BullGuard
 HomeLog InRegisterCommunity CalendarSearch the ForumView The Member ListHelp
2433f433 virus
   
BullGuard Antivirus Forum > Virus Removal > Removal Help > 2433f433 virus  
Forum Quick Jump
 
New Topic Post reply to : 2433f433 virus Printable version of : 2433f433 virus
[ << Previous Thread | Next Thread >> ]

TomJVV
New Member


Date Joined Mar 2010
Total Posts : 20
 
   Posted 6/19/2013 6:54 PM (GMT +3)    Quote: 2433f433 virusAlert an admin about: 2433f433 virus
Win XP only starts on CMD mode<!-- google_ad_section_end -->
<!-- google_ad_section_start -->I'm running Win XP on a IBM Lenovo T500. I use MS Internet Explorer.

Basically, I had the 2433f virus.  I located the files with MBAM and deleted them with DOS. 
Now my system starts and I login with my wall paper visible and the DOS CMD prompt window only. No icons or system menu etc. After closing the DOS window, I get just my wall paper and mouse cursor. Oh, CTRL ALT DEL brings up the task menu as always. All my system processes seem to be in there as normal.

I had a virus the other day. In the middle of working, the screen turned white and nothing would work;
no menus, no icons etc. The mouse cursor was visible.
I powered down manually and restarted. I logged in as usual, but Windows turned white immediately.
 
First, I tried to boot in safe mode.  Windows would not boot.  It started to boot, then auto-rebooted while the screen was still blue.

Next, I powered down and logged in as System Administrator. This worked and the computer seemed normal.
I ran an Avast boot scan with a fresh data file and it found several objects.  I chose "delete" and the scan finished.  Upon reboot the virus was still there.
 
Next, again logged in as Sys Adm and I ran MBAM (also up to date) and each time it found two files which I instructed it to delete. I rebooted and each time the virus was still there.  After several attempts, I figured out that MBAM was not able to delete the files. I got the names and locations and started Windows in safe mode with command prompt. I used DOS to delete the two files.
C:\documents and settings\all users\application data\2433f433
C:\documents and settings\tom\templates\2433f433

I rebooted and logged in as System Admin again. Ran MBAM and the system seemed clear.
I switched user to Tom (that's my normal login) and Win takes a bit long to load, then loads only with my desktop wall paper and DOS CMD prompt window open. No icons. If I close the window, I still have my wall paper, but no icons, no system menu etc. Mouse works.
Task manager works with CTRL ALT DEL key combo.  Looks like all or most of my processes are in there.
 
I tried running Hijackthis, but my system is running weird because I'm working from the Sys Admin area.  You'd think I'd have 100% access and control, but NO.  I can't get to any of my normal login files or apps. 
Looks like a windows startup switch of some kind is "stuck". 
Any help Appreciated
THANKS!
TomJV
 
UPDATE:
I logged in as Tom (normal login) and got the wallpaper and CMD window. 
Next, I used TaskManager to run Rededit.  Came up no prob.  Made no changes.
Next, I used TaskManager to run Progman.exe.  The screen immediately turned white just like the virus was still in there.  I shut down manually.
<!-- google_ad_section_end -->

Post Edited (TomJVV) : 6/19/2013 5:54:18 PM GMT

Back to Top
 

TomJVV
New Member


Date Joined Mar 2010
Total Posts : 20
 
   Posted 6/19/2013 7:05 PM (GMT +3)    Quote: 2433f433 virusAlert an admin about: 2433f433 virus
SORRY,
THAT'S WINDOW XP !

TomJV
Back to Top
 

TomJVV
New Member


Date Joined Mar 2010
Total Posts : 20
 
   Posted 6/19/2013 7:31 PM (GMT +3)    Quote: 2433f433 virusAlert an admin about: 2433f433 virus
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:56:07 AM, on 6/19/2013
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
C:\WINDOWS\system32\TpShocks.exe
C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe
C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Lenovo\Zoom\TpScrex.exe
C:\Program Files\Lenovo\Drag-to-Disc\DrgToDsc.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\igfxpers.exe
C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\PROGRA~1\THINKV~1\PrdCtr\LPMLCHK.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Lenovo\HOTKEY\TPFNF6R.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\Program Files\Lenovo\Client Security Solution\cssauth.exe
C:\PROGRA~1\THINKV~1\AMSG\amsg.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\Ask.com\Updater\Updater.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\PWMUIAux.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = "C:\Program Files\Outlook Express\msimn.exe"
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll
O2 - BHO: Password Manager Browser Helper Object - {BF468356-BB7E-42D7-9F15-4F3B9BCFCED2} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O2 - BHO: Ask Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll
O3 - Toolbar: Ask Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O4 - HKLM\..\Run: [TVT Scheduler Proxy] C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
O4 - HKLM\..\Run: [TPFNF7] C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe /r
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [RoxioDragToDisc] C:\Program Files\Lenovo\Drag-to-Disc\DrgToDsc.exe
O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [LPManager] C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe
O4 - HKLM\..\Run: [LPMailChecker] C:\PROGRA~1\THINKV~1\PrdCtr\LPMLCHK.exe
O4 - HKLM\..\Run: [LENOVO.TPFNF6R] C:\Program Files\Lenovo\HOTKEY\TPFNF6R.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [FingerPrintSoftware] "C:\Program Files\Lenovo Fingerprint Software\fpapp.exe" \s
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [cssauth] "C:\Program Files\Lenovo\Client Security Solution\cssauth.exe" silent
O4 - HKLM\..\Run: [CreateLMBCShortCut] "C:\Program Files\Lenovo\Mobile Broadband Connect\UserShortcutCreator.exe"
O4 - HKLM\..\Run: [BLOG] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [AMSG] C:\PROGRA~1\THINKV~1\AMSG\amsg.exe
O4 - HKLM\..\Run: [ACWLIcon] C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
O4 - HKLM\..\Run: [ACTray] C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
O4 - HKLM\..\Run: [StatusClient] C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup] C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [ApnUpdater] "C:\Program Files\Ask.com\Updater\Updater.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - Global Startup: Malwarebytes Anti-Malware.lnk = C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: (no name) - {F4F55DC8-0B69-4DFE-BA94-CB677B88B2A3} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O9 - Extra 'Tools' menuitem: Lenovo Password Manager... - {F4F55DC8-0B69-4DFE-BA94-CB677B88B2A3} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Garmin Communicator Plug-In - https://static.garmincdn.com/gcp/ie/4.0.1.0/GarminAxControl_32.CAB
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://oas.support.microsoft.com/ActiveX/MSDcode.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O20 - Winlogon Notify: ATFUS - C:\WINDOWS\system32\FpWinLogonNp.dll
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
O23 - Service: AD Monitor (ADMonitor) - Unknown owner - C:\WINDOWS\system32\ADMonitor.exe
O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe
O23 - Service: AuthenTec Fingerprint Service (ATService) - AuthenTec, Inc. - C:\WINDOWS\system32\AtService.exe
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: Data Transfer Service (dtsvc) - Unknown owner - C:\WINDOWS\system32\DTS.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel(R) Corporation - C:\Program Files\Intel\WiFi\bin\EvtEng.exe
O23 - Service: Fingerprint Server (FingerprintServer) - AuthenTec,Inc - C:\WINDOWS\system32\FpLogonServ.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: Intuit Update Service v4 (IntuitUpdateServiceV4) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Oracle Corporation - C:\Program Files\Java\jre7\bin\jqs.exe
O23 - Service: Lenovo Microphone Mute (LENOVO.MICMUTE) - Lenovo Group Limited - C:\Program Files\LENOVO\HOTKEY\MICMUTE.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Power Manager DBC Service - Unknown owner - C:\Program Files\ThinkPad\Utilities\PWMDBSVC.EXE
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel(R) Corporation - C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
O23 - Service: RoxMediaDB10 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe
O23 - Service: Intel(R) PROSet/Wireless WiFi Service (S24EventMonitor) - Intel(R) Corporation - C:\Program Files\Intel\WiFi\bin\S24EvMon.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: System Update (SUService) - Lenovo Group Limited - c:\program files\lenovo\system update\suservice.exe
O23 - Service: ThinkVantage Registry Monitor Service - Lenovo Group Limited - c:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.exe
O23 - Service: On Screen Display (TPHKSVC) - Lenovo Group Limited - C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe
O23 - Service: TSS Core Service (TSSCoreService) - Lenovo - C:\Program Files\Lenovo\Client Security Solution\tvttcsd.exe
O23 - Service: TVT Backup Protection Service - Unknown owner - C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe
O23 - Service: TVT Backup Service - Lenovo Group Limited - C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - c:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
O23 - Service: TVT Windows Update Monitor (TVT_UpdateMonitor) - Lenovo Group Limited - C:\Program Files\Lenovo\Rescue and Recovery\UpdateMonitor.exe

--
End of file - 10407 bytes
Back to Top
 

TomJVV
New Member


Date Joined Mar 2010
Total Posts : 20
 
   Posted 6/19/2013 9:54 PM (GMT +3)    Quote: 2433f433 virusAlert an admin about: 2433f433 virus
OMG!
I just logged in as tom (normal login) and the wallpaper and CMD window came up as usual.
Next, I started taskmanager and opened Windows explorer, thinking I could copy all my docs to a backup drive.  AS SOON AS I CLICKED ON WINDOWS EXPLORER, EVERYTHING CAME BACK!
I've never seen anything like it.  Obviously, I still have scans to do etc., but she's running.
Go figure . . .   If I learn anything, I'll post.
TomJV
Back to Top
 

Touch
Forum Moderator




Date Joined Jun 2004
Total Posts : 12975
 
   Posted 6/20/2013 2:59 AM (GMT +3)    Quote: 2433f433 virusAlert an admin about: 2433f433 virus
Hello           smile
 
 
 
 
 
We need to get a comprehensive report of what is present in your system.

Download OTL by OldTimer, saving it to your desktop: http://oldtimer.geekstogo.com/OTL.exe
Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
Select  All Users

Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.

When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
 

Post both logs in next reply.
 


Please read:  Forum Rules
Click here:   Before-posting-a-log
 
Do not PM me with logfiles. They will be deleted. 

 

Back to Top
 
New Topic Post reply to : 2433f433 virus Printable version of : 2433f433 virus
 
Forum Information
Currently it is Wednesday, September 03, 2014 12:29 AM (GMT +3)
There are a total of 60,587 posts in 13,315 threads.
In the last 3 days there were 3 new threads and 4 reply posts. View Active Threads
Who's Online
This forum has 36306 registered members. Please welcome our newest member, bcbjork.
2 Guest(s), 0 Registered Member(s) are currently online.  Details
5 Latest Threads
Slow Performance Since Installing Bullguard (0)9/2/2014 8:24:31 PM (bcbjork)
BullGuard2014 Quarantine BUG (0)9/2/2014 5:40:39 PM (ztlol1314)
Bullguard Backup: 3 GB of files are "missing" but freespace calcuation seems to think they (3)8/31/2014 11:20:08 PM (Robert Mateescu)
Blocking of sites (5)8/31/2014 6:53:45 PM (Robert Mateescu)