Unable to Remove EZula and Other "Super" Trojan - Help!

[Karl Burrows]

Our Pastor somehow downloaded a program that was able to execute and I have
had the worst time removing it. One is EZula and related programs which
once uninstalled, magically reinstall themselves (and seem to be proud of
it, because they make no bones about showing the programs installing). The
other is a web search toolbar that shows up by the clock taskbar which is
un-named as far as I can tell other than "Search the Web"). One of these or
another program keeps running a exe file that is a random 6-8 letter name.
I can go into Task Manager and stop the service and another will start.

This has been a big headache. I have turned off System Restore, booted in
Sale Mode and run Symantec scan, AdAware, SpyBot, CWSShredder and did an
online Panda scan. Once I think I have beaten it, the pop ups start and
then the program start appearing again. I have Googled until I can't see
anymore.

Unless someone has a suggestion, I will have to reformat and reinstall. Why
in the hell do people do this? Do they realize the true hardship they
create?

 

[Harry Ohrn]

I typed "remove EZula" into google and this was the first hit
http://www.whirlywiryweb.com/removeezula.htm

 

[t.cruise]

http://securityresponse.symantec.com/avcenter/venc/data/adware.ezula.html
--

T.C.
t__cruise@[NoSpam]hotmail.com
Remove [NoSpam] to reply

In memory of my mentor Alex Nichol MVP
http://aumha.org/alex.htm

 

[Karl Burrows]

Yes, tried that one as well. The problem is the ezula file is hiding in
system32 and will not close. It changes each time I go into safe mode and
installs again. There is also a related file called itoptext as well. I
think there is another Trojan that is starting the install process and
recreating the files. Very frustrating!

I typed "remove EZula" into google and this was the first hit
http://www.whirlywiryweb.com/removeezula.htm

 

[Karl Burrows]

That just says use Add/Remove Programs, where a program called itoptext. I
can remove it, but it gets reinstalled again after a reboot. I have already
run Symantec scans in safe mode with system restore turned off and still no
luck.

http://securityresponse.symantec.com/avcenter/venc/data/adware.ezula.html
--

T.C.
t__cruise@[NoSpam]hotmail.com
Remove [NoSpam] to reply

In memory of my mentor Alex Nichol MVP
http://aumha.org/alex.htm

 

[Malke]

That just says use Add/Remove Programs, where a program called
itoptext. I
can remove it, but it gets reinstalled again after a reboot. I have
already run Symantec scans in safe mode with system restore turned off
and still no luck.

Since you have already run most of the first-line antispyware tools, get
the latest version of HijackThis and run it in Safe Mode. Then post
your HJT log to one of the sites I will give you below. Please do not
post your HJT log here. I particularly recommend the AumHa forum, where
you will get the lengthy expert help you will need. Please make sure to
read all posting FAQ's first.

http://www.tomcoyote.com/hjt/ - HijackThis software
http://www.aumha.org/a/hjttutor.htm - HijackThis tutorial by Jim
Eshelman
http://aumha.net - forums
http://spywarewarrior.com/viewforum.php?f=5 - Spyware Warrior HijackThis
forum
http://www.wilderssecurity.com/
http://forums.tomcoyote.org/

Malke

 

[Karl Burrows]

Thanks! Will run it next week when I am at the church and post it.
Hopefully, I will recognize something and the posters can help.

That just says use Add/Remove Programs, where a program called
itoptext. I
can remove it, but it gets reinstalled again after a reboot. I have
already run Symantec scans in safe mode with system restore turned off
and still no luck.

Since you have already run most of the first-line antispyware tools, get
the latest version of HijackThis and run it in Safe Mode. Then post
your HJT log to one of the sites I will give you below. Please do not
post your HJT log here. I particularly recommend the AumHa forum, where
you will get the lengthy expert help you will need. Please make sure to
read all posting FAQ's first.

http://www.tomcoyote.com/hjt/ - HijackThis software
http://www.aumha.org/a/hjttutor.htm - HijackThis tutorial by Jim
Eshelman
http://aumha.net - forums
http://spywarewarrior.com/viewforum.php?f=5 - Spyware Warrior HijackThis
forum
http://www.wilderssecurity.com/
http://forums.tomcoyote.org/

Malke

 

[... et al.]

Our Pastor somehow downloaded a program that was able to execute and I have
had the worst time removing it. One is EZula and related programs which
once uninstalled, magically reinstall themselves (and seem to be proud of
it, because they make no bones about showing the programs installing). The
other is a web search toolbar that shows up by the clock taskbar which is
un-named as far as I can tell other than "Search the Web"). One of these or
another program keeps running a exe file that is a random 6-8 letter name.
I can go into Task Manager and stop the service and another will start.

This has been a big headache. I have turned off System Restore, booted in
Sale Mode and run Symantec scan, AdAware, SpyBot, CWSShredder and did an
online Panda scan. Once I think I have beaten it, the pop ups start and
then the program start appearing again. I have Googled until I can't see
anymore.

What did your pastor /intentionally/ download and install?

Can it be that after you EZula uninstalled, you have something else
autorunning at every boot, that looks benign (not EZula or iTopText) but
that on executing checks to see if the malware is installed and if not
will force-reinstalls EZula. - This benignlooking program will probably
be from were the malware originally came onto your computer as well.
A screensaver, something running in the (lower right) notification area,
or something else running in the background. You will have to find that
original program and uninstall that.

Unless someone has a suggestion, I will have to reformat and reinstall. Why
in the hell do people do this?

Language. What will your pastor say?

Do they realize the true hardship they create?

They count on you giving up and continue runnig your computer with it
installed. They are mammonites.

 

[Karl Burrows]

I'm sure there is something running that is executing EZula. I just can't
figure out what it is that is creating these. I can uninstall the iTopTools
and reboot and about 10 minutes later, I will see a .exe icon in the taskbar
installing EZula and WebSearch. There is nothing in add/remove programs
except the iTopTools.

Our Pastor somehow downloaded a program that was able to execute and I
have
had the worst time removing it. One is EZula and related programs which
once uninstalled, magically reinstall themselves (and seem to be proud of
it, because they make no bones about showing the programs installing).
The
other is a web search toolbar that shows up by the clock taskbar which is
un-named as far as I can tell other than "Search the Web"). One of these
or
another program keeps running a exe file that is a random 6-8 letter name.
I can go into Task Manager and stop the service and another will start.

This has been a big headache. I have turned off System Restore, booted in
Sale Mode and run Symantec scan, AdAware, SpyBot, CWSShredder and did an
online Panda scan. Once I think I have beaten it, the pop ups start and
then the program start appearing again. I have Googled until I can't see
anymore.

What did your pastor /intentionally/ download and install?

Can it be that after you EZula uninstalled, you have something else
autorunning at every boot, that looks benign (not EZula or iTopText) but
that on executing checks to see if the malware is installed and if not
will force-reinstalls EZula. - This benignlooking program will probably
be from were the malware originally came onto your computer as well.
A screensaver, something running in the (lower right) notification area,
or something else running in the background. You will have to find that
original program and uninstall that.

Unless someone has a suggestion, I will have to reformat and reinstall.
Why
in the hell do people do this?

Language. What will your pastor say?

Do they realize the true hardship they create?

They count on you giving up and continue runnig your computer with it
installed. They are mammonites.

 

[Malke]

I'm sure there is something running that is executing EZula. I just
can't
figure out what it is that is creating these. I can uninstall the
iTopTools and reboot and about 10 minutes later, I will see a .exe
icon in the taskbar
installing EZula and WebSearch. There is nothing in add/remove
programs except the iTopTools.

Hi, Karl. Quite a few types of malware will respawn, hide themselves,
and otherwise make themselves difficult to find and remove. That's why
I suggested you try HijackThis and post your log at AumHa.

The only other suggestions I have for you:

1. Take the machine to a professional (not your local equivalent of
BigStoreUSA). The pastor should pay.

2. Back up the data, format the drive, clean install Windows. This step
is almost never necessary with XP, but if the pastor will not pay a
professional to fix the damage he (the pastor) caused, there really
isn't much more to be done.

Good luck,

Malke