Can't access TS because of spoolsv.exe

[blin]

One of our clients is running windows 2003 server. Recently they have a problem with Terminal Service. They can't access the server using remote desktop. These are what I did. 1. Make sure Remote Desktop is enabled. 2. We can telnet the server prot 3389. However, can't use RDC to access it. 3. netstat -no doesn't show port 3389. 4. I changed the port # from 3389 to 2290 using regedit. It was working. 5. Next day, it didn't work agagin. Then I found the termservice in the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services was missing and services doesn't have terminal services. So exported it from other server and imported it to the prometical server. it worked again. 6. Next day, it doesn't work. I check every thing, remote desktop is enabled, termservice is running, I can telnet port 3389, I changed the port to 3390, but this time I can't make it work. 7. I downalod PTCViewer and find spoolsv.exe is using port 3389. I have scanned the server, but can't find virus or spyware. The spoolsv.exe is located in c:\windows\ssytem32 and size is correct. How can I fix it?

[blin]

Although you said you scanned the machine I'm really thinking this is some kind of virus / trojan. I mean you could of course change some dependencies in the services so that terminal services starts before the print-spooler service, but that would be just a workaround. I would recommend scanning the machine thoroughly again and is you can't find anything you might want to consider rebuilding the machine. Running Autoruns might help in finding suspicious files or processes as well

[blin]

Thank you for all tips. I agree it could be a virus. However, we have Trend Micro engineer to scan whole network and all computers. He said no virus found.



After I checked more computers, I found most computers, servers and workstation use 2288 port as RDD-tcp port. I think someone might install a software using port 3389. As I mentioned this is my client, I don't know what they did and the IT guy in the company doesn't know that either.



Any way, if I change RDC port to 2288, most computer work fine except the problematic server. I think the problem is we made a lot changes on the server. For example, we import TermServices, RDP-Tcp and TermDD folders from other working server.



The symptoms we have are 1. The server Event Viewer logs ID 50 TermDD. 2. When trying to the server using RDC, we receive "The connection was lost due to network error". I have tried all suggestion in this page: Case collection of Event ID 50 Source TermDD - http://www.chicagotech.net/troubleshooting/event50.htm



But can’t fix it. I think somehow, the Terminal services have been damaged and need to remove/re-install. But how do you do it?