
Clientman................

Discussion in 'Virus & Other Malware Removal' started by Xit Wound, Oct 4, 2003.

Thread Status:
Not open for further replies.
  1. Xit Wound

    Xit Wound Thread Starter

    Joined:
    Oct 4, 2003
    Messages:
    14
    Wondering if anyone has had the pleasure of dealing with this new nasty piece of work. I have the pleasure of getting to know this thing well and still it won't cooperate with me. Every time I use adware, spybot or any other removal prog it finds the reg entries, and when I remove them with those progs or manually, after a reboot it reappears. This is even after multiple related reg lines removed or edited. Any help would be gratefully appreciated.
     
  2. IMM

    IMM Malware Specialist

    Joined:
    Feb 1, 2002
    Messages:
    3,257
    Does it appear to be one of the variants listed here?
    http://www.doxdesk.com/parasite/ClientMan.html

    Post the scan log from HijackThis
    Unzip somewhere to keep and run hijackthis.exe - press scan - the Scan button changes to a Save Log button. Save, and then copy and paste the entire log here.
    Don't choose to fix anything yet - most entries will be harmless
     
  3. Xit Wound

    Xit Wound Thread Starter

    Joined:
    Oct 4, 2003
    Messages:
    14
    Ya, it seems to be one of those variants, in which I have followed several of those removal processes and still no luck. I'll do the SS with the hijack.
     
  4. Xit Wound

    Xit Wound Thread Starter

    Joined:
    Oct 4, 2003
    Messages:
    14
    Logfile of HijackThis v1.97.2
    Scan saved at 12:53:43 AM, on 10/4/2003
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Gigabyte\Gigabyte Windows Utility Manager\ET4\et4Tray.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINDOWS\System32\svc.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton Internet Security\NISUM.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\Norton Internet Security\ccPxySvc.exe
    C:\WINDOWS\System32\taskmgr.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Common Files\Symantec Shared\NMain.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Documents and Settings\Xit Wound\My Documents\programs\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bellsouth.net/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
    O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {FCADDC14-BD46-408A-9842-CDBE1C6D37EB} - C:\WINDOWS\system32\BrowserHelper.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
    O4 - HKLM\..\Run: [EasyTuneIV] C:\Program Files\Gigabyte\Gigabyte Windows Utility Manager\ET4\et4Tray.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKCU\..\Run: [svc] C:\WINDOWS\System32\svc.exe
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/76808a0e7ae82f/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37869.8360069444
    O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     
  5. Xit Wound

    Xit Wound Thread Starter

    Joined:
    Oct 4, 2003
    Messages:
    14
    I really don't know which of those variants I am dealing with and, like I said, every time I remove what I find, after reboot it is back, and ad ware and spybot both still find it and remove it, but it comes back every time. I would really be grateful if someone could find the cure for this disease.
    Thanks for the help.
     
  6. IMM

    IMM Malware Specialist

    Joined:
    Feb 1, 2002
    Messages:
    3,257
    It has this
    C:\WINDOWS\System32\svc.exe
    as a running process - you would do well to terminate it before dealing with the files and registry.
    One way to do that is to download Process Explorer
    Unzip the package to a location where you will keep it for future use.
    Run the extracted procexp.exe file from that location and then right click on the svc.exe task and choose Kill.
    If the process is successfully terminated - it will vanish from the task list (much like using Ctrl-Alt-Delete and choosing End Task)
    Killing a task in this fashion does not delete any files or registry items - it just gets the task out of the way so that the files we wish to delete are not in use.

    This item
    O4 - HKCU\..\Run: [svc] C:\WINDOWS\System32\svc.exe
    is its startup.
    Place a check next to it and choose fix after terminating the process.

    If you are using Spybot - Search and Destroy then use the beta updates - after installing (if it isn't already), press Settings, and Settings again.
    Go to the Webupdate section, and check "Display also available beta versions".
    Then, first press Online, and search for, put a check mark at, and install all updates.

    Next, close all Internet Explorer windows, hit 'Check for Problems', and have SpyBot remove all it finds.
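
The check described in the post above (an O4 autostart entry whose target also appears under "Running processes" has to have its process terminated before the entry is fixed), as an added example that is not part of the original thread. The function names and regular expressions are hypothetical, and the sample log is constructed from lines of the HijackThis log posted earlier in this thread.

```python
import ntpath
import re

# Constructed sample: lines copied from the HijackThis v1.97.2 log in this thread.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\svc.exe

O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [svc] C:\WINDOWS\System32\svc.exe
"""

# Hypothetical patterns for the O4 line layout and for the image part of a command line.
O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(\w+): \[([^\]]*)\] (.+)$")
EXE_RE = re.compile(r'^"?(.+?\.(?:exe|com|bat|cmd|scr|pif))(?="|\s|$)', re.I)

def parse_log(text):
    """Return (running_process_paths, o4_entries) from a HijackThis log."""
    running, entries, in_procs = [], [], False
    for line in (l.strip() for l in text.splitlines()):
        if line.lower().startswith("running processes"):
            in_procs = True
        elif in_procs and not line:
            in_procs = False          # a blank line ends the process list
        elif in_procs:
            running.append(line)
        elif (m := O4_RE.match(line)):
            hive, key, name, cmd = m.groups()
            exe = EXE_RE.match(cmd)   # drop quotes and arguments such as "/install"
            entries.append({"hive": hive, "key": key, "name": name,
                            "image": exe.group(1) if exe else cmd})
    return running, entries

def live_autostarts(text):
    """O4 entries whose image is currently running: end the process, then fix the entry."""
    running, entries = parse_log(text)
    full = {p.lower() for p in running}
    base = {ntpath.basename(p).lower() for p in running}
    # An entry with a bare file name (no directory) can only be matched by name.
    return [e for e in entries
            if e["image"].lower() in full
            or ("\\" not in e["image"] and e["image"].lower() in base)]

if __name__ == "__main__":
    for e in live_autostarts(SAMPLE_LOG):
        print(f'{e["hive"]}\\..\\{e["key"]}: [{e["name"]}] -> {e["image"]}')
```

The result lists every autostart that is live, legitimate ones included; filtering on `hive == "HKCU"` narrows the sample to the `svc` entry discussed in the thread.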
     
  7. Xit Wound

    Xit Wound Thread Starter

    Joined:
    Oct 4, 2003
    Messages:
    14
    I'm going to give that a try and I do thank you for taking a look at this for me.
     
  8. Xit Wound

    Xit Wound Thread Starter

    Joined:
    Oct 4, 2003
    Messages:
    14
    This item
    O4 - HKCU\..\Run: [svc] C:\WINDOWS\System32\svc.exe
    is its startup.
    Place a check next to it and choose fix after terminating the process <-------- What program do I use to find this, or where do I locate this to accomplish that task?
     
  9. IMM

    IMM Malware Specialist

    Joined:
    Feb 1, 2002
    Messages:
    3,257
    Run HijackThis.exe, press Scan - then place a check next to that one item by clicking in the box next to the item, and push the Fix Checked button.
     
  10. Xit Wound

    Xit Wound Thread Starter

    Joined:
    Oct 4, 2003
    Messages:
    14
    Thanks for the help last night, but unfortunately I accidentally deleted the entire clsid registry folder. I'm sure you know what happened after that mistake, but that mistake fixed the clientman issue for sure, the hard way.

    Thanks so much for your help, and I'm going to refer this forum to some friends. You responded so fast with the correct info and I do thank you. I'll continue to swim these forums from now on and see if I can help or gain some knowledge.
     
Short URL to this thread: https://techguy.org/169409