[Solved]Help: Clientman/Odysseus Marketing Parasite

Hey there, I suffered from the Look2me/Zesty parasite but managed to delete it. I still have Clientman/Odysseus Marketing lingering though. But I deleted everything I found, including reg values, .dll's, and folders. I manually deleted everything in Safe mode from the registry and hardrive. I'm still hijacked and cant search, get certain popups, and I get a green underlining undermany words on web pages. I deleted my cookies and all temporary internet files. Ane when I run a random search under yahoo I get files from only "xmlfeed.spaex.com," "odysseusmarketing.com," "meta.7search.com," and "abcsearch.com." Spybot and Ad-aware don't pick up on anything further. I've done everything I've found on all forums, I don't know what else to do. Can anyone help?

Does this HijackThis log help?

Logfile of HijackThis v1.97.7
Scan saved at 12:36:30 PM, on 6/30/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINNT\explorer.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Administrator.BELLA\Desktop\Spyware Stuff\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [vup] C:\WINNT\vup.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: AIM (HKLM)
O9 - Extra button: @btrez.dll,-4015 (HKLM)
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 (HKLM)
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://fpdownload.macromedia.com/pub/shockwave/cabs/director/swdir.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38054.6332986111
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

 

Re: Help: Clientman/Odysseus Marketing Parasite

HI pithpulchritude

is this O4 - HKLM\..\Run: [vup] C:\WINNT\vup.exe
VUP.EXE flasher utility in Windows 2000 ?

Check the following items in HIjackThis - close ALL windows\browsers except Hijackthis and click "Fix checked":

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime <---optional
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot <----- optional

Any idea what this is?
O9 - Extra button: @btrez.dll,-4015 (HKLM)
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 (HKLM)
if UNKNOWN pls. check !

NOTE....even in safe mode you may have to open taskmanager and end task on some of them before you can delete them.

Make sure you can view hidden and system files: Instructions here

Then Boot to safe mode: Instructions here

Delete the following items IF still present:

C:\Program Files\AutoUpdate

Reboot

Empty your Temporary Internet Files and history in Internet Options. And clean out your
%Userprofile%\Local Settings\Temp
folder. It's a good idea to do that regularly.

Problems gone?

 

Re: Help: Clientman/Odysseus Marketing Parasite

Hey Marianna, I did everything described. I don't know what vup.exe was but I got rid of it. And I never had the folder C:\Program Files\AutoUpdate even with the show hidden files option on. I'm still hijacked. And nothing has changed. I went into safemode and searched for everything with "autoupdate" but nothing. Here is the new log. Is there anything else to do? (Please not reformat!) Thanks

Logfile of HijackThis v1.97.7
Scan saved at 10:28:11 PM, on 6/30/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINNT\explorer.exe
C:\Documents and Settings\Administrator.BELLA\Desktop\Spyware Stuff\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: AIM (HKLM)
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://fpdownload.macromedia.com/pub/shockwave/cabs/director/swdir.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38054.6332986111
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

 

Re: Help: Clientman/Odysseus Marketing Parasite

Hi pithpulchritude

I can't find anything "suspicious" guess, the only way to be sure is:

Download Ad-aware from here: http://www.computercops.biz/downloads-file-292.html
Install by double-clicking on the downloaded file.
After installing but before running, update Ad-aware by using its Globe icon.
After updating, shutdown and restart Ad-aware.
Ad-aware is ready to scan and clean your system following these steps:

Under Ad-aware 6 > Settings (Gear at the top) > Tweaks > Scanning Engine:
"Unload recognized processes during scanning."
Under Ad-aware 6 > Settings (Gear at the top) > Tweaks > Cleaning Engine:
"Let Windows remove files in use after reboot."
Press "Scan Now"
Check option "Use Custom scanning options"
Check option "Activate In-Depth Scan"
Press "Select drives\folders to scan"
Select the active partition which is usually C:
Press "Next" to let Ad-aware scan your drives...
If it finds "bad" files and registry keys, press "Next" again
Right-click in that pane and choose "select all"
Press "next"
When it asks to remove all checked items, Press "OK"
Close Ad-aware, reboot your system and go on to Step 2 below.


Spybot S&D
The download for Spybot S&D is available here: http://www.computercops.biz/downloads-file-108.html

Install by double-clicking on the downloaded file.
Run Spybot S&D from desktop icon or Start menu.
Press "Search for updates" button to get list of updates available.
Press "Download updates" button.
Close all IE windows and close & restart Spybot S&D.
Press "Check for problems" button.
Have SpyBot remove all it marks in red by pressing "Fix selected problems".

Close Spybot S&D, reboot your system .

Was something found??

 

Re: Help: Clientman/Odysseus Marketing Parasite

Okay, I did everything listed. I already have Ad-aware 6 Professional with all the updates and configurations, but still no find I even scanned in Safe mode. You said "Check option 'Use Custom scanning options'" but it lists "Use Default Scanning options" and a seperate option is "Select Drives/Folders to scan" you pick one or the other. Not sure which you meant but I did two scans both ways. I uninstalled the old version of Spybot I had and got the latest version. Nothing was detected, only a couple of cookies and my browser is still hijacked

 

Re: Help: Clientman/Odysseus Marketing Parasite

HI pithpulchritude

is strange, that nothing is to be seen in your log.

Well first you could try cwshredder - if it can find "something"

First update or download CWShredder to version 1.59.1
CWShredder (http://www.spywareinfoforum.com/~merijn/files/CWShredder.exe)
Use the Fix button and follow the instructions you will receive.

How about - scanning with an on-line scan and see if it finds "anything"??

http://housecall.trendmicro.com/housecall/start_corp.asp
http://www.pandasoftware.com/activescan/

Be sure and put a check in the box by "Auto Clean" before you do the scan. If it finds anything that it cannot clean have it delete it or make a note of the file location so you can delete it yourself.

 

Re: Help: Clientman/Odysseus Marketing Parasite

Hey Marianna, I don't want to jinx it but I think it's really gone! All of it. I'm free! I have been battleing all this evil spyware for months. I can't believe it.

The CWShredder one thing and it deleted it. The Panda Scanner found 8 trojans and the other found 10! This scares me. How come Spybot and Ad-ware miss so much? And I have Norton 2003 and I update it almost everyday. Why is this happening? (At one point I thought my virus scanner might have been deactivated by the malware/viruses...is that possible?) I'm going to keep using these programs, but am I still 100% clean?

Thank you Marianna, you sincerely helped me. I can use my computer once again.

 

Re: Help: Clientman/Odysseus Marketing Parasite

Hi pithpulchritude :0

In the meantime you have to have quite a "sortiment of tools" to get rid of the nasty stuff Yep, there are malware\virus\trojans out there to deactivate your AV .

Maybe you should also take McAfee AVERT Stinger in your "toolbox". Run ad aware PLUS SpybotS&D at least once week - look for updates ! And then of course "common sense"

Please follow the steps to avoid re-infection that was posted in http://www.computercops.biz/postt7736.html

Happy Safe Computing - glad we could help