SPYW_CLIENTMAN.A

In the wild: No

Reported detections:

Low
 
Description:

Alias: CoolWebSearch (Ad-Aware), ClientMan (Ad-Aware), Win32.Small.Trojan (Ad-Aware), SpyWiper (McAfee), ClientMan (PestPatrol), ClientMan (SpyBot), Spyware.ClientMan (Symantec), Adware.OMI (Symantec)

Author

    Odysseus Marketing

Classification

    Browser Hijacker

Installation and Setup Components

This browser helper object (BHO) opens popups. It crashes IE randomly and seems to add itself to Norton Firewall's Allow list. It attempts to read a user's name from RealName, Settings \Software\Microsoft\Internet Account Manager\Accounts\ SMTP Display Name, InstallUser, BusinessTitle, JobTitle, and vCard.

Various versions hijack search engine results, searches made in the address bar, and even error pages. Some versions add advertising links to Web pages and display popup ads.

This BHO may be installed by FavoriteMan and Grokster.

During installation, this BHO drops several files and creates certain folders. It also modifies the registry to enable its automatic execution at every startup.

Files

  • app.dat
  • ause3-decoded.exe
  • browserhelper-decoded.dll
  • browserhelper.dll
  • browserhelpere90a5c6.dll
  • clickthru.log
  • client.cfg
  • firstrun.log
  • getall.php
  • ipend.log
  • msckin.dat
  • mscman.dat
  • msdm.exe
  • msdpdm.dll
  • msgdmf.exe
  • mskceo.dll
  • msmm.exe
  • msvc32.exe
  • mungedpage.html
  • popup.log
  • searchhijack.html
  • searchrep6706569a.dll
  • svc.exe
  • taggerbhoe884facd.dll
  • trackurl5f9d991e.dll
  • trackurl7f663945-decoded.dll
  • trackurl7f663945.dll
  • uinfo4-decoded.exe
  • uinfo5.exe
  • uinfo7-decoded.exe
  • uninstall.uni
  • unpacked-browserhelper.dll
  • unpacked-svc.exe
  • whois-om.html
  • C:\Windows\System32\barbho.dll
  • %Program Files%\clientman\run\2in1fd04f73f.dll
  • %Program Files%\clientman\run\ause3.exe
  • %Program Files%\clientman\run\browserhelper2db3ad7a.dll
  • %Program Files%\clientman\run\cmupd.exe
  • %Program Files%\clientman\run\dnsrepa9c22ca5.dll
  • %Program Files%\clientman\run\fixtitle.exe
  • %Program Files%\clientman\run\getbuys.exe
  • %Program Files%\clientman\run\gstylebhob76a4c84.dll
  • %Program Files%\clientman\run\infoctl.exe
  • %Program Files%\clientman\run\msckin.exe
  • %Program Files%\clientman\run\mscman.exe
  • %Program Files%\clientman\run\msurlcli1.exe
  • %Program Files%\clientman\run\msvrfy804449fd.dll
  • %Program Files%\clientman\run\searchrep8181a0e2.dll
  • %Program Files%\clientman\run\trackurl79ad003c.dll
  • %Program Files%\clientman\run\trackurld66084b4.dll
  • %Program Files%\clientman\run\uinfo4.exe
  • %Program Files%\clientman\run\uinfo7.exe
  • %Program Files%\clientman\run\urlcli25e74486.dll
  • %Program Files%\clientman\run\urlclia30956de.dll
  • %System Root%\cachelut.dat
  • %System Root%\Downloaded Program Files\disable.dll
  • %System Root%\Downloaded Program Files\disable1.dll
  • %System Root%\mscdka.dll
  • %System Root%\mseclk.dll
  • %System Root%\mseffm.dll
  • %System Root%\msncjk.dll
  • %System Root%\msobfl.dll
  • %System Root%\System32\disable.dll
  • %System Root%\System32\disable1.dll
  • %System Root%\System32\msccof.exe
  • %System Root%\System32\mscdka.dll
  • %System Root%\System32\msdlgk.dll
  • %System Root%\System32\mseclk.dll
  • %System Root%\System32\mseffm.dll
  • %System Root%\System32\msmc.exe
  • %System Root%\System32\msncjk.dll
  • %System Root%\System32\msobfl.dll
  • %System Root%\System\disable.dll
  • %System Root%\System\disable1.dll
  • %System Root%\System\mscdka.dll
  • %System Root%\System\mseffm.dll
  • %System Root%\System\msobfl.dll
  • %System Root%\words.lst

(Note: %Program Files% refers to the Program Files folder, which is usually C:\Program Files. %System Root% refers to the root directory, which is usually C:\.)

Folders

  • C:\Program Files\clientman\run
  • %Program Files%\clientman

Autorun Registry Entries

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Currentversion\Run\clientman

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Currentversion\Run\clientman1

HKEY_CURRENT_USER\Software\Microsoft\Windows\Currentversion\Run\clientman

HKEY_CURRENT_USER\Software\Microsoft\Windows\Currentversion\Run\clientman1

HKEY_CURRENT_USER\Software\Microsoft\Windows\Currentversion\Run\msmc



Solution: 

Minimum scan engine version needed: 7.100


Trend customers

    Keep your pattern file and scan engine updated. Trend Micro antivirus software can clean or remove most types of viruses. Certain viruses, such as Trojans, scripts, overwriting viruses and joke programs which are identified as "uncleanable", should simply be deleted.

All Internet users

    1. For a quick check-up of your PC, use HouseCall - Trend Micro's online virus scanner. This will check for viruses which may already be on your PC.
    2. To keep your computer healthy by catching viruses before they have a chance to infect your PC or network, get the best antivirus solution available today. Trend Micro offers antivirus and content security solutions for home users, corporate users, and ISPs.

Description created:  Jul 17, 2004

SOLUTION


Spyware pattern version needed : 0.619.00

Pattern release date:  Mar 18, 2008