Techies: Please Help!
I was messing where I shouldn't have been messing (no, this does not belong in the internet porno thread) and found a quick game I wanted to try. I KNOW better, but it asked me to download something called Zango. I started it, thinking I would just delete it later. Well, it all went to hell and I wanted to back out. Now, I am unable to completely delete it. It tried to create a toolbar on my internet connection. I have deleted all files I could find and it's still trying to create a toolbar (it says "finalizing installation" across the toolbar area constantly). Zango is represented in my toolbar list, as is the Google I have always used. However, when I put Google up it doesn't come up; Zango keeps trying to "install." And unchecking the Zango toolbar has no effect. Oh, and "Add/Remove Programs" comes up with a blank programs list, perhaps a security feature.
I was hoping one of you out there might have some idea what I can do to stop the madness. I wouldn't get into big trouble if I had to call in IT (most of them are my buds, anyway) but I sure would feel stupid! :) Any ideas? Thanks! (My signature really applies to me now!) |
Manual removal instructions here.
|
Thanks elspode. You're very kind! I'm going to try it now.
|
You may also want to review this. If you have Zango, you might (and probably do) have some other goodies running around wreaking all sorts of hidden havoc.
|
Yes, thank you. I ran Spybot and AdAware and there were all sorts of Gremlins. Didn't get rid of the toolbar problem though.
I went through the manual fix step by step, mostly to no avail, but I WAS able to find a way to delete a Zango function. Now, my toolbar list shows Zango AND Google, and Google is visible if the Zango is checked. However, I'm not getting the installation notice, and the Google toolbar seems to be OK. I might mess around with it some more later. Thanks for the help. |
Assuming you're running WinXP or Win98, there's a function called "System Restore" you might use. Only as a last resort, as it will delete any programs you loaded since the last restore point was created. Photos, documents, and the like will be fine.
I don't know if Mac™ has anything along those lines, but I don't see why not. |
Sometimes System Restore will "restore" the virus!
|
Quote:
If a restore point was created after the virus got on your system, the virus will be restored. If you clean out the system, and you're sure it's clean, set a restore point, and name it as such. But, like I said, it's usually a last resort. |
Zango sounds similar to spyware programs made intentionally undeleteable so that information on your machine is constantly sent to a third party computer, et al.
Files to look for:
Registry entries (execute REGEDIT to find these):
Variations of the above summaries will exist. If malware, some registry and file entries would be deleted only to reappear. The NY State Attorney General is suing some companies for doing software "which advertised 'free' software available for download, including screensavers, screen cursors and games. The Attorney General found that along with these programs, Intermix secretly downloaded a number of ad-delivery programs. One such program was called 'KeenValue' and it delivered pop-up ads to its unsuspecting users. Another program, 'IncrediFind,' redirected web addresses to Intermix's proprietary search engine. Other programs placed advertising 'toolbars' on users' screens". Search for special software dedicated to only removing that malware. Without that software, history says you're fried. Your computer integrity remains way too dangerous to use for anything secure, i.e. bank account, Amazon, credit cards, etc. Last time I fixed one of these computers, it was sending information to computers in Ukraine and Russia. |
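As an added example (not code from this thread or from any removal tool), a PowerShell check for the registry persistence spots the post is concerned with: the autostart Run keys, Browser Helper Objects and the Internet Explorer toolbar list, resolving each CLSID to the DLL behind it so the path can be recorded before anything is deleted. The name pattern and the script name are constructed placeholders.

```powershell
# Added example, not from this thread: enumerate the persistence spots the post is
# concerned with (Run keys, Browser Helper Objects, IE toolbars) and flag entries whose
# name, CLSID or DLL path matches a pattern. Run in an elevated PowerShell session.
param(
    [string]$Pattern = 'zango|zanu'   # constructed placeholder; set to the suspect name
)
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
$bhoKey     = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
$toolbarKey = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Toolbar'
$findings   = @()

# BHOs and toolbars are registered by CLSID; resolve each to the DLL that implements it
function Resolve-ClsidDll([string]$clsid) {
    $k = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
    if (Test-Path $k) { (Get-ItemProperty -Path $k).'(default)' } else { $null }
}

# 1. Autostart values: value name -> command line
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }     # skip the registry provider's PS* metadata
        if ("$($p.Name) $($p.Value)" -imatch $Pattern) {
            $findings += [pscustomobject]@{ Where = "$key\$($p.Name)"; Target = $p.Value }
        }
    }
}
# 2. Browser Helper Objects: one subkey per CLSID
if (Test-Path $bhoKey) {
    foreach ($sub in Get-ChildItem -Path $bhoKey) {
        $dll = Resolve-ClsidDll $sub.PSChildName
        if ("$($sub.PSChildName) $dll" -imatch $Pattern) {
            $findings += [pscustomobject]@{ Where = "BHO $($sub.PSChildName)"; Target = $dll }
        }
    }
}
# 3. IE toolbars: values under the Toolbar key are named by CLSID
if (Test-Path $toolbarKey) {
    foreach ($p in (Get-ItemProperty -Path $toolbarKey).PSObject.Properties) {
        if ($p.Name -notmatch '^\{.*\}$') { continue }
        $dll = Resolve-ClsidDll $p.Name
        if ("$($p.Name) $dll" -imatch $Pattern) {
            $findings += [pscustomobject]@{ Where = "Toolbar $($p.Name)"; Target = $dll }
        }
    }
}
$findings | Format-Table -AutoSize
```

Record the Target paths before deleting anything: an entry that comes back after deletion is being re-created by a component that is still loaded, which is the behaviour the post describes.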
Yikes!
Thanks for your help. Now pardon me while my head explodes. |
As a stop-gap, use ZoneAlarm (make every program 'ask' for permission) along with TDIMon from Sysinternals, which shows the low-level info sent from the app to the network interface. This is useful for showing the destination IP address.
|
After reading this I'm almost glad all my problems revolve around hardware.
|
Powered by: vBulletin Version 3.8.1
Copyright ©2000 - 2025, Jelsoft Enterprises Ltd.