I have been having a minor problem with my computer for a few months now. Whenever I have Norton Antivirus 2005 scan my computer, it does not find any viruses, but it says that it finds Adware.Ezula. I have tried all of the programs you have listed for anti-spyware, and they have been unable to find it and remove it. And when I try to manually remove the file, it automatically reappears. Here are the details from the Norton log:
Source: C:\WINDOWS\iLookup\TTIL.exe
Description: The file C:\WINDOWS\iLookup\TTIL.exe is a Adware threat.
Click for more information about this threat : Adware.Ezula
Here's my HJT Log:
Logfile of HijackThis v1.99.1
Scan saved at 6:16:23 PM, on 3/11/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\mgabg.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\regsvc.exe
C:\WINDOWS\system32\MSTask.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\cidaemon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Atomic Clock Sync\Atomic.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dsl.sbc.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://dsl.sbc.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = socks=proxy.cjb.net:1080
R3 - URLSearchHook: (no name) - {687C7EE8-4D54-11D7-9B69-0050DABF55DD} - (no file)
O1 - Hosts: 216.201.182.27 directory.thepalace.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O2 - BHO: (no name) - {42132494-F48F-4187-ABC8-0F343AD2E465} - C:\WINDOWS\system32\pbshmd.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Atomic.exe] C:\Program Files\Atomic Clock Sync\Atomic.exe
O4 - HKLM\..\RunServices: [WinVNC] "C:\PROGRAM FILES\ORL\VNC\WINVNC.EXE" -service
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\SHDOCVW.DLL
O13 - WWW. Prefix: http://
O15 - Trusted Zone: http://www.democrats.org
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - https://a248.e.akamai.net/7/248/11498/v1/ww...qt/qtplugin.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) -
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.s...sa/LSSupCtl.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) -
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {7795EFE1-112A-11D4-B89A-00105A17A30A} (AffinityGui.Application) -
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/.../GrooveAX28.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Plug-in 1.4.1_02) -
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} (Toolbar Reg Sniff Activate) - http://toolbar.googl...gleActivate.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) -
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...sa/SymAData.cab
O16 - DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} (AxisMediaControlEmb Class) - http://216.8.159.20/activex/AMC.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/ac.../ActiveData.cab
O16 - DPF: {F743C0A6-863B-474E-B22D-88A106040145} (AffinityGui.Application) -
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: MGABGEXE - Matrox Graphics Inc. - C:\WINDOWS\system32\mgabg.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
I hope you can tell me whether this is a real threat, a false alarm, or if there are any other malware on my computer. Thanks!
Cannot remove spyware
Started by rodriguez6670, Mar 11 2006 11:24 PM
Posted 12 March 2006 - 09:48 AM
Hi rodriguez6670, Welcome To The Forum
There is obviously a problem if you are removing the file and it keeps coming back, but I'm not sure if that is an Ezula entry. Ezula should add itself to the Add/Remove screen as TopText, and the folder is in Program Files. They do make a program called ILookup, but I wasn't aware of them installing into the Windows folder, and there was another marketing company that used that name (Aztec Marketing SA), but there are no signs of that in your log. (I do have some uninstall files for the Aztec Marketing I-Lookup, but there are many different variants, so I will post them if the problems continue.)
First check your Add/Remove Programs screen (Start Menu > Control Panel > Add or Remove Programs) and check for Ezula or TopText; press Remove if found.
Next go to Program Files (Start Menu > My Computer > C:\ Drive > Program Files) and check for a folder called Ezula. If you find it, open the folder and look for the uninstall file, which will be called UNWISE. If found, double-click it to start the removal.
You do have a few entries in your log which can be removed to clean up, and also one adware program (PBar/4Arcade related).
Run HijackThis and choose Do a system scan, then place checks next to these entries:
R3 - URLSearchHook: (no name) - {687C7EE8-4D54-11D7-9B69-0050DABF55DD} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O2 - BHO: (no name) - {42132494-F48F-4187-ABC8-0F343AD2E465} - C:\WINDOWS\system32\pbshmd.dll
O13 - WWW. Prefix: http://
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) -
O16 - DPF: {7795EFE1-112A-11D4-B89A-00105A17A30A} (AffinityGui.Application) -
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Plug-in 1.4.1_02) -
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) -
Close all open browser and other windows except for HijackThis, then press the Fix Checked button.
Download Ewido from Here
When installing, under Additional Options uncheck Install background guard. Click on Update in the left menu, then click the Start update button. After the update finishes, from the main menu click on Scanner, then click Complete System Scan. If Ewido finds something, it will pop up a notification. Select Remove and check the boxes Perform action with all infections and Create encrypted backup, then click on OK. When the scan finishes, click on Save Report and save it to your desktop or C:\ drive, then post back the results if it detects any problems.
Finally run Panda Activescan from Here.
Once you are on the Panda site click the Scan your PC button
- A new window will open... click the Check Now button
- Enter your Country
- Enter your State/Province
- Enter your e-mail address and click send
- Select either Home User or Company
- Click the big Scan Now button
- If it wants to install an ActiveX component allow it
- It will start downloading the files it requires for the scan
(Note: It may take a couple of minutes)
- When the download is complete, click on Local Disks to start the scan
- When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location so you can post it back.
Please Reboot after running these scanners and then post back the Ewido log and the Panda scan log.
Thanks, Andy
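An added example, not code from this thread or from HijackThis: a small Python triage helper that applies the two rules the reply above used to pick entries (anything pointing at "(no file)", and O16 DPF entries with no download URL) to sample lines constructed from the log in the first post. It also flags the R1 ProxyServer and O1 Hosts lines for a human to review; that second heuristic is my own assumption, not something the reply stated.

```python
import re
from dataclasses import dataclass

# Constructed sample: lines in the shape of the HijackThis v1.99 log above.
SAMPLE_LOG = """\
R1 - HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,ProxyServer = socks=proxy.cjb.net:1080
R3 - URLSearchHook: (no name) - {687C7EE8-4D54-11D7-9B69-0050DABF55DD} - (no file)
O1 - Hosts: 216.201.182.27 directory.thepalace.com
O2 - BHO: (no name) - {42132494-F48F-4187-ABC8-0F343AD2E465} - C:\\WINDOWS\\system32\\pbshmd.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\\Program Files\\Norton AntiVirus\\NavShExt.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) -
O16 - DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} (AxisMediaControlEmb Class) - http://216.8.159.20/activex/AMC.cab
"""

# Every HijackThis finding starts with a section code (R0..R3, O1..O23) and " - ".
LINE_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.*)$")

@dataclass
class Finding:
    code: str     # HijackThis section, e.g. "O2" or "O16"
    verdict: str  # "fix" (safe to tick in Fix Checked) or "review" (needs a decision)
    reason: str
    line: str

def triage(log_text: str) -> list:
    """Return the log lines worth acting on, in log order."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # running-process list, header lines, blanks
        code, body = m.group("code"), m.group("body")
        if body.endswith("(no file)"):
            # Registry still references a file that no longer exists: stale entry.
            findings.append(Finding(code, "fix", "orphaned entry, file missing", line))
        elif code == "O16" and body.rstrip().endswith("-"):
            # Downloaded Program File with no source URL: origin unknown, remove.
            findings.append(Finding(code, "fix", "ActiveX control with no download URL", line))
        elif code == "O2" and body.startswith("BHO: (no name)"):
            # Unnamed BHO backed by a real DLL: identify the DLL before deciding.
            findings.append(Finding(code, "review", "unnamed BHO with a loaded DLL", line))
        elif (code == "R1" and "ProxyServer" in body) or code == "O1":
            # Assumption (not from the reply): proxy and hosts overrides redirect
            # traffic, so a helper should confirm the owner knows about them.
            findings.append(Finding(code, "review", "traffic redirection setting", line))
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.verdict:6} {f.code:4} {f.reason}: {f.line}")
```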