Viersche

termsrv.dll Detected as Trojan


Hi,

I'm not sure if this is the right forum, but I'm not sure if the files I'm reporting here are actually false positives.

I just ran a scan today and Malwarebytes detected 3 infected files on my computer. A file called termsrv.dll was detected to be a Trojan downloader. I searched the net and found that none of the sites have sufficient info on this file.

Here's the log file:

Malwarebytes' Anti-Malware 1.44

Database version: 3865

Windows 5.1.2600 Service Pack 2

Internet Explorer 6.0.2900.2180

3/15/2010 12:00:56 AM

mbam-log-2010-03-15 (00-00-53).txt

Scan type: Full Scan (C:\|D:\|E:\|)

Objects scanned: 324627

Time elapsed: 43 minute(s), 53 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 1

Registry Keys Infected: 1

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

c:\WINDOWS\system32\termsrv.dll (Trojan.Downloader) -> No action taken.

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\termservice (Trojan.Downloader) -> No action taken.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\system32\termsrv.dll (Trojan.Downloader) -> No action taken.

False positives have caused my computer to crash before, and I'm not sure if I should just delete these files, since it might cause my computer to repeatedly crash again.

Has anyone gotten the same results with their scans?

Any input on this would be greatly appreciated.


Sorry for the double post; I was trying to edit my initial post as I copied it from the general forums.


This may be a patched copy of this file. Please zip and attach termsrv.dll to your next post.


I'll run the developer program and re-scan it.

Although I've run 2 other antivirus programs, AVG and Avast, and neither has detected the file.


I have given you the directions needed to answer your question; another scan will not help here.

Please zip and attach a copy of termsrv.dll to your next post.


Sorry, I didn't run mbam.exe /developer the first time, so I had to run it and then re-scan the whole thing.

Here's the resulting log file, and I also attached the .rar file of the log to the post.

Malwarebytes' Anti-Malware 1.44

Database version: 3867

Windows 5.1.2600 Service Pack 2

Internet Explorer 6.0.2900.2180

3/15/2010 2:37:05 AM

mbam-log-2010-03-15 (02-37-00).txt

Scan type: Full Scan (C:\|D:\|E:\|)

Objects scanned: 324749

Time elapsed: 31 minute(s), 33 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 1

Registry Keys Infected: 1

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

c:\WINDOWS\system32\termsrv.dll (Trojan.Downloader) -> No action taken. [5B2C34AC11E01536D68F2EA461EFCAFE]

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\termservice (Trojan.Downloader) -> No action taken. [5B2C34AC11E01536D68F2EA461EFCAFE]

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\system32\termsrv.dll (Trojan.Downloader) -> No action taken. [5B2C34AC11E01536D68F2EA461EFCAFE]

I haven't deleted the files yet as it might cause trouble with my computer.

mbam_log_2010_03_15__02_37_00_.rar
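
The developer-mode log above, run through a small parser (an added example, not part of the original thread and not Malwarebytes' own tooling; the function names are hypothetical). It treats the bracketed 32-hex value as an opaque tag, since the thread does not say what it represents, checks that the summary counts agree with the listed entries, and groups the entries that share a tag:

```python
import re
from collections import defaultdict

# Constructed sample: lines copied from the developer-mode log quoted above.
SAMPLE_LOG = r"""
Memory Modules Infected: 1
Registry Keys Infected: 1
Registry Values Infected: 0
Files Infected: 1
Memory Modules Infected:
c:\WINDOWS\system32\termsrv.dll (Trojan.Downloader) -> No action taken. [5B2C34AC11E01536D68F2EA461EFCAFE]
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\termservice (Trojan.Downloader) -> No action taken. [5B2C34AC11E01536D68F2EA461EFCAFE]
Registry Values Infected:
(No malicious items detected)
Files Infected:
C:\WINDOWS\system32\termsrv.dll (Trojan.Downloader) -> No action taken. [5B2C34AC11E01536D68F2EA461EFCAFE]
"""

SUMMARY = re.compile(r"^(?P<section>[A-Za-z ]+) Infected: (?P<count>\d+)$")
HEADER = re.compile(r"^(?P<section>[A-Za-z ]+) Infected:$")
# object (threat) -> action [optional 32-hex tag, present only in the developer-mode log]
ENTRY = re.compile(r"^(?P<object>.+?) \((?P<threat>[^()]+)\) -> (?P<action>[^\[]+?)"
                   r"(?: \[(?P<tag>[0-9A-Fa-f]{32})\])?$")

def parse_mbam_log(text):
    """Return (summary counts per section, list of detection entries)."""
    counts, entries, section = {}, [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if m := SUMMARY.match(line):
            counts[m["section"]] = int(m["count"])
        elif m := HEADER.match(line):
            section = m["section"]
        elif section and (m := ENTRY.match(line)):
            entries.append({"section": section, **m.groupdict()})
    return counts, entries

def triage(text):
    """Compare summary counts with parsed entries; group entries sharing a tag."""
    counts, entries = parse_mbam_log(text)
    mismatched = sorted(s for s, n in counts.items()
                        if n != sum(e["section"] == s for e in entries))
    groups = defaultdict(list)
    for e in entries:
        # Assumption: with no tag (normal-mode log), fall back to the case-folded object name.
        groups[e["tag"] or e["object"].lower()].append(e["section"])
    return mismatched, dict(groups)

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

On this log the three entries collapse into one group: the file on disk, the same file loaded as a module, and the service key that carries the same tag.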


Sorry, I thought you meant compress the log file. Here's the termsrv.dll file on this computer.

Please get back to me if it's a virus or not so I can delete it off this computer.

termsrv.rar


There are a few infections replacing this file with modified or beta versions, and it looks like this is what happened here.

Attached to this post is the correct version of that file. Your 2 options are to replace your copy with the one attached to this post or to install SP3. I strongly recommend installing SP3.

termsrv.zip

Is that .dll file safe to delete without causing problems for the computer? I can't seem to find out what it's actually for.


I can't delete or overwrite the actual file itself; it's saying that it's either write protected or in use. Any suggestions?


I was able to overwrite the file in safe mode. And everything seems to be running smoothly now. Thanks for all the help guys!

Btw what was that file for anyway?


That was a hack to allow multiple logons in Windows XP, like in Windows Server. Are you saying that Malwarebytes is just reporting the fact that the file is not the original file and that a hack has been applied?

Or are you saying that the file actually does more than simply allow multiple logons, and downloads more malicious stuff?

Will the file you attached allow multiple simultaneous logins?


It is so frequently used by malware AND never appears in a normal install, so it is blocked. Geeks can use the ignore function :)

Hi there. I am having the same problem with my anti-malware detecting termsrv.dll as an infected file. How could I check to see if that file has been hacked or modified? My computer seems to freeze and I think it might be because of the infected termsrv.dll file. Can someone please help? Thanks
