Weird Zango problem on a PC I'm cleaning



Ecrofirt
2007-04-29, 06:30
Hi all,

Note to the admins: This isn't about my PC. This is about a friend's PC that I'm working on.

---

OK, so the PC is coming up with some Zango spyware that I can't get rid of, and I'm left wondering if perhaps the spyware is no longer on her machine but the registry keys have become corrupt.

-Here's exactly what happened-
I went to a friend's house today to do maintenance on her machine. Her machine came up relatively clean except for some minor Zango/180Solutions stuff. I've run the following:
Spybot, which found the Zango and 180Solutions stuff but couldn't remove it.
Spybot again upon a reboot, which still couldn't remove it
Ad-aware, which found those two things and said it removed them (but apparently didn't).
AVG AntiSpyware, which found them but couldn't remove them (part of the log is below)
Smitfraudfix, which didn't find anything useful
VundoFix and Lavasoft's Vundo remover, neither of which found anything
Look2Me-Destroyer and Lavasoft's Look2Me remover, neither of which found anything
Rogue Remover, which found nothing.
HijackThis 2.00 Beta (log below)

I ran most of those in Safe Mode as well, to no effect. The Zango stuff in question won't go away. I couldn't find any running services or anything that looked like they'd cause it, and I can't find any Zango-related .dll files on the machine.

I spent about an hour and a half going through various manual removal procedures to no avail. There are a few registry keys that keep popping up in Spybot and Ad-Aware and such, but I get an error whenever I try to delete them (even in Safe Mode).

The keys are as follows:

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ClientAX.ClientInstaller]
@="ClientInstaller Class"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ClientAX.ClientInstaller\CLSID]
@="{99410CDE-6F16-42ce-9D49-3807F78F0287}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ClientAX.ClientInstaller\CurVer]
@="ClientAX.ClientInstaller.1"


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ClientAX.ClientInstaller.1]
@="ClientInstaller Class"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ClientAX.ClientInstaller.1\CLSID]
@="{99410CDE-6F16-42ce-9D49-3807F78F0287}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ClientAX.RequiredComponent]
@="RequiredComponent Class"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ClientAX.RequiredComponent\CLSID]
@="{0AC49246-419B-4EE0-8917-8818DAAD6A4E}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ClientAX.RequiredComponent\CurVer]
@="ClientAX.RequiredComponent.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ClientAX.RequiredComponent.1]
@="RequiredComponent Class"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ClientAX.RequiredComponent.1\CLSID]
@="{0AC49246-419B-4EE0-8917-8818DAAD6A4E}"

I found some references to a Zango Toolbar in the registry that I was able to get rid of, as well as some references to zangocash.com that I deleted. I also found some stuff related to GIANT Antispyware that had the same {99410...} stuff. I couldn't tell for sure, but it looked like it was a GIANT registry reference to a removed installation of the Zango Toolbar.

Anyhow, that's a bunch of information.
Here's part of the AVG Antispyware log:

HKLM\SOFTWARE\Classes\ClientAX.ClientInstaller -> Adware.180Solutions : Error during cleaning.
HKLM\SOFTWARE\Classes\ClientAX.ClientInstaller.1 -> Adware.180Solutions : Error during cleaning.
HKLM\SOFTWARE\Classes\ClientAX.ClientInstaller\CLSID -> Adware.180Solutions : Error during cleaning.
HKLM\SOFTWARE\Classes\ClientAX.ClientInstaller\CurVer -> Adware.180Solutions : Error during cleaning.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\O9YJK1IJ\AppWrap[1].exe -> Adware.AdURL : Cleaned with backup (quarantined).
C:\Program Files\AWS\WeatherBug\MiniBugTransporter.dll -> Adware.Aws : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1012\A0055512.dll -> Adware.Sud : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\ClientAX.RequiredComponent -> Adware.Zango : Error during cleaning.
HKLM\SOFTWARE\Classes\ClientAX.RequiredComponent.1 -> Adware.Zango : Error during cleaning.
HKLM\SOFTWARE\Classes\ClientAX.RequiredComponent\CLSID -> Adware.Zango : Error during cleaning.
HKLM\SOFTWARE\Classes\ClientAX.RequiredComponent\CurVer -> Adware.Zango : Error during cleaning.

And here's her HijackThis log:

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 6:19:11 PM, on 4/28/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\system32\hkcmd.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\hijackthis\HiJackThis_v2.exe
C:\WINDOWS\system32\rundll32.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe

--

I wonder, is it possible that GIANT removed the Zango toolbar, and somehow corrupted those registry keys so they're un-deletable, and are giving back false positives? That's the only thing that makes sense to me.

Sorry for the long post :(
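The four ProgID keys quoted above only map a name to a CLSID; whether a COM server is still registered behind them, and whether the key's permissions are what stops the deletion, can be checked directly. The script below is an added example and is not from the thread or any of the tools mentioned in it; it uses the ProgIDs and CLSIDs exactly as posted and assumes an elevated PowerShell prompt on the affected machine.

```powershell
# Added example, not from the thread. For each ClientAX ProgID posted above,
# resolve the CLSID, check whether an InprocServer32 DLL is registered and
# still on disk, and dump the key's ACL. A Deny ACE, or Administrators lacking
# the Delete right, is one common reason Regedit reports an error on delete.
$progIds = @(
    'ClientAX.ClientInstaller', 'ClientAX.ClientInstaller.1',
    'ClientAX.RequiredComponent', 'ClientAX.RequiredComponent.1'
)

foreach ($progId in $progIds) {
    $key = "HKLM:\SOFTWARE\Classes\$progId"
    if (-not (Test-Path $key)) {
        Write-Output "$progId : not present"
        continue
    }

    # ProgID -> CLSID mapping (the {99410...} / {0AC49...} values in the post)
    $clsid = (Get-ItemProperty "$key\CLSID" -ErrorAction SilentlyContinue).'(default)'
    Write-Output "$progId -> CLSID $clsid"

    if ($clsid) {
        $server = "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32"
        if (Test-Path $server) {
            $dll = (Get-ItemProperty $server).'(default)'
            $onDisk = $false
            if ($dll) { $onDisk = Test-Path ([Environment]::ExpandEnvironmentVariables($dll)) }
            Write-Output "  InprocServer32 = $dll (exists on disk: $onDisk)"
        } else {
            # No CLSID registration at all: the ProgID is an orphan and loads nothing.
            Write-Output "  no CLSID\$clsid key: orphaned ProgID, no COM server registered"
        }
    }

    # Owner and access rules on the ProgID key itself.
    $acl = Get-Acl $key
    Write-Output "  Owner: $($acl.Owner)"
    foreach ($ace in $acl.Access) {
        Write-Output ("  {0,-5} {1,-30} {2}" -f $ace.AccessControlType,
                      $ace.IdentityReference, $ace.RegistryRights)
    }
}
```

If the CLSID has no InprocServer32 (or the DLL is gone) the keys are leftover registration data rather than a live component, and if the ACL shows a Deny entry or a missing Delete right, taking ownership and resetting the key's permissions in Regedit before deleting is the usual fix.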

Mr_JAk3
2007-05-02, 11:23
Hello Ecrofirt :)

OK, first, please post a HijackThis 1.99.1 log here. See more -> Please read the 'Before you Post' sticky topic and provide the correct HJT log (http://forums.spybot.info/showthread.php?t=12274)

:bigthumb:

Ecrofirt
2007-05-02, 19:37
Hello Ecrofirt :)

OK, first, please post a HijackThis 1.99.1 log here. See more -> Please read the 'Before you Post' sticky topic and provide the correct HJT log (http://forums.spybot.info/showthread.php?t=12274)

:bigthumb:

Mr_JAk, I don't have access to her PC that often. Is there enough of a difference between a 2.00 Beta and a 1.99.1 log that it'll make a difference? I'm hoping I might be able to get some suggestions that won't have me making the trip to her house just to post another HJT log.

I'd also like to mention some things I think I forgot in the first post:
She has AVG AntiVirus on her PC, and it didn't pick up anything.

There was nothing Zango related in Add/Remove programs like the manual removal guides I used said there would be.

I was at her house over the weekend for 5 hours or so, and there wasn't one popup during that time.

The real problem seems to be those few keys that won't go away. There seems to be no evidence of any other infection on her machine. Is it possible that those keys are just corrupt or something, and they're causing false positives in her scans?

I tried removing the keys in Normal Mode, Safe Mode (without networking), and Safe Mode without explorer.exe running (by first killing it with process.exe, and then opening Regedit via the Task Manager). They won't go away.

If there's legitimate concern that there may be a real Zango infection on her machine, I'll certainly go back and run a log in 1.99.1. Otherwise, I'm just basically wondering if I may be correct about them being false positives.

tashi
2007-05-18, 08:36
This topic has been moved to archives to prevent others with similar issues posting to it.

If you need the thread re-opened, please send me a private message (pm) and provide a link.

Applies only to the original poster, anyone else with similar problems please start your own topic.