Rixstep

Mostly Virus-Free

More and more Windows users agree that OS X is 'mostly' virus-free.


WASHINGTON, DC (Associated Press) - Government regulators are trying to shut down a company they say secretly downloaded spyware onto the computers of unwitting Internet users, rendering them helpless to a flood of popup ads, computer crashes, and other annoyances.

The Federal Trade Commission has asked a U.S. District Court judge to halt an operation that secretly installed spyware and adware that could not be uninstalled by the consumers whose computers it infected. The defendants used the lure of free software they claimed would make peer-to-peer file sharing anonymous. The agency alleges the stealthy downloads violate federal law and asked the court to order a permanent halt to them.

According to the complaint filed by the FTC, Odysseus Marketing and its principal, Walter Rines, advertised software they claimed would allow consumers to engage in peer-to-peer file sharing anonymously. With claims like 'DOWNLOAD MUSIC WITHOUT FEAR', and 'DON'T LET THE RECORD COMPANIES WIN', the defendants encouraged consumers to download their free software.

The agency charges that the claims are bogus.

First, the software does not make file-sharing anonymous.

Second, the cost to consumers is considerable because the 'free' software is bundled with spyware called Clientman that secretly downloads dozens of other software programs, degrading consumers' computer performance and memory.

Among other things, this accumulated software replaces or reformats search engine results. For example, consumers who downloaded the spyware may try to conduct a Google or Yahoo! search. Their screens will reveal a page that appears to be the Google or Yahoo! search engine result, but the page is a copy-cat site, and the order of the search results is rigged to place the defendants' clients first.

The bundled software programs also generate popup ads and capture and transmit information from the consumers' computers to servers controlled by the defendants.

The FTC alleges that the defendants deliberately make their software difficult to detect and impossible to remove using standard software utilities. Although the defendants purport to offer their own 'uninstall' tool, it does not work. In fact, it installs additional software, according to the FTC's complaint.

The FTC charges that the practices of Odysseus Marketing and Walter Rines are unfair and deceptive and violate the FTC Act. The agency will seek a permanent halt to the practices.

The defendants are based in Stratham, New Hampshire.

The Commission vote to authorize staff to file the complaint was 4-0. The complaint was filed in the U.S. District Court for the District of New Hampshire.

Part Two: Links

Federal Trade Commission, Plaintiff, v. Odysseus Marketing, Inc., and Walter Rines, Defendants. United States District Court, District of New Hampshire. FTC File No. 042 3205

Wired: Spyware Purveyor in Cross Hairs
The Register: FTC clamps down on spyware firm
PC Pro: FTC cracks down on alleged spyware merchant
Boston Globe: Regulators: N.H. firm's business is spyware
PC World: FTC Seeks to Halt Alleged Spyware Site
eWEEK: FTC Targets Illegal Spyware Operation
Boston Herald: Feds hit N.H. co. on spyware
FOX News: Feds Take on Company Facing Spyware Allegations
ZD Net: FTC files case against alleged spyware pusher | Spyware Confidential

Part Three: Odysseus Marketing - Uninstaller

<http://www.odysseusmarketing.com/uninstall/>
<!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 4.01 Transitional//EN'>
<html>
<head>
<title>Odysseus Marketing - Uninstaller</title>
<meta http-equiv='Content-Type' content='text/html; charset=iso-8859-1'>
</head>
<body>
Welcome to the uninstall page for clientman.<br/>
Instructions are as follows</br>
<UL>
<LI>1) Exit all instances of Internet Explorer and Windows Explorer other than
this one.
<LI>2) Hit the Go button on this page.
<LI>3) Allow the uninstall program to be loaded on your computer it will occur
automatically. Should any dialog boxes appear, be sure to hit 'ok' or 'yes'
otherwise nothing will be uninstalled.
<LI>4) When the uninstall is complete, you will be prompted with a message box
to reboot your machine.
</UL>
<strong>Cookies must be enabled for this process to work properly. </strong>
<UL>
<LI>1) select Tools -> Internet options from the IE window
<LI>2) click the privacy tab
<LI>3) adjust the vertical slider bar to read 'accept all cookies'
</UL>
<form action='download.php' method='post'>
<input type='submit' value='Go!'>
</form>
</body>
</html>

Part Four: Cookies.plist

<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE plist PUBLIC '-//Apple Computer//DTD PLIST 1.0//EN' 'http://www.apple.com/DTDs/PropertyList-1.0.dtd'>
<plist version='1.0'>
<array>
    <dict>
        <key>Domain</key>
        <string>www.odysseusmarketing.com</string>
        <key>Expires</key>
        <date>2005-10-07T12:41:02Z</date>
        <key>Name</key>
        <string>check</string>
        <key>Path</key>
        <string>/uninstall</string>
        <key>Value</key>
        <string>enabled</string>
    </dict>
    <dict>
        <key>Domain</key>
        <string>www.odysseusmarketing.com</string>
        <key>Expires</key>
        <date>2005-10-07T12:41:06Z</date>
        <key>Name</key>
        <string>cc</string>
        <key>Path</key>
        <string>/uninstall</string>
        <key>Value</key>
        <string>156fc08d7ef017aa9953e370728e925cf52ce705149ac3314</string>
    </dict>
</array>
</plist>

Part Five: Uninstall Download

<html>
<head>
<title>Odysseus Marketing - Uninstaller</title>
<meta http-equiv='Content-Type' content='text/html; charset=iso-8859-1'>
<META HTTP-EQUIV='Refresh' CONTENT='2; URL=uninstall.exe'>
</head>
<body>
<div align='center'>The download of the uninstallation program should start within
a few seconds.<br/>
A dialog box will appear, be sure to click 'Open', otherwise nothing will be
uninstalled 1</div>
</body>
</html>

Part Six: uninstall.exe.xstrings

000000000000004d !This program cannot be run in DOS mode.
00000000000000d7 3Rich
00000000000001e0 .text
0000000000000208 .rdata
0000000000000230 .data
0000000000000258 .rsrc
000000000001043e kernel32.dll
000000000001044b user32.dll
0000000000010458 GetModuleHandleA
000000000001046b MessageBoxA

  • 68096 bytes.
  • 32-bit Windows program.
  • No compression signature.
  • Four sections, two dependencies.
  • No apparent dynamic dependencies.
  • Made with Visual Studio 6.0 or later.
  • Program issues a single message box.
  • Calls are in ASCII rather than Unicode.
  • Program looks for a single module handle.
  • No embedded disk or Registry based paths.
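The bullet points above can be derived mechanically from the strings listing. The following is an added example, not part of the original page or any Rixstep tool: it parses the listing shown in Part Six and reports the same observations. The packer section names and the run-time loader API set are assumptions chosen for illustration, and the checks are heuristics over strings, not a PE parser.

```python
import re

# Listing copied from Part Six of the page: 16-digit hex offset, space, string.
XSTRINGS = """\
000000000000004d !This program cannot be run in DOS mode.
00000000000000d7 3Rich
00000000000001e0 .text
0000000000000208 .rdata
0000000000000230 .data
0000000000000258 .rsrc
000000000001043e kernel32.dll
000000000001044b user32.dll
0000000000010458 GetModuleHandleA
000000000001046b MessageBoxA
"""

LINE = re.compile(r"^([0-9a-fA-F]{16}) (.*)$")
SECTION = re.compile(r"^\.[a-z]{1,7}$")                 # PE section names are at most 8 bytes
DLL = re.compile(r"^[\w.-]+\.dll$", re.I)
API = re.compile(r"^[A-Z][a-z]+(?:[A-Z][a-z0-9]*)+$")   # CamelCase Win32 export names
PATH = re.compile(r"[A-Za-z]:\\|^HKEY_|^Software\\", re.I)
# Assumption: a small illustrative set of packer section names, not exhaustive.
PACKER_MARKS = {"UPX0", "UPX1", ".aspack"}
# Assumption: APIs that load further modules at run time, outside the import table.
LOADERS = {"LoadLibraryA", "LoadLibraryW", "LoadLibraryExA",
           "LoadLibraryExW", "GetProcAddress"}


def parse(listing):
    """Return [(offset, text)] for well-formed lines; anything else is skipped."""
    entries = []
    for line in listing.splitlines():
        m = LINE.match(line)
        if m:
            entries.append((int(m.group(1), 16), m.group(2)))
    return entries


def triage(listing):
    """Summarise what the strings alone say about the binary."""
    texts = [text for _, text in parse(listing)]
    apis = [t for t in texts if API.match(t)]
    suffixes = {a[-1] for a in apis if a[-1] in "AW"}   # ...A = ANSI, ...W = wide
    if suffixes == {"A"}:
        charset = "ANSI"
    elif suffixes == {"W"}:
        charset = "wide"
    else:
        charset = "mixed or unknown"
    return {
        "pe_dos_stub": any("cannot be run in DOS mode" in t for t in texts),
        "rich_header": any(t.endswith("Rich") for t in texts),  # Microsoft linker mark
        "sections": [t for t in texts if SECTION.match(t)],
        "dlls": [t.lower() for t in texts if DLL.match(t)],
        "apis": apis,
        "charset": charset,
        "runtime_loading": [a for a in apis if a in LOADERS],
        "packer_marks": [t for t in texts if t in PACKER_MARKS],
        "paths": [t for t in texts if PATH.search(t)],
    }


if __name__ == "__main__":
    for key, value in triage(XSTRINGS).items():
        print(f"{key:16} {value}")
```
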

Part Seven: pithpulchritude

Hey there, I suffered from the Look2me/Zesty parasite but managed to delete it. I still have Clientman/Odysseus Marketing lingering though. But I deleted everything I found, including reg values, .dll's, and folders. I manually deleted everything in Safe mode from the registry and hard drive. I'm still hijacked and can't search, get certain popups, and I get a green underlining under many words on web pages. I deleted my cookies and all temporary internet files. And when I run a random search under yahoo I get files from only 'xmlfeed.spaex.com', 'odysseusmarketing.com', 'meta.7search.com', and 'abcsearch.com'. Spybot and Ad-aware don't pick up on anything further. I've done everything I've found on all forums, I don't know what else to do. Can anyone help?

Part Eight: kjm7722

Someone Please Help Me!!!

I started my computer up today and when I am on Internet Explorer each page I look at highlights certain words and they are linked to a web address called Odysseus Marketing, which then dumps me into a search results page called 1st blaze.

When I click on the properties of this link it says it is a Hypertext transfer protocol. Type: PHP?NID=20file

How do I remove this?????

Part Nine: Pest Patrol Analysis

ClientMan gathers a list of running processes. Tries to read:

* RealName, Settings from \Software\Microsoft\Internet Account Manager\Accounts\

* SMTP Display Name, InstallUser, BusinessTitle, JobTitle, vCard from \Software\Speedbit\Download Accelerator\

* RegisteredOwner, DefCompany, InstallCompany from \Software\Zone Labs\ZoneAlarm\Registration and \Software\SBInfo\User\

* RegisteredOrganisation from \Software\Microsoft\MessengerService (or MSNMessenger)\ListCache\.NET Messenger Service

* IdentityName from \Software\Mirabilis\ICQ\Owners\

* LastOwner, Name from \Software\Yahoo\Pager\

* Yahoo! User ID from \Software\America Online\AOL Instant Messenger (TM)

* your name from \CurrentVersion\Users\ and \Software\Symantec\Shared Technology\Volatile Storage\Member Profile\vCard\Home (or Business) and \Software\Microsoft\Windows\CurrentVersion\Telephony\Locations\Location0\

Has been observed sending unknown data to its servers at ipend.datastorm.biz

Security Issues:

Yes. As part of its 'updates' feature, ClientMan can quietly download and run arbitrary unsigned code from its controlling server. According to one source, ClientMan 'appears to be able to change settings on older versions of the popular free ZoneAlarm firewall program without user consent. When ClientMan tries to connect to the Internet, ZoneAlarm flashes a warning and asks the user to confirm whether the program should be allowed to connect or not. Instead of waiting for user approval, ClientMan clicks the Yes button and checks the Always checkbox. Now ClientMan has permission to access the network whenever it chooses.'

Stability Issues: Yes. All variants appear to be poorly written, and can cause crashes and hangs of Internet Explorer at random moments.

Part Ten: Removal

Remove these registry entries if found:


Stop Running Processes:

Kill these running processes with Task Manager:


Remove AutoRun Reference:

Go to the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run.
If you find the value HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\clientman, delete it and reboot the machine immediately.
If you find the value HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\clientman1, delete it and reboot the machine immediately.
If you find the value HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\clientman, delete it and reboot the machine immediately.
If you find the value HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\clientman1, delete it and reboot the machine immediately.
If you find the value HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\msmc, delete it and reboot the machine immediately.
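The autorun check above can be run against saved `reg query` output instead of by eye in RegEdit. This is an added example, not part of the original removal instructions: it flags only the five hive and value-name pairs listed in the steps above, matches them case-insensitively, and ignores other keys such as RunOnce. The sample output and the paths in it are constructed for illustration.

```python
import re

RUN = r"software\microsoft\windows\currentversion\run"

# (hive, value name) pairs named in the autorun steps above, lower-cased.
WATCH = {
    ("hkey_current_user", "clientman"),
    ("hkey_current_user", "clientman1"),
    ("hkey_local_machine", "clientman"),
    ("hkey_local_machine", "clientman1"),
    ("hkey_local_machine", "msmc"),
}

# Constructed `reg query` output (sample data, not taken from the page).
SAMPLE = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    Example Speed Launcher    REG_SZ    "C:\Program Files\Example\launch.exe"
    clientman    REG_SZ    C:\Program Files\clientman\run\example.exe
    msmc    REG_SZ    C:\WINDOWS\system32\example.exe

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
    clientman    REG_SZ    C:\placeholder\not-a-run-key.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    ClientMan1    REG_SZ    C:\Program Files\clientman\run\example.exe
    ctfmon.exe    REG_SZ    C:\WINDOWS\system32\ctfmon.exe
"""

KEY = re.compile(r"^(HKEY_[A-Z_]+)\\(.+)$")
# reg.exe indents values by four spaces and separates name, type and data
# with four spaces; value names may themselves contain single spaces.
VALUE = re.compile(r"^ {4}(.+?) {4}(REG_[A-Z_]+) {4}(.*)$")


def find_autoruns(reg_output):
    """Return [(hive, value name, data)] for watched values under the Run keys."""
    hits = []
    hive = subkey = None
    for line in reg_output.splitlines():
        key = KEY.match(line)
        if key:
            hive = key.group(1).lower()
            subkey = key.group(2).lower().rstrip("\\")
            continue
        value = VALUE.match(line)
        if value and subkey == RUN and (hive, value.group(1).lower()) in WATCH:
            hits.append((hive.upper(), value.group(1), value.group(3)))
    return hits


if __name__ == "__main__":
    for hive, name, data in find_autoruns(SAMPLE):
        print(f"{hive}\\...\\Run  {name} -> {data}")
```
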

Unregister DLLs:

Unregister these DLLs with Regsvr32, then reboot:


Clean Registry:

Remove these registry items (if present) with RegEdit:


Remove Files:

Remove these files (if present) with Windows Explorer:


Remove Directories:

Remove these directories (if present) with Windows Explorer:

programfilesdir+\clientman

Afterword

More and more Windows users agree that OS X is mostly virus-free. After browsing through the above materials, more and more OS X users will surely agree that Windows is mostly not.

Copyright © Rixstep. All rights reserved.