#1
eZula ??
Hi all,
I am new to this forum, so I hope I am in the right place to post this message. I am in great need of help in removing the eZula adware. This thing has cost me several days of lost productivity, and it is turning my semi-grey hair into bright silver. Can anyone help? I have tried removing it using the Control Panel / Add or Remove Programs. I tried getting rid of TopText, Web Offer, Stub.exe, eZPopxxx, Isearch, etc., and running the cmd command of -unregserver before deleting files. Nothing I did was able to remove them permanently.
Help!
Tony
#2
|
||||
|
||||
|
should go in the Antivirus Protection forum, just leave it here and it'll be moved
__________________
Miscellaneous Software Viper_SB Developershed E-Support Anyone else play chess? Challenge me
#3
Thread moved to Antivirus Protection from Lounge.
Have you tried Lavasoft's Ad-Aware?
#4
Tried Lavasoft
Thank you. I tried Lavasoft's Ad-Aware, Microsoft's AntiSpyware and a couple of others. They seem to work, but as soon as I bring up Windows Explorer or the Internet browser, the virus reinstalls itself. I was not able to locate this sneaky re-install program. Any suggestions?
Thanks.
Tony
#5
Print out these instructions if you have to, cos if you need to do any of these things you will have to close all internet browser windows.
Complete removal instructions for Ezula are to:
1) Uninstall it from Add/Remove Programs. Reboot the computer.
2) As soon as Windows is rebooted after the uninstall, search for stub.exe and ezstub.exe in Start Menu > Search. Hit CTRL+ALT+DEL if running Windows XP to bring up the Task Manager. Are either of them running? If so, right click on them and end process. Also, just in case, go to Start Menu > Run... > type this:
regsvr32.exe -u stub.exe
then Enter, and
regsvr32.exe -u ezstub.exe
in case they were still registered with your LoadLibrary here. Then delete the files from anywhere they appear on your hard disk (search for them using Start Menu > Search).
3) Search for ezulaboot.dll, and delete it. Then, like before, go to Run and type:
regsvr32.exe -u ezulaboot.dll
and hit Enter.
Ezula should now be completely removed from the system.
Please post back here when you've completely followed those instructions in full, and, if the system still has bugs, download HijackThis and run the scan, and post the log file here for us to check out.
Cheers,
-DJ SpeCtre
#6
DJ SpeCtre,
Thank you. I have done what you suggested. Additionally I have switched to Netscape from IExplorer, turned off the Startup and Recovery feature of My Computer, and now the system appears to be stable and relatively clean. I said 'relatively clean' because occasionally the system still would reboot for no reason, and other times it would place icons on my desktop, or pop up ads. Anyway, I did as you suggested, downloaded HijackThis, and here's the log:

Logfile of HijackThis v1.99.1
Scan saved at 2:11:47 PM, on 03/17/05
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\MI6841~1\MSSQL\binn\sqlservr.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\Program Files\VERITAS\Backup Exec\RANT\beremote.exe
C:\Program Files\Trend Micro\OfficeScan Client\ofcdog.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\3COM\NBX\NBX TAPI Dialer\TAPIDIALER.exe
C:\WINDOWS\explorer.exe
C:\PC Tools\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=374
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by MenuLink, Inc.
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: NBX TAPI Dialer.lnk = C:\Program Files\3COM\NBX\NBX TAPI Dialer\TAPIDIALER.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1_02\bin\npjpi141_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1_02\bin\npjpi141_02.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-beta.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {08D75BB0-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupIniCtrl Class) - http://svr-files/officescan/clientinstall/setupini.cab
O16 - DPF: {08D75BC1-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupCtrl Class) - http://svr-files/officescan/clientinstall/setup.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {5DD00D19-478E-4086-BE54-616723EB8EC8} (MLInstall Control) - http://qa-server2/Menulink256/MLInstall.ocx
O16 - DPF: {5EFE8CB1-D095-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment ObjRemoveCtrl Class) - http://svr-files/officescan/clientinstall/RemoveCtrl.cab
O16 - DPF: {62CEC9E0-3811-4C36-A94E-4F7565DCD23F} (DDSC Class) - http://menulinkportal/backofhouse/Portal/resources/msddsc.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1105060110265
O16 - DPF: {963BE66B-121D-4E6C-BF9F-1A774D9A2E41} (MSN Money Charting) - http://moneycentral.msn.com/cabs/pmupdate2.exe
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab32846.cab
O16 - DPF: {C4847596-972C-11D0-9567-00A0C9273C2A} (Crystal Report Viewer Control) - http://qa-server1/viewer/activeXViewer/activexviewer.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/dim2/default/popcaploader_v6.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = menulink.net
O17 - HKLM\Software\..\Telephony: DomainName = menulink.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = menulink.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = menulink.net
O20 - Winlogon Notify: MS-DOS Emulation - C:\WINDOWS\system32\i8nmli5118.dll
O20 - Winlogon Notify: SMDEn - C:\WINDOWS\system32\mqrd3x40.dll (file missing)
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Backup Exec Remote Agent for Windows Servers (BackupExecAgentAccelerator) - VERITAS Software Corporation - C:\Program Files\VERITAS\Backup Exec\RANT\beremote.exe
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: MenuLinkServer - MenuLink Computer Solutions, Inc. - C:\Program Files\MenuLink\BOANETServer\MenuLinkServer.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Unknown owner - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe

Thank you very much.
Tony
#7
Ok. You still have spyware components from isearch installed on your system. Go to the address below and it will download a removal tool for all isearch applications:
http://toolbar.isearch.com/uninstall/isearch_removal.exe
Don't worry, it's safe, I used it myself on occasion.
Next, Google search Spybot Search & Destroy, and download it, then update it to the latest definitions file, and scan your system. It's free and a great great program. You can also use it to check out BHOs (Browser Helper Objects) on your computer, and it gives you information on what processes run in startup and whether or not they are spyware.
Hopefully you should be clean after this. But one tip, be wary of where you browse. Not saying that you do, but especially if you visit hack/crack/keygen sites, or links to porn, they are the most notorious places for picking up all manner of spyware crap. Good that you've switched to Netscape, but remember that isn't immune from software security holes either.
Best of luck!
-DJ SpeCtre
#8
DJ SpeCtre,
I wish I had talked to you sooner. I had been trying to clean the virus on my own last week, and had deleted some components of Isearch, and because of this, the Toolbar.isearch.com isearch_removal.exe tool does not work. I guess I will have to learn to live with this Isearch or completely reload my PC.
As you suggested, I downloaded SpyBot Search & Destroy and scanned my disks. It found several and was successful in removing all but two - IGetNet and Common hijacker. It identified these two and said it cleaned them. But when I re-run Search & Destroy, these two problems are there once again. They are 'Redirected Host'. Just exactly what sort of harm can they do? And are there any tools that will remove them?
Lastly, on how I think the virus got to my system. On the morning this virus started to infect my system, I had only visited MSN's main site. The date was 3/11/05. If you can access that screen you would see a link to some brokerage house offering free retirement calculation. I paid them a visit, answered a few questions and noticed that some files were downloaded to my system. I was not too alarmed at that point because I thought I could trust them since they are a legit business. About the only things I access nowadays are links from MSN, but I guess that is not necessarily safe.
Tony
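Added example, not part of any post in this thread: a small Python triage of the HijackThis entries posted in #6. A hosts-file entry makes a name resolve to the listed address instead of going through DNS, so the sketch groups the O1 lines by target address, lists O4 autoruns started from outside the usual directories, and collects the O20 Winlogon Notify DLLs. The function name, the sample subset and the "usual directories" list are assumptions made for this example.

```python
import ipaddress
import re

# Constructed sample: a few entries copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O20 - Winlogon Notify: MS-DOS Emulation - C:\WINDOWS\system32\i8nmli5118.dll
O20 - Winlogon Notify: SMDEn - C:\WINDOWS\system32\mqrd3x40.dll (file missing)
"""

ENTRY = re.compile(r"^([OR]\d+) - (.+)$")                 # "<section> - <detail>"
HOSTS = re.compile(r"^Hosts: (\S+)\s+(\S+)$")              # O1: hosts-file line
RUN = re.compile(r"^HK\w+\\\.\.\\Run: \[(.*?)\] (.+)$")    # O4: registry Run value
PATH = re.compile(r'[A-Za-z]:\\[^",]+')                    # first drive-letter path
# Assumption for this example: autoruns outside these directories deserve a look.
USUAL_DIRS = ("c:\\windows\\system32\\", "c:\\program files\\")

def triage(log_text):
    """Return (redirects, odd_autoruns, notify) for manual review."""
    redirects, odd_autoruns, notify = {}, [], []
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue
        section, detail = m.groups()
        if section == "O1" and (h := HOSTS.match(detail)):
            ip, name = h.groups()
            try:
                loopback = ipaddress.ip_address(ip).is_loopback
            except ValueError:
                loopback = False  # malformed address: keep it for review
            if not loopback:
                redirects.setdefault(ip, []).append(name)
        elif section == "O4" and (r := RUN.match(detail)):
            name, command = r.groups()
            p = PATH.search(command)
            if p is None or not p.group().lower().startswith(USUAL_DIRS):
                odd_autoruns.append((name, command))
        elif section == "O20":
            notify.append(detail.split(": ", 1)[-1])
    return redirects, odd_autoruns, notify

if __name__ == "__main__":
    for part in triage(SAMPLE_LOG):
        print(part)
```

On the sample, all three search hostnames map to the same non-loopback address, and the two autoruns it lists are the ones under C:\WINDOWS\isrvs; the output is a review list, not a verdict on any file.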
#9
I have just had Norton AntiVirus find Adware.Ezula; it looks like it is linked to Macromedia. I can't find Ezula or TopText in the uninstall menu, and though Norton recommends deleting it, it fails to do so each time. Then it asks me if I would ignore it in future scans. I have scanned my computer with Spybot, Microsoft AntiSpyware, Ad-Aware and Spy Hunter and none of these have detected it. I have also read that there might be legal implications and that the installing program may no longer work. Should I just let Norton ignore this? (I have found the file that Norton is showing as Adware.Ezula: it is in the Macromedia Shockwave folder under The groovealliance, it is groove.x32. What is it?)
Last edited by Lgt1 : March 31st, 2005 at 10:19 PM. Reason: found file