2433f433 virus

Posted 6/19/2013 3:54 PM
#95816

TomJVV Valued member

Date Joined Nov 2016
Total Posts: 18
Win XP only starts on CMD mode

I'm running Win XP on an IBM Lenovo T500. I use MS Internet Explorer.

Basically, I had the 2433f virus. I located the files with MBAM and deleted them with DOS.

Now my system starts and I log in with my wallpaper visible and the DOS CMD prompt window only. No icons or system menu etc. After closing the DOS window, I get just my wallpaper and mouse cursor. Oh, CTRL ALT DEL brings up the task menu as always. All my system processes seem to be in there as normal.

I had a virus the other day. In the middle of working, the screen turned white and nothing would work; no menus, no icons etc. The mouse cursor was visible. I powered down manually and restarted. I logged in as usual, but Windows turned white immediately.

First, I tried to boot in safe mode. Windows would not boot. It started to boot, then auto-rebooted while the screen was still blue.

Next, I powered down and logged in as System Administrator. This worked and the computer seemed normal.

I ran an Avast boot scan with a fresh data file and it found several objects. I chose "delete" and the scan finished. Upon reboot the virus was still there.

Next, again logged in as Sys Adm, I ran MBAM (also up to date) and each time it found two files which I instructed it to delete. I rebooted and each time the virus was still there. After several attempts, I figured out that MBAM was not able to delete the files. I got the names and locations and started Windows in safe mode with command prompt. I used DOS to delete the two files.
C:\documents and settings\all users\application data\2433f433
C:\documents and settings\tom\templates\2433f433

I rebooted and logged in as System Admin again. Ran MBAM and the system seemed clear.

I switched user to Tom (that's my normal login) and Win takes a bit long to load, then loads only with my desktop wallpaper and DOS CMD prompt window open. No icons. If I close the window, I still have my wallpaper, but no icons, no system menu etc. Mouse works.

Task manager works with CTRL ALT DEL key combo. Looks like all or most of my processes are in there.

I tried running HijackThis, but my system is running weird because I'm working from the Sys Admin area. You'd think I'd have 100% access and control, but NO. I can't get to any of my normal login files or apps.

Looks like a Windows startup switch of some kind is "stuck".

Any help appreciated

THANKS!

TomJV

UPDATE:

I logged in as Tom (normal login) and got the wallpaper and CMD window.

Next, I used Task Manager to run Regedit. Came up no prob. Made no changes.

Next, I used Task Manager to run Progman.exe. The screen immediately turned white just like the virus was still in there. I shut down manually.
Posted 6/19/2013 4:05 PM
#95817

TomJVV Valued member

Date Joined Nov 2016
Total Posts: 18
SORRY,
THAT'S WINDOWS XP!

TomJV
Posted 6/19/2013 4:31 PM
#95818

TomJVV Valued member

Date Joined Nov 2016
Total Posts: 18
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:56:07 AM, on 6/19/2013
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
C:\WINDOWS\system32\TpShocks.exe
C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe
C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Lenovo\Zoom\TpScrex.exe
C:\Program Files\Lenovo\Drag-to-Disc\DrgToDsc.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\igfxpers.exe
C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\PROGRA~1\THINKV~1\PrdCtr\LPMLCHK.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Lenovo\HOTKEY\TPFNF6R.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\Program Files\Lenovo\Client Security Solution\cssauth.exe
C:\PROGRA~1\THINKV~1\AMSG\amsg.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\Ask.com\Updater\Updater.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\PWMUIAux.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = "C:\Program Files\Outlook Express\msimn.exe"
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll
O2 - BHO: Password Manager Browser Helper Object - {BF468356-BB7E-42D7-9F15-4F3B9BCFCED2} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O2 - BHO: Ask Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll
O3 - Toolbar: Ask Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O4 - HKLM\..\Run: [TVT Scheduler Proxy] C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
O4 - HKLM\..\Run: [TPFNF7] C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe /r
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [RoxioDragToDisc] C:\Program Files\Lenovo\Drag-to-Disc\DrgToDsc.exe
O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [LPManager] C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe
O4 - HKLM\..\Run: [LPMailChecker] C:\PROGRA~1\THINKV~1\PrdCtr\LPMLCHK.exe
O4 - HKLM\..\Run: [LENOVO.TPFNF6R] C:\Program Files\Lenovo\HOTKEY\TPFNF6R.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [FingerPrintSoftware] "C:\Program Files\Lenovo Fingerprint Software\fpapp.exe" \s
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [cssauth] "C:\Program Files\Lenovo\Client Security Solution\cssauth.exe" silent
O4 - HKLM\..\Run: [CreateLMBCShortCut] "C:\Program Files\Lenovo\Mobile Broadband Connect\UserShortcutCreator.exe"
O4 - HKLM\..\Run: [BLOG] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [AMSG] C:\PROGRA~1\THINKV~1\AMSG\amsg.exe
O4 - HKLM\..\Run: [ACWLIcon] C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
O4 - HKLM\..\Run: [ACTray] C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
O4 - HKLM\..\Run: [StatusClient] C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup] C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [ApnUpdater] "C:\Program Files\Ask.com\Updater\Updater.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - Global Startup: Malwarebytes Anti-Malware.lnk = C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: (no name) - {F4F55DC8-0B69-4DFE-BA94-CB677B88B2A3} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O9 - Extra 'Tools' menuitem: Lenovo Password Manager... - {F4F55DC8-0B69-4DFE-BA94-CB677B88B2A3} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Garmin Communicator Plug-In - https://static.garmincdn.com/gcp/ie/4.0.1.0/GarminAxControl_32.CAB
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://oas.support.microsoft.com/ActiveX/MSDcode.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O20 - Winlogon Notify: ATFUS - C:\WINDOWS\system32\FpWinLogonNp.dll
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
O23 - Service: AD Monitor (ADMonitor) - Unknown owner - C:\WINDOWS\system32\ADMonitor.exe
O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe
O23 - Service: AuthenTec Fingerprint Service (ATService) - AuthenTec, Inc. - C:\WINDOWS\system32\AtService.exe
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: Data Transfer Service (dtsvc) - Unknown owner - C:\WINDOWS\system32\DTS.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel(R) Corporation - C:\Program Files\Intel\WiFi\bin\EvtEng.exe
O23 - Service: Fingerprint Server (FingerprintServer) - AuthenTec,Inc - C:\WINDOWS\system32\FpLogonServ.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: Intuit Update Service v4 (IntuitUpdateServiceV4) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Oracle Corporation - C:\Program Files\Java\jre7\bin\jqs.exe
O23 - Service: Lenovo Microphone Mute (LENOVO.MICMUTE) - Lenovo Group Limited - C:\Program Files\LENOVO\HOTKEY\MICMUTE.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Power Manager DBC Service - Unknown owner - C:\Program Files\ThinkPad\Utilities\PWMDBSVC.EXE
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel(R) Corporation - C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
O23 - Service: RoxMediaDB10 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe
O23 - Service: Intel(R) PROSet/Wireless WiFi Service (S24EventMonitor) - Intel(R) Corporation - C:\Program Files\Intel\WiFi\bin\S24EvMon.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: System Update (SUService) - Lenovo Group Limited - c:\program files\lenovo\system update\suservice.exe
O23 - Service: ThinkVantage Registry Monitor Service - Lenovo Group Limited - c:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.exe
O23 - Service: On Screen Display (TPHKSVC) - Lenovo Group Limited - C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe
O23 - Service: TSS Core Service (TSSCoreService) - Lenovo - C:\Program Files\Lenovo\Client Security Solution\tvttcsd.exe
O23 - Service: TVT Backup Protection Service - Unknown owner - C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe
O23 - Service: TVT Backup Service - Lenovo Group Limited - C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - c:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
O23 - Service: TVT Windows Update Monitor (TVT_UpdateMonitor) - Lenovo Group Limited - C:\Program Files\Lenovo\Rescue and Recovery\UpdateMonitor.exe

--
End of file - 10407 bytes
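A HijackThis log like the one above is long, and a responder usually reads it for a handful of things: services whose publisher HijackThis could not identify ("Unknown owner"), Run entries that name an executable without a full path, and DLLs registered as Winlogon notification packages. The script below is an added example written for this thread; it is not the poster's code and not part of HijackThis. It parses the O4, O20 and O23 line formats exactly as they appear in the pasted log, using a constructed sample made of lines copied from that log, and returns the entries a responder would verify by hand (publisher, digital signature, file hash) rather than deciding on its own that anything is malicious.

```python
import re
from dataclasses import dataclass

# Constructed sample: a subset of the O4/O20/O23 lines quoted in the thread's
# HijackThis log, kept verbatim so the regexes are exercised on real formatting.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: ATFUS - C:\WINDOWS\system32\FpWinLogonNp.dll
O23 - Service: AD Monitor (ADMonitor) - Unknown owner - C:\WINDOWS\system32\ADMonitor.exe
O23 - Service: Data Transfer Service (dtsvc) - Unknown owner - C:\WINDOWS\system32\DTS.exe
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: Power Manager DBC Service - Unknown owner - C:\Program Files\ThinkPad\Utilities\PWMDBSVC.EXE
"""


@dataclass
class Entry:
    kind: str    # "O4" (Run key), "O20" (Winlogon Notify) or "O23" (service)
    name: str    # value name, notify package name, or service display name
    owner: str   # publisher as reported by HijackThis (O23 only, else "")
    target: str  # command line or file path


# Line formats as they appear in HijackThis v2.0.2 output (assumption: the
# three forms seen in the thread's log; other O-sections are ignored).
O4_RE = re.compile(r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$')
O20_RE = re.compile(r'^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+)$')
O23_RE = re.compile(r'^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$')


def parse_hjt(text):
    """Return the O4/O20/O23 entries found in a HijackThis log."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if m := O4_RE.match(line):
            entries.append(Entry("O4", f"{m['hive']} {m['name']}", "", m['cmd']))
        elif m := O20_RE.match(line):
            entries.append(Entry("O20", m['name'], "", m['path']))
        elif m := O23_RE.match(line):
            entries.append(Entry("O23", m['name'], m['owner'], m['path']))
    return entries


def first_token(cmd):
    """The executable part of a Run value: quoted path, or text up to the first space."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    return cmd.split(' ', 1)[0]


def triage(entries):
    """Pick out the entries a responder should verify manually.

    Returns (category, name, target) tuples; nothing here is a verdict."""
    findings = []
    for e in entries:
        if e.kind == "O23" and e.owner.lower() == "unknown owner":
            # HijackThis could not attribute the binary: check its signature/hash.
            findings.append(("unsigned-or-unknown-service", e.name, e.target))
        elif e.kind == "O4":
            exe = first_token(e.target)
            if "\\" not in exe and "%" not in exe:
                # Bare file name: Windows resolves it via the search path, so
                # confirm which file on disk is actually being started.
                findings.append(("unqualified-run-entry", e.name, e.target))
        elif e.kind == "O20":
            # Notification packages load into winlogon.exe; always confirm publisher.
            findings.append(("winlogon-notify-dll", e.name, e.target))
    return findings


if __name__ == "__main__":
    for category, name, target in triage(parse_hjt(SAMPLE_LOG)):
        print(f"{category:28} {name:40} {target}")
```

Running it on the sample lists three services with an unknown owner, the `TpShocks` Run entry (a bare `TpShocks.exe`, which the "Running processes" section shows resolving to `C:\WINDOWS\system32\TpShocks.exe`), and the `ATFUS` Winlogon notification DLL. Each of those is a lookup for the responder, not a removal instruction; in this log the flagged paths belong to Lenovo and fingerprint-reader components that simply lack publisher metadata, which is exactly why the verification step is manual.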
Posted 6/19/2013 6:54 PM
#95820

TomJVV Valued member

Date Joined Nov 2016
Total Posts: 18
OMG!

I just logged in as tom (normal login) and the wallpaper and CMD window came up as usual.

Next, I started Task Manager and opened Windows Explorer, thinking I could copy all my docs to a backup drive. AS SOON AS I CLICKED ON WINDOWS EXPLORER, EVERYTHING CAME BACK!

I've never seen anything like it. Obviously, I still have scans to do etc., but she's running.

Go figure . . . If I learn anything, I'll post.

TomJV
Posted 6/19/2013 11:59 PM
#95821

Touch Advanced member

Date Joined Nov 2016
Total Posts: 12976
Hello :smile:

We need to get a comprehensive report of what is present in your system.

Download OTL by OldTimer, saving it to your desktop: http://oldtimer.geekstogo.com/OTL.exe
Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
Select All Users

Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.

When the scan completes, it will open two notepad windows, OTL.Txt and Extras.Txt. These are saved in the same location as OTL.

Post both logs in next reply.

Do not PM me with logfiles. They will be deleted.

