Ezula amongst other problems

Discussion in 'Malware Help (A Specialist Will Reply)' started by PtotheC, Feb 28, 2005.

  1. PtotheC

    PtotheC Private E-2

    hi all,

    I used all of the removal tools in the FAQ to no avail. Every time I turn on my computer, I have two DLL files that install and proceed to download every known spyware to mankind. I get a message that says that Regsvr32 has registered the following two DLL files. I tried to unregister them and delete them, but they came back to life anyways on restart.

    replacesearch.dll
    syssfitb.dll


    After they install, I get a ton of other spyware that piggybacks onto it. HELP!
    I ran hijack this, let me know if you want to see the log

    -Patrick
     
  2. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Make sure you have HijackThis 1.99.1 and follow the guidelines on where to install it and how to post a log as an attachment. This is all covered in the sticky thread NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting

    Now post a HijackThis log as an attachment to your message (Do not post the log inline). All running programs should be closed, including your web browser and e-mail. Please close these before running Hijack This!

    To repeat: Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file. Place it in its own folder, for example C:\Program Files\HJT


    We are very busy here at MajorGeeks.Com; PhilliePhan, Chaslang or myself will check back when time permits!
     
  3. PtotheC

    PtotheC Private E-2

    Attached is my log. THANKS A TON!
     

    Attached Files:

  4. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    First, please exit Spybot S&D TeaTimer as this may block something we attempt to repair.

    Now, Please look in Add or Remove Programs for the following and Uninstall them if found:


    eZula

    SafeGuard Popup Blocker

    STOPzilla!

    Spykiller

    Viewpoint


    Please print out these instructions so that you can operate with All Browser Windows CLOSED.

    Please make sure System Restore is OFF and the Viewing of Hidden Files & Folders is Enabled as per the tutorial.



    Now, look in Task Manager (Ctrl-Alt-Del) for the following running processes and, if you see any of them, try to END them:


    msnavc32.exe

    a65d.exe

    sfita.exe

    windchk32.exe

    mmod.exe


    Now scan with HijackThis and Check the Boxes for the following:

    Make sure All Browser Windows are Closed when you Click FIX.


    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

    O2 - BHO: MSW.cIExplorer - {4B57B77A-B130-4EB8-8CFB-42B880F6D311} - D:\Documents and Settings\All Users\Application Data\msw\MSW.dll

    O4 - HKLM\..\Run: [pfzadyz] c:\windows\system32\pfzadyz.exe
    O4 - HKLM\..\Run: [App32dll] C:\windows\system32\msnavc32.exe lee0105
    O4 - HKLM\..\Run: [popuppers65] C:\WINDOWS\a65d.exe
    O4 - HKLM\..\Run: [SafeGuard Popup Updater (required)] regsvr32 /s C:\WINDOWS\System32\pdfupd.dll
    O4 - HKLM\..\Run: [STOPzilla] C:\Program Files\STOPzilla!\Stopzilla.exe /autostart
    O4 - HKLM\..\Run: [motoin] C:\WINDOWS\mm15201518.Stub.exe
    O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
    O4 - HKCU\..\Run: [sysmonnt] C:\WINDOWS\System32\sysmonnt
    O4 - HKCU\..\Run: [g0sERgZnP] ddejwia.exe
    O4 - HKCU\..\Run: [sf] C:\Program Files\sf\sf.exe
    O4 - HKCU\..\Run: [sfita] C:\WINDOWS\sfita.exe
    O4 - HKCU\..\Run: [okqk] C:\PROGRA~1\COMMON~1\okqk\okqkm.exe
    O4 - HKCU\..\Run: [prutqct] C:\WINDOWS\System32\prutqct.exe

    O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML

    O15 - Trusted Zone: *.media-motor.net
    O15 - Trusted Zone: *.popuppers.com

    O16 - DPF: {001EE746-A1F9-460E-80AD-269E088D6A01} (Infotl Control) - http://site.ebrary.com/support/plugins/ebraryRdr.cab
    O16 - DPF: {27EB254C-C724-43B1-8DD8-F3AC9ED761B2} (Wavexpress Cab Helper) - http://client2.tvtonic.com/Webservice/Public/WXStageInstall/2.6/TVTStage1.cab
    O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
    O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} (WTHoster Class) - http://install.wildtangent.com/bgn/partners/nike/nikefz4/install.cab
    O16 - DPF: {EB623776-492A-42CA-9571-3AA39F58530B} - http://www.alwaysupdatednews.com/install/aun_0008.exe

    O20 - Winlogon Notify: STOPzilla - C:\WINDOWS\SYSTEM32\IS3WLHandler.dll

    O23 - Service: STOPzilla Service (szserver) - Unknown owner - C:\Program Files\Common Files\STOPzilla!\SZServer.exe


    Again, make sure All Browser Windows are Closed when you Click FIX.



    NOW:
    Please boot into Safe Mode with the Viewing of Hidden Files & Folders Enabled and navigate to and DELETE the following if they should remain:


    C:\Program Files\eZula ←–– Delete this whole folder if it exists!

    C:\Program Files\SafeGuard Popup Blocker ←–– Delete this whole folder if it exists!

    C:\Program Files\STOPzilla! ←–– Delete this whole folder if it exists!

    C:\Program Files\SpyKiller ←–– Delete this whole folder if it exists!

    C:\WINDOWS\System32\sysmonnt ←–– Delete this whole folder if it exists!

    C:\Program Files\sf ←–– Delete this whole folder if it exists!

    C:\Program Files\Viewpoint ←–– Delete this whole folder if it exists!

    C:\Program Files\Common Files\STOPzilla!\SZServer.exe ←–– Delete this whole folder if it exists!

    C:\windows\system32\msnavc32.exe

    C:\WINDOWS\a65d.exe

    C:\WINDOWS\sfita.exe

    C:\WINDOWS\System32\windchk32.exe

    D:\Documents and Settings\All Users\Application Data\msw\MSW.dll

    c:\windows\system32\pfzadyz.exe

    C:\WINDOWS\System32\pdfupd.dll

    C:\WINDOWS\mm15201518.Stub.exe

    C:\WINDOWS\System32\prutqct.exe

    okqkm.exe

    C:\WINDOWS\SYSTEM32\IS3WLHandler.dll

    ddejwia.exe ←–– Search for this file and delete when found!



    NEXT:
    Run CCleaner and Spybot S&D and have Spybot fix what it finds.
    Note: Don't forget to update Spybot S&D by selecting "Search For Updates"



    Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.



    Reboot to Normal Windows, scan with HijackThis and attach the new log.
    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now.

    Good Luck! :)
     
  5. PtotheC

    PtotheC Private E-2

    Thanks for the help. I think I got most of the stuff, as my comp has sped up. Attached is my new HijackThis log. Thanks a ton, since this saved me $100 from my campus IT department to fix it.

    -patrick
     

    Attached Files:

  6. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    First:

    Look in Task Manager (Ctrl-Alt-Del) for the following running process and, if you see it, try to END it:


    sixtypopsix.exe



    Now scan with HijackThis and Check the Boxes for the following:

    Make sure All Browser Windows are Closed when you Click FIX.


    O2 - BHO: (no name) - {4B57B77A-B130-4EB8-8CFB-42B880F6D311} - (no file)
    O2 - BHO: (no name) - {E3215F20-3212-11D6-9F8B-00D0B743919D} - (no file)

    O4 - HKLM\..\Run: [180ax] c:\windows\180ax.exe
    O4 - HKLM\..\Run: [sixtysix] C:\WINDOWS\sixtypopsix.exe

    O15 - Trusted Zone: *.media-motor.net
    O15 - Trusted Zone: *.popuppers.com

    O16 - DPF: {001EE746-A1F9-460E-80AD-269E088D6A01} -
    O16 - DPF: {27EB254C-C724-43B1-8DD8-F3AC9ED761B2} -
    O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} -
    O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} -
    O16 - DPF: {EB623776-492A-42CA-9571-3AA39F58530B} -


    Again, make sure All Browser Windows are Closed when you Click FIX.


    Second:

    Copy the contents of the Quote Box below to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file mediafix.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.)


    Double-click on the mediafix.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to merge, click YES!


    Third:

    Copy the contents of the Quote Box below to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file popfix.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.)



    Double-click on the popfix.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to merge, click YES!


    Fourth:


    NOW:
    Please boot into Safe Mode with the Viewing of Hidden Files & Folders Enabled and navigate to and DELETE the following if they should remain:


    C:\WINDOWS\sixtypopsix.exe

    C:\WINDOWS\180ax.exe


    NEXT:
    Run CCleaner



    Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.


    Reboot to Normal Windows, scan with HijackThis and attach the new log.
    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now.

    Good Luck! :)
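As an added illustration (not code from this thread or from the HijackThis project), a small Python parser for fix-list lines of the O2, O4 and O16 shapes bjgarrick lists in his first and second fix posts. It turns them into a post-cleanup checklist: full paths whose absence should be verified after the Safe Mode deletions, bare names that have to be searched for (the ddejwia.exe case), Run-key values to recheck, and BHO entries marked "(no file)", which are registry-only leftovers with nothing on disk. The sample lines are copied from the posts above; the dictionary keys are my own naming.

```python
import re

# Constructed sample: HijackThis lines of the kinds that appear in the fix lists in this thread.
SAMPLE = r"""
O2 - BHO: MSW.cIExplorer - {4B57B77A-B130-4EB8-8CFB-42B880F6D311} - D:\Documents and Settings\All Users\Application Data\msw\MSW.dll
O2 - BHO: (no name) - {E3215F20-3212-11D6-9F8B-00D0B743919D} - (no file)
O4 - HKLM\..\Run: [App32dll] C:\windows\system32\msnavc32.exe lee0105
O4 - HKLM\..\Run: [SafeGuard Popup Updater (required)] regsvr32 /s C:\WINDOWS\System32\pdfupd.dll
O4 - HKCU\..\Run: [g0sERgZnP] ddejwia.exe
O16 - DPF: {EB623776-492A-42CA-9571-3AA39F58530B} - http://www.alwaysupdatednews.com/install/aun_0008.exe
""".strip().splitlines()

CLSID = r"\{[0-9A-Fa-f-]{36}\}"
PATTERNS = {
    "O2": re.compile(rf"^O2 - BHO: (?P<name>.*?) - (?P<clsid>{CLSID}) - (?P<path>.*)$"),
    "O4": re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<value>[^\]]*)\] (?P<cmd>.*)$"),
    "O16": re.compile(rf"^O16 - DPF: (?P<clsid>{CLSID})(?: \((?P<name>[^)]*)\))? -\s*(?P<url>.*)$"),
}
# The executable or library a Run command really launches (so "regsvr32 /s x.dll" yields x.dll).
DRIVE_PATH = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll)\b", re.I)

def target_of(cmd):
    # Returns (target, resolved); a bare filename has no path and must be searched for on disk.
    m = DRIVE_PATH.search(cmd)
    if m:
        return m.group(0), True
    if re.match(r"[A-Za-z]:\\", cmd):
        return cmd.strip(), True
    return cmd.split()[0], False

def triage(lines):
    out = {"files": [], "search": [], "run_values": [], "clsids": [], "orphans": []}
    for line in lines:
        kind = line.split(" - ", 1)[0]
        m = PATTERNS[kind].match(line) if kind in PATTERNS else None
        if not m:
            continue
        d = m.groupdict()
        if kind == "O2":
            out["clsids"].append(d["clsid"])
            if d["path"] == "(no file)":
                out["orphans"].append(d["clsid"])   # registry-only leftover: nothing on disk to delete
            else:
                out["files"].append(d["path"])
        elif kind == "O4":
            out["run_values"].append((d["hive"], d["key"], d["value"]))
            target, resolved = target_of(d["cmd"])
            (out["files"] if resolved else out["search"]).append(target)
        elif kind == "O16":
            out["clsids"].append(d["clsid"])
    return out
```

After the reboot, every entry in `files` should be gone from disk and every `run_values` tuple absent from the Run keys; anything still present is what the next log will show.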
     
  7. PtotheC

    PtotheC Private E-2

    Successful in following all of the outlined directions. Thanks again.

    -patrick

    see attached
     

    Attached Files:

  8. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    First:


    Copy the contents of the Quote Box below to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file bhofix.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.)


    Double-click on the bhofix.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to merge, click YES!


    Second:


    Now scan with HijackThis and Check the Boxes for the following:

    Make sure All Browser Windows are Closed when you Click FIX.

    O2 - BHO: (no name) - {4B57B77A-B130-4EB8-8CFB-42B880F6D311} - (no file)
    O2 - BHO: (no name) - {E3215F20-3212-11D6-9F8B-00D0B743919D} - (no file)

    O16 - DPF: {001EE746-A1F9-460E-80AD-269E088D6A01} -
    O16 - DPF: {27EB254C-C724-43B1-8DD8-F3AC9ED761B2} -
    O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} -
    O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} -
    O16 - DPF: {EB623776-492A-42CA-9571-3AA39F58530B} -


    Again, make sure All Browser Windows are Closed when you Click FIX.


    Third:


    Are you familiar with babson.edu ?




    Also,
    Run CCleaner and Spybot S&D and have Spybot fix what it finds.
    Note: Don't forget to update Spybot S&D by selecting "Search For Updates"

    New updates were released this morning!



    NOW:

    After you complete this, attach a new HJT log. I want to see if the O2 & O16 entries return. I believe the O2 are part of a new infection that does not have a fix yet.
     
  9. PtotheC

    PtotheC Private E-2

    see attached log

    babson.edu is my college

    thanks
    -patrick
     

    Attached Files:

  10. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Log is clean! :)

    Do you use PartyPoker?
     
  11. PtotheC

    PtotheC Private E-2

    Yes, briefly. Is it notoriously filled with spyware?

    -pat
     
  12. TheOldThug

    TheOldThug First Sergeant

    I use Party Poker and I feel it is OK.
     
  13. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Just checking to see if you used it. It's OK; personally I wouldn't have it, but if you use it then it's fine.


    Are you experiencing any further problems?
     
