ClientMan Spyware Profile
ClientMan is a difficult spyware program to deal with. It first appeared in Grokster bundles late in March of 2003. It has to be installed manually, a step that the bundled installation usually bypasses.
ClientMan has several styles of attack, depending on which version you have. All versions, once installed, can bypass the security settings of the older ZoneAlarm firewalls by automatically clicking “yes” when the firewall asks whether you want to allow the program to access the Internet. It can also add itself to Norton’s Allow Program list.
All the ClientMan versions are browser hijackers with the ability to download updates, and 2in1 shows pop-up advertising. The differences are in the details. The original highlighted certain key phrases, which would redirect to its affiliate sites. The Tagger version redirects browsing to its affiliate sites, and doesn’t have the yellow advertisement links.
ClientMan should be removed by an antispyware tool. It generates random file names, which makes the already difficult manual removal task that much more difficult. SpyZooka can stop it dead in its tracks.
Also Known As:
Spyware.ClientMan,
iPend,
Adware:Win32/ClientMan,
ClientMan.msmc,
ClientMan.msdaim,
ClientMan.2in1,
Parasite: ClientMan,
Trojan.ClientMan,
ClientMan.b99,
ClientMan.bho1,
ClientMan.bho2,
ClientMan.Helper,
ClientMan.Tagger,
ClientMan.DNSRep,
clientman.exe
Associated Files: