Mostly Virus-Free
More and more Windows users agree that OS X is 'mostly' virus-free.
WASHINGTON, DC (Associated Press) - Government regulators are trying to shut down a company they say secretly downloaded spyware onto the computers of unwitting Internet users, rendering them helpless to a flood of popup ads, computer crashes, and other annoyances.
The Federal Trade Commission has asked a U.S. District Court judge to halt an operation that secretly installed spyware and adware that could not be uninstalled by the consumers whose computers it infected. The defendants used the lure of free software they claimed would make peer-to-peer file sharing anonymous. The agency alleges the stealthy downloads violate federal law and asked the court to order a permanent halt to them.
According to the complaint filed by the FTC, Odysseus Marketing and its principal, Walter Rines, advertised software they claimed would allow consumers to engage in peer-to-peer file sharing anonymously. With claims like 'DOWNLOAD MUSIC WITHOUT FEAR', and 'DON'T LET THE RECORD COMPANIES WIN', the defendants encouraged consumers to download their free software.
The agency charges that the claims are bogus.
First, the software does not make file-sharing anonymous.
Second, the cost to consumers is considerable because the 'free' software is bundled with spyware called Clientman that secretly downloads dozens of other software programs, degrading consumers' computer performance and memory.
Among other things, this accumulated software replaces or reformats search engine results. For example, consumers who downloaded the spyware may try to conduct a Google or Yahoo! search. Their screens will reveal a page that appears to be the Google or Yahoo! search engine result, but the page is a copy-cat site, and the order of the search results is rigged to place the defendants' clients first.
The bundled software programs also generate popup ads and capture and transmit information from the consumers' computers to servers controlled by the defendants.
The FTC alleges that the defendants deliberately make their software difficult to detect and impossible to remove using standard software utilities. Although the defendants purport to offer their own 'uninstall' tool, it does not work. In fact, it installs additional software, according to the FTC's complaint.
The FTC charges that the practices of Odysseus Marketing and Walter Rines are unfair and deceptive and violate the FTC Act. The agency will seek a permanent halt to the practices.
The defendants are based in Stratham, New Hampshire.
The Commission vote to authorize staff to file the complaint was 4-0. The complaint was filed in the U.S. District Court for the District of New Hampshire.
Part Two: Links
Federal Trade Commission, Plaintiff, v. Odysseus Marketing, Inc., and Walter Rines, Defendants. United States District Court, District of New Hampshire. FTC File No. 042 3205
- Wired: Spyware Purveyor in Cross Hairs
- The Register: FTC clamps down on spyware firm
- PC Pro: FTC cracks down on alleged spyware merchant
- Boston Globe: Regulators: N.H. firm's business is spyware
- PC World: FTC Seeks to Halt Alleged Spyware Site
- eWEEK: FTC Targets Illegal Spyware Operation
- Boston Herald: Feds hit N.H. co. on spyware
- FOX News: Feds Take on Company Facing Spyware Allegations
- ZD Net: FTC files case against alleged spyware pusher | Spyware Confidential
Part Three: Odysseus Marketing - Uninstaller
<http://www.odysseusmarketing.com/uninstall/>
<!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 4.01 Transitional//EN'>
<html>
<head>
  <title>Odysseus Marketing - Uninstaller</title>
  <meta http-equiv='Content-Type' content='text/html; charset=iso-8859-1'>
</head>
<body>
  Welcome to the uninstall page for clientman.<br/>
  Instructions are as follows</br>
  <UL>
    <LI>1) Exit all instances of Internet Explorer and Windows Explorer other than this one.
    <LI>2) Hit the Go button on this page.
    <LI>3) Allow the uninstall program to be loaded on your computer it will occur automatically. Should any dialog boxes appear, be sure to hit 'ok' or 'yes' otherwise nothing will be uninstalled.
    <LI>4) When the uninstall is complete, you will be prompted with a message box to reboot your machine.
  </UL>
  <strong>Cookies must be enabled for this process to work properly. </strong>
  <UL>
    <LI>1) select Tools -> Internet options from the IE window
    <LI>2) click the privacy tab
    <LI>3) adjust the vertical slider bar to read 'accept all cookies'
  </UL>
  <form action='download.php' method='post'>
    <input type='submit' value='Go!'>
  </form>
</body>
</html>
Part Four: Cookies.plist
<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE plist PUBLIC '-//Apple Computer//DTD PLIST 1.0//EN' 'http://www.apple.com/DTDs/PropertyList-1.0.dtd'>
<plist version='1.0'>
<array>
  <dict>
    <key>Domain</key>
    <string>www.odysseusmarketing.com</string>
    <key>Expires</key>
    <date>2005-10-07T12:41:02Z</date>
    <key>Name</key>
    <string>check</string>
    <key>Path</key>
    <string>/uninstall</string>
    <key>Value</key>
    <string>enabled</string>
  </dict>
  <dict>
    <key>Domain</key>
    <string>www.odysseusmarketing.com</string>
    <key>Expires</key>
    <date>2005-10-07T12:41:06Z</date>
    <key>Name</key>
    <string>cc</string>
    <key>Path</key>
    <string>/uninstall</string>
    <key>Value</key>
    <string>156fc08d7ef017aa9953e370728e925cf52ce705149ac3314</string>
  </dict>
</array>
</plist>
Part Five: Uninstall Download
<html>
<head>
  <title>Odysseus Marketing - Uninstaller</title>
  <meta http-equiv='Content-Type' content='text/html; charset=iso-8859-1'>
  <META HTTP-EQUIV='Refresh' CONTENT='2; URL=uninstall.exe'>
</head>
<body>
  <div align='center'>The download of the uninstallation program should start within a few seconds.<br/>
  A dialog box will appear, be sure to click 'Open', otherwise nothing will be uninstalled 1</div>
</body>
</html>
Part Six: uninstall.exe.xstrings
000000000000004d !This program cannot be run in DOS mode.
00000000000000d7 3Rich
00000000000001e0 .text
0000000000000208 .rdata
0000000000000230 .data
0000000000000258 .rsrc
000000000001043e kernel32.dll
000000000001044b user32.dll
0000000000010458 GetModuleHandleA
000000000001046b MessageBoxA
- 68096 bytes.
- 32-bit Windows program.
- No compression signature.
- Four sections, two dependencies.
- No apparent dynamic dependencies.
- Made with Visual Studio 6.0 or later.
- Program issues a single message box.
- Calls are in ASCII rather than Unicode.
- Program looks for a single module handle.
- No embedded disk or Registry based paths.
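Several of the observations above (section count, dependencies, ANSI calls, no packer signature, no embedded paths) can be re-derived mechanically from the strings listing. The following is an added example, not part of the original page; the packer marker list and the path patterns are assumptions, and the classification is a strings-only heuristic rather than a PE header parse.

```python
import re

# Listing copied from the page's uninstall.exe.xstrings section: hex offset, then string.
XSTRINGS = """\
000000000000004d !This program cannot be run in DOS mode.
00000000000000d7 3Rich
00000000000001e0 .text
0000000000000208 .rdata
0000000000000230 .data
0000000000000258 .rsrc
000000000001043e kernel32.dll
000000000001044b user32.dll
0000000000010458 GetModuleHandleA
000000000001046b MessageBoxA
"""

# Assumed, non-exhaustive packer markers and path patterns (not from the page).
PACKER_MARKERS = ("UPX0", "UPX1", "UPX!", ".aspack", ".petite", "PEC2")
PATHLIKE = re.compile(r"^[A-Za-z]:\\|^\\\\|^HKEY_|^Software\\|\\system32\\", re.I)

LINE = re.compile(r"^([0-9A-Fa-f]+)\s+(.+)$")
SECTION = re.compile(r"^\.[a-z]{1,7}$")  # section names fit in 8 bytes
DLL = re.compile(r"^[\w.-]+\.dll$", re.I)
API = re.compile(r"^[A-Z][a-z]+(?:[A-Z][A-Za-z0-9]*)+$")  # CamelCase, Win32 style


def parse(listing):
    """Return [(offset, text)] for every 'hexoffset string' line."""
    rows = []
    for line in listing.splitlines():
        m = LINE.match(line.strip())
        if m:
            rows.append((int(m.group(1), 16), m.group(2)))
    return rows


def triage(listing):
    """Derive first-pass static observations from a strings listing."""
    rows = parse(listing)
    texts = [t for _, t in rows]
    imports = [t for t in texts if API.match(t)]
    # Win32 exports ending in A take ANSI strings, those ending in W take UTF-16.
    suffixes = {name[-1] for name in imports if name[-1] in "AW"}
    charset = {frozenset("A"): "ANSI", frozenset("W"): "Unicode",
               frozenset("AW"): "mixed"}.get(frozenset(suffixes), "unknown")
    return {
        "dos_stub": any("cannot be run in DOS mode" in t for t in texts),
        # 'Rich' marks the header that Microsoft linkers place after the DOS stub.
        "rich_header": any(t.endswith("Rich") for t in texts),
        "sections": [t for t in texts if SECTION.match(t)],
        "dlls": [t for t in texts if DLL.match(t)],
        "imports": imports,
        "api_charset": charset,
        "packer_markers": [(hex(o), t) for o, t in rows
                           if any(m.lower() in t.lower() for m in PACKER_MARKERS)],
        "embedded_paths": [(hex(o), t) for o, t in rows if PATHLIKE.search(t)],
    }


if __name__ == "__main__":
    for field, value in triage(XSTRINGS).items():
        print(f"{field:15} {value}")
```

An empty `packer_markers` list only means none of the listed markers appeared in the extracted strings; it does not prove the file is unpacked.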
Part Seven: pithpulchritude
Hey there, I suffered from the Look2me/Zesty parasite but managed to delete it. I still have Clientman/Odysseus Marketing lingering though. But I deleted everything I found, including reg values, .dll's, and folders. I manually deleted everything in Safe mode from the registry and hard drive. I'm still hijacked and can't search, get certain popups, and I get a green underlining under many words on web pages. I deleted my cookies and all temporary internet files. And when I run a random search under yahoo I get files from only 'xmlfeed.spaex.com', 'odysseusmarketing.com', 'meta.7search.com', and 'abcsearch.com'. Spybot and Ad-aware don't pick up on anything further. I've done everything I've found on all forums, I don't know what else to do. Can anyone help?
Part Eight: kjm7722
Someone Please Help Me!!!
I started my computer up today and when I am on Internet Explorer each page I look at highlights certain words and they are linked to a web address called Odysseus Marketing, which then dumps me into a search results page called 1st blaze.
When I click on the properties of this link it says it is a Hypertext transfer protocol. Type: PHP?NID=20file
How do I remove this?????
Part Nine: Pest Patrol Analysis
ClientMan gathers a list of running processes. Tries to read:
* RealName, Settings from \Software\Microsoft\Internet Account Manager\Accounts\
* SMTP Display Name, InstallUser, BusinessTitle, JobTitle, vCard from \Software\Speedbit\Download Accelerator\
* RegisteredOwner, DefCompany, InstallCompany from \Software\Zone Labs\ZoneAlarm\Registration and \Software\SBInfo\User\
* RegisteredOrganisation from \Software\Microsoft\MessengerService (or MSNMessenger)\ListCache\.NET Messenger Service
* IdentityName from \Software\Mirabilis\ICQ\Owners\
* LastOwner, Name from \Software\Yahoo\Pager\
* Yahoo! User ID from \Software\America Online\AOL Instant Messenger (TM)
* your name from \CurrentVersion\Users\ and \Software\Symantec\Shared Technology\Volatile Storage\Member Profile\vCard\Home (or Business) and \Software\Microsoft\Windows\CurrentVersion\Telephony\Locations\Location0\
Has been observed sending unknown data to its servers at ipend.datastorm.biz
Security Issues:
Yes. As part of its 'updates' feature, ClientMan can quietly download and run arbitrary unsigned code from its controlling server. According to one source, ClientMan 'appears to be able to change settings on older versions of the popular free ZoneAlarm firewall program without user consent. When ClientMan tries to connect to the Internet, ZoneAlarm flashes a warning and asks the user to confirm whether the program should be allowed to connect or not. Instead of waiting for user approval, ClientMan clicks the Yes button and checks the Always checkbox. Now ClientMan has permission to access the network whenever it chooses.'
Stability Issues: Yes. All variants appear to be poorly written, and can cause crashes and hangs of Internet Explorer at random moments.
Part Ten: Removal
Remove these registry entries if found:
Stop Running Processes:
Kill these running processes with Task Manager:
Remove AutoRun Reference:
Go to the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run.
* If you find the value HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\clientman, delete it and reboot the machine immediately.
* If you find the value HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\clientman1, delete it and reboot the machine immediately.
* If you find the value HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\clientman, delete it and reboot the machine immediately.
* If you find the value HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\clientman1, delete it and reboot the machine immediately.
* If you find the value HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\msmc, delete it and reboot the machine immediately.
Unregister DLLs:
Unregister these DLLs with Regsvr32, then reboot:
Clean Registry:
Remove these registry items (if present) with RegEdit:
Remove Files:
Remove these files (if present) with Windows Explorer:
Remove Directories:
Remove these directories (if present) with Windows Explorer:
programfilesdir+\clientman
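The "Remove AutoRun Reference" step names values under both the HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER Run keys, so a check should cover Run under every hive present. The following added example (not part of the original page) audits a regedit text export for the three value names that step lists; the export content, including the executable paths, is constructed for illustration.

```python
import re

# Value names the page's "Remove AutoRun Reference" step says to delete.
SUSPECT_VALUES = {"clientman", "clientman1", "msmc"}
RUN_KEY = r"\software\microsoft\windows\currentversion\run"

# Constructed sample in regedit export (.reg) text form; data strings are illustrative.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE"
"clientman"="C:\\Program Files\\clientman\\example.exe"
"MSMC"="C:\\WINDOWS\\system32\\example2.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ClientMan1"="\"C:\\Program Files\\clientman\\example1.exe\" /q"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"clientman"="RunOnce is a different key, so this is not reported"
'''

KEY_LINE = re.compile(r"^\[(.+)\]$")
VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def unescape(s):
    """Undo .reg string escaping (\\\\ for a backslash, \\" for a quote)."""
    return re.sub(r"\\(.)", r"\1", s)


def audit_run_keys(export_text):
    """Return [(hive, value_name, data)] for suspect values under any hive's Run key."""
    findings, in_run_key, hive = [], False, None
    for raw in export_text.splitlines():
        line = raw.strip()
        key = KEY_LINE.match(line)
        if key:
            path = key.group(1)
            hive = path.split("\\", 1)[0]
            # Registry key names are case-insensitive; match Run exactly, not RunOnce.
            in_run_key = path.lower().endswith(RUN_KEY)
            continue
        val = VALUE_LINE.match(line)
        if not (in_run_key and val):
            continue
        name, data = unescape(val.group(1)), val.group(2)
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            data = unescape(data[1:-1])  # REG_SZ; other types are left as exported
        if name.lower() in SUSPECT_VALUES:
            findings.append((hive, name, data))
    return findings


if __name__ == "__main__":
    for hive, name, data in audit_run_keys(SAMPLE_EXPORT):
        print(f"{hive}  Run\\{name}  ->  {data}")
```

Real regedit exports are written as UTF-16, so decode the file accordingly before passing its text to `audit_run_keys`.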
Afterword
More and more Windows users agree that OS X is mostly virus-free. After browsing through the above materials, more and more OS X users will surely agree that Windows is mostly not.