Clientman................

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

Xit Wound

Thread Starter
Joined
Oct 4, 2003
Messages
14
Wondering if anyone has had the pleasure of dealing with this new nasty piece of work. I have the pleasure of getting to know this thing well and still it won't cooperate with me. Every time I use adware, Spybot or any other removal prog it finds the reg entries, and when I remove them with those progs or manually, after a reboot it reappears. This is even after multiple related reg lines removed or edited. Any help would be gratefully appreciated.
 

IMM

Joined
Feb 1, 2002
Messages
3,257
Does it appear to be one of the variants listed here?
http://www.doxdesk.com/parasite/ClientMan.html

Post the scan log from HijackThis
Unzip somewhere to keep and run hijackthis.exe - press scan - the Scan button changes to a Save Log button. Save, and then copy and paste the entire log here.
Don't choose to fix anything yet - most entries will be harmless
 

Xit Wound

Thread Starter
Joined
Oct 4, 2003
Messages
14
Ya, it seems to be one of those variants, in which I have followed several of those removal processes and still no luck. I'll do the SS with the hijack.
 

Xit Wound

Thread Starter
Joined
Oct 4, 2003
Messages
14
Logfile of HijackThis v1.97.2
Scan saved at 12:53:43 AM, on 10/4/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Gigabyte\Gigabyte Windows Utility Manager\ET4\et4Tray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\svc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Norton Internet Security\ccPxySvc.exe
C:\WINDOWS\System32\taskmgr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Symantec Shared\NMain.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Xit Wound\My Documents\programs\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bellsouth.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FCADDC14-BD46-408A-9842-CDBE1C6D37EB} - C:\WINDOWS\system32\BrowserHelper.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [EasyTuneIV] C:\Program Files\Gigabyte\Gigabyte Windows Utility Manager\ET4\et4Tray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKCU\..\Run: [svc] C:\WINDOWS\System32\svc.exe
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/76808a0e7ae82f/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37869.8360069444
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/SharedContent/common/bin/cabsa.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
 

Xit Wound

Thread Starter
Joined
Oct 4, 2003
Messages
14
I really don't know which of those variants I am dealing with, and like I said, every time I remove what I find, after reboot it is back, and ad ware and spybot both still find it and remove it, but it comes back every time. I would really be grateful if someone finds the cure for this disease.
Thanks for the help.
 

IMM

Joined
Feb 1, 2002
Messages
3,257
It has this
C:\WINDOWS\System32\svc.exe
as a running process - you would do well to terminate it before dealing with the files and registry.
One way to do that is to download Process Explorer
Unzip the package to a location where you will keep it for future use.
Run the extracted procexp.exe file from that location and then right click on the svc.exe task and choose Kill.
If the process is successfully terminated - it will vanish from the task list (much like using Ctrl-Alt-Delete and choosing End Task)
Killing a task in this fashion does not delete any files or registry items - it just gets the task out of the way so that the files we wish to delete are not in use.

This item
O4 - HKCU\..\Run: [svc] C:\WINDOWS\System32\svc.exe
is its startup.
Place a check next to it and choose fix after terminating the process.

If you are using Spybot - Search and Destroy then use the beta updates - after installing (if it isn't already), press Settings, and Settings again.
Go to the Webupdate section, and check "Display also available beta versions".
Then, first press Online, and search for, put a check mark at, and install all updates.

Next, close all Internet Explorer windows, hit 'Check for Problems', and have SpyBot remove all it finds.
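
An added example, not part of the original posts: a Python triage pass over a HijackThis log that pairs each O4 autostart entry with the running-process list, so a process can be ended before its Run value is fixed. The sample log is an excerpt constructed from the log posted in this thread; the function names and the rule in `review` (a per-user HKCU Run value launching a binary from C:\WINDOWS\System32) are assumptions for illustration, a review heuristic rather than a verdict.

```python
import ntpath
import re
from typing import NamedTuple

# Excerpt constructed from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\svc.exe

O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [svc] C:\WINDOWS\System32\svc.exe
"""
O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(\w+): \[([^\]]+)\] (.+)$")
SYSTEM_DIR = "c:\\windows\\system32\\"  # assumption: Windows directory as in this log

class Autostart(NamedTuple):
    hive: str
    name: str
    exe: str
    running: bool

def exe_of(command):  # program an autostart command launches, without arguments
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    m = re.match(r"(.+?\.exe)\b", command, re.IGNORECASE)
    return m.group(1) if m else command

def parse(log):
    """Pair every O4 entry with whether its program is in the process list."""
    procs, found, in_procs = set(), [], False
    for line in map(str.strip, log.splitlines()):
        if line == "Running processes:":
            in_procs = True
        elif in_procs and not line:
            in_procs = False
        elif in_procs:  # index by full path and by bare file name
            procs.update((line.lower(), ntpath.basename(line).lower()))
        elif m := O4_RE.match(line):
            found.append((m.group(1), m.group(3), exe_of(m.group(4))))
    return [Autostart(h, n, e, e.lower() in procs) for h, n, e in found]

def review(entries):
    """Heuristic: per-user Run values that launch a binary from System32."""
    return [e for e in entries
            if e.hive == "HKCU" and e.exe.lower().startswith(SYSTEM_DIR)]
```

`review(parse(SAMPLE_LOG))` returns the single `svc` entry with `running=True`, which is the case where the process has to be ended before the Run value is fixed.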
 

Xit Wound

Thread Starter
Joined
Oct 4, 2003
Messages
14
I'm going to give that a try and I do thank you for taking a look at this for me.
 

Xit Wound

Thread Starter
Joined
Oct 4, 2003
Messages
14
This item
O4 - HKCU\..\Run: [svc] C:\WINDOWS\System32\svc.exe
is its startup.
Place a check next to it and choose fix after terminating the process <-------- What program do I use to find this, or where do I locate this to accomplish that task?
 

IMM

Joined
Feb 1, 2002
Messages
3,257
Run HijackThis.exe, press Scan - then place a check next to that one item by clicking in the box next to the item, and push the Fix Checked button.
 

Xit Wound

Thread Starter
Joined
Oct 4, 2003
Messages
14
Thanks for the help last night, but unfortunately I accidentally deleted the entire clsid registry folder. I'm sure you know what happened after that mistake, but that mistake fixed the clientman issue for sure, the hard way.

Thanks so much for your help, and I'm going to refer this forum to some friends. You responded so fast with the correct info and I do thank you. I'll continue to swim these forums from now on and see if I can help or gain some knowledge.
 