Hit by sasser, cannot connect to remote desktop afterwards

Anonymous
May 4, 2004 10:05:22 AM

Archived from groups: microsoft.public.windowsxp.work_remotely

Hi,

I was recently hit by sasser on my Windows XP Pro machine
at work. Before this I was extensively using remote
desktop and it worked great. For the last few days I have
been unable to connect to the machine anymore. I initially
thought it was because of sasser so I removed the virus
using the patch provided by MS. However, the problem with
remote desktop still persists. I would be very grateful if
someone has any insight regarding this matter.

Thanks,
Usman.
Anonymous
May 4, 2004 2:51:02 PM

As part of removing Sasser, did you lock down the firewall, or a
nat/router--in order to get the infection cleared up?

I don't have first-hand experience with removing Sasser, yet.

"Usman Khalid" <anonymous@discussions.microsoft.com> wrote in message
news:814e01c431d8$75820a10$a101280a@phx.gbl...
> Hi,
>
> I was recently hit by sasser on my Windows XP Pro machine
> at work. Before this I was extensively using remote
> desktop and it worked great. For the last few days I have
> been unable to connect to the machine anymore. I initially
> thought it was because of sasser so I removed the virus
> using the patch provided by MS. However, the problem with
> remote desktop still persists. I would be very grateful if
> someone has any insight regarding this matter.
>
> Thanks,
> Usman.
May 4, 2004 2:51:03 PM

Hi,

No I did not activate the firewall (and I have tried that
as well with remote desktop enabled). On further testing I
found a most disturbing behavior. Every time I try to
remote desktop in to the computer it reboots!

Usman.

>-----Original Message-----
>As part of removing Sasser, did you lock down the firewall, or a
>nat/router--in order to get the infection cleared up?
>
>I don't have first-hand experience with removing Sasser, yet.
Anonymous
May 4, 2004 6:41:07 PM

This is a symptom that others have posted here at times, and I don't have
any fix on the cause--don't know whether Jeffrey does.

I'm tempted to recommend a repair install of XP (with great care--disconnect
the network and activate the firewall immediately after the repair, unless
there is also a hardware firewall)--but I'm going to sit on my hands for a
while and see if others have better ideas.


"Usman" <anonymous@discussions.microsoft.com> wrote in message
news:841701c431fb$7a0dbed0$a301280a@phx.gbl...
> Hi,
>
> No I did not activate the firewall (and I have tried that
> as well with remote desktop enabled). On further testing I
> found a most disturbing behavior. Everytime I try to
> remote desktop in to the computer it reboots!
>
> Usman.
Anonymous
May 5, 2004 1:00:47 AM

Before you do a reinstall, submit the crash report that is generated
when you reboot and see what the Automated Crash Recovery system tells
you (or look in the Event Log and see what STOP error caused the
reboot)... We can see what is causing the issue...

Other troubleshooting - try running "sfc /scannow" (make sure you have
your Windows CD available) and see if any other system files were
damaged...

Jeffrey Randow (Windows Net. & Smart Display MVP)
jeffreyr-support@remotenetworktechnology.com

Please post all responses to the newsgroups for the benefit
of all USENET users. Messages sent via email may or may not
be answered depending on time availability....

Remote Networking Technology Support Site -
http://www.remotenetworktechnology.com
Windows XP Expert Zone - http://www.microsoft.com/windowsxp/expertzone

On Tue, 4 May 2004 14:41:07 -0400, "Bill Sanderson"
<Bill_Sanderson@msn.com.plugh.org> wrote:

>This is a symptom that others have posted here at times, and I don't have
>any fix on the cause--don't know whether Jeffrey does.
>
>I'm tempted to recommend a repair install of XP (with great care--disconnect
>the network and activate the firewall immediately after the repair, unless
>there is also a hardware firewall)--but I'm going to sit on my hands for a
>while and see if others have better ideas.
>
>
>"Usman" <anonymous@discussions.microsoft.com> wrote in message
>news:841701c431fb$7a0dbed0$a301280a@phx.gbl...
>> Hi,
>>
>> No I did not activate the firewall (and I have tried that
>> as well with remote desktop enabled). On further testing I
>> found a most disturbing behavior. Everytime I try to
>> remote desktop in to the computer it reboots!
>>
>> Usman.
Anonymous
May 5, 2004 1:23:58 AM

"Usman Khalid" <anonymous@discussions.microsoft.com> wrote in message
news:814e01c431d8$75820a10$a101280a@phx.gbl...
> Hi,
>
> I was recently hit by sasser on my Windows XP Pro machine
> at work. Before this I was extensively using remote
> desktop and it worked great. For the last few days I have
> been unable to connect to the machine anymore. I initially
> thought it was because of sasser so I removed the virus
> using the patch provided by MS. However, the problem with
> remote desktop still persists. I would be very grateful if
> someone has any insight regarding this matter.
>
> Thanks,
> Usman.

Then type: shutdown -a , and hit enter.

This should halt the rebooting problem.

Follow these directions to remove The Sasser Worm from your computer:
http://www3.telus.net/dandemar/sasser.htm
Anonymous
May 5, 2004 2:31:16 AM

On Tue, 4 May 2004 14:41:07 -0400, "Bill Sanderson"
<Bill_Sanderson@msn.com.plugh.org> wrote:

>This is a symptom that others have posted here at times, and I don't have
>any fix on the cause--don't know whether Jeffrey does.
>
>I'm tempted to recommend a repair install of XP (with great care--disconnect
>the network and activate the firewall immediately after the repair, unless
>there is also a hardware firewall)--but I'm going to sit on my hands for a
>while and see if others have better ideas.

I'd start by turning off System Restore. Then run yer favorite
anti-virus program with latest definitions.


Have a nice week...

Trent

What do you call a smart blonde?
A golden retriever.
Anonymous
May 5, 2004 10:39:35 AM

Hi,

I don't get any memory dump whatsoever. The computer
simply reboots every time I try to remote desktop in to the
machine. I believe I removed sasser successfully and all
virus scans are clean. I will try the "shutdown -a" option
but I don't think this has anything to do with sasser now.

Usman.


>-----Original Message-----
>This is a symptom that others have posted here at times, and I don't have
>any fix on the cause--don't know whether Jeffrey does.
>
>I'm tempted to recommend a repair install of XP (with great care--disconnect
>the network and activate the firewall immediately after the repair, unless
>there is also a hardware firewall)--but I'm going to sit on my hands for a
>while and see if others have better ideas.
Anonymous
May 5, 2004 2:04:13 PM

Check the event logs to see whether there's anything significant written
there around the reboot times, but there may not be.

"Usman Khalid" <anonymous@discussions.microsoft.com> wrote in message
news:89a101c432a6$67674e80$a601280a@phx.gbl...
> Hi,
>
> I don't get any memory dump whatsoever. The computer
> simply reboots everytime I try to remote desktop in to the
> machine. I believe I removed sasser successfully and all
> virus scans are clean. I will try the "shutdown -a" option
> but I don't think this has anything to do with sasser now.
>
> Usman.
Anonymous
May 5, 2004 8:49:17 PM

"Usman Khalid" <anonymous@discussions.microsoft.com> wrote in message
news:814e01c431d8$75820a10$a101280a@phx.gbl...
> Hi,
>
> I was recently hit by sasser on my Windows XP Pro machine
> at work. Before this I was extensively using remote
> desktop and it worked great. For the last few days I have
> been unable to connect to the machine anymore. I initially
> thought it was because of sasser so I removed the virus
> using the patch provided by MS. However, the problem with
> remote desktop still persists. I would be very grateful if
> someone has any insight regarding this matter.
>
> Thanks,
> Usman.
Type: shutdown -a , and hit enter.
This should halt the rebooting problem.
Then do the link.

http://www3.telus.net/dandemar/sasser.htm
May 6, 2004 3:36:09 PM

I got the SAME problem.

I've double-checked the terminal services status afterwards. It was set to disabled. Hence, I changed it back to "Enable" mode in Add/Remove Programs -> Windows Components -> Terminal Services -> Enable blah blah blah.

However, even after that, the remote app is still not working.

Anybody have similar problems?

----- Usman Khalid wrote: -----

Hi,

I was recently hit by sasser on my Windows XP Pro machine
at work. Before this I was extensively using remote
desktop and it worked great. For the last few days I have
been unable to connect to the machine anymore. I initially
thought it was because of sasser so I removed the virus
using the patch provided by MS. However, the problem with
remote desktop still persists. I would be very grateful if
someone has any insight regarding this matter.

Thanks,
Usman.
Anonymous
May 7, 2004 5:11:02 PM

There have been reports of this happening on Terminal Servers but not on workstations that I know of. You could try seeing if the same fix that is fixing it on the server will work on XP. See:
http://thethin.net/faqs2.cfm?id=464&category=2


If the keys in the FAQ DO exist on your XP machine, make a backup of them first and then try to delete them and reboot.
Let us know if this works.
Jim
http://thin.net
Anonymous
May 8, 2004 2:28:33 AM

Merrill Lifer posted this, below:

We had the same problem trying to remote into boxes hit
with this virus. I deleted the following registry key,
rebooted and now I'm fine.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService\Parameters\Certificate

so this key exists on XP and may be the fix needed.

"Jim Kenzig http://thin.net" <anonymous@discussions.microsoft.com> wrote in
message news:99EA8C8D-2C80-41F3-B1CF-B5A7853A34C7@microsoft.com...
> There have been reports of this happening on Terminal Servers but not on
> workstations that I know of. You could try seeing if the same fix that is
> fixing it on the server will work on XP. See:
> http://thethin.net/faqs2.cfm?id=464&category=2
>
>
> If the keys in the FAQ DO exist on your XP machine make a back up them
> first and then try and delete them and reboot.
> Let us know if this works.
> Jim
> http://thin.net
May 12, 2004 12:01:17 PM

Check for this event in the system log on the host:

Event Type: Error
Event Source: TermDD
Event ID: 50
Description: The RDP protocol component "DATA ENCRYPTION" detected an error in the protocol stream and has disconnected the client.


To work around this issue:

1. On the Terminal Services Server, use the Registry editor to navigate to:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\TermService\Parameters.

2. Delete the Certificate Value Name, a REG_BINARY data type.

3. Shut down and restart the Terminal Services Server. The Certificate Value Name is automatically regenerated.

I did this and it resolved everything. I have no idea of the original cause but it may have occurred during a Sasser attack when my host system was being constantly rebooted (because it lacked the patches) and I was trying to remotely access the host from my laptop in order to install the patches.
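The check and workaround described in the last post (and the registry deletion in the Merrill Lifer post), written as a guarded script. This is an added example, not code from any poster in the thread. It assumes Windows PowerShell 2.0 or later run as an administrator on the affected host; the `-Apply` switch and the backup directory are hypothetical names chosen for this sketch.

```powershell
# Added example: report the TermDD symptom, back up the key, then delete only the Certificate value.
param(
    [string]$BackupDir = "$env:SystemDrive\TermServiceBackup",  # hypothetical backup location
    [switch]$Apply                                              # without this switch, report only
)

$regPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\TermService\Parameters'
$regNative = 'HKLM\SYSTEM\CurrentControlSet\Services\TermService\Parameters'
$valueName = 'Certificate'

# 1. Look for the symptom from the post: Error from source TermDD, Event ID 50, in the System log.
$events = @(Get-EventLog -LogName System -EntryType Error |
    Where-Object { $_.Source -eq 'TermDD' -and $_.EventID -eq 50 })
"TermDD Event ID 50 entries found: $($events.Count)"
$events | Select-Object -First 5 -Property TimeGenerated, Message | Format-List

# 2. Confirm the value exists and is REG_BINARY, as the post describes, before touching it.
$key = Get-Item -Path $regPath -ErrorAction Stop
if ($key.GetValueNames() -notcontains $valueName) {
    "No '$valueName' value under $regPath; nothing to delete."
    return
}
$kind = $key.GetValueKind($valueName)
if ($kind -ne [Microsoft.Win32.RegistryValueKind]::Binary) {
    throw "'$valueName' is $kind, not REG_BINARY; stopping without changes."
}

# 3. Export the whole Parameters key so the change can be reverted with 'reg import'.
if (-not (Test-Path $BackupDir)) {
    New-Item -ItemType Directory -Path $BackupDir | Out-Null
}
$stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
$backup = Join-Path $BackupDir "TermService-Parameters-$stamp.reg"
& reg.exe export $regNative $backup
if ($LASTEXITCODE -ne 0 -or -not (Test-Path $backup)) {
    throw "Registry export failed; not deleting anything."
}
"Backup written to $backup"

# 4. Delete only the Certificate value; the post says it is regenerated after a restart.
if ($Apply) {
    Remove-ItemProperty -Path $regPath -Name $valueName -ErrorAction Stop
    "Deleted '$valueName'. Shut down and restart the machine to complete the workaround."
} else {
    "Report only. Re-run with -Apply to delete '$valueName'."
}
```

Run it once without `-Apply` to see whether the event and the value are present, and keep the exported `.reg` file until Remote Desktop has been confirmed working after the restart.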