EasyA-Z.com browser hijack

  • This topic is locked
9 replies to this topic

#1 lamby


  • Members
  • 6 posts

Posted 07 May 2012 - 12:02 PM


We have XP SP3, running Firefox 12.0 & Avira Free Antivirus (Ver 12, all definition files up to date).

Looks like we stumbled across a hacked site (looking for bridesmaids' dresses, of all things) and we now have an annoying browser-hijacker-type virus.

Avira detects the spawned files, and removes them, but cannot find the file doing the spawning

the viruses detected (according to Avira) are:

Both normally picked up in the H:\Windows\Installer\ directory in filename 800000cb.@,
although occasionally picked up in H:\documents & settings\%user name%\Local Settings\Application Data\
(same filename).

PC appears to be running fine generally, aside from Avira detecting the 2 viruses every few minutes when we're online, but on some occasions Google will redirect searches to EasyA-Z.com, and once we had a large image that covered the whole screen, with a picture of a policeman and lots of text talking about illegal internet activity, phone this number to pay a 100 fine, blah, blah, blah. I've not seen this screen since, and can only think Avira is now preventing it showing (otherwise I'd take a photo and post it).

If I disable the network card, then the virus does not re-spawn.

A full scan by Avira (incl. one with their Rescue CD), Malwarebytes, Ad-Aware & TDSSKiller reveals nothing. Nothing stands out on the HJT log.

The GMER scan reports that it has found rootkit activity

I've copied the DDS Log below, and have attached the other required DDS log, plus the GMER log.

All help hugely appreciated.

Thanks, Lamby

DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_32
Run by John at 11:34:20 on 2012-05-07
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.3318.2586 [GMT 1:00]
AV: Avira Desktop *Enabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
============== Running Processes ===============
H:\WINDOWS\system32\svchost -k DcomLaunch
H:\WINDOWS\System32\svchost.exe -k netsvcs
H:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
H:\Program Files\Avira\AntiVir Desktop\sched.exe
H:\Program Files\Avira\AntiVir Desktop\avguard.exe
H:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
H:\Program Files\Microsoft Hardware\Keyboard\type32.exe
H:\Program Files\Canon\MyPrinter\BJMyPrt.exe
H:\Program Files\Avira\AntiVir Desktop\avgnt.exe
H:\Program Files\Common Files\Java\Java Update\jusched.exe
H:\Program Files\Bonjour\mDNSResponder.exe
H:\Program Files\Java\jre6\bin\jqs.exe
H:\WINDOWS\system32\svchost.exe -k imgsvc
H:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
H:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
H:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
H:\Program Files\Avira\AntiVir Desktop\avshadow.exe
H:\WINDOWS\System32\svchost.exe -k HTTPFilter
H:\Program Files\Mozilla Firefox\firefox.exe
H:\Program Files\Mozilla Firefox\plugin-container.exe
H:\Program Files\Serviio\bin\ServiioService.exe
H:\Program Files\Serviio\bin\ServiioService.exe
============== Pseudo HJT Report ===============
uStart Page = hxxp://www.msn.com
uInternet Connection Wizard,ShellNext = "h:\program files\outlook express\msimn.exe"
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - h:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - h:\program files\java\jre6\bin\ssv.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - h:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - h:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - h:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] h:\windows\system32\ctfmon.exe
uRun: [TomTomHOME.exe] "h:\program files\tomtom home 2\TomTomHOMERunner.exe" -s
mRun: [Alcmtr] ALCMTR.EXE
mRun: [IgfxTray] h:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] h:\windows\system32\hkcmd.exe
mRun: [Persistence] h:\windows\system32\igfxpers.exe
mRun: [IntelliType] "h:\program files\microsoft hardware\keyboard\type32.exe"
mRun: [CanonMyPrinter] h:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [avgnt] "h:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [SunJavaUpdateSched] "h:\program files\common files\java\java update\jusched.exe"
StartupFolder: h:\docume~1\john\startm~1\programs\startup\serviio.lnk - h:\program files\serviio\bin\ServiioConsole.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - h:\program files\messenger\msmsgs.exe
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_32-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0032-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_32-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_32-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: DhcpNameServer =
TCP: Interfaces\{B2D3B4BC-666F-4580-A9B5-9EFBEB4A3422} : DhcpNameServer =
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - h:\windows\system32\WPDShServiceObj.dll
================= FIREFOX ===================
FF - ProfilePath - h:\documents and settings\john\application data\mozilla\firefox\profiles\0tcqy511.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.bing.com/search?FORM=DCF3DF&PC=DCF3&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.bbc.co.uk/
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?FORM=DCF3DF&PC=DCF3&q=
FF - component: h:\documents and settings\john\application data\mozilla\firefox\profiles\0tcqy511.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - component: h:\documents and settings\john\application data\mozilla\firefox\profiles\0tcqy511.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbar-ff3.dll
FF - plugin: h:\program files\common files\parallelgraphics\cortona\npCortona.dll
FF - plugin: h:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: h:\program files\java\jre6\bin\plugin2\npjp2.dll
FF - plugin: h:\program files\microsoft silverlight\4.1.10111.0\npctrlui.dll
FF - plugin: h:\program files\mozilla firefox\plugins\npCortona.dll
FF - plugin: h:\windows\system32\npdeployJava1.dll
FF - plugin: h:\windows\system32\npptools.dll
============= SERVICES / DRIVERS ===============
R1 avkmgr;avkmgr;h:\windows\system32\drivers\avkmgr.sys [2011-11-3 36000]
R2 AntiVirSchedulerService;Avira Scheduler;h:\program files\avira\antivir desktop\sched.exe [2011-11-3 86224]
R2 AntiVirService;Avira Realtime Protection;h:\program files\avira\antivir desktop\avguard.exe [2011-11-3 110032]
R2 avgntflt;avgntflt;h:\windows\system32\drivers\avgntflt.sys [2010-4-2 74640]
R2 ddnt;ddnt;h:\windows\system32\drivers\ddnt.sys [2010-9-12 7072]
R2 hasplms;Sentinel HASP License Manager;h:\windows\system32\hasplms.exe -run --> h:\windows\system32\hasplms.exe -run [?]
R2 Serviio;Serviio;h:\program files\serviio\bin\ServiioService.exe [2012-1-31 276480]
R2 thdudf;TOSHIBA UDF2.5 Reader File System Driver;h:\windows\system32\drivers\thdudf.sys [2011-11-27 66944]
R2 TomTomHOMEService;TomTomHOMEService;h:\program files\tomtom home 2\TomTomHOMEService.exe [2012-1-23 92592]
R3 brfilt;Brother MFC Filter Driver;h:\windows\system32\drivers\BrFilt.sys [2009-2-21 2944]
R3 BrSerWDM;Brother Serial driver;h:\windows\system32\drivers\BrSerWdm.sys [2009-2-21 60416]
R3 BrUsbMdm;Brother MFC USB Fax Only Modem;h:\windows\system32\drivers\BrUsbMdm.sys [2009-2-21 11008]
R3 BrUsbScn;Brother MFC USB Scanner driver;h:\windows\system32\drivers\BrUsbScn.sys [2009-2-21 10368]
S3 FVNETusbXP;Belkin 11Mbps Wireless USB Network Adapter®;h:\windows\system32\drivers\bkusbxp.sys --> h:\windows\system32\drivers\bkusbxp.sys [?]
S3 FXDrv32;FXDrv32;\??\g:\fxdrv32.sys --> g:\FXDrv32.sys [?]
S3 MozillaMaintenance;Mozilla Maintenance Service;h:\program files\mozilla maintenance service\maintenanceservice.exe [2012-4-26 129976]
=============== Created Last 30 ================
2012-05-07 09:42:00 388096 ----a-r- h:\documents and settings\john\application data\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2012-05-07 09:41:57 -------- d-----w- h:\program files\Trend Micro
2012-05-06 08:01:37 -------- d-----w- h:\program files\Serviio
2012-05-05 11:58:10 73728 ----a-w- h:\windows\system32\javacpl.cpl
2012-05-05 11:58:10 476960 ----a-w- h:\windows\system32\npdeployJava1.dll
2012-05-05 11:27:46 -------- d-----w- H:\Temp
2012-05-05 10:04:29 -------- d-----w- h:\windows\pss
2012-05-05 06:55:07 -------- d-----w- h:\documents and settings\john\application data\Malwarebytes
2012-05-05 06:54:54 -------- d-----w- h:\documents and settings\all users\application data\Malwarebytes
2012-05-05 06:54:53 22344 ----a-w- h:\windows\system32\drivers\mbam.sys
2012-05-05 06:54:53 -------- d-----w- h:\program files\Malwarebytes' Anti-Malware
2012-05-05 06:40:35 101720 ----a-w- h:\windows\system32\drivers\SBREDrv.sys
2012-05-04 19:58:33 -------- d-----w- h:\documents and settings\john\local settings\application data\{6F8F4C70-9623-11E1-826D-B8AC6F996F26}
2012-05-04 19:17:44 -------- d-----w- h:\documents and settings\all users\application data\vsosdk
2012-05-04 18:50:01 -------- d-----w- h:\documents and settings\john\application data\log
2012-04-28 11:24:29 -------- d-----w- h:\documents and settings\all users\application data\TomTom
2012-04-26 08:35:16 -------- d-----w- h:\program files\Mozilla Maintenance Service
2012-04-26 08:35:10 157352 ----a-w- h:\program files\mozilla firefox\maintenanceservice_installer.exe
2012-04-26 08:35:10 129976 ----a-w- h:\program files\mozilla firefox\maintenanceservice.exe
==================== Find3M ====================
2012-05-05 11:57:56 472864 ----a-w- h:\windows\system32\deployJava1.dll
2012-03-01 11:01:32 916992 ----a-w- h:\windows\system32\wininet.dll
2012-03-01 11:01:32 43520 ----a-w- h:\windows\system32\licmgr10.dll
2012-03-01 11:01:32 1469440 ------w- h:\windows\system32\inetcpl.cpl
2012-02-29 14:10:16 177664 ----a-w- h:\windows\system32\wintrust.dll
2012-02-29 14:10:16 148480 ----a-w- h:\windows\system32\imagehlp.dll
2012-02-29 12:17:40 385024 ----a-w- h:\windows\system32\html.iec
2012-02-28 07:11:40 414368 ----a-w- h:\windows\system32\FlashPlayerCPLApp.cpl
============= FINISH: 11:34:32.57 ===============



#2 Noviciate


  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ

Posted 07 May 2012 - 02:43 PM

Good evening. :)

Download aswMBR.exe from here and save it to your Desktop.

  • Double click the tool to run it.
  • When prompted "Would you like to download latest Avast! virus definitions?" click Yes - you may need to allow access through your firewall.
  • Click the Scan button to, well, start the scan - obvious really!
  • Once the scan reports "Scan finished successfully" click Save log.
  • On my system it offers to save it to the Desktop, which may or may not be its default behaviour, but it's as handy a place as any.
  • You'll also see a file called MBR.dat appear as well - this is a backup that it created, just in case it's needed. Keep it handy for now.

I'd like the contents of aswMBR.txt in your next reply, if you'd be so kind.

So long, and thanks for all the fish.



#3 lamby

  • Topic Starter

  • Members
  • 6 posts

Posted 07 May 2012 - 04:30 PM


Huge thanks for the fast reply.

MBR log file attached

By the way, AntiVir is now reporting 2 more viruses: Sirefef.P.211 in a file called ARK5A.tmp from within Avira's own Application Data Temp files,

and Infected.Webpage.Gen2 from Temporary Internet Files, from IE5, which to my knowledge hasn't even been opened!

I've also found that fake police screen.... apparently an e-crime virus:

this is what came up when the virus first hit, but hasn't been seen since

And finally, I've also found that the Windows Firewall settings are no longer accessible "due to an unidentifiable problem".

aswMBR version Copyright© 2011 AVAST Software
Run date: 2012-05-07 21:26:44
21:26:44.656 OS Version: Windows 5.1.2600 Service Pack 3
21:26:44.656 Number of processors: 2 586 0xF0D
21:26:44.656 ComputerName: STUDYPC UserName: John
21:26:46.578 Initialize success
21:27:57.171 AVAST engine defs: 12050701
21:28:01.781 Service scanning
21:28:10.703 Service FXDrv32 G:\FXDrv32.sys **LOCKED** 21
21:28:33.078 Modules scanning
21:28:41.046 Disk 0 trace - called modules:
21:28:42.375 AVAST engine scan H:\WINDOWS
21:28:55.546 AVAST engine scan H:\WINDOWS\system32
21:34:36.687 AVAST engine scan H:\WINDOWS\system32\drivers
21:34:56.703 AVAST engine scan H:\Documents and Settings\John
21:43:26.828 File: H:\Documents and Settings\John\Local Settings\Temp\~!#19C.tmp **INFECTED** Win32:Downloader-OHO [Trj]
21:44:11.515 AVAST engine scan H:\Documents and Settings\All Users
21:47:28.203 File: H:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\TEMP\AVSCAN-20120507-202106-496C1CAC\ARK5A.tmp **INFECTED** Win32:Sirefef-VZ [Trj]
21:54:47.890 Scan finished successfully
22:24:58.984 The log file has been saved successfully to "H:\Documents and Settings\John\Desktop\Virus Software\aswMBR.txt"

thanks again, John


Edited by Noviciate, 07 May 2012 - 05:08 PM.
Added from attachment

#4 Noviciate


  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ

Posted 08 May 2012 - 02:20 PM

Good evening. :)

Pay a visit to the ESET Online Scanner.

  • Click the ESET Online Scanner button and a new window will open - you may need to maximise it.
  • Click the Run ESET Online Scanner button in the new window.
  • If you are using any browser other than IE, you will be prompted to download and run esetsmartinstaller_enu.exe and the scan will run from within the window that the executable opens.
  • Regardless of which browser you are using, you will be shown some terms and conditions and you will need to accept these to continue.
  • If you are running IE for this scan you will then be prompted to allow an ActiveX component to be downloaded, unless you already have it installed, and the scan will run inside IE.
  • When you see the Computer Scan Settings window, you will need to make the following changes:

    • UNCHECK Remove found threats - this is important.
    • Check Scan archives
    • Click on Advanced settings
    • Check Scan for potentially unsafe applications
  • Once ready, click Start to begin - not a surprise really!
  • The anti-virus definitions will now be downloaded, so don't forget to allow them through your firewall if prompted.
  • The above will take a little time, so now is a good time to fire up the kettle and open the biccies.
  • Once the scan has completed you will be shown the results - assuming that the scanner has found anything.
  • Click List of found threats and then Export to text file... and save the log somewhere convenient.
  • You can then close out the scanner - don't bother uninstalling it as you may need to use it again.
  • Please post the contents of this file in your next reply, or let me know that nothing was identified.

Download OTL by OldTimer from here and save it to your Desktop.

  • Double click the tool to run it.
  • Check the Scan All User box at the top.
  • Copy and paste the following into the Custom Scans/Fixes box at the bottom:

    • netsvcs
      C:\Windows\assembly\tmp\U\*.* /s
      >C:\commands.txt echo list vol /raw /hide /c
      >C:\DiskReport.txt diskpart /s C:\commands.txt /raw /hide /c
      type c:\diskreport.txt /c
      erase c:\commands.txt /hide /c
      erase c:\diskreport.txt /hide /c
  • Click the Run Scan button and allow it to do its thing.
  • Once the scan has completed two Notepad windows, OTL.Txt and Extras.Txt, will open - these text files will be saved in the same location as OTL.
  • Please post the contents of both in your next reply - you may need to post each separately if they are overly long.

So long, and thanks for all the fish.
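The OTL custom scan in the post above bundles several checks into one run: the netsvcs service group, the contents of Windows\assembly\tmp\U, and a diskpart volume list. As an added example, not part of the thread and not OTL's own code, the PowerShell below does the same checks by hand, read-only, and also looks for the on-disk indicators that appear in this thread's own logs (the "@"-named file under Windows\Installer, the GUID-named folder created under Local Settings\Application Data, and services whose binary no longer exists, which DDS marks "[?]"). It assumes an elevated console and, on XP, that PowerShell 2.0 has been installed separately (XP does not ship with it); the registry keys and paths are standard Windows locations, and the patterns searched for are taken from the logs above rather than from any published indicator list.

```powershell
# Added example (not code from the thread or from OTL): the checks that the OTL
# custom scan automates, done by hand in an elevated PowerShell console.
# Read-only: it lists, it does not delete or repair anything.

$root = $env:SystemRoot

# --- 1. netsvcs: which DLL each service in the shared svchost group loads -----
# OTL's "netsvcs" line dumps this list. A ServiceDll that is missing, or that
# lives outside system32, is the entry to look at.
$groups = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'
foreach ($svc in $groups.netsvcs) {
    $params = Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\$svc\Parameters" -ErrorAction SilentlyContinue
    $dll = $null
    if ($params -and $params.ServiceDll) { $dll = [Environment]::ExpandEnvironmentVariables($params.ServiceDll) }
    $note = ''
    if (-not $dll)                              { $note = '(no ServiceDll)' }
    elseif (-not (Test-Path -LiteralPath $dll)) { $note = 'DLL MISSING' }
    elseif ($dll -notlike "$root\system32\*")   { $note = 'outside system32' }
    '{0,-22} {1,-58} {2}' -f $svc, $dll, $note
}

# --- 2. Services and drivers whose binary is not on disk ---------------------
# DDS marks these "[?]"; in the log above FXDrv32 points at g:\FXDrv32.sys on a
# drive that is no longer present. A leftover from removed hardware and a driver
# that vanished overnight look the same here, so this only lists them.
Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' | ForEach-Object {
    $img = (Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue).ImagePath
    if (-not $img) { return }
    # Normalise the forms ImagePath takes: \??\C:\..., \SystemRoot\..., "quoted" paths,
    # paths relative to the Windows folder, and trailing arguments such as "-k netsvcs".
    $path = $img -replace '^"?\\\?\?\\', '' -replace '^"?\\SystemRoot\\', "$root\"
    $path = $path.TrimStart('"')
    if ($path -match '(?i)^(.+?\.(exe|sys|dll))') { $path = $Matches[1] }
    $path = [Environment]::ExpandEnvironmentVariables($path)
    if ($path -notmatch '^[A-Za-z]:\\') { $path = Join-Path $root $path }
    if (-not (Test-Path -LiteralPath $path)) { '{0,-22} image missing: {1}' -f $_.PSChildName, $img }
}

# --- 3. On-disk indicators from the thread's logs -----------------------------
# "@"-named files under Windows\Installer (Avira's 800000cb.@ detections).
Get-ChildItem -LiteralPath (Join-Path $root 'Installer') -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer -and $_.Name -like '*@*' } |
    Select-Object FullName, Length, LastWriteTime

# The Windows\assembly\tmp\U folder that the OTL script lists.
$u = Join-Path $root 'assembly\tmp\U'
if (Test-Path -LiteralPath $u) {
    Get-ChildItem -LiteralPath $u -Recurse -Force | Select-Object FullName, Length, LastWriteTime
}

# GUID-named folders directly under the profile's Local Application Data
# (cf. the {6F8F4C70-...} folder in the "Created Last 30" section of the DDS log).
# GetFolderPath is used because the LOCALAPPDATA variable does not exist on XP.
$local = [Environment]::GetFolderPath('LocalApplicationData')
Get-ChildItem -LiteralPath $local -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.PSIsContainer -and $_.Name -match '^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$' } |
    Select-Object FullName, CreationTime

# --- 4. Volumes: the same "list vol" the OTL script runs through diskpart ------
$dp = Join-Path $env:TEMP 'listvol.txt'
'list vol' | Set-Content -LiteralPath $dp -Encoding ASCII
diskpart /s $dp
Remove-Item -LiteralPath $dp
```

Run it as Administrator (diskpart refuses to run otherwise) and paste the output into the reply rather than acting on it: a service whose file is missing, or a "@" file under Installer, is something to report, not something this script removes. A rootkit that hides its files from the running system will also hide them from this script, which is why the helper still asks for aswMBR and an offline scan.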



#5 lamby

  • Topic Starter

  • Members
  • 6 posts

Posted 08 May 2012 - 05:49 PM


Will leave this running overnight.

I've got my firewall back, but cannot access the whole thing. In the Advanced tab I get a message: "The Network settings have become corrupted. To fix this, click Restore Defaults. This will delete all your settings for the Windows firewall. It might cause some programs to stop working."

I also took advantage of the Avira Premium 30-day trial that popped up. This gives additional web and mail protection. Only the web and mail options are not able to activate...

Also, my desktop icons are now auto-arranging themselves to the left of the screen, even though auto-arrange is off. I can move them about and arrange as required, but each time there is a screen refresh, they go back.


I'll post logs tomorrow!


#6 lamby

  • Topic Starter

  • Members
  • 6 posts

Posted 09 May 2012 - 03:14 AM

ESET Online Scanner - found nothing except false positives. Basically, all my own company's release software, which includes HASP encryption.

OTL ... will not run! I get the "OTL has encountered a problem and needs to close...." message

I found a couple of other sources for this, and all respond in the same way.

I'm guessing the virus could be doing this?

I'm close to a re-format and start again???

#7 Noviciate


  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ

Posted 09 May 2012 - 03:44 PM

Good evening. :)

I'm close to a re-format and start again???

That's a choice you will have to make for yourself - it's basically a trade-off between the time it will take to reinstall the OS and your programs and the time it may take to resolve the problems you are having, and I can't say how long that will take. On the plus side, a reformat and reinstall will give your PC that straight-out-of-the-box feel, with a speed boost due to the fresh start, which is always a bonus - particularly as the OS has got two years under its belt already and is probably not running at top speed any more.

You'll need to let me know what you decide to do.

So long, and thanks for all the fish.



#8 lamby

  • Topic Starter

  • Members
  • 6 posts

Posted 10 May 2012 - 03:09 AM

Good morning :)

Here's where I am at now. I got my old DOS toolkit out (had to retrieve it from an old archived drive). Booted into Safe Mode and manually took out all the temp files that CCleaner hadn't removed when this first started.

This appears to have got rid of the Avira pop-ups :) but I am still occasionally getting redirected to EasyA-Z from Google :(

I used this method: http://windowsxp.mvps.org/sharedaccess.htm
to restore my SharedAccess registry entry, and have my Windows Firewall back :) although I cannot access Advanced settings, and have gone through various methods to resolve this, but nothing. :(

I now have Avira Premium running without problems, and this includes web and mail monitoring :) (I haven't done enough searching yet to see if this stops the EasyA-Z redirection)

But I now have big issues with Explorer folder views and my desktop icon arrangements :angry: :angry: :angry:

Desktop icons are "auto-arranged" even though auto-arrange is unchecked. I can arrange the icons, but as soon as there is a screen refresh, they all go back.

Explorer folders can all be set to the same and stay that way, but if I reset and set different folders to view differently (i.e., my Documents folder I like to LIST, the Network properties and MY COMPUTER I like DETAILS), then they don't remember and return to a default state, although this default state seems to change after each boot-up.

all scans i can get working (and OTL still won't run) show absolutely nothing.

So I've ordered a new HDD, with the intention of making a fresh install of XP and starting again, and once I've got everything working & transferred across I will format the current HDD and create a clone, in case anything like this happens again!!!

So, 1 final question (which you might not be able to give a definite answer to)... I think I should be safe to copy all data from the infected drive without pulling the virus with it? I think these trojans seat themselves in system areas and affect the general running of the PC rather than corrupting data files. Should this be the case? (Best guess will do.)

Thanks for your help though :)

#9 Noviciate


  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ

Posted 10 May 2012 - 02:29 PM

Good evening. :)

create a clone, in case anything like this happens again!!!

Have been grateful for one of these myself when a drive went baaaad.

Should this be the case? (best guess will do)

Best guess is Yup. What I would do is to get Windows up and running on the new drive and then slave the old drive and scan it before copying anything across, or burn the data to a disk, or two, and then scan them before copying it to the new drive. I'm not sure that there is any risk, but for the amount of time a scan will take it seems a shame not to add an extra layer of happy.

So long, and thanks for all the fish.



#10 Noviciate


  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ

Posted 15 May 2012 - 03:26 PM

As this issue appears to have been resolved, this thread is now closed.

So long, and thanks for all the fish.


