TR/Aphex.030.B

Discussion in 'Trojan Defence Suite' started by hendricus, Jun 25, 2003.

Thread Status:
Not open for further replies.
  1. hendricus

    hendricus Registered Member

    Joined:
    Mar 5, 2003
    Posts:
    35
    Location:
    Vorden, the Netherlands
    When I want to run TDS3, the following messages appear on my screen:
    c:\tds3\xdynamic\tds.cfg\scanctrl.cfg was missing but has been restored by DCS file protection system
    c:\tds3\xdynamic\tds.cfg\sockets.cfg was missing but has been restored by DCS file protection system
    c:\tds3\xdynamic\tds.cfg\sockopt.cfg was missing but has been restored by DCS file protection system
    c:\tds3\xdynamic\tds.cfg\crcfiles.txt was missing but has been restored by DCS file protection system
    c:\tds3\tds3.kf was missing but has been restored by DCS file protection system
    Each message has an OK button to make it disappear.
    After that, the TDS screen appears and the same sequence follows!
    Pressing OK makes the messages disappear, and then TDS3 runs without giving any alerts!

    In my virus scanner the following messages show up:
    25-6-2003,13:03 WARNING: AVGuard detected a problem in the file
    C:\DOCUMENTS AND SETTINGS\USER01\APPLICATION DATA\MICROSOFT\PROTECT\S-1-5-21-1390067357-1957994488-854245398-1003\PREFERRED
    INFO: This executable has an invalid start address!
    25-6-2003,13:04 WARNING: The Trojan horse TR/Aphex.030.B!
    C:\TDS3\DCSFPS.DLL
    File has been deleted!
    25-6-2003,13:24 WARNING: The Trojan horse TR/Aphex.030.B!
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{F973F5D6-89CE-46AF-855E-44DF9B5B32AF}\RP68\A0016677.DLL
    File has been moved to quarantine directory!
    25-6-2003,13:25 WARNING: The Trojan horse TR/Aphex.030.B!
    C:\TDS3\EXT.PLUG\NBSRVEM.EXE
    File has been moved to quarantine directory!
    25-6-2003,13:25 WARNING: The Trojan horse TR/Aphex.030.B!
    C:\TDS3\EXT.PLUG\SMTP.EXE
    File has been moved to quarantine directory!
    I tried a few times to start TDS3, but every time the described procedure follows.
    What's wrong here?
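The report quoted in the post above is the kind of thing a practitioner triages before deciding whether a scanner verdict is real: which files were touched, whether they were deleted (unrecoverable) or quarantined (recoverable), and whether any of them belong to another security product's install tree, because a wrong verdict there silently disables that product. The following is an added example, not code from the original post or from AntiVir or DCS; the log format it parses is modelled on the lines quoted above, the sample log is constructed, and the function names and the `C:\TDS3` tool directory are assumptions for illustration.

```python
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import List, Optional

# Header line of an AVGuard-style report entry, e.g.
#   25-6-2003,13:04 WARNING: The Trojan horse TR/Aphex.030.B!
# It is followed by one line carrying the path and one line carrying
# the action taken (deleted, quarantined) or an INFO detail.
HEADER = re.compile(
    r"^(?P<date>\d{1,2}-\d{1,2}-\d{4}),(?P<time>\d{1,2}:\d{2}) "
    r"(?P<level>[A-Z]+): (?P<text>.*)$"
)
DETECTION = re.compile(r"The Trojan horse (?P<name>\S+)!")


@dataclass
class AvEvent:
    timestamp: str
    level: str
    detection: Optional[str]  # malware name, or None for plain problem/INFO entries
    path: str
    action: str


def parse_avguard_log(text: str) -> List[AvEvent]:
    """Group the three-line entries of the report into AvEvent records.
    Lines that do not form a complete entry are skipped rather than guessed at."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    events: List[AvEvent] = []
    i = 0
    while i < len(lines):
        m = HEADER.match(lines[i])
        if not m or i + 2 >= len(lines):
            i += 1
            continue
        det = DETECTION.search(m.group("text"))
        events.append(AvEvent(
            timestamp=f"{m.group('date')} {m.group('time')}",
            level=m.group("level"),
            detection=det.group("name") if det else None,
            path=lines[i + 1],
            action=lines[i + 2],
        ))
        i += 3
    return events


def is_under(path: str, directory: str) -> bool:
    """Case-insensitive 'path lies inside directory' test for Windows paths."""
    p = PureWindowsPath(path.lower())
    return PureWindowsPath(directory.lower()) in p.parents


def flag_security_tool_hits(events: List[AvEvent], tool_dirs: List[str]) -> List[AvEvent]:
    """Detections whose target lives inside another security product's install
    tree (tool_dirs is an assumed list, e.g. [r'C:\TDS3']). Those are the ones
    to verify against the vendor (hashes, signatures) before accepting the verdict."""
    return [ev for ev in events
            if ev.detection is not None and any(is_under(ev.path, d) for d in tool_dirs)]


def count_actions(events: List[AvEvent]) -> dict:
    """How many files the scanner deleted versus quarantined: quarantined files
    can be restored once a false positive is confirmed, deleted ones cannot."""
    counts = {"deleted": 0, "quarantined": 0, "other": 0}
    for ev in events:
        a = ev.action.lower()
        if "deleted" in a:
            counts["deleted"] += 1
        elif "quarantine" in a:
            counts["quarantined"] += 1
        else:
            counts["other"] += 1
    return counts


# Constructed sample, modelled on the report lines quoted in the post above.
SAMPLE_LOG = r"""
25-6-2003,13:03 WARNING: AVGuard detected a problem in the file
C:\DOCUMENTS AND SETTINGS\USER01\APPLICATION DATA\MICROSOFT\PROTECT\S-1-5-21-1390067357-1957994488-854245398-1003\PREFERRED
INFO: This executable has an invalid start address!
25-6-2003,13:04 WARNING: The Trojan horse TR/Aphex.030.B!
C:\TDS3\DCSFPS.DLL
File has been deleted!
25-6-2003,13:24 WARNING: The Trojan horse TR/Aphex.030.B!
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F973F5D6-89CE-46AF-855E-44DF9B5B32AF}\RP68\A0016677.DLL
File has been moved to quarantine directory!
25-6-2003,13:25 WARNING: The Trojan horse TR/Aphex.030.B!
C:\TDS3\EXT.PLUG\NBSRVEM.EXE
File has been moved to quarantine directory!
25-6-2003,13:25 WARNING: The Trojan horse TR/Aphex.030.B!
C:\TDS3\EXT.PLUG\SMTP.EXE
File has been moved to quarantine directory!
"""

if __name__ == "__main__":
    evs = parse_avguard_log(SAMPLE_LOG)
    print(count_actions(evs))
    for ev in flag_security_tool_hits(evs, [r"C:\TDS3"]):
        print(f"{ev.timestamp} {ev.detection} -> {ev.path} ({ev.action})")
```

On the sample this reports one deletion and three quarantines, and flags the three hits under `C:\TDS3`; the hit inside a System Restore snapshot is the same DLL again, so the triage question reduces to a single file family to check with the vendor. Note that the one deleted file is exactly the one that cannot be restored from quarantine, which is why the thread ends in a reinstall.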
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi Hendricus,

    Please go to http://www.tomcoyote.org/hjt/, and download 'Hijack This!'.
    Unzip, double-click HijackThis.exe, and hit "Scan".
    Be sure to get the latest version (1.95), since that also lists running processes.

    When the scan is finished, the "Scan" button will change into a "Save Log" button.
    Press that, save the log as a .txt file, and copy and paste its contents into your next post.

    Most of what it lists will be harmless, so do not fix anything yet.

    Regards,

    Pieter
     
  3. hendricus
    Hi Pieter, here's my log:
    Logfile of HijackThis v1.95.0
    Scan saved at 15:49:19, on 25-6-2003
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\TrayIcon.exe
    C:\Program Files\AVPersonal\AVGNT.EXE
    C:\Program Files\AVPersonal\AVSched32.EXE
    C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
    C:\Program Files\AVPersonal\AVGUARD.EXE
    C:\Program Files\AVPersonal\AVWUPSRV.EXE
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\system32\pctspk.exe
    C:\WINDOWS\system32\ZONELABS\vsmon.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\System32\DllHost.exe
    C:\Documents and Settings\User01\Local Settings\Temporary Internet Files\Content.IE5\KNBNM85L\hijackthis[1]\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page=C:\WINDOWS\System32\blank.htm
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {7559B76E-0222-4d77-9499-CCE9EB4EDC2F} - C:\PROGRA~1\AdShield\AdShield\AdShield.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
    O4 - HKLM\..\Run: [DisplayTrayIcon] C:\WINDOWS\System32\TrayIcon.exe
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [AVGCtrl] C:\Program Files\AVPersonal\AVGNT.EXE /min
    O4 - HKLM\..\Run: [AVSCHED32] C:\Program Files\AVPersonal\AVSched32.EXE /min
    O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
    O8 - Extra context menu item: &Maintain Block List... - C:\PROGRA~1\AdShield\AdShield\maintain.htm
    O8 - Extra context menu item: Add to &Block List... - C:\PROGRA~1\AdShield\AdShield\suppress.htm
    O8 - Extra context menu item: Add to &Exclude List... - C:\PROGRA~1\AdShield\AdShield\restrict.htm
    O8 - Extra context menu item: AdShield Option &Settings... - C:\PROGRA~1\AdShield\AdShield\settings.htm
    O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O9 - Extra button: AdShield (HKCU)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://active.macromedia.com/director/cabs/sw.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {FE8287E9-5F43-11D3-ABCA-00105A5C1F46} (HouseCall Control) - http://www.housecall.nl/housecall/xscan4.cab
     
  4. Pieter_Arntz
    Hi Hendricus,

    I don't see anything wrong in your log.
    Since I can't tell you what the TDS files are for, I'm moving this thread to their dedicated forum.

    Help is on its way. ;)

    Regards,

    Pieter
     
  5. hendricus
    Thanks, Pieter! I know help is on its way!
    Some supplementary info: Housecall and Spybot found nothing; AdAware showed the following message: AVGuard detected the virus c:\docume~1\user1\locals~1\temp\16491753251 in file the trojan horse TR/Aphex.030B.
    All this mess started with an update for Antivir. Could it be possible that.... :p
     
  6. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    That NetBus emulator is one of the TDS plugins and in no way the NetBus server or any other infection.
    The other files are system files, and even your key file (!!!) for TDS, and all perfectly valid.
    You had better alert Antivir to their false positives; they should be really grateful for that alert.
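The files the scanner removed were part of TDS itself, and TDS's own "DCS file protection system" noticed they were gone and restored them. The general mechanism behind that is a file-integrity manifest: record the size and a cryptographic digest of every file of a known-good install, then on start-up compare the tree against the manifest and report what is missing or altered. What follows is an added example of that mechanism, not DCS's or TDS's own code (the thread mentions a `crcfiles.txt`, but its format is not shown here and is not reproduced); the directory layout, file names and contents in `demo()` are constructed to mirror the two conditions reported in this thread, a DLL deleted by the scanner and a plugin left as a 0 KB file, and the function names are assumptions.

```python
import hashlib
import json
import tempfile
from pathlib import Path
from typing import Dict


def file_digest(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> Dict[str, dict]:
    """Record size and digest of every file under root, keyed by relative POSIX path."""
    return {
        p.relative_to(root).as_posix(): {"size": p.stat().st_size, "sha256": file_digest(p)}
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def verify_manifest(root: Path, manifest: Dict[str, dict]) -> Dict[str, list]:
    """Classify each manifest entry as ok, missing (file gone) or modified
    (size or digest differs, which also catches a file truncated to 0 bytes)."""
    report: Dict[str, list] = {"ok": [], "missing": [], "modified": []}
    for rel, expected in manifest.items():
        p = root / rel
        if not p.is_file():
            report["missing"].append(rel)
        elif p.stat().st_size != expected["size"] or file_digest(p) != expected["sha256"]:
            report["modified"].append(rel)
        else:
            report["ok"].append(rel)
    return report


def demo() -> Dict[str, list]:
    """Build a constructed install tree, snapshot it, then reproduce the two
    conditions reported in this thread (a file removed, a plugin left 0 bytes)
    and return what verification says about them."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "ext.plug").mkdir()
        # Constructed placeholder contents; only the file names echo the thread.
        (root / "tds3.kf").write_bytes(b"constructed key file")
        (root / "dcsfps.dll").write_bytes(b"MZ" + bytes(range(64)))
        (root / "ext.plug" / "nbsrvem.exe").write_bytes(b"MZ" + bytes(64))

        manifest = build_manifest(root)
        # The manifest must live somewhere the same process cannot delete it
        # (read-only media, a signed file, another host); here it stays in
        # memory. Round-trip it through JSON to show the artefact format.
        manifest_json = json.dumps(manifest, indent=2, sort_keys=True)
        assert json.loads(manifest_json) == manifest

        (root / "dcsfps.dll").unlink()                        # scanner deleted it
        (root / "ext.plug" / "nbsrvem.exe").write_bytes(b"")  # left as a 0-byte stub
        return verify_manifest(root, manifest)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two caveats the thread itself illustrates. First, the manifest is only as trustworthy as its storage: in the opening post `crcfiles.txt` was itself among the files reported missing, so a manifest kept next to the files it protects can be removed together with them, and a real implementation keeps a second copy somewhere the scanner or an attacker cannot reach. Second, a passing check means "unchanged since the snapshot", not "benign"; whether the snapshot was clean is a separate question, which is why the false positive still had to be confirmed with the scanner vendor rather than inferred from TDS restoring its files.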
     
  7. Pieter_Arntz
    Hi Hendricus,

    You mean during an AdAware scan this message from AV came up?
    It should give you no problems to completely clean out your Temp folder.
    It is certainly worth a try. Boot into safe mode, empty the Temp folder and see if all goes well.
    Maybe you will have the same routine once more, because TDS has to recover its files.

    Regards,

    Pieter
     
  8. hendricus
    @ Jooske
    Hi, I will certainly inform Antivir about this!
    But [blush] what exactly is that NetBus emulator you mentioned? [unblush]
    Since the message stated "...was missing but has been restored by DCS file protection system", I wonder how these files and the key file will be put back?
    @ Pieter
    Hi, I will do this a few times to see what happens.

    Thanks to both of you for now.
     
  9. DolfTraanberg

    DolfTraanberg Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    676
    Location:
    Amsterdam
    From the TDS HelpFile:
    Dolf
     
  10. Pieter_Arntz
    Hi Hendricus,

    I'm sorry, I was unclear. I didn't mean you had to clean out the Temp folder several times. All I meant to say was: clean out the Temp folder, and the next time you start TDS you will have to go through that routine of recovering files again (hopefully only once).

    Regards,

    Pieter
     
  11. Jooske
    You might prefer to go back to the former Antivir database as well, if possible.
    Clean all caches, IE caches, all that.
    System Restore? If it continues, disable that, reboot, see if all is clean, then enable System Restore and manually make a new restore point.
    The key file you might have to retrieve from your registration email and put back in TDS.
    If you can't find it, email DCS and they'll send you a new one.
    If it's still troubling you, you might like to uninstall and reinstall TDS from a fresh download (don't forget to grab the scripts separately then!) -- if you didn't recently get the last TDS update with very small fixes, it's not really worth the trouble if TDS is working fine and you can live without F5 jumping you into the DCS forums.

    Hey, wait a moment, why all the trouble if you have System Restore? Going back to before yesterday should bring you back to the "clean" situation, wouldn't it?

    Hihihi, 4 Dutchies here, all writing English... :D
     
  12. hendricus
    @ Dollefie:
    Hi, is that nbsrvem.exe /install ?

    @ Pieter,
    Hi, I scanned twice with Antivir and it shows no virus alerts anymore.
    Removing the temp folder didn't change anything; I still get these messages popping up.

    @ Jooske,
    Hi, I thought about a System Restore. Wait and see what happens.
     
  13. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Jooske, I think your way, using System Restore, will be the best idea, whilst Hendricus should also inform the AV vendor about a possible false positive.

    BTW I'm English and appear to write double dutch! :eek:
     
  14. DolfTraanberg
    Yes
    Dolf
     
  15. Jooske
    What kept you so long to jump in, Alan?

    Teach me that DD please! :p
    Heineken, Amstel, Grolsch, Brand, Bavaria, all single names :(
    Not that i drink it.

    That nbsvrem.exe needs to be installed.
    From the TDS Helpfile:
    "NOTE: The plugin has to be initially installed. Go to MS-DOS prompt then go to the Plugins directory.
    type in:
    nbsrvem.exe /install"
     
  16. hendricus
    Well, for the first time since I installed XP Pro, it refuses to perform a System Restore.
    I'm going to do the following: uninstall and reinstall TDS3, uninstall Antivir and not reinstall it (install AVG or avast! 4 instead), and inform Antivir.
     
  17. hendricus
    On our nice Dutch helpdesk helpmij.nl we often state that stupid questions don't exist. Well, here I try one: how do I do this: "NOTE: The plugin has to be initially installed. Go to MS-DOS prompt then go to the Plugins directory.
    type in:
    nbsrvem.exe /install" .
     
  18. DolfTraanberg
    Start > Run (Uitvoeren) > cmd > Enter
    CD \Program Files\TDS (or whatever location you have) > Enter
    CD Ext.Plug > Enter
    nbsrvem.exe /install > Enter
    QUIT > Enter
    Dolf
     
  19. hendricus
    This is not going the way I want it. See the attachment:

    - Trimmed white-space off image to fix thread width - LWM
     
  20. Jooske
    Not nice!
    Or was it installed already?
    Maybe it works well from
    Windows START > Run (Uitvoeren) >
    Browse (Bladeren) for TDS3 > Ext.plug > nbsvrem.exe > Open > after what you'll now have in the path,
    type /install so you get
    c:\tds3\ext.plug\nbsvrem.exe /install
    OK
    Hope it works then.
     
  21. hendricus
    The file is already installed but contains 0 KB. I removed it and then repeated the procedure. It still doesn't work. I put the empty file back. What next?
    BTW Jooske, the file itself is called nbsrvem :)
     
  22. hendricus
    I uninstalled and reinstalled TDS3.
    I uninstalled Antivir and installed Grisoft AVG.
    Both successfully.
    The problems described earlier have disappeared.
    I thank you all for your support. Till next time.
     
  23. Pieter_Arntz
    Nice job, hendricus.

    Let us know about Antivir's response.

    Regards,

    Pieter
     
  24. Pilli
    Hendricus that is good to hear! :D

    Jooske, English politicians & drunks speak double Dutch naturally :p
    I have been rather busy clearing out ready for the plumbers on Friday, just jumping in when I get a free moment or two.
     
  25. hendricus
    Is it that simple?
    The Antivir crew admits that in VDF version 6200016 a false positive ("ein Fehlalarm", a false alarm) was active. The newest VDF version 6201018 successfully dealt with that problem, so they say.
    That's good to know, but I'll stick to Grisoft ;)
     