ClientMan Spyware/Adware Definition
Name: ClientMan
Category: Browser Plug-in
Alias: iPend, ClientMan.MSMC
Advice: Remove
Risk: Moderate Risk
Moderate threats may profile users' online habits or broadcast data back to a server with 'opt-out' permission. In most cases this type of threat is closer to commercial adware that offers a premium service in exchange for tracking your online activity.
Description:
ClientMan is a wide-ranging advertising threat. The various versions released may add advertising links to web pages, open popup adverts, and redirect search engine results, address bar searches and error pages.
ClientMan is a spyware application that submits various Internet usage information to a server, including email and instant messaging details. It also submits personal information, such as IP address, browser used, and user details retrieved from other installed applications on the system.
ClientMan is bundled with file-sharing programs or its affiliates. The software does not contain any information about its source or purpose. Its default location is "C:\Program Files\ClientMan". ClientMan starts every time the computer is rebooted. The installer says the software is delivered from odysseusmarketing.com.
This software has a number of variants:
ClientMan.b99 runs at reboot.
ClientMan.bho1 is a browser helper object variant.
ClientMan.bho2 is a browser helper object variant.
ClientMan.mskhhe is implemented as a browser helper object.
ClientMan.msmc runs at reboot.
ClientMan has been bundled with some versions of Grokster from late March 2003. It is also installed by the FavoriteMan spyware threat.
It turns all targeted words in all web pages into links with a yellow background, pointing to ClientMan's server odysseusmarketing.com. This may redirect to a search results site such as 1stblaze.com or epilot.com.
It periodically opens pop-up advertising from odysseusmarketing.com, which may redirect to popupmarketing.com.
The Tagger variant redirects use of known search engines (at the time of writing, Google and Yahoo only) to firstbookmark.com; the address bar will still show the address of the original search engine, but the content of the page will be overwritten with results from firstbookmark.com (which are currently sourced from 123search.com).
Signatures:
Type: Browser Plug-in - Spyware's primary purpose is to collect demographic and usage information from your computer, usually for advertising purposes. Spyware usually 'sneaks' onto a system or performs other activities hidden from the user. Spyware programs are usually bundled as a hidden component and downloaded from the Internet. These modules are almost always installed on the system secretly and try to run secretly as well.