ClientMan


Overview

Summary:

Opens popups. Crashes IE randomly. Seems to add itself to the Norton Firewall allow list. Tries to read your name from registry values such as RealName and Settings (under \Software\Microsoft\Internet Account Manager\Accounts\), SMTP Display Name, InstallUser, BusinessTitle, JobTitle and vCard (see Privacy Issues below for the full list). Various versions will redirect (hijack) search engine results, searches from your address bar, and even error pages. Some versions add advertising links to web pages and display popup ads.

Alias:

Adware/Madfinder [Panda], Backdoor/Armageddon.20!Server [Computer Associates], iPend, SearchFu/123Search, Spyware/ClientMan [Panda], Trj/Small.AQ [Panda], Trojan Horse [Panda], Trojan.Win32.Small.i [Kaspersky], TrojanNotifier.Win32.EES.a [Kaspersky], Win32.Madfind.A [Computer Associates], Win32.Siboco.B [Computer Associates], Win32/MadFind!Trojan [Computer Associates], Win32/MadFind.BH!Trojan [Computer Associates], Win32/Siboco.B!Trojan [Computer Associates]

See Also:

FavoriteMan · Grokster

Category:

Browser Helper Object (BHO): A component that Internet Explorer loads whenever it starts. It shares IE's memory context and can perform any action on the available windows and modules: a BHO can detect events, create windows to display additional information on a viewed page, and monitor messages and actions. Microsoft calls it "a spy we send to infiltrate the browser's land." BHOs are not stopped by personal firewalls, because the firewall sees them as your browser itself. Some exploits of this technology search all pages you view in IE and replace banner advertisements with other ads. Some monitor and report on your actions. Some change your home page.

Backdoor: A secret or undocumented means of getting into a computer system, or software that uses such a means to penetrate a system. Some software has a backdoor placed by the programmer to allow them to gain access to troubleshoot or change the program. Software that is classified as a "backdoor" is designed to exploit a vulnerability in a system, and open it to future access by an attacker.

Notifier: Any tool designed for stealth notification of an attacker that a victim has installed and run some pest. Such notification might be done by FTP, SMS, SMTP, or other method, and might contain a variety of information. Often used in combination with a Packer, a Binder and a Downloader.

Trojan: Any program with a hidden intent. Trojans are one of the leading causes of break-ins to machines. If you pull down a program from a chat room, newsgroup, or even from unsolicited e-mail, then the program is likely trojaned with some subversive purpose. The word Trojan can be used as a verb: to trojan a program is to add subversive functionality to an existing program. For example, a trojaned login program might be programmed to accept a certain password for any user's account, which the hacker can then use to log back into the system at any time. Rootkits often contain a suite of such trojaned programs.

Variants:

  • ClientMan.2in1
  • ClientMan.b99
  • ClientMan.bho1
  • ClientMan.bho2
  • ClientMan.DNSRep
  • ClientMan.Helper
  • ClientMan.MSMC
  • ClientMan.Tagger
  • ClientMan/2in1: Current version. Files include 2in1.dll, dnsrep.dll, urlcli.dll, msvrfy.dll, gstylebho.dll.
  • ClientMan/Helper: The first version. Includes two Browser Helper Objects. Adds yellow advertising links to pages.
  • ClientMan/Tagger: Second version. Files include taggerbho.dll, fixtitle.exe, getbuys.exe.

Similar Pests:

Browser Helper Object · Backdoor · Notifier · Trojan

Origins

Group:

Odysseus Marketing

Vendor:

Odysseus Marketing, Inc. Associated with Interchange Corporation, 24422 Avenida de la Carlota, Suite 120, Laguna Hills, CA 92653. Toll Free: (877) 784-0805 Fax: (949) 784-0880

By This Group:

ClientMan.2in1

Mailing Address:

8721 Santa Monica Blvd, #409, Los Angeles, California 90069-4507

Phone:

Voice: (213) 947-1271 Fax: (213) 947-1271

URL:

http://www.odysseusmarketing.com

Date of Origin:

Variants from August, 2001 to February, 2005

Distribution

Distribution:

May be installed by FavoriteMan, Grokster.

Prevalence:

  • ClientMan: 0.0%
  • ClientMan.bho1: < 0.00005%
  • ClientMan.MSMC: < 0.00005%

Clot Factor:

  • ClientMan: 12

The "Clot Factor" is a measure of how much a pest "gums up" a machine by adding registry entries, files, and directories. As more objects are placed in a machine, manual removal becomes more difficult and more error-prone.

Growth:

  • ClientMan: Insufficient data to report growth
  • ClientMan.MSMC: Insufficient data to report growth

Operation

Advertising:

Yes. Turns all targeted words in all web pages into links with a yellow background, pointing to ClientMan's server odysseusmarketing.com. This may redirect to a search results site such as 1stblaze.com or epilot.com.

Periodically opens pop-up advertising from odysseusmarketing.com, which may redirect to popupmarketing.com.

ClientMan/Tagger redirects use of known search engines (at the time of writing, Google and Yahoo only) to firstbookmark.com; the address bar will still show the address of the original search engine, but the content of the page will be overwritten with results from firstbookmark.com (which are currently sourced from 123search.com).

"User hereby gives authorization and permission for marketing offers and solicitations to be sent from Odysseus Marketing Inc or any of it's authorized partners via any methods deemed acceptable in Odysseus Marketing, Inc.'s sole discretion, including but not limited to web browser, email, instant messaging applications, or via proprietary delivery methods to user's system or desktop." -- http://www.odysseusmarketing.com/tnc.htm

Storage Required:

  • ClientMan: at least 6393 KB
  • ClientMan.2in1: at least 105 KB
  • ClientMan.DNSRep: at least 93 KB
  • ClientMan.MSMC: at least 65 KB

Browser Performance:

Likely to slow performance of Internet Explorer.

Risks

Privacy Issues:

ClientMan gathers a list of running processes. It also tries to read the following registry values:

  • RealName, Settings from \Software\Microsoft\Internet Account Manager\Accounts\
  • SMTP Display Name, InstallUser, BusinessTitle, JobTitle, vCard from \Software\Speedbit\Download Accelerator\
  • RegisteredOwner, DefCompany, InstallCompany from \Software\Zone Labs\ZoneAlarm\Registration and \Software\SBInfo\User\
  • RegisteredOrganisation from \Software\Microsoft\MessengerService (or MSNMessenger)\ListCache\.NET Messenger Service
  • IdentityName from \Software\Mirabilis\ICQ\Owners\
  • LastOwner, Name from \Software\Yahoo\Pager\
  • Yahoo! User ID from \Software\America Online\AOL Instant Messenger (TM)
  • your name from \CurrentVersion\Users\ and \Software\Symantec\Shared Technology\Volatile Storage\Member Profile\vCard\Home (or Business) and \Software\Microsoft\Windows\CurrentVersion\Telephony\Locations\Location0\

ClientMan has been observed sending unknown data to its servers at ipend.datastorm.biz.

"III -The user understands and agrees that the application may or may not render them anonymous, untraceable or invisible at any given time, and acknowledge and agree that Odysseus Marketing shall in no way be liable or responsible for any actions of the user, and agree to hold harmless Odysseus Marketing, Inc from any resulting actions, including but not limited to legal actions, by any third parties.

V -The user understands and acknowledges that the application and associated components may communicate from time to time with Odysseus Marketing, Inc server systems and/or that of its partners, and gives express permission for said communications and data transmissions of any and all types used by the application and any associated components.

VI -The user understands, acknowledges and agrees that the application and associated components may alter Internet browsing and/or computer user experiences in a manner acceptable to Odysseus Marketing Inc, in its sole discretion, including but not limited to, search engine query results, display of pop-up window messages, highlighting and hyperlinking of words on web pages, redirection of error message pages, changing of user home page, addition of bookmarks to user's browser, and/or other alterations/modifications.

VII -The user understands, acknowledges, and gives express permission for the application and/or associated components to collect personal information, including, but not limited to, name, demographic data, interests, profession, education, marital status, sex, age, income, and any other information Odysseus Marketing, Inc. decides to collect regarding user, at its sole discretion.

VIII -The user understands, acknowledges, and gives express permission for the application and/or associated components to collect information and data regarding Internet activity, including web sites visited, search queries conducted, applications installed and used, files present on user's hard drive or system, transactions conducted, and any other behavioral data deemed necessary by Odysseus marketing, Inc in its sole discretion.

IX -User understands, acknowledges, and gives express permission for the use of any data collected by Odysseus Marketing Inc. as it sees fit, including the sharing, rental, or sale of any of said data or any portion thereof to any entity at the sole discretion of Odysseus Marketing, Inc. User expressly indemnifies and holds harmless Odysseus Marketing Inc. from any liability or consequence arising out of the possession, use, sale, or transfer of said data, and grants the ownership of any said collected data to Odysseus Marketing, Inc, including the rights to transfer ownership to another entity at any time for any reason. User understands and acknowledges that the permission granted for collection and use of data is irrevocable and survives any removal of the application and associated components." -- http://www.odysseusmarketing.com/tnc.htm

Privacy Policy:

http://www.odysseusmarketing.com/tnc.htm

Security Issues:

Yes. As part of its "updates" feature, ClientMan can quietly download and run arbitrary unsigned code from its controlling server. According to one source, ClientMan "appears to be able to change settings on older versions of the popular free ZoneAlarm firewall program without user consent. When ClientMan tries to connect to the Internet, ZoneAlarm flashes a warning and asks the user to confirm whether the program should be allowed to connect or not. Instead of waiting for user approval, ClientMan clicks the Yes button and checks the Always checkbox. Now ClientMan has permission to access the network whenever it chooses."

"XI -User hereby understands and gives permission for application and/or any associated components to alter applications, files, and/or data so as to display information and/or marketing messages, including but not limited to file sharing applications, media viewers, and/or player applications.

XII -User hereby understand, acknowledges, and gives express permission for application and/or associated components to disable or delete applications and/or files deemed unfriendly or harmful to Odysseus Marketing, Inc or any of its partners in Odysseus Marketing Inc.'s sole discretion without notice to the user, and may auto-reinstall application and/or any associated components, unless approved auto-uninstall application is used." -- http://www.odysseusmarketing.com/tnc.htm

Stability Issues:

Yes. All variants appear to be poorly written, and can cause crashes and hangs of Internet Explorer at random moments.

Detection and Removal

Automatic Removal:

PestPatrol detects this.

PestPatrol removes this.

Manual Removal:

If there is an entry for mscman in the Control Panel's Add/Remove Programs list, use it to remove ClientMan.

If that fails, to remove ClientMan, do the following:

1. Right-click the remcli.exe link and choose "Save Target As.." from the context menu. Save the file anywhere on your hard drive as remcli.exe.
2. Close all copies of Internet Explorer and other applications.
3. Find remcli.exe (the file you just saved) and double-click it to run it. (If you saved it as remcli.ex, it will not run. Rename it to remcli.exe and then run it.)
4. Immediately reboot your PC.
5. Once you have rebooted, immediately use Windows Explorer or look under "My Computer" and find C:\Program Files\ClientMan\
6. Delete the directory C:\Program Files\ClientMan\.

If that fails, you will find that the developers of ClientMan have gone out of their way to make automated removal difficult. In the directory \program files\clientman\ or \program files\clientman\run\ you will have some randomly named DLLs, such as browserhelperX.dll, trackurlX.dll, or searchrepX.dll, where X is a random eight-digit hexadecimal value.

You will need to unregister each of these DLLs before removing them, by running

    regsvr32 /u x

where x is the name of each DLL you have found.

Remove these registry entries if found:

HKEY_CLASSES_ROOT\clsid\{00a0a40c-f432-4c59-ba11-b25d142c7ab7}
HKEY_CLASSES_ROOT\clsid\{166348f1-2c41-4c9f-86bb-eb2b8ade030c}
HKEY_CLASSES_ROOT\clsid\{25f7fa20-3fc3-11d7-b487-00d05990014c}
HKEY_CLASSES_ROOT\clsid\{96be1d9a-9e54-4344-a27a-37c088d64fb4}
HKEY_CLASSES_ROOT\clsid\{a097840a-61f8-4b89-8693-f68f641cc838}
HKEY_CLASSES_ROOT\clsid\{cc916b4b-be44-4026-a19d-8c74bbd23361}
HKEY_CLASSES_ROOT\clsid\{f76fda04-87fa-4717-91f6-4bb5be9fd2bb}
HKEY_CLASSES_ROOT\clsid\{fcaddc14-bd46-408a-9842-cdbe1c6d37eb}
HKEY_CURRENT_USER\software\climan
HKEY_CURRENT_USER\software\ipend
HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runclientman1
HKEY_LOCAL_MACHINE\bjects\{00a0a40c-f432-4c59-ba11-b25d142c7ab7}
HKEY_LOCAL_MACHINE\bjects\{166348f1-2c41-4c9f-86bb-eb2b8ade030c}
HKEY_LOCAL_MACHINE\bjects\{25f7fa20-3fc3-11d7-b487-00d05990014c}
HKEY_LOCAL_MACHINE\bjects\{96be1d9a-9e54-4344-a27a-37c088d64fb4}
HKEY_LOCAL_MACHINE\bjects\{a097840a-61f8-4b89-8693-f68f641cc838}
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runclientman
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runclientman1

Remove AutoRun Reference:

Go to the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run (and the corresponding Run key under HKEY_CURRENT_USER).
If you find the value HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\clientman, delete it and reboot the machine immediately.
If you find the value HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\clientman1, delete it and reboot the machine immediately.
If you find the value HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\clientman, delete it and reboot the machine immediately.
If you find the value HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\clientman1, delete it and reboot the machine immediately.
If you find the value HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\msmc, delete it and reboot the machine immediately.
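The manual steps above amount to a checklist of indicators: BHO CLSIDs, Run values, two HKCU keys, an install directory and a DLL naming pattern. The following script is an added example, not code from the original page or from PestPatrol, that audits a Windows host for exactly those indicators and prints what it finds without deleting anything. The CLSIDs, value names, keys, directory and DLL name patterns are taken from this page; the Browser Helper Objects registry key is the standard registration point for IE BHOs, and it is an assumption that the truncated "\bjects\" entries above refer to it. Because it enumerates every registered BHO and resolves each CLSID to its DLL, it also shows how a BHO that the page describes as invisible to a personal firewall becomes visible from the registry.

```powershell
# Added example (not part of the original PestPatrol page): read-only audit for
# the ClientMan indicators listed in the removal steps. Reports only; deletes nothing.
# Run from an elevated PowerShell prompt so HKLM and Program Files are readable.

# CLSIDs, Run value names, HKCU keys and install paths as given on the page.
$ClientManClsids = @(
    '{00a0a40c-f432-4c59-ba11-b25d142c7ab7}', '{166348f1-2c41-4c9f-86bb-eb2b8ade030c}',
    '{25f7fa20-3fc3-11d7-b487-00d05990014c}', '{96be1d9a-9e54-4344-a27a-37c088d64fb4}',
    '{a097840a-61f8-4b89-8693-f68f641cc838}', '{cc916b4b-be44-4026-a19d-8c74bbd23361}',
    '{f76fda04-87fa-4717-91f6-4bb5be9fd2bb}', '{fcaddc14-bd46-408a-9842-cdbe1c6d37eb}'
)
$RunValueNames = @('clientman', 'clientman1', 'msmc')
$RunKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)
$ConfigKeys = @('HKCU:\Software\climan', 'HKCU:\Software\ipend')
# Standard IE BHO registration key (assumption: the page's "\bjects\" entries are this key).
$BhoKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
$InstallDirs = @("$env:ProgramFiles\ClientMan", "$env:ProgramFiles\ClientMan\run")
# browserhelperX.dll, trackurlX.dll, searchrepX.dll with X = eight hex digits.
$DllPattern = '^(browserhelper|trackurl|searchrep)[0-9a-f]{8}\.dll$'

$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding([string]$Type, [string]$Location, [string]$Detail, [bool]$Suspect) {
    $findings.Add([pscustomobject]@{ Type = $Type; Location = $Location; Detail = $Detail; Suspect = $Suspect })
}

# 1. Every registered BHO, resolved to the DLL IE will load for it. Flagged when
#    the CLSID is on the ClientMan list or the DLL sits under the ClientMan
#    directory; all others are listed too so an analyst can review them.
if (Test-Path $BhoKey) {
    foreach ($sub in Get-ChildItem $BhoKey) {
        $clsid = $sub.PSChildName.ToLower()
        $dll = $null
        $inproc = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
        if (Test-Path $inproc) { $dll = (Get-ItemProperty $inproc).'(default)' }
        $suspect = ($ClientManClsids -contains $clsid) -or ($dll -and $dll -like '*\ClientMan\*')
        Add-Finding 'BHO' "$BhoKey\$clsid" $dll $suspect
    }
}

# 2. The Run values named in the removal steps, in both HKLM and HKCU.
foreach ($key in $RunKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty $key
    foreach ($name in $RunValueNames) {
        if ($props.PSObject.Properties.Name -contains $name) {
            Add-Finding 'Run' "$key\$name" $props.$name $true
        }
    }
}

# 3. Leftover CLSID registrations and the two HKCU configuration keys.
foreach ($clsid in $ClientManClsids) {
    $k = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid"
    if (Test-Path $k) { Add-Finding 'CLSID' $k $null $true }
}
foreach ($k in $ConfigKeys) {
    if (Test-Path $k) { Add-Finding 'Key' $k $null $true }
}

# 4. The install directory and the randomly named DLLs it may contain.
foreach ($dir in $InstallDirs) {
    if (-not (Test-Path $dir)) { continue }
    Add-Finding 'Dir' $dir $null $true
    foreach ($f in Get-ChildItem $dir -Filter *.dll) {
        Add-Finding 'File' $f.FullName ('{0} bytes' -f $f.Length) ($f.Name -match $DllPattern)
    }
}

# Suspect entries first; everything else follows for manual review.
$findings | Sort-Object Suspect -Descending | Format-Table -AutoSize
```

Rows marked Suspect=True correspond one-to-one to the removal steps on this page: BHO and File rows give the DLL paths to pass to regsvr32 /u before deletion, Run and CLSID rows give the registry items to remove with RegEdit. The BHO rows with Suspect=False are a useful by-product: the same enumeration lists any other browser helper object on the machine, which is the first thing to check for the class of pest described under Category above.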

Research
Research By:

  • Andrew Clover
  • PestPatrol's Pest Research Center

Last Revised:

April 15, 2005