Log and see what STOP error caused the
    reboot)... We can see what is causing the issue...

    Other troubleshooting - try running "sfc /scannow" (make sure you have
    your Windows CD available) and see if any other system files were
    damaged...

    Jeffrey Randow (Windows Net. & Smart Display MVP)
    jeffreyr-support@remotenetworktechnology.com

    Please post all responses to the newsgroups for the benefit
    of all USENET users. Messages sent via email may or may not
    be answered depending on time availability....

    Remote Networking Technology Support Site -
    http://www.remotenetworktechnology.com
    Windows XP Expert Zone - http://www.microsoft.com/windowsxp/expertzone

    On Tue, 4 May 2004 14:41:07 -0400, "Bill Sanderson"
    <Bill_Sanderson@msn.com.plugh.org> wrote:

    >This is a symptom that others have posted here at times, and I don't have
    >any fix on the cause--don't know whether Jeffrey does.
    >
    >I'm tempted to recommend a repair install of XP (with great care--disconnect
    >the network and activate the firewall immediately after the repair, unless
    >there is also a hardware firewall)--but I'm going to sit on my hands for a
    >while and see if others have better ideas.
    >
    >
    >"Usman" <anonymous@discussions.microsoft.com> wrote in message
    >news:841701c431fb$7a0dbed0$a301280a@phx.gbl...
    >> Hi,
    >>
    >> No I did not activate the firewall (and I have tried that
    >> as well with remote desktop enabled). On further testing I
    >> found a most disturbing behavior. Everytime I try to
    >> remote desktop in to the computer it reboots!
    >>
    >> Usman.
    >>
    >>>-----Original Message-----
    >>>As part of removing Sasser, did you lock down the
    >> firewall, or a
    >>>nat/router--in order to get the infection cleared up?
    >>>
    >>>I don't have first-hand experience with removing Sasser,
    >> yet.
    >>>
    >>>"Usman Khalid" <anonymous@discussions.microsoft.com>
    >> wrote in message
    >>>news:814e01c431d8$75820a10$a101280a@phx.gbl...
    >>>> Hi,
    >>>>
    >>>> I was recently hit by sasser on my Windows XP Pro
    >> machine
    >>>> at work. Before this I was extensively using remote
    >>>> desktop and it worked great. For the last few days I
    >> have
    >>>> been unable to connect to the machine anymore. I
    >> initially
    >>>> thought it was because of sasser so I removed the virus
    >>>> using the patch provided by MS. However, the problem
    >> with
    >>>> remote desktop still persists. I would be very grateful
    >> if
    >>>> someone has any insight regarding this matter.
    >>>>
    >>>> Thanks,
    >>>> Usman.
    >>>
    >>>
    >>>.
    >>>
    >
  5. Archived from groups: microsoft.public.windowsxp.work_remotely (More info?)

    "Usman Khalid" <anonymous@discussions.microsoft.com> wrote in message
    news:814e01c431d8$75820a10$a101280a@phx.gbl...
    > Hi,
    >
    > I was recently hit by sasser on my Windows XP Pro machine
    > at work. Before this I was extensively using remote
    > desktop and it worked great. For the last few days I have
    > been unable to connect to the machine anymore. I initially
    > thought it was because of sasser so I removed the virus
    > using the patch provided by MS. However, the problem with
    > remote desktop still persists. I would be very grateful if
    > someone has any insight regarding this matter.
    >
    > Thanks,
    > Usman.

    Then type: shutdown -a , and hit enter.

    This should halt the rebooting problem.

    Follow these directions to remove The Sasser Worm from your computer:
    http://www3.telus.net/dandemar/sasser.htm
  6. Archived from groups: microsoft.public.windowsxp.work_remotely (More info?)

    On Tue, 4 May 2004 14:41:07 -0400, "Bill Sanderson"
    <Bill_Sanderson@msn.com.plugh.org> wrote:

    >This is a symptom that others have posted here at times, and I don't have
    >any fix on the cause--don't know whether Jeffrey does.
    >
    >I'm tempted to recommend a repair install of XP (with great care--disconnect
    >the network and activate the firewall immediately after the repair, unless
    >there is also a hardware firewall)--but I'm going to sit on my hands for a
    >while and see if others have better ideas.

    I'd start by turning off System Restore. Then run yer favorite
    anti-virus program with latest definitions.


    Have a nice week...

    Trent

    What do you call a smart blonde?
    A golden retriever.
  7. Archived from groups: microsoft.public.windowsxp.work_remotely (More info?)

    Hi,

    I don't get any memory dump whatsoever. The computer
    simply reboots everytime I try to remote desktop in to the
    machine. I believe I removed sasser successfully and all
    virus scans are clean. I will try the "shutdown -a" option
    but I don't think this has anything to do with sasser now.

    Usman.


    >-----Original Message-----
    >This is a symptom that others have posted here at times,
    and I don't have
    >any fix on the cause--don't know whether Jeffrey does.
    >
    >I'm tempted to recommend a repair install of XP (with
    great care--disconnect
    >the network and activate the firewall immediately after
    the repair, unless
    >there is also a hardware firewall)--but I'm going to sit
    on my hands for a
    >while and see if others have better ideas.
    >
    >
    >"Usman" <anonymous@discussions.microsoft.com> wrote in
    message
    >news:841701c431fb$7a0dbed0$a301280a@phx.gbl...
    >> Hi,
    >>
    >> No I did not activate the firewall (and I have tried
    that
    >> as well with remote desktop enabled). On further
    testing I
    >> found a most disturbing behavior. Everytime I try to
    >> remote desktop in to the computer it reboots!
    >>
    >> Usman.
    >>
    >>>-----Original Message-----
    >>>As part of removing Sasser, did you lock down the
    >> firewall, or a
    >>>nat/router--in order to get the infection cleared up?
    >>>
    >>>I don't have first-hand experience with removing Sasser,
    >> yet.
    >>>
    >>>"Usman Khalid" <anonymous@discussions.microsoft.com>
    >> wrote in message
    >>>news:814e01c431d8$75820a10$a101280a@phx.gbl...
    >>>> Hi,
    >>>>
    >>>> I was recently hit by sasser on my Windows XP Pro
    >> machine
    >>>> at work. Before this I was extensively using remote
    >>>> desktop and it worked great. For the last few days I
    >> have
    >>>> been unable to connect to the machine anymore. I
    >> initially
    >>>> thought it was because of sasser so I removed the
    virus
    >>>> using the patch provided by MS. However, the problem
    >> with
    >>>> remote desktop still persists. I would be very
    grateful
    >> if
    >>>> someone has any insight regarding this matter.
    >>>>
    >>>> Thanks,
    >>>> Usman.
    >>>
    >>>
    >>>.
    >>>
    >
    >
    >.
    >
  8. Archived from groups: microsoft.public.windowsxp.work_remotely (More info?)

    Check the event logs to see whether there's anything significant written
    there around the reboot times, but there may not be.

    "Usman Khalid" <anonymous@discussions.microsoft.com> wrote in message
    news:89a101c432a6$67674e80$a601280a@phx.gbl...
    > Hi,
    >
    > I don't get any memory dump whatsoever. The computer
    > simply reboots everytime I try to remote desktop in to the
    > machine. I believe I removed sasser successfully and all
    > virus scans are clean. I will try the "shutdown -a" option
    > but I don't think this has anything to do with sasser now.
    >
    > Usman.
    >
    >
    >>-----Original Message-----
    >>This is a symptom that others have posted here at times,
    > and I don't have
    >>any fix on the cause--don't know whether Jeffrey does.
    >>
    >>I'm tempted to recommend a repair install of XP (with
    > great care--disconnect
    >>the network and activate the firewall immediately after
    > the repair, unless
    >>there is also a hardware firewall)--but I'm going to sit
    > on my hands for a
    >>while and see if others have better ideas.
    >>
    >>
    >>"Usman" <anonymous@discussions.microsoft.com> wrote in
    > message
    >>news:841701c431fb$7a0dbed0$a301280a@phx.gbl...
    >>> Hi,
    >>>
    >>> No I did not activate the firewall (and I have tried
    > that
    >>> as well with remote desktop enabled). On further
    > testing I
    >>> found a most disturbing behavior. Everytime I try to
    >>> remote desktop in to the computer it reboots!
    >>>
    >>> Usman.
    >>>
    >>>>-----Original Message-----
    >>>>As part of removing Sasser, did you lock down the
    >>> firewall, or a
    >>>>nat/router--in order to get the infection cleared up?
    >>>>
    >>>>I don't have first-hand experience with removing Sasser,
    >>> yet.
    >>>>
    >>>>"Usman Khalid" <anonymous@discussions.microsoft.com>
    >>> wrote in message
    >>>>news:814e01c431d8$75820a10$a101280a@phx.gbl...
    >>>>> Hi,
    >>>>>
    >>>>> I was recently hit by sasser on my Windows XP Pro
    >>> machine
    >>>>> at work. Before this I was extensively using remote
    >>>>> desktop and it worked great. For the last few days I
    >>> have
    >>>>> been unable to connect to the machine anymore. I
    >>> initially
    >>>>> thought it was because of sasser so I removed the
    > virus
    >>>>> using the patch provided by MS. However, the problem
    >>> with
    >>>>> remote desktop still persists. I would be very
    > grateful
    >>> if
    >>>>> someone has any insight regarding this matter.
    >>>>>
    >>>>> Thanks,
    >>>>> Usman.
    >>>>
    >>>>
    >>>>.
    >>>>
    >>
    >>
    >>.
    >>
  9. Archived from groups: microsoft.public.windowsxp.work_remotely (More info?)

    "Usman Khalid" <anonymous@discussions.microsoft.com> wrote in message
    news:814e01c431d8$75820a10$a101280a@phx.gbl...
    > Hi,
    >
    > I was recently hit by sasser on my Windows XP Pro machine
    > at work. Before this I was extensively using remote
    > desktop and it worked great. For the last few days I have
    > been unable to connect to the machine anymore. I initially
    > thought it was because of sasser so I removed the virus
    > using the patch provided by MS. However, the problem with
    > remote desktop still persists. I would be very grateful if
    > someone has any insight regarding this matter.
    >
    > Thanks,
    > Usman.
    Type: shutdown -a , and hit enter.
    This should halt the rebooting problem.
    Then do the link.

    http://www3.telus.net/dandemar/sasser.htm
  10. Archived from groups: microsoft.public.windowsxp.work_remotely (More info?)

    I got the SAME problem.

    I've double checked the terminal services status afterwards. It was set to disabled. Hence, I change it b ack to "Enable" mode in Add/Move Programes -> Windows Components -> Terminal Services -> Enable blah blah blah.

    However, even after that, the remote app is still not working.

    Anybody have similar problems?----- Usman Khalid wrote: -----

    Hi,

    I was recently hit by sasser on my Windows XP Pro machine
    at work. Before this I was extensively using remote
    desktop and it worked great. For the last few days I have
    been unable to connect to the machine anymore. I initially
    thought it was because of sasser so I removed the virus
    using the patch provided by MS. However, the problem with
    remote desktop still persists. I would be very grateful if
    someone has any insight regarding this matter.

    Thanks,
    Usman.
  11. Archived from groups: microsoft.public.windowsxp.work_remotely (More info?)

    There have been reports of this happening on Terminal Servers but not on workstations that I know of. You could try seeing if the same fix that is fixing it on the server will work on XP. See:
    http://thethin.net/faqs2.cfm?id=464&category=2


    If the keys in the FAQ DO exist on your XP machine make a back up them first and then try and delete them and reboot.
    Let us know if this works.
    Jim
    http://thin.net
  12. Archived from groups: microsoft.public.windowsxp.work_remotely (More info?)

    Merrill Lifer posted this, below:

    We had the same problem tryingt to remote into boxes hit
    with this virus. I deleted the following registry key,
    rebooted and now Im fine.

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermS
    ervice\Parameters\Certificate

    so this key exists on XP and may be the fix needed.

    "Jim Kenzig http://thin.net" <anonymous@discussions.microsoft.com> wrote in
    message news:99EA8C8D-2C80-41F3-B1CF-B5A7853A34C7@microsoft.com...
    > There have been reports of this happening on Terminal Servers but not on
    > workstations that I know of. You could try seeing if the same fix that is
    > fixing it on the server will work on XP. See:
    > http://thethin.net/faqs2.cfm?id=464&category=2
    >
    >
    > If the keys in the FAQ DO exist on your XP machine make a back up them
    > first and then try and delete them and reboot.
    > Let us know if this works.
    > Jim
    > http://thin.net
  13. Archived from groups: microsoft.public.windowsxp.work_remotely (More info?)

    Check for this event in the system log on the host:

    Event Type: Error
    Event Source: TermDD
    Event ID: 50
    Description: The RDP protocol component "DATA ENCRYPTION" detected an error in the protocol stream and has disconnected the client.


    To workaround this issue:

    1. On the Terminal Services Server, use the Registry editor to navigate to:

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\TermService\Parameters.

    2. Delete the Certificate Value Name, a REG_BINARY data type.

    3. Shutdown and restart the Terminal Services Server. The Certificate Value Name is automatically regenerated

    I did this and it resolved everything. I have no idea of the original cause but it may have occurred during a Sasser attack when my host system was being constantly rebooted (because it lacked the patches) and I was trying to remotely access the host from my laptop in order to install the patches.
Ask a new question

Read More

Remote Desktop Connection Windows XP