[Michelle]

I've not heard of Aloha systems specifically, but it's just a "regular" computer with this touchscreen software on it, right?

[Advertisements]

This computer is Windows 2000 with service pack 4

the aloha touch screens are out in the restaurant but they use this (normal Computer) to operate, its all networked and stuff

Im waiting for the aloha guy to call back and let me know if its safe to run all the AdAware programs. This Aloha system Also access's the internet to process credit cards .
I prolly need to becareful cause ther are prolly lots of programs associated with it.

Yea the touch screens are out in the restaurant, we dont actually have any kind of touch screen on this normal computer in the office. but if this computer goes down so does every toch screen in the restaurant

This is kinda scary......

[retrac]

This computer is Windows 2000 with service pack 4

the aloha touch screens are out in the restaurant but they use this (normal Computer) to operate, its all networked and stuff

Im waiting for the aloha guy to call back and let me know if its safe to run all the AdAware programs. This Aloha system Also access's the internet to process credit cards .
I prolly need to becareful cause ther are prolly lots of programs associated with it.

Yea the touch screens are out in the restaurant, we dont actually have any kind of touch screen on this normal computer in the office. but if this computer goes down so does every toch screen in the restaurant

This is kinda scary......

[Michelle]

This is kinda scary......

Yeah, you can say that again lol

[retrac]

i guess im gonna wait for the ALoha guy to call. See what he says?
Cause if something got messed up it could cripple our business for a night or i dont know how long....(There will be no more Internet exploring up here again once this gets fixed...thats fo sure )

Im gonna stay up here after work tonight and uninstall Mcafee(out of date ) and install AVG, maybe a few others.. you be around tonight??
If dude doesnt call me back ,im prolly still gonna try and get rid of anything we know is bad... but definetly leave things alone that i am not sure about..

[Michelle]

I will be around tonight! But, you may want to check with me before getting rid of anything...

[retrac]

Most definetly!!! I will prolly get to start messing with this around 10pm when the restaurant closes....hope that is not to late???

Oh and howdy nieghboor, Im in Arkansas
I use to live in Arlington(right outside Dallas) but had to move back to AR..

Once again Thank you so much !!!!!


Would you happen to know how to get into MSCONFIG on Windows 2000 ??

Edited by retrac, 17 May 2005 - 04:21 PM.

[retrac]

ok i figured out how to get msconfig on here so i was able to stop lots of the unneccesary startup items(24 of em ) GaaaaaLeeey

i also just uninstalled all unneccesary programs from Add/Remove

what would be your first recommendation to get this started ??

im bout to go delete all temp files too.

i currently have AdAwareSE and MS AntiSpy thats it as far as protection and scanning capabilities go. Ive also got McAfee but it is prolly 4 months out of date.....So i think im gonna go get AVG for this computer ??

Any Suggestions

P.S. be back in 15 minutes

well i ran MS antiSpy and it killed about blank (i think Although it keeps trying to set itself as my homepage but MS AntiSpy is keeping it from doing that. )

i hate these Badies

Edited by retrac, 17 May 2005 - 10:21 PM.

[Michelle]

If you're going to run HiJackThis then I need you to re-enable those items in msconfig. No sense in disabling when they aren't needed - we can use HiJackThis to remove them from startup. Plus, I want to see everything

Edited by bananafanafo, 17 May 2005 - 10:37 PM.

[retrac]

OMG !! i think i pissed them off

After runnin MS antispy it removed a browser high jacker and my home page worked again and i watched MS AS block it over & over ANd seem to be doin the job until i uninstalled our out of date Mcafee and installed AVG ,which during the Updating it found a trojanD/L and Horse

All the things i unchecked were ligit im pretty sure i looked them all up and they were software we use to use cept for 1 it was totally blank

So you want me to turn them all back on??? it takes a lil while to reboot this computer

It has 2 hard drives 1 is connected and soley for our Aloha system


Oh and about :Blank is back

Edited by retrac, 17 May 2005 - 10:58 PM.

[Michelle]

About:blank has to do with CoolWebSearch and there are several programs to run in order to get rid of it. I would really like normal startup to be selected in msconfig and I need to see a HiJackThis log.

We will also have to disable MS Anti-Spyware otherwise it will interfere with cleaning.

[retrac]

Logfile of HijackThis v1.99.1
Scan saved at 12:21:02 AM, on 5/18/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Symantec\pcAnywhere\awhost32.exe
C:\WINNT\system32\svchost.exe
C:\ALOHAD~1\ALOHA\BACKOF~1\LICENSE\FSSECS.EXE
C:\WINNT\Explorer.EXE
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Lexmark 4200 Series\lxbmbmgr.exe
C:\Program Files\Lexmark 4200 Series\lxbmbmon.exe
C:\WINNT\winfv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINNT\system32\igfxtray.exe
C:\WINNT\system32\hkcmd.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\xgmyl.dll/sp.html#14044
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\xgmyl.dll/sp.html#14044
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\xgmyl.dll/sp.html#14044
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\xgmyl.dll/sp.html#14044
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\xgmyl.dll/sp.html#14044
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\xgmyl.dll/sp.html#14044
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\xgmyl.dll/sp.html#14044
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {395A0AC4-5AF4-4565-FA3D-6597CE5C75E8} - C:\WINNT\netqw.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_6_2_0.dll
O4 - HKLM\..\Run: [Lexmark 4200 Series] "C:\Program Files\Lexmark 4200 Series\lxbmbmgr.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [winfv.exe] C:\WINNT\winfv.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [Security iGuard] C:\Program Files\Security iGuard\Security iGuard.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [IEXPLORE.EXE] C:\Program Files\Internet Explorer\IEXPLORE.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\system32\hkcmd.exe
O4 - HKLM\..\Run: [FaxCenterServer4_in_1] "C:\Program Files\Lexmark 4200 Series\Fax\fm3032.exe" /s
O4 - Startup: CTI Tray Icon.lnk = C:\Program Files\WinFax\Ctitrayi.exe
O4 - Global Startup: APC UPS Status.lnk = C:\Program Files\APC\APC PowerChute Personal Edition\Display.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Controller.LNK = C:\Program Files\WinFax\WFXCTL32.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z....iTunesSetup.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://bin.mcafee.co...76/mcinsctl.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://C:\TempEI4\EI40_\msxml4.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0BD254E2-8B0C-4C01-BE11-A86733D1EC5E}: NameServer = 206.222.97.82,206.222.97.50
O17 - HKLM\System\CS1\Services\Tcpip\..\{0BD254E2-8B0C-4C01-BE11-A86733D1EC5E}: NameServer = 206.222.97.82,206.222.97.50
O17 - HKLM\System\CS2\Services\Tcpip\..\{0BD254E2-8B0C-4C01-BE11-A86733D1EC5E}: NameServer = 206.222.97.82,206.222.97.50
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: PCANotify - C:\WINNT\SYSTEM32\PCANotify.dll
O23 - Service: Network Security Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINNT\system32\crmy.exe
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: CtlSvr - Aloha Technologies - C:\AlohaDrive\Aloha\bin\Ctlsvr.EXE
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: EdcSvr - Aloha Technologies - C:\AlohaDrive\Aloha\bin\Edcsvr.EXE
O23 - Service: Fastech Security Server (FSSecurityServer) - Ibertech, Inc. - C:\ALOHAD~1\ALOHA\BACKOF~1\LICENSE\FSSECS.EXE
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe



OMG ! AVG is finding tons of trojans ( i Just keep closing the box where it asks me what to do with the file)

im getting scared im afraid something might break and my boss will come into a completly unfunctional Computer system(our entire restaurant thrives on this machine running, Waiters cant ring anything up & the kitchen wont get any print-outs , and our credit card system all work through this computer) I swear if you help me get this fixed i will never let anyone D/L another thing on this computer. And the boss said he would get a laptop for all Internet use!

BLESS YOU!!!!!

you wont be able to keep me from PayPal this time

Edited by retrac, 17 May 2005 - 11:31 PM.

[Michelle]

Ok, let's get this party started



We will deal with about:blank first. Make sure to follow ALL directions exactly I have them below. You will definitely want to print these out (umm if you can lol), if you can't print them, save the instructions in Notepad!

Go to Start > Control Panel > Add/Remove programs and remove the following, if found:

Security iGuard
Party Poker

Exit Add/Remove programs.

Please download the programs listed below, but do not run them yet:

1) About:Buster:
*Download it and extract it to C:/aboutbuster.
*Navigate to the AboutBuster directory and double-click on AboutBuster.exe.
*Click "OK" at the prompt with instructions.
*Click "Update" and then "Check For Update" to begin the update process.
*If any updates exist please download them by clicking "Download Update".
*You should not run the program yet so click "Exit".
2) CleanUp! - Download it and install it.
3) CWShredder - Download it and save it to your desktop.
4) Ad-Aware - Download, install, and update After installing Ad-aware, you will be prompted to update the program and run a full scan. De-select all boxes so that it does not run a scan. Manually run "Ad-Aware SE Personal" and from the main screen Click on "Check for Updates Now".

Set your system to SHOW HIDDEN FILES

1. Go to Start->Run and type "Services.msc" (without quotes) then hit Ok
Scroll down and find the service called:

Network Security Service (or 11Fßä#·ºÄÖ`I)

When you find it, double-click on it. In the next window that opens, click the Stop button, then click on properties and under the General Tab, change the Startup Type to Disabled. Now hit Apply and then Ok.

Run HiJackThis. Click on "None of the above, just start the program". Now, click on the "Config" button (bottom right), then click on "Misc Tools", then click on "Delete an NT Service" a window will pop up. Enter the below item into that field (copy and paste):

11Fßä#·ºÄÖ`I

*NOTE* Make sure there IS a SPACE before the first "1" otherwise it won't work.

Click OK.

It should pull up information about the service, if it ask an "are you sure?" question click YES, when it asks want to reboot now click NO.

Reboot your computer into Safe Mode. You can do this by restarting your computer and continuously tapping F8 until a menu appears. Use your up arrow key to highlight Safe Mode, then hit enter.

Run CWShredder
-Next, click on the: ‘Fix’ button
-Follow the prompts, and press OK

Run AboutBuster and save the logs
*Browse to where you saved AboutBuster and run AboutBuster.exe.
*Click "OK" at the directions Read: Important! prompt.
*Click "Start" and then "OK" to allow AboutBuster to scan for Alternate Data Streams.
*Click "Yes" at the About:Buster prompt to allow it to shutdown explorer.exe.
*Please wait while AboutBuster scans your computer for malicious files. If it asks if you would like to do a second pass, allow it to do so.
*When it has finished, click "Save Log...". Make sure you save it as I will need a copy of it.
Click "Exit" and "Exit" again to exit AboutBuster.

Run CleanUp!
-Make sure it is on Standard Mode
-Click the "CleanUp!" button

Run Ad-Aware
Reconfigure Ad-Aware for Full Scan as per the following instructions:
In the Ad-Aware main window, click on the gear icon at the top of the screen to open the preferences window. In the "General" window, make sure the following options are selected:
1) Automatically save log-file
2) Automatically quarantine objects prior to removal
3) Safe Mode (always request confirmation)

Click the "Scanning" button on the left-hand side and make sure the following options are selected:
1) Scan within archives
2) Scan active processes
3) Scan registry
4) Deep scan registry
4) Scan my IE Favorites for banned URLs
5) Scan my Hosts file

Please also click on "Select drives & folders to scan" and select your hard drive(s). Then click the "Advanced" button on the left-hand side and make sure all the options under "Log-file Detail Level" are selected. Next, click the "Tweak" button on the left-hand side. Click on "Scanning Engine" and make sure the following options are selected:
1) Unload recognized processes & modules during scanning
2) Obtain command line of scanned processes
3) Scan registry for all users instead of current user only

Click on "Cleaning Engine" and make sure the following options are selected:
1) Always try to unload modules before deletion
2) During removal, unload Explorer and IE if necessary
3) Let Windows remove files in use at next reboot
4) Delete quarantined objects after restoring

Finally, click on "Safety Settings" and make sure the following options are selected:
1) Automatically select problematic objects in results lists
2) Write-protect system files after repair (Hosts file, etc)

Click on "Proceed" to save the preferences. Then please click the "Start" button on the bottom left side to begin a scan. Select "Use custom scanning options" and then click "Next". Ad-Aware will then scan for malware. When it is finished, make sure any objects listed in RED are selected and click "Next" to remove the objects.

While still in Safe Mode, Run HiJackThis, place a check next to the following items, if found, and click FIX CHECKED:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\xgmyl.dll/sp.html#14044
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\xgmyl.dll/sp.html#14044
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\xgmyl.dll/sp.html#14044
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\xgmyl.dll/sp.html#14044
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\xgmyl.dll/sp.html#14044
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\xgmyl.dll/sp.html#14044
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\xgmyl.dll/sp.html#14044
R3 - Default URLSearchHook is missing

O2 - BHO: Class - {395A0AC4-5AF4-4565-FA3D-6597CE5C75E8} - C:\WINNT\netqw.dll

O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)

O4 - HKLM\..\Run: [Security iGuard] C:\Program Files\Security iGuard\Security iGuard.exe

O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe

O23 - Service: Network Security Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINNT\system32\crmy.exe

Close HiJack This. (Still in Safe Mode!)

Using Windows Explorer delete these files (in bold), if found:

C:\WINNT\system32\crmy.exe
C:\Program Files\Security iGuard
C:\WINNT\netqw.dll
C:\WINNT\xgmyl.dll
C:\Program Files\PartyPoker

Reboot your computer in normal mode and post your AboutBuster log and a new HiJackThis log. We'll clean up what's left!

Edited by bananafanafo, 18 May 2005 - 01:08 AM.

[retrac]

quick problem .... does PartyPoker Have to go??? the Boss Loves it


Never Mind Ill just take it off

DO these scans check both Hard drives ??? The Aloha guy told me ,once someone got it all off but it was just on the other hard drive so it came back. I think its even possible that the 3 touchscreens might have small hard drives on them..

Edited by retrac, 18 May 2005 - 12:09 AM.

[Michelle]

No you do not have to remove Party Poker I doubt it's on the other hard-drives.

[retrac]

Oh [bleep]!!!!!!! i already did Shoot......they can reinstall i guess

Um Securityiguard was already deleted before you told me too( i had just done it) but maybe i checked 1 of the boxes of MSconfig that made you see it. Its not available for uninstall.

Also this computer has to be available for use around 10 am. Is that gonna be a problem ???