Solved

RDC in Windows XP SP3 not working after Virus

Posted on 2011-02-23
Last Modified: 2012-05-11
I recently got one of those fake Security Center Viruses.  I cleaned off the computer with Malwarebytes Anti-Malware.  After it was cleaned my Remote Desktop Connection won't run.  I connect to a Terminal Server.  No errors come up and nothing in the Event Viewer.  I just click it and nothing happens.  I tried running it through DOS, the Windows directory, etc.  I tried reinstalling it, reinstalled SP3, copied the files from a working computer and still nothing.

Also, something else strange.  When I go to www.google.com it takes me to www.google.co.uk.  I am in Los Angeles, CA.  Any help would be appreciated.  This is crucial to the business.  I attached the log file from the Malwarebytes Anti-Malware scan.
LogFile.txt
Question by:jborenstein
10 Comments
 
LVL 6

Expert Comment

by:Melannk24
ID: 34962628
Have you also tried running HiJackThis (Trend Micro)? I think you still have a few infected files lingering....   MalwareBytes is a great tool, but it's always best to run more than one utility when dealing with an infected computer.  Some of these rogue AV infections also set a rootkit-like infection that is not always visible to standard utilities.  I've used IceSword to view any files hidden with restricted ACLs.

Did you check your hosts file to make sure there are no hard-coded IP addresses there set by the virus?

If this was one of my PCs used for business, I would re-image it.  That is the best bet to ensure a clean PC.  We have an imaging server here and when we have a PC that crashes, we just push down another image.  
0
 
LVL 26

Expert Comment

by:Thomas Zucker-Scharff
ID: 34962691
Have you checked your hosts file? (windows->system32->drivers->etc->hosts)

It should look something like this:

# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host

127.0.0.1       localhost


I always recommend using an alternate hosts file like the one hosted here:
http://www.mvps.org/winhelp2002/hosts.htm
0
 
LVL 6

Expert Comment

by:Melannk24
ID: 34962698
Also, did you make sure Terminal Services was running under services?  After all the changes to your PC, make sure you still have Remote Desktop enabled as well and you're not blocking RDP traffic on your machine's FW.
0
 
LVL 22

Expert Comment

by:optoma
ID: 34962719
>Firstly, create a restore point or install Erunt (reg backup program)

http://www.larshederer.homepage.t-online.de/erunt/
http://www.derfisch.de/lars/erunt-setup.exe >direct link

>Then run these scanners and save logfiles
TdssKiller and Hitmanpro.
http://support.kaspersky.com/viruses/solutions?qid=208280684
http://www.surfright.nl/en/hitmanpro

>To fix IE problems, reset IE afterwards
http://support.microsoft.com/kb/923737
0
 
LVL 26

Expert Comment

by:Thomas Zucker-Scharff
ID: 34962831
@optoma thank you for sharing the information on ERUNT.  I never came across it before and think I will find it useful in the future.
0
 
LVL 30

Accepted Solution

by:
flubbster earned 500 total points
ID: 34963172
I agree you have a bad hosts file that is redirecting you.

Paste the file here if you like. Be aware that some viruses corrupt the hosts file, then make a duplicate that you think is correct. Make sure that you have "View Hidden and System files" turned on. See if there are two hosts files with slightly different names. The corrupt one may not allow you to modify or delete it. You will need a program like FileAssassin and Hostsexpert to delete and then restore a correct one. If you go here:

http://www.malwarehelp.org/windows-protection-suite-analysis-and-removal-2009.html

Then scroll down to the section labeled "Windows Protection Suite Removal (How to remove Windows Protection Suite)"

Follow the steps. You have already run MalwareBytes. As a matter of fact, if you look at the whole page, you will see an almost identical listing of what your log looks like.

Use the built-in Fileassassin tool, then hostsexpert and test the system. Also verify the proper services are running as mentioned above.
0
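The two hosts-file checks suggested in the answers above (unexpected entries, and a second file whose name is slightly different from "hosts"), written out as an added example that is not part of any poster's reply. The function names, the 0.75 similarity threshold and all sample data are assumptions made for illustration.

```python
import difflib
import ipaddress

def audit_hosts(text):
    """Return (line_no, ip, hostname, verdict) for every active entry
    other than the stock loopback mapping for localhost."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        entry = raw.split("#", 1)[0].split()      # drop comment, split columns
        if len(entry) < 2:
            continue                              # blank or comment-only line
        try:
            ip = ipaddress.ip_address(entry[0])
        except ValueError:
            findings.append((line_no, entry[0], " ".join(entry[1:]), "malformed"))
            continue
        # Blocklist-style hosts files point names at loopback or 0.0.0.0;
        # any other address sends the name to a different server.
        sinkhole = ip.is_loopback or ip.is_unspecified
        for name in entry[1:]:
            if sinkhole and name.lower() == "localhost":
                continue
            verdict = "sinkhole" if sinkhole else "redirect"
            findings.append((line_no, str(ip), name.lower(), verdict))
    return findings

def lookalike_names(names, threshold=0.75):
    """Return names that resemble, but are not exactly, 'hosts'.
    Feed it os.listdir() of the etc directory; threshold is an assumption."""
    hits = []
    for name in names:
        lowered = name.lower()
        ratio = difflib.SequenceMatcher(None, lowered, "hosts").ratio()
        if lowered != "hosts" and ratio >= threshold:
            hits.append(name)
    return hits

# Constructed sample, not the asker's file. 203.0.113.7 is a documentation
# (TEST-NET-3) address used as a placeholder.
SAMPLE_HOSTS = """\
# constructed sample
127.0.0.1       localhost
203.0.113.7     www.google.com google.com   # placeholder redirect
0.0.0.0         ads.example.net
"""
# Constructed directory listing; the second name contains a Cyrillic letter.
SAMPLE_LISTING = ["hosts", "h\u043ests", "lmhosts.sam", "services"]

if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS):
        print(finding)
    print([ascii(n) for n in lookalike_names(SAMPLE_LISTING)])
```
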
 

Author Comment

by:jborenstein
ID: 34963446
Thank you everybody for all the comments.  I am going to try them all out now and keep you updated as I try and figure it out.
0
 
LVL 22

Expert Comment

by:optoma
ID: 34963476
@ Tzucker. You're welcome :)
0
 

Author Closing Comment

by:jborenstein
ID: 34964196
I followed everything from that site and now everything is working again.  The one thing I did differently this time is I ran MalwareBytes’s Anti-Malware under the Administrator account and it found a few more things.
Thanks!
0
 
LVL 30

Expert Comment

by:flubbster
ID: 34964406
Glad it is working.

Take care
0
