unable to run tds-3 after install
Jim Moore
April 2nd, 2004, 07:05 PM
I have been unable to successfully run TDS.
I set it up and tried to run it and nothing happens,
except in the Windows Task Manager it shows it as running.
I uninstalled and reinstalled twice with the same results.
I even downloaded the setup file twice to be sure.
Setup goes fine, with no errors, and cues to reboot to complete, and yet the icon to execute the program still seems to do nothing... hmmmmm
TheQuest
April 2nd, 2004, 08:08 PM
Hi, Jim Moore
Welcome to Wilder's and DCS.
You say it is not running. What do you mean?
Have you any icons showing? Is it in the program start list? Is it in C:\Program Files? What OS do you have?
Please give as much information as possible, as the more you give the easier it will be to help you.
TheQuest 8)
Jim Moore
April 2nd, 2004, 09:04 PM
If I open the program from anywhere, the start menu or the "C:\Program Files\TDS3\tds-3.exe" nothing appears to happen except that Windows Task Manager shows the TDS application and the process tds-3.exe as running.
I have Windows XP Pro
I downloaded the TDS3 program from the http://tds.diamondcs.com.au/ site
and I have emailed their support about the problem as well.
Thanks for any help.
Gavin - DiamondCS
April 3rd, 2004, 12:24 AM
Hi,
Please see this page
http://tds.diamondcs.com.au/index.php?page=files
It should solve your problem
Jim Moore
April 3rd, 2004, 02:04 AM
I downloaded the runtime update (service pack 5) and checked all the .ocx files in system32; mine are all the same as the ones listed, except my TABCTL32.ocx is a newer version, 6.0.90.43.
The Windows Task Manager shows the TDS application and the tds-3.exe process running, but
other than that nothing happens when I open it.
Thanks
dvk01
April 3rd, 2004, 03:13 AM
If I can give a little background here:
I advised Jim to try TDS because he posted in another forum with a problem, I think it was TSG, which is down for maintenance this weekend, so I can't trace the thread,
but basically there were strange, apparently M$ IE files being installed on a run-once basis in the HJT log.
They look like IE updates but on a search showed as IE 3 versions, so I started to suspect a trojan & suggested TDS, which won't start, so that makes me even more suspicious.
Jooske
April 3rd, 2004, 03:45 AM
I've seen this once with another XP user before my own eyes.
First: did you reboot after installing TDS?
The other person had his taskbar locked, so the icon could not be placed there, and I saw TDS running in the task manager only.
After unlocking the taskbar and rebooting, TDS showed up normally on that system.
If you get that far, in the configuration select TDS to start up normally and minimize to the systray, so the icon functions as quick launch.
Hope there is no infection responsible here, now that the system files including the VB6 runtimes all seem to be up to date......... fingers crossed here!
Jim, if the above doesn't make any positive changes, can you please be so kind as to post the HJT log again over here? Thanks a lot!
Jim Moore
April 3rd, 2004, 02:59 PM
Thanks for your help guys!
The taskbar is not locked and I did reboot after each installation of TDS. It still only shows as running in Taskmanager.
Here is the original HJT report
Logfile of HijackThis v1.97.5
Scan saved at 1:13:25 AM, on 4/2/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Norton SystemWorks\Norton Speed Disk\nopdb.exe
C:\WINDOWS\System32\svchost.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\System32\shpc32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Messenger\msmsgs.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\PROGRA~1\Netscape\Netscape\Netscp.exe
C:\PROGRAM FILES\WINRAR\WinRAR.exe
C:\DOCUME~1\default\LOCALS~1\Temp\Rar$EX00.u20\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://if.searchcentrix.com/sidecat.jsp?p=98567&appid=21&id=162805681169861
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dogpile.com/index.gsp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://charter.msn.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://if.searchcentrix.com/sidecat.jsp?p=98567&appid=21&id=162805681169861
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Charter featuring MSN
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - C:\WINDOWS\bi.dll
O2 - BHO: Recommended Hotfix - {0421701D-CF13-4E70-ADF0-45A953E7CB8B} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {08351227-6472-43BD-8A40-D9221FF1C4CE} - C:\WINDOWS\Downloaded Program Files\SbCIe027.dll
O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-DFF7-EC6BF4D5FA7D} - C:\WINDOWS\gsim.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [SHPC32] shpc32.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\Netscape\Netscape\Netscp.exe" -turbo
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O9 - Extra button: AOL Instant Messenger (SM) (HKLM)
O9 - Extra button: Print Favorites (HKLM)
O9 - Extra 'Tools' menuitem: Print &Favorites... (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {C72242D0-3AB5-453D-842C-8A3C9AC0838D} - http://download.sidestep.com/get/k00719/sb027.cab
O16 - DPF: {CAFEEFAC-0014-0001-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_01) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab
Also, I have run about 10 different virus scans; only one, RAV Scan, showed I had viruses, but they look like ones that were previously cleaned by the McAfee online virus scan, these system files:
C:\cpqdrv\PATCHES\DOS1111.BAT - BAT/RBTG.gen* -> Infected
D:\CPQS\PATCHES\DOS1111.BAT - BAT/RBTG.gen* -> Infected
And the rest of them I think are old emails I never opened but never deleted. Here is the report of the scan:
Scan started at 4/2/2004 1:21:50 AM
Scanning memory...
Scanning boot sectors...
Scanning files...
C:\Program Files\Opera\Mail\MAINback\Inbox.MBS->(part0075:)->(IFRAME0000) - HTML/IFrame_Exploit* -> Infected
C:\Program Files\Opera\Mail\MAINback\Inbox.MBS->(part0076:My Money.mny.scr) - Win32/Bugbear.A@mm -> Infected
C:\Program Files\Opera\Mail\MAINback\Inbox.MBS->(part0290:)->(IFRAME0000) - HTML/IFrame_Exploit* -> Infected
C:\Program Files\Opera\Mail\MAINback\Inbox.MBS->(part0291:image.scr) - Win32/Bugbear.A@mm -> Infected
C:\Program Files\Opera\Mail\MAINback\Inbox.MBS->(part0542:)->(IFRAME0000) - HTML/IFrame_Exploit* -> Infected
C:\Program Files\Opera\Mail\MAINback\Trash.MBS->(IFRAME0000) - HTML/IFrame_Exploit* -> Infected
C:\Program Files\Opera\Mail\MAINback\Trash.MBS->(IFRAME0001) - HTML/IFrame_Exploit* -> Infected
C:\Program Files\Opera\Mail\MAINback\Trash.MBS->(IFRAME0002) - HTML/IFrame_Exploit* -> Infected
C:\Program Files\Opera\Mail\MOORETHEMERRIER\Inbox.MBS->(part0075:)->(IFRAME0000) - HTML/IFrame_Exploit* -> Infected
C:\Program Files\Opera\Mail\MOORETHEMERRIER\Inbox.MBS->(part0076:My Money.mny.scr) - Win32/Bugbear.A@mm -> Infected
C:\Program Files\Opera\Mail\MOORETHEMERRIER\Inbox.MBS->(part0290:)->(IFRAME0000) - HTML/IFrame_Exploit* -> Infected
C:\Program Files\Opera\Mail\MOORETHEMERRIER\Inbox.MBS->(part0291:image.scr) - Win32/Bugbear.A@mm -> Infected
C:\cpqdrv\PATCHES\DOS1111.BAT - BAT/RBTG.gen* -> Infected
C:\Documents and Settings\default\Application Data\Identities\{DA1AECA8-3C74-400A-922A-B2A1BB127BDC}\Microsoft\Outlook Express\Drafts.dbx->Message.13: ("Jim and Cheryl Moore" [])->(NameExploit*) - MIME/NameExploit* -> Suspicious
C:\Documents and Settings\default\Application Data\Identities\{DA1AECA8-3C74-400A-922A-B2A1BB127BDC}\Microsoft\Outlook Express\Deleted Items.dbx->Message.2289: (Untitled)->(Invalid#1*) - MIME/Invalid#1 -> Suspicious
C:\Documents and Settings\default\Application Data\Identities\{DA1AECA8-3C74-400A-922A-B2A1BB127BDC}\Microsoft\Outlook Express\Deleted Items.dbx->Message.2231: ("Auction Travel, Inc." [Auction Travel, Inc.])->(Invalid#1*) - MIME/Invalid#1 -> Suspicious
C:\Documents and Settings\default\Application Data\Identities\{DA1AECA8-3C74-400A-922A-B2A1BB127BDC}\Microsoft\Outlook Express\Deleted Items.dbx->Message.1670: ("Auction Travel, Inc." [Auction Travel, Inc.])->(Invalid#1*) - MIME/Invalid#1 -> Suspicious
C:\Documents and Settings\default\Application Data\Identities\{DA1AECA8-3C74-400A-922A-B2A1BB127BDC}\Microsoft\Outlook Express\Deleted Items.dbx->Message.1663: ("Auction Travel, Inc." [Auction Travel, Inc.])->(Invalid#1*) - MIME/Invalid#1 -> Suspicious
C:\Documents and Settings\default\Application Data\Identities\{DA1AECA8-3C74-400A-922A-B2A1BB127BDC}\Microsoft\Outlook Express\Deleted Items.dbx->Message.1661: ("Auction Travel, Inc." [Auction Travel, Inc.])->(Invalid#1*) - MIME/Invalid#1 -> Suspicious
C:\Documents and Settings\default\Application Data\Identities\{DA1AECA8-3C74-400A-922A-B2A1BB127BDC}\Microsoft\Outlook Express\Deleted Items.dbx->Message.1650: ("Auction Travel, Inc." [Auction Travel, Inc.])->(Invalid#1*) - MIME/Invalid#1 -> Suspicious
C:\Documents and Settings\default\Application Data\Identities\{DA1AECA8-3C74-400A-922A-B2A1BB127BDC}\Microsoft\Outlook Express\Deleted Items.dbx->Message.1646: ("Auction Travel, Inc." [Auction Travel, Inc.])->(Invalid#1*) - MIME/Invalid#1 -> Suspicious
C:\Documents and Settings\default\Application Data\Identities\{DA1AECA8-3C74-400A-922A-B2A1BB127BDC}\Microsoft\Outlook Express\Deleted Items.dbx->Message.1586: ("Auction Travel, Inc." [Auction Travel, Inc.])->(Invalid#1*) - MIME/Invalid#1 -> Suspicious
C:\Documents and Settings\default\Application Data\Identities\{DA1AECA8-3C74-400A-922A-B2A1BB127BDC}\Microsoft\Outlook Express\Deleted Items.dbx->Message.1578: ("Auction Travel, Inc." [Auction Travel, Inc.])->(Invalid#1*) - MIME/Invalid#1 -> Suspicious
C:\Documents and Settings\default\Application Data\Identities\{DA1AECA8-3C74-400A-922A-B2A1BB127BDC}\Microsoft\Outlook Express\Deleted Items.dbx->Message.1570: ("Auction Travel, Inc." [Auction Travel, Inc.])->(Invalid#1*) - MIME/Invalid#1 -> Suspicious
C:\Documents and Settings\default\Application Data\Identities\{DA1AECA8-3C74-400A-922A-B2A1BB127BDC}\Microsoft\Outlook Express\Deleted Items.dbx->Message.1345: ("BizRate.com Weekly Special Offers" [Love Is... Super Savings])->(part0003:)->(Invalid#1*) - MIME/Invalid#1 -> Suspicious
C:\Documents and Settings\default\Application Data\Identities\{DA1AECA8-3C74-400A-922A-B2A1BB127BDC}\Microsoft\Outlook Express\Deleted Items.dbx->Message.1261: ("Auction Travel, Inc." [Auction Travel, Inc.])->(Invalid#1*) - MIME/Invalid#1 -> Suspicious
C:\Documents and Settings\default\Application Data\Identities\{DA1AECA8-3C74-400A-922A-B2A1BB127BDC}\Microsoft\Outlook Express\Deleted Items.dbx->Message.973: ("Auction Travel, Inc." [Auction Travel, Inc.])->(Invalid#1*) - MIME/Invalid#1 -> Suspicious
C:\Documents and Settings\default\Application Data\Identities\{DA1AECA8-3C74-400A-922A-B2A1BB127BDC}\Microsoft\Outlook Express\Deleted Items.dbx->Message.968: ("Auction Travel, Inc." [Auction Travel, Inc.])->(Invalid#1*) - MIME/Invalid#1 -> Suspicious
C:\Documents and Settings\default\Application Data\Identities\{DA1AECA8-3C74-400A-922A-B2A1BB127BDC}\Microsoft\Outlook Express\Deleted Items.dbx->Message.830: ("Auction Travel, Inc." [Auction Travel, Inc.])->(Invalid#1*) - MIME/Invalid#1 -> Suspicious
C:\Documents and Settings\default\Application Data\Identities\{DA1AECA8-3C74-400A-922A-B2A1BB127BDC}\Microsoft\Outlook Express\Deleted Items.dbx->Message.642: (Untitled)->(Invalid#1*) - MIME/Invalid#1 -> Suspicious
C:\Documents and Settings\default\Application Data\Identities\{DA1AECA8-3C74-400A-922A-B2A1BB127BDC}\Microsoft\Outlook Express\Deleted Items.dbx->Message.640: (Untitled)->(Invalid#1*) - MIME/Invalid#1 -> Suspicious
C:\Documents and Settings\default\Application Data\Identities\{DA1AECA8-3C74-400A-922A-B2A1BB127BDC}\Microsoft\Outlook Express\Deleted Items.dbx->Message.31: (Untitled)->(Invalid#1*) - MIME/Invalid#1 -> Suspicious
C:\Documents and Settings\default\Application Data\Identities\{DA1AECA8-3C74-400A-922A-B2A1BB127BDC}\Microsoft\Outlook Express\quarantine.dbx->Message.22: (admin@CHARTER.NET [your account bcobehre])->(part0001:message.zip)->message.... - Win32/Mimail.A@mm -> Infected
C:\Documents and Settings\default\Application Data\Opera\Opera7\Mail\storage\mbox67.mbs->(Invalid#1*) - MIME/Invalid#1 -> Suspicious
C:\Documents and Settings\default\Application Data\Opera\Opera7\Mail\storage\mbox103.mbs->(Invalid#1*) - MIME/Invalid#1 -> Suspicious
C:\Documents and Settings\default\Application Data\Opera\Opera7\Mail\storage\mbox139.mbs->(Invalid#1*) - MIME/Invalid#1 -> Suspicious
C:\Documents and Settings\default\Application Data\Opera\Opera7\Mail\storage\mbox175.mbs->(Invalid#1*) - MIME/Invalid#1 -> Suspicious
C:\Documents and Settings\default\Application Data\Opera\Opera7\Mail\storage\mbox211.mbs->(Invalid#1*) - MIME/Invalid#1 -> Suspicious
C:\Documents and Settings\default\Application Data\Opera\Opera7\Mail\storage\mbox246.mbs->(Invalid#1*) - MIME/Invalid#1 -> Suspicious
C:\Documents and Settings\default\Application Data\Opera\Opera7\Mail\storage\mbox251.mbs->(Invalid#1*) - MIME/Invalid#1 -> Suspicious
C:\Documents and Settings\CHERYL\Application Data\Opera\Opera7\Mail\storage\mbox1.mbs->(part0051:)->(IFRAME0000) - HTML/IFrame_Exploit* -> Infected
C:\Documents and Settings\CHERYL\Application Data\Opera\Opera7\Mail\storage\mbox1.mbs->(part0052:00[21].exe) - Win32/Klez.H@mm -> Infected
C:\Documents and Settings\CHERYL\Application Data\Opera\Opera7\Mail\storage\mbox1.mbs->(part0067:)->(IFRAME0000) - HTML/IFrame_Exploit* -> Infected
C:\Documents and Settings\CHERYL\Application Data\Opera\Opera7\Mail\storage\mbox1.mbs->(part0068:alt.bat) - Win32/Klez.H@mm -> Infected
C:\Documents and Settings\CHERYL\Application Data\Opera\Opera7\Mail\storage\mbox3.mbs->(part0015:)->(IFRAME0000) - HTML/IFrame_Exploit* -> Infected
C:\Documents and Settings\CHERYL\Application Data\Opera\Opera7\Mail\storage\mbox3.mbs->(part0016:2.10.bat) - Win32/Klez.H@mm -> Infected
D:\CPQS\PATCHES\DOS1111.BAT - BAT/RBTG.gen* -> Infected
Scanned
============================
***Objects: 62972
***Directories: 5358
***Archives: 2785
***Size(Kb): 376101
***Infected files: 21
Found
============================
***Viruses found: 6
***Suspicious files: 26
***Disinfected files: 0
***Mail files: 4269
Finally, here is the newest HJT report, with some new entries since yesterday.
Logfile of HijackThis v1.97.5
Scan saved at 11:19:49 AM, on 4/3/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Norton SystemWorks\Norton Speed Disk\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\shpc32.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Messenger\msmsgs.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\Netscape\Netscape\Netscp.exe
C:\PROGRAM FILES\WINRAR\WinRAR.exe
C:\DOCUME~1\default\LOCALS~1\Temp\Rar$EX0k.p30\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://if.searchcentrix.com/sidecat.jsp?p=98567&appid=21&id=162805681169861
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dogpile.com/index.gsp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://charter.msn.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://if.searchcentrix.com/sidecat.jsp?p=98567&appid=21&id=162805681169861
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Charter featuring MSN
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - C:\WINDOWS\bi.dll
O2 - BHO: Recommended Hotfix - {0421701D-CF13-4E70-ADF0-45A953E7CB8B} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {08351227-6472-43BD-8A40-D9221FF1C4CE} - C:\WINDOWS\Downloaded Program Files\SbCIe027.dll
O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-DFF7-EC6BF4D5FA7D} - C:\WINDOWS\gsim.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [SHPC32] shpc32.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\Netscape\Netscape\Netscp.exe" -turbo
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O9 - Extra button: AOL Instant Messenger (SM) (HKLM)
O9 - Extra button: Print Favorites (HKLM)
O9 - Extra 'Tools' menuitem: Print &Favorites... (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/threatinfo/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {C72242D0-3AB5-453D-842C-8A3C9AC0838D} - http://download.sidestep.com/get/k00719/sb027.cab
O16 - DPF: {CAFEEFAC-0014-0001-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_01) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab
Thanks Again
I know little about this, but here is something else I am concerned about. I noticed on my drive numerous files named "spunist" (applications, setup information, MS-DOS batch files, text docs) under windows\$NtUninstall followed by different numbers, and so many of the files appear to be duplicates, but many of the dates are very old with only a few new files in the last 6 months. Just thought it looked weird.
Other weird things I have noticed: my QuickFinder program won't work, and search.exe keeps telling me there is nothing in drive A when I am not searching drive A.
One more thing that was similar to the TDS situation happened recently after installing Netscape: my Opera browser would only show as running in task manager, but I downloaded an updated setup file of Opera and it corrected the problem.
Please let me know what else to look for or to do to figure out what may be going on here. Thanks,
Jim Moore
dvk01
April 3rd, 2004, 03:45 PM
Some of your problems are being caused by the searchcentrix hijacker, so do this:
Run HijackThis, tick these entries listed below and ONLY these entries, double check to make sure, then make sure all browser & email windows are closed and press "fix checked".
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://if.searchcentrix.com/sidecat.jsp?p=98567&appid=21&id=162805681169861
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://if.searchcentrix.com/sidecat.jsp?p=98567&appid=21&id=162805681169861
O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - C:\WINDOWS\bi.dll
O2 - BHO: Recommended Hotfix - {0421701D-CF13-4E70-ADF0-45A953E7CB8B} - (no file)
O2 - BHO: (no name) - {08351227-6472-43BD-8A40-D9221FF1C4CE} - C:\WINDOWS\Downloaded Program Files\SbCIe027.dll
O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-DFF7-EC6BF4D5FA7D} - C:\WINDOWS\gsim.dll
O16 - DPF: {C72242D0-3AB5-453D-842C-8A3C9AC0838D} - http://download.sidestep.com/get/k00719/sb027.cab
And the spuninst and windows\$NtUninstall matters tell me you have M$ auto update working and it has auto-updated you; that is probably where the M$ run-once entries came from.
I'm sure the TDS experts will soon sort out why it won't run, but looking at the virus log I see various viruses that kill antiviruses and anti-trojans if they are active on the computer. I can't see them active in the running processes section, but I think the TDS bods will ask for a few different logs.
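As an added example, not from this thread or from the HijackThis or DiamondCS projects: a small Python parser for HijackThis 1.97 entry lines that diffs Jim's 4/2 and 4/3 logs the way the helpers here did by eye, checks that the entries dvk01 asked to have ticked really disappear after "fix checked", and flags the patterns the thread acted on. The log excerpts are constructed from a few lines of the posts above, and the review heuristics are mine, not HijackThis's.

```python
import re

# Constructed excerpts of the HijackThis logs Jim posted on 4/2 and 4/3 (before
# and after "fix checked") and of dvk01's "tick these" list; a few lines each,
# the full logs are in the posts above.
HJT_APR2 = r"""Logfile of HijackThis v1.97.5
Running processes:
C:\WINDOWS\System32\smss.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://if.searchcentrix.com/sidecat.jsp?p=98567&appid=21&id=162805681169861
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dogpile.com/index.gsp
O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - C:\WINDOWS\bi.dll
O2 - BHO: Recommended Hotfix - {0421701D-CF13-4E70-ADF0-45A953E7CB8B} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O16 - DPF: {C72242D0-3AB5-453D-842C-8A3C9AC0838D} - http://download.sidestep.com/get/k00719/sb027.cab
"""

HJT_APR3 = r"""Logfile of HijackThis v1.97.5
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://if.searchcentrix.com/sidecat.jsp?p=98567&appid=21&id=162805681169861
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dogpile.com/index.gsp
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - C:\WINDOWS\bi.dll
O2 - BHO: Recommended Hotfix - {0421701D-CF13-4E70-ADF0-45A953E7CB8B} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {C72242D0-3AB5-453D-842C-8A3C9AC0838D} - http://download.sidestep.com/get/k00719/sb027.cab
"""

HJT_AFTER_FIX = r"""Logfile of HijackThis v1.97.5
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dogpile.com/index.gsp
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
"""

# The subset of dvk01's "tick these" entries that appears in the excerpts above.
FIX_LIST = r"""R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://if.searchcentrix.com/sidecat.jsp?p=98567&appid=21&id=162805681169861
O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - C:\WINDOWS\bi.dll
O2 - BHO: Recommended Hotfix - {0421701D-CF13-4E70-ADF0-45A953E7CB8B} - (no file)
O16 - DPF: {C72242D0-3AB5-453D-842C-8A3C9AC0838D} - http://download.sidestep.com/get/k00719/sb027.cab
"""

# HJT 1.97 entry lines start with a section code (R0-R3, F0-F3, O1-O23), " - ", detail.
ENTRY_RE = re.compile(r"^(R[0-3]|F[0-3]|O\d{1,2}) - (.+)$")


def parse_hjt(text):
    """Return (section, detail) pairs for every fix-able entry line in an HJT log.
    Header lines and the 'Running processes' paths carry no section code, so they
    are skipped; detail text is whitespace-normalised so reposted logs compare equal."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), " ".join(m.group(2).split())))
    return entries


def diff_hjt(old_text, new_text):
    """Entries present only in the newer log, and entries that disappeared."""
    old, new = set(parse_hjt(old_text)), set(parse_hjt(new_text))
    return sorted(new - old), sorted(old - new)


def unfixed_entries(log_text, fix_list_text):
    """Entries from a 'tick these and fix checked' list still present in a later log."""
    present = set(parse_hjt(log_text))
    return [e for e in parse_hjt(fix_list_text) if e in present]


# Illustrative review heuristics (mine, not HijackThis's), built from what this
# thread's helpers actually acted on or explained; each hit needs a human decision.
def flag_entries(text):
    flags = []
    for section, detail in parse_hjt(text):
        low = detail.lower()
        if section in ("R0", "R1") and "searchcentrix.com" in low:
            flags.append(("searchcentrix hijacker search/start page", section, detail))
        elif section == "O2" and detail.endswith("(no file)"):
            flags.append(("BHO registered but DLL missing", section, detail))
        elif section == "O2" and re.search(r"- c:\\windows\\[^\\]+\.dll$", low):
            flags.append(("BHO DLL dropped directly in the Windows folder", section, detail))
        elif section == "O1":
            flags.append(("hosts-file override, confirm who added it", section, detail))
    return flags
```

The hosts-file flag is deliberately a "confirm" rather than a "remove": as Jooske explains later in the thread, the www.dcsresearch.com entry was placed by TDS itself.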
dvk01
April 3rd, 2004, 04:05 PM
Now I'm not sure of these 2:
C:\cpqdrv\PATCHES\DOS1111.BAT - BAT/RBTG.gen* -> Infected
D:\CPQS\PATCHES\DOS1111.BAT - BAT/RBTG.gen* -> Infected
If RAV says they are infected then they probably are, but I can find nothing except RAV links when searching for that virus/trojan name, but
before fixing, I would like you to see what else is in those folders.
Please navigate to C:\cpqdrv\PATCHES & D:\CPQS\PATCHES and make a list of what files are in there.
Is this a Compaq or HP computer? If not, then the whole cpqdrv & cpqs folders could be dodgy.
Jooske
April 3rd, 2004, 07:59 PM
In your Outlook Express and the Opera mailbox start with deleting emails you won't open anyway as they're no use keeping unless you build a database of infections. Delete them and after in Outlook Express first empty permanently deleted files folder, then go to File > Folder > compress folder , and you probably would like to compress all folders but that takes a while if you never did before. So do it on that deleted items folder only, and you will notice you have more space now and in a next scan at least those infections have gone.
But these are inside the Outlook Express folders and thus would not be the cause to block TDS from appearing.
One warning: Outlook Express has the habit of cleaning out the inbox automatically at a certain time and there is no way to stop it, so best create several folders for different subjects and in the message rules have some emails/senders delivered in those folders, and move a lot yourself manually to those places to keep the inbox content small, so that if Outlook Express starts its unexpected spring cleaning the damage is not too much. Just a warning, as it happens all of a sudden and you just think: why is my OE so slow and not reacting, and why so much HD activity? Then it's too late!
So move those things and fight the spam, delete what you don't need and use that compress option regularly on cleansed folders.
Now back to Derek's HJT advice.
If those suspicious alarms are still there, feel free to submit a copy to submit@diamondcs.com.au so Gavin will be able to tell you if it is nasty or not.
But also please follow Derek's advice and post the content of those folders.
Jim Moore
April 3rd, 2004, 09:29 PM
This is a refurbished Compaq computer, originally loaded with Windows Millennium, and it came with a backup of system info on the D drive from Compaq.
Here is the list under
C:\cpqdrv\PATCHES
DNX application
RM application
324951 GIF Image
211968 MS-Dos Batch File
DOS1111 MS-Dos Batch File
DOS1112 MS-Dos Batch File
DOSTZEN MS-Dos Batch File
DOSDIAG MS-Dos Batch File
DVD Registration Entries
ORIA Registration Entries
CLOSEADD Setup Info
COSEDEL Setup Info
211968 Shortcut to MS-DOS Program
Printed info about DOS1111:
@ECHO OFF
@REM 7/18/2000
REM Deletes the _RESTORE directory, which clears any/all System Restore checkpoints.
deltree /y C:\_restore >nul
And in the backup D drive,
D:\CPQS\PATCHES
has all the same files as those listed above in the C drive plus these few more:
211892 MS-DOS Batch File
211904 MS-DOS Batch File
999999 MS-DOS Batch File
OEMRST Reg Entries
211892 Shortcut to MS-Dos Program
211904 Shortcut to MS-Dos Program
999999 Shortcut to MS-Dos Program
All the files in both drives were last modified in either 1999 or 2000, and most recently the file 211968 in the C drive, way back on 6/7/2001, which is about when I bought this refurbished computer.
I have gotten rid of all the suspicious and infected emails and rerun the RAV Scan:
Scan started at 4/3/2004 5:41:48 PM
Scanning memory...
Scanning boot sectors...
Scanning files...
C:\cpqdrv\PATCHES\DOS1111.BAT - BAT/RBTG.gen* -> Infected
D:\CPQS\PATCHES\DOS1111.BAT - BAT/RBTG.gen* -> Infected
Scanned
============================
***Objects: 48770
***Directories: 5368
***Archives: 2713
***Size(Kb): -248176
***Infected files: 2
Found
============================
***Viruses found: 2
***Suspicious files: 0
***Disinfected files: 0
***Mail files: 2030
I will now do as instructed on the HJT and repost a report after fixing and rebooting.
Thanks Again,
YOU GUYS are Great,
I Hope someone is paying you well!
Jooske
April 3rd, 2004, 09:50 PM
That looks lots cleaner now.
Seems those two files belong there. You can still submit them to Gavin at submit@diamondcs.com.au
Looking forward to your next HJT log now.
All in this forum is teamwork, the members and moderators/admins. The best satisfaction is yet another system cleansed out and secured for a happy use on internet. The virtual applauses and karmacookies taste well! Remember we all learn from each posting again. And we can use some threads in our CV :)
See what google does: type any of our user names in google, you might need to add "security", and you will see us on top of the list, each time again. That's a very good feeling too!
Jim Moore
April 3rd, 2004, 09:56 PM
Oh yes, I do have MS auto update enabled!
Here is the latest HJT report:
Logfile of HijackThis v1.97.5
Scan saved at 6:40:26 PM, on 4/3/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Norton SystemWorks\Norton Speed Disk\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\shpc32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Messenger\msmsgs.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\DOCUME~1\default\LOCALS~1\Temp\Rar$EX08.u10\HijackThis.exe
C:\WINDOWS\system32\regsvr32.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dogpile.com/index.gsp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://charter.msn.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Charter featuring MSN
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [SHPC32] shpc32.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\Netscape\Netscape\Netscp.exe" -turbo
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O9 - Extra button: AOL Instant Messenger (SM) (HKLM)
O9 - Extra button: Print Favorites (HKLM)
O9 - Extra 'Tools' menuitem: Print &Favorites... (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/threatinfo/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {CAFEEFAC-0014-0001-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_01) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab
Hmm, I thought I uninstalled Norton SystemWorks a long time ago, but there it is running:
C:\Program Files\Norton SystemWorks\Norton Speed Disk\nopdb.exe
and it is still listed in my control panel. I guess it did not uninstall after all.
Should I fix this one and any others?
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
It just changed my IE search page somehow.
How about all the new ones from the online virus scans?
I suppose I should figure out how to replace the two infected files I have first:
C:\cpqdrv\PATCHES\DOS1111.BAT - BAT/RBTG.gen* -> Infected
D:\CPQS\PATCHES\DOS1111.BAT - BAT/RBTG.gen* -> Infected
And then I hope to be able to get the TDS-3 working to find out if there is anything worse to deal with.
Jooske
April 3rd, 2004, 10:41 PM
Your log is looking cleaner now, but I leave the fixes to the experts.
The HOSTS file entry was placed by TDS to enable you, once you have it visible on screen, to jump immediately with the F5 button to the TDS forum at the DiamondCS site itself.
The domain name mentioned there no longer belongs to DiamondCS.
puff-m-d
April 3rd, 2004, 10:52 PM
Hi Jim,
Your HJT log is clean now, no problems with it.
I will let someone else advise you as to the infected batch files....
Regards,
Kent
dvk01
April 4th, 2004, 01:09 AM
I would think that the virus alert is a false alarm as what that virus does is exactly what the bat file is supposed to do
the virus wipes the disk sector which is what the bat file is set to do as part of the compaq restore process.
I would do as the others say and zip & send the folder to mailto:submit@diamondcs.com.au just so the experts can check, but I've seen that in other Compaq systems and it has exactly the same files.
Which search page do you want?
Jooske
April 4th, 2004, 05:11 AM
Did I see correctly you have no firewall started?
Oh, and how much RAM do you have?
Could it be that TDS is there but can't show the GUI? Is it still the same or is there better hope now?
Jim Moore
April 4th, 2004, 02:37 PM
I have the Win XP network settings firewall enabled.
I have 640 megs of RAM
Still no change in the TDS showing only running in Taskmanager.
puff-m-d
April 4th, 2004, 02:48 PM
Hi Jim,
This may or may not apply to your situation. Do you have TDS starting at boot? If it is, there has been a problem with that in XP. TDS tries starting before some needed programs are running. If this is your case, kill the TDS process in task manager and then restart it. It should come up. If it does, the workaround for having it start with your system is to change Configuration >> Run At Windows Startup to NO and add a shortcut to TDS in your startup folder......
Like I say, I do not know if this applies to you, but if it does, it is an easy fix.....
Regards,
Kent
Jim Moore
April 4th, 2004, 02:54 PM
Thanks, but no, it does not start at boot.
Jooske
April 4th, 2004, 04:10 PM
From the programs you have running I'm not aware of any which would be conflicting with TDS -- could only suggest to see if there is any program not urgently needed at startup, close that and try again, so one by one, maybe starting with the Norton Speed Disk to name one example, just for a try.
If you see TDS in the TaskManager, how long did you wait for it to appear?
Seconds, minute, more minutes?
For initialising it can take several seconds before you see it appear; you might see some HD activity during its starting, but in a few seconds it would start appearing on screen.
FanJ
April 4th, 2004, 05:27 PM
Hi,
It could very well be that I'm completely wrong here (I don't have XP and don't know anything about it from own experience...):
I was wondering whether Jim's TDS-3 problem could have anything to do with users accounts under XP.
If I remember well, I have seen some postings with advice to run TDS-3 as power-user.
Well, as I said, I could be completely wrong here ( :-[ ).
Maybe Pilli or others with knowledge about this, could jump in here and (if needed ...) correct my wild guess...
Regards, Jan.
Pilli
April 4th, 2004, 05:42 PM
FanJ is quite correct in stating that you have to use the "run as" command for TDS3 when running from a limited user account :)
Right click on the TDS shortcut, properties, Shortcut, advanced, run with different credentials.
Though I do not know if this is applicable in this case :)
Jooske
April 5th, 2004, 03:26 AM
Thanks Jan, forgot about that part. Indeed, TDS installed in the admin account and run as from the user.
It was running but not showing its face yet.
But in the meantime the system is lots cleaner too fortunately :)
dvk01
April 5th, 2004, 07:58 AM
These are the original posts in TSG that started me being concerned
http://forums.techguy.org/t216582.html
I'm still confused about why these files
C:\WINDOWS\System32\schannel.dll 5.1.2600.0
C:\WINDOWS\System32\urlmon.dll 6.0.2736.2300
C:\WINDOWS\System32\actxprxy.dll 6.0.2600.0
C:\WINDOWS\System32\hlink.dll 5.0.0.4513
C:\WINDOWS\System32\oleaut32.dll 3.50.5014.0
were being updated/installed and they aren't the latest versions
I still suspect some sort of trojan, don't know why, but they just don't feel right (I hope I'm wrong).
I would copy & zip those files mentioned above
and send them to submit@diamondcs.com.au
with a note giving both this thread and the TSG thread so Gavin can see what is happening and hopefully he will come up with an answer
FanJ
April 5th, 2004, 12:28 PM
Jim,
I know that you already had a look at the Required System Files for TDS-3.
May I kindly ask you to re-check them:
http://tds.diamondcs.com.au/index.php?page=files
I quote from that site:
PLEASE NOTE - Windows XP users should not need to update any DLL files. In rare cases, check the versions of your tabctl32.ocx, richtx32.ocx and in some cases comdlg32.ocx, these could need updating. These most important files listed first, they will solve a problem where the TDS console does not visibly appear yet is running.
- end quote -
What do you have as version-number for those files?
And what is the full path of them on your system?
Another question:
What is your language version of Windows?
Do you perhaps have a Chinese version installed?
Well, these are only questions to exclude possible causes of your TDS-3 problem...
Regards, Jan.
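FanJ's two questions (which version numbers, and which full paths) can be answered in one go. The script below is an added example written for this thread, not code from DiamondCS or from anyone posting here. It reports the version and path of the three OCX files the DiamondCS page names, looks in both System32 and SysWOW64 (the 32-bit runtime lives in SysWOW64 on 64-bit Windows), and compares each file against a minimum version. The minimum versions in the `$required` table are placeholders, because the thread does not list them; fill them in from the DiamondCS files page.

```powershell
# Added example (not from the thread or from DiamondCS): report version and
# path of the VB6 runtime OCX files that TDS-3 depends on and compare them
# against a minimum version. The minimums below are PLACEHOLDERS; replace
# them with the versions listed at http://tds.diamondcs.com.au/index.php?page=files
$required = @{
    'tabctl32.ocx' = New-Object System.Version(0, 0, 0, 0)   # placeholder
    'richtx32.ocx' = New-Object System.Version(0, 0, 0, 0)   # placeholder
    'comdlg32.ocx' = New-Object System.Version(0, 0, 0, 0)   # placeholder
}

# Directories to search; SysWOW64 only exists on 64-bit Windows.
$searchDirs = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64") |
    Where-Object { Test-Path $_ }

function Get-OcxStatus {
    param(
        [hashtable]$Required,   # file name -> minimum System.Version
        [string[]]$Dirs         # directories to look in
    )
    foreach ($name in $Required.Keys) {
        $found = $false
        foreach ($dir in $Dirs) {
            $path = Join-Path $dir $name
            if (-not (Test-Path $path)) { continue }
            $found = $true
            $vi = (Get-Item $path).VersionInfo
            # Build a comparable version from the numeric parts. The FileVersion
            # string can contain free text, so it is not safe to cast directly.
            $ver = New-Object System.Version(
                $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)
            # A file that is newer than the minimum is fine; only older ones matter.
            if ($ver -ge $Required[$name]) { $status = 'OK (same or newer)' }
            else                           { $status = 'OLDER than required' }
            [pscustomobject]@{
                File     = $name
                Path     = $path
                Version  = $ver
                Required = $Required[$name]
                Status   = $status
            }
        }
        if (-not $found) {
            # A missing runtime file would also explain a console that never appears.
            [pscustomobject]@{
                File     = $name
                Path     = '(not found)'
                Version  = $null
                Required = $Required[$name]
                Status   = 'MISSING'
            }
        }
    }
}

Get-OcxStatus -Required $required -Dirs $searchDirs | Format-Table -AutoSize
```

Run it from a normal PowerShell prompt; no elevation is needed to read version resources. With the real minimums filled in, a file such as Jim's TABCTL32.ocx 6.0.90.43, which is newer than the one DiamondCS lists, shows as "OK (same or newer)", and only files reported as older or missing need the runtime update.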
Jooske
April 5th, 2004, 12:38 PM
The four OCX files and VB6 runtimes, yep; trojan or no trojan, I thought all the time of a system file. The system is lots cleaner, so please recheck all files mentioned on the site, comparing your version with the minimum version required on the site; you might have newer ones.
In the other occasions a system file was the problem too, so I keep hoping it's one of these here too.
Gavin - DiamondCS
April 6th, 2004, 05:08 AM
The BAT virus sounds nasty, please zip a copy of the whole folder up for me, and then I guess you should go to Safe Mode and remove that entire folder.. email the zip to submit@diamondcs.com.au afterwards
Jooske
April 6th, 2004, 05:22 AM
http://www.rav.ro/virus/showvirus.php?v=148
aii!