I’m running 4.5.523. I’m inundated with viruses that Avast finds…I’ve included a screenshot of my virus chest of some just from like a couple of hours on the pc. I’ve scanned, I’ve run A2, Adaware, Spybot S&D, I have SpywareGuard running. It’s unbelievable how many of these things pop up in one sitting. Is there anything that can be done? Are these false? What can I do. It seems that the more protection I’ve installed on my PC the more warnings I’ve been getting. The SpywareGuard constantly finds things saying it wants to change the registry. And I constantly get this TSL Installer trying to install…it’s wild. Any suggestions would be appreciated.
Thanks,
Seeing the picture, all files except the last one are safe to be deleted.
You must clean your temporary files folder and disable your System restore to avoid reinfection:
Start > Control Panel > System > System restore > Disable
Click Apply
Enable it again
Click Ok
Better is to run an avast boot-time scan (right click on the skin and schedule it)
Not sure what you mean by disable it…then enable it again.
And I clean the Temp folders constantly.
What does the boot-time scan do vs. a regular scan?
Also, how long does a full scan normally take…when I do a full scan on my PC it takes hours. I suppose it depends on how much is on your PC of course.
Thanks,
System Restore: disabling it will delete all files about the previous system state.
After cleaning, enable it again.
You will have full access to disk (no files in use).
Like you said, depends. Some hours seems enough if you ask for a thorough scan.
OK…did a boot time scan. System Restore has been shut off for some time now I noticed. Should that be turned back on? I’ve emptied the virus chest except for these 3 files: saie.exe in the WINDOWS/SYSTEM folder.
I’ve also done a full clean using BeClean and a custom clean getting rid of all the *.tmp etc. files. Still getting some viruses…any more suggestions?
Also, anyone know what that saie.exe is or TSL Installer?
Thanks again,
You mean that even after a boot time scanning you’re infected?
Which files (path and name) and which virus?
You should only enable System Restore again when you are sure you are clean.
Yes…did a boot time scan and still getting virus warnings. Attached a screenshot of the virus chest since the boot time scan. And I’ve deleted some as they’ve been coming in too…like 2.tmp…DE.tmp…etc. Not sure what’s going on.
Thanks,
Before running boot time scanning:
Did you disable the system restore?
Did you empty all your temporary files?
Imw28if
All the .Temp files are safe to delete, and I found some information on saie.exe for you:
" saie.exe
What Is It?
Internet Optimizer - saie.exe
What Does it Do?
Internet Optimizer is an error page hijacker. This is commonly installed by other malware packages like Moneytree. This system is known to download and install additional packages which you don’t want. If you have this then you likely have a number of other things you’ll need to remove."
So I suggest you run Ad-Aware and Spybot to make sure no other spyware/adware is left on your computer.
–lee
Click on the link in my signature and start cleaning your system the proper way.
Well…I’ve run AdAware…Spybot…A2…I have SpywareGuard running…who knows…I’m about to give…
Thanks for all of your help,
You might try searching for help on removing ezula
Have you used HijackThis?
Did you remove the culprit which installed saie.exe?
I don’t know if this is the place to submit this but I dld HijackThis and here’s the log of that. Not sure how to decipher this. Any help would be appreciated. Thanks,
In addition to what is usually suggested, you might want to try… not only disabling System Restore, but also disable Virtual Memory and Hibernation. Reboot and delete the pagefile.sys and hiberfil.sys files and make sure that CWShredder is one of the clean up apps you run. Then schedule a boot scan.
This is what my HijackThis Log Analyzer has to say about it, but also use the online analyzer.
CHECKING HIJACKTHIS, INTERNET EXPLORER, WINDOWS AND SOFTWARE FIREWALL:
You are using the latest version of HijackThis.
You are using the latest version of Internet Explorer.
No software firewall detected. If you are not using a
hardware firewall, it is highly recommended to install one.
THESE ITEMS ARE HARMFULL AND SHOULD BE FIXED/REMOVED :
\windows\system32\lgxmfmj\ifocejh.exe
\windows\system32\ftuksqv\gtedk.exe
\windows\system32\bwaowxpo\ybuk.exe
\windows\system32\dgjldfc\tsddofm.exe
\windows\system32\rrtg\jkxvrxq.exe
\windows\system32\qrmuhru\ulrvcnh.exe
\progra~1\web offer\wo.exe
\progra~1\ezula\mmod.exe
r0 - hkcu\software\microsoft\internet explorer\toolbar,linksfoldername =
r3 - default urlsearchhook is missing
o2 - bho: (no name) - {5a0f6258-51f6-f5f6-9b65-ff81433caddc} - c:\windows\system32\vvgdccid\msnjlhxv.dll
o4 - hklm..\run: [lveqlap] c:\windows\system32\ahqglae\lveqlap.exe
o4 - hklm..\run: [ifocejh] c:\windows\system32\lgxmfmj\ifocejh.exe
o4 - hklm..\run: [kttykue] c:\windows\system32\ibcqpkv\kttykue.exe
o4 - hklm..\run: [vwqmdeao] c:\windows\system32\dycoakdt\vwqmdeao.exe
o4 - hklm..\run: [uebtatsx] c:\windows\system32\onyilpov\uebtatsx.exe
o4 - hklm..\run: [nbikjx] c:\windows\system32\xtalniao\nbikjx.exe
o4 - hklm..\run: [moht] c:\windows\system32\ngfbx\moht.exe
o4 - hklm..\run: [mcpjbn] c:\windows\system32\pryr\mcpjbn.exe
o4 - hklm..\run: [fleaoc] c:\windows\system32\brqkr\fleaoc.exe
o4 - hklm..\run: [ybuk] c:\windows\system32\bwaowxpo\ybuk.exe
o4 - hklm..\run: [tsddofm] c:\windows\system32\dgjldfc\tsddofm.exe
o4 - hklm..\run: [xfri38l] inewseui.exe
o4 - hklm..\run: [ulrvcnh] c:\windows\system32\qrmuhru\ulrvcnh.exe
o4 - hklm..\run: [dvwgvam] c:\windows\system32\fqeeyw\dvwgvam.exe
o4 - hklm..\run: [akqox] c:\windows\system32\gvxph\akqox.exe
o4 - hklm..\run: [kmigau] c:\windows\system32\miraddx\kmigau.exe
o4 - hklm..\run: [ccbld] c:\windows\system32\lquapfbu\ccbld.exe
o4 - hklm..\run: [lmyov] c:\windows\system32\rtfm\lmyov.exe
o4 - hklm..\run: [cusif] c:\windows\system32\cqhlqcbx\cusif.exe
o4 - hklm..\run: [dciotvmx] c:\windows\system32\mkjoujaq\dciotvmx.exe
o4 - hklm..\run: [gtedk] c:\windows\system32\ftuksqv\gtedk.exe
o4 - hklm..\run: [jkxvrxq] c:\windows\system32\rrtg\jkxvrxq.exe
o4 - hklm..\run: [tsl] c:\progra~1\common~1\tsa\tsl.exe
o4 - hkcu..\run: [go0srujqp] saviperf.exe
o4 - hkcu..\run: [tsa] c:\progra~1\common~1\tsa\tsm.exe
o4 - hkcu..\run: [ezwo] c:\progra~1\web offer\wo.exe
o4 - hkcu..\runonce: [web offer] c:\windows\system32\ezsys.exe /uninstpop3 c:\program files\web offer
o4 - global startup: microsoft office shortcut bar.lnk = ?
o16 - dpf: video poker - http://download.games.yahoo.com/games/clients/y/vpt0_x.cab
o16 - dpf: yahoo! blackjack - http://download.games.yahoo.com/games/clients/y/jt0_x.cab
o16 - dpf: yahoo! chinese checkers - http://download.games.yahoo.com/games/clients/y/cct0_x.cab
o16 - dpf: yahoo! dominoes - http://download.games.yahoo.com/games/clients/y/dot2_x.cab
o16 - dpf: yahoo! euchre - http://download.games.yahoo.com/games/clients/y/et1_x.cab
o16 - dpf: yahoo! poker - http://download.games.yahoo.com/games/clients/y/pt0_x.cab
o16 - dpf: yahoo! pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
o16 - dpf: yahoo! trivia - http://download.games.yahoo.com/games/clients/y/tvt0_x.cab
o16 - dpf: {0a5fd7c5-a45c-49fc-adb5-9952547d5715} (creative software autoupdate) - http://www.creative.com/su/ocx/15007/ctsueng.cab
o16 - dpf: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (yinststarter class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
o16 - dpf: {41f17733-b041-4099-a042-b518bb6a408c} - http://a1540.g.akamai.net/7/1540/52/20020713/qtinstall.info.apple.com/samantha/us/win/quicktimeinstaller.exe
o16 - dpf: {4e888414-db8f-11d1-9cd9-00c04f98436a} (microsoft.winrep) - https://webresponse.one.microsoft.com/oas/activex/winrep.cab
o16 - dpf: {7a32634b-029c-4836-a023-528983982a49} - http://fdl.msn.com/public/chat/msnchat42.cab
o16 - dpf: {a17e30c4-a9ba-11d4-8673-60db54c10000} (yahooymailto class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
o16 - dpf: {a1b09066-c95c-4ef6-8dfd-3dd0afe610b6} - http://pak01.pictures.aol.com/ygp/aol/plugin/screensaver/ygppicscreensaver.1.0.2.5.cab
o16 - dpf: {b9191f79-5613-4c76-aa2a-398534bb8999} (yaddbook class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
o16 - dpf: {f6acf75c-c32c-447b-9bef-46b766368d29} (creative software autoupdate support package) - http://www.creative.com/su/ocx/15008/ctpid.cab
THE FOLLOWING ITEMS ARE NOT NEEDED TO LOAD
AT BOOTIME FOR THE SYSTEM TO WORK PROPERLY:
o4 - hklm..\run: [updreg] c:\windows\updreg.exe
o4 - hkcu..\run: [a²] “c:\program files\a2\a2guard.exe”
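Added example, not part of the thread and not the code of any tool mentioned in it: a small triage script for HijackThis O4 (autostart) lines, for readers who want to review such a log themselves. The two heuristics are assumptions drawn from the pattern visible in the log above (a Run value named after an executable sitting in its own subfolder of system32, and Run entries given as a bare file name); the sample lines are constructed.

```python
import re
from pathlib import PureWindowsPath

# HijackThis O4 (autostart) line, e.g.  O4 - HKLM\..\Run: [name] C:\dir\file.exe
# The analyzer output above is lower-cased and prints "hklm..\run", so the
# match is case-insensitive and the first backslash is optional.
O4_RE = re.compile(
    r"^o4\s*-\s*(?P<hive>hklm|hkcu)\\?\.\.\\(?P<key>run\w*):\s*"
    r"\[(?P<name>[^\]]*)\]\s*(?P<cmd>.+)$",
    re.IGNORECASE,
)

def triage_o4(line):
    """Parse one O4 line; return None if it is not an O4 Run entry."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    name = m["name"].lower()
    cmd = m["cmd"].strip()
    exe = re.match(r'"?(.+?\.exe)', cmd, re.IGNORECASE)
    path = PureWindowsPath(exe.group(1) if exe else cmd)
    reasons = []
    # Assumed heuristic 1: bare file name, so the location cannot be reviewed.
    if len(path.parts) == 1:
        reasons.append("no path given")
    # Assumed heuristic 2: <system32>\<folder>\<value name>.exe
    if path.parent.parent.name.lower() == "system32" and path.stem.lower() == name:
        reasons.append("self-named exe in system32 subfolder")
    return {"hive": m["hive"].upper(), "name": name,
            "path": str(path), "reasons": reasons}

def triage_log(text):
    """Return only the O4 entries that matched at least one heuristic."""
    parsed = (triage_o4(l) for l in text.splitlines())
    return [p for p in parsed if p and p["reasons"]]

# Constructed sample lines (not taken from the thread's log).
SAMPLE = r"""
O4 - HKLM\..\Run: [abcdxy] C:\WINDOWS\system32\qwertz\abcdxy.exe
o4 - hklm..\run: [zzexample] zzexample.exe
O4 - HKCU\..\Run: [Updater] "C:\Program Files\Example App\updater.exe" /background
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - C:\example.dll
"""

if __name__ == "__main__":
    for hit in triage_log(SAMPLE):
        print(hit["hive"], hit["name"], hit["path"], hit["reasons"])
```

A hit is only a prompt to check the file by hand; entries with no reasons are not thereby shown to be clean.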