Solved

RDC in Windows XP SP3 not working after Virus

Posted on 2011-02-23
Last Modified: 2012-05-11
I recently got one of those fake Security Center Viruses.  I cleaned off the computer with Malwarebytes Anti-Malware.  After it was cleaned my Remote Desktop Connection won't run.  I connect to a Terminal Server.  No errors come up and nothing in the Event Viewer.  I just click it and nothing happens.  I tried running it through DOS, the Windows directory, etc.  I tried reinstalling it, reinstalled SP3, copied the files from a working computer and still nothing.

Also, something else strange.  When I go to www.google.com it takes me to www.google.co.uk.  I am in Los Angeles, CA.  Any help would be appreciated.  This is crucial to the business.  I attached the log file from the Malwarebytes Anti-Malware scan.
LogFile.txt
Question by:jborenstein
10 Comments
 
LVL 6

Expert Comment

by:Melannk24
ID: 34962628
Have you also tried running HiJackThis (Trend Micro)? I think you still have a few infected files lingering... MalwareBytes is a great tool, but it's always best to run more than one utility when dealing with an infected computer. Some of these rogue AV infections also set a rootkit-like infection that is not always visible to standard utilities. I've used IceSword to view any files hidden with restricted ACLs.

Did you check your hosts file to make sure there are no hard-coded IP addresses there set by the virus?

If this was one of my PCs used for business, I would re-image it.  That is the best bet to ensure a clean PC.  We have an imaging server here and when we have a PC that crashes, we just push down another image.  
0
 
LVL 26

Expert Comment

by:Thomas Zucker-Scharff
ID: 34962691
Have you checked your hosts file? (windows->system32->drivers->etc->hosts)

It should look something like this:

# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host

127.0.0.1       localhost


I always recommend using an alternate hosts file like the one hosted here:
http://www.mvps.org/winhelp2002/hosts.htm
0
 
LVL 6

Expert Comment

by:Melannk24
ID: 34962698
Also, did you make sure Terminal Services was running under services?  After all the changes to your PC, make sure you still have Remote Desktop enabled as well and you're not blocking RDP traffic on your machine's FW.
0
 
LVL 22

Expert Comment

by:optoma
ID: 34962719
>Firstly, create a restore point or install Erunt (reg backup program)

http://www.larshederer.homepage.t-online.de/erunt/
http://www.derfisch.de/lars/erunt-setup.exe >direct link

>Then run these scanners and save logfiles
TdssKiller and Hitmanpro.
http://support.kaspersky.com/viruses/solutions?qid=208280684
http://www.surfright.nl/en/hitmanpro

>To fix IE problems, reset IE afterwards
http://support.microsoft.com/kb/923737
0
 
LVL 26

Expert Comment

by:Thomas Zucker-Scharff
ID: 34962831
@optoma thank you for sharing the information on ERUNT.  I never came across it before and think I will find it useful in the future.
0
 
LVL 30

Accepted Solution

by:
flubbster earned 500 total points
ID: 34963172
I agree you have a bad hosts file that is redirecting you.

Paste the file here if you like. Be aware that some viruses corrupt the hosts file, then make a duplicate that you think is correct. Make sure that you have "View Hidden and System files" turned on. See if there are two hosts files with slightly different names. The corrupt one may not allow you to modify or delete it. You will need a program like FileAssassin and Hostsexpert to delete and then restore a correct one. If you go here:

http://www.malwarehelp.org/windows-protection-suite-analysis-and-removal-2009.html

Then scroll down to the section labeled "Windows Protection Suite Removal (How to remove Windows Protection Suite)"

Follow the steps. You have already run MalwareBytes. As a matter of fact, if you look at the whole page, you will see an almost identical listing of what your log looks like.

Use the built-in Fileassassin tool, then hostsexpert and test the system. Also verify the proper services are running as mentioned above.
0
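The two hosts-file checks raised in the answers above (entries that hard-code an IP address for a name, and a second file whose name only looks like `hosts`) can be scripted. This is an added example, not code from any poster in this thread; the character map, the `203.0.113.7` entry and the directory listing are constructed for illustration.

```python
# Added example: audit a Windows hosts file and the listing of its directory.
# The confusable map and all sample data below are constructed.

# Targets that are normal in a stock or blocklist-style hosts file.
BENIGN_TARGETS = {"127.0.0.1", "0.0.0.0", "::1"}

# Characters that render like the Latin letters in "hosts"
# (a small sample, not a complete confusables table).
CONFUSABLES = str.maketrans({"\u043e": "o", "\u0455": "s", "\u04bb": "h",
                             "0": "o", "5": "s"})


def audit_hosts(text):
    """Return (line_no, ip, hostname) for every active entry that maps a
    name to a non-loopback address, i.e. a candidate redirect."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        entry = raw.split("#", 1)[0].split()   # drop comment, split columns
        if len(entry) < 2:
            continue                           # blank, comment-only or malformed
        ip, names = entry[0], entry[1:]
        if ip not in BENIGN_TARGETS:
            findings.extend((line_no, ip, name.lower()) for name in names)
    return findings


def lookalike_hosts_files(filenames):
    """Return names that are not 'hosts' but read as 'hosts' once
    look-alike characters are folded to Latin letters."""
    hits = []
    for name in filenames:
        lowered = name.lower()                 # Windows names are case-insensitive
        if lowered != "hosts" and lowered.translate(CONFUSABLES) == "hosts":
            hits.append(name)
    return hits


SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#      102.54.94.97     rhino.acme.com          # source server
127.0.0.1       localhost
203.0.113.7     www.google.com google.com   # constructed redirect entry
"""
SAMPLE_LISTING = ["hosts", "h\u043ests", "lmhosts.sam", "networks", "services"]

if __name__ == "__main__":
    for line_no, ip, name in audit_hosts(SAMPLE_HOSTS):
        print(f"line {line_no}: {name} -> {ip}")
    for name in lookalike_hosts_files(SAMPLE_LISTING):
        print(f"lookalike file name: {name!r}")
```

Read the real file from `%SystemRoot%\system32\drivers\etc\hosts` and pass its text to `audit_hosts`; a flagged entry is a lead to review, since administrators sometimes add legitimate static mappings.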
 

Author Comment

by:jborenstein
ID: 34963446
Thank you everybody for all the comments.  I am going to try them all out now and keep you updated as I try and figure it out.
0
 
LVL 22

Expert Comment

by:optoma
ID: 34963476
@ Tzucker. You're welcome :)
0
 

Author Closing Comment

by:jborenstein
ID: 34964196
I followed everything from that site and now everything is working again.  The one thing I did differently this time is I ran MalwareBytes’s Anti-Malware under the Administrator account and it found a few more things.
Thanks!
0
 
LVL 30

Expert Comment

by:flubbster
ID: 34964406
Glad it is working.

Take care
0
