GreenguyandJim Fighting Zango

babymaker · 2006-10-26, 03:52 AM

well i applaud the effort and it's nice to see action taken

I have to say if i was zango, i would just take a few keywords off the landing page and put a system wide ad to pop a spyware removal site or any porn site etc and grab all that traffic back....................

zman · 2006-10-26, 04:52 AM

I've made quite a bit of research the last couple of days and this is what I came up with.
It's a batch file I wrote which is intended to totally remove Zango from the surfers computer.
It basically does the same thing as Jim's tutorial says plus a few things like removing Zango start menu shortcuts,
Zango cookies, windows prefetch data and all the registry entries I could find were created by it.

Code:

@echo off
cls

set TMPF1=%TEMP%\dzf.tmp
set Prefetch=%WinDir%\Prefetch

echo 1. Terminating known Zango processes.
taskkill /f /im "zanu.exe" /im "zango.exe" > nul 2>&1
echo.

echo 2. Searching for and unregistering Zango DLL's.
for /r "%ProgramFiles%\" %%i in (*zangohook.dll *ZbAds.dll *ZbCoreSrv.dll *ZbHostIE.dll *ZbToolbar.dll) do (regsvr32 /u /s "%%i"
echo    "%%i" - OK)
echo.

echo 3. Locating and deleting Zango files and folders.
echo    This may take a while... Please be patient.
if exist %TMPF1% del %TMPF1%
pushd %ProgramFiles%\
for /f "delims=" %%i in ('dir /ad /o /b /s ^| find /i "zango" ^| sort /r') do (
dir "%%i\" /a-d /b >> %TMPF1% 2> nul
rmdir /s /q "%%i\")
echo    %ProgramFiles%\ - OK
popd

pushd %AllUsersProfile%\
for /f "delims=" %%i in ('dir /ad /o /b /s ^| find /i "zango" ^| sort /r') do (rmdir /s /q "%%i\")
for /f "delims=" %%i in ('dir /a /b /s ^| find /i "zango"') do (del /f /q "%%i")
echo    %AllUsersProfile%\ - OK)
popd

pushd %UserProfile%\
for /f "delims=" %%i in ('dir /ad /o /b /s ^| find /i "zango" ^| sort /r') do (rmdir /s /q "%%i\")
for /f "delims=" %%i in ('dir /a /b /s ^| find /i "zango"') do (del /f /q "%%i")
echo    %UserProfile%\ - OK
popd

if exist %TMPF1% for /f "delims=" %%i in ('find /i ".exe" %TMPF1% ^| find /i /v "%TMPF1%"') do (
del /f /q "%Prefetch%\%%i*" >nul 2>&1)
del /f /q "%Prefetch%\*zango*" >nul 2>&1
del /f /q "%TMPF1%" >nul 2>&1
echo    %Prefetch%\ - OK
echo.

echo 4. Cleaning up known Zango registry entries.
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "zanu" /f >nul 2>&1
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "zango" /f >nul 2>&1
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Zango TvTimes" /f >nul 2>&1
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ZangoToolbarWebTools" /f >nul 2>&1
reg delete "HKLM\SOFTWARE\Classes\CLSID\{0AC49246-419B-4EE0-8917-8818DAAD6A4E}" /f >nul 2>&1
reg delete "HKLM\SOFTWARE\Classes\CLSID\{21B4ACC4-8874-4AEC-AEAC-F567A249B4D4}" /f >nul 2>&1
reg delete "HKLM\SOFTWARE\Classes\CLSID\{99410CDE-6F16-42ce-9D49-3807F78F0287}" /f >nul 2>&1
reg delete "HKLM\SOFTWARE\Classes\CLSID\{F31A5D11-BF0B-4A4E-90AF-274F2090AAA6}" /f >nul 2>&1
reg delete "HKLM\SOFTWARE\Classes\CLSID\{CF1A5756-F372-463E-BC20-1D3D58F4B9AF}" /f >nul 2>&1
reg delete "HKLM\SOFTWARE\Classes\CLSID\{51CF80DC-A309-4735-BB11-EF18BF4E3AD9}" /f >nul 2>&1
reg delete "HKLM\SOFTWARE\Classes\Interface\{2B0ECEAC-F597-4858-A542-D966B49055B9}" /f >nul 2>&1
reg delete "HKLM\SOFTWARE\Classes\Interface\{7B178417-3CDA-444F-94FF-312C0A3A78A8}" /f >nul 2>&1
reg delete "HKLM\SOFTWARE\Classes\Interface\{DDEA2E1D-8555-45E5-AF09-EC9AA4EA27AD}" /f >nul 2>&1
reg delete "HKLM\SOFTWARE\Classes\Interface\{F1F1E775-1B21-454D-8D38-7C16519969E5}" /f >nul 2>&1
reg delete "HKLM\SOFTWARE\Classes\TypeLib\{5B6689B5-C2D4-4DC7-BFD1-24AC17E5FCDA}" /f >nul 2>&1
reg delete "HKLM\SOFTWARE\Classes\TypeLib\{68BF4626-D66B-4383-A6AF-62E57E9B6CD4}" /f >nul 2>&1
reg delete "HKLM\SOFTWARE\Classes\TypeLib\{E5B57AB3-15F8-43A2-ABAC-3E58A9C25818}" /f >nul 2>&1
reg delete "HKLM\SOFTWARE\Classes\ClientAX.ClientInstaller" /f >nul 2>&1
reg delete "HKLM\SOFTWARE\Classes\ClientAX.ClientInstaller.1" /f >nul 2>&1
reg delete "HKLM\SOFTWARE\Classes\ClientAX.RequiredComponent" /f >nul 2>&1
reg delete "HKLM\SOFTWARE\Classes\ClientAX.RequiredComponent.1" /f >nul 2>&1
reg delete "HKLM\SOFTWARE\Classes\ncmyb.SABHO" /f >nul 2>&1
reg delete "HKLM\SOFTWARE\Classes\ncmyb.SABHO.1" /f >nul 2>&1
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Jade Shadow" /f >nul 2>&1
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Zango TV Times" /f >nul 2>&1
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\zanu" /f >nul 2>&1
reg delete "HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{99410CDE-6F16-42ce-9D49-3807F78F0287}" /f >nul 2>&1
reg delete "HKLM\SOFTWARE\ZangoToolbar" /f >nul 2>&1
reg delete "HKLM\SOFTWARE\zango" /f >nul 2>&1
reg delete "HKLM\SOFTWARE\zanu" /f >nul 2>&1
echo    HKEY_LOCAL_MACHINE - OK
reg delete "HKCR\ZbSrv.ZbCoreServices" /f >nul 2>&1
reg delete "HKCR\ZbSrv.ZbCoreServices.1" /f >nul 2>&1
reg delete "HKCR\Typelib\{5B6689B5-C2D4-4DC7-BFD1-24AC17E5FCDA}" /f >nul 2>&1
reg delete "HKCR\Typelib\{DC92EE2E-DF2D-4A80-A48B-17377C81CFC2}" /f >nul 2>&1
reg delete "HKCR\LMgr180.WMDRMAx" /f >nul 2>&1
reg delete "HKCR\LMgr180.WMDRMAx.1" /f >nul 2>&1
reg delete "HKCR\Interface\{F1F1E775-1B21-454D-8D38-7C16519969E5}" /f >nul 2>&1
reg delete "HKCR\Interface\{E43DFAA6-8C16-4519-B022-8792408505A4}" /f >nul 2>&1
reg delete "HKCR\Interface\{DDEA2E1D-8555-45E5-AF09-EC9AA4EA27AD}" /f >nul 2>&1
reg delete "HKCR\Interface\{BDDDF1A5-51A9-4F51-B38D-4CD0AD831B31}" /f >nul 2>&1
reg delete "HKCR\Interface\{BD31DF26-7178-41F4-88DD-F16B82D827CA}" /f >nul 2>&1
reg delete "HKCR\Interface\{A16650A9-B065-40EC-BBD1-F8D370D17FB1}" /f >nul 2>&1
reg delete "HKCR\Interface\{89D36231-6BD9-4E20-BBA0-FD28C3A83C40}" /f >nul 2>&1
reg delete "HKCR\Interface\{7FA8976F-D00C-4E98-8729-A66569233FB5}" /f >nul 2>&1
reg delete "HKCR\Interface\{72FEEB09-BB27-46D3-A06D-930D4D544227}" /f >nul 2>&1
reg delete "HKCR\Interface\{6C092742-10FE-4DB2-988D-FC71948DE70C}" /f >nul 2>&1
reg delete "HKCR\Interface\{2B0ECEAC-F597-4858-A542-D966B49055B9}" /f >nul 2>&1
reg delete "HKCR\CLSID\{F31A5D11-BF0B-4A4E-90AF-274F2090AAA6}" /f >nul 2>&1
reg delete "HKCR\CLSID\{CF1A5756-F372-463E-BC20-1D3D58F4B9AF}" /f >nul 2>&1
reg delete "HKCR\CLSID\{99410CDE-6F16-42ce-9D49-3807F78F0287}" /f >nul 2>&1
reg delete "HKCR\CLSID\{51CF80DC-A309-4735-BB11-EF18BF4E3AD9}" /f >nul 2>&1
reg delete "HKCR\CLSID\{0AC49246-419B-4EE0-8917-8818DAAD6A4E}" /f >nul 2>&1
reg delete "HKCR\ClientAX.ClientInstaller" /f >nul 2>&1
reg delete "HKCR\ClientAX.ClientInstaller.1" /f >nul 2>&1
reg delete "HKCR\ClientAX.RequiredComponent" /f >nul 2>&1
reg delete "HKCR\ClientAX.RequiredComponent.1" /f >nul 2>&1
reg delete "HKCR\ClientAX.ZangoClientAX" /f >nul 2>&1
reg delete "HKCR\ClientAX.ZangoClientAX.1" /f >nul 2>&1
reg delete "HKCR\ZbSrv.ZbCoreServices" /f >nul 2>&1
reg delete "HKCR\ZbSrv.ZbCoreServices.1" /f >nul 2>&1
reg delete "HKCR\Typelib\{5B6689B5-C2D4-4DC7-BFD1-24AC17E5FCDA}" /f >nul 2>&1
reg delete "HKCR\Typelib\{DC92EE2E-DF2D-4A80-A48B-17377C81CFC2}" /f >nul 2>&1
reg delete "HKCR\LMgr180.WMDRMAx" /f >nul 2>&1
reg delete "HKCR\LMgr180.WMDRMAx.1" /f >nul 2>&1
reg delete "HKCR\Interface\{F1F1E775-1B21-454D-8D38-7C16519969E5}" /f >nul 2>&1
reg delete "HKCR\Interface\{E43DFAA6-8C16-4519-B022-8792408505A4}" /f >nul 2>&1
reg delete "HKCR\Interface\{DDEA2E1D-8555-45E5-AF09-EC9AA4EA27AD}" /f >nul 2>&1
reg delete "HKCR\Interface\{BDDDF1A5-51A9-4F51-B38D-4CD0AD831B31}" /f >nul 2>&1
reg delete "HKCR\Interface\{BD31DF26-7178-41F4-88DD-F16B82D827CA}" /f >nul 2>&1
reg delete "HKCR\Interface\{A16650A9-B065-40EC-BBD1-F8D370D17FB1}" /f >nul 2>&1
reg delete "HKCR\Interface\{89D36231-6BD9-4E20-BBA0-FD28C3A83C40}" /f >nul 2>&1
reg delete "HKCR\Interface\{7FA8976F-D00C-4E98-8729-A66569233FB5}" /f >nul 2>&1
reg delete "HKCR\Interface\{72FEEB09-BB27-46D3-A06D-930D4D544227}" /f >nul 2>&1
reg delete "HKCR\Interface\{6C092742-10FE-4DB2-988D-FC71948DE70C}" /f >nul 2>&1
reg delete "HKCR\Interface\{2B0ECEAC-F597-4858-A542-D966B49055B9}" /f >nul 2>&1
reg delete "HKCR\CLSID\{F31A5D11-BF0B-4A4E-90AF-274F2090AAA6}" /f >nul 2>&1
reg delete "HKCR\CLSID\{CF1A5756-F372-463E-BC20-1D3D58F4B9AF}" /f >nul 2>&1
reg delete "HKCR\CLSID\{99410CDE-6F16-42ce-9D49-3807F78F0287}" /f >nul 2>&1
reg delete "HKCR\CLSID\{51CF80DC-A309-4735-BB11-EF18BF4E3AD9}" /f >nul 2>&1
reg delete "HKCR\CLSID\{0AC49246-419B-4EE0-8917-8818DAAD6A4E}" /f >nul 2>&1
reg delete "HKCR\ClientAX.ClientInstaller" /f >nul 2>&1
reg delete "HKCR\ClientAX.ClientInstaller.1" /f >nul 2>&1
reg delete "HKCR\ClientAX.RequiredComponent" /f >nul 2>&1
reg delete "HKCR\ClientAX.RequiredComponent.1" /f >nul 2>&1
reg delete "HKCR\ClientAX.ZangoClientAX" /f >nul 2>&1
reg delete "HKCR\ClientAX.ZangoClientAX.1" /f >nul 2>&1
echo    HKEY_CLASSES_ROOT - OK
reg delete "HKCU\Software\zanu" /f >nul 2>&1
reg delete "HKCU\SOFTWARE\ZangoToolbar" /f >nul 2>&1
reg delete "HKCU\SOFTWARE\zango" /f >nul 2>&1
reg delete "HKCU\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser" /v "{5CBE2611-C31B-401F-89BC-4CBB25E853D7}" /f >nul 2>&1
reg add "HKCU\Software\Microsoft\RAS Autodial\Control" /v "LoginSessionDisable" /t REG_DWORD /d 0 /f >nul 2>&1
echo    HKEY_CURRENT_USER - OK
echo.
echo All Done!
pause

I believe it would be much easier for the surfer to double-click a file and get rid of that Zango crap than to manually delete all
those registry entries and files.

The downside of this batch file is that it does not run under Win95/98/Me because some of the commands I've used are
only available under Win2k and later. I've tested this on Windows XP Pro with Service Pack 2 and it worked flawlessly.

If there's anybody out there who could test it on other OS's and let me know I would appreciate it.

Licker4U · 2006-10-26, 09:13 AM

Quote:

I believe it would be much easier for the surfer to double-click a file and get rid of that Zango crap than to manually delete all
those registry entries and files.

I agree. Not everyone is going to feel comfortable going into the guts of their computer and deleting files.

babymaker · 2006-10-26, 03:56 PM

Quote:

Originally Posted by Licker4U

I agree. Not everyone is going to feel comfortable going into the guts of their computer and deleting files.

i agree on that, you have to remember that these sufers are probably not that internet or computer savy, they voluntarily infected their computers with a "virus" spyware. Unfortunetly, these are also the people who still believe in $1 trial offers lol, and other things like that and probably convert 1:1 lol, so when people think well it's only 2.8% etc, maybe so, but it could be 80%+ of your 1:200 or so conversions.

virgohippy · 2006-10-27, 03:14 PM

Quote:

Originally Posted by babymaker

i agree on that, you have to remember that these sufers are probably not that internet or computer savy, they voluntarily infected their computers with a "virus" spyware. Unfortunetly, these are also the people who still believe in $1 trial offers lol, and other things like that and probably convert 1:1 lol, so when people think well it's only 2.8% etc, maybe so, but it could be 80%+ of your 1:200 or so conversions.

Good point, babymaker.

Now imagine how much trust a surfer would develop with a site if that site not only informs them of malicious software on their system, but helps them remove it too... and still gives them free porn samples.

babymaker · 2006-10-27, 03:27 PM

Quote:

Originally Posted by virgohippy

Good point, babymaker.

Now imagine how much trust a surfer would develop with a site if that site not only informs them of malicious software on their system, but helps them remove it too... and still gives them free porn samples.

True, but not by having them do it manually i dont think they will dare, we need a program for them to use, even if it deletes cookies, the cookies get replaced anyway, as soon as they click back to the site.

2006-10-26, 03:52 AM	#1
babymaker Someone Turn Off The Damn Heat! Join Date: Aug 2003 Location: The Sewer....err.philly i mean Posts: 1,366	well i applaud the effort and it's nice to see action taken I have to say if i was zango, i would just take a few keywords off the landing page and put a system wide ad to pop a spyware removal site or any porn site etc and grab all that traffic back.................... __________________ *Get ElevatedX W/Hosting 99MO!*