Adware.Zango.AV

MEDIUM
LOW
approx. 300K
(180Solutions, 180SearchAssistant, Zango)

Symptoms

A traybar icon is visible, a toolbar appears in Internet Explorer, pop-ups appear when browsing.

Removal instructions:

Please let BitDefender disinfect your files.

Analyzed By

Dan Anton, virus researcher

Technical Description:

Adware.Zango is a potentially unwanted application with adware capabilities that runs in the background, monitors user search queries and displays ads based on them. It also installs a toolbar in Internet Explorer that changes the browser's interface and displays links related to user searches.

The application does, however, come with an EULA (license agreement) that explicitly specifies the software’s behavior; therefore, once the user agrees to it, Zango cannot be held responsible for this software.

When installed, Adware.Zango performs the following actions:

1. Creates its install folder with one of the following names:

%program-files%\Zango
%program-files%\Seekmo

2. Creates the following files in the install dir:

\bin\[version nr]\CoreSrv.dll
\bin\[version nr]\HostIE.dll
\bin\[version nr]\HostOE.dll
\bin\[version nr]\HostOL.dll
\bin\[version nr]\InstIE.dll
\bin\[version nr]\OEAddOn.exe
\bin\[version nr]\Srv.exe
\bin\[version nr]\Toolbar.dll
\bin\[version nr]\Wallpaper.dll
\bin\[version nr]\[install-name]SA.exe
\bin\[version nr]\[install-name]SAAX.dll
\bin\[version nr]\[install-name]SADF.exe
\bin\[version nr]\[install-name]SAHook.dll
\bin\[version nr]\[install-name]UnInstaller.exe
\bin\[version nr]\arrow.ico
\bin\[version nr]\copyright.txt
\bin\[version nr]\dBenderC.dll
\bin\[version nr]\firefox\extensions\components\npclntax.xpt
\bin\[version nr]\firefox\extensions\install.rdf
\bin\[version nr]\firefox\extensions\plugins\npclntax_[install-name]SA.dll

3. Adds the following values:

“[install-name]OE” = “%program-files%\[install-name]\bin\[version-nr]\oeaddon.exe”
“[install-name]SA” = “%program-files%\[install-name]\bin\[version-nr]\[install-name]sa.exe”

to the registry subkey:

“HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run”

4. Adds:

“[install-name]” = “%program-files%\[install-name]\bin\[version-nr]\hostie.dll”

as a CLSID to the registry subkeys:

“HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects”
“HKLM\Software\Microsoft\Internet Explorer\Toolbar”

5. Adds the following registry subkeys:

“HKCU\Software\[install-name]”
“HKCU\Software\[install-name]SA”
“HKLM\Software\[install-name]”
“HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\[install-name]”
“HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\[install-name]SA”

where:
[install-name] is either “Zango” or “Seekmo”.
%program-files% refers to the Program Files folder (default is: C:\Program Files).
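
The artifacts from steps 1 and 3 to 5 can be checked on a host with a read-only PowerShell script. This is an added example, not part of the original Bitdefender write-up. It assumes that the "Program Files (x86)" folder is also worth checking on 64-bit systems and that the Browser Helper Object and Toolbar entries are CLSIDs whose DLL path is recorded in the standard COM `InprocServer32` registration.

```powershell
# Added example: read-only check for the Adware.Zango artifacts listed above.
$names    = 'Zango', 'Seekmo'            # the two [install-name] values from the write-up
$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding($kind, $item) {
    $findings.Add([pscustomobject]@{ Kind = $kind; Item = $item })
}

# Step 1: install folders. The (x86) root is an assumption for 64-bit hosts.
$roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ } | Select-Object -Unique
foreach ($root in $roots) {
    foreach ($n in $names) {
        $dir = Join-Path $root $n
        if (Test-Path -LiteralPath $dir) { Add-Finding 'InstallFolder' $dir }
    }
}

# Step 3: Run values named [install-name]OE and [install-name]SA.
$run = Get-ItemProperty -LiteralPath 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue
foreach ($n in $names) {
    foreach ($suffix in 'OE', 'SA') {
        $value = $run."$n$suffix"
        if ($value) { Add-Finding 'RunValue' "$n$suffix = $value" }
    }
}

# Step 4: collect CLSIDs from the BHO subkeys and the Toolbar value names, then
# resolve each to its DLL (assumed to be registered under InprocServer32).
$bho     = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
$toolbar = 'HKLM:\Software\Microsoft\Internet Explorer\Toolbar'
$clsids  = @(Get-ChildItem -LiteralPath $bho -ErrorAction SilentlyContinue | ForEach-Object { $_.PSChildName })
$tbKey   = Get-Item -LiteralPath $toolbar -ErrorAction SilentlyContinue
if ($tbKey) { $clsids += $tbKey.GetValueNames() }
foreach ($clsid in ($clsids | Where-Object { $_ -like '{*}' } | Select-Object -Unique)) {
    $srv = Get-ItemProperty -LiteralPath "HKLM:\Software\Classes\CLSID\$clsid\InprocServer32" -ErrorAction SilentlyContinue
    $dll = $srv.'(default)'
    if ($dll -match '\\(Zango|Seekmo)\\bin\\') { Add-Finding 'BrowserAddOn' "$clsid -> $dll" }
}

# Step 5: product and uninstall subkeys.
foreach ($n in $names) {
    $keys = "HKCU:\Software\$n", "HKCU:\Software\${n}SA", "HKLM:\Software\$n",
            "HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\$n",
            "HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\${n}SA"
    foreach ($k in $keys) { if (Test-Path -LiteralPath $k) { Add-Finding 'RegistryKey' $k } }
}

$findings | Format-Table -AutoSize
```

An empty table means none of the listed artifacts were found for the current user and machine hives; the HKCU checks only cover the account running the script.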