Summary
Aze Search Toolbar modifies the hosts file and hijacks a set of domains, mapping each to a substitute IP address.
A file named 'hosts' that lists all of these mappings is placed in the system root.
Searches performed under the hijacked domains have the actual search results supplanted with erroneous information. The results appear to be legitimate, with no indication of change, but when the same search is done on a machine that is not infected, very different results come back. For instance, I did a search using Google for the keyword 'PestPatrol' while infected and the top results were http://www.softwareoasis.net/442.ht and http://www.jdoqocy.com/click-1564080-10374065. When this same search was performed on a clean machine, the results brought back www.pestpatrol.com, www.pestscan.com, and store.ca.com (all CA PestPatrol domains) as the top three results.
Also, Aze Search Toolbar disables the Google toolbar and does not allow searches to be performed in it. In some testing, Aze Search Toolbar deleted the Google Registry entries so that the Toolbar would not be displayed. Furthermore, if Google is reinstalled after Aze, then the Google search functions are disabled. The user will be presented with a bogus 404 page with predetermined 'Associated Searches.' If a user navigates to 69.50.166.12/www.go.com they are presented with an erroneous page that has the MSN icon and look and feel, but all searches are erroneous.
Alias
ZToolbar
Azsearch Toolbar
SimpleBar Toolbar
CoolWebSearch.MWSearch (Microsoft Anti-Spy)
Vendor Description
THE TEXT THAT FOLLOWS IS FROM THE AUTHOR OF AZE SEARCH TOOLBAR: 'When you surf Net hunting for free porn, you simply click on unknown links, visit strange sites and don't think about security. And once you catch undesirable software. If my page is opened arbitrarily by some harmful software it means there are people which do not like you and this is not my guilt.
Homepage removing
Prior to blaming me read the following:
At first, try to fix improper homepage, searchpage etc. by the newest version of our software. We use it in most such cases.
Search for Spyware Removers.
If their software didn't help you download Remover
To change your home page do the following:
Select in your browser menu Tools -> Internet Options
Type the address of your homepage in the field Address of the HomePage
section e.g. http://microsoft.com or, if you wish see blank page,
about:blank'
Category
Hijacker: Any software that resets your browser's settings to point to other sites. Hijacks may reroute your info and address requests through an unseen site, capturing that info. In such hijacks, your browser may behave normally, but be slower.
Search Hijacker: Any software that resets your browser's settings to point to other sites when you perform a search. Hijacks may reroute your info and address requests through an unseen site, capturing that info. In such hijacks, your browser may behave normally, but be slower. Search results when such a hijacker is running will sometimes differ from non-hijacked results.
Reasons For Retention
Based on eTrust PestPatrol® Spyware Scorecard v2.0, Aze Search Toolbar violates the following criteria:
Changes browser settings, for example the default search provider, home or error page(s) etc., without user permission at time of change. Aze changes the user's start page to www.azesearch.com. Also, it changes the hosts file to: Host: www.cracks.am, IP Address 69.50.166.13. azesearch.ocx, file version: 1.0.0.1.
Second, silently connects to an unintended location to transmit personal information.
Third, creates or modifies the "hosts" file to divert domain reference without user permission or knowledge at time of change. See 'Overview: Summary.'
Fourth, can't be uninstalled by Windows Add/Remove Programs and no uninstaller is provided with the application.
Fifth, installs or updates without user permission or knowledge at time of installation. Periodically updates without user awareness or permission. Installs using ActiveX without prompting the user about the download.
Immediate Protection Info
| DAT Release | Product | DAT Version |
| --- | --- | --- |
| Original | eTrust PestPatrol v8, CA Antispyware v9, eTrust PestPatrol v5, eTrust PestPatrol v4, CA Antispyware v9 | 03 21 2005, 03 21 2005, 03 21 2005, 03 21 2005, 02 17 2009 |
| Latest | eTrust PestPatrol v8, eTrust PestPatrol v5, eTrust PestPatrol v4, CA Antispyware v9 | 07 09 2009, 07 09 2009, 01 11 2007, 11 09 2009 |