Thread: Removing eZula remnants?

  1. #1
    Jeff Guest

    Removing eZula remnants?


    Hello spyware gurus,

    I've been unable to find a way to remove, what I assume to be,
    remnants of eZula from my system. None of the usual spy/adware tools
    find any problem with my system (all are updated regularly), and there
    is no evidence of extraneous .exe's running in my task manager.
    However, when I visit http://www.whirlywiryweb.com/q/ezula.asp it
    indicates that I have eZula installed. Examining the code for
    detections shows that "clsid:3D7247E8-5DB8-11D4-8A72-0050DA2EE1BE" is
    what triggers this false(?) positive. My questions are:

    1) Is this a false positive? Can SpyBot S&D and AdAware be unable to
    detect a version of eZula?

    2) Can eZula have mutated into one of the benign looking processes
    normally present on Windows XP Pro?

    3) If this is a false positive, how do I remove the remainder of what
    was probably once eZula on my system?

    Thank you for your kind replies...

    Jeff


  2. #2
    Jim Byrd Guest

    Re: Removing eZula remnants?

    Hi Jeff - Are you using SpywareBlaster? If so, that might explain it, as
    this is one of the CLSIDs for which it sets a "kill" bit in the Registry.
    This needs to remain to protect you against that particular malware ActiveX
    component, but it may also be generating the (false) positive you're seeing
    at whirlywiryweb. If you're not using SpywareBlaster, then post back and we
    can try taking a look at the Reg entry to see what you've got there.

    --
    Please respond in the same thread.
    Regards, Jim Byrd, MS-MVP



    In news:ffl7mvondcj09gtrhi52mqdedm493oah8h@pita.alt.net,
    Jeff <jeff@nospamnever.net> typed:
    > Hello spyware gurus,
    >
    > I've been unable to find a way to remove, what I assume to be,
    > remnants of eZula from my system. None of the usual spy/adware tools
    > find any problem with my system (all are updated regularly), and there
    > is no evidence of extraneous .exe's running in my task manager.
    > However, when I visit http://www.whirlywiryweb.com/q/ezula.asp it
    > indicates that I have eZula installed. Examining the code for
    > detections shows that "clsid:3D7247E8-5DB8-11D4-8A72-0050DA2EE1BE" is
    > what triggers this false(?) positive. My questions are:
    >
    > 1) Is this a false positive? Can SpyBot S&D and AdAware be unable to
    > detect a version of eZula?
    >
    > 2) Can eZula have mutated into one of the benign looking processes
    > normally present on Windows XP Pro?
    >
    > 3) If this is a false positive, how do I remove the remainder of what
    > was probably once eZula on my system?
    >
    > Thank you for your kind replies...
    >
    > Jeff
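
The registry check Jim offers above, as an added example that is not part of the original thread: it reports whether the CLSID from the question carries only a kill bit (a protective entry) or is also registered as a COM control. The registry paths and the 0x400 flag value are the standard Windows locations for kill bits and COM registration and are not stated in the thread; the function names are hypothetical.

```powershell
# Added example (not from the thread). Read-only: nothing is written to the registry.
$Clsid   = '{3D7247E8-5DB8-11D4-8A72-0050DA2EE1BE}'   # CLSID quoted in the thread
$KillBit = 0x400   # bit in "Compatibility Flags" that stops IE instantiating the control

function Get-KillBitState {
    param([string]$Clsid)
    # Native view, plus the 32-bit view used by 32-bit IE on 64-bit Windows
    $roots = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
             'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
    foreach ($root in $roots) {
        $key = "$root\$Clsid"
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $flags = (Get-ItemProperty -LiteralPath $key -Name 'Compatibility Flags' `
                    -ErrorAction SilentlyContinue).'Compatibility Flags'
        [pscustomobject]@{
            Key        = $key
            Flags      = if ($null -ne $flags) { '0x{0:X8}' -f $flags } else { '(not set)' }
            KillBitSet = ($null -ne $flags) -and (($flags -band $KillBit) -ne 0)
        }
    }
}

function Get-ComRegistration {
    param([string]$Clsid)
    # A control that is actually installed has an InprocServer32 key naming its DLL
    $roots = 'Registry::HKEY_CLASSES_ROOT\CLSID',
             'Registry::HKEY_CLASSES_ROOT\Wow6432Node\CLSID'
    foreach ($root in $roots) {
        $key = "$root\$Clsid\InprocServer32"
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $dll = (Get-Item -LiteralPath $key).GetValue('')   # default value = DLL path
        [pscustomobject]@{
            Key        = $key
            Server     = $dll
            FileOnDisk = [bool]$dll -and (Test-Path -LiteralPath $dll)
        }
    }
}

$kill = @(Get-KillBitState $Clsid | Where-Object KillBitSet)
$reg  = @(Get-ComRegistration $Clsid)
$verdict = if ($reg.Count -gt 0 -and $kill.Count -gt 0) { 'control is registered but blocked by the kill bit' }
       elseif ($reg.Count -gt 0)  { 'control is registered and NOT blocked' }
       elseif ($kill.Count -gt 0) { 'kill bit only: no control registered, the entry is protective' }
       else                       { 'no kill bit and no registration for this CLSID' }

Get-KillBitState $Clsid | Format-List
$reg | Format-List
"Verdict for ${Clsid}: $verdict"
```

A "kill bit only" verdict matches the situation Jim describes, where the entry should stay in place.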




  3. #3
    Jeff Guest

    Re: Removing eZula remnants?

    In message <w4T8b.440648$Ho3.71191@sccrnsc03> "Jim Byrd"
    <jamesrbyrd@spamlesscomcast.net> wrote:

    >Hi Jeff - Are you using SpywareBlaster? If so, that might explain it, as
    >this is one of the CLSIDs for which it sets a "kill" bit in the Registry.
    >This needs to remain to protect you against that particular malware ActiveX
    >component, but it may also be generating the (false) positive you're seeing
    >at whirlywiryweb. If you're not using SpywareBlaster, then post back and we
    >can try taking a look at the Reg entry to see what you've got there.


    Jim,

    I do have SpywareBlaster installed and have "all items" protected. I
    went through the list and unchecked all the eZula variants and tried
    the website again - voila!!! No more eZula. I then rechecked ALL
    items and protected my computer again.

    Thank you very much for your insight into the cause of the false
    positive. I really appreciate the advice and the fact that I don't
    really have scumware installed on my system.

    Cheers,
    Jeff

  4. #4
    Jim Byrd Guest

    Re: Removing eZula remnants?

    YW, Jeff - Glad you got it straightened out.

    --
    Please respond in the same thread.
    Regards, Jim Byrd, MS-MVP



    In news:5058mvk06nrcpd803f5h8pdji6to2qgm9n@cabalnet.com,
    Jeff <jeff@nospamnever.net> typed:
    > In message <w4T8b.440648$Ho3.71191@sccrnsc03> "Jim Byrd"
    > <jamesrbyrd@spamlesscomcast.net> wrote:
    >
    >> Hi Jeff - Are you using SpywareBlaster? If so, that might explain
    >> it, as this is one of the CLSIDs for which it sets a "kill" bit in
    >> the Registry. This needs to remain to protect you against that
    >> particular malware ActiveX component, but it may also be generating
    >> the (false) positive you're seeing at whirlywiryweb. If you're not
    >> using SpywareBlaster, then post back and we can try taking a look at
    >> the Reg entry to see what you've got there.

    >
    > Jim,
    >
    > I do have SpywareBlaster installed and have "all items" protected. I
    > went through the list and unchecked all the eZula variants and tried
    > the website again - voila!!! No more eZula. I then rechecked ALL
    > items and protected my computer again.
    >
    > Thank you very much for your insight into the cause of the false
    > positive. I really appreciate the advice and the fact that I don't
    > really have scumware installed on my system.
    >
    > Cheers,
    > Jeff




  5. #5
    siljaline Guest

    Re: Removing eZula remnants?

    On Sun, 14 Sep 2003 20:18:11 GMT, "Jim Byrd" <jamesrbyrd@spamlesscomcast.net> wrote:

    >YW, Jeff - Glad you got it straightened out.


    Hey stranger



    --
    siljaline

    "Arguing with anonymous strangers on the Internet is a sucker's game
    because they almost always turn out to be -- or to be indistinguishable from
    -- self-righteous sixteen-year-olds possessing infinite amounts of free time."
    - Neal Stephenson, _Cryptonomicon_
