ClientMan Description:
ClientMan is a wide-ranging advertising
parasite. The various versions released may add
advertising links to web pages, open popup
adverts, and redirect search engine results,
address bar searches and error pages.
ClientMan/Helper is the earliest known
variant. It includes two IE Browser Helper
Objects - a 'browserhelper' and a 'trackurl' DLL,
used to add yellow advertising links to pages -
along with various other processes. It is not
detected by the script at this site, for tedious
technical reasons.
ClientMan/Tagger is a newer update that can be
loaded by browserhelper. The 'browserhelper' DLL
is replaced by a 'taggerbho' one, and there is a
new 'searchrep' DLL which redirects search engine
usage, plus new EXE files 'fixtitle' and 'getbuys'.
ClientMan/2in1 is the latest update. The
taggerbho is replaced with a '2in1' DLL; the
yellow links are no longer added to the page.
Instead, all address bar searches, unknown
domains and web server error pages are redirected
(currently to searchassistant.net) by the new 'dnsrep'
DLL, and pop-up adverts are opened at regular
intervals by the new 'urlcli' DLL. (At the time
of writing, these are spawned from
popupsponsor.com and popuptraffic.com, and are
closed immediately after opening, in order to con
affiliate fees from these companies.)
Additionally there are new 'gstylebho' and 'msvrfy'
DLLs.
ClientMan gathers a list of running processes
along with any user details it can get from:
- Outlook Express mail accounts
- Windows/MSN Messenger accounts
- AOL Instant Messenger (AIM) accounts
- ICQ accounts
- Yahoo Pager accounts
- Speedbit Download Accelerator software
registration
- Zone Alarm software registration
- Creative SoundBlaster software registration
- Windows dialling location
ClientMan has been observed sending unknown
data to its servers at ipend.datastorm.biz; it is
suspected this may be an encoded version of this
information.
ClientMan Manual Removal:
Open the registry (click 'Start', choose 'Run'
and enter 'regedit') and find the key
Software\Microsoft\Windows\CurrentVersion\Run,
inside HKEY_LOCAL_MACHINE (for ClientMan/Helper
and ClientMan/Tagger) or HKEY_CURRENT_USER (for
ClientMan/2in1). On the right, right-click the
entry 'ClientMan' or 'ClientMan1' and choose
'Delete'.
Now open the 'run' folder inside 'ClientMan'
in the Program Files folder, and note the names
of the DLLs. If you have the Helper variant, you
should see 'browserhelperX.dll' and 'trackurlX.dll',
where X is a random eight-digit hexadecimal
value. If you have the Tagger variant, you should
have 'taggerbhoX.dll', 'trackurlX.dll' and 'searchrepX.dll'.
In either variant, you may have further leftover
DLLs from previous updates.
Open a DOS command prompt window (from
Start->Programs->Accessories). Enter the
following commands in the DOS window, for the
Helper variant:
cd "%WinDir%\System"
regsvr32 /u "\Program Files\ClientMan\run\browserhelperX.dll"
regsvr32 /u "\Program Files\ClientMan\run\trackurlX.dll"
Or, for the Tagger variant:
cd "%WinDir%\System"
regsvr32 /u "\Program Files\ClientMan\run\taggerbhoX.dll"
regsvr32 /u "\Program Files\ClientMan\run\trackurlX.dll"
regsvr32 /u "\Program Files\ClientMan\run\searchrepX.dll"
Or, for the 2in1 variant:
cd "%WinDir%\System"
regsvr32 /u "\Program Files\ClientMan\run\urlcliX.dll"
regsvr32 /u "\Program Files\ClientMan\run\trackurlX.dll"
regsvr32 /u "\Program Files\ClientMan\run\searchrepX.dll"
regsvr32 /u "\Program Files\ClientMan\run\msvrfyX.dll"
regsvr32 /u "\Program Files\ClientMan\run\gstylebhoX.dll"
regsvr32 /u "\Program Files\ClientMan\run\dnsrepX.dll"
regsvr32 /u "\Program Files\ClientMan\run\2in1X.dll"
Replace the 'X' in these commands with the
random letters and numbers you see in the
filenames in the folder view. If there's more
than one file with the same name but a different
set of numbers, you can use either; it doesn't
matter. Tip: if you drag the DLL file from the
folder view into the DOS command prompt window,
it will put the filename in for you, so you don't
have to type it out.
Users of non-English versions of Windows may
also need to replace the name 'Program Files'
with the name of the Program Files folder on
their operating system. Tip: if you drag the file
in question into the DOS command prompt window,
its full name will be inserted for you. Remember
to include the space after '/u' before dragging
in a file if you do this.
Now restart the computer and you should be
able to delete the entire 'ClientMan' folder
inside Program Files. You can also delete the 'words.lst'
file inside the Windows folder and the 'cachelut.dat'
file which you may find inside the Windows folder
or inside the Internet Explorer folder in Program
Files. Finally, to clean up, you can delete the
registry keys 'HKEY_CURRENT_USER\Software\CliMan'
and 'HKEY_CURRENT_USER\Software\iPend', if you
wish.
There may be an entry in the Control Panel's
Add/Remove Programs list for 'mscman'. Try
selecting this and clicking 'Remove' if it is
there.
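
The DLL-matching step above can be scripted. This is an added example, not part of the original instructions: it takes a listing of the 'run' folder, recognises the component names and eight-digit hexadecimal suffixes described above, and builds the matching regsvr32 /u commands. The function name, the sample listing and the rule that the newest marker DLL decides the variant are assumptions made for the example.

```python
import re

# Component names taken from the per-variant command lists on this page.
COMPONENTS = ("browserhelper", "trackurl", "taggerbho", "searchrep",
              "urlcli", "msvrfy", "gstylebho", "dnsrep", "2in1")
# Component name + eight hexadecimal digits + ".dll"
DLL_RE = re.compile(r"^(%s)([0-9a-f]{8})\.dll$" % "|".join(COMPONENTS),
                    re.IGNORECASE)
# Assumption: the newest marker DLL present decides the variant, because
# older DLLs can be left behind by previous updates.
VARIANT_MARKERS = (("2in1", "2in1"), ("taggerbho", "Tagger"),
                   ("browserhelper", "Helper"))


def plan_unregister(filenames, run_dir=r"\Program Files\ClientMan\run"):
    """Return (variant, commands, unrecognised) for a 'run' folder listing."""
    found, unrecognised = {}, []
    for name in sorted(filenames):
        match = DLL_RE.match(name)
        if match:
            found.setdefault(match.group(1).lower(), []).append(name)
        else:
            unrecognised.append(name)  # left for manual review, never guessed at
    variant = next((label for marker, label in VARIANT_MARKERS
                    if marker in found), None)
    commands = ['cd "%WinDir%\\System"'] if found else []
    for component in COMPONENTS:
        if component in found:
            # Any one copy of a duplicated name will do, so take the first.
            # Leftover components from older variants are unregistered too.
            commands.append('regsvr32 /u "%s\\%s"' % (run_dir, found[component][0]))
    return variant, commands, unrecognised


# Constructed sample listing: a Tagger install with a leftover Helper DLL,
# a duplicated trackurl DLL and one unrelated file.
SAMPLE = ["taggerbho0a1b2c3d.dll", "trackurl0a1b2c3d.dll",
          "trackurl9f8e7d6c.dll", "searchrep0a1b2c3d.dll",
          "browserhelper11223344.dll", "readme.txt"]

if __name__ == "__main__":
    variant, commands, unrecognised = plan_unregister(SAMPLE)
    print("Variant:", variant)
    print("\n".join(commands))
    print("Not recognised:", unrecognised)
```

On a non-English version of Windows, pass the real folder path as run_dir in place of the default.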