Ecrofirt
2007-04-29, 06:30
Hi all,
Note to the admins: This isn't about my PC. This is about a friend's PC that I'm working on.
---
OK, so the PC is coming up with some Zango spyware that I can't get rid of, and I'm left wondering if perhaps the spyware is no longer on her machine but the registry keys have become corrupt.
-Here's exactly what happened-
I went to a friend's house today to do maintenance on her machine. Her machine came up relatively clean except for some minor Zango/180Solutions stuff. I've run the following:
Spybot, which found the Zango and 180Solutions stuff but couldn't remove it.
Spybot again upon a reboot, which still couldn't remove it
Ad-aware, which found those two things and said it removed them (but apparently didn't).
AVG AntiSpyware, which found them but couldn't remove them (part of the log is below)
Smitfraudfix, which didn't find anything useful
VundoFix and Lavasoft's Vundo remover, neither of which found anything
Look2Me-Destroyer and Lavasoft's Look2Me remover, neither of which found anything
Rogue Remover, which found nothing.
HijackThis 2.00 Beta (log below)
I ran most of those in Safe Mode as well, to no effect. The Zango stuff in question won't go away. I couldn't find any running services or anything else that looked like it would cause it, and I can't find any Zango-related .dll files on the machine.
I spent about an hour and a half going through various manual removal procedures to no avail. There are a few registry keys that keep popping up in Spybot and Ad-Aware and stuff, but I get an error whenever I try to delete them (even in Safe Mode).
The keys are as follows:
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ClientAX.ClientInstaller]
@="ClientInstaller Class"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ClientAX.ClientInstaller\CLSID]
@="{99410CDE-6F16-42ce-9D49-3807F78F0287}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ClientAX.ClientInstaller\CurVer]
@="ClientAX.ClientInstaller.1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ClientAX.ClientInstaller.1]
@="ClientInstaller Class"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ClientAX.ClientInstaller.1\CLSID]
@="{99410CDE-6F16-42ce-9D49-3807F78F0287}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ClientAX.RequiredComponent]
@="RequiredComponent Class"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ClientAX.RequiredComponent\CLSID]
@="{0AC49246-419B-4EE0-8917-8818DAAD6A4E}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ClientAX.RequiredComponent\CurVer]
@="ClientAX.RequiredComponent.1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ClientAX.RequiredComponent.1]
@="RequiredComponent Class"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ClientAX.RequiredComponent.1\CLSID]
@="{0AC49246-419B-4EE0-8917-8818DAAD6A4E}"
I found some references to a Zango Toolbar in the registry that I was able to get rid of, as well as some references to zangocash.com that I deleted. I also found some stuff related to GIANT Antispyware that had the same {99410...} stuff. I couldn't tell for sure, but it looked like it was a GIANT registry reference to a removed installation of the Zango Toolbar.
Anyhow, that's a bunch of information.
Here's part of the AVG Antispyware log:
HKLM\SOFTWARE\Classes\ClientAX.ClientInstaller -> Adware.180Solutions : Error during cleaning.
HKLM\SOFTWARE\Classes\ClientAX.ClientInstaller.1 -> Adware.180Solutions : Error during cleaning.
HKLM\SOFTWARE\Classes\ClientAX.ClientInstaller\CLSID -> Adware.180Solutions : Error during cleaning.
HKLM\SOFTWARE\Classes\ClientAX.ClientInstaller\CurVer -> Adware.180Solutions : Error during cleaning.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\O9YJK1IJ\AppWrap[1].exe -> Adware.AdURL : Cleaned with backup (quarantined).
C:\Program Files\AWS\WeatherBug\MiniBugTransporter.dll -> Adware.Aws : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1012\A0055512.dll -> Adware.Sud : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\ClientAX.RequiredComponent -> Adware.Zango : Error during cleaning.
HKLM\SOFTWARE\Classes\ClientAX.RequiredComponent.1 -> Adware.Zango : Error during cleaning.
HKLM\SOFTWARE\Classes\ClientAX.RequiredComponent\CLSID -> Adware.Zango : Error during cleaning.
HKLM\SOFTWARE\Classes\ClientAX.RequiredComponent\CurVer -> Adware.Zango : Error during cleaning.
And here's her HijackThis log:
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 6:19:11 PM, on 4/28/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\system32\hkcmd.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\hijackthis\HiJackThis_v2.exe
C:\WINDOWS\system32\rundll32.exe
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
--
I wonder, is it possible that GIANT removed the Zango toolbar, and somehow corrupted those registry keys so they're un-deletable, and are giving back false positives? That's the only thing that makes sense to me.
Sorry for the long post :(
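Added example (editor's, not code from the original post or from any of the scanners it names): the four flagged keys are COM ProgIDs, and each one only points at a CLSID. Whether anything is actually left of Zango comes down to whether that CLSID still has an in-process server DLL on disk, and whether the keys can't be deleted usually comes down to a Deny ACE or a changed owner on the key. The script below follows ProgID -> CLSID -> InprocServer32 for each key, prints the owner and any Deny ACEs, and with -Remove takes ownership, resets the DACL on the key and its subkeys, and deletes the subtree. Assumptions: an elevated PowerShell 2.0 or later on the affected machine; the key names are taken from the post, while the function names, the -Remove switch, and the take-ownership strategy are this example's own.

```powershell
# Added example, not code from the original post or from any scanner it names.
# Run from an elevated PowerShell (2.0 or later) on the affected machine.
# The four ProgID keys are the ones quoted in the post; the function names,
# the -Remove switch and the ACL-repair strategy are this example's own.
param([switch]$Remove)

$progIds = 'ClientAX.ClientInstaller', 'ClientAX.ClientInstaller.1',
           'ClientAX.RequiredComponent', 'ClientAX.RequiredComponent.1'
$hklm   = [Microsoft.Win32.Registry]::LocalMachine
$admins = New-Object System.Security.Principal.NTAccount('BUILTIN', 'Administrators')

# Follow ProgID -> CLSID -> InprocServer32 (assumes an in-process server) and
# record whether the DLL is still on disk, who owns the key, and any Deny ACEs.
function Get-ProgIdStatus([string]$progId) {
    $keyPath = "HKLM:\SOFTWARE\Classes\$progId"
    $r = New-Object PSObject -Property @{
        ProgId = $progId; KeyExists = (Test-Path $keyPath); Clsid = $null
        ServerDll = $null; DllOnDisk = $false; Owner = $null; DenyAces = @()
    }
    if (-not $r.KeyExists) { return $r }
    if (Test-Path "$keyPath\CLSID") {
        $r.Clsid = (Get-ItemProperty "$keyPath\CLSID").'(default)'
        $server  = "HKLM:\SOFTWARE\Classes\CLSID\$($r.Clsid)\InprocServer32"
        if ($r.Clsid -and (Test-Path $server)) {
            $r.ServerDll = (Get-ItemProperty $server).'(default)'
            $dll = [Environment]::ExpandEnvironmentVariables("$($r.ServerDll)").Trim('"')
            $r.DllOnDisk = ($dll -ne '') -and (Test-Path -LiteralPath $dll)
        }
    }
    # A Deny ACE or a foreign owner is the usual reason regedit and the scanners
    # report an error on delete; both are visible here without changing anything.
    $acl = Get-Acl $keyPath
    $r.Owner    = $acl.Owner
    $r.DenyAces = @($acl.Access | Where-Object { $_.AccessControlType -eq 'Deny' })
    return $r
}

# Take ownership of one key, replace its DACL with a single Administrators grant,
# then do the same for each subkey (enumerable once we control the parent).
function Grant-AdminsFullControl([string]$sub) {
    $check = [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree
    try {
        # The owner always has WRITE_DAC, so this succeeds when Administrators already owns the key.
        $key = $hklm.OpenSubKey($sub, $check, [System.Security.AccessControl.RegistryRights]::ChangePermissions)
    } catch {
        # Otherwise take ownership first. This needs SeTakeOwnershipPrivilege in the
        # token; if it throws as well, take ownership once in regedit and rerun.
        $key = $hklm.OpenSubKey($sub, $check, [System.Security.AccessControl.RegistryRights]::TakeOwnership)
        $sec = New-Object System.Security.AccessControl.RegistrySecurity
        $sec.SetOwner($admins)
        $key.SetAccessControl($sec)
        $key.Close()
        $key = $hklm.OpenSubKey($sub, $check, [System.Security.AccessControl.RegistryRights]::ChangePermissions)
    }
    $sec = New-Object System.Security.AccessControl.RegistrySecurity
    $sec.SetAccessRuleProtection($true, $false)      # drop inherited ACEs too
    $sec.AddAccessRule((New-Object System.Security.AccessControl.RegistryAccessRule(
        $admins, 'FullControl', 'ContainerInherit', 'None', 'Allow')))
    $key.SetAccessControl($sec)
    $key.Close()
    $key = $hklm.OpenSubKey($sub)
    foreach ($child in $key.GetSubKeyNames()) { Grant-AdminsFullControl "$sub\$child" }
    $key.Close()
}

$report = @($progIds | ForEach-Object { Get-ProgIdStatus $_ })
$report | Format-Table ProgId, KeyExists, Clsid, DllOnDisk, Owner,
    @{ n = 'DenyACEs'; e = { $_.DenyAces.Count } } -AutoSize

if ($Remove) {
    foreach ($r in $report) {
        if (-not $r.KeyExists) { continue }
        if ($r.DllOnDisk) {
            # Deleting only the ProgID is pointless while the component can re-register itself.
            Write-Warning "$($r.ProgId): server $($r.ServerDll) is still on disk; quarantine it first"
            continue
        }
        Grant-AdminsFullControl "SOFTWARE\Classes\$($r.ProgId)"
        Remove-Item -LiteralPath "HKLM:\SOFTWARE\Classes\$($r.ProgId)" -Recurse -Force
    }
}
```

Run it once without arguments to get the report; if every row shows DllOnDisk False and the CLSID key is gone, the ProgIDs are orphans and the scanners are flagging leftovers, which is the situation the post suspects. Run it again with -Remove to clear them. If the report shows neither a Deny ACE nor an unexpected owner and deletion still fails, the key name itself may be the problem (names containing characters the Win32 registry API cannot pass were a known adware trick of the period, and Sysinternals RegDelNull exists for exactly that case); the script does not test for that.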