unable to run tds-3 after install

Discussion in 'Trojan Defence Suite' started by Jim Moore, Apr 2, 2004.

  1. Jim Moore

    Jim Moore Guest

I have been unable to successfully run TDS.
I set it up and tried to run it and nothing happens,
except in the Windows Task Manager it shows it as running.
I uninstalled and reinstalled twice with the same results.
I even downloaded the setup file twice to be sure.
Setup goes fine, with no errors, and cues to reboot to complete, and yet the icon to exe the program still seems to do nothing... hmmmmm
     
  2. TheQuest

    TheQuest Registered Member

    Joined:
    Jun 9, 2003
    Posts:
    2,301
    Location:
    Kent. UK by the sea
    Hi, Jim Moore

    Welcome to Wilder's and DCS.

You say it is not running. What do you mean?

Have you any icons showing? Is it in the Program Start list? Is it in C:\Program Files? What OS do you have?

Please give as much information as possible, as the more you give the easier it will be to help you.

    TheQuest :cool:
     
  3. Jim Moore

    Jim Moore Guest

If I open the program from anywhere, the start menu or "C:\Program Files\TDS3\tds-3.exe", nothing appears to happen except that Windows Task Manager shows the TDS application and the process tds-3.exe as running.
I have Windows XP Pro.
I downloaded the TDS3 program from the http://tds.diamondcs.com.au/ site
and I have emailed their support about the problem as well.
    Thanks for any help.
     
  4. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Hi,

    Please see this page
    http://tds.diamondcs.com.au/index.php?page=files

    It should solve your problem
     
  5. Jim Moore

    Jim Moore Guest

Downloaded the runtime update (service pack 5) and checked all the OCX system32 files, and mine are all the same as the ones listed except my TABCTL32.ocx is a newer version, 6.0.90.43.

The Windows Task Manager shows the TDS application and tds-3.exe process running, but
other than that nothing happens when I open it.

    Thanks
     
  6. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
If I can give a little background here

I advised Jim to try TDS because he posted in another forum with a problem, I think it was TSG which is down for maintenance this weekend, so I can't trace the thread

but basically there were strange apparently M$ IE files being installed on a run once basis in the HJT

They look like IE updates but on a search showed as IE 3 versions so I started to suspect a trojan & suggested TDS, which won't start so that makes me even more suspicious
     
  7. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
I've seen this once with another XP user before my own eyes.
First: did you reboot after installing TDS?
The other person had his taskbar locked, so the icon could not be placed there, and I saw TDS running in the Task Manager only.
After unlocking the taskbar and rebooting, TDS showed up normally on that system.
If you get that far, in the configuration select TDS to start up normally and minimize to the systray, so the icon functions as quick launch.

Hope there is no infection responsible here, now the system files including the VB6 runtimes all seem to be up to date......... fingers crossed here!

Jim, if the above doesn't make any positive changes, can you please be so kind as to post the HJT log again over here? Thanks a lot!
     
  8. Jim Moore

    Jim Moore Guest

Thanks for your help guys!

The taskbar is not locked and I did reboot after each installation of TDS. It still only shows as running in Task Manager.

    Here is the original HJT report

    Logfile of HijackThis v1.97.5
    Scan saved at 1:13:25 AM, on 4/2/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\system32\pctspk.exe
    C:\Program Files\Norton SystemWorks\Norton Speed Disk\nopdb.exe
    C:\WINDOWS\System32\svchost.exe
    c:\progra~1\mcafee.com\vso\mcvsescn.exe
    C:\WINDOWS\System32\shpc32.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Messenger\msmsgs.exe
    c:\progra~1\mcafee.com\vso\mcvsftsn.exe
    C:\PROGRA~1\Netscape\Netscape\Netscp.exe
    C:\PROGRAM FILES\WINRAR\WinRAR.exe
    C:\DOCUME~1\default\LOCALS~1\Temp\Rar$EX00.u20\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://if.searchcentrix.com/sidecat.jsp?p=98567&appid=21&id=162805681169861
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dogpile.com/index.gsp
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://charter.msn.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://if.searchcentrix.com/sidecat.jsp?p=98567&appid=21&id=162805681169861
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Charter featuring MSN
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
    O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - C:\WINDOWS\bi.dll
    O2 - BHO: Recommended Hotfix - {0421701D-CF13-4E70-ADF0-45A953E7CB8B} - (no file)
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {08351227-6472-43BD-8A40-D9221FF1C4CE} - C:\WINDOWS\Downloaded Program Files\SbCIe027.dll
    O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-DFF7-EC6BF4D5FA7D} - C:\WINDOWS\gsim.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [SHPC32] shpc32.exe
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
    O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\Netscape\Netscape\Netscp.exe" -turbo
    O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
    O9 - Extra button: AOL Instant Messenger (SM) (HKLM)
    O9 - Extra button: Print Favorites (HKLM)
    O9 - Extra 'Tools' menuitem: Print &Favorites... (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {C72242D0-3AB5-453D-842C-8A3C9AC0838D} - http://download.sidestep.com/get/k00719/sb027.cab
    O16 - DPF: {CAFEEFAC-0014-0001-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_01) -
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab

Also, I have run about 10 different virus scans; only one, RAV Scan, showed I had viruses, but they look like ones that were previously cleaned by the McAfee Online virus scan, these system files:
    C:\cpqdrv\PATCHES\DOS1111.BAT - BAT/RBTG.gen* -> Infected
    D:\CPQS\PATCHES\DOS1111.BAT - BAT/RBTG.gen* -> Infected

And the rest of them I think are old emails I never opened but never deleted. Here is the report of the scan:
    Scan started at 4/2/2004 1:21:50 AM

    Scanning memory...
    Scanning boot sectors...
    Scanning files...
    C:\Program Files\Opera\Mail\MAINback\Inbox.MBS->(part0075:)->(IFRAME0000) - HTML/IFrame_Exploit* -> Infected
    C:\Program Files\Opera\Mail\MAINback\Inbox.MBS->(part0076:My Money.mny.scr) - Win32/Bugbear.A@mm -> Infected
    C:\Program Files\Opera\Mail\MAINback\Inbox.MBS->(part0290:)->(IFRAME0000) - HTML/IFrame_Exploit* -> Infected
    C:\Program Files\Opera\Mail\MAINback\Inbox.MBS->(part0291:image.scr) - Win32/Bugbear.A@mm -> Infected
    C:\Program Files\Opera\Mail\MAINback\Inbox.MBS->(part0542:)->(IFRAME0000) - HTML/IFrame_Exploit* -> Infected
    C:\Program Files\Opera\Mail\MAINback\Trash.MBS->(IFRAME0000) - HTML/IFrame_Exploit* -> Infected
    C:\Program Files\Opera\Mail\MAINback\Trash.MBS->(IFRAME0001) - HTML/IFrame_Exploit* -> Infected
    C:\Program Files\Opera\Mail\MAINback\Trash.MBS->(IFRAME0002) - HTML/IFrame_Exploit* -> Infected
    C:\Program Files\Opera\Mail\MOORETHEMERRIER\Inbox.MBS->(part0075:)->(IFRAME0000) - HTML/IFrame_Exploit* -> Infected
    C:\Program Files\Opera\Mail\MOORETHEMERRIER\Inbox.MBS->(part0076:My Money.mny.scr) - Win32/Bugbear.A@mm -> Infected
    C:\Program Files\Opera\Mail\MOORETHEMERRIER\Inbox.MBS->(part0290:)->(IFRAME0000) - HTML/IFrame_Exploit* -> Infected
    C:\Program Files\Opera\Mail\MOORETHEMERRIER\Inbox.MBS->(part0291:image.scr) - Win32/Bugbear.A@mm -> Infected
    C:\cpqdrv\PATCHES\DOS1111.BAT - BAT/RBTG.gen* -> Infected
    C:\Documents and Settings\default\Application Data\Identities\{DA1AECA8-3C74-400A-922A-B2A1BB127BDC}\Microsoft\Outlook Express\Drafts.dbx->Message.13: ("Jim and Cheryl Moore" [])->(NameExploit*) - MIME/NameExploit* -> Suspicious
    C:\Documents and Settings\default\Application Data\Identities\{DA1AECA8-3C74-400A-922A-B2A1BB127BDC}\Microsoft\Outlook Express\Deleted Items.dbx->Message.2289: (Untitled)->(Invalid#1*) - MIME/Invalid#1 -> Suspicious
    C:\Documents and Settings\default\Application Data\Identities\{DA1AECA8-3C74-400A-922A-B2A1BB127BDC}\Microsoft\Outlook Express\Deleted Items.dbx->Message.2231: ("Auction Travel, Inc." [Auction Travel, Inc.])->(Invalid#1*) - MIME/Invalid#1 -> Suspicious
    C:\Documents and Settings\default\Application Data\Identities\{DA1AECA8-3C74-400A-922A-B2A1BB127BDC}\Microsoft\Outlook Express\Deleted Items.dbx->Message.1670: ("Auction Travel, Inc." [Auction Travel, Inc.])->(Invalid#1*) - MIME/Invalid#1 -> Suspicious
    C:\Documents and Settings\default\Application Data\Identities\{DA1AECA8-3C74-400A-922A-B2A1BB127BDC}\Microsoft\Outlook Express\Deleted Items.dbx->Message.1663: ("Auction Travel, Inc." [Auction Travel, Inc.])->(Invalid#1*) - MIME/Invalid#1 -> Suspicious
    C:\Documents and Settings\default\Application Data\Identities\{DA1AECA8-3C74-400A-922A-B2A1BB127BDC}\Microsoft\Outlook Express\Deleted Items.dbx->Message.1661: ("Auction Travel, Inc." [Auction Travel, Inc.])->(Invalid#1*) - MIME/Invalid#1 -> Suspicious
    C:\Documents and Settings\default\Application Data\Identities\{DA1AECA8-3C74-400A-922A-B2A1BB127BDC}\Microsoft\Outlook Express\Deleted Items.dbx->Message.1650: ("Auction Travel, Inc." [Auction Travel, Inc.])->(Invalid#1*) - MIME/Invalid#1 -> Suspicious
    C:\Documents and Settings\default\Application Data\Identities\{DA1AECA8-3C74-400A-922A-B2A1BB127BDC}\Microsoft\Outlook Express\Deleted Items.dbx->Message.1646: ("Auction Travel, Inc." [Auction Travel, Inc.])->(Invalid#1*) - MIME/Invalid#1 -> Suspicious
    C:\Documents and Settings\default\Application Data\Identities\{DA1AECA8-3C74-400A-922A-B2A1BB127BDC}\Microsoft\Outlook Express\Deleted Items.dbx->Message.1586: ("Auction Travel, Inc." [Auction Travel, Inc.])->(Invalid#1*) - MIME/Invalid#1 -> Suspicious
    C:\Documents and Settings\default\Application Data\Identities\{DA1AECA8-3C74-400A-922A-B2A1BB127BDC}\Microsoft\Outlook Express\Deleted Items.dbx->Message.1578: ("Auction Travel, Inc." [Auction Travel, Inc.])->(Invalid#1*) - MIME/Invalid#1 -> Suspicious
    C:\Documents and Settings\default\Application Data\Identities\{DA1AECA8-3C74-400A-922A-B2A1BB127BDC}\Microsoft\Outlook Express\Deleted Items.dbx->Message.1570: ("Auction Travel, Inc." [Auction Travel, Inc.])->(Invalid#1*) - MIME/Invalid#1 -> Suspicious
    C:\Documents and Settings\default\Application Data\Identities\{DA1AECA8-3C74-400A-922A-B2A1BB127BDC}\Microsoft\Outlook Express\Deleted Items.dbx->Message.1345: ("BizRate.com Weekly Special Offers" [Love Is... Super Savings])->(part0003:)->(Invalid#1*) - MIME/Invalid#1 -> Suspicious
    C:\Documents and Settings\default\Application Data\Identities\{DA1AECA8-3C74-400A-922A-B2A1BB127BDC}\Microsoft\Outlook Express\Deleted Items.dbx->Message.1261: ("Auction Travel, Inc." [Auction Travel, Inc.])->(Invalid#1*) - MIME/Invalid#1 -> Suspicious
    C:\Documents and Settings\default\Application Data\Identities\{DA1AECA8-3C74-400A-922A-B2A1BB127BDC}\Microsoft\Outlook Express\Deleted Items.dbx->Message.973: ("Auction Travel, Inc." [Auction Travel, Inc.])->(Invalid#1*) - MIME/Invalid#1 -> Suspicious
    C:\Documents and Settings\default\Application Data\Identities\{DA1AECA8-3C74-400A-922A-B2A1BB127BDC}\Microsoft\Outlook Express\Deleted Items.dbx->Message.968: ("Auction Travel, Inc." [Auction Travel, Inc.])->(Invalid#1*) - MIME/Invalid#1 -> Suspicious
    C:\Documents and Settings\default\Application Data\Identities\{DA1AECA8-3C74-400A-922A-B2A1BB127BDC}\Microsoft\Outlook Express\Deleted Items.dbx->Message.830: ("Auction Travel, Inc." [Auction Travel, Inc.])->(Invalid#1*) - MIME/Invalid#1 -> Suspicious
    C:\Documents and Settings\default\Application Data\Identities\{DA1AECA8-3C74-400A-922A-B2A1BB127BDC}\Microsoft\Outlook Express\Deleted Items.dbx->Message.642: (Untitled)->(Invalid#1*) - MIME/Invalid#1 -> Suspicious
    C:\Documents and Settings\default\Application Data\Identities\{DA1AECA8-3C74-400A-922A-B2A1BB127BDC}\Microsoft\Outlook Express\Deleted Items.dbx->Message.640: (Untitled)->(Invalid#1*) - MIME/Invalid#1 -> Suspicious
    C:\Documents and Settings\default\Application Data\Identities\{DA1AECA8-3C74-400A-922A-B2A1BB127BDC}\Microsoft\Outlook Express\Deleted Items.dbx->Message.31: (Untitled)->(Invalid#1*) - MIME/Invalid#1 -> Suspicious
    C:\Documents and Settings\default\Application Data\Identities\{DA1AECA8-3C74-400A-922A-B2A1BB127BDC}\Microsoft\Outlook Express\quarantine.dbx->Message.22: (admin@CHARTER.NET [your account bcobehre])->(part0001:message.zip)->message.... - Win32/Mimail.A@mm -> Infected
    C:\Documents and Settings\default\Application Data\Opera\Opera7\Mail\storage\mbox67.mbs->(Invalid#1*) - MIME/Invalid#1 -> Suspicious
    C:\Documents and Settings\default\Application Data\Opera\Opera7\Mail\storage\mbox103.mbs->(Invalid#1*) - MIME/Invalid#1 -> Suspicious
    C:\Documents and Settings\default\Application Data\Opera\Opera7\Mail\storage\mbox139.mbs->(Invalid#1*) - MIME/Invalid#1 -> Suspicious
    C:\Documents and Settings\default\Application Data\Opera\Opera7\Mail\storage\mbox175.mbs->(Invalid#1*) - MIME/Invalid#1 -> Suspicious
    C:\Documents and Settings\default\Application Data\Opera\Opera7\Mail\storage\mbox211.mbs->(Invalid#1*) - MIME/Invalid#1 -> Suspicious
    C:\Documents and Settings\default\Application Data\Opera\Opera7\Mail\storage\mbox246.mbs->(Invalid#1*) - MIME/Invalid#1 -> Suspicious
    C:\Documents and Settings\default\Application Data\Opera\Opera7\Mail\storage\mbox251.mbs->(Invalid#1*) - MIME/Invalid#1 -> Suspicious
    C:\Documents and Settings\CHERYL\Application Data\Opera\Opera7\Mail\storage\mbox1.mbs->(part0051:)->(IFRAME0000) - HTML/IFrame_Exploit* -> Infected
    C:\Documents and Settings\CHERYL\Application Data\Opera\Opera7\Mail\storage\mbox1.mbs->(part0052:00[21].exe) - Win32/Klez.H@mm -> Infected
    C:\Documents and Settings\CHERYL\Application Data\Opera\Opera7\Mail\storage\mbox1.mbs->(part0067:)->(IFRAME0000) - HTML/IFrame_Exploit* -> Infected
    C:\Documents and Settings\CHERYL\Application Data\Opera\Opera7\Mail\storage\mbox1.mbs->(part0068:alt.bat) - Win32/Klez.H@mm -> Infected
    C:\Documents and Settings\CHERYL\Application Data\Opera\Opera7\Mail\storage\mbox3.mbs->(part0015:)->(IFRAME0000) - HTML/IFrame_Exploit* -> Infected
    C:\Documents and Settings\CHERYL\Application Data\Opera\Opera7\Mail\storage\mbox3.mbs->(part0016:2.10.bat) - Win32/Klez.H@mm -> Infected
    D:\CPQS\PATCHES\DOS1111.BAT - BAT/RBTG.gen* -> Infected

    Scanned
    ============================
       Objects: 62972
       Directories: 5358
       Archives: 2785
       Size(Kb): 376101
       Infected files: 21

    Found
    ============================
       Viruses found: 6
       Suspicious files: 26
       Disinfected files: 0
       Mail files: 4269

Finally, here is the newest HJT report, with some new entries since yesterday.

    Logfile of HijackThis v1.97.5
    Scan saved at 11:19:49 AM, on 4/3/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\system32\pctspk.exe
    C:\Program Files\Norton SystemWorks\Norton Speed Disk\nopdb.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\shpc32.exe
    C:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Messenger\msmsgs.exe
    c:\progra~1\mcafee.com\vso\mcvsescn.exe
    c:\progra~1\mcafee.com\vso\mcvsftsn.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\PROGRA~1\Netscape\Netscape\Netscp.exe
    C:\PROGRAM FILES\WINRAR\WinRAR.exe
    C:\DOCUME~1\default\LOCALS~1\Temp\Rar$EX0k.p30\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://if.searchcentrix.com/sidecat.jsp?p=98567&appid=21&id=162805681169861
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dogpile.com/index.gsp
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://charter.msn.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://if.searchcentrix.com/sidecat.jsp?p=98567&appid=21&id=162805681169861
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Charter featuring MSN
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
    O1 - Hosts: 64.91.255.87 www.dcsresearch.com
    O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - C:\WINDOWS\bi.dll
    O2 - BHO: Recommended Hotfix - {0421701D-CF13-4E70-ADF0-45A953E7CB8B} - (no file)
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {08351227-6472-43BD-8A40-D9221FF1C4CE} - C:\WINDOWS\Downloaded Program Files\SbCIe027.dll
    O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-DFF7-EC6BF4D5FA7D} - C:\WINDOWS\gsim.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [SHPC32] shpc32.exe
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
    O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\Netscape\Netscape\Netscp.exe" -turbo
    O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
    O9 - Extra button: AOL Instant Messenger (SM) (HKLM)
    O9 - Extra button: Print Favorites (HKLM)
    O9 - Extra 'Tools' menuitem: Print &Favorites... (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/threatinfo/virusinfo/webscan.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
    O16 - DPF: {C72242D0-3AB5-453D-842C-8A3C9AC0838D} - http://download.sidestep.com/get/k00719/sb027.cab
    O16 - DPF: {CAFEEFAC-0014-0001-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_01) -
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab

    Thanks Again

I know little about this, but here is something else I am concerned about that I noticed on my drive: numerous files named "spuninst" (applications, setup information, MS-DOS batch files, text docs) under windows\$NtUninstall followed by different numbers, and so many of the files appear to be duplicates, but many of the dates are very old with only a few new files in the last 6 months. Just thought it looked weird.

Other weird things that I have noticed: my Quickfinder program won't work, and search.exe keeps telling me there is nothing in drive A when I am not searching drive A.

One more thing that was similar to the TDS situation happened recently after installing Netscape: my Opera browser would only show as running in Task Manager, but I downloaded an updated setup file of Opera and it corrected the problem.

Please let me know what else to look for or to do to figure out what may be going on here. Thanks,
    Jim Moore
     
  9. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    Some of your problems are being caused by the searchcentrix hijacker so do this

    Run hijackthis, tick these entries listed below and ONLY these entries, double check to make sure, then make sure all browser & email windows are closed and press fix checked

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://if.searchcentrix.com/sidecat.jsp?p=98567&appid=21&id=162805681169861
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://if.searchcentrix.com/sidecat.jsp?p=98567&appid=21&id=162805681169861
    O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - C:\WINDOWS\bi.dll
    O2 - BHO: Recommended Hotfix - {0421701D-CF13-4E70-ADF0-45A953E7CB8B} - (no file)
    O2 - BHO: (no name) - {08351227-6472-43BD-8A40-D9221FF1C4CE} - C:\WINDOWS\Downloaded Program Files\SbCIe027.dll
    O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-DFF7-EC6BF4D5FA7D} - C:\WINDOWS\gsim.dll
    O16 - DPF: {C72242D0-3AB5-453D-842C-8A3C9AC0838D} - http://download.sidestep.com/get/k00719/sb027.cab

and the spuninst and windows\$NtUninstall matters tell me you have M$ autoupdate working and it's auto updated you, that is probably where the M$ run once entries came from

I'm sure the TDS experts will soon sort out why it won't run, but looking at the virus log I see various viruses that kill antiviruses and anti trojans if they are active on the computer. I can't see them active in the running processes section, but I think the TDS bods will ask for a few different logs
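A small parser that applies the selection rules behind the "fix checked" list above to HijackThis log lines, as an added example written for this page (not a tool from the thread or from DiamondCS). The rules (entries pointing at the searchcentrix/sidestep hosts, unnamed BHOs loaded from the Windows root or Downloaded Program Files, and a BHO with no file) are my reading of which entries were ticked; the log excerpt is constructed from the log posted earlier in the thread.

```python
"""Flag HijackThis (HJT 1.9x) log entries that match this thread's hijacker indicators."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed excerpt of the HJT 1.97.5 log posted in the thread (not the full log).
SAMPLE_HJT_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://if.searchcentrix.com/sidecat.jsp?p=98567&appid=21&id=162805681169861
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dogpile.com/index.gsp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://charter.msn.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://if.searchcentrix.com/sidecat.jsp?p=98567&appid=21&id=162805681169861
O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - C:\WINDOWS\bi.dll
O2 - BHO: Recommended Hotfix - {0421701D-CF13-4E70-ADF0-45A953E7CB8B} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {08351227-6472-43BD-8A40-D9221FF1C4CE} - C:\WINDOWS\Downloaded Program Files\SbCIe027.dll
O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-DFF7-EC6BF4D5FA7D} - C:\WINDOWS\gsim.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O16 - DPF: {C72242D0-3AB5-453D-842C-8A3C9AC0838D} - http://download.sidestep.com/get/k00719/sb027.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
"""

# Every HJT entry starts with a section tag (R0, R1, O2, O16 ...) followed by " - ".
ENTRY_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.+)$")
# O2 body layout: "BHO: <name> - {CLSID} - <dll path or (no file)>"
BHO_RE = re.compile(r"^BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
# A DLL sitting directly in the Windows root (C:\WINDOWS\x.dll) rather than a vendor folder.
WINROOT_DLL_RE = re.compile(r"^c:\\windows\\[^\\]+\.dll$", re.IGNORECASE)
# Hosts named in the thread as belonging to the searchcentrix/sidestep hijacker.
SUSPECT_HOSTS = ("searchcentrix.com", "download.sidestep.com")


@dataclass
class Entry:
    section: str  # e.g. "O2"
    body: str     # everything after "O2 - "
    raw: str      # the full original line


def parse_log(text: str) -> List[Entry]:
    """Extract the R*/O* entries from an HJT log; process lists and headers are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group("sec"), m.group("body"), line.strip()))
    return entries


def classify(entry: Entry) -> Optional[str]:
    """Return a short reason if the entry matches one of the thread's indicators, else None."""
    low = entry.body.lower()
    if entry.section in ("R0", "R1", "O16") and any(h in low for h in SUSPECT_HOSTS):
        return "points at a known hijacker host"
    if entry.section == "O2":
        m = BHO_RE.match(entry.body)
        if m:
            name, path = m.group("name"), m.group("path")
            if path == "(no file)":
                return "BHO registered but its DLL is missing"
            if name == "(no name)" and (
                WINROOT_DLL_RE.match(path) or "downloaded program files" in path.lower()
            ):
                return "unnamed BHO loaded from Windows root / Downloaded Program Files"
    return None


def flag_entries(text: str) -> List[Tuple[str, str]]:
    """Return (raw line, reason) for every entry a helper would tick for 'fix checked'."""
    flagged = []
    for entry in parse_log(text):
        reason = classify(entry)
        if reason:
            flagged.append((entry.raw, reason))
    return flagged


if __name__ == "__main__":
    for raw, reason in flag_entries(SAMPLE_HJT_LOG):
        print(f"[{reason}] {raw}")
```

Run against the excerpt it reports exactly the seven lines listed for fixing and leaves the Adobe BHO, the Dogpile start page and the Flash DPF alone.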
     
  10. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
Now I'm not sure of these 2:
    C:\cpqdrv\PATCHES\DOS1111.BAT - BAT/RBTG.gen* -> Infected
    D:\CPQS\PATCHES\DOS1111.BAT - BAT/RBTG.gen* -> Infected


If RAV says they're infected then they probably are, but I can find nothing except RAV links when searching for that virus/trojan name, but
before fixing, I would like you to see what else is in those folders.

Please navigate to C:\cpqdrv\PATCHES & D:\CPQS\PATCHES and make a list of what files are in there.

Is this a Compaq or HP computer? If not, then the whole cpqdrv & cpqs folders could be dodgy.
     
  11. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
In your Outlook Express and the Opera mailbox, start with deleting emails you won't open anyway, as they're no use keeping unless you build a database of infections. Delete them, and afterwards in Outlook Express first permanently empty the Deleted Items folder, then go to File > Folder > Compact Folder. You would probably like to compact all folders, but that takes a while if you never did it before, so do it on that Deleted Items folder only, and you will notice you have more space now, and in the next scan at least those infections will have gone.
But these are inside the Outlook Express folders and thus would not be the cause of blocking TDS from appearing.
One warning: Outlook Express has the habit of cleaning out the inbox automatically at a certain time, with no way to stop it, so it is best to create several folders for different subjects, have some emails/senders delivered to those folders via the message rules, and move a lot yourself manually to those places to keep the inbox content small, so that if Outlook Express starts its unexpected spring cleaning the damage is not too great. Just a warning, as it happens all of a sudden and you just think: why is my OE so slow and not reacting, and why so much HD activity? Then it's too late!
So move those things and fight the spam, delete what you don't need, and use that compact option regularly on cleansed folders.

Now back to Derek's HJT advice.
If those suspicious alarms are still there, feel free to submit a copy to submit@diamondcs.com.au so Gavin will be able to tell you if it is nasty or not.
But also please follow Derek's advice and post the content of those folders.
     
  12. Jim Moore

    Jim Moore Guest

This is a refurbished Compaq computer, originally loaded with Windows Millennium, and it came with a back-up of system info on the D drive from Compaq.

Here is the list under
C:\cpqdrv\PATCHES
    DNX application
    RM application
    324951 GIF Image
    211968 MS-Dos Batch File
    DOS1111 MS-Dos Batch File
    DOS1112 MS-Dos Batch File
    DOSTZEN MS-Dos Batch File
    DOSDIAG MS-Dos Batch File
    DVD Registration Entries
    ORIA Registration Entries
    CLOSEADD Setup Info
    COSEDEL Setup Info
    211968 Shortcut to MS-DOS Program

Printed info about DOS1111:

    @ECHO OFF
    @REM 7/18/2000

    REM Deletes the _RESTORE directory, which clears any/all System Restore checkpoints.
    deltree /y C:\_restore >nul

And in the back-up D drive,
D:\CPQS\PATCHES
has all the same files as those listed above in the C drive plus these few more:

    211892 MS-DOS Batch File
    211904 MS-DOS Batch File
    999999 MS-DOS Batch File
    OEMRST Reg Entries
    211892 Shortcut to MS-Dos Program
    211904 Shortcut to MS-Dos Program
    999999 Shortcut to MS-Dos Program

All the files in both drives were last modified in either 1999 or 2000, and most recently the file 211968 in the C drive way back on 6/7/2001, which is about when I bought this refurbished computer.

I have gotten rid of all the suspicious and infected emails and rerun the RAV Scan:

    Scan started at 4/3/2004 5:41:48 PM

    Scanning memory...
    Scanning boot sectors...
    Scanning files...
    C:\cpqdrv\PATCHES\DOS1111.BAT - BAT/RBTG.gen* -> Infected
    D:\CPQS\PATCHES\DOS1111.BAT - BAT/RBTG.gen* -> Infected

    Scanned
    ============================
       Objects: 48770
       Directories: 5368
       Archives: 2713
       Size(Kb): -248176
       Infected files: 2

    Found
    ============================
       Viruses found: 2
       Suspicious files: 0
       Disinfected files: 0
       Mail files: 2030

    I will now do as instructed on the HJT and repost a report after fixing and rebooting.

    Thanks Again,
    YOU GUYS are Great,
    I Hope someone is paying you well!
     
  13. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    That looks lots cleaner now.
    Seems those two files belong there. You can still submit them to Gavin at submit@diamondcs.com.au

    Looking forward to your next HJT log now.

    All in this forum is teamwork, the members and moderators/admins. The best satisfaction is yet another system cleansed out and secured for a happy use on internet. The virtual applauses and karmacookies taste well! Remember we all learn from each posting again. And we can use some threads in our CV :)
    See what google does: type any of our user names in google, you might need to add "security", and you will see us on top of the list, each time again. That's a very good feeling too!
     
  14. Jim Moore

    Jim Moore Guest

Oh yes, I do have MS auto update enabled!

Here is the latest HJT report:

    Logfile of HijackThis v1.97.5
    Scan saved at 6:40:26 PM, on 4/3/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\system32\pctspk.exe
    C:\Program Files\Norton SystemWorks\Norton Speed Disk\nopdb.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\shpc32.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Messenger\msmsgs.exe
    c:\progra~1\mcafee.com\vso\mcvsescn.exe
    c:\progra~1\mcafee.com\vso\mcvsftsn.exe
    C:\DOCUME~1\default\LOCALS~1\Temp\Rar$EX08.u10\HijackThis.exe
    C:\WINDOWS\system32\regsvr32.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dogpile.com/index.gsp
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://charter.msn.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Charter featuring MSN
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
    O1 - Hosts: 64.91.255.87 www.dcsresearch.com
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [SHPC32] shpc32.exe
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
    O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\Netscape\Netscape\Netscp.exe" -turbo
    O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
    O9 - Extra button: AOL Instant Messenger (SM) (HKLM)
    O9 - Extra button: Print Favorites (HKLM)
    O9 - Extra 'Tools' menuitem: Print &Favorites... (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/threatinfo/virusinfo/webscan.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
    O16 - DPF: {CAFEEFAC-0014-0001-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_01) -
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab


    Hmm, I thought I uninstalled Norton SystemWorks a long time ago, but there it is running:
    C:\Program Files\Norton SystemWorks\Norton Speed Disk\nopdb.exe
    and it is still listed in my Control Panel. I guess it did not uninstall after all.

    Should I fix this one and any others?
    O1 - Hosts: 64.91.255.87 www.dcsresearch.com
    It just changed my IE search page somehow.

    How about all the new ones from the online virus searches?

    I suppose I should figure out how to replace the two infected files I have first.

    C:\cpqdrv\PATCHES\DOS1111.BAT - BAT/RBTG.gen* -> Infected
    D:\CPQS\PATCHES\DOS1111.BAT - BAT/RBTG.gen* -> Infected

    And then I hope to be able to get the TDS-3 working to find out if there is anything worse to deal with.
     
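As an added example (not from the thread and not part of HijackThis or the DiamondCS tools): a small Python parser for the HijackThis log layout quoted above that pulls out the O1 hosts-file entries and O4 autostart entries so they can be reviewed; the sample log, the 192.0.2.10 address and the hostname in it are constructed.

```python
import re

# Constructed sample in the HijackThis layout quoted above (values are made up).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.example.com/
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 192.0.2.10 www.example-security-vendor.test
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\Netscape\Netscp.exe" -turbo
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/x.cab
"""

ENTRY_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.*)$")
HOSTS_RE = re.compile(r"^Hosts:\s+(?P<ip>\S+)\s+(?P<host>\S+)")
RUN_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\Run:\s+\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")


def parse_hjt(text):
    """Return (section code, body) for every R*/O* line in an HJT log."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("code"), m.group("body")))
    return entries


def hosts_redirects(entries):
    """O1 entries that map a name to a non-loopback address.

    Such an entry silently redirects that hostname, so each one should be
    checked against who really owns the address (the thread's own O1 line was
    placed by TDS, and the domain it names no longer belongs to DiamondCS).
    """
    flagged = []
    for code, body in entries:
        m = HOSTS_RE.match(body) if code == "O1" else None
        if m and not (m.group("ip").startswith("127.") or m.group("ip") == "::1"):
            flagged.append((m.group("host"), m.group("ip")))
    return flagged


def run_entries(entries):
    """O4 autostart entries as (hive, value name, command line) for review."""
    out = []
    for code, body in entries:
        m = RUN_RE.match(body) if code == "O4" else None
        if m:
            out.append((m.group("hive"), m.group("name"), m.group("cmd")))
    return out
```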
  15. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Your log is looking cleaner now, but I leave the fixes to the experts.
    The HOSTS file entry was placed by TDS to enable you, once you have it visible on screen, to jump immediately with the F5 button to the TDS forum at the DiamondCS site itself.
    The domain name mentioned there no longer belongs to DiamondCS.
     
  16. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    4,451
    Location:
    North Carolina, USA
    Hi Jim,

    Your HJT log is clean now, no problems with it.
    I will let someone else advise you as to the infected batch files....

    Regards,
    Kent
     
  17. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    I would think that the virus alert is a false alarm, as what that virus does is exactly what the bat file is supposed to do.

    The virus wipes the disk sector, which is what the bat file is set to do as part of the Compaq restore process.

    I would do as the others say and zip & send the folder to mailto:submit@diamondcs.com.au just so the experts can check, but I've seen that in other Compaq systems and they have exactly the same files.

    Which search page do you want?
     
  18. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Did I see correctly that you have no firewall started?
    Oh, and how much RAM do you have?
    Could it be that TDS is there but can't show the GUI? Is it still the same, or is there better hope now?
     
  19. Jim Moore

    Jim Moore Guest

    I have the Win XP network settings firewall enabled.
    I have 640 megs of RAM.
    Still no change: TDS shows only as running in Task Manager.
     
  20. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    4,451
    Location:
    North Carolina, USA
    Hi Jim,

    This may or may not apply to your situation. Do you have TDS starting at boot? If so, there has been a problem with that in XP: TDS tries starting before some needed programs are running. If this is your case, kill the TDS process in Task Manager and then restart it. It should come up. If it does, the workaround for having it start with your system is to change Configuration >> Run At Windows Startup to NO and add a shortcut to TDS in your Startup folder...

    Like I say, I do not know if this applies to you, but if it does, it is an easy fix...

    Regards,
    Kent
     
  21. Jim Moore

    Jim Moore Guest

    Thanks, but no, it does not start at boot.
     
  22. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    From the programs you have running I'm not aware of any which would be conflicting with TDS. I could only suggest seeing if there is any program not urgently needed at startup, closing that and trying again, so one by one, maybe starting with Norton Speed Disk to name one example, just for a try.
    If you see TDS in the Task Manager, how long did you wait for it to appear?
    Seconds, a minute, more minutes?
    For initialising it can take several seconds before you see it appear; you might see some HD activity during its starting, but in a few seconds it should start appearing on screen.
     
  23. FanJ

    FanJ Guest

    Hi,

    It could very well be that I'm completely wrong here (I don't have XP and don't know anything about it from my own experience...):

    I was wondering whether Jim's TDS-3 problem could have anything to do with user accounts under XP.
    If I remember well, I have seen some postings with advice to run TDS-3 as a power user.

    Well, as I said, I could be completely wrong here ( :oops: ).
    Maybe Pilli or others with knowledge about this, could jump in here and (if needed ...) correct my wild guess...

    Regards, Jan.
     
  24. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    FanJ is quite correct in stating that you have to use the "run as" command for TDS3 when running from a limited user account :)
    Right click on the TDS shortcut, properties, Shortcut, advanced, run with different credentials.
    Though I do not know if this is applicable in this case :)
     
  25. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Thanks Jan, I forgot about that part. Indeed, TDS installed in the admin account and run as from the user.
    It was running but not showing its face yet.
    But in the meantime the system is a lot cleaner too, fortunately :)
     