StopZilla, more?

jk469 · Apr 6, 2009

I *believe* I have StopZilla running (I see SZServer.exe running, and can't kill it), and am unable to remove it. I am also intermittently having other problems with random webpages popping up.

I tried following the general cleanup procedure. SuperAntiSpyware and Malwarebytes Anti-Malware would not run on my computer. I attach the logs for combofix and MGTools.

TimW · Apr 9, 2009

Open notepad and copy and paste the following text in the quote box into the window:

sc stop szserver
sc delete szserver
Click to expand...

Save this as fix.bat
Choose to save as all files.
Doubleclick fix.bat and let the program run.
A small black dos window will flash, this is normal.

Now download The Avenger by Swandog469, and save it to your Desktop.

* Extract avenger.exe from the Zip file and save it to your desktop
* Run avenger.exe by double-clicking on it.
* Do not change any check box options!!
* Copy everything in the Quote box below, and paste it into the Input script here: part of the window:

Files to delete:
c:\winnt\SYSTEM32\jiyayuda.exe
c:\winnt\SYSTEM32\bemubize.exe
c:\winnt\SYSTEM32\kohirovu.exe
c:\winnt\SYSTEM32\visemelu.exe
c:\winnt\SYSTEM32\muwadozi.exe
C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
c:\documents and settings\All Users\Application Data\STOPzilla!
Click to expand...

* Now click the Execute button.
* Click Yes to the prompt to confirm you want to execute.
* Click Yes to the Reboot now? question that will appear when Avenger finishes running.
* Your PC should reboot, if not, reboot it yourself.
* A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Avenger.

jk469 · Apr 12, 2009

Note: since my original post I disables Szserver.exe using services.msc. (STOPzilla Service still appears in services.msc, listed as startup type disabled.) I also manually deleted any files I could that I could identify with STOPzilla.

I ran Avenger as suggested; the log is attached. After looking at the log myself, I manually deledted the STOPzilla! folder.

I ran MGtools; the logs are attached.

Please advise!

TimW · Apr 15, 2009

Good that you caught that.

Now lets just be rid of two things.

If you are still unable to run Combo, we need to use Avenger again:

* Run avenger.exe by double-clicking on it.
* Do not change any check box options!!
* Copy everything in the Quote box below, and paste it into the Input script here: part of the window:

Drivers to delete:
aux
aux1
aux2
aux3
aux4
aux5
aux6
aux7
aux8
aux9

Files to delete:
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}\chrome\content\ffjcext\ffjcext.xul

Registry Keys to delete:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 | aux
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 | aux1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 | aux2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 | aux3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 | aux4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 | aux5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 | aux6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 | aux7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 | aux8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 | aux9
Click to expand...

* Now click the Execute button.
* Click Yes to the prompt to confirm you want to execute.
* Click Yes to the Reboot now? question that will appear when Avenger finishes running.
* Your PC should reboot, if not, reboot it yourself.
* A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Avenger.

jk469 · Apr 17, 2009

(Note: ComboFix *did* run...I never had problems with that...)

I did as you suggested. Here are the logs. Thanks for your continued help!

TimW · Apr 20, 2009

Is ZoneAlarm the full suite including anti-virus protection? (If not you need to install one)>

Your logs are clean...though you need to download and install:
Java Runtime 6.

What issues are you still having?

jk469 · Apr 20, 2009

My only remaining issue is that "STOPzilla Service" still shows up when I run services.msc. (But it is disabled, so I guess this is not a big deal.)

Also, I have already installed Java Runtime 6...why?

Thanks again for your help. I would love to hear about any sites where one can learn the more technical details about protecting Windows.

TimW · Apr 23, 2009

Your last log did not show any Java installed, which is why I asked you to install it.

Look in the services for the stopzilla name...then:

Open notepad and copy and paste the following text in the quote box into the window:

sc stop szserver ---> make sure this is what displays in the services.
sc delete szserver ---> make sure this is what displays in the services.
Save this as fix.bat
Choose to save as all files.
Doubleclick fix.bat and let the program run.
A small black dos window will flash, this is normal.

As long as it is disabled that will suffice, though you should be able to delete it with the above.

If you are not having any other malware problems, it is time to do our final steps:

We recommed you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no real time protection. They are useful as backup scanners. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.

If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)

Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required

"%userprofile%\Desktop\combofix" /u

Notes: The space between the combofix" and the /u, it must be there.

This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.

Delete the C:\combofix folder from combofix (if it exists)

Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.

If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.

Go to add/remove programs and uninstall HijackThis.

You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip

If you are running Vista, Windows XP or Windows ME, do the below:

Refer to the cleaning steps in the READ ME for your Window version and see the steps to Disable System Restore which will flush your Restore Points.

Then reboot and Enable System Restore to create a new clean Restore Point.

After doing the above, you should work thru the below link:

How to Protect yourself from malware!

Click to expand...

Log in or Sign up

StopZilla, more?

jk469 Private E-2

Attached Files:

ComboFix.txt

MGlogs.zip

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

jk469 Private E-2

Attached Files:

avenger.txt

MGlogs.zip

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

jk469 Private E-2

Attached Files:

avenger.txt

MGlogs.zip

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

jk469 Private E-2

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member