termsrv.dll Detected as Trojan


Viersche

Hi,

I'm not sure if this is the right forum, but I'm not sure if the files I'm reporting here are actually false positives.

I just ran a scan today and Malwarebytes detected 3 infected files on my computer. A file called termsrv.dll was detected to be a trojan downloaded. I searched the net and found that none of the sites have sufficient info on this file.

Here's the log file:

Malwarebytes' Anti-Malware 1.44

Database version: 3865

Windows 5.1.2600 Service Pack 2

Internet Explorer 6.0.2900.2180

3/15/2010 12:00:56 AM

mbam-log-2010-03-15 (00-00-53).txt

Scan type: Full Scan (C:\|D:\|E:\|)

Objects scanned: 324627

Time elapsed: 43 minute(s), 53 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 1

Registry Keys Infected: 1

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

c:\WINDOWS\system32\termsrv.dll (Trojan.Downloader) -> No action taken.

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\termservice (Trojan.Downloader) -> No action taken.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\system32\termsrv.dll (Trojan.Downloader) -> No action taken.

False positives have caused my computer to crash before, and I'm not sure if I should just delete these files since it might cause my computer to repeatedly crash again.

Has anyone gotten the same results with their scans?

Any input on this would be greatly appreciated.

Sorry, I didn't run mbam.exe/developer the first time, so I had to run it and then re-scan the whole thing.

Here's the resulting log file. I also attached the .rar file of the log to the post.

Malwarebytes' Anti-Malware 1.44

Database version: 3867

Windows 5.1.2600 Service Pack 2

Internet Explorer 6.0.2900.2180

3/15/2010 2:37:05 AM

mbam-log-2010-03-15 (02-37-00).txt

Scan type: Full Scan (C:\|D:\|E:\|)

Objects scanned: 324749

Time elapsed: 31 minute(s), 33 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 1

Registry Keys Infected: 1

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

c:\WINDOWS\system32\termsrv.dll (Trojan.Downloader) -> No action taken. [5B2C34AC11E01536D68F2EA461EFCAFE]

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\termservice (Trojan.Downloader) -> No action taken. [5B2C34AC11E01536D68F2EA461EFCAFE]

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\system32\termsrv.dll (Trojan.Downloader) -> No action taken. [5B2C34AC11E01536D68F2EA461EFCAFE]

I haven't deleted the files yet as it might cause trouble with my computer.

mbam_log_2010_03_15__02_37_00_.rar


  • Staff

There are a few infections replacing this file with modified or beta versions and it looks like this is what happened here.

Attached to this post is the correct version of that file. Your 2 options are to replace your copy with the one attached to this post or to install SP3. I strongly recommend installing SP3.

termsrv.zip


There are a few infections replacing this file with modified or beta versions and it looks like this is what happened here.

Attached to this post is the correct version of that file. Your 2 options are to replace your copy with the one attached to this post or to install SP3. I strongly recommend installing SP3.

Is that .dll file safe to delete without causing problems for the computer? Can't seem to find out what it's actually for.


  • 1 month later...

That was a hack to allow multiple logons in Win XP, like in Windows Server. Are you saying this Malwarebytes is just reporting the fact that the file is not the original file and that a hack has been applied?

Or are you saying that the file actually does more than simply allow multiple logons, and downloads more malicious stuff?

Will the file you attached allow multiple simultaneous logins?


  • 2 weeks later...
There are a few infections replacing this file with modified or beta versions and it looks like this is what happened here.

Attached to this post is the correct version of that file. Your 2 options are to replace your copy with the one attached to this post or to install SP3. I strongly recommend installing SP3.

Hi there. I'm having the same problem with my anti-malware detecting termsrv.dll as an infected file. How could I check to see if that file has been hacked or modified? My computer seems to freeze and I think it might be because of the infected termsrv.dll file. Can someone please help? Thanks

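As an added example (not part of the thread and not Malwarebytes code), a small Python parser for the developer-mode log format posted above: it groups detections by the bracketed value, assumed here to be the file's MD5, and re-hashes a file to tell whether it is still the copy that was flagged, for instance after replacing termsrv.dll or installing SP3. The function names and the embedded sample are constructed for illustration.

```python
import hashlib
import re
from collections import defaultdict

# Constructed sample: summary and detection lines copied from the log above.
SAMPLE_LOG = r"""
Memory Modules Infected: 1
Registry Keys Infected: 1
Files Infected: 1
Memory Modules Infected:
c:\WINDOWS\system32\termsrv.dll (Trojan.Downloader) -> No action taken. [5B2C34AC11E01536D68F2EA461EFCAFE]
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\termservice (Trojan.Downloader) -> No action taken. [5B2C34AC11E01536D68F2EA461EFCAFE]
Files Infected:
C:\WINDOWS\system32\termsrv.dll (Trojan.Downloader) -> No action taken. [5B2C34AC11E01536D68F2EA461EFCAFE]
"""

SECTION = re.compile(r"^(?P<name>[A-Za-z ]+ Infected):\s*(?P<count>\d+)?$")
ITEM = re.compile(r"^(?P<obj>.+?) \((?P<threat>[^()]+)\) -> (?P<action>.+?)\."
                  r"(?: \[(?P<md5>[0-9A-Fa-f]{32})\])?$")

def parse_log(text):
    """Return the itemised detections from an MBAM-style log."""
    detections, section = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        head, item = SECTION.match(line), ITEM.match(line)
        if head and head["count"] is None:
            section = head["name"]          # itemised list starts here
        elif item and section:              # summary count lines fall through
            detections.append({"section": section, **item.groupdict()})
    return detections

def objects_by_hash(detections):
    """Map each bracketed hash to the (case-folded) objects flagged with it."""
    groups = defaultdict(set)
    for d in detections:
        if d["md5"]:                        # absent without developer mode
            groups[d["md5"].upper()].add(d["obj"].lower())
    return dict(groups)

def still_flagged(path, detections):
    """True if the file at `path` has an MD5 that the log reported."""
    with open(path, "rb") as fh:
        digest = hashlib.md5(fh.read()).hexdigest().upper()
    return digest in objects_by_hash(detections)
```

On the sample, all three entries collapse onto one hash, which shows the memory-module and registry-key detections are driven by the same termsrv.dll binary. A file that no longer matches the flagged hash is only known to be a different binary; its origin still has to be established separately.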
