Adware.Ezula - Removal

Printer Friendly Page

Updated: February 13, 2007 11:32:58 AM

Type: Adware

Version: 1.0

Publisher: Ezula

Risk Impact: Medium

File Names: eZinstall.exe Ezula.dll wo.exe apev.exe

Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

Note: Removing this adware component from the system will likely cause the program that installed it to not function as intended. The uninstaller generally identifies the programs that will not work after uninstallation.

Removal using the Adware.Ezula Removal Tool
Symantec Security Response has developed a removal tool for Adware.Ezula. Use this removal tool first, as it is the easiest way to remove this risk.

The tool can be found here: http://securityresponse.symantec.com/avcenter/FixEzula.exe

The current version of the tool is 1.0.3 and will have a digital signature timestamp equivalent to 07/29/05 01:31 AM PDT.

Note: The date and time displayed will be adjusted to your time zone, if your computer is not set to the Pacific time zone.

It has been reported that a computer with this security risk on it may also have other security risks installed. Symantec recommends that the following steps be carried out:

Run the Removal Tool.
Update the definitions by starting the Symantec program and running LiveUpdate.
Run a full system scan to detect any other security risks on the computer.
If the scan detects any further security risks, check for removal tools at http://securityresponse.symantec.com/avcenter/security.risks.tools.list.html
If there are no removal tools for the security risks that are detected, follow the manual removal instructions listed in the risk report.

Manual Removal

Update the virus definitions.
Uninstall TopText using the Add/Remove Programs utility.
Locating the uninstaller
Run a full system scan and delete all the files detected as Adware.Ezula.
Delete the values that were added to the registry.

For specific details on each of these steps, read the following instructions.

1. Updating the virus definitions
Symantec Security Response fully tests all the virus definitions for quality assurance before they are posted to our servers. There are two ways to obtain the most recent virus definitions:

Running LiveUpdate, which is the easiest way to obtain virus definitions: These virus definitions are posted to the LiveUpdate servers once each week (usually on Wednesdays), unless there is a major virus outbreak. To determine whether definitions for this threat are available by LiveUpdate, refer to the Virus Definitions (LiveUpdate).
Downloading the definitions using the Intelligent Updater: The Intelligent Updater virus definitions are posted on U.S. business days (Monday through Friday). You should download the definitions from the Symantec Security Response Web site and manually install them. To determine whether definitions for this threat are available by the Intelligent Updater, refer to the Virus Definitions (Intelligent Updater).

The Intelligent Updater virus definitions are available: Read "How to update virus definition files using the Intelligent Updater" for detailed instructions.

2. Uninstalling the Adware

Do one of the following:
- On the Windows 98 taskbar:
  1. Click Start > Settings > Control Panel.
  2. In the Control Panel window, double-click Add/Remove Programs.
- On the Windows Me taskbar:
  1. Click Start > Settings > Control Panel.
  2. In the Control Panel window, double-click Add/Remove Programs.
    If you do not see the Add/Remove Programs icon, click "...view all Control Panel options."
- On the Windows 2000 taskbar:
  By default, Windows 2000 is set up the same as Windows 98. In that case, follow the instructions for Windows 98. Otherwise, click Start, point to Settings, point to Control Panel, and then click Add/Remove Programs.
- On the Windows XP taskbar:
  1. Click Start > Control Panel.
  2. In the Control Panel window, double-click Add or Remove Programs.
Click TopText.

Note: You may need to use the scroll bar to view the whole list.
Click Add/Remove, Change/Remove, or Remove (this varies with the operating system). Follow the prompts.

3. Locating the uninstaller
Depending on the version of Ezula installed, there may not be the option to uninstall it from the Add or Remove Programs pane. If this is case, locate the uninstaller by doing the following:

Using Windows Explorer, browse to the folder %ProgramFiles%\Ezula\.
Locate the file UNWISE.EXE and double-click it.
Follow any prompts.
Using Windows Explorer again, browse to the folder %ProgramFiles%\Web Offer\.
Locate the file UNWISE.EXE and double-click it.
Follow any prompts.
Restart your computer

4. Scanning for and deleting the infected files

Start your Symantec antivirus program and make sure that it is configured to scan all the files.
- For Norton AntiVirus consumer products: Read the document, "How to configure Norton AntiVirus to scan all files."
- For Symantec AntiVirus Enterprise products: Read the document, "How to verify that a Symantec Corporate antivirus product is set to scan all files."
Run a full system scan.
If any files are detected as infected with Adware.Ezula, click Delete.

5. To delete the values from the registry

WARNING: Symantec strongly recommends that you back up the registry before making any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified keys only. Read the document, "How to make a backup of the Windows registry," for instructions.

Note: This is done to make sure that all the keys are removed. They may not be there if the uninstaller removed them.

Click Start > Run.
Type regedit

Then click OK.
Navigate to the subkey:

HKEY_ALL_USERS\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
In the right pane, delete the values:

"eZmmod" = "C:\PROGRA~1\ezula\mmod.exe" "eZWO" = "C:\PROGRA~1\Web Offer\wo.exe"
Navigate to and delete the following registry keys, if present:

HKEY_CLASSES_ROOT\AppID\eZulaBootExe.EXE HKEY_CLASSES_ROOT\AppID\eZulaMain.EXE HKEY_CLASSES_ROOT\AppID\{8A044397-5DA2-11D4-B185-0050DAB79376} HKEY_CLASSES_ROOT\AppID\{C0335198-6755-11D4-8A73-0050DA2EE1BE} HKEY_CLASSES_ROOT\CLSID\{07F0A543-47BA-11D4-8A6D-0050DA2EE1BE} HKEY_CLASSES_ROOT\CLSID\{07F0A545-47BA-11D4-8A6D-0050DA2EE1BE} HKEY_CLASSES_ROOT\CLSID\{19DFB2CB-9B27-11D4-B192-0050DAB79376} HKEY_CLASSES_ROOT\CLSID\{2079884B-6EF3-11D4-8A74-0050DA2EE1BE} HKEY_CLASSES_ROOT\CLSID\{2306ABE4-4D42-11D4-8A6D-0050DA2EE1BE} HKEY_CLASSES_ROOT\CLSID\{25630B47-53C6-4E66-A945-9D7B6B2171FF} HKEY_CLASSES_ROOT\CLSID\{2BABD334-5C3F-11D4-B184-0050DAB79376} HKEY_CLASSES_ROOT\CLSID\{370F6354-41C4-4FA6-A2DF-1BA57EE0FBB9} HKEY_CLASSES_ROOT\CLSID\{3D7247DE-5DB8-11D4-8A72-0050DA2EE1BE} HKEY_CLASSES_ROOT\CLSID\{3D7247E8-5DB8-11D4-8A72-0050DA2EE1BE} HKEY_CLASSES_ROOT\CLSID\{50B4D2B3-723F-41B3-AEC4-0BD66F0F45FF} HKEY_CLASSES_ROOT\CLSID\{55910916-8B4E-4C1E-9253-CCE296EA71EB} HKEY_CLASSES_ROOT\CLSID\{58359010-BF36-11d3-99A2-0050DA2EE1BE} HKEY_CLASSES_ROOT\CLSID\{6DF5E318-6994-4A41-85BD-45CCADA616F8} HKEY_CLASSES_ROOT\CLSID\{788C6F6F-C2EA-4A63-9C38-CE7D8F43BCE4} HKEY_CLASSES_ROOT\CLSID\{78BCF937-45B0-40A7-9391-DCC03420DB35} HKEY_CLASSES_ROOT\CLSID\{9CFA26C0-81DA-4C9D-A501-F144A4A000FA} HKEY_CLASSES_ROOT\CLSID\{A166C1B0-5CDB-447A-894A-4B9FD7149D51} HKEY_CLASSES_ROOT\CLSID\{B1DD8A69-1B96-11D4-B175-0050DAB79376} HKEY_CLASSES_ROOT\CLSID\{C03351A4-6755-11D4-8A73-0050DA2EE1BE} HKEY_CLASSES_ROOT\CLSID\{C4FEE4A7-4B8B-11D4-8A6D-0050DA2EE1BE} HKEY_CLASSES_ROOT\CLSID\{D290D6E7-BF9D-42F0-9C1B-3BC8AE769B57} HKEY_CLASSES_ROOT\CLSID\{E7A05400-4CFA-4DF3-A643-E40F86E8E3D7} HKEY_CLASSES_ROOT\CLSID\{F75521B8-76F1-4A4D-84B1-9E642E9C51D0} HKEY_CLASSES_ROOT\Interface\{07F0A542-47BA-11D4-8A6D-0050DA2EE1BE} HKEY_CLASSES_ROOT\Interface\{07F0A544-47BA-11D4-8A6D-0050DA2EE1BE} HKEY_CLASSES_ROOT\Interface\{1823BC4B-A253-4767-9CFC-9ACA62A6B136} HKEY_CLASSES_ROOT\Interface\{19DFB2CA-9B27-11D4-B192-0050DAB79376} HKEY_CLASSES_ROOT\Interface\{241667A3-EC83-4885-84DD-C2DAAFC1C5EA} HKEY_CLASSES_ROOT\Interface\{25630B50-53C6-4E66-A945-9D7B6B2171FF} HKEY_CLASSES_ROOT\Interface\{27BC6871-4D5A-11D4-8A6D-0050DA2EE1BE} HKEY_CLASSES_ROOT\Interface\{370F6327-41C4-4FA6-A2DF-1BA57EE0FBB9} HKEY_CLASSES_ROOT\Interface\{370F6353-41C4-4FA6-A2DF-1BA57EE0FBB9} HKEY_CLASSES_ROOT\Interface\{3D7247DD-5DB8-11D4-8A72-0050DA2EE1BE} HKEY_CLASSES_ROOT\Interface\{3D7247F1-5DB8-11D4-8A72-0050DA2EE1BE} HKEY_CLASSES_ROOT\Interface\{4FD8645F-9B3E-46C1-9727-9837842A84AB} HKEY_CLASSES_ROOT\Interface\{58359012-BF36-11D3-99A2-0050DA2EE1BE} HKEY_CLASSES_ROOT\Interface\{788C6F6E-C2EA-4A63-9C38-CE7D8F43BCE4} HKEY_CLASSES_ROOT\Interface\{78BCF936-45B0-40A7-9391-DCC03420DB35} HKEY_CLASSES_ROOT\Interface\{7EDC96E1-5DD3-11D4-B185-0050DAB79376} HKEY_CLASSES_ROOT\Interface\{8A0443A2-5DA2-11D4-B185-0050DAB79376} HKEY_CLASSES_ROOT\Interface\{8EBB1743-9A2F-11D4-8A7E-0050DA2EE1BE} HKEY_CLASSES_ROOT\Interface\{955CBF48-4313-4B1F-872B-254B7822CCF2} HKEY_CLASSES_ROOT\Interface\{9CFA26C2-81DA-4C9D-A501-F144A4A000FA} HKEY_CLASSES_ROOT\Interface\{C03351A3-6755-11D4-8A73-0050DA2EE1BE} HKEY_CLASSES_ROOT\Interface\{C4FEE4A6-4B8B-11D4-8A6D-0050DA2EE1BE} HKEY_CLASSES_ROOT\Interface\{EF0372DC-F552-11D3-8528-0050DAB79376} HKEY_CLASSES_ROOT\Interface\{EF0372DE-F552-11D3-8528-0050DAB79376} HKEY_CLASSES_ROOT\Interface\{EFA52460-8822-4191-BA38-FACDD2007910} HKEY_CLASSES_ROOT\TypeLib\{07F0A536-47BA-11D4-8A6D-0050DA2EE1BE} HKEY_CLASSES_ROOT\TypeLib\{083FA8F4-84F4-11D4-8A77-0050DA2EE1BE} HKEY_CLASSES_ROOT\TypeLib\{370F6327-41C4-4FA6-A2DF-1BA57EE0FBB9} HKEY_CLASSES_ROOT\TypeLib\{3D7247D1-5DB8-11D4-8A72-0050DA2EE1BE} HKEY_CLASSES_ROOT\TypeLib\{58359011-BF36-11D3-99A2-0050DA2EE1BE} HKEY_CLASSES_ROOT\TypeLib\{8A044396-5DA2-11D4-B185-0050DAB79376} HKEY_CLASSES_ROOT\TypeLib\{9CFA26C0-81DA-4C9D-A501-F144A4A000FA} HKEY_CLASSES_ROOT\TypeLib\{9CFA26C1-81DA-4C9D-A501-F144A4A000FA} HKEY_CLASSES_ROOT\TypeLib\{BAF13496-8F72-47A1-9CEE-09238EFC75F0} HKEY_CLASSES_ROOT\TypeLib\{C0335197-6755-11D4-8A73-0050DA2EE1BE} HKEY_CLASSES_ROOT\AtlBrCon.AtlBrCon HKEY_CLASSES_ROOT\AtlBrCon.AtlBrCon.1 HKEY_CLASSES_ROOT\EZulaAgent.eZulaCtrlHost HKEY_CLASSES_ROOT\EZulaAgent.eZulaCtrlHost.1 HKEY_CLASSES_ROOT\eZulaAgent.IEObject HKEY_CLASSES_ROOT\eZulaAgent.IEObject.1 HKEY_CLASSES_ROOT\EZulaAgent.PlugProt HKEY_CLASSES_ROOT\EZulaAgent.PlugProt.1 HKEY_CLASSES_ROOT\eZulaAgent.ToolBarBand HKEY_CLASSES_ROOT\eZulaAgent.ToolBarBand.1 HKEY_CLASSES_ROOT\EZulaBoot.InstallCtrl HKEY_CLASSES_ROOT\EZulaBoot.InstallCtrl.1 HKEY_CLASSES_ROOT\EZulaBootExe.InstallCtrl HKEY_CLASSES_ROOT\EZulaBootExe.InstallCtrl.1 HKEY_CLASSES_ROOT\EZulaFSearchEng.eZulaCode HKEY_CLASSES_ROOT\EZulaFSearchEng.eZulaCode.1 HKEY_CLASSES_ROOT\EZulaFSearchEng.eZulaHash HKEY_CLASSES_ROOT\EZulaFSearchEng.eZulaHash.1 HKEY_CLASSES_ROOT\EZulaFSearchEng.eZulaSearch HKEY_CLASSES_ROOT\EZulaFSearchEng.eZulaSearch.1 HKEY_CLASSES_ROOT\EZulaFSearchEng.PopupDisplay HKEY_CLASSES_ROOT\EZulaFSearchEng.PopupDisplay.1 HKEY_CLASSES_ROOT\EZulaFSearchEng.ResultHelper HKEY_CLASSES_ROOT\EZulaFSearchEng.ResultHelper.1 HKEY_CLASSES_ROOT\EZulaFSearchEng.SearchHelper HKEY_CLASSES_ROOT\EZulaFSearchEng.SearchHelper.1 HKEY_CLASSES_ROOT\EZulaMain.eZulaPopSearchPipe HKEY_CLASSES_ROOT\EZulaMain.eZulaPopSearchPipe.1 HKEY_CLASSES_ROOT\EZulaMain.eZulaSearchPipe HKEY_CLASSES_ROOT\EZulaMain.eZulaSearchPipe.1 HKEY_CLASSES_ROOT\EZulaMain.TrayIConM HKEY_CLASSES_ROOT\EZulaMain.TrayIConM.1 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{50B4D2B3-723F-41B3-AEC4-0BD66F0F45FF} HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{A166C1B0-5CDB-447A-894A-4B9FD7149D51} HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{3D7247DE-5DB8-11D4-8A72-0050DA2EE1BE} HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\eZula HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/ezstub.dll HKEY_CURRENT_USER\Software\eZula HKEY_CURRENT_USER\Software\Web Offer
Navigate to and delete the following subkeys if you are sure they are not being used by other programs:

HKEY_CLASSES_ROOT\AppID\AtlBrowser.EXE HKEY_CLASSES_ROOT\CLSID\{0818D423-6247-11D1-ABEE-00D049C10000}
Exit the Registry Editor.

Technical Details

Search Threats

Search by name

_{Example: W32.Beagle.AG@mm}