
Spyware

Spyware is a category of potentially undesirable computer software that is installed on a computer, typically without the user's consent.

How to Remove Clientman

What is Clientman and Clientman Removal?

ClientMan, a form of spyware sponsored by Odysseus Marketing, Inc., puts your personal security at high risk. It is a Browser Helper Object, or BHO, that has the functionality of adware coupled with the capability of a Backdoor Trojan.

ClientMan captures, stores, and sends confidential information including IP address, browser identification, and user logins to a remote server.  It usurps the Internet bandwidth on the infected computer, possibly creating sluggishness in its processing.

ClientMan has the ability to generate pop up advertisements based upon the user’s Internet activity.  Additionally, it can redirect your Web searches and add links to Web pages for advertising purposes.

ClientMan infects computers with the following operating systems: Windows 95, Windows 98, Windows NT, Windows 2000, Windows XP, Windows Me, and Windows Server 2003.

It is best to remove ClientMan as soon as you discover it has infected your machine.  ClientMan can be removed with a current anti-spyware program.  Additionally, manual removal of ClientMan can be accomplished.  The registry editor will be used in a manual removal of this application.  Therefore, it is important to back up your computer files before attempting removal.  Using the registry editor may result in accidental deletion of important files.

The ClientMan registry values, registry keys, DLL files, processes, and files need to be completely removed from the infected computer.  To delete each file, process, and key manually, complete the following set of directions. 

  • Click Start.
  • Click Run.
  • Type ‘regedit’.
  • Click ok to open the registry editor, referred to as regedit.
  • Click my computer at the top of the box.
  • Click edit.
  • Click find.
  • Type in one of the keys or files in the following lists, and click find or find next. Begin with the ones that do not start with HKEY, since these are more easily discovered and deleted. Make sure that the boxes in front of keys, values, and data are checked, so that regedit looks in the correct places. Regedit should locate a key for you. Right click on the key and delete it by clicking delete in the menu that appears or by pressing delete on the keyboard.
  • You will do this one file at a time.  After you delete each one that you locate, hit the F3 key on your keyboard to reopen the find next box.  Continue the process and delete additional bad registry files.
  • Once regedit indicates that the search is finished, you should click on my computer in the regedit and redo the search to guarantee that you have deleted all possible bad files from this program.

ClientMan files:


Detecting and deleting the ClientMan files or keys that begin with HKEY requires a more involved set of steps. Use the following steps to manually delete the ClientMan values that start with HKEY.

  • Click Start.
  • Click Run.
  • Type ‘regedit’.
  • Click ok to open the registry editor, referred to as regedit.
  • Click my computer at the top of the box.
  • Follow the path given in each value, clicking each folder open to locate the next item in the path until you have reached the last item.  Once you have gotten to the last item, you can delete it.  Each slash indicates a new folder.
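
Before deleting anything by hand, the two registry locations this procedure keeps returning to (Browser Helper Objects and the Run keys) can be listed read-only. The script below is an added example, not part of the original article; the `-WatchList` parameter and its text file are hypothetical, and it assumes PowerShell 2.0 or later and the native registry view.

```powershell
param(
    # Hypothetical text file: one file name or {CLSID} per line, copied from a removal guide.
    [string]$WatchList
)

$bhoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'

# Load the optional watch list, ignoring blank lines.
$watch = @()
if ($WatchList -and (Test-Path -LiteralPath $WatchList)) {
    $watch = @(Get-Content -LiteralPath $WatchList |
        ForEach-Object { $_.Trim() } | Where-Object { $_ })
}

function Test-Listed([string]$Text) {
    # True when any watch-list entry occurs in $Text (case-insensitive substring).
    # A hit is a lead to review, not proof: short names can match unrelated files.
    foreach ($w in $watch) {
        if ($Text.ToLower().Contains($w.ToLower())) { return $true }
    }
    return $false
}

function Get-BhoEntry {
    if (-not (Test-Path -LiteralPath $bhoRoot)) { return }
    foreach ($key in Get-ChildItem -LiteralPath $bhoRoot) {
        $clsid  = $key.PSChildName
        # The DLL implementing a BHO is the default value of CLSID\{guid}\InprocServer32.
        $server = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
        $dll    = $null
        if (Test-Path -LiteralPath $server) {
            $dll = (Get-Item -LiteralPath $server).GetValue('')
        }
        New-Object PSObject -Property @{
            Clsid     = $clsid
            Dll       = $dll
            # A BHO whose DLL is already gone is a leftover registration.
            DllExists = [bool]($dll -and
                (Test-Path -LiteralPath $dll -ErrorAction SilentlyContinue))
            Listed    = (Test-Listed "$clsid $dll")
        } | Select-Object Clsid, Dll, DllExists, Listed
    }
}

function Get-RunEntry {
    foreach ($path in $runKeys) {
        if (-not (Test-Path -LiteralPath $path)) { continue }
        $key = Get-Item -LiteralPath $path
        foreach ($name in $key.GetValueNames()) {
            $command = [string]$key.GetValue($name)
            New-Object PSObject -Property @{
                Key     = $path
                Name    = $name
                Command = $command
                Listed  = (Test-Listed "$name $command")
            } | Select-Object Key, Name, Command, Listed
        }
    }
}

# Nothing is modified: the output is for review before any manual deletion.
Write-Host 'Browser Helper Objects:'
Get-BhoEntry | Format-Table -AutoSize
Write-Host 'Run-key entries:'
Get-RunEntry | Format-List
```

Run it from an elevated PowerShell prompt and save the output alongside the registry backup, so there is a record of what was registered before the cleanup.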

ClientMan registry values:


Use the uppermost set of directions to find and delete these ClientMan DLL files:


To manually detect and delete the ClientMan processes, complete the following set of instructions:

  • Click Start.
  • Click Search.
  • Click for files or folders.
  • Type in the name of the file, one at a time, from the following list of ClientMan processes.
  • Click search.
  • Delete the found files.

ClientMan processes:



A4Zeta Beta 1 Removal

A4Zeta Beta 1 Removal Facts

A4Zeta Beta 1 is an insidious software application that belongs to the family of spyware. It is a malicious Trojan known as a Remote Administration Tool or RAT. This program is equipped to perform many clandestine activities that put the infected computer’s safety and security features at risk and disrupt the processing of the computer.

A4Zeta Beta 1 has been around since 2002, possibly originating in South America.  The author of this program is Renner.  The primary goal of this malware program is to gain access to a computer for the purpose of controlling the computer through a server and a remote client.  A4Zeta Beta 1 installs the server that it will use to access your personal information.

A program such as this is fully capable of monitoring the computer user’s activity to the point of recording keystrokes, tracking the computer user’s browsing habits, maintaining a log, and stealing personal information.  A4Zeta Beta 1 will be able to gain access to your important data, including account numbers for your bank accounts and credit card accounts, passwords, and any other information that you have stored on the infected computer.

Additionally, A4Zeta Beta 1 can usurp the infected computer’s bandwidth, disrupting the computer’s processing ability.  This particular program is known for restarting the infected computer, further disrupting the computer user’s  time on the computer.  Moreover, A4Zeta Beta 1 is capable of downloading additional software applications onto the infected computer without the owner’s consent or knowledge.

To remove A4Zeta Beta 1, it will be necessary to ensure that all A4Zeta Beta 1 processes, A4Zeta Beta 1 registry keys, A4Zeta Beta 1 DLL files, and other dangerous A4Zeta Beta 1 files are removed from your computer. This needs to be done with caution, however, due to the sensitive nature of the computer’s registry. Specifically, the A4Zeta Beta 1 process, a4zetabeta 1.exe, needs to be removed. In addition, the A4Zeta Beta 1 files, a4zetabeta 1.exe and leia-me.txt, need to be removed.

To remove the A4Zeta Beta 1 Program manually, follow these instructions:

For Windows 95, Windows 98, Windows 2000, Windows Me, Windows NT, and Windows XP in the classic view:

  • Click the start button to open the menu.
  • Click settings.
  • Click control panel.
  • Double click the “add/remove programs” icon in the control panel window to open it.
  • Search for the A4Zeta Beta 1 program in the list of entries.
  • Click on the phrase, A4Zeta Beta 1 to select it.
  • Click on the button that will remove it, either “add/remove” or “change/remove.”
  • Follow the prompts that are given to remove A4Zeta Beta 1.
  • Reboot your computer.
  • Open the Add/Remove Programs icon and check to see if A4Zeta Beta 1 has been removed from the list of currently installed programs.
  • If A4Zeta Beta 1 is still listed in the currently installed programs file, then you will need to take further steps to remove the application.

If your computer is using Windows XP in the default XP view, you will navigate directly from start to control panel.  The remaining removal steps for A4Zeta Beta 1 will be the same as those listed above. 

Manual removal is tedious and full of potential for mishap.  For these reasons, it is highly recommended that an anti-spyware application be considered for removal of this and all spyware, malware, and adware programs.


Adware.MediaInject

The Adware.MediaInject application displays pop-up advertisements on a user’s computer.

The Adware.MediaInject application is also known as the following:

  • Generic.cb;
  • Mediainj;
  • Trojan.Win32.Inject.a;
  • Virtool.MediaInject.a
  • and Adware.Win32.MediaInject.

SoftBulldog.com reportedly published the Adware.MediaInject application. The publisher’s website is www.softbulldog.com/ free.html.

The Adware.MediaInject program reportedly comes bundled with other software authored by softbulldog.com. These other programs which may carry the Adware.MediaInject application include:

  • Greasemonkey (Internet Explorer extension);
  • Customize Google (Google search enhancer);
  • Omgili (search engine);
  • MalWhere (process monitor);
  • Sigster (search engine);
  • YADA (download manager);
  • and aSkin (skins for Internet Explorer).

The advertising software comes in several versions. These versions include Adware.MediaInject.a; Adware.MediaInject.c; and Adware.MediaInject.d.

The Adware.MediaInject program installs registry keys on the startup folder. This enables the program to run each time the computer starts or the user reboots the system.

The components commonly added by the application are:

  • %ProgramFiles%\ micore\ runc.exe;
  • ..\ not-a-virus.adware.win32.mediainject.a \ 65b6f6e2.exe;
  • ..\ Internet keyword\ inetmgr.exe;
  • ..\ Internet keyword\ inetsvc.exe;
  • and ..\ Internet keyword\ ikw.exe.

Some file processes associated with the Adware.MediaInject application include the expin.dll; wrdget.dll; runc.exe; micore.exe; runc.exe and expin.dllmicore.exe.

Adware applications are capable of displaying advertisements on a user’s computer in an obtrusive manner. These are marketing tactics used by companies to gain profit. The advertisements usually come in the form of pop-ups, banners, pop-unders and links in websites.

The Adware.MediaInject application can also track a user’s browsing habits. This information goes to a central server. Advertisements then appear on the user’s computer catering to the user’s searches.

An infected computer exhibits a constant appearance of pop-up advertisements. The user also gets redirected to a different website and the browser home page changes without the user's consent. Just like any infected computer, there is slower computer performance and Internet connection speed. There is also unexplained high bandwidth consumption and low disk space.

Advanced Registry Optimizer, Is it a Rogue Registry Cleaner?

The Advanced Registry Optimizer application looks, talks and walks like a rogue registry cleaner.

Reports show that the Advanced Registry Optimizer program is a seemingly legitimate program masked as a true registry cleaner. Experts however claim that Advanced Registry Optimizer is a Rogue Registry Cleaner program that purposely makes exaggerated claims on the user’s computer system security. Reports claim that it does so to entice computer users into buying a paid version of the program.

Advocates of the Advanced Registry Optimizer application categorize the software as a user-friendly registry cleaner that can dramatically improve the performance of the user’s computer. It allegedly does this by removing errors existing in the user’s computer.

It is claimed that it is a Windows utility that aids in maintaining the stability of the user’s computer by scanning for and repairing worthless registry entries.

It is claimed by the sponsors of this program that the Advanced Registry Optimizer application assists in providing the accelerated system speeds and enhanced response time of the user’s computer. Some advertisers even claim that the application can give efficient system operation and a more secure system. It is also said to reduce error messages.

Publishers of this software also claim that this program can be helpful when the user is experiencing reduced Internet and computer speed. It can also help remove irremovable computer programs. In instances when the computer does not boot as it should, as well as in cases where some applications stopped working when new software was installed, the Advanced Registry Optimizer is said to be efficient.

Supporters of the Advanced Registry Optimizer application claim that this product can perform actions such as scanning user’s computer for errors and defragging the user’s registry. It is also capable of executing backup files, restoring files, displaying and classifying registry errors. It can eradicate the detected registry errors.

Notwithstanding these acclaimed beneficial uses, security experts consider the Advanced Registry Optimizer application malware. This is because it makes exaggerated claims regarding the security of the user’s computer. Experts also say that the application can provide possibly incorrect results from the scan it conducts. These seemingly legitimate results can be used as a tool to scare and persuade users into purchasing a commercial version of the program.

This article is solely the opinion of the author of this article and is not in any way to be construed as the opinion of filetonic, its owners, techjocks or anyone affiliated with this website.


1-Act Parental Advisor 2006 Adware

The 1-ACT Parental Advisor 2006 application is adware.

Reports show that the 1-ACT Parental Advisor 2006 application is marketed as a computer control utility used by parents and employers. The author claims that the 1-ACT Parental Advisor 2006 application has the functions of protecting children from pornography, stalkers and pedophiles. It also allows an employer to save money by making sure their employees are using their computer resources strictly for work purposes only.

Reports claim that the 1-ACT Parental Advisor 2006 application provides online and offline filter controls. It also provides parents or system administrators control on websites and programs accessed in a computer. Other reports show that the 1-ACT Parental Advisor 2006 allows blocking of particular URLs and programs and it permits a schedule when access can be granted. It is also allegedly able to place offline websites in a list and may allow a security password for programs.

The 1-ACT Parental Advisor 2006 application is reported to block websites with adult content and control access to the Internet. However, the 1-ACT Parental Advisor 2006 application is also claimed to log keystrokes. It can also monitor and log all actions in the computer. It may also reputedly email all recorded data to a user as it is capable of running secretly from the user. It steals passwords and confidential data and may have rootkit technology to be able to remain undetected by other software.

Anti-virus companies also state that the 1-ACT Parental Advisor 2006 application is installed by the executable file parentallock.exe.

It is also possible for the 1-ACT Parental Advisor 2006 application to make screenshots of the computer display and capture microphone and webcam data. It can also log sessions in Instant Messaging applications and record visited websites as well as files shared in a Peer-to-Peer network.

The 1-ACT Parental Advisor 2006 application is claimed to have undesirable effects on the machine, such as creating unwanted modifications to the computer. It can change the configuration of a Web browser’s homepage and its settings. Lastly, it is capable of gathering and sending confidential data to a remote host without the awareness or consent of the user.

3wplayer Downloader Trojan

The 3wplayer application is a Downloader Trojan program.

A downloader Trojan program is often installed under a false pretense of being beneficial to the user. These applications install and execute a malicious component without the user’s knowledge. Downloader Trojan applications have the capability to download and run other malware applications. The malicious software may have a variety of abilities, causing damage and disruption of normal system functions.

The 3wplayer application is affiliated with the websites http://www.3wplayer.com/ and DailyAppz.Play3w.com. The program is being marketed as a wide-ranging media player. Advertisements show that it can play several file formats. It also has an easy to use interface. The program is compatible with the Windows Operating System.

The 3wplayer application may be willingly installed into the system by the user. Users may be unaware of reports showing that the system becomes infected with the Trojan.Win32.Obfuscated.en program. Once installed, it can also download and execute other malware programs with adware capabilities into a system.

This application is often distributed through a tactic associated with downloadable content. Videos that are likely to be downloaded are uploaded to file-sharing sites or networks. The files often appear to be in the conventional AVI format. Once the file is fully downloaded and the user attempts to watch the video, a message will appear.

The message then tells the user that the downloaded video can only be played with the 3wplayer application. It further directs the user to a site where the media player can be downloaded free. Upon installation, the program also installs adware programs that are included with its software. Downloaded media files mostly do not contain the expected videos.

Upon execution, the 3wplayer software reportedly creates the following files:

  • C:\Documents and Settings\All Users\Start Menu\Programs\3wPlayer\Uninstall 3wPlayer.ink;
  • %ProgramFiles%\3wPlayer\settings.ini;
  • %ProgramFiles%\3wPlayer\settings.stp;
  • and %ProgramFiles%\3wPlayer\SkinCrafterDll.dll.

One adware program that the 3wplayer application has been reported to download and install is the Adware.Lop application. This software can hijack the Web browser. It is also capable of adding a search button and toolbar to the Internet Explorer program without consent from the user. Malware programs downloaded by the 3wplayer application make the system susceptible to pop-up advertisements, undesired networks, security software disabling and personal information theft.

The 3wplayer application may be detected under the following names:

  • domplayer;
  • zixplayer;
  • WinZix;
  • and DivoCodec.
