[Solved] Help: Clientman/Odysseus Marketing Parasite

Discussion in 'adware, spyware & hijack cleaning' started by pithpulchritude, Jun 30, 2004.

Thread Status:
Not open for further replies.
  1. pithpulchritude

    pithpulchritude, Registered Member (Joined: Jun 30, 2004; Posts: 4)

    Hey there, I suffered from the Look2me/Zesty parasite but managed to delete it. I still have Clientman/Odysseus Marketing lingering though. But I deleted everything I found, including reg values, .dll's, and folders. I manually deleted everything in Safe mode from the registry and hard drive. I'm still hijacked and can't search, get certain popups, and I get a green underlining under many words on web pages. I deleted my cookies and all temporary internet files. And when I run a random search under yahoo I get files from only "xmlfeed.spaex.com," "odysseusmarketing.com," "meta.7search.com," and "abcsearch.com." Spybot and Ad-aware don't pick up on anything further. I've done everything I've found on all forums, I don't know what else to do. Can anyone help?

    Does this HijackThis log help?

    Logfile of HijackThis v1.97.7
    Scan saved at 12:36:30 PM, on 6/30/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\hidserv.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINNT\System32\nvsvc32.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINNT\explorer.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Documents and Settings\Administrator.BELLA\Desktop\Spyware Stuff\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [vup] C:\WINNT\vup.exe
    O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
    O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: @btrez.dll,-4015 (HKLM)
    O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 (HKLM)
    O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
    O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://fpdownload.macromedia.com/pub/shockwave/cabs/director/swdir.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38054.6332986111
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     
  2. Marianna

    Marianna, Spyware Fighter (Joined: Apr 23, 2002; Posts: 1,215; Location: B.C. Canada)

    Hi pithpulchritude

    Is this O4 - HKLM\..\Run: [vup] C:\WINNT\vup.exe
    the VUP.EXE flasher utility in Windows 2000?

    Check the following items in HijackThis - close ALL windows\browsers except HijackThis and click "Fix checked":

    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

    O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"

    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime <---optional
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot <----- optional

    Any idea what this is?
    O9 - Extra button: @btrez.dll,-4015 (HKLM)
    O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 (HKLM)
    If UNKNOWN, pls. check!

    NOTE....even in safe mode you may have to open Task Manager and end task on some of them before you can delete them.

    Make sure you can view hidden and system files: Instructions here

    Then Boot to safe mode: Instructions here

    Delete the following items IF still present:

    C:\Program Files\AutoUpdate

    Reboot

    Empty your Temporary Internet Files and history in Internet Options. And clean out your
    %Userprofile%\Local Settings\Temp
    folder. It's a good idea to do that regularly.

    Problems gone?
     
  3. pithpulchritude

    pithpulchritude, Registered Member (Joined: Jun 30, 2004; Posts: 4)

    Hey Marianna, I did everything described. I don't know what vup.exe was but I got rid of it. And I never had the folder C:\Program Files\AutoUpdate even with the show hidden files option on. I'm still hijacked. And nothing has changed. I went into Safe mode and searched for everything with "autoupdate" but nothing. Here is the new log. Is there anything else to do? (Please not reformat!) Thanks

    Logfile of HijackThis v1.97.7
    Scan saved at 10:28:11 PM, on 6/30/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\hidserv.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINNT\System32\nvsvc32.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\WINNT\explorer.exe
    C:\Documents and Settings\Administrator.BELLA\Desktop\Spyware Stuff\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
    O9 - Extra button: AIM (HKLM)
    O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
    O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://fpdownload.macromedia.com/pub/shockwave/cabs/director/swdir.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38054.6332986111
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
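
Added example, not part of the thread: a small Python parser for the HijackThis entry lines, used to diff the first and second logs posted above. It confirms that "Fix checked" removed four Run-key autoruns and one R0 value and that nothing new appeared; the R0/O4 lines are copied from the two posts, and the function names are this example's own.

```python
import re

# A HijackThis entry line has the form "<code> - <body>", where code is R0, O4, O16, ...
ENTRY = re.compile(r"^\s*([A-Z]\d{1,2})\s+-\s+(.*\S)\s*$")

def parse_entries(log_text):
    """Set of (code, body) entries; header and process lines are skipped."""
    matches = (ENTRY.match(line) for line in log_text.splitlines())
    return {(m.group(1), m.group(2)) for m in matches if m}

def diff_logs(before, after):
    """Return (removed, added, unchanged) as sorted lists of (code, body)."""
    b, a = parse_entries(before), parse_entries(after)
    return sorted(b - a), sorted(a - b), sorted(b & a)

def run_key_names(entries):
    """Value names of O4 (Run key) entries, taken from the [name] part."""
    return [m.group(1) for code, body in entries
            if code == "O4" and (m := re.search(r"\[([^\]]+)\]", body))]

# R0 and O4 lines excerpted from the two logs in this thread (plus one process line).
FIRST_LOG = r"""
C:\WINNT\explorer.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [vup] C:\WINNT\vup.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
"""
SECOND_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
"""

if __name__ == "__main__":
    removed, added, unchanged = diff_logs(FIRST_LOG, SECOND_LOG)
    for label, entries in (("removed", removed), ("added", added), ("unchanged", unchanged)):
        print(label, [f"{code} - {body}" for code, body in entries])
```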
     
  4. Marianna

    Marianna, Spyware Fighter (Joined: Apr 23, 2002; Posts: 1,215; Location: B.C. Canada)

    Hi pithpulchritude

    I can't find anything "suspicious". I guess the only way to be sure is:

    Download Ad-aware from here: http://www.computercops.biz/downloads-file-292.html
    Install by double-clicking on the downloaded file.
    After installing but before running, update Ad-aware by using its Globe icon.
    After updating, shutdown and restart Ad-aware.
    Ad-aware is ready to scan and clean your system following these steps:

    Under Ad-aware 6 > Settings (Gear at the top) > Tweaks > Scanning Engine:
    "Unload recognized processes during scanning."
    Under Ad-aware 6 > Settings (Gear at the top) > Tweaks > Cleaning Engine:
    "Let Windows remove files in use after reboot."
    Press "Scan Now"
    Check option "Use Custom scanning options"
    Check option "Activate In-Depth Scan"
    Press "Select drives\folders to scan"
    Select the active partition which is usually C:
    Press "Next" to let Ad-aware scan your drives...
    If it finds "bad" files and registry keys, press "Next" again
    Right-click in that pane and choose "select all"
    Press "next"
    When it asks to remove all checked items, Press "OK"
    Close Ad-aware, reboot your system and go on to Step 2 below.


    Spybot S&D
    The download for Spybot S&D is available here: http://www.computercops.biz/downloads-file-108.html

    Install by double-clicking on the downloaded file.
    Run Spybot S&D from desktop icon or Start menu.
    Press "Search for updates" button to get list of updates available.
    Press "Download updates" button.
    Close all IE windows and close & restart Spybot S&D.
    Press "Check for problems" button.
    Have SpyBot remove all it marks in red by pressing "Fix selected problems".

    Close Spybot S&D, reboot your system.

    Was something found??
     
  5. pithpulchritude

    pithpulchritude, Registered Member (Joined: Jun 30, 2004; Posts: 4)

    Okay, I did everything listed. I already have Ad-aware 6 Professional with all the updates and configurations, but still no find :( I even scanned in Safe mode. You said "Check option 'Use Custom scanning options'" but it lists "Use Default Scanning options" and a separate option is "Select Drives/Folders to scan"; you pick one or the other. Not sure which you meant but I did two scans both ways. I uninstalled the old version of Spybot I had and got the latest version. Nothing was detected, only a couple of cookies and my browser is still hijacked :'(
     
  6. Marianna

    Marianna, Spyware Fighter (Joined: Apr 23, 2002; Posts: 1,215; Location: B.C. Canada)

    Hi pithpulchritude

    It is strange that nothing is to be seen in your log.

    Well first you could try CWShredder - if it can find "something"

    First update or download CWShredder to version 1.59.1
    CWShredder (http://www.spywareinfoforum.com/~merijn/files/CWShredder.exe)
    Use the Fix button and follow the instructions you will receive.

    How about - scanning with an on-line scan and see if it finds "anything"??

    http://housecall.trendmicro.com/housecall/start_corp.asp
    http://www.pandasoftware.com/activescan/

    Be sure and put a check in the box by "Auto Clean" before you do the scan. If it finds anything that it cannot clean have it delete it or make a note of the file location so you can delete it yourself.
     
  7. pithpulchritude

    pithpulchritude, Registered Member (Joined: Jun 30, 2004; Posts: 4)

    Hey Marianna, I don't want to jinx it but I think it's really gone! All of it. I'm free! I have been battling all this evil spyware for months. I can't believe it.

    The CWShredder found one thing and it deleted it. The Panda Scanner found 8 trojans and the other found 10! This scares me. How come Spybot and Ad-aware miss so much? And I have Norton 2003 and I update it almost every day. Why is this happening? (At one point I thought my virus scanner might have been deactivated by the malware/viruses...is that possible?) I'm going to keep using these programs, but am I still 100% clean?

    Thank you Marianna, you sincerely helped me. I can use my computer once again.
     
  8. Marianna

    Marianna, Spyware Fighter (Joined: Apr 23, 2002; Posts: 1,215; Location: B.C. Canada)

    Hi pithpulchritude :0

    In the meantime you have to have quite an "assortment of tools" to get rid of the nasty stuff :( Yep, there are malware\virus\trojans out there to deactivate your AV.

    Maybe you should also take McAfee AVERT Stinger in your "toolbox". Run Ad-aware PLUS Spybot S&D at least once a week - look for updates! And then of course "common sense" :)

    Please follow the steps to avoid re-infection that were posted in http://www.computercops.biz/postt7736.html

    Happy Safe Computing - glad we could help :)
     