SFC can't repair "corrupted" termsrv.dll. And Chrome links redirected?


  • This topic is locked
5 replies to this topic

#1 Mugsy323


Posted 08 March 2018 - 08:06 AM

I was stung by a nasty virus last weekend. I'm reasonably sure it's now gone but the damage remains.

 

For some reason, Windows (64bit Win7 Home) refuses to Shutdown or Reboot. Windows goes thru the normal shutdown process, Windows exits and the screen goes black, but my lights & fans continue to run. I must then hard power-off/reset to shutdown or reboot the PC.

 

This does NOT happen in Safe Mode or from Linux (Ubuntu), so it is NOT a hardware or BIOS issue.

 

I ran the SFC and it reports:

2018-03-08 05:59:53, Info                  CSI    0000019a [SR] Cannot repair member file [l:22{11}]"termsrv.dll" of Microsoft-Windows-TerminalServices-RemoteConnectionManager, Version = 6.1.7601.18637, pA = PROCESSOR_ARCHITECTURE_AMD64 (9), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, hash mismatch
2018-03-08 05:59:53, Info                  CSI    0000019d [SR] Cannot repair member file [l:22{11}]"termsrv.dll" of Microsoft-Windows-TerminalServices-RemoteConnectionManager, Version = 6.1.7601.18637, pA = PROCESSOR_ARCHITECTURE_AMD64 (9), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, hash mismatch
2018-03-08 05:59:53, Info                  CSI    0000019e [SR] This component was referenced by [l:160{80}]"Package_51_for_KB3003743~31bf3856ad364e35~amd64~~6.1.1.1.3003743-130_neutral_GDR"
2018-03-08 05:59:53, Info                  CSI    000001a1 [SR] Could not reproject corrupted file [ml:520{260},l:46{23}]"\??\C:\windows\System32"\[l:22{11}]"termsrv.dll"; source file in store is also corrupted

A bit of research tells me "termsrv.dll" is part of "Remote Desktop" (which I do not use.) I tried replacing "termsrv.dll" from an old backup (last November, older than I'd like to go back to now), but SFC still gives the same result. I'm not even sure "termsrv.dll" is related to my problem (but I'm guessing the inability to shutdown/restart is due to the computer not being able to sever a network connection.)

 

I use Firefox and everything seems to be okay, but moments ago I tried logging into BleepingComputer using Chrome and my BC links were redirected to a page on the BestBuy website, and I'm not sure how to fix that.

 

Some of the things the virus did was totally screw up my Permissions (which I thought I finally fixed, but maybe not) and it disabled both of my Optical Drives (which has also since been fixed.)

 

I use Avast Free AV, but it didn't say boo when this virus struck. I've since run the free Malwarebytes adware checker (which reported 213 PUPs... ALL of them false positives). A full CheckDisk likewise finds no problems.

 

The file that is supposedly corrupt, C:\Windows\System32\termsrv.dll, is 665KB, but a search of my C: drive finds a half-dozen other copies ranging from 665K to 671K, so I can't even verify if they are all good, all bad, or if they are even interchangeable. :(

 

I can't do a "Repair" from my Win7 CD because it is too old (pre-SP1 OEM) and says my copy of Win7 is "too new" to fix. And reinstalling Windows from scratch is NOT an option.

 

And before anyone asks, Yes, I DID check my Power Profile/Settings. This isn't my first rodeo. And how do I "fix" Chrome?

 

Any help is appreciated. TIA


Edited by hamluis, 08 March 2018 - 09:03 AM.
Moved from Win 7 to Am I Infected - Hamluis.
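
An added example, not part of the original post and not a BleepingComputer or Microsoft tool: a small Python parser for the `[SR]` lines that SFC writes to CBS.log, run over the four lines quoted in the post above. It collapses the repeated entries per file and records whether the log also reports the component-store source as corrupted, as the last quoted line does; the function and field names are assumptions.

```python
import re

# The four [SR] lines quoted in the post above, copied as-is.
CBS_LINES = r'''
2018-03-08 05:59:53, Info                  CSI    0000019a [SR] Cannot repair member file [l:22{11}]"termsrv.dll" of Microsoft-Windows-TerminalServices-RemoteConnectionManager, Version = 6.1.7601.18637, pA = PROCESSOR_ARCHITECTURE_AMD64 (9), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, hash mismatch
2018-03-08 05:59:53, Info                  CSI    0000019d [SR] Cannot repair member file [l:22{11}]"termsrv.dll" of Microsoft-Windows-TerminalServices-RemoteConnectionManager, Version = 6.1.7601.18637, pA = PROCESSOR_ARCHITECTURE_AMD64 (9), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, hash mismatch
2018-03-08 05:59:53, Info                  CSI    0000019e [SR] This component was referenced by [l:160{80}]"Package_51_for_KB3003743~31bf3856ad364e35~amd64~~6.1.1.1.3003743-130_neutral_GDR"
2018-03-08 05:59:53, Info                  CSI    000001a1 [SR] Could not reproject corrupted file [ml:520{260},l:46{23}]"\??\C:\windows\System32"\[l:22{11}]"termsrv.dll"; source file in store is also corrupted
'''.strip().splitlines()

CANNOT_REPAIR = re.compile(
    r'\[SR\] Cannot repair member file \[[^\]]*\]"(?P<file>[^"]+)" of '
    r'(?P<component>[^,]+), Version = (?P<version>[\d.]+),.*, (?P<reason>[^,]+)$')
REFERENCED_BY = re.compile(
    r'\[SR\] This component was referenced by \[[^\]]*\]"(?P<pkg>[^"]+)"')
REPROJECT = re.compile(
    r'\[SR\] Could not reproject corrupted file \[[^\]]*\]"(?P<dir>[^"]+)"\\'
    r'\[[^\]]*\]"(?P<file>[^"]+)"; (?P<reason>.+)$')
KB = re.compile(r'KB\d+')


def triage(lines):
    """Group SFC [SR] failures by file name (field names are assumptions)."""
    findings, last = {}, None
    for line in map(str.rstrip, lines):
        if m := CANNOT_REPAIR.search(line):
            # Repeated entries for the same file collapse into one record.
            last = findings.setdefault(m['file'].lower(), {
                'component': m['component'], 'version': m['version'],
                'store_reason': m['reason'], 'packages': set(),
                'live_path': None, 'store_source_corrupt': False})
        elif (m := REFERENCED_BY.search(line)) and last is not None:
            # Keep the KB number of the update that shipped the component.
            kb = KB.search(m['pkg'])
            last['packages'].add(kb.group() if kb else m['pkg'])
        elif m := REPROJECT.search(line):
            entry = findings.get(m['file'].lower())
            if entry is not None:
                entry['live_path'] = m['dir'].removeprefix('\\??\\') + '\\' + m['file']
                entry['store_source_corrupt'] = 'store is also corrupted' in m['reason']
    return findings
```
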




#2 buddy215


Posted 08 March 2018 - 10:55 AM

Best to check if malware is still at play. Start a new topic in the malware removal forum by following the directions below.

 

Please follow the instructions in the Malware Removal and Log Section Preparation Guide starting at Step 6.

  • If you cannot complete a step, then skip it and continue with the next.
  • In Step 6 there are instructions for downloading and running FRST which will create two logs.

When you have done that, post your logs in the Virus, Trojan, Spyware, and Malware Removal Logs forum, NOT here, for assistance by the Malware Response Team.

Start a new topic, give it a relevant title and post your log(s) along with a brief description of your problem, a summary of any anti-malware tools you have used and a summary of any steps that you have performed on your own. If you cannot produce any of the required logs...start the new topic anyway. Explain that you followed the Prep. Guide, were unable to create the logs, and describe what happened when you tried to create them. A member of the Malware Removal Team will walk you through, step by step, on how to clean your computer.

After doing this, please reply back in this thread with a link to the new topic so we can close this one.

 

DO NOT bump your new topic. Wait for a response from one of the Team Members.


“Every atom in your body came from a star that exploded and the atoms in your left hand probably came from a different star than your right hand. It really is the most poetic thing I know about physics...you are all stardust.” Lawrence M. Krauss
A 1792 U.S. penny, designed in part by Thomas Jefferson and George Washington, reads “Liberty Parent of Science & Industry.”

#3 Mugsy323


Posted 08 March 2018 - 12:32 PM


Thanks for the reply. I've scanned my computer with Avast, Malwarebytes (which found a zillion false positive PUP's) and now "Spybot's Search & Destroy", none of which are finding any active infection. So I don't think posting in a "Virus, etc Removal Forum" will draw the kind of support I need. :(

 

But I'll remove this post this evening if my problem isn't something that can be solved here.

PS: I ran FRST and created the logs.



#4 buddy215


Posted 08 March 2018 - 12:40 PM

Up to you....I still suggest you post those FRST logs in the malware removal forum. If you do, those responding are volunteers offering their expert service for free.

 

I've never seen "a zillion" false positive PUPs in hundreds of Malwarebytes scans....finding one is unusual.



#5 Mugsy323


Posted 08 March 2018 - 01:46 PM


Thanks. I'll post the logs in the other forum.

 

Malwarebytes reported 213 PUPs. Every disc scanning utility, registry fixer... just about every disk utility that can access parts of your disk or Registry that an "ordinary" program wouldn't, got flagged. Every old "XP" era utility ("XP Power Tools", etc) was flagged. I forget all of the files that were flagged, but nearly all were of that ilk. Mostly backups of old setup programs. Nothing that wasn't from a trusted source. Nothing in a protected folder on the C: drive. :unsure:

 

Thx.



#6 boopme


Posted 09 March 2018 - 10:41 AM

New topic
https://www.bleepingcomputer.com/forums/t/672648/cant-shutdown-or-reboot-from-windows-following-infection/

Now that your log is properly posted, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a Malware Removal Team member, nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.
From this point on the Malware Removal Team should be the only members that you take advice from, until they have verified your log as clean.
Please be patient. It may take a while to get a response because the Malware Removal Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the Malware Removal Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another MRL Team member is already assisting you and not open the thread to respond.
The current wait time is 1 - 3 days and ALL logs are answered.
If HelpBot replies to your topic, PLEASE follow Step One so it will report your topic to the team members.
To avoid confusion, I am closing this topic.